What are Tombstones in Active Directory?
When you delete an object from the Active Directory (AD) database, it’s marked as a tombstone object instead of being fully removed. By default, each tombstone object remains in the database for 180 days. Once this tombstone’s lifetime value is exceeded, the tombstone object is automatically deleted by the garbage collection process. Administrators can change the default tombstone lifetime value by using the ADSI Edit tool.
Benefits of tombstones
There are three main situations in which a tombstone can help:
- Accidental object deletion: If you accidently delete an object which had particular attributes, you can’t just create a new object with the same name and expect everything to work as before. Whenever an object is created, a unique security identifier (SID) gets associated with it. It’s the SID which enables an object to get access to resources, be a part of groups, etc. Even if you create a new object with the same name, the SID will be different. Luckily, you can restore a tombstoned object with its original SID.
- Replication of a deletion action: All the domain controllers (DC) in a domain follow the multi master replication model. This means making changes to any DC will replicate those changes in all the other DCs in the domain. If an object is deleted at a particular DC without being tombstone, there is no way this information can be replicated to the other DCs. Tombstone enables the deletion action to be replicated.
- Deletion action is captured during an AD restore: It’s always a good practice to take frequent backups of your DCs. If a DC crashes, you’ll need to rebuild it from the last available backup. Now, imagine if you deleted an object before an AD restored. In this scenario, the last available backup will still contain the deleted object. If not for tombstones, the deleted object would find its way back into AD. By marking the deleted object as a tombstone, you can ensure that the object does not become active after being replicated to the restored DC.
What happens in the back end when you delete an object?
When you try to delete an object, AD will first run a series of checks to ensure that the object can be deleted in the first place. Once AD determines that the object can be deleted, it turns it into a tombstone by setting the object’s isDeleted attribute to TRUE.
AD then strips the unnecessary attributes from the object and only preserves certain important attributes, such as the object’s globally unique identifier (GUID) and security identifier (SID), in the tombstone. It’s important to note that user-group links are not preserved in tombstones and are thus lost forever if objects belonging to a group are tombstoned. After AD has updated the object’s attributes, it’s moved to a special container called Deleted Objects in the naming context (NC). The description given here is not exhaustive; however, it captures the main essence of how tombstones are created and stored.
Default tombstone timeline in Active Directory
|Forest Functional Level of the Domain Controller||Tombstone lifetime in days|
|Windows Server 2012||180|
|Windows Server 2008 R2||180|
|Windows Server 2008||180|
|Windows Server 2003 R2 SP2||180|
|Windows Server 2003 R2 SP1||60|
|Windows Server 2003 R2||60|
|Windows Server 2003 SP2||180|
|Windows Server 2003 SP1||180|
|Windows Server 2003 RTM||60|
How do you view tombstoned objects?
To view and restore tombstoned objects, follow these steps:
- At the DC’s console, choose Run.
- Type LDP.EXE and then press Enter. You’ll get the screen below.
- Go into the Connection menu, and choose Bind. Ensure that Bind as currently logged on user is selected, and click OK. You will see the screen shown below. This confirms that you are authenticated as the administrator of the DC.
- Click on the Options menu, choose Controls, and then choose Return deleted objects under the Load Predefined drop-down. Click OK.
- Go into the View menu, select Tree, and then choose the fully qualified distinguished name of your domain. In our example, this would be DC=vaidyar,DC=com. You will then get the screen below.
- Expand the details of your domain on the left side, and then double-click on the relevant item with details on deleted objects. In our example, this would be CN=Deleted Objects,DC= vaidyar,DC=com. The screen below will then open up. This will show you all the objects that have been deleted in the domain.
How do you restore tombstoned objects?
To restore tombstoned objects, follow these steps:
- Perform steps 1-6 from the section above.
- Double-click on the object you want to restore to obtain more information about it. This step is critical to ensure that you choose the right object for restoration. If you have created objects in the past with the same name, they’ll look similar. One way to make sure you choose the right object is by checking the whenChanged and whenCreated details.
In our example, we’ll try restoring the user object Sudhir Pillai. You’ll see the screen below at this point.
- Right-click on the user object you want to restore, click Modify, and type “isDeleted” in the Edit Entry Attribute field. Click the Delete operation, then hit Enter. When the object was tombstoned, its isDeleted attribute was changed to TRUE. In this step, we’re modifying this attribute.
- Now choose Replace under Operation. Type “distinguishedName” under Edit Entry Attribute, and type the object’s lastKnownParent value under Values. Press Enter, then click Run. The screen below shows how this looks.
The object will now be restored to its last known location. In our example, this location would be CN=Users,DC=vaidyar,DC=com. If you need to restore the object to a different location, you would need to specify the appropriate FQDN in step 4 above.