Cannot delete ancient computers

I did a Global Search in AD Administrative Center and some ancient computers are showing up. These are not servers, just some workstations. When I try to delete them it gives me: "Failed to delete computer-name. Directory object not found."
It first showed 4, then I found a few more recently. I suspect the fact that the Subdomain where they existed was disconnected past a Tombstone a few years ago may have something to do with it.

  • I searched for lingering objects with "dsquery computer -inactive 8 -limit 0" or other values. 0 computers found lingering. When I search AD they also are not there. Just in the Global Search of the whole AD.
  • I hoped that upgrading my Root Domain Controllers to 2012 Server may get rid of them. This didn't help as we now have all the 2008R2 DC's gone but the accounts are still showing up. They only show up in the Root Domain Controllers.
  • Would it help to turn on Strict Replication?
April 10th, 2014 8:29pm

Hello,

Enabling loose replication is not a solution. Loose replication is not only a security concern, it also does not help you find the lingering objects. What it actually does is regenerate the object, and the object will be replicated. Depending on your environment, removing the lingering objects will take some time. Recently I posted an article about lingering objects and how to remove them. You can refer to the following link if you would like to understand lingering objects and how to remove them:

Re

April 11th, 2014 2:28am

The filter doesn't show any LO's.

Repadmin /removelingeringobjects DC_Containing_LO, DC_Containing_NO_LO, Partition_Of_LO /advisorymode doesn't show any either.

If I go to:

  1. AD Administrative Center on Root Domain Controller
  2. Global Search
  3. Do a Global Catalog Search - "Our Domain"
  4. Search for the computers I found earlier, 4 show up from a Sub-Domain and they are 'ancient'. When I go into any other Sub-domains with the same search....nothing found.

"I am out of the office now on Annual leave so won't be working on this till I get back."


April 11th, 2014 10:09pm

Thanks Peter,

That was an example. You must replace the DC_Containing_LO and DC_Containing_NO_LO and Partition_Of_LO with your values.

Did you use GUID in the command? Look at the below example and compare with yours:

repadmin /removelingeringobjects DC1.Contoso.com 4d8085a7-5785-4b4f-9615-6c1b68fbcfab dc=Contoso,dc=Com /ADVISORY_MODE
April 12th, 2014 3:01am

It appears to me that you are dealing with lingering objects in your domain. If lingering objects exist then you will not be able to find them within the console or using simple commands. You can refer to the links below to troubleshoot issues with lingering objects.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/9f114f3f-e8ef-4ac6-846f-8e61d6324d9a/event-id-1862-then-1864and-how-do-we-resolve?forum=winserverDS

http://jorgequestforknowledge.wordpress.com/2006/05/08/lingering-objects-2/

April 14th, 2014 2:32am

Hi,

Do you need any further assistance on this issue?

If yes, please feel free to let us know.

Have a nice day!

Amy Wang

April 17th, 2014 2:09am

I still have them showing up but have given up on repairing it. It doesn't seem to have any effect on our network other than old accounts/computers still showing up.
May 22nd, 2015 4:30pm

Hi,

First of all, the difference between loose replication and strict replication is below. You should always use strict replication.

Strict Replication

If a lingering object exists in your domain partition or domain naming context, then the server will stop replication for that partition. This is what strict replication is.

OR


Loose Replication:

Enabling loose replication will allow you to replicate; it will not block replication. It allows you to sync the lingering object, but it is not sure that it will replicate to all DCs.

Loose replication has the following disadvantages:

1. Loose replication does not mean all your partitions are in sync
2. Loose replication means a security concern
3. Loose replication is an old-school method.
4. Loose replication does not solve the inconsistencies between the same partition.

How to detect lingering objects: check for Event IDs 1388 and 1988.

Ref Link: https://technet.microsoft.com/en-us/library/cc949124(v=ws.10).aspx

Command to remove lingering objects: (GUID of computer account)

repadmin /removelingeringobjects * 39c8518e-edaf-4a42-832d-7ed911f1499c DC=Contoso,DC=com /ADVISORY_MODE
repadmin /removelingeringobjects * 39c8518e-edaf-4a42-832d-7ed911f1499c CN=Configuration,DC=Contoso,DC=com /ADVISORY_MODE
repadmin /removelingeringobjects * 39c8518e-edaf-4a42-832d-7ed911f1499c CN=Schema,CN=Configuration,DC=Contoso,DC=com /ADVISORY_MODE
repadmin /removelingeringobjects * 39c8518e-edaf-4a42-832d-7ed911f1499c DC=ForestDnsZones,DC=Contoso,DC=com
repadmin /removelingeringobjects * 39c8518e-edaf-4a42-832d-7ed911f1499c DC=DomainDnsZones,DC=Contoso,DC=com /ADVISORY_MODE

May 25th, 2015 1:10am
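
The advisory-mode check discussed in the replies above, scripted across every DC in the forest. This is an added example, not code posted by anyone in the thread. It assumes the ActiveDirectory PowerShell module and repadmin.exe are available, and that $ReferenceDc (a placeholder reusing the thread's DC1.Contoso.com) is a healthy, writable DC of the domain whose objects look stale.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT)
# and repadmin.exe; run with an account that can query every DC.
Import-Module ActiveDirectory

# Assumption: a healthy DC to act as the reference (source) copy.
# DC1.Contoso.com is the placeholder name used in the thread.
$ReferenceDc = 'DC1.Contoso.com'

# The GUID repadmin expects is the objectGUID of the reference DC's
# "NTDS Settings" object (its DSA object GUID).
$ref  = Get-ADDomainController -Identity $ReferenceDc -Server $ReferenceDc
$ntds = Get-ADObject -Identity $ref.NTDSSettingsObjectDN -Server $ReferenceDc `
            -Properties 'msDS-hasMasterNCs'
$dsaGuid = $ntds.ObjectGUID

# A reference DC is only authoritative for partitions it holds a writable
# copy of, so compare against those and nothing else.
$partitions = $ntds.'msDS-hasMasterNCs'

# Every DC in the forest is a candidate destination.
$allDcs = foreach ($domain in (Get-ADForest -Server $ReferenceDc).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $allDcs) {
    if ($dc.HostName -eq $ref.HostName) { continue }
    foreach ($nc in $partitions) {
        # /ADVISORY_MODE only reports; nothing is deleted. A destination that
        # does not host $nc returns an error, recorded here in ExitCode/Output.
        $out = & repadmin.exe /removelingeringobjects $dc.HostName $dsaGuid $nc /ADVISORY_MODE 2>&1
        [pscustomobject]@{
            Destination = $dc.HostName
            Partition   = $nc
            ExitCode    = $LASTEXITCODE
            Output      = ($out | Out-String).Trim()
        }
    }
    # Event IDs 1388 and 1988 are the ones named in the thread.
    Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1388, 1988
    } | Select-Object -First 5 MachineName, Id, TimeCreated | Out-Host
}

$report | Format-Table Destination, Partition, ExitCode -AutoSize
```

Review the Output column for each destination before running any command without /ADVISORY_MODE.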

This topic is archived. No further replies will be accepted.
