Enable strict replication consistency on domain controllers within Active Directory domain

I recently enabled strict replication consistency on my domain controllers in order to follow best practices, where this is not enabled there can be a risk that lingering objects could be replicated to a domain controller. This can occur  when a domain controller in your Active Directory environment is disconnected from the replication topology for an extended period of time, this can cause problems when these lingering objects on the source domain controller are updated and these updates are sent by replication to the destination domain controllers.

You can identity existing lingering objects on your domain controllers by filtering for Event ID 1388 or Event ID 1988 in the domain controller logs, to which can be described as the below:

  • Event ID 1388: Inbound replication of the lingering object has occurred on the destination domain controller. 
  • Event ID 1988: Inbound replication of the directory partition of the lingering object has been blocked on the destination domain controller. 

If you have any lingering objects identified, you will need to remove this prior to enabling strict replication consistency, by performing the below:

1) Identity the DSA object GUID of the domain controller reporting lingering objects or partitions.

repadmin /showrepl %ServerName%

2)  Review the lingering objects reported on the domain controller for the directory parition reported in the event log, the adivsory_mode switch will log the lingering objects but not remove them. 

repadmin /removelingeringobjects %ServerName% %ServerGUID% %DirectoryPartition% /advisory_mode

3) Once reviewed, remove the lingering objects.

repadmin /removelingeringobjects %ServerName% %ServerGUID% %DirectoryPartition%

So once the lingering objects have been removed we  can enable stict replication consistency on each domain controller or for all domain controllers in the forest (*).

repadmin /regkey <DC_LIST> +strict

This will modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. to set the value for Strict Replication Consistency to 0 (enable). You can disable strict replication consistency by running the command but with the disable switch

repadmin /regkey <DC_LIST> -strict

Advertisements

2 thoughts on “Enable strict replication consistency on domain controllers within Active Directory domain

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s