AD DS: Tombstone Lifetime


Windows Version – Default TSL
----------------------------------------
Windows Server 2000 – 60 days
Windows Server 2003 – 60 days
Windows Server 2003 SP1 – 180 days
Windows Server 2003 R2 – 60 days
Windows Server 2003 R2 SP2 – 180 days
Windows Server 2008 – 180 days
Windows Server 2008 R2 – 180 days
Windows Server 2012 – 180 days
Windows Server 2012 R2 – 180 days (not confirmed)

(thanks for this data go to Mathias R. Jessen, see his answer to this question on serverfault.com)

How to check the current setting?

You can check it with the dsquery command:

dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=" -scope base -attr tombstonelifetime

How to change it?

Use ADSI Edit and change the tombstoneLifetime value of the Directory Service object. The Directory Service object resides in the configuration partition of the AD forest (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com).

Why should I care?

This interval is used to prevent the introduction of lingering objects into your AD DS when you perform a restore. If you need to restore a global catalog, the age of your backup should not exceed the tombstone lifetime for the restore to succeed. So if you need to restore AD objects older than 60 days, you should change your tombstone lifetime setting accordingly.
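
The check and the backup-age rule described above, combined into one PowerShell function. This is an added example, not code from the original post. The function name, its parameters and the sample dates are hypothetical; the live lookup assumes the ActiveDirectory (RSAT) module, and the 60-day fallback reflects that an unset tombstoneLifetime attribute means 60 days.

```powershell
# Added example: function and parameter names are hypothetical, not from the post.
function Test-BackupAgainstTombstoneLifetime {
    [CmdletBinding()]
    param(
        # When the backup was taken.
        [Parameter(Mandatory)] [datetime] $BackupTime,
        # Optional override so the comparison can be tried without a domain.
        [int] $TombstoneLifetimeDays = 0,
        # Reference time for the age calculation.
        [datetime] $Now = (Get-Date)
    )

    if ($TombstoneLifetimeDays -le 0) {
        # Live lookup; needs the ActiveDirectory (RSAT) module and a reachable DC.
        Import-Module ActiveDirectory -ErrorAction Stop
        # Take the configuration partition DN from RootDSE instead of typing it.
        $configNC = (Get-ADRootDSE).configurationNamingContext
        $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
        $value = (Get-ADObject -Identity $dn -Properties tombstoneLifetime).tombstoneLifetime
        # An unset attribute means the 60-day default applies.
        $TombstoneLifetimeDays = if ($null -eq $value) { 60 } else { [int]$value }
    }

    $ageDays = [math]::Floor(($Now - $BackupTime).TotalDays)
    [pscustomobject]@{
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        BackupAgeDays         = $ageDays
        DaysRemaining         = $TombstoneLifetimeDays - $ageDays
        # The backup's age must not exceed the tombstone lifetime.
        BackupUsable          = $ageDays -le $TombstoneLifetimeDays
    }
}

# Constructed sample: one 75-day-old backup checked against a 60-day
# and a 180-day tombstone lifetime (no domain needed for these two calls).
$now    = Get-Date '2024-06-01'
$backup = $now.AddDays(-75)
Test-BackupAgainstTombstoneLifetime -BackupTime $backup -TombstoneLifetimeDays 60  -Now $now
Test-BackupAgainstTombstoneLifetime -BackupTime $backup -TombstoneLifetimeDays 180 -Now $now
```

Omitting -TombstoneLifetimeDays makes the function read the value from the forest it is run in.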
