RE: [ActiveDir] Linked Attributes Replication
From the data provided below it sounds like you have a lingering object & a lingering link value...not tragic, pretty straightforward to clean up. If you could be more specific as to domain layout & in which domain each user resides we could likely provide steps to fix this up.

If you search KB for lingering object you'll find all sorts of mention of them. I say that you must have a lingering object as link values need to point to some object (they are nothing more than a DNT pointer really) so it sounds like you have an object in the partial NC on the GC which still represents that manager.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Loder
Sent: Thursday, October 19, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Linked Attributes Replication

We've found something unusual in our forest and are hoping someone may have insight as to root-cause.

Sometime back in 2003, when our forest was running W2K SP3, someone's manager was deleted, and that event was faithfully replicated around the originating domain and the forest GCs. The manager doesn't exist anywhere.

Fast forward to today, forest now running W2K3 SP1. About 20% of the DCs (both originating domain DCs and forest GCs) show that the user still has a manager because the manager attribute contains a DN that no longer exists in the forest.

Let me repeat that statement. If I look at GC_1 it shows the employee's manager is . If I look at GC_2 it shows manager is CN=Someone_that_no_longer_exists_in_the_forest. Yet both GC_1 and GC_2 show the same metadata for the manager attribute.

At this point we're theorizing that when the user's manager was deleted, that change was faithfully replicated around the forest. However, the linked attribute update is not a replicated event - each DC is personally responsible for updating the backlink, and we had one W2K DC that didn't do it. Fast forward to today where 100% of the DCs have been reinstalled and repromoed as W2K3. Depending on which DC they sourced their promo from we now have the "corruption" spread we see today where some 20% of the DCs have the incorrect value.

Has anyone else ever encountered this or have some idea what may have caused the initial "corruption"?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Linked Attributes Replication
joe and I talked offline. Neither of us think it's a lingering object (but that was his first guess too). He was thinking it was a phantom but I'm not sure since I see it in a GC - which never has a need to create a phantom.

Layout is as follows.

Domain0 is empty root, with child domains 1-6.

Manager previously existed in Domain1. User still exists in Domain2.

Manager has been verified to not exist on any DC in Domain1.

Some (not all) of Domain2's DCs and GCs show the user having a manager. Some (not all) of Domain1's GCs show the user having a manager. Some (not all) of Domain3's GCs show the user having a manager. None of Domain0's GCs or 4-6 show the user having a manager.

Around the time this happened back in 2003 there had been some incorrect Infrastructure Master placements. However, Domain2's IM appears to have been correctly configured. Not sure if that is just a red-herring to lead us down the phantom path.

--- Eric Fleischman <[EMAIL PROTECTED]> wrote:

> From the data provided below it sounds like you have a lingering object & a lingering link value...not tragic, pretty straightforward to clean up. If you could be more specific as to domain layout & in which domain each user resides we could likely provide steps to fix this up.
>
> If you search KB for lingering object you'll find all sorts of mention of them. I say that you must have a lingering object as link values need to point to some object (they are nothing more than a DNT pointer really) so it sounds like you have an object in the partial NC on the GC which still represents that manager.
>
> ~Eric

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Linked Attributes Replication
You can certainly kick GC off by hand to clear that up.

If you have the problem on a GC though, how are you to blame a phantom?

If you navigate to the partial NC on the GC, do you see the object? I assume the answer is yes (but if not please let me know what you do see).

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Loder
Sent: Friday, October 20, 2006 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Linked Attributes Replication

joe and I talked offline. Neither of us think it's a lingering object (but that was his first guess too). He was thinking it was a phantom but I'm not sure since I see it in a GC - which never has a need to create a phantom.

Layout is as follows.

Domain0 is empty root, with child domains 1-6.

Manager previously existed in Domain1. User still exists in Domain2.

Manager has been verified to not exist on any DC in Domain1.

Some (not all) of Domain2's DCs and GCs show the user having a manager. Some (not all) of Domain1's GCs show the user having a manager. Some (not all) of Domain3's GCs show the user having a manager. None of Domain0's GCs or 4-6 show the user having a manager.

Around the time this happened back in 2003 there had been some incorrect Infrastructure Master placements. However, Domain2's IM appears to have been correctly configured. Not sure if that is just a red-herring to lead us down the phantom path.
RE: [ActiveDir] Linked Attributes Replication
I suspect ... and winging it here ... if you truly have a DC _that isn't a GC_ for the domain (domain2 I believe) of the user object with the dangling manager link ... move IM for domain2 to that DC ... wait four days for IM to make the rounds ... he should [re?]generate an infrastructure update ... watch event logs to see if AD is having trouble with IM duties ... possibly regularly query AD for new infrastructure update objects, hint they're deleted objects ... see if the problem rectifies itself ...

If domain2's IM is already on (for 4+ days) a DC with the dangling manager link, then in theory you've already unintentionally followed my suggestion, and well the problem is non-obvious to me ...

-BrettSh

This posting is provided "AS IS" with no warranties, and confers no rights.

On Fri, 20 Oct 2006, David Loder wrote:

> joe and I talked offline. Neither of us think it's a lingering object (but that was his first guess too). He was thinking it was a phantom but I'm not sure since I see it in a GC - which never has a need to create a phantom.
>
> Layout is as follows.
>
> Domain0 is empty root, with child domains 1-6.
>
> Manager previously existed in Domain1. User still exists in Domain2.
>
> Manager has been verified to not exist on any DC in Domain1.
>
> Some (not all) of Domain2's DCs and GCs show the user having a manager. Some (not all) of Domain1's GCs show the user having a manager. Some (not all) of Domain3's GCs show the user having a manager. None of Domain0's GCs or 4-6 show the user having a manager.
>
> Around the time this happened back in 2003 there had been some incorrect Infrastructure Master placements. However, Domain2's IM appears to have been correctly configured. Not sure if that is just a red-herring to lead us down the phantom path.
RE: [ActiveDir] Linked Attributes Replication
I find nothing.

adfind -h Domain1GC -gc -b dc=Domain2,dc=x,dc=y -f "name=UserABC" manager

AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

Using server: Domain1GC:3268
Directory: Windows Server 2003

dn:CN=UserABC,OU=USERIDS,dc=Domain2,dc=x,dc=y
>manager: CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y

1 Objects returned

adfind -h Domain1GC -gc -b CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y

AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

Using server: Domain1GC:3268
Directory: Windows Server 2003

ldap_get_next_page_s: [Domain1GC] Error 0x20 (32) - No Such Object
Best Match of: 'OU=USERIDS,DC=Domain1,DC=x,DC=y'

0 Objects returned

--- Eric Fleischman <[EMAIL PROTECTED]> wrote:

> You can certainly kick GC off by hand to clear that up.
>
> If you have the problem on a GC though, how are you to blame a phantom?
>
> If you navigate to the partial NC on the GC, do you see the object? I assume the answer is yes (but if not please let me know what you do see).
>
> ~Eric
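The two lookups in the post above, cross-checked across several servers, as an added example that is not part of the original thread: it parses saved adfind transcripts, reports the manager value each server returns, and flags a value whose target DN the same server reports as No Such Object. The transcript is constructed from the output in the post; the Domain0GC host name and all function names are assumptions.

```python
import re
import shlex

# Constructed sample. The two Domain1GC runs follow the output in the post;
# the Domain0GC run (hypothetical host name) shows a GC with no manager value.
TRANSCRIPT = '''\
adfind -h Domain1GC -gc -b dc=Domain2,dc=x,dc=y -f "name=UserABC" manager
AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006
Using server: Domain1GC:3268
Directory: Windows Server 2003
dn:CN=UserABC,OU=USERIDS,dc=Domain2,dc=x,dc=y
>manager: CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y
1 Objects returned
adfind -h Domain1GC -gc -b CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y
AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006
Using server: Domain1GC:3268
Directory: Windows Server 2003
ldap_get_next_page_s: [Domain1GC] Error 0x20 (32) - No Such Object
Best Match of: 'OU=USERIDS,DC=Domain1,DC=x,DC=y'
0 Objects returned
adfind -h Domain0GC -gc -b dc=Domain2,dc=x,dc=y -f "name=UserABC" manager
AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006
Using server: Domain0GC:3268
Directory: Windows Server 2003
dn:CN=UserABC,OU=USERIDS,dc=Domain2,dc=x,dc=y
1 Objects returned
'''

# A command line has a switch right after the program name; the banner
# line ("AdFind V01...") does not, so it is not mistaken for a new run.
COMMAND = re.compile(r"adfind(\.exe)?\s+-", re.I)
ATTR = re.compile(r"^>([\w-]+): (.*)$")
NO_SUCH_OBJECT = "Error 0x20 (32)"


def _opt(args, flag):
    """Return the value following a command-line flag, or None."""
    return args[args.index(flag) + 1] if flag in args else None


def parse_runs(transcript):
    """Split a transcript into one record per adfind invocation."""
    runs = []
    for line in transcript.splitlines():
        line = line.strip()
        if COMMAND.match(line):
            args = shlex.split(line)
            runs.append({"host": _opt(args, "-h"), "base": _opt(args, "-b"),
                         "args": args, "values": [], "missing": False})
        elif runs:
            m = ATTR.match(line)
            if m:
                runs[-1]["values"].append((m.group(1), m.group(2)))
            elif NO_SUCH_OBJECT in line:
                runs[-1]["missing"] = True
    return runs


def audit_link(transcript, attr="manager"):
    """Per server: the link value it returns and whether its target resolves."""
    runs = parse_runs(transcript)
    # DNs each server reported as non-existent (the base of a failed lookup).
    missing = {(r["host"], r["base"].lower())
               for r in runs if r["missing"] and r["base"]}
    report = {}
    for r in runs:
        # Only runs that asked for the attribute say anything about its value.
        if r["missing"] or attr not in (a.lower() for a in r["args"]):
            continue
        targets = [v for a, v in r["values"] if a.lower() == attr]
        target = targets[0] if targets else None
        report[r["host"]] = {
            "value": target,
            "dangling": target is not None
                        and (r["host"], target.lower()) in missing,
        }
    return report


def replicas_disagree(report):
    """True when servers return different values for the same attribute."""
    return len({entry["value"] for entry in report.values()}) > 1
```
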
RE: [ActiveDir] Linked Attributes Replication
Let's take this offline.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Loder
Sent: Friday, October 20, 2006 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Linked Attributes Replication

I find nothing.

adfind -h Domain1GC -gc -b dc=Domain2,dc=x,dc=y -f "name=UserABC" manager

AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

Using server: Domain1GC:3268
Directory: Windows Server 2003

dn:CN=UserABC,OU=USERIDS,dc=Domain2,dc=x,dc=y
>manager: CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y

1 Objects returned

adfind -h Domain1GC -gc -b CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y

AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

Using server: Domain1GC:3268
Directory: Windows Server 2003

ldap_get_next_page_s: [Domain1GC] Error 0x20 (32) - No Such Object
Best Match of: 'OU=USERIDS,DC=Domain1,DC=x,DC=y'

0 Objects returned