Hello! In a Windows 2003 DC server, the following error is occurring and that is impacting on the replication of AD. ============================================================================== Event Type: Error Event Source: NTDS Replication Event Category: Replication Event ID: 1988 Date: 4/27/2011 Time: 8:31:48 AM User: NT AUTHORITY\ANONYMOUS LOGON Computer: DC1 Description: Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory database. Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed. Objects that have been deleted and garbage collected from an Active Directory partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects". This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory database. This replication attempt has been blocked. The best solution to this problem is to identify and remove all lingering objects in the forest. Source DC (Transport-specific network address): 0f6b1a87-a727-4962-a8a6-ecdfe8a60bb6._msdcs.mydomain.com Object: CN=testvpn\0ADEL:1ba4696a-50fb-480c-890c-a440ac8c9cf3,CN=Deleted Objects,DC=branch1,DC=mydomain,DC=com Object GUID: 1ba4696a-50fb-480c-890c-a440ac8c9cf3 User Action: Remove Lingering Objects: The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282. If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD. To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects. To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>". If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel. If you need Active Directory replication to function immediately at all costs and don't have time to remove lingering objects, enable loose replication consistency by unsetting the following registry key: Registry Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved. DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC. Lingering objects may be prevented by ensuring that all domain controllers in the forest are running Active Directory, are connected by a spanning tree connection topology and perform inbound replication before Tombstone Live number of days pass. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. ============================================================================== I ran the command repadmin /removelingeringobjects successfully, but no lingering objects were found. Through the LDP application, I can see the object CN=testvpn\0ADEL:1ba4696a-50fb-480c-890c-a440ac8c9cf3,CN=Deleted Objects,DC=branch1,DC=mydomain,DC=com. Deleting this object by the LDP, the replication problem is solved? NOTE1: I used the following article to find the deleted object: http://www.petri.co.il/manually-undeleting-objects-windows-active-directory-ad.htm NOTE2: All DC servers have Windows 2003 installed. Thanks!

Hi Bbastos, Here's an article that might provide better overall troubleshooting details to lead towards resolution on this issue... I like the Technet Library Troubleshooting guides better than the Microsoft Support KB pages. EVENT ID 1388 and 1988: A lingering object is detected: Active Directory - http://technet.microsoft.com/en-us/library/cc780362(WS.10).aspx Best Regards,Steve Kline Microsoft Certified IT Professional: Server Administrator Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7 Microsoft Certified Product Specialist & Network Product Specialist Red Hat Certified System Administrator This posting is "as is" without warranties and confers no rights.

Hi, In addition to the above suggestions, please also have a look at the following articles: Unable to remove Lingering objects problem http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/965b259a-36b4-4811-8720-5d5e1b6c9ea0 Cleaning lingering objects across the forest with ReplDiag.exe http://blogs.technet.com/b/robertbo/archive/2010/11/07/cleaning-lingering-objects-across-the-forest-with-repldiag-exe-part-2-of-4.aspx Hope it helps. Regards, Bruce This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hello! As the lingering objects were not found using the command "repadmin / removelingeringobjects" I tried to delete the object "testvpn" using the LDP application. The object was not deleted and the following error occurred: Error: Delete: No Such Object. <32> Server error: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=testvpn\0ADEL:1ba4696a-50fb-480c-890c-a440ac8c9cf3,CN=Deleted Objects,DC=branch1,DC=mydomain,DC=com' What can I do to diagnose this problem? Thanks!

Hello, please upload the following files: ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server] dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt ["dc* is a place holder for the starting name of the DCs if they all begin the same (if more then one DC exists)] dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045) As the output will become large, DON'T post them into the thread, please use Windows Sky Drive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Hello, I ran the repadmin /replsummary command and the following errors happened in some domain controllers: - (8606) Can't retrieve message string 8606 (0x219e), error 1815. - (8614) Can't retrieve message string 8614 (0x21a6), error 1815. - (8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected. - (8614) The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime. How to troubleshoot these errors? Thanks!

Hello, how about providing the files so we can have a deeper look?Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Hello, As I can not remove the ligering object when Using "repadmin /removelingeringobjects" and LDP, I'm thinking the following option to solve the problem: I have a System State backup (day 13/03/2011) of the branch1.mydomain.com domain. Can I restore this backup using authoritative restore (I have no problems losing the recent changes) to try to solve the problem? This replication problem began on 30/03/2011. What do you think about this option? Thanks!