Solved

Unable to Remove Lingering objects

Posted on 2011-02-23
Last Modified: 2012-06-27
Hello to everyone.
I have a lab with two sites. Site A has DC01 & DC02; Site B has DC03.
I am trying to delete some lingering objects in my lab environment, because I am getting event ID error 2042 (tombstone) on my healthy DC02, but I can't.
When I execute the repadmin /removelingeringobject command I am getting an error:
DsReplicaVerifyObjectsW() failed with status -2146893022 (0x80090322):
    Can't retrieve message string -2146893022 (0x80090322), error 1815.

I've already changed the registry with the REG_DWORD "Allow Replication With Divergent and Corrupt Partner" on both replication partners, but I am still getting the same message.
I've tried Netdiag /test:trust and the result was a success; the secure channel is not broken. I have to note that the secure channel is set to DC01, the FSMO roles keeper, but the Active Directory connection for replication is set to DC02.
dcdiag /fix also informed me about the tombstone.
Does anyone have any idea? I want to give it a try before dcpromo /force.

Thanks in advance
Question by:bstdbit
36 Comments
 

Expert Comment

by:snusgubben
Do you know in which NC you have lingering objects?

Can you show us the complete repadmin command you tried?

Author Comment

by:bstdbit
I believe that the lingering objects are on DC03, because I am getting event ID 2042 on DC02, which is a healthy DC.
If you mean the repadmin /removelingeringobjects command:
repadmin /removelingeringobjects  DC03 <GUID of DC02>  dc=lab,dc=dom
Did you mean another repadmin command?
I also have an error from NTDS KCC saying that all domain controllers in the remote site are unavailable, but I can ping them by their GUID and there is no DNS issue. Active Directory connections in S&S are automatically generated.

Thanks in advance

Expert Comment

by:Tasmant
If lingering objects were detected, it's possible that the DCs shut down inbound and outbound replication themselves.
Could you run repadmin /options dcname on each DC please?

Expert Comment

by:snusgubben
Do you get any 1988 or 1388 events? Those are "lingering object detected" events. They should say in which NC they were found.

Author Comment

by:bstdbit
Running repadmin /options <dcname> on the healthy DC I got

P:\>repadmin /options DC02
Current DC Options: IS_GC

P:\>repadmin /options DC03
Current DC Options: IS_GC

but when I run it on DC03 I get

C:\>repadmin /options DC02
repadmin running command /options against server DC01.lab.dom
[d:\srvrtm\ds\ds\src\util\repadmin\repldap.c, 1241] LDAP error 82 (Local Error) Win32 Err 8341.

C:\>repadmin /options DC03
Current DC Options: IS_GC


No, I do not have any 1988 or 1388 events.

Expert Comment

by:snusgubben
If you don't have Event 1988 (or 1388), then the DCs have not detected any LOs. I guess that's because they don't replicate.

Run: repadmin /replsum

Can you attach: dcdiag /v /e /f:dcdiag.txt

Author Comment

by:bstdbit
Hello to everyone, and I am very sorry for the delay.
At DC03 (probably the bad DC):
C:\>repadmin /replsum
Replication Summary Start Time: 2011-02-24 15:39:29

Beginning data collection for replication summary, this may take awhile:
  .......

Destination DC    largest delta    fails/total  %%  error
DC03                   >60 days             8 /   8  100  (2148074274) Can't retrieve message string -2146893022 (0x800903...

Experienced the following operational errors trying to retrieve replication information:
        8341 - DC01.lab.dom
        8341 - DC02.lab.dom

c:\>
-------------------------------------
At DC02 (the healthy DC):
C:\>repadmin /replsum
Replication Summary Start Time: 2011-02-24 15:41:15

Beginning data collection for replication summary, this may take awhile:
  .......

Destination DC    largest delta    fails/total  %%  error
 DC01                   42m:44s            0 /   5      0
 DC02                   53m:05s            0 /  10      0
 DC03                  >60 days           8 /   8       100  (2148074274) The target ...

Thanks in advance

Author Comment

by:bstdbit
As I can understand from the repadmin /replsum at DC02, DC03 is in the tombstone period. Sorry if I am using the wrong words.
The issue is: can I in any way make it work as it should, or do I have to go to the dcpromo /force "solution" and then clean the Active Directory metadata?
Please advise

Thanks in advance

Expert Comment

by:Tasmant
It is over the tombstone, so you need to perform dcpromo /forceremoval and clean the metadata.
When done you can promote it again to have a clean DC.
You can help yourself with the following KB: http://support.microsoft.com/kb/216498/en-us

Expert Comment

by:snusgubben
DC03                  >60 days           8 /   8       100  (2148074274) The target ...

This line is truncated. But if it says something like "The target principal name is incorrect", you should try to reset the secure channel.

See: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26810356.html


The recommended way is to force it out and run a MD cleanup. You could however enable "Allow Replication With Divergent and Corrupt Partner.." if MD Cleanup is not an option for you. This might lead to LOs when replication is started that need to be cleaned. If you have a large environment this can be a big task.
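As an added example (not code from the thread or from any Microsoft tool), here is a small Python parser for the repadmin /replsum table posted above. It applies the rule the experts used: a partner whose largest delta is past the tombstone lifetime (60 days assumed, the Windows Server 2003 default) should be force-demoted and cleaned from metadata, while error 2148074274 (0x80090322, "The target principal name is incorrect") on a partner still within the lifetime points at the secure channel. The sample table is constructed from the DC02 output in the thread, with the truncated message completed as bstdbit later confirmed.

```python
import re
from datetime import timedelta

TOMBSTONE_LIFETIME = timedelta(days=60)  # Windows Server 2003 default; assumed for this lab
SEC_E_WRONG_PRINCIPAL = 2148074274       # 0x80090322, the code repadmin printed for DC03

# Constructed sample: the summary table bstdbit posted from DC02, with the message untruncated.
REPLSUM_DC02 = """\
Destination DC    largest delta    fails/total  %%  error
 DC01                   42m:44s            0 /   5      0
 DC02                   53m:05s            0 /  10      0
 DC03                  >60 days           8 /   8       100  (2148074274) The target principal name is incorrect.
"""

# One table row: DC, largest delta, fails / total, percent, then optional "(code) message".
ROW_RE = re.compile(r"^\s*(?P<dc>\S+)\s+(?P<delta>>\d+ days|[\d.dhms:]+)\s+(?P<fails>\d+)\s*/\s*"
                    r"(?P<total>\d+)\s+\d+(?:\s+\((?P<code>\d+)\)\s*(?P<msg>.*?))?\s*$")

def parse_delta(text):
    """'42m:44s' or '17d.03h:22m:11s' -> (exact timedelta, False); '>60 days' -> (60 days, True)."""
    m = re.fullmatch(r">(\d+) days", text)
    if m:  # repadmin caps the delta; the true value is larger than this lower bound
        return timedelta(days=int(m.group(1))), True
    parts = {unit: int(num) for num, unit in re.findall(r"(\d+)([dhms])", text)}
    return timedelta(days=parts.get("d", 0), hours=parts.get("h", 0),
                     minutes=parts.get("m", 0), seconds=parts.get("s", 0)), False

def parse_replsum(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)  # header, banner and blank lines do not match the row pattern
        if m:
            delta, capped = parse_delta(m["delta"])
            rows.append({"dc": m["dc"], "delta": delta, "capped": capped,
                         "fails": int(m["fails"]), "total": int(m["total"]),
                         "code": int(m["code"]) if m["code"] else None, "msg": m["msg"] or ""})
    return rows

def assess(rows, tombstone=TOMBSTONE_LIFETIME):
    # Map each destination DC to the action the thread settled on for its condition.
    verdicts = {}
    for r in rows:
        if r["delta"] > tombstone or (r["capped"] and r["delta"] >= tombstone):
            verdicts[r["dc"]] = "beyond tombstone lifetime: dcpromo /forceremoval, then metadata cleanup"
        elif r["code"] == SEC_E_WRONG_PRINCIPAL:
            verdicts[r["dc"]] = "secure channel or SPN problem: reset the secure channel and check DNS"
        elif r["fails"]:
            verdicts[r["dc"]] = f'{r["fails"]}/{r["total"]} inbound attempts failed: {r["msg"] or r["code"]}'
        else:
            verdicts[r["dc"]] = "healthy"
    return verdicts
```

Running assess(parse_replsum(REPLSUM_DC02)) marks DC01 and DC02 healthy and DC03 as beyond the tombstone lifetime, which is the conclusion the thread reached.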

Author Comment

by:bstdbit
Thank you very much for the fast response.
I tried

C:\> Netdiag /test:trust
........
   Computer Name: DC03
    DNS Host Name: DC03.lab.dom
    System info : Microsoft Windows Server 2003 (Build 3790)
    Processor : x86 Family 6 Model 8 Stepping 3, GenuineIntel
    List of installed hotfixes :
        KB911564
        Q147222

Netcard queries test . . . . . . . : Passed

Per interface results:

    Adapter : Local Area Connection 3

        Netcard queries test . . . : Passed

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{7D8B5C79-0694-4A33-846B-EAACF94C9857}
    1 NetBt transport currently configured.

Trust relationship test. . . . . . : Passed
    Found DC '\\DC03.lab.dom' in domain 'lab-HQ'.
    Secure channel for domain 'lab-HQ' is to '\\DC01.lab.dom'.

The command completed successfully

The only difference is that the secure channel is established between DC01, the FSMO roles keeper, and DC03.
The Active Directory connection in S&S is between DC02 and DC03. Does it sound strange to you?

Thanks in advance

Author Comment

by:bstdbit
And yes, you are right, it says:
DC03       >60 days            8 /   8  100  (2148074274) The target principal name is incorrect.
LVL 21

Expert Comment

by:snusgubben
I think you should not trust the output of the netdiag test. Try resetting the SC, and see if it works. You can destroy something that is already destroyed :)

Expert Comment

by:snusgubben
*You can't destroy...

Author Comment

by:bstdbit
I'll try what you suggested, and I am sending dcdiag /v /e /f:dcdiag.txt

Sorry for the delay. dcdiag.txt

Author Comment

by:bstdbit
Hello
I tried to reset the SC but I get an error message saying:
The machine account password for the local machine could not be reset.
logon failure : The target account name is incorrect
the command failed to complete successfully

The syntax is
netdom resetpwd /server:DC02 /userd:lab.dom\administrator /password:password
I think the syntax is OK, and moreover I tried the FQDN of DC02 (healthy DC, replication partner, but not the FSMO roles keeper).

Any suggestions?
Thank you

Expert Comment

by:snusgubben
Seems like you missed a character:

netdom resetpwd /server:DC02 /userd:lab.dom\administrator /passwordd:password



Author Comment

by:bstdbit
You are right!
But I missed it here, not in the real environment.

Sorry for the confusion

Expert Comment

by:snusgubben
Ok :)

DC03 has not replicated since 2009, so something has gone wrong.

"The target account name is incorrect" usually means a broken SC, DNS errors or missing/faulty SPN registration.

"Ping" is not a good method to find out if you're having problem with missing DNS records.

 
Use dnslint to verify the CNAME and A records used by replication.

dnslint /ad /s <IP_to_DC> /v and dcdiag /test:dns /v






Author Comment

by:bstdbit
I am sending the dnslint output.

This server is not a DNS server.
Do you want me to run dcdiag /test:dns /v?
dnslint.txt

Author Comment

by:bstdbit
and dcdiag

dcdiag-test.txt

Expert Comment

by:snusgubben
Yes please include the dcdiag.

Also "ipconfig /all" from all DCs.

Is DC03 not a DNS server?

Expert Comment

by:snusgubben
Who is this: 10.0.0.4 (<name unavailable>) [Valid]


Author Comment

by:bstdbit
Yes, DC03 is not a DNS server.

And the ipconfig file:
ipconfig.txt

Author Comment

by:bstdbit
Sorry, I didn't notice.
10.0.0.4  is  DC01
10.0.0.10  is DC02
192.168.10.2 is DC03

Expert Comment

by:snusgubben
Remove "192.168.10.2" as secondary DNS from the NIC on DC03. Is this DC holding a non-authoritative delegated _msdcs zone?

Run:

ipconfig /flushdns
ipconfig /registerdns


it has 2 nics.   also is configured to run as a router between subnets 10.0.0./24 and  192.168.254.0/24

192.168.254.0/24 = 192.168.254.1-255. Does DC03 (192.168.10.2) reach this network?


Run DNSlint on DC01.

Author Comment

by:bstdbit
Hello
I have to go far away from my office, with limited internet access. I'll try your suggestions and I'll be back with the results.
Do you believe that we can save it, or will we finally dcpromo /forceremoval it?
Thanks a lot

Expert Comment

by:snusgubben
If this was a production environment, I'd without doubt demote and recreate it.

This is a lab with a DC that's been alone a long time. We might get it back in, but then we'll have to make it able to talk to the other DCs (like the "target principal name is incorrect"). Then we could force a replication and remove any LOs if they show up.
Author Comment

by:bstdbit
Hello
I am sending you dnslint from my DC01.
The strange thing is that in DNS there are entries indicating that DC03 is a DNS server! But it is not!
Moreover, in the properties of the forward lookup zone, lab.dom, it appears as a name server! Which of course is very strange.
I hope dnslint will help you.

I did ipconfig /flushdns & /registerdns on DC03 and also removed 192.168.10.2 from the DNS servers list (I did this before dnslint on DC01).
And yes, DC03 can reach the 192.168.254.0/24 network.

As you said, if it was a production environment you'd demote it. The bad news is that I want to install some new servers for testing purposes before I install them in the real world, and I don't have much time.

Please advise what is better to do.

Thank you very much. dnslint-on-DC01.txt

Accepted Solution

by: snusgubben (earned 500 total points)
Your domain thinks there are 3 DNS servers in the domain. I'm not sure whether you or someone else removed the DNS role from DC03 back in 2009?

If you're in a hurry, it will be much faster to force DC03 out, run a MD Cleanup, clean up DNS and rebuild the DC.

I'm 98% sure we can fix DC03, but that might take days.

Author Comment

by:bstdbit
Well, I think you are right. There is a possibility to fix DC03, but for now time is very important.
I am going to demote DC03.
In another post I found these articles:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
http://support.microsoft.com/kb/216498

Do you think that these are all I need?

Expert Comment

by:snusgubben
The first URL is good and easy to follow.

1. After doing this, clean up traces of DC03 in DNS and references on the Forward Lookup Zone.

2. Delete the empty server object DC03 in AD Sites & Services.

3. Rebuild DC03. You should avoid reusing the name DC03 if you can.

Author Comment

by:bstdbit
I'll follow the suggestions and return with results.

Thank you

Author Comment

by:bstdbit
I demoted DC03 with /forceremoval and cleaned the AD metadata. I also checked the entries with ADSI Edit.
I deleted the DNS entries referring to DC03 (DC02 also has the DNS service, which was successfully updated from DC01).
For now everything looks OK.
NTDS KCC was informed of the changes.

I am going to leave it as it is until tomorrow. Tomorrow I'll install domain services on DC03 (for which I picked another name, DCDR).

I'll be back with the output.

For now, thanks a lot

Author Comment

by:bstdbit
First of all, I apologize for not posting the results earlier.
For now everything looks fine.
Nothing strange has appeared in Event Viewer.
My next step is to raise the domain and forest functional level to 2003 native.

Do I have to do any checks before raising? Any helpful URL?

Thanks a lot