May 27

PowerShell Code: Get & Set Active Directory Tombstone Lifetime and Active Directory Delete & Recycle Operations

Active Directory is a multi-master database replicated among multiple Domain Controllers. In order to ensure that objects are fully replicated before deletions are processed (purged), objects are marked for deletion before they are completely purged from Active Directory. Active Directory marks the object as deleted by performing the following actions on the object:

  • The isDeleted attribute of the deleted object is set to TRUE (objects with an isDeleted attribute value set to TRUE are called tombstones.)
  • The deleted object is moved to the Deleted Objects container for its naming context. If the object systemFlags property contains the 0x02000000 flag, the object is not moved to the Deleted Objects container. The Deleted Objects container is flat, so all objects reside at the same level within the Deleted Objects container.
  • Thus, the relative distinguished name of the deleted object is changed to ensure that the name is unique within the Deleted Objects container. If the original name is longer than 75 characters, it is truncated to 75 characters.
  • The following are then appended to the new name:
    A 0x0A character
    The string “DEL:”
    The string form of a unique GUID, such as “947e3228-70c9-4311-8b7a-e5c9b5bd4432”
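
The renaming rule above can be reversed to recover the original name and the GUID from a deleted object's name. The following is an added example, not code from the original post; the function name `ConvertFrom-DeletedObjectName` and the sample names are constructed for illustration, and it assumes the 0x0A character may also appear escaped as `\0A`, as it does in distinguished name strings.

```powershell
# Added example, not from the original post. Sample names below are constructed.
function ConvertFrom-DeletedObjectName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Name
    )
    process {
        # Accept the raw value (a real 0x0A character) or the escaped "\0A" form.
        $raw = $Name -replace '\\0A', "`n"

        # <original name> + 0x0A + "DEL:" + <GUID>, anchored at the end of the value.
        $pattern = '^(?<name>[^\n]*)\nDEL:(?<guid>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})$'
        if ($raw -match $pattern) {
            [pscustomobject]@{
                OriginalName   = $Matches['name']
                Guid           = [guid]$Matches['guid']
                IsMangled      = $true
                # Names longer than 75 characters are cut to exactly 75, so a
                # 75-character result may be missing its tail.
                MaybeTruncated = ($Matches['name'].Length -eq 75)
            }
        } else {
            # Not a mangled name: report it unchanged.
            [pscustomobject]@{
                OriginalName = $Name; Guid = $null; IsMangled = $false; MaybeTruncated = $false
            }
        }
    }
}

# Constructed samples: raw form, escaped form with a 75-character name, and a live name.
$guid = '947e3228-70c9-4311-8b7a-e5c9b5bd4432'
$long = 'x' * 75
$samples = @(
    "Jane Doe`nDEL:$guid"
    "$long\0ADEL:$guid"
    'Jane Doe'
)
$samples | ConvertFrom-DeletedObjectName | Format-Table -AutoSize
```

Against a live directory, the same function can be fed the `Name` values returned by `Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects`.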


The AD tombstone lifetime determines how long deleted items exist in AD before they are purged. The default value was originally 60 days, but this was increased to 180 days starting with new AD forests created with Windows 2003 SP1. While the tombstone lifetime directly affects deleted items, it also has an impact on Domain Controllers. If a DC hasn’t replicated within the tombstone lifetime with another DC, it is effectively orphaned from the domain. Additionally, DC backups are only useful for restoring AD data within this tombstone lifetime – a backup that is 181 days old is no longer useful when the tombstone lifetime is 180 days.


| First Domain Controller Operating System Version | Default Tombstone Lifetime Setting (days) |
|---|---|
| Windows 2000 Server | 60 |
| Windows Server 2003 RTM | 60 |
| Windows Server 2003 R2 (SP1) | 60 |
| Windows Server 2003 SP1 and SP2 | 180 |
| Windows Server 2003 R2 SP2 | 180 |
| Windows Server 2008 and higher | 180 |

Since this value is stored as an attribute (tombstonelifetime) on the AD object “cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=<forestDN>”, it can be queried and modified.

There are some changes to how this process works once the AD Forest is set to Windows Server 2008 R2 mode and the AD Recycle Bin is enabled. Once enabled, there is a 180-day threshold from when an object is deleted by an admin within which it may be restored. Then at day 181, it is effectively “tombstoned” and may not be restored using the recycle bin undelete method. At day 360, this object is removed from the directory (purged). In other words, enabling the recycle bin keeps the object in the directory for 360 days after it is deleted. Microsoft states that this increases the size of AD by about 10 – 15%.

The AD Recycle Bin enables rapid restoration of deleted objects without a restore operation by implementing two new attributes, and using two existing attributes:

  • isDeleted

    • Has existed since Windows 2000
    • Exists on every object
    • Describes if an object is deleted but restorable
  • isRecycled

    • New to Windows Server 2008 R2
    • Exists on every object once it is recycled
    • Describes if an object is deleted but not restorable
  • msDS-deletedObjectLifetime

    • New to Windows Server 2008 R2
    • Is set on the “CN=Directory Service,CN=Windows NT, CN=Services, CN=Configuration, DC=COMPANY,DC=COM” container
    • Describes how long a deleted object will be restorable
  • tombstoneLifetime

    • Has existed since Windows 2000
    • Is set on the “CN=Directory Service,CN=Windows NT, CN=Services, CN=Configuration, DC=COMPANY,DC=COM” container
    • Describes how long a deleted object will not be restorable


Get Tombstone Lifetime:


    Write-Output "Get Tombstone Setting `r"
    Import-Module ActiveDirectory

    # Distinguished name of the forest's configuration partition
    $ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext

    # The Directory Service object holds the forest-wide tombstoneLifetime attribute
    $DirectoryServicesConfigPartition = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext" -Partition $ADForestconfigurationNamingContext -Properties *

    $TombstoneLifetime = $DirectoryServicesConfigPartition.tombstoneLifetime

    Write-Output "Active Directory's Tombstone Lifetime is set to $TombstoneLifetime days `r "

Note that no value returned means the tombstone lifetime setting is set to 60 days (default for AD forests installed with Windows 2003 or older).

Set Tombstone Lifetime to 365 days (for example):

    Import-Module ActiveDirectory
    $ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext

    # Replace the tombstoneLifetime value on the Directory Service object
    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext" -Partition $ADForestconfigurationNamingContext -Replace @{tombstonelifetime='365'}

This same process can be leveraged to identify the msDS-deletedObjectLifetime value (180 days by default).
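
The following added example (not code from the original post) reads both lifetime attributes in one query, resolves unset values, and turns them into the dates that matter for recovery planning. The function names are hypothetical, the fallback of an unset msDS-deletedObjectLifetime to the tombstone lifetime is an assumption based on Microsoft's documented behavior, and the Recycle Bin check relies on the `Get-ADOptionalFeature` cmdlet from the same ActiveDirectory module.

```powershell
# Added example, not from the original post. Function names are hypothetical.
Import-Module ActiveDirectory

function Get-ADDeletionLifetime {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dirSvc = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Partition $configNC -Properties tombstoneLifetime, 'msDS-deletedObjectLifetime'
    # No tombstoneLifetime value returned means 60 days.
    $tsl = if ($null -ne $dirSvc.tombstoneLifetime) { [int]$dirSvc.tombstoneLifetime } else { 60 }
    # Assumption: an unset msDS-deletedObjectLifetime follows the tombstone lifetime.
    $rawDol = $dirSvc.'msDS-deletedObjectLifetime'
    $dol = if ($null -ne $rawDol) { [int]$rawDol } else { $tsl }
    # The Recycle Bin is on when its optional feature has at least one enabled scope.
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    [pscustomobject]@{
        TombstoneLifetimeDays     = $tsl
        DeletedObjectLifetimeDays = $dol
        RecycleBinEnabled         = [bool]($feature -and $feature.EnabledScopes.Count -gt 0)
        # Backups taken before this date are older than the tombstone lifetime.
        OldestUsableBackup        = (Get-Date).Date.AddDays(-$tsl)
    }
}

function Get-DeletionTimeline {
    param(
        [Parameter(Mandatory)][datetime]$DeletedOn,
        [Parameter(Mandatory)][psobject]$Lifetime   # output of Get-ADDeletionLifetime
    )
    if ($Lifetime.RecycleBinEnabled) {
        # Restorable for the deleted object lifetime, then recycled for the tombstone lifetime.
        $restoreUntil = $DeletedOn.AddDays($Lifetime.DeletedObjectLifetimeDays)
        $purgeAfter   = $restoreUntil.AddDays($Lifetime.TombstoneLifetimeDays)
    } else {
        # No Recycle Bin: the object is a tombstone until the tombstone lifetime expires.
        $restoreUntil = $null
        $purgeAfter   = $DeletedOn.AddDays($Lifetime.TombstoneLifetimeDays)
    }
    [pscustomobject]@{
        DeletedOn              = $DeletedOn
        RecycleBinRestoreUntil = $restoreUntil
        PurgeEligibleAfter     = $purgeAfter
    }
}

$lifetime = Get-ADDeletionLifetime
$lifetime
# Constructed deletion date, for illustration only.
Get-DeletionTimeline -DeletedOn (Get-Date '2024-01-15') -Lifetime $lifetime
```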


