none
need your advice! RRS feed

  • Question

  • Hi all,

    We have one forest and one domain with Windows 2003 functional level(mixed Windows 2003 and 2008R2 DCs).
    On one domain controller behind FW constantly gets event 1864 (see below)
    I checked the tombstonelifetime through adsiedit.exe and the value is not set. (that means 180 days)
    I checked schema.ini and the tombstoneLifetime=180
    So, tombstoneLifetime in our environment is 180 days. right?
    Also, if there is one DC passed tombstonelifetime and still connected in our network, what could end up?
    The fix to this DC is to disconnect it and do a metadata clean up?

    Thank you for your help

    ---------------
    Event Type: Error
    Event Source: NTDS Replication
    Event Category: Replication 
    Event ID: 1864
    Date: 4/1/2016
    Time: 10:32:57 AM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: PC1
    Description:
    This is the replication status for the following directory partition on the local domain controller. 
     
    Directory partition:
    DC=home,DC=local
     
    The local domain controller has not recently received replication information from a number of domain controllers.   The count of domain controllers is shown, divided into the following intervals. 
     
    More than 24 hours:

    More than a week:

    More than one month:

    More than two months:

    More than a tombstone lifetime:

    Tombstone lifetime (days):
    60 
     Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled. 
     
    To identify the domain controllers by name, install the support tools included on the installation  CD and run dcdiag.exe. 
    You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest.   The command is "repadmin /showvector /latency <partition-dn>".

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Wednesday, April 6, 2016 3:13 PM

Answers

All replies

  • Hi

     You can check this similar case;https://social.technet.microsoft.com/Forums/windowsserver/en-US/dd77bbc0-9529-482b-abd8-bae48d4eaa9c/event-id-1864?forum=winserverDS

    To verify you need to run "dcdiag" and repadmin /replsum" and check for errors...

    Also if your dc has tombstone lifetime error,you should demote DC from domain,then will do a metadata cleanup and promote it again.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Wednesday, April 6, 2016 4:44 PM
  • The DC is not showing to be tombstoned. Please refer to what I mentioned here especially the required ports as they need to be opened to both directions between your DCs: http://www.ahmedmalek.com/web/fr/articles.asp?artid=23

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Thursday, April 7, 2016 12:17 AM
  • Thanks for your help.

    by https://technet.microsoft.com/en-us/library/cc784932(v=ws.10).aspx, the default value is not set and is 60 days.  TRue?  

    I googled other places and the value should be 180 days in my envir.  Can anyone confirm?

    also, in schema.ini

    ; Explict TSL default set in W2K3 SP1 to increase shelf-life of backups and allow longer
    ; disconnection times.
    tombstoneLifetime=180

    180 days should be TSL in our envi.??

    ------------------------------

    To determine the tombstone lifetime for the forest using ADSIEdit

    1. Click Start, point to Administrative Tools, and then click ADSI Edit.

    2. In ADSI Edit, right-click ADSI Edit, and then click Connect to.

    3. For Connection Point, click Select a well known Naming Context, and then click Configuration.

    4. If you want to connect to a different domain controller, for Computer, click Select or type a domain or server: (Server | Domain [:port]). Provide the server name or the domain name and Lightweight Directory Access Protocol (LDAP) port (389), and then click OK.

    5. Double-click Configuration, CN=Configuration,DC=ForestRootDomainName, CN=Services, and CN=Windows NT.

    6. Right-click CN=Directory Service, and then click Properties.

    7. In the Attribute column, click tombstoneLifetime.

    8. Note the value in the Value column. If the value is <not set>, the value is 60 days.



    • Edited by John JY Thursday, April 7, 2016 2:56 PM
    Thursday, April 7, 2016 2:33 PM
  • Hi

     Seems to you have possible lingering object issue;you should focus on that;check the article,

    https://support.microsoft.com/en-us/kb/910205

    And tombstone lifetime periods;

    On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Thursday, April 7, 2016 5:30 PM