Tom, Most likely the reason that MS instructed them to remove the GC role from all the DCs, only later to re-enable the role, as well as the answer to your question around why would these deleted objects show up on a GC is "lingering objects." Basically a lingering object is an object that has been previously deleted on a DC with a writeable partition, but for some reason knowledge of that deletion (replication of the tombstone object) never made it to a one or more DC/GCs. 9 times out of 10 there are replication issues in the AD environment that are preventing replication to one or more DC/GCs. That 1 other time usually is resulted to the tombstone lifetime not being long enough to allow the deletion to replicate to all systems.
When lingering objects exist within the GC, which is read only, how do you remove them? The answer used to be "remove the GC role from all systems" and after the removal is complete re-enable the role allowing the GCs to rebuild themselves from the writeable domain partitions held by other DCs. For a smaller environment this is not a problem but for a larger environment it will kill your functionality especially when it comes to applications like Exchange - not to mention logging on. The occupancy level as Dean mentioned governs when the GC begins to "act like" a GC. In a large environment with lots of domains fulfilling the occupancy level can take a long time. In the later service packs of W2K and in W2K3 a new switch was implemented in repadmin to help with the removal of lingering objects even from the read-only GC partition. With any luck, Wook Lee will see this thread and will provide us his dissertation on the various types of lingering objects (as defined by him): Zombies, Ghosts, and Poltergeists. Regards, Aric Bernard -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, April 20, 2005 9:53 AM To: [email protected] Subject: RE: [ActiveDir] GC's I never talked to the guy from MS, so I don't know how that conversation went, though it did seem a little like "reboot to fix the problem" type solution. Which brings me to another question- under what circumstances would a deleted object still show up as a valid object in GC's? That was the problem they were having. it was claimed that OU's were deleted and that was never reflected in the GC, among other objects. The only thing i can think of, is some admin said they were using movetree to move objects between domains. I've never used movetree, but i'm aware of its limitations as to global and local groups as well that it can't move computer objects. I don't know if it spits out an error when you try these things, but that could've caused the issues. thanks -----Original Message----- From: Dean Wells [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 20, 2005 12:26 PM To: Send - AD mailing list Subject: RE: [ActiveDir] GC's "Occupancy level" is an integer (controlled via the DC's registry) that represents how much of the total-partial foreign domain content a newly designated GC must have sourced before announcing itself as "ready". Early builds of Windows 2000 defaulted to 3 I believe, this was later adjusted to 6 where the 3 equates to the insane "a complete-partial replica of all foreign domains in _same site_" and the 6 equates to the more heart-warming "a complete-partial replica of all foreign domains". Unchecking and rechecking the GC box only has an impact if the uncheck action replicated out discreetly and reached the DC to whom it applied (keep in mind that when you uncheck the box you are merely originating a write against a replica of the config. NC which may or may not [most likely not] be the DC to whom the change applies). If the box is rechecked before it reached that owning DC, it is impossible to state with any certainty as to whether the target DC will begin the demotion process since it's dependent upon the replication topology and its inherent end-to-end latency. PS - With all due respect to the support technician that instructed you to demote each GC in turn, wait a while and re-promote ... that wouldn't guarantee a working end-result, there's a chance it will work and an equal chance that it will fail unless the other steps were taken to contrive how the GCs re-sourced their content. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, April 20, 2005 11:49 AM To: [email protected] Subject: RE: [ActiveDir] GC's Actually, I did want to know the other stuff as wel :) Also, what exactly is "occupancy level". I had some EA's that saw a issue in AD where there were objects that were deleted in AD but were still present in the GC(for months). They called MS and MS told them this will snowball into a serious issue. So,after much chatting, MS recommended for them to rebuild every GC in the forest. They did this by unchecking the GC tab on the ntds object, waiting a while and then checking it back. This is in a win2k2p4 forest. Only the root domain is in native mode. So, yeah, I'd like to know exactly what it means when you uncheck(and thats all), wait and check again... Thanks Dean Wells wrote: > Only sort of wrong, there's a particular interface (NSPI/Named Service > Provider Interface) exposed by GCs that is used by Exchange. This > interface wasn't exposed on new GCs until they had been rebooted (that > has been addressed for 2K3), the other aspects of the GC take effect > according to something known as the "occupancy level". > > In the event I've misunderstood and you are actually asking what > happens if you click-it-on and then straight back off again ... well, > that depends on a few other clicks but I don't really think that's > what you wanted to know. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
