Active Directory recycle bin risks

Raz Weingarten 21 Reputation points
2021-07-12T13:35:37.19+00:00

Hi,
We activated the AD recycle bin in my organization and we didn't really like it.
We wanted to change it to be "disabled", but I read in a few articles that the action is irreversible, so we later on figured we could just set the tombstone lifetime to 1, so we can get rid of the objects fast.
I wanted to ask a few questions about it before we take any action:

  1. We changed the tombstone lifetime to 1. What are the risks regardless of this action? I heard that we might have some issue in case one of our DCs goes down for more than the tombstone lifetime.
  2. When does it start the countdown? (After setting it to 1 it didn't delete items that had been there for weeks.)
  3. What else do I need to know about the AD recycle bin? I have no experience with that at all. Thanks in advance, Raz.

Accepted answer
  1. Fan Fan 15,336 Reputation points Microsoft Vendor
    2021-07-13T02:16:50.05+00:00

    Hi,

    Based on my research:

    msDS-deletedObjectLifetime: describes how long a deleted object will be restorable
    tombstoneLifetime: describes how long a deleted object will not be restorable

    If a domain controller has not replicated with its partner for longer than a tombstone lifetime, it is possible that a lingering object problem exists on one or both domain controllers. The tombstone lifetime in an Active Directory Forest determines how long a deleted object (called a "tombstone") is retained in Active Directory Domain Services (AD DS).

    For your questions:

    1, So, it is not suggested to set the tombstone lifetime too low.
    It will also impact the useful lifetime of backups.

    2, When does it start the countdown?
    Based on my test, when you change the tombstone lifetime, it will not impact the deleted items that already existed.
    Once the change of tombstone lifetime is replicated to all other DCs, new deleted objects will be impacted by the new value.

    3, Let's make clear the difference between Recycle Bin enabled and not enabled.

    How is an object deleted without AD Recycle Bin?

    When we do a "Logical delete", the object will be "Tombstoned" and moved to the "Deleted Objects" container; most of its attributes are removed, and its name is also mangled.
    After the so-called "TombstoneLifetime", this object will be "garbage collected" or physically removed.

    How is an object deleted when Active Directory Recycle Bin is enabled?

    When we do a "Logical delete", the object will be "deleted" and moved to the "Deleted Objects" container; however, all its attributes will be kept, but its name is also mangled.
    After the so-called "Deleted object lifetime", this object will be "recycled" with most of its attributes removed; this is similar to being "Tombstoned" in 2003.
    After the "Recycled object lifetime", this object will be physically removed.

    For information about the AD Recycle Bin, you can refer to:

    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-ad-recycle-bin-understanding-implementing-best-practices-and/ba-p/396944

    Best Regards,


1 additional answer

  1. Evgenij Smirnov 541 Reputation points
    2021-07-12T13:43:15.523+00:00

    Hi.

    The tombstoneLifetime value does not govern what happens to the objects in the Recycle Bin; msDs-deletedObjectsLifetime does. Once that number of days has expired, the objects are tombstoned for tombstoneLifetime days and then purged physically by garbage collection.

    So go ahead and set tombstoneLifetime to a higher value to prevent the USN rollback type problems from occurring, but lower msDs-deletedObjectsLifetime to 1 to have deleted objects disappear from the Recycle Bin more quickly.

    Out of curiosity: what is it that you 'didn't like' about the Recycle Bin?
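Both answers hinge on the same point: two separate forest-wide attributes on the Directory Service object control the two stages of deletion, and only one of them (msDS-DeletedObjectLifetime) should be shortened to empty the Recycle Bin faster. The following PowerShell is an added example, not code from either answer or from Microsoft; it assumes the ActiveDirectory RSAT module on a domain-joined machine and reads both values and the Recycle Bin state. The only write is left commented out, and the minimum tombstone lifetime it warns about is an assumed placeholder you should replace with your own policy value.

```powershell
# Added example: inspect the two lifetimes that govern deleted objects and the
# Recycle Bin state. Read-only unless you uncomment the final Set-ADObject line.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

$ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# Both attributes are absent until someone sets them explicitly.
# tombstoneLifetime unset means the 60-day default (forests created on Windows Server 2003 SP1
# or later have 180 written at creation). msDS-DeletedObjectLifetime unset means "same as
# tombstoneLifetime", so restorable and tombstoned windows collapse into one value.
$tsl = if ($null -ne $ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
$dol = if ($null -ne $ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }

# Recycle Bin is an optional feature; it is enabled when it has at least one enabled scope.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$rbEnabled = ($rb.EnabledScopes.Count -gt 0)

[pscustomobject]@{
    RecycleBinEnabled            = $rbEnabled
    'msDS-DeletedObjectLifetime' = $dol   # days an object stays restorable (meaningful only when enabled)
    tombstoneLifetime            = $tsl   # days in the tombstoned state after that; also bounds backup age
                                           # and how long a DC may stay offline before lingering objects
}

# Assumed placeholder: replace with the minimum your organization is comfortable with.
$MinAcceptableTombstoneLifetime = 180
if ($tsl -lt $MinAcceptableTombstoneLifetime) {
    Write-Warning "tombstoneLifetime is $tsl days; a DC offline longer than this, or a backup older than this, risks lingering objects."
}
if ($rbEnabled -and $null -eq $ds.'msDS-DeletedObjectLifetime') {
    Write-Host "msDS-DeletedObjectLifetime is unset, so it inherits tombstoneLifetime ($tsl days)."
}

# To shorten only the restorable window (what the second answer recommends), write
# msDS-DeletedObjectLifetime and leave tombstoneLifetime alone. Uncomment to apply:
# Set-ADObject -Identity $dsPath -Replace @{'msDS-DeletedObjectLifetime' = 1}
```

Running this before and after any change makes the two-stage model visible: an object deleted while the Recycle Bin is enabled first sits restorable for msDS-DeletedObjectLifetime days, then tombstoned for tombstoneLifetime days, and only then is garbage collected. Shortening the first window to 1 day gets rid of Recycle Bin entries quickly without touching the second window, which is the one replication health and backup validity depend on.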

