Tombstone Period in Active Directory is the time that deleted objects are kept in the database. Knowing exactly how long the Tombstone is important, specially when we face with Domain Controllers restoration.

In other words Tombstone Period is something like the Recycle Bin. To find out how long or modify it, you need to have installed Management Tools.

To consult, use the following command in the CLI:

dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=[domain],dc=[root]" -scope base -attr tombstonelifetime

To modify, we need to go to the Domain Controller, and follow below instructions:

  • Start->; Run ->; “adsiedit.msc”. without “”.
  • In the tree, go to: Configuration ->; Domain ->; Services ->; Windows NT
  • Right click on “CN=Directory Service” and in the context menu Properties.
  • In the windows search for the tombstonelifetime and then Edit.
  • Modify value and Accept.

Tombstone