AD DS: The resultant backup lifetime in this forest should be equal to or greater than 180 days

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System: Windows Server 2008 R2, Windows Server 2012

Product/Feature: Active Directory Domain Services (AD DS)

Severity: Warning

Category: Configuration

Issue

The resultant backup lifetime in this forest is set to a value that is less than the recommended minimum of 180 days.

To determine whether you can use a particular backup of AD DS to successfully recover a previously deleted object through an authoritative restore, consider the value of the resultant backup lifetime in your Active Directory forest. The value of the resultant backup lifetime in an Active Directory forest specifies the number of days during which any backup of this forest is most effective when you use it to restore an Active Directory environment. The restore tasks can include recovering accidentally deleted data or promoting domain controllers from media.

If the Active Directory Recycle Bin feature is not enabled in your environment, the resultant backup lifetime is equal to the value of the tombstone lifetime.

For more information about tombstones and tombstone lifetime, see Reanimating Active Directory Tombstone Objects (https://go.microsoft.com/fwlink/?LinkID=125452).

By default, the tombstoneLifetime attribute, which stores the tombstone lifetime if the Active Directory Recycle Bin is not enabled, is set to null. When tombstoneLifetime is set to null in Windows Server 2008 or Windows Server 2008 R2, the tombstone lifetime defaults to 180 days.

Note

In Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2, when tombstoneLifetime is set to null, the tombstone lifetime defaults to 60 days. Therefore, if you upgrade your domain controller to Windows Server 2008 or Windows Server 2008 R2 from Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2, as opposed to performing a clean installation of Windows Server 2008 or Windows Server 2008 R2, we recommend that you manually set the value of tombstoneLifetime to 180 days.

If the Active Directory Recycle Bin is enabled in your environment (which requires a forest functional level of at least Windows Server 2008 R2), the value of the resultant backup lifetime is the smaller of the following two values:

  • The msDS-deletedObjectLifetime attribute, which stores the deleted object lifetime

  • The legacy tombstoneLifetime attribute, which stores the recycled object lifetime

For more information about deleted and recycled objects, deleted objects lifetime, recycled object lifetime, and the Active Directory Recycle Bin, see Scenario Overview for Restoring Deleted Active Directory Objects (https://go.microsoft.com/fwlink/?LinkId=148279).

By default, the msDS-deletedObjectLifetime attribute is set to null. When msDS-deletedObjectLifetime is set to null, the deleted object lifetime is set to the value of the recycled object lifetime. By default, the tombstoneLifetime attribute is also set to null. When tombstoneLifetime is set to null, the recycled object lifetime defaults to 180 days. Therefore, by default, the value of the resultant backup lifetime in an Active Directory forest is 180 days.
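The following script, added here as an example and not part of the original page, reads the two attributes described above from the forest's Directory Service object, checks whether the Active Directory Recycle Bin is enabled, and computes the resultant backup lifetime using exactly the rules given above (tombstone lifetime when the Recycle Bin is off; the smaller of the deleted object lifetime and the recycled object lifetime when it is on, with null values resolved as the text describes). It assumes the Active Directory module for Windows PowerShell is installed and that the session can query a domain controller; the function name Get-ResultantBackupLifetime is the example's own.

```powershell
# Added example (not from the original page): compute the resultant backup lifetime as this
# page defines it and report whether it meets the 180-day recommendation.
Import-Module ActiveDirectory

function Get-ResultantBackupLifetime {
    $rootDse  = Get-ADRootDSE
    $configNC = $rootDse.configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Partition $configNC -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    $tsl = $dsObject.tombstoneLifetime
    $dol = $dsObject.'msDS-DeletedObjectLifetime'

    # A null tombstoneLifetime is read as 180 days by a Windows Server 2008 or later DC.
    # (DCs running Windows 2000 Server / Windows Server 2003 read null as 60 days, which is
    # why the Note above recommends setting the attribute explicitly after an upgrade.)
    $tslExplicit = ($null -ne $tsl)
    $recycledObjectLifetime = if ($tslExplicit) { [int]$tsl } else { 180 }

    # EnabledScopes is empty until the optional feature has been enabled for the forest.
    $recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $recycleBinEnabled = ($null -ne $recycleBin) -and ($recycleBin.EnabledScopes.Count -gt 0)

    if ($recycleBinEnabled) {
        # A null msDS-deletedObjectLifetime inherits the recycled object lifetime.
        $deletedObjectLifetime = if ($null -ne $dol) { [int]$dol } else { $recycledObjectLifetime }
        $resultant = [Math]::Min($deletedObjectLifetime, $recycledObjectLifetime)
    }
    else {
        # Without the Recycle Bin the resultant backup lifetime is simply the tombstone lifetime.
        $deletedObjectLifetime = $null
        $resultant = $recycledObjectLifetime
    }

    [PSCustomObject]@{
        QueriedDomainController      = $rootDse.dnsHostName
        TombstoneLifetimeExplicit    = $tslExplicit
        RecycledObjectLifetimeDays   = $recycledObjectLifetime
        RecycleBinEnabled            = $recycleBinEnabled
        DeletedObjectLifetimeDays    = $deletedObjectLifetime
        ResultantBackupLifetimeDays  = $resultant
        MeetsRecommendation          = ($resultant -ge 180)
    }
}

$result = Get-ResultantBackupLifetime
$result | Format-List

if (-not $result.TombstoneLifetimeExplicit) {
    Write-Warning 'tombstoneLifetime is null; set it explicitly so that every DC in the forest agrees on the value.'
}
if (-not $result.MeetsRecommendation) {
    Write-Warning "Resultant backup lifetime is $($result.ResultantBackupLifetimeDays) days; raise it to at least 180."
}
```

Run it before and after changing either attribute: the MeetsRecommendation field is the same condition the Best Practices Analyzer rule evaluates, and the warnings point at the two situations the text above calls out (a null tombstoneLifetime inherited from an upgraded forest, and a resultant lifetime below 180 days).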

Impact

If the resultant backup lifetime in your Active Directory forest is less than 180 days, the backups of your forest that you can use to recover accidentally deleted data or to promote domain controllers from media will be less effective and usable for a shorter period of time. A backup that is older than the resultant backup lifetime cannot safely be restored, because the restored domain controller would reintroduce objects whose deletions the rest of the forest has already purged (lingering objects).

Resolution

Make sure that the resultant backup lifetime in your Active Directory environment is equal to or greater than 180 days. If Active Directory Recycle Bin is not enabled in your environment, increase the resultant backup lifetime in your forest by ensuring that the value of the tombstone lifetime is equal to or greater than 180 days. If Active Directory Recycle Bin is enabled, ensure that the recycled object lifetime (which is stored in the pre-existing tombstoneLifetime attribute) and the deleted object lifetime (which is stored in the msDS-deletedObjectLifetime attribute) are equal to or greater than 180 days.

We recommend that the resultant backup lifetime in your Active Directory environment be equal to or greater than 180 days. This helps ensure that the backups of your forest are effective and usable for a long period of time so that you can authoritatively restore an Active Directory environment.

You can modify the values of the tombstoneLifetime and msDS-deletedObjectLifetime attributes anytime by using the Set-ADObject cmdlet in the Active Directory module for Windows PowerShell (the recommended method) or by using the Ldp administrative tool.

Membership in Schema Admins, or equivalent, is the minimum required to complete these procedures. In practice the account must have write permission on the CN=Directory Service object in the configuration partition of the forest; members of Enterprise Admins have this permission by default. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To modify the tombstone lifetime by using the Set-ADObject cmdlet

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

  2. At the Active Directory module command prompt, type the following command, and then press ENTER:

    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com" -Partition "CN=Configuration,DC=mydomain,DC=com" -Replace @{"tombstoneLifetime" = <value>}

    Replace DC=mydomain,DC=com with the appropriate forest root domain name of your Active Directory environment, and replace <value> with the new value for the tombstone lifetime.

    For example, to set tombstoneLifetime to 365 days, run the following command:

    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" -Partition "CN=Configuration,DC=contoso,DC=com" -Replace @{"tombstoneLifetime" = 365}

For more information about the Set-ADObject cmdlet, at the Active Directory module command prompt, type Get-Help Set-AdObject, and then press ENTER.

To modify the tombstone lifetime by using Ldp

  1. Open Ldp. To open Ldp, click Start, click Run, and then type ldp.exe.

  2. To connect and bind to a domain controller in the forest root domain of your Active Directory environment, on the Connection menu, click Connect, and then click Bind.

  3. In the console tree, right-click the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration container, and then click Modify. (If the console tree is empty, on the View menu, click Tree, and enter the distinguished name of the configuration partition as the base DN.)

  4. In the Modify dialog box, in Edit Entry Attribute, type tombstoneLifetime.

  5. In the Modify dialog box, in Values, type the number of days that you want to set for the tombstone lifetime value. (The minimum is 3 days.)

  6. In the Modify dialog box, under Operation, click Replace, click Enter, and then click Run.

To modify the deleted object lifetime by using the Set-ADObject cmdlet

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

  2. At the Active Directory module prompt, type the following command, and then press ENTER:

    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com" -Partition "CN=Configuration,DC=mydomain,DC=com" -Replace @{"msDS-DeletedObjectLifetime" = <value>}

    Replace DC=mydomain,DC=com with the appropriate forest root domain name of your Active Directory environment, and replace <value> with the new value of the deleted object lifetime.

    For example, to set the deleted object lifetime to 365 days, run the following command:

    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" -Partition "CN=Configuration,DC=contoso,DC=com" -Replace @{"msDS-DeletedObjectLifetime" = 365}

For more information about the Set-ADObject cmdlet, at the Active Directory module command prompt, type Get-Help Set-AdObject, and then press ENTER.

To modify the deleted object lifetime by using Ldp

  1. Open Ldp. To open Ldp, click Start, click Run, and then type ldp.exe.

  2. To connect and bind to a domain controller in the forest root domain of your Active Directory environment, on the Connection menu, click Connect, and then click Bind.

  3. In the console tree, right-click the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration container, and then click Modify. (If the console tree is empty, on the View menu, click Tree, and enter the distinguished name of the configuration partition as the base DN.)

  4. In the Modify dialog box, in Edit Entry Attribute, type msDS-deletedObjectLifetime.

  5. In the Modify dialog box, in Values, type the number of days that you want to set for the deleted object lifetime value. (The minimum is 3 days.)

  6. In the Modify dialog box, under Operation, click Replace, click Enter, and then click Run.
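The four procedures above each change one attribute with a hard-coded forest root DN. The following function, added here as an example and not part of the original page, performs the Set-ADObject procedures together: it derives the configuration partition from the RootDSE instead of typing the DN, raises tombstoneLifetime, raises msDS-deletedObjectLifetime only when the Recycle Bin is actually enabled (otherwise the attribute has no effect), supports -WhatIf so the change can be previewed, and reads both values back from the same domain controller to verify the write. It assumes the Active Directory module and an account that can write to the Directory Service object; the function name Set-BackupLifetime and the 180-day lower bound enforced by ValidateRange are the example's own choices, the latter because lowering either value shortens how long existing backups stay usable.

```powershell
# Added example (not from the original page): raise tombstoneLifetime and, when the Recycle Bin
# is enabled, msDS-deletedObjectLifetime in one step, then verify the stored values.
Import-Module ActiveDirectory

function Set-BackupLifetime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 180 is the page's recommended minimum; this example refuses to set anything lower.
        [Parameter(Mandatory = $true)]
        [ValidateRange(180, 2147483647)]
        [int]$Days
    )

    # Pin every call to one DC so the verification read is not served by a replica
    # that has not yet received the change.
    $rootDse  = Get-ADRootDSE
    $server   = $rootDse.dnsHostName
    $configNC = $rootDse.configurationNamingContext
    $dsDN     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    $recycleBin = Get-ADOptionalFeature -Server $server -Filter 'Name -eq "Recycle Bin Feature"'
    $recycleBinEnabled = ($null -ne $recycleBin) -and ($recycleBin.EnabledScopes.Count -gt 0)

    # tombstoneLifetime is the tombstone lifetime (Recycle Bin off) or the recycled object
    # lifetime (Recycle Bin on); it is part of the resultant backup lifetime either way.
    $changes = @{ tombstoneLifetime = $Days }
    if ($recycleBinEnabled) {
        # The deleted object lifetime only participates when the Recycle Bin is enabled.
        $changes['msDS-DeletedObjectLifetime'] = $Days
    }

    $description = "Set $($changes.Keys -join ', ') to $Days days"
    if ($PSCmdlet.ShouldProcess($dsDN, $description)) {
        Set-ADObject -Server $server -Identity $dsDN -Partition $configNC -Replace $changes
    }

    # Read back what is now stored on that DC; the change replicates to the rest of the forest.
    Get-ADObject -Server $server -Identity $dsDN -Partition $configNC `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime' |
        Select-Object @{ Name = 'DomainController'; Expression = { $server } },
                      tombstoneLifetime, 'msDS-DeletedObjectLifetime'
}

# Preview the change first, then apply it.
Set-BackupLifetime -Days 365 -WhatIf
Set-BackupLifetime -Days 365
```

Because these attributes live in the configuration partition, a single write on any writable domain controller changes the value for the whole forest once replication completes; the verification output shows only the domain controller that received the write.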

Additional references

For more information, see the Active Directory Recycle Bin Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=133971).