+ Post New Thread
Results 1 to 10 of 10
Windows Server 2012 Thread, Object count disparity over DCs in Technical; Hi all, We've just introduced a new 2012R2 Domain Controller into our student domain. Everything was fine with the setup, ...
  1. #1

    Join Date
    Aug 2013
    Posts
    30
    Thank Post
    5
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Object count disparity over DCs

    Hi all,

    We've just introduced a new 2012R2 Domain Controller into our student domain. Everything was fine with the setup, all SYSVOL and NETLOGON appears to be working etc. I've found a problem in that each of our domain controllers is reporting different numbers for differents things. Here's some examples:


    Site1-DC1(2K8) - Alumni OU = 59,245 total items
    Site1-DC2(2K8) - Alumni OU = 25,157 total items
    Site2-DC1(2k12R2) - Alumni OU = 63,575 total items

    Site1-DC1(2K8) - Departments OU = 9,378 total items
    Site1-DC2(2K8) - Departments OU = 9,378 total items
    Site2-DC1(2k12R2) - Departments OU = 1,476 total items

    It's a little worrying as the Departments OU is the main holder for active students. Running both dcdiag and repadmin /showrepl on the new DC passes all tests/shows all as succesful yet we're getting this strange disparity. Has anyone encountered this before, or have any tips to check?


    Thanks,

  2. #2


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,653
    Thank Post
    275
    Thanked 780 Times in 607 Posts
    Rep Power
    224
    What does repadmin /queue * show?

  3. #3

    Join Date
    Aug 2013
    Posts
    30
    Thank Post
    5
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Empty queues for all DCs

  4. #4


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,653
    Thank Post
    275
    Thanked 780 Times in 607 Posts
    Rep Power
    224
    Was this issue present before the mass accidental deletion and restore of the tombstoned users?

    How are you counting the objects? Try (adjust for your domain):

    Code:
    Get-ADObject -Filter {name -like '*'} -SearchBase 'DC=internal,DC=SchoolName,DC=localauthorityname,DC=sch,DC=uk' -ResultSetSize $null | Measure-Object

  5. #5

    Join Date
    Aug 2013
    Posts
    30
    Thank Post
    5
    Thanked 1 Time in 1 Post
    Rep Power
    0
    I can only do this for the 20012R2 server, the other two are only 2008.

    I couldn't say for certain if this was present before the authoritative restore, but this new 2012R2 server was only introduced a couple of weeks after the AR. It must be something to do with it, as we restored roughly 14,000 accounts and I'm ~8,000 down in 'Departments', and ~6,000 down in 'Users' when comparing the 2008 to 2012R2 servers.

    Both 2008 servers match numbers in an empty search the Departments OU and Users CN in ADUC, but doing the same search on the new 2012R2 server yields a total of 14,000 less.

  6. #6

    Join Date
    Oct 2008
    Location
    Lincolnshire
    Posts
    2,230
    Thank Post
    13
    Thanked 230 Times in 219 Posts
    Rep Power
    68
    Give them chance to replicate mine took 24 hours when I did this a few years ago.

  7. #7

    Join Date
    Aug 2013
    Posts
    30
    Thank Post
    5
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Turns out all the objects are there, but here's the perplexing thing: the "isRecycled" is set to TRUE. Yes, that explains why they don't come back on an ADUC search on the 2012R2 box, but we only have a Domain & Forest Functional Level of 2008, not 2008 R2! This means we can't have the AD Recycle Bin feature enabled, yet here all our objects are with the isRecycled is true.

  8. #8

    Join Date
    Aug 2013
    Posts
    30
    Thank Post
    5
    Thanked 1 Time in 1 Post
    Rep Power
    0
    So it seems we're in a strange limbo situation here. The users have "isRecycled:TRUE" set against them, yet no value for "isDeleted". Accoring the MS documentation this shouldn't really be possible. Additionally, those accounts with isRecycled:True will be set to delete by the 2012R2 server. Luckily, all attributes (such as employeeID) are still present on these objects.

    These accounts show up in 2008 because they don't recognise/honour the 'isRecycled' attribute. The issue here is that it is a system-only value so cannot be changed in ADSI edit. We found we can clear the flag using LDP.exe after tricking AD into thinking a schema update is happening, but this is on a one-by-one basis, and as we're missing 14,000 accounts, we can't do this manually. We're trying to script using the "System.DirectoryServices.Protocols" but keep running into errors.

    If anyone has any tips on this, it would be much appreciated!

  9. #9

    Join Date
    Apr 2012
    Posts
    50
    Thank Post
    0
    Thanked 6 Times in 5 Posts
    Rep Power
    6
    ADDS: Deploying the 1st W2K8 R2 or later DC in an existing forest may temporarily halt AD replication to strict mode destination DCs for up to 12 hours seems to imply that isREcycled is set on deleted objects to 1 when the first windows 2008 r2 dc is promoted - which would imply that you can have isRecycled set to true even if before setting the functional level of the domain/forest. Doesn't really help you though.

  10. #10

    Join Date
    Aug 2013
    Posts
    30
    Thank Post
    5
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Thanks for the link. The replication wasn't actually an issue because the objects were there on the new 2012R2 DC, and we'd already had a 2008R2 DC in for a while (which went mega fubar - we think it must be related; this is why we replaced it with a 2012R2 box). We ended up just scripting an .ldf file that modified that value, tricked AD into thinking we were starting a schema update and played the LDF file. This fixed it for us and we've had no issues after this.

SHARE:
+ Post New Thread

Similar Threads

  1. HP DC Gains 4 Minutes Over a Term
    By tech_guy in forum Windows Server 2008 R2
    Replies: 11
    Last Post: 7th June 2013, 09:15 PM
  2. [News] Mysterious object in the Sky over Wales
    By somabc in forum Jokes/Interweb Things
    Replies: 6
    Last Post: 11th July 2008, 01:31 PM
  3. Internet bandwidth over broadband
    By KeithFermor in forum Wireless Networks
    Replies: 6
    Last Post: 20th November 2005, 05:38 PM
  4. Replies: 17
    Last Post: 3rd August 2005, 11:21 PM
  5. Head on over to surveys
    By Ric_ in forum General EduGeek News/Announcements
    Replies: 4
    Last Post: 20th June 2005, 08:33 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •