Replication Problem (Will I need to rebuild domain)

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi,

Problem: One of out DC's (dc.sub.root.org) have not replicated for 60
day so therefore has exceeded the tombstone lifetime. This DC is part
of a forest. There are no other DC's in that domain.

Does the root DC (dc.root.org) of the forest keep a copy of the AD for
this domain? (sub.root.org)

Or will we have to rebuild this domain and re-add it to the forest?

Any advice would be appreciated.

This is the log in the Event Log: NTDS Replication Event ID: 2042

It has been too long since this machine last replicated with the named
source machine. The time between replications with this source has
exceeded the tombstone lifetime. Replication has been stopped with
this source.
The reason that replication is not allowed to continue is that the two
machine's views of deleted objects may now be different. The source
machine may still have copies of objects that have been deleted (and
garbage collected) on this machine. If they were allowed to replicate,
the source machine might return objects which have already been
deleted.
Time of last successful replication:
2004-09-15 00:01:50
Invocation ID of source:
03edf844-f834-03ed-c813-2e040c532403
Name of source:
c38c08ca-48ae-4f30-ac07-2603556726c3._msdcs.tdlg.net
Tombstone lifetime (days):
60

The replication operation has failed.

User Action:

Determine which of the two machines was disconnected from the forest
and is now out of date. You have three options:

1. Demote or reinstall the machine(s) that were disconnected.
2. Use the "repadmin /removelingeringobjects" tool to remove
inconsistent deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced.
You can continue replication by using the following registry key. Once
the systems replicate once, it is recommended that you remove the key
to reinstate the protection.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow
Replication With Divergent and Corrupt Partner

Thanks

John
6 answers Last reply
More about replication problem will rebuild domain
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    > Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    > this domain? (sub.root.org)

    No it does not.


    > Or will we have to rebuild this domain and re-add it to the forest?

    Yes, this is exactly what you will have to do. You will also need to
    cleanup this domain and domain controller by following these KBs:
    -- http://support.microsoft.com/?id=230306
    -- http://support.microsoft.com/?id=216498


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

    "John" <homehome16@hotmail.com> wrote in message
    news:42f3a03a.0502150354.27d52583@posting.google.com...
    Hi,

    Problem: One of out DC's (dc.sub.root.org) have not replicated for 60
    day so therefore has exceeded the tombstone lifetime. This DC is part
    of a forest. There are no other DC's in that domain.

    Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    this domain? (sub.root.org)

    Or will we have to rebuild this domain and re-add it to the forest?

    Any advice would be appreciated.

    This is the log in the Event Log: NTDS Replication Event ID: 2042

    It has been too long since this machine last replicated with the named
    source machine. The time between replications with this source has
    exceeded the tombstone lifetime. Replication has been stopped with
    this source.
    The reason that replication is not allowed to continue is that the two
    machine's views of deleted objects may now be different. The source
    machine may still have copies of objects that have been deleted (and
    garbage collected) on this machine. If they were allowed to replicate,
    the source machine might return objects which have already been
    deleted.
    Time of last successful replication:
    2004-09-15 00:01:50
    Invocation ID of source:
    03edf844-f834-03ed-c813-2e040c532403
    Name of source:
    c38c08ca-48ae-4f30-ac07-2603556726c3._msdcs.tdlg.net
    Tombstone lifetime (days):
    60

    The replication operation has failed.

    User Action:

    Determine which of the two machines was disconnected from the forest
    and is now out of date. You have three options:

    1. Demote or reinstall the machine(s) that were disconnected.
    2. Use the "repadmin /removelingeringobjects" tool to remove
    inconsistent deleted objects and then resume replication.
    3. Resume replication. Inconsistent deleted objects may be introduced.
    You can continue replication by using the following registry key. Once
    the systems replicate once, it is recommended that you remove the key
    to reinstate the protection.
    Registry Key:
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow
    Replication With Divergent and Corrupt Partner

    Thanks

    John
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Paul, Thanks for you help just one more question:

    What would happen if I either used the repadmin
    /removelingeringobjects command or edited the registry key?

    If no information what changed on the schema or the config. Would it
    work? What would be the worse that could happen?

    John


    "ptwilliams" <ptw2001@hotmail.com> wrote in message news:<Ot2rPu4EFHA.208@TK2MSFTNGP12.phx.gbl>...
    > > Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    > > this domain? (sub.root.org)
    >
    > No it does not.
    >
    >
    > > Or will we have to rebuild this domain and re-add it to the forest?
    >
    > Yes, this is exactly what you will have to do. You will also need to
    > cleanup this domain and domain controller by following these KBs:
    > -- http://support.microsoft.com/?id=230306
    > -- http://support.microsoft.com/?id=216498
    >
    >
    > --
    >
    > Paul Williams
    >
    > http://www.msresource.net/
    > http://forums.msresource.net/
    >
    > "John" <homehome16@hotmail.com> wrote in message
    > news:42f3a03a.0502150354.27d52583@posting.google.com...
    > Hi,
    >
    > Problem: One of out DC's (dc.sub.root.org) have not replicated for 60
    > day so therefore has exceeded the tombstone lifetime. This DC is part
    > of a forest. There are no other DC's in that domain.
    >
    > Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    > this domain? (sub.root.org)
    >
    > Or will we have to rebuild this domain and re-add it to the forest?
    >
    > Any advice would be appreciated.
    >
    > This is the log in the Event Log: NTDS Replication Event ID: 2042
    >
    > It has been too long since this machine last replicated with the named
    > source machine. The time between replications with this source has
    > exceeded the tombstone lifetime. Replication has been stopped with
    > this source.
    > The reason that replication is not allowed to continue is that the two
    > machine's views of deleted objects may now be different. The source
    > machine may still have copies of objects that have been deleted (and
    > garbage collected) on this machine. If they were allowed to replicate,
    > the source machine might return objects which have already been
    > deleted.
    > Time of last successful replication:
    > 2004-09-15 00:01:50
    > Invocation ID of source:
    > 03edf844-f834-03ed-c813-2e040c532403
    > Name of source:
    > c38c08ca-48ae-4f30-ac07-2603556726c3._msdcs.tdlg.net
    > Tombstone lifetime (days):
    > 60
    >
    > The replication operation has failed.
    >
    > User Action:
    >
    > Determine which of the two machines was disconnected from the forest
    > and is now out of date. You have three options:
    >
    > 1. Demote or reinstall the machine(s) that were disconnected.
    > 2. Use the "repadmin /removelingeringobjects" tool to remove
    > inconsistent deleted objects and then resume replication.
    > 3. Resume replication. Inconsistent deleted objects may be introduced.
    > You can continue replication by using the following registry key. Once
    > the systems replicate once, it is recommended that you remove the key
    > to reinstate the protection.
    > Registry Key:
    > HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow
    > Replication With Divergent and Corrupt Partner
    >
    > Thanks
    >
    > John
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hmmm...this is one of those "what if" scenarios.

    Realistically, you can remove the lingering objects and will probably be
    fine. Especially if you don't have many DCs. The main issue here, and it's
    going to be worse in larger environments where replication latency is
    greater, is that objects that have been deleted can be brought back. A
    worse case scenario is database inconsistencies, which will result in a
    rebuild of the domain (and possibly forest if we're talking enterprise
    partition issues/ corruption, etc.). Think about what could happen, you
    could have a possible scenario where object DACLs have changed, computer
    objects have different GUID associated with them, user conflicts due to
    objects with the same names being in the same containers (shouldn't be an
    issue), possible duplicate SPNs, etc.

    Zombies ;-)

    How many DCs per domain are we talking and what kind of changes have
    happened in the last two months?


    --

    Paul Williams

    http://www.msresource.net
    http://forums.msresource.net


    "John" <homehome16@hotmail.com> wrote in message
    news:42f3a03a.0502160345.3ad5ad1@posting.google.com...
    Paul, Thanks for you help just one more question:

    What would happen if I either used the repadmin
    /removelingeringobjects command or edited the registry key?

    If no information what changed on the schema or the config. Would it
    work? What would be the worse that could happen?

    John


    "ptwilliams" <ptw2001@hotmail.com> wrote in message
    news:<Ot2rPu4EFHA.208@TK2MSFTNGP12.phx.gbl>...
    > > Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    > > this domain? (sub.root.org)
    >
    > No it does not.
    >
    >
    > > Or will we have to rebuild this domain and re-add it to the forest?
    >
    > Yes, this is exactly what you will have to do. You will also need to
    > cleanup this domain and domain controller by following these KBs:
    > -- http://support.microsoft.com/?id=230306
    > -- http://support.microsoft.com/?id=216498
    >
    >
    > --
    >
    > Paul Williams
    >
    > http://www.msresource.net/
    > http://forums.msresource.net/
    >
    > "John" <homehome16@hotmail.com> wrote in message
    > news:42f3a03a.0502150354.27d52583@posting.google.com...
    > Hi,
    >
    > Problem: One of out DC's (dc.sub.root.org) have not replicated for 60
    > day so therefore has exceeded the tombstone lifetime. This DC is part
    > of a forest. There are no other DC's in that domain.
    >
    > Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    > this domain? (sub.root.org)
    >
    > Or will we have to rebuild this domain and re-add it to the forest?
    >
    > Any advice would be appreciated.
    >
    > This is the log in the Event Log: NTDS Replication Event ID: 2042
    >
    > It has been too long since this machine last replicated with the named
    > source machine. The time between replications with this source has
    > exceeded the tombstone lifetime. Replication has been stopped with
    > this source.
    > The reason that replication is not allowed to continue is that the two
    > machine's views of deleted objects may now be different. The source
    > machine may still have copies of objects that have been deleted (and
    > garbage collected) on this machine. If they were allowed to replicate,
    > the source machine might return objects which have already been
    > deleted.
    > Time of last successful replication:
    > 2004-09-15 00:01:50
    > Invocation ID of source:
    > 03edf844-f834-03ed-c813-2e040c532403
    > Name of source:
    > c38c08ca-48ae-4f30-ac07-2603556726c3._msdcs.tdlg.net
    > Tombstone lifetime (days):
    > 60
    >
    > The replication operation has failed.
    >
    > User Action:
    >
    > Determine which of the two machines was disconnected from the forest
    > and is now out of date. You have three options:
    >
    > 1. Demote or reinstall the machine(s) that were disconnected.
    > 2. Use the "repadmin /removelingeringobjects" tool to remove
    > inconsistent deleted objects and then resume replication.
    > 3. Resume replication. Inconsistent deleted objects may be introduced.
    > You can continue replication by using the following registry key. Once
    > the systems replicate once, it is recommended that you remove the key
    > to reinstate the protection.
    > Registry Key:
    > HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow
    > Replication With Divergent and Corrupt Partner
    >
    > Thanks
    >
    > John
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    We have two DC's in the top level domain (Domain A). These have not
    been touch since they were install. Below this level we have two
    domains. One of the domains has teow DC's (Domain B). and the other
    which is the problem domain has one DC (Domain c). In total there are
    only 5 DC in the forest.

    We also have some old legacy that have two way trusts with Domain B.
    These are all windows 2000 domains

    I started here about 3 months ago and I don't think that any big
    changes have been made. Just to note the problem domain was the last
    domain added to the forest.

    The only changes that have been made are new users/deleted users. New
    shares, printers, etc. however I thought that this information was
    stored in the "Domain Partition", and I didn't think that this
    information was replicated across to other domains.

    We have also added a few more server's and computer's to Domain B.
    Most of the servers have been either termainl servers or files
    servers. We haven't added any new DC's or exchange servers, we may
    have added some SQL servers.

    Thanks John


    "ptwilliams" <ptw2001@hotmail.com> wrote in message news:<uLbXXlGFFHA.4004@tk2msftngp13.phx.gbl>...
    > Hmmm...this is one of those "what if" scenarios.
    >
    > Realistically, you can remove the lingering objects and will probably be
    > fine. Especially if you don't have many DCs. The main issue here, and it's
    > going to be worse in larger environments where replication latency is
    > greater, is that objects that have been deleted can be brought back. A
    > worse case scenario is database inconsistencies, which will result in a
    > rebuild of the domain (and possibly forest if we're talking enterprise
    > partition issues/ corruption, etc.). Think about what could happen, you
    > could have a possible scenario where object DACLs have changed, computer
    > objects have different GUID associated with them, user conflicts due to
    > objects with the same names being in the same containers (shouldn't be an
    > issue), possible duplicate SPNs, etc.
    >
    > Zombies ;-)
    >
    > How many DCs per domain are we talking and what kind of changes have
    > happened in the last two months?
    >
    >
    > --
    >
    > Paul Williams
    >
    > http://www.msresource.net
    > http://forums.msresource.net
    >
    >
    > "John" <homehome16@hotmail.com> wrote in message
    > news:42f3a03a.0502160345.3ad5ad1@posting.google.com...
    > Paul, Thanks for you help just one more question:
    >
    > What would happen if I either used the repadmin
    > /removelingeringobjects command or edited the registry key?
    >
    > If no information what changed on the schema or the config. Would it
    > work? What would be the worse that could happen?
    >
    > John
    >
    >
    >
    >
    > "ptwilliams" <ptw2001@hotmail.com> wrote in message
    > news:<Ot2rPu4EFHA.208@TK2MSFTNGP12.phx.gbl>...
    > > > Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    > > > this domain? (sub.root.org)
    > >
    > > No it does not.
    > >
    > >
    > > > Or will we have to rebuild this domain and re-add it to the forest?
    > >
    > > Yes, this is exactly what you will have to do. You will also need to
    > > cleanup this domain and domain controller by following these KBs:
    > > -- http://support.microsoft.com/?id=230306
    > > -- http://support.microsoft.com/?id=216498
    > >
    > >
    > > --
    > >
    > > Paul Williams
    > >
    > > http://www.msresource.net/
    > > http://forums.msresource.net/
    > >
    > > "John" <homehome16@hotmail.com> wrote in message
    > > news:42f3a03a.0502150354.27d52583@posting.google.com...
    > > Hi,
    > >
    > > Problem: One of out DC's (dc.sub.root.org) have not replicated for 60
    > > day so therefore has exceeded the tombstone lifetime. This DC is part
    > > of a forest. There are no other DC's in that domain.
    > >
    > > Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    > > this domain? (sub.root.org)
    > >
    > > Or will we have to rebuild this domain and re-add it to the forest?
    > >
    > > Any advice would be appreciated.
    > >
    > > This is the log in the Event Log: NTDS Replication Event ID: 2042
    > >
    > > It has been too long since this machine last replicated with the named
    > > source machine. The time between replications with this source has
    > > exceeded the tombstone lifetime. Replication has been stopped with
    > > this source.
    > > The reason that replication is not allowed to continue is that the two
    > > machine's views of deleted objects may now be different. The source
    > > machine may still have copies of objects that have been deleted (and
    > > garbage collected) on this machine. If they were allowed to replicate,
    > > the source machine might return objects which have already been
    > > deleted.
    > > Time of last successful replication:
    > > 2004-09-15 00:01:50
    > > Invocation ID of source:
    > > 03edf844-f834-03ed-c813-2e040c532403
    > > Name of source:
    > > c38c08ca-48ae-4f30-ac07-2603556726c3._msdcs.tdlg.net
    > > Tombstone lifetime (days):
    > > 60
    > >
    > > The replication operation has failed.
    > >
    > > User Action:
    > >
    > > Determine which of the two machines was disconnected from the forest
    > > and is now out of date. You have three options:
    > >
    > > 1. Demote or reinstall the machine(s) that were disconnected.
    > > 2. Use the "repadmin /removelingeringobjects" tool to remove
    > > inconsistent deleted objects and then resume replication.
    > > 3. Resume replication. Inconsistent deleted objects may be introduced.
    > > You can continue replication by using the following registry key. Once
    > > the systems replicate once, it is recommended that you remove the key
    > > to reinstate the protection.
    > > Registry Key:
    > > HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow
    > > Replication With Divergent and Corrupt Partner
    > >
    > > Thanks
    > >
    > > John
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    We have two DC's in the top level domain (Domain A). These have not
    been touch since they were install. Below this level we have two
    domains. One of the domains has teow DC's (Domain B). and the other
    which is the problem domain has one DC (Domain c). In total there are
    only 5 DC in the forest.

    We also have some old legacy that have two way trusts with Domain B.
    These are all windows 2000 domains

    I started here about 3 months ago and I don't think that any big
    changes have been made. Just to note the problem domain was the last
    domain added to the forest.

    The only changes that have been made are new users/deleted users. New
    shares, printers, etc. however I thought that this information was
    stored in the "Domain Partition", and I didn't think that this
    information was replicated across to other domains.

    We have also added a few more server's and computer's to Domain B.
    Most of the servers have been either termainl servers or files
    servers. We haven't added any new DC's or exchange servers, we may
    have added some SQL servers.

    Thanks John


    "ptwilliams" <ptw2001@hotmail.com> wrote in message news:<uLbXXlGFFHA.4004@tk2msftngp13.phx.gbl>...
    > Hmmm...this is one of those "what if" scenarios.
    >
    > Realistically, you can remove the lingering objects and will probably be
    > fine. Especially if you don't have many DCs. The main issue here, and it's
    > going to be worse in larger environments where replication latency is
    > greater, is that objects that have been deleted can be brought back. A
    > worse case scenario is database inconsistencies, which will result in a
    > rebuild of the domain (and possibly forest if we're talking enterprise
    > partition issues/ corruption, etc.). Think about what could happen, you
    > could have a possible scenario where object DACLs have changed, computer
    > objects have different GUID associated with them, user conflicts due to
    > objects with the same names being in the same containers (shouldn't be an
    > issue), possible duplicate SPNs, etc.
    >
    > Zombies ;-)
    >
    > How many DCs per domain are we talking and what kind of changes have
    > happened in the last two months?
    >
    >
    > --
    >
    > Paul Williams
    >
    > http://www.msresource.net
    > http://forums.msresource.net
    >
    >
    > "John" <homehome16@hotmail.com> wrote in message
    > news:42f3a03a.0502160345.3ad5ad1@posting.google.com...
    > Paul, Thanks for you help just one more question:
    >
    > What would happen if I either used the repadmin
    > /removelingeringobjects command or edited the registry key?
    >
    > If no information what changed on the schema or the config. Would it
    > work? What would be the worse that could happen?
    >
    > John
    >
    >
    >
    >
    > "ptwilliams" <ptw2001@hotmail.com> wrote in message
    > news:<Ot2rPu4EFHA.208@TK2MSFTNGP12.phx.gbl>...
    > > > Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    > > > this domain? (sub.root.org)
    > >
    > > No it does not.
    > >
    > >
    > > > Or will we have to rebuild this domain and re-add it to the forest?
    > >
    > > Yes, this is exactly what you will have to do. You will also need to
    > > cleanup this domain and domain controller by following these KBs:
    > > -- http://support.microsoft.com/?id=230306
    > > -- http://support.microsoft.com/?id=216498
    > >
    > >
    > > --
    > >
    > > Paul Williams
    > >
    > > http://www.msresource.net/
    > > http://forums.msresource.net/
    > >
    > > "John" <homehome16@hotmail.com> wrote in message
    > > news:42f3a03a.0502150354.27d52583@posting.google.com...
    > > Hi,
    > >
    > > Problem: One of out DC's (dc.sub.root.org) have not replicated for 60
    > > day so therefore has exceeded the tombstone lifetime. This DC is part
    > > of a forest. There are no other DC's in that domain.
    > >
    > > Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    > > this domain? (sub.root.org)
    > >
    > > Or will we have to rebuild this domain and re-add it to the forest?
    > >
    > > Any advice would be appreciated.
    > >
    > > This is the log in the Event Log: NTDS Replication Event ID: 2042
    > >
    > > It has been too long since this machine last replicated with the named
    > > source machine. The time between replications with this source has
    > > exceeded the tombstone lifetime. Replication has been stopped with
    > > this source.
    > > The reason that replication is not allowed to continue is that the two
    > > machine's views of deleted objects may now be different. The source
    > > machine may still have copies of objects that have been deleted (and
    > > garbage collected) on this machine. If they were allowed to replicate,
    > > the source machine might return objects which have already been
    > > deleted.
    > > Time of last successful replication:
    > > 2004-09-15 00:01:50
    > > Invocation ID of source:
    > > 03edf844-f834-03ed-c813-2e040c532403
    > > Name of source:
    > > c38c08ca-48ae-4f30-ac07-2603556726c3._msdcs.tdlg.net
    > > Tombstone lifetime (days):
    > > 60
    > >
    > > The replication operation has failed.
    > >
    > > User Action:
    > >
    > > Determine which of the two machines was disconnected from the forest
    > > and is now out of date. You have three options:
    > >
    > > 1. Demote or reinstall the machine(s) that were disconnected.
    > > 2. Use the "repadmin /removelingeringobjects" tool to remove
    > > inconsistent deleted objects and then resume replication.
    > > 3. Resume replication. Inconsistent deleted objects may be introduced.
    > > You can continue replication by using the following registry key. Once
    > > the systems replicate once, it is recommended that you remove the key
    > > to reinstate the protection.
    > > Registry Key:
    > > HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow
    > > Replication With Divergent and Corrupt Partner
    > >
    > > Thanks
    > >
    > > John
  6. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Then I'll say you'll be fine. Yes, most things are in the domain partition,
    but the GC pulls a subset of attributes from all domain partitions in the
    forest.

    Adding servers and the like are domain-specific, so should not affect this.

    I'd go for it!

    Let us know...


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

    "John" <homehome16@hotmail.com> wrote in message
    news:42f3a03a.0502170332.8591f32@posting.google.com...
    We have two DC's in the top level domain (Domain A). These have not
    been touch since they were install. Below this level we have two
    domains. One of the domains has teow DC's (Domain B). and the other
    which is the problem domain has one DC (Domain c). In total there are
    only 5 DC in the forest.

    We also have some old legacy that have two way trusts with Domain B.
    These are all windows 2000 domains

    I started here about 3 months ago and I don't think that any big
    changes have been made. Just to note the problem domain was the last
    domain added to the forest.

    The only changes that have been made are new users/deleted users. New
    shares, printers, etc. however I thought that this information was
    stored in the "Domain Partition", and I didn't think that this
    information was replicated across to other domains.

    We have also added a few more server's and computer's to Domain B.
    Most of the servers have been either termainl servers or files
    servers. We haven't added any new DC's or exchange servers, we may
    have added some SQL servers.

    Thanks John


    "ptwilliams" <ptw2001@hotmail.com> wrote in message
    news:<uLbXXlGFFHA.4004@tk2msftngp13.phx.gbl>...
    > Hmmm...this is one of those "what if" scenarios.
    >
    > Realistically, you can remove the lingering objects and will probably be
    > fine. Especially if you don't have many DCs. The main issue here, and
    > it's
    > going to be worse in larger environments where replication latency is
    > greater, is that objects that have been deleted can be brought back. A
    > worse case scenario is database inconsistencies, which will result in a
    > rebuild of the domain (and possibly forest if we're talking enterprise
    > partition issues/ corruption, etc.). Think about what could happen, you
    > could have a possible scenario where object DACLs have changed, computer
    > objects have different GUID associated with them, user conflicts due to
    > objects with the same names being in the same containers (shouldn't be an
    > issue), possible duplicate SPNs, etc.
    >
    > Zombies ;-)
    >
    > How many DCs per domain are we talking and what kind of changes have
    > happened in the last two months?
    >
    >
    > --
    >
    > Paul Williams
    >
    > http://www.msresource.net
    > http://forums.msresource.net
    >
    >
    > "John" <homehome16@hotmail.com> wrote in message
    > news:42f3a03a.0502160345.3ad5ad1@posting.google.com...
    > Paul, Thanks for you help just one more question:
    >
    > What would happen if I either used the repadmin
    > /removelingeringobjects command or edited the registry key?
    >
    > If no information what changed on the schema or the config. Would it
    > work? What would be the worse that could happen?
    >
    > John
    >
    >
    >
    >
    > "ptwilliams" <ptw2001@hotmail.com> wrote in message
    > news:<Ot2rPu4EFHA.208@TK2MSFTNGP12.phx.gbl>...
    > > > Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    > > > this domain? (sub.root.org)
    > >
    > > No it does not.
    > >
    > >
    > > > Or will we have to rebuild this domain and re-add it to the forest?
    > >
    > > Yes, this is exactly what you will have to do. You will also need to
    > > cleanup this domain and domain controller by following these KBs:
    > > -- http://support.microsoft.com/?id=230306
    > > -- http://support.microsoft.com/?id=216498
    > >
    > >
    > > --
    > >
    > > Paul Williams
    > >
    > > http://www.msresource.net/
    > > http://forums.msresource.net/
    > >
    > > "John" <homehome16@hotmail.com> wrote in message
    > > news:42f3a03a.0502150354.27d52583@posting.google.com...
    > > Hi,
    > >
    > > Problem: One of out DC's (dc.sub.root.org) have not replicated for 60
    > > day so therefore has exceeded the tombstone lifetime. This DC is part
    > > of a forest. There are no other DC's in that domain.
    > >
    > > Does the root DC (dc.root.org) of the forest keep a copy of the AD for
    > > this domain? (sub.root.org)
    > >
    > > Or will we have to rebuild this domain and re-add it to the forest?
    > >
    > > Any advice would be appreciated.
    > >
    > > This is the log in the Event Log: NTDS Replication Event ID: 2042
    > >
    > > It has been too long since this machine last replicated with the named
    > > source machine. The time between replications with this source has
    > > exceeded the tombstone lifetime. Replication has been stopped with
    > > this source.
    > > The reason that replication is not allowed to continue is that the two
    > > machine's views of deleted objects may now be different. The source
    > > machine may still have copies of objects that have been deleted (and
    > > garbage collected) on this machine. If they were allowed to replicate,
    > > the source machine might return objects which have already been
    > > deleted.
    > > Time of last successful replication:
    > > 2004-09-15 00:01:50
    > > Invocation ID of source:
    > > 03edf844-f834-03ed-c813-2e040c532403
    > > Name of source:
    > > c38c08ca-48ae-4f30-ac07-2603556726c3._msdcs.tdlg.net
    > > Tombstone lifetime (days):
    > > 60
    > >
    > > The replication operation has failed.
    > >
    > > User Action:
    > >
    > > Determine which of the two machines was disconnected from the forest
    > > and is now out of date. You have three options:
    > >
    > > 1. Demote or reinstall the machine(s) that were disconnected.
    > > 2. Use the "repadmin /removelingeringobjects" tool to remove
    > > inconsistent deleted objects and then resume replication.
    > > 3. Resume replication. Inconsistent deleted objects may be introduced.
    > > You can continue replication by using the following registry key. Once
    > > the systems replicate once, it is recommended that you remove the key
    > > to reinstate the protection.
    > > Registry Key:
    > > HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow
    > > Replication With Divergent and Corrupt Partner
    > >
    > > Thanks
    > >
    > > John
Ask a new question

Read More

Domain Rebuild Active Directory Windows