The tombstone object: What is it?
Imagine accidentally deleting a user account in active directory. A tombstone object steps in, holding significant information like the deleted object’s unique identifier and security details.
An object that is deleted from active directory is not eliminated from the database; rather, AD creates an object that is simpler and is referred to as a “tombstone object”. In essence, tombstone objects are composed of GUIDS (global unique identifiers) and SIDS (security identifiers) to ensure data integrity during cleanup.
A tombstone object doesn’t reside within the AD database permanently. It has a certain period of time called “tombstone lifetime”. Tombstone lifetime refers to the amount of time a deleted object remains in AD before it is permanently erased. The default tombstone lifetime in windows server is 180 days. The attribute “isDeleted” is set to TRUE , If the object is deleted.
Purpose of a tombstone object:
Tombstones in AD serve crucial roles in various scenarios:
- Preventing Accidental Deletion: If an object is accidentally deleted, tombstones preserve its unique security identifier (SID), every object that is created has a unique SID attached to it.
- Facilitating Replication: In a multi-master replication model, tombstones ensure that deletion actions are replicated across all domain controllers (DCs), maintaining consistency throughout the domain.
- Supporting AD Restores: During DC restores from backups, tombstones prevent inadvertently reintroducing deleted objects by marking them as inactive, thus preserving the integrity of the Active Directory environment.
Deletion process of objects in AD:
When an object is deleted from AD, it follows a multi-stage process, which is given below:
1. Normal objects:
Initially, the object appears as a conventional AD object, which may be inspected using proper tools or LDAP (Lightweight Directory Access Protocol) interfaces.
2. Deleted objects before tombstone lifetime expires:
Upon deletion, the object enters a Tombstone state for a certain period of time, during which it retains some of its original features but undergoes significant alteration. It is moved to a specific container and its attributes are adjusted, making it inaccessible using standard management tools.
AD creates a tombstone object with following basic set of qualities from the removed objects.
- DN (Distinguished Name) of the deleted object.
- Object class.
- When the object was deleted.
- A flag indicating deletion.
3. Object is completely removed from the Active Directory database:
If there are no further references to the object, it is erased completely from the database, leaving no trace.
4. Phantom Object:
If references to the object remain, it is replaced with a phantom object until the references are resolved. These phantom items exist temporarily and are immediately erased when all references are cleared.
Viewing and restoring tombstones:
- Due to their temporary nature, tombstones are hidden by default.
- Tools like LDP.exe with specific options enabled, allow viewing and restoring tombstones within their TSL.
- When a tombstone item is restored, the destroyed object is effectively recreated using the information that is still available. That type of item can require additional settings.
For more detailed instructions, you can refer to the following guide here.
Finally, understanding the concept of tombstone objects is crucial for AD Administrators to effectively manage user accounts, groups, and other directory objects. Tombstone objects act as a tool for data consistency and system efficiency within Active Directory by representing deleted objects. Administrators can utilise tombstone lifespans to prioritize object restorations before permanent deletion, then remove expired tombstones to optimize Active Directory performance and streamline future object management.
