Changing the Tombstone Lifetime Attribute in Active Directory http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.

htm

Changing the Tombstone Lifetime Attribute in Active Directory

by Daniel Petri - January 7, 2009
Printer Friendly Version

The tombstone lifetime must be substantially longer than the expected replication latency between the domain controllers. The interval
between cycles of deleting tombstones must be at least as long as the maximum replication propagation delay across the forest. Because
the expiration of a tombstone lifetime is based on the time when an object was deleted logically, rather than on the time when a
particular server received that tombstone through replication, an object's tombstone is collected as garbage on all servers at
approximately the same time. If the tombstone has not yet replicated to a particular domain controller, that DC never records the
deletion. This is the reason why you cannot restore a domain controller from a backup that is older than the tombstone lifetime.

By default, the Active Directory tombstone lifetime is sixty days. This value can be changed if necessary. To change this value, the
tombstoneLifetime attribute of the CN=Directory Service object in the configuration partition must be modified. This object is located
here:

cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=

Note: Longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected DC beyond
the time when the object is permanently deleted from online DCs. The tombstone lifetime is not changed automatically when you upgrade
to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after the upgrade. New forests that are installed
with Windows Server 2003 with SP1 have a default tombstone lifetime of 180 days.

You can check your tombstone lifetime attribute by using the following command:

dsquery * " cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=" -scope base -attr tombstonelifetime

There are several ways of modifying this attributes value, the easiest is using ADSIEdit.

Method #1: Using ADSIEdit

The following explains how to modify this attributes value using ADSI Edit.

Note: ADSIEdit is part of the Windows 2003 Support Tools. To get ADSIEdit you need to install the support tools on your computer/DC.
Read my "What are the Windows Server 2003 Support Tools? Where can I get them from?" article for more info on how to obtain the
Windows Server 2003 Support Tools (insert link to existing article).

In addition, in order to perform the following steps you'll need to be a member of the Enterprise Admins group.

To view or change attribute values by using ADSIEdit:

1. On the Start menu, point to Run and then type ADSIEdit.msc and press Enter.
2. Navigate to:

cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=

Where "ForestRootDN" is the Distinguished Name of your Active Directory Forest Root domain. For example, if your domain's name
is kuku.co.il, then the DN for it would be:

DC=kuku,DC=co,DC=il

3. Right-click and choose properties.

1 of 3 1/15/2011 12:27 PM
Changing the Tombstone Lifetime Attribute in Active Directory http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm

Online ad
100% free - Buy and sell anything OLX, all
classifieds in India
www.olx.in
Manage Active Directory
Streamline Active Directory Management. Free
30-day Trial
www.systemtools.com
Free Tombstone Generator
Design a personal tombstone of Your own. Test
it!
www.tombstonedesign.net
Buyers In 150 Countries
Large Network Of Businesses Looking For You.
Dont Miss This Amazing Opp
www.eBay.in

4. In the resultant properties dialog, scroll down to tombstoneLifetime, select this attribute and choose Edit.

5. Configure the Tombstone Lifetime Period, then press Ok.

6. Click OK and then close ADSIEdit.

When you view properties on cn=Directory Service,cn=Windows NT, cn=Services,cn=Configuration,dc=, if no value is set it means that
the default value is in effect. Any value that you type in the Edit Attribute box replaces the default value when you click Set .

The default value for these two attributes applies if the attribute is not set (the initial state of the system).

Method #2: Using an LDIF file

Open Notepad and create a text file with the following content:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,

changetype: modify
replace: tombstoneLifetime
tombstoneLifetime:
-

Note: Don't forget the "-" on the last line, at the end.

Where is the Distinguished Name of your Active Directory Forest Root domain. For example, if your domain's name is kuku.co.il, then the
DN for it would be:

DC=kuku,DC=co,DC=il

Save this file as tombstoneLifetime.ldf (or similar).

Open the Command Prompt and type:

Ldifde –I –f {Path to tombstoneLifetime.ldf}

Method #3: Using a VBS script

You can read more about this option on the Change tombstone lifetime (VBScript) page, which presents code found in Chapter 17 of the
Active Directory Cookbook. See the following Links:

TechTasks Code Center

Active Directory Cookbook

Related Articles

Backup Windows Server 2003 Active Directory

2 of 3 1/15/2011 12:27 PM
Changing the Tombstone Lifetime Attribute in Active Directory http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm

Manually Undeleting Objects in Active Directory

Active Directory Offline Defragmentation
Recovering Deleted Items in Active Directory

AWS Privacy Policy | Site Info | Contact | Advertise ©2011 Blue Whale Web Inc. |

3 of 3 1/15/2011 12:27 PM