• Status: Solved

Exchange 2010 object with LegacyExchangeDN not visible but still exists

Hi All

Exchange 2010

The issue is this. Deleted a Contact from the OU in AD (2008 R2) and confirmed this object no longer appears in AD when viewed through ADUC, ADSI Edit or EMC. However, two things prove that the object still exists and has the LegacyExchangeDN attribute:

1. Recreated contact and it appended a suffix to the created LegacyExchangeDN.
2. Replied to a mail from the contact after it was deleted, it still tries to send to the LegacyExchangeDN.

We have worked round the problem by adding the original LegacyExchangeDN as an X500 proxy to the newly recreated contact but are concerned that there may be more "ghost objects" in our AD as a result (there were many contacts deleted at that time).

A. How can we find out if there are any more of these "Ghost Objects" (I thought NTDSUTIL, but metadata cleanup seems to be for removed DC cleanups only)?
B. How can we delete any objects identified?

Thanks to all who respond.
Asked by: TheGeezer2010
 
Navdeep Commented:
Hi,

Do you have multiple DCs? This could be due to replication latency. Check which DC ADUC is connecting to and check there whether the object still exists. Check on the other DCs as well.

Use the following command to check the replication summary:
repadmin /replsummary

LegacyExchangeDN is for backward compatibility with earlier versions of Exchange. It is part of the schema, although the value may or may not be populated depending upon your setup.
http://www.msexchange.org/tutorials/Understanding-LegacyExchangeDN.html
 
TheGeezer2010 (Author) Commented:
Single DC, so that is not the issue. I am currently working on using LDP to view deleted objects, then rescinded the contacts. We have found that simply deleting the contact leaves the LegacyExchangeDN in AD. Only by disabling the object THEN deleting does it remove all traces of the LegacyExchangeDN, which will then be reused if the same object is recreated. Will advise how we get on.
 
Navdeep Commented:
Can you show pre and post screenshots of what you are talking about?
 
TheGeezer2010 (Author) Commented:
Not sure what it is that you would like screenshots of?
 
Navdeep Commented:
1. Recreated contact and it appended a suffix to the created LegacyExchangeDN.
2. Replied to a mail from the contact after it was deleted, it still tries to send to the LegacyExchangeDN.
 
TheGeezer2010 (Author) Commented:
Will address this tomorrow - thanks for your response!
 
TheGeezer2010 (Author) Commented:
Found this to be the case:

When an object in AD is marked as deleted (tombstoned), many of its attributes are stripped, but the LegacyExchangeDN is NOT one of those attributes. The correct way to remove the LegacyExchangeDN (and thus make it available for re-use) is to first strip the Exchange attributes by DISABLING the Contact in Exchange; subsequently the object can be safely deleted from AD.
This explains why the LegacyExchangeDN was still lingering and therefore NOT available for re-use (hence the DN with a suffix is created within AD).
 
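Added example (not part of the original thread, and not any participant's code): one way to answer question A, given the explanation above that tombstones keep their LegacyExchangeDN. It lists deleted objects that still carry the attribute and flags those whose DN is not answered by any live object, either as its own LegacyExchangeDN or as an X500 proxy. It assumes the ActiveDirectory PowerShell module and read access to the Deleted Objects container.

```powershell
# Added example: report tombstoned objects that still hold a legacyExchangeDN.
# Assumes the ActiveDirectory module (RSAT) and rights to read deleted objects.
Import-Module ActiveDirectory

# 1. Tombstones that kept the attribute.
$ghosts = Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(legacyExchangeDN=*))' `
    -IncludeDeletedObjects `
    -Properties legacyExchangeDN, lastKnownParent, whenChanged

# 2. Every DN a live object answers to: its own legacyExchangeDN plus any
#    X500 proxy address. PowerShell hashtable keys are case-insensitive,
#    which matches how these DNs are compared.
$covered = @{}
Get-ADObject -LDAPFilter '(|(legacyExchangeDN=*)(proxyAddresses=X500:*))' `
    -Properties legacyExchangeDN, proxyAddresses |
    ForEach-Object {
        if ($_.legacyExchangeDN) { $covered[[string]$_.legacyExchangeDN] = $true }
        foreach ($p in $_.proxyAddresses) {
            if ($p -like 'X500:*') { $covered[$p.Substring(5)] = $true }
        }
    }

# 3. One row per tombstone. CoveredByLiveObject = False means replies to old
#    mail from that sender have no live recipient to resolve to.
$report = $ghosts | ForEach-Object {
    New-Object PSObject -Property @{
        # A deleted object's name is "<old name><newline>DEL:<guid>".
        Name                = ($_.Name -split "`n")[0]
        LegacyExchangeDN    = [string]$_.legacyExchangeDN
        LastKnownParent     = $_.lastKnownParent
        Deleted             = $_.whenChanged
        CoveredByLiveObject = $covered.ContainsKey([string]$_.legacyExchangeDN)
    }
}

$report | Sort-Object CoveredByLiveObject, Deleted |
    Format-Table Name, CoveredByLiveObject, Deleted, LegacyExchangeDN -AutoSize -Wrap
```

The script only reads from the directory; rows with CoveredByLiveObject = False are the candidates for the X500 proxy workaround described in the question.
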
TheGeezer2010 (Author) Commented:
No points awarded as nobody was able to explain the underlying cause of what was observed, but thank you to those who responded.