Shulou(Shulou.com)06/03 Report--

When sorting out data synchronization problems for domain users, there is a problem that prompts "the directory service has run out of relative identifier pools" when creating users. After dealing with the problem of identifier pool, it is found that primary and secondary synchronization can not be synchronized at the same time. After searching for some information on the Internet, the final processing method is as follows.

Problem 1: modify the registry: change the TombstoneLifeTime time to solve the problem that the directory service has run out of relative identifier pools

Step 1: run Regedit.exe to edit the registry and navigate to the following location:

HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NTDS\ Parameters

Edit StrictReplication Consistency to 1.

Note: before operating on the registry, you should back up the registry. Improper use of the Registry Editor can cause serious problems that may require a reinstallation of the operating system. Microsoft does not guarantee that it will solve problems caused by improper use of the Registry Editor. You need to use the Registry Editor at your own risk.

Step 2: then do the following on both DC:

Run regedit, find HKLM\ System\ CurrentControlSet\ Services\ NTDS\ Parameters\ AllowReplication With Divergent and Corrupt Partner, and set the key to 1.

If not, create a new Allow Replication With Divergent and Corrupt Partner manually with a type of DW (double-byte value).

After doing the above, restart DC to check the replication of DC.

Step 3: when an object is deleted, it does not disappear completely immediately. In fact, at this time the object is just a record marked as a "tombstone record". After the default TombstoneLifeTime (tombstone life cycle) of 180 days, this record will be completely deleted from the AD database, so by default, we can only restore the record within 180 days. However, you can restore an AD database backup at a specified time by manually modifying the TombstoneLifeTime time. (note that the default time for TombstoneLifeTime in previous versions of the operating system is 60 days)

Run ADsiedit.msc and select the settings in the following figure in turn

Problem 2: modify the registry: let pdc and dc copy at no cost: primary and secondary synchronization can not be synchronized at the same time

Tip: if one of the source or domain controllers is Windows 2000Server DC, you can find more information on how to delete latency objects on the source DC at http://support.microsoft.com/?id=314282, or from your Microsoft support specialist.

"if you need ActiveDirectory replication to work immediately (regardless of cost) and do not have time to delete latency objects, enable loose replication consistency by canceling the following registry key settings:"

Registry Key:

HKLM\ System\ CurrentControlSet\ Services\ NTDS\ Parameters\ StrictReplication Consistency

Set Strict Replication Consistency to 0

Replication errors between DC that share a public partition can cause differences in user and computer accounts, trust relationships, their passwords, security groups, security group membership, and other ActiveDirectory configuration data between DC, which can affect logins, find related objects, and perform other important operations. Once the replication errors are resolved, these inconsistencies will be resolved. The DC of deleted objects that fail to replicate inbound within the logical deletion lifetime will remain inconsistent unless the administrator manually removes the deferred object from each local DC.

Latency objects may be blocked, ensuring that all domain controllers in the forest run ActiveDirectory, connect topologically via spanning tree, and perform inbound replication before the logical deletion lifetime expires.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.