Restoring a domain controller may cause inconsistencies between domain controllers
- "DC=domain,DC=root" is the domain naming context.
- "good_DC" is the destination DC. This is the good partner that will receive the updates.
- The DSA GUID is the replication GUID for the restored DC. You can get this by running Repadmin /showreps on the restored server. The GUID is listed at the top under "DC Object Guid".
Repeat the process for the configuration naming context by using a command similar to the following:
Event Source: NTDS Replication
Event Category: (5)
Event ID: 1587
Time: 10:52:35 AM
The Directory Service Agent (DSA) corresponding to objectGuid d0a6a575-9702-4f4e-bf68-bb2a9f875188 has asked for changes starting at a bookmark preceding the local DSA's most recent restore from backup at USN 94727614. The bookmark is being adjusted as follows: Previous Invocation ID: bc546028-fae7-4978-abe0-d294694da32b
Previous Object Update USN: 95853579
Previous Property Update USN: 95853579
New Invocation ID: ae6286cb-740b-4bb3-ace7-9577efa9dc9f
New Object Update USN: 94727614
New Property Update USN: 94727614
This event is typical for a restored domain controller. By itself, this does not indicate a problem. This is a problem if objects that are created on the restored domain controller "silently" do not replicate out.
In the problem scenario, the highest USN is rolled back. However, during the bookmark (or "up-to-dateness" vector reset), the source domain controller supplies the highest USN value that was present before the restoration. Objects that have USNchanged values between the upper and lower highestCommittedUSN attribute value are never considered for replication.
For example: Assume that domain controller 1 has a highest USN of 100. Its replication partner, domain controller 2, has an "up-to-dateness" vector of 100 for domain controller 1.
You restore domain controller 1 from a backup on which the highest USN is 50. After the next replication with domain controller 2, domain controller 1 resets the bookmark to 100 (it should be 50). domain controller 1 originates changes 51, 52, and 53. When domain controller 2 negotiates replication, it never considers the changes because it believes that it has changes up through 100. domain controller 1 continues to make changes and eventually reaches 101. Change 101 is replicated, but changes 51 through 100 are not.
In some cases, you can detect this state. Use Ldp or ADSI Edit to read the current highestCommittedUSN attribute on the rootDSE object on the restored domain controller. Then, compare that to the output from the repadmin /showreps /verbose command on one of its partners. In the Repadmin output, look for the "USN ###/OU" value for the restored domain controller for each naming context. If the value in Repadmin is higher than the highestCommittedUSN attribute, the restored domain controller is experiencing the problem.
Note that if the restored domain controller has originated enough updates that its highestCommittedUSN attribute has reached or exceeded the "up-to-dateness" vector that is recorded on the other domain controllers (as in the example in this article), some changes will never be considered for replication. However, new changes are replicated out. The unreplicated changes are referred to as "lingering objects."
317097 Lingering Objects Prevent Active Directory Replication from Occurring
3125191 Event ID 1587 is generated on a Domain Controller when there are more than two domain controllers in the same site as a Lync server
Article ID: 316829 - Last Review: 01/25/2016 21:57:00 - Revision: 7.0
- kbbug kbdirservices kbfix kbwin2000presp3fix kbwin2000sp3fix KB316829