Saturday 1 April 2017

Active Directory Replication and Lingering Objects

Hello Professionals,
Today we will discuss the Active Directory objects that are responsible for replication failures in your domain most of the time.
When replication has been failing in a domain for a long time, objects called lingering objects are created automatically. Put very simply, these are the Active Directory attribute updates that failed to replicate from the root domain controller to child or other available domain controllers. For example, a user is added to a security or distribution group on one domain controller, but the update does not show up on the other available domain controllers.
For replication you can wait 15 to 20 minutes, but if the change is still not updated then it is a case of failure.
There are different inbuilt Windows tools and commands which give you a better view of the replication status:
   1. The command repadmin /showrepl * /csv > showrepl.csv
   2. AD health analyser
   3. AD inbuilt tool
There are also a couple of ways to detect and remove the culprit lingering objects. You can run this command to see which objects have not replicated (in advisory mode it only reports them, nothing is removed):
repadmin /removelingeringobjects <DestinationDC> <SourceDCGUID> <DirectoryPartition> /advisory_mode

repadmin /showrepl <DomainControllerName>   (to check the GUID of a domain controller)
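An added example, not code from the original post: a PowerShell script that parses the CSV output of the repadmin /showrepl command listed above, compares each partner's last successful replication against the forest tombstone lifetime, and flags failing or stale partners. The cmdlets, CSV column names and attribute names are the standard ones; the 20-minute and 7-day style thresholds are assumptions you should tune to your environment.

```powershell
# Added example, not from the original post: parse the output of
# "repadmin /showrepl * /csv" and flag inbound partners that are failing or
# have not replicated for longer than expected.
# Assumes the ActiveDirectory (RSAT) module on a domain-joined admin host.
Import-Module ActiveDirectory

# Tombstone lifetime (days) lives in the Configuration partition; if the
# attribute is absent the forest uses the legacy default of 60 days.
$cfg = (Get-ADRootDSE).configurationNamingContext
$ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
$tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }

# Column names are the ones repadmin writes in its CSV header row.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

$report = foreach ($r in $rows) {
    $lastOk  = [datetime]::MinValue
    $parsed  = [datetime]::TryParse($r.'Last Success Time', [ref]$lastOk)
    $ageDays = if ($parsed) { ((Get-Date) - $lastOk).TotalDays } else { [double]::PositiveInfinity }
    [pscustomobject]@{
        Destination   = $r.'Destination DSA'
        Source        = $r.'Source DSA'
        NamingContext = $r.'Naming Context'
        Failures      = [int]$r.'Number of Failures'
        LastStatus    = $r.'Last Failure Status'
        DaysSinceOK   = [math]::Round($ageDays, 1)
        # A partner silent for longer than the tombstone lifetime is where
        # lingering objects come from; it needs /removelingeringobjects, not a retry.
        BeyondTSL     = $ageDays -gt $tsl
    }
}

# Report anything failing, or anything past the post's 15-20 minute expectation
# (20 minutes expressed in days).
$report |
    Where-Object { $_.Failures -gt 0 -or $_.DaysSinceOK -gt (20 / 1440) } |
    Sort-Object DaysSinceOK -Descending |
    Format-Table -AutoSize
```

Rows with BeyondTSL set to True are the partners to clean up with repadmin /removelingeringobjects (first in /advisory_mode) rather than simply forcing another replication.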
There is a registry key called StrictReplicationConsistency -- which we'll refer to as Strict Mode -- that will protect a DC from lingering objects:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
ValueName = Strict Replication Consistency
Data Type = Reg_DWORD
Value Data = 1 = Strict, 0 = Loose


If this value is set to 1, it will prevent a partner from replicating lingering objects to the DC it is defined on. Thus, if every domain controller has Strict Mode enabled, they are protected from lingering objects being propagated to them. If the value is set to 0, however, the DC is said to be in Loose Mode, and it will allow the lingering objects to be replicated and updated in the environment.
To check and troubleshoot any issue on Windows servers, an admin should first go through the event logs. For replication and lingering objects there are a couple of events which I am sharing here.
Event ID 1864 (Source: NTDS Replication): This event indicates whether lingering objects are already there or are starting to appear. Note that it contains a count of how many DCs have not replicated in a day, a week, a month, two months, or the tombstone lifetime. The last entry is the important one. Unfortunately, the event does not tell us the name of the domain controller that has not replicated within the tombstone lifetime.

Event ID 2042 (Error) Source: NTDS Replication: This identifies that strict replication is enabled, the "source DC" has not replicated in tombstone lifetime days and is attempting to replicate, thus replication has been disabled from the source. The event provides the GUID of the source in the format of the CNAME (alias) DNS record.

Event ID 1388 (Error) Source: NTDS Replication: Description: Another domain controller (DC) has attempted to replicate into this DC an object which is not present in the local Active Directory database. The object may have been deleted and already garbage collected (a tombstone lifetime or more has past since the object was deleted) on this DC.

Event ID 1988 (Error) Source: NTDS Replication: Description: Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory database. This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory database.
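A second added example, again not from the original post, covering both the Strict Mode registry value and the four event IDs described above: it asks every DC for its Strict Replication Consistency setting and counts recent occurrences of events 1864, 2042, 1388 and 1988 in the Directory Service log. It assumes the ActiveDirectory module and WinRM access to the DCs; the seven-day window is an assumption.

```powershell
# Added example, not from the original post: audit every DC for Strict Mode
# and for the lingering-object events 1864, 2042, 1388 and 1988.
# Assumes the ActiveDirectory module and WinRM (Invoke-Command) access to DCs.
Import-Module ActiveDirectory

$regPath  = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$regName  = 'Strict Replication Consistency'
$eventIds = 1864, 2042, 1388, 1988
$since    = (Get-Date).AddDays(-7)   # assumed look-back window

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($regPath, $regName, $eventIds, $since)
    # 1 = Strict, 0 = Loose; a missing value is reported separately.
    $val  = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
    $mode = switch ($val) { 1 { 'Strict' } 0 { 'Loose' } default { 'NotSet' } }
    # Get-WinEvent raises a non-terminating error when nothing matches; swallow it.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = $eventIds; StartTime = $since
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC        = $env:COMPUTERNAME
        Mode      = $mode
        Event1864 = @($events | Where-Object Id -eq 1864).Count
        Event2042 = @($events | Where-Object Id -eq 2042).Count
        Event1388 = @($events | Where-Object Id -eq 1388).Count
        Event1988 = @($events | Where-Object Id -eq 1988).Count
    }
} -ArgumentList $regPath, $regName, $eventIds, $since

$results | Sort-Object DC |
    Format-Table DC, Mode, Event1864, Event2042, Event1388, Event1988 -AutoSize

# 1388 means a Loose-mode DC accepted a lingering object; 1988 means Strict mode
# refused one. Either way the source DC still needs cleaning up.
$results |
    Where-Object { $_.Mode -ne 'Strict' -or $_.Event1388 -gt 0 -or $_.Event1988 -gt 0 } |
    ForEach-Object { Write-Warning "$($_.DC): mode=$($_.Mode) 1388=$($_.Event1388) 1988=$($_.Event1988)" }
```

To move a DC reported as Loose or NotSet into Strict Mode, set the same registry value to 1 with Set-ItemProperty on that DC (the setting takes effect without a restart).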

A very brief description of these event log entries, with their meaning and solution, from the Ask Active Directory Team.

There is a fantastic tool from Microsoft for health checks and lingering objects. You have to log in with your Microsoft ID to use it.
If you are good with PowerShell commands and scripts you can find and fix the issue very easily; let me know if you need any kind of help there.

I experienced this situation and, very frankly, it was very irritating to find these objects. As a precaution your AD environment should be healthy. There are lots of scripts and tools that you can schedule to check and email the replication status. The worst and most horrible activity was when the Group Policy folder was missing on branch domain controllers and the policy folders did not match the root domain controller.

Personally, and based on the issue I faced, the AD Replication tool in 2012 R2 and the command repadmin /showrepl * /csv > showrepl.csv are awesome; they give you deeper data with details. Never get irritated when you are doing AD troubleshooting, because for that you need to think and act very smartly.
There are lots of real-time issues with replication; please feel free to ask or comment on the blog. We will be happy to hear from you.


Learn, Earn and Share the Knowledge. Comments and feedback on this section will help me more. Really happy to hear from your side.
