Forcing Replication of AD Partitions after Tombstone Lifetime Exceeded

When a domain controller has been offline for more than the specified tombstone lifetime, it is considered bad and will no longer replicate properly with the other controllers.

When this happens, new users, groups, and other objects are no longer synchronized to this server. It can cause issues with emails sent to these new users: if the email server queries the bad DC for the user, emails won't be delivered because that DC reports that the user does not exist.

  1. Run the following on a good DC to show the status of AD replication:
  2. Get the DSA object GUID of a good DC:
  3. Remove objects on the bad DC that no longer exist in the current AD (good DC):
  4. Replicate the good AD partitions to the bad DC:

    This will synchronize the servers for these partitions and you won’t have issues anymore with the accounts of the new users.
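The four steps above, driven from one PowerShell session as an added example (not code from the original post): `$GoodDC` and `$BadDC` are assumed placeholder hostnames, the commands are the standard `repadmin` switches, and lingering-object removal runs in `/advisory_mode` unless `-Commit` is given so you can review what would be removed before touching the bad DC.

```powershell
# Added example, not part of the original post. Run from a domain member or DC
# where repadmin is available, with rights to replicate both controllers.
param(
    [Parameter(Mandatory)] [string]$GoodDC,   # assumed placeholder: a healthy DC
    [Parameter(Mandatory)] [string]$BadDC,    # assumed placeholder: the DC past tombstone lifetime
    [switch]$Commit   # without -Commit, only report (advisory mode) and do not replicate
)

# Step 1: replication status as seen from the good DC
repadmin /showrepl $GoodDC

# Step 2: the DSA object GUID of the good DC, parsed from the same output.
# The header of /showrepl contains a line "DSA object GUID: <guid>".
$guidLine = repadmin /showrepl $GoodDC |
    Select-String -Pattern 'DSA object GUID:\s*([0-9a-fA-F-]{36})' | Select-Object -First 1
if (-not $guidLine) { throw "Could not read the DSA object GUID from $GoodDC" }
$goodGuid = $guidLine.Matches[0].Groups[1].Value

# The naming contexts (partitions) held by the good DC, read from its RootDSE
$partitions = ([ADSI]"LDAP://$GoodDC/RootDSE").namingContexts

foreach ($nc in $partitions) {
    # Step 3: remove objects on the bad DC that no longer exist on the good DC.
    # /advisory_mode only logs what would be removed to the Directory Service event log.
    if ($Commit) {
        repadmin /removelingeringobjects $BadDC $goodGuid "$nc"
    } else {
        repadmin /removelingeringobjects $BadDC $goodGuid "$nc" /advisory_mode
    }

    # Step 4: pull this partition from the good DC onto the bad DC
    if ($Commit) {
        repadmin /replicate $BadDC $GoodDC "$nc"
    }
}

# Check the bad DC afterwards; its status lines should no longer show replication failures
repadmin /showrepl $BadDC
```

Run it once without `-Commit`, review the advisory-mode events logged on the bad DC, and only then rerun with `-Commit`.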

5 Replies to “Forcing Replication of AD Partitions after Tombstone Lifetime Exceeded”

  1. Thanks Jack. Another question: in your post, you mentioned to get the DSA object GUID of the good DC.

    How do I identify the good DC from the bad DC, when they are both giving me the same error?

    I have 2 DCs; the Default-First-Site has both the DSA object GUID and the DSA invocation ID the same, while the other DC has them both different.
