Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
If a destination domain controller logs Event ID 1388 or Event ID 1988, a lingering object has been detected and one of two conditions exists on the destination domain controller:
Event ID 1388: Inbound replication of the lingering object has occurred on the destination domain controller.
Event ID 1988: Inbound replication of the directory partition of the lingering object has been blocked on the destination domain controller.
Diagnosis
A particular object has been permanently deleted from AD DS, or garbage-collected, but remains on a connected domain controller.
The domain controller failed to receive direct or transitive replication of the deleted object because it was disconnected from the replication topology (it was offline or facing some sort of inbound replication issue) for a period that exceeded the tombstone lifetime.
The domain controller is now reconnected to the topology and that object has been updated on the domain controller, causing a replication notification to the replication partner that an update is ready for replication. The replication partner responded according to its replication consistency setting. This notification applies to attempted replication of a writable object. A copy of the writable lingering object might also exist on a global catalog server.
Resolution
If replication of a lingering object is detected, you can remove the object from AD DS, along with any read-only replicas of the object, by identifying the domain controllers that might store this object (including global catalog servers) and running a repadmin command to remove lingering objects on these servers (repadmin /removelingeringobjects). This command is available on domain controllers that are running Windows Server 2008. It is also available on domain controllers that are not running Windows Server 2008 but are running the version of Repadmin.exe that is included with Windows Support Tools in Windows Server 2003.
To remove lingering objects, do the following:
1. Use the event text to identify the following:
a. The directory partition of the object
b. The source domain controller that attempted replication of the lingering object
2. Use Repadmin to identify the GUID of an authoritative domain controller
a. At a command prompt, type the following command, and then press ENTER:
repadmin /showrepl
b. In the first section of the output, locate the objectGuid entry. Select and copy the GUID value into a text file so that you can use it elsewhere.
3. To use Repadmin to remove lingering objects
Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins or Enterprise Admins credentials, if required, and then click Continue.
a. At the command prompt, type the following command, and then press ENTER:
repadmin /removelingeringobjects <ServerName> <ServerGUID> <DirectoryPartition> /advisory_mode
Here <ServerName> is the domain controller that might hold lingering objects, <ServerGUID> is the GUID of the authoritative domain controller copied in step 2, and <DirectoryPartition> is the directory partition identified in step 1.
b. Repeat step a without /advisory_mode to delete the identified lingering objects from the directory partition.
c. Repeat steps a and b for every domain controller that might have lingering objects.
4. To use Repadmin to enable strict replication consistency
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins or Enterprise Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /regkey <DC_LIST> +strict
3. If you do not use * as <DC_LIST> to apply the change to all domain controllers, repeat step 2 for every domain controller on which you want to enable strict replication consistency.
5. To use Regedit to enable strict replication consistency
1. Open Regedit as an administrator: Click Start and then, in Start Search, type regedit. At the top of the Start menu, right-click regedit.exe, and then click Run as administrator. In the User Account Control dialog box, provide Domain Admins credentials, and then click OK.
2. Navigate to the Strict Replication Consistency entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
3. Set the value in the Strict Replication Consistency entry to 1.
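
Steps 2 and 3 above can be scripted so that every suspect domain controller is checked in advisory mode before anything is deleted. The script below is an added example, not part of the original procedure or of any Microsoft tool. The parameter names are hypothetical and their values must be supplied by the operator, and the GUID label matched in the repadmin output is an assumption that may need adjusting for your Repadmin version.

```powershell
# Added example: advisory-mode-by-default wrapper around steps 2 and 3.
# All parameter values are supplied by the operator; none come from the page.
param(
    [Parameter(Mandatory)] [string]   $AuthoritativeDC,     # healthy DC used as the reference copy
    [Parameter(Mandatory)] [string[]] $SuspectDCs,          # DCs (including GCs) that may hold the object
    [Parameter(Mandatory)] [string]   $DirectoryPartition,  # DN of the partition named in the event text
    [switch] $Remove                                        # without this switch, /advisory_mode is used
)

# Step 2: take the GUID from the first section of "repadmin /showrepl".
# Assumption: the entry is labelled "DSA object GUID:", "DC object GUID:" or "objectGuid:".
$showrepl = & repadmin /showrepl $AuthoritativeDC
$match = $showrepl |
    Select-String -Pattern '(?:(?:DSA|DC) object GUID|objectGuid)\s*:\s*([0-9a-fA-F-]{36})' |
    Select-Object -First 1
if (-not $match) {
    throw "No GUID found in repadmin /showrepl output for $AuthoritativeDC"
}
$guid = $match.Matches[0].Groups[1].Value
Write-Host "Reference DC $AuthoritativeDC has GUID $guid"

foreach ($dc in $SuspectDCs) {
    # Report whether this DC has logged the events that prompted the cleanup.
    # A count of 0 can also mean the event log could not be read remotely.
    $events = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1388, 1988 })
    Write-Host "$dc : $($events.Count) event(s) with ID 1388 or 1988"

    # Step 3: advisory mode first; the same command without the flag deletes.
    $repadminArgs = @('/removelingeringobjects', $dc, $guid, $DirectoryPartition)
    if (-not $Remove) { $repadminArgs += '/advisory_mode' }
    & repadmin @repadminArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin returned $LASTEXITCODE for $dc; review before continuing"
    }
}
```

Run it once without -Remove and review what repadmin reports for each domain controller, then run it again with -Remove to delete the objects.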