Tag Archives: Domain Controller

Active Directory Lingering objects

If you maintain a healthy AD infrastructure, you are very unlikely to see lingering objects in AD. Let's assume a domain controller has been disconnected from the Active Directory environment and stayed offline longer than the value specified by the tombstone lifetime attribute, and was then reconnected to the replication topology. Objects that were deleted from Active Directory while that particular domain controller was offline will remain on it as lingering objects.

When an object is deleted on one domain controller, the deletion replicates to the other domain controllers as a tombstone object. The tombstone retains a few attribute values, but it cannot be used for active operations. It remains on the domain controllers until it reaches the age specified by the tombstone lifetime value; then the tombstone object is permanently deleted from the directory. The tombstone lifetime value is a forest-wide setting and depends on the operating system. For operating systems after Windows Server 2003, the default tombstone lifetime is 180 days.

The problem occurs when the domain controller holding lingering objects takes part in outbound replication. In that situation, one of the following happens.

If the destination domain controller has strict replication consistency enabled, it halts inbound replication from that particular domain controller.

If the destination domain controller has strict replication consistency disabled, it requests a full replica of the object and the lingering object is reintroduced into the directory.

Events 1388, 1988 and 2042 are clues to lingering objects in an Active Directory infrastructure.

Event id and event description

Event 1388: Another domain controller (DC) has attempted to replicate into this DC an object which is not present in the local Active Directory Domain Services database. The object may have been deleted and already garbage collected (a tombstone lifetime or more has past since the object was deleted) on this DC. The attribute set included in the update request is not sufficient to create the object. The object will be re-requested with a full attribute set and re-created on this DC. Source DC (Transport-specific network address): xxxxxxxxxxxxxxxxx._msdcs.contoso.com Object: CN=xxxx,CN=xxx,DC=xxxx,DC=xxx Object GUID: xxxxxxxxxxxxx Directory partition: DC=xxxx,DC=xx Destination highest property USN: xxxxxx

Event 1988: Active Directory Domain Services Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory Domain Services database. Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed. Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects". This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory Domain Services database.

This replication attempt has been blocked. The best solution to this problem is to identify and remove all lingering objects in the forest. Source DC (Transport-specific network address): xxxxxxxxxxxxxx._msdcs.contoso.com Object: CN=xxxxxx,CN=xxxxx,DC=xxxxxx,DC=xxx Object GUID: xxxxxxxxxxxx

Event 2042: It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source. The reason that replication is not allowed to continue is that the two machine's views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted. Time of last successful replication: <date> <time> Invocation ID of source: <Invocation ID> Name of source: <GUID>._msdcs.<domain> Tombstone lifetime (days): <TSL number in days> The replication operation has failed.

Strict replication consistency

This setting is controlled by a registry value. On versions after Windows Server 2003 it is enabled by default. The value can be found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters


Removing lingering objects

Lingering objects can be removed using:

repadmin /removelingeringobjects <faulty DC name> <reference DC GUID> <directory partition>

In the preceding command:

faulty DC name: the DC that contains the lingering objects

reference DC GUID: the GUID of a DC that holds an up-to-date database and can be used as the reference

directory partition: the directory partition in which the lingering objects are contained
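The checks described above, gathered into one script as an added example (not from the original post): it reads the effective tombstone lifetime, the strict replication consistency value, the 1388/1988/2042 events, and builds the repadmin command with a reference DC's DSA GUID. It assumes the ActiveDirectory module is available; the registry value name, the tombstoneLifetime attribute location and the /advisory_mode switch are standard AD facts not mentioned in the post, and FAULTY-DC / REFERENCE-DC are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT)
# is installed and the script runs on a domain controller. The value name
# "Strict Replication Consistency" and the tombstoneLifetime attribute location are
# standard AD facts; FAULTY-DC and REFERENCE-DC are placeholders.
Import-Module ActiveDirectory

# 1. Effective tombstone lifetime: forest-wide attribute on the Directory Service object.
#    When unset, the OS default applies (180 days from Windows Server 2003 SP1 onwards).
$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                         -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 180 }
"Tombstone lifetime in effect: $tsl days"

# 2. Strict replication consistency on this DC: 1 = enabled (lingering objects are
#    quarantined), 0 = disabled (they are re-introduced on the next replication).
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$strict  = (Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue).'Strict Replication Consistency'
$state   = if ($strict -eq 1) { 'enabled' } elseif ($null -eq $strict) { 'not set (OS default)' } else { 'disabled' }
"Strict Replication Consistency: $state"

# 3. The event IDs the post lists as lingering-object clues, from the Directory Service log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1388, 1988, 2042 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue
if ($events) {
    $events | Group-Object Id | ForEach-Object { "Event $($_.Name): $($_.Count) occurrence(s)" }
    # The source DC named in the newest 1988/2042 message is the one holding lingering objects.
    $events | Sort-Object TimeCreated -Descending | Select-Object -First 3 |
        ForEach-Object { "--- $($_.TimeCreated) Event $($_.Id)`n$($_.Message)" }
} else {
    "No 1388/1988/2042 events in the Directory Service log."
}

# 4. Build, but do not run, the repadmin command from the post. The reference GUID is the
#    DSA GUID of a healthy DC (objectGUID of its NTDS Settings object). /advisory_mode only
#    reports what would be removed, so the output can be reviewed before a real cleanup.
$referenceDc = Get-ADDomainController -Identity 'REFERENCE-DC'
$dsaGuid     = (Get-ADObject -Identity $referenceDc.NTDSSettingsObjectDN).ObjectGUID
$partition   = (Get-ADDomain).DistinguishedName
"Review, then run: repadmin /removelingeringobjects FAULTY-DC $dsaGuid $partition /advisory_mode"
```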

This marks the end of this blog post. If you have any questions, feel free to contact me at rebeladm@live.com, and follow me on Twitter @rebeladm for updates about new blog posts.

Why can't I connect a PC to the domain?


This is one of the most common questions I get from starters, students and admins who follow my blog. They say they follow my step-by-step guides to install a domain controller in a production or demo setup, and at the end they can't join the computers to the domain. If you already work on domain infrastructure, I'm sure you have faced the same experience in your job at times.

So I thought I would share some tips to troubleshoot the problem and get your PC connected to the domain.

Read the Error!!!

This is the very best friend of your initial troubleshooting. Read the error carefully; it will give you clues about where to start. It can be a simple typo, so as a first step read the error twice or more until you clearly understand what it says.


Successful communication between the domain controller and the PC requires reliable connectivity. There are many points at which it can be interrupted.

1)    Local host
To start, ping the local host IP address from the PC. If it succeeds, the local PC is running the correct protocols and required components. If it does not, that is the first place to start.

2)    ipconfig /all
Run this on both the server and the PC and make sure the client PC has a valid IP address assigned. Make sure it is in the same IP address range as the server so they can talk to each other.

3)    DNS
This is a very common cause of failures when joining a PC to a domain. Make sure the PC is using the domain DNS servers as its primary DNS resolver. Sometimes you may have used a valid public domain name ending in .com, .org, .net etc.; in that case you need to make sure you have correct DNS entries that identify the local server, instead of the client trying to resolve the name to a public DNS record.
If all of the above checks pass, use ping from the server as well as from the PC to make sure both can reach each other (if a firewall is active on the PC or server, allow ICMP traffic temporarily while troubleshooting).
If the pings fail, you need to look at the network level: it can be the cable, VLAN configuration, switch port configuration etc.


This is also a very common issue I have seen: make sure the system time and date on your domain controller and on the computer match. Even if you use a common time server, there can sometimes be a mismatch due to sync problems.


If you are using virtualization software to build your home lab or even your production environment, there are a few things you should check. In these virtualization platforms you can set up virtual networks as per your requirement, so sometimes, even though the DC and PC are in the same network range, they may not be on the same virtual network. Make sure the interfaces are correctly assigned to the relevant virtual network.

Beware!! Most of the time, when we build a test lab with a few virtual machines, we clone them. Even in production environments engineers do this. Not long ago I had to look into a problem with joining virtual machines to a domain. It was using one of the well-known virtualization products. The engineer who set up the system had used linked clones (all VMs run from the same initial image). But when he went to add those computers to the domain, only one of the VMs could join, and only one VM could log in to the DC. There were 10 VMs running in the setup. So what do you think the problem was? The linked clone was copying all the network information as well, so looking at each PC, every one of them was using the same IP address and the same MAC address. Interestingly, even with all of them switched on, none of them reported an IP duplication error. So if you used the "clone" option to build the VMs, make sure each one has a unique IP address and MAC address.
I believe the above tips will help you troubleshoot issues with DC connectivity.
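The checks above (local host, IP configuration, DNS, reachability and time) as one pre-join script run from the client PC; this is an added example, not part of the original post. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection, and corp.example.com is a placeholder for your domain name.

```powershell
# Added example, not from the original post: a pre-join connectivity check that walks the
# steps above from the client PC. Run in an elevated PowerShell on the PC you are joining.
# 'corp.example.com' is a placeholder for your domain.
$Domain = 'corp.example.com'

# 1) Local host: does the local TCP/IP stack answer at all?
$loopback = Test-Connection -ComputerName 127.0.0.1 -Count 1 -Quiet
"Loopback ping: $(if ($loopback) { 'OK' } else { 'FAILED - local protocol stack problem' })"

# 2) ipconfig /all equivalent: which adapters have a valid IPv4 address and which DNS servers?
Get-NetIPConfiguration | Where-Object { $_.IPv4Address } | ForEach-Object {
    "Adapter $($_.InterfaceAlias): IP $($_.IPv4Address.IPAddress), DNS $($_.DNSServer.ServerAddresses -join ', ')"
}

# 3) DNS: the client must resolve the domain's DC locator SRV records through the domain's
#    DNS servers. A failure here, or an answer pointing at a public host, means the resolver
#    or DNS suffix is wrong.
try {
    $dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' }
    $dcRecords | ForEach-Object { "DC via DNS: $($_.NameTarget) (port $($_.Port))" }
} catch {
    "DNS lookup for _ldap._tcp.dc._msdcs.$Domain failed: $($_.Exception.Message)"
    return
}

# Ping plus the ports a domain join needs: DNS 53, Kerberos 88, LDAP 389, SMB 445.
# If ping fails but the ports succeed, ICMP is simply being filtered (see the note above).
foreach ($dc in ($dcRecords.NameTarget | Select-Object -Unique)) {
    $ping  = Test-Connection -ComputerName $dc -Count 1 -Quiet
    $ports = foreach ($p in 53, 88, 389, 445) {
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        "$p=$(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })"
    }
    "$dc ping=$(if ($ping) { 'OK' } else { 'no reply' }) ports: $($ports -join ' ')"
}

# Time: Kerberos rejects tickets when clocks differ by more than 5 minutes (default skew).
# w32tm /stripchart /dataonly prints one "time, offset" line per sample, e.g. "+00.0123456s".
$dc0    = ($dcRecords | Select-Object -First 1).NameTarget
$sample = w32tm /stripchart /computer:$dc0 /samples:1 /dataonly | Select-Object -Last 1
"Clock offset against $dc0 (must stay well under 5 minutes): $sample"
```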

If you have any questions, feel free to contact me at rebeladm@live.com

Image source: https://pcpt.wordpress.com/2008/11/11/welcome/

How to enable universal group membership caching (UGMC)?

In one of my previous posts I explained how to set up a branch network properly. There I mentioned how we can make the best use of the bandwidth between the corporate office and the branch office. One of the methods we can use for that is universal group membership caching. If the branch office AD servers are not acting as global catalog servers, UGMC allows them to store data about membership of universal groups in a cache. By default this cache is refreshed every eight hours. As a result of UGMC, branch office domain controllers can process logon or resource requests without contacting a GC server over the WAN link.

UGMC has to be enabled on a per-site basis. For this to work, each user must have logged on at least once while a GC server was available and the UGMC feature was enabled.

Let’s see how we can enable this feature.

1)    Log in to the domain controller as a member of the Domain Admins or Enterprise Admins group.
2)    Then go to Server Manager > Tools > Active Directory Sites and Services


3)    Then in the MMC, select the site where you need UGMC enabled.


4)    In the right-hand panel, right-click on "NTDS Site Settings" and click Properties.


5)    In the Properties window, tick "Enable Universal Group Membership Caching".


6)    In the "Refresh cache from" drop-down you can select which site it should use to refresh the cache.


7)    Once this is done, click OK to apply the change.
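The same change made from PowerShell, as an added example that is not part of the original post: the GUI check box sets bit 0x20 in the options attribute of the site's NTDS Site Settings object, and the "Refresh cache from" drop-down sets its msDS-Preferred-GC-Site attribute. It assumes the ActiveDirectory module; Branch-Site and Default-First-Site-Name are placeholder site names.

```powershell
# Added example, not from the original post. Enables UGMC on a site the way the GUI does:
# bit 0x20 (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) in 'options' on the site's
# "NTDS Site Settings" object, plus msDS-Preferred-GC-Site for "Refresh cache from".
# Site names are placeholders.
Import-Module ActiveDirectory

function Set-UgmcOnSite {
    param(
        [Parameter(Mandatory)] [string] $SiteName,   # branch site to enable UGMC on
        [string] $RefreshFromSite                    # site whose GC refreshes the cache (optional)
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $sitesDn  = "CN=Sites,$configNc"
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$SiteName,$sitesDn" -Properties options

    $UGMC_FLAG = 0x20
    $current   = [int]$settings.options                      # null becomes 0
    $replace   = @{ options = ($current -bor $UGMC_FLAG) }   # keep any other flags already set
    if ($RefreshFromSite) {
        # The attribute holds the DN of the site object, not just its name
        $replace['msDS-Preferred-GC-Site'] = "CN=$RefreshFromSite,$sitesDn"
    }
    Set-ADObject -Identity $settings.DistinguishedName -Replace $replace

    # Read back and report, so the change can be verified (and audited) afterwards
    $after = Get-ADObject -Identity $settings.DistinguishedName -Properties options, 'msDS-Preferred-GC-Site'
    [pscustomobject]@{
        Site            = $SiteName
        UgmcEnabled     = ([int]$after.options -band $UGMC_FLAG) -ne 0
        RefreshFromSite = $after.'msDS-Preferred-GC-Site'
    }
}

# Enable UGMC for the branch site, refreshing its cache from the head-office site
Set-UgmcOnSite -SiteName 'Branch-Site' -RefreshFromSite 'Default-First-Site-Name'

# Audit: list every site in the forest that already has UGMC switched on
$sitesBase = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -LDAPFilter '(objectClass=nTDSSiteSettings)' -SearchBase $sitesBase -Properties options |
    Where-Object { ([int]$_.options -band 0x20) -ne 0 } |
    ForEach-Object { ($_.DistinguishedName -split ',')[1] -replace '^CN=' }
```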

This enables UGMC in the given site. If you have any questions about the steps, feel free to contact me at rebeladm@live.com

Step-by-Step Guide to clone a Domain Controller

Starting with Windows Server 2012, Microsoft introduced a feature that allows cloning a domain controller. It helps to quickly restore a domain controller in the event of a failure, and it also helps to deploy test environments easily when needed.

Previously, if you cloned a domain controller, it could not be deployed in the same domain or forest without running sysprep before cloning to remove the security information, and afterwards you had to promote the domain controller manually. Now, when you clone a domain controller, the sysprep and promotion process is done automatically.

For the demo I am using a Windows Server 2012 R2 domain controller deployed in a Hyper-V environment.

1)    Log in to the source domain controller as a Domain Admin or Enterprise Administrator
2)    Go to Server Manager > Tools > Active Directory Users and Computers


3)    Then go to the "Domain Controllers" OU. Select the DC that needs to be cloned, right-click it and select Properties.


4)    Go to the Member Of tab and click on Add.


5)    Then add the security group Cloneable Domain Controllers and click OK.


6)    Close the MMC and open Windows PowerShell with admin rights. Then type Get-ADDCCloningExcludedApplicationList and press Enter. This checks the system for programs that are not compatible with the clone process.


7)    If it comes up with a list, make sure those services are removed before cloning.
8)    After the cleanup process, type
New-ADDCCloneConfigFile -Static -IPv4Address "" -IPv4DNSResolver "" -IPv4SubnetMask "" -CloneComputerName "DC2" -IPv4DefaultGateway "" -SiteName "Default-First-Site-Name"

Here I specify the IP address information the clone server will hold, together with its computer name and site name.


9)    Once it passes and the process is complete, exit the console and log off the server.
10)    For the next steps we need to turn off the source domain controller, so before proceeding make sure the organization is aware of the downtime and its impact.
11)    Open Hyper-V Manager and right-click on the DC that needs cloning. Then select Turn Off.


12)    Once it is turned off, right-click on the DC and select Export. Then select the path to save the export files.



13)    Once the export process is complete, right-click on the source DC and click Start.
14)    Then in Hyper-V go to Action > Import Virtual Machine


15)    This opens the import wizard; click Next to continue.


16)    In the next window specify the folder path to the exported DC. Then click Next.


17)    In the next window select the DC and click Next.


18)    In the next window, from the list select the "Copy the virtual machine (create a new unique ID)" option and click Next.


19)    In the next window it asks for the VM path. You can leave the default or choose a different path based on your requirements. Once done, click Next.


20)    Next it asks for the storage folder. Again, this can be changed as required. Once done, click Next.


21)    Then it shows a summary page. Click Finish to start the import process.


22)    Once the import is complete, right-click on the cloned DC and click Start.
23)    It will run through several stages preparing AD.


24)    Once the process is complete, I logged in to the server as Domain Admin. In the Domain Controllers OU I can see the new cloned DC. Also, under Sites and Services, I can see the cloned DC located correctly.
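Steps 4 to 8 of the procedure above done from PowerShell on the source DC, with the exclusion list used as a gate before the clone config file is written; this is an added example, not the post's own commands. It assumes the ActiveDirectory module; the IP addresses are placeholders from a made-up 10.0.0.0/24 plan, and -GenerateXml is a real parameter of Get-ADDCCloningExcludedApplicationList not mentioned in the post.

```powershell
# Added example, not from the original post: steps 4-8 from PowerShell on the source DC,
# using the exclusion check as a gate. IP values are placeholders (constructed 10.0.0.0/24).
Import-Module ActiveDirectory

$sourceDc  = (Get-ADDomainController).Name     # the DC this script runs on
$cloneName = 'DC2'
$siteName  = 'Default-First-Site-Name'

# Steps 4-5: the source DC's computer account must be in Cloneable Domain Controllers,
# otherwise the clone refuses to promote itself on first boot.
$group     = Get-ADGroup 'Cloneable Domain Controllers'
$dcAccount = Get-ADComputer $sourceDc
$isMember  = Get-ADGroupMember $group | Where-Object { $_.objectGUID -eq $dcAccount.objectGUID }
if (-not $isMember) {
    Add-ADGroupMember -Identity $group -Members $dcAccount
    "Added $sourceDc to $($group.Name)"
}

# Steps 6-7: software not on the built-in allow list blocks cloning. Review each item and
# remove it, or, only if it is known to be clone-safe, whitelist it with
# Get-ADDCCloningExcludedApplicationList -GenerateXml (writes CustomDCCloneAllowList.xml).
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    "Cannot clone yet - review these before continuing:"
    $excluded | Format-Table Name, Type -AutoSize
    return
}

# Step 8: write DCCloneConfig.xml with static addressing for the clone. The cmdlet checks
# that the site exists and that this DC is cloneable before it writes the file.
New-ADDCCloneConfigFile -Static `
    -IPv4Address        '10.0.0.12' `
    -IPv4SubnetMask     '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' `
    -IPv4DNSResolver    '10.0.0.11' `
    -CloneComputerName  $cloneName `
    -SiteName           $siteName

# The clone consumes this file on first boot; by default it sits next to NTDS.dit.
Get-ChildItem -Path "$env:SystemRoot\NTDS\DCCloneConfig.xml" -ErrorAction SilentlyContinue
```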



This is the end of the post; if you have any questions, feel free to contact me at rebeladm@live.com

How to install Certificate Services in a domain environment?

In this demonstration I will show how to install Active Directory Certificate Services and how we can use the issued certificates for different tasks. Specifically, I will demonstrate how to issue certificates trusted by the company to each and every client computer that connects to the domain.

Here I am using a server that is already joined to the domain. I have explained how to install domain services on Windows Server 2008 in one of my previous posts.

The demo environment uses a Windows Server 2008 R2 Standard server, and as the client PC I am using a Windows 7 SP1 PC. This is still valid for Windows Server 2012 as well.

Let’s go ahead and install the certificate services.

To start, log in to the domain server as a Domain Admin and open Server Manager.

Once it opens, right-click on Roles and select Add Roles.


Once the wizard opens, click Next to continue.


From the list select "Active Directory Certificate Services" and click Next.


The next window displays some warnings about the service and its use. Click Next to continue.


In the next window select "Certificate Authority" as the role service and click Next to continue.


In the next window you can select the setup type. Use the default Enterprise setup, as this is a DC server. Click Next to continue.


In the next window select the CA type. Here I used Root CA, as this will be the only CA used for the demo.


In the next window select the "Create a new private key" option and click Next to create the private key for the server.


In the next window you can change the cryptography settings, but I will be using the defaults.


In the next window you can change the CA name if needed. I will be using the default.

In the next window you can define the validity period of the certificate. I will use the default of 5 years.


The next window asks for the file path where the certificate database will be saved.


The next window confirms the installation; click Install to start the installation.


Once it is installed, it shows the confirmation.


Now we have AD CS installed. The next step is to configure it to issue certificates to the computers that connect to the domain.

By default no certificate is issued to the computer. To test this I will log in to a PC joined to greenwich.local as the user "cs1" (this user has local admin rights; otherwise the certificates assigned at the computer level will not show up).

Once logged in, go to Start > Run > mmc.
This opens the MMC.
Once it opens, go to File > Add/Remove Snap-in


In the window, click on Certificates and click the Add button.


Then in the next window select "Computer account", as we need to view the certificates issued to the computer. Then click Next.


In the next window select Local computer and click Finish.


It then shows the added snap-in; click OK to open it.


Once it opens, expand the tree and go to Personal > Certificates. You can see that no certificate has been issued to the PC.


Now we need to configure AD CS to issue certificates to the client computers.

To do that, first log back in to the server where we installed AD CS as Domain Admin or Enterprise Admin. Then open an MMC console as we did above.

Then go to Add/Remove Snap-in as in the previous step.
From the available snap-ins select "Certificate Authority" and add it.


Then also select "Certificate Templates" and click OK.

The console then opens as follows


Then click on Certificate Templates and from the available templates select the "Workstation Authentication" template.


On the Action menu, click Duplicate Template. The Duplicate Template dialog box opens. Select the template version appropriate for your deployment, and then click OK. The new template's Properties dialog box opens.



Once it opens, on the General tab, in Display Name, type a new name for the certificate template or keep the default name.


Go to the Security tab and select "Domain Computers" from the list. Then under Permissions, under Allow, select the Enroll and Autoenroll check boxes, and click OK.


Then click OK to apply the changes.
Then double-click Certification Authority, double-click the CA name, and then click Certificate Templates.


On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.


Click the name of the certificate template you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of Workstation Authentication, and then click OK.


Then go to the "Group Policy Object Editor", right-click Default Domain Policy and select Edit.

Open Computer Configuration, then Policies, then Windows Settings, then Security Settings, and then Public Key Policies.


In the right-hand panel, double-click "Certificate Services Client - Auto-Enrollment". The Certificate Services Client - Auto-Enrollment Properties dialog box opens.

In the Certificate Services Client - Auto-Enrollment Properties dialog box, in Configuration Model, select Enabled.


Select the "Renew expired certificates, update pending certificates, and remove revoked certificates" check box and click OK.


Now we have everything in place with the configuration. We need to test it by logging in to the PC again to see whether it issues the certificate now. I will log in to the same computer as user cs1 (this user has local admin rights on the PC; otherwise the user can only see certificates issued to the user). After login, open the MMC as we did at the beginning and browse to the same location.



This clearly shows the new certificate created for the computer by the certificate server.
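The same verification done from the client PC with PowerShell, as an added example that is not part of the original post: it forces the policy refresh, then checks the computer store for a certificate issued from the duplicated template and reports what it grants. It assumes the default template name "Copy of Workstation Authentication" from the post and that the script runs as a local administrator; the template-information OID and the Client Authentication EKU OID are standard PKI facts not mentioned in the post.

```powershell
# Added example, not from the original post: verify the auto-enrolment from the client side
# without clicking through the MMC. Run as a local administrator on the domain-joined PC.
# 'Copy of Workstation Authentication' is the default template name used in the post.
$TemplateName = 'Copy of Workstation Authentication'

# Autoenrollment normally waits for the next Group Policy refresh; trigger both now.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null          # fires the autoenrollment scheduled task immediately
Start-Sleep -Seconds 10

function Get-TemplateName([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert) {
    # Duplicated (v2+) templates carry the "Certificate Template Information" extension
    # (OID 1.3.6.1.4.1.311.21.7). Format() renders it as "Template=<name>(<oid>), ...";
    # if Windows cannot resolve the template OID to a name, the OID appears instead.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if (-not $ext) { return $null }
    if ($ext.Format($false) -match 'Template=([^(]+)') { return $Matches[1].Trim() }
    return $null
}

$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object { (Get-TemplateName $_) -eq $TemplateName }

if (-not $issued) {
    "No certificate from template '$TemplateName' in the computer store."
    "Check: GPO applied (gpresult /r /scope:computer), template is published on the CA,"
    "and Domain Computers has Enroll and Autoenroll on the template."
    return
}

# Report what each issued certificate actually grants. Workstation Authentication yields the
# Client Authentication EKU (1.3.6.1.5.5.7.3.2); the private key must be present for the
# machine to use it (802.1X, LDAPS client auth, etc.).
foreach ($c in $issued) {
    [pscustomobject]@{
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        NotAfter      = $c.NotAfter
        Template      = Get-TemplateName $c
        ClientAuthEKU = ($c.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
        HasPrivateKey = $c.HasPrivateKey
    }
}
```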