Daniel Ramawidjaja Blog

June 22, 2009

Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE)

This tip has been tested that it works for Windows Server 2003, Windows Server 2008, or later.
For Windows Server 2008 R2, it is recommended to use Active Directory Recycle Bin feature. It’s more efficient method and can do complete restore of the previous deleted objects.

What Is a Tombstone?
When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object’s isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object’s naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations.

Obviously, objects don’t remain in the CN=Deleted Objects container forever. The default tombstone lifetime is 60 days for forests initially built using Windows® 2000 and Windows Server 2003, and 180 days for forests that were initially built with Windows Server 2003 SP1. You can change the tombstone lifetime by setting the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration, DC= object.

Every 12 hours, each domain controller starts a garbage collection process. (This can be changed by setting a new value for the garbageCollPeriod attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration,DC= object.) This garbage collection scans all of the tombstones on the DC and physically deletes any that are older than the tombstone lifetime.

The Deleted Objects container is hidden and can not be viewed by using Active Directory Users and Computers and ADSIEDIT.MSC. But you can use LDP.EXE.

For example, in this documentation, I delete an account with distinguishedName: CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com.
That account will be stored in Deleted Objects container in the form:
CN=Jenny GatesADEL:c7f41f06-7f02-42c9-8701-d5ad5ee3a7d0,CN=Deleted Objects,DC=Microship,DC=com
and with the attribute isDeleted is set TRUE.

To restore the user account, you have to use LDP.EXE to modify the properties of the deleted objects.
Here the snapshots


The previous condition
Jenny Gates (username: JennyG) has the following attributes:

Tombstone Reanimation - Before Deletion

Tombstone Reanimation - Before Deletion

Jenny has permissions set to C:\Data\Marketing folder.

Tombstone Reanimation - Before Deletion

Delete the user account Jenny

Tombstone Reanimation - Deletion

As the Result of Deletion
The Jenny’s previous account will be shown in the folder as her old SID. If you create a new user, it actually create a new object with the new SID for the user. That’s why you have to use the Tombstone Reanimation method to restore the old object.

Tombstone Reanimation - Impact of Deletion


For preparation to restore the deleted object, you have to install Windows Server 2003 Support Tools. From the Windows Server 2003 Installation CD, it is located on \SUPPORT\TOOLS\SUPTOOLS.MSI
You do not need to follow this step, if using Windows Server 2008.

Tombstone Reanimation - Support Tools


Process to Restore the Deleted Object
Run LDP.exe.
On LDP window, click Connection menu, click Connect, type the appropriate server name and port.
Click Connection menu, click Bind, and type the Administrator account and password.

Click Options menu, click Controls.
On Load Predefined, select Return deleted objects.
This option will show the Deleted Objects container that is hidden by default.

Tombstone Reanimation

Click View menu, click Tree, and then select the distinguished name of the domain name.
On the left, select DC=Microship,DC=com.
Then expand the Deleted Objects container, and find Jenny Gates.

Right click on the Jenny account, then click Modify.

Tombstone Reanimation

In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.
In the Attribute box, type distinguishedName, in the Values box, type CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com. Under operation, click Replace, and then click Enter.
Select the Extended check box, and then click Run.

Tombstone Reanimation

The result of restoring deleted objects using Tombstone Reanimation procedure is not perfect. You will restore a disabled account with all attributes has been stripped. You have to set the password and enable the account.

Tombstone Reanimation - The Result

But as you can see from the following picture that the permissions for Jenny has been restored.
Now Jenny can access the shared folder.

Tombstone Reanimation - The Result

The next pictures show that, although you can restore the object, but many attributes has gone including the membership of the user.

Tombstone Reanimation - The Result

Tombstone Reanimation - The Result

If you want to have a successful restore including all attributes of the user, you should consider to do Authoritative Restore that need you to restore from backup. and you can not restore the active directory database from backup without restarting to Active Directory Restore Mode.



  1. […] Tombsone Reanimation Using AdRestore.exe and ADRestore.NET By using AdRestore.exe or ADRestore.NET, you can easily restore deleted objects from Active Directory database by using tombstone reanimation method. So it basically do the same as using LDP in my previous post, Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE) […]

    Pingback by Tombsone Reanimation Using AdRestore.exe and ADRestore.NET « Daniel Ramawidjaja Blog — June 22, 2009 @ 5:39 pm | Reply

  2. Great Help !!! Thanks for the Information.

    Comment by Pravin — March 26, 2010 @ 1:39 pm | Reply

  3. I have noticed the using Exchange Console and removing the mailbox, awill remove the AD object also. but it doesn’t show up in the garbage colection. why is that?
    what can I do if I have a user that instead of desabling a user mailbox, removes it, and the NT account, I have an administrator look and it doesn’t show up in the Garbage can process to restore. anyone know what is the deal here?

    Comment by Dave keffer — July 13, 2010 @ 4:43 pm | Reply

    • It’s about Active Directory not Exchange. but it’s ok. 🙂
      You didn’t say about the Exchange version you used. Assumed it’s Exchange 2010. You tried to do this.
      On your Exchange Server where you disable the mailbox, open Exchange Management Shell. run cmdlet: Get-MailboxDatabase | Clean-MailboxDatabase. Then verify the result from Exchange Management Console, it should be visible on Disconnected Mailbox node.

      Comment by Daniel Ramawidjaja — July 14, 2010 @ 12:31 am | Reply

  4. Good Article.. helpful in understanding the deleted objects life cycle in Active Directory

    Comment by Naveen Kumar B — July 25, 2011 @ 7:47 am | Reply

  5. Great article, thanks!

    Note – Note: As a search result of LDAP query, only 1000 objects are returned by default. For example, if more than 1000 objects exist in the Deleted Objects container, not all objects appear in this container. If your target object does not appear, use NTDSUTIL, and then set the maximum number by using maxpagesize to get the search results, as described in the following KB article: How to view and set LDAP policy in Active Directory by using Ntdsutil.exe – 315071 7. Double-click the object that you want to undelete or to reanimate.

    Comment by Michael Chelsea — October 16, 2011 @ 4:04 pm | Reply

  6. Thank you!

    Comment by Ondrej — June 2, 2012 @ 2:58 am | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: