Know your Tombstones - The Basics

The TSL (Tombstone Lifetime) of an object in Active Directory is significant, especially in relation to backups, restores, and lingering objects.

So today I am going to give you the basics of what Tombstones mean.

What is a Tombstone?

A tombstone is what Active Directory replicates to tell other domain controllers that the object in question is to be deleted. What replicates inbound is a subset of the attributes of the actual object. The tombstoned object is retained in Active Directory for the period specified by the Tombstone Lifetime. At the end of this defined period, the garbage collection process permanently deletes the object from Active Directory.

Default Tombstone Lifetimes

  • Windows 2000 - 60 days
  • Windows 2003 SP1 (not upgraded) - 180 days
  • Windows 2003 R2 - 60 days

This last figure may surprise you. The reason is an incorrect Schema.ini file that sets the TSL to 60 days, not 180 days. Therefore, if you wish to take advantage of the longer TSL, you must change this value manually.

To determine or modify the tombstone lifetime for the forest:

1. On the Start menu, click Run, type adsiedit.msc, and then click OK.

2. In the console tree, double-click Configuration [DomainControllerName], CN=Configuration,DC=[ForestRootDomain], CN=Services, and CN=Windows NT.

3. Right-click CN=Directory Service, and then click Properties.

4. In the Attribute column, click tombstoneLifetime.

5. Note the value in the Value column. If the value is <not set> , the default value is in effect as discussed above.
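
The same value can be read without opening ADSI Edit. The following is an added example, not part of the original post: a read-only PowerShell check that reports the effective TSL and lists replication links whose last success is older than it, which is where lingering objects come from. It assumes the ActiveDirectory module (RSAT) is installed, and that an unset attribute means the built-in 60 days applies; the function name and output property names are hypothetical.

```powershell
# Added example: read-only check, makes no changes to the directory.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeReport {
    # Same object that ADSI Edit opens in steps 2 and 3.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $ds       = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime

    # <not set> comes back as $null; assumption: the built-in 60 days then applies.
    $explicit = $null -ne $ds.tombstoneLifetime
    $tslDays  = if ($explicit) { [int]$ds.tombstoneLifetime } else { 60 }
    $cutoff   = (Get-Date).AddDays(-$tslDays)

    # Links that never succeeded, or last succeeded before the cutoff: the
    # destination DC may have missed tombstones that were since garbage collected.
    $stale = Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest |
        Where-Object { -not $_.LastReplicationSuccess -or $_.LastReplicationSuccess -lt $cutoff } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess

    [pscustomobject]@{
        DirectoryServiceDn = $dsDn
        ExplicitlySet      = $explicit
        EffectiveTslDays   = $tslDays
        # Backups taken before this date are older than the TSL.
        BackupCutoffDate   = $cutoff
        StaleReplicaLinks  = @($stale)
    }
}

$report = Get-TombstoneLifetimeReport
$report | Format-List DirectoryServiceDn, ExplicitlySet, EffectiveTslDays, BackupCutoffDate
$report.StaleReplicaLinks | Format-Table -AutoSize
```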

For more information regarding this value, read the following article: https://support.microsoft.com/?id=216993.

Please, of course, be extremely careful when using Adsiedit to modify any Active Directory related values. Use it only under the guidance of your most experienced Active Directory Engineers, PSS, or onsite Microsoft Dedicated Engineers.