Active Directory Ghost Object replication issue

I have a Windows 2003, Single Forest with nearly 50 Domains. This is a constantly changing, deployable system where not all Domains are connected and online at all times.
Some months ago 2 of these domains were held up in transit and tombstoned. Before they were connected to the Forest again they went to our Hardware support department to be "cleaned", meaning remove dust etc.; instead they wiped the arrays on all servers.
Our Level 4 Support team reanimated these nodes after restoring them from a really old backup.
This backup did not reflect the AD as it was when it was deleted, therefore we have several orphaned objects from those domains. The Domains are functioning correctly and replicating; however, the GC in the forest is inconsistent and the orphaned/ghost objects are still being replicated.
We have rehosted the directory partitions from the problem nodes to online domains, which works fine, but as soon as another domain comes online the orphaned objects are again replicated into the Global Catalog. The nature of our system means that we cannot control when the other domains are coming back online to rehost them before they replicate the object items back into the GC.
I have made several LDAP queries and can see that the items no longer exist on the problem domain; the only reference to the objects is in the GC directory partitions of those domains.
The biggest issue I have is that these objects were mail-enabled users and when the GAL queries the GC it is repopulating them.
I've hit a bit of a wall now and do not know how we can remove these ghost objects without having all domains online at the same time and rehosting the problem domains' partitions forest wide. I'd appreciate any assistance.
I have asked this question before but with less detail so I'm having another go!

An AD backup is as good as the Tombstone lifetime. By default the TSL of a 2003 forest functional level is 60. So if you haven't done this already you should probably configure a higher value for the TSL. By default Strict Replication Consistency is also enabled to prevent DCs that have been disconnected for a long time from propagating lingering objects into the AD topology; check to see if you have this enabled. You should use "repadmin" to remove the lingering objects.
"When a domain controller in your Active Directory environment is disconnected from the replication topology for an extended period of time, all objects that are deleted from AD DS on all other domain controllers might remain on the disconnected
domain controller. Such objects are called lingering objects. When this domain controller is reconnected to the replication topology, it acts as a source replication partner that has one or more objects that its destination replication partners no longer have.
Problems occur when these lingering objects on the source domain controller are updated and these updates are sent by replication to the destination domain controllers. A destination domain controller can respond in one of two ways:
If the destination domain controller has strict replication consistency enabled, it recognizes that it cannot update the object (because the object does not exist), and it locally halts inbound replication of the directory partition from that source
domain controller.
If the destination domain controller does not have strict replication consistency enabled, it requests the full replica of the updated object, which introduces a lingering object into the directory."
Also keep in mind that the Infrastructure Master role handles the cross-domain references and phantoms from the global catalog in its domain. Make sure that you either have all DCs as Global Catalogs or do not place the GC on the DC with the IM role.
Here are some useful links:
Determine the tombstone lifetime for the forest
Event ID 1388 or 1988: A lingering object is detected
Use Repadmin to remove lingering objects
Enable strict replication consistency
FSMO placement and optimization on Active Directory domain controllers
Phantoms, tombstones and the infrastructure master
http://mariusene.wordpress.com/
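As an added example (not part of the answer above), the three checks the answer describes, scripted in PowerShell: read the forest tombstoneLifetime, read each suspect DC's Strict Replication Consistency value, and run repadmin /removelingeringobjects against a trusted reference DC for every partition in the forest, so the read-only GC copies of the other domains' partitions are covered as well. The host names, the reference DC and the suspect DC list are assumptions to replace; the attribute location, the registry value and the repadmin syntax are the documented ones. Without -Commit the script only runs /advisory_mode, which is the right first pass.

```powershell
# Added example: lingering-object triage across the forest. Assumptions: run as Enterprise Admin from a
# host with repadmin.exe; $ReferenceDC holds a clean copy of every partition; Remote Registry is reachable.
param(
    [string]$ReferenceDC = "dc01.corp.example",                                            # assumed name
    [string[]]$SuspectDCs = @("dc01.branch1.corp.example", "dc01.branch2.corp.example"),   # assumed names
    [switch]$Commit                                                                        # default: advisory only
)

$rootDse  = [ADSI]"LDAP://$ReferenceDC/RootDSE"
$configNC = $rootDse.configurationNamingContext.Value

# 1. Tombstone lifetime lives on CN=Directory Service in the Configuration partition.
#    No explicit value means the default for the OS that created the forest applies.
$dsObj = [ADSI]"LDAP://$ReferenceDC/CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tsl = $dsObj.tombstoneLifetime.Value
if ($tsl) { "tombstoneLifetime = $tsl days" } else { "tombstoneLifetime not set explicitly (OS default applies)" }

# 2. Strict Replication Consistency is a per-DC REG_DWORD (1 = strict, 0 = loose).
function Get-StrictConsistency([string]$dc) {
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
    $key  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    $val  = $key.GetValue('Strict Replication Consistency')
    $key.Close(); $hive.Close()
    return $val
}

# 3. The reference DC's DSA object GUID is the source repadmin verifies objects against.
$refGuid = (repadmin /showrepl $ReferenceDC | Select-String 'DSA object GUID:' |
            Select-Object -First 1).Line.Split(':')[1].Trim()

# 4. Every naming context in the forest, from the crossRef objects under CN=Partitions.
$partitions = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$ReferenceDC/CN=Partitions,$configNC", '(objectClass=crossRef)', @('nCName'))
$partitions.SearchScope = 'OneLevel'
$ncs = $partitions.FindAll() | ForEach-Object { $_.Properties['ncname'][0] }

# 5. Verify each suspect DC against the reference for every NC. repadmin reports an error for
#    partitions the destination does not host at all; that is harmless and can be ignored.
foreach ($dc in $SuspectDCs) {
    "=== $dc (Strict Replication Consistency = $(Get-StrictConsistency $dc))"
    foreach ($nc in $ncs) {
        $rargs = @('/removelingeringobjects', $dc, $refGuid, $nc)
        if (-not $Commit) { $rargs += '/advisory_mode' }
        "repadmin $($rargs -join ' ')"
        & repadmin @rargs | Out-Null
    }
}
# Findings are written to the Directory Service event log of each suspect DC: one event per lingering
# object found plus a summary. Read those before re-running with -Commit, which performs the deletions.
```

Run the advisory pass once per suspect DC and keep the event-log output; only after the list of objects looks right (for the original poster, the mail-enabled users that should no longer exist) re-run with -Commit, and do it on every DC that still carries the partition, otherwise the next replication cycle brings the objects back.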

Similar Messages

  • Active Directory - Lingering Objects

    Hello,
    I'm having an issue with replication and I'm hoping someone can point me in the right direction.
    I have the Strict Replication setting enabled on all of my DCs.  I am running into a problem with replication failures due to lingering objects.  I ran repldiag.exe /removelingeringobjects /advisorymode on one of the DCs and it found 52 objects.
    However, the lingering objects are shared printer objects that are still in use in my organization.  What would be the impact of deleting these printer objects?  Would my workstations lose the ability to print to these printers?
    Thank you.

    Have you reviewed the link below?
    Lingering objects prevent Active Directory replication from occurring
    http://support.microsoft.com/kb/317097

  • MS Active Directory LDAP Authentication/Locking Issue.

    Dear All,
    We are a software company; we have implemented feature of LDAP Authentication in our product using Java API and its working fine from our network environment.
    We have used following things with LDAP feature.
    1. User Authentication.
    2. Locking account after exceed the maximum attempts that has configured in window server.
    Our main issue is: the LDAP feature is not working properly from our client side. They are able to authenticate their LDAP user but are not able to lock the user account even though they have exceeded the maximum attempts from the login dialog of our product, while it is still working on our side.
    If anybody has any experience with this then please reply with a positive solution or any other information, like whether a specific configuration is required for different versions of Windows and Active Directory Server etc.
    Does anybody know what the possibilities are for identifying and resolving this issue?
    Please help us if anybody has any experience with this.
    Please do the needful.
    Thanks,
    Mehul.

    Hi,
    Thanks for your reply.
    We have used java package of javax.naming.* and javax.naming.directory.* for LDAP Authentication.
    Following is the code for checking whether the ADS user is valid or not (userNameStr, userPassStr and the result constants are fields of the enclosing class):

    import java.util.Hashtable;
    import java.util.Vector;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    /**
     * Function checks whether the ADS user is a valid user or not, by doing an
     * LDAP simple bind as that user. A failed bind counts as a bad password
     * attempt on the domain controller that handled it.
     * @return int value indicating result (SUCCESS, AUTHENTICATION_ERROR, COMMUNICATION_ERROR).
     */
    public int isValidADSUser() {
        Hashtable<String, String> env = new Hashtable<String, String>(5);
        Vector adsInfoVec = getADSInfo(); // element 0 = domain/host, element 1 = port
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Context.REFERRAL is the same key as "java.naming.referral"; set it once.
        // "follow" handles the "Unprocessed Continuation Reference(s)" PartialResultException.
        env.put(Context.REFERRAL, "follow");
        env.put("java.naming.ldap.derefAliases", "always");
        env.put("java.naming.ldap.deleteRDN", "false");
        env.put("java.naming.ldap.attributes.binary", "");
        env.put(Context.PROVIDER_URL,
                "ldap://" + (String) adsInfoVec.elementAt(0) + ":" + (String) adsInfoVec.elementAt(1));
        env.put(Context.SECURITY_PRINCIPAL, userNameStr + "@" + (String) adsInfoVec.elementAt(0));
        if (userPassStr == null || userPassStr.length() == 0) {
            // An empty password is sent as an unauthenticated (anonymous) simple bind, which the
            // server may accept; never treat that as a successful logon.
            return AUTHENTICATION_ERROR;
        }
        env.put(Context.SECURITY_CREDENTIALS, userPassStr);
        try {
            DirContext ctx = new InitialDirContext(env); // the bind happens here
            ctx.lookup("");
            ctx.close();
        } catch (javax.naming.AuthenticationException ex) {
            ex.printStackTrace();
            return AUTHENTICATION_ERROR;
        } catch (javax.naming.PartialResultException pex) {
            pex.printStackTrace();
            return COMMUNICATION_ERROR;
        } catch (javax.naming.CommunicationException cex) {
            cex.printStackTrace();
            return COMMUNICATION_ERROR;
        } catch (NamingException e) {
            System.out.println("Failed to connect to " + env.get(Context.PROVIDER_URL));
            e.printStackTrace();
            return COMMUNICATION_ERROR;
        }
        return SUCCESS;
    }
    Result of this code from our company: we are able to authenticate the LDAP user and also lock the user account after exceeding the max failure attempts configured on the Windows Server.
    Result of this code from our client side: they are able to authenticate the LDAP user but they can't get the user account locked even though the max failure attempts configured on their Windows Server are exceeded.
    Can you please help us if you have any experience with this, and suggest if any other configuration is required on the Windows Server / Active Directory Server, or if some other implementation is required for resolving this issue.
    Your optimistic reply is much appreciated.
    Thanks,
    Mehul Garnara.
    Edited by: [email protected] on Mar 6, 2008 10:24 PM
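    As an added example (not part of this thread), the lockout test the poster describes, reproduced outside the Java product: a series of failed LDAP simple binds against one domain controller, followed by a read of badPwdCount and lockoutTime from that same DC. Two facts drive the design: the domain's lockoutThreshold must be non-zero for any number of failed binds to lock an account, and badPwdCount is kept per DC and is not replicated, so the counter has to be read from the DC that processed the binds. The DC name and the test account are assumptions.

```powershell
# Added example: verify that failed LDAP simple binds count towards lockout on a given DC.
# Assumptions: $Dc and $Upn are placeholders; $Upn is a throwaway test account you are allowed to lock.
param(
    [string]$Dc = "dc01.corp.example",        # assumed
    [string]$Upn = "testlock@corp.example",   # assumed test account
    [int]$Attempts = 6
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

# The lockout policy is stored on the domain naming context head.
$root     = [ADSI]"LDAP://$Dc/RootDSE"
$domainDn = $root.defaultNamingContext.Value
$domain   = [ADSI]"LDAP://$Dc/$domainDn"
$threshold = $domain.lockoutThreshold.Value
"lockoutThreshold on $domainDn = $threshold (0 means lockout is disabled; no number of failed binds will lock the account)"

function Test-SimpleBind([string]$server, [string]$user, [string]$password) {
    # Refuse empty passwords: an unauthenticated simple bind is treated as anonymous and "succeeds".
    if ([string]::IsNullOrEmpty($password)) { return $false }
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic     # LDAP simple bind
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Credential = New-Object System.Net.NetworkCredential($user, $password)
    try   { $conn.Bind(); return $true }
    catch [System.DirectoryServices.Protocols.LdapException] { return $false }   # result 49 on bad password
    finally { $conn.Dispose() }
}

function Get-AccountState([string]$server, [string]$baseDn, [string]$upn) {
    # Read the counters from the DC that took the binds; badPwdCount does not replicate, lockoutTime does.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$server/$baseDn", "(userPrincipalName=$upn)", @('badPwdCount', 'lockoutTime'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "account $upn not found on $server" }
    $bad = 0; if ($r.Properties.Contains('badpwdcount')) { $bad = [int]$r.Properties['badpwdcount'][0] }
    $lt  = 0; if ($r.Properties.Contains('lockouttime')) { $lt  = [long]$r.Properties['lockouttime'][0] }
    # lockoutTime 0 = never locked / unlocked; a non-zero value is the lock timestamp (FILETIME).
    return New-Object PSObject -Property @{ BadPwdCount = $bad; LockedOut = ($lt -gt 0) }
}

for ($i = 1; $i -le $Attempts; $i++) {
    $ok    = Test-SimpleBind $Dc $Upn "wrong-password-$i"      # constructed bad password
    $state = Get-AccountState $Dc $domainDn $Upn
    "attempt {0}: bind succeeded={1} badPwdCount={2} lockedOut={3}" -f $i, $ok, $state.BadPwdCount, $state.LockedOut
}
```

    If badPwdCount stays at 0 on the DC you bind to, the binds are not reaching that DC (check which host the application actually resolves); if it climbs but LockedOut never turns true, compare it against lockoutThreshold on that domain, because the lockout policy is a property of the domain, not of the client application.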

  • Active Directory FindAll SearchResutlsCollection Performance Issue

    Hi,
    I am trying to get a list of users from Active Directory with the query shown in the code snippet below. After the FindAll() statement I get the results (users collection) from Active Directory. As soon as I try results.Count or any operation on the results object, it takes 7 seconds the first time. So every time I try to get users, it takes more than 7 seconds. Could you please provide your suggestions to overcome the 7-second delay.
    Thanks,
    Janaiah
    Imports System
    Imports System.DirectoryServices

    Try
        Dim path As String = "LDAP://xxxx/CN=Users,DC=firm,DC=xxxx,DC=com"
        ' Description=test* can use the attribute index; the leading wildcard in Description=*SampleAcc cannot.
        Dim filter As String = "(&(objectCategory=person)(objectClass=user)(Description=test*)(Description=*SampleAcc))" '(!userAccountControl:1.2.840.113556.1.4.803:=2))"
        Dim propertiesToLoad As String() = New String(0) {"name"}
        '(&(objectClass=user)(Description=testaccount*)(Description=*TestAccount))
        ' "domain\username" / "password" are placeholders; do not embed real credentials in code.
        Using root As New DirectoryEntry(path, "domain\username", "password", AuthenticationTypes.Secure)
            Using searcher As New DirectorySearcher(root, filter, propertiesToLoad)
                searcher.PageSize = 1000 ' paged results avoid the server-side size limit on large result sets
                Dim temp As String = DateTime.Now.ToString("HH:mm:ss.fff")
                Using results As SearchResultCollection = searcher.FindAll()
                    ' FindAll() returns immediately; the server round trip happens on first access to the collection.
                    temp = temp & " - " & DateTime.Now.ToString("HH:mm:ss.fff")
                    For Each result As SearchResult In results
                        temp = temp & " - " & DateTime.Now.ToString("HH:mm:ss.fff")
                        Dim name As String = DirectCast(result.Properties("name")(0), String)
                        'ADUsersList.Items.Add(name)
                    Next
                End Using
            End Using
        End Using
    Catch ex As Exception
        ' An empty Catch hides the real cause of a slow or failed search; at least record it.
        Console.Error.WriteLine(ex.ToString())
    End Try

    Hi Janaiah Putta,
    I am moving your thread into the
    Visual Basic Forum for dedicated support. Thanks for your understanding.
    Best Regards,
    Jack

  • Active Directory error 1864 (replication)

    Hello colleagues
    I have 5 DCs (1dc.test.local - 5dc.test.local) and 1 DC (6dc.test.local) that was out of the domain for 3 months. All DCs are Windows 2003 in one domain, test.local. Then I changed the IP address of 6dc.test.local and connected it to the LAN of the domain (to the other 5 DCs). I see that 6dc.test.local now has the latest copy of the DNS zone and AD. Now I want to remove 6dc.test.local from the domain but I can't do this; after running DCPROMO I get an error:
    "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."
    and have error 1864 (about replication) in the events.
    Maybe someone has already had this problem? How can I remove 6dc.test.local from the domain so that the other DCs in the domain know about it?
    Please help!

    Hi,
    Please remove the 6th DC using the following command:
    DCPROMO /forceremoval
    If that also fails, run the metadata cleanup using the script given below. Make sure you run this script from the PDC server and then delete the records manually from the DNS console as given below. Once you have done that, kindly rebuild the OS and then promote it as a domain controller again.
    https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3
    Repeat running the VBS script till the wrong/unnecessary DCs are removed.
    Cross-check the removal:
    dsa.msc [AD Users and Computers] > Domain Controllers OU
    Adsiedit.msc
        Expand the domain partition, select OU=Domain Controllers, and make sure only the necessary domain controllers are listed.
        Delete the incorrect domain controllers.
    Dnsmgmt.msc [DNS Management]
        A. Expand the Forward Lookup Zones\_msdcs folder
            i. Make sure only the actual domain controllers are listed; delete wrong Alias (CNAME) records and remove wrong Name Server (NS) records.
            ii. Select the container [Forward Lookup Zones\_msdcs.domain.com\dc\_sites\sitename\_tcp] and delete the incorrect _ldap and _kerberos records.
            iii. Select the container [Forward Lookup Zones\_msdcs.domain.com\dc\_tcp] and delete the incorrect _ldap and _kerberos records.
            iv. Expand [Forward Lookup Zones\_msdcs.domain.com\domains\guid\_tcp] and delete the incorrect _ldap entries.
            v. Select [Forward Lookup Zones\_msdcs.domain.com\gc] and delete the incorrect Host (A) records.
            vi. Expand [Forward Lookup Zones\_msdcs.domain.com\gc\_sites\sitename\_tcp] and delete the incorrect _ldap entries.
            vii. Select [Forward Lookup Zones\_msdcs.domain.com\gc\_tcp] and delete the incorrect _ldap entries.
            viii. Select [Forward Lookup Zones\_msdcs.domain.com\pdc\_tcp] and delete the incorrect _ldap entries.
        B. Expand the Forward Lookup Zones\domain.com folder
            i. Delete the Host (A) records of DCs which are non-existent.
            ii. Correct the Name Server (NS) records.
            iii. Follow steps similar to A ii through A viii.
    Dssite.msc [Sites and Services]
        Expand [Sites\Sitename\Servers] and delete the incorrect servers.
        Delete incorrect subnet configurations [Sites\Subnets].
        Delete incorrect site links [Sites\IP].
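    As an added example (not part of the answer above), the same cleanup scripted in PowerShell instead of clicked through the consoles: the metadata cleanup of the dead DC's server object through ntdsutil, and a sweep of the SRV, CNAME, NS and A records in both the domain zone and the _msdcs zone that still point at it, read and deleted through the MicrosoftDNS WMI classes that Windows Server 2003 DNS exposes. The host names, the IP, the zone and the site name in the server DN are placeholders; by default the script is a dry run and prints what it would delete.

```powershell
# Added example: metadata cleanup plus stale DNS record removal for a DC that is gone for good.
# Assumptions: run as Enterprise Admin from a surviving DC; names, IP and site are placeholders.
param(
    [string]$DeadDc      = "6dc.test.local",     # the DC being removed
    [string]$DeadIp      = "192.0.2.6",          # assumed address; used to catch gc._msdcs A records
    [string]$DnsServer   = "1dc.test.local",     # surviving DNS server hosting the zones
    [string]$Zone        = "test.local",
    [string]$DeadServerDn = "CN=6DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local",  # assumed site
    [switch]$Delete                                # without -Delete nothing is changed
)

# 1. Remove the NTDS Settings / server metadata. ntdsutil on 2003 SP1+ accepts the server DN directly,
#    which avoids the interactive "list sites / list servers" menus.
$ntdsCmd = "ntdsutil `"metadata cleanup`" `"remove selected server $DeadServerDn`" quit quit"
if ($Delete) { Invoke-Expression $ntdsCmd } else { "Dry run: $ntdsCmd" }

# 2. Stale DNS records. Each MicrosoftDNS record class carries its target in a different property.
$deadFqdn = $DeadDc.ToLower().TrimEnd('.')
$classes = @(
    @{ Class = 'MicrosoftDNS_SRVType';   Field = 'SRVDomainName' },   # _ldap/_kerberos/_gc SRV records
    @{ Class = 'MicrosoftDNS_CNAMEType'; Field = 'PrimaryName' },     # <DSA GUID>._msdcs alias
    @{ Class = 'MicrosoftDNS_NSType';    Field = 'NSHost' },          # NS records on both zones
    @{ Class = 'MicrosoftDNS_AType';     Field = 'OwnerName' }        # the host's own A record
)
# _msdcs may be its own zone or a subdomain inside the domain zone; querying both names covers either layout.
foreach ($zoneName in @($Zone, "_msdcs.$Zone")) {
    foreach ($c in $classes) {
        $records = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
                                 -Class $c.Class -Filter "ContainerName='$zoneName'"
        foreach ($r in $records) {
            $target = ([string]$r.($c.Field)).ToLower().TrimEnd('.')
            $stale = ($target -eq $deadFqdn)
            # gc._msdcs.<zone> A records are owned by the gc name and identify the DC only by address.
            if ($c.Class -eq 'MicrosoftDNS_AType' -and $r.IPAddress -eq $DeadIp) { $stale = $true }
            if ($stale) {
                $kind = $c.Class.Replace('MicrosoftDNS_', '').Replace('Type', '')
                $verb = if ($Delete) { 'DELETE' } else { 'would delete' }
                "{0} {1,-5} {2} -> {3}" -f $verb, $kind, $r.OwnerName, $(if ($kind -eq 'A') { $r.IPAddress } else { $target })
                if ($Delete) { $r.Delete() }
            }
        }
    }
}
```

    Run it once without -Delete and read the list: every line should name the dead DC (or its address) and nothing else. Afterwards, confirm with repadmin /showrepl on a surviving DC and with dsa.msc that the server no longer appears, then rebuild and re-promote the machine as the answer says.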

  • OID and Active Directory(global catalog) synchronization issues

    We have a large network with 7 domains within the AD forest. The OID server profile points to a single domain controller/GC in 1 of these 7 domains. It is able to synchronize when a change occurred in this domain but not in the others in the forest when querying port 3268/GC. We reloaded the bootstrap, which reduced the "highest committed USN" last-read attribute value in OID, and the sync started working again with another domain but not consistently (a change in AD gets pulled into OID).
    It seems as if OID cannot read the highest committed USN value for all domains within one forest by querying a single global catalog domain controller in one domain. Any ideas on best practice to have a consistent sync from OID to all domains in AD?

    Each AD server in the Forest will maintain its own highestCommittedUSN. The AD GC should maintain a consistent USN but knows and keeps all the AD servers in sync. So if the GC does not maintain a consistent USN you should contact Microsoft as well (besides this forum :-)
    regards,
    --Olaf

  • User synchronization issue between Active Directory and Solution manager.

    Requirement:
    Synchronize the users between Active directory and solution manager system.
    What we did:
    1. Created an RFC connection (LDAP_RFC) for the LDAP connector.
    2. Created a new LDAP connector that utilizes the RFC (LDAP_RFC).
    3. Created a new logical LDAP Server (CUA). Here we have to maintain the connection details to the physical directory.
    4. We maintained the communication user that is used by the LDAP connector to bind to the LDAP Directory Server.
    5. In transaction LDAPMAP we mapped specific SAP data fields to the desired directory attributes.
    6. Testing from the LDAP transaction is working fine. We are able to see the attributes and values from Active Directory.
    Issue:
    We executed the program RSLDAPSYNC_USER for user synchronization from t-code SE38 with the selection below:
    LDAP Server = CUA (created earlier)
    LDAP Connector = LDAP_RFC (RFC connection created earlier)
    In the tab (Objects that exist both in the directory and in the database): Selected: Compare Time Stamp.
    In the tab (Objects that only exist in the directory): Selected: Create in Database.
    In the tab (Objects that only exist in the database): Selected: Ignore Object.
    The result from the report shows that the connection to the LDAP server is fine and '0' (zero) objects in the Directory.
    The program does not create any new user in the Solution Manager system.
    Any help on this issue greatly appreciated.
    Thanks & Regards,
    Harish

    Where did you see this error? Are there any more details?
    I think the account you are using for sync does not have the Replicate Directory Changes permission in AD. Follow the article below and give the Replicate Directory Changes permission.
    http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
    Thanks, Noddy

  • Active directory intersite replication minimum polling interval is 15 min or 7.5 min ?

    in  MCITP 70-640 R2 Self-paced training kit , at page 593, we read :
    "The minimum polling interval is 15 minutes. With this setting, and using Active Directory’s
    default replication configuration, a change made to the directory in one site takes on average
    seven and a half minutes to replicate to domain controllers in another site."
    I don't understand which one is true in the end: 15 min or 7.5 min?
    I wonder, because in my exercises I noticed that replication occurred between sites at about 7.5 min and didn't take 15 min.
    If it is 7.5 min, what is the reason that they wrote 15 min?

    At a maximum 15 min.
    The so-called average is 7.5 min <----- forget this!
    Remember the following as your rule of thumb: the minimum interval that can be configured is 15 min and the default is 180 min (3 hours). The interval is the max amount of time that needs to pass before the DCs (between sites) initiate inbound replication.
    So it will take the period of the interval or less before replication starts.
    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL: http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL: http://jorgequestforknowledge.wordpress.com/feed/ ####

  • Active Directory data replication to database

    Hi Guys
    Does anybody know how to replicate data from Active Directory (groups and users) directly to a database table, like Oracle?
    My research drove me to code a program that makes a persistent search on Active Directory, monitoring object changes to make inserts or updates in my table.
    Java Technology Forums - JNDI, Active Directory and Persistent Searches (part 1)
    http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
    Java Technology Forums - JNDI, Active Directory and Persistent Searches (part 2)
    http://forum.java.sun.com/thread.jspa?forumID=51&threadID=672007
    Is it a good idea ?
    Thanks
    MHM

    As I said previously, it depends on how frequently you need to synchronise the database; weekly, daily, hourly, realtime.
    LDIFDE, CSVDE can be used to export LDIF or CSV files respectively, which you could then import into a database. That would be a good pragmatic solution for something that needs to be done daily or weekly.
    The DIRSYNC control is good for any scheduled synchronisation, whereas the LDAP Notification Control is better suited to real-time applications.
    I am rather flattered that the post you referred to http://www.forumeasy.com/forums/thread.jsp?tid=117381285598&fid=ldapprof2&highlight=LDAP+Persistent+Search+Control+JNDI+Client
    is based on my original sample titled "JNDI, Active Directory and Persistent Searches (part 2)" which I posted at
    http://forum.java.sun.com/thread.jspa?threadID=672007&tstart=90
    BTW, the sample for using the dirsync control, which is titled "JNDI, Active Directory & Persistent Searches (part 1)", is available at
    http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
    Another alternative would be to install another server with Active Directory Application Mode (ADAM) specifically for your "expensive" queries and use a tool such as ADAMSync to populate it from your other Active Directory domain controllers.
    ADAMSync is included with ADAM and you can find the command line options described at http://technet2.microsoft.com/windowsserver/en/library/c64799ab-88c0-4e5a-b296-bc26031141291033.mspx?mfr=true
    Personally, I would much prefer to use something like LDIFDE, CSVDE, ADAMSync or a full-fledged synchronisation/provisioning product such as Identity Lifecycle Manager rather than write (and debug/maintain) my own code.
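    As an added example (not part of the answer above, and not the Java sample it links to), the DIRSYNC control the answer recommends for scheduled synchronisation, driven from PowerShell through System.DirectoryServices.Protocols. The first call with no cookie returns every matching object; each later call with the saved cookie returns only the objects (and only the attributes) that changed since, including deletions, which is exactly what a database loader needs. The DC name and cookie file path are assumptions; the caller needs the "Replicating Directory Changes" right on the partition, which DirSync requires.

```powershell
# Added example: incremental change polling with the LDAP DirSync control (OID 1.2.840.113556.1.4.841).
# Assumptions: $Dc and $CookiePath are placeholders; the running account holds Replicating Directory Changes.
param(
    [string]$Dc = "dc01.corp.example",                # assumed
    [string]$CookiePath = "$env:TEMP\dirsync.cookie"  # assumed location of the persisted cookie
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

$root     = [ADSI]"LDAP://$Dc/RootDSE"
$domainDn = $root.defaultNamingContext.Value      # DirSync searches must be rooted at a naming context head

function Get-DirSyncChanges([string]$server, [string]$baseDn, [byte[]]$cookie) {
    # Returns the objects changed since $cookie ($null = everything) and the cookie to save for next time.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()                                  # current Windows credentials (Negotiate)
    $changes = @()
    $opts = [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::None
    do {
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $baseDn, '(|(objectClass=user)(objectClass=group))',
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            @('objectGUID', 'sAMAccountName', 'member', 'isDeleted'))
        $ctrl = New-Object System.DirectoryServices.Protocols.DirSyncRequestControl($cookie, $opts, [int]::MaxValue)
        [void]$req.Controls.Add($ctrl)
        $resp = $conn.SendRequest($req)
        $dsResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
        foreach ($e in $resp.Entries) {
            # objectGUID is the stable key to store in the database; DNs change on rename and move.
            $guid = New-Object Guid(, $e.Attributes['objectGUID'][0])
            $changes += New-Object PSObject -Property @{
                Guid    = $guid
                Dn      = $e.DistinguishedName
                Changed = (($e.Attributes.AttributeNames | Where-Object { $_ -ne 'objectGUID' }) -join ',')
                Deleted = [bool]$e.Attributes['isDeleted']   # tombstones arrive with isDeleted=TRUE
            }
        }
        $cookie = $dsResp.Cookie
    } while ($dsResp.MoreData)                    # the server pages large change sets
    $conn.Dispose()
    return @{ Changes = $changes; Cookie = $cookie }
}

$cookie = $null
if (Test-Path $CookiePath) { $cookie = [IO.File]::ReadAllBytes($CookiePath) }
$result = Get-DirSyncChanges $Dc $domainDn $cookie
$result.Changes | Format-Table Dn, Changed, Deleted -AutoSize
# Persist the cookie only after the rows have been committed to the database: replaying from an older
# cookie is safe (idempotent upserts), losing changes is not.
[IO.File]::WriteAllBytes($CookiePath, $result.Cookie)
```

    Schedule this at whatever interval the answer's "daily, hourly" question settles on; the cookie is opaque and tied to the DC's invocation ID, so keep polling the same DC (or start over with a full sync when you switch).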

  • Bootcamp iMac + Active Directory = Not working!

    I have a 2009 iMac with bootcamp and XP pro SP3 running great.
    Now have to bind to Active directory box and having issues.
    Will bind perfectly but upon restart the login windows stalls on selecting the new domain. the machine then needs to be restarted and same again etc etc.
    I have a thinkpad with same install and it works a treat so definitely the iMac thats causing the issue.
    Could it be the EFI?
    Anyone had similar problems?
    Any help would be grand
    thanks


  • Add random number to a email id while creating account in active directory

    Hi,
    I have this code with me,
    In this code I am creating user accounts in the Active Directory; I am facing an issue in validating it.
    The validation is: let's say we get a 2nd Aman Verma in the Active Directory; the first Aman Verma got the id [email protected], and I want the id of the second Aman Verma to be [email protected] (or any other number in the place of the 1).
    below is my code,
    using System;
    using System.IO;
    using System.DirectoryServices;

    namespace ActiveDirectoryAddContacts
    {
        class Class1
        {
            static void Main(string[] args)
            {
                // Resolve the default naming context and target the ou=Mytest container beneath it.
                DirectorySearcher DSESearcher = new DirectorySearcher();
                string RootDSE = DSESearcher.SearchRoot.Path;   // e.g. LDAP://DC=firm,DC=com
                RootDSE = RootDSE.Insert(7, "ou=Mytest,");        // LDAP://ou=Mytest,DC=firm,DC=com
                DirectoryEntry myDE = new DirectoryEntry(RootDSE);
                DirectoryEntries myEntries = myDE.Children;

                // Create a new entry in the container for every line of the CSV (read to end of file
                // instead of a fixed count, so a short file does not produce null lines).
                using (FileStream fs = new FileStream("C:\\UserDetails.csv", FileMode.Open, FileAccess.Read))
                using (StreamReader sr = new StreamReader(fs))
                {
                    string str;
                    char[] ca = { ',' };
                    while ((str = sr.ReadLine()) != null)
                    {
                        try
                        {
                            string[] sa = str.Split(ca, 4);   // givenName, sn, displayName, mail
                            DirectoryEntry myDirectoryEntry = myEntries.Add("CN=" + sa[2], "user");
                            myDirectoryEntry.Properties["givenname"].Value = sa[0];
                            //myDirectoryEntry.Properties["sn"].Value = sa[1];
                            //myDirectoryEntry.Properties["displayname"].Value = sa[2];
                            //myDirectoryEntry.Properties["mail"].Value = sa[3];
                            //myDirectoryEntry.CommitChanges();
                        }
                        catch (Exception e)
                        {
                            // Report the failing line together with the reason, not the line alone.
                            Console.WriteLine(str + " : " + e.Message);
                        }
                    }
                }
            }
        }
    }
    any Help will be highly appreciated.
    Thank you!
    Aman 

    Hi,
    As this might not be a SharePoint issue, I suggest you open a thread in the Windows Server forum, you will get more help and confirmed answers there:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
    Thanks
    Patrick Liang
    TechNet Community Support

  • Search for single member in an Active Directory Group

    Hello all,
    I'm attempting to find a better method to search if a user is a member of a group in Active Directory. I currently retrieve the entire member attribute of the group.
    I need to reduce the time of the query. I would like to be able to search for a specific member (user) of the group instead of retrieving the entire member list of the group.
    I can post my current code if that would help.
    I believe the default Active Directory group object is the ldap group. I know that there are posixGroup and groupOfUniqueNames ldap classes available, but I'm not sure if Active Directory has access to those classes.
    Is my request possible using the group ldap object?

    Thanks for the reply.
    I have read the first post you gave, but not the second. I'm off to read that now.
    My main concern is that I don't have access to the DN of the user in the member attribute. I have access to their CN and uid (which is indexed). From what I can recall from when I last updated this code, I couldn't create a wildcard search filter, e.g.:
    (&(cn=All Scientists)(objectClass=Group)(member=CN=Albert Einstein*))
    If that's correct and I require a DN, is there any way around this?
    I was interested in the posixGroup and groupOfUniqueNames classes. I wasn't aware that these were available through Active Directory, but I see them listed in the AD schema (http://msdn.microsoft.com/en-us/library/ms683908(VS.85).aspx).
    If I'm correct, posixGroup would allow for a filter of (&(cn=All Scientists)(objectClass=posixGroup)(memberUid=AEinstein))
    I'm not sure how typical it is to use the posixGroup class in AD and I'll have to check with my AD team before moving forward with this. But I wanted to get some more direction/ideas before asking them to create some posixGroup objects for me.
    I'm now going to go and read the second post you linked, but I wanted to put the rest of my details out there.
    Thanks again.
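    As an added example (not part of this thread), the membership check done without retrieving the group's member list: resolve the user's DN by the indexed sAMAccountName, then run a base-scope search on the group object itself with a (member=<DN>) filter, which the server answers as a yes/no on one entry. The DC, user and group names are assumptions. Because member is a DN-syntax attribute, the filter value must be a complete DN (no wildcards, which is why the poster's CN=Albert Einstein* cannot work), and a DN that contains backslashes or parentheses has to be escaped per RFC 4515 before it is placed in the filter; the escape function does that and is also what keeps attacker-supplied names from rewriting the filter. The last step shows the same check through nested groups using the LDAP_MATCHING_RULE_IN_CHAIN rule available from Windows Server 2003 SP2.

```powershell
# Added example: targeted group membership test against Active Directory.
# Assumptions: $Dc, $SamAccountName and $GroupCn are placeholders.
param(
    [string]$Dc = "dc01.corp.example",     # assumed
    [string]$SamAccountName = "aeinstein", # assumed
    [string]$GroupCn = "All Scientists"
)

function ConvertTo-LdapFilterValue([string]$value) {
    # RFC 4515 escaping: the five metacharacters become \XX hex pairs; everything else passes through.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Find-One([string]$server, [string]$baseDn, [string]$filter, [string[]]$attrs, [string]$scope) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$server/$baseDn", $filter, $attrs)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]$scope
    return $searcher.FindOne()     # $null when nothing matches
}

$domainDn = ([ADSI]"LDAP://$Dc/RootDSE").defaultNamingContext.Value

# 1. Resolve both DNs; sAMAccountName and cn are indexed and each lookup returns one small entry.
$user  = Find-One $Dc $domainDn "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))" @('distinguishedName') 'Subtree'
$group = Find-One $Dc $domainDn "(&(objectCategory=group)(cn=$(ConvertTo-LdapFilterValue $GroupCn)))" @('distinguishedName') 'Subtree'
if (-not $user -or -not $group) { throw "user or group not found" }
$userDn  = $user.Properties['distinguishedname'][0]
$groupDn = $group.Properties['distinguishedname'][0]

# 2. Direct membership: base-scope search on the group with the full, escaped DN as the member value.
#    The server evaluates the filter; the member attribute is never transferred.
$hit = Find-One $Dc $groupDn "(member=$(ConvertTo-LdapFilterValue $userDn))" @('cn') 'Base'
$isDirectMember = ($hit -ne $null)

# 3. Nested membership at the same cost: in-chain matching walks the group chain on the server.
$nested = Find-One $Dc $userDn "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDn))" @('cn') 'Base'
$isNestedMember = ($nested -ne $null)

"$SamAccountName in '$GroupCn': direct=$isDirectMember, including nesting=$isNestedMember"
```

    The primary group is the one case neither filter covers, because it is recorded in primaryGroupID on the user rather than in the group's member attribute; if that matters for the check, compare primaryGroupID against the group's RID as a separate step.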

  • Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest

    Hello everyone,
    I'm managing a multi-domain forest (with 7 sub-domains).  All are working fine except for one.  Through repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed that both domain controllers of a subdomain (there are only 2 DCs in that subdomain) hadn't replicated with the rest of the forest for more than 60 days.
    According to my research, it's usually recommended to demote and re-promote the problematic DC to avoid the issue of lingering objects.  In this case, it's both DCs of a sub-domain.  Of course, on the other DCs in the forest, I got event ID 2012 "it has been too long since this machine last replicated with the named source machine....".
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner to a value of 1.
    As I understand it, this may cause lingering objects to appear (they can be removed with the repadmin /removelingeringobjects command with the DSA GUID, naming context, etc.).  So far, I haven't used that registry key yet because of the associated risks.
    I didn't notice any other issue so far.  Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the other DCs in the forest (at least, I'm not getting any error in AD Sites and Services).
    I added two new DCs for the affected sub-domain, so the number of DCs for that domain went from 2 to 4.  The two old DCs that hadn't replicated for 60 days are Windows Server 2003 and the two new DCs are Server 2008 R2.
    Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain.  By that, I mean that I cannot add an Active Directory Domain Services Connection in the Sites & Services console (from a DC in another domain of the forest or even the root domain).  I see all the DCs, including the two old DCs that are Server 2003, but not the new ones.
    I believe it's because the other DCs don't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
    I was wondering what the best course of action is. Is it worthwhile to use the registry key to force replication with the old DCs?  (And hopefully the new DCs will get their AD Services connection/replication vector created, so I can demote the old DCs.)
    Since the old DCs from the problematic sub-domain seem to be able to pull the replication from the rest of the forest, isn't the risk of lingering objects not that great?
    Or is it too risky and must I create a new sub-domain and migrate the users one way or another? (which would be time-consuming)
    Thanks in advance,
    Adam

    Thanks for the reply.  One of the links had another link to a good article about the use of repadmin:
    So, I ran the command "repadmin /removelingeringobjects" on one of the problematic DCs ().
    For clarity purposes, let's say I used the domains:
    domain = main domain
    subdomain = the domain whose DC are problematic (all of them).
    AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
    Command (the DSA guid is from a DC "clean" in another domain)
    repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
    I got the following message in the event viewer :
    Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
    Source domain controller:
    c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
    Number of objects examined and verified:
    0
    Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
    advisory mode option.
    How should I interpret the message "number of objects examined and verified 0".  Does it mean it just didn't find any object to compare ? (which would be odd IMHO)  Or there is another problem ?
    Thanks in advance,
    Adam
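    As an added example (not code from the thread or from Microsoft), the advisory-mode check in Adam's post extended to every DC and partition of the sub-domain, with the resulting Directory Service log entries read back afterwards so the "objects examined and verified" counts can be compared side by side. The DSA GUID is the one quoted above; the DC names and the partition list are assumptions standing in for the poster's environment, and the script expects repadmin.exe on the path and the Directory Service log readable from where it runs.

```powershell
# Added example, not from the thread. Runs repadmin /removelingeringobjects in
# advisory mode for every target DC x naming context, then reads back the
# advisory-mode events so the verified-object counts can be reviewed per partition.
# DC names and the partition list below are assumptions.

$ReferenceDsaGuid = 'C4081E00-921A-480D-9FDE-C4C34F96E7AC'   # DSA object GUID of the clean DC (quoted in the post)
$TargetDCs  = @('adrec01.mysubdomain.domain.ca', 'adrec02.mysubdomain.domain.ca')   # assumed names
$Partitions = @(                                                                    # assumed list
    'dc=ANOTHERsubdomain,dc=domain,dc=ca',
    'dc=domain,dc=ca',
    'cn=configuration,dc=domain,dc=ca'
)

function Invoke-LingeringObjectCheck {
    param(
        [string[]]$Targets,
        [string]$SourceGuid,
        [string[]]$NamingContexts,
        [switch]$Delete    # leave unset until the advisory-mode results have been reviewed
    )
    foreach ($dc in $Targets) {
        foreach ($nc in $NamingContexts) {
            $cmdArgs = @('/removelingeringobjects', $dc, $SourceGuid, $nc)
            if (-not $Delete) { $cmdArgs += '/advisory_mode' }
            Write-Host "repadmin $($cmdArgs -join ' ')"
            & repadmin.exe @cmdArgs
        }
    }
}

function Get-LingeringObjectEvents {
    # Reads one DC's Directory Service log and pulls the count out of the
    # completion event shown in the post. Get-EventLog uses the classic event
    # log API, so it also works against Windows Server 2003 DCs.
    param([string]$ComputerName, [datetime]$After)
    Get-EventLog -ComputerName $ComputerName -LogName 'Directory Service' -After $After |
        Where-Object { $_.Message -match 'lingering object' } |
        ForEach-Object {
            $count = $null
            if ($_.Message -match 'Number of objects examined and verified:\s*(\d+)') { $count = [int]$Matches[1] }
            [pscustomobject]@{
                Time     = $_.TimeGenerated
                DC       = $ComputerName
                EventId  = $_.EventID
                Verified = $count            # 0 means nothing was compared, not "clean"
                Summary  = ($_.Message -split "`r?`n")[0]
            }
        }
}

$started = Get-Date
Invoke-LingeringObjectCheck -Targets $TargetDCs -SourceGuid $ReferenceDsaGuid -NamingContexts $Partitions
foreach ($dc in $TargetDCs) {
    Get-LingeringObjectEvents -ComputerName $dc -After $started | Format-Table -AutoSize
}
```

    Review the per-partition output before rerunning with -Delete. Read the count the way the event text defines it: "Number of objects examined and verified: 0" says that no objects on that DC were compared against the source for that partition, so a 0 does not establish that the partition is free of lingering objects; it is the per-object entries "listed in past event log entries" that identify what would be removed.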

  • Active directory SYSVOL replication issues

    Hello.
    I have 2 domain controllers, both of them on the same site: DC1 & DC2. I have added a new site with a DC3. When I added DC3 to the domain, I realized that SYSVOL was not initialized correctly. I went back to DC1 and found out there's the following error in the event viewer:
    Error: 4012 on DC1
    The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
    Error: 2213 on DC2
    The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
    This indicates a DFS replication issue between DC1 & DC2, and this is probably the reason why SYSVOL was not properly initialized on DC3.
    How can I restore correct DFS replication between DC1 & DC2? I've read this article, but it's not clear to me which of the 2 domain controllers has a good version of SYSVOL, and I cannot find a decent step-by-step article for reconnecting a Windows 2012 domain controller.
    Any idea how I can proceed further here?

    Here's complete documentation with the resolution of my issue. I created this documentation for my own purposes in our wiki, so I will paste it here (I hope it will help somebody else in the future):
    The Problem
    We have bought a new server for our domain. This server (NEWDC01) was promoted to be a domain controller in the DOMAIN. After the promotion, I added a single computer to the domain. When I logged on the client to the domain, I realized that this computer is not using the new domain controller (NEWDC01) for authentication, but the DC02 domain controller instead. This is not intended. Local clients should use local domain controllers for authentication (assuming the Active Directory Sites & Services are configured properly). Further investigation revealed there are some replication errors on the OLDDC01 & OLDDC02 servers. First I need to solve these replication errors. Then I can add the NEWDC01 server to the domain properly.
    Analysis
    There are several errors related to DFSR replication on both domain controllers:
    Error: 4012 on OLDDC01
    The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
    Error: 2213 on OLDDC02
    The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
    In order to have Active Directory in a healthy condition, one must ensure there's successful replication between the existing domain controllers up and running. If the replication does not work correctly, you can expect a bunch of issues:
    group policies and logon scripts are not applied correctly, or as intended
    when you want to add a new domain controller to the domain, it will not work as expected (although you will not see any specific errors after the server is promoted to be a domain controller)
    Active directory backup
    I have scheduled an AD backup on the OLDDC01 server using the 'Windows Backup' solution to make sure I can restore the AD / SYSVOL in case something goes wrong. The backup is scheduled to be executed every day.
    Active directory restore
    In this particular case, I will talk only about the SYSVOL restore. As indicated above, we must get rid of the DFSR errors which you can find in the event viewer. One of them indicates that the JET database was not shut down cleanly and autorecovery was disabled. The other error indicates that the SYSVOL volume is no longer replicated. I am not sure what the reason is why the ADs in the domain stopped replicating. Probably it was an unclean server shutdown. The DFSR service stopped replicating the SYSVOL share and I was not aware of that. When the replication did not run for more than ~99 days, the SYSVOL share was excluded from the DFSR replications.
    Find out the most accurate SYSVOL share in the domain
    I compared the content of the SYSVOL directories on both the OLDDC01 and OLDDC02 servers: C:\Windows\SYSVOL\domain\Policies.
    Both directories have 37 subdirectories. Each subdirectory corresponds to one group policy. This means that the content is approximately the same, thus I can't tell which version is the most recent. I do most of the GPO changes on OLDDC01, so I concluded that this server contains the most recent version of the SYSVOL share.
    There are 2 types of SYSVOL restores you can do:
    Authoritative restore
    Non-authoritative restore
    Non-authoritative restore
    This is the simpler kind of restore. You can perform this kind of restore when you are sure that one of the domain controllers is authoritative (e.g. you presume the SYSVOL share is intact and working properly). If you can identify such a working server, you can perform a non-authoritative restore of the Active Directory on a broken domain controller.
    Authoritative restore
    In this case, you can designate a specific domain controller to be authoritative. You set a special flag on this server, which will prohibit overwriting its state from other domain controllers when the replication is enabled on the server again. After you designate one server to be authoritative, you need to update all the other domain controllers using the non-authoritative procedure.
    In this article, you can find how to perform an authoritative vs. non-authoritative AD restore:
    http://support.microsoft.com/kb/2218556.
    In my case, I was not sure which of the domain controllers had a more recent copy of AD, so I decided to make OLDDC01 authoritative (check the link above). Once this was done, I made a non-authoritative update on the OLDDC02 server.
    Everything was almost ready. The last step I needed to execute was to fix the 'JET' event viewer error on SRVBK1. In the event log entry at the bottom, you can find the following:
    Recovery Steps
    1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
    2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
    wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="D37A9FC3-8B1D-11E2-93E8-806E6F6E6963" call ResumeReplication
    For more information, see http://support.microsoft.com/kb/2663685.
    Final words
    After I executed this command, the replication started again between the OLDDC01 and OLDDC02 servers. After I started up the NEWDC01 server, I realized it had automatically replicated the contents of the SYSVOL share, almost immediately after the server started up. I again tried to log in with the local client into the DOMAIN domain, and now I see that the local client is using the local domain controller for authentication.
    Everything seems to be OK now.
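    An added example, not part of the wiki write-up above and not Microsoft's code, that performs the JET-error recovery step in PowerShell without pasting a volume GUID by hand. It reads the two settings the errors refer to (MaxOfflineTimeInDays from error 4012, and the StopReplicationOnAutoRecovery value that KB2663685, linked in the event, documents for the "Auto Recovery is disabled" condition of error 2213), lists the state of each replicated folder, backs up the SYSVOL\domain folder named in the event, and then calls ResumeReplication on every DFSR volume. Run it elevated on the DC that logged error 2213. The backup location and the display names for the numeric State values are assumptions made for this example.

```powershell
# Added example, not from the write-up. Inspects DFSR state on this DC and resumes
# replication on every volume through the same WMI method the wmic command above
# calls. Run elevated on the DC that logged error 2213. The backup path and the
# state-name table are assumptions made for this example.

$ns = 'root\MicrosoftDFS'

# Limit referenced by error 4012: days a member may be disconnected before its data is treated as stale
$machineCfg = Get-WmiObject -Namespace $ns -Class DfsrMachineConfig
"MaxOfflineTimeInDays: $($machineCfg.MaxOfflineTimeInDays)"

# Error 2213 says "Auto Recovery is disabled". KB2663685 (linked in the event) documents this value:
# 1 = stop and wait for a manual ResumeReplication, 0 = let DFSR recover the database on its own.
$dfsrParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters'
$autoRec = (Get-ItemProperty -Path $dfsrParams -Name StopReplicationOnAutoRecovery -ErrorAction SilentlyContinue).StopReplicationOnAutoRecovery
"StopReplicationOnAutoRecovery: $(if ($null -eq $autoRec) { 'not set' } else { $autoRec })"

# Per-folder state before touching anything (display names for State are an assumption)
$stateName = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'; 3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }
Get-WmiObject -Namespace $ns -Class DfsrReplicatedFolderInfo |
    Select-Object ReplicatedFolderName, ReplicationGroupName, @{ n = 'State'; e = { $stateName[[int]$_.State] } } |
    Format-Table -AutoSize

# Recovery step 1: back up the replicated folder named in the event before resuming
$backupDir = Join-Path $env:SystemDrive ('SYSVOL_backup_' + (Get-Date -Format 'yyyyMMdd_HHmm'))   # assumed location
Copy-Item -Path (Join-Path $env:SystemRoot 'SYSVOL\domain') -Destination $backupDir -Recurse -Force
"SYSVOL\domain copied to $backupDir"

# Recovery step 2: ResumeReplication on each DFSR volume, with the GUID taken from WMI
foreach ($vol in Get-WmiObject -Namespace $ns -Class DfsrVolumeConfig) {
    $result = $vol.ResumeReplication()
    "ResumeReplication on volume $($vol.VolumeGuid) ($($vol.VolumePath)): return code $($result.ReturnValue)"   # 0 = success
}
```

    Rerun the DfsrReplicatedFolderInfo query a few minutes later to confirm the SYSVOL folder has left the error state; the authoritative/non-authoritative choice for the 4012 condition is a separate decision, handled as the write-up describes via KB2218556, and is not changed by this script.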

  • Replication Active Directory, ports issues in firewall

    Hi,
    I am facing some issues in Active Directory replication between my Active Directory user databases located in two different locations.
    I am not doing any port-based ACL in the firewall, and there is no static / dynamic NAT-ing used between the server IP ranges (nat 0).
    1) What could be the possible issue in this?
    2) Do I need to issue any command in the FWSM module to make use of / open the dynamic ports?
    3) How can I make sure that these ports are not opened or not blocked on the firewall?
    Below are some of the ports used for this, based on the information from the Microsoft team.
    tcp 5389
    tcp 5722
    tcp 5729
    tcp 3268
    tcp 3269
    tcp 445
    udp 445
    udp 88
    udp 2535
    udp 389
    tcp 1025 - 5000
    tcp 44152 - 65535
    Appreciate your valuable support.
    regards
    Sunny

    Hi Bro
    If you're not doing any port-based ACL in your FWSM, I can only assume you're permitting the rules between both ADs by IP, e.g. access-list inside permit ip host 1.1.1.1 host 2.2.2.2, am I right? I hope you can PING between both ADs, otherwise this could be a routing issue.
    Listed below are some commands that you could type to investigate this issue further:
    a)   show np block (hardware buffer counters) - if they are non-zero and increasing it's bad. You're most likely running into a hardware limitation of the FWSM.
    b)   show np all stats | i RTL and show np all stats | i RL will show you if the packets are dropped because of software rate-limiting mechanisms built into the network processors.
    Perhaps what you need is to enable the "xlate-bypass" command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:
    hostname(config)#xlate-bypass
    If xlate-bypass doesn't resolve your issue, please do ensure you've a static NAT or dedicated nat/global in place.
    The last resort is to enable sysopt np completion-unit; this magic option invokes special processing created to address scenarios in which the FWSM was known to introduce out-of-order packets for TCP streams.
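    An added example, not from the thread, for question 3 of the post above: a TCP reachability check run on one DC towards its partner at the other location over the fixed TCP ports listed in the question, using a plain .NET socket so it works on any PowerShell version. The result type is what matters: a timeout means the SYN was dropped somewhere on the path (the firewall is the usual suspect), a refusal means the packet arrived but nothing answered on that port, so the two cases are told apart instead of both showing up as a replication error. TCP 135 is added to the list because the RPC endpoint mapper is what AD replication contacts first to learn the partner's dynamic RPC port. The partner name is an assumption; UDP ports and the dynamic ranges are not probed by this block (see the note after it).

```powershell
# Added example, not from the thread. Probes the fixed TCP ports from the question
# against the partner DC and classifies each result. The partner name is assumed.

$Partner = 'dc-site2.example.local'   # assumed: the DC at the other location

# TCP ports as listed in the question, plus 135 (RPC endpoint mapper, which AD
# replication asks for the partner's dynamic RPC port before replicating).
$FixedTcpPorts = 135, 5389, 5722, 5729, 3268, 3269, 445

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'timeout (dropped or filtered on the path)'
        }
        $client.EndConnect($ar)        # throws if the connection was refused
        return 'open'
    } catch {
        return "refused/unreachable: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $FixedTcpPorts) {
    [pscustomobject]@{ Target = $Partner; Port = $p; Result = (Test-TcpPort -HostName $Partner -Port $p) }
}
$results | Format-Table -AutoSize

# Then confirm from AD's own point of view: partners that still fail are listed here.
# Error 1722 "The RPC server is unavailable" is the classic symptom of a blocked dynamic RPC port.
& repadmin.exe /showrepl $env:COMPUTERNAME /errorsonly
```

    For the UDP ports in the question (88, 389 and the others), a TCP connect says nothing; Microsoft's PortQry tool can probe them (for example portqry -n <partner> -p udp -e 389). For the dynamic ranges, a closed port in that range is expected whenever nothing happens to be listening on it, so the meaningful check is whether replication itself succeeds after the endpoint mapper on 135 has been reached, which is what the repadmin line at the end reports.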
