What is the tombstone lifetime?

This is a question I get a lot when delivering trainings or helping customers. Most people know the value, but not what it actually means.
The Tombstone Lifetime is an attribute of the Directory Service object in the Configuration partition, which you can find with ADSI Edit at CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=WindowsRockstar,DC=com.

By default the attribute is in one of two states, depending on the OS version that was used when the forest was first deployed.
It can have no value at all: this means the forest was created on Windows Server 2000, Windows Server 2003 or Windows Server 2008, and the effective Tombstone Lifetime is 60 days.
For forests created on Windows Server 2008 R2 or later, the Tombstone Lifetime attribute is set to 180 days.

The minimum value that we can set the Tombstone Lifetime to is 2 days. If we set it lower, it falls back to 60 days (Windows Server 2000, Windows Server 2003 or Windows Server 2008) or to 2 days on Windows Server 2008 R2 and later.

Below is an image with the default value in Windows Server 2022.

[Image: the Tombstone Lifetime attribute with its default value on Windows Server 2022]

Finding out the tombstone lifetime is easy and I wrote about it here.

The tombstone lifetime determines how long we can use an Active Directory backup and how long an object stays in the deleted or recycled state. More about this in a future article.

How long can I use my Active Directory Backup?

During my daily work I encounter a lot of confusion about this topic.

Let’s first discuss a couple of basic things about backing up Active Directory and why it is so important to use a Microsoft-supported solution.

When we are in a Disaster Recovery scenario and need to restore our Active Directory forest, we want to know that we can rely on Microsoft for help. To be able to do that we need to use a supported solution, which is Windows Server Backup.

What is the first step in our Disaster Recovery process?

Document your infrastructure! Document your topology!

What should we document?

  • The forest name
  • All domain names (root and child domains, including the NetBIOS name)
  • Domain Controller names, IP addresses, gateway, DNS settings, VLAN
  • Which site each domain controller is in
  • The site topology: sites, site links, replication schedules, connection objects (the replication topology)
  • Owners of the FSMO roles
  • What kind of backup is taken from each Domain Controller (Full Server Backup, System State, Bare Metal?)
  • What hardware each domain controller runs on
  • What virtualization platform is in use

The next step is to take a proper backup. Modern Windows Server operating systems do not come with Windows Server Backup installed by default, so the first thing to do is install it: go to Server Manager, Manage, Add Roles and Features, go to Features, select Windows Server Backup and install it.

After you install it, go to Server Manager, Tools, Windows Server Backup.

After Windows Server Backup has started, click on Local Backup, then on the right side click Backup Schedule.

After the wizard starts click Next; you then have two options: Full Server (recommended) or Custom.

If we select Full Server, all the needed data will be backed up: Bare Metal Recovery, System State, the recovery partition, and the contents of the disk drives.

If we select Custom, we need to click Add Items.

The selection window then opens.

What should we back up from here? The answer is: it depends. If we want to be able to perform a full forest recovery, we should back up everything (at least Bare Metal Recovery, System State, the recovery partition and the C: drive). If we only want to perform a non-authoritative restore of Active Directory, we can back up just the System State.

After we decide what to back up, we need to decide where to send the backup: a dedicated disk, a volume or a network share. Microsoft’s recommendation is to back up to a dedicated disk.

I will back up the full server to a disk.

After clicking Finish the disk will be formatted and used for the backup.

The backup will run as scheduled.
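The same procedure from PowerShell, as an added example that is not the article's own script: install the Windows Server Backup feature, build a "Full Server" style policy, point it at a dedicated disk and schedule it daily. It assumes the WindowsServerBackup module that ships with the feature, and the disk index `$BackupDiskIndex` and run time `$DailyRunTime` are placeholders you must set for your own server, because the chosen disk is formatted when the policy is applied.

```powershell
#Requires -RunAsAdministrator
# Added example: Windows Server Backup scheduled from PowerShell.
# $BackupDiskIndex and $DailyRunTime are assumptions; adjust them first.
$BackupDiskIndex = 1        # index into Get-WBDisk output; list it and pick the dedicated disk
$DailyRunTime    = '21:00'  # time of day the scheduled backup runs

# 1. Install the feature (Server Manager > Manage > Add Roles and Features > Features).
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}
Import-Module WindowsServerBackup

# 2. "Full Server" selection: bare metal recovery, system state and the critical
#    volumes (OS, boot and recovery partitions). Extra data volumes can be added
#    with Get-WBVolume -VolumePath 'D:' if the server holds any.
$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState       -Policy $policy
foreach ($volume in Get-WBVolume -CriticalVolumes) {
    Add-WBVolume -Policy $policy -Volume $volume
}

# 3. Destination: a dedicated disk, as Microsoft recommends. Print the disk list
#    so the index can be checked before the disk is wiped.
$disks = @(Get-WBDisk)
$disks
$target = New-WBBackupTarget -Disk $disks[$BackupDiskIndex] -Label 'DC-Backup'
Add-WBBackupTarget -Policy $policy -Target $target -Force   # -Force skips the format prompt

# 4. Daily schedule; VSS full backup marks the backup as a full one for
#    application writers such as the AD (NTDS) writer.
Set-WBSchedule -Policy $policy -Schedule ([datetime]$DailyRunTime)
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# 5. Apply the policy (the wizard's Finish button), then show what was registered.
Set-WBPolicy -Policy $policy -Force
Get-WBPolicy
```

Run it once on each domain controller you want protected; `Get-WBJob -Previous 1` afterwards shows whether the last scheduled run succeeded.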

To answer the question, how long can I use my Active Directory backup? For the duration of your Tombstone Lifetime setting. If your forest was started back in the Windows Server 2003 days or earlier, the default setting will be 60 days; starting with Windows Server 2008 R2 it is 180 days.

So the answer is: 60 or 180 days from the moment you took your backup, depending on your tombstone lifetime!

I will discuss the tombstone lifetime in a different article.
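Putting the two articles together, here is an added PowerShell example (not the author's script) that reads the Tombstone Lifetime from the Directory Service object described in the first article and then checks whether the newest Windows Server Backup on this domain controller is still inside that window. It assumes the ActiveDirectory and WindowsServerBackup modules are available, and it follows the article's rule that an unset attribute means 60 days; the function names are my own.

```powershell
# Added example: is my AD backup still usable? (not the article's own script)
Import-Module ActiveDirectory
Import-Module WindowsServerBackup

function Get-TombstoneLifetime {
    # The object lives under the forest's configuration naming context:
    # CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties tombstoneLifetime
    if ($null -eq $dsObject.tombstoneLifetime) {
        # Attribute not set: the forest predates 2008 R2, effective value is 60 days (per the article).
        return [pscustomobject]@{ Days = 60; Source = 'default (attribute not set)' }
    }
    [pscustomobject]@{ Days = [int]$dsObject.tombstoneLifetime; Source = 'tombstoneLifetime attribute' }
}

function Test-BackupWithinTombstoneLifetime {
    param([Parameter(Mandatory)][int]$TombstoneLifetimeDays)

    # Newest backup set known to Windows Server Backup on this DC.
    $latest = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
    if (-not $latest) {
        return [pscustomobject]@{ Usable = $false; Reason = 'no backup set found on this server' }
    }
    $ageDays   = [math]::Floor(((Get-Date) - $latest.BackupTime).TotalDays)
    $remaining = $TombstoneLifetimeDays - $ageDays
    [pscustomobject]@{
        BackupTime    = $latest.BackupTime
        AgeDays       = $ageDays
        RemainingDays = $remaining
        # A backup older than the tombstone lifetime must not be restored:
        # it would bring back objects the other DCs have already forgotten.
        Usable        = ($remaining -gt 0)
    }
}

$tsl = Get-TombstoneLifetime
Write-Host ("Tombstone lifetime: {0} days ({1})" -f $tsl.Days, $tsl.Source)
if ($tsl.Days -lt 2) { Write-Warning 'Value below the 2-day minimum; the effective lifetime falls back to the default.' }
Test-BackupWithinTombstoneLifetime -TombstoneLifetimeDays $tsl.Days | Format-List
```

Schedule this alongside the backup job: a `Usable = False` result is the signal that your Disaster Recovery backups have silently expired and a fresh one is needed before you can rely on them.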

Cool study about cybersecurity trends

Stumbled across a very interesting study “Considerations on Challenges and Future Directions in Cybersecurity” by the National CyberInt and CERT-RO organizations.

It can be accessed here: https://cert.ro/doc/CybersecurityRO2019.pdf

Take time to read it as it is quite detailed and very long.