Freigeben über


One-Liner: Collect AD LDS Lingering Object 1946 Events

Lingering Objects... what are they? Here's the essence of LOs:

"...Lingering objects are objects that exist on one or more DCs that do not exist on other DCs hosting the same partition...They are essentially object delete operations that do not successfully replicate to DCs/GCs that host the partition of the deleted object. Eventually the tombstoned (deleted) object will be garbage collected which destroys all knowledge of the delete and purges the object from the database.

They can be introduced through a few mechanisms:  
    • Failing replication for more than the tombstone lifetime (TSL)
     • System state restores using a backup that is older than TSL
    • Dcpromos using IFM media that is older than TSL..."

If you want to know more about Lingering Objects and how to remediate them, then take a look at these articles:

   Clean that Active Directory forest of lingering objects

   Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

 

LO's can be found in AD DS and also AD LDS and their remediation can be quite an involved process. To help with that process, I'm going to show you a one-liner for producing a CSV report of lingering objects detected by repadmin /removelingeringobjects in ADVISORY_MODE against an AD LDS instance... but first, here's a sample repadmin /removelingeringobjects comparison command for AD LDS:

 

repadmin /removelingeringobjects NINJALDS01:389 d259cdaa-9f90-4fb5-8dcc-c5dc612b4fd8 "CN=NINJAAPPS,DC=ADLDS,DC=FABRIKAM,DC=INTERNAL" /ADVISORY_MODE

 

  •  NINJALDS01:389 is the AD LDS instance where LOs are suspected to exist... notice the use of :389 to connect to AD LDS
  • d259cdaa-9f90-4fb5-8dcc-c5dc612b4fd8 is the DSA object GUID of the AD LDS instance that is considered 'good'
  • "CN=NINJAAPPS,DC=ADLDS,DC=FABRIKAM,DC=INTERNAL" is the partition targeted by the comparison
  • /ADVISORY_MODE ensures that detected LOs aren't removed, i.e. you can check them out before running a removal command without the ADVISORY_MODE switch

 

Advisory_Mode will write event 1946 for each lingering object found by the comparison process. This one-liner (displayed over several lines!) collects all of those 1946 events from a target AD LDS host:

 

Get-WinEvent -ComputerName NINJALDS01 -ListLog "ADAM*" |

ForEach-Object {Get-WinEvent -ComputerName NINJALDS01 -FilterHashTable @{LogName=$_.Logname; ID="1946"}} |

Select-Object TimeCreated,ProviderName,Id,Message |

Export-CSV .\lingering_objects.csv -NoTypeInformation -Append

 

First, we use Get-WinEvent to obtain a list of logs, on the target host, whose names are prefixed with ADAM (the old name for AD LDS).

Next, we use Get-WinEvent, against each log, to search for event ID 1946.

The resultant event objects are further filtered with Select-Object and then exported to a CSV file.

 

You now have a CSV report from which you can easily check out what LOs have been found, prior to running any removal commands. And, of course, the CSV is easily converted to a spreadsheet to make analysis even more efficient.

Finally, here's a list of event IDs associated with using repadmin to detect and remove LOs...

 

Advisory Mode:

  • 1938 - LO verification started
  • 1942 - LO verification finished (with total LOs found)
  • 1946 - event logged for each LO found

Removal Mode:

  • 1937 - LO removal started
  • 1939 - LO removal finished (with total LOs removed)
  • 1945 - event logged for each LO removed

 

Tune in next week... same PoSh-time, same PoSh channel...

Comments

  • Anonymous
    May 09, 2014
    Thanks
    very cool