RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
From: Myrick, Todd (NIH/CIT)
Sent: Mon 5/17/2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

I finally had Success in removing "Read Only" Lingering Object after using the script outlined in KB 314282 versus LDP.

http://support.microsoft.com/?id=314282

It required that you dump a list of servers for each domain in the forest into a servers-list.txt, and that you specify the GUID for the server that originally housed the object, and the GUID of the lingering object in the objects-list.txt file.

I just wanted to update you all and make you aware of the only way that seems to work getting rid of the read only object. Also the script had to run on each naming context in the forest.

Todd

From: Myrick, Todd (NIH/CIT)
Sent: Thursday, May 13, 2004 1:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Okay, I will double check

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Ok so you have the actual DN of the object in the GC and you went to look at that actual DN in the default context and it isn't there?

I am simply asking because the ADC/Exchange can dork things around a bit and you may see one name and think you are looking at the right thing from the GAL yet the real object name is something different. The GAL is displaying (I believe) the displayName. You can easily have an object with the displayname of "Myrick, Todd (NIH/CIT)" yet have the username be something like TODDISCOOL.

I just wanted to be really sure before sending you down the lingering objects direction because that means other bad things like Al says, something isn't right, and this isn't your main problem, it is simply a symptom.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, May 13, 2004 9:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
Joe the account doesn't exist in the child domain, and I haven't found a reference to it in any domains. The GC entry points to NTDS://IC.NIH.GOV/Users/User Name when I use the AD Search command. So the entry in the GCs thinks the account is located in the child domain where there is no account for that user any longer.

Any idea how to scrub the GCs? I have tried using LDP like the Q articles say, but it seems once a GC thinks an entry is in a specific location, it really has a hard time wanting to get rid of it.

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Todd are you absolutely positive it doesn't exist in AD or maybe it simply isn't in the location you are expecting?

The -1 issue is as Al indicated an ADC match issue. It sees something on the AD side and can't match it to the 5.5 side so it creates an object in 5.5. Then depending on how your ADC is configured it can pop something back on the AD side. Usually the ADC is configured to be able to create objects in certain OU's/containers that may be different from where you are used to looking.

I would also check multiple DCs in that child domain for the object. Most likely I would test every DC. Here is a little perl script that makes that fairly easy...
# ALLDC: run one command against every domain controller in a domain.
$domain=shift;
$command=shift;

# Ask nltest for the DC list (stderr captured too) and keep the lines that name a site.
@output=`nltest /dclist:$domain 2>&1`;
@tmp=grep(/site/i,@output);
chomp @tmp;

# Reduce each line to the server name and upper-case it.
map($_=~s/\s+([\w.]+).+/$1/,@tmp);
map($_=uc($_),@tmp);

print "\nALLDC V01.00.00pl Joe Richards ([EMAIL PROTECTED]) November 2001\n\n";
if (!$domain or !$command)
 {
  print "USAGE: ALLDC domain command\n\n";
  exit;
 }
print "Domain: $domain\n";
print "Command: $command\n";

$cnttot=0;
foreach $this (sort @tmp)
 {
  $cnttot++;
  print " $this...\n";
  # Substitute the DC name for every SERVER placeholder (case-insensitive).
  $tmpcmd=$command;
  $tmpcmd=~s/SERVER/$this/ig;
  print "[$tmpcmd]\n";
  @output=`$tmpcmd 2>&1`;
  print "@output\n";
  print "x"x80,"\n\n";
 }

print "\n";
print "Total Domain Controllers: $cnttot\n";

Note that this is a very quick and dirty script, just intended to give some quick functionality to do something against all DCs in a domain

anyway I would do something like

alldc domain.com "adfind -h server -default -f name=idname -dn"

If you need to put quotes in the command you want to run against every server then do it something like

alldc domain.com "adfind -h server -default -f \"name=idname\" -dn"

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, May 12, 2004 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

I tried what is described in the KB 314282 article, but only tried it on port 389 like the instructions said. The problem I have is that the object and GUID no longer exist at all in the original child domain. So I am wondering since it is all the GCs that have the lingering read-only object, should I run
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
From: Lee, Wook [mailto:[EMAIL PROTECTED]
Sent: Monday, May 17, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Great news. The script uses the RootDSE method for clobbering lingering objects. This capability is what is now available in Windows 2003 repadmin with the removelingeringobjects switch. It's more automated than the RootDSE method and doesn't require you to go fishing for a lot of GUIDs. We've used both methods with great success at HP/Compaq. We refer to the process as Ghostbusting. :) That being said, we did get a lot of coaching from Microsoft Alliance support prior to doing either, so as usual, it's not for the faint of heart.

Wook
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Monday, May 17, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Thanks Wook for the additional feedback. I wish we had 2003 deployed so I could have used the repadmin method.

Todd
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
From: joe
Sent: Mon 5/17/2004 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Now the question is. How many other lingering objects do you have floating about?

joe
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
If you really want to find out, just try pushing an attribute into the partial attribute set. You'll find out real fast, but be prepared to strap on the proton packs and have plenty of ectoplasmic containment units on hand. We're talking about overtime in Biblical proportions, cat and dogs living together (oops wrong thread), real wrath of CIO stuff. Well, not really, but it will take a while to get things cleaned up if you have additional lingering objects around.

Wook

"Sticky Summer Night
Is there noplace cooler than
This Data Center?"
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
Eric, I think the first question he has is that he needs to know which port to query. To answer that, use the GC port. You want to query the domain GC that shows the object that should not be there. Especially since that's the only ones that show it.

Repadmin is not well doc'd on the website help files. Just filed a fix-it for the web site folks a few minutes ago.

Todd, I would further suggest investigating how you got in that situation in the first place if indeed that is the root issue. Having issues with replication can never be a good thing and may defeat the efforts you're expending to fix the problem.

Al

From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

I'm coming in to this thread, but it sounds like you have objects in GC partitions on DCs outside of domain in question which make reference to an object no longer existing in domain NC in question. Further, I bet GCs in that domain do not have it, only GCs outside of that domain. Correct?

In that case you have what is called a lingering object. There are some KBs on this. I can discuss approaches on this dl if people want to, but it is heavily documented in KB already. I would look at the lingering object KBs, then come back with questions or thoughts after you do. Probably will save everyone some time that way. :)

~Eric
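Added example, not from any participant in this thread: Eric's description above (an object still held by GCs outside its home domain but gone from that domain's own DCs) turned into a check over per-server search results, such as those gathered by querying every DC and GC in turn. The server names, domains and the result layout are constructed assumptions; the two "Doe, John" names are the placeholders used in the thread.

```python
"""Classify objects seen on GCs/DCs as lingering-object candidates.

Added illustration; the servers, domains and results below are constructed.
"""
from collections import defaultdict


def split_rdns(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def domain_of(dn):
    """Return the DNS name of the domain NC owning the DN (from its DC= parts)."""
    labels = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "dc":
            labels.append(value.strip().lower())
    return ".".join(labels)


def classify(results):
    """results: iterable of (server, server_domain, [DNs that server returned]).

    Returns {dn: (status, sorted servers holding it)} for every DN that is
    not present on all queried DCs of its home domain.
    """
    holders = defaultdict(set)     # lower-cased DN -> servers that returned it
    display = {}                   # lower-cased DN -> first spelling seen
    domain_dcs = defaultdict(set)  # domain -> queried DCs writable for it
    for server, server_domain, dns in results:
        domain_dcs[server_domain.lower()].add(server)
        for dn in dns:
            key = dn.lower()       # DN comparison is case-insensitive
            holders[key].add(server)
            display.setdefault(key, dn)

    report = {}
    for key, servers in holders.items():
        home_dcs = domain_dcs.get(domain_of(key), set())
        present_at_home = servers & home_dcs
        if not home_dcs:
            status = "unverified"           # no DC of the home domain queried
        elif not present_at_home:
            status = "lingering-candidate"  # only foreign GCs still hold it
        elif present_at_home != home_dcs:
            status = "inconsistent"         # DCs of the home domain disagree
        else:
            continue                        # every home DC has it: live object
        report[display[key]] = (status, sorted(servers))
    return report


# Constructed sample: two GCs in the parent domain, two DCs in the child domain.
ROOT = "corp.example.com"
CHILD = "child.corp.example.com"
SUFFIX = "CN=Users,DC=child,DC=corp,DC=example,DC=com"
SAMPLE = [
    ("ROOT-GC1", ROOT, ["CN=Doe\\, John (XYZ)," + SUFFIX,
                        "CN=Doe\\, John (XYZCORP)-1," + SUFFIX,
                        "CN=Lab Admin,CN=Users,DC=lab,DC=example,DC=com"]),
    ("ROOT-GC2", ROOT, ["cn=doe\\, john (xyz)," + SUFFIX.lower(),
                        "CN=Doe\\, John (XYZCORP)-1," + SUFFIX]),
    ("CHILD-DC1", CHILD, ["CN=Doe\\, John (XYZ)," + SUFFIX,
                          "CN=Roe\\, Jane," + SUFFIX]),
    ("CHILD-DC2", CHILD, ["CN=Doe\\, John (XYZ)," + SUFFIX]),
]

if __name__ == "__main__":
    for dn, (status, servers) in sorted(classify(SAMPLE).items()):
        print(f"{status:20} {dn}  held by {', '.join(servers)}")
```

An "inconsistent" result is the case joe's advice to test every DC in the child domain is meant to catch, and it is reported separately from a lingering candidate.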
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, May 12, 2004 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
I tried what is described in the KB 314282 article, but only tried it on port 389 like the instructions said. The problem I have is that the object and GUID no longer exist at all in the original child domain. So I am wondering since it is all the GCs that have the lingering read-only object, should I run the clean-up process using LDP and the RemoveLingeringObjects option on the GCs on port 3268? I tried doing on port 389, and it didnt work. I will defiantly post my results once I figure out how to do this. Todd From: Coleman, Hunter [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 12, 2004 4:38 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up? Todd- Not sure if this will work for you or not: http://support.microsoft.com/default.aspx?scid=kb;en-us;314282 There was a similar thread back in January or so; this is the tail end http://www.mail-archive.com/[EMAIL PROTECTED]/msg13088.htmland you can do alternate searches to get the full discussion. Good luck... Hunter From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 12, 2004 2:12 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up? There appears to be two entries for User in the AD Global Catalogues. The one account appears to have been ADC'ed unADC'ed "Doe, John (XYZ)" at some point, the other account appears to have been ADC'ed, but then deleted (Never un ADC'ed) "Doe, John (XYZCORP)-1". Both accounts appear in our Domain's GC, and All the Child domain GC's except the Child domain where the account originated. The "Doe, John (XYZ)" exist in their GC, but not the "Doe, John (XYZCORP)-1". Both accounts were homed in the child domain, just one got deleted, the other didn't. We are now trying to ADC a mailbox in the parent domain, to a different account all together. The ADC process is failing because it seems to still think the mailbox we are ADCing is linked to "Doe, John (XYZCORP)-1". 
This account no longer exist in the child domain, and we don't know how to unADC and account that doesn't exist. Any help would be appreciated Todd From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 12, 2004 3:54 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up? Can you redescribe that for us? It sounds like you have a GC that wasn't supposed to be there, but I'm not sure I follow completely. From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 12, 2004 3:09 PMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] Orphaned GC Entry... How do I clean it up? Greetings all, we are seeing an entry appear in our GC's that is not in the original location. It appears after it was deleted, it did not replicate out
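The check Joe describes (run the same query against every DC and see which ones return the object), as an added example in Python; it is not Joe's script and not part of the thread. The nltest output and the DN are constructed samples, the `dn:` line in the adfind reply is an assumed output shape, and all function names are hypothetical.

```python
"""Run one read-only query against every DC and compare the answers."""
import re
import subprocess
from types import SimpleNamespace

# Constructed sample of `nltest /dclist:<domain>` output (not from the thread).
SAMPLE_DCLIST = r"""Get list of DCs in domain 'child.example.com' from '\\DC01'.
    dc02.child.example.com        [DS] Site: HQ
    dc01.child.example.com [PDC]  [DS] Site: HQ
    dc03.child.example.com        [DS] Site: Branch
The command completed successfully
"""

# Constructed DN of the object being hunted.
SAMPLE_DN = "CN=idname,CN=Users,DC=child,DC=example,DC=com"

# The adfind call from the thread, as an argument list rather than one string.
TEMPLATE = ["adfind", "-h", "SERVER", "-default", "-f", "name=idname", "-dn"]

# A DC line is indented, starts with a host name and mentions its site.
# Only host-name characters are accepted, so nothing else reaches the command.
DC_LINE = re.compile(r"^\s+([A-Za-z0-9][A-Za-z0-9.-]*)\s.*\bsite\b", re.IGNORECASE)


def parse_dclist(text):
    """Return the sorted, upper-cased DC names found in nltest /dclist output."""
    matches = (DC_LINE.match(line) for line in text.splitlines())
    return sorted({m.group(1).upper() for m in matches if m})


def build_argv(template, server):
    """Replace arguments that are exactly SERVER with the DC name.

    Whole-argument matching leaves a filter such as name=fileserver1 alone,
    and an argument list needs no quote escaping because no shell parses it.
    """
    return [server if arg.upper() == "SERVER" else arg for arg in template]


def query_all(dcs, template, runner=subprocess.run):
    """Run the command once per DC; map DC name to stdout, or None on failure."""
    results = {}
    for dc in dcs:
        try:
            proc = runner(build_argv(template, dc),
                          capture_output=True, text=True, timeout=60)
            results[dc] = proc.stdout
        except (OSError, subprocess.TimeoutExpired):
            results[dc] = None  # tool missing, DC unreachable or too slow
    return results


def classify(results, dn):
    """Split DCs into those that returned the DN, those that did not, and
    those that could not be asked (which prove nothing either way)."""
    report = {"found": [], "missing": [], "failed": []}
    for dc, out in sorted(results.items()):
        if out is None:
            report["failed"].append(dc)
        elif dn.lower() in out.lower():
            report["found"].append(dc)
        else:
            report["missing"].append(dc)
    return report


def fake_runner(argv, **kwargs):
    """Constructed stand-in for subprocess.run so the example runs offline:
    DC01 returns the object, DC02 returns nothing, DC03 times out."""
    server = argv[argv.index("-h") + 1]
    if server.startswith("DC03"):
        raise subprocess.TimeoutExpired(argv, kwargs.get("timeout", 60))
    body = "dn:" + SAMPLE_DN + "\n" if server.startswith("DC01") else ""
    return SimpleNamespace(stdout=body, returncode=0)


def demo():
    """Parse the sample DC list, query each DC and report who holds the DN."""
    dcs = parse_dclist(SAMPLE_DCLIST)
    return classify(query_all(dcs, TEMPLATE, runner=fake_runner), SAMPLE_DN)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Dropping the `runner` argument makes `query_all` call the real tool on each DC. A DC in the `failed` bucket has to be asked again before the object is treated as absent there.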
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
Joe, the account doesn't exist in the child domain, and I haven't found a reference to it in any domains. The GC entry points to NTDS://IC.NIH.GOV/Users/User Name when I use the AD Search command. So the entry in the GCs thinks the account is located in the child domain where there is no account for that user any longer. Any idea how to scrub the GCs? I have tried using LDP like the Q articles say, but it seems once a GC thinks an entry is in a specific location, it really has a hard time wanting to get rid of it.

Todd
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
I'm coming in to this thread, but it sounds like you have objects in GC partitions on DCs outside of domain in question which make reference to an object no longer existing in domain NC in question. Further, I bet GCs in that domain do not have it, only GCs outside of that domain. Correct? In that case you have what is called a lingering object. There are some KBs on this. I can discuss approaches on this dl if people want to, but it is heavily documented in KB already. I would look at the lingering object KBs, then come back with questions or thoughts after you do. Probably will save everyone some time that way. :)

~Eric
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
Okay, I will double check

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Ok so you have the actual DN of the object in the GC and you went to look at that actual DN in the default context and it isn't there? I am simply asking because the ADC/Exchange can dork things around a bit and you may see one name and think you are looking at the right thing from the GAL yet the real object name is something different. The GAL is displaying (I believe) the displayName. You can easily have an object with the displayname of Myrick, Todd (NIH/CIT) yet have the username be something like TODDISCOOL. I just wanted to be really sure before sending you down the lingering objects direction because that means other bad things like Al says, something isn't right, and this isn't your main problem, it is simply a symptom.

joe
[ActiveDir] Orphaned GC Entry... How do I clean it up?
Greetings all, we are seeing an entry appear in our GCs that is not in the original location. It appears after it was deleted, it did not replicate out the deleted item, and now is causing ADC issues. http://support.microsoft.com/default.aspx?scid=kb;en-us;293474 The recommended MS way seems a little excessive. Does anyone have a better way of getting ahold of the entry and getting it out of the directory?

Thanks,
Todd
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
Can you redescribe that for us? It sounds like you have a GC that wasn't supposed to be there, but I'm not sure I follow completely.
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
There appear to be two entries for User in the AD Global Catalogues. The one account appears to have been ADC'ed unADC'ed "Doe, John (XYZ)" at some point, the other account appears to have been ADC'ed, but then deleted (Never un ADC'ed) "Doe, John (XYZCORP)-1". Both accounts appear in our Domain's GC, and all the Child domain GC's except the Child domain where the account originated. The "Doe, John (XYZ)" exists in their GC, but not the "Doe, John (XYZCORP)-1". Both accounts were homed in the child domain, just one got deleted, the other didn't. We are now trying to ADC a mailbox in the parent domain, to a different account altogether. The ADC process is failing because it seems to still think the mailbox we are ADCing is linked to "Doe, John (XYZCORP)-1". This account no longer exists in the child domain, and we don't know how to unADC an account that doesn't exist. Any help would be appreciated

Todd
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
Sounds like two issues then. First is that replication of a deleted object never fully replicated in Active Directory. The second is that ADC still has record for that account joining the 5.5 account to a phantom Active Directory object. The ADC uses msexchadcglobalnames as a way to track users. It stamps this field on the 5.5 side and the Active Directory side. To remove the join, you basically want to remove this join information from both sides. Here's a description of the field use http://support.microsoft.com/default.aspx?scid=kb;en-us;316280 and how to remove the join http://support.microsoft.com/default.aspx?scid=kb;en-us;256862

After stopping the ADC and cleaning the 5.5 side, you'll want to fix the delete replication to ensure that the match occurs properly when you restart the ADC. If you don't, you'll likely rematch the existing "supposed to be deleted" object in Active Directory. ADSIEDIT is likely going to be helpful here or possibly LDP if you prefer. I haven't tried this last one before, but just for reference http://support.microsoft.com/default.aspx?scid=kb;en-us;317097

Maybe somebody else has a better way of removing that object that should be gone anyway.

Al
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
Todd- Not sure if this will work for you or not: http://support.microsoft.com/default.aspx?scid=kb;en-us;314282 There was a similar thread back in January or so; this is the tail end http://www.mail-archive.com/[EMAIL PROTECTED]/msg13088.html and you can do alternate searches to get the full discussion. Good luck...

Hunter
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
Okay, I will doublecheck the Exchange 5.5 account to make sure it really was UNADCed Thanks for the KB references.

Todd
RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
I tried what is described in the KB 314282 article, but only tried it on port 389 like the instructions said. The problem I have is that the object and GUID no longer exist at all in the original child domain. So I am wondering since it is all the GCs that have the lingering read-only object, should I run the clean-up process using LDP and the RemoveLingeringObjects option on the GCs on port 3268? I tried doing on port 389, and it didn't work. I will definitely post my results once I figure out how to do this.

Todd