A. It's possible to enable strict replication mode with AD. Strict replication consistency prevents a domain controller (DC) that has been disconnected for a prolonged period from replicating outdated objects back into the forest. A prolonged period is defined as longer than the tombstone lifetime, which is 180 days by default. The danger is that a DC disconnected for longer than the tombstone lifetime will potentially still hold objects that were deleted elsewhere and have since been removed from the other DCs' databases through garbage collection (so-called lingering objects). DCs with the strict replication consistency setting will refuse to replicate those objects from the outdated DC.

To enable strict replication on a DC, use the command

repadmin /regkey <DC or * for all DCs in the forest> +strict

You can also enable it by setting the value named

Strict Replication Consistency

under the registry key

HKLM\System\CurrentControlSet\Services\NTDS\Parameters

to 1.
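The following PowerShell is an added example, not part of the original FAQ, that audits the registry value above on every DC and, where it is missing or 0, sets it to 1. It assumes the ActiveDirectory module (RSAT) is installed on the admin workstation, that PowerShell remoting (WinRM) is permitted to each DC, and that the account used has local administrator rights on the DCs; the function names are the example's own.

```powershell
# Added example (not from the FAQ): audit and enforce Strict Replication Consistency
# on all DCs in the forest. Assumes the ActiveDirectory module and WinRM access to each DC.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'Strict Replication Consistency'

function Get-StrictReplicationState {
    # Returns one object per DC with the current value (or $null if the value is absent).
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        param($Path, $Name)
        $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        [pscustomobject]@{
            DC     = $env:COMPUTERNAME
            Strict = $v
            Status = if ($v -eq 1) { 'OK' } else { 'LOOSE' }   # anything but 1 is loose consistency
        }
    } -ArgumentList $KeyPath, $ValueName |
        Select-Object DC, Strict, Status
}

function Set-StrictReplication {
    # Writes the DWORD value 1 on the named DCs; -Force overwrites an existing value.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path, $Name)
        New-ItemProperty -Path $Path -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
        "$env:COMPUTERNAME : strict replication consistency enabled"
    } -ArgumentList $KeyPath, $ValueName
}

# Usage: report first, then fix only the DCs that are not already strict.
$state = Get-StrictReplicationState
$state | Format-Table -AutoSize
$loose = $state | Where-Object Status -eq 'LOOSE' | Select-Object -ExpandProperty DC
if ($loose) { Set-StrictReplication -ComputerName $loose }
```

Reading the value first and only then writing to the non-compliant DCs keeps the change auditable; the report output is worth saving alongside the change record, since a DC that later reappears after a long outage will be refused by its strict partners and the registry state explains why.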

Related Reading:

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.