
Active Directory Tombstone Lifetime Modification

The Tombstone is a container that holds objects deleted from Active Directory. When an object is deleted from Active Directory, it is not physically removed from the directory for some days. Instead, Active Directory sets the object's 'isDeleted' attribute to TRUE and moves it to a special container called Tombstone, previously known as CN=Deleted Objects.

Tombstones cannot be accessed through Windows Directories or through Microsoft Management Console (MMC) snap-ins. However, tombstones are visible to the directory replication process, so they are replicated to all domain controllers in the domain. This ensures that a deleted object is removed from every domain controller throughout Active Directory.

The tombstone lifetime attribute specifies the time period after which a tombstone is physically deleted from Active Directory. The default value of the tombstone lifetime attribute is 60 days, but you can change it if required. The tombstone lifetime is usually kept longer than the expected replication latency between domain controllers, so that a tombstone is not deleted before the deletion has replicated across the forest.

The tombstone lifetime attribute is the same on all domain controllers, and a tombstone is removed from all of them at the same time. This is because the expiration of a tombstone is based on the time the object was logically deleted from Active Directory, not the time at which a given domain controller received it as a tombstone through replication.

Changing Tombstone Lifetime Attribute

The tombstone lifetime attribute can be modified in three ways: using the ADSIEdit tool, using an LDIF file, or using a VBScript.

Using ADSIEdit Tool

The easiest method to modify the tombstone lifetime in Active Directory is to use ADSIEdit. The ADSIEdit tool is not installed automatically when you install Windows Server 2003; you need to install it separately from the Support Tools on the Windows Server 2003 CD.
If you don't have your CD to hand, you can download the Windows 2003 SP1 Support Tools from Firewall.cx.
To install the ADSIEdit tool and modify the tombstone lifetime in Active Directory with it, you need to:

  1. Insert the Windows Server 2003 CD.
  2. Browse the CD to locate the Support\Tools directory.
  3. Double-click the suptools.msi to proceed with the installation of support tools.
  4. Select Run command from the Start menu.
  5. Type ADSIEdit.msc to open the ADSI Editor, as shown below:

[Figure: tk-windows-tombstone-1]

The ADSI Edit window appears:
[Figure: tk-windows-tombstone-2]

  6. Expand the Configuration node, then expand the CN=Configuration,DC=Firewall,DC=cx node beneath it.
  7. Expand the CN=Services node.
  8. Drill down to CN=Directory Service under CN=Windows NT, as shown in the figure below:
[Figure: tk-windows-tombstone-3]

  9. Right-click CN=Directory Service and select Properties from the menu that appears. The CN=Directory Service Properties window appears, as shown below.
  10. Double-click the tombstoneLifetime attribute in the Attributes list.
[Figure: tk-windows-tombstone-4]

The Integer Attribute Editor window appears, as shown below:
[Figure: tk-windows-tombstone-5]

  11. In the Value field, enter the number of days that tombstone objects should remain in Active Directory.
  12. Click OK.
The tombstone lifetime has now been changed.

Other Ways Of Changing The Tombstone Lifetime Attribute

Using an LDIF file

To change the tombstone lifetime attribute using an LDIF file, you create the file in Notepad and then import it with the LDIFDE tool. The steps are:
1. Create a text file in Notepad with the following content:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <NumberOfDays>
-

2. Replace the values between <> with your own. Put the distinguished name of your Active Directory forest root domain in place of <ForestRootDN>, and the number of days you want the tombstone lifetime to be in place of <NumberOfDays>.

3. Don't forget to put "-" on the last line.

4. Save the file with .ldf extension.

5. Open a Command Prompt and run the following command:
c:\> ldifde -i -f <Path to tombstoneLifetime.ldf> -v
The tombstone lifetime has now been changed.

Using a VBScript

To change the tombstone lifetime using VBScript, enter the following code with the appropriate values and execute the script.

' Number of days tombstones are kept; replace <NumberOfDays> with an integer
intTombstoneLifetime = <NumberOfDays>
' Bind to RootDSE to discover this forest's Configuration naming context
Set objRootDSE = GetObject("LDAP://RootDSE")
' Bind to the Directory Service object that carries the tombstoneLifetime attribute
Set objDSCont = GetObject("LDAP://cn=Directory Service,cn=Windows NT," & _
    "cn=Services," & objRootDSE.Get("configurationNamingContext"))
' Set the new value in the local property cache, then commit it to the directory
objDSCont.Put "tombstoneLifetime", intTombstoneLifetime
objDSCont.SetInfo
WScript.Echo "The tombstone lifetime is set to " & intTombstoneLifetime
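As an added example that is not part of the original article, the same change done with the ActiveDirectory PowerShell module: it reads the current value first (treating an unset attribute as the 60-day default described above), refuses values below a floor, and reads the value back from the domain controller it wrote to. It assumes the RSAT ActiveDirectory module is installed, a domain controller running Active Directory Web Services is reachable, and the caller has rights on the Configuration partition; the 180-day target and 60-day floor are assumed values to adjust for your forest.

```powershell
# Added example, not part of the original article. Reads, validates, sets and
# verifies tombstoneLifetime through the ActiveDirectory PowerShell module.
param(
    [int]$NewLifetimeDays = 180,  # assumed target; adjust for your forest
    [int]$MinimumDays = 60,       # floor: never below the default described above
    [switch]$Apply                # without -Apply the script only reports
)

Import-Module ActiveDirectory -ErrorAction Stop

# Same object the ADSIEdit, LDIF and VBScript methods modify; the DN is built
# from RootDSE so the script works in any forest without hard-coded names.
$rootDse = Get-ADRootDSE
$dc      = $rootDse.dnsHostName
$dsDn    = "CN=Directory Service,CN=Windows NT,CN=Services," +
           $rootDse.configurationNamingContext

$dsObj = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime -Server $dc
if ($null -eq $dsObj.tombstoneLifetime) {
    $current = 60   # attribute absent: the default the article describes applies
    Write-Host "tombstoneLifetime is not set; the default of $current day(s) applies."
} else {
    $current = [int]$dsObj.tombstoneLifetime
    Write-Host "Current tombstoneLifetime: $current day(s)."
}

# A lifetime shorter than replication latency lets a tombstone expire on one DC
# before the other DCs learn of the deletion, leaving the object behind on them.
if ($NewLifetimeDays -lt $MinimumDays) {
    throw "Refusing to set tombstoneLifetime to $NewLifetimeDays day(s): below the $MinimumDays-day floor."
}
if ($NewLifetimeDays -lt $current) {
    Write-Warning "Lowering tombstoneLifetime shortens the window in which deleted objects can still be recovered."
}

if (-not $Apply) {
    Write-Host "Dry run: re-run with -Apply to set tombstoneLifetime to $NewLifetimeDays day(s)."
    return
}

Set-ADObject -Identity $dsDn -Replace @{ tombstoneLifetime = $NewLifetimeDays } -Server $dc

# Read back from the same DC so the check does not depend on replication.
$verify = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime -Server $dc
if ([int]$verify.tombstoneLifetime -ne $NewLifetimeDays) {
    throw "Verification failed: $dc reports tombstoneLifetime = $($verify.tombstoneLifetime)."
}
Write-Host "tombstoneLifetime on $dc is now $NewLifetimeDays day(s); it will replicate to the other DCs."
```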

Article Summary

This article explained what the Active Directory tombstone lifetime attribute is and how you can change it to control when deleted objects are physically removed by the Active Directory replication process. We covered three different methods in detail so that any Windows administrator has the information needed to perform the change.
