Lingering Objects _can_ be a PITA to clean up but with only four DCs, the process should not be laborious at all (if any LOs exist).

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Christopher Bodnar [mailto:[email protected]]
Subject: RE: AD Washout

Tombstonelifetime error makes me think this might be an issue with lingering objects. Were any of the domain controllers migrated from physical to virtual recently? Or restored from a backup?

From: "Dan Bartley" <[email protected]>
Subject: RE: AD Washout
________________________________

No. However, I just discovered that when I try to do a manual replication on one 2003 DC from the PDCe 2003 DC, I get an error that it can’t replicate due to tombstone lifetime being exceeded. It does replicate the other direction. I am not getting any Event errors in the Directory Service event log of either DC when I try the manual replication (such as 2042, which I did find references on).

Best Regards,

From: Jon Harris [mailto:[email protected]]
Subject: RE: AD Washout

Any new patches added just prior to this?

Jon
________________________________
Subject: AD Washout
To: [email protected]

I mostly watch and learn, but today a question.

Today I had an issue I can’t find any reason for. Mixed 2000-2003 domain. 2 of each. All the roles have been moved to the 2003 DCs, except time server. Fully patched.

Out of nowhere I started getting SCOM alerts from 2 of the DCs that various DC functions were failing when contacting one of the 2003 DCs. The 2 2000 servers could be RDP, but not accessed via MMC for services, etc. from a Win7 workstation. I saw various KCC NTDS Replication related errors on one of the 2003 DCs. I could attach to them via RPC (MMC) though.

One of the 2000 DCs is still the time server. Neither of the 2003 DCs could update time with it having a server error 5, access denied error. The other 2000 DC could update time fine. Logins to various internal systems and DFS links started to fail with access denied errors.

Eventually I rebooted the 2003 DC with the PDCe role and everything started to come back. There were no Directory Service errors or warnings in the event log at or before this happened. At the time this started this DC had system errors that the other 2003 DC had a time in the future, however it did not. In the application log there were errors when it started for ID 1058, Windows cannot access the file gpt.ini for GPO”” and ending with “(There is a time and/or date difference between the client and server. ). Group Policy processing aborted.”

All of the other DCs showed nothing other than the breakdown between them and this server. After the reboot all was well again. No performance issues for CPU, HDD or memory while it was going on. No services stopped.

Anybody have any thoughts on what might have caused this?
