To check AD replication status, use the following in a command prompt:
[shell]
Repadmin /replsum
[/shell]
If an error like this comes up:
(8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
then the object is tombstoned.
To verify, run the following:
[shell]
repadmin /removelingeringobjects <Bad DC> <GUID of DC with correct data> <Naming Context of the lingering objects partition> /advisory_mode
[/shell]
To remove the lingering object use the following:
[shell]
repadmin /removelingeringobjects [domain-controller] 21f3a6cd-a35f-42c9-b0f0-afedd65d6bdc DC=DomainDnsZones,DC=Domain,DC=COM
[/shell]
Here 21f3a6cd-a35f-42c9-b0f0-afedd65d6bdc is the DSA object GUID of the domain controller, and [domain-controller] was the lingering connection on [domain-controller2]; the command removes and resyncs from the bad [domain-controller]. Each domain controller will have 4-5 partitions, which you can show with:
[shell]
repadmin /showrepl
[/shell]
Example:
DC=DOMAIN,DC=COM
CN=Configuration,DC=DOMAIN,DC=COM
CN=Schema,CN=Configuration,DC=DOMAIN,DC=COM
DC=DomainDnsZones,DC=DOMAIN,DC=COM
You will need to update your remove lingering objects command to reflect the partition, running it once per partition. To force sync and not have to wait:
[shell]
repadmin /regkey Domain-Controller +allowDivergent
[/shell]
and remove it later with:
[shell]
repadmin /regkey Domain-Controller -allowDivergent
[/shell]
When all lingering objects are removed, there will be an event logged with Event ID 1939 in Directory Services (Event Viewer).
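
The per-partition procedure above can be scripted so that every partition is checked in advisory mode before anything is deleted. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is installed, and the two DC names are placeholders to replace with your own.

```powershell
# Added example: the DC names below are placeholders (assumptions), not values from the page.
param(
    [string]$BadDC       = 'DC02.domain.com',   # placeholder: DC holding the lingering objects
    [string]$ReferenceDC = 'DC01.domain.com',   # placeholder: DC with correct data
    [switch]$Remove                             # without this switch only /advisory_mode runs
)
Import-Module ActiveDirectory

# The DSA object GUID is the objectGUID of the reference DC's NTDS Settings object.
$ntds    = (Get-ADDomainController -Identity $ReferenceDC -Server $ReferenceDC).NTDSSettingsObjectDN
$dsaGuid = (Get-ADObject -Identity $ntds -Server $ReferenceDC).ObjectGUID

# Only partitions hosted by both DCs can be compared against each other.
$refNCs = (Get-ADRootDSE -Server $ReferenceDC).namingContexts
$ncs    = (Get-ADRootDSE -Server $BadDC).namingContexts | Where-Object { $refNCs -contains $_ }

$started = Get-Date
foreach ($nc in $ncs) {
    $repArgs = @('/removelingeringobjects', $BadDC, $dsaGuid, $nc)
    if (-not $Remove) { $repArgs += '/advisory_mode' }   # report only, delete nothing
    Write-Host "== $nc"
    & repadmin.exe @repArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin returned $LASTEXITCODE for $nc" }
}

if ($Remove) {
    # Event ID 1939 in the Directory Service log marks a completed removal.
    Get-WinEvent -ComputerName $BadDC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1939; StartTime = $started
    } | Select-Object TimeCreated, Id, Message
}
```

Run it once without `-Remove` and review the advisory output, then run it again with `-Remove` to delete the objects.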