Unknown Objects prevent replication

Guest

We have a customer for whom we've been called upon to solve a tricky situation: a single
domain forest with only one DC. When trying to add a second DC, replication
of the Domain NC failed (Schema and Config NCs are okay) because of the error
"Schema mismatch". It appears that two objects in the container
CN=Operations,CN=DomainUpdates,CN=System,DC=Domain,DC=com that are of an unknown
class on the source DC are causing this. These 2 objects are part of an
adprep install he tried (and according to the adprep logs it was okay). Still,
these two objects are the problem.
Since he never upgraded any of his DCs to W2K3 and will be retiring his
domain in 9 months, I was wondering if it is okay to delete these two objects.
Both objects have the same DN
(CN=6bcd568d-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com).
My first reaction is to remove these two objects. I have a feeling they don't
need them at all. To be on the safe side, I would like to hear from one of
you experts whether you share my opinion.
 
Hi Bart, ;-)

I'm not sure if you can/should delete them. Those objects just show which
updates have been made.
However, I would test within a test environment whether, after I deleted the
object(s), they would return after rerunning ADPREP /DOMAINPREP.

Oh... and when doing in production MAKE SURE you have a valid and tested
backup of AT LEAST THE SYSTEM STATE

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
Hi Jorge,

I will have to delete them because they stop replication of the Domain NC.
Thanks for the feedback. I have my system state ready just in case...

BR//Bart
 
A schema mismatch means the schemas are out of whack and the DCs aren't
even getting close to replicating objects outside of the schema.

Two objects really can't have the same DN. There is something different
about them. How about you use adfind or dsquery or some other command
line tool to dump the container DNs and post them.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
When looking a bit better at the DN, there is one character different, so that
wasn't the problem. The main problem is that both objects don't have an
objectClass and objectGUID. Unfortunately, we deleted them, but that didn't
solve the problem of course. They still are the cause of the replication
error.
This is all the returned data from one of these 2 objects as found in the
Deleted Objects container when queried with LDP:

Expanding base 'CN=6bcd5687-8314-11d6-977b-00c04f613221\
DEL:53779baa-266a-4821-acc6-76f63a8ee96d,CN=Deleted
Objects,DC=domain,DC=com'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:DEL:53779baa-266a-4821-acc6-76f63a8ee96d,CN=Deleted Objects,DC=domain,DC=com

As you can see, there are a number of basic attributes missing...
 
That is just as unlikely as having two objects with the same DN. More
likely there is a permissions issue or the attributes aren't being
requested properly. People can make mistakes with ldp, try my adfind
with the -showdel switch and see what pops up.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

 
As requested I performed the adfind and it gives the same output as seen in
LDP: DN only. All other objects in that container show the expected
attributes except those two. Since the complete output is very long, I can
send it offline if you like. This is just a small excerpt:
uSNCreated: 1378535
volTableIdxGUID: {31736676-3032-0000-0000-000000000000}
whenChanged: 20060317102331.0Z
whenCreated: 20060317102331.0Z

dn:CN=6bcd5684-8314-11d6-977b-00c04f613221\0ADEL:923fc15f-28fa-463d-ae72-18c92f50ba5e,CN=Deleted Objects,DC=DOMAIN,DC=COM

dn:CN=6bcd5687-8314-11d6-977b-00c04f613221\0ADEL:53779baa-266a-4821-acc6-76f63a8ee96d,CN=Deleted Objects,DC=DOMAIN,DC=COM

dn:CN=CC4100AC23294F309E05B7C7DCD0B001,CN=VolumeTable,CN=FileLinks,CN=System,DC=DOMAIN,DC=COM
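An added offline check, not part of the thread and not adfind's or LDP's own code: it parses an adfind-style `attribute: value` dump like the excerpt above and reports every entry that lacks the two attributes any AD object must carry (objectClass and objectGUID). It also uses the fact that a tombstone's RDN is built as `CN=<original RDN>\0ADEL:<objectGUID>`, so the GUID after `DEL:` can be cross-checked against the objectGUID attribute when one is returned. The sample dump is constructed: it reuses the DNs quoted in the thread, but all attribute values are made up.

```python
"""Audit an adfind/LDIF-style dump for AD objects that are missing core
attributes, and cross-check tombstone RDNs against objectGUID.

Assumptions (not from the thread): entries are separated by blank lines,
each starts with a "dn:" line, and attribute lines look like "name: value"
or "name:value" as in adfind output.
"""
import re

# Constructed sample, modelled on the adfind excerpt in the thread.
# DNs are the ones quoted there; attribute values are invented.
SAMPLE_DUMP = """\
dn:CN=CC4100AC23294F309E05B7C7DCD0B001,CN=VolumeTable,CN=FileLinks,CN=System,DC=DOMAIN,DC=COM
objectClass: top
objectClass: linkTrackVolumeTable
objectGUID: {0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}
whenCreated: 20060317102331.0Z

dn:CN=6bcd5684-8314-11d6-977b-00c04f613221\\0ADEL:923fc15f-28fa-463d-ae72-18c92f50ba5e,CN=Deleted Objects,DC=DOMAIN,DC=COM

dn:CN=6bcd5687-8314-11d6-977b-00c04f613221\\0ADEL:53779baa-266a-4821-acc6-76f63a8ee96d,CN=Deleted Objects,DC=DOMAIN,DC=COM
objectClass: top
objectClass: container
objectGUID: {53779baa-266a-4821-acc6-76f63a8ee96d}
isDeleted: TRUE
"""

# Every AD object must expose these two attributes to a caller that is
# allowed to read them.
REQUIRED = ("objectClass", "objectGUID")

# A tombstone RDN carries "\0ADEL:" (escaped 0x0A, then DEL:) followed by
# the object's objectGUID.
TOMBSTONE_RDN = re.compile(r"\\0ADEL:([0-9a-fA-F-]{36})")


def parse_dump(text):
    """Split the dump into entries: {"dn": str, "attrs": {lowercase name: [values]}}."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")   # split on the FIRST colon only,
        name, value = name.strip(), value.strip()  # DNs contain colons too
        if name.lower() == "dn":
            if current:
                entries.append(current)
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            # LDAP attribute names are case-insensitive; multi-valued attrs append
            current["attrs"].setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_entry(entry):
    """Return a list of problems for one entry; an empty list means it looks sane."""
    problems = []
    attrs = entry["attrs"]
    for name in REQUIRED:
        if name.lower() not in attrs:
            problems.append(f"missing {name}")
    match = TOMBSTONE_RDN.search(entry["dn"])
    if match:
        rdn_guid = match.group(1).lower()
        stored = [v.strip("{}").lower() for v in attrs.get("objectguid", [])]
        # If objectGUID was returned, it must equal the GUID baked into the RDN.
        if stored and rdn_guid not in stored:
            problems.append(f"objectGUID {stored[0]} != DEL: GUID {rdn_guid}")
    return problems


def audit(text):
    """Map each DN in the dump to its list of problems."""
    return {e["dn"]: check_entry(e) for e in parse_dump(text)}


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_DUMP).items():
        status = "; ".join(problems) if problems else "ok"
        print(f"{dn}\n    -> {status}")
```

Run against a full adfind dump of the container, the script lists exactly the entries that came back with a DN and nothing else. An entry whose DN already embeds a GUID after `DEL:` but that returns no objectGUID attribute is internally inconsistent, which points at the query or the caller's read permissions rather than at an object genuinely lacking the attribute.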
 
Yeah, that still doesn't sound right. I have yet to have seen a case
where an object didn't have an objectGuid, and it is impossible to have a
DN without an RDN since the DN isn't a stored value; it is built from
the RDN. AD is a flat structure internally, not hierarchical. I am
wondering if you have some weird ACLs on those objects. What does the
ntsecuritydescriptor attribute have in it for those objects?

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

 
When I use LDP to display the security descriptor on one of these objects, I
get

***Calling Security...
Error: Security: No Such Attribute. <16>
Server error: <empty>

-- Bart
 