raprgz2002
asked on
Windows Server 2008 Active Directory Problem EventID 1988
So I will do my best to get as much detail out as possible.
I recently inherited an Active Directory configuration that seems to be running in a less than stellar fashion. The FSMO roles are all installed on domain controller Vici, which is also supposed to be the primary DC.
There are 5 other domain controllers that are all supposed to be replicating to each other within the forest, etc. Now, I don't know a lot about AD DS or how to get everything back talking with each other; however, today when I was looking at the event log I found "a lot" of EventID 1988 on DC1 stating lingering objects. I used the following link to try and resolve the lingering object problem; it runs and says X number of lingering objects have been removed, however the error checks back in 15 minutes later.
http://support.microsoft.com/?id=314282.
I have run some other repadmin commands for replication and synchronization and it looks like everything except for my DomainDNS zone is replicating successfully.
I am sure there are going to be multiple steps to resolving this issue; any help would be greatly appreciated.
Here is the output from my repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Now Veni is working and seems to be the most stable, etc. I am not opposed to moving all the FSMO roles, etc. to this domain controller and rebuilding the ones that don't seem to be working correctly. There may need to be work done in the DC site topology as well, but I just don't know at this point...
Repadmin: running command /showrepl against full DC localhost
Kirkland\VICI2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: bc9800c1-8a5b-46fa-8f2f-5904ee483de6
DSA invocationID: f70e38d8-3e2d-47a1-b1f0-fc27addc75ed
==== INBOUND NEIGHBORS ======================================
DC=HQ,DC=org
Spokane\VENI via RPC
DSA object GUID: bab73741-a335-40eb-bdbd-36f5a7335903
Last attempt @ 2011-08-09 19:50:42 was successful.
Seattle-Data-Center\VEDI via RPC
DSA object GUID: 39c70096-831d-4e12-b51d-a47ea2c4187e
Last attempt @ 2011-08-09 19:50:42 was successful.
Romania\VOLO via RPC
DSA object GUID: f0534f93-856e-4aba-88dd-f0ea19d87ee4
Last attempt @ 2011-08-09 19:50:42 was successful.
Kirkland\VICI via RPC
DSA object GUID: 0dde4901-f8ad-42e6-95e3-9bf5a75b99a9
Last attempt @ 2011-08-09 20:04:17 was successful.
CN=Configuration,DC=HQ,DC=org
Kirkland\VICI via RPC
DSA object GUID: 0dde4901-f8ad-42e6-95e3-9bf5a75b99a9
Last attempt @ 2011-08-09 19:50:38 was successful.
Spokane\VENI via RPC
DSA object GUID: bab73741-a335-40eb-bdbd-36f5a7335903
Last attempt @ 2011-08-09 19:50:38 was successful.
Seattle-Data-Center\VEDI via RPC
DSA object GUID: 39c70096-831d-4e12-b51d-a47ea2c4187e
Last attempt @ 2011-08-09 19:50:39 was successful.
Romania\VOLO via RPC
DSA object GUID: f0534f93-856e-4aba-88dd-f0ea19d87ee4
Last attempt @ 2011-08-09 19:50:41 was successful.
CN=Schema,CN=Configuration,DC=HQ,DC=org
Kirkland\VICI via RPC
DSA object GUID: 0dde4901-f8ad-42e6-95e3-9bf5a75b99a9
Last attempt @ 2011-08-09 19:50:38 was successful.
Spokane\VENI via RPC
DSA object GUID: bab73741-a335-40eb-bdbd-36f5a7335903
Last attempt @ 2011-08-09 19:50:41 was successful.
Seattle-Data-Center\VEDI via RPC
DSA object GUID: 39c70096-831d-4e12-b51d-a47ea2c4187e
Last attempt @ 2011-08-09 19:50:41 was successful.
Romania\VOLO via RPC
DSA object GUID: f0534f93-856e-4aba-88dd-f0ea19d87ee4
Last attempt @ 2011-08-09 19:50:42 was successful.
DC=DomainDnsZones,DC=HQ,DC=org
Kirkland\VICI via RPC
DSA object GUID: 0dde4901-f8ad-42e6-95e3-9bf5a75b99a9
Last attempt @ 2011-08-09 19:50:38 was successful.
Spokane\VENI via RPC
DSA object GUID: bab73741-a335-40eb-bdbd-36f5a7335903
Last attempt @ 2011-08-09 19:50:43 failed, result 8606 (0x219e):
Insufficient attributes were given to create an object. This object
may not exist because it may have been deleted and already garbage collected.
1074 consecutive failure(s).
Last success @ (never).
Seattle-Data-Center\VEDI via RPC
DSA object GUID: 39c70096-831d-4e12-b51d-a47ea2c4187e
Last attempt @ 2011-08-09 19:50:43 failed, result 8606 (0x219e):
Insufficient attributes were given to create an object. This object
may not exist because it may have been deleted and already garbage collected.
1074 consecutive failure(s).
Last success @ (never).
Romania\VOLO via RPC
DSA object GUID: f0534f93-856e-4aba-88dd-f0ea19d87ee4
Last attempt @ 2011-08-09 19:50:45 failed, result 8606 (0x219e):
Insufficient attributes were given to create an object. This object
may not exist because it may have been deleted and already garbage collected.
787 consecutive failure(s).
Last success @ (never).
DC=ForestDnsZones,DC=HQ,DC=org
Kirkland\VICI via RPC
DSA object GUID: 0dde4901-f8ad-42e6-95e3-9bf5a75b99a9
Last attempt @ 2011-08-09 19:50:38 was successful.
Spokane\VENI via RPC
DSA object GUID: bab73741-a335-40eb-bdbd-36f5a7335903
Last attempt @ 2011-08-09 19:50:43 was successful.
Seattle-Data-Center\VEDI via RPC
DSA object GUID: 39c70096-831d-4e12-b51d-a47ea2c4187e
Last attempt @ 2011-08-09 19:50:43 was successful.
Romania\VOLO via RPC
DSA object GUID: f0534f93-856e-4aba-88dd-f0ea19d87ee4
Last attempt @ 2011-08-09 19:50:43 was successful.
Source: Seattle-Data-Center\VEDI
******* 1074 CONSECUTIVE FAILURES since (never)
Last error: 8606 (0x219e):
Insufficient attributes were given to create an object. This object
may not exist because it may have been deleted and already garbage collected.
Source: Spokane\VENI
******* 1074 CONSECUTIVE FAILURES since (never)
Last error: 8606 (0x219e):
Insufficient attributes were given to create an object. This object
may not exist because it may have been deleted and already garbage collected.
Source: Romania\VOLO
******* 787 CONSECUTIVE FAILURES since (never)
Last error: 8606 (0x219e):
Insufficient attributes were given to create an object. This object
may not exist because it may have been deleted and already garbage collected.
Information from EventID 1988
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 8/9/2011 8:05:45 PM
Event ID: 1988
Task Category: Replication
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: VICI2.HQ.org
Description:
Active Directory Domain Services Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory Domain Services database. Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed. Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".
Source domain controller:
f0534f93-856e-4aba-88dd-f0ea19d87ee4._msdcs.HQ.org
Object:
DC=Vici2\0ADEL:1f4278e8-bda1-427a-8105-debbc7dd1429,CN=Deleted Objects,DC=DomainDnsZones,DC=HQ,DC=org
Object GUID:
1f4278e8-bda1-427a-8105-debbc7dd1429
This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory Domain Services database. This replication attempt has been blocked.
The best solution to this problem is to identify and remove all lingering objects in the forest.
User Action:
Remove Lingering Objects:
The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282.
If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD. To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects. To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>".
If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.
If you need Active Directory Domain Services replication to function immediately at all costs and don't have time to remove lingering objects, enable loose replication consistency by unsetting the following registry key:
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency
Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved. DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.
Lingering objects may be prevented by ensuring that all domain controllers in the forest are running Active Directory Domain Services, are connected by a spanning tree connection topology and perform inbound replication before Tombstone Live number of days pass.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
<EventID Qualifiers="49152">1988</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2011-08-10T03:05:45.463479900Z" />
<EventRecordID>60476</EventRecordID>
<Correlation />
<Execution ProcessID="488" ThreadID="2128" />
<Channel>Directory Service</Channel>
<Computer>VICI2.HQ.org</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>f0534f93-856e-4aba-88dd-f0ea19d87ee4._msdcs.HQ.org</Data>
<Data>DC=Vici2\0ADEL:1f4278e8-bda1-427a-8105-debbc7dd1429,CN=Deleted Objects,DC=DomainDnsZones,DC=HQ,DC=org</Data>
<Data>1f4278e8-bda1-427a-8105-debbc7dd1429</Data>
<Data>Strict Replication Consistency</Data>
<Data>System\CurrentControlSet\Services\NTDS\Parameters</Data>
</EventData>
</Event>
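The Event 1988 text above recommends running "repadmin /removelingeringobjects ... /ADVISORY_MODE" before any real removal. The following added example (not part of the original thread) parses /showrepl output for inbound neighbors failing with error 8606 and prints one advisory-mode command per failure. It assumes the local DC is used as the reference copy, as the event text does, and the sample text is abbreviated from the output posted above.

```powershell
# Sample input abbreviated from the /showrepl output in the post.
# On a DC, replace the here-string with:  $lines = repadmin /showrepl
$lines = @'
Kirkland\VICI2
DSA object GUID: bc9800c1-8a5b-46fa-8f2f-5904ee483de6
==== INBOUND NEIGHBORS ======================================
DC=DomainDnsZones,DC=HQ,DC=org
Kirkland\VICI via RPC
DSA object GUID: 0dde4901-f8ad-42e6-95e3-9bf5a75b99a9
Last attempt @ 2011-08-09 19:50:38 was successful.
Romania\VOLO via RPC
DSA object GUID: f0534f93-856e-4aba-88dd-f0ea19d87ee4
Last attempt @ 2011-08-09 19:50:45 failed, result 8606 (0x219e):
787 consecutive failure(s).
'@ -split "`r?`n"

$localGuid = $null; $nc = $null; $neighbor = $null; $inNeighbors = $false

$failures = foreach ($raw in $lines) {
    $line = $raw.Trim()
    if ($line -match '^=+ INBOUND NEIGHBORS') { $inNeighbors = $true; continue }
    if (-not $inNeighbors) {
        # Header section: the first DSA object GUID belongs to the local DC.
        if (-not $localGuid -and $line -match '^DSA object GUID:\s*([0-9a-f-]{36})') {
            $localGuid = $Matches[1]
        }
        continue
    }
    # A line starting with DC= or CN= opens a new naming context (partition).
    if ($line -match '^(DC|CN)=') { $nc = $line; continue }
    # "Site\Server via RPC" names the inbound neighbor the next status line refers to.
    if ($line -match '^\S+\\(\S+) via RPC') { $neighbor = $Matches[1]; continue }
    # 8606 is the lingering-object failure shown in the post.
    if ($line -match '^Last attempt @ (.+) failed, result 8606\b') {
        [pscustomobject]@{ NamingContext = $nc; SourceDC = $neighbor; LastAttempt = $Matches[1] }
    }
}

foreach ($f in $failures) {
    # Advisory mode only logs what would be removed; nothing is deleted.
    'repadmin /removelingeringobjects {0} {1} "{2}" /ADVISORY_MODE' -f `
        $f.SourceDC, $localGuid, $f.NamingContext
}
```

The script only prints the commands; review them, and confirm that the reference DC really holds the copy you trust, before running any of them without /ADVISORY_MODE.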
Hi...
Actually I faced the same problem these days between two domains, with strict replication consistency keys enabled on all DCs in both domains. Based on the article below, which describes a similar event except that my record has not passed tombstone time (http://support.microsoft.com/kb/2005074), there is no solution for this issue, but I am thinking of the solutions below:
1. My record was deleted on 14/7/2011; I suggest restoring a system state backup from before this date.
2. In my case I have to solve a problem to migrate users and mailboxes to a new domain before removing the old domain (that contains a lingering object), so I will disable the strict replication consistency on the new domain to perform the migration and then remove the domain totally. This is my second solution.
Any ideas, guys.....
ASKER
Thanks, I was not aware of the forest-wide tool. I will give that a shot here shortly and let you know what's coming afterwards.
As for using the original link for cleaning lingering objects that I posted, I had done that several times and tried to force replication from my "clean" DCs to the problem DCs but couldn't ever get it to clean up. I'm just afraid that here soon everything is going to get tombstoned and garbage collected and I'm going to end up with a hosed environment... kinda scary when I'm not an AD expert and I hear about the old horror stories.