Windows Server - Forcing replication after tombstone cleanup
Asked By Dav
11-Jun-08 11:31 AM
Hi all,
Does anyone have any experience of getting site replication working again
once two DC's have exceeded their tombstone life?
I have inherited a network where the replication was a real mess and several
servers were not replicating properly. I have set this all up now and got
everything working except for one site as it had been disconnected so long it
had exceeded it's tombstone life and so would not replicate. All servers are
running 2003.
I have run repadmin /removelingeringobjects to sync the two AD's again and
have got replication working one way, ie, from HQ to Site1 however I can't
get it to replicate the other way. I get;
content siteaddress.co.uk from domain controller SITE1 to domain controller
HQ:
The naming context is in the process of being removed or is not replicated
from the specified server."
Also if I run repadmin /showreps I get:
******* 1 CONSECUTIVE FAILURES since 2008-06-11 15:18:02
Last error: 8614 (0x21a6):
Can't retrieve message string 8614 (0x21a6), error 1815."
Error 8614 appears to be linked to the tombstone life so even though I have
run repadmin /removelingeringobjects it still will not play ball.
I tried the registry key HKLM\System\CurrentControlSet\NTDS\Parameters\Allow
Replication With Divergent and Corrupt Partner, but that didn't allow it to
work either.
Anyone got any idea how I force replication in this case? I am happy there
are no lingering objects remaining so I don't believe there should be an
issue with these replicating again if only I could get it to happen.
Many thanks
Dave
Almeida
(1)
Pinto
(1)
Removelingeringobjects
(1)
A8AFC80DC75F
(1)
Tombstone
(1)
Registry
(1)
Showreps
(1)
Metadata
(1)
Jorge de Almeida Pinto [MVP - DS] replied...
read this first....
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/153.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/08/Lingering-objects.aspx
after reading... what are your questions tha remain?
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
Dav replied...
Many thanks!
Using the registry change cracked it. You have saved me a shedload of work
with this, superb article and website. Thanks very much!
Cheers!
Dave
Jorge de Almeida Pinto [MVP - DS] replied...
be very carefull with Lingering Objects and HOW you get rid of those. Just
killing the DC (for removal and cleaning AD metadata and repromoting) is
sometimes much safer than cleaning Lingering objects and reconnecting
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source. The reason that replication is not allowed f6b8-07b0-0100-000000000000 Name of source: 382cdb4e-7b9c-4a33-a252-4c11bf6117e5._msdcs.kbgca.local Tombstone lifetime (days): 60 The replication operation has failed. User Action: Determine which of the two options: 1. Demote or reinstall the machine(s) that were disconnected. 2. Use the "repadmin / removelingeringobjects" tool to remove inconsistent deleted objects and then resume replication. 3. Resume replication. Inconsistent deleted with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source. The reason that replication is not allowed f6b8-07b0-0100-000000000000 Name of source: 382cdb4e-7b9c-4a33-a252-4c11bf6117e5._msdcs.kbgca.local Tombstone lifetime (days): 60 You have a replication problem between your DC's, they have not replicated over the tombstone lifetime. Did you follow the steps in the event id? See also here: http: / / technet server because the t ime since the last replication with this server has exceeded the tombstone lifet ime. 912 consecutive failure(s). Last success @ 2008-06-25 01:18:42. Default server because the t ime since the last replication with this server has exceeded the tombstone lifet ime. 652 consecutive failure(s). Last success @ 2008-06-25 10:39:40. Default
Active Directory (1) Database (1) Microsoft® (1) Attributevalues (1) Attributes (1) Replicates (1) Newbie007 (1) Tombstone (1) Hello newbie007, If you delete an object in AD it will not be directly en-us / magazine / cc137800.aspx http: / / support.microsoft.com / kb / 248047 / en-us So the "tombstone" is also in progress when you delete the object. Best regards Meinolf Weber Disclaimer: This the object's naming context (NC) named CN = Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations. It does not show up in any Microsoft® Management snap-ins, and most Lightweight Directory Access Protocol (LDAP) utilities are blissfully unaware of the tombstone's existence. The tombstone is, for all intents and purposes, gone. The data, however, is still there—it's Directory keep tombstones, otherwise deleted objects, in the database? While invisible to other processes, a tombstone is visible to the Active Directory replication process. In order to make sure the deletion performed on all the DCs that host the object being deleted, Active Directory replicates the tombstone to the other DCs. Thus the tombstone is used to replicate the deletion throughout the Active Directory environment - - dkumar - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - dkumar's Profile
from TEMPOIL at 2007-07-30 11:59:22. WARNING: This latency is over the Tombstone Lifetime of 180 days! Last replication recieved from GSDC2LG at 2008-08-17 16:58 from TEMPOIL at 2007-07-30 11:59:55. WARNING: This latency is over the Tombstone Lifetime of 180 days! Last replication recieved from GSDC2LG at 2008-08-17 16:58 from ROOTSVR2 at 2007-01-29 05:48:14. WARNING: This latency is over the Tombstone Lifetime of 180 days! Last replication recieved from ROOTSVR1 at 2007-01-29 05:48:58. WARNING: This latency is over the Tombstone Lifetime of 180 days! DC = gentingpower, DC = root, DC = net Last replication recieved from GPDC1MZ at 2007-01-29 05:45:11. WARNING: This latency is over the Tombstone Lifetime of 180 days! Last replication recieved from GPDC1BJ at 2007-01-29 05:58:50. WARNING: This latency is over the Tombstone Lifetime of 180 days! Last replication recieved from GPDC1LG at 2007-01-29 05:49 50. WARNING: This latency is over the Tombstone Lifetime of 180 days! Last replication recieved from GPDC1KL at 2007-01-29 08:44:53. WARNING: This latency is over the Tombstone Lifetime of 180 days! DC = DomainDnsZones, DC = gentingsanyen, DC = root, DC = net Last replication recieved
next question is : WHAT HAPPENS IF YOU RESTORE A SYSTEM STATE THAT IS OLDER THAN TOMBSTONE LIFETIME ? I did some testing, last week, on that subject as well and here how I set my test system: With ADSI Edit I set Tombstone Lifetime to 3 days and Garbage collection Period to 2 hours. TIME T0+20(DAYS of events). I followed Microsoft recommendation on how to remove those lingering object with : repadmin / removelingeringobjects <server> <sourceGUID> <NC> on the object that were not replicating (checked that with replmon). Made http: / / forums.techarena.in it is not a limit for replication, rather it is the tombstone limit in AD for all deleted, no longer communicating with, or removed AD objects. In is 60 days by default, in 2003 and later, it is 180 days. Changing the Tombstone Lifetime Attribute in Active DirectoryThe tombstone lifetime must be substantially longer than the expected replication latency between the domain controllers. The interval between cycles of. www.petri.co.il / changing_the_tombstone_lifetime_windows_ad.htm Change tombstone lifetime (VBScript) - Active Directory Cookbook . . .You are here: TechTasks.com > Code Center > Active Directory Cookbook, 2nd edition > Change tombstone lifetime (VBScript) . . . http: / / techtasks.com / code / viewbookcode / 1925 Windows Server: Reanimating Active Directory Tombstone ObjectsHere
you think? Windows 2000 Security Discussions Windows Server 2003 (1) Virtual Server (1) VMs (1) Almeida (1) Pinto (1) C9dda32a (1) F3e6766b (1) Adprep (1) I would say YES, but the best way suggestion in a test environment before implementing! - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - On Sep 3, 11:58 pm, "Jorge de Almeida Pinto [MVP - DS]" If I dont have a test environment, then would you recommend that I and stay with the localized version Chinese? On Sep 9, 4:25 = A0am, "Jorge de Almeida Pinto [MVP - DS]" s - -- -- -- -- -- -- -- -- - -- -- -- -- -- -- -- -- ts! - -- -- -- -- -- -- -- -- st - -- -- -- -- -- -- -- -- -- - -- -- -- -- -- -- -- -- -- - -- -- -- -- -- -- -- -- -- - -- -- -- -- -- -- -- -- --"lovemail" I completely agree with you. I have had very suggestion in a test environment before implementing! - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - On Sep 9, 4:25 am, "Jorge de Almeida Pinto [MVP - DS]" I completely agree with you. I have had very developed test environments in