Thanks. PowerShell is not installed on these servers, unfortunately. And now "repadmin /showreps" is saying that it can't find a domain controller, for either domain. And I can't paste in the output, because copying and pasting from the VM console to my browser doesn't seem to work ...
<SIGH> All I did was follow the directions, running the "removelingeringobjects", and the "repadmin /regkey". And then rebooted (that part was probably a mistake ...)

On Tue, Aug 21, 2012 at 3:04 PM, Michael B. Smith <[email protected]> wrote:

> Something like this:
>
> ### get the DS entry for the configuration naming context
> $configNC = ( [ADSI] 'LDAP://RootDSE' ).ConfigurationNamingContext
> $configDSE = ( [ADSI] "LDAP://$configNC" )
>
> $myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
>
> ### build a list containing every DC in the forest
> ### this is the fully qualified domain name
> $dcList = @()
> foreach( $site in $myForest.Sites )
> {
>     foreach( $server in $site.Servers )
>     {
>         $dcList += $server.Name
>     }
> }
>
> ### search for NTDS objects in the configNC. the parent object of the NTDS object
> ### is the server object itself.
> $dsSearch = New-Object DirectoryServices.DirectorySearcher( $configDSE, 'objectClass=nTDSDSA' )
> $results = $dsSearch.FindAll()
>
> ### build an array containing the Guid and the DN for each NTDS object
> $dcGuids = @()
> foreach( $result in $results )
> {
>     $name = $result.properties.distinguishedname.item( 0 )
>     $guid = New-Object System.Guid( ,$result.properties.objectguid.item( 0 ) )
>     $dcGuids += @{Guid=$guid;DN=$name}
> }
>
> ### go through each NTDS object and build a repadmin command for each DC
> ### that will clean up the lingering objects for that DC. This will be
> ### a many-to-many relationship, so the number of output commands can
> ### expand quickly!
>
> foreach( $dcGuid in $dcGuids )
> {
>     $serverName = $dcGuid.DN.Split( ',' )[1]   ### this gets CN=ServerNetBiosName into $serverName
>     $serverName = $serverName.SubString(3)     ### this strips "CN=" from the front
>
>     ### match on "name." so that DC1 does not also match DC10
>     $dcFQDN = ( $dcList -like "$serverName.*" )[ 0 ]   ### get the FQDN of the server
>     $arrFQDN = $dcFQDN.Split( '.' )
>     $arrSlice = $arrFQDN[ 1 .. ( $arrFQDN.Length - 1 ) ]
>     $domainDN = 'DC=' + ( $arrSlice -join ',DC=' )
>
>     ##$serverName + ' ' + $arrFQDN[ 0 ]   ### these two should be the same
>     foreach( $dc in $dcList )
>     {
>         Write-Host "repadmin /removelingeringobjects $dc" $dcGuid.Guid $domainDN '/advisory_mode'
>     }
> }
>
> *From:* Michael Leone [mailto:[email protected]]
> *Sent:* Tuesday, August 21, 2012 2:52 PM
> *To:* NT System Admin Issues
> *Subject:* Event ID 2042: It has been too long since this machine replicated
>
> Hey all. Been a while since I've had time to read or post. But I'm back, looking for advice. :-)
>
> I have a test domain (this is a private domain running on a VMware server, self-contained on their own private vSwitch, completely separate from my production domain), consisting of a parent (1 DC) and child domain (2 DCs). This is my testing domain. Unfortunately, apparently the VMs have been turned off too long, as now I have no replication between the DCs, giving the error in the subject line. Apparently they've been turned off since 2012-06-20, and are now there beyond their tombstone life. (Figures I couldn't have looked at this LAST week, when it still would have been within their tombstone lifetime. Oh, well ...)
>
> This is an AD 2008 domain; each DC is Win2008 R2.
>
> In reading through the options to fix this, I can't demote or re-install the DCs (not easily, anyway). So I want to try the second suggestion:
>
> 2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent deleted objects and then resume replication.
>
> The documentation on the exact syntax of the "/removelingeringobjects" is a bit unclear to me. Obviously I have to run this on the parent DC, and on one (both?) of the child DCs.
>
> Some questions before running that:
>
> - SourceDCGUID—Run the command repadmin /showrepl AuthDCname |more, where AuthDCname is the host name of the domain controller that you selected as authoritative. Substitute the first DSA object GUID that appears for <SourceDCGUID>.
>
> I find this odd ... when I run "repadmin /showrepl <parent DC>" on the parent DC, I don't see a "DSA object GUID:"; I see a "DC object GUID"; is that the same thing? (and why doesn't it say DSA? My production DC says "DSA". But then, production has had updates applied to it, and I couldn't even begin to tell you when the private domain was updated - no Internet access).
>
> - LDAPPartition—The Lightweight Directory Access Partition (LDAP) name of the partition that you are targeting. For example, if the lingering objects are in the domain partition of the contoso.com domain, substitute dc=contoso,dc=com for <LDAPPartition>.
>
> How am I supposed to know where the lingering objects are, before running it? :-) Also, what if they are in a different partition than the domain partition; what's the syntax for that?
>
> I ran the "repadmin /removelingeringobjects" with the /advisory_mode switch, as recommended, and it just came back that "RemoveLingeringObjects successful on <parent DC FQDN>".
>
> Is it supposed to say that? Seems odd - no indication that this is advisory_mode, etc.
>
> Do I just go and do the same on each of the child DCs?
>
> Thanks for listening to my long-winded whine ...
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
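
An added example, not part of the thread or of the script quoted in it: it goes beyond that script by emitting one advisory-mode command per naming context (not only the domain partition) and by skipping the pair in which a DC would be compared with itself. The DC names, GUIDs and partition lists are constructed sample data, `New-LingeringObjectPlan` is a hypothetical helper name, and the example assumes the reference (source) DC must hold a writable replica of the partition being checked.

```powershell
# Constructed inventory: a parent domain with one DC and a child domain with
# two DCs, as in the thread. Names and GUIDs are made up. Writable = naming
# contexts the DC holds a writable replica of; ReadOnly = partial (GC) replicas.
$cfg = 'CN=Configuration,DC=example,DC=test'
$inventory = @(
    @{ Name = 'pdc1.example.test'; Guid = '11111111-1111-1111-1111-111111111111'
       Writable = @( 'DC=example,DC=test', $cfg )
       ReadOnly = @( 'DC=child,DC=example,DC=test' ) },
    @{ Name = 'cdc1.child.example.test'; Guid = '22222222-2222-2222-2222-222222222222'
       Writable = @( 'DC=child,DC=example,DC=test', $cfg )
       ReadOnly = @( 'DC=example,DC=test' ) },
    @{ Name = 'cdc2.child.example.test'; Guid = '33333333-3333-3333-3333-333333333333'
       Writable = @( 'DC=child,DC=example,DC=test', $cfg )
       ReadOnly = @() }
)

function New-LingeringObjectPlan {
    param( [object[]] $DomainControllers, [switch] $Remove )

    foreach( $source in $DomainControllers ) {
        # Assumption: only a DC with a writable replica is used as the reference.
        foreach( $nc in @( $source.Writable ) ) {
            foreach( $dest in $DomainControllers ) {
                # A DC is never checked against itself.
                if( $dest.Name -eq $source.Name ) { continue }

                # Only destinations that actually hold the partition
                # (writable or read-only) can have lingering objects in it.
                $held = @( $dest.Writable ) + @( $dest.ReadOnly )
                if( $held -notcontains $nc ) { continue }

                $cmd = 'repadmin /removelingeringobjects {0} {1} {2}' -f $dest.Name, $source.Guid, $nc
                # Report-only unless -Remove is given explicitly.
                if( -not $Remove ) { $cmd += ' /advisory_mode' }
                $cmd
            }
        }
    }
}

# Print the report-only plan for review before anything is run.
$plan = @( New-LingeringObjectPlan -DomainControllers $inventory )
$plan
'{0} advisory-mode commands generated' -f $plan.Count
```

In advisory mode the findings are written to the Directory Service event log on the destination DC rather than to the console, so each command's result has to be reviewed there.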
