Active Directory中的Tombstone lifetime(TSL)决定了删除对象的保留时间,默认值为60天,Windows 2003 SP2后改为180天。此设置影响备份有效性、数据恢复及域控制器复制。建议将旧环境更新为180天以增强数据恢复能力。 2025-9-20 00:3:0 Author: adsecurity.org(查看原文) 阅读量:2 收藏
Sep 19 2025
The Tombstone lifetime (TSL) in Active Directory is the limit as to how long a deleted object can remain in AD. The original value was 60 (days). Windows versions since Windows 2003 SP2 have this set to 180 (days). Note that this also affects backups, how long a backup is valid and replication – if a DC doesn’t replicate with its partner(s) within the TSL, the other DCs will ignore it. https://adsecurity.org/?p=81
If you have an environment with it still set to 60, I recommend you update it to 180 days. This may slightly bloat AD since deleted objects will linger longer, but it does provide a fail-safe of sorts if you need to recover going back >60 days.
PowerShell code using the AD PowerShell module to determine the Tombstone lifetime:
$ADRootDSE = Get-ADRootDSE
$ADConfigurationNamingContext = $ADRootDSE.configurationNamingContext
$TombstoneObjectInfo = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ADConfigurationNamingContext" -Partition "$ADConfigurationNamingContext" -Properties *
[int]$TombstoneLifetime = $TombstoneObjectInfo.tombstoneLifetime
IF ($TombstoneLifetime -eq 0)
{ $TombstoneLifetime = 60 }
Write-Host "The AD Forest Tombstone lifetime is set to $TombstoneLifetime days."(Visited 6 times, 6 visits today)
Sean Metcalf
I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter.
Read the About page (top left) for information about me. :)
https://adsecurity.org/?page_id=8
如有侵权请联系:admin#unsafe.sh