Are you curious about how long the AD database stores deleted objects? Active Directory, Tombstone Lifetime attribute, determines this, and this article will show you how to change it to meet your organization’s needs.
In case you weren’t aware, the Tombstone Lifetime attribute determines how long Active Directory keeps an object before permanently deleting it. The default value is 180 days for some server versions and 60 for others, but you can modify this value to meet your specific needs.
So, in this article, I will show you two methods to modify the Tombstone Lifetime for your AD forest. Specifically, this guide has steps to perform the task via ADSI Edit and PowerShell.
Finally, you can read my FAQ section, where I answer questions most people ask about AD Tombstone Lifetime.
Modify Active Directory Tombstone Lifetime with ADSI Edit
The ADSI Edit tool offers you the quickest method to change the AD Tombstone Lifetime attribute. Follow the steps below to use this tool to access and modify the value of the Tombstone Lifetime attribute.
- How to Restore Active Directory from Backup
- How to Export or Import AD (Active Directory) Group Members
- Firstly, search ADSI Edit and open it.
- Then, right-click ADSI Edit on the left pane and select Connect to…
- On the “Connection Settings” pop-up, click the Select a well known Naming Context drop-down and select Configuration. The “Connection Settings” pop-up will now look like the second screenshot below.
Then, to continue, click OK.
- When you clicked OK in step 3, ADSI Edit will add the “Configuration” Context for your AD forest. To expand the context, click on it. Then, navigate to the path below.
To navigate, click a node, then click the arrow to the left to expand it.
Cofiguration => CN=Configuration => CN=Services => CN=Windows NT
- Next, right-click CN=Directory Service and select Properties.
- Finally, to adjust the Active Directory Tombstone Lifetime attribute, locate the value from the CN=Directory Service Properties and double-click it.
When the TombstoneLifetime attribute opens, modify the value and click OK – see my second screenshot below for details.
Change the Active Directory Tombstone Lifetime Attribute with PowerShell
Like many other Active Directory tasks, you can modify the Tombstone Lifetime attribute of your AD forest using PowerShell.
Below are the procedures:
- Run PowerShell as administrator. Then, to get the current value of the Tombstone Lifetime attribute, run the commands below:
$ADFNC = (Get-ADRootDSE).configurationNamingContext
(Get-ADObject -identity "CN=Directory Service,CN=Windows NT,CN=Services,$ADFNC” -properties "tombstonelifetime").tombstonelifetime
If you’ve not previously modified the Tombstone attribute, the command should return 180, which is the default value.
- Now to change the value, run this command…
$ADFNC = (Get-ADRootDSE).configurationNamingContext
Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADFNC” -Partition $ADFNC -Replace @{tombstonelifetime='213'}
The last command sets the Tombstone Lifetime attribute to 213 days (7 months). To confirm that you modified the value successfully, re-run the Get-ADObject command again…
(Get-ADObject -identity "CN=Directory Service,CN=Windows NT,CN=Services,$ADFNC” -properties "tombstonelifetime").tombstonelifetime
Frequently Asked Questions
In AD, the Tombstone Lifetime attribute determines how long a deleted object stays in the Active Directory database before AD deletes it permanently.
This value determines how long you can safely restore a deleted object from AD. So, it is a very important factor when you develop your AD disaster recovery strategy.
In Active Directory 2016, the default tombstone lifetime is 180 days. All servers from Windows Server 2003 SP1 and above have a tombstone lifetime of 180 days.
However, the tombstone lifetime Lifetime for Windows Server 2003 RTM, Windows Server 2003 R2, and Windows Server 2003 R2 are 60 days.
To check the Tombstone Lifetime attribute in Active Directory 2016 and other server editions, follow the steps below:
a) Open ADSI Edit, then connect to the “Configuration” Naming Context
b) Next, navigate to CN=Directory Service, right-click the property, and select Properties. 
c) Finally, locate tombstoneLifetime attribute, double-click it, change the value, and click OK.
For the steps to change the Tombstone Lifetime in PowerShell, read this section of this guide – Change the Active Directory Tombstone Lifetime Attribute with PowerShell (link opens in the same window).
Active Directory keeps deleted objects based on the value (in days) set in the Tombstone Lifetime value of the Forest. In Windows Server 2003 SP1 and upwards, this value is 80 days.
So, when you delete an object, AD keeps it for 180 days before permanently deleting it from the database.
My Final Thoughts
Before you modify the Tombstone Lifetime attribute value for your Active Directory forest, it is important to understand the implication.
Essentially, this value affects how long AD keeps deleted objects before it permanently deletes them from the database. You need to be cautious while changing this value because it affects your ability to restore deleted objects.
So, before you modify this value, consider how often you receive requests to restore deleted objects.
Once you are confident that you wish to change the tombstone lifetime attribute value, you can use one of the methods discussed in this article to modify it.
References and Further Reading
- Changing the Tombstone Lifetime Attribute in Active Directory | Petri IT Knowledgebase
- 16.18. Modifying the Tombstone Lifetime for a Domain – Active Directory Cookbook [Book] (oreilly.com)
- How can I check the tombstone lifetime of my Active Directory forest? (windowstechno.com)
- Eng. Alessandro Mazzanti: Microsoft – Determine the tombstone lifetime for the forest
To ask a question or comment about this article, visit the article's topic at Itechguides Community