Event ID 1388 or 1988: A lingering

object is detected
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1,
Windows Server 2003 with SP2
If a destination domain controller logs event ID 1388 or event ID 1988, a lingering object has been
detected and one of two conditions exists on the destination domain controller:
Event ID 1388: Inbound replication of the lingering object has occurred on the destination
domain controller.

Event ID 1988: Inbound replication of the directory partition of the lingering object has been
blocked on the destination domain controller.

Event ID 1388
This event indicates that a destination domain controller that does not have strict replication
consistency enabled has received a request to update an object that does not reside in the local
copy of the Active Directory database. In response, the destination domain controller has
requested the full object from the source replication partner. In this way, a lingering object has
been replicated ("reanimated") to the destination domain controller.
The event text identifies the source domain controller and the outdated (lingering) object. An
example version of the event text is as follows:
Important
When event ID 1388 occurs, if either the source domain controller (the replication partner that
is outbound-replicating the lingering object) or the destination domain controller (the inbound
replication partner that reports event ID 1388) is running Windows 2000 Server, you cannot
use the Repadmin tool to remove lingering objects. For information about how to remove
lingering objects in this case, see article 314282, "Lingering objects may remain after you bring
an out-of-date global catalog server back online
1
," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=41410. The procedures and information in this article
apply to the removal of lingering objects from global catalog servers as well as from domain
controllers that are not global catalog servers.
Page 1 of 9 Event ID 1388 or 1988: A lingering object is detected: Active Directory
5/30/2011 http://technet.microsoft.com/en-us/library/cc780362(d=printer,v=WS.10).aspx
Event ID 1988
This event indicates that a destination domain controller that has strict replication consistency
enabled has received a request to update an object that does not exist in its local copy of the
Active Directory database. In response, the destination domain controller has blocked replication of
the directory partition containing that object from that source domain controller. The event text
identifies the source domain controller and the outdated (lingering) object. An example version of
the event text is as follows:
Page 2 of 9 Event ID 1388 or 1988: A lingering object is detected: Active Directory
5/30/2011 http://technet.microsoft.com/en-us/library/cc780362(d=printer,v=WS.10).aspx
Cause
An object that has been permanently deleted from Active Directory (that is, its tombstone has
been garbage-collected) remains on a domain controller. The domain controller failed to receive
direct or transitive replication of the object deletion because it was disconnected (offline or
experiencing an inbound replication failure) from the replication topology for a period that
exceeded a tombstone lifetime. That object has been updated on the domain controller, causing a
replication notification to the replication partner that an update is ready for replication. The
replication partner has responded according to its replication consistency setting. This notification
applies to attempted replication of a writable object. A copy of the writable lingering object might
also exist on a global catalog server.
Solution
If replication of a lingering object has been detected, you can remove the object from
Active Directory, along with any read-only replicas of the object, by identifying the domain
controllers that might store this object (including global catalog servers) and running a repadmin
command to remove lingering objects against these servers
(repadmin /removelingeringobjects). This command is available on domain controllers that are
running the version of Repadmin.exe that is included with Windows Support Tools in
Windows Server 2003.
If the lingering object is present in a writable or read-only directory partition on a domain
controller running Windows Server 2003 or Windows Server 2003 with Service Pack 1 (SP1), you
can remove lingering objects by running the repadmin /removelingeringobjects command
Page 3 of 9 Event ID 1388 or 1988: A lingering object is detected: Active Directory
5/30/2011 http://technet.microsoft.com/en-us/library/cc780362(d=printer,v=WS.10).aspx
against that target domain controller.
To remove lingering objects, do the following:
1. Use the event text to identify the following:

a. Directory partition of the object

b. Source domain controller that attempted replication of the lingering object

2. Install Windows Support Tools on the domain controller that received the event, if necessary.
See "Install Windows Support Tools" in Configuring a Computer for Troubleshooting Active
Directory
2
.


3. Use Repadmin to Identify the GUID of an Authoritative Domain Controller

4. Use Repadmin to Remove Lingering Objects

5. Enable Strict Replication Consistency, if necessary.

Use Repadmin to Identify the GUID of an Authoritative Domain Controller
To perform the procedure that removes lingering objects, you must identify the globally unique
identifier (GUID) of an up-to-date domain controller that has a writable replica of the directory
partition that contains the lingering object that has been reported. The directory partition is
identified in the event message.
The object GUID of a domain controller is stored in the objectGUID attribute of the NTDS Settings
object.
Requirements
Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the domain of ServerName.

Tool: Repadmin.exe (Windows Support Tools)

To identify the GUID of a domain controller
1. At a command prompt, type the following command, and then press ENTER:
repadmin /showrepl ServerName
where ServerName is the name of the domain controller for which you want to display the
GUID.
2. In the first section of the output, locate the objectGuid entry. Select and copy the GUID
value into a text file so that you can use it elsewhere.
Use Repadmin to Remove Lingering Objects
If the destination domain controller and source domain controller are both running
Windows Server 2003, you can remove lingering objects by using Repadmin. If either domain
Page 4 of 9 Event ID 1388 or 1988: A lingering object is detected: Active Directory
5/30/2011 http://technet.microsoft.com/en-us/library/cc780362(d=printer,v=WS.10).aspx
controller is running Windows 2000 Server, follow instructions in the article 314282, "Lingering
objects may remain after you bring an out-of-date global catalog server back online
1
," on the
Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=41410.
Requirements
Operating system: Windows Server 2003 for ServerName and ServerGUID
Administrative credentials: To complete this procedure, you must be a member of the Domain
Admins group in the DirectoryPartition domain.
Tool: Repadmin.exe (Windows Support Tools)
To use Repadmin to remove lingering objects
1. At a command prompt, type the following command, and then press ENTER:
repadmin /removelingeringobjects ServerName ServerGUID
DirectoryPartition /advisory_mode

/advisory_mode logs the lingering objects that will be removed so that you can review
them, but it does not remove them.
2. Repeat step 1 without /advisory_mode to delete the identified lingering objects from the
directory partition.
3. Repeat steps 1 and 2 for every domain controller that might have lingering objects.
Term Definition
ServerName
The name of the domain controller that has lingering objects, as identified
in the event message (event ID 1388 or event ID 1988). You can use the
Domain Name System (DNS) name or the distinguished name.
ServerGUID
The GUID of a domain controller that has an up-to-date writable replica of
the directory partition that contains the lingering object
DirectoryPartition
The distinguished name of the directory partition that is identified in the
event message. For example,
DC=RegionalDomainName,DC=ForestRootDomainName,DC=com for a
domain directory partition,
CN=configuration,DC=ForestRootDomainName,DC=com for the
configuration directory partition, or
CN=schema,CN=configuration,DC=ForestRootDomainName,DC=com for
the schema directory partition
Note
The ServerName parameter uses the DC_LIST syntax for repadmin, which allows the use of *
for all domain controllers in the forest and gc: for all global catalog servers in the forest. To see
the DC_LIST syntax, type repadmin /listhelp.
Page 5 of 9 Event ID 1388 or 1988: A lingering object is detected: Active Directory
5/30/2011 http://technet.microsoft.com/en-us/library/cc780362(d=printer,v=WS.10).aspx
Enable Strict Replication Consistency
To ensure that lingering objects cannot be replicated if they occur, enable strict replication
consistency on all domain controllers. The setting for replication consistency is stored in the
registry on each domain controller. However, on domain controllers that are running
Windows Server 2003 with SP1, you can use Repadmin to enable strict replication consistency on
one or all domain controllers.
On domain controllers running Windows Server 2003, Windows 2000 Server with Service Pack 3
(SP3), or Windows 2000 Server with Service Pack 4 (SP4), you must edit the registry to enable the
setting.
Use Repadmin to Enable Strict Replication Consistency
Requirements:
Operating system: Windows Server 2003 with SP1
Administrative credentials:
To complete this procedure on a single domain controller, you must be a member of the
Domain Admins group.

To complete this procedure on all domain controllers in the forest, you must be a member of
the Enterprise Admins group in the forest.

Tool: Repadmin.exe (Windows Support Tools that are included with Windows Server 2003 SP1)
To use Repadmin to enable strict replication consistency
1. Open a command prompt, type the following command, and then press ENTER:
repadmin /regkey DC_LIST +strict
where DC_LIST is the name of a single domain controller. (* applies the change to all
domain controllers in the forest.) For the domain controller name, you can use the Domain
Name System (DNS) name, the distinguished name of the domain controller computer
object, or the distinguished name of the domain controller server object.
2. If you do not use * to apply the change to all domain controllers, repeat step 1 for every
domain controller on which you want to enable strict replication consistency.
Edit the Registry to Enable Strict Replication Consistency
On a domain controller that is running Windows Server 2003 without a service pack, edit the
Note
For more naming options and information about the syntax of the DC_LIST parameter, at the
command prompt, type repadmin /listhelp.
Page 6 of 9 Event ID 1388 or 1988: A lingering object is detected: Active Directory
5/30/2011 http://technet.microsoft.com/en-us/library/cc780362(d=printer,v=WS.10).aspx
registry to enable strict replication consistency. The setting for replication consistency is stored in
the Strict Replication Consistency entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Values are as follows:
Value: 1 (0 to disable)

Default: 1 (enabled) in a new Windows Server 2003 forest; otherwise 0.

Data type: REG_DWORD

Requirements:
Operating system: Windows Server 2003, Windows 2000 Server with SP3, Windows 2000 Server
with SP4
Administrative credentials: To complete this procedure, you must be a member of the Domain
Admins group.
Tool: Registry editor (for example, Regedit.exe)
To edit the registry to enable strict replication consistency
1. Open a registry editor.
2. Navigate to Strict Replication Consistency entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
3. Set the value in the Strict Replication Consistency entry to 1.
Ensure Strict Replication Consistency Is Enabled On Newly
Promoted Domain Controllers
If you are upgrading a forest that was originally created using a computer running Windows 2000
Server, you should ensure that the forest is configured to enable strict replication consistency on
newly promoted domain controllers to help avoid lingering objects. After you update the forest, all
new domain controllers that you subsequently add to the forest are created with strict replication
consistency disabled. However, you can implement a forest configuration change that causes new
domain controllers to have strict replication consistency enabled. To ensure that new domain
Caution
It is recommended that you do not directly edit the registry unless there is no other alternative.
Modifications to the registry are not validated by the registry editor or by Windows before they
are applied, and as a result, incorrect values can be stored. This can result in unrecoverable
errors in the system. When possible, use Group Policy or other Windows tools, such as
Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry
directly. If you must edit the registry, use extreme caution.
Page 7 of 9 Event ID 1388 or 1988: A lingering object is detected: Active Directory
5/30/2011 http://technet.microsoft.com/en-us/library/cc780362(d=printer,v=WS.10).aspx
controllers that you add to the forest have strict replication consistency enabled, you can use
Ldifde.exe to create an object in the configuration directory partition of the forest. This object is
responsible for enabling strict replication consistency on any Windows Server 2003 domain
controller that is promoted into the forest.
The object that you create is an operational GUID with the following name:
CN=94fdebc6-8eeb-4640-80de-
ec52b9ca17fa,CN=Operations,CN=ForestUpdates,CN=Configuration,DC=<ForestRootDomain>
Perform the following procedure on any domain controller in the forest to add this object to the
configuration directory partition.
Requirements:
Administrative credentials: To complete this procedure, you must be a member of the Domain
Admins group.
Tools: Ldifde.exe, Notepad
To create the object that ensures strict replication consistency on new domain controllers
1. In a text editor such as Notepad, create the following text file:
dn:
CN=94fdebc6-8eeb-4640-80de-
ec52b9ca17fa,CN=Operations,CN=ForestUpdates,CN=Configuration,DC=<ForestRootDomain>
changetype: add
objectClass: container
showInAdvancedViewOnly: TRUE
name: 94fdebc6-8eeb-4640-80de-ec52b9ca17fa
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=<ForestRootDomain>
Where <ForestRootDomain> contains all domain components (DC=) of the forest root
domain. For example, for the contoso.com forest, DC=contoso,DC=com; for the
fineartschool.net forest, DC=fineartschool,DC=net.
2. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Enterprise Admins credentials, if required, and then click Continue.
3. At the command prompt, type the following command and then press ENTER:
ldife -i f <Path\FileName>

Value Description
Page 8 of 9 Event ID 1388 or 1988: A lingering object is detected: Active Directory
5/30/2011 http://technet.microsoft.com/en-us/library/cc780362(d=printer,v=WS.10).aspx
For information about using Ldifde, see LDIFDE on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=42656).
Links Table
1
http://go.microsoft.com/fwlink/?LinkId=41410

2
http://technet.microsoft.com/en-us/library/cc784161(v=WS.10).aspx

Community Content

-i Specifies import mode. If not specified, the default mode is export.
-f Identifies the import or export file name.
<Path\FileName>
The path and name of the import file that you created in step 1. For
example, C:\ldifde.txt.
2011 Microsoft. All rights reserved.
Page 9 of 9 Event ID 1388 or 1988: A lingering object is detected: Active Directory
5/30/2011 http://technet.microsoft.com/en-us/library/cc780362(d=printer,v=WS.10).aspx