How to Modify the Tombstone Lifetime of an AD Forest
Published Jun 17, 2024
The tombstone lifetime of an Active Directory forest represents the maximum allowable replication interval of a domain controller (DC) in that forest. This video shows the procedure for modifying the tombstone lifetime.
Hello, this is David. I'm a Principal Engineer at Dell, and in this video I'll be covering how to modify the tombstone lifetime of an Active Directory forest. As you may already know, the tombstone lifetime is the maximum length of time that an Active Directory Domain Controller can go without replicating with a partner. If the tombstone lifetime is exceeded, replication is automatically disabled on that Domain Controller, and it will not resume without manual intervention. The default tombstone lifetime of the forest is determined by the version of Windows Server running on the very first Domain Controller in the forest.
In Windows 2000 the tombstone lifetime of a newly created forest was 60 days, and that was also the case in Windows Server 2003 until 2003 Service Pack 1 came out, at which point it went to 180 days and stayed there through Service Pack 2. When 2003 R2 came out - which somewhat confusingly included Service Pack 1 - the tombstone lifetime went back to 60 days. When Service Pack 2 for 2003 R2 came out it went back to 180 days, and it's been there ever since. Now, having said all that, it's important to remember that the tombstone lifetime does not change on its own when a new Domain Controller is added to the forest. It's not dependent on the operating system version of your newest Domain Controller, nor is it dependent on the forest functional level or domain functional level.
It has to be manually modified, or it will stay at the same value that it had when the forest was created. It's also important to remember that the tombstone lifetime is a forest-wide attribute, so an Active Directory forest has a single tombstone lifetime regardless of how many domains it contains. Modifying the tombstone lifetime is a simple procedure. We need to use the ADSI Edit ('adsiedit') tool, which can be opened by running 'adsiedit.msc' at a command prompt. Once the tool is open we need to connect to the Configuration directory partition if it's not already displayed in the console, and we do that by right-clicking 'ADSI Edit', selecting 'Connect to…', and then selecting the 'Configuration' naming context from the dropdown list.
Clicking 'OK' brings up the Configuration partition. Now, to find the tombstone lifetime we need to expand 'Configuration'; underneath that we expand 'Configuration' again, expand 'Services', expand 'Windows NT', and inside there we see a container named 'Directory Service'. That's the container where the attribute resides. So we right-click it and select 'Properties', which brings up the attribute editor for this container. The container has a number of attributes - among them the tombstone lifetime - so we'll scroll down the list of attributes until we see 'tombstoneLifetime'. As we can see here, it currently has no value. Now, if your tombstone lifetime is '<not set>' as shown here, the value is actually 60 days regardless of the operating system running on any of your Domain Controllers.
I want to set this to 180 days. So, to change the value all we need to do is select 'Edit' here and then simply type in the value that we want. The value is represented in days, so we type '180', click 'OK' to confirm, and then click 'OK' again to confirm, and that's really it. Because that value is stored in the Configuration directory partition, as I mentioned, it is a forest-wide value. That directory partition is replicated to every Domain Controller in the forest.
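The same change done from PowerShell instead of ADSI Edit, as an added example that is not part of the video: it reads tombstoneLifetime from CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition, treats '<not set>' as the 60-day default, writes 180, and then checks each Domain Controller to see whether the Configuration partition has replicated. It assumes the RSAT ActiveDirectory module is installed, the caller has Enterprise Admin rights, and (as in the video) a single-domain forest, since Get-ADDomainController -Filter * only lists the current domain's DCs.

```powershell
# Added example, not from the video: manage the forest tombstoneLifetime
# with the ActiveDirectory module. Assumes RSAT ActiveDirectory is installed
# and the caller is an Enterprise Admin (the Configuration partition is forest-wide).
Import-Module ActiveDirectory

# The attribute lives on the Directory Service container of the Configuration NC
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

function Get-TombstoneLifetime {
    param([string]$Server)   # optional: query one specific DC
    $args = @{ Identity = $dsPath; Properties = 'tombstoneLifetime' }
    if ($Server) { $args.Server = $Server }
    $obj = Get-ADObject @args
    if ($null -eq $obj.tombstoneLifetime) {
        # '<not set>' in ADSI Edit: the forest still uses the implicit 60-day default
        return [pscustomobject]@{ Days = 60; Explicit = $false }
    }
    return [pscustomobject]@{ Days = [int]$obj.tombstoneLifetime; Explicit = $true }
}

function Set-TombstoneLifetime {
    param([Parameter(Mandatory)][int]$Days)   # value is in days, as in ADSI Edit
    Set-ADObject -Identity $dsPath -Replace @{ tombstoneLifetime = $Days }
}

$before = Get-TombstoneLifetime
Write-Host ("Current tombstoneLifetime: {0} days (explicitly set: {1})" -f $before.Days, $before.Explicit)

Set-TombstoneLifetime -Days 180

$after = Get-TombstoneLifetime
Write-Host ("New tombstoneLifetime: {0} days" -f $after.Days)

# Replication check: the video lets the two-DC forest replicate on its own;
# this shows which DCs have received the Configuration partition change so far.
Get-ADDomainController -Filter * | ForEach-Object {
    $v = Get-TombstoneLifetime -Server $_.HostName
    $state = if ($v.Explicit) { "$($v.Days) days" } else { '<not set> (60 days)' }
    Write-Host ("{0}: {1}" -f $_.HostName, $state)
}
```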
We can force replication if we want to, but the domain we're currently in is just a single domain. It's a single-domain forest with two Domain Controllers in it, so there's really no need to force anything. I'll just let it replicate on its own. And, as I said, that's really all you have to do to change the tombstone lifetime. Once again, this is David, I'm a Principal Engineer at Dell, and