Repair Non-Replicating Server 2003 AD after Restore

Steps to repair non-replicating AD

Information Sources:
http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx
http://support.microsoft.com/kb/870695

Procedure for using the recovery option:

• “Restore” the image
• !!! Boot into DSRM !!! (not connected to the network)
• Note the value of “DSA Previous Restore Count”
  (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (Not visible? –> Assume value of 0)
• Add the entry “Database restored from backup” (DWORD) with a value of 1
  (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (This triggers the actions needed for AD right after a system state restore!)
• Stop the “File Replication Service (NTFRS)” and assign the value “D4” (for auth. or primary restore) or “D2” (for an non-auth. restore) to the entry “BurFlags” in (HKLM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup)
  (This triggers the actions needed for the SYSVOL right after a system state restore!) (and other replicated DFS namespaces!)
  (also see: Using the BurFlags registry key to reinitialize File Replication Service replica sets – http://support.microsoft.com/?id=290762)
• Boot into normal DC mode (not connected to the network)
• Check the value of “DSA Previous Restore Count”
  (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (New value = old value + 1)
• In the DS event log check for event ID 1109
• In the FRS event log check for event ID 13565 & 13520 if a non-auth. restore was performed for the SYSVOL
• In the FRS event log check for event ID 13566 if an auth. restore was performed for the SYSVOL
• Connect to the network again
• Check the health of the DC (AD & SYSVOL)
  • DCDIAG /D /C /V
  • NETDIAG /DEBUG /V
  • GPOTOOL.EXE /CHECKACL /VERBOSE
  • REPADMIN.EXE /SHOWUTDVEC <FQDN DC> <NC>
• DONE!

SYMPTOMS

On your Microsoft Windows Server 2003-based domain controller, the following Error event is logged in the Directory Service event log:
Type: Error
Source: NTDS Replication
Category: Replication
Event ID: 1988
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Computer_name
Description:
The local domain controller has attempted to replicate the following object from the following source domain controller. This object is not present on the local domain controller because it may have been deleted and already garbage collected.

Source domain controller:
GUID-based_domain_controller_FQDN
Object:
object_distinguished_name
Object GUID:
object_GUID

Replication will not continue with the source domain controller until the situation has been resolved.

 

CAUSE

This issue occurs if the source domain controller has outdated objects that have been out of replication for more than one tombstone lifetime. The source domain controller is identified in the event message. These outdated objects are referred to as lingering objects. A domain controller that was offline for longer than the value of the tombstone lifetime setting may contain objects that have been deleted on other domain controllers or global catalog servers. The default tombstone lifetime value is 60 days. Additionally, tombstones for these objects may no longer exist. When you bring the outdated domain controller back online, it cannot be notified of the object deletions.

 

RESOLUTION

To resolve this issue, you can use the Repadmin tool to remove lingering objects from a directory partition. The repadmin /removelingeringobjects command does the following:

1.	Designates an up-to-date domain controller as the authority. This domain controller acts as the authoritative directory replica.
2.	Compares the Active Directory Directory service database objects on the authoritative server with the objects that are on the source replication partner that contains the lingering objects.
3.	Either removes the lingering objects or logs the potential deletions to the Directory Services event log. The behavior depends on whether you use the /advisory_mode parameter.

To use the repadmin /removelingeringobjects command, follow these steps.

Note To use the repadmin /removelingeringobjects command, both the source domain controller and the destination domain controllers must be running Windows Server 2003.

1.	Install the Repadmin tool. The Repadmin tool is included with the Windows Server 2003 Support Tools that are included with the Windows Server 2003 CD-ROM. To install the support tools, double-click Suptools.msi in the CD_Drive:\Support\Tools folder.
2.	At the command prompt, type repadmin /removelingeringobjects Destination_domain_controller Source_domain_controller_GUID Directory_partition /advisory_mode, and then press ENTER.Note The /advisory_mode parameter is optional. You can use this parameter to make sure that the lingering object that is reported in event ID 1988 exists in the Active Directory database on the server that you suspect has the lingering objects. When you use this parameter, the lingering objects are not removed. Instead, the /advisory_ mode parameter lets you view the results of the command before you take action to remove any objects from the folder. We recommend that you always use the /advisory_ mode parameter before you use Repadmin to delete the lingering objects. • Destination_domain_controller is the domain name system (DNS) name or IP address of the domain controller that has lingering objects. In the event ID 1988, this value is the server that is identified in the source domain controller field.Note You can use the dc_list parameter if you want to specify multiple destination domain controllers that have lingering objects. Because lingering object removal is not replicated to other domain controllers, you must run the repadmin /removelingeringobjects command against all destination domain controllers and global catalog servers that have lingering objects. For more information about the dc_list parameter, type repadmin /listhelp at the command prompt, and then press ENTER. • Source_domain_controller_GUID is the object GUID of the source domain controller that you are using as the authoritative server. To obtain the object GUID of the source domain controller, use one of the following methods. Method one At a command prompt, type repadmin /showrepl /v name of the authoritative server, and then press ENTER. The object GUID of the domain controller is listed in the DC object GUID field. Method two Use the Active Directory Sites and Services tool to locate the object GUID of the source domain controller. To do this, follow these steps: a. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services. b. Expand Sites, expand the site where your authoritative domain controller is located, expand Servers, and then expand the domain controller. c. Right-click NTDS Settings, and then click Properties. d. View the value in the DNS Alias box. The GUID that appears in front of _msdcs.forest_root_name.com is the object GUID of the domain controller. The Repadmin tool only requires the GUID. Do not include the _msdcs.forest_root_domain_name.com component in the Repadmin syntax. • Directory_partition is the distinguished name (DN) of the directory partition that contains the lingering objects. This is part of the object_distinguished_name in the event message.
3.	Repeat the procedure for the following partitions, as needed: • Domain directory partition (dc=domain_DN) • Configuration directory partition (cn=Configuration,dc=forest_root_DN) • Application directory partition or partitions (cn=Application_directory_partition_name,dc=domain_DN) (cn=Application_directory_partition_name,dc=forest_root_DN) • Schema directory partition (cn=Schema, cn=Configuration,dc=,dc=forest_root_DN)

Example of the command syntax

The following is an example of the repadmin /removelingeringobjects command syntax for the fictional Example.com domain:

C:\>repadmin /removelingeringobjects domain_controller.example.com A0AE6093-15F5-4DB8-836B-4495E3A15396 dc=example,dc=com /advisory_mode

If the command runs successfully, you receive the following message:

RemoveLingeringObjects successful on domain_controller_name.domain_name.com