Domain object deleted - yet still shows up on other domain

Status
Not open for further replies.

ancientcontra

Technical User
Jun 30, 2005
42
GB
Ok I have 3 domains.
Domain A and two child domains, B and C.
A user account in domain B was deleted, and does not show up anywhere in B domain when doing a find in Active Directory Users and Computers.

If you then connect to C domain and search the entire directory for this user account, it's still there, yet when trying to delete it or see properties on it, I get "directory object not found".

If you then connect back to B domain and search again, it will not find the user account. My guess is that it is still lingering on the GCs on C domain. (Its old physical location was on B domain users OU.)

I thought this may be a replication issue, so I followed the steps using repadmin /removelingeringobjects .....
and got an error 8440.

I'm not so sure that it is a lingering object though - I need to delete this account permanently as this user has had a new account created with a different username, and his email sometimes goes to the wrong address.

I have used LDAP on the root domain, domain A, and confirmed that it is still listed in its old location, B domain users' OU.

Please help !

 
It's a GAL error when looking at it on a DC with Exchange extensions. Will look into it further.
 
error 8440 means you didn't specify a naming context to remove lingering objects from

type at cmd prompt:
net helpmsg 8440

you need to check things like name resolution and such first

AD Repl is typically simple to fix

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
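
Added example, not part of the thread or any poster's reply: following the point above that error 8440 relates to the naming context, this batch wrapper passes each naming context explicitly to repadmin /removelingeringobjects and uses /advisory_mode, which reports candidate objects in the Directory Service event log on the destination DC without deleting anything. The script name and all argument values are placeholders, and it assumes a repadmin version and domain controllers that support this operation.

```bat
@echo off
rem Added example: advisory-mode lingering object check, one naming context at a time.
rem
rem Usage (every value is a placeholder you supply):
rem   lingering-check.cmd DEST_DC SOURCE_DSA_GUID "NAMING_CONTEXT" ["NAMING_CONTEXT" ...]
rem
rem   DEST_DC          DC suspected of holding the stale object (for example a GC).
rem   SOURCE_DSA_GUID  "DSA object GUID" of a writable DC that is authoritative for
rem                    the naming context, as printed by: repadmin /showrepl SOURCE_DC
rem   NAMING_CONTEXT   Distinguished name of the partition to compare. Quote it,
rem                    because cmd.exe splits unquoted arguments on "," and "=".
setlocal

if "%~3"=="" (
    echo usage: %~nx0 DEST_DC SOURCE_DSA_GUID "NAMING_CONTEXT" ["NAMING_CONTEXT" ...]
    exit /b 1
)

set "DEST=%~1"
set "GUID=%~2"
set "FAILED=0"

rem Drop the first two arguments so that %1 is the first naming context.
shift /1
shift /1

:next
if "%~1"=="" goto done
echo === Checking naming context: %~1 ===
rem /advisory_mode only logs what would be removed; nothing is deleted.
repadmin /removelingeringobjects %DEST% %GUID% "%~1" /advisory_mode
if errorlevel 1 (
    echo repadmin reported an error for "%~1"
    set "FAILED=1"
)
shift /1
goto next

:done
rem Review the Directory Service event log on DEST before re-running
rem the same command without /advisory_mode.
endlocal & exit /b %FAILED%
```
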
 
Thanks for the reply. It has got much worse now. We have a lot of errors now about lingering objects, and a mix of 2000 and 2003 DCs so that we cannot use repadmin to remove them. Is there any reason why we should not enforce strict replication on every server in the domain?
 
mix of DCs should not stop you from using any removal method (for any reason I can think of right now anyway, but not thinkin too hard)....

check out the following articles that may help you:

314282
328257
833458
317097
315785
316829
870695



-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
Now the child Domain will not replicate with the parent domain at all !!!
Still can replicate with the other child domain though


Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.


C:\Documents and Settings\Administrator.CHILD>dcdiag /test:checksecurityerror

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: CHILDDOMAIN\CHILDPDC
Starting test: Connectivity
......................... CHILDPDC passed test Connectivity

Doing primary tests

Testing server: CHILDDOMAIN\CHILDPDC
Starting test: CheckSecurityError

Source DC PARENTDCREPLICATIONPARTNER has possible security error (5). Diagnosing...
Time skew error between client and 1 DCs! ERROR_ACCESS_DENIED or down machine reciev
ed by:
PARENTDCREPLICATIONPARTNER
......................... CHILDPDC failed test CheckSecurityError

Running partition tests on : CHILDDOMAIN

Running partition tests on : Schema

Running partition tests on : Configuration

Running enterprise tests on : parentdomain.local

C:\Documents and Settings\Administrator.CHILDDOMAIN>
 
Also, I have reset the trusts and they appear to validate OK.
I have done all of the security permissions on the domain, checked all the administrative shares etc., and done basically everything in about 15 knowledge base articles.

Access is denied when trying to force a replication.

Says something about time skew in the detailed error on dcdiag as above - but cannot figure out why because they are in sync - I know Kerberos requires within 2 or 1 minutes as well
 