How to identify Lingering Objects

The problem occurs when a domain controller that holds a lingering object takes part in outbound replication. In that situation, one of the following can happen.

• If the destination domain controller has strict replication consistency enabled, it halts inbound replication from that particular domain controller.

• If the destination domain controller has strict replication consistency disabled, it requests the full replica of the object, and the object is reintroduced into the directory.

We can identify lingering objects with Event Viewer as well as the repadmin tool.


A) Event Viewer:

Event 1388 or 1988 is generated in the Directory Service log in Event Viewer.

Event 1988 is generated if the destination domain controller has strict replication consistency enabled: it recognizes that it cannot update the object (because the object does not exist), and it locally halts inbound replication of the directory partition from that source domain controller.

Event 1388 is generated if the destination domain controller has strict replication consistency disabled: it requests the full replica of the updated object. In this case, the object is reintroduced into the directory.

The generated event is quite descriptive and contains the details needed to remove the lingering objects.

Sample Event:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 7/19/2017 11:27:17 AM
Event ID: 1988
Task Category: Replication
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: DC_name
Description:
Active Directory Domain Services Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory Domain Services database. Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed. Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as “lingering objects”.

Source domain controller: 24a7f2bd-c962-4927-a975-b220dfa958a5._msdcs.Domain_Name.com
Object: CN=object,OU=OU_Name,DC=Domain_Name,DC=com
Object GUID: 275d114b-268e-4bfd-9613-0867cd6c3193

This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory Domain Services database. This replication attempt has been blocked. The best solution to this problem is to identify and remove all lingering objects in the forest.

User Action:
Remove Lingering Objects: The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282.

If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD. To see which objects would be deleted without actually performing the deletion run “repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE”. The event logs on the source DC will enumerate all lingering objects. To remove lingering objects from a source domain controller run “repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>”.

If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.

If you need Active Directory Domain Services replication to function immediately at all costs and don’t have time to remove lingering objects, enable loose replication consistency by unsetting the following registry key:
Registry Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency

Replication errors between DCs sharing a common partition can prevent user and computer accounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved. DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.

Lingering objects may be prevented by ensuring that all domain controllers in the forest are running Active Directory Domain Services, are connected by a spanning tree connection topology and perform inbound replication before Tombstone Live number of days pass.

B) repadmin /showreps or repadmin /replsum:

Repadmin /replsum or repadmin /showreps fails with error 8606 or 8240.

Error code     General description
8240           There is no such object on the server.
8606           Insufficient attributes were given to create an object.

Source: IND-BLR\DC01
******* 43 CONSECUTIVE FAILURES since 2019-06-12 11:41:13
Last error: 8606 (0x219e):
Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
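
Both checks (A and B) gathered into one PowerShell pass, as an added example that is not part of the original post: it reads the Strict Replication Consistency value, extracts the source DC, object DN and object GUID from events 1388/1988, and lists replication links whose last failure is 8606 or 8240. The function name Get-LingeringObjectInfo and its regular expressions are assumptions modelled on the sample event above; repadmin /showrepl * /csv is used here because its output can be parsed.

```powershell
# Added example, not from the original post. Run elevated on a domain controller.

# Pull the fields that cleanup needs out of an event 1388/1988 description.
function Get-LingeringObjectInfo {
    param([string]$Message)
    $pick = {
        param($pattern)
        $m = [regex]::Match($Message, $pattern, 'IgnoreCase, Multiline')
        if ($m.Success) { $m.Groups[1].Value.Trim() }
    }
    [pscustomobject]@{
        SourceDC   = & $pick 'Source domain controller:\s*(\S+)'
        ObjectDN   = & $pick '^\s*Object:\s*(.+?)\s*$'
        ObjectGuid = & $pick 'Object GUID:\s*([0-9a-f-]{36})'
    }
}

# 1. Strict replication consistency decides which event to expect
#    (value 1 = enabled, so event 1988 and halted inbound replication).
$ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$strict = (Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue).'Strict Replication Consistency'
"Strict Replication Consistency = $strict"

# 2. Events 1388 and 1988 from the Directory Service log, one row per object.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1388, 1988 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $info = Get-LingeringObjectInfo -Message $_.Message
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            SourceDC   = $info.SourceDC
            ObjectDN   = $info.ObjectDN
            ObjectGuid = $info.ObjectGuid
        }
    } | Sort-Object SourceDC, Time | Format-Table -AutoSize

# 3. Replication links whose last failure is 8606 or 8240.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { $_.'Last Failure Status' -in '8606', '8240' } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Time'
```

Rows from step 2 that share a SourceDC point at the domain controller holding the lingering objects; the same DC normally appears as 'Source DSA' in step 3.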
