17 December, 2010

How to Create Lingering Objects - Lab

Lingering: to be slow in parting or in quitting something, OR to remain existent although often waning in strength, importance, or influence.

Let's see how lingering objects get created in a domain.

Example:
Two domain controllers, DC1 and DC2
User1 exists on both DCs
AD replication between the two DCs stopped on 01st Jan
The tombstone period is the default of 180 days
On 01st Feb, the domain administrator deleted User1 on DC1
Since AD replication was not working, the deletion was not replicated to DC2
From then on, User1 is gone from DC1 but still present on DC2
On DC1, User1 sits in the "Deleted Objects" container, whereas on DC2 it is still a live object in AD
On 30th July, User1 (deleted on 01st Feb) crosses its tombstone period; within the next 12 hours it is garbage collected and removed completely from DC1's copy of Active Directory
Now assume that on 01st Aug the administrator checked AD replication, found it broken and fixed it (please don't ask me what this administrator was doing for the past 6 months and why he suddenly checked replication now... just believe me that we do have such administrators in this world... :) and yes, their jobs still survive....)

Now the situation is as follows:

On DC1: User1 is neither in AD nor in the "Deleted Objects" container
On DC2: User1 is present in AD

Had the fast and furious administrator fixed replication before User1 was garbage collected, the deletion would have replicated out from DC1 after the fix and User1 would have been deleted from DC2 as well.

But that didn't happen, and now that replication is fixed, DC2 will try to push User1 to DC1.
At this point you can of course raise a question!!!
Why can't DC1 simply accept User1 and let it be replicated back from DC2?

The answer lies in what happens when a user is deleted: some of its attributes are stripped off and the object is moved to the "Deleted Objects" container. Then, once garbage collection completes, the object is moved out of the "Deleted Objects" container, but it still remains in AD with even more of its attributes stripped off. A few attributes, such as the object's GUID, ALWAYS remain with the object even though it is permanently deleted.

Coming back to DC1: since DC2 is trying to replicate User1, which has already been deleted and garbage collected on DC1, DC1 will now treat this object as a "Lingering Object".

Lingering Object: an object that has been deleted and garbage collected on one domain controller but still exists on another domain controller.

Lab steps:

Make sure AD replication is working fine between the two domain controllers.

Create a few users on DC1.

Change the tombstone period from 180 days to 2 days (the minimum allowed value).

Disable inbound replication on DC1.

Disable outbound replication on DC1.

Connect with LDP and browse to the "Deleted Objects" container.

Delete a few of the users from AD on DC1.

Check that you can see those users in the "Deleted Objects" container.

Now increase the system time by two days. This makes sure that the tombstone period of the users we deleted, which are sitting in the "Deleted Objects" container, expires.

Once the tombstone period of a user expires, the garbage collection process will run and delete the user completely from AD on this DC.

But we would have to wait up to 12 hours for the garbage collection process to run (the default garbage collection interval is 12 hours).

Instead, we force garbage collection so that the users are removed from the "Deleted Objects" container on DC1 right away.

Now check the "Deleted Objects" container; we should not see any of those objects in it, since garbage collection has run.

Enable inbound replication on DC1.

Enable outbound replication on DC1.

Change the system time back to what it was earlier.

Check the events.

On DC1, you will not find those users.

On DC2, those users are still there in AD.

Make any change to those users on DC2 (to trigger replication).

Check the events on DC1, the DC from which the users were deleted.

Oops... We got a lingering object... :(
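The whole lab above, scripted end to end as an added example (my code, not the post's). It assumes an elevated PowerShell session on DC1 in a throwaway lab forest, the hostnames DC1/DC2, the domain DN DC=lab,DC=local, the ActiveDirectory module and repadmin.exe.

```powershell
# Added example, not from the original post. Run on DC1 in a throwaway lab
# forest; DC1, DC2 and 'DC=lab,DC=local' are assumed names.
$Dc1 = 'DC1'; $Dc2 = 'DC2'; $DomainDn = 'DC=lab,DC=local'   # assumptions
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,$DomainDn"
$names = 1..3 | ForEach-Object { "LingerUser$_" }

# 1. Confirm replication is healthy before deliberately breaking it.
repadmin /replsummary $Dc1 $Dc2

# 2. Create the test users on DC1 and push them to DC2.
foreach ($n in $names) { New-ADUser -Name $n -Server $Dc1 -Enabled $false }
repadmin /replicate $Dc2 $Dc1 $DomainDn

# 3. Drop the tombstone lifetime to the 2-day minimum (forest-wide setting).
Set-ADObject -Identity $dsConfig -Server $Dc1 -Replace @{ tombstoneLifetime = 2 }

# 4. Isolate DC1: no inbound and no outbound replication.
repadmin /options $Dc1 +DISABLE_INBOUND_REPL
repadmin /options $Dc1 +DISABLE_OUTBOUND_REPL

# 5. Delete the users on DC1 only; they become tombstones in Deleted Objects.
foreach ($n in $names) { Remove-ADUser -Identity $n -Server $Dc1 -Confirm:$false }
$tombstoneFilter = 'isDeleted -eq $true -and name -like "LingerUser*"'
Get-ADObject -Server $Dc1 -Filter $tombstoneFilter -IncludeDeletedObjects   # list tombstones

# 6. Jump DC1's clock past the tombstone lifetime, then force garbage
#    collection through the rootDSE 'doGarbageCollection' operational
#    attribute instead of waiting out the 12-hour garbageCollPeriod.
#    (Stop w32time first if the time service keeps correcting the clock.)
Set-Date -Date (Get-Date).AddDays(3)
$rootDse = [ADSI]"LDAP://$Dc1/RootDSE"
$rootDse.Put('doGarbageCollection', '1')
$rootDse.SetInfo()
Get-ADObject -Server $Dc1 -Filter $tombstoneFilter -IncludeDeletedObjects   # tombstones gone

# 7. Restore the clock and re-enable replication on DC1.
Set-Date -Date (Get-Date).AddDays(-3)
repadmin /options $Dc1 -DISABLE_INBOUND_REPL
repadmin /options $Dc1 -DISABLE_OUTBOUND_REPL

# 8. Touch the still-live copies on DC2 so they replicate, then look for the
#    lingering-object events on DC1 (1388: object accepted because strict
#    replication consistency is off; 1988: object blocked because it is on).
foreach ($n in $names) { Set-ADUser -Identity $n -Server $Dc2 -Description 'touch' }
repadmin /replicate $Dc1 $Dc2 $DomainDn
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1388, 1988 } -MaxEvents 10
```

The rootDSE doGarbageCollection write does what the post's LDP "force garbage collection" step does, and the same Directory Service events are what you would alert on in a real forest to catch lingering objects before they are accepted.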