How to find and remove lingering objects in Active Directory

How to Troubleshoot Lingering Objects

Lingering Object : An object which has been deleted on a domain controller and even garbage collected but it still remains on another domain controller is termed as a Lingering Object
Some of the biggest annoyances for any Active Directory administrator are odd little things called lingering objects. These have existed since Windows 2000 Server and will probably never go away completely, although Microsoft has worked to give us some great tools to get rid of them and protect our domain controllers.
While there are already some good articles out there describing lingering objects, I’d like to put my own spin on the issue based on experiences I’ve had with them. I still find many Active Directory admins who either don’t understand what lingering objects are or don’t know what to do about them. Put simply, a lingering object is any Active Directory object that has been deleted, but gets reanimated when a DC has not replicated the change during the domain’s tombstone lifetime period.
Preventing Lingering Objects
Of course, it’s most desirable to prevent lingering objects from being created in the first place. There is a registry key called StrictReplicationConsistency — which we’ll refer to as Strict Mode — that will protect a DC from lingering objects:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
ValueName = Strict Replication Consistency
Data Type = Reg_DWORD
Value Data = 1 = Strict 0=Loose
If this value is set to 1, it will prevent a partner from replicating lingering objects to the DC it is defined on. Thus, if every domain controller has Strict Mode enabled, they are protected from lingering objects
How to Find and Remove Lingering Objects in Active Directory
Event ID 1988 proves the presence of Lingering Object in the domain below is the example for the same.
Event Type:       Error
Event Source:   NTDS Replication
Event Category:               Replication
Event ID:            1988
Date:                     5/31/2011
Time:                    11:58:46 PM
User:                     NT AUTHORITY\ANONYMOUS LOGON
Computer:          EXCHANGE1
Description:
Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory database.  Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed.  Objects that have been deleted and garbage collected from an Active Directory partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as “lingering objects”.
This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory database.  This replication attempt has been blocked.
 The best solution to this problem is to identify and remove all lingering objects in the forest.
Source DC (Transport-specific network address):
039c75ff-f65c-4f31-90b4-d68570ff4142._msdcs.rootcon.local
Object:
CN=932c938c-2b18-4704-bb6a-0bbe4ce02dacADEL:781d5c06-bdd9-4423-9772-2f51ef1763cc, CN=Deleted Objects, CN=Configuration, DC=rootcon, DC=local
Object GUID:
781d5c06-bdd9-4423-9772-2f51ef1763cc
 User Action:
 Remove Lingering Objects:
 The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282.
 If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run “repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE”. The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run “repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>”.
If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.
 If you need Active Directory replication to function immediately at all costs and don’t have time to remove lingering objects, enable loose replication consistency by unsetting the following registry key:
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency
Replication errors between DCs sharing a common partition can prevent user and compter accounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.
Lingering objects may be prevented by ensuring that all domain controllers in the forest are running Active Directory, are connected by a spanning tree connection topology and perform inbound replication before Tombstone Live number of days pass.For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The description of the Event ID 1988 is quite descriptive. It gives the following Information
1. The GUID of the source domain controller from where the lingering objects are coming.
Source DC (Transport-specific network address):
039c75ff-f65c-4f31-90b4-d68570ff4142._msdcs.rootcon.local
2. The DN of the Lingering Object (This piece of information is helpful in determining the location of the lingering object with respect to the naming context – domain partition, configuration partition , global catalog)
Object:
CN=932c938c-2b18-4704-bb6a-0bbe4ce02dacADEL:781d5c06-bdd9-4423-9772-2f51ef1763cc, CN=Deleted Objects, CN=Configuration, DC=rootcon, DC=local
 3. The event also gives the command that needs to be run to remove lingering objects
Repadmin /RemoveLingeringObjects <Name of the Source DC> <GUID of the DC which do not have the Lingering Objects>
Name of the Source DC: The Event ID 1988 mentions the GUID of the source DC. From this GUID, we need to get the name of that DC
GUID of the DC which do not have the Lingering Objects: DC on which we are getting Event ID 1988is the one on which we do not have the Lingering Objects.
Remember this; there is no “Bad” domain controller or “Good” domain controller. There is domain controller which has lingering objects and domain controller which do not have lingering objects. The presence of lingering objects does not make a domain controller “Bad”
Ping the GUID which is mentioned in the Event 1988. This is the GUID of the domain controller which has Lingering Objects. By pinging the GUID, we will get the name of the domain controller having lingering objects
C:\>ping 039c75ff-f65c-4f31-90b4-d68570ff4142._msdcs.rootcon.local
Pinging authserver.Rootcon. Local [10.10.10.10] with 32bytes of data
pinging 10.10.10.10 with 32 bytes of data:
Reply from 10.10.10.10: bytes=32 time<1ms TTL=127
Reply from 10.10.10.10: bytes=32 time<1ms TTL=127
Reply from 10.10.10.10: bytes=32 time<1ms TTL=127
Reply from 10.10.10.10: bytes=32 time<1ms TTL=127
Ping statistics for 10.10.10.10:
                Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
                Minimum = 0ms, Maximum = 0ms, Average = 0ms
Now we need to get the GUID of the domain controller which does not have lingering objects. The domain controller on which we get 1988 is the one which does not have lingering objects. We can get the GUID of this domain controller from DNS.
As stated earlier, the Event ID 1988 contains the DN of the lingering object which can help us to identify the naming context (partition) in which we have the lingering objects
Object:
CN=932c938c-2b18-4704-bb6a-0bbe4ce02dacADEL:781d5c06-bdd9-4423-9772-2f51ef1763cc, CN=Deleted Objects, CN=Configuration, DC=rootcon, DC=local
To remove the lingering object run Repadmin /RemoveLingeringObjects
The same command can be run with “Advisory Mode” and without “Advisory Mode”
With “Advisory Mode”: This only shows the number and name of the Lingering Objects in the form of Events in the Event Viewer. This does NOT removes the Lingering Objects
C:\Documents and Settings\noc>repadmin /removelingeringobjects Authserver 04dc247f-cb35-43ac-8856-23f4603076b0 CN=configuration, DC=rootcon, DC=local/advisory_mode
RemoveLingeringObjects sucessfull on authserver.

Without “Advisory Mode”: This actually removes the Lingering Objects
Run the command on the domain controller on which you are getting the Event 1988
C:\Documents and Settings\noc>repadmin /removelingeringobjects Authserver 04dc247f-cb35-43ac-8856-23f4603076b0 CN=configuration, DC=rootcon, DC=local
RemoveLingeringObjects sucessfull on authserver.
Events gets generated after running the command with the “Advisory Mode”
Running the actual command without “Advisory Mode” in event log it shows that the Removal of Lingering Objects has begun. Finally Event stating that the Lingering Object has been Removed will be logged Directory Service.
Users on Authserver which were present in AD as Lingering Objects are now removed from the Active Directory.
To remove lingering objects from other Directory Partition below are the sample examples.
Repadmin /removelingeringobjects ServerName ServerGUID Directory Partition /advisory_mode .The distinguished name of the directory partition that is identified in the event message. For example,
 DC=rootcon, DC=local   for a domain directory partition,
 CN=configuration, DC=rootcon, DC=local   for the configuration directory partition, or CN=schema, CN=configuration, DC=rootcon, DC=local for the schema directory partition
Example:
C:\Documents and Settings\noc>repadmin /removelingeringobjects authserver 04dc24
7f-cb35-43ac-8856-23f4603076b0 DC=rootcon, DC=local
RemoveLingeringObjects sucessfull on authserver.
C:\Documents and Settings\noc>repadmin /removelingeringobjects authserver 04dc24
7f-cb35-43ac-8856-23f4603076b0 CN=configuration, DC=rootcon, DC=local
RemoveLingeringObjects sucessfull on authserver.
C:\Documents and Settings\noc>repadmin /removelingeringobjects authserver 04dc24
7f-cb35-43ac-8856-23f4603076b0 CN=schema, cn=configuration,DC=rootcon,DC=local
RemoveLingeringObjects sucessfull on authserver.
Reference KB article for lingering object:
http://technet.microsoft.com/en-us/library/cc738018(WS.10).aspx
http://support.microsoft.com/kb/870695
http://support.microsoft.com/kb/317097

Original Post: