Forcing Replication of AD Partitions after Tombstone Lifetime Exceeded
When a domain controller has been offline for longer than the forest's tombstone lifetime (60 or 180 days by default, depending on the Windows version the forest was created with), it has missed every deletion that happened in the meantime. The other DCs refuse to replicate with it rather than risk reintroducing deleted objects (Directory Service event 2042, replication error 8614), so the stale DC keeps serving its old copy of the directory.
When this happens, users, groups and other objects created since that DC went offline never appear on it, and objects deleted elsewhere linger on it. This causes mail problems: if the mail server does its directory lookups against the bad DC, it does not find the new users and rejects mail to them because, as far as that DC knows, the recipients do not exist. Note that Microsoft's supported fix for a DC that has exceeded the tombstone lifetime is to forcibly demote it, clean up its metadata and promote it again; the steps below repair it in place instead, which is worth trying when that is not practical, but verify the result afterwards.
-
Run the following on a good DC to show the status of AD replication:
repadmin /showrepl
-
Get the DSA object GUID of a good DC (it is in the header that repadmin /showrepl prints for that DC):
Default-First-Site-Name\good-dc
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 01550726-b50d-47dc-b8f7-b7a5869a9a6d
DSA invocationID: 85e50533-00f6-4387-aafe-1e1906064bf8
-
Remove the lingering objects on the bad DC, i.e. objects that no longer exist on the good DC. The first argument is the DC to clean, the second is the DSA object GUID of the DC to compare against, the third is the partition. Run it once per partition (the example shows the domain partition; the other partitions are the ones listed in the next step). Appending /advisory_mode makes repadmin only log what it would delete, which is a useful first pass:
repadmin /removelingeringobjects "bad-dc.domain.tld" 01550726-b50d-47dc-b8f7-b7a5869a9a6d "DC=domain,DC=tld"
-
Replicate the good AD partitions to the bad DC (/force overrides the replication schedule):
repadmin /replicate "bad-dc.domain.tld" "good-dc.domain.tld" "DC=domain,DC=tld" /force
repadmin /replicate "bad-dc.domain.tld" "good-dc.domain.tld" "CN=Configuration,DC=domain,DC=tld" /force
repadmin /replicate "bad-dc.domain.tld" "good-dc.domain.tld" "CN=Schema,CN=Configuration,DC=domain,DC=tld" /force
repadmin /replicate "bad-dc.domain.tld" "good-dc.domain.tld" "DC=DomainDnsZones,DC=domain,DC=tld" /force
repadmin /replicate "bad-dc.domain.tld" "good-dc.domain.tld" "DC=ForestDnsZones,DC=domain,DC=tld" /force
This brings the bad DC up to date on these partitions, so the accounts of the new users resolve on it as well. Check with repadmin /showrepl bad-dc.domain.tld (or repadmin /replsummary) that the last attempt on every inbound link succeeded: error 8606 means lingering objects are still present, and error 8614 means the DC is still blocked by the tombstone-lifetime check.
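The whole procedure above as one script, added here as an example and not part of the original note. It assumes you run it as a Domain Admin on a healthy DC where repadmin is available, that the host names and distinguished names are placeholders for your own forest, and that the domain is the forest root (in a child domain, replace the Configuration, Schema and ForestDnsZones DNs with the forest root's). It reads the good DC's DSA object GUID from repadmin /showrepl instead of pasting it by hand, cleans every partition, and only replicates once no removal has failed.

```powershell
<#
  Added example, not code from the original note.
  Repairs a DC that exceeded the tombstone lifetime: reads the good DC's DSA object GUID,
  removes lingering objects from the bad DC for every partition, then forces replication
  partition by partition. Assumptions: run as a Domain Admin on a healthy DC; the DC names
  and DNs below are placeholders; the domain is the forest root.
#>
param(
    [string]$GoodDc   = 'good-dc.domain.tld',   # healthy, fully replicated DC (placeholder)
    [string]$BadDc    = 'bad-dc.domain.tld',    # DC that was offline too long (placeholder)
    [string]$DomainDn = 'DC=domain,DC=tld',     # placeholder domain DN
    [switch]$AdvisoryOnly                        # first pass: only report what would be removed
)
$ErrorActionPreference = 'Stop'

# Partitions every DC in a forest-root domain holds, plus the two DNS application partitions.
$partitions = @(
    $DomainDn,
    "CN=Configuration,$DomainDn",
    "CN=Schema,CN=Configuration,$DomainDn",
    "DC=DomainDnsZones,$DomainDn",
    "DC=ForestDnsZones,$DomainDn"
)

# Runs repadmin, echoes its output, and fails on a non-zero exit code or a "failed" line,
# because repadmin reports some errors (e.g. 8614) in its text rather than its exit code.
function Invoke-Repadmin([string[]]$RepadminArgs) {
    Write-Host "repadmin $($RepadminArgs -join ' ')"
    $out = (& repadmin @RepadminArgs 2>&1) -join "`n"
    Write-Host $out
    if ($LASTEXITCODE -ne 0 -or $out -match '(?i)\bfailed\b') {
        throw "repadmin $($RepadminArgs[0]) failed (exit code $LASTEXITCODE)"
    }
    return $out
}

# 1. Read the DSA object GUID of the good DC from its own /showrepl header.
$showrepl = (& repadmin /showrepl $GoodDc 2>&1) -join "`n"
if ($showrepl -match 'DSA object GUID:\s*([0-9a-fA-F-]{36})') {
    $goodGuid = $Matches[1]
} else {
    throw "Could not read the DSA object GUID of $GoodDc from repadmin /showrepl:`n$showrepl"
}
Write-Host "Using $GoodDc ($goodGuid) as the reference DC"

# 2. Remove lingering objects from the bad DC, one partition at a time.
#    With /advisory_mode repadmin only logs, in the Directory Service event log of the bad DC,
#    the objects it would delete.
foreach ($nc in $partitions) {
    $cmdArgs = @('/removelingeringobjects', $BadDc, $goodGuid, $nc)
    if ($AdvisoryOnly) { $cmdArgs += '/advisory_mode' }
    Invoke-Repadmin $cmdArgs | Out-Null
}
if ($AdvisoryOnly) {
    Write-Host 'Advisory pass done; review the Directory Service log on the bad DC, then re-run without -AdvisoryOnly.'
    return
}

# 3. Pull each partition from the good DC into the bad DC, ignoring the replication schedule.
#    Error 8614 here means the tombstone-lifetime block is still in place; 8606 means
#    lingering objects remain in that partition.
foreach ($nc in $partitions) {
    Invoke-Repadmin @('/replicate', $BadDc, $GoodDc, $nc, '/force') | Out-Null
}

# 4. Show the result: every inbound link on the bad DC should now report a successful last attempt.
& repadmin /showrepl $BadDc
& repadmin /replsummary
```

Run it once with -AdvisoryOnly, review the logged objects on the bad DC, then run it again without the switch. If step 3 still fails with 8614 after the lingering objects are gone, the bad DC is being rejected by the tombstone-lifetime check itself; the documented override is the REG_DWORD value Allow Replication With Divergent and Corrupt Partner under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters set to 1 on the DCs involved, and it must be set back to 0 as soon as replication has completed, since leaving it on disables the protection that blocked the stale DC in the first place.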