Active Directory

Remove Lingering Objects

Lingering objects are objects in a Windows Active Directory forest that have been created, replicated, deleted and then garbage collected on at least one DC (the one that originated the deletion), but that still exist as live objects on one or more other DCs in the same forest.

Lingering object removal has traditionally required lengthy cleanup sessions with tools such as LDP, ADSIEdit and repadmin /removelingeringobjects, which anyone working with AD will have used at least once and may have wished never to touch again!

A number of tools have since improved the process and management of AD replication, including PowerShell scripts, repldiag.exe, ManageEngine and ADREPLSTATUS, and now we have another tool for our USB stick: Lingering Object Liquidator.

Tombstone lifetime and replication of deletions

When an object is changed, added or deleted, Active Directory replicates the change. A deleted object becomes a tombstone object. A tombstone consists of a small subset of the attributes of the deleted object and is replicated to all other domain controllers in the domain so that they receive information about the deletion. The tombstone is retained in Active Directory for a specified period, called the tombstone lifetime (TSL). At the end of the TSL, the tombstone object is permanently deleted.

The default value of the TSL depends on the version of the operating system that is running on the first domain controller that is installed in a forest. The following table indicates the default TSL values for different Windows operating systems.

First domain controller in forest root       Default tombstone lifetime
Windows 2000                                 60 days
Windows Server 2003                          60 days
Windows Server 2003 with Service Pack 1      180 days

Why you should care about lingering object removal

It is important to remove lingering objects for the following reasons:

  • Lingering objects can result in long-term divergence of objects and attributes residing on different DCs in your Active Directory forest.
  • The presence of lingering objects prevents the replication of newer objects, deletions and modifications to destination DCs configured to use strict replication consistency. These un-replicated changes may apply to objects or attributes on users, computers, groups, group memberships or ACLs.
  • Objects intentionally deleted by admins or applications continue to exist as live objects on DCs that have yet to inbound-replicate knowledge of the deletions.
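The two conditions described above (a DC that has not replicated a partition for longer than the TSL, and a destination DC running strict replication consistency) are the ones worth auditing before any cleanup. The following PowerShell script is an added example, not part of the original article or of the Lingering Object Liquidator tool. It assumes the ActiveDirectory module (RSAT) is installed, that the session has rights to read the configuration partition and the NTDS registry key on each DC, and that the Partner property returned by Get-ADReplicationPartnerMetadata is the partner's NTDS Settings distinguished name (an assumption used to look up the source DSA GUID). It reads the forest TSL, lists inbound replication partners whose last successful replication is older than the TSL, reports each DC's strict-consistency setting, and prints the matching repadmin advisory-mode command (which only reports what would be removed and changes nothing).

```powershell
# Added example: audit a forest for lingering-object risk. Not from the original article.
# Assumes the ActiveDirectory PowerShell module and a domain-joined admin session.
Import-Module ActiveDirectory

function Get-ForestTombstoneLifetime {
    # The TSL is stored on the Directory Service object in the configuration partition.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    if ($null -eq $ds.tombstoneLifetime) {
        # Attribute absent: the forest still runs the original 60-day default.
        return 60
    }
    return [int]$ds.tombstoneLifetime
}

function Get-StaleReplicationPartners {
    param([int]$TombstoneLifetimeDays)
    # Anything not replicated within one TSL may already hold lingering objects.
    $cutoff  = (Get-Date).AddDays(-$TombstoneLifetimeDays)
    $results = @()
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Inbound partner metadata, per naming context, for this DC.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server `
                                                 -ErrorAction SilentlyContinue
        foreach ($m in $meta) {
            if ($m.LastReplicationSuccess -lt $cutoff) {
                # Assumption: $m.Partner is the partner's "CN=NTDS Settings,..." DN,
                # whose objectGUID is the source DSA GUID repadmin expects.
                $dsaGuid = (Get-ADObject -Identity $m.Partner -Properties objectGUID).objectGUID
                $results += [pscustomobject]@{
                    Destination = $dc.HostName
                    Partner     = $m.Partner
                    SourceGuid  = $dsaGuid
                    Partition   = $m.Partition
                    LastSuccess = $m.LastReplicationSuccess
                    DaysBehind  = [int]((Get-Date) - $m.LastReplicationSuccess).TotalDays
                }
            }
        }
    }
    return $results
}

function Get-StrictReplicationConsistency {
    param([string]$ComputerName)
    # 1 = strict: the DC rejects updates that reference objects it no longer holds
    # (and logs event 1988); 0 = loose: the DC re-animates the object, spreading it.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue
        ).'Strict Replication Consistency'
    }
}

# --- report ---
$tsl = Get-ForestTombstoneLifetime
"Forest tombstone lifetime: $tsl days"

foreach ($dc in Get-ADDomainController -Filter *) {
    $strict = Get-StrictReplicationConsistency -ComputerName $dc.HostName
    "$($dc.HostName): Strict Replication Consistency = $strict"
}

$stale = Get-StaleReplicationPartners -TombstoneLifetimeDays $tsl
if (-not $stale) { "No inbound partner is older than the TSL."; return }

foreach ($s in $stale) {
    "$($s.Destination) has not replicated $($s.Partition) from $($s.Partner) " +
    "for $($s.DaysBehind) days (last success $($s.LastSuccess))"
    # Advisory mode only lists what would be removed; drop the switch only after review.
    "  repadmin /removelingeringobjects $($s.Destination) $($s.SourceGuid) `"$($s.Partition)`" /advisory_mode"
}
```

Run it from a management host rather than on a DC; the only write it could ever perform is the repadmin command, and that is printed, not executed. A partner that shows up here with DaysBehind above the TSL is exactly the case where the destination DC may have missed deletions, so review the advisory-mode output (and the destination's Directory Service event log) before any removal.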

How to obtain Lingering Object Liquidator

1. Log on to the Microsoft Connect site (using the Sign in link) with a Microsoft account:

http://connect.microsoft.com

Note: You may have to create a profile on the site if you have never participated in Connect.

2. Open the Non-feedback Product Directory:

https://connect.microsoft.com/directory/non-feedback

3. Join the following program:

AD Health

(Product: Azure Active Directory Connection; use the Join link)

4. Click the Downloads link to see a list of downloads or this link to go directly to the Lingering Objects Liquidator download. (Note: the direct link may become invalid as the tool gets updated.)

5. Download all associated files

6. Double click on the downloaded executable to open the tool.