Author Topic: Lingering Object errors reported on Zentyal member Domain Controller  (Read 3780 times)

jtoninger

Hi All,

We have a Zentyal 6 Server acting as an additional DC in our Windows AD domain.

Recently Windows has started to report an error that some objects contained within the Zen DC are now lingering objects. So far my attempts to remove these objects have been thwarted at every pass.

"Active Directory Domain Services Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory Domain Services database.  Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed.  Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".

I was initially able to connect to the Zentyal server using ADSIedit and remove the objects. However, that has just moved the objects to a Deleted Items container, except no matter how hard I try I cannot find that container on the Zen server using ldp.exe or ADSIEdit.

I have tried the command "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>", but cannot seem to make it work.

Any other advice for how I might remove the lingering object shown below?
 
 
"Source domain controller:
4e851e84-f1a2-4f88-a252-ce2fc2dc40f5._msdcs.domain.com (this is the GUID for the Zentyal DC)
Object:
DC=SGADMIN\0ACNF:7fd5fd14-2a31-4335-94f4-be8f5c1c667e\0ADEL:7fd5fd14-2a31-4335-94f4-be8f5c1c667e,CN=Deleted Objects,DC=DomainDnsZones,DC=domain,DC=com
Object GUID:
7fd5fd14-2a31-4335-94f4-be8f5c1c667e  This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory Domain Services database.  This replication attempt has been blocked.
 
 The best solution to this problem is to identify and remove all lingering objects in the forest."

Thank you




doncamilo

Re: Lingering Object errors reported on Zentyal member Domain Controller
« Reply #1 on: June 26, 2019, 10:27:19 pm »
 :)

I would try the Linux way: https://wiki.samba.org/index.php/LDB#ldbdel

Cheers!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

jtoninger

Re: Lingering Object errors reported on Zentyal member Domain Controller
« Reply #2 on: June 26, 2019, 11:05:07 pm »
Thank you for the advice I will give this a shot. Is there any chance you could point me in the right direction with using this tool specific to Zentyal and my issue? I've never edited LDAP entries in Linux directly before and reading this guide it looks like I have a lot to learn.

jtoninger

Re: Lingering Object errors reported on Zentyal member Domain Controller
« Reply #3 on: August 14, 2019, 04:08:03 pm »
I wanted to follow up with this and hope it gets bumped, but I tried to delete the lingering objects with ldbdel and hit another roadblock.

I ran:

Code:
ldbdel --show-deleted -H /var/lib/samba/private/sam.ldb "DC=devicename\0ADEL:419bf462-9b46-49e9-8f5b-e2f4a0dbcd68,CN=Deleted Objects,DC=DomainDnsZones,DC=gardien,DC=com"

with the result:


Code:
delete of 'DC=devicename\0ADEL:419bf462-9b46-49e9-8f5b-e2f4a0dbcd68,CN=Deleted Objects,DC=DomainDnsZones,DC=gardien,DC=com' failed - (Unwilling to perform) Refusing to delete tombstone object DC=devicename\0ADEL:419bf462-9b46-49e9-8f5b-e2f4a0dbcd68,CN=Deleted Objects,DC=DomainDnsZones,DC=gardien,DC=com.  This check is to prevent corruption of the replicated state.


I could not get past this point. I tried adding a -f flag to force things but that didn't work.

I still have no way to remove these lingering objects unfortunately.



doncamilo

Re: Lingering Object errors reported on Zentyal member Domain Controller
« Reply #4 on: August 14, 2019, 09:52:09 pm »
 :)

Hi!

Try to synchronize all the domain controllers:

https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions (use the --full-sync flag)

afterwards:

Code:
samba-tool drs showrepl
It could be that you'll have to repeat this process many times until showrepl no longer shows errors.

cheers!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,
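An added example for the check doncamilo describes (my own code, not something from this thread and not part of Samba or Zentyal): it parses `samba-tool drs showrepl` output for inbound/outbound neighbours whose consecutive-failure counter is non-zero, counts the KCC "No NC replicated" warnings separately, and wraps the `samba-tool drs replicate <dest> <src> <NC> --full-sync` loop so every partition can be pulled again until that parse comes back clean. The sample output embedded below is constructed from the showrepl listing quoted later in this thread, trimmed and with one neighbour altered to a failure; the DC names and partition list in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from this thread, not Samba's own code): flag replication
# neighbours in `samba-tool drs showrepl` output that still report failures, and
# drive a --full-sync of every partition until that check comes back clean.
# DC names and the partition list in the usage comment are placeholders.

# Print "<partition>\t<neighbour>\t<consecutive failures>" for every neighbour
# whose failure counter is non-zero. Reads showrepl output on stdin.
showrepl_failures() {
    awk '
        /^(DC|CN)=/ { nc = $0; next }                                  # partition header at column 0
        /^[ \t]+[^ \t].* via / { sub(/^[ \t]+/, ""); nb = $1; next }   # "SITE\DC via RPC" line
        /consecutive failure\(s\)/ { if ($1 + 0 > 0) printf "%s\t%s\t%d\n", nc, nb, $1 + 0 }
    '
}

# Count KCC connection warnings. These are not replication failures, so they
# are reported separately rather than folded into showrepl_is_clean.
showrepl_warnings() {
    grep -c '^Warning: No NC replicated' || true
}

# Exit 0 when no neighbour reports failures, 1 otherwise.
showrepl_is_clean() {
    [ -z "$(showrepl_failures)" ]
}

# Pull every partition into DEST from SRC with a full sync, then re-check.
# Run as root on the Samba DC. Arguments: dest-dc src-dc partition...
# samba-tool takes the destination first, then the source.
full_sync_all() {
    dest="$1"; src="$2"; shift 2
    for nc in "$@"; do
        samba-tool drs replicate "$dest" "$src" "$nc" --full-sync || return 1
    done
    samba-tool drs showrepl | showrepl_is_clean
}

# Constructed sample: trimmed from the showrepl output in this thread, with the
# DomainDnsZones neighbour altered to a failure (the real post showed none).
SAMPLE_SHOWREPL='CA-TOR-SITE\TORVMDCZ01
DSA Options: 0x00000001
DSA object GUID: 4e851e84-f1a2-4f88-a252-ce2fc2dc40f5

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Thu Aug 15 11:07:18 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:07:18 2019 EDT

DC=DomainDnsZones,DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Thu Aug 15 11:07:20 2019 EDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                3 consecutive failure(s).
                Last success @ Tue Aug 13 15:32:07 2019 EDT

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 7d472401-ab78-4c4c-9ae5-4056aafb87c3
        Enabled        : TRUE
Warning: No NC replicated for Connection!
'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SHOWREPL" | showrepl_failures
printf 'KCC warnings: %s\n' "$(printf '%s\n' "$SAMPLE_SHOWREPL" | showrepl_warnings)"

# Real use on the Samba DC (placeholders; not run here):
#   full_sync_all torvmdcz01 torvmdc01 \
#       DC=company,DC=com DC=DomainDnsZones,DC=company,DC=com \
#       DC=ForestDnsZones,DC=company,DC=com \
#       CN=Configuration,DC=company,DC=com \
#       CN=Schema,CN=Configuration,DC=company,DC=com && echo clean
```

The partition list is the set showrepl itself prints as headers, so the Zentyal-side sync covers the same NCs the Windows events name (DomainDnsZones and ForestDnsZones included). A clean result from `showrepl_is_clean` only says the Samba DC's own replication links are healthy; as the next post in this thread shows, the Windows DC can keep logging the lingering-object event while showrepl reports zero failures.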

jtoninger

Re: Lingering Object errors reported on Zentyal member Domain Controller
« Reply #5 on: August 15, 2019, 05:22:09 pm »
Hi!

Thanks again for the advice.

I have run the manual replication a few times now.

Unfortunately the error still shows up from the Windows DC:
Quote
Active Directory Domain Services Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory Domain Services database.  Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed.  Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".
 
 
Source domain controller:
4e851e84-f1a2-4f88-a252-ce2fc2dc40f5._msdcs.company.com (this is the Zentyal DC)

Object:
DC=122\0ADEL:e6508b9b-c06f-420f-b2a0-87ebff728ee5,CN=Deleted Objects,DC=ForestDnsZones,DC=company,DC=com
Object GUID:
e6508b9b-c06f-420f-b2a0-87ebff728ee5  This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory Domain Services database.  This replication attempt has been blocked.


Meanwhile samba-tool drs showrepl shows no errors:

Quote
root@torvmdcz01:~# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:torvmdcz01.company.com[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name torvmdcz01.company.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name torvmdcz01.company.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name torvmdcz01.company.com<0x20>
CA-TOR-SITE\TORVMDCZ01
DSA Options: 0x00000001
DSA object GUID: 4e851e84-f1a2-4f88-a252-ce2fc2dc40f5
DSA invocationId: 7c54fa1e-166c-4354-87d9-5ab7c04a5d30

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Thu Aug 15 11:07:18 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:07:18 2019 EDT

DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Thu Aug 15 11:09:06 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:09:06 2019 EDT

DC=company,DC=com
        G-SITE\GARSGVMDC01 via RPC
                DSA object GUID: 982d5579-19f2-4388-b86a-4262de974456
                Last attempt @ Thu Aug 15 11:09:25 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:09:25 2019 EDT

DC=company,DC=com
        TW-SG-SITE\GARTYNVMDC01 via RPC
                DSA object GUID: 35f096bf-779d-4e86-a78d-94df0bee08e3
                Last attempt @ Thu Aug 15 11:09:04 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:09:04 2019 EDT

CN=Schema,CN=Configuration,DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Thu Aug 15 11:07:22 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:07:22 2019 EDT

DC=DomainDnsZones,DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Thu Aug 15 11:07:20 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:07:20 2019 EDT

DC=DomainDnsZones,DC=company,DC=com
        TW-SG-SITE\GARTYNVMDC01 via RPC
                DSA object GUID: 35f096bf-779d-4e86-a78d-94df0bee08e3
                Last attempt @ Thu Aug 15 11:08:04 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:08:04 2019 EDT

CN=Configuration,DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Thu Aug 15 11:07:22 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:07:22 2019 EDT

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Thu Aug 15 11:06:20 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:06:20 2019 EDT

DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Thu Aug 15 11:05:04 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:05:04 2019 EDT

CN=Schema,CN=Configuration,DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Tue Aug 13 15:32:07 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Tue Aug 13 15:32:07 2019 EDT

DC=DomainDnsZones,DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Thu Aug 15 11:08:06 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:08:06 2019 EDT

CN=Configuration,DC=company,DC=com
        CA-TOR-SITE\TORVMDC01 via RPC
                DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
                Last attempt @ Thu Aug 15 11:02:54 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Thu Aug 15 11:02:54 2019 EDT

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 7d472401-ab78-4c4c-9ae5-4056aafb87c3
        Enabled        : TRUE
        Server DNS name : TORVMDC01.company.com
        Server DN name  : CN=NTDS Settings,CN=TORVMDC01,CN=Servers,CN=CA-TOR-SITE,CN=Sites,CN=Configuration,DC=company,DC=com
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

To me it seems as though MS AD is checking for consistency inside the deleted Items folders but Samba AD is disregarding that folder.