Solved

Exchange 2010 object with LegacyExchangeDN not visible but still exists

Posted on 2011-02-23
10
1,212 Views
Last Modified: 2012-05-11
Hi All

Exchange 2010

The issue is this. Deleted a Contact from the OU in AD (2008R2), confirmed this object no longer appears in AD viewed through ADUC, ADSIEdit nor through EMC. However, two things prove that the object still exists and has the LegacyExchangeDN attribute :-

1. Recreated contact and it appended a suffix to the created LegacyExchangeDN.
2. Replied to a mail from the contact after it was deleted, it still tries to send to the LegacyExchangeDN.

We have worked round the problem by adding the original LegacyExchangeDN as an X500 proxy to the newly recreated contact but are concerned that there may be more "ghost objects" in our AD as a result (there were many contacts deleted at that time).

A. How can we find out if there are any more of these "Ghost Objects" (I thought NTDSUTIL but metadatacleanup seems to be for removed DC cleanups only) ?
B. How can we delete any objects identified ?

Thanks to all who respond.
0
Question by:TheGeezer2010
10 Comments
 
LVL 12

Expert Comment

by:Navdeep
ID: 34961984
Hi,

Do you have multiple DCs? This could be due to replication latency. Check which DC ADUC is connecting to and check there if the object still exists. Check on other DCs as well.

Use the following command to check the replication summary:
repadmin /replsummary

LegacyExchangeDN is for backward compatibility with earlier versions of Exchange. It is a part of the schema, although the value may or may not be populated depending upon your setup.
http://www.msexchange.org/tutorials/Understanding-LegacyExchangeDN.html
0
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34962702
Single DC so that is not the issue. I am currently working on using Ldp to view deleted objects, then rescinded the contacts. We have found that simply deleting the contact leaves the LegacyExchangeDN in AD. Only by disabling the object THEN deleting does it remove all traces of LegacyExchangeDN, which will then be reused if the same object is recreated. Will advise how we get on.
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 34962938
Can you show pre and post screenshots of what you are talking about?
0
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34963286
Not sure what it is that you would like screenshots of?
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 34963467
1. Recreated contact and it appended a suffix to the created LegacyExchangeDN.
2. Replied to a mail from the contact after it was deleted, it still tries to send to the LegacyExchangeDN.
0
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34971810
Will address this tomorrow - thanks for your response !
0
 
LVL 11

Accepted Solution

by: TheGeezer2010 earned 0 total points
ID: 35026445
Found this to be the case :-

When an object in AD is marked as deleted (tombstoned), many of its attributes are stripped, but the LegacyExchangeDN is NOT one of those attributes. The correct way to remove the LegacyExchangeDN (and thus make it available for re-use) is to firstly strip the Exchange attributes by DISABLING the Contact in Exchange; subsequently the object can be safely deleted from AD.
This explains why the LegacyExchangeDN was still lingering and therefore NOT available for re-use (hence the DN with a suffix is created within AD).
0
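The search asked for in question A and the disable-then-delete order from the accepted answer, as an added PowerShell example that is not code from the thread. It assumes the ActiveDirectory module and the Exchange 2010 Management Shell are loaded, and that the account can read CN=Deleted Objects (hidden from ADUC/ADSIEdit by default); the function names and the sample legacyExchangeDN are constructed.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and the
# Exchange 2010 Management Shell are loaded in the same session.
Import-Module ActiveDirectory

# Question A: list tombstoned ("ghost") objects that still carry a legacyExchangeDN.
# A tombstone keeps this attribute until the tombstone lifetime expires, which is why a
# recreated contact gets a suffixed value and replies to old mail still route to the old one.
function Get-GhostLegacyExchangeDN {
    $deletedBase = "CN=Deleted Objects," + (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase $deletedBase -IncludeDeletedObjects `
                 -LDAPFilter "(&(isDeleted=TRUE)(legacyExchangeDN=*))" `
                 -Properties legacyExchangeDN, objectClass, whenChanged |
        Select-Object Name, objectClass, legacyExchangeDN, whenChanged
}

# Check whether one specific legacyExchangeDN is still held by a tombstone before reusing it.
# Values usually contain parentheses, so LDAP filter metacharacters must be escaped.
function Test-LegacyExchangeDNHeldByTombstone {
    param([Parameter(Mandatory)][string]$LegacyExchangeDN)
    $escaped = $LegacyExchangeDN -replace '\\','\5c' -replace '\(','\28' `
                                 -replace '\)','\29' -replace '\*','\2a'
    $deletedBase = "CN=Deleted Objects," + (Get-ADDomain).DistinguishedName
    $hit = Get-ADObject -SearchBase $deletedBase -IncludeDeletedObjects `
                        -LDAPFilter "(&(isDeleted=TRUE)(legacyExchangeDN=$escaped))"
    return [bool]$hit
}

# Question B / accepted answer: order matters. Disable-MailContact strips the Exchange
# attributes (legacyExchangeDN included) while the object is live; only then delete it,
# so the resulting tombstone carries nothing Exchange will keep resolving.
function Remove-MailContactCleanly {
    param([Parameter(Mandatory)][string]$Identity)
    $dn = (Get-MailContact -Identity $Identity).DistinguishedName   # capture DN first
    Disable-MailContact -Identity $Identity -Confirm:$false
    Remove-ADObject -Identity $dn -Confirm:$false
}

# Workaround used in the thread for a ghost that already exists: give the recreated
# contact the old value as an X500 proxy address so replies to old mail still resolve.
function Add-LegacyX500Proxy {
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$OldLegacyExchangeDN)
    $contact = Get-MailContact -Identity $Identity
    $contact.EmailAddresses += "X500:$OldLegacyExchangeDN"
    Set-MailContact -Identity $Identity -EmailAddresses $contact.EmailAddresses
}

# Usage (constructed sample value):
# Get-GhostLegacyExchangeDN | Format-Table -AutoSize
# Test-LegacyExchangeDNHeldByTombstone '/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=jdoe'
```

Run Get-GhostLegacyExchangeDN against the single DC before the tombstone lifetime expires; once a tombstone is garbage-collected the attribute is gone for good, so an empty result later does not mean the original deletions were clean.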
 
LVL 11

Author Closing Comment

by:TheGeezer2010
ID: 35067658
No points awarded as nobody was able to explain the underlying cause of what was observed, but thank you to those who responded.
0
