Active Directory

How to prevent lingering objects replication in active directory

How to prevent lingering objects replication in active directory

I recently enabled strict replication consistency on my domain controllers in order to follow best practices, where this is not enabled there can be a risk that lingering objects could be replicated to a domain controller. This can occur  when a domain controller in your Active Directory environment is disconnected from the replication topology for an extended period of time, this can cause problems when these lingering objects on the source domain controller are updated and these updates are sent by replication to the destination domain controllers.

Strict Replication:

Once the lingering objects have been removed we  can enable strict replication on each domain controller or for all domain controllers in the forest.
Strict replication is by-default enabled on DC above server 2003. Forest that are upgraded from windows server 2000 to windows server 2003 does not have strict replication consistency enabled for that we need to manually enable.

The setting for replication consistency is stored in the registry in the Strict Replication Consistency entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

Values for this entry are as follows:

  • Value: 1 (0 to disable)
  • Default: 1 (enabled) in a new Windows Server 2003 forest; otherwise 0.
  • Data type: REG_DWOR

On domain controllers running Windows Server 2003 with Service Pack 1 (SP1), you do not have to edit the registry directly to enable strict replication consistency. It is best to avoid editing the registry directly if possible. You can use a Repadmin command that enables strict replication consistency on one or all domain controllers in the forest. This command is available only in the version of Repadmin that is included with Windows Support Tools in Windows Server 2003 SP1. This command can be applied only on domain controllers running Windows Server 2003 with SP1.

Administrative credentials

  • To complete this procedure on a single domain controller, you must be a member of the Domain Admins group in the domain.
  • To complete this procedure on all domain controllers, you must be a member of the Enterprise Admins group in the forest.

Better yet, using RepAdmin just update all DC’s from a command prompt (You need to elevate if on Vista/2008 or greater) in your forest.  I pipe the output and save the text file for documentation.

repadmin /regkey * +strict > c:\temp\dcListStrict.log

This will ensure that all your DC’s are protected from any partners that are unhealthy and hopefully save you some real headscratching problems that can occur with Lingering objects.  In the example below you can see that only one of the three DC’s needed to be updated.  You will also notice that rerunning this does not have an adverse effect.

The output of the above command would look like:

Repadmin: running command /regkey against read-only DC DC01.acme.com
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)

Repadmin: running command /regkey against full DC DC02.acme.com
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)

Repadmin: running command /regkey against full DC DC03.acme.com
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” value does not exist
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)

Also check this

How to check replication partner for a specific Domain Controller.

So, that’s all in this blog. I will meet you soon with next stuff .Have a nice day !!!

Recommended content

Guys please don’t forget to like and share the post.Also join our WindowsTechno Community and where you can post your queries/doubts and our experts will address them .

You can also share the feedback on below windows techno email id.

If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.

How useful was this post?

Click on a star to rate it!

As you found this post useful...

Follow us on social media!

Was this article helpful?
YesNo

Vipan Kumar

He is an Active Directory Engineer. He has been working in IT industry for more than 10 years. He is dedicated and enthusiastic information technology expert who always ready to resolve any technical problem. If you guys need any further help on subject matters, feel free to contact us on admin@windowstechno.com Please subscribe our Facebook page as well website for latest article. https://www.facebook.com/windowstechno

Leave a Reply

Check Also
Close
Back to top button