Enabling Strict or Loose Replication Consistency
Using a graphical user interface
Using a command-line interface
To enable strict consistency, run the following command:
> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict Replication Consistency" /t REG_DWORD /d 1
To enable loose consistency, run the following command:
> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict Replication Consistency" /t REG_DWORD /d 0
Using VBScript
' This code enables strict or loose consistency on the specified DC.
' ------ SCRIPT CONFIGURATION -----
intEnableStrict = 1   ' 1 = strict consistency, 0 = loose consistency
strDC = "<DomainControllerName>"
' ------ END CONFIGURATION --------

' HKEY_LOCAL_MACHINE hive constant used by the WMI StdRegProv class
const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Parameters"

' Connect to the WMI registry provider on the target DC
set objReg = GetObject("winmgmts:\\" & strDC & _
                       "\root\default:StdRegProv")

' Write the DWORD value (note: no leading space in the value name)
objReg.SetDWORDValue HKLM, strNTDSReg, "Strict Replication Consistency", _
                     intEnableStrict
WScript.Echo "Strict Replication Consistency value set to " & _
             intEnableStrict
Discussion
Up until Windows 2000 Service Pack 3, domain controllers followed a loose replication consistency model whereby lingering objects could get reinjected into Active Directory and replicate among all the domain controllers. A lingering object is one that was previously deleted but got reintroduced, either because a domain controller did not successfully replicate for longer than the period defined by the tombstoneLifetime attribute, or because the object was restored from a backup that was older than the tombstoneLifetime. See the "Introduction" of Chapter 17 for more on the tombstoneLifetime attribute. Windows 2000 SP2 and earlier domain controllers would replicate the lingering object throughout the naming context. Loose consistency thus has the potential to cause security risks, since an object you thought was deleted (for example, a user account) is back in the forest again.
Some post-SP2 hotfixes and SP3 introduced strict replication consistency. Under strict replication, a domain controller will stop replicating with a destination domain controller when it determines that the source is attempting to replicate a lingering object. Event ID 1084 will get logged in the Directory Service event log indicating that it couldn't replicate the lingering object. Although strict replication can halt replication, it is the preferable method and is a good check to ensure lingering objects do not infiltrate your forest. For this reason, you must monitor your domain controllers to ensure they are replicating on a regular basis and that they do not have any 1084 events.
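As an added example (not part of the original recipe or the cookbook's own scripts), the following PowerShell script audits every domain controller in the domain for the "Strict Replication Consistency" registry value and for recent Event ID 1084 entries in the Directory Service log. It assumes the ActiveDirectory module is installed and that PowerShell remoting and remote event log access are permitted to each DC; the $LookbackDays parameter name is this example's own.

```powershell
# Added example: audit DCs for replication consistency mode and Event ID 1084.
# Assumes the ActiveDirectory module and PowerShell remoting to each DC.
param(
    [int]$LookbackDays = 7   # how far back to look for 1084 events
)

Import-Module ActiveDirectory

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Strict Replication Consistency'
$since     = (Get-Date).AddDays(-$LookbackDays)

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # Read the registry value on the DC; $null means the value is absent and
    # the operating system default for that DC applies.
    $setting = Invoke-Command -ComputerName $name -ScriptBlock {
        param($path, $value)
        (Get-ItemProperty -Path $path -Name $value -ErrorAction SilentlyContinue).$value
    } -ArgumentList $regPath, $valueName

    # Event 1084 is logged when strict consistency refuses a lingering object.
    # Get-WinEvent returns newest entries first.
    $events = Get-WinEvent -ComputerName $name -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1084
        StartTime = $since
    } -ErrorAction SilentlyContinue

    $mode = switch ($setting) {
        1       { 'strict' }
        0       { 'loose' }
        default { 'not set (OS default)' }
    }

    [pscustomobject]@{
        DomainController = $name
        Consistency      = $mode
        Event1084Count   = @($events).Count
        LastEvent1084    = ($events | Select-Object -First 1).TimeCreated
    }
}
```

Any DC reporting "loose" or a non-zero Event1084Count deserves follow-up: the former is exposed to lingering-object reinjection, the latter has stopped replicating from a partner that still holds one.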
See Also
The "Introduction" of Chapter 17 for more on the tombstoneLifetime attribute; MS KB 317097 (Lingering Objects Prevent Active Directory Replication from Occurring); and MS KB 314282 (Lingering Objects May Remain After You Bring an Out-of-Date Global Catalog Server Back Online)