question

AngelGarciaGomez-7296 asked · 0 Votes

change time tombstone


Hello,

I need to expand the tombstone to 365 days

Is it safe?

I have been able to see this URL, but I am afraid of breaking something.

https://www.windowstechno.com/how-can-i-check-the-tombstone-lifetime-of-my-active-directory-forest/

windows-active-directory

DSPatrick answered · 0 Votes

It isn't good to be in a disconnected state for this long. Is there some compelling reason to do so?
https://docs.microsoft.com/en-us/windows/win32/adschema/a-tombstonelifetime

--please don't forget to Accept as answer if the reply is helpful--



AngelGarciaGomez-7296 answered · 0 Votes

The reason is due to long term backups.


DSPatrick answered · 0 Votes

Not sure what is meant. The much simpler / safer method is to always have at least two domain controllers for high availability and disaster mitigation.


--please don't forget to Accept as answer if the reply is helpful--



AngelGarciaGomez-7296 answered · 0 Votes

I understand you.

By way of culture.

What happens if, for example, I have 3 domain controllers, dc1, dc2 and dc3 and dc3 reaches 180?

It will simply stop replication attempts and I will have to delete it manually?


DSPatrick answered · 0 Votes

In reality that should never happen, but in the event it did you can simply demote, reboot, promo it again. Worst case you could seize roles to a healthy one (if needed)
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

perform cleanup
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

then rebuild it. Extending tombstone is not really a solution. Tombstone happens because of network problems.


--please don't forget to Accept as answer if the reply is helpful--


FanFan-MSFT answered · 0 Votes

Hi,

Increasing the tombstone lifetime can be used as a method for troubleshooting the replication issue.
But it is not recommended to keep the long period (365 days) in your domain.
More information for your reference:

Active Directory replication Event ID 2042: It has been too long since this machine replicated
Troubleshoot Active Directory replication error 8614



Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
 
Best Regards,

0 Votes 0 ·