What is a tombstone in Active Directory

Posted on 2014-03-23
Medium Priority
Last Modified: 2014-03-27
Not really sure what the tombstone is and when it is important to know / set its value.
Question by:elchermans
LVL 17

Assisted Solution

WORKS2011 earned 600 total points
ID: 39949539
What Is a Tombstone?
When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object's isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object's naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations. It does not show up in any Microsoft® Management Console (MMC) snap-ins, and most Lightweight Directory Access Protocol (LDAP) utilities are blissfully unaware of the tombstone's existence. The tombstone is, for all intents and purposes, gone. The data, however, is still there—it's just invisible. So why does Active Directory keep tombstones, otherwise deleted objects, in the database?
While invisible to other processes, a tombstone is visible to the Active Directory replication process. In order to make sure the deletion is performed on all the DCs that host the object being deleted, Active Directory replicates the tombstone to the other DCs. Thus the tombstone is used to replicate the deletion throughout the Active Directory environment.

For more info click here.
LVL 17

Expert Comment

ID: 39949548
...and when it is important to know / set its value
If you're not looking for a deleted object in Active Directory, I wouldn't worry about it.
LVL 38

Accepted Solution

Mahesh earned 1400 total points
ID: 39949714
The tombstone lifetime value states how many days deleted objects remain in the Deleted Objects container.
The basic purpose of the tombstone is to keep all domain controllers in sync.
For example:
A DC at one location crashes today.
Tomorrow you delete 10 user objects from AD.
The object deletion is replicated to all domain controllers and the objects are deleted from the DCs at every location.
Now you non-authoritatively restore last week's system state backup, which contains those 10 objects, onto the failed DC at that location.
After the restore, when you reboot the DC and bring it online, it will try to communicate with the other DCs. The other DCs will notice that 10 user objects are present on one DC which are not in the AD database but are tombstoned, so they replicate those tombstoned objects to that DC, which tells it that those 10 user objects are already deleted, and it deletes them.

Now you will wonder how the other DCs identify that the objects are already deleted; this is discovered with the USN (Update Sequence Number).
When an AD object is created for the first time it is assigned a USN, and upon any modification this number increases.
When you back up the AD system state while the objects are not yet deleted, each object has one USN value.
When you delete those objects from AD, their USN is updated, and the same is replicated to all DCs except the DC that crashed.
After restoring the DC from backup, it has the objects with the old USN, so the other DCs can see that the tombstoned objects they hold have a more recent USN than the live objects on the restored DC, and they tell that DC that they have more up-to-date information, so it must update itself.
In order to update itself it deletes those objects from its AD database and matches the USN.

In contrast, sometimes in order to recover deleted objects you need to do a non-authoritative restore of the system state backup followed by an authoritative restore of the deleted objects only, which increases the USN of the restored objects so that the other DCs notice the updated USN on the restored DC and undo the objects' deletion (in short, restore the objects from tombstone to the live database).

By default Windows 2000 and 2003 domain controllers have the tombstone lifetime set to 60 days.
If you upgraded a 2003 server to SP1, this limit remains the same.
When you install a new Active Directory forest with 2003 SP1 integrated, the tombstone period is 180 days by default.
This value remains the same for later OS versions as well, straight through to 2012 R2.
You can change the tombstone lifetime of all objects by changing the value of the attribute below.
After the tombstone period expires for an object in the Deleted Objects container, those tombstone objects are permanently deleted from AD on all domain controllers during garbage collection.

To determine the tombstone lifetime for the forest using ADSI Edit
Note that the tombstone lifetime is enforced on all domains in the forest and is set in the Configuration container.
Click Start, point to Administrative Tools, and then click ADSI Edit.
In ADSI Edit, right-click ADSI Edit, and then click Connect to.
For Connection Point, click Select a well known Naming Context, and then click Configuration.
If you want to connect to a different domain controller, for Computer, click Select or type a domain or server: (Server | Domain [:port]). Provide the server name or the domain name and Lightweight Directory Access Protocol (LDAP) port (389), and then click OK.
Double-click Configuration, CN=Configuration,DC=ForestRootDomainName, CN=Services, and CN=Windows NT.
Right-click CN=Directory Service, and then click Properties.
In the Attribute column, click tombstoneLifetime.
Note the value in the Value column. If the value is <not set>, the value is 60 days.
Normally it is equal to 180 days for 2003 SP1 and above, and you can change that value.
The minimum value is 2 days; even if you set it to 0, an event is logged in Event Viewer saying that it can be set to a minimum of 2 days.
There is no rule for how large this value should be; it depends on your organization's policy for how many days you want to retain old AD system state backups.
Most of the time the default 180 days is enough.
You need to decide this value based on your backup strategy,
because you can't use an AD system state backup for restoration that is older than the tombstone lifetime.
That means if you have the tombstone lifetime set to 180 days and you want to restore AD today, your backup must not be older than 180 days from today; otherwise it will create lingering objects.
Lingering objects are objects for which no tombstone objects are present in AD to track them.
For example:
You have one DC offline for more than 6 months.
Somebody has mistakenly started it today.
Now guess what happens: on the other DCs some objects were deleted long ago, and their tombstone objects have also been garbage collected from AD.
When your old DC comes online it starts replicating the restored objects (lingering objects) in its database, for which the tombstone objects are already deleted from the other DCs, so they can't track those objects' status and simply assume that these are new objects and start creating them as part of the normal replication process.
Microsoft has found this behavior and has developed a mechanism to stop replication with a DC containing lingering objects.
Read more on lingering objects.

The same thing is true in case you restore an old system state backup beyond the tombstone lifetime.
Other cases where lingering objects are generated: any online DC that did not get AD replication for longer than the tombstone lifetime due to DNS lookup failures, GC latency, replication port issues, and hence replication failure, etc.
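The following PowerShell is an added example for this thread, not code posted by WORKS2011 or Mahesh. It automates the checks the two answers describe: it reads tombstoneLifetime from the same CN=Directory Service object the ADSI Edit steps walk to (treating <not set> as 60 days), derives the oldest system state backup that is still safe to restore, lists the tombstones that ordinary LDAP searches hide along with the date each one will be garbage collected, and flags any DC whose last successful inbound replication is older than the lifetime, which is the lingering-object condition. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read the Configuration NC and the Deleted Objects container; the variable names are this example's own.

```powershell
# Added example, not code from the original thread. Assumes the ActiveDirectory
# module (RSAT) on a domain-joined host with rights to read the Configuration NC
# and the Deleted Objects container. Attribute and DN names are the standard AD
# ones; $tsl, $cutoff and $dsObject are this example's own variable names.
Import-Module ActiveDirectory

# 1. tombstoneLifetime is forest-wide and lives on CN=Directory Service in the
#    Configuration NC, the same object the ADSI Edit steps above lead to.
$rootDse  = Get-ADRootDSE
$dsObject = Get-ADObject `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime

# <not set> means the forest predates 2003 SP1 and uses the 60-day default.
if ($null -ne $dsObject.tombstoneLifetime) {
    $tsl = [int]$dsObject.tombstoneLifetime
    "Forest tombstone lifetime: $tsl days"
} else {
    $tsl = 60
    "Forest tombstone lifetime: attribute not set, so the 60-day default applies"
}

# 2. A system state backup older than this date must not be restored: the
#    tombstones that would clean up its deleted objects have already been garbage collected.
$cutoff = (Get-Date).AddDays(-$tsl)
"Oldest usable system state backup: $($cutoff.ToString('yyyy-MM-dd'))"

# 3. Tombstones are invisible to normal LDAP queries; -IncludeDeletedObjects asks
#    for them explicitly. whenChanged is the deletion time, and the tombstone is
#    garbage collected $tsl days after that. The Deleted Objects container is itself
#    flagged isDeleted, so it is filtered out by its DN.
"Current tombstones in $($rootDse.defaultNamingContext):"
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
        -Properties whenChanged, lastKnownParent, objectClass |
    Where-Object { $_.DistinguishedName -notlike 'CN=Deleted Objects,*' } |
    Select-Object Name, objectClass, lastKnownParent,
        @{ n = 'DeletedOn'; e = { $_.whenChanged } },
        @{ n = 'GarbageCollectOn'; e = { $_.whenChanged.AddDays($tsl) } } |
    Sort-Object DeletedOn |
    Format-Table -AutoSize

# 4. Lingering-object risk: a DC whose last successful inbound replication for a
#    partition is older than the cutoff has missed deletions whose tombstones are
#    gone, so nothing can tell it those objects no longer exist.
"Replication partners not successfully replicated since $($cutoff.ToString('yyyy-MM-dd')):"
Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target $_.HostName -Scope Server -ErrorAction SilentlyContinue
} | Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
    Select-Object Server, Partition, Partner, LastReplicationSuccess |
    Format-Table -AutoSize

# To change the lifetime forest-wide (the directory rejects values below 2 days,
# as the answer above notes), uncomment:
# Set-ADObject -Identity $dsObject -Replace @{ tombstoneLifetime = 180 }
```

Run it from an elevated PowerShell session on a DC or an RSAT workstation. Section 3 only searches the domain NC the session is connected to; tombstones in other domains or in the Configuration NC need a separate -SearchBase. An empty table in section 4 is the healthy result; any row there is a DC that should not be allowed back into replication until it has been cleaned up or rebuilt.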

