How to prevent lingering objects replication in active directory

I recently enabled strict replication consistency on my domain controllers in order to follow best practice. Where it is not enabled, there is a risk that lingering objects could be replicated to a domain controller. This can occur when a domain controller in your Active Directory environment is disconnected from the replication topology for an extended period of time; problems arise when the lingering objects on that source domain controller are later updated and those updates are sent by replication to the destination domain controllers.

Strict Replication:

Once the lingering objects have been removed, we can enable strict replication consistency on each domain controller individually or on all domain controllers in the forest.
Strict replication consistency is enabled by default on domain controllers in a forest created with Windows Server 2003 or later. A forest that was upgraded from Windows Server 2000 to Windows Server 2003 does not have strict replication consistency enabled, so in that case we need to enable it manually.

The setting for replication consistency is stored in the registry in the Strict Replication Consistency entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

Values for this entry are as follows:

  • Value: 1 to enable, 0 to disable
  • Default: 1 (enabled) in a new Windows Server 2003 forest; otherwise 0.
  • Data type: REG_DWORD

On domain controllers running Windows Server 2003 with Service Pack 1 (SP1), you do not have to edit the registry directly to enable strict replication consistency; editing the registry directly is best avoided where possible. Instead, you can use a Repadmin command that enables strict replication consistency on one or all domain controllers in the forest. This command is available only in the version of Repadmin included with the Windows Support Tools for Windows Server 2003 SP1, and it can be applied only to domain controllers running Windows Server 2003 with SP1.

Administrative credentials

  • To complete this procedure on a single domain controller, you must be a member of the Domain Admins group in the domain.
  • To complete this procedure on all domain controllers, you must be a member of the Enterprise Admins group in the forest.

Better yet, use RepAdmin from a command prompt (you need to elevate on Vista/2008 or later) to update all DCs in your forest in one go. I redirect the output to a text file and keep it for documentation.

repadmin /regkey * +strict > c:\temp\dcListStrict.log

This ensures that all your DCs are protected from any replication partners that are unhealthy, and should save you some real head-scratching problems that lingering objects can cause. In the example below you can see that only one of the three DCs needed to be updated. You will also notice that rerunning the command has no adverse effect: DCs that already have the value set are simply reported with the same value before and after.

The output of the above command would look like:

Repadmin: running command /regkey against read-only DC DC01.acme.com
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)

Repadmin: running command /regkey against full DC DC02.acme.com
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)

Repadmin: running command /regkey against full DC DC03.acme.com
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” value does not exist
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)
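As an added example (not part of the original post), the following PowerShell audits every domain controller in the forest for the Strict Replication Consistency registry value described above, so you can confirm the repadmin command took effect everywhere and spot DCs that were unreachable when it ran. It assumes the ActiveDirectory RSAT module is installed and PowerShell remoting (WinRM) is enabled to each DC; the DC names are whatever your forest returns.

```powershell
# Added example, not from the original post: audit the
# "Strict Replication Consistency" registry value on every DC in the forest.
# Assumes the ActiveDirectory module (RSAT) and PowerShell remoting to each DC.
Import-Module ActiveDirectory

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Strict Replication Consistency'

# Enumerate DCs across all domains in the forest, not just the current domain.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$results = foreach ($dc in $dcs) {
    try {
        # Read the value remotely; a missing value comes back as $null.
        $params = @{
            ComputerName = $dc.HostName
            ErrorAction  = 'Stop'
            ArgumentList = $regPath, $valueName
            ScriptBlock  = {
                param($path, $name)
                (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
        }
        $value   = Invoke-Command @params
        $display = if ($null -eq $value) { 'missing' } else { $value }
        [pscustomobject]@{
            DC     = $dc.HostName
            Domain = $dc.Domain
            Value  = $display
            Strict = ($value -eq 1)   # only an explicit 1 counts as enabled
        }
    }
    catch {
        # Unreachable DCs are reported rather than silently skipped.
        [pscustomobject]@{
            DC     = $dc.HostName
            Domain = $dc.Domain
            Value  = "unreachable: $($_.Exception.Message)"
            Strict = $false
        }
    }
}

$results | Sort-Object Strict, DC | Format-Table -AutoSize

$notStrict = @($results | Where-Object { -not $_.Strict })
if ($notStrict.Count -gt 0) {
    Write-Warning "$($notStrict.Count) DC(s) without strict replication consistency:"
    $notStrict | ForEach-Object { Write-Warning "  $($_.DC) -> $($_.Value)" }
    # Remediate with the command from the post:  repadmin /regkey * +strict
}
```

A DC listed as "missing" matches the DC03 case in the output above (value does not exist), which strict consistency treats as disabled.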

So, that’s all for this blog post. I will meet you soon with the next one. Have a nice day!

Vipan Kumar

He is an Active Directory Engineer who has been working in the IT industry for more than 10 years. He is a dedicated and enthusiastic information technology expert who is always ready to resolve any technical problem. If you need any further help on these subjects, feel free to contact us at admin@windowstechno.com, and please subscribe to our Facebook page and website for the latest articles: https://www.facebook.com/windowstechno