Saturday, May 22, 2010

The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifeti

SkyHi @ Saturday, May 22, 2010

Solution

Treat this occurrence as a lingering object condition, and do the following:

  • Run the repadmin /showrepl command on the domain controller that received the error to determine which domain controller has been disconnected for longer than a tombstone lifetime.

  • Remove lingering objects. Follow the instructions for removing lingering objects from the source and destination domain controllers as described in Event ID 1388 or 1988: A lingering object is detected.

  • Restart replication on the destination domain controller. After you remove lingering objects, you must restart replication on the domain controller that logged the event by editing the registry setting that allows replication with a potentially out-of-date domain controller. You can also perform this procedure if you do not want to wait to remove lingering objects and you want to start replication immediately.

  • Reset the registry to protect the domain controller against outdated replication. After replication has resumed on the domain controller that logged the event, reset the registry so that this domain controller continues to log events if replication is attempted with a domain controller where the last successful replication occurred longer than a tombstone lifetime ago.

Restart Replication Following Event ID 2042

To restart inbound replication on the destination domain controller following event ID 2042, you must edit the Allow Replication With Divergent and Corrupt Partner registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

Use the following procedure to change the registry entry value. This procedure does not require a restart of the domain controller to take effect.

REFERENCES
http://technet.microsoft.com/en-us/library/cc757610%28WS.10%29.aspx
====================================================================


C:\Users\Administrator.W2K8>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Vancouver\W2K8AD2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: c860e2a8-e512-4b11-be91-600bf110c339
DSA invocationID: fc20ac7b-701a-4d1d-995e-c7e4f88106b1

==== INBOUND NEIGHBORS ======================================

DC=w2k8,DC=local
Vancouver\W2K8AD1 via RPC
DSA object GUID: ad9c2f9d-1236-43cd-9c79-cea6eb7d945a
Last attempt @ 2010-05-22 21:48:53 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
169 consecutive failure(s).
Last success @ 2009-09-26 15:02:24.

CN=Configuration,DC=w2k8,DC=local
Vancouver\W2K8AD1 via RPC
DSA object GUID: ad9c2f9d-1236-43cd-9c79-cea6eb7d945a
Last attempt @ 2010-05-22 21:47:10 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
8 consecutive failure(s).
Last success @ 2009-09-26 14:50:50.

CN=Schema,CN=Configuration,DC=w2k8,DC=local
Vancouver\W2K8AD1 via RPC
DSA object GUID: ad9c2f9d-1236-43cd-9c79-cea6eb7d945a
Last attempt @ 2010-05-22 21:47:10 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
8 consecutive failure(s).
Last success @ 2009-09-26 14:45:17.

DC=DomainDnsZones,DC=w2k8,DC=local
Vancouver\W2K8AD1 via RPC
DSA object GUID: ad9c2f9d-1236-43cd-9c79-cea6eb7d945a
Last attempt @ 2010-05-22 21:47:10 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
15 consecutive failure(s).
Last success @ 2009-09-26 14:45:17.

DC=ForestDnsZones,DC=w2k8,DC=local
Vancouver\W2K8AD1 via RPC
DSA object GUID: ad9c2f9d-1236-43cd-9c79-cea6eb7d945a
Last attempt @ 2010-05-22 21:47:10 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
8 consecutive failure(s).
Last success @ 2009-09-26 14:45:17.

Source: Vancouver\W2K8AD1
******* 162 CONSECUTIVE FAILURES since 2009-09-26 15:02:24
Last error: 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
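
The triage that the /showrepl output above calls for, as an added PowerShell example (not part of the original post or of repadmin itself): it finds inbound partners failing with 8614 whose last success is older than the tombstone lifetime and prints one /advisory_mode command per naming context. The 180-day lifetime, the function name Get-StaleInboundPartner and the variable names are assumptions; the DC name and GUID come from the post.

```powershell
# Added example (not from the original post): triage saved "repadmin /showrepl" text.
$TombstoneLifetimeDays = 180                  # assumption: confirm the value for your forest
$DestinationDc         = 'w2k8ad2.w2k8.local' # DC that logged error 8614 in the post

# Two neighbor entries excerpted from the output above, embedded so this runs offline.
$showrepl = @'
DC=w2k8,DC=local
    Vancouver\W2K8AD1 via RPC
        DSA object GUID: ad9c2f9d-1236-43cd-9c79-cea6eb7d945a
        Last attempt @ 2010-05-22 21:48:53 failed, result 8614 (0x21a6):
        169 consecutive failure(s).
        Last success @ 2009-09-26 15:02:24.
CN=Configuration,DC=w2k8,DC=local
    Vancouver\W2K8AD1 via RPC
        DSA object GUID: ad9c2f9d-1236-43cd-9c79-cea6eb7d945a
        Last attempt @ 2010-05-22 21:47:10 failed, result 8614 (0x21a6):
        8 consecutive failure(s).
        Last success @ 2009-09-26 14:50:50.
'@

function Get-StaleInboundPartner {   # hypothetical helper name
    param([string]$Text, [int]$LifetimeDays)
    $fmt = 'yyyy-MM-dd HH:mm:ss'; $inv = [cultureinfo]::InvariantCulture
    $nc = $null; $partner = $null; $guid = $null; $attempt = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if     ($line -match '^(DC|CN)=.+,DC=')        { $nc = $line; $attempt = $null }
        elseif ($line -match '^(\S+\\\S+) via RPC$')   { $partner = $Matches[1]; $attempt = $null }
        elseif ($line -match '^DSA object GUID: ([0-9a-f-]{36})$') { $guid = $Matches[1] }
        elseif ($line -match '^Last attempt @ (.{19}) failed, result 8614 ') {
            $attempt = [datetime]::ParseExact($Matches[1], $fmt, $inv)
        }
        elseif (($null -ne $attempt) -and ($line -match '^Last success @ (.{19})\.$')) {
            $success = [datetime]::ParseExact($Matches[1], $fmt, $inv)
            $days = [int][math]::Floor(($attempt - $success).TotalDays)
            if ($days -gt $LifetimeDays) {   # partner is past the tombstone lifetime
                [pscustomobject]@{ NamingContext = $nc; Partner = $partner
                                   SourceGuid = $guid; DaysSinceSuccess = $days }
            }
            $attempt = $null
        }
    }
}

# Print advisory-mode commands only: they log events 1938, 1946 and 1942 and delete nothing.
Get-StaleInboundPartner -Text $showrepl -LifetimeDays $TombstoneLifetimeDays | ForEach-Object {
    'repadmin /removelingeringobjects {0} {1} "{2}" /advisory_mode' -f $DestinationDc, $_.SourceGuid, $_.NamingContext
}
```

Reviewing the advisory-mode events in the Directory Service log before running the same commands without the switch shows what would be deleted on each partition.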



repadmin /removelingeringobjects
C:\Users\Administrator.W2K8>repadmin /removelingeringobjects
Invalid arguments.

Removes lingering objects - an object stored in Active Directory that has
seen, deleted and garbage collected by a reference DC but continues to
incorrectly exist on direct or transitive replication partners DC's that
have not inbound replicated knowledge of the objects deletion within
tombstone lifetime number of days.

The PC running repadmin may have Windows Vista or Windows Server 2008
installed, and must have network connectivity to all domain controllers
targeted by the parameter.

The reference DC must host a writeable copy of the directory partition
targeted for lingering object removal and have network connectivity to all
domain controllers targeted by the parameter.

DC's targeted by the parameter may host read-only or writeable
copies of directory partition targeted for lingering object removal.

DC's and Global catalogs targeted by continue to advertise
and service ldap request during lingering object removal.

The reference DC and domain controllers targeted by the
parameter may have Windows Server 2003, Windows Server 2003 R2 or
Windows Server 2008 installed.



There are no domain or forest functional requirements for this command.

ADVISORY_MODE is a test mode that logs NTDS Replication events 1938, 1946
and 1942 in the targeted domain controllers' directory service event log
identifying the lingering objects that should be removed but does not
actually remove them.

Lingering objects are removed when "repadmin /removelingeringobjects" is
run without the /advisory_mode switch. NTDS Replication events 1937, 1945
and 1939 logged on the target DC's directory services event log identify
the start, conclusion and set of objects removed from a directory
partition.

You should conceptually think of DC's in the as the "bad" DC's
that you want to test or remove lingering objects from and
as the "reference" DC.

Microsoft recommends enabling strict replication consistency before
removing lingering objects.



[SYNTAX]

/removelingeringobjects [/ADVISORY_MODE]

[EXAMPLES]

The following command would check the Europe NC on all DC's in the site HQ
for lingering objects using the DC specified by its ObjectGUID
667f7037-8198-4357-8f15-8f709f04b6e2 as reference.

The /ADVISORY_MODE will cause events to be written to the Directory Service
Event Log for each of the target DC's indicating how many lingering objects
were found.

/removelingeringobjects site:HQ 667f7037-8198-4357-8f15-8f709f04b6e2 DC=europe,DC=contoso,DC=com /ADVISORY_MODE

The following command would check and remove lingering objects from the
Europe NC on DC dubdc03 using the DC specified by
ObjectGUID 667f7037-8198-4357-8f15-8f709f04b6e2.

/removelingeringobjects dubdc03.contoso.com 667f7037-8198-4357-8f15-8f709f04b6e2 DC=europe,DC=contoso,DC=com



C:\Users\Administrator.W2K8>






C:\Users\Administrator.W2K8>repadmin /removelingeringobjects w2k8ad2.w2k8.local ad9c2f9d-1236-43cd-9c79-cea6eb7d945a DC=w2k8,DC=local
RemoveLingeringObjects successful on w2k8ad2.w2k8.local.

C:\Users\Administrator.W2K8>repadmin /removelingeringobjects w2k8ad2.w2k8.local ad9c2f9d-1236-43cd-9c79-cea6eb7d945a CN=Configuration,DC=w2k8,DC=local
RemoveLingeringObjects successful on w2k8ad2.w2k8.local.

C:\Users\Administrator.W2K8>repadmin /removelingeringobjects w2k8ad2.w2k8.local ad9c2f9d-1236-43cd-9c79-cea6eb7d945a CN=Schema,CN=Configuration,DC=w2k8,DC=local
RemoveLingeringObjects successful on w2k8ad2.w2k8.local.

C:\Users\Administrator.W2K8>repadmin /removelingeringobjects w2k8ad2.w2k8.local ad9c2f9d-1236-43cd-9c79-cea6eb7d945a DC=DomainDnsZones,DC=w2k8,DC=local
RemoveLingeringObjects successful on w2k8ad2.w2k8.local.

C:\Users\Administrator.W2K8>repadmin /removelingeringobjects w2k8ad2.w2k8.local ad9c2f9d-1236-43cd-9c79-cea6eb7d945a DC=ForestDnsZones,DC=w2k8,DC=local
RemoveLingeringObjects successful on w2k8ad2.w2k8.local.

C:\Users\Administrator.W2K8>

To restart replication following event ID 2042

1. Click Start, click Run, type regedit, and then click OK.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. If the registry entry does not exist, create the entry as follows:
   1. Right-click Parameters, click New, and then click DWORD Value.
   2. Type the name Allow Replication With Divergent and Corrupt Partner, and then press ENTER.
   3. Double-click the entry. In the Value data box, type 1, and then click OK.

Reset the Registry to Protect Against Outdated Replication

When you are satisfied that lingering objects have been removed and replication has occurred successfully from the source domain controller, edit the registry to return the value in Allow Replication With Divergent and Corrupt Partner to 0.
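
The registry steps above as a scripted, read-back-verified change, added here as an example and not taken from the original post: the value is set to 1, and it is returned to 0 only once repadmin /showrepl no longer reports 8614. The function names are hypothetical, and treating an absent entry as 0 is an assumption.

```powershell
# Added example (not from the original post). Run elevated on the destination DC.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Allow Replication With Divergent and Corrupt Partner'

function Get-DivergentPartnerSetting {   # hypothetical helper name
    # An absent entry is reported as 0 (assumption: absent behaves like 0).
    $p = Get-ItemProperty -Path $NtdsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { 0 } else { [int]$p.$ValueName }
}

function Set-DivergentPartnerSetting {   # hypothetical helper name
    param([ValidateSet(0, 1)][int]$Value)
    # -Force creates the DWORD if it is missing and overwrites it if it exists.
    New-ItemProperty -Path $NtdsParams -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    # Read the value back so a failed write is not mistaken for a changed setting.
    if ((Get-DivergentPartnerSetting) -ne $Value) { throw "Value '$ValueName' was not written." }
}

# Step 1: allow replication with the out-of-date partner (no restart needed).
Set-DivergentPartnerSetting -Value 1

# Step 2, run later: restore protection once inbound replication is clean again.
$still = @(repadmin /showrepl | Select-String -SimpleMatch 'result 8614')
if ($still.Count -eq 0) {
    Set-DivergentPartnerSetting -Value 0
} else {
    Write-Warning "Error 8614 still reported; '$ValueName' remains 1 on this DC."
}
```

Get-DivergentPartnerSetting can also be run on its own as a periodic check that no domain controller has been left with the value at 1.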
