What is Active Directory Tombstone Lifetime?

In the realm of Active Directory (AD), the Tombstone Lifetime is a property that holds significant importance. It determines the period a deleted object, known as a “tombstone”, remains in the directory service before it is permanently deleted. This period is crucial for the replication of the deletion to all other domain controllers in the network.

The Importance of Active Directory Tombstone Lifetime

Understanding and managing the Tombstone Lifetime is essential for two key reasons:

1. Replication Consistency: When an object is deleted in AD, it’s not immediately erased. Instead, it becomes a tombstone and is marked for deletion after the Tombstone Lifetime period. This delay ensures that the deletion is replicated to all domain controllers, maintaining consistency across the network.
2. Recovery of Accidentally Deleted Objects: If an object is accidentally deleted, the tombstone can be reanimated before it’s permanently deleted, allowing the object to be recovered. However, it’s important to note that not all attributes of the object are preserved in the tombstone.

By default, the Tombstone Lifetime in AD is 60 or 180 days, depending on the version of Windows Server. However, it can be modified to suit the needs of your organization.

The Tombstone Process

When an object is deleted from Active Directory, it is not physically removed immediately. Instead, it’s marked as a tombstone object. The Active Directory sets the ‘isDeleted’ attribute of the deleted object to TRUE and moves it to a special container called Tombstone, previously known as CN=Deleted Objects.

Tombstones are not accessible through the Windows directory or MMC console. However, they are available to the Directory Replication Process, ensuring that the object deletion is replicated to all the domain controllers in the domain. This process ensures that the object deletion is consistent across all computers throughout the Active Directory.

Benefits of Tombstones

Tombstones can be beneficial in several situations:

• Accidental object deletion: If an object is accidentally deleted, it can be restored with its original Security Identifier (SID) if it’s not beyond the tombstone time period. This is crucial as the SID enables an object to get access to resources, be a part of groups, etc. Even if you create a new object with the same name, the SID will be different.
• Deletion action is captured during an AD restore: If a domain controller crashes and you need to rebuild it from the last available backup, any objects deleted before the restore will still be in the backup. Tombstoning ensures that these objects do not become active after being replicated to the restored domain controller.
• Replication of a deletion action: All the domain controllers (DC) in a domain follow the multimaster replication model. This means making changes to any DC will replicate those changes in all the other DCs in the domain. Tombstoning enables the deletion action to be replicated.

Modifying the Tombstone Lifetime Attribute

The tombstone lifetime attribute can be modified using tools like ADSI Edit or PowerShell. For example, the following PowerShell command retrieves the current Tombstone Lifetime:

To change the Tombstone Lifetime, you can use the ADSI Edit tool. This tool is installed with the AD DS role in Windows Server 2008 and above, or it can be downloaded and installed along with Remote Server Administration Tools.

In conclusion, the Tombstone Lifetime is a critical aspect of Active Directory management. It plays a vital role in replication consistency and object recovery. Therefore, AD administrators should be familiar with it and know how to manage it effectively.

---

I hope this post provided a deeper understanding of the Active Directory Tombstone Lifetime. If you have any questions or need further clarification, feel free to reach out. Stay tuned for more informative posts on Active Directory and other IT topics.

Book a call

 

chat with us on Linkedin

 

Secure your active directory – book a demo