[Samba] Problem Promoting Windows DC into existing Samba 4 domain

Adam Mann amann44 at gmail.com
Fri Jul 1 14:04:48 UTC 2016


Hello, I am working on adding a Windows 2008 R2 DC into an existing Samba 4
domain.  The Samba 4 domain has two DCs running Samba 4.2.

I was able to successfully run dcpromo on the Windows server and it appears
that nearly everything has replicated except for the DomainDnsZones
partition.

I have completed the steps in this article for the AD NC Replica command
and I also turned off Strict Replication on the DC so that hopefully all
partitions would come over:
https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting

I am receiving an error message regarding a lingering object in that
partition but the commands that they suggest to remove it (repadmin) do not
work and I also do not see it through adsiedit.

I was wondering if anyone on the list knows how to remove this kind of
object from the samba side or whether there is another way around it.
Below is the text of the error message and thank you much:

Another directory server has attempted to replicate into this directory
server an object which is not present in the local Active Directory Domain
Services database. The object may have been deleted and already garbage
collected (a tombstone lifetime or more has past since the object was
deleted) on this directory server. The attribute set included in the update
request is not sufficient to create the object. The object will be
re-requested with a full attribute set and re-created on this directory
server.
This event is being logged because the source DC contains a lingering
object which does not exist on the local DCs copy of Active Directory
Domain Services database and the local DC does *not* have the following
registry key enabled to ensure strict replication consistency. Strict
replication consistency prevents lingering objects residing on a source DC
from re-replicating to a destination DC that has already processed the
deletion.  Since this registry key is not set, the object will be
re-replicated and recreated in the local Active Directory Domain Services
database.

The best solution to this problem is to identify and remove all lingering
objects in the forest, starting with the writable and read-only partitions
containing the object referenced in this event, and then enable the
following registry key to ensure strict replication consistency.


Source DC (Transport-specific network address):
269beeb7-d4cf-49a3-be26-99e48e59e540._msdcs.test.lan
Object:
DC=test-2qmmiskd9y\0ACNF:4b1cdb28-be9b-40c4-a612-26e31b864f68,DC=test.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=lan
Object GUID:
4b1cdb28-be9b-40c4-a612-26e31b864f68
Directory partition:
DC=DomainDnsZones,DC=test,DC=lan
Destination highest property USN:
0
User Action:
Verify the continued desire for the existence of this object. To
discontinue re-creation of future similar objects, the following registry
key should be created.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication
Consistency
The action plan to recover from this error can be found at
http://support.microsoft.com/?id=314282.

If both the source and destination DCs are Windows Server 2003 DCs, then
install the support tools included on the installation CD.  To see which
objects would be deleted without actually performing the deletion run
"repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID>
<NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all
lingering objects.  To remove lingering objects from a source domain
controller run "repadmin /removelingeringobjects <Source DC> <Destination
DC DSA GUID> <NC>".

If either source or destination DC is a Windows 2000 Server DC, then more
information on how to remove lingering objects on the source DC can be
found at http://support.microsoft.com/?id=314282 or from your Microsoft
support personnel.

Replication errors between DCs sharing a common partition can prevent user
and compter acounts, trust relationships, their passwords, security groups,
security group memberships and other Active Directory Domain Services
configuration data to vary between DCs, affecting the ability to log on,
find objects of interest and perform other critical operations. These
inconsistencies are resolved once replication errors are resolved.  DCs
that fail to inbound replicate deleted objects within tombstone lifetime
number of days will remain inconsistent until lingering objects are
manually removed by an administrator from each local DC.

Lingering objects may be prevented by ensuring that all domain controllers
in the forest are running Active Directory Domain Services, are connected
by a spanning tree connection topology and perform inbound replication
before Tombstone Live number of days pass.

