Risks and Best Practices related to the introduction of the first Win2K8 DC in a Win2K3 Forest

Hello ALL,

Sometimes you think ... "Hey it's too easy to install a Windows Server and upgrade it or too easy is add a new domain controller", but sometimes you really need to take care of small things you cannot imagine it will impact you.

This post is to help and complete the previous post http://panerarichang.blogspot.com/2011/05/how-to-install-first-2008-r2-domain.html

Let's starting think about this scenario:

The first DC running Windows Server 2008 R2 was added in the forest which has the side-effect of stamping the isrecycled attribute on live objects AND deleted objects that reside in the deleted objects container, including objects that are @ the cusp of TSL expiration and about to be garbage collected. This update triggers an outbound replication event to replica DCs hosting common partitions.

NTDS Replication Event 1988 is logged on strict mode destination DCs that received a request to inbound replicate an update to an object from the source DC cited in the event that the destination DC has already seen, deleted and garbage collected.

This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory database.  This replication attempt has been blocked.

" The best solution to this problem is to identify and remove all lingering objects in the forest."

 Cause

=============

The problem occurs when introduction of the First Windows Server 2008 R2 DC outbound replicates updates objects deleted (@ the cusp of) TSL # of days in the past to strict mode destination DCs that have independently garbage collected the deleted objects

An up-to 12 hour "race condition" exists that can block AD replication when source DCs that have not yet garbage collected objects deleted at the cusp of TSL expiration outbound replicate IsRecycled stamps to strict mode destination domain controllers that have seen, deleted and garbage collected those same objects.

There is a known issue when you add your first Windows 2008 R2 domain controller in an Active Directory forest. It is caused by the Active Directory Recycle Bin feature, which requires updating all Active Directory objects to fill the new attribute named isRecycled even if this feature is not enabled.

When this DC is added, it will update the objects to set the isRecycled attribute. This attribute change has to be replicated to other DCs. As the objects deleted about Tombstone_Lifetime days earlier may have already been garbage collected on the target DCs, this update will concern a non-existing object. This scenario is the lingering object one, and its effect is to block replication (if strict replication is configured) until this lingering object is removed.

In this case, this situation will disappear after a maximum of 12 hours, the interval between to execution of the garbage collection.

Resolution

=============

Wait up to 12 hours for all domain controllers logging the NTDS Replication 1988 event to garbage collect lingering object

OR

Accelerate the execution of garbage collection on DCs that have yet to garbage collect objects deleted TSL # of days in the past on the source DCs referenced in the 1988 events using the ROOTDSE "DoGarbageCollection control.

1. In Ldp.exe, when you click Browse on the Modify menu, leave the Distinguished name box empty.
2. In the Edit Entry Attribute box, type "DoGarbageCollection" (without the quotation marks),
3. In the Values box, type "1" (without the quotation marks).
4. Set the Operation value set to Add and click the Enter button, and then click Run.

OR

Increase the garbage collection interval prior to the introduction prior to the introduction of the 1st Win2K8 R2 DC.

The garbage collection interval can be configured by entering a value in the garbageCollPeriod attribute at:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=forest,DC=root

                           Default - 12 hours
                           Minimum - 1 hour
                           Maximum - Not documented.

Articles Related

==================

Enable Strict Replication Consistency

http://technet.microsoft.com/en-us/library/cc816938(WS.10).aspx

Troubleshooting Active Directory operations that fail with error 8606 Insufficient attributes were given to create an object

http://support.microsoft.com/kb/2028495

Event ID 1988 Logged in Directory Service Log after Schema Update

http://support.microsoft.com/kb/2005074

Problems with introducing a new Windows Server 2008 DC into a Windows 2003 forest

http://blogs.technet.com/b/instan/archive/2009/07/30/problems-with-introducing-a-new-windows-server-2008-dc-into-a-windows-2003-forest.aspx?wa=wsignin1.0