That’s a question from the Microsoft Newsgroups:
Is there any recommendation on what the value for Object Deleted Lifetime (msDS-DeletedObjectLifetime) should be? What are the pros and cons of having a small/higher number?
Okay – so let’s look at this: since Server 2008 R2, there’s the AD Recycle Bin that lets you delete objects and, in case you need them, restore them. The benefit is that with the Recycle Bin enabled, deleted objects retain all their attributes for the time they spend in the recycle bin (which is called the “Deleted Object Lifetime”) – without the Recycle Bin, you only get tombstones that have most of their attributes stripped.
Clearly, there are benefits to having the Recycle Bin enabled in case you fat fin… accidentally delete objects. Now to the question: what is an appropriate value for the Deleted Object Lifetime? To really understand the Recycle Bin, I recommend another article I set up: http://www.frickelsoft.net/blog/?p=169.
The “Deleted Object Lifetime” is the time the deleted object is “in the recycle bin”. That’s the time during which the object retains its whole set of attributes before it gets turned into a tombstone and finally, some time later, gets purged. I’ve checked a couple of places and TechNet articles, but there was no recommendation on what the “deleted object lifetime” should be set to.
By default, if msDS-DeletedObjectLifetime isn’t set, the system falls back to the tombstoneLifetime. That’s either 180 days or 60 days if you didn’t change it. You can use AdFind to find its actual value:
adfind -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=tld" dn tombstoneLifetime
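As an added example (not part of the original post), here is the same lookup in PowerShell with the ActiveDirectory module. It applies the fallback described above (msDS-DeletedObjectLifetime, then tombstoneLifetime, then 60 days) and estimates how many days each deleted object has left before it is recycled; treating whenChanged as the deletion time is an approximation, since that attribute is bumped on deletion but is not a dedicated deletion timestamp.

```powershell
# Added example, not from the original post. Read-only: nothing is modified.
Import-Module ActiveDirectory

function Get-EffectiveDeletedObjectLifetime {
    # Both lifetimes live on the Directory Service object in the Configuration NC.
    $rootDse  = Get-ADRootDSE
    $dsObject = Get-ADObject `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # Fallback chain: msDS-DeletedObjectLifetime -> tombstoneLifetime -> 60 days
    $tsl = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }
    $dol = if ($dsObject.'msDS-DeletedObjectLifetime') { $dsObject.'msDS-DeletedObjectLifetime' } else { $tsl }

    [pscustomobject]@{
        TombstoneLifetimeDays      = $tsl
        DeletedObjectLifetimeDays  = $dol
        DeletedObjectLifetimeIsSet = [bool]$dsObject.'msDS-DeletedObjectLifetime'
    }
}

function Get-DeletedObjectsRemainingDays {
    $lifetime = Get-EffectiveDeletedObjectLifetime

    # Deleted but not yet recycled objects are the ones still fully restorable.
    Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
        -Properties whenChanged, lastKnownParent, isRecycled |
        Where-Object { $_.Name -ne 'Deleted Objects' -and -not $_.isRecycled } |
        ForEach-Object {
            # Assumption: whenChanged approximates the deletion date.
            $ageDays = [int][math]::Floor(((Get-Date) - $_.whenChanged).TotalDays)
            [pscustomobject]@{
                Name              = $_.Name
                LastKnownParent   = $_.lastKnownParent
                DeletedApprox     = $_.whenChanged
                DaysUntilRecycled = [math]::Max(0, $lifetime.DeletedObjectLifetimeDays - $ageDays)
            }
        }
}

Get-EffectiveDeletedObjectLifetime
Get-DeletedObjectsRemainingDays | Sort-Object DaysUntilRecycled | Format-Table -AutoSize
```

Objects reported with few days left are the ones to restore now if they are still needed; once recycled they are only recoverable from a backup.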
My answer would be: If you don’t have a specific reason to set it to a certain value, leave it at the default. That leaves you 60/180 days to restore the whole object with all its attributes before it is turned into a “recycled object” – that “recycled object” looks like a tombstone, stripped of its attributes. From then on, it is gone and you cannot restore it any more.
The Recycle Bin is not a backup strategy on its own, nor is it something you should consider having as the only restore method for deleted objects. It is just another layer in your restore strategy that brings some convenience, as it preserves the attributes. Not more, not less. There’s no new backup/restore magic to it.
Keep in mind that with the “deleted object lifetime” set to a large value, objects stay longer in your directory before they actually get purged. Certainly, that doesn’t blow up your DIT enormously, but it does have an impact on the number of objects you back up, replicate, index and search through. Just keep that in mind.