(8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
Remark: This example is from my production domain controllers.
Then I ran "repadmin /showrepl".
There is a problem with ForestDnsZones on CONDC01.
I checked the Directory Service event log and found many events with Event ID 1988 on CONDC02.
By default, domain controllers running Windows Server 2003 SP1 or later have "Strict Replication" enabled to prevent lingering objects from being replicated.
For more information about "Strict Replication", see the following pages.
Enable Strict Replication Consistency (Windows Server 2008 or Windows Server 2008 R2)
Enable Strict replication consistency (Windows Server 2003)
According to KB2028495, there are some lingering objects in the Forest DNS Zones of CONDC01.
For more information about lingering objects, see the following pages.
Information about lingering objects in a Windows Server Active Directory forest
Lingering Objects
Then I ran "repadmin /removelingeringobjects CONDC01 1fcb48fb-c7f7-4281-9fcc-10987772ae9a DC=ForestDnsZones,DC=CORP,DC=CONTOSO,DC=COM /advisory_mode" on CONDC02 to detect the lingering objects on CONDC01.
Example: "repadmin /removelingeringobjects <Bad DC> <GUID of DC with correct data> <Naming Context of the lingering objects partition> /advisory_mode"
Remark: "1fcb48fb-c7f7-4281-9fcc-10987772ae9a" is the GUID of CONDC02.
Many events with Event ID 1946 then appear in the Directory Service event log on CONDC01.
This event means a lingering object was detected.
When the detection finishes, an event with Event ID 1942 is logged in the Directory Service event log.
Back on CONDC02, I ran "repadmin /removelingeringobjects CONDC01 1fcb48fb-c7f7-4281-9fcc-10987772ae9a DC=ForestDnsZones,DC=CORP,DC=CONTOSO,DC=COM" to delete the lingering objects on CONDC01.
Back on CONDC01, many events with Event ID 1945 appear in the Directory Service event log.
When all the lingering objects have been deleted, an event with Event ID 1939 is logged in the Directory Service event log.
After all lingering objects were deleted, AD replication returned to normal in my production environment.
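The detect-then-remove sequence above as one PowerShell script (an added example, not part of the original post): it runs the advisory pass, counts Event ID 1946/1942 on the bad DC, and runs the removal pass only after confirmation, then checks for 1945/1939. The helper name Invoke-LingeringObjectPass is hypothetical; the server name, GUID and naming context are the ones used in this post, and the script assumes remote event log access to the bad DC.

```powershell
# Added example. Values are the ones used in this post; change them for your forest.
$BadDC      = 'CONDC01'                                # DC holding the lingering objects
$SourceGuid = '1fcb48fb-c7f7-4281-9fcc-10987772ae9a'   # GUID of CONDC02 (DC with correct data)
$NC         = 'DC=ForestDnsZones,DC=CORP,DC=CONTOSO,DC=COM'

function Invoke-LingeringObjectPass {   # hypothetical helper name
    param(
        [ValidateSet('Advisory', 'Remove')][string]$Mode,
        [int]$PerObjectId,   # 1946 = object detected, 1945 = object deleted
        [int]$SummaryId      # 1942 = detection finished, 1939 = removal finished
    )
    # Assumes this machine's clock and the DC's clock agree closely.
    $start = Get-Date
    $repadminArgs = @('/removelingeringobjects', $BadDC, $SourceGuid, $NC)
    if ($Mode -eq 'Advisory') { $repadminArgs += '/advisory_mode' }

    & repadmin.exe @repadminArgs | Out-Host
    $exitCode = $LASTEXITCODE

    # The events are logged on the DC being checked, so query its log remotely.
    # 1943 is the "unable to remove all of the lingering objects" error event.
    $events = @(Get-WinEvent -ComputerName $BadDC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = $PerObjectId, $SummaryId, 1943
        StartTime = $start
    })
    [pscustomobject]@{
        Mode         = $Mode
        RepadminExit = $exitCode
        ObjectEvents = @($events | Where-Object { $_.Id -eq $PerObjectId }).Count
        Completed    = @($events | Where-Object { $_.Id -eq $SummaryId }).Count -gt 0
        Failed       = @($events | Where-Object { $_.Id -eq 1943 }).Count -gt 0
    }
}

# Pass 1: detect only (nothing is deleted in advisory mode).
$advisory = Invoke-LingeringObjectPass -Mode Advisory -PerObjectId 1946 -SummaryId 1942
$advisory | Format-List

# Pass 2: delete, only after a clean advisory pass and explicit confirmation.
if ($advisory.Completed -and -not $advisory.Failed -and $advisory.ObjectEvents -gt 0) {
    $answer = Read-Host "Delete $($advisory.ObjectEvents) lingering object(s) from $BadDC? (y/n)"
    if ($answer -eq 'y') {
        Invoke-LingeringObjectPass -Mode Remove -PerObjectId 1945 -SummaryId 1939 | Format-List
    }
}
```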
Reference:
Clean that Active Directory forest of lingering objects
Lingering objects
This posting is provided “AS IS” with no warranties, and confers no rights!
Thank you for the information, it saved me a lot of time to fix
Heiko
I am getting this error from DC01 after I perform the command at DC02,
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 11/5/2014 4:56:02 PM
Event ID: 1943
Task Category: Replication
Level: Error
Keywords: Classic
User: BS\Administrator
Computer: RDCPR01.MEPS.HORIZON
Description:
Active Directory Domain Services was unable to remove all of the lingering objects on the local domain controller. However, some lingering objects might have been deleted on this domain controller before this operation stopped. All objects had their existence verified on the following source domain controller.
Source domain controller:
[]
Number of objects successfully deleted:
0
User Action
Rerun the lingering object removal process.
Additional Data
Error value:
Replication access was denied. 8453
Hi,
Sorry for the late reply. To easily remove all lingering objects, you can try to use ReplDiag. The tool can be downloaded from the following web site.
http://activedirectoryutils.codeplex.com/releases/view/13664
For reference,
http://blogs.technet.com/b/askds/archive/2014/09/15/remove-lingering-objects-that-cause-ad-replication-error-8606-and-friends.aspx