Changing the Tombstone Lifetime Attribute in Active Directory

The tombstone lifetime must be substantially longer than the expected replication latency between the domain controllers. The interval between cycles of deleting tombstones must be at least as long as the maximum replication propagation delay across the forest. Because the expiration of a tombstone lifetime is based on the time when an object was deleted logically, rather than on the time when a particular server received that tombstone through replication, an object’s tombstone is collected as garbage on all servers at approximately the same time. If the tombstone has not yet replicated to a particular domain controller, that DC never records the deletion. This is the reason why you cannot restore a domain controller from a backup that is older than the tombstone lifetime.

By default, the Active Directory tombstone lifetime is sixty days. This value can be changed if necessary. To change this value, the tombstoneLifetime attribute of the CN=Directory Service object in the configuration partition must be modified. This object is located here:

[Note: In forests created on Windows Server 2003 SP1 or later, including all modern versions such as Windows Server 2016, 2019, and 2022, the default tombstone lifetime is 180 days.]

cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=

Note: A longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected DC beyond the time when the object is permanently deleted from online DCs. The tombstone lifetime is not changed automatically when you upgrade to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of 180 days.

You can check your tombstone lifetime attribute by using the following command:

dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=" -scope base -attr tombstonelifetime
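Where the ActiveDirectory PowerShell module (part of RSAT) is available, the same check can be scripted and combined with the backup-age rule from the opening section. The following is an added example, not code from the original article: it assumes the ActiveDirectory module is installed and that the account can read the configuration partition. The first function builds the Directory Service DN from the live configuration naming context and reports whether the attribute is unset (default in effect); the second applies the rule that a backup older than the tombstone lifetime must not be used to restore a domain controller.

```powershell
# Added example (not from the original article): read tombstoneLifetime with the
# ActiveDirectory module instead of dsquery. Assumes RSAT / the module is installed.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    [CmdletBinding()]
    param(
        # Optional domain controller to query; when omitted the module picks one.
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # Derive the DN from the configuration naming context rather than hard-coding
    # the forest root DN.
    $rootDse = Get-ADRootDSE @common
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

    $obj = Get-ADObject -Identity $dn -Properties tombstoneLifetime @common

    # An unset attribute means the built-in default applies (60 days, or 180 days for
    # forests created on Windows Server 2003 SP1 or later). The attribute alone does
    # not tell you which, so that case is reported explicitly.
    [pscustomobject]@{
        DistinguishedName     = $dn
        TombstoneLifetimeDays = $obj.tombstoneLifetime
        DefaultInEffect       = ($null -eq $obj.tombstoneLifetime)
    }
}

function Test-BackupAgeForRestore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        # Effective lifetime in days: the value Get-TombstoneLifetime returned, or the
        # applicable default when DefaultInEffect is $true.
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays
    )
    $ageDays = ((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupDate            = $BackupDate
        AgeDays               = [math]::Round($ageDays, 1)
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        # A backup older than the tombstone lifetime is not valid for a DC restore.
        UsableForDcRestore    = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

# Usage: when the attribute is unset, assume the conservative 60-day default.
$tsl = Get-TombstoneLifetime
$tsl
$days = if ($tsl.DefaultInEffect) { 60 } else { $tsl.TombstoneLifetimeDays }
Test-BackupAgeForRestore -BackupDate (Get-Date).AddDays(-45) -TombstoneLifetimeDays $days
```

The usage block assumes the shorter 60-day default when the attribute is unset, so an old backup is rejected rather than accepted on the basis of a default that may not apply to the forest.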

There are several ways of modifying this attribute's value; the easiest is to use ADSIEdit.

Method #1: Using ADSIEdit

The following explains how to modify this attribute's value using ADSI Edit.
Note: ADSIEdit is part of the Windows 2003 Support Tools. To get ADSIEdit you need to install the support tools on your computer/DC. Read my “What are the Windows Server 2003 Support Tools? Where can I get them from?” article for more info on how to obtain the Windows Server 2003 Support Tools.
In addition, in order to perform the following steps you'll need to be a member of the Enterprise Admins group.

[Note: In Windows Server 2008 and later, including Windows Server 2016, 2019, and 2022, ADSIEdit is included by default or can be added via RSAT (Remote Server Administration Tools). On Windows 10/11, it can be installed via “Optional Features” under RSAT: Active Directory tools.]

To view or change attribute values by using ADSIEdit:

    1. On the Start menu, point to Run, type ADSIEdit.msc and press Enter.
    2. Navigate to:
       cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=

Where “ForestRootDN” is the Distinguished Name of your Active Directory Forest Root domain. For example, if your domain's name is kuku.co.il, then the DN for it would be:

DC=kuku,DC=co,DC=il

    3. Right-click the Directory Service object and choose Properties.
    4. In the resulting Properties dialog, scroll down to tombstoneLifetime, select this attribute and choose Edit.
    5. Enter the tombstone lifetime period (in days), then press OK.
    6. Click OK and then close ADSIEdit.

When you view the properties of cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=, an empty tombstoneLifetime value means that the default value is in effect. Any value that you type in the Edit Attribute box replaces the default value when you click Set.
The default value applies whenever the attribute is not set (the initial state of the system).

Method #2: Using an LDIF file

Open Notepad and create a text file with the following content:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <NumberOfDays>
-

Note: Don't forget the “-” on the last line, at the end. Replace <NumberOfDays> with the new lifetime in days.
Where “ForestRootDN” is the Distinguished Name of your Active Directory Forest Root domain. For example, if your domain's name is kuku.co.il, then the DN for it would be:

DC=kuku,DC=co,DC=il

Save this file as tombstoneLifetime.ldf (or similar).
Open the Command Prompt and type:

ldifde -i -f {Path to tombstoneLifetime.ldf}

[Note: This method is still valid on all modern versions of Windows Server (2012 R2–2022). Be sure to run the Command Prompt as an administrator.]

Method #3: Using a VBS script

You can read more about this option on the Change tombstone lifetime (VBScript) page, which presents code found in Chapter 17 of the Active Directory Cookbook. See the following Links:

[Note: While VBScript still works in Windows Server 2016/2019/2022, Microsoft has deprecated VBScript and recommends PowerShell for most administrative scripting tasks.]
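For those following the recommendation to use PowerShell instead of VBScript, the following is an added example, not code from the original article or the Active Directory Cookbook. It assumes the ActiveDirectory module is installed and that the account is a member of Enterprise Admins, as the ADSIEdit method requires. The function supports -WhatIf, warns when the new value is shorter than the current one (the direction the article's opening section identifies as risky), and reads the attribute back after the write.

```powershell
# Added example (not from the original article): set tombstoneLifetime with Set-ADObject.
# Assumes the ActiveDirectory module and Enterprise Admins membership.
Import-Module ActiveDirectory

function Set-TombstoneLifetime {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # New lifetime in days.
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$Days,
        # Optional DC to write to; the configuration partition replicates the change
        # to every DC in the forest.
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    $rootDse = Get-ADRootDSE @common
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

    $current = (Get-ADObject -Identity $dn -Properties tombstoneLifetime @common).tombstoneLifetime
    if ($null -eq $current) {
        Write-Verbose "tombstoneLifetime is not set; the built-in default is currently in effect."
    }
    elseif ($Days -lt $current) {
        # Shortening is the risky direction: tombstones that have not reached every DC
        # within the new window are garbage-collected before the deletion replicates.
        Write-Warning "Reducing tombstoneLifetime from $current to $Days days; confirm this still exceeds the forest's maximum replication latency."
    }

    if ($PSCmdlet.ShouldProcess($dn, "Set tombstoneLifetime to $Days days")) {
        Set-ADObject -Identity $dn -Replace @{ tombstoneLifetime = $Days } @common
    }

    # Read the value back so the caller sees what is actually stored.
    (Get-ADObject -Identity $dn -Properties tombstoneLifetime @common).tombstoneLifetime
}

# Usage: preview first, then apply (prompts for confirmation because ConfirmImpact is High).
Set-TombstoneLifetime -Days 180 -WhatIf
Set-TombstoneLifetime -Days 180
```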

FAQs

How does changing tombstone lifetime impact Active Directory performance?

When you change tombstone lifetime in Active Directory, it can affect system performance by consuming more storage space for deleted objects and potentially increasing database size. However, a longer tombstone lifetime provides better protection against replication issues and disaster recovery scenarios.

Can I change tombstone lifetime settings across multiple domain controllers simultaneously?

Yes, when you change tombstone lifetime in the configuration partition, the modification automatically replicates to all domain controllers in the forest, ensuring consistent settings across your environment.

What happens if I set the tombstone lifetime too short?

Setting a too-short tombstone lifetime can lead to replication conflicts, inconsistent object deletions, and potential data loss, especially in environments with slow or unreliable network connections between domain controllers.

Are there any best practices for changing tombstone lifetime in a global enterprise environment?

When planning to change tombstone lifetime in large enterprises, it’s recommended to calculate the maximum replication latency between sites, add a safety margin of at least 30 days, and test the changes in a lab environment first.
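A practical way to check the relationship between replication latency and the tombstone lifetime, as the two questions above discuss, is to compare each domain controller's last successful inbound replication against the lifetime. The following is an added example, not code from the original article: it assumes the ActiveDirectory module (Windows Server 2012 or later, for Get-ADReplicationPartnerMetadata) and that the account can read replication metadata. The warning fraction is an assumed threshold, not a value from the article. Get-ADDomainController -Filter * returns the DCs of the current domain only, so in a multi-domain forest the report is run once per domain.

```powershell
# Added example (not from the original article): flag replication partners whose last
# successful replication is approaching or beyond the tombstone lifetime.
Import-Module ActiveDirectory

function Get-ReplicationStalenessReport {
    [CmdletBinding()]
    param(
        # Effective tombstone lifetime in days.
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays,
        # Assumed threshold: warn once a partner's age exceeds this fraction of the lifetime.
        [ValidateRange(0.01, 1.0)][double]$WarningFraction = 0.5
    )
    $threshold = $TombstoneLifetimeDays * $WarningFraction
    $now = Get-Date

    # DCs of the current domain only; repeat per domain for a multi-domain forest.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue
        foreach ($m in $meta) {
            $ageDays = ($now - $m.LastReplicationSuccess).TotalDays
            [pscustomobject]@{
                Server               = $m.Server
                Partner              = $m.Partner
                Partition            = $m.Partition
                DaysSinceLastSuccess = [math]::Round($ageDays, 1)
                ConsecutiveFailures  = $m.ConsecutiveReplicationFailures
                # BEYOND-TSL: this DC can hold deletions the partner never received.
                Status               = if ($ageDays -ge $TombstoneLifetimeDays) { 'BEYOND-TSL' }
                                       elseif ($ageDays -ge $threshold) { 'WARNING' }
                                       else { 'OK' }
            }
        }
    }
}

# Usage: show only partners that need attention.
Get-ReplicationStalenessReport -TombstoneLifetimeDays 180 |
    Where-Object Status -ne 'OK' |
    Format-Table -AutoSize
```

A partner reported as BEYOND-TSL has been out of replication for longer than the lifetime, which is exactly the disconnected-DC situation the note in the first section describes; the WARNING rows give the lead time to fix connectivity before that point is reached.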

How does changing tombstone lifetime affect backup and restore operations?

After you change tombstone lifetime, you need to adjust your backup retention policies accordingly. Backups older than the tombstone lifetime become invalid for domain controller restoration, so your backup strategy should align with the new lifetime value.