support/windows-server/active-directory/lingering-objects-remain-dc-gc-back.md
Lines changed: 11 additions & 15 deletions
@@ -32,23 +32,23 @@ The best way to identify in which domain an object is located (and from that to
32
32
33
33
1. Start **Ldp.exe**.
34
34
2. On the **Connection** menu, select **Connect**.
35
-
3. Enter the name of a global catalog. Enter **3268** as the port to which to connect. Select **OK**.
36
-
4. On the **Connection** menu, select **Bind**. Enter valid credentials if your current credentials aren't sufficient to query all of the global catalog contents. Select **OK**.
35
+
3. Enter the name of a global catalog server. Enter **3268** as the port to which to connect. Select **OK**.
36
+
4. On the **Connection** menu, select **Bind**. Enter valid credentials if your current credentials aren't sufficient to query all of the global catalog server contents. Select **OK**.
37
37
5. On the **View** menu, select **Tree**. Enter the distinguished name of the forest root. Select **OK**.
38
38
6. Right-click the forest root in the tree list, and then select **Search**.
39
39
7. Create a filter of the following form:
40
40
41
-
**([attribute]=[value])**
41
+
**(attribute=value)**
42
42
43
-
Substitute appropriate data for [*attribute*] and [*value*]. For example, to create a filter to return results where the **sAMAccountName** attribute has a value that is set to a user account named **testuser**, enter **(sAMAccountName=testuser)** in the **Filter** box. The **cn**, **userPrincipalName**, **sAMAccountName**, **name**, **mail**, and **sn** attributes are useful candidates for finding a user object. For group objects, use the **cn**, **sAMAccountName**, or **name** attributes. Note that you can use asterisks (*) in the [*value*] field if required.
43
+
Substitute appropriate data for *attribute* and *value*. For example, to create a filter to return results where the **sAMAccountName** attribute has a value that is set to a user account named **testuser**, enter **(sAMAccountName=testuser)** in the **Filter** box. The **cn**, **userPrincipalName**, **sAMAccountName**, **name**, **mail**, and **sn** attributes are useful candidates for finding a user object. For group objects, use the **cn**, **sAMAccountName**, or **name** attributes. Note that you can use asterisks (*) in the *value* field if required.
44
44
45
45
For more information on Lightweight Directory Access Protocol (LDAP) filter syntax, see [Search Filter Syntax](/windows/win32/adsi/search-filter-syntax).
46
46
47
47
8. Select **Subtree** as the search scope.
48
48
9. Select **Options**. In the **Search Options** dialog box, move to the end of the **Attributes** control.
49
49
10. Append **objectGUID;** to the list. Select **OK**.
50
50
11. Select **Run** to run the query.
51
-
12. View the results. You must identify which of the displayed objects should be removed from the global catalog. One indication that you have found a problematic object is that the object doesn't exist on a read/write copy of the naming context.
51
+
12. View the results. You must identify which of the displayed objects should be removed from the global catalog server. One indication that you have found a problematic object is that the object doesn't exist on a read/write copy of the naming context.
52
52
13. Rephrase the query and run it again if required.
53
53
14. If you have identified the lingering object, note its distinguished name and **objectGUID**.
54
54
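Review bot: In step 7 the new filter template **(attribute=value)** sets the placeholders in the same bold as literal text, while the sentence after it refers to them as *attribute* and *value* in italics, so the template no longer shows which parts the reader has to substitute. Consider italicizing the placeholders inside the template or using the angle-bracket placeholder style the article uses elsewhere (as in `objectGuid : <GUID>`), and escape the literal asterisk in "asterisks (*)" now that it sits directly before the italic *value*. In step 4, "global catalog server contents" reads awkwardly; "contents of the global catalog" says the same thing.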
@@ -65,10 +65,10 @@ objectGuid : <GUID>
65
65
66
66
## Delete lingering objects for few objects scenarios
67
67
68
-
If you have only a few objects and global catalogs, follow these steps to delete the objects by using **Ldp.exe**:
68
+
If you have only a few objects and global catalog servers, follow these steps to delete the objects by using **Ldp.exe**:
69
69
70
70
1. Sign in to each global catalog server that contains a copy of the lingering object by using Enterprise Administrator credentials.
71
-
2. Start **Ldp.exe** and connect to port 389 on the local domain controller (leave the Server box empty).
71
+
2. Start **Ldp.exe** and connect to port 389 on the local domain controller (leave the **Server** box empty).
72
72
3. On the **Connection** menu, select **Bind**. Leave all of the boxes empty (you're already signed in as an Enterprise Administrator).
73
73
4. On the **Browse** menu, select **Modify**.
74
74
5. Leave the **Dn** box empty.
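Review bot: In step 2, port 389 stays plain text although this hunk bolds the **Server** box and the earlier procedure formats its port as **3268**; bold the port here as well so both Ldp.exe procedures read the same way. The new intro "only a few objects and global catalog servers" also leaves it unclear whether "few" applies to the servers; "a few lingering objects and a few global catalog servers" removes the doubt.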
@@ -97,13 +97,13 @@ If you have only a few objects and global catalogs, follow these steps to delete
97
97
98
98
If you have many objects to delete and many global catalog servers, it may be more convenient to use the following scripts:
99
99
100
-
1. Paste the following text into a new file named Walkservers.cmd in a new folder:
100
+
1. Paste the following text into a new file named **Walkservers.cmd** in a new folder:
101
101
102
102
```console
103
103
for /f %%j in (server-list.txt) do walkobjects %%j
104
104
```
105
105
106
-
2. Paste the following text into a file named Walkobjects.cmd:
106
+
2. Paste the following text into a file named **Walkobjects.cmd**:
107
107
108
108
```console
109
109
for /f "delims=@" %%i in (object-list.txt) do cscript //NoLogo MODIFYROOTDSE.VBS %1 "%%i" >>update-%1.log
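Review bot: Step 2 does not say that **Walkobjects.cmd** must be saved in the same new folder as **Walkservers.cmd** from step 1, yet Walkservers.cmd invokes `walkobjects` by bare name and Walkobjects.cmd reads object-list.txt and MODIFYROOTDSE.VBS by relative path. Since the wording of both steps is being touched anyway, add "in the same folder" to step 2. The blocks are also tagged `console` although the `%%j` and `%%i` forms are only valid inside a batch file, so a sentence or tag that makes clear this text is file content, not something to type at a prompt, would help. Consider `call walkobjects %%j` as well, which is the conventional way to invoke one batch file from another.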
@@ -174,19 +174,15 @@ If you have many objects to delete and many global catalog servers, it may be mo
174
174
175
175
`<GUID = <DC GUID>> : <GUID = <object GUID>>`
176
176
177
-
A sample entry looks like the following:
178
-
179
-
`<GUID=<GUID>> : <GUID=<GUID>>`
180
-
181
177
Here, the first value is the GUID of the writable domain controller that is used to confirm that the original object no longer exists. The second value is the GUID of the lingering object to be removed.
182
178
183
179
6. Run the **Walk-servers.cmd** file. The scripts generate a log file that is named **Update-server-name.log** for each global catalog server that is listed in the **Server-list.txt** file. The log files contain a line for each object that is to be deleted.
184
180
185
181
> [!NOTE]
186
182
> Errors in the log files don't necessarily indicate a problem because the lingering objects may not exist on all global catalog servers. However, error messages of the form "operation refused" or "operation error" indicate a problem with the GUIDs or with the syntax of the value. If these errors occur, verify the following items:
187
183
>
188
-
> Make sure that the domain controller GUIDs are the correct GUIDs for domain controllers that contain a writable copy of the domain that contains the object.
189
-
> Make sure that the object GUIDs identify lingering objects in global catalog (read-only) naming contexts.
184
+
> - Make sure that the domain controller GUIDs are the correct GUIDs for domain controllers that contain a writable copy of the domain that contains the object.
185
+
> - Make sure that the object GUIDs identify lingering objects in global catalog (read-only) naming contexts.
190
186
191
187
### Error message when running Walkservers.cmd to modify many lingering objects in the environment
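Review bot: Step 6 still tells the reader to run **Walk-servers.cmd**, but the heading at the end of this hunk and step 1 of the procedure both name the file **Walkservers.cmd**; fix the hyphenated name while this section is being edited. With the sample entry removed, the only remaining statement of the entry syntax is `<GUID = <DC GUID>> : <GUID = <object GUID>>`, which has spaces around `=` where the deleted sample had none. Because the note below attributes "operation refused" and "operation error" to the syntax of the value, state explicitly which spacing is accepted, or keep one sample entry with placeholder GUIDs.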
0 commit comments