Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Active Directory search

Status
Not open for further replies.
KMCsys

KMCsys

Technical User
Dec 5, 2002
5
US
From a remote machine I run Active Directory Users and Computers. When I search for a user that was previously deleted in the specific domain I cannot find it. This is good but when I search using “entire directory” which I have found out is searching against the global catalog portion of the AD database the user shows up. When you try to look at the tabs on the user you get an error. You also cannot delete it you get an error.
I try this directly on a domain controller and it does not show up at all. This is good. But why on the remote machine is it showing up when using “Entire Directory search? Has anyone else seen this problem? How can I fix it?



 
Sort by date Sort by votes
Global catalog partitions are read only, so you cannot make changes to those objects. (eg deleting)
Have you taken into account replication delays between your DCs and GCs? Did you just delete that user?

Lukasz
 
Upvote 0 Downvote

There are users from months ago that were deleted that show up in an “entire directory” search. But again they do not show up in the specific domain search. It seems like an issue on the remote machine because when I do this on a Domain Controller itself the users do not show up in the “entire directory” search.



 
Upvote 0 Downvote
Looks like you have lingering objects in your GC partition(s).

To fix this:
- Use adsiedit and connect to GC partition and locate the object(s) in question. (you might have more than one). Do that to all GC in the forest to find out which GCs are affected. Easiest way to do that is to use ldifde to dump each GC partition to a text file and do a search there using notepad. Notepad will give you location of the object, which you can reconfirm using adsiedit.

Before you do any of those next steps, make sure that this is the issue. (if you see an object in GC partion for domain A, and you go to DC in domain A and this object is not there, then this is it)


- Once you confirm which GCs are affected, you have to turn outbound replication off on all of them at once before you continue to next step (if you miss one, the problem will come back) (repadmin /options +DISABLE_OUTBOUND_REPL)

- Next step is to rehost all bad GC partitions (repadmin /rehost domain_controller naming_context good_source_domain_controller_name
)
or see this:

- Once one GC is fixed, you can enable replication on it and move on to the next one.
(repadmin /options -DISABLE_OUTBOUND_REPL)

Lukasz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

julis2103
  • Locked
  • Question
Active Directory
Replies
0
Views
157
julis2103
julis2103
goombawaho
  • Locked
  • Question
Microsoft Azure Active Directory - Backup Admin Account 1
Replies
2
Views
800
goombawaho
goombawaho
geneg28
  • Locked
  • Question
Active Directory and Linux Servers
Replies
0
Views
133
geneg28
geneg28
axilleas
  • Locked
  • Question
Windows 2012 R2 Active directory problem after applying GPO
Replies
7
Views
289
technome
technome
mkrausnick
  • Locked
  • Question
Can't write to folder even though Active Directory effective permissions shows full control
Replies
1
Views
133
mkrausnick
mkrausnick

Part and Inventory Search

Sponsor

Back
Top