Many lingering objects on the DCs

Recently I have had replication issues that affected a lot of DCs.

I performed the repadmin /removelingeringobjects command, but it fails with error 8524 or 1722.

I've attached a picture of the error when performing this command.

I also attached the repadmin /replsum result.

Need guidance for this problem.
repadmin-remove-lingering-object.jpg
replicationsummary.txt
sweehanAsked:

Mike KlineCommented:
Using repadmin to clean lingering objects is definitely one way. Have you tried repldiag?

http://blogs.technet.com/b/robertbo/archive/2010/11/07/cleaning-lingering-objects-across-the-forest-with-repldiag-exe-part-2-of-4.aspx

Much easier syntax/use. Created by some guys at Microsoft.

Thanks

Mike
0
SandeshdubeySenior Server EngineerCommented:
The error "The RPC server is unavailable" you are getting relates to a port being blocked, a network connectivity issue, or a DNS misconfiguration. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from Microsoft which can be downloaded and installed to verify whether the necessary ports are open.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software, many of which sport a new feature called "network traffic protection," which can effectively block necessary AD traffic.

Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario.
http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspxdn

Clean that Active Directory forest of lingering objects
http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

Sometimes it's difficult to remove lingering objects either using repadmin /removelingeringobjects or other tools, and the easiest way to deal with such issues is to demote and re-promote the DC. If lingering objects spread, it's more difficult to tackle them. Demote and promote is the best bet. You need to forcefully demote the server having lingering objects by running dcpromo /forceremoval, followed by metadata cleanup, and promote the server back as a DC.
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
0
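The port and RPC checks suggested above can be scripted instead of probed by hand. The following is an added example (not a script from this thread or from Microsoft): it tests the fixed AD ports from the machine it runs on to a list of DCs and lists what is blocked. The DC names are constructed placeholders; the port list is the well-known set of fixed AD ports and does not cover the dynamic RPC range that error 1722 usually involves.

```powershell
# Added example, not from the thread. Checks the fixed AD ports from this host to
# the DCs named below. Test-NetConnection needs PowerShell 4+ (Windows 8.1 / 2012 R2+).
$targets = @('ad01.example.local', 'ad02.example.local')   # constructed sample names

# Fixed ports that AD replication, logon and GPO processing depend on
# (see the "Port Requirements" TechNet article linked in the reply above).
$adPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (replication, DsBind)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / GPO)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

$results = foreach ($dc in $targets) {
    foreach ($port in $adPorts.Keys) {
        # -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false
        $open = Test-NetConnection -ComputerName $dc -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $dc
            Port    = $port
            Service = $adPorts[$port]
            Open    = $open
        }
    }
}

$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    "Blocked or unreachable:"
    $blocked | Format-Table DC, Port, Service -AutoSize
} else {
    "All fixed AD ports reachable. If error 1722 persists, the dynamic RPC range"
    "(49152-65535 by default on Vista/2008 and later) is the next thing to check,"
    "for example with: portqry -n <dc> -e 135"
}
```

Port 135 being open only proves the endpoint mapper answers; replication then moves to a dynamically assigned high port, which is why the firewall team also needs the dynamic range (or a configured fixed replication port) allowed.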
sweehanAuthor Commented:
I managed to remove the lingering objects from the affected DCs except the DC that's holding the FSMO roles.

The error when I run the command:

DsBindWithCred to ad01.kpjhealth.local failed with status -2146893022 (0x80090322):

On the other DCs I removed the lingering objects from these 3 directory paths:
DC=domain,DC=local
CN=configuration,DC=domain,DC=local
CN=schema,CN=configuration,DC=domain,DC=local
0

Mike KlineCommented:
What event log entries are you seeing on this DC?

Thanks

Mike
0
sweehanAuthor Commented:
In the event log, Directory Service has a lot of errors with event ID 1988.
0
Mike KlineCommented:
I'd use repldiag for the lingering objects on that box.

Thanks

Mike
0
SandeshdubeySenior Server EngineerCommented:
The event ID indicates that there is no lingering object on the DC where the error event is logged. In the event itself you will get the details of the server where the lingering object exists.
http://www.adshotgyan.com/2010/12/ho-to-troubleshoot-lingering-objects.html

You need to run the repadmin command for all partitions.
http://www.adshotgyan.com/2010/12/ho-to-troubleshoot-lingering-objects.html
0
JaihuntCommented:
In the 1988 event ID, check the source domain controller; that is the server affected with lingering objects.

This is the command: Repadmin /removelingeringobjects <Bad DC host name> <Healthy DC GUID>

Reference: http://anitgenius.com/removing-lingering-objects
0
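The replies above say to run repadmin for the bad DC against a healthy DC's GUID, and to repeat it for every partition. The following is an added example (not from the thread or from any of the repliers) that does exactly that: it looks up the healthy DC's DSA object GUID, enumerates every naming context the bad DC hosts, and runs repadmin in advisory mode first so nothing is deleted until the advisory events have been reviewed. The DC names are constructed placeholders.

```powershell
# Added example, not from the thread. Runs repadmin /removelingeringobjects for
# every naming context on the DC(s) that need cleaning, using a healthy DC as
# the reference. Requires the ActiveDirectory module and repadmin (RSAT / a DC).
Import-Module ActiveDirectory

$badDcs    = @('ad01.example.local')   # constructed: DC(s) logging event 1988 for these objects
$healthyDc = 'ad02.example.local'      # constructed: known-good replication partner

# repadmin wants the "source DSA GUID": the objectGUID of the healthy DC's
# NTDS Settings object (what repadmin /showrepl prints as "DSA object GUID").
$ntdsDn  = (Get-ADDomainController -Identity $healthyDc).NTDSSettingsObjectDN
$dsaGuid = (Get-ADObject -Identity $ntdsDn).ObjectGUID.Guid

function Invoke-LingeringObjectCleanup {
    param(
        [string[]]$TargetDcs,      # DCs to clean
        [string]  $SourceDsaGuid,  # healthy DC's DSA GUID
        [switch]  $Commit          # without -Commit only /advisory_mode runs
    )
    foreach ($dc in $TargetDcs) {
        # Domain, configuration, schema, plus any application partitions (e.g. DNS)
        $namingContexts = (Get-ADRootDSE -Server $dc).namingContexts
        foreach ($nc in $namingContexts) {
            if ($Commit) {
                Write-Host "Removing lingering objects in $nc on $dc (reference: $healthyDc)"
                repadmin /removelingeringobjects $dc $SourceDsaGuid $nc
            } else {
                # Advisory mode only reports what would be removed, in the
                # Directory Service event log of the target DC.
                Write-Host "Advisory check of $nc on $dc (reference: $healthyDc)"
                repadmin /removelingeringobjects $dc $SourceDsaGuid $nc /advisory_mode
            }
        }
    }
}

# First pass: report only.
Invoke-LingeringObjectCleanup -TargetDcs $badDcs -SourceDsaGuid $dsaGuid

# After reviewing the advisory events on the target DC(s), run the real cleanup:
# Invoke-LingeringObjectCleanup -TargetDcs $badDcs -SourceDsaGuid $dsaGuid -Commit
```

Because lingering objects are reported per source/destination pair, the same function can be run with a different reference DC if a partition only shows the problem against one partner.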
sweehanAuthor Commented:
Hi,

Microsoft support analyzed the problem and summarized the situation:

Just checked the repadmin results on all the DCs; only AD01 reported it can't replicate from all the other DCs for the three partitions. But for the rest of the DCs, the replications all looked good besides one or two replication errors. Moreover, I checked the other two DCs at the same site as AD01; they're both fine on replication from other DCs except from AD01.

Therefore, consolidating all the logs, I believe the problem is on AD01, and the more efficient way is to disable "replication strict consistency" on AD01 to allow the replication to come in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency, set its value to “0” to disable.

After this, run "repadmin /syncall /e" to check the replication status.

a. For AD01, since the replicated object does not exist in its database, it rejects the replication.
b. For the rest of the domain, the replication is good.

So in this case, the replicated object should be the up-to-date object, because it can be replicated to the rest of the domain, so we should allow AD01 to replicate it in.

Therefore there shouldn't be any impact on AD01, unless all the other DCs have incorrect data, which normally is not possible.

Basically AD01 is the main root DC. There are a total of 32 DCs.

Should I disable strict replication consistency on AD01, or do I need to remove the lingering objects on all other DCs using AD01's GUID?
0
SandeshdubeySenior Server EngineerCommented:
Yes, you are correct; you need to enable strict replication consistency and then proceed with removing the lingering objects with the repadmin command. http://technet.microsoft.com/en-us/library/dd723692(v=ws.10).aspx

Alternately, as mentioned before, you can also demote/promote the server which has lingering objects. Sometimes it's difficult to remove lingering objects either using repadmin /removelingeringobjects or other tools, and the easiest way to deal with such issues is to demote and re-promote the DC. If lingering objects spread, it's more difficult to tackle them. Demote and promote is the best bet.

You need to forcefully demote the server having lingering objects by running dcpromo /forceremoval, followed by metadata cleanup, and promote the server back as a DC. If the faulty DC is a FSMO role holder, you need to seize the FSMO roles on another DC.

Reference links:
Forceful removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm
0
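The exchange above turns on one registry value, Strict Replication Consistency, which the support note proposes setting to 0 on AD01 and the reply says should be enabled. Loose consistency (0) is the setting that lets lingering objects replicate back in, so before or after a cleanup it is worth knowing which DCs are in which mode. The following is an added example (not from the thread): it reads that value on every DC in the forest, reports the ones running in loose mode, and can optionally set them back to 1. The registry path is the one quoted in the support note; the remediation switch is my own addition.

```powershell
# Added example, not from the thread. Audits (and optionally re-enables) Strict
# Replication Consistency on all DCs in the forest. Needs the ActiveDirectory
# module and WinRM access to the DCs.
Import-Module ActiveDirectory

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Strict Replication Consistency'
$remediate = $false   # set to $true to switch loose DCs back to strict (1)

# Every DC in every domain of the forest
$dcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty HostName

function Get-StrictConsistencyReport {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        param($path, $name)
        $v = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            DC     = $env:COMPUTERNAME
            Value  = $v                 # $null means the value is absent
            Strict = ($v -eq 1)
            # An absent value falls back to a default that depends on how the forest
            # was created (upgraded Windows 2000 forests default to loose), so treat
            # "absent" as something to review rather than as safe.
            Absent = ($null -eq $v)
        }
    } -ArgumentList $regPath, $valueName
}

$report = Get-StrictConsistencyReport -ComputerName $dcs
$report | Sort-Object DC | Format-Table DC, Value, Strict, Absent -AutoSize

$loose = @($report | Where-Object { -not $_.Strict })
if ($loose.Count -eq 0) {
    "All reachable DCs have strict replication consistency enabled."
} elseif ($remediate) {
    foreach ($dc in $loose.DC) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            param($path, $name)
            Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord
        } -ArgumentList $regPath, $valueName
        "Re-enabled strict consistency on $dc"
    }
} else {
    "DCs in loose mode (set `$remediate = `$true to fix): " + ($loose.DC -join ', ')
}
```

DCs that did not answer over WinRM are simply missing from the report, so compare the row count with the DC count before trusting an "all strict" result.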
sweehanAuthor Commented:
Is it advisable to disable strict replication consistency on all the DCs?
0
SandeshdubeySenior Server EngineerCommented:
If strict replication consistency on the domain controller is not enabled, lingering objects can be replicated to this domain controller.
0
sweehanAuthor Commented:
To seize the roles to other DCs, must the problem main DC be offline or powered down?

Another thing is that this problem has been going on for almost 2 weeks. Is there any impact if the role seizure is performed?

But I don't think there is any solution other than to seize the roles, because the other DCs' operations master displays an error.
0
SandeshdubeySenior Server EngineerCommented:
You can seize the roles on any online DC. Once the roles are seized, you need to make sure that the faulty DC is demoted forcefully. You can keep it online and perform the same, but you need to demote it once the roles are seized. There will be no impact from seizing the roles. See the link below:

Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
0

sweehanAuthor Commented:
Hi,

The good news is that after I performed the seizure of the FSMO roles to another DC, the operations masters are fine.

But the group policy seems to have replication errors.

I ran rsop on the other DCs and found that they report an unknown user, DefaulAppPool, as not found.

Could I remove this user from the group policy?
0
SandeshdubeySenior Server EngineerCommented:
You can remove it if it's not required. Can you let us know what the policy name in question is?
0
sweehanAuthor Commented:
It's in the Default Domain Controllers Policy.

The picture attached shows the affected policy in Local Policies -> User Rights Assignment.
0
SandeshdubeySenior Server EngineerCommented:
Where is the picture? Can you post it?
0
sweehanAuthor Commented:
Print screen uploaded.
ad02-gp-error.jpg
0
SandeshdubeySenior Server EngineerCommented:
The cross mark indicates that there is a user ID configured which is not valid or has been deleted. Edit the policy with the red cross and remove the unrequired user; this should fix the issue.
0
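The red cross in the User Rights Assignment editor means the policy stores a SID that no longer resolves to an account, which is what the screenshot above shows. Finding those by eye across many GPOs is error-prone, so here is an added example (not from the thread) that pulls a GPO's XML report, extracts every domain SID it references, and reports the ones that cannot be translated back to an account. The policy name is the one named in this thread; the assumption about the report layout (account references appear as Name/SID elements, unresolved ones as the raw SID, sometimes with a leading asterisk) is mine.

```powershell
# Added example, not from the thread. Lists SIDs in a GPO that no longer resolve
# to an account. Needs the GroupPolicy module (RSAT / a DC).
Import-Module GroupPolicy

function Get-GpoUnresolvedSid {
    param([string]$GpoName = 'Default Domain Controllers Policy')

    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml

    # The report uses XML namespaces, so match on local-name(). Assumption: account
    # references live in Name/SID elements; an orphaned account shows as its raw SID,
    # possibly prefixed with '*' in the security-settings section.
    $texts = $report.SelectNodes('//*[local-name()="Name" or local-name()="SID"]') |
        ForEach-Object { $_.InnerText.Trim() } |
        Sort-Object -Unique

    $domainSid = '^\*?(S-1-5-21-\d+-\d+-\d+-\d+)$'   # domain-relative SIDs only
    foreach ($t in $texts) {
        if ($t -notmatch $domainSid) { continue }
        $sid = $Matches[1]
        $account = $null
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Translate throws when the SID has no matching account (deleted user/group)
        }
        [pscustomobject]@{
            GPO        = $GpoName
            SID        = $sid
            ResolvesTo = $account
            Orphaned   = ($null -eq $account)
        }
    }
}

# Orphaned entries are the ones the editor marks with a red cross.
Get-GpoUnresolvedSid | Where-Object Orphaned | Format-Table GPO, SID -AutoSize

# To sweep every GPO in the domain instead of one:
# Get-GPO -All | ForEach-Object { Get-GpoUnresolvedSid -GpoName $_.DisplayName } |
#     Where-Object Orphaned | Format-Table GPO, SID -AutoSize
```

A SID that is orphaned only because the account lives in a trusted domain that is currently unreachable will also show up here, so confirm the account is really gone before removing it from the policy.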
sweehanAuthor Commented:
Thank you for all the solutions. The problem of replication and group policy has been solved.
0