Lingering Objects and Replication issues

In my test environment, I have created multiple domain controllers and placed them in multiple subnets. A couple of the servers are in the Leela office and another one is in Gayatri. I could not check these servers for some days and did not work on them due to other activities. Recently I tried to connect to them, logged on to one of my test domain controllers and noticed that one of the servers had been off the network and had not replicated with the other servers for some days. (I haven't implemented anything to monitor replication health.) I then tried to forcefully replicate the server using the 'repadmin' command, but it failed with an error:

“The source server is currently rejecting replication requests. This operation will not continue”

Then I checked the event viewer and noticed some error events caused by lingering objects on the server that had been off the network. These were some user accounts deleted on a server other than the affected one. That change was never replicated to the affected server because it was off the network. The tombstone lifetime expired before the server was brought back online, so the deleted objects remained only on the affected server. When I brought the server back after the tombstone period these user objects had become lingering objects, and the other servers refused to replicate with the affected server because of them.

I used the command below to remove the lingering objects.

repadmin /removelingeringobjects <affectedservername> <GUIDofgoodDC> dc=ADFANS,dc=NET

This command compares the AD database of the affected DC with that of the good DC and deletes the lingering objects without triggering replication, so the deletions occur only on the affected server. (You can also use the /advisory_mode switch to run the tool for testing purposes. This will not remove the lingering objects but will log the details of the objects in the event viewer.)

Then I synchronized the servers using the repadmin /syncall option.

In my case it was obvious that the lingering objects were on the server that had been off the network. But in a huge environment you will not be able to find the affected server so easily. In that case you can locate it by checking the event logs. The domain controller that does not log Event ID 1388 (logged when strict replication consistency is not enabled) or Event ID 1988 (logged when it is enabled) contains the lingering objects. There are tools available to gather event IDs from multiple servers, and EventCombMT is one of them.
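The following PowerShell script is an added example and is not part of the original post: it automates the event-log hunt described above across all DCs and then runs the repadmin command from the post in advisory mode against each suspect. It assumes the ActiveDirectory module is available, that the account can read the Directory Service log remotely, and that GOODDC01 is a placeholder for a DC known to be clean; the domain and naming context are the ones used in the post.

```powershell
# Added example, not from the original post: locate the DC holding lingering objects
# and run repadmin /removelingeringobjects in advisory mode against it.
# Assumptions: ActiveDirectory module present, remote event log access, and
# GOODDC01 is a placeholder name for a DC that replicated normally.
$Domain        = 'ADFANS.NET'          # domain from the post
$NamingContext = 'dc=ADFANS,dc=NET'    # naming context from the post's command
$GoodDc        = 'GOODDC01'            # placeholder: a DC known to be clean
$Since         = (Get-Date).AddDays(-14)

$dcs = Get-ADDomainController -Filter * -Server $Domain

# repadmin expects the DSA object GUID (objectGUID of the NTDS Settings object)
# of the good DC as the source GUID, not its invocation ID.
$good    = $dcs | Where-Object { $_.Name -eq $GoodDc }
$dsaGuid = (Get-ADObject -Identity $good.NTDSSettingsObjectDN -Server $good.HostName).ObjectGUID

# Event 1388 (loose consistency) or 1988 (strict consistency) is logged by a DC that
# was offered a lingering object by a partner. A DC that logs neither event while
# its partners do is the likely holder of the lingering objects.
$report = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1388, 1988; StartTime = $Since
    } -ErrorAction SilentlyContinue      # "no events found" is reported as an error
    [pscustomobject]@{
        DC         = $dc.HostName
        Site       = $dc.Site
        Events1388 = @($events | Where-Object Id -eq 1388).Count
        Events1988 = @($events | Where-Object Id -eq 1988).Count
    }
}
$report | Format-Table -AutoSize

# Every DC that logged nothing, other than the good DC itself, is a suspect.
$suspects = $report | Where-Object {
    ($_.Events1388 + $_.Events1988) -eq 0 -and $_.DC -ne $good.HostName
}

foreach ($s in $suspects) {
    # /advisory_mode only reports: candidates are written to the Directory Service
    # log of the target DC. Drop the switch to actually delete them on that DC only.
    & repadmin /removelingeringobjects $s.DC $dsaGuid $NamingContext /advisory_mode
}
```

Read the advisory-mode results on each suspect before re-running without /advisory_mode, and only then run repadmin /syncall as the post does.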

I referred to the articles below to diagnose and fix my issue. Repadmin is a tool used to diagnose replication issues and it comes with the Windows Server 2003 Support Tools.

Forcing replication:
…ing Lingering objects:


DNS and Active Directory, Best Practices

In my previous organization, I promoted, demoted and set up more than 100 domain controllers in a year and migrated a domain with 6000 users, 50 group policies and 4000 computers into a domain having more than 500 policies, 125000 users, the same number of computers and 130 domain controllers. I faced a lot of DNS related issues during and after the installation of Active Directory. To avoid such issues you may follow some best practices and checks while installing and configuring DNS for Active Directory.

  • If you are going to promote the first domain controller and there is no DNS server in the network, you can first install DNS from Add or Remove Windows Components and go directly for DC promotion without configuring DNS. Leave the configuration to Active Directory; it should automatically populate the zones.
  • If you already have a DNS server you need to check the DNS suffix of the server. The best practice is to keep the DNS zone name and the Active Directory domain name the same.
  • Also, before promoting a domain controller you need to check that DNS is configured properly on that server. If it is the first domain controller and no DNS server is available, specify the IP of the same machine as the DNS server. Otherwise specify the IP of the nearest or an available DNS server.
  • After promoting the DC, create the reverse lookup (PTR) record for the newly promoted DC. Most people do not do this, but it is required for better name resolution. If the reverse lookup is not present, nslookup will not be able to resolve the name of the DNS server when you run it.
  • Check for DNS related events in the DNS console.
  • Make sure that the required zones are created and the Active Directory related records are present. If anything seems wrong you may restart the Netlogon service, or restart the server as a second option.
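As an added example (not from the original post), the PowerShell script below runs the checks from the list above on a freshly promoted DC: the DNS servers its NIC points to, its forward record, the reverse (PTR) record that is usually forgotten, and the _msdcs SRV records that Netlogon registers. It assumes Windows Server 2012 or later, where Resolve-DnsName and the DnsClient cmdlets exist, and uses the ADFANS.NET domain name from the earlier post.

```powershell
# Added example, not from the original post: verify the DNS prerequisites listed
# above for a newly promoted DC. Assumes Windows Server 2012+ (DnsClient cmdlets).
param(
    [string]$Domain = 'ADFANS.NET',        # domain name used in the post
    [string]$DcName = $env:COMPUTERNAME    # run on the DC being checked
)
$results = [ordered]@{}

# 1. Which DNS servers does the NIC point to? The first DC in a new forest should
#    point to itself; later DCs to the nearest available DNS server.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses
$results['DnsClientServers'] = $dnsServers -join ','

# 2. Forward (A) record in the zone whose name matches the AD domain name.
$a = Resolve-DnsName -Name "$DcName.$Domain" -Type A -ErrorAction SilentlyContinue
$results['ForwardRecord'] = [bool]$a

# 3. Reverse (PTR) record: the step most people skip. Without it, nslookup cannot
#    name the DNS server it is talking to.
$ptrOk = [bool]$a
foreach ($ip in @($a | Where-Object Type -eq 'A').IPAddress) {
    $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
    if (-not $ptr) { $ptrOk = $false; Write-Warning "No PTR record for $ip" }
}
$results['ReverseRecord'] = $ptrOk

# 4. AD-specific SRV records registered by Netlogon. Missing ones usually mean the
#    zone does not exist or Netlogon has not registered yet (restart the service).
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    $r = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue
    $results[$srv] = [bool]@($r | Where-Object Type -eq 'SRV')
}

[pscustomobject]$results | Format-List
```

Any False in the output maps directly to one of the checks in the list above, so you know which step to revisit before promoting the next DC.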

There may be some more additional checks and practices which can be followed according to the situation. The above practices are for general conditions and can be followed to reduce the chance of an issue.

Why Active Directory?

Every day we experience the power of a directory service. Even though it is not directly visible to the end user, a lot of applications run on a directory service platform. We can't think of a network without Active Directory; the influence of Active Directory is that big. But the question is a little bit different: why can't we use other technologies or alternatives instead of Active Directory? Why do we still use Active Directory? Have you ever thought of that? Have you ever thought of an alternative for AD?

I had thought of this many times when I was working in the critical role of an Active Directory enterprise admin at Asia's largest software and IT company. I am very keen to find open source alternatives to licensed software. A simple Google search for alternatives returned a dozen of them, including:

  • Novell eDirectory
  • Red Hat/Fedora Directory Server
  • Open Directory
  • Apache Directory
  • Oracle Internet Directory
  • IBM Tivoli Directory Server
  • CP Directory Server
  • OpenLDAP

But none of these can actually 'replace' Active Directory. It is a trivial task to pick the best LDAP directory service from the above list if you just require basic functionality like centralized authentication. With all my experience I can easily pick the better alternative from this list, and that is definitely Novell eDirectory. eDirectory and Active Directory are the leading directory services. Novell has been in the directory service market since the early 90s, and eDirectory is currently in its 8th generation. Active Directory has also been around since the 90s, but in its top form since the release of Windows 2000 Server.

You would consider scalability, compatibility, reliability, manageability and security to rate a directory service. I installed and compared eDirectory and Active Directory based on these categories.

Microsoft itself documents a limit on the number of objects in Active Directory. Novell had tested their directory with more than a billion objects back in the last century. If the number of objects is really massive, no need to think: it's eDirectory.

eDirectory's multi-master operation makes it really scalable and reliable. Multi-master replication exists in Active Directory too, but the FSMO roles make it weaker. When a critical role holder like the PDC is down, administrator effort is required to seize or transfer the unavailable role; otherwise the directory's functioning will be in trouble. In Active Directory we cannot have multiple servers holding the same FSMO role. In eDirectory there is no FSMO single-master concept, which eliminates the criticality of a role holder server.

eDirectory uses a hierarchical database while Active Directory uses a flat database. Therefore no two entities can have the same name in Active Directory, but it is possible in eDirectory. Searching is faster and more reliable in eDirectory than in Active Directory because of eDirectory's hierarchical architecture.

For most Active Directory database operations we need to take the server offline and bring it into DSRM to perform the recovery operations. In eDirectory we can do most database operations without bringing the server down.

If you want to restore an Active Directory server for any reason, you can only restore it to the last available backup, which may be from last week or last night depending on your backup configuration. eDirectory's hot continuous backup feature lets you restore the directory to the last moment before the failure.

eDirectory has some more advantages like dynamic inheritance, customizable objects and security principals, etc. In Active Directory you cannot have a security principal other than a user, computer or group. But in eDirectory, a container is also considered a security principal.

Dynamic inheritance in eDirectory makes large scale rights assignment easier. When you assign a setting to a container with a million objects there is a chance of a crash in Active Directory, as it writes the changes to the ACLs of the individual objects.

Because of dynamic inheritance, the hierarchical design, etc., the eDirectory database is really small when you compare it with an Active Directory database holding the same number of objects.

Oh, I missed the point about interoperability and compatibility. You can host eDirectory on a variety of operating systems like Windows, Linux and Unix. You can have multiple client operating systems as well.

When we check authentication, eDirectory can have multiple authentication methods. We can also configure multiple authentication levels according to the security requirements.

If you do a micro comparison you can find more and more points to add, but most of them will be in favor of Novell eDirectory. Novell calls eDirectory the high end directory service, and that is true. From the above points we can note that eDirectory is far better than Active Directory when you consider the following:

  • Scalability: suitable for a huge number of objects and large organizations
  • Compatibility: multi-protocol, multi-platform
  • Reliability: multi-master, self-repairing directory service; live maintenance tools available
  • Manageability: web based multi-platform management and monitoring tools available
  • Security: multiple authentication levels, multiple platforms and advanced security principals.

Now what do you think? Which one is better? The question is still unanswered: why are we still using Active Directory?

It's only because of the wide usage of Windows in the corporate world. More than 90% of the operating system market share is Windows. I would personally like to work in Active Directory rather than eDirectory because of the friendly environment. Most of us have Windows servers in our office, and there is no extra cost to purchase Windows AD if you have a Windows Server license. Then why would you purchase another directory service for some extra rupees?

But if your requirement is really a serious and huge one, you need to think twice.