You want to enable strict or loose replication consistency.
12.10.1 Using a graphical user interface
12.10.2 Using a command-line interface
To enable strict consistency, run the following command:
> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict Replication Consistency" /t REG_DWORD /d 1
To enable loose consistency, run the following command:
> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict Replication Consistency" /t REG_DWORD /d 0
12.10.3 Using VBScript
' This code enables strict or loose consistency on the specified DC.
' ------ SCRIPT CONFIGURATION ------
intEnableStrict = 1   ' 1 = strict consistency, 0 = loose consistency
strDC = "<DomainControllerName>"
' ------ END CONFIGURATION ---------

const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Parameters"

' Connect to the WMI registry provider on the target DC
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")

' SetDWORDValue returns 0 on success and a non-zero error code otherwise
intRC = objReg.SetDWORDValue(HKLM, strNTDSReg, _
                             "Strict Replication Consistency", intEnableStrict)
if intRC = 0 then
   WScript.Echo "Strict Replication Consistency value set to " & intEnableStrict
else
   WScript.Echo "Failed to set Strict Replication Consistency (error " & intRC & ")"
end if
Up until Windows 2000 Service Pack (SP) 3, domain controllers followed a loose replication consistency model, under which lingering objects could be reinjected into Active Directory and replicated to every domain controller. A lingering object is one that was deleted on the other domain controllers but survives on a domain controller that did not replicate successfully for longer than the period defined by the tombstoneLifetime attribute, or that was restored from a backup older than the tombstoneLifetime. Because the tombstone for the deletion has already been garbage-collected everywhere else, nothing tells the other domain controllers that the object is supposed to be gone, so when the stale domain controller replicates again the object comes back. See the Introduction in Chapter 16 for more on the tombstoneLifetime attribute.
Windows 2000 SP2 and earlier domain controllers would replicate the lingering object throughout the naming context. Loose consistency is a security risk because an object you thought was deleted, such as a disabled-then-deleted user account or a group membership, is back in the forest and usable again.
Some post-SP2 hotfixes and SP3 introduced strict replication consistency. Under strict replication, a destination domain controller stops inbound replication from a source domain controller as soon as it detects that the source is attempting to replicate a lingering object. Event ID 1084 is logged in the Directory Service event log to indicate that the object could not be replicated (Windows Server 2003 and later log event ID 1988 for the same condition). Although strict replication can halt replication for that naming context, it is the preferable setting and is a good check to ensure lingering objects do not infiltrate your forest. For this reason, you must monitor your domain controllers to ensure they are replicating on a regular basis and do not have any 1084 events; when one appears, remove the lingering object from the source domain controller (for example with repadmin /removelingeringobjects on Windows Server 2003 SP1 and later) rather than switching back to loose consistency.
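The value only protects you if every domain controller has it set and someone is watching for the events it produces. The following PowerShell script is an added example, not code from the cookbook: it audits the Strict Replication Consistency value on every domain controller in the current domain, optionally enforces strict mode, and counts lingering-object events (1084 or 1988) in each Directory Service log. It assumes you run it as a Domain Admin on a domain-joined host with remote registry and remote event log access to the domain controllers; the parameter names are the example's own.

```powershell
# Added example (not from the cookbook): audit and optionally enforce the
# Strict Replication Consistency value on every DC in the current domain,
# and surface lingering-object events. Assumes Domain Admin rights and
# remote registry / event log access to each DC.
param(
    [switch]$Enforce,          # set the value to 1 (strict) where it is 0 or missing
    [int]$LookbackDays = 7     # how far back to look for events 1084/1988
)

$subKey    = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Strict Replication Consistency'

# Enumerate DCs through .NET so the script also runs on hosts without the
# Active Directory PowerShell module installed.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | ForEach-Object { $_.Name }

foreach ($dc in $dcs) {
    $mode = 'unknown'
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
        $key  = $hklm.OpenSubKey($subKey, [bool]$Enforce)   # writable only when enforcing
        $current = $key.GetValue($valueName)                 # $null when the value is absent

        # An absent value means the DC falls back to its version-specific default,
        # so treat it as "not set" and enforce explicitly rather than guessing.
        if ($null -eq $current)  { $mode = 'not set' }
        elseif ($current -eq 1)  { $mode = 'strict' }
        else                     { $mode = 'loose' }

        if ($Enforce -and $current -ne 1) {
            $key.SetValue($valueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
            $mode = "$mode -> strict"
        }
        $key.Close(); $hklm.Close()
    } catch {
        $mode = "error: $($_.Exception.Message)"
    }

    # Strict consistency reports a refused lingering object as event 1084
    # (Windows 2000 SP3) or 1988 (Windows Server 2003 and later).
    $events = @(Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1084, 1988
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        DomainController      = $dc
        StrictConsistency     = $mode
        LingeringObjectEvents = $events.Count
    }
}
```

Run it without switches first to see the current state; any domain controller reporting "loose" or "not set" is a candidate for re-running with -Enforce. A non-zero LingeringObjectEvents count means replication into that domain controller has already been refused for at least one object and needs cleanup on the source. On Windows Server 2003 SP1 and later, repadmin /regkey * +strict sets the same registry value on every domain controller in the forest in one step.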
12.10.4 See Also
See the Introduction in Chapter 16 for more on the tombstoneLifetime attribute, MS KB 317097 (Lingering Objects Prevent Active Directory Replication from Occurring), and MS KB 314282 (Lingering Objects May Remain After You Bring an Out-of-Date Global Catalog Server Back Online).