Active Directory Tombstone

Focus: Active Directory Tombstone, TSL, Tombstone reanimation

Active Directory Tombstone

When an object is deleted from Active Directory it is not removed straight away; it is said to be tombstoned. The tombstone is a stripped-down copy of the object that replicates to the other Domain Controllers, which is how every DC learns about the deletion and removes its own copy.
The tombstoned object is retained in AD for a period defined by the tombstone lifetime (TSL). When an object is tombstoned, most of its attributes are stripped, it is renamed and moved to the hidden Deleted Objects container of its partition, and it becomes invisible to normal directory operations. Only queries that send the Show Deleted Objects LDAP control (for example from ldp.exe) can see it.

Within the TSL the object can be recovered at any time; this is called tombstone reanimation. A reanimated object does lose many of its properties, for example its group memberships, because those attributes were stripped when the tombstone was created, so they have to be restored by hand or from a backup.
After the TSL expires, the garbage collection process, which runs every 12 hours by default on each DC, deletes the object permanently from Active Directory.
The TSL also sets a hard limit for recovery in the other direction: a DC that has been offline for longer than the TSL, or a system state backup older than the TSL, must not be brought back into the forest, because it can reintroduce objects that the other DCs have already garbage collected (lingering objects).
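The reanimation described above, as an added PowerShell example that is not part of the original post: it finds a tombstoned user under CN=Deleted Objects with the Show Deleted Objects control, then reanimates it with the single LDAP modify that ldp.exe performs (remove isDeleted and set a new distinguishedName in one operation). The DC name, domain DN, account name and target OU are placeholders; it assumes the caller holds the Reanimate Tombstones right on the domain and that the AD Recycle Bin is not enabled (with the Recycle Bin enabled, Restore-ADObject is the right tool).

```powershell
# Added example: reanimate a tombstoned user over LDAP (System.DirectoryServices.Protocols).
# All names below are placeholders; adjust them for your forest.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.corp.example'            # placeholder DC
$DomainDn = 'DC=corp,DC=example'           # placeholder domain naming context
$Sam      = 'jdoe'                         # placeholder sAMAccountName of the deleted user
$TargetOu = 'OU=Staff,DC=corp,DC=example'  # placeholder OU used if lastKnownParent is missing

# Escape user-supplied text before putting it in an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$s) {
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true   # sign and seal: a reanimation request
$conn.SessionOptions.Sealing = $true   # should never cross the wire in clear text
$conn.Bind()                           # current Windows credentials

# 1. Locate the tombstone. Without ShowDeletedControl the search returns nothing.
$filter = "(&(isDeleted=TRUE)(sAMAccountName=$(ConvertTo-LdapFilterValue $Sam)))"
$search = [System.DirectoryServices.Protocols.SearchRequest]::new(
    "CN=Deleted Objects,$DomainDn", $filter,
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    @('lastKnownParent', 'objectGUID'))
$search.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new()) | Out-Null
$resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($search)
if ($resp.Entries.Count -ne 1) { throw "Expected exactly one tombstone for $Sam, found $($resp.Entries.Count)" }
$entry     = $resp.Entries[0]
$deletedDn = $entry.DistinguishedName      # e.g. CN=John Doe\0ADEL:<guid>,CN=Deleted Objects,DC=corp,DC=example

# 2. Rebuild the original RDN: strip the "\0ADEL:<guid>" suffix AD appended on deletion.
$deletedRdn  = $deletedDn.Substring(0, $deletedDn.IndexOf(',CN=Deleted Objects'))
$originalRdn = $deletedRdn -replace '\\0ADEL:.*$', ''
$parent = $TargetOu
if ($entry.Attributes['lastKnownParent']) {
    $parent = $entry.Attributes['lastKnownParent'].GetValues([string])[0]
}
$newDn = "$originalRdn,$parent"

# 3. Reanimate: isDeleted must be removed and distinguishedName replaced in ONE modify.
$modify = [System.DirectoryServices.Protocols.ModifyRequest]::new()
$modify.DistinguishedName = $deletedDn
$dropIsDeleted = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
$dropIsDeleted.Name = 'isDeleted'
$dropIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
$setDn = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
$setDn.Name = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$setDn.Add($newDn) | Out-Null
$modify.Modifications.Add($dropIsDeleted) | Out-Null
$modify.Modifications.Add($setDn) | Out-Null
$modify.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new()) | Out-Null
$conn.SendRequest($modify) | Out-Null   # throws DirectoryOperationException on failure

# 4. Read the reanimated object back. memberOf is empty: group membership was stripped
#    with the tombstone, so groups must be re-added by hand or from a backup.
$check = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $newDn, '(objectClass=*)',
    [System.DirectoryServices.Protocols.SearchScope]::Base,
    @('sAMAccountName', 'memberOf', 'userAccountControl'))
$restored = ([System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($check)).Entries[0]
[pscustomobject]@{
    DistinguishedName  = $restored.DistinguishedName
    SamAccountName     = $restored.Attributes['sAMAccountName'].GetValues([string])[0]
    GroupCount         = if ($restored.Attributes['memberOf']) { $restored.Attributes['memberOf'].Count } else { 0 }
    UserAccountControl = $restored.Attributes['userAccountControl'].GetValues([string])[0]
}
```

Run it as a domain administrator (or a delegated account with Reanimate Tombstones) on a domain-joined host. After reanimation, reset the password, re-enable the account if userAccountControl shows it disabled, and re-add group memberships; the script deliberately stops at reporting those so you can review the object before it becomes usable again.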

Find the TSL for your forest

The tombstone lifetime is stored once per forest, in the Configuration partition, so every domain in the forest shares it.

  1. Open adsiedit.msc
  2. Connect to the Configuration naming context
  3. Expand CN=Configuration > CN=Services > CN=Windows NT
  4. Right click CN=Directory Service and select Properties
  5. In the Attribute column look for the tombstoneLifetime value
This value (in days) is the TSL for your forest. If the value is <Not Set>, the effective TSL is 60 days: the 180-day default is written explicitly into the attribute when a forest is created on Windows Server 2003 SP1 or later, so <Not Set> is what you see in forests originally created on Windows 2000, Windows Server 2003 RTM or Windows Server 2003 R2 where nobody has raised it since.

Default TSL (determined by the OS of the first DC when the forest was created)

Windows 2000                 -  60 days
Windows Server 2003 (RTM)    -  60 days
Windows Server 2003 SP1      - 180 days
Windows Server 2003 R2       -  60 days
Windows Server 2008 and above - 180 days

Raising the forest to a newer functional level does not change the value; an old forest keeps 60 days until an administrator sets tombstoneLifetime by hand.
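The adsiedit lookup above and the <Not Set> rule, scripted as an added PowerShell example that is not part of the original post. It reads the same CN=Directory Service object through ADSI, applies the 60-day default when the attribute is absent, reads the garbage collection period (garbageCollPeriod, in hours, default 12) from the same object, and turns the TSL into the two dates an administrator actually needs: the oldest backup that may still be restored and the point after which an offline DC must not be reconnected. It assumes a domain-joined host; any authenticated user can read the Configuration partition.

```powershell
# Added example: read tombstoneLifetime and garbageCollPeriod from the Configuration
# partition and derive the operational cut-off dates. Names are standard AD paths.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

function Get-EffectiveTombstoneLifetime {
    # adsiedit shows <Not Set> when the attribute is absent; AD then uses 60 days.
    param([object]$RawValue)
    if ($null -eq $RawValue) { return 60 }
    return [int]$RawValue
}

function Get-EffectiveGarbageCollPeriod {
    # garbageCollPeriod is in hours; absent means the 12-hour default.
    param([object]$RawValue)
    if ($null -eq $RawValue) { return 12 }
    return [int]$RawValue
}

function Get-TombstoneDeadlines {
    # Given the TSL, compute the dates that matter for recovery decisions.
    param([int]$TslDays, [datetime]$Now = (Get-Date))
    [pscustomobject]@{
        OldestRestorableBackup = $Now.AddDays(-$TslDays)   # older backups can bring back garbage-collected objects
        DcOfflineLimit         = $Now.AddDays(-$TslDays)   # a DC last replicated before this must not be reconnected
        ReanimationDeadlineFor = { param([datetime]$DeletedOn) $DeletedOn.AddDays($TslDays) }
    }
}

$rawTsl  = $dsObj.Properties['tombstoneLifetime'].Value
$rawGc   = $dsObj.Properties['garbageCollPeriod'].Value
$tslDays = Get-EffectiveTombstoneLifetime $rawTsl
$gcHours = Get-EffectiveGarbageCollPeriod $rawGc
$dead    = Get-TombstoneDeadlines -TslDays $tslDays

[pscustomobject]@{
    ConfigurationNC        = $configNc
    TombstoneLifetimeDays  = $tslDays
    TslExplicitlySet       = ($null -ne $rawTsl)    # $false means adsiedit shows <Not Set>
    GarbageCollPeriodHours = $gcHours
    OldestRestorableBackup = $dead.OldestRestorableBackup
    DcOfflineLimit         = $dead.DcOfflineLimit
}

# Example: how long a user deleted on a given date (placeholder) can still be reanimated.
$deletedOn = Get-Date '2024-01-15'
"Object deleted on $($deletedOn.ToShortDateString()) is reanimatable until " +
    "$((& $dead.ReanimationDeadlineFor $deletedOn).ToShortDateString()); " +
    "garbage collection runs every $gcHours hours after that."
```

If TslExplicitlySet is $false in a forest that has been around since Windows 2000 or 2003, the forest is still on the 60-day value even though all DCs are now running a newer release; raise tombstoneLifetime explicitly (180 is the common choice) rather than assuming the newer default applies.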

