Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1988 Source: NTDSReplication

The local domain controller has attempted to replicate the following object from the following source domain controller. This object is not present on the local domain controller because it may have been deleted and already garbage collected.

Source domain controller: <GUID>
Object: <object distinguished name>
Object GUID: <GUID>

Replication will not continue with the source domain controller until the situation has been resolved.
From the error message, identify the name of the domain controller containing the lingering objects ("Source DC" in the error message). This can be done by pinging the FQDN mentioned in the error message to identify the IP address of the server, or by checking the _msdcs section in DNS.

Source DC (Transport-specific network address):

Identify the GUID of the domain controller on which you receive the event log message, by using 'repadmin /showrepl' on that domain controller. This would be the value for "DC object GUID" in the results of the repadmin command.

Within the error message, identify the naming context in which the lingering objects exist, e.g. the error message might mention (example only!):

DC=DomainDnsZones, DC=yourdomain, DC=local

Run the following command on the dc on which you receive the error message:

repadmin /removelingeringobjects name_of_server_containg_lingering_objects GUID_of_dc_on_which_error_appears DC=DomainDnsZones, DC=yourdomain, DC=local /advisory_mode

On the dc containing the lingering objects, check the Directory Service event log for information logged about lingering objects found.

Now run the same command as above, but omit '/advisory_mode'. Check the event log again, which should report that lingering objects have been removed.
You can get these errors when one of your DCs is offline for too long (+60 days).
- Step 1: try removing lingering items according to ME870695. Use the syntax repadmin /removelingeringobjects BAD-DC-FQDN GOOD-DC-GUID PARTITION, and remove this for all DNS partitions (domain, configuration, schema, forestdnszones, domaindnszones, and others if applicable).
- Step 2: if after a while the lingering objects are back, use ReplDiag instead (see EV100261 (Cleaning lingering objects across the forest with ReplDiag.exe). Remember to run it using Enterprise Admin credentials.
- Step 3: if this still doesn't solve the problem, demote the faulty DC, remove it from the domain, delete all AD references to it (use ntdsutil and also check the _msdcs DNS zone), then add it to the domain again and promote it again.
- Step 4: if demoting/promoting the faulty DC is not an option, turn off Strict Replication (see ME317097)
This error for our DC revolved around deleted objects that had accumulated since the source DC was offline. The “repadmin /removelingeringobjects” command worked for all other containers but would not touch this.
In the end, I just turned off Strict Replication after a systemstate backup and now replication is working without error.
As per Microsoft: "This event indicates that a destination domain controller that has strict replication consistency enabled has received a request to update an object that does not exist in its local copy of the Active Directory database". See the link to "Fixing Replication Lingering Object Problems" to solve this problem.
See ME870695 to resolve this problem.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.