Microsoft KB Archive/870695

= Outdated Active Directory objects generate event ID 1988 in Windows Server 2003 =

Article ID: 870695

Article Last Modified on 2/6/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)


SYMPTOMS
On your Microsoft Windows Server 2003-based domain controller, the following Error event is logged in the Directory Service event log:

Type: Error

Source: NTDS Replication

Category: Replication

Event ID: 1988

User: NT AUTHORITY\ANONYMOUS LOGON

Computer:

Description:

The local domain controller has attempted to replicate the following object from the following source domain controller. This object is not present on the local domain controller because it may have been deleted and already garbage collected.

Source domain controller:

Object:

Object GUID:

Replication will not continue with the source domain controller until the situation has been resolved.



CAUSE
This issue occurs if the source domain controller has outdated objects that have been out of replication for more than one tombstone lifetime. The source domain controller is identified in the event message. These outdated objects are referred to as lingering objects. A domain controller that was offline for longer than the value of the tombstone lifetime setting may contain objects that have been deleted on other domain controllers or global catalog servers. The default tombstone lifetime value is 60 days. Additionally, tombstones for these objects may no longer exist. When you bring the outdated domain controller back online, it cannot be notified of the object deletions.



RESOLUTION
To resolve this issue, you can use the Repadmin tool to remove lingering objects from a directory partition. The repadmin /removelingeringobjects command does the following:
 * 1) Designates an up-to-date domain controller as the authority. This domain controller acts as the authoritative directory replica.
 * 2) Compares the Active Directory directory service database objects on the authoritative server with the objects that are on the source replication partner that contains the lingering objects.
 * 3) Either removes the lingering objects or logs the potential deletions to the Directory Services event log. The behavior depends on whether you use the /advisory_mode parameter.

To use the repadmin /removelingeringobjects command, follow these steps.

Note To use the repadmin /removelingeringobjects command, both the source domain controller and the destination domain controllers must be running Windows Server 2003.

 * 1) Install the Repadmin tool. The Repadmin tool is included with the Windows Server 2003 Support Tools that are included with the Windows Server 2003 CD-ROM. To install the support tools, double-click Suptools.msi in the :\Support\Tools folder.
 * 2) At the command prompt, type repadmin /removelingeringobjects    /advisory_mode, and then press ENTER.

Note The /advisory_mode parameter is optional. You can use this parameter to make sure that the lingering object that is reported in event ID 1988 exists in the Active Directory database on the server that you suspect has the lingering objects. When you use this parameter, the lingering objects are not removed. Instead, the /advisory_mode parameter lets you view the results of the command before you take action to remove any objects from the folder. We recommend that you always use the /advisory_mode parameter before you use Repadmin to delete the lingering objects.

 *  is the Domain Name System (DNS) name or IP address of the domain controller that has lingering objects. In event ID 1988, this value is the server that is identified in the source domain controller field.

Note You can use the dc_list parameter if you want to specify multiple destination domain controllers that have lingering objects. Because lingering object removal is not replicated to other domain controllers, you must run the repadmin /removelingeringobjects command against all destination domain controllers and global catalog servers that have lingering objects. For more information about the dc_list parameter, type repadmin /listhelp at the command prompt, and then press ENTER.

 *  is the object GUID of the source domain controller that you are using as the authoritative server. To obtain the object GUID of the source domain controller, use one of the following methods.

Method one
At a command prompt, type repadmin /showrepl /v, and then press ENTER. The object GUID of the domain controller is listed in the DC object GUID field.

Method two
Use the Active Directory Sites and Services tool to locate the object GUID of the source domain controller. To do this, follow these steps:
 * 1) Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
 * 2) Expand Sites, expand the site where your authoritative domain controller is located, expand Servers, and then expand the domain controller.
 * 3) Right-click NTDS Settings, and then click Properties.
 * 4) View the value in the DNS Alias box. The GUID that appears in front of '''_msdcs. .com''' is the object GUID of the domain controller. The Repadmin tool only requires the GUID. Do not include the '''_msdcs. .com''' component in the Repadmin syntax.

 *  is the distinguished name (DN) of the directory partition that contains the lingering objects. This is part of the  in the event message.

Repeat the procedure for the following partitions, as needed:
 * Domain directory partition (dc= )
 * Configuration directory partition (cn=Configuration,dc= )
 * Application directory partition or partitions (cn= ,dc= ) (cn= ,dc= )
 * Schema directory partition (cn=Schema, cn=Configuration,dc=,dc= )
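The three command arguments described above can be assembled from a saved event ID 1988 description. This is an added example, not Microsoft's code: the function names, the sample event values and the operator-supplied partition list are assumptions, and the script only builds the advisory-mode command line without running it.

```python
import re
import uuid

# Constructed event ID 1988 description: labels as in the article, values invented.
SAMPLE_1988 = """\
Source domain controller:
dc02.example.com
Object:
CN=Old User,OU=Sales,DC=example,DC=com
Object GUID:
7d1e4b2a-0c3f-4a5b-8e9d-6f7a8b9c0d1e
"""
# Assumed input: the forest's directory partitions, supplied by the operator.
PARTITIONS = [
    "DC=example,DC=com",
    "CN=Configuration,DC=example,DC=com",
    "CN=Schema,CN=Configuration,DC=example,DC=com",
    "DC=DomainDnsZones,DC=example,DC=com",
]
FIELDS = ("Source domain controller", "Object", "Object GUID")

def parse_1988(text):
    """Read the labelled fields; a value may share the label's line or follow it."""
    found = {}
    for name in FIELDS:
        m = re.search(rf"^{re.escape(name)}:[ \t\r]*\n?[ \t]*(\S.*)$", text, re.M)
        value = m.group(1).strip() if m else ""
        if not value or value.rstrip(":") in FIELDS:
            raise ValueError(f"event field missing or empty: {name}")
        found[name] = value
    return found

def _norm(dn):
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def partition_for(object_dn, partitions):
    """Longest partition DN that is a whole-component suffix of the object DN."""
    dn = _norm(object_dn)
    hits = [p for p in partitions if dn == _norm(p) or dn.endswith("," + _norm(p))]
    if not hits:
        raise ValueError("object DN is not under any supplied partition")
    return max(hits, key=lambda p: len(_norm(p)))

def advisory_command(event_text, authority, partitions):
    """Build the advisory-mode command line; nothing is executed or removed."""
    event = parse_1988(event_text)
    guid = authority.split("._msdcs.", 1)[0]  # the DNS alias carries a suffix
    uuid.UUID(guid)  # raises ValueError when this is not a GUID
    partition = partition_for(event["Object"], partitions)
    target = event["Source domain controller"]
    return f"repadmin /removelingeringobjects {target} {guid} {partition} /advisory_mode"
```

Passing the value of the DNS Alias box as `authority` works because everything from `._msdcs.` onward is dropped before the GUID is validated.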

MORE INFORMATION

Example of the command syntax
The following is an example of the repadmin /removelingeringobjects command syntax for the fictional Example.com domain:

C:\>repadmin /removelingeringobjects .example.com A0AE6093-15F5-4DB8-836B-4495E3A15396 dc=example,dc=com /advisory_mode

If the command runs successfully, you receive the following message:

RemoveLingeringObjects successful on. .com

Note To access the Repadmin tool advanced help, you can use the /experthelp parameter.

Events that are associated with lingering object removal
When you remove the lingering objects, the domain controller with the lingering objects records all removal information. This information includes the source domain controller, the objects that are removed, and a total count of all the objects that are removed. During lingering object removal, the following events are logged to the Directory Service log:

Event ID: 1937

Event source: NTDS

Category: Replication

Description:

Lingering Object Removal has been initiated on this domain controller (DC). All objects on this DC will have their existence verified on the following source DC. Objects that have been deleted and garbage collected from the source DC will be DELETED from this DC if they still exist. Subsequent event logs will list all deleted objects.

Source DC: ._msdcs.

Event ID: 1945

Source: NTDS Replication

Category: Replication

Description:

Lingering Object Removal will DELETE the following object. Its deletion and garbage collection was detected on the source domain controller (DC) without replicating the deletion to this DC.

Object: DC=

Object GUID:

Source DC: ._msdcs.

Event ID: 1939

Source: NTDS Replication

Category: Replication

Description:

Lingering Object Removal has executed successfully on this domain controller (DC). All objects on this DC have had their existence verified on the source DC. Objects that had been deleted and garbage collected from the source DC were DELETED from this DC. Previous event logs list all such objects.

Source DC: ._msdcs.

Lingering Objects Deleted 23
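After a removal run, the count in event 1939 can be checked against the objects listed in the event 1945 entries that precede it. The following is an added example, not part of the original article: it assumes the Directory Service log was exported to text with one "Event ID:" line per event, and the sample log and function names are constructed for illustration.

```python
import re

# Constructed Directory Service log export: field layout as in the article,
# every value invented. The second removal run has no closing event 1939.
SAMPLE_LOG = """\
Event ID: 1937
Source DC: 11111111-2222-3333-4444-555555555555._msdcs.example.com
Event ID: 1945
Object: CN=Old User,OU=Sales,DC=example,DC=com
Object GUID: 7d1e4b2a-0c3f-4a5b-8e9d-6f7a8b9c0d1e
Event ID: 1945
Object: CN=OLDPC01,CN=Computers,DC=example,DC=com
Object GUID: 0b9c8d7e-6f5a-4b3c-9d2e-1f0a9b8c7d6e
Event ID: 1939
Lingering Objects Deleted 2
Event ID: 1937
Source DC: 11111111-2222-3333-4444-555555555555._msdcs.example.com
Event ID: 1945
Object: CN=Temp,CN=Users,DC=example,DC=com
Object GUID: 5a4b3c2d-1e0f-4a9b-8c7d-6e5f4a3b2c1d
"""

def split_events(text):
    """Split the export into (event_id, body) pairs at each 'Event ID:' line."""
    parts = re.split(r"^Event ID:[ \t]*(\d+)[ \t]*\r?$", text, flags=re.M)
    return [(int(parts[i]), parts[i + 1]) for i in range(1, len(parts), 2)]

def reconcile(text):
    """Group events into removal runs (1937 ... 1939) and check each total."""
    runs, run = [], None
    for event_id, body in split_events(text):
        if event_id == 1937:  # removal initiated: open a new run
            run = {"guids": [], "reported": None, "finished": False}
            runs.append(run)
        elif run is not None and event_id == 1945:  # one object deleted
            m = re.search(r"^Object GUID:[ \t]*(\S+)", body, re.M)
            run["guids"].append(m.group(1) if m else None)
        elif run is not None and event_id == 1939:  # removal completed
            m = re.search(r"Lingering Objects Deleted:?[ \t]*(\d+)", body)
            run["reported"] = int(m.group(1)) if m else None
            run["finished"] = True
            run = None
    for r in runs:
        r["consistent"] = r["finished"] and r["reported"] == len(r["guids"])
    return runs
```

A run that is not marked consistent either never logged event 1939 or reports a total that differs from the number of event 1945 entries captured in the export.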

For more information about lingering object removal in Windows Server 2003, see the "Lingering Object Removal" topic on the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/1465D773-B763-45EC-B971-C23CDC27400E1033.mspx


© Microsoft Corporation. All rights reserved.