Active Directory Recycle Bin Tombstone Lifetime

Here is what you need to know:

If the value of tombstoneLifetime is null (not set), it ALWAYS equals 60 days. This is confusing because there are Microsoft articles that say otherwise, but they are WRONG (see the joeware blog post below). I have also confirmed this in our environment.

To determine the tombstone lifetime for the forest using ADSIEdit

  1. Click Start, point to Administrative Tools, and then click ADSI Edit.
  2. In ADSI Edit, right-click ADSI Edit, and then click Connect to.
  3. For Connection Point, click Select a well known Naming Context, and then click Configuration.
  4. If you want to connect to a different domain controller, for Computer, click Select or type a domain or server: (Server | Domain [:port]). Provide the server name or the domain name and Lightweight Directory Access Protocol (LDAP) port (389), and then click OK.
  5. Double-click Configuration, CN=Configuration,DC=ForestRootDomainName, CN=Services, and CN=Windows NT.
  6. Right-click CN=Directory Service, and then click Properties.
  7. In the Attribute column, click tombstoneLifetime.

The ‘default’ value depends on the OS of the first DC installed in the forest (the attribute is set, or left unset, when the forest is created and is not changed by later OS upgrades of the DCs):

  • Windows 2000 (all SPs) = 60 days
  • Windows Server 2003 without SP = 60 days
  • Windows Server 2003 with SP1 = 180 days
  • Windows Server 2003 R2 with SP1 installed with both R2 discs = 60 days
  • Windows Server 2003 R2 with SP1 installed only with the first R2 disc = 180 days
  • Windows Server 2003 with SP2 = 180 days
  • Windows Server 2003 R2 with SP2 = 180 days
  • Windows Server 2008 = 180 days
  • Windows Server 2008 R2 = 180 days
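The ADSI Edit steps above can be scripted. The following is an added example (not from the original post) that reads tombstoneLifetime from the same CN=Directory Service object in the Configuration naming context and applies the rule described above: an unset attribute means the DCs use 60 days. It goes slightly beyond the text by also reading msDS-DeletedObjectLifetime, the Recycle Bin retention value on the same object, which likewise falls back to the tombstone lifetime when unset. It assumes the RSAT ActiveDirectory module on a domain-joined host; the function name and the -Server parameter are this example's own.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT) and a domain-joined host. Reads the forest-wide tombstoneLifetime
# and msDS-DeletedObjectLifetime from CN=Directory Service in the Configuration NC.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    [CmdletBinding()]
    param(
        # Optional DC to query (the equivalent of "Select or type a domain or
        # server" in ADSI Edit). Hypothetical parameter for this example.
        [string]$Server
    )

    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    # RootDSE supplies the forest's Configuration NC, so nothing is hard-coded.
    $configNC = (Get-ADRootDSE @common).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    $dsObject = Get-ADObject @common -Identity $dn `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    $rawTsl = $dsObject.tombstoneLifetime
    if ($null -eq $rawTsl) {
        # Attribute absent: the DCs fall back to 60 days, not 180.
        $tslDays = 60
        $tslNote = 'tombstoneLifetime not set; DCs use the built-in 60-day default'
    } else {
        $tslDays = [int]$rawTsl
        $tslNote = 'tombstoneLifetime explicitly set on CN=Directory Service'
    }

    # Recycle Bin retention: when unset it inherits the effective tombstone lifetime.
    $rawDol = $dsObject.'msDS-DeletedObjectLifetime'
    if ($null -eq $rawDol) {
        $dolDays = $tslDays
        $dolNote = 'msDS-DeletedObjectLifetime not set; equals the effective tombstone lifetime'
    } else {
        $dolDays = [int]$rawDol
        $dolNote = 'msDS-DeletedObjectLifetime explicitly set'
    }

    [pscustomobject]@{
        ConfigurationNC              = $configNC
        TombstoneLifetimeRaw         = $rawTsl
        TombstoneLifetimeDays        = $tslDays
        TombstoneLifetimeNote        = $tslNote
        DeletedObjectLifetimeRaw     = $rawDol
        DeletedObjectLifetimeDays    = $dolDays
        DeletedObjectLifetimeNote    = $dolNote
    }
}

# Usage: query the DC you are logged on to, or name one explicitly.
Get-TombstoneLifetime
# Get-TombstoneLifetime -Server dc01.corp.example
```

Any authenticated user can read the Configuration NC by default, so no elevated rights are needed just to check the value; changing it requires Enterprise Admin rights and, like the ADSI Edit route, should only be done after confirming every DC and backup in the forest is younger than the new lifetime.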

References:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/73c6c36d-4ec1-4957-a42a-4e0a2e131b27/tombstone-lifetime-attrubute

http://blog.joeware.net/2011/12/28/2355/

 

akers8806
