Поделиться через

Lingering Objects cleanup

  • Статья

Recently I have been working with a premier customer in South Africa to cleanup their forest from lingering objects.

It is a complex environment with 15 domains,30+ sites and 130+ DCs where power failures and network related issues frequently disrupt AD operations.

So I wanted to share with you the method I used to remove lingering objects and hopefully you find it useful somehow.

First download repldiag from https://activedirectoryutils.codeplex.com/releases/view/13664 as it will save you a lot of typing.

Then create a .bat file similar to the following:

/enable Strict Replication Consistency across the forest

repadmin /regkey * +strict

/dump all repldiag commands to a .txt file (repldiag enumerates all domains, finds all DCs and creates all necessary repadmin commands for removing lingering objects)

repldiag /removelingeringobjects /outputrepadmincommandlinesyntax >output.txt

/dump domain specific repldiag commands to a .bat file (this way you may cleanup one domain at a time)

findstr "domain_a" output.txt >domain_a.bat
(...)
findstr "domain_n" output.txt >domain_n.bat

/call all .bat files in order to remove lingering objects

call domain_a.bat
(...)
call domain_n.bat

/Then run repadmin /showrepl against all DCs in each domain and pipe it to a .txt file

repadmin /showrepl *.domain_a /errorsonly > domain_a.txt
(...)
repadmin /showrepl *.domain_n /errorsonly> domain_n.txt

/Look for "failed, result 8606 (0x219e): Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected."

/Identify the destination DC (the DC logging the event), Source DC (the DC that contains lingering objects) and affected Naming Context (the NC that contains lingering objects)

/With the information above force replication to resume on the affected DCs/NCs

repadmin /replicate destination sourceGUID NC /force

as an example:

**output from showrepl**

Repadmin: running command /SHOWREPL against full DC DC1.domain_a.fqdn

site1\DC1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa

DSA invocationID: zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz

==== INBOUND NEIGHBORS ======================================

DC=domain_n,DC=fqdn

    Site30\DC via RPC

        DSA object GUID: nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn

        Last attempt @ 2014-10-16 10:55:42 failed, result 8606 (0x219e):

            Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

        529 consecutive failure(s).

        Last success @ 2014-09-30 07:00:33.

In this example the command to force replication to resume would be

repadmin /replicate DC1.domain_a.fqdn  nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn DC=domain_n,DC=fqdn /force

Hope it helps!

Paulo