Active Directory

What is Strict Replication Consistency

Strict Replication Consistency is a registry value that prevents destination domain controllers (DCs) from replicating in lingering objects. Lingering objects are objects that were deleted on one DC while replication failures prevented a partner DC from learning of the deletion. As a result, those deleted objects remain “active” on the replication partner. If the replication failure persists for longer than the tombstone lifetime but is later corrected, the DC that failed to inbound-replicate the deletions will continue to have “live” (lingering) objects in its copy of the AD database. When one or more attributes are modified on such a “live” object, that object must replicate outbound. DCs that don’t have Strict Replication Consistency enforced will replicate in these formerly deleted objects, re-animating them.

Strict replication consistency is enabled by default on DCs above Server 2003. Forests that were upgraded from Windows Server 2000 to Windows Server 2003 do not have strict replication consistency enabled, so it must be enabled manually. The setting for replication consistency is stored in the registry in the Strict Replication Consistency entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. Values for this entry are as follows:

Value: 1 (0 to disable)

Default: 1 (enabled) in a new Windows Server 2003 forest; otherwise 0.

Data type: REG_DWORD

On domain controllers running Windows Server 2003 with Service Pack 1 (SP1), you do not have to edit the registry directly to enable strict replication consistency. It is best to avoid editing the registry directly if possible. You can use a Repadmin command that enables strict replication consistency on one or all domain controllers in the forest. This command is available only in the version of Repadmin that is included with Windows Support Tools in Windows Server 2003 SP1. This command can be applied only on domain controllers running Windows Server 2003 with SP1.

Administrative credentials

  • To complete this procedure on a single domain controller, you must be a member of the Domain Admins group in the domain.
  • To complete this procedure on all domain controllers, you must be a member of the Enterprise Admins group in the forest.

Better yet, use Repadmin to update all DCs in your forest from a command prompt (you need to elevate if on Vista/2008 or greater). I pipe the output and save the text file for documentation.

repadmin /regkey * +strict > c:\temp\dcListStrict.log

This will ensure that all your DCs are protected from any partners that are unhealthy and hopefully save you some real head-scratching problems that can occur with lingering objects. In the example below you can see that only one of the three DCs needed to be updated. You will also notice that rerunning the command does not have an adverse effect.

The output of the above command would look like:

Repadmin: running command /regkey against read-only DC DC01.windowstechno.local
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)

Repadmin: running command /regkey against full DC DC02.windowstechno.local
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)

Repadmin: running command /regkey against full DC DC03.windowstechno.local
HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” value does not exist
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: “Strict Replication Consistency” REG_DWORD 0x00000001 (1)
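The saved log can be turned into a per-DC summary that shows which controllers were unprotected before the command ran. The following is an added example, not part of the original post: the function name Get-StrictReplicationChange is hypothetical, and it assumes log entries in the format shown above, one entry per line.

```powershell
# Added example: summarize a "repadmin /regkey * +strict" log per domain controller.
# Assumes the entry format shown in this article; the function name is hypothetical.
function Get-StrictReplicationChange {
    param([Parameter(Mandatory)][string[]]$Line)

    $rows = [System.Collections.Generic.List[object]]::new()
    $cur = $null
    foreach ($l in $Line) {
        if ($l -match 'running command /regkey against (?<type>.+?) DC (?<dc>\S+)') {
            # Start of a new DC section.
            $cur = [pscustomobject]@{ DC = $Matches.dc; Type = $Matches.type
                                      Before = 'unknown'; After = 'unknown'; Changed = $false }
            $rows.Add($cur)
        }
        elseif ($cur -and $l -match 'Strict Replication Consistency') {
            # Value is either "(n)" at the end of the line or reported as absent.
            $value = 'unknown'
            if ($l -match '\((?<v>\d+)\)\s*$') { $value = [int]$Matches.v }
            elseif ($l -match 'value does not exist') { $value = 'missing' }

            # Lines starting with "New" carry the value after the change.
            if ($l -match '^\s*New\s') { $cur.After = $value } else { $cur.Before = $value }
            $cur.Changed = "$($cur.Before)" -ne "$($cur.After)"
        }
    }
    $rows
}

# Sample input: the three-DC output shown in this article, rebuilt one entry per line.
$key = 'HKLM\System\CurrentControlSet\Services\NTDS\Parameters: "Strict Replication Consistency"'
$sample = @(
    'Repadmin: running command /regkey against read-only DC DC01.windowstechno.local'
    "$key REG_DWORD 0x00000001 (1)"
    "New $key REG_DWORD 0x00000001 (1)"
    'Repadmin: running command /regkey against full DC DC02.windowstechno.local'
    "$key REG_DWORD 0x00000001 (1)"
    "New $key REG_DWORD 0x00000001 (1)"
    'Repadmin: running command /regkey against full DC DC03.windowstechno.local'
    "$key value does not exist"
    "New $key REG_DWORD 0x00000001 (1)"
)

$report = Get-StrictReplicationChange -Line $sample
$report | Format-Table -AutoSize

# DCs that were unprotected before the run, or that still do not end at 1.
$report | Where-Object { $_.Changed -or $_.After -ne 1 } | Select-Object DC, Before, After
```

To run it against the real log, pass `-Line (Get-Content c:\temp\dcListStrict.log)` instead of the sample.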

Also check this

How to prevent lingering objects replication in active directory

So, that’s all in this blog. I will meet you soon with the next stuff. Have a nice day!


Vipan Kumar

He is an Active Directory Engineer. He has been working in the IT industry for more than 10 years. He is a dedicated and enthusiastic information technology expert who is always ready to resolve any technical problem. If you need any further help on these subjects, feel free to contact us at admin@windowstechno.com. Please subscribe to our Facebook page as well as the website for the latest articles. https://www.facebook.com/windowstechno
