PowerShell Get-ADObject returns values not present in AD, DNS Forward, Reverse lookup and DHCP.

Hey Everyone,

We're doing cleaning of AD, DNS and DHCP.
I ran into a situation where I am querying AD with Get-ADObject -Filter {Name -Like "S03*"} -Property * | Select-Object Name, OperatingSystem | Export-CSV S03-ADObjects.csv
This S03* site name was decommissioned. I get a result of:

#TYPE Selected.Microsoft.ActiveDirectory.Management.ADObject
Name      OperatingSystem
S03-PC-03      
s03-PC-01      
S03-PC-02      
S03-PC-04      Windows XP Professional
S03-PC-04      
S03-PC-05      
S03-PC-05      Windows XP Professional
S03-SRVDC    Windows 2003 Server

Then to get a complete list of AD with all its properties
 Get-ADObject -Filter * -Property * | Export-CSV AD_check.csv

I narrowed it down: the objects without the Operating System property have the property name DN, and they are of ObjectClass dnsNode, listed with a distinguished name of: DC=S03-PC-03,DC=domain.net,CN=MicrosoftDNS,CN=System,DC=domin,DC=net.

Now when I go into the root of domain.net I can't find any of these objects with Property Operating System from above, although they are listed in the AD_check.csv. I also ran nslookup using our main DNS server.
Why is that, and how do I remove them?

I am pretty sure that if I keep looking for other objects from different AD remote sites I will find the same.

Thanks
r4kieta Asked:

Will Szymkowski, Senior Solution Architect, Commented:
So you are connecting to one DC and doing a search and then connecting to another one and the objects are not present?

If this is the case then you likely have an AD replication issue.

Use the below commands to check the replication...
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
DCDiag /v

Will.
0
r4kieta (Author) Commented:
It's not a replication problem; we ruled that out.

My previous question is stated incorrectly, sorry for the confusion.
Correction:

"I can't find any objects with dnsNode Property (these are the ones that do not have Operating System Property listed in above list) from above list, although they are listed and showing in the AD_check.csv I pulled out using Get-ADObject -Filter * -Property * | Export-CSV AD_check.csv. I also ran nslookup and searched through DNS mmc on any DNS server."

Same goes if I generate the AD_check.csv file on any domain controller: all files contain these objects.
These dnsNode records date from 2007 or around that time. I am thinking AD put them in a container that is not accessible for viewing, but we want to clear them from the AD DB.

KP
0
footech Commented:
Perhaps deleted DNS records?  When records are deleted using some methods, they're not actually removed, but have an attribute dNSTombstoned that is set to True.  This post has some further details on this - http://blogs.technet.com/b/isrpfeplat/archive/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones-dstombstoneinterval-dnstombstoned.aspx

By the way, if you had your zone replicated "to all DNS servers running on domain controllers in this domain" (which is a more standard practice these days) you would never have seen this unless you modified the -searchbase parameter of Get-ADObject.
0
DrDave242 Commented:
Footech is probably right. Those are definitely DNS records, and the distinguished name you posted shows that the domain.net zone is stored in the default directory partition rather than one of the DNS partitions.

Use ADSI Edit to locate one of those records and check its dNSTombstoned attribute. It's very likely set to TRUE. Tombstoned DNS records are supposed to be deleted automatically after seven days (by default), but you can manually delete them in ADSI Edit, if you prefer.
0
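The check described in the two answers above, as an added PowerShell example that is not part of the original thread: it lists dnsNode objects with dNSTombstoned set to TRUE in the three locations an AD-integrated zone can be stored, then previews deletion with -WhatIf. The seven-day threshold, the use of whenChanged as an approximate tombstone time, and the output file name are assumptions.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$root     = Get-ADRootDSE
$domainDN = $root.defaultNamingContext
$forestDN = $root.rootDomainNamingContext

# AD-integrated zones can be stored in three places. The DN in the question
# (...,CN=MicrosoftDNS,CN=System,...) is the first: the domain partition itself.
$searchBases = @(
    "CN=MicrosoftDNS,CN=System,$domainDN",
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
    "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN"
)

$maxAgeDays = 7   # assumption: the default interval mentioned in the thread
$cutoff     = (Get-Date).AddDays(-$maxAgeDays)

$report = foreach ($base in $searchBases) {
    try {
        Get-ADObject -SearchBase $base -SearchScope Subtree `
            -LDAPFilter '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))' `
            -Properties dNSTombstoned, whenChanged -ErrorAction Stop |
        ForEach-Object {
            # A dnsNode's parent is its zone: DC=<record>,DC=<zone>,CN=MicrosoftDNS,...
            # (simple split; assumes record names contain no escaped commas)
            $zone = ($_.DistinguishedName -split ',')[1] -replace '^DC=', ''
            [pscustomobject]@{
                Record            = $_.Name
                Zone              = $zone
                WhenChanged       = $_.whenChanged   # approximation of tombstone time
                Overdue           = $_.whenChanged -lt $cutoff
                DistinguishedName = $_.DistinguishedName
            }
        }
    } catch {
        # Partition not hosted on this DC, or container absent
        Write-Warning "Skipping $base : $($_.Exception.Message)"
    }
}

$report | Sort-Object Zone, Record |
    Export-Csv Tombstoned-DnsNodes.csv -NoTypeInformation

# Review the CSV first. -WhatIf only previews; drop it to actually delete.
$report | Where-Object Overdue |
    ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -WhatIf }
```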

r4kieta (Author) Commented:
I will check that out and get back to you. Thanks
0