Removing Lingering Object from AD: The Layadmin’s Version

On Friday afternoon, a schema update was performed in our lab. On Monday, DC replication was halting on a majority of the DCs. I was able to detect this instantly because I monitor the health of the DCs using PowerShell. DCDIAG on the affected servers would report the following message:

The replication generated an error (8606): Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

The Directory Service log (Event Viewer – Applications and Services Logs – Directory Service) will also contain replication events (Event ID 1988) that report the following message:

Active Directory Domain Services Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory Domain Services database. Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed. Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as “lingering objects”.

Source domain controller:
4e3cbe55-be33-4614-b426-27229590f4d4._msdcs.DOMAIN.NAME
Object:
DC=NAMEOFLINGERINGOBJECT,CN=CONTAINER,DC=DOMAIN,DC=NAME
Object GUID:
a4acc201-5e87-4530-b4d0-f218b16dc0f6

This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory Domain Services database. This replication attempt has been blocked.

The best solution to this problem is to identify and remove all lingering objects in the forest.

It’s obvious from this detailed message that the error is thrown because of lingering objects in AD. The method to remove these oddities seemed straightforward; however, getting the correct arguments in the right order took several attempts to perfect.

The syntax of the removal command is:

Repadmin /removelingeringobjects ServerWithLingeringObjects CleanServerGUID NamespaceContainingLingeringObject

The confusing aspect of this command becomes apparent while determining the ServerWithLingeringObjects and the CleanServerGUID. The 1988 event contains the GUID of the ServerWithLingeringObjects as a fully pingable DNS alias. Pinging the “source domain controller” gives you the name of the ServerWithLingeringObjects.

The server that throws the error is actually the clean server (CleanServerGUID). The GUID of this server can be located in DNS. Expand Forward Lookup Zones and click the _msdcs.DOMAIN.NAME zone. In this zone there are CNAME records that associate every DC in the domain with its GUID. Copy the GUID of the server that threw the error.

The NamespaceContainingLingeringObject can be copied from the 1988 event as well. The Object: line in the event lists the LDAP-formatted location of the lingering object. The object’s root location is the NamespaceContainingLingeringObject. For example, if your object is:

DC=ObjectGUID,CN=LostAndFound,DC=Test,DC=Com

Then your NamespaceContainingLingeringObject is:

DC=Test,DC=Com

The final command will look like:

Repadmin /removelingeringobjects DC01 a4acc201-5e87-4530-b4d0-f218b16dc0f6 DC=Test,DC=Com
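The steps above (pull the three fields out of the 1988 event, resolve the source DC alias, look up the clean server's GUID, trim the object DN down to its partition) can be scripted so the command is assembled the same way every time. The following is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module and Resolve-DnsName are available and that it runs on the DC that logged the 1988 event (the clean server); the event text it parses is constructed from the format quoted above, with test.com standing in for the real forest. It goes slightly beyond the post's example by also handling objects under the Configuration and Schema partitions, whose namespace is not the bare domain DN.

```powershell
# Added example: build the repadmin /removelingeringobjects command from a 1988 event.
# Assumptions: RSAT ActiveDirectory module, Resolve-DnsName, and running on the clean DC.
# The event text below is CONSTRUCTED from the format quoted in the post (test.com is a placeholder).
$SampleEventMessage = @"
Active Directory Domain Services Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory Domain Services database.

Source domain controller:
4e3cbe55-be33-4614-b426-27229590f4d4._msdcs.test.com
Object:
DC=a4acc201-5e87-4530-b4d0-f218b16dc0f6,CN=LostAndFound,DC=Test,DC=Com
Object GUID:
a4acc201-5e87-4530-b4d0-f218b16dc0f6 This event is being logged because the source DC contains a lingering object.
"@

function ConvertFrom-LingeringObjectEvent {
    # Extract the three fields the repadmin command is built from out of the 1988 message text.
    param([Parameter(Mandatory)][string]$Message)
    $fields = @{}
    foreach ($name in 'Source domain controller', 'Object', 'Object GUID') {
        # "^Object:" does not match "Object GUID:" because the colon must follow immediately.
        $m = [regex]::Match($Message, "(?m)^$([regex]::Escape($name)):\s*(\S+)")
        if (-not $m.Success) { throw "Field '$name' not found in event message" }
        $fields[$name] = $m.Groups[1].Value
    }
    [pscustomobject]@{
        SourceDsaAlias = $fields['Source domain controller']   # GUID._msdcs.<forest> CNAME
        ObjectDN       = $fields['Object']
        ObjectGuid     = $fields['Object GUID']
    }
}

function Get-NamingContextFromDN {
    # The namespace argument is the partition holding the object: the trailing run of DC=
    # components (DC=x,CN=LostAndFound,DC=Test,DC=Com -> DC=Test,DC=Com), plus CN=Configuration
    # and CN=Schema when the object lives there. Assumes no escaped commas inside RDN values.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rdns = ($DistinguishedName -split ',') | ForEach-Object { $_.Trim() }
    $i = $rdns.Count - 1
    while ($i -ge 0 -and $rdns[$i] -like 'DC=*') { $i-- }
    if ($i -eq $rdns.Count - 1) { throw "No trailing DC= components in '$DistinguishedName'" }
    if ($i -ge 0 -and $rdns[$i] -eq 'CN=Configuration') {
        $i--
        if ($i -ge 0 -and $rdns[$i] -eq 'CN=Schema') { $i-- }
    }
    $rdns[($i + 1)..($rdns.Count - 1)] -join ','
}

function Resolve-SourceDsaHost {
    # The "Source domain controller" is a GUID._msdcs CNAME; the post pings it to learn the
    # host name. Resolve-DnsName performs the same lookup without sending ICMP.
    param([Parameter(Mandatory)][string]$DsaAlias)
    $rec = Resolve-DnsName -Name $DsaAlias -Type CNAME -ErrorAction Stop |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $rec) { throw "No CNAME record found for $DsaAlias" }
    $rec.NameHost
}

function Get-DsaGuid {
    # The clean-server GUID repadmin expects is the one in the DC's _msdcs CNAME, which is the
    # objectGUID of its NTDS Settings object (not the Object GUID reported in the event).
    param([string]$DomainController = $env:COMPUTERNAME)
    $dc = Get-ADDomainController -Identity $DomainController
    (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID.ToString()
}

function New-RemoveLingeringObjectsArguments {
    # Returns the argument list for repadmin in the order the post describes:
    # ServerWithLingeringObjects, CleanServerGUID, NamespaceContainingLingeringObject.
    param(
        [Parameter(Mandatory)][string]$Message,
        [string]$CleanServer = $env:COMPUTERNAME,
        [switch]$AdvisoryMode
    )
    $e = ConvertFrom-LingeringObjectEvent -Message $Message
    $argList = @(
        '/removelingeringobjects',
        (Resolve-SourceDsaHost -DsaAlias $e.SourceDsaAlias),
        (Get-DsaGuid -DomainController $CleanServer),
        (Get-NamingContextFromDN -DistinguishedName $e.ObjectDN)
    )
    if ($AdvisoryMode) { $argList += '/advisory_mode' }
    $argList
}

# Usage: build the advisory-mode command first and review it; /advisory_mode only reports
# what would be removed, so the real run is the same command without that switch.
$repadminArgs = New-RemoveLingeringObjectsArguments -Message $SampleEventMessage -AdvisoryMode
"repadmin $($repadminArgs -join ' ')"
# & repadmin @repadminArgs   # run after the advisory output has been checked
```

Get-NamingContextFromDN is the piece worth checking by hand: for the post's example DN it returns DC=Test,DC=Com, while an object under CN=Sites,CN=Configuration,DC=Test,DC=Com would correctly yield CN=Configuration,DC=Test,DC=Com rather than the domain partition.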

Hopefully this helps you understand this simple command better than the MS KB article does.
