Restoring a domain controller may cause an Event ID: 1587, indicating inconsistencies between domain controllers. If this occurs, some lingering objects may be present on the restored domain controller. Also, new objects on the restored domain controller are not replicated.
This problem occurs because the domain controller assigns a new invocation ID, but uses the original highwater mark.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
To resolve this issue, obtain the hotfix that is described in the following Microsoft Knowledge Base article:
299687 MS01-036: Function Exposed By Using LDAP over SSL Could Enable Passwords to Be Changed
To work around this problem, demote and then promote the restored domain controller. Before you demote the affected server, force a full replication of the affected server to another domain controller. (The full synchronization can be resource intensive for larger domains.) Perform the full synchronization on the domain partition and on the configuration partition. The following line shows the syntax of the Repadmin command that you use to perform the synchronization:
The problem is not likely to be solved after you do this. After you do this, install the hotfix or demote and then promote the domain controller to solve the problem.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
When you restore a domain controller, the highest committed USN is rolled back to the point when the backup was created. The domain controller's invocation ID is retired and a new one is assigned. When a partner tries to replicate the first time after the restoration, the follow message is recorded:
Event Type: Information Event Source: NTDS Replication Event Category: (5) Event ID: 1587 Date: 3/16/2001 Time: 10:52:35 AM User: CONTOSO\CO-NA-DC-01$ Computer: CO-DC-02 Description: The Directory Service Agent (DSA) corresponding to objectGuid d0a6a575-9702-4f4e-bf68-bb2a9f875188 has asked for changes starting at a bookmark preceding the local DSA's most recent restore from backup at USN 94727614. The bookmark is being adjusted as follows: Previous Invocation ID: bc546028-fae7-4978-abe0-d294694da32b Previous Object Update USN: 95853579 Previous Property Update USN: 95853579 New Invocation ID: ae6286cb-740b-4bb3-ace7-9577efa9dc9f New Object Update USN: 94727614 New Property Update USN: 94727614
This event is typical for a restored domain controller. By itself, this does not indicate a problem. This is a problem if objects that are created on the restored domain controller "silently" do not replicate out.
In the problem scenario, the highest USN is rolled back. However, during the bookmark (or "up-to-dateness" vector reset), the source domain controller supplies the highest USN value that was present before the restoration. Objects that have USNchanged values between the upper and lower highestCommittedUSN attribute value are never considered for replication.
For example: Assume that domain controller 1 has a highest USN of 100. Its replication partner, domain controller 2, has an "up-to-dateness" vector of 100 for domain controller 1.
You restore domain controller 1 from a backup on which the highest USN is 50. After the next replication with domain controller 2, domain controller 1 resets the bookmark to 100 (it should be 50). domain controller 1 originates changes 51, 52, and 53. When domain controller 2 negotiates replication, it never considers the changes because it believes that it has changes up through 100. domain controller 1 continues to make changes and eventually reaches 101. Change 101 is replicated, but changes 51 through 100 are not.
In some cases, you can detect this state. Use Ldp or ADSI Edit to read the current highestCommittedUSN attribute on the rootDSE object on the restored domain controller. Then, compare that to the output from the repadmin /showreps /verbose command on one of its partners. In the Repadmin output, look for the "USN ###/OU" value for the restored domain controller for each naming context. If the value in Repadmin is higher than the highestCommittedUSN attribute, the restored domain controller is experiencing the problem.
Note that if the restored domain controller has originated enough updates that its highestCommittedUSN attribute has reached or exceeded the "up-to-dateness" vector that is recorded on the other domain controllers (as in the example in this article), some changes will never be considered for replication. However, new changes are replicated out. The unreplicated changes are referred to as "lingering objects."
For additional information about lingering objects, click the following article number to view the article in the Microsoft Knowledge Base:
317097 Lingering Objects Prevent Active Directory Replication from Occurring
3125191 Event ID 1587 is generated on a Domain Controller when there are more than two domain controllers in the same site as a Lync server