Saturday, January 29, 2011

Active Directory: The time since last replication with this server has exceeded the tombstone lifetime

SkyHi @ Saturday, January 29, 2011
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If a domain controller has not replicated with its partner for longer than a tombstone lifetime, it is possible that a lingering object problem exists on one or both domain controllers. When this condition occurs, inbound replication with the source partner is stopped on the destination domain controller and event ID 2042 is logged in the Directory Services event log. The event identifies the source domain controller and the appropriate steps to take to either remove the outdated domain controller or remove lingering objects and restore replication from the source domain controller.
An example of the event text is as follows:
Event Type:Error
Event Source:NTDS Replication
Event Category:Replication 
Event ID:2042
Date:3/22/2005
Time:7:28:49 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
It has been too long since this machine last replicated with the 
named source machine. The time between replications with this source 
has exceeded the tombstone lifetime. Replication has been stopped 
with this source. 
The reason that replication is not allowed to continue is that 
the two machine's views of deleted objects may now be different. 
The source machine may still have copies of objects that have 
been deleted (and garbage collected) on this machine. If they 
were allowed to replicate, the source machine might return 
objects which have already been deleted. 
Time of last successful replication:
2005-01-21 07:16:03 
Invocation ID of source: 
0397f6c8-f6b8-0397-0100-000000000000 
Name of source: 
4a8717eb-8e58-456c-995a-c92e4add7e8e._msdcs.contoso.com 
Tombstone lifetime (days):
60

The replication operation has failed.

User Action:

Determine which of the two machines was disconnected from the 
forest and is now out of date. You have three options: 

1. Demote or reinstall the machine(s) that were disconnected. 
2. Use the "repadmin /removelingeringobjects" tool to remove 
inconsistent deleted objects and then resume replication. 
3. Resume replication. Inconsistent deleted objects may be introduced. 
You can continue replication by using the following registry key. 
Once the systems replicate once, it is recommended that you remove 
the key to reinstate the protection. 
Registry Key: 
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
The repadmin /showrepl command also reports error 8614:
Source: Default-First-Site-Name\DC1
******* 1502 CONSECUTIVE FAILURES since 2005-01-21 07:16:00
Last error: 8614 (0x21a6):
            The Active Directory cannot replicate with this server 
because the time since the last replication with this server has 
exceeded the tombstone lifetime.

Solution

Treat this occurrence as a lingering object condition, and do the following:
  • Run the repadmin /showrepl command on the domain controller that received the error to determine which domain controller has been disconnected for longer than a tombstone lifetime.
  • Check the system time on both the source and destination domain controllers. If there is a time difference, correct the time issue before proceeding. You may have to wait a couple of hours to ensure that a time skew does not recur. If a time skew does occur, you must diagnose why and resolve the issue. For example, there could be hardware issues, such as a system battery failure, a firmware update might be required, or the forest root PDC might not be configured to use an external time source (as described in Configure the Time Source for the Forest).
  • Remove lingering objects. Follow the instructions for removing lingering objects from the source and destination domain controllers as described in Event ID 1388 or 1988: A lingering object is detected.
  • Restart replication on the destination domain controller. After you remove lingering objects, you must restart replication on the domain controller that logged the event by editing the registry setting that allows replication with a potentially out-of-date domain controller. You can also perform this procedure if you do not want to wait to remove lingering objects and you want to start replication immediately.
  • Reset the registry to protect the domain controller against outdated replication. After replication has resumed on the domain controller that logged the event, reset the registry so that this domain controller continues to log events if replication is attempted with a domain controller where the last successful replication occurred longer than a tombstone lifetime ago.
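The first step of the solution is to find, from repadmin /showrepl, the partner that has been disconnected for longer than a tombstone lifetime. The following PowerShell script is an added example (not code from the TechNet article or from this blog) that does that check over the CSV form of the same command, repadmin /showrepl * /csv, and also reads the forest's real tombstone lifetime instead of assuming 60 or 180 days. The $sample CSV is constructed data shaped like repadmin's real output; the Get-TombstoneLifetime function assumes the ActiveDirectory module (RSAT) is available.

```powershell
# Added example, not from the TechNet article or the blog post.
# Parses "repadmin /showrepl * /csv" output and reports partners that either
# returned error 8614 or whose last successful replication is older than the
# tombstone lifetime. $sample is constructed; for live data use:
#   $csv = repadmin /showrepl * /csv | Out-String

$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC3,"DC=contoso,DC=com",Default-First-Site-Name,DC1,RPC,1502,2005-03-22 07:28:49,2005-01-21 07:16:03,8614
showrepl_INFO,Default-First-Site-Name,DC3,"DC=contoso,DC=com",Default-First-Site-Name,DC2,RPC,0,0,2005-03-22 07:20:11,0
'@

function Get-TombstoneLifetime {
    # Reads tombstoneLifetime (days) from the forest's Directory Service object.
    # Requires the ActiveDirectory module. When the attribute is not set, the
    # default of 60 days applies (forests created before Windows Server 2003 SP1).
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Find-StaleReplicationPartner {
    param(
        [Parameter(Mandatory=$true)][string]$ShowReplCsv,
        [int]$TombstoneLifetimeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    foreach ($r in ($ShowReplCsv | ConvertFrom-Csv)) {
        # "Last Success Time" is "yyyy-MM-dd HH:mm:ss", or 0 when there never was one
        $lastSuccess = $null
        if ($r.'Last Success Time' -match '^\d{4}-') {
            $lastSuccess = [datetime]::ParseExact($r.'Last Success Time', 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        }
        $reasons = @()
        if ($r.'Last Failure Status' -eq '8614') {
            $reasons += 'last error 8614 (time since last replication exceeded the tombstone lifetime)'
        }
        if ($lastSuccess -and ($Now - $lastSuccess).TotalDays -gt $TombstoneLifetimeDays) {
            $reasons += ('last success {0:N1} days ago' -f ($Now - $lastSuccess).TotalDays)
        }
        if ($reasons) {
            [pscustomobject]@{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Failures      = [int]$r.'Number of Failures'
                LastSuccess   = $lastSuccess
                Reason        = $reasons -join '; '
            }
        }
    }
}

# Offline run against the constructed sample, evaluated as of the 2042 event's
# own timestamp. With live data use -TombstoneLifetimeDays (Get-TombstoneLifetime)
# and leave -Now at its default.
Find-StaleReplicationPartner -ShowReplCsv $sample -TombstoneLifetimeDays 60 -Now ([datetime]'2005-03-22T07:28:49') |
    Format-Table -AutoSize
```

Against the sample, the DC1 row is reported on both counts (error 8614 and a gap of just over 60 days), while the healthy DC2 row is not. Running it with the live tombstone lifetime matters because a forest created with Windows Server 2003 SP1 or later uses 180 days, not the 60 days shown in the event above.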

Restart Replication Following Event ID 2042

To restart inbound replication on the destination domain controller following event ID 2042, you must edit the Allow Replication With Divergent and Corrupt Partner registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Use the following procedure to change the registry entry value. This procedure does not require a restart of the domain controller to take effect.
Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

Requirements
  • Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group in the domain of the domain controller.
  • Tool: Regedit.exe

To restart replication following event ID 2042

  1. Click Start, click Run, type regedit, and then click OK.
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. In the details pane, create or edit the registry entry as follows:
    If the registry entry exists in the details pane, modify the entry as follows:
    1. In the details pane, right-click Allow Replication With Divergent and Corrupt Partner, and then click Modify.
    2. In the Value data box, type 1, and then click OK.
    If the registry entry does not exist, create the entry as follows:
    1. Right-click Parameters, click New, and then click DWORD Value.
    2. Type the name Allow Replication With Divergent and Corrupt Partner, and then press ENTER.
    3. Double-click the entry. In the Value data box, type 1, and then click OK.

Reset the Registry to Protect Against Outdated Replication

When you are satisfied that lingering objects have been removed and replication has occurred successfully from the source domain controller, edit the registry to return the value in Allow Replication With Divergent and Corrupt Partner to 0.
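The two registry steps above (set the value to 1 to restart replication, then back to 0) can be done from PowerShell instead of Regedit. The script below is an added example, not code from the TechNet article; it also adds an audit that lists every DC in the domain where the value was left at 1, which is the state the last step is meant to prevent. It assumes an elevated session with Domain Admins rights, and the audit assumes the ActiveDirectory module and WinRM access to each DC.

```powershell
# Added example, not from the TechNet article.
# Sets, resets and audits "Allow Replication With Divergent and Corrupt Partner".
# No restart of the domain controller is needed for the change to take effect.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName  = 'Allow Replication With Divergent and Corrupt Partner'

function Get-DivergentPartnerSetting {
    # Returns the DWORD value, or 0 when the value does not exist (the default:
    # replication with a partner past the tombstone lifetime is refused).
    $item = Get-ItemProperty -Path $ntdsParams -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { 0 } else { [int]$item.$valueName }
}

function Set-DivergentPartnerSetting {
    # 1 = allow the one-time replication; 0 = restore the protection.
    param([Parameter(Mandatory=$true)][ValidateSet(0, 1)][int]$Value)
    $item = Get-ItemProperty -Path $ntdsParams -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Same as "New > DWORD Value" in Regedit
        New-ItemProperty -Path $ntdsParams -Name $valueName -Value $Value -PropertyType DWord | Out-Null
    } else {
        Set-ItemProperty -Path $ntdsParams -Name $valueName -Value $Value -Type DWord
    }
    Get-DivergentPartnerSetting
}

function Find-DCsAllowingDivergentPartner {
    # Every DC in the domain where the value is still 1, i.e. where the
    # "Reset the Registry" step was never done.
    Get-ADDomainController -Filter * | ForEach-Object {
        $v = Invoke-Command -ComputerName $_.HostName -ArgumentList $ntdsParams, $valueName -ScriptBlock {
            param($path, $name)
            (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{ DC = $_.HostName; Value = [int]$v }
    } | Where-Object { $_.Value -eq 1 }
}

# Usage, on the destination DC that logged event 2042:
#   Set-DivergentPartnerSetting -Value 1      # restart replication (procedure above)
#   ... run repadmin /replicate and confirm with repadmin /showrepl ...
#   Set-DivergentPartnerSetting -Value 0      # reset the protection
#   Find-DCsAllowingDivergentPartner          # should return nothing afterwards
```

Get-DivergentPartnerSetting treats a missing value as 0 because, as the procedure notes, the entry does not exist until someone creates it; the audit relies on the same convention so a DC that never needed the workaround reports 0.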

============================================================================

If a server has exceeded the tombstone lifetime (180 days on WS2008 by default), it will cause issues when it is brought back on the network.
New users, groups, etc. are no longer synchronized to this server, which can cause issues with e-mail sent to these new users.
If the e-mail server looks the user up in AD against the bad server, the e-mail won't be delivered.

Run the following on a good DC:

Repadmin /showrepl

Get the DSA object GUID of a good DC from the output:

DC=mydomain,DC=intra
Default-First-Site-Name\GOOD-DC1 via RPC
DSA object GUID: de7429ee-7637-45cb-bbf0-43d17b17831b
Last attempt @ 2010-07-15 12:17:30 was successful.

Then remove the objects on the bad DC that no longer exist in the current AD (on the good DC):

repadmin /removelingeringobjects bad-dc.mydomain.intra de7429ee-7637-45cb-bbf0-43d17b17831b "dc=mydomain, dc=intra"


Then :

repadmin /replicate bad-dc.mydomain.intra good-dc.mydomain.intra DC=mydomain,DC=intra /force

repadmin /replicate bad-dc.mydomain.intra good-dc.mydomain.intra CN=configuration,DC=mydomain,DC=intra /force

repadmin /replicate bad-dc.mydomain.intra good-dc.mydomain.intra CN=schema,CN=configuration,DC=mydomain,DC=intra /force

This will synchronize the servers for these partitions and you won’t have issues anymore with the accounts of the new users.
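The three manual steps above (read the good DC's DSA object GUID, run repadmin /removelingeringobjects, then force-replicate each partition) are written below as PowerShell functions. This is an added example, not code from the original post, and it goes a little beyond it: the GUID is looked up from the good DC's NTDS Settings object instead of being copied out of /showrepl, removelingeringobjects is first run with /advisory_mode (it reports what would be removed in the Directory Service event log and deletes nothing), and every partition that both DCs hold is cleaned and replicated, not only the domain partition. It assumes the ActiveDirectory module (RSAT) is installed; the DC names are placeholders.

```powershell
# Added example, not from the original post. Automates the lingering-object
# removal and forced replication shown above for every partition both DCs hold.

$goodDc = 'good-dc.mydomain.intra'   # placeholder
$badDc  = 'bad-dc.mydomain.intra'    # placeholder

function Get-DsaObjectGuid {
    # objectGUID of the DC's "NTDS Settings" object: the GUID that
    # repadmin /showrepl prints as "DSA object GUID".
    param([Parameter(Mandatory=$true)][string]$DomainController)
    $dc = Get-ADDomainController -Identity $DomainController
    (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID.ToString()
}

function Get-CommonPartitions {
    # Naming contexts hosted by both DCs: domain, configuration, schema and any
    # application partitions (for example DomainDnsZones) that both carry.
    param([string]$DcA, [string]$DcB)
    $a = (Get-ADDomainController -Identity $DcA).Partitions
    $b = (Get-ADDomainController -Identity $DcB).Partitions
    $a | Where-Object { $b -contains $_ }
}

function Remove-LingeringObjectsOnDc {
    param(
        [Parameter(Mandatory=$true)][string]$BadDc,
        [Parameter(Mandatory=$true)][string]$GoodDc,
        [switch]$AdvisoryMode   # report only; nothing is deleted
    )
    $guid = Get-DsaObjectGuid -DomainController $GoodDc
    foreach ($nc in Get-CommonPartitions -DcA $BadDc -DcB $GoodDc) {
        $cmdArgs = @('/removelingeringobjects', $BadDc, $guid, $nc)
        if ($AdvisoryMode) { $cmdArgs += '/advisory_mode' }
        Write-Host "repadmin $($cmdArgs -join ' ')"
        & repadmin @cmdArgs
    }
}

function Sync-PartitionsFromGoodDc {
    # Equivalent of the "repadmin /replicate ... /force" lines above,
    # run for every common partition.
    param(
        [Parameter(Mandatory=$true)][string]$BadDc,
        [Parameter(Mandatory=$true)][string]$GoodDc
    )
    foreach ($nc in Get-CommonPartitions -DcA $BadDc -DcB $GoodDc) {
        Write-Host "repadmin /replicate $BadDc $GoodDc $nc /force"
        & repadmin /replicate $BadDc $GoodDc $nc /force
    }
}

# Usage, from a machine with RSAT, as a Domain Admin:
#   Remove-LingeringObjectsOnDc -BadDc $badDc -GoodDc $goodDc -AdvisoryMode   # review the event log first
#   Remove-LingeringObjectsOnDc -BadDc $badDc -GoodDc $goodDc
#   Sync-PartitionsFromGoodDc   -BadDc $badDc -GoodDc $goodDc
```

Running the advisory pass first is the check worth keeping: it shows which objects the bad DC would lose before anything is removed, so an unexpected list (for example, objects that still exist on the good DC) can be investigated rather than deleted.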

But if the bad DC is planned for removal, I recommend using the dcpromo /forceremoval method and a metadata cleanup, as explained here:
Remove_ad_from_dc
Delete_failed_DC



REFERENCES
http://technet.microsoft.com/en-us/library/cc738415%28WS.10%29.aspx
http://sytrea.blogspot.com/2010/07/force-replication-of-ad-partitions.html
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/153.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/08/Lingering-objects.aspx
http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx