Event ID 1988

  • Question

  • Recently the secondary DC has been logging an error with ID 1988 every day.
    The log is as follows:
    Source domain controller:
    f94089bf-6d9a-4425-b649-483c4fcd3811._msdcs.domainname.edu.cn
    Object:
    DC=119\0ADEL:e7a7e1db-dbd1-40a2-a1a1-298762965113,CN=Deleted Objects,DC=DomainDnsZones,DC=domainname,DC=edu,DC=cn
    Object GUID:
    e7a7e1db-dbd1-40a2-a1a1-298762965113  This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory Domain Services database.  This replication attempt has been blocked.
     
     The best solution to this problem is to identify and remove all lingering objects in the forest.
     
     
    User Action:
     
    Remove Lingering Objects:
     
     The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282.
     
     If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>".
     
     If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.
     
     If you need Active Directory Domain Services replication to function immediately at all costs and don't have time to remove lingering objects, enable loose replication consistency by unsetting the following registry key:
     
    Registry Key:
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency
     
     Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.
     
     Lingering objects may be prevented by ensuring that all domain controllers in the forest are running Active Directory Domain Services, are connected by a spanning tree connection topology and perform inbound replication before Tombstone Live number of days pass.

    It is also accompanied by event ID 1864.
    The log is as follows:
    This is the replication status for the following directory partition on this directory server.
     
    Directory partition:
    DC=DomainDnsZones,DC=domainname,DC=edu,DC=cn
     
    This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals.
     
    More than 24 hours:
    1
    More than a week:
    1
    More than one month:
    0
    More than two months:
    0
    More than a tombstone lifetime:
    0
    Tombstone lifetime (days):
    60
     
    Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
     
    To identify the directory servers by name, use the dcdiag.exe tool.
    You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".


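    I consulted http://technet.microsoft.com/zh-cn/library/cc949134(WS.10).aspx
    and want to try repairing this with repadmin /removelingeringobjects <ServerName> <ServerGUID> <DirectoryPartition> /advisory_mode, but a few points are not clear to me.
    My environment has two 2008 domain controllers, one primary DC and one secondary DC. The error is logged on the secondary DC; it does not appear on the primary DC.
    Which server do <ServerName> and <ServerGUID> refer to here? The one where the log appears (the secondary DC)? The primary DC? Or the "Source domain controller" named in the log?
    Is <DirectoryPartition> the "DC=DomainDnsZones,DC=domainname,DC=edu,DC=cn" shown in the log?
    I hope someone can explain this in detail. Thanks!
    November 5, 2009 2:52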

Answers

All replies

  • The best solution to this problem is to identify and remove all lingering objects in the forest.

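    That sentence already makes it clear.
      "Source domain controller" refers to the replication source; in your environment it should be your first domain controller.
    November 5, 2009 4:00
  • Hello!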

     

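    Based on the information you provided, this error is most likely caused by outdated objects on one of the domain controllers. We suggest you troubleshoot by following the steps in this KB article: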

     

    Outdated Active Directory objects generate event ID 1988 in Windows Server 2003

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;870695

     

    I hope my answer helps. If anything is unclear, please reply to this thread.

     

    Tom Zhang 张一平
    Tom Zhang – MSFT
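    November 5, 2009 7:58
    Moderator
  • Thank you all for the helpful replies! After I ran the repadmin /removelingeringobjects command it reported success, but running repadmin /showrepl on the secondary DC still shows a failure (on the primary DC everything succeeds).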

    repadmin running command /showrepl against server localhost

    Default-First-Site-Name\SDC
    DC Options: IS_GC
    Site Options: (none)
    DC object GUID: 997b5526-2f3f-46d3-8706-81907c528426
    DC invocationID: 4beee9e7-3c8c-48bc-a904-d753656afe18

    ==== INBOUND NEIGHBORS ======================================

    DC=domainname,DC=edu,DC=cn
        Default-First-Site-Name\PDC via RPC
            DC object GUID: f94089bf-6d9a-4425-b649-483c4fcd3811
            Last attempt @ 2009-11-05 16:31:39 was successful.

    CN=Configuration,DC=domainname,DC=edu,DC=cn
        Default-First-Site-Name\PDC via RPC
            DC object GUID: f94089bf-6d9a-4425-b649-483c4fcd3811
            Last attempt @ 2009-11-05 15:52:25 was successful.

    CN=Schema,CN=Configuration,DC=domainname,DC=edu,DC=cn
        Default-First-Site-Name\PDC via RPC
            DC object GUID: f94089bf-6d9a-4425-b649-483c4fcd3811
            Last attempt @ 2009-11-05 15:52:25 was successful.

    DC=DomainDnsZones,DC=domainname,DC=edu,DC=cn
        Default-First-Site-Name\PDC via RPC
            DC object GUID: f94089bf-6d9a-4425-b649-483c4fcd3811
            Last attempt @ 2009-11-05 15:52:25 failed, result 8606 (0x219e):
                Insufficient attributes were given to create an object. This object
    may not exist because it may have been deleted and already garbage collected.
            778 consecutive failure(s).
            Last success @ 2009-10-27 01:56:05.

    DC=ForestDnsZones,DC=domainname,DC=edu,DC=cn
        Default-First-Site-Name\PDC via RPC
            DC object GUID: f94089bf-6d9a-4425-b649-483c4fcd3811
            Last attempt @ 2009-11-05 15:52:25 was successful.

    Source: Default-First-Site-Name\PDC
    ******* 778 CONSECUTIVE FAILURES since 2009-10-27 01:56:05
    Last error: 8606 (0x219e):
                Insufficient attributes were given to create an object. This object
    may not exist because it may have been deleted and already garbage collected.


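    In addition, when I force replication through Sites and Services, it succeeds on the primary DC but still fails on the secondary DC.
    Finally, regarding the last command in event ID 1864, repadmin /showvector /latency <partition-dn>: what parameter does <partition-dn> stand for?
    Thanks!

    November 5, 2009 8:39
  • Hello!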

     

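    Based on the error information you provided, this problem may be related to the tombstone lifetime. We suggest you try the following troubleshooting steps: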

     

    1. On the DC, open "Active Directory Sites and Services", check whether each one has connection objects, and confirm that all DC SRV records are registered in DNS.

     

    2. On the DC that logs the 1864 error, modify the following registry value:

    Under HKLM\System\CurrentControlSet\Services\NTDS\Parameters, set the value of "Allow Replication With Divergent and Corrupt Partner" to 1.

     

    3. After modifying the registry value, shut down or restart these DCs.

     

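    4. Open "Active Directory Sites and Services" and force replication on all DCs.

    a. Open Active Directory Sites and Services/Sites/the site containing the connection over which directory information is to be replicated/Servers/the server for which replication is to be forced/NTDS Settings
    b. In the details pane, right-click the connection over which you want to replicate directory information, and then click "Replicate Now".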

     

    5. At the DC's command prompt, type "repadmin /showrepl" and check whether replication between the DCs is working normally.

     

    For more information, please refer to the following articles:

    Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

    http://technet2.microsoft.com/WindowsServer/en/library/4a1f420d-25d6-417c-9d8b-6e22f472ef3c1033.mspx?mfr=true

     

    How the Active Directory Replication Model Works

    http://technet2.microsoft.com/WindowsServer/en/library/1465d773-b763-45ec-b971-c23cdc27400e1033.mspx?mfr=true

     

    I hope my answer helps. If anything is unclear, please let me know.

     

    Tom Zhang 张一平
    Tom Zhang – MSFT
    December 8, 2009 2:41
    Moderator
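
Added example (not part of the thread and not Microsoft's code): the question above asks which DC fills each argument of repadmin /removelingeringobjects. This Python code parses a trimmed, constructed copy of the /showrepl output posted in the thread and fills the template printed in event 1988 (<Source DC> <Destination DC DSA GUID> <NC>). The function names are hypothetical, and passing the short name PDC as the server argument is an assumption.

```python
import re

# Constructed sample: trimmed from the `repadmin /showrepl` output posted in the thread.
SHOWREPL = """\
Default-First-Site-Name\\SDC
DC Options: IS_GC
DC object GUID: 997b5526-2f3f-46d3-8706-81907c528426

==== INBOUND NEIGHBORS ======================================

DC=domainname,DC=edu,DC=cn
    Default-First-Site-Name\\PDC via RPC
        DC object GUID: f94089bf-6d9a-4425-b649-483c4fcd3811
        Last attempt @ 2009-11-05 16:31:39 was successful.

DC=DomainDnsZones,DC=domainname,DC=edu,DC=cn
    Default-First-Site-Name\\PDC via RPC
        DC object GUID: f94089bf-6d9a-4425-b649-483c4fcd3811
        Last attempt @ 2009-11-05 15:52:25 failed, result 8606 (0x219e):
        778 consecutive failure(s).
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

def failing_neighbors(text):
    """Return (local DSA GUID, [(partition, source DC, result code), ...])."""
    header, _, body = text.partition("INBOUND NEIGHBORS")
    local_guid = re.search(r"DC object GUID:\s*(" + GUID + ")", header).group(1)
    failures, partition, source = [], None, None
    for line in body.splitlines():
        if re.match(r"(DC|CN)=", line):            # unindented DN opens a partition block
            partition = line.strip()
        elif m := re.match(r"\s+\S+\\(\S+) via RPC", line):
            source = m.group(1)                    # replication source for this partition
        elif m := re.search(r"failed, result (\d+)", line):
            failures.append((partition, source, int(m.group(1))))
    return local_guid, failures

def advisory_commands(text):
    """Fill event 1988's template, <Source DC> <Destination DC DSA GUID> <NC>,
    with the local DC (the one that logged the event) as the destination."""
    local_guid, failures = failing_neighbors(text)
    # 8606 is the result code shown for the blocked partition in the thread.
    return [f'repadmin /removelingeringobjects {src} {local_guid} "{nc}" /ADVISORY_MODE'
            for nc, src, code in failures if code == 8606]

if __name__ == "__main__":
    for cmd in advisory_commands(SHOWREPL):
        print(cmd)
```

With /ADVISORY_MODE the command only reports, in the event logs, which objects would be deleted, as the event text above describes.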