What is Strict Replication in Active Directory?
Active Directory is one of the most important parts of a Windows infrastructure, and the health of an Active Directory infrastructure depends on its replication. In an AD environment, all Domain Controllers should be in sync and aware of any change made on any active Domain Controller, whether the replication topology is inter-site or intra-site.
What is Strict Replication Consistency in Active Directory?
Strict replication consistency is a per-domain-controller setting that makes sure healthy domain controllers do not accept lingering objects from a domain controller that has been out of replication for too long.
Suppose one of your domain controllers is down for longer than the tombstone lifetime. As soon as that DC comes back online it tries to replicate with the other domain controllers, but it still holds objects that were deleted everywhere else (and whose tombstones have since been garbage-collected). These lingering objects would be reintroduced and make a mess of the Active Directory objects. This is where strict replication helps: healthy domain controllers refuse inbound replication of such objects from the stale, effectively corrupted, domain controller.
How to Enable Strict Replication?
Best practice is to remove all lingering objects before enabling strict replication. The first step is to find lingering objects on your domain controllers, and the second step is to remove them.
We can find lingering objects in the domain controllers' Directory Service event logs by searching for the following Event IDs.
Event ID 1388: Inbound replication of the lingering object has occurred on the destination domain controller.
Event ID 1988: Inbound replication of the directory partition of the lingering object has been blocked on the destination domain controller.
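As an added example (not part of the original article), the following PowerShell pulls Event IDs 1388 and 1988 from the Directory Service log of every DC in the forest so that lingering-object replication can be spotted before strict consistency is switched on. It assumes the RSAT ActiveDirectory module, Enterprise Admin rights and remote Event Log (RPC) access to each DC; the function name is my own.

```powershell
# Added example, not from the original article: collect Event IDs 1388 and 1988 from
# every DC's Directory Service log. Assumes the RSAT ActiveDirectory module, Enterprise
# Admin rights and remote Event Log (RPC) access to each DC.

Import-Module ActiveDirectory

function Find-LingeringObjectEvents {
    [CmdletBinding()]
    param(
        # Look-back window; these events are rare, so a wide window costs little
        [int]$Days = 30,
        # Limit the scan to particular DCs; default is every DC in the forest
        [string[]]$DomainController
    )

    if (-not $DomainController) {
        $DomainController = (Get-ADForest).Domains |
            ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
            Select-Object -ExpandProperty HostName
    }

    # 1388 = lingering object replicated in (loose consistency)
    # 1988 = inbound replication of the lingering object blocked (strict consistency)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 1388, 1988
        StartTime = (Get-Date).AddDays(-$Days)
    }

    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; treat that as "clean"
            # and only warn on real failures (RPC unreachable, access denied, ...)
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$dc : $($_.Exception.Message)"
            }
            continue
        }

        foreach ($e in $events) {
            $meaning = if ($e.Id -eq 1988) { 'Inbound replication blocked (strict)' } else { 'Lingering object replicated in (loose)' }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                EventId          = $e.Id
                Meaning          = $meaning
                # The message text names the source DC and the lingering object's DN/GUID
                Message          = $e.Message
            }
        }
    }
}

# Usage: a per-DC count first, then the detail for anything found
$found = Find-LingeringObjectEvents -Days 90
$found | Group-Object DomainController, EventId | Select-Object Name, Count
$found | Format-List DomainController, TimeCreated, EventId, Meaning, Message
```

A DC that returns only 1988 events is already refusing the objects; a DC that returns 1388 events has accepted them and needs cleaning with repadmin before strict consistency is enabled on it.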
We can also use the repadmin command to identify lingering objects and remove them.
Open a command prompt with Enterprise Admin credentials. In the commands below, %ServerName% is the domain controller to check or clean, %ServerGUID% is the DSA object GUID of the reference domain controller (the DC whose copy of the partition you trust), and %DirectoryPartition% is the distinguished name of the partition to check.
1- Find the DSA object GUID of the reference domain controller (it is printed on the "DSA object GUID:" line of the output)
repadmin /showrepl %ServerName%
2- Find lingering objects; they are reported in the event log but not deleted
repadmin /removelingeringobjects %ServerName% %ServerGUID% %DirectoryPartition% /advisory_mode
3- Delete the lingering objects
repadmin /removelingeringobjects %ServerName% %ServerGUID% %DirectoryPartition%
4- Enable strict replication on one DC
repadmin.exe /regkey <dcname> +strict
Or redirect the output to a file to keep a record of the change:
repadmin.exe /regkey <dcname> +strict > c:\temp\StrictDcs.log
5- Enable strict replication on all DCs
repadmin.exe /regkey * +strict
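As an added example (not part of the original article), the PowerShell below runs the repadmin workflow above against every DC in the reference DC's domain: it reads the reference DC's DSA object GUID from repadmin /showrepl, runs /removelingeringobjects in advisory mode for the schema, configuration and domain partitions, and only deletes when asked to. It assumes repadmin.exe on the path, Enterprise Admin rights and the RSAT ActiveDirectory module; the function names, the log path and the -Remove switch are my own.

```powershell
# Added example, not from the original article: drive repadmin /removelingeringobjects
# across a domain, advisory mode first, logging every command and its output.
# Assumes repadmin.exe on the path, Enterprise Admin rights and the RSAT ActiveDirectory module.

Import-Module ActiveDirectory

function Get-DsaGuid {
    # Parse the "DSA object GUID:" line that repadmin /showrepl prints for a DC
    param([Parameter(Mandatory)][string]$Server)
    $match = repadmin /showrepl $Server |
        Select-String -Pattern 'DSA object GUID:\s*([0-9a-fA-F-]{36})' |
        Select-Object -First 1
    if (-not $match) { throw "Could not read the DSA object GUID of $Server from repadmin /showrepl" }
    return $match.Matches[0].Groups[1].Value
}

function Invoke-LingeringObjectScan {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # DC whose copy of the partitions is treated as authoritative (the source DSA GUID)
        [Parameter(Mandatory)][string]$ReferenceDC,
        # Hypothetical log location; any writable path will do
        [string]$LogPath = 'C:\temp\LingeringObjects.log',
        # Without -Remove the scan runs in /advisory_mode: report in the event log, delete nothing
        [switch]$Remove
    )

    $refGuid = Get-DsaGuid -Server $ReferenceDC
    $refDc   = Get-ADDomainController -Identity $ReferenceDC
    $rootDse = Get-ADRootDSE -Server $ReferenceDC

    # Partitions every DC in the domain holds: schema, configuration and the domain NC
    $partitions = @($rootDse.schemaNamingContext,
                    $rootDse.configurationNamingContext,
                    $refDc.DefaultPartition)

    # Every other DC in the reference DC's domain is a destination to check
    $targets = Get-ADDomainController -Filter * -Server $refDc.Domain |
        Select-Object -ExpandProperty HostName |
        Where-Object { $_ -ne $refDc.HostName }

    foreach ($dc in $targets) {
        foreach ($nc in $partitions) {
            $cmdArgs = @('/removelingeringobjects', $dc, $refGuid, $nc)
            if (-not $Remove) { $cmdArgs += '/advisory_mode' }

            # Deletion is destructive, so honour -WhatIf / -Confirm for it
            if ($Remove -and -not $PSCmdlet.ShouldProcess($dc, "remove lingering objects in $nc")) { continue }

            "[$(Get-Date -Format s)] repadmin $($cmdArgs -join ' ')" | Add-Content -Path $LogPath
            & repadmin @cmdArgs 2>&1 | Add-Content -Path $LogPath
        }
    }
}

# Usage: advisory pass first, review the log and the Directory Service event log,
# then repeat with -Remove (try -WhatIf first to see which commands would run)
Invoke-LingeringObjectScan -ReferenceDC 'dc01.example.internal'
# Invoke-LingeringObjectScan -ReferenceDC 'dc01.example.internal' -Remove -WhatIf
```

Pick a reference DC that replicated normally throughout the outage; the GUID of the stale DC must never be used as the source, because that would tell repadmin to treat the lingering objects as the correct ones.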
You can also confirm, enable or disable strict replication directly in the registry through the following value:
Strict Replication Consistency (REG_DWORD)
0 = Disabled (Loose)
1 = Enabled (Strict)
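As an added example (not part of the original article), the PowerShell below reads the Strict Replication Consistency value on every DC in the forest and reports whether each one is Strict, Loose or has the value unset, with a second function to set it. The value lives under the NTDS Parameters key, HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters (its documented location; the article does not spell out the path). It assumes PowerShell Remoting to each DC and the RSAT ActiveDirectory module; the function names are my own.

```powershell
# Added example, not from the original article: audit and set the
# "Strict Replication Consistency" registry value on every DC over PowerShell Remoting.
# Assumes the RSAT ActiveDirectory module and WinRM access to each DC.

Import-Module ActiveDirectory

$NtdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'  # documented NTDS key
$ValueName = 'Strict Replication Consistency'                             # REG_DWORD: 0 = loose, 1 = strict

function Get-AllDomainControllers {
    (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty HostName
}

function Get-StrictReplicationState {
    param([string[]]$DomainController = (Get-AllDomainControllers))

    Invoke-Command -ComputerName $DomainController -ArgumentList $NtdsKey, $ValueName -ScriptBlock {
        param($key, $name)
        $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $mode = switch ($raw) {
            1       { 'Strict' }
            0       { 'Loose' }
            default { 'Not set' }
        }
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            RawValue         = $raw
            Mode             = $mode
        }
    } | Select-Object DomainController, RawValue, Mode
}

function Set-StrictReplicationState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$DomainController = (Get-AllDomainControllers),
        # $true writes 1 (strict), $false writes 0 (loose)
        [Parameter(Mandatory)][bool]$Strict
    )
    $value = if ($Strict) { 1 } else { 0 }
    foreach ($dc in $DomainController) {
        if (-not $PSCmdlet.ShouldProcess($dc, "set $ValueName to $value")) { continue }
        Invoke-Command -ComputerName $dc -ArgumentList $NtdsKey, $ValueName, $value -ScriptBlock {
            param($key, $name, $v)
            Set-ItemProperty -Path $key -Name $name -Value $v -Type DWord
        }
    }
}

# Usage: audit first; any DC not reporting "Strict" is the odd one out
Get-StrictReplicationState | Sort-Object Mode | Format-Table -AutoSize
# Enable on the remaining DCs once lingering objects have been cleaned:
# Set-StrictReplicationState -Strict $true -WhatIf
```

The audit is the useful part after repadmin /regkey * +strict has been run: repadmin reports each DC it reached, but a DC that was unreachable at that moment keeps its old setting, and this report shows which ones those are.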