
Microsoft - Determine the tombstone lifetime for the forest

It is important to know the tombstone lifetime of your forest/domain in case you need to restore a single user, OU and so on with the ADRestore.exe utility (take a look at the following Microsoft article):

http://technet.microsoft.com/it-it/library/cc784932%28v=ws.10%29.aspx


Applies to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server 2008 R2 Foundation, Windows Server 2012

The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a “tombstone”) is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.
You can use this procedure to determine the tombstone lifetime for the forest.
Membership in Domain Users, or equivalent, is the minimum required to complete this procedure.

More details: Default local and domain groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To determine the tombstone lifetime for the forest using ADSIEdit

  1. Click Start, point to Administrative Tools, and then click ADSI Edit.
  2. In ADSI Edit, right-click ADSI Edit, and then click Connect to.
  3. For Connection Point, click Select a well known Naming Context, and then click Configuration.
  4. If you want to connect to a different domain controller, for Computer, click Select or type a domain or server: (Server | Domain [:port]). Provide the server name or the domain name and Lightweight Directory Access Protocol (LDAP) port (389), and then click OK.
  5. Double-click Configuration, CN=Configuration,DC=ForestRootDomainName, CN=Services, and CN=Windows NT.
  6. Right-click CN=Directory Service, and then click Properties.
  7. In the Attribute column, click tombstoneLifetime.
  8. Note the value in the Value column. If the value is not set, the tombstone lifetime is 60 days.

To determine the tombstone lifetime for the forest using Dsquery

  1. Open a Command Prompt window. To open a command prompt, click Start, click Run, type cmd, and then press ENTER.
  2. At the command prompt, type the following command, and then press ENTER:
    dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,<ForestRootDomainDN>" -scope base -attr tombstonelifetime

    Be sure to replace <ForestRootDomainDN> with the actual distinguished name of the forest root domain (the dc= components). For example, if your forest name is corp.proseware.com, type the following, and then press ENTER:
    dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=corp,dc=proseware,dc=com" -scope base -attr tombstonelifetime
    
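The same tombstoneLifetime attribute that both procedures above inspect, read over ADSI and then used to list which tombstones are about to be garbage collected (and therefore about to become unrecoverable). This is an added PowerShell example, not code from the original post or from Microsoft; it assumes a domain-joined host with Domain Users rights and uses only the built-in .NET System.DirectoryServices types, and the Get-* function names are my own.

```powershell
# Added example (not from the original post): read tombstoneLifetime from the
# configuration partition and list tombstones that are close to garbage collection.
# Assumes a domain-joined host and Domain Users rights; only the built-in .NET
# System.DirectoryServices types are used, no extra modules.

function Get-ForestTombstoneLifetime {
    param([string]$Server)   # optional DC or domain name, as in ADSI Edit step 4
    $prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }

    # RootDSE exposes the configuration partition DN, so the forest root DN is not typed by hand
    $rootDse  = [ADSI]"${prefix}RootDSE"
    $configDn = $rootDse.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"${prefix}CN=Directory Service,CN=Windows NT,CN=Services,$configDn"
    $raw      = $dsObject.Properties['tombstoneLifetime'].Value

    # Not set means the pre-Windows Server 2003 SP1 default of 60 days applies
    if ($null -eq $raw) { return 60 }
    return [int]$raw
}

function Get-ExpiringTombstones {
    param([string]$Server, [int]$WarnDays = 14)
    $lifetime = Get-ForestTombstoneLifetime -Server $Server
    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $domainDn = ([ADSI]"${prefix}RootDSE").Properties['defaultNamingContext'].Value

    # DirectorySearcher.Tombstone sends the Show Deleted Objects control; without it
    # standard tools do not see objects under CN=Deleted Objects
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"${prefix}$domainDn"
    $searcher.Filter     = '(isDeleted=TRUE)'
    $searcher.Tombstone  = $true
    $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'whenChanged', 'lastKnownParent'))

    foreach ($result in $searcher.FindAll()) {
        # whenChanged survives on a tombstone and approximates the deletion time
        $deletedAt = [datetime]$result.Properties['whenchanged'][0]
        $daysLeft  = [math]::Floor(($deletedAt.AddDays($lifetime) - (Get-Date)).TotalDays)
        if ($daysLeft -le $WarnDays) {
            [pscustomobject]@{
                Name            = $result.Properties['name'][0]
                LastKnownParent = ($result.Properties['lastknownparent'] | Select-Object -First 1)
                DeletedAt       = $deletedAt
                DaysLeft        = $daysLeft
            }
        }
    }
}

Get-ExpiringTombstones | Sort-Object DaysLeft | Format-Table -AutoSize
```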

[update 2017.05.17]


From a Veeam article that explains how to recover deleted AD objects using Veeam:

https://www.veeam.com/blog/reanimating-active-directory-tombstone-objects-best-practices-for-ad-protection.html

Here are some excerpts from the article:

Once the Active Directory object is deleted, it is not hard deleted from a system. As you may know, Active Directory makes the object hidden by changing its attribute isDeleted to TRUE value. Then, it drops most of the objects’ attributes, renames the object, and moves it to a special container (CN=Deleted Objects). From now on, the object has a tombstone status, and standard Active Directory utilities don’t see its presence. Then, the object is conserved within this special state for a lifetime period (60 days for Windows Server 2000/2003 and 180 days for Windows 2003 SP1/2008).  This is to ensure that the information about removal was successfully replicated across the system. Once the tombstone lifetime period is over, a special process called garbage collector physically removes the object from the database.
Here comes the question. If the tombstone object was not physically deleted within a certain amount of time, would it be possible to recover (reanimate) it? The short answer is yes.