Active Directory – finding the tombstone lifetime

One of the things that impacts the validity of an Active Directory backup is the tombstone lifetime.

To find it quickly we can use PowerShell and run the command below:

(Get-ADObject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=windowsrockstar,dc=com" -Properties "tombstonelifetime").tombstonelifetime

This will return the value in days. By default it will be 180 days if your forest started in Windows Server 2008. It will be 60 days, or return no result (which also means 60 days), if your forest started in Windows 2000 or 2003.

(Screenshot: tombstone lifetime returned by PowerShell)

There is also a GUI way of doing it, using ADSI Edit.

In the Connection Point section, select the "Select a well known Naming Context" radio button and choose Configuration from the dropdown list.

(Screenshot: ADSI Edit configuration naming context)

Expand Configuration; CN=Configuration,DC=; CN=Services; and CN=Windows NT. Then right-click CN=Directory Service and select Properties.
In the Attribute Editor tab of the properties window, locate the tombstoneLifetime attribute. Its value is the forest's current tombstone lifetime in days. If the attribute shows <not set>, the tombstone lifetime of the forest is 60 days.

(Screenshot: tombstone lifetime in ADSI Edit)

If you want to change the tombstone lifetime, you can edit the attribute and set it to the desired value in days.

If you want to change the tombstone lifetime with PowerShell, you can use the code below:

Set-ADObject -Server DCNAME "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=domainname,dc=domainsuffix" -Replace @{'tombstonelifetime'=240}

Don't forget that how long you can use an Active Directory backup depends on the tombstone lifetime: a backup older than the tombstone lifetime should not be restored.
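As an added example (not the post's own code), the following PowerShell reads the forest's tombstone lifetime from the configuration naming context reported by RootDSE instead of a hard-coded DN, treats <not set> as the 60-day default, and compares a backup's age against it. It assumes the RSAT ActiveDirectory module and a reachable domain controller; the function names and the 45-day sample backup are mine.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    param([string]$Server)
    # Build the DN from RootDSE so the script works in any forest without editing.
    $rootDse = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $params = @{ Identity = $dn; Properties = 'tombstoneLifetime' }
    if ($Server) { $params.Server = $Server }
    $obj = Get-ADObject @params
    # An unset attribute comes back as $null; the forest then uses the 60-day default.
    if ($null -eq $obj.tombstoneLifetime) { return 60 }
    return [int]$obj.tombstoneLifetime
}

function Test-BackupAge {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays
    )
    $ageDays = [int][math]::Floor(((Get-Date) - $BackupDate).TotalDays)
    [pscustomobject]@{
        BackupDate = $BackupDate
        AgeDays    = $ageDays
        TSLDays    = $TombstoneLifetimeDays
        # A backup is only usable while it is younger than the tombstone lifetime.
        Usable     = $ageDays -lt $TombstoneLifetimeDays
        DaysLeft   = $TombstoneLifetimeDays - $ageDays
    }
}

$tsl = Get-TombstoneLifetimeDays
# Constructed sample input: a backup taken 45 days ago.
Test-BackupAge -BackupDate (Get-Date).AddDays(-45) -TombstoneLifetimeDays $tsl | Format-List
```

With the default 180-day lifetime the sample reports Usable = True and 135 days left; with a 60-day forest the same backup shows 15 days left.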