Channel: Directory Services forum

Lingering Object and Replication problem


Hello,

We recently migrated from an SBS 2003 server (SERVER01) to a Windows 2008 R2 DC (SERVER02) and a Windows 2008 R2 Exchange 2010 Server (SERVER03).

We were up to the last stage of the migration, transferring the FSMO roles to SERVER02 and dcpromo SERVER01. Unfortunately the VMware server that was hosting SERVER01 died. It was out of action for 2 weeks. When it was fixed, we tried to start the FSMO transfer on SERVER02 and got the message

"The transfer of the operations master role cannot be performed because: The requested FSMO operation failed. The current FSMO holder could not be contacted."

On SERVER01 there are NTDS Replication 1988 and 1864 errors, which I have pasted below. I have tried using "repadmin /removelingeringobjects <SERVER01> <SERVER02 DSA GUID> <DC=domainname,DC=Local>" on SERVER01. It runs successfully but does not delete any objects.

How can I fix the lingering objects in AD, transfer the FSMO roles to SERVER02 and DCPROMO SERVER01? Any ideas/solutions would be appreciated. I have been told only to seize the FSMO roles as an absolute last resort.

 

Event 1864.

This is the replication status for the following directory partition on the local domain controller.

Directory partition:

DC=domainname,DC=local

The local domain controller has not recently received replication information from a number of domain controllers.   The count of domain controllers is shown, divided into the following intervals.

More than 24 hours:

1

More than a week:

1

More than one month:

1

More than two months:

0

More than a tombstone lifetime:

0

Tombstone lifetime (days):

180

Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.

To identify the domain controllers by name, install the support tools included on the installation  CD and run dcdiag.exe.

You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest.   The command is "repadmin /showvector /latency <partition-dn>".

Event 1988

Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory database.  Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed.  Objects that have been deleted and garbage collected from an Active Directory partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".

This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory database.  This replication attempt has been blocked.

The best solution to this problem is to identify and remove all lingering objects in the forest.

Source DC (Transport-specific network address):

ab39f198-e7a7-4e21-b53e-167b9c12f751._msdcs.domainname.local

Object:

CN=master,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domainname,DC=local

Object GUID:

d91a0414-9d45-48c2-a4b8-4fafb9dd5334

User Action:

Remove Lingering Objects:

The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282.

If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>".

If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.

If you need Active Directory replication to function immediately at all costs and don't have time to remove lingering objects, enable loose replication consistency by unsetting the following registry key:

Registry Key:

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency

Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.

Lingering objects may be prevented by ensuring that all domain controllers in the forest are running Active Directory, are connected by a spanning tree connection topology and perform inbound replication before Tombstone Live number of days pass.
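Added example, not part of the original post: a small parser that reads the Event 1988 fields quoted above and composes the advisory-mode command in the argument order the event's own User Action text gives (source DC first, then the DSA GUID of the DC that logged the event, then the partition). The all-zero `LOCAL_DSA_GUID` is a placeholder for a value the post does not show, and the function names are hypothetical.

```python
import re

# Constructed sample: the Event 1988 fields as quoted in the post above.
SAMPLE_EVENT_1988 = """\
Source DC (Transport-specific network address):
ab39f198-e7a7-4e21-b53e-167b9c12f751._msdcs.domainname.local
Object:
CN=master,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domainname,DC=local
Object GUID:
d91a0414-9d45-48c2-a4b8-4fafb9dd5334
"""
# Placeholder (assumption): DSA GUID of the DC that logged the event.
LOCAL_DSA_GUID = "00000000-0000-0000-0000-000000000000"

LABELS = {
    "Source DC (Transport-specific network address):": "source_dc",
    "Object:": "object_dn",
    "Object GUID:": "object_guid",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def parse_event_1988(text):
    """Map each known label to the next non-blank line that follows it."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    fields = {LABELS[a]: b for a, b in zip(lines, lines[1:])
              if a in LABELS and b not in LABELS}
    missing = set(LABELS.values()) - fields.keys()
    if missing:
        raise ValueError(f"event text is missing: {sorted(missing)}")
    return fields

def naming_context(dn):
    """Return the partition DN: everything from the first DC= component on."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]  # unescaped commas
    first = next((i for i, r in enumerate(rdns)
                  if r.upper().startswith("DC=")), None)
    if first is None:
        raise ValueError(f"no DC= components in DN: {dn!r}")
    return ",".join(rdns[first:])

def advisory_command(event_text, local_dsa_guid):
    """Build the read-only /ADVISORY_MODE command; nothing is deleted."""
    if not GUID_RE.fullmatch(local_dsa_guid):
        raise ValueError("local DSA GUID is not a well-formed GUID")
    ev = parse_event_1988(event_text)
    nc = naming_context(ev["object_dn"])
    return (f'repadmin /removelingeringobjects {ev["source_dc"]} '
            f'{local_dsa_guid} "{nc}" /ADVISORY_MODE')
```

The generated command only enumerates candidates in the source DC's event log; the same line without `/ADVISORY_MODE` performs the removal.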



