The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a “tombstone”) is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.
The tombstone process, in basic terms:
- The object is deleted.
- AD marks it as a deleted object by setting the object's "isDeleted" attribute to TRUE.
- At the same time, AD strips most of the attributes from the object.
- AD renames the object.
- AD moves it to a special container in the object's naming context (NC) named CN=Deleted Objects.
- The object is now called a tombstone.
- The object is no longer visible from ADUC (to administrators).
Here is the tricky part: the tombstone is still visible to the Active Directory replication process. Why is that so? Remember the multi-master replication model. In order to make sure the deletion is performed on all the DCs that host the object being deleted, Active Directory replicates the tombstone to the other DCs. Thus the tombstone is what carries the deletion throughout the Active Directory environment. This is also why a DC that has been offline for longer than the tombstone lifetime is a problem: it can miss the tombstone entirely and keep a copy of the object (a "lingering object") that no longer exists anywhere else.
The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition. To view it in ADSI Edit:
- Connect to the configuration naming context on a DC (the DC name).
- Expand CN=Configuration,DC=<forest root domain> and then CN=Services.
- Expand CN=Windows NT.
- Right-click CN=Directory Service and choose Properties.
- The attribute name is tombstoneLifetime.
On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.
On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.
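The ADSI Edit walk above and the tombstone process described earlier can both be checked from PowerShell. The following script is an added example, not part of the original post: it reads the effective tombstone lifetime (treating a "not set" attribute as the 60-day default described above) and lists the current tombstones in the Deleted Objects container with an estimate of how many days remain before garbage collection removes them. It assumes the RSAT ActiveDirectory module is installed, the machine is domain-joined, and the account can read the Deleted Objects container (by default only Domain Admins can).

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and rights to read CN=Deleted Objects in the target domain.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # The Directory Service object sits under CN=Windows NT,CN=Services in the
    # configuration naming context; rootDSE tells us that partition's DN.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsDN     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $dsObject = Get-ADObject -Identity $dsDN -Properties tombstoneLifetime

    if ($null -eq $dsObject.tombstoneLifetime) {
        # Attribute "not set": the pre-SP1 forest default of 60 days applies.
        return 60
    }
    return [int]$dsObject.tombstoneLifetime
}

function Get-Tombstones {
    param(
        # Domain whose Deleted Objects container to query; defaults to the current one.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $lifetime = Get-TombstoneLifetimeDays

    # Tombstones are hidden from ADUC but readable with -IncludeDeletedObjects.
    # The Deleted Objects container itself carries isDeleted=TRUE, so exclude it.
    Get-ADObject -Server $Domain -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
                 -Properties isDeleted, whenChanged, lastKnownParent, objectClass |
        Where-Object { $_.DistinguishedName -notlike 'CN=Deleted Objects,DC=*' } |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged,
            @{ Name = 'DaysUntilGC'
               # whenChanged is updated when the object is tombstoned, so it is a
               # reasonable approximation of the deletion time.
               Expression = { [int]($_.whenChanged.AddDays($lifetime) - (Get-Date)).TotalDays } }
}

# Usage: report the lifetime, then the tombstones with the least time left first.
"Effective tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
Get-Tombstones | Sort-Object DaysUntilGC | Format-Table -AutoSize
```

Two practical uses for the output: a system-state backup older than the reported lifetime cannot be used for an authoritative restore, because its contents would predate the tombstones the other DCs still hold; and a tombstone with DaysUntilGC close to zero is the last chance to recover the object (its lastKnownParent tells you where it lived) before garbage collection removes it for good.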