change time tombstone

Question

Hello,

I need to expand the tombstone to 365 days

Is it safe?

I have been able to see this URL, but I am afraid of breaking something.

https://www.windowstechno.com/how-can-i-check-the-tombstone-lifetime-of-my-active-directory-forest/

Answer

It isn't good to be in a disconnected state for this long. Is there some compelling reason to do so?
https://learn.microsoft.com/en-us/windows/win32/adschema/a-tombstonelifetime

--please don't forget to Accept as answer if the reply is helpful--

Answer

The reason is due to long term backups.

Answer

Not sure what is meant. The much simpler / safer method is to always have at least two domain controllers for high availability and disaster mitigation.

--please don't forget to Accept as answer if the reply is helpful--

Answer

I understand you.

By way of culture.

What happens if, for example, I have 3 domain controllers, dc1, dc2 and dc3 and dc3 reaches 180?

It will simply stop replication attempts and I will have to delete it manually?

Answer

In reality that should never happen, but in the event it did you can simply demote, reboot, promo it again. Worst case you could seize roles to a healthy one (if needed)
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

perform cleanup
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

then rebuild it. Extending tombstone is not really a solution. Tombstone happens because of network problems.

--please don't forget to Accept as answer if the reply is helpful--

change time tombstone

6 answers