Forcing Replication of AD Partitions after Tombstone Lifetime Exceeded

When a domain controller has been offline for more than the specified tombstone lifetime, it is considered bad and will no longer replicate properly with the other controllers.

When this happens, new users, groups, and other objects will not be synchronized anymore on this server. It can cause issues with emails sent to these new users. If the email server can still check for the user in the AD against the bad server, emails won’t be delivered since it thinks that the user does not exist.

1. Run the following on a good DC to show the status of AD replication:

   repadmin /showrepl
   

2. Get the GUI of a good DC:

   Default-First-Site-Name\good-dc
   DSA Options: IS_GC
   Site Options: (none)
   DSA object GUID: 01550726-b50d-47dc-b8f7-b7a5869a9a6d
   DSA invocationID: 85e50533-00f6-4387-aafe-1e1906064bf8
   

3. Remove objects on the bad DC that not longer exist in the current AD (good DC):

   repadmin /removelingeringobjects "bad-dc.domain.tld" 01550726-b50d-47dc-b8f7-b7a5869a9a6d "DC=domain,DC=tld"
   

4. Replicate the good AD partitions to the bad DC

   repadmin /replicate "bad-dc.domain.tld" "good-dc.domain.tld" "DC=domain,DC=tld" /force
   repadmin /replicate "bad-dc.domain.tld" "good-dc.domain.tld" "CN=Configuration,DC=domain,DC=tld" /force
   repadmin /replicate "bad-dc.domain.tld" "good-dc.domain.tld" "CN=Schema,CN=Configuration,DC=domain,DC=tld" /force
   repadmin /replicate "bad-dc.domain.tld" "good-dc.domain.tld" "DC=DomainDnsZones,DC=domain,DC=tld" /force
   repadmin /replicate "bad-dc.domain.tld" "good-dc.domain.tld" "DC=ForestDnsZones,DC=domain,DC=tld" /force
   

   This will synchronize the servers for these partitions and you won’t have issues anymore with the accounts of the new users.