In this guide, I’ll show two options on how to check the Tombstone Lifetime in Active Directory.
Option 1. Check Tombstone Lifetime using PowerShell
Use the below PowerShell command to check the Tombstone lifetime in Active Directory. You will need to update the distinguishedName to match your domain.
(get-adobject “cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=ad,DC=activedirectorypro,DC=com” -properties “tombstonelifetime”).tombstonelifetime
You can see in the screenshot above my Tomestone lifetime is 180 days.
You can find your distinguishedName with this command.
Get-ADRootDSE | select defaultNamingContext
Update the section in red with your domains distinguishedName.
Option 2. Check Tombstone Lifetime using ADSI Edit
Step 1. Open ADSI Edit
Step 2. Right on ADSEI Edit and select “Connect to”
Step 3. Select “Configuration” from the drop down and then click “OK”.
Step 4. Expand the following:
- CN=Configuration,(your domain)
- CN=Services
- CN=Windows NT
- CN=Directory Service
Then right click on CN=Directory Service and select “Properties”
Scroll down and check the value of “tombstoneLifetime”.
