Active Directory is a critical part of Windows infrastructure, and the health of an Active Directory environment depends on its replication. Every Domain Controller should be in sync with, and aware of, changes made on any other Domain Controller, whether through the inter-site or the intra-site replication topology.

What is Strict Replication Consistency in Active Directory?

Strict replication consistency is a domain controller setting that ensures healthy domain controllers do not accept lingering objects from a domain controller that has been out of replication for too long.

Suppose one of your domain controllers was offline for longer than the tombstone lifetime. As soon as the DC comes back online, it will try to replicate with the other domain controllers. Because that DC still holds objects that were deleted and tombstone-expired everywhere else (lingering objects), replicating from it would reintroduce those objects into Active Directory. This is where strict replication consistency helps: it lets healthy domain controllers refuse inbound replication of such objects from the stale domain controller.

How to Enable Strict Replication

The best practice is to remove all lingering objects before enabling strict replication. The first step is to find the lingering objects on your domain controllers; the second step is to remove them.

Identify Lingering Objects via Event Logs

We can find lingering objects by searching the domain controllers' Directory Service event log for the following Event IDs:

  • Event ID 1388: Inbound replication of a lingering object has occurred on the destination domain controller (logged when the DC is in loose mode and has accepted the object).
  • Event ID 1988: Inbound replication of the directory partition containing a lingering object has been blocked on the destination domain controller (logged when the DC is in strict mode and has rejected it).

Remove Lingering Objects Using Repadmin

We can also use the following repadmin commands to identify lingering objects and remove them. Open an elevated command prompt with Enterprise Admin credentials.

Step 1: Find the GUID of the Domain Controller

repadmin /showrepl %ServerName%

The output lists the DSA object GUID of the DC you query. In the following steps, %ServerGUID% is the GUID of a known-good reference DC that holds an up-to-date copy of the partition, and %ServerName% is the DC to be checked or cleaned.

Step 2: Find Lingering Objects (Advisory Mode)

This reports lingering objects to the event log but does not delete them. %DirectoryPartition% is the distinguished name of the partition to check (for example, the domain partition DC=example,DC=com):

repadmin /removelingeringobjects %ServerName% %ServerGUID% %DirectoryPartition% /advisory_mode

Step 3: Delete Lingering Objects

repadmin /removelingeringobjects %ServerName% %ServerGUID% %DirectoryPartition%

Step 4: Enable Strict Replication on One DC

repadmin.exe /regkey <dcname> +strict

Or redirect the output to a log file so you have a record of which DCs were changed:

repadmin.exe /regkey <dcname> +strict > c:\temp\StrictDcs.log

Step 5: Enable Strict Replication on All DCs

repadmin.exe /regkey * +strict

Verify via Registry

You can confirm, enable, or disable strict replication directly in the registry at the following location. The value is a REG_DWORD named Strict Replication Consistency:

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  • Strict Replication Consistency = 0 -- Disabled (Loose)
  • Strict Replication Consistency = 1 -- Enabled (Strict)
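The following PowerShell script is an added example, not part of the original article. It ties together the two checks described above: it reads the Strict Replication Consistency registry value from every DC in the domain and counts Event ID 1388/1988 entries in each DC's Directory Service log, so you can see which DCs are still in loose mode and which have already accepted lingering objects before rolling out repadmin /regkey * +strict. It assumes the RSAT ActiveDirectory module is installed, WinRM is reachable on every DC, and the account running it can read the NTDS registry key and the Directory Service log; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example (not from the original article): audit strict replication
# consistency and lingering-object events across every DC in the domain.
# Assumptions: RSAT ActiveDirectory module installed, WinRM reachable on all
# DCs, and the caller can read the NTDS registry key and Directory Service log.
Import-Module ActiveDirectory

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'Strict Replication Consistency'
$LookBack  = (Get-Date).AddDays(-7)      # arbitrary window to scan for 1388/1988

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName

    # Registry check: 1 = strict, 0 = loose, $null = value not present on that DC
    $strict = Invoke-Command -ComputerName $name -ScriptBlock {
        param($p, $v)
        (Get-ItemProperty -Path $p -Name $v -ErrorAction SilentlyContinue).$v
    } -ArgumentList $RegPath, $ValueName -ErrorAction SilentlyContinue

    $mode = switch ($strict) {
        1       { 'Strict' }
        0       { 'Loose' }
        default { 'NotSet/Unreachable' }
    }

    # Event log check: 1388 = lingering object replicated in (loose mode),
    # 1988 = inbound replication blocked because of a lingering object (strict mode)
    $events = Get-WinEvent -ComputerName $name -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1388, 1988
        StartTime = $LookBack
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController = $name
        StrictSetting    = $mode
        Events1388       = @($events | Where-Object Id -eq 1388).Count
        Events1988       = @($events | Where-Object Id -eq 1988).Count
        LastEvent        = ($events | Sort-Object TimeCreated -Descending |
                            Select-Object -First 1).TimeCreated
    }
}

$results | Format-Table -AutoSize

# DCs that need attention before enabling strict mode everywhere: a DC still in
# loose mode that has logged 1388 has already accepted lingering objects and
# should be cleaned with repadmin /removelingeringobjects first.
$results | Where-Object { $_.StrictSetting -ne 'Strict' -or $_.Events1388 -gt 0 }
```

Run it from a management host before Step 5 and again afterwards: the first run tells you which DCs to clean, and the second should show every DC as Strict with no new 1388 entries (any 1988 entries that appear afterwards point at a source DC that still holds lingering objects).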