{"id":2464,"date":"2023-04-09T11:12:55","date_gmt":"2023-04-09T09:12:55","guid":{"rendered":"https:\/\/itsimple.info\/?p=2464"},"modified":"2023-04-09T11:12:58","modified_gmt":"2023-04-09T09:12:58","slug":"how-to-fix-active-directory-replication-even-after-tombstone-lifetime-has-expired","status":"publish","type":"post","link":"https:\/\/itsimple.info\/?p=2464","title":{"rendered":"How To Fix Active Directory Replication Even After Tombstone Lifetime Has Expired"},"content":{"rendered":"\n<p>In Active Directory, replication between domain controllers (DCs) is one of the most important processes and must happen without any errors. When replication stops, a countdown starts (60 days by default), after which you get lingering objects that prevent replication from resuming. An object goes through these stages:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Normal objects &#8211; you can manage them with any Active Directory tool<\/li>\n\n\n\n<li>Deleted objects &#8211; after an object is deleted it becomes a tombstone for 60 days; all of these changes must be replicated among the DCs<\/li>\n\n\n\n<li>The object is removed from the Active Directory database<\/li>\n<\/ol>\n\n\n\n<p>If replication is broken, changes made on one DC are not replicated to the other DCs, so the DCs end up holding different objects. 
After 60 days without this sync, the DC will refuse to resume replication until all the problems are removed.<\/p>\n\n\n\n<p>The first thing to run is DCDIAG, from the master DC. To find out which DC that is, run this in a command prompt:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">netdom query fsmo<\/pre>\n\n\n\n<p>Then run dcdiag:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dcdiag \/fix<\/pre>\n\n\n\n<p>To force replication, you can try:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">repadmin \/syncall \/APeD<\/pre>\n\n\n\n<p>If replication has been halted for more than 60 days, you can try to extend the time limit for lingering objects by changing the tombstone lifetime attribute in Active Directory:<\/p>\n\n\n\n<p>The tombstone lifetime is set for all domains when the first DC in a forest is installed. The tombstone lifetime is not configurable per domain.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Operating System of the first Domain Controller<\/td><td>Tombstone lifetime (days)<\/td><\/tr><tr><td>Windows Server 2022<\/td><td>180<\/td><\/tr><tr><td>Windows Server 2019<\/td><td>180<\/td><\/tr><tr><td>Windows Server 2016<\/td><td>180<\/td><\/tr><tr><td>Windows Server 2012<\/td><td>180<\/td><\/tr><tr><td>Windows Server 2008 R2<\/td><td>180<\/td><\/tr><tr><td>Windows Server 2008<\/td><td>180<\/td><\/tr><tr><td>Windows Server 2003 R2 SP2<\/td><td>180<\/td><\/tr><tr><td>Windows Server 2003 R2 SP1<\/td><td>60<\/td><\/tr><tr><td>Windows Server 2003 R2<\/td><td>60<\/td><\/tr><tr><td>Windows Server 2003 SP2<\/td><td>180<\/td><\/tr><tr><td>Windows Server 2003 SP1<\/td><td>180<\/td><\/tr><tr><td>Windows Server 2003 RTM<\/td><td>60<\/td><\/tr><tr><td>Windows 2000 Server<\/td><td>60<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Changing Tombstone Lifetime Attribute<\/strong><\/p>\n\n\n\n<p>The tombstone lifetime attribute can be modified in three ways: using the ADSI Edit tool, using an LDIF file, or through VBScript. In this 
article we explain only the ADSI Edit method of changing the tombstone lifetime.<\/p>\n\n\n\n<p><strong>USING ADSIEDIT TOOL<\/strong><\/p>\n\n\n\n<p>To perform this procedure, you will need the ADSI Edit utility. In Windows Server 2008 and above, this component is installed together with the AD DS role, or it can be downloaded and installed along with Remote Server Administration Tools. Refer to Install ADSI Edit for detailed instructions on how to install the ADSI Edit utility.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>On any domain controller in the target domain, navigate to Start &rarr; Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows 2012 R2 and below) &rarr; ADSI Edit.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\"><img decoding=\"async\" src=\"https:\/\/windowstechno.com\/wp-content\/uploads\/2019\/10\/ADSIEDIT.png\" alt=\"\" class=\"wp-image-2058\"\/><\/a><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-click the ADSI Edit node and select Connect To. 
In the Connection Settings dialog, enable Select a well-known Naming Context and select Configuration from the drop-down list.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\"><img decoding=\"async\" src=\"https:\/\/windowstechno.com\/wp-content\/uploads\/2019\/10\/Configuration.png\" alt=\"\" class=\"wp-image-2059\"\/><\/a><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to Configuration &lt;Your_Root_Domain_Name&gt;.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\"><img decoding=\"async\" src=\"https:\/\/windowstechno.com\/wp-content\/uploads\/2019\/10\/Screenshot_2.png\" alt=\"\" class=\"wp-image-2060\"\/><\/a><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Expand&nbsp;<strong>Configuration&nbsp;<\/strong>CN=Configuration,DC=Windowstechno,DC=Local.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\"><img decoding=\"async\" src=\"https:\/\/windowstechno.com\/wp-content\/uploads\/2019\/10\/Screenshot_7.png\" alt=\"\" class=\"wp-image-2063\"\/><\/a><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Expand&nbsp;<strong>Services&nbsp;<\/strong>&nbsp;CN=Services.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\"><img decoding=\"async\" src=\"https:\/\/windowstechno.com\/wp-content\/uploads\/2019\/10\/CNService.png\" alt=\"\" class=\"wp-image-2064\"\/><\/a><figcaption class=\"wp-element-caption\">Services<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Expand&nbsp;<strong>Windows NT&nbsp;<\/strong>&nbsp;CN=Windows NT.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a 
href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\"><img decoding=\"async\" src=\"https:\/\/windowstechno.com\/wp-content\/uploads\/2019\/10\/Screenshot_4.png\" alt=\"\" class=\"wp-image-2065\"\/><\/a><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Expand&nbsp;<strong>Directory Service&nbsp;<\/strong>&nbsp;CN=Directory Service.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\"><img decoding=\"async\" src=\"https:\/\/windowstechno.com\/wp-content\/uploads\/2019\/10\/Screenshot_8.png\" alt=\"\" class=\"wp-image-2066\"\/><\/a><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-click it and select Properties from the pop-up menu.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\"><img decoding=\"async\" src=\"https:\/\/windowstechno.com\/wp-content\/uploads\/2019\/10\/Screenshot_9.png\" alt=\"\" class=\"wp-image-2067\"\/><\/a><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the CN=Directory Service Properties dialog, locate the tombstoneLifetime attribute in the Attribute Editor tab.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\"><img decoding=\"async\" src=\"https:\/\/windowstechno.com\/wp-content\/uploads\/2019\/10\/Tombstone.png\" alt=\"\" class=\"wp-image-2068\"\/><\/a><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Edit the tombstone value as per your requirement.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\"><img decoding=\"async\" src=\"https:\/\/windowstechno.com\/wp-content\/uploads\/2019\/10\/TombstoneValue.png\" alt=\"\" 
class=\"wp-image-2069\"\/><\/a><figcaption class=\"wp-element-caption\">Set the number of days that tombstone objects should remain in Active Directory in the&nbsp;<strong>Value&nbsp;<\/strong>field.<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click&nbsp;<strong>OK.<\/strong><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\"><img decoding=\"async\" src=\"https:\/\/windowstechno.com\/wp-content\/uploads\/2019\/10\/Screenshot_13.png\" alt=\"\" class=\"wp-image-2070\"\/><\/a><figcaption class=\"wp-element-caption\">Tombstone value changed<\/figcaption><\/figure>\n\n\n\n<p>The Tombstone Lifetime has now been successfully changed.<\/p>\n\n\n\n<p>More information about this can be found <a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\">here<\/a>: <a href=\"https:\/\/windowstechno.com\/changing-the-tombstone-lifetime-attribute-in-active-directory\/\" target=\"_blank\" rel=\"noreferrer noopener\">Changing the Tombstone Lifetime Attribute in Active Directory (windowstechno.com)<\/a><\/p>\n\n\n\n<p>After this, try to force the replication again, then show the results and a summary of the replication status:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">repadmin \/syncall \/APeD\nrepadmin \/showrepl\nrepadmin \/replsummary\n<\/pre>\n\n\n\n<p>You can also run the following from PowerShell to get a nicer view of the current status:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">repadmin \/showrepl * \/csv | ConvertFrom-CSV | Out-GridView\n<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"991\" height=\"119\" src=\"https:\/\/itsimple.info\/wp-content\/uploads\/2023\/04\/image.png\" alt=\"\" class=\"wp-image-2465\" srcset=\"https:\/\/itsimple.info\/wp-content\/uploads\/2023\/04\/image.png 991w, 
https:\/\/itsimple.info\/wp-content\/uploads\/2023\/04\/image-300x36.png 300w, https:\/\/itsimple.info\/wp-content\/uploads\/2023\/04\/image-768x92.png 768w\" sizes=\"auto, (max-width: 991px) 100vw, 991px\" \/><\/figure>\n\n\n\n<p>More information on repadmin examples can be found <a href=\"https:\/\/xdot509.blog\/2020\/10\/19\/troubleshooting-active-directory-replication\/\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>: <a href=\"https:\/\/xdot509.blog\/2020\/10\/19\/troubleshooting-active-directory-replication\/\">Troubleshooting Active Directory Replication \u2013 xdot509.blog<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How to Troubleshoot Lingering Objects<\/h3>\n\n\n\n<p><strong>Lingering object: an object that has been deleted on one domain controller, and even garbage collected, but still remains on another domain controller is termed a lingering object.<\/strong><\/p>\n\n\n\n<p><strong>Preventing Lingering Objects<\/strong><\/p>\n\n\n\n<p>Of course, it\u2019s most desirable to prevent lingering objects from being created in the first place. There is a registry key called StrictReplicationConsistency \u2014 which we\u2019ll refer to as Strict Mode \u2014 that will protect a DC from lingering objects:<\/p>\n\n\n\n<p><strong>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NTDS\\Parameters<br><\/strong><strong>ValueName = Strict Replication Consistency<br><\/strong><strong>Data Type = REG_DWORD<br><\/strong><strong>Value Data = 1 (Strict) or 0 (Loose)<\/strong><\/p>\n\n\n\n<p>If this value is set to 1, it will prevent a partner from replicating lingering objects to the DC it is defined on. 
Thus, if every domain controller has Strict Mode enabled, they are all protected from lingering objects.<\/p>\n\n\n\n<p><strong>How to Find and Remove Lingering Objects in Active Directory<\/strong><\/p>\n\n\n\n<p>Event ID 1988 shows the presence of a lingering object in the domain. Below is an example of this event:<\/p>\n\n\n\n<p>Event Type: Error<br>Event Source: NTDS Replication<br>Event Category: Replication<br>Event ID: 1988<br>Date: 5\/31\/2011<br>Time: 11:58:46 PM<br>User: NT AUTHORITY\\ANONYMOUS LOGON<br>Computer: EXCHANGE1<\/p>\n\n\n\n<p>Description:<br>Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory database.&nbsp; Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed.&nbsp; Objects that have been deleted and garbage collected from an Active Directory partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as \u201clingering objects\u201d.<\/p>\n\n\n\n<p>This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory database.&nbsp; This replication attempt has been 
blocked.<\/p>\n\n\n\n<p>The best solution to this problem is to identify and remove all lingering objects in the forest.<br><strong>Source DC (Transport-specific network address):<br>039c75ff-f65c-4f31-90b4-d68570ff4142._msdcs.rootcon.local<br><\/strong><strong>Object:<\/strong><br><strong>CN=932c938c-2b18-4704-bb6a-0bbe4ce02dacADEL:781d5c06-bdd9-4423-9772-2f51ef1763cc, CN=Deleted Objects, CN=Configuration, DC=rootcon, DC=local<\/strong><\/p>\n\n\n\n<p>Object GUID:<br>781d5c06-bdd9-4423-9772-2f51ef1763cc<\/p>\n\n\n\n<p>User Action:<br>Remove Lingering Objects:<br>The action plan to recover from this error can be found at\u00a0<a href=\"http:\/\/support.microsoft.com\/?id=314282\">http:\/\/support.microsoft.com\/?id=314282<\/a>.<br>If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.\u00a0 To see which objects would be deleted without actually performing the deletion run \u201crepadmin \/removelingeringobjects &lt;Source DC> &lt;Destination DC DSA GUID> &lt;NC> \/ADVISORY_MODE\u201d. 
The eventlogs on the source DC will enumerate all lingering objects.\u00a0 To remove lingering objects from a source domain controller run\u00a0<strong>\u201crepadmin \/removelingeringobjects &lt;Source DC> &lt;Destination DC DSA GUID> &lt;NC>\u201d.<\/strong><\/p>\n\n\n\n<p>More information on how to remove lingering objects can be found <a href=\"https:\/\/sandeshdubey.wordpress.com\/2011\/10\/09\/how-to-find-and-remove-lingering-objects-in-active-directory\/\">here<\/a>: <a href=\"https:\/\/sandeshdubey.wordpress.com\/2011\/10\/09\/how-to-find-and-remove-lingering-objects-in-active-directory\/\">How to find and remove lingering objects in Active Directory | Sandesh Dubey Blog (wordpress.com)<\/a><\/p>\n\n\n\n<p>There is a GUI tool for dealing with lingering objects, called Lingering Object Liquidator v2:<\/p>\n\n\n\n<p><a href=\"https:\/\/thewindowsupdate.com\/2019\/04\/04\/introducing-lingering-object-liquidator-v2\/\">Introducing Lingering Object Liquidator v2 \u2013 TheWindowsUpdate.com<\/a><\/p>\n\n\n\n<p class=\"has-black-color has-text-color\">You can download it from here:<\/p>\n\n\n\n<div class=\"wp-block-file\"><a id=\"wp-block-file--media-bfd01246-aeaf-4576-a15d-bba17c8dc9c3\" href=\"https:\/\/itsimple.info\/wp-content\/uploads\/2023\/04\/LingeringObjectLiquidatorInstaller.zip\">LingeringObjectLiquidatorInstaller<\/a><a href=\"https:\/\/itsimple.info\/wp-content\/uploads\/2023\/04\/LingeringObjectLiquidatorInstaller.zip\" class=\"wp-block-file__button wp-element-button\" download aria-describedby=\"wp-block-file--media-bfd01246-aeaf-4576-a15d-bba17c8dc9c3\">Download<\/a><\/div>\n\n\n\n<figure class=\"wp-block-pullquote has-vivid-green-cyan-color has-text-color has-x-large-font-size\"><blockquote><p>Good Luck<\/p><\/blockquote><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>In Active Directory, replication between domain controllers (DCs) is one of the most important processes and must happen without any errors. When this procedure stops, the countdown starts for a default 
of 60 days, after which you get lingering objects that prevent replication from resuming. The stages are: If the replication is damaged any changes [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,14,15],"tags":[],"class_list":["post-2464","post","type-post","status-publish","format-standard","hentry","category-tutorials","category-windows","category-windows-server"],"_links":{"self":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/2464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2464"}],"version-history":[{"count":0,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/2464\/revisions"}],"wp:attachment":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}