How to Find Lingering Objects in Active Directory?
Many admins who work in and around AD know how difficult it is to find lingering objects in Active Directory, and removing them is an advanced task that is out of reach for many. Not to worry: this article walks through a range of remedy options to get your AD back into a clean state. We also discuss the best practices that help prevent such instances in the future. Let's first define what we mean when we say that an object in AD is lingering.
What are Lingering Objects in Active Directory?
These are objects that reappear in AD after their Tombstone Lifetime (TSL) has expired. The usual cause is that one or more of your domain controllers (DCs) was disconnected while an object deletion was taking place, so the disconnected DC never replicated the deletion.
So, when the disconnected DC reconnects to the rest of AD, one of two things happens:
- If Strict Replication Consistency is enabled (on the source), inbound replication stops to prevent conflicts.
- If it is disabled, the deleted object reappears across the forest (i.e. on the rest of the domains).
Why is Lingering Object Detection Important in AD?
Because lingering objects don't pose an active threat, they often go unnoticed. It is usually not until the admin prepares an Active Directory audit checklist and performs a cleanup that such objects come to light. Objects that were not supposed to exist reappearing in your AD force your forest out of sync.
You can, however, look in Event Viewer and check whether any of the following event IDs appear.
Potential Lingering Object Warnings
- Event ID 1862/1863. Local DC didn’t receive inter-site replication info.
- Event ID 1864. Local DC didn’t receive summary replication info.
- Event ID 1311. KCC failed to build a spanning tree topology.
- Event ID 2042. Too long since the last replication with the source server.
Confirmed Lingering Object Alerts
- Event ID 1084. No such object on the server.
- Event ID 1388. Update received for an object that should be local.
- Event ID 1311. Another DC replicated object is not present locally.
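As an added example (not from the original article), the following PowerShell function pulls the event IDs listed above from the Directory Service log of every DC in the domain and labels each hit as a potential warning or a confirmed alert. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read remote event logs.

```powershell
# Added example (not from the original article): scan every DC's Directory Service log
# for the event IDs listed above and label each hit.
# Assumes the RSAT ActiveDirectory module and remote event-log (RPC) access to each DC.
Import-Module ActiveDirectory

# Event IDs from the article; 1311 appears under both headings there and is classed as Potential here
$PotentialIds = @(1862, 1863, 1864, 1311, 2042)
$ConfirmedIds = @(1084, 1388)

function Find-LingeringObjectEvents {
    param(
        [int]$Days = 30,   # how far back to look
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )
    $filter = @{
        LogName   = 'Directory Service'
        Id        = $PotentialIds + $ConfirmedIds
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No events were found" is a clean result; anything else (RPC, access denied) deserves a warning
            if ($_.Exception.Message -notlike 'No events were found*') {
                Write-Warning "$dc : $($_.Exception.Message)"
            }
            continue
        }
        foreach ($e in $events) {
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                EventId          = $e.Id
                Severity         = if ($ConfirmedIds -contains $e.Id) { 'Confirmed' } else { 'Potential' }
                Message          = ($e.Message -split "`n")[0].Trim()   # first line is enough for triage
            }
        }
    }
}

# Confirmed alerts sort first, so the DCs that need repadmin /removelingeringobjects are at the top
Find-LingeringObjectEvents -Days 30 | Sort-Object Severity, DomainController, TimeCreated |
    Format-Table -AutoSize
```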
Once you have confirmed the problem, you can move on to fixing it. Microsoft provides multiple ways to do so; we walk through them in easy-to-understand language without skipping the key technical requirements.
Methods to Remove Lingering Objects in Active Directory
After successfully detecting lingering objects in Active Directory, perform one of the following procedures.
Redo the Object Removal
Restore the deleted objects from the tombstone, then delete them again while all the domain controllers are online and replicating.
Use Microsoft LoL (Lingering Object Liquidator)
Here are the steps in brief:
- Launch the tool and select “Detect AD Topology”.
- Choose Naming Context, Reference DC, and Target DC.
- Select “Detect Lingering Objects” or “Scan Entire Forest and Target ALL DCs”.
There are two distinct removal methods available within this tool:
- Individual object removal: select the object(s) and click “Remove Selected Lingering Objects”
- Bulk removal: select all objects and click “Remove” or export to CSV and import later
Use the Repadmin Executable
To use it, you must be a member of the Domain Admins group.
First, identify the GUID of the up-to-date domain controller that will serve as the reference (the <ServerGUID> below):
Press Windows + R, type cmd, and press Enter.
In the command prompt, type
repadmin /showrepl <ServerName>
and press ENTER.
Look for the objectGuid entry in the output and copy the GUID value.
Then type
repadmin /removelingeringobjects <ServerName> <ServerGUID> <DirectoryPartition> /advisory_mode
and press ENTER.
Here,
- <ServerName> is the Domain controller with lingering objects.
- <ServerGUID> is for the GUID of an up-to-date domain controller.
- <DirectoryPartition> is the Distinguished name of the directory partition.
Review the output, then repeat the last command without /advisory_mode to actually delete the lingering objects.
Repeat the entire process for every domain controller that holds lingering objects.
Best Practices Before, During and After Removal of Lingering Objects in AD
Make sure you have a proper Active Directory reporting tool, like the one offered by SysTools. It lets you add all the different domains and run a thorough report, so that your domain does not begin to automatically bulk-add users in AD who are not supposed to be there, or keep its own list of Active Directory printer objects that were removed long ago.
After this, you may want to enable Strict Replication Consistency to prevent such an error in the future.
Open a new Command Prompt as an administrator.
Type
repadmin /regkey <DC_LIST> +strict
and press ENTER.
<DC_LIST>: a single domain controller, or * for all domain controllers.
Alternatively, modify the registry (back it up first):
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Name: Strict Replication Consistency
Data type: REG_DWORD
Value: 1 (enabled)
Manually Check Replication
Run
repadmin /showrepl * /csv >showrepl.csv
Open this file in Excel (or any other spreadsheet program), then use filter and sort:
- Delete unnecessary columns
- Freeze the header pane
- Filter the rows to surface deleted DCs and replication failures
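Instead of sorting by hand, the CSV can be triaged with a script. The following PowerShell function is an added example, not part of the original article: it reads the file written by repadmin /showrepl * /csv and reports every replication link that has failures or whose last success is older than the tombstone lifetime. The column names are the ones repadmin writes in /csv mode, and the sample rows embedded at the bottom are constructed, not captured from a real DC.

```powershell
# Added example (not from the original article): triage the CSV that
#   repadmin /showrepl * /csv >showrepl.csv
# produces, flagging failing links and links idle longer than the tombstone lifetime.
# Column names are the ones repadmin writes in /csv mode; the sample rows below are constructed.
function Get-ReplicationProblems {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [int]$TombstoneLifetimeDays = 180   # use your forest's real value; an unset attribute means 60
    )
    $cutoff = (Get-Date).AddDays(-$TombstoneLifetimeDays)
    foreach ($row in Import-Csv -Path $CsvPath) {
        $failures = [int]$row.'Number of Failures'
        $lastOk   = [datetime]::MinValue
        # A blank or '0' in 'Last Success Time' means no successful replication is recorded
        $hasOk = [datetime]::TryParse($row.'Last Success Time', [ref]$lastOk)
        $stale = (-not $hasOk) -or ($lastOk -lt $cutoff)
        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination = $row.'Destination DSA'
                Source      = $row.'Source DSA'
                Partition   = $row.'Naming Context'
                Failures    = $failures
                LastSuccess = if ($hasOk) { $lastOk } else { $null }
                BeyondTSL   = $stale      # idle longer than the TSL: the condition that breeds lingering objects
                LastStatus  = $row.'Last Failure Status'
            }
        }
    }
}

# Constructed sample in the layout repadmin /showrepl /csv emits (not output from a real DC).
$fmt    = 'yyyy-MM-dd HH:mm:ss'
$recent = (Get-Date).AddDays(-1).ToString($fmt)
$old    = (Get-Date).AddDays(-200).ToString($fmt)
$sample = @"
showrepl_COLUMNS,Destination DSA site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",HQ,DC02,RPC,0,0,$recent,0
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",Branch,DC03,RPC,12,$recent,$old,1722
"@
$csvPath = Join-Path $env:TEMP 'showrepl-sample.csv'
Set-Content -Path $csvPath -Value $sample
# Only the DC03 link should be reported: 12 failures and a last success beyond the 180-day TSL
Get-ReplicationProblems -CsvPath $csvPath -TombstoneLifetimeDays 180 | Format-Table -AutoSize
```

Point -CsvPath at your own showrepl.csv and pass the forest's actual tombstone lifetime to get the real list.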
You may also remove the problematic domain controllers entirely.
Ensure that no DC's offline period exceeds the Tombstone Lifetime (TSL).
Another option is to increase the TSL, which can be done with PowerShell:
Import-Module ActiveDirectory
# Set the forest-wide tombstone lifetime (held on CN=Directory Service in the Configuration partition) to 180 days
$ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext" -Partition $ADForestconfigurationNamingContext -Replace @{tombstonelifetime='180'}
Or with the help of ADSI Edit:
- Connect to the Configuration partition
- Navigate to CN=Directory Service
- Edit the attribute tombstoneLifetime
- Finally, set the value to 180, click Set, then OK
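Both settings covered in this section (Strict Replication Consistency on each DC and the forest tombstone lifetime) are worth auditing before and after a cleanup. The script below is an added example, not the article's own, that reads the effective tombstone lifetime from CN=Directory Service and checks the registry value on every DC; it assumes the ActiveDirectory module and WinRM access to each DC.

```powershell
# Added example (not from the original article): audit the two settings this section relies on.
# Assumes the RSAT ActiveDirectory module and WinRM (Invoke-Command) access to every DC.
Import-Module ActiveDirectory

function Get-EffectiveTombstoneLifetime {
    # tombstoneLifetime lives on CN=Directory Service in the Configuration partition.
    # If the attribute has never been set, AD uses the default of 60 days, so report that explicitly.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Partition $cfg -Properties tombstoneLifetime
    if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }
}

function Test-StrictReplicationConsistency {
    param([string[]]$DomainController = (Get-ADDomainController -Filter * |
                                         Select-Object -ExpandProperty HostName))
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $name = 'Strict Replication Consistency'
    foreach ($dc in $DomainController) {
        try {
            $value = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                param($k, $n)
                $p = Get-ItemProperty -Path $k -Name $n -ErrorAction SilentlyContinue
                if ($p) { $p.$n } else { $null }   # $null: value not explicitly set on this DC
            } -ArgumentList $key, $name
        } catch {
            $value = "unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            DomainController             = $dc
            StrictReplicationConsistency = $value
            Enabled                      = ($value -eq 1)
            # The article's own remediation command, pre-filled for any DC that is not set to 1
            Fix                          = if ($value -eq 1) { '' } else { "repadmin /regkey $dc +strict" }
        }
    }
}

$tsl = Get-EffectiveTombstoneLifetime
"Effective tombstone lifetime: $tsl days (a DC offline longer than this must not simply be reconnected)"
Test-StrictReplicationConsistency | Format-Table -AutoSize
```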
Conclusion
Readers are now equipped with the knowledge to find lingering objects in Active Directory and need not search for it again.
With the methods described above, it is straightforward to eliminate the dreaded lingering objects in any AD environment.