Active Directory object can only be viewed in Global Catalog

This topic is resolved

    • #999378
      Nico Penaroyo
      Participant

      Hi Pros, I'm having a problem with a certain object that can only be viewed in the Global Catalog. This object was a domain controller before. I tried removing the object using ntdsutil, but nothing happens. Also, there are computers on the main domain controller that are searchable using the search option, but they can't be seen in any OU. I am unable to see their properties, move them, or delete them.

    • #1001860
      Luc Fullenwarth
      Moderator

      You may experience a phantom object issue.

      Please verify that:

      • All your Domain Controllers are also Global Catalogs
      • If all Domain Controllers are NOT Global Catalogs, the Infrastructure Master is NOT a Global Catalog

      FSMO placement and optimization on Active Directory domain controllers

      http://support.microsoft.com/kb/223346

      Quick explanation:

      The problem is that if the IM is also a GC, when it is going to check for changes it asks a GC, and because the IM is also a GC it "thinks" that it has all the information updated and there's no need to update the DCs in its domain, causing the other DCs to end up with non-updated information. Remember, DCs in a domain only know everything about their own domain, because the domain partition is replicated between them.

      https://social.technet.microsoft.com/forums/windowsserver/en-US/8aff0e96-d807-4dfc-b4a1-b290b48e2f8f/hi-why-global-catalog-and-infrastructure-master-not-placed-in-same-dc

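A read-only check of the placement rule described in this reply, added here as an example; it is not code from the thread. It assumes the ActiveDirectory RSAT module (Get-ADDomain, Get-ADDomainController) and a domain account that can read the directory, and it prints a warning when the Infrastructure Master is a GC while some DCs in the domain are not.

```powershell
# Added example, not code from the thread. Read-only: it queries the domain and
# reports whether the "IM must not be a GC unless every DC is a GC" rule holds.
# Assumes the ActiveDirectory RSAT module and a domain account that can read AD.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)

$im     = $domain.InfrastructureMaster                      # FQDN of the role holder
$gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog })
$nonGcs = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

Write-Host "Domain                : $($domain.DNSRoot)"
Write-Host "Domain controllers    : $($dcs.HostName -join ', ')"
Write-Host "Global catalogs       : $($gcs.HostName -join ', ')"
Write-Host "Infrastructure Master : $im"

if ($nonGcs.Count -eq 0) {
    Write-Host "OK: every DC in $($domain.DNSRoot) is a GC, so the IM can sit on any of them."
}
elseif ($gcs.HostName -contains $im) {
    # The IM compares its phantom records against a GC. When it is a GC itself it
    # never sees a difference, so the non-GC DCs keep stale cross-domain references.
    Write-Warning "Infrastructure Master $im is a GC while these DCs are not: $($nonGcs.HostName -join ', ')"
    Write-Warning "Move the IM role to a non-GC DC, or make every DC in the domain a GC."
}
else {
    Write-Host "OK: the IM ($im) is not a GC, so it will refresh phantom records for the non-GC DCs."
}
```

The Infrastructure Master is a domain-level role, so in a multi-domain forest run the check once per domain (pass the domain name to Get-ADDomain -Identity). Moving the role, if the warning fires, is done with Move-ADDirectoryServerOperationMasterRole.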
    • #1001865
      Luc Fullenwarth
      Moderator

      Please verify also the following:

      Global catalog servers must either have replication partners for all domains
      or be able to replicate with another global catalog server.

      https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc737410(v=ws.10)#global-catalog-physical-structure

      • #1005470
        Nico Penaroyo
        Participant

        Hi Luc,

        Thanks for the advice. I am still stuck with my problem.

        I am trying to remove a domain controller that no longer exists. I already tried the metadata cleanup method, but this DC only shows in ADSIEDIT. I also found that these DCs were installed last year as a test in a virtual environment, and then they just deleted the virtual file without demoting it.

        • #1008960
          Luc Fullenwarth
          Moderator

          Did you check the following?

          • All your Domain Controllers are Global Catalogs

          or

          • If all Domain Controllers are NOT Global Catalogs, the Infrastructure Master is NOT a Global Catalog

          I am quite sure this is a replication issue (Global Catalog partitions are not replicating correctly),
          which should solve itself automatically as soon as the replication is working fine again.

          For information, Global Catalog partitions are read-only, which means you cannot remove nor modify any of their objects.

        • #1011430
          Luc Fullenwarth
          Moderator

          I had a look at your screenshot again.

          What is weird is that those objects are DC objects.
          Normally, under the root, there are only OU or CN objects.
          It’s like somebody has put them manually where they are…

    • #1006568
      Michael Pietroforte
      Keymaster

      I wonder what problems this object causes? Is there anything that is not working as it should? You risk causing serious problems if you mess with your AD database without being 100% sure of what you are doing.

      • #1006730
        Nico Penaroyo
        Participant

        Thanks for the warning, Michael. The problem is that there are two objects inside of that domain that I need to use: a computer name that is still inside the OU of that non-existing domain. We have very strict rules on naming objects in our directory due to some third-party software we are using. I cannot remove the object through PowerShell because it is unable to contact the domain it is under, so the only way I think it would solve my problem is to remove these two domain controllers that no longer exist.

        • #1006733
          Michael Pietroforte
          Keymaster

          I suppose deleting a computer object of a machine that no longer exists should not cause problems. To be on the safe side, you could back up your domain and then restore it in an isolated virtual environment. Then you can test without worries. Before you start messing with your production AD, you have to create a backup anyway.

        • #1006739
          Nico Penaroyo
          Participant

          Yeah, I understand the risk, and yes, it should cause no problem deleting the object or DC that no longer exists. It's my first problem: I cannot delete the object; I can only find the object in ADSIEDIT. Thanks by the way.

      • #1008956
        Luc Fullenwarth
        Moderator

        @Michael

        I am currently facing a similar issue.

        At least one domain controller is returning to clients a list of old domain controllers among current ones.
        The problem is that clients are trying to reach those non-existent controllers, which generates timeouts or longer response times.

        • #1008974
          Michael Pietroforte
          Keymaster

          Strange. Can you see this domain controller in ADUC? You might also want to check your DNS server to see if there are still entries for the old DC.

        • #1011416
          Nico Penaroyo
          Participant

          Strange as it is, the object I'm trying to remove can only be found using the search function in ADUC under the entire directory tree, but it cannot be found in any OU if I search one by one in any folder, and I cannot remove it using the properties. The domain controller also only exists in ADSIEDIT, but I am unable to remove it.

        • #1011423
          Luc Fullenwarth
          Moderator

          What if you type the following?

          Or instead of deaddomain use the name of a domain controller?

        • #1018755
          Nico Penaroyo
          Participant

          Hi Pros Luc and Michael,

          I solved my issues after 11 days. I almost thought of resigning hahaha (kidding).

          I used the ntdsutil partition management, deleting all the DomainDnsZones associated with those dead domains and all the DCs that do not really exist. I also found out that there are more dead domains in the list. Then I followed it up with the metadata cleanup.

          Thanks for all the ideas from you, appreciate it.

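The partition list that this reply works through with ntdsutil can be inventoried first with plain directory reads. The following script is an added example, not code from the thread: it reads the crossRef objects under CN=Partitions in the Configuration partition (one per naming context, including every DomainDnsZones partition) and the nTDSDSA objects under CN=Sites (one per DC still registered in the forest), then reports which registered DCs claim a writable replica of each partition. A partition with no holder, or whose only holders are DCs that no live domain lists, is the kind of entry described here, and a registered server that is no longer a live DC is the stale NTDS Settings entry that metadata cleanup removes. It assumes the ActiveDirectory RSAT module and read access to the Configuration partition; it changes nothing.

```powershell
# Added example, not code from the thread. Read-only inventory of naming contexts
# and of the registered DCs (nTDSDSA objects) that claim writable replicas of them.
# Assumes the ActiveDirectory RSAT module and read access to the Configuration NC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# One crossRef per partition: domains, Schema, Configuration, DomainDnsZones, ForestDnsZones, ...
$crossRefs = Get-ADObject -SearchBase "CN=Partitions,$configNC" `
                          -LDAPFilter '(objectClass=crossRef)' `
                          -Properties nCName, dnsRoot

# One nTDSDSA ("NTDS Settings") object per DC still registered in the forest, live or not.
# msDS-hasMasterNCs lists the writable naming contexts that DC says it holds.
$ntdsDsa = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                        -LDAPFilter '(objectClass=nTDSDSA)' `
                        -Properties 'msDS-hasMasterNCs'

# Map: partition DN -> names of the registered servers claiming a writable replica.
# Hashtable keys are case-insensitive, which matches DN comparison semantics.
$holders = @{}
foreach ($dsa in $ntdsDsa) {
    # "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site,CN=Sites,..." -> "DC01"
    # (assumes no escaped commas in the server CN, which is the normal case)
    $server = ($dsa.DistinguishedName -split ',')[1] -replace '^CN=', ''
    foreach ($nc in @($dsa.'msDS-hasMasterNCs')) {
        if (-not $holders.ContainsKey($nc)) { $holders[$nc] = @() }
        $holders[$nc] += $server
    }
}

# DCs that the live domains of the forest actually advertise. A domain whose DCs
# were deleted without demotion cannot be contacted at all, so it is reported
# as a warning and contributes no live DCs.
$liveDcs = @()
foreach ($d in (Get-ADForest).Domains) {
    try   { $liveDcs += @(Get-ADDomainController -Filter * -Server $d | ForEach-Object Name) }
    catch { Write-Warning "Cannot enumerate DCs of $d (no reachable DC?): $_" }
}

foreach ($cr in ($crossRefs | Sort-Object nCName)) {
    $nc   = $cr.nCName
    $who  = if ($holders.ContainsKey($nc)) { @($holders[$nc]) } else { @() }
    $dead = @($who | Where-Object { $liveDcs -notcontains $_ })

    if ($who.Count -eq 0) {
        Write-Warning "$nc ($($cr.dnsRoot)): no registered DC holds a writable replica"
    }
    elseif ($dead.Count -eq $who.Count) {
        Write-Warning "$nc ($($cr.dnsRoot)): held only by registered DCs that no live domain lists: $($dead -join ', ')"
    }
    else {
        Write-Host "$nc : $($who -join ', ')"
    }
}

# Registered servers that no live domain lists: the stale NTDS Settings objects
# that "metadata cleanup" is meant to remove.
$registered = $holders.Values | ForEach-Object { $_ } | Sort-Object -Unique
$stale = @($registered | Where-Object { $liveDcs -notcontains $_ })
if ($stale.Count -gt 0) {
    Write-Warning "Registered DCs with no live counterpart: $($stale -join ', ')"
}
```

The script only reports; it deliberately does not delete anything, since the removal itself is the destructive ntdsutil step the thread describes and should be run only after a backup, as Michael points out above. Objects that are visible only through a Global Catalog search, as in the opening post, are the partial, read-only copies of such a partition, so they disappear on their own once the orphaned partition and its stale server objects are gone and replication has converged.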
        • #1020955
          Luc Fullenwarth
          Moderator

          Glad you made it!
