My DCs have stopped replicating.

  • My DCs have stopped replicating.

    I created a new DNS entry on DC1 and found that it did not replicate to DC2, although both are in the same domain & site and there are no firewalls between them. Both are Win2K3 Enterprise.

    DC2 is logging a LOT of 1988 errors such as this one:
    Event Type: Error
    Event Source: NTDS Replication
    Event Category: Replication
    Event ID: 1988
    Date: 7/30/2012
    Time: 1:14:31 PM
    Computer: DC2
    Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory database. Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed. Objects that have been deleted and garbage collected from an Active Directory partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".

    This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory database. This replication attempt has been blocked.

    The best solution to this problem is to identify and remove all lingering objects in the forest.

    Source DC (Transport-specific network address):
    DC=135.25\0ADEL:61c1ba96-a123-456d-877e-0a5d810975dd,CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=com
    Object GUID:

    User Action:

    Remove Lingering Objects:

    The action plan to recover from this error can be found at

    If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD. To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects. To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>".

    If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at or from your Microsoft support personnel.

    If you need Active Directory replication to function immediately at all costs and don't have time to remove lingering objects, enable loose replication consistency by unsetting the following registry key:

    Registry Key:
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency

    Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved. DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.

    Lingering objects may be prevented by ensuring that all domain controllers in the forest are running Active Directory, are connected by a spanning tree connection topology and perform inbound replication before Tombstone Live number of days pass.

    For more information, see Help and Support Center at
    I thus assume that the command to be used to view lingering objects on DC1 would be:

    "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE"


    <Source DC> = DC1 = ""

    <Destination DC DSA GUID> = DC2 = "3ec51b63-cc64-4e06-be32-4af5d433cc60" (I got this value by running the command 'repadmin /showrepl DC2' and got the following output:

    DC Options: IS_GC
    Site Options: (none)
    DC object GUID: 3ec51b63-cc64-4e06-be32-4af5d433cc60
    DC invocationID: 827c9d5a-9db7-423e-a508-1bbae99df9e1

    ==== INBOUND NEIGHBORS ======================================


    <NC> = "DC=135.25\0ADEL:61c1ba96-a123-456d-877e-0a5d810975dd,CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=com"

    But when I run the command on DC2:

    repadmin /removelingeringobjects 3ec51b63-cc64-4e06-be32-4af5d433cc60 "DC=135.25\0ADEL:61c1ba96-a123-456d-877e-0a5d810975dd,CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=com" /advisory_mode
    I got the following error:

    DsReplicaVerifyObjectsW() failed with status 8440 (0x20f8):
    Can't retrieve message string 8440 (0x20f8), error 1815.

    I thus trimmed the command to the following:

    repadmin /removelingeringobjects 3ec51b63-cc64-4e06-be32-4af5d433cc60 "DC=DomainDnsZones,DC=mydomain,DC=com" /advisory_mode
    ....and the resulting output is now:

    RemoveLingeringObjects sucessfull on

    But nothing was shown on the screen. So what am I doing wrong?
    +-- JDMils
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades

  • #2
    Re: My DCs have stopped replicating.

    The DS event log should show something for removed entries.

    I use this too:

    Make sure you turn on strict replication consistency on all DCs.

    Please read this before you post:

    Quis custodiet ipsos custodes?
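
Added example, not part of either post: status 8440 is ERROR_DS_DRA_BAD_NC (invalid naming context), which fits passing the tombstone's object DN where repadmin expects the partition, and advisory mode reports through the Directory Service event log of the DC being checked rather than on screen. The sketch below derives the naming context from the DN in the 1988 event, runs the advisory pass, reads back events 1938 (start), 1946 (one per lingering object) and 1942 (summary), then shows the Strict Replication Consistency value on both DCs. It assumes PowerShell 2.0 or later and repadmin on the admin host, and that the short names DC1 and DC2 resolve; the GUID and DN are the values quoted in the thread.

```powershell
# Added example, not the poster's commands. DC1/DC2, the GUID and the DN come
# from the thread; resolvable short names are an assumption.
$LingeringDc   = 'DC1'   # first repadmin argument: the DC holding the lingering objects
$ReferenceDc   = 'DC2'   # DC whose copy of the partition is treated as authoritative
$ReferenceGuid = '3ec51b63-cc64-4e06-be32-4af5d433cc60'   # "DC object GUID" from repadmin /showrepl DC2
$ObjectDn      = 'DC=135.25\0ADEL:61c1ba96-a123-456d-877e-0a5d810975dd,CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=com'

function Get-NamingContextFromTombstoneDn {
    param([string]$Dn)
    # A tombstone sits directly under "CN=Deleted Objects,<NC>", so the naming
    # context is everything after that container. Splitting on "DC=" would be
    # wrong here because the dnsNode's own RDN also starts with DC=.
    $marker = 'CN=Deleted Objects,'
    $i = $Dn.IndexOf($marker, [StringComparison]::OrdinalIgnoreCase)
    if ($i -lt 0) { throw "Not a Deleted Objects DN: $Dn" }
    $Dn.Substring($i + $marker.Length)
}

$Nc    = Get-NamingContextFromTombstoneDn $ObjectDn
$since = (Get-Date).AddMinutes(-1)   # small allowance for clock skew

# Advisory pass: lists what would be removed, deletes nothing.
& repadmin /removelingeringobjects $LingeringDc $ReferenceGuid $Nc /advisory_mode

# The findings are written to the Directory Service log of the DC that was checked.
Get-EventLog -LogName 'Directory Service' -ComputerName $LingeringDc -After $since |
    Where-Object { 1938, 1946, 1942 -contains $_.EventID } |
    Sort-Object TimeGenerated |
    Format-List TimeGenerated, EventID, Message

# Strict Replication Consistency: 1 = strict. A missing value or 0 means loose
# consistency, which lets lingering objects replicate back in.
foreach ($dc in $LingeringDc, $ReferenceDc) {
    & reg query "\\$dc\HKLM\System\CurrentControlSet\Services\NTDS\Parameters" /v 'Strict Replication Consistency'
}
```

Dropping /advisory_mode performs the actual removal, so review the 1946 entries first.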