Windows 2003/2008 – AD Connections Tombstoned

Recently a client of mine reported an issue with adding new Windows 7 workstations to their domain. For their domain they have two Windows 2008 R2 Domain Controllers as well as two Windows 2003 R2 Domain Controllers. The client noticed the issue when they were having random login issues on the new workstations. It was then noticed that these Windows 7 workstations that were added to the domain were only on one domain controller and not on any other domain controller.

A quick review of the facts pointed us to a replication issue. To troubleshoot this I used a series of tools and methods to track down the source of the issue:

  • Replmon
  • Repadmin
  • Dcdiag
  • NetDiag
  • Event Viewer

The event log had a series of Event 2042 events in the logs – “It has been too long since this machine replicated”. I ran “replmon /showrepl” to see what the state of all the replication connections was. This too revealed errors similar to this:

Last error: 8614 (0x21a6):
The Active Directory cannot replicate with this server
because the time since the last replication with this server has
exceeded the tombstone lifetime.

Replmon revealed a few partitions that would not replicate. When a manual replication was attempted an error message would appear to the effect that replication had not occurred in so long that the connection was tombstoned. The Event Logs revealed the same kind of issues. Did some research on this issue and possible solutions. There were three listed in the Event Log itself:

1) Attempt manual replication – which failed
2) Use the “repadmin /removelingeringobjects” tool to remove inconsistent deleted objects and then resume replication.
3) DCPromo to remove the DC role. Metabase cleanup. Promote the domain controller again.

Since the first suggested fix had failed, we attempted the second solution. In order to do this you must follow one of two KB articles depending on the version of the Windows OS.

Windows 2003 –
Windows 2008 –

This should be done on all domain controllers, depending on the extent of your issue. Once this is enabled, restart the FRS service and then try a manual replication.

Once replication looks good again, remove the registry settings and you are all done.

I am sure that there will be someone reading my blog, sees this article, and asks “Why is an AD article in a UC blog?”   Well, let me answer this simply with this – without a healthy AD Exchange may not work properly.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s