The short answer for nearly everyone is 180 days but to answer the question, how long can a Domain Controller be offline, properly you need to understand what a Tombstone is and you also should consider your Flexible Service Master Roles (FSMO’s).
What is an Active Directory Tombstone?
In 1999 Microsoft introduced the concept of Tombstoning objects. Tombstone can be thought of as a recycle bin for your Active Directory objects. When you delete something in AD, it doesn’t get removed; it just gets flagged with the “isDeleted” property and then usually hidden from most GUI’s.
Objects (user accounts, computer accounts, printers…) that are Tombstoned can be recovered (i.e. undeleted) with the Tombstone lifetime.
If you were to create an Active Directory object (like a user account), then delete it, and create an identical user account, Windows would know they are different because every account has a Globally Unique ID (aka GUID) which is s long string of unique text like a serial number. If you recover an AD object that was deleted, the “isDeleted” property is removed and the object is restored, with its original GUID.
What is Active Directory Garbage Collection?
AD Garbage Collection is the process of actually purging objects (i.e. user accounts, machine accounts, printer accounts…) from Active Directory after their Tombstone Lifetome has expired.
What is The Tombstone Lifetime?
The Tombstone Lifetime can be set manually, but by default is is set by the first Domain Controller that is added to creat the Forest:
|Operating System of first Domain Controller||Default Tombstone Lifetime (days)|
|Windows Server 2022||180|
|Windows Server 2019||180|
|Windows Server 2016||180|
|Windows Server 2012||180|
|Windows Server 2008 R2||180|
|Windows Server 2008||180|
|Windows Server 2003 R2 SP2||180|
|Windows Server 2003 R2 SP1||60|
|Windows Server 2003 R2||60|
|Windows Server 2003 SP2||180|
|Windows Server 2003 SP1||180|
|Windows Server 2003 RTM||60|
|Windows 2000 Server||60|
How To Check or Set AD Tombstone Lifetime:
- Click START, type ADSI and click on ADSI EDIT
- Right click on ADSI EDIT and select CONNECT TO
- Change SELECT A WELL KNOWN NAMING CONTEXT to CONFIGURATION and click OK
- Expand CONFIGURATION > CN=CONFIGURATION,DC=(DOMAIN) > CN = SERVICES > CN = WINDOWSNT
- Right click on CN= DIRECTORY SERVICES and select PROPERTIES
- Scroll down until you see TOMBSTONE LIFETIME
If TOMESTONE LIFETIME shows <NOT SET>, it is the default number shown in the table above
How Long Can a Windows Domain Controller Stay Offline?
In nearly all cases a Domain Controller can happily reconnect to a Domain after being powered off or disconnected for up to 180 days.
A Microsoft Windows Domain Controller can stay offline, disconnected from the other DC’s in the Forest for number of days set as the directories TOMBSTONE. Unless someone in your company has manually changed the Tombstone Lifetime, is will range between 60 and 180 days.
The Knowledge Consistency Checker service will function happily (syncing all of the changes, additions, and deletions to your Active Directory) when a DC is reconnected to a Domain up to the “Tombstone” lifetime.
Precautions To Take When Taking a DC Offline For An Extended Period of Time
If you have a DC that is going offline for a long period of time, you will likely want to migrate the FSMO’s to Domain Controllers that are going to stay online. For instance, if the server going down is the Schema Master, Domain Naming Master, PDC Emulator, Operations Master, you likely want those functions to stay online during the time the one server is offline.
If you are not familiar with FSMO’s or you want to know how to view or move your Domains FSMO’s, skim this simple Microsoft article.
How To Fix Problems After Reconnecting An Outdated Domain Controller
…If unexpected events result in a domain controller becoming outdated, you can perform a procedure to safely remove lingering objects. If the disconnected domain controller is running Windows Server 2003 or Windows Server 2008 and an authoritative domain controller running Windows Server 2003 or Windows Server 2008 is available in this site or a neighboring site, reconnect the domain controller and immediately follow the instructions in Use Repadmin to Remove Lingering Objects. Source