RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

[Mulnick, Al]

Eric, I think the first question he has is that he needs to know which port to query.  To answer that, use the GC port.  You want to query the domain GC that shows the object that should not be there.  Especially since that's the only ones that show it.   Repadmin is not well doc'd on the webiste help files.  Just filed a fix-it for the web site folks a few minutes ago.   Todd, I would further suggest investigating how you got in that situation in the first place if indeed that is the root issue.  Having issues with replication can never be a good thing and may defeat the efforts you're expending to fix the problem.     Al From: Eric Fleischman [mailto:[EMAIL PROTECTED] Sent: Thursday, May 13, 2004 10:24 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up? I'm coming in to this thread, but it sounds like you have objects in GC partitions on DCs outside of domain in question which make reference to an object no longer existing in domain NC in question. Further, I bet GCs in that domain do not have it, only GCs outside of that domain. Correct? In that case you have what is called a lingering object. There are some KBs on this. I can discuss approaches on this dl if people want to, but it is heavily documented in KB already. I would look at the lingering object KBs, then come back with questions or thoughts after you do. Probably will save everyone some time that way. :)   ~Eric     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Thursday, May 13, 2004 8:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?   Joe the account doesn't exist in the child domain, and I haven't found a reference to it in any domains.   The GC entry point to NTDS://IC.NIH.GOV/Users/<User Name> when I use the AD Search command.  So the entry in the GC's thinks the account is located in the child domain where there is no account for that user any longer.   Any idea how to scrub the GC's, I have tried using LDP like the Q articles say, but it seems once a GC thinks a entry is in a specific location, it really has a hard time wanting to get rid of it.   Todd   From: joe [mailto:[EMAIL PROTECTED] Sent: Thursday, May 13, 2004 9:04 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?   Todd are you absolutely positive it doesn't exist in AD or maybe it simply isn't in the location you are expecting? The -1 issue is as Al indicated an ADC match issue. It sees something on the AD side and can't match it to the 5.5 side so it creates an object in 5.5. Then depending on how your ADC is configured it can pop something back on the AD side. Usually the ADC is configured to be able to create objects in certain OU's/containers that may be different from where you are used to looking.   I would also check multiple DCs in that child domain for the object. Most likely I would test every DC. Here is a little perl script that makes that fairly easy...     $domain=shift; $command=shift;   @output=`nltest /dclist:$domain 2>&1`;   @tmp=grep(/site/i,@output); chomp @tmp; map($_=~s/\s+([\w.]+).+/\1/,@tmp); map($_=uc($_),@tmp);   print "\nALLDC V01.00.00pl Joe Richards ([EMAIL PROTECTED]) November 2001\n\n"; if (!$domain or !$command)  {   print "USAGE: ALLDC domain command\n\n";   exit;  } print "Domain: $domain\n"; print "Command: $command\n"; $cnttot=0; foreach $this (sort @tmp)  {   $cnttot++;   print "  $this...\n";   $tmpcmd=$command;   $tmpcmd=~s/<SERVER>/$this/ig;   print "[$tmpcmd]\n";   @output=`$tmpcmd 2>&1`;   print "@output\n";   print "x"x80,"\n\n";  }   print "\n"; print "Total Domain Controllers: $cnttot\n";   Note that this is a very quick and dirty script, just intended to give some quick functionality to do something against all DCs in a domain....   anyway I would do something like     alldc domain.com "adfind -h <server> -default -f name=idname -dn"     If you need to put quotes in the command you want to run against every server then do it something like   alldc domain.com "adfind -h <server> -default -f \"name=idname\" -dn"       joe     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Wednesday, May 12, 2004 7:37 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up? I tried what is described in the KB 314282 article, but only tried it on port 389 like the instructions said.   The problem I have is that the object and GUID no longer exist at all in the original child domain.  So I am wondering since it is all the GC's that have the lingering read-only object, should I run the clean-up process using LDP and the RemoveLingeringObjects option on the GC's on port 3268?  I tried doing on port 389, and it didn't work.   I will defiantly post my results once I figure out how to do this.   Todd   From: Coleman, Hunter [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 12, 2004 4:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?   Todd-   Not sure if this will work for you or not: http://support.microsoft.com/default.aspx?scid=kb;en-us;314282   There was a similar thread back in January or so; this is the tail end http://www.mail-archive.com/[EMAIL PROTECTED]/msg13088.html and you can do alternate searches to get the full discussion. Good luck...   Hunter   From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 12, 2004 2:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up? There appears to be two entries for User in the AD Global Catalogues.  The one account appears to have been ADC'ed & unADC'ed "Doe, John (XYZ)" at some point, the other account appears to have been ADC'ed, but then deleted (Never un ADC'ed) "Doe, John (XYZCORP)-1".  Both accounts appear in our Domain's GC, and All the Child domain GC's except the Child domain where the account originated.  The "Doe, John (XYZ)" exist in their GC, but not the "Doe, John (XYZCORP)-1".  Both accounts were homed in the child domain, just one got deleted, the other didn't.   We are now trying to ADC a mailbox in the parent domain, to a different account all together.  The ADC process is failing because it seems to still think the mailbox we are ADCing is linked to  "Doe, John (XYZCORP)-1".   This account no longer exist in the child domain, and we don't know how to unADC and account that doesn't exist.   Any help would be appreciated   Todd   From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 12, 2004 3:54 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?   Can you redescribe that for us?  It sounds like you have a GC that wasn't supposed to be there, but I'm not sure I follow completely.       From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 12, 2004 3:09 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Orphaned GC Entry... How do I clean it up? Greetings all, we are seeing an entry appear in our GC's that is not in the original location.  It appears after it was deleted, it did not replicate out the deleted item, and now us causing ADC issues.   http://support.microsoft.com/default.aspx?scid=kb;en-us;293474   The recommended MS way seems a little excessive.  Does anyone have a better way of getting ahold of the entry and getting it out of the directory?   Thanks,   Todd