Quick Copy / Paste Notes:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"Strict Replication Consistency"=dword:00000001
"Allow Replication With Divergent and Corrupt Partner"=dword:00000000
;"Strict Replication Consistency"=dword:00000000
;"Allow Replication With Divergent and Corrupt Partner"=dword:00000001

(The two commented lines are the insecure values. Only uncomment them for the duration of a forced resync, then put the protective values (1 / 0) back.)

"The target principal name is incorrect."
http://support.microsoft.com/kb/288167
Fix: reset the machine account password of the failing DC with netdom.exe, run on that DC:
1) Stop the KDC (Kerberos Key Distribution Center) service on the failing DC, set it to Disabled, reboot the DC.
2) netdom.exe resetpwd /server:pdc /userd:domain\administrator /passwordd:password
   (/server: is a different, healthy DC such as the PDC emulator, the one the password is reset against; /passwordd:* prompts instead of putting the password on the command line.)
3) Reboot the DC, force replication, then set the KDC service back to Automatic and start it.

Replication after Domain Controllers have been powered down for a long time

After a DC has been powered down (or otherwise cut off from the replication topology) for longer than the tombstone lifetime, forcing replication manually (Replicate Now) fails with the following error:

  The following error occurred during the attempt to synchronize naming context DOMAIN.LOCAL from domain controller SOURCE-DC-NAME to domain controller DESTINATION-DC-NAME: The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime. This operation will not continue.

http://technet2.microsoft.com/WindowsServer/en/library/34c15446-b47f-4d51-8e4a-c14527060f901033.mspx

repadmin /showrepl - look for error 8614 (the destination DC also logs Event ID 2042, "It has been too long since this machine last replicated", in the Directory Service log). If you are not sure what the forest's tombstone lifetime is, read the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>: 60 days if the attribute is absent (forests created before Windows Server 2003 SP1), 180 days on forests created with Windows Server 2003 SP1 or later.

Caveat before resyncing: Microsoft's recommendation for a DC that has been out of the topology longer than the tombstone lifetime is to forcibly demote it, clean up its metadata and re-promote it, not to re-admit it. Re-admitting it can resurrect objects that were deliberately deleted in the meantime (user and computer accounts, group memberships), and it brings back whatever was changed on that DC while it was out of contact. Use the procedure below only when rebuilding is not an option, and review advisory-mode output before deleting anything.

Treat this occurrence as a lingering object condition, and do the following:

1. Run repadmin /showrepl on the domain controller that received the error to determine which domain controller has been disconnected for longer than a tombstone lifetime.

2. Remove lingering objects. Follow the instructions for removing lingering objects from the source and destination domain controllers as described for Event ID 1388 or 1988: A lingering object is detected.
   http://technet2.microsoft.com/WindowsServer/en/library/77dbd146-f265-4d64-bdac-605ecbf1035f1033.mspx
   repadmin /removelingeringobjects
   Use the event text to identify:
   1. the directory partition of the object
   2. the source domain controller that attempted replication of the lingering object

3. Restart replication on the destination domain controller. After you remove lingering objects, you must restart replication on the domain controller that logged the event by editing the registry setting that allows replication with a potentially out-of-date domain controller. You can also perform this step if you do not want to wait to remove lingering objects and you want to start replication immediately.

4. Reset the registry to protect the domain controller against outdated replication. After replication has resumed on the domain controller that logged the event, reset the registry so that this domain controller continues to log events (and block) if replication is attempted with a domain controller whose last successful replication occurred longer than a tombstone lifetime ago.

NOTE: If you did not remove the lingering objects, attempting replication might result in replication of a lingering object. If strict replication consistency is enabled on the destination domain controller, replication with the source domain controller will be blocked again.

Edit Registry: Allow Replication With Divergent and Corrupt Partner
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Allow Replication With Divergent and Corrupt Partner = DWORD:1
Change back to 0 after replication is completed to protect against outdated replication.

Cause
An object that has been permanently deleted from Active Directory (that is, its tombstone has been garbage-collected) remains on a domain controller. The domain controller failed to receive direct or transitive replication of the object deletion because it was disconnected (offline or experiencing an inbound replication failure) from the replication topology for a period that exceeded a tombstone lifetime. That object has then been updated on the domain controller, causing a replication notification to the replication partner that an update is ready for replication.
The replication partner has responded according to its replication consistency setting. This notification applies to attempted replication of a writable object. A copy of the writable lingering object might also exist on a global catalog server, so check the GCs as well.

Remove Lingering Object Procedure

To perform the procedure that removes lingering objects, you must identify the globally unique identifier (GUID) of an up-to-date domain controller that has a writable replica of the directory partition that contains the lingering object that has been reported. The directory partition is identified in the event message. The object GUID of a domain controller is stored in the objectGUID attribute of its NTDS Settings object.

repadmin /showrepl ServerName
  - locate the "DSA object GUID" entry (this is the objectGUID of the NTDS Settings object)

repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition /advisory_mode

  ServerName        - The name of the domain controller that has lingering objects, as identified in the event message (Event ID 1388 or 1988). You can use the DNS name or the distinguished name.
  ServerGUID        - The GUID of a domain controller that has an up-to-date writable replica of the directory partition that contains the lingering object.
  DirectoryPartition - The distinguished name of the directory partition that is identified in the event message. For example:
                        DC=RegionalDomainName,DC=ForestRootDomainName,DC=com              (domain directory partition)
                        CN=configuration,DC=ForestRootDomainName,DC=com                   (configuration directory partition)
                        CN=schema,CN=configuration,DC=ForestRootDomainName,DC=com         (schema directory partition)
  /advisory_mode    - Logs the lingering objects that would be removed so that you can review them, but does not remove them. Always run this first and read the Directory Service log on ServerName before the real run.

repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition

Repeat for every domain controller that might have lingering objects, and for every partition (domain, configuration, schema, and any application partitions) that the disconnected DC holds.
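The procedure above, driven from PowerShell so the advisory pass, the event review and the real run happen in the right order for every partition. This is an added example, not part of the original notes and not Microsoft's tooling: it assumes the ActiveDirectory RSAT module and repadmin.exe are present, that you run it with enterprise admin rights, and that the DC names and domain (DC01/DC02, corp.example.com) are placeholders for your own. It goes slightly beyond the text by looping over all the partitions the reference DC hosts instead of the single partition named in the event.

```powershell
# Added example (not from the original notes). Requires RSAT ActiveDirectory module,
# repadmin.exe, and enterprise admin rights. All DC names below are placeholders.
Import-Module ActiveDirectory

$ReferenceDc = 'DC01.corp.example.com'    # known-good DC with writable replicas (assumed name)
$SuspectDcs  = @('DC02.corp.example.com') # DC(s) named in event 1388/1988 or with error 8614 (assumed)
$DoRemove    = $false                      # flip to $true only after reviewing the advisory output

# 1. ServerGUID = objectGUID of the reference DC's NTDS Settings object (not its invocationId).
$refSettingsDn = (Get-ADDomainController -Identity $ReferenceDc).NTDSSettingsObjectDN
$ServerGuid    = (Get-ADObject -Identity $refSettingsDn -Properties objectGUID).objectGUID.Guid

# 2. Lingering objects are partition-scoped, so scrub every partition the reference DC holds
#    (domain, configuration, schema and any application partitions such as DNS zones).
$Partitions = (Get-ADRootDSE -Server $ReferenceDc).namingContexts

function Invoke-LingeringObjectScan {
    # Wraps: repadmin /removelingeringobjects <ServerName> <ServerGUID> <DirectoryPartition> [/advisory_mode]
    param([string]$ServerName, [string]$Guid, [string]$Partition, [switch]$Advisory)
    $cmdArgs = @('/removelingeringobjects', $ServerName, $Guid, $Partition)
    if ($Advisory) { $cmdArgs += '/advisory_mode' }
    $output = & repadmin.exe @cmdArgs 2>&1
    [pscustomobject]@{
        ServerName = $ServerName
        Partition  = $Partition
        Advisory   = [bool]$Advisory
        ExitCode   = $LASTEXITCODE
        Output     = ($output -join [Environment]::NewLine)
    }
}

function Get-AdvisoryFindings {
    # In advisory mode the target DC logs one Directory Service event 1946 per lingering
    # object it would delete; pull them back so the decision to delete is made on evidence.
    param([string]$ServerName, [datetime]$Since)
    Get-WinEvent -ComputerName $ServerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1946; StartTime = $Since
    } | ForEach-Object { [pscustomobject]@{ DC = $ServerName; Time = $_.TimeCreated; Message = $_.Message } }
}

$started = Get-Date
foreach ($dc in $SuspectDcs) {
    foreach ($nc in $Partitions) {
        $r = Invoke-LingeringObjectScan -ServerName $dc -Guid $ServerGuid -Partition $nc -Advisory
        "[{0}] {1} advisory exit={2}" -f $dc, $nc, $r.ExitCode | Write-Output
    }
}

# 3. Review what would be deleted. A deleted privileged account or group membership showing up
#    here is the reason strict consistency blocked the partner in the first place.
$findings = $SuspectDcs | ForEach-Object { Get-AdvisoryFindings -ServerName $_ -Since $started }
$findings | Format-Table -AutoSize -Wrap

# 4. Real run, only once $DoRemove has been set deliberately.
if ($DoRemove) {
    foreach ($dc in $SuspectDcs) {
        foreach ($nc in $Partitions) {
            Invoke-LingeringObjectScan -ServerName $dc -Guid $ServerGuid -Partition $nc |
                Select-Object ServerName, Partition, ExitCode
        }
    }
}
```

Run it once with $DoRemove left at $false, read the 1946 events (and the repadmin text in $r.Output, which is the same thing repadmin prints at the console), then run again with $DoRemove = $true. Keeping the reference GUID, not the suspect DC's own GUID, as ServerGUID is the part people get wrong: the GUID identifies the authoritative copy you compare against, and pointing it at the DC that holds the lingering objects finds nothing.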
Strict Replication Consistency

To use Repadmin to enable strict replication consistency:

repadmin /regkey DC_LIST +strict

Registry equivalent:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Strict Replication Consistency = 1 (enable), 0 (disable)

where DC_LIST is the name of a single domain controller (* applies the change to all domain controllers in the forest). For the domain controller name, you can use the Domain Name System (DNS) name, the distinguished name of the domain controller computer object, or the distinguished name of the domain controller server object. If you do not use * to apply the change to all domain controllers, repeat for every domain controller on which you want to enable strict replication consistency.

Registry File
See the .reg block at the top of these notes (Strict Replication Consistency = 1, Allow Replication With Divergent and Corrupt Partner = 0, with the temporary resync values commented out).
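The two registry steps in these notes, step 3/4 of the resync procedure (open the divergent-partner window, replicate, close it again) and the strict-consistency audit of this section, as one added PowerShell example. It is not from the original notes or from Microsoft; it assumes PowerShell remoting to the DCs, repadmin.exe on the path and domain admin rights, and the DC names and naming context in the usage lines are placeholders. The point of the try/finally is that the protective value goes back to 0 even when repadmin fails half-way, which is the step that gets forgotten when this is done by hand.

```powershell
# Added example (not from the original notes). Assumes WinRM access to the DCs, repadmin.exe,
# and domain admin rights. DC names and the naming context are placeholders.
$ParamsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$StrictName = 'Strict Replication Consistency'
$AllowName  = 'Allow Replication With Divergent and Corrupt Partner'

function Set-NtdsParameter {
    # Write one DWORD under NTDS\Parameters on a remote DC. No service restart is needed for these two values.
    param([string]$Dc, [string]$Name, [int]$Value)
    Invoke-Command -ComputerName $Dc -ArgumentList $ParamsKey, $Name, $Value -ScriptBlock {
        param($Path, $Name, $Value)
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    }
}

function Get-ReplConsistency {
    # Audit: read both values from each DC. Anything other than Strict=1 / AllowDivergent=0 (or absent) is a finding.
    param([string[]]$Dc)
    Invoke-Command -ComputerName $Dc -ArgumentList $ParamsKey, $StrictName, $AllowName -ScriptBlock {
        param($Path, $Strict, $Allow)
        $k = Get-ItemProperty -Path $Path
        [pscustomobject]@{
            DC             = $env:COMPUTERNAME
            Strict         = $k.$Strict   # $null if the value was never set; set it explicitly (repadmin /regkey * +strict)
            AllowDivergent = $k.$Allow    # $null or 0 is the protective state
        }
    } | Select-Object DC, Strict, AllowDivergent
}

function Sync-FromDivergentPartner {
    # Step 3 and 4 of the resync procedure: allow one replication from the out-of-date partner,
    # then restore the protection regardless of the outcome.
    param([string]$Destination, [string]$Source, [string]$NamingContext)
    Set-NtdsParameter -Dc $Destination -Name $AllowName -Value 1
    try {
        # repadmin /replicate <Dest_DSA> <Source_DSA> <Naming Context>
        $out = & repadmin.exe /replicate $Destination $Source $NamingContext 2>&1
        [pscustomobject]@{ Destination = $Destination; Source = $Source; NC = $NamingContext;
                           ExitCode = $LASTEXITCODE; Output = ($out -join [Environment]::NewLine) }
    }
    finally {
        Set-NtdsParameter -Dc $Destination -Name $AllowName -Value 0
    }
}

# Usage (placeholders):
# Sync-FromDivergentPartner -Destination 'DC02.corp.example.com' -Source 'DC01.corp.example.com' -NamingContext 'DC=corp,DC=example,DC=com'
#
# Forest-wide audit; every DC this returns is either loosely consistent or still has the resync window open:
# Get-ReplConsistency -Dc ((Get-ADDomainController -Filter *).HostName) |
#     Where-Object { $_.Strict -ne 1 -or $_.AllowDivergent -eq 1 }
```

Run the audit after any resync and make it a scheduled check: a DC left with Allow Replication With Divergent and Corrupt Partner = 1 will accept lingering objects from any partner that later falls behind, and a DC left at Strict Replication Consistency = 0 will accept and forward them silently (event 1388) instead of blocking (event 1988).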