Troubleshooting AD Replication error 8240: "There is no such object on the server"

Applies to: Windows Server 2019, all versionsWindows Server version 1803Windows Server Datacenter Core More

Symptoms


Symptom 1

Output of the Repadmin /ShowReps command:
SiteName\DCName via RPC
objectGuid: <GUID>
Last attempt @ <Time> failed, result 8240:
There is no such object on the server.
Last success @ (never).

Symptom 2

When you try to force replication in the Active Directory Sites and Services console (dssite.msc) by using the Replicate now option, you receive the following error message:
The following error occurred during the attempt to synchronize naming context <Naming Context> from Domain Controller <Source-DC-Name> to Domain Controller <Destination-DC-Name>:
There is no such object on the server. This operation will not continue.

Symptom 3

When you try to remove Active Directory from a domain controller, you receive the following error message in the Active Directory installation wizard:

Active Directory could not transfer the remaining data in directory partition <Naming-Contentxt> to domain controller <Domain-Controller>."There is no such object on the server."

Symptom 4

You receive NTDS General event 1126 in Directory Service on Domain Controller with error 8240:

Event Type: Error
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1126
Date: 5/2/2009
Time: 10:51:48 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ComputerName
Description:
Active Directory was unable to establish a connection with the global catalog.

Additional Data
Error value:
8240 There is no such object on the server.
Internal ID:
3200ba0

Cause


Error 8240 (0x2030) means ERROR_DS_NO_SUCH_OBJECT. This indicates that the specific object could not be found in directory. This error may be encountered in the following two situations.

Situation 1: During AD replication

When a change occurs to an object in Active Directory on the source domain controller, the source domain controller propagates this change to other domain controllers by notifying its replication partners to retrieve this change. Destination domain controllers pull the change from the source domain controller when they receive the change the notification. After the change is retrieved, destination domain controllers try to transact the change into the local database.

The destination domain controller has to look up the changed object in the local database so that the change can be applied to that object. If the target object cannot be located for some reason, Active Directory reports error 8240.

This error may be observed in the following situations:
  • When a change occurred to an object on the source domain controller but this object was cleaned by the garbage-collection process
  • When AD replication recovers after it fails for a time that exceeds the tombstone lifetime (TSL), deletion may not be propagated before the tombstone is cleaned
  • When the change-originating domain controller has Active Directory removed before the domain controller has an opportunity to propagate the deletion to other domain controllers that host a writable partition for that domain and the change is replicated to global catalog

Situation 2: Reported 8240 in 1126 Event (NTDS)

The domain controller tries to locate global catalogs for its functionalities, such as universal group membership lookup. If the system cannot locate an available domain controller, event 1126 is reported together with error 8240 in the NTDS event log.

Resolution


Situation 1: During AD replication

To troubleshoot this issue, follow these steps:
  1. Determine the problematic domain controller that has the inconsistent object. This error means that the local domain controller finds that an inconsistent object exists in its incoming partner (for the specific replication connection) but not local AD database. 
  2. Determine whether you want to remove the objects or leave those objects as they are, as follows: 
    • If you want to remove the objects, you can use the Repadmin.exe command together with the RemoveLingeringObjects switch to remove those inconsistent objects from the source domain controller. For more information, go to the following Microsoft TechNet website:

      Use Repadmin to remove lingering objects

      Note For a read-only partition, you have to use the Repadmin /Rehost command.
    • If you want to keep those objects, you can create the following objects on the destination domain controller:

      Sub-Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
      Value Name: Strict Replication Consistency
      Value Type: REG_DWORD
      Value Data: 0

      Sub-Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
      Value Name: Allow Replication With Divergent and Corrupt Partner
      Value Type: REG_DWORD
      Value Data: 1

      Sub-Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
      Value Name: Correct Missing Object
      Value Type: REG_DWORD
      Value Data: 1


      Note You must be careful in a large environment that contains many domain controllers, because the propagation of those inconsistent objects could cause more and more domain controllers to report 8240 errors until the propagation is complete.
    • Another option is to forcedly remove Active Directory from the domain controller that contains the inconsistent objects. To do this, follow these steps: 
      1. Forcedly remove Active Directory: Active Directory Installation Wizard (Dcpromo.exe) /forceremoval.
      2. Clean up metadata for the domain controller by following the steps in the following article in the Microsoft Knowledge Base:
        216498 How to remove data in Active Directory after an unsuccessful domain controller demotion
      3. Repromote the domain controller by using Dcpromo.exe.

Situation 2: Reported 8240 in 1126 Event (NTDS)

For the error that indicates that GC is not available, we may generally follow the GC location process to check. To do this, follow these steps:
  1. Check whether there is any specified global catalog in the forest. If there is not, configure a GC. 

    Note After you mark a domain controller as GC, it may take time for KCC to calculate a new replication topology, build the global catalog, and GC ready announcement. How long depends on the replication schedule, the time that is used to replicate the required read-only NCs, and the interval of KCC actvity. 
  2. Check whether you can obtain a domain controller from DNS thorugh the command lTest.exe /DnsGetDC:<DomainName> /GC /Force. If you cannot GC record in DNS, take the following two actions:
    • GC announcement on existing GCs: use ldp.exe connect to GC to check whether the value of isGlobalCatalogReady is set to true.
    • Check DNS registration: netdiag /fix.

  3. Check whether you can connect to the GC over TCP 3268 through ldp.exe.

More Information


For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
317097 Lingering objects prevent Active Directory replication from occurring

910204 Troubleshooting problems with promoting a domain controller to a global catalog server