Active Directory: Tombstone Lifetime – Set it to the correct value.

If you have upgraded your Active Directory from Windows 2000 to Windows Server 2003 SP1, 2008 or 2008R2 (or if you installed a pristine Windows 2003/2003 R2 forest), there is a high probability that you have overlooked updating the Active Directory Tombstone Lifetime from 60 days to the new default of 180 days.

The tombstone lifetime needs to exceed the expected replication latency between all domain controllers in a forest, and it must be set correctly because it affects backup cycles and disaster recovery: restoring domain controllers or objects from a backup that is older than the tombstone lifetime is not permitted. If you expect a 180-day window of opportunity but the value is still set to 60 days, this can cause issues.

To determine the tombstone lifetime for the forest using ADSIEdit:

1. Click Start, Run, then type adsiedit.msc.
2. In ADSI Edit, select Action, then Connect to.
3. Under Connection Point, click Select a well known Naming Context and select Configuration.
4. If you want to connect to a different domain controller, in the Computer section click Select or type a domain or server: (Server | Domain [:port]), provide the server name or the domain name and the Lightweight Directory Access Protocol (LDAP) port (389), then click OK.
5. Double-click Configuration, CN=Configuration,DC=ForestRootDomainName, CN=Services, and CN=Windows NT.
6. Right-click CN=Directory Service and select Properties.
7. In the Attribute column, click tombstoneLifetime.

If the value is not set, the default value is in effect, as follows:

On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2008, or Windows Server 2008 R2, the default value is 180 days.

On a domain controller in a forest that was created on a domain controller running Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2, the default value is 60 days.

If the value of tombstoneLifetime is not set, the value is always 60 days.

To change the setting from 60 days to 180 days:

Change the tombstoneLifetime value to 180 if your domain has the incorrect value. The key phrase in the text above is "created on": this assumes that you have not set this value for some other business reason.

This has been confirmed with fellow DS-MVPs and validated in the source code. The KB article will be updated.

UPDATE 11/02/10

After further discussions with other MVPs on raising the tombstone lifetime from 60 to 180 days to match the new default, there is one extra factor which needs to be taken into consideration.

Suppose company X has two (or many) domain controllers, one in London and one in Sydney, and on the London DC the tombstoneLifetime is changed to 180.

When garbage collection runs on the London DC it should already have cleaned up all tombstones older than 60 days, but the London DC now has to keep tombstones for 180 days. As a result of this change, for the next 120 days the garbage collection process on the London DC has nothing to do.

Meanwhile, on the other side of the world, the Sydney DC, which has not yet received the new tombstoneLifetime via replication, runs the garbage collection process and cleans up items deleted 60 days ago.

In this scenario the London DC may now hold tombstones that were already cleaned up on the Sydney DC, leading various detection mechanisms to identify them as lingering objects.

The presence of lingering objects will prevent operations like schema updates for the next 120 days. The issue is self-resolving, but having to wait 120 days is not ideal. To avoid it, ensure garbage collection does not run in the meantime and immediately force replication after making the change to Active Directory, to ensure consistency.

A suggested approach to resolving this issue was to lower the tombstoneLifetime to, say, 50 days, wait for that to fully replicate and for the garbage collection process to run, and then increase the tombstoneLifetime value to 180.
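An added example (not the post's or Microsoft's own code) that scripts the ADSIEdit check above in PowerShell and, for the replication concern described in the update, compares the value across every DC in the forest. It assumes the RSAT ActiveDirectory module is installed, that you can read the Configuration partition, and, as the post states, that an unset tombstoneLifetime means 60 days (and an unset garbageCollPeriod means the 12-hour default).

```powershell
# Added example, not from the original post. Reads tombstoneLifetime and
# garbageCollPeriod from CN=Directory Service on every DC in the forest and
# flags inconsistencies, e.g. while waiting for a new TSL to replicate ahead
# of the next garbage collection run.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

function Get-TombstoneSetting {
    param([Parameter(Mandatory)][string]$Server)

    $rootDse = Get-ADRootDSE -Server $Server
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds      = Get-ADObject -Identity $dsPath -Server $Server -Properties tombstoneLifetime, garbageCollPeriod

    # What ADSIEdit shows as <not set> comes back as $null. Per the post, an unset
    # tombstoneLifetime means 60 days; an unset garbageCollPeriod means 12 hours.
    $tsl = if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }
    $gcp = if ($null -eq $ds.garbageCollPeriod) { 12 } else { [int]$ds.garbageCollPeriod }

    [pscustomobject]@{
        Server               = $Server
        TombstoneLifetimeRaw = $ds.tombstoneLifetime   # $null when not set
        EffectiveTslDays     = $tsl
        GarbageCollPeriodHrs = $gcp
    }
}

# Query every DC in every domain of the forest, each through its own LDAP service,
# so you see what each DC currently holds rather than one replica's view.
$results = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        try   { Get-TombstoneSetting -Server $dc.HostName }
        catch { Write-Warning "$($dc.HostName): $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

# The TSL is forest-wide: every DC should report the same value once replication
# has converged. A DC still on the old value garbage-collects on the old schedule,
# which is the London/Sydney lingering-object scenario described above.
$distinct = @($results.EffectiveTslDays | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "tombstoneLifetime has not converged: $($distinct -join ', ') days. Do not let garbage collection run until it has."
} elseif ($distinct[0] -lt 180) {
    Write-Warning "Effective tombstone lifetime is $($distinct[0]) days, not the newer 180-day default."
}
```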

Comments welcome.

9 thoughts on “Active Directory: Tombstone Lifetime – Set it to the correct value.”

  1. Hey,

    Any idea how to find out whether it’s 60 or 180 when the value is not set? Or how can one determine whether W2003, W2003 SP1, W2003SP2 media was used…

    Any thoughts?

  2. Thanks for looking into this. I noticed Joe has a related post about it now too. It’s great you guys are providing us with that kind of information.

  3. Thanks for the insight, Mark. How do I determine exactly when the next garbage collection thread is going to execute? I read about the 12 hour cycle. What I’m trying to know is the exact time of the next run.

    Or else, how do I change the value to 180 days in a branch office setup of over 500 DCs located globally?

    Thanks
    Rahul

    1. Rahul, the TSL setting is a forest wide setting; you only have to change it once. The garbage collection runs, as you state, every twelve hours. Set this reg key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\Garbage Collection to 1 and it will give you further insight in the event log.

  4. Good article, Mark.

    I intended to follow this for my own Forest, however, I ran into an issue. Manually triggering Garbage Collection didn’t affect the schedule in my tests. As a result, there was no guarantee that garbage collection wouldn’t run 5 minutes after being manually triggered, which could remove objects which had just hit the TSL – Small risk I know, but was enough to worry me.

    I am looking at other ways of doing this within my forest and I’m thinking of this approach:

    1. Increasing the garbageCollPeriod to 480, replicate.
    2. Changing the TSL to 180, replicate.
    3. Change the garbageCollPeriod back to , replicate.

    This appears to be the safest option to mitigate the risk of lingering objects and means I don’t have to hit every Domain Controller in my Forest.

    What do you think?

    Mark.

  5. Hey. Problems with this on Server 2008.

    There is no CN=Services – is this something that should be there by default or does it need to be created by me? I have OU=Services but no CN.

    1. CN=Services is under the Configuration partition. To access this, use ADSIEDIT.msc, but proceed with caution when using this tool as you have the AD open in a raw format.
