Wednesday, January 7, 2015

Lingering Objects

The tombstone lifetime value that is in effect when a domain controller is upgraded to a service pack is not changed by the upgrade; the existing value is kept until you change it manually. Once a tombstone is permanently removed by garbage collection, the deletion can no longer be replicated. The tombstone lifetime therefore defines how long domain controllers in the forest retain knowledge of a deleted object, and hence the window within which every deletion must reach all replication partners, direct and transitive, of the originating domain controller.

How Lingering Objects Occur:-

When a domain controller is disconnected from replication for longer than the tombstone lifetime, one or more objects that were deleted from Active Directory on all other domain controllers can remain on the disconnected domain controller. Such objects are called lingering objects. Because the domain controller was offline for the entire time the tombstone existed, it never received the tombstone through replication. When it is reconnected, this domain controller acts as a source replication partner that holds an object its destination partners do not have.

Replication problems occur when the object on the source domain controller is updated. When the destination domain controller attempts to inbound-replicate that update, it responds in one of two ways:-

# If the destination domain controller has strict replication consistency enabled, it recognizes that it cannot apply the update and locally halts inbound replication of that directory partition from that source domain controller.

# If the destination domain controller has strict replication consistency disabled (loose consistency), it requests the full replica of the updated object, so the object is reintroduced into the directory.
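The two settings that decide the outcome above, the forest tombstone lifetime and the per-DC strict replication consistency flag, can both be checked from PowerShell. The script below is an added example, not code from the original post; it assumes the ActiveDirectory (RSAT) module, WinRM access to the domain controllers, and an account that can read the configuration partition and the NTDS registry key on each DC. The function names are mine.

```powershell
# Added example (not part of the original post): read the forest tombstone
# lifetime and each DC's Strict Replication Consistency setting, and
# optionally enforce strict consistency everywhere.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition. If the attribute is absent the built-in default
    # applies: 60 days for forests created on Windows 2000/2003 RTM, 180 days
    # for forests created on Windows Server 2003 SP1 or later.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    if ($null -eq $ds.tombstoneLifetime) { return 'not set (default of 60 or 180 days applies)' }
    return $ds.tombstoneLifetime
}

function Get-StrictReplicationConsistency {
    param([string[]]$DomainController)
    # Per-DC DWORD under the NTDS service key: 1 = strict, 0 = loose.
    $key = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    foreach ($dc in $DomainController) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty -Path "HKLM:\$using:key" -Name 'Strict Replication Consistency' `
                -ErrorAction SilentlyContinue).'Strict Replication Consistency'
        }
        [pscustomobject]@{
            DomainController             = $dc
            StrictReplicationConsistency = $(if ($value -eq 1) { 'Enabled' }
                                             elseif ($value -eq 0) { 'Disabled (loose)' }
                                             else { 'Not set (install-time default applies)' })
        }
    }
}

function Enable-StrictReplicationConsistency {
    param([string[]]$DomainController)
    # Same key set to 1; "repadmin /regkey * +strict" is the built-in equivalent.
    foreach ($dc in $DomainController) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -Name 'Strict Replication Consistency' -Value 1 -Type DWord
        }
    }
}

# Usage
"Tombstone lifetime (days): $(Get-TombstoneLifetime)"
$dcs = (Get-ADForest).Domains |
       ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
       Select-Object -ExpandProperty HostName
Get-StrictReplicationConsistency -DomainController $dcs | Format-Table -AutoSize
# Enable-StrictReplicationConsistency -DomainController $dcs   # uncomment to enforce
```

A DC reporting "Disabled (loose)" is the one that will silently reintroduce a lingering object instead of halting replication, so that is the setting to change before reconnecting a long-offline DC.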

Lingering objects can reside in writable or read-only directory partitions that are replicated between domain controllers in the same domain or in different domains of the same forest.

Domain Controller having Lingering Objects:-

An outdated domain controller can store lingering objects with no noticeable effect as long as no administrator, application or service updates the lingering object or attempts to create an object with the same name in the domain or the same UPN (user principal name) in the forest. However, the existence of lingering objects can cause problems, especially if the object is a security principal: a deleted user or group that survives on one domain controller still carries its SID, so access that was granted to it by ACLs or group membership can come back into effect.
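Because a lingering object exists live on one domain controller while the others hold only a tombstone (or nothing, once the tombstone has been garbage collected), the quickest way to locate it is to ask every DC for the same objectGUID. The script below is an added example, not code from the original post; it assumes the ActiveDirectory module and an account allowed to read the Deleted Objects container. The function name and the placeholder GUID are mine.

```powershell
# Added example (not part of the original post): ask each DC in the forest
# whether it holds a given object live, as a tombstone, or not at all.
Import-Module ActiveDirectory

function Find-LingeringObject {
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [string[]]$DomainController = ((Get-ADForest).Domains |
            ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
            Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainController) {
        $obj = $null
        try {
            # -IncludeDeletedObjects also returns tombstones (isDeleted = TRUE).
            # Querying each DC directly (-Server) shows what that DC's own
            # replica contains, which is exactly what differs in this scenario.
            $obj = Get-ADObject -Server $dc -Filter "objectGUID -eq '$ObjectGuid'" `
                     -IncludeDeletedObjects -Properties isDeleted, whenChanged -ErrorAction Stop
            if (-not $obj)          { $state = 'Absent' }
            elseif ($obj.isDeleted) { $state = 'Tombstone' }
            else                    { $state = 'LIVE (possible lingering object)' }
        } catch {
            $state = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            DomainController  = $dc
            State             = $state
            WhenChanged       = $obj.whenChanged
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

# Usage: the GUID below is a placeholder. Take the real one from the DC where
# the object is still visible, e.g. (Get-ADUser -Server dc2 someuser).ObjectGUID
Find-LingeringObject -ObjectGuid '00000000-0000-0000-0000-000000000000' | Format-Table -AutoSize
```

A DC that answers "LIVE" while its partners answer "Tombstone" or "Absent" is the one holding the lingering object; check its whenChanged against the tombstone lifetime to confirm it was out of replication for that long.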


Signs that indicate lingering objects in a domain:-


# A deleted user or group account remains in the GAL (global address list) on Exchange servers. Attempts to send email to this account result in errors even though it is still listed in the GAL.

# Multiple copies of an object appear in the object picker or the GAL for an object that should be unique in the forest. Duplicate objects sometimes appear with altered names, which makes directory searches confusing.

# A universal group that no longer exists continues to appear in a user's access token. Although the group does not exist, if the user account has the group in its security token, the user might still have access to resources that you intended to be unavailable to that user.

# Email is not delivered to users whose AD accounts appear to be current. After an outdated domain controller or global catalog server is reconnected, both instances of the user object appear in the global catalog. Because both objects have the same email address, email cannot be delivered.

If an attempt is made to update a lingering object that resides in a writable directory partition, events are logged on the destination domain controller (NTDS Replication event ID 1388 when strict replication consistency is disabled and the object is reintroduced, 1988 when it is enabled and inbound replication is halted). If the only version of the lingering object exists in a read-only directory partition on a global catalog server, the object cannot be updated, and this type of event is never triggered.
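Putting the detection and the cleanup together: the script below collects the relevant Directory Service events from each DC and then runs repadmin /removelingeringobjects in advisory mode (report only) against a suspect DC. It is an added example, not code from the original post; it assumes the ActiveDirectory module, WinRM access to the DCs, and repadmin.exe on the path. The function names and the host names in the usage lines are placeholders.

```powershell
# Added example (not part of the original post): find lingering-object events
# and dry-run repadmin against a suspect DC. Event IDs used:
#   1388 - lingering object reintroduced (strict consistency disabled)
#   1988 - lingering object detected, inbound replication halted (strict enabled)
#   2042 - it has been too long since this DC last replicated (past tombstone lifetime)
Import-Module ActiveDirectory

function Get-LingeringObjectEvents {
    param([string[]]$DomainController, [int]$Days = 30)
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 1388, 1988, 2042
            StartTime = (Get-Date).AddDays(-$Days)
        } | ForEach-Object {
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $_.TimeCreated
                Id               = $_.Id
                # The full message names the source DC, the object and its GUID.
                Summary          = ($_.Message -split "`r?`n")[0]
            }
        }
    }
}

function Get-DsaGuid {
    # repadmin wants the DSA object GUID of the reference DC, which is the
    # objectGUID of that DC's NTDS Settings object.
    param([Parameter(Mandatory)][string]$DomainController)
    $ntds = (Get-ADDomainController -Identity $DomainController).NTDSSettingsObjectDN
    (Get-ADObject -Identity $ntds -Properties objectGUID).objectGUID
}

function Test-LingeringObjects {
    # /advisory_mode only logs what would be removed; drop it to actually delete.
    param(
        [Parameter(Mandatory)][string]$SuspectDC,     # DC believed to hold lingering objects
        [Parameter(Mandatory)][string]$ReferenceDC,   # up-to-date DC with a writable copy of the NC
        [Parameter(Mandatory)][string]$NamingContext  # e.g. 'DC=corp,DC=example,DC=com'
    )
    $guid = Get-DsaGuid -DomainController $ReferenceDC
    & repadmin.exe /removelingeringobjects $SuspectDC $guid $NamingContext /advisory_mode
}

# Usage (host names are placeholders for this example)
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
Get-LingeringObjectEvents -DomainController $dcs | Sort-Object TimeCreated | Format-Table -AutoSize
# Test-LingeringObjects -SuspectDC 'dc2.corp.example.com' -ReferenceDC 'dc1.corp.example.com' `
#                       -NamingContext 'DC=corp,DC=example,DC=com'
```

Since no event is raised for a lingering object that exists only in a read-only partition on a global catalog, run the advisory-mode check against each global catalog for every domain partition it hosts as well, using a writable DC of that domain as the reference; the event log alone will not flag those.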