Lingering objects are objects in Active Directory that were created, replicated and deleted, and whose tombstones have since been garbage collected on at least the DC that originated the deletion, but which still exist as live objects on one or more DCs in the same forest.
Lingering object removal has traditionally required lengthy cleanup sessions with tools such as LDP.exe, ADSI Edit and repadmin /removelingeringobjects, which anyone working with AD will have used at least once and may have wished never to touch again!
A number of tools have improved the process and management of AD replication, including PowerShell scripts, repldiag.exe, ManageEngine and the AD Replication Status Tool (ADREPLSTATUS), and now we have another tool for the USB stick: Lingering Object Liquidator.
Tombstone lifetime and replication of deletions
When an object is added, changed or deleted, Active Directory replicates the change. A deleted object becomes a tombstone: a stripped-down copy that retains only a small subset of the original object's attributes and is replicated to all other domain controllers so that they learn of the deletion. The tombstone is retained in Active Directory for a specified period, the tombstone lifetime (TSL). At the end of the TSL the tombstone is garbage collected and permanently removed, so a DC that has not inbound-replicated the deletion by then will never learn of it.
The default TSL depends on the version of the operating system running on the first domain controller installed in the forest. The following table lists the default TSL for each Windows version.
First domain controller in forest root          Default tombstone lifetime
Windows 2000                                    60 days
Windows Server 2003                             60 days
Windows Server 2003 with Service Pack 1         180 days
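The table gives defaults, but the effective value is whatever is stored on the Directory Service object in the Configuration partition (an absent value means the legacy 60 days), and a forest that started on Windows 2000 keeps 60 days unless someone raised it. The following PowerShell is an added example, not code from the article or from the Lingering Object Liquidator tool: it reads the effective TSL and then lists replication partnerships that have not succeeded within that window, since a partner that has been out of touch for longer than the TSL is exactly where lingering objects come from. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the Configuration partition and replication metadata.

```powershell
# Added example (not from the original article): read the effective tombstone
# lifetime of the forest and flag replication partnerships that have not
# replicated successfully within that window.
Import-Module ActiveDirectory

function Get-EffectiveTombstoneLifetime {
    # The TSL is the tombstoneLifetime attribute of
    # CN=Directory Service,CN=Windows NT,CN=Services in the Configuration
    # partition. If the attribute is not set the forest uses the legacy
    # default of 60 days (forests whose first DC ran Windows 2000 or
    # Windows Server 2003 without SP1).
    $rootDse  = Get-ADRootDSE
    $dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $dsObject = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
    if ($null -eq $dsObject.tombstoneLifetime) { return 60 }
    return [int]$dsObject.tombstoneLifetime
}

function Get-StaleReplicationPartners {
    param(
        [int]$TombstoneLifetimeDays = (Get-EffectiveTombstoneLifetime)
    )
    $cutoff = (Get-Date).AddDays(-$TombstoneLifetimeDays)
    # Get-ADReplicationPartnerMetadata reports, per partner and partition,
    # when inbound replication last succeeded. A partnership older than the
    # TSL can no longer receive deletions whose tombstones were already
    # garbage collected, so any object deleted in that window lingers.
    Get-ADReplicationPartnerMetadata -Target * -Scope Forest -Partition * |
        Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures
}

$tsl = Get-EffectiveTombstoneLifetime
"Effective tombstone lifetime: $tsl days"
Get-StaleReplicationPartners -TombstoneLifetimeDays $tsl | Format-Table -AutoSize
```

Run it from any domain-joined admin workstation; an empty result from Get-StaleReplicationPartners means every partnership has replicated within the TSL, which is the state you want to confirm before and after a cleanup.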
Why you should care about lingering object removal
It is important to remove lingering objects for the following reasons:
- Lingering objects can result in long-term divergence of objects and attributes between DCs in your Active Directory forest.
- The presence of lingering objects prevents the replication of newer objects, deletions and modifications to destination DCs configured for strict replication consistency, which halt inbound replication from the offending source for that partition. These unreplicated changes may affect users, computers, groups, group memberships or ACLs.
- Objects intentionally deleted by administrators or applications continue to exist as live objects on DCs that have not yet inbound-replicated knowledge of the deletions.
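Whether a DC refuses a lingering object (strict consistency) or quietly reanimates it (loose consistency) is a per-DC registry setting, and both outcomes leave a trail in the Directory Service event log. The PowerShell below is an added example, not code from the article or from Lingering Object Liquidator: it reports the consistency mode of every DC, collects the events that indicate lingering objects, and wraps the traditional repadmin /removelingeringobjects check in advisory mode, which only reports what it would remove. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, and repadmin.exe on the path; the naming context in the usage line is a hypothetical placeholder.

```powershell
# Added example (not from the original article): find DCs that will block or
# reanimate lingering objects, surface the related events, and run the
# non-destructive advisory check with repadmin.
Import-Module ActiveDirectory

function Get-ReplicationConsistencyMode {
    # "Strict Replication Consistency" is a REG_DWORD under the NTDS
    # parameters key: 1 = strict (lingering object refused, Event 1988 logged),
    # 0 = loose (object reanimated on this DC, Event 1388 logged). An absent
    # value should itself be treated as a finding to investigate.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $value = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -ErrorAction SilentlyContinue).'Strict Replication Consistency'
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Mode             = if ($value -eq 1) { 'Strict' } elseif ($null -eq $value) { 'Not set' } else { 'Loose' }
        }
    }
}

function Get-LingeringObjectEvents {
    param([int]$Days = 30)
    # Directory Service log: 1388 = lingering object accepted (loose),
    # 1988 = lingering object blocked (strict),
    # 2042 = a partner has not replicated for longer than the tombstone lifetime.
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 1388, 1988, 2042
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Select-Object MachineName, TimeCreated, Id,
                @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
    }
}

function Test-LingeringObjectsAdvisory {
    param(
        [Parameter(Mandatory)][string]$DestinationDC,  # DC suspected of holding lingering objects
        [Parameter(Mandatory)][string]$ReferenceDC,    # known-good DC to compare against
        [Parameter(Mandatory)][string]$NamingContext   # partition to check, e.g. the domain NC
    )
    # repadmin identifies the reference (source) DC by the objectGUID of its
    # NTDS Settings object, not by name, so resolve it first.
    $settingsDn = (Get-ADDomainController -Identity $ReferenceDC).NTDSSettingsObjectDN
    $dsaGuid    = (Get-ADObject -Identity $settingsDn).ObjectGUID
    # /advisory_mode deletes nothing: each lingering object found is logged as
    # Event 1946 on the destination DC, with a summary in Event 1942.
    & repadmin.exe /removelingeringobjects $DestinationDC $dsaGuid $NamingContext /advisory_mode
}

Get-ReplicationConsistencyMode | Format-Table -AutoSize
Get-LingeringObjectEvents -Days 30 | Format-Table -AutoSize
# Hypothetical names; substitute your own DCs and naming context.
Test-LingeringObjectsAdvisory -DestinationDC 'DC02' -ReferenceDC 'DC01' -NamingContext 'DC=corp,DC=example,DC=com'
```

Run the advisory check once per naming context (domain, Configuration, and any application partitions) against each suspect DC, review the 1946 events, and only then repeat the command without /advisory_mode or hand the job to Lingering Object Liquidator.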
How to obtain Lingering Object Liquidator
1. Log on to the Microsoft Connect site (using the Sign in link) with a Microsoft account.
Note: You may have to create a profile on the site if you have never participated in Connect.
2. Open the Non-feedback Product Directory:
3. Join the following program:
Product: Azure Active Directory Connection (use its Join link)
5. Download all associated files.
6. Double-click the downloaded executable to open the tool.