Dashboard
  |    info@waytoinfotech.com
  • Blog
  • Information Technology

  How to Check Tombstone Lifetime of Active Directory Server

How to Check Tombstone Lifetime of Active Directory Server

Managing Active Directory (AD) is crucial for maintaining a healthy and functional Windows environment in any organization. One of the critical aspects of AD management is understanding and monitoring the Tombstone Lifetime. In Active Directory, the Tombstone Lifetime determines how long deleted objects (or tombstones) remain restorable before they are permanently removed from the directory.

What is Tombstone Lifetime?

The Tombstone Lifetime is a period during which deleted objects in the Active Directory can be restored. When an object (such as a user, group, or computer) is deleted from AD, it isn't immediately removed from the database. Instead, it is converted into a "tombstone," which marks it as deleted but retains essential metadata for a specific duration.

Why is Tombstone Lifetime Important?

Understanding and correctly configuring the Tombstone Lifetime is crucial for several reasons:

  1. Deleted Object Recovery: It allows administrators to recover accidentally deleted objects without resorting to a full system restore or backup restoration.

  2. Active Directory Cleanup: It ensures that deleted objects are not retained indefinitely, thus preventing unnecessary database bloat.

Checking Tombstone Lifetime

To determine the Tombstone Lifetime in Active Directory, follow these steps:

  1. Using PowerShell:

    PowerShell provides a straightforward method to query the Tombstone Lifetime value. Here’s how you can do it:

    Import-Module ActiveDirectory
    $ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext
    $DirectoryServicesConfigPartition = Get-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Properties *
    $DirectoryServicesConfigPartition.tombstoneLifetime


  2. Using Active Directory Sites and Services:

    • Open Active Directory Sites and Services from the Administrative Tools.
    • Navigate to View > Show Services Node.
    • Expand the Services node, then expand Directory Service.
    • Right-click on CN=Directory Service and select Properties.
    • In the Attribute Editor, locate tombstoneLifetime and view its value in days.
Share :

Add New Comment

 Your Comment has been sent successfully. Thank you!   Refresh
Error: Please try again