Lingering Objects Test

When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. If you attempt to restore a backup that has expired, you may encounter problems due to “lingering objects”.

A lingering object is a deleted AD object that re-appears (“lingers”) on the restored domain controller (DC) in its local copy of Active Directory. This can happen if the object was deleted on another DC after the backup was made, and that deletion occurred more than 180 days ago.

When a DC deletes an object it replaces the object with a tombstone object. The tombstone object is a placeholder that represents the deleted object. When replication occurs, the tombstone object is transmitted to the other DCs, which causes them to delete the AD object as well.

Tombstone objects are kept for 180 days, after which they are garbage-collected and removed.

If a DC is restored from a backup that contains an object deleted elsewhere, the object will re-appear on the restored DC. Because the tombstone object on the other DCs has been removed, the restored DC will not receive the tombstone object (via replication), and so it will never be notified of the deletion. The deleted object will “linger” in the restored local copy of Active Directory.

Such lingering objects tend to create problems during replication. For instance, if the source domain controller holds outdated objects that have been out of replication for more than one tombstone lifetime, a failure event will be logged in the Windows event log when replication from that source is attempted. You will have to promptly capture such events, identify the lingering objects, and delete them to ensure that replication resumes. The Lingering Objects test helps you do this: it scans the event logs for replication events related to lingering objects and alerts you promptly when such events occur. Using the detailed diagnosis of the test, you can determine where the lingering objects are located, so that you can proceed to remove them. This way, the test ensures that the replication engine operates without a glitch.

Note:

This test works only on Active Directory servers that operate on Windows 2012 or above.

Target of the test : An Active Directory or Domain Controller on Windows 2012 or above

Agent deploying the test : An internal agent

Outputs of the test : One set of results for every Active Directory server that is being monitored

Configurable parameters for the test

Test period
  This indicates how often the test should be executed.

Host
  The IP address of the machine where Active Directory is installed.

Port
  The port number through which Active Directory communicates. The default port number is 389.

Detailed Diagnosis
  To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, choose the Off option.

  The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

    • The eG manager license should allow the detailed diagnosis capability.
    • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test

Lingering messages
  Description: Indicates the number of messages currently logged in the event log that contain references to lingering objects.
  Measurement unit: Number
  Interpretation:

This measure typically captures and reports the number of events with event IDs 1388 and 1988 in the event log.

Event ID 1388 indicates that a destination domain controller that does not have strict replication consistency enabled received a request to update an object that does not reside in the local copy of the Active Directory database. In response, the destination domain controller requested the full object from the source replication partner. In this way, a lingering object was replicated to the destination domain controller. Therefore, the lingering object was reintroduced into the directory.

Event ID 1988 indicates that a destination domain controller that has strict replication consistency enabled has received a request to update an object that does not exist in its local copy of the Active Directory database. In response, the destination domain controller blocked replication of the directory partition containing that object from that source domain controller.

The detailed diagnosis of this test provides the complete description of the events with IDs 1388 and/or 1988 that are logged in the event log. The source domain controller and the lingering objects can be inferred from the event description. Using this information, you can run the repadmin command on the source domain controller to delete the lingering objects.
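As an added example (not eG's or Microsoft's code), the following PowerShell does what the detailed diagnosis describes: it reads 1388/1988 events, pulls the source DC and the object identity out of each message, and groups the results per source DC. The field labels it matches on ("Source DC", "Object:", "Object GUID:") are an assumption about the event text, and the sample event is constructed.

```powershell
# Added example (not eG's code): parse lingering-object events (IDs 1388/1988) and
# summarise them per source DC. ASSUMPTION: the labels "Source DC", "Object:" and
# "Object GUID:" follow the usual layout of these events; adjust the regexes if not.

function ConvertFrom-LingeringObjectEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $m = [string]$Record.Message
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            EventId     = $Record.Id
            # 1988 = strict consistency on, replication blocked; 1388 = off, object reintroduced.
            Blocked     = ($Record.Id -eq 1988)
            SourceDC    = if ($m -match '(?m)^Source DC[^:]*:\s*(\S+)') { $Matches[1] } else { $null }
            Object      = if ($m -match '(?m)^Object:\s*(.+?)\s*$')     { $Matches[1] } else { $null }
            ObjectGuid  = if ($m -match '(?m)^Object GUID:\s*(\S+)')    { $Matches[1] } else { $null }
        }
    }
}

function Get-LingeringObjectSummary {
    # One row per source DC (the DC that still holds the objects and therefore the
    # target of repadmin /removelingeringobjects; run it with /advisory_mode first).
    param([Parameter(ValueFromPipeline)] $Record)
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add(($Record | ConvertFrom-LingeringObjectEvent)) }
    end {
        $rows | Group-Object SourceDC | ForEach-Object {
            [pscustomobject]@{
                SourceDC = $_.Name
                Events   = $_.Count
                Blocked  = @($_.Group | Where-Object Blocked).Count
                Objects  = (@($_.Group.ObjectGuid) | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Constructed sample event (not a real capture) so the parsing can be tried offline.
$msg = @"
Source DC (Transport-specific network address):
f0e1d2c3-0000-4000-8000-000000000001._msdcs.example.test
Object:
CN=OLDSRV01,OU=Servers,DC=example,DC=test
Object GUID:
0a1b2c3d-1111-4222-8333-444455556666
"@
$sample = [pscustomobject]@{ Id = 1988; TimeCreated = Get-Date; Message = $msg }
$sample | Get-LingeringObjectSummary | Format-Table -AutoSize
# On a DC: Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1388, 1988 } | Get-LingeringObjectSummary
```

The SourceDC column names the DC that still holds the objects and the Objects column lists their GUIDs, which is the information needed before any repadmin cleanup.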