Active Directory Tombstone Lifetime Modification
A tombstone is a container object that holds the objects deleted from Active Directory. When an object is deleted from Active Directory it is not physically removed for some days. Instead, Active Directory sets the object's 'isDeleted' attribute to TRUE and moves it to a special container called Tombstone, previously known as CN=Deleted Objects.
Tombstones cannot be accessed through Windows directories or through Microsoft Management Console (MMC) snap-ins. However, tombstones are available to the directory replication process, so they are replicated to all the domain controllers in the domain. This ensures that a deleted object is removed from all the computers throughout the Active Directory.
The tombstone lifetime attribute holds the time period after which the object is physically deleted from Active Directory. The default value of the tombstone lifetime attribute is 60 days, but you can change it if required. The tombstone lifetime is usually kept longer than the expected replication latency between the domain controllers, so that a tombstone is not deleted before it has been replicated across the forest.
The tombstone lifetime attribute is the same on all the domain controllers, and a tombstone is deleted from all the servers at the same time. This is because the expiration of a tombstone is based on the time when the object was logically deleted from Active Directory, rather than the time when a server received it as a tombstone through replication.
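The two paragraphs above are the reason the lifetime must exceed replication latency: a domain controller that has not replicated inbound for longer than the tombstone lifetime can end up with lingering objects, because its partners have already garbage-collected the tombstones it still needs. The following PowerShell is an added example, not code from the original article; it reads the current tombstoneLifetime with the ActiveDirectory module and flags replication links older than that value. It assumes the module is installed (Get-ADReplicationPartnerMetadata needs Windows Server 2012 or later) and that it is run with read access to the Configuration partition.

```powershell
# Added example, not from the original article: audit the tombstone lifetime
# against real replication health using the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime
    # An unset attribute means AD applies its built-in default of 60 days
    if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }
}

function Test-ReplicationWithinTombstoneLifetime {
    $tsl    = Get-TombstoneLifetimeDays
    $cutoff = (Get-Date).AddDays(-$tsl)
    Write-Host "Tombstone lifetime: $tsl days; inbound replication must be newer than $cutoff"

    # Get-ADDomainController -Filter * covers the current domain only; loop over
    # (Get-ADForest).Domains with -Server if you want the whole forest.
    $stale = foreach ($dc in Get-ADDomainController -Filter *) {
        # One row per inbound partner and partition for this DC
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction SilentlyContinue |
            Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
            Select-Object Server, Partner, Partition, LastReplicationSuccess
    }

    if ($stale) {
        Write-Warning "Replication links older than the tombstone lifetime (lingering-object risk):"
        $stale | Format-Table -AutoSize
    } else {
        Write-Host "All inbound replication links are newer than the tombstone lifetime."
    }
}

Test-ReplicationWithinTombstoneLifetime
```

A DC listed by this check should not simply be left to catch up; it has been disconnected longer than the lifetime and needs the usual lingering-object clean-up before it is allowed to replicate again.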
Changing Tombstone Lifetime Attribute
The tombstone lifetime attribute can be modified in three ways: using the ADSIEdit tool, using an LDIF file, and through VBScript.
Using ADSIEdit Tool
The easiest method to modify tombstone lifetime in Active Directory is by using ADSIEdit. The ADSIEdit tool is not installed automatically when you install Windows Server 2003. You need to install it separately by installing support tools from Windows Server 2003 CD.
If you haven't got your CDs at hand, you can simply download the Windows 2003 SP1 Support Tools from Firewall.cx here.
To install ADSIEdit tool and to modify tombstone lifetime in Active Directory using this tool, you need to:
1. Insert the Windows Server 2003 CD.
2. Browse the CD to locate the Support\Tools directory.
3. Double-click suptools.msi to proceed with the installation of the support tools.
4. Select Run from the Start menu.
5. Type ADSIEdit.msc to open the ADSI Editor, as shown below:
The ADSI Edit window appears:
6. Expand the Configuration node, then expand the CN=Configuration,DC=Firewall,DC=cx node beneath it.
7. Expand the CN=Services node.
8. Drill down to CN=Directory Service under CN=Windows NT, as shown in the figure below:
9. Right-click CN=Directory Service and select Properties from the menu that appears.
The CN=Directory Service Properties window appears, as shown below:
10. Double-click the tombstoneLifetime attribute in the Attributes list.
The Integer Attribute Editor window appears, as shown below:
11. Set the number of days that tombstone objects should remain in Active Directory in the Value field.
12. Click OK.
The Tombstone Lifetime has now been successfully changed.
Other Ways Of Changing The Tombstone Lifetime Attribute
Using an LDIF file
To change the tombstone lifetime attribute using an LDIF file, you create the file with Notepad and then import it with the LDIFDE tool. The steps are:
1. Create a text file using notepad with the following content:
dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <NumberOfDays>
-
2. Replace the placeholders between <>: put the distinguished name of your Active Directory forest root domain (for example DC=Firewall,DC=cx) in place of <ForestRootDN>, and the number of days you want to set for the tombstone lifetime in place of <NumberOfDays>.
3. Don't forget the "-" on the last line; it terminates the modify operation.
4. Save the file with .ldf extension.
5. Open the Command Prompt and type the following command on the command prompt:
ldifde -v -i -f <Path to tombstoneLifetime.ldf>
The Tombstone Lifetime is successfully changed.
Using a VBScript
To change the tombstone lifetime using VBScript, enter the following code with the appropriate values and execute the script. Note that the change is only written to the directory when SetInfo is called; without it the Put call changes nothing on the server.
' Number of days tombstones should be kept; replace <NumberOfDays> with an integer
intTombstoneLifetime = <NumberOfDays>
Set objRootDSE = GetObject("LDAP://RootDSE")
' Bind to the Directory Service object in the forest-wide Configuration partition
Set objDSCont = GetObject("LDAP://cn=Directory Service,cn=Windows NT," & _
    "cn=Services," & objRootDSE.Get("configurationNamingContext"))
objDSCont.Put "tombstoneLifetime", intTombstoneLifetime
objDSCont.SetInfo   ' commit the change to the directory
WScript.Echo "The tombstone lifetime is set to " & intTombstoneLifetime
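On Windows Server 2008 R2 and later the same change can be made with the ActiveDirectory PowerShell module. The script below is an added example, not code from the original article: it writes tombstoneLifetime with Set-ADObject, warns when the new value is lower than the current one (which shortens the window in which an offline domain controller can still replicate safely), and reads the attribute back to confirm the write. It assumes the module is installed and the caller is an Enterprise Admin, since the Directory Service object lives in the forest-wide Configuration partition; the 3650-day upper bound is an assumed sanity limit, not an AD constraint.

```powershell
# Added example, not from the original article: change tombstoneLifetime with
# the ActiveDirectory module and verify the result.
Import-Module ActiveDirectory

function Set-TombstoneLifetime {
    param(
        # Days to keep tombstones; the 3650 upper bound is an assumed sanity limit
        [Parameter(Mandatory)][ValidateRange(1, 3650)][int]$Days
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    $current = (Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
    if ($null -eq $current) { $current = 60 }   # unset attribute = built-in 60-day default

    if ($Days -lt $current) {
        # Tombstones already older than the new value are removed at the next
        # garbage-collection run, and DCs offline longer than $Days days can no
        # longer replicate safely.
        Write-Warning "Lowering tombstoneLifetime from $current to $Days days."
    }

    Set-ADObject -Identity $dsPath -Replace @{ tombstoneLifetime = $Days }

    # Read the value back to confirm the write succeeded; it then replicates
    # to every DC in the forest with the Configuration partition.
    $new = (Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
    if ($new -ne $Days) { throw "tombstoneLifetime is $new, expected $Days" }
    "tombstoneLifetime changed from $current to $new days."
}

# Usage: keep tombstones for 180 days
Set-TombstoneLifetime -Days 180
```

Because Set-ADObject supports -WhatIf, the call inside the function can be given that switch first to see which object would be modified before the write is made.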
Article Summary
This article explained what the Active Directory tombstone lifetime attribute is and how you can change it to control the delete operations performed by the Active Directory replication process. We covered three different methods in detail so that any Windows administrator has the information needed to carry out these changes.
About the Writers
GFI Software provides the single best source of network security, content security and messaging software for small to medium sized businesses.
Alan Drury is a member of the Firewall.cx team and a senior engineer at a large multinational company, supporting complex large Windows networks.
Chris Partsenidis is a CCNA certified Engineer, MCP, LCP, Founder & Senior Editor of Firewall.cx