Now the question is... How many other lingering objects do you have floating about?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Monday, May 17, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Thanks Wook for the
additional feedback. I wish we had 2003
deployed so I could have used the repadmin method.

Todd

From: Lee, Wook [mailto:[EMAIL PROTECTED]]

Great news. The script
uses the RootDSE method for clobbering lingering objects. This capability is
what is now available in Windows 2003 repadmin with the removelingeringobjects
switch. It's more automated than the RootDSE method and doesn't require you to
go fishing for a lot of GUIDs. We've used both methods with great success at
HP/Compaq. We refer to the process as Ghostbusting. :) That being said, we did
get a lot of coaching from Microsoft Alliance support prior to doing either, so
as usual, it's not for the faint of heart.

Wook

From: Myrick, Todd (NIH/CIT)

I finally had success in removing "Read Only" Lingering Object after using the script outlined in KB 314282 versus LDP.

http://support.microsoft.com/?id=314282

It required that you dump a list of servers for each
domain in the forest into a servers-list.txt, and that you specify the GUID for
the server that originally housed the object, and the GUID of the lingering
object in the objects-list.txt file.

I just wanted to update you all and make you aware of the only way that seemed to work getting rid of the read only object. Also the script had to run on each naming context in the forest.

Todd

From: Myrick, Todd (NIH/CIT)

Okay, I will double check…

Todd

From: joe [mailto:[EMAIL PROTECTED]]

Ok so you have the
actual DN of the object in the GC and you went to look at that actual DN in the
default context and it isn't there? I am simply asking because the ADC/Exchange
can dork things around a bit and you may see one name and think you are looking
at the right thing from the GAL yet the real object name is something different.
The GAL is displaying (I believe) the displayName. You can easily have an object
with the displayname of "Myrick, Todd (NIH/CIT)" yet have the username be
something like TODDISCOOL. I just wanted to be
really sure before sending you down the lingering objects direction because that
means other bad things like Al says, something isn't right, and this isn't your
main problem, it is simply a symptom.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)

Joe, the account doesn’t exist in the child domain, and I haven’t found a reference to it in any domains. The GC entry points to NTDS://IC.NIH.GOV/Users/<User Name> when I use the AD Search command. So the entry in the GC’s thinks the account is located in the child domain where there is no account for that user any longer. Any idea how to scrub the GC’s? I have tried using LDP like the Q articles say, but it seems once a GC thinks an entry is in a specific location, it really has a hard time wanting to get rid of it.

Todd

From: joe [mailto:[EMAIL PROTECTED]]

Todd are you absolutely
positive it doesn't exist in AD or maybe it simply isn't in the location you are
expecting? The -1 issue is as Al indicated an ADC match issue. It sees something
on the AD side and can't match it to the 5.5 side so it creates an object in
5.5. Then depending on how your ADC is configured it can pop something back on
the AD side. Usually the ADC is configured to be able to create objects in
certain OU's/containers that may be different from where you are used to
looking. I would also check
multiple DCs in that child domain for the object. Most likely I would test every
DC. Here is a little perl script that makes that fairly easy...

    $domain=shift;
    @output=`nltest /dclist:$domain 2>&1`;
    @tmp=grep(/site/i,@output);
    print "\nALLDC V01.00.00pl Joe Richards ([EMAIL PROTECTED]) November 2001\n\n";
    }
    print "\n";

Note that this is a very quick and dirty script, just intended to give some quick functionality to do something against all DCs in a domain.... anyway I would do something like

    alldc domain.com "adfind -h <server> -default -f name=idname -dn"

If you need to put quotes in the command you want to run against every server then do it something like

    alldc domain.com "adfind -h <server> -default -f \"name=idname\" -dn"

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)

I tried what is
described in the KB 314282 article, but only tried it on port 389 like the
instructions said. The problem I have is
that the object and GUID no longer exist at all in the original child
domain. So I am wondering since it is all the GC’s that have the lingering
read-only object, should I run the clean-up process using LDP and the
RemoveLingeringObjects option on the GC’s on port 3268? I tried doing on
port 389, and it didn’t work.

I will definitely post my results once I figure out how to do this.

Todd

From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]

Todd-

Not sure if this will work for you or not:

http://support.microsoft.com/default.aspx?scid=kb;en-us;314282

There was a similar thread back in January or so; this is the tail end

http://www.mail-archive.com/[EMAIL PROTECTED]/msg13088.html

and you can do alternate searches to get the full discussion. Good luck...

Hunter

From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]

There appear to be two
entries for User in the AD Global Catalogues. The one account appears to have been ADC'ed & unADC'ed "Doe, John (XYZ)" at some point, the other account appears to have been ADC'ed, but then deleted (Never un ADC'ed) "Doe, John (XYZCORP)-1". Both accounts appear in our Domain's GC, and All the Child domain GC's except the Child domain where the account originated. The "Doe, John (XYZ)" exists in their GC, but not the "Doe, John (XYZCORP)-1". Both accounts were homed in the child domain, just one got deleted, the other didn't.

We are now trying to ADC a mailbox in the parent domain, to a different account altogether. The ADC process is failing because it seems to still think the mailbox we are ADCing is linked to "Doe, John (XYZCORP)-1". This account no longer exists in the child domain, and we don't know how to unADC an account that doesn't exist.

Any help would be appreciated

Todd

From: Mulnick, Al [mailto:[EMAIL PROTECTED]]

Can you redescribe that for us? It sounds like you have a GC that wasn't supposed to be there, but I'm not sure I follow completely.

From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]

Greetings all, we are seeing an entry appear in our GC's that is not in the original location. It appears after it was deleted, it did not replicate out the deleted item, and now is causing ADC issues.

http://support.microsoft.com/default.aspx?scid=kb;en-us;293474

The recommended MS way seems a little excessive. Does anyone have a better way of getting ahold of the entry and getting it out of the directory?

Thanks,

Todd
