Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1388 Source: NTDSReplication

This destination system received an update for object which should have been present locally, but was not. The attribute set included in the packet is not sufficient to create the object.  A full copy of the object will be requested.
Object Name: DC="114
DEL:<GUID>",CN=Deleted Objects,DC=xxxx-xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx Object GUID: <GUID> Partition: DC=xxxx-xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx Transport-specific source address: Destination highest property update USN: 467737.
In one case, this occurred on a domain that was created by restoring an image of a domain controller and then promoting two other domain controllers with DCPROMO. It was found that AD replication was not working. It is believed that the original image may have contained Active Directory objects that were older than the tombstone lifetime interval or some other corruption. This was fixed by using DCPROMO to demote/promote one domain controller at a time, and seizing the FSMO roles.
As per Microsoft: "This event indicates that a destination domain controller that does not have strict replication consistency enabled has received a request to update an object that does not reside in the local copy of the Active Directory database". See the link to "Fixing Replication Lingering Object Problems" to solve this problem.
See the link to "EventID 1388 from source Active Directory" for information on this event.
From a newsgroup post: "I'm currently running a Windows 2000 domain on a number of domain controllers across various sites. Recently, our FSMO server (which is also a PDC Emulator), Server1 went offline. We restored from backups to get it running again. When it came back online, it immediately updated any changes that were made to Active Directory (AD) during its downtime, so it was assumed that everything was all right. However, during the time Server1 was offline, changes were made to Group Policy (GP) (creating, modifying, deleting etc) on Server2, which is located on the same site. Two days later after Server1 was brought back online and the changes were made to GP, we found that the GPs weren't applying to the clients at our other sites. I used the GPRESULT.EXE tool to verify this. I used the GPOTOOL on the DCs and found that an error was generated on Server2, which was: “Error: Cannot access \\Server2\sysvol\mydomain\policies\{CF5495EF-7667-4241-A5FA-8EBCD4658A51}, error 2”. The GP that the error message refers to is one called AutoUpdates, which I deleted from Server2. I verified that the folder no longer exists, so it seems that even though all references to AutoUpdates was deleted GPO seems to think that AutoUpdates still exists. I ran GPOTOOL on the other DCs except for Server1 and got the same error message as described above. I get no error messages running GPOTOOL on Server1. As far as it's concerned, AutoUpdates doesn't exist. All the other changes and additions of GPs seemed to have replicated fine too. I have tested the replication on both AD and FRS, and they seem to both be working fine. Seem to in the sense that changes to AD are getting replicated as are changes to files under the NETLOGON share. To fix the problem I went into the Active Directory Users and Computers snap-in, changed the view to include Advanced Features, and went to the Policies folder under System and found the lingering policy that I deleted. I manually deleted it, waited for the change to replicate across the domain and now everything is right again".

Take a look at ME317097 for more details.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.