I found this article useful in trying to understand the cleanup process. http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx
Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Michael Leone <[email protected]>
Subject: Event ID 2042: It has been too long since this machine replicated

Hey all. Been a while since I've had time to read or post. But I'm back, looking for advice. :-)

I have a test domain (this is a private domain running on a VMware server, self-contained on their own private vSwitch, completely separate from my production domain), consisting of a parent (1 DC) and child domain (2 DCs). This is my testing domain. Unfortunately, apparently the VMs have been turned off too long, as now I have no replication between the DCs (giving the error in the subject line). Apparently they've been turned off since 2012-06-20, and are now there beyond their tombstone life. (Figures I couldn't have looked at this LAST week, when it still would have been within their tombstone lifetime. Oh, well ...)

This is an AD 2008 domain; each DC is Win2008 R2.

In reading through the options to fix this, I can't demote or re-install the DCs (not easily, anyway). So I want to try the second suggestion:

2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent deleted objects and then resume replication.

The documentation on the exact syntax of the "/removelingeringobjects" is a bit unclear to me. Obviously I have to run this on the parent DC, and on one (both?) of the child DCs. Some questions before running that:

* SourceDCGUID—Run the command repadmin /showrepl AuthDCname |more, where AuthDCname is the host name of the domain controller that you selected as authoritative. Substitute the first DSA object GUID that appears for <SourceDCGUID>.

I find this odd ... when I run "repadmin /showrepl <parent DC>" on the parent DC, I don't see a "DSA object GUID:"; I see a "DC object GUID"; is that the same thing? (And why doesn't it say DSA? My production DC says "DSA". But then, production has had updates applied to it, and I couldn't even begin to tell you when the private domain was updated - no Internet access.)

* LDAPPartition—The Lightweight Directory Access Partition (LDAP) name of the partition that you are targeting. For example, if the lingering objects are in the domain partition of the contoso.com domain, substitute dc=contoso,dc=com for <LDAPPartition>.

How am I supposed to know where the lingering objects are, before running it? :-) Also, what if they are in a different partition than the domain partition; what's the syntax for that?

I ran the "repadmin /removelingeringobjects" with the /advisory_mode switch, as recommended, and it just came back that "RemoveLingeringObjects successful on <parent DC FQDN>". Is it supposed to say that? Seems odd - no indication that this is advisory_mode, etc. Do I just go and do the same on each of the child DCs?

Thanks for listening to my long-winded whine ...
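
The advisory pass asked about above can be scripted once per partition; this is an added example, not part of the thread or of the quoted documentation. The host names are placeholders, and the script assumes that the authoritative DC's RootDSE lists the partitions to check and that advisory results are written to the destination DC's Directory Service event log as events 1938, 1942 and 1946.

```powershell
# Added example; host names are placeholders, not values from the thread.
$AuthDC = 'dc-parent.example.test'   # DC selected as authoritative (assumption)
$DestDC = 'dc-child1.example.test'   # DC to check for lingering objects (assumption)

# 1. Take the first object GUID that /showrepl prints for the authoritative DC.
#    The pattern accepts both the "DSA object GUID" and "DC object GUID" labels.
$showrepl = & repadmin /showrepl $AuthDC
$hit = $showrepl |
    Select-String -Pattern '(?:DSA|DC) object GUID:\s*([0-9a-fA-F-]{36})' |
    Select-Object -First 1
if (-not $hit) {
    throw "No object GUID found in 'repadmin /showrepl $AuthDC' output"
}
$SourceGuid = $hit.Matches[0].Groups[1].Value

# 2. Enumerate every naming context the authoritative DC advertises
#    (domain, configuration, schema, application partitions), so no
#    partition has to be guessed in advance.
$rootDse = [ADSI]"LDAP://$AuthDC/RootDSE"

# 3. Advisory-mode pass per partition: reports only, deletes nothing.
#    A partition the destination DC does not host returns an error for that pass.
foreach ($nc in $rootDse.namingContexts) {
    Write-Host "Advisory check of '$nc' on $DestDC against $AuthDC ($SourceGuid)"
    & repadmin /removelingeringobjects $DestDC $SourceGuid "$nc" /advisory_mode
}

# 4. The console only reports success; the findings are in the event log of
#    the destination DC (1938 = advisory run started, 1946 = one lingering
#    object identified, 1942 = advisory run finished with a count).
Get-WinEvent -ComputerName $DestDC -MaxEvents 50 -FilterHashtable @{
    LogName = 'Directory Service'
    Id      = 1938, 1942, 1946
} | Sort-Object TimeCreated | Format-List TimeCreated, Id, Message
```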
