Removing Lingering Object from AD (Domain controller failing to replicate)

Today I walked into work with everyone at one of our remote sites having all kinds of issues from DNS to passwords. After poking around we came to the conclusion that AD was not replicating at all. In order to dig a little deeper you will need two tools: Microsoft’s AD replication status tool and Repadmin. Microsoft’s documentation is a bit confusing (KB2028495) and 90% of the blogs I found were wrong, so after figuring out how to use the command properly I figured I would post something.


1) Use the MS AD Replication Status Tool. If you see error 8606 you are most likely having a lingering object issue. The error description is as follows:

The replication generated an error (8606): Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

2) Look in Event Viewer on the server that is throwing the error (Applications and Services Logs -> Directory Service) and filter for event ID 1988. If you have that event ID you are having lingering object issues.

So at this point I knew what the problem was, and after googling there was plenty of information; the problem was that most of it was overly complex or wrong. Here's how I fixed it.

3) After filtering your event log you should see in the description of the event something like this (Note: Some information has been removed or truncated for security reasons):

Active Directory Domain Services Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory Domain Services database.  Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed.  Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as “lingering objects”.

Source domain controller:
5b6c8ef6-e8f4-TRUNCATED._msdcs.ORG.com
Object:
DC=COMPUTERNAME\0ADEL:4c41b7b0-TRUNCATED,CN=Deleted Objects,DC=ORG,DC=com
Object GUID:
4c41b7b0-1b88-TRUNCATED

This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory Domain Services database.  This replication attempt has been blocked.

The best solution to this problem is to identify and remove all lingering objects in the forest.

User Action:

Remove Lingering Objects:

The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282.

If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run “repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE”. The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run “repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>”.

If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.

If you need Active Directory Domain Services replication to function immediately at all costs and don’t have time to remove lingering objects, enable loose replication consistency by unsetting the following registry key:

Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency

Replication errors between DCs sharing a common partition can prevent user and computer accounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.

Lingering objects may be prevented by ensuring that all domain controllers in the forest are running Active Directory Domain Services, are connected by a spanning tree connection topology and perform inbound replication before Tombstone Live number of days pass.

This is actually one of the better errors that Microsoft has and it is pretty helpful. You may notice that you can turn off strict replication consistency in an emergency and replication will occur. This isn't recommended if you do have time to use repadmin, which is what I would recommend doing first as it should work.


Towards the top of the error you will see this:

Source domain controller:
5b6c8ef6-e8f4-TRUNCATED._msdcs.ORG.com
Object:
DC=COMPUTERNAME\0ADEL:4c41b7b0-TRUNCATED,CN=Deleted Objects,DC=ORG,DC=com
Object GUID:
4c41b7b0-1b88-TRUNCATED

4) The command to fix is as follows: repadmin /removelingeringobjects <FQDN of BAD DC> <GUID of GOOD DC> <Naming Context>

The FQDN of the bad DC is pretty self-explanatory, but getting the GUID of a GOOD DC takes a bit of effort. Open the DNS snap-in, expand Forward Lookup Zones, and then open _msdcs.ORG.com. In this lookup zone you will see a list of GUIDs that point to all of the DCs in the org; pick a known good DC that is replicating correctly to the other DCs (e.g. 07879d74-1bba-4b36-TRUNCATED). The naming context comes from the error; I just used the root of our forest (e.g. DC=ORG,DC=com).

The completed command looks like this: repadmin /removelingeringobjects BADDC.org.com 07879d74-1bba-4b36-TRUNCATED DC=ORG,DC=com

I ran this from the known working DC. If you just want AD DS to detect the lingering objects, add the /advisory_mode flag; this will throw event ID 1946 stating that there are or are not lingering objects, and then event ID 1942 will appear after that stating that the verification completed.

Run the command without the advisory mode flag. After running you will see an event ID for each lingering object (event ID 1945) and finally event ID 1939 stating that all objects have been verified.
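The whole procedure (steps 2 to 4) strung together in PowerShell, as an added example that is not from the original post: it reads event 1988 on the DC that is refusing to replicate, resolves the bad DC from the GUID named in that event, pulls the DSA GUID of a known good DC out of AD instead of the DNS snap-in, checks whether the reporting DC is still in strict consistency mode, and runs repadmin in advisory mode unless you pass -Remove. It assumes the RSAT ActiveDirectory module and repadmin.exe are installed where it runs, that WinRM is enabled on the DCs for the registry check, and that the hostnames and naming context in the parameters are placeholders you replace with your own.

```powershell
# Added example (not the post author's script). Automates steps 2-4 of the post.
# Assumptions: RSAT ActiveDirectory module, repadmin.exe, WinRM to the DCs;
# the DC names and naming context below are placeholders for your own forest.
param(
    [string]$ReportingDc   = 'GOODDC.org.com',   # DC showing error 8606 / event 1988
    [string]$GoodDc        = 'GOODDC.org.com',   # known-good replication partner
    [string]$NamingContext = 'DC=ORG,DC=com',    # partition named in the event
    [switch]$Remove                              # omit to stay in advisory mode
)

Import-Module ActiveDirectory

# Step 2: event 1988 on the reporting DC is the signature of a blocked lingering object.
$events = Get-WinEvent -ComputerName $ReportingDc `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 1988 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No event 1988 on $ReportingDc; this is probably not a lingering object problem."
    return
}

# Step 3: the event names the source (bad) DC by its DSA GUID in the _msdcs zone,
# plus the lingering object's DN and GUID. Collect the distinct source DCs.
$sources = @{}
foreach ($e in $events) {
    $src = $obj = $guid = $null
    if ($e.Message -match 'Source domain controller:\s*(\S+)') { $src  = $Matches[1] }
    if ($e.Message -match 'Object:\s*([^\r\n]+)')              { $obj  = $Matches[1] }
    if ($e.Message -match 'Object GUID:\s*([0-9a-fA-F-]+)')    { $guid = $Matches[1] }
    '{0}  source={1}  object={2}  guid={3}' -f $e.TimeCreated, $src, $obj, $guid
    if ($src) { $sources[$src] = $true }
}

# Is the reporting DC still enforcing strict replication consistency? 1 = strict, 0 = loose.
# Loose mode is the emergency switch from the event text; it lets the stale object replicate in.
$strict = Invoke-Command -ComputerName $ReportingDc -ScriptBlock {
    (Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters').'Strict Replication Consistency'
}
"Strict Replication Consistency on ${ReportingDc}: $strict"

# Step 4: the GUID the post reads from the _msdcs DNS zone is the objectGUID of the
# good DC's NTDS Settings object, so fetch it from AD directly.
$goodNtds = (Get-ADDomainController -Identity $GoodDc).NTDSSettingsObjectDN
$goodGuid = (Get-ADObject -Identity $goodNtds).ObjectGUID.Guid

foreach ($srcName in $sources.Keys) {
    # <guid>._msdcs.<forest> is a CNAME pointing at the bad DC's real hostname.
    $badDc = (Resolve-DnsName -Name $srcName -Type CNAME -ErrorAction Stop).NameHost
    "Bad DC: $badDc  reference GUID: $goodGuid  NC: $NamingContext"

    if ($Remove) {
        # Real removal: expect event 1945 per object and 1939 on completion, on the bad DC.
        & repadmin.exe /removelingeringobjects $badDc $goodGuid $NamingContext
        $ids = 1945, 1939
    } else {
        # Advisory mode changes nothing: expect 1946 per object and 1942 on completion.
        & repadmin.exe /removelingeringobjects $badDc $goodGuid $NamingContext /ADVISORY_MODE
        $ids = 1946, 1942
    }

    # Show the verification/removal events the post describes, first line of each message only.
    Get-WinEvent -ComputerName $badDc `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = $ids } `
        -MaxEvents 100 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}
```

Run it once without -Remove, read the 1946/1942 events it prints for each bad DC, and only then rerun with -Remove; the strict-consistency value is printed so you can confirm nobody flipped the registry key to 0 during the outage, which would let the lingering objects replicate back in after cleanup.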


Hope that helps!
