Hi,
Based on my research:
msDS-deletedObjectLifetime: describes how long a deleted object will be restorable.
tombstoneLifetime: describes how long a deleted object will not be restorable.
If a domain controller has not replicated with its partner for longer than a tombstone lifetime, it is possible that a lingering object problem exists on one or both domain controllers. The tombstone lifetime in an Active Directory Forest determines how long a deleted object (called a "tombstone") is retained in Active Directory Domain Services (AD DS).
For your questions:
1. So, it is not suggested to set the tombstone lifetime too low.
It will also impact the useful lifetime of backups.
2. When does it start the countdown?
Based on my test, when you change the tombstone lifetime, it will not impact deleted items that already exist.
Once the change of tombstone lifetime is replicated to all other DCs, new deleted objects will be impacted by the new value.
3. Let's make clear the difference between Recycle Bin being enabled and not enabled.
How is an object deleted without AD Recycle Bin?
When we do a "Logical delete", the object will be "Tombstoned" and moved to the "Deleted Objects" container; most of its attributes are removed, and its name is also mangled.
After the so-called "TombstoneLifetime", this object will be "garbage collected", or physically removed.
How is an object deleted when Active Directory Recycle Bin is enabled?
When we do a "Logical delete", the object will be "deleted" and moved to the "Deleted Objects" container; however, all its attributes will be kept, but its name is also mangled.
After the so-called "Deleted object lifetime", this object will be "recycled" with most of its attributes removed; this is similar to being "Tombstoned" in 2003.
After the "Recycled object lifetime", this object will be physically removed.
For information about the AD Recycle Bin, you can refer to:
Best Regards,
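
Added example, not part of the original post: a PowerShell function that works out which stage of the deletion lifecycle described above an object is in, with and without the Recycle Bin. The function name, parameters and sample dates are constructed for illustration; it assumes an unset tombstoneLifetime means 60 days, an unset msDS-deletedObjectLifetime falls back to the tombstone lifetime, and the recycled stage lasts for the tombstone lifetime.

```powershell
# Added example; all inputs are constructed. On a live forest both lifetimes are
# attributes of CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>.
function Get-DeletedObjectStage {
    param(
        [Parameter(Mandatory)] [datetime] $DeletedAt,   # time of the logical delete
        [Parameter(Mandatory)] [datetime] $Now,
        [Parameter(Mandatory)] [bool] $RecycleBinEnabled,
        [Nullable[int]] $TombstoneLifetime,             # days; $null = attribute not set
        [Nullable[int]] $DeletedObjectLifetime          # days; $null = attribute not set
    )
    # Assumption: an unset tombstoneLifetime means 60 days, and an unset
    # msDS-deletedObjectLifetime falls back to the tombstone lifetime.
    $tsl = if ($null -ne $TombstoneLifetime) { $TombstoneLifetime } else { 60 }
    $dol = if ($null -ne $DeletedObjectLifetime) { $DeletedObjectLifetime } else { $tsl }
    $age = ($Now - $DeletedAt).TotalDays

    if (-not $RecycleBinEnabled) {
        # Logical delete -> tombstoned -> physically removed
        $steps = @(@{ Stage = 'Tombstoned'; Attributes = 'Most removed'; Ends = $tsl })
    } else {
        # Logical delete -> deleted -> recycled -> physically removed
        $steps = @(
            @{ Stage = 'Deleted';  Attributes = 'All kept';     Ends = $dol },
            @{ Stage = 'Recycled'; Attributes = 'Most removed'; Ends = $dol + $tsl }
        )
    }
    foreach ($s in $steps) {
        if ($age -lt $s.Ends) {
            return [pscustomobject]@{
                Stage = $s.Stage; Attributes = $s.Attributes
                AgeDays = [math]::Floor($age); StageEnds = $DeletedAt.AddDays($s.Ends)
            }
        }
    }
    [pscustomobject]@{ Stage = 'Eligible for garbage collection'; Attributes = 'n/a'
                       AgeDays = [math]::Floor($age); StageEnds = $null }
}

# Constructed sample: tombstoneLifetime = 180 days, msDS-deletedObjectLifetime not set.
$now = [datetime]'2024-06-01'
foreach ($rb in $true, $false) {
    foreach ($deleted in '2024-05-01', '2023-10-01', '2023-01-01') {
        Get-DeletedObjectStage -DeletedAt ([datetime]$deleted) -Now $now `
            -RecycleBinEnabled $rb -TombstoneLifetime 180 |
            Add-Member -NotePropertyName RecycleBin -NotePropertyValue $rb -PassThru
    }
}
```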