Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

repadmin /removelingeringobjects

990 views
Skip to first unread message

Ryan

unread,
Sep 5, 2007, 8:04:02 AM9/5/07
to
Here's one for you AD guys out there. Maybe my approach is all wrong...

I want to run repadmin /removelingeringobjects for all my DCs going to one
other DC. To do that, I need to run the command once for every NTDS object.
So I create a collection of the NTDS objects (note: I'm using Quest's
ActiveRoles cmdlets):

$colNtdsObjs = get-qadobject -searchroot
'CN=Sites,CN=Configuration,DC=myforest,DC=com'

To verify I got what I need, I see if I can return all the GUIDs (this is in
a test forest, so these aren't my actual production DC GUIDs):

$colNtdsObjs | %{write-host $_.guid}

d2ccf1fc-f976-4960-86be-eb447b52cb70
29213079-c590-4620-ac19-ffb26d6629fb
e090823d-31a6-4885-87fc-ed6a15fa7944
7e038d81-642e-4a8d-be45-be7f64d8a7e0
75ad6344-cf22-4db3-ba6e-94ad6bde4f2e
8a863f3b-0616-4159-8daa-69528d7ce991
73a86a5f-de47-4cf8-8409-085c062ec989
4d1cf290-1fd5-46fe-baee-629cc946bc71
0e192f87-5ff5-440c-9e72-baef262a83d2
1cf95256-30ba-4745-9885-eedfddd409c7
62a74862-37c5-4e99-9cd3-21f17230585e
946df72d-accb-4241-8f50-b763ee62841d
63434741-b56e-4534-9619-6570ead1afe5
0c1bda8b-e665-4b60-b502-9a96b55110ad
b90231d1-90bd-4bfb-a81c-983f6812d69b
b80855eb-59ea-405e-bf63-d1bb3cab0de2
93d25a1c-f703-4e91-9213-bff44025a12c
4844923b-70c6-46f0-923d-1c647c6882ba
a3ceb37f-1c34-4930-ab53-e4da62b78071
0a3e6cde-67ce-4e3b-b5c4-12f8c4c6983a
e8a76464-aa9b-4b47-8712-6c307351d4ce
f62a86dd-0acd-47c0-8cf3-66715b3e15e8
80ec2e77-273d-4664-9958-83eaf97b83ed
e23a8fd1-0734-4d42-af63-ea2d0956f182

Ok so there are all the GUIDs. Fantastic. Now I want to run the repadmin
command for each of those:

$colNtdsObjs | %{repadmin /removelingeringobjects DC1
$_.guidDC=mydomain,DC=com /advisory_mode}

I get 'Invalid Arguments' returned for each iteration.

Any thoughts on this?

Shay Levi

unread,
Sep 5, 2007, 8:25:11 AM9/5/07
to
Try:

$colNtdsObjs | foreach { repadmin "/removelingeringobjects" DC1 "$_.guidDC=mydomain,DC=com"
"/advisory_mode"}

If it doesn't work, try with the Call operator

$colNtdsObjs | foreach {& repadmin "/removelingeringobjects" DC1 "$_.guidDC=mydomain,DC=com"
"/advisory_mode"}


HTH

Shay
http://scriptolog.blogspot.com

Ryan

unread,
Sep 5, 2007, 8:46:05 AM9/5/07
to
Thanks for the reply. I tried both those options and still get 'Invalid
Arguments." I did try a write-host of the command as assembled in the
for-each and it comes out the way it should look. I also tried running a few
of them individually (copy and pasted) and they do work.

Shay Levi

unread,
Sep 5, 2007, 8:52:18 AM9/5/07
to
I think the GUID is invalid
Try to change it to "CN=$($_.guidDC),DC=mydomain,DC=com"


Shay
http://scriptolog.blogspot.com

Shay Levi

unread,
Sep 5, 2007, 8:55:40 AM9/5/07
to
Sorry, I meant DistinguishedName (insted of GUID) :)

Shay
http://scriptolog.blogspot.com

Ryan

unread,
Sep 5, 2007, 9:20:02 AM9/5/07
to
No this command uses the GUID of the NTDS Settings object. See:

http://technet2.microsoft.com/windowsserver/en/library/03b7fc47-e25c-4af8-822f-f856b565b76a1033.mspx?mfr=true

And as I said earlier, to check what the foreach produces, I did a
write-host and put the command in quotes and it produced this:

repadmin /removelingeringobjects DC1 d2ccf1fc-f976-4960-86be-eb447b52cb70
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 29213079-c590-4620-ac19-ffb26d6629fb
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 e090823d-31a6-4885-87fc-ed6a15fa7944
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 7e038d81-642e-4a8d-be45-be7f64d8a7e0
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 75ad6344-cf22-4db3-ba6e-94ad6bde4f2e
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 8a863f3b-0616-4159-8daa-69528d7ce991
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 73a86a5f-de47-4cf8-8409-085c062ec989
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 4d1cf290-1fd5-46fe-baee-629cc946bc71
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 0e192f87-5ff5-440c-9e72-baef262a83d2
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 1cf95256-30ba-4745-9885-eedfddd409c7
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 62a74862-37c5-4e99-9cd3-21f17230585e
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 946df72d-accb-4241-8f50-b763ee62841d
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 63434741-b56e-4534-9619-6570ead1afe5
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 0c1bda8b-e665-4b60-b502-9a96b55110ad
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 b90231d1-90bd-4bfb-a81c-983f6812d69b
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 b80855eb-59ea-405e-bf63-d1bb3cab0de2
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 93d25a1c-f703-4e91-9213-bff44025a12c
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 4844923b-70c6-46f0-923d-1c647c6882ba
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 a3ceb37f-1c34-4930-ab53-e4da62b78071
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 0a3e6cde-67ce-4e3b-b5c4-12f8c4c6983a
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 e8a76464-aa9b-4b47-8712-6c307351d4ce
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 f62a86dd-0acd-47c0-8cf3-66715b3e15e8
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 80ec2e77-273d-4664-9958-83eaf97b83ed
DC=mydomain,DC=com /advisory_mode
repadmin /removelingeringobjects DC1 e23a8fd1-0734-4d42-af63-ea2d0956f182
DC=mydomain,DC=com /advisory_mode

And I ran a couple of those individually and got the correct results.

Thanks,
Ryan

Brandon Shell

unread,
Sep 5, 2007, 9:25:35 AM9/5/07
to
I think maybe there is a little confusion on how repadmin works.

The Syntax of the command is so
repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition
/advisory_mode
===================================================================
ServerName = The DNS name or the distinguished name of the domain controller
that has or might have lingering objects.
ServerGUID = The GUID of a domain controller that has an up-to-date writable
replica of the directory partition
DirectoryPartition = The distinguished name of the domain directory
partition that might have lingering objects
===================================================================

You just need one GUID as a "master" . The GUID should be the GUID of a
known good DC. Then you loop through the DNS names.

btw... I am working on a Powershell version of repadmin so stay tuned to my
blog www.bsonposh.com


"Ryan" <Ry...@discussions.microsoft.com> wrote in message
news:C975B2AF-809B-4461...@microsoft.com...

Shay Levi

unread,
Sep 5, 2007, 9:35:35 AM9/5/07
to
Any errors in the event log?

Shay
http://scriptolog.blogspot.com

Shay Levi

unread,
Sep 5, 2007, 9:50:21 AM9/5/07
to
/removelingeringobjects can be used to detect and remove lingering objects
from a directory partition
when source and destination domain controllers are Windows Server 2003.

Syntax:
repadmin /removelingeringobjects <Dest_DC_LIST> <Source DCGUID> <NC> [/ADVISORY_MODE]

Common Syntax:
repadmin /removelingeringobjects <Dest_DC_LIST> <Source DCGUID> <NC>

Dest_DC_LIST - DC suspected to have lingering objects
Source DCGUID - Source DC GUID used to compare with the suspected DC
NC - Specifies the distinguished name of the directory partition
ADVISORY_MODE - Read-only mode.

As Brandon said, you need only one source DC and a list of Destination DCs

I'll try to find out more on this, my environment is not so full of DCs :)

Shay
http://scriptolog.blogspot.com

Ryan

unread,
Sep 5, 2007, 9:56:07 AM9/5/07
to
Aha!

Very good Discussion here, by the way.

Yes, if I pick one "known good" GUID and loop through the servers (created a
collection from the Domain Controllers container), I do get the expected
result.

$colServers | %{repadmin /removelingeringobjects $_.name
'd2ccf1fc-f976-4960-86be-eb447b52cb70' "dc=myforest,dc=com" /advisory_mode}

Thanks a lot for your help and I already have you blog bookmarked. I've used
it in the past. Can't wait to see your Powershell version of repadmin!

Thanks!
Ryan

Dominik Gauss

unread,
Nov 27, 2007, 10:25:26 AM11/27/07
to

Hey Guys!

You all had some points right and other point not.
The repadmin syntax posted at last is right, but...

Normally a single DC with correct data is sufficient to fix a broken
one.
Reality is slightly different if you work in a multi-domain-forest as I
do.
I am running about 20 DCs in 9 domains.

At last I had a broken DC which blocked every sync, set the disable
inbound/outbound flags and stopped NetLogon.

No regular attempt led to success.
To solve this problem I had to remove lingering objects against each
other DC in my forest.
This attempt has no side effects except a temporary increase of each
DCs load.

Back to your problem, Ryan.
Your first approach is allmost the solution - you just missed a tiny
fact:
Your search attemt returns too much guids - not all of them, in fact
least of them are DCs.
You have to filter your result against
Code:
--------------------
$_.type -eq "nTDSDSA"
--------------------


I am prepairing a well-documented script working with my solution from
above. If you can wait another day or two I will post it.

Greetings
Dominik

Ryan;442876 Wrote:
> Aha!
>
> Very good Discussion here, by the way.
>
> Yes, if I pick one "known good" GUID and loop through the servers
> (created a
> collection from the Domain Controllers container), I do get the
> expected
> result.
>
> $colServers | %{repadmin /removelingeringobjects $_.name
> 'd2ccf1fc-f976-4960-86be-eb447b52cb70' "dc=myforest,dc=com"
> /advisory_mode}
>
> Thanks a lot for your help and I already have you blog bookmarked. I've
> used
> it in the past. Can't wait to see your Powershell version of repadmin!
>
> Thanks!
> Ryan
>
> "Brandon Shell" wrote:


--
Dominik Gauss

Brandon Shell [MVP]

unread,
Nov 27, 2007, 10:36:39 AM11/27/07
to
Im a little confused... are you saying you had an object on every DC but one?

Brandon Shell
---------------
Blog: http://www.bsonposh.com/
PSH Scripts Project: www.codeplex.com/psobject

DG> Hey Guys!
DG>
DG> You all had some points right and other point not. The repadmin
DG> syntax posted at last is right, but...
DG>
DG> Normally a single DC with correct data is sufficient to fix a broken
DG> one.
DG> Reality is slightly different if you work in a multi-domain-forest
DG> as I
DG> do.
DG> I am running about 20 DCs in 9 domains.
DG> At last I had a broken DC which blocked every sync, set the disable
DG> inbound/outbound flags and stopped NetLogon.
DG>
DG> No regular attempt led to success.
DG> To solve this problem I had to remove lingering objects against each
DG> other DC in my forest.
DG> This attempt has no side effects except a temporary increase of each
DG> DCs load.
DG> Back to your problem, Ryan.
DG> Your first approach is allmost the solution - you just missed a tiny
DG> fact:
DG> Your search attemt returns too much guids - not all of them, in fact
DG> least of them are DCs.
DG> You have to filter your result against
DG> Code:
DG> --------------------
DG> $_.type -eq "nTDSDSA"
DG> --------------------
DG> I am prepairing a well-documented script working with my solution
DG> from above. If you can wait another day or two I will post it.
DG>
DG> Greetings
DG> Dominik
DG> Ryan;442876 Wrote:
DG>

Dominik Gauss

unread,
Nov 27, 2007, 2:16:00 PM11/27/07
to

I'm not quite sure. I haven't seen any whatsoever error like this one
until the day before yesterday.
- The whole forest worked just fine - except this specific DC
- DSEventlog gave a hint that the DC in question had tried to replicate
using USNs which already had been used by its parters. That would
explain why reenabling outbound replication on the DC in question had to
lead to failure - but not why inbound replication also failed resulting
in NetLogon suspension.

So it first seemed this DC was at fault, but...

- The next strange thing was the fact that a "dcdiag /v
/test:fsmocheck" told me this DC would use a GC from another AD domain
in the forest rather than using the GC within its own domain which was
up and running fine
- And what finally beat me was the fact that a "repadmin
/removelingeringobjects <this dc> <guid of a working dc> <config
partition>" failed agains three other domain controllers - don't ask, I
have waited about 20 minutes, no result

After I lost my patience and my fellow (a MCT) had also no better ideas
I chose to give this DC a big shot from all other DCs in the hope this
DC would at least accept one of the other DCs - Guess what: it worked
instantly! I haven't even had to wait for whatever tiny period of time.
Just a sweeping blow and the DC was up and running again.

A last manual sync to and from this DC and the whole forest ran neat
and clean again.

The DSEventlogs had no more clarifying hints so I still have no clue
what had really bugged the DC in question.

And this was the point where my superior told me to rule it off.


--
Dominik Gauss

Greetings,
Dominik

Dominik Gauss

unread,
Dec 13, 2007, 3:39:41 AM12/13/07
to

Hey guys!
After I've been ill for some days I give yout the promised script.


+-------------------------------------------------------------------+
|Filename: remove-LO.ps1.txt |
|Download: http://vista64.net/forums/attachment.php?attachmentid=1988|
+-------------------------------------------------------------------+

0 new messages