Are there recommendations on what the “Deleted Object Lifetime” value should be set to?

That’s a question from the Microsoft Newsgroups:

Is there any recommendation on what the value for Object deleted lifetime (msDS-DeletedObjectLifetime) should be? What are the pros and cons of having a small/higher number?

Okay – so let’s look at this: since Server 2008 R2, there’s the AD Recycle Bin, which lets you delete objects and, in case you need it, restore them. The benefit is that with the Recycle Bin enabled, deleted objects retain all their attributes for the time they are in the recycle bin (which is called the “Deleted Object Lifetime”) – without the Recycle Bin, there are only tombstones, which have their attributes stripped.

Clearly, there are benefits to having the Recycle Bin enabled in case you fat fin… accidentally delete objects. Now to the question: what is an appropriate value for the Deleted Object Lifetime? To really get behind the Recycle Bin, I recommend another article I set up:

The “Deleted Object Lifetime” is the time the deleted object is “in the recycle bin”. That’s the time during which the object retains its whole set of attributes before it gets turned into a tombstone and finally, some time later, gets purged. I’ve checked a couple of places and TechNet articles, but there was no recommendation on what the “deleted object lifetime” should be set to.

By default, if msDS-DeletedObjectLifetime isn’t set, the system assumes the tombstoneLifetime. That’s either 180 days or 60 days if you didn’t change it. You can use AdFind to find its actual value:

adfind -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=tld" dn tombstoneLifetime

My answer would be: if you don’t have a specific reason to set it to a certain value, leave it at the default. That leaves you 60/180 days to restore the whole object with all its attributes before it is turned into a “recycled object” – that “recycled object” looks like a tombstone, stripped of its attributes. From then on, it is gone and you cannot restore it any more.
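The same check in PowerShell with the ActiveDirectory module, as an added example that is not from the original post: it reads both attributes from the Directory Service object, applies the fallback described above (msDS-DeletedObjectLifetime, else tombstoneLifetime, else the 60-day assumption), and reports whether the Recycle Bin feature is actually enabled. The function name is my own; it assumes RSAT is installed and the caller can read the Configuration partition.

```powershell
# Added example, not part of the original post. Reports the effective
# "Deleted Object Lifetime" of the current forest and where the value comes
# from. Assumes the ActiveDirectory module (RSAT) and read access to the
# Configuration naming context.
Import-Module ActiveDirectory

function Get-EffectiveDeletedObjectLifetime {
    # Function name is my own, not a built-in cmdlet.
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # Same object the AdFind query in the post reads; configurationNamingContext
    # already contains the "CN=Configuration,DC=..." part of the DN.
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    $tsl = $ds.tombstoneLifetime
    $dol = $ds.'msDS-DeletedObjectLifetime'

    # tombstoneLifetime itself falls back to 60 days when the attribute is absent.
    $tslDays = if ($null -ne $tsl) { [int]$tsl } else { 60 }

    # Fallback chain: explicit msDS-DeletedObjectLifetime, else tombstoneLifetime,
    # else the 60-day assumption.
    if ($null -ne $dol) {
        $effective = [int]$dol
        $source    = 'msDS-DeletedObjectLifetime (set explicitly)'
    } elseif ($null -ne $tsl) {
        $effective = [int]$tsl
        $source    = 'tombstoneLifetime (msDS-DeletedObjectLifetime not set)'
    } else {
        $effective = 60
        $source    = 'built-in default (neither attribute set)'
    }

    # The lifetime only matters if the optional feature is enabled for the forest;
    # on a forest below the 2008 R2 functional level the feature does not exist.
    $rb = Get-ADOptionalFeature -Filter "name -eq 'Recycle Bin Feature'"
    $rbEnabled = ($rb.EnabledScopes | Measure-Object).Count -gt 0

    [PSCustomObject]@{
        RecycleBinEnabled         = $rbEnabled
        DeletedObjectLifetimeDays = $effective
        LifetimeSource            = $source
        TombstoneLifetimeDays     = $tslDays
    }
}

Get-EffectiveDeletedObjectLifetime | Format-List
```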

The Recycle Bin is not a backup strategy on its own, nor is it something you should consider as the restore method for deleted objects. It is just another layer in your restore strategy that brings some convenience because it persists the attributes. Not more, not less. There’s no new backup/restore magic to it.

Keep in mind that with the “deleted object lifetime” set to a large value, objects stay longer in your directory before they actually get purged. Certainly, that doesn’t blow up your DIT enormously, but it does have an impact on the number of objects you back up, replicate, index and search through. Just keep that in mind.

3 Comments so far

  1. Philipp Foeckeler on January 5th, 2010

    Interesting article, thx for that…

    But I’m a bit confused about the attribute’s name: ms-DS-objectDeletedLifetime. I think the correct name (if you want to set it through LDAP) is
    ‘msDS-DeletedObjectLifetime’ – or (if you have a look at the AD schema object for this attribute) ‘ms-DS-Deleted-Object-Lifetime’.

    I think the last (db schema related name) is only used internally by the AD DB, but if you want to set it to change the AD recycle bin setting, you definitely have to use ‘msDS-DeletedObjectLifetime’, otherwise you will run into an error, or not?


  2. florian on January 5th, 2010

    Thanks Philipp,

    indeed it is msDS-DeletedObjectLifetime you want to query. I’m going to fix it here. It was wrong in the initial question of the poster and I mixed it all up.

    MSDN is clear about that:

    Again, thanks for pointing that out!

  3. [...] The original article can be found in English at . Related posts: The Secret of the Tombstone Lifetime The Attribute [...]