What is Replication Beyond Tombstone Date?

[mike]

Using Windows Server 2003 Sp1 on both machines

Today I tried to create 2 new users who were subsequently unable to log into
e-mail via OWA. I first thought it was an Exchange problem. To
troubleshoot, I tried to log on to a PC here at our corporate office using
these users' domain credentials. They could not log on. This seemed more
than an Exchange problem. Digging deeper, I find errors on our first domain
controller, DC1: Error 2042: The time between replications with this source
has exceeded
the tombstone lifetime.

I then look on our second domain controller, DC2, and I see that some user
accounts I have created recently are not there.

Following MSKB advice, I ran repadmin /removelingeringobjects in
advisory_mode.

I ran repadmin on DC1, which is the machine getting all the 2042 errors.
The other machine, DC2, had all the 1988 errors. After running repadmin, it
said that repadmin ran successfully with Event ID 1938 and 1942. However, I
do not see any events that tells me what the lingering objects are. Is it
possible that there are no lingering objects? If a "lingering object" is
an object that was deleted from one domain controller but not another, then
I think that, indeed, we may not have any lingering objects. Because I
always add and delete things from DC1, never DC2.

1) How can I tell if there are lingering objects?

2) If there are no lingering objects, is it okay to set both DCs to "loose"
mode instead of "strict" mode?

3) If I do set both DCs to "loose" mode, how do I force a replication, and
how will the servers know which one is "boss", on other words, which user
accounts to use?

4) If it turns out there are 2 or 3 lingering objects, or objects that are
out of sync, what kind of risk am I running by using "loose" mode?

Thank you.

 

[Brian Delaney [MSFT]]

Hi Mike,

My responses are inline.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------

From: "mike" <[email protected]>
Newsgroups: microsoft.public.win2000.active_directory
Subject: What is Replication Beyond Tombstone Date?
Date: Tue, 15 Aug 2006 19:56:09 -0500
Organization: Posted via Supernews, http://www.supernews.com
Message-ID: <[email protected]>

Using Windows Server 2003 Sp1 on both machines

Today I tried to create 2 new users who were subsequently unable to log into
e-mail via OWA. I first thought it was an Exchange problem. To
troubleshoot, I tried to log on to a PC here at our corporate office using
these users' domain credentials. They could not log on. This seemed more
than an Exchange problem. Digging deeper, I find errors on our first domain
controller, DC1: Error 2042: The time between replications with this source
has exceeded
the tombstone lifetime.

I then look on our second domain controller, DC2, and I see that some user
accounts I have created recently are not there.

Following MSKB advice, I ran repadmin /removelingeringobjects in
advisory_mode.

I ran repadmin on DC1, which is the machine getting all the 2042 errors.
The other machine, DC2, had all the 1988 errors. After running repadmin, it
said that repadmin ran successfully with Event ID 1938 and 1942. However, I
do not see any events that tells me what the lingering objects are. Is it
possible that there are no lingering objects? If a "lingering object" is
an object that was deleted from one domain controller but not another, then
I think that, indeed, we may not have any lingering objects. Because I
always add and delete things from DC1, never DC2.

1) How can I tell if there are lingering objects?

repadmin /removeligneringobjects will log any lingering objects found to
the Directory Service event log.

2) If there are no lingering objects, is it okay to set both DCs to "loose"
mode instead of "strict" mode?

I usually would not disable strict replication consistency in this
scenario. Strict Replication Consistency is designed to prevent the
propogation of lingering objects amonst your domain controllers. Rather I
would use the registry key described in the 2042 event id:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication
With Divergent and Corrupt Partner = 1 (REG_DWORD)

3) If I do set both DCs to "loose" mode, how do I force a replication, and
how will the servers know which one is "boss", on other words, which user
accounts to use?

Replication can be forced with AD Sites and Services or replmon.exe.
Normal conflict resolution will be utilized in case of conflict. There
will be no authoritative copy.

4) If it turns out there are 2 or 3 lingering objects, or objects that are
out of sync, what kind of risk am I running by using "loose" mode?

Strict Replication Consistency should only be disabled temporarily if you
even need to disable it at all which is not likely. The lingering objects
should be cleaned up via repadmin /removelingeringobjects so that Strict
Replication Consistency can be turned back on and Allow Replication With
Divergent and Corrupt Partner can be disabled.

Refer to
http://technet2.microsoft.com/WindowsServer/en/library/34c15446-b47f-4d51-8e
4a-c14527060f901033.mspx?mfr=true for more info on Allow Replication With
Divergent and Corrupt Partner and the 2042 error

 

[mike]

Brian, thank you very much for the reply. I appreciate the help.

I will try the corrupt partner replication and post the results back to the
group.

Best regards,

Mike

 

[Jorge de Almeida Pinto [MVP]]

have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/08/935.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/153.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx