As we all know, in the Windows 2000 and 2003 era, when we delete an object from AD, AD does not delete the object outright; instead it marks the object as a tombstone. A tombstone is kept in Active Directory for another 180 days (60 days on 2000 and 2003, 180 days on 2003 with SP1 applied), and this period is the tombstone lifetime. An admin can change the tombstone lifetime with Adsiedit.msc: open Configuration\Services\Windows NT\Directory Service and edit the tombstoneLifetime attribute.
Note: Tombstone lifetime (tombstoneLifetime) is the interval from the moment an object is deleted in AD until it is actually removed. The default is 180 days, chosen so that the deletion has time to replicate to every DC in the domain. Restoring a DC from a system state backup is bound by the same window: you cannot restore from a system state backup older than the default 180-day tombstone lifetime. When an Active Directory object is deleted it does not vanish outright; it is moved to a hidden container, CN=Deleted Objects, where it is kept for 180 days (the default). Within those 180 days it can be restored. Every 24 hours each domain controller runs a process called "garbage collection", which permanently removes any deletion record older than 180 days; after that the object can only be recovered from backup. The discussion here covers the situation within the 180 days.
Now let's look at Microsoft's Active Directory LDP tool (Ldp.exe).
From the Connection menu, choose Connect and enter the domain controller you want to connect to. Note that the LDAP protocol uses port 389.
From the Connection menu, choose Bind and enter the credentials of the operator performing the connection. After binding, the output shows "Authenticated as: Administrator".
From the Options menu, choose Controls and select Return deleted objects.
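The same two pieces of information the text walks through, the forest's tombstoneLifetime and the tombstones that are still restorable, can be pulled with the ActiveDirectory PowerShell module instead of clicking through LDP. This is an added example, not code from the original post; it assumes a domain-joined host with RSAT installed and an account allowed to read deleted objects, and it treats a tombstone's whenChanged value as an approximation of its deletion time.

```powershell
# Added example (not from the original post): report tombstones and how many days
# each has left before garbage collection removes it.
# Assumes: domain-joined host, RSAT ActiveDirectory module, read access to Deleted Objects.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

# tombstoneLifetime lives on the Directory Service object in the Configuration NC,
# the same object the text edits with Adsiedit.msc. If the attribute is absent, the
# forest uses the pre-2003-SP1 default of 60 days.
$dsObject      = Get-ADObject -Identity $dsConfig -Properties tombstoneLifetime
$tombstoneDays = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
Write-Host "Effective tombstoneLifetime: $tombstoneDays days"

# -IncludeDeletedObjects attaches the LDAP_SERVER_SHOW_DELETED_OID control
# (1.2.840.113556.1.4.417), which is what LDP's "Return deleted objects" option enables.
$tombstones = Get-ADObject -LDAPFilter "(isDeleted=TRUE)" `
    -IncludeDeletedObjects `
    -SearchBase $rootDse.defaultNamingContext `
    -Properties isDeleted, lastKnownParent, whenChanged

$now    = Get-Date
$report = foreach ($obj in $tombstones) {
    # Assumption: whenChanged on a tombstone approximates when the object was deleted.
    $deletedOn = $obj.whenChanged
    $expires   = $deletedOn.AddDays($tombstoneDays)
    [pscustomobject]@{
        Name            = $obj.Name
        LastKnownParent = $obj.lastKnownParent
        DeletedOn       = $deletedOn
        DaysRemaining   = [math]::Floor(($expires - $now).TotalDays)
        Restorable      = ($expires -gt $now)   # once false, only a backup can bring it back
    }
}

$report | Sort-Object DaysRemaining | Format-Table -AutoSize
```

Objects whose Restorable column is false are past the tombstone lifetime and will be removed on the next garbage-collection pass, which is the case the text says can only be handled from backup.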