Finding GUIDs of lost domain controllers

  • Finding GUIDs of lost domain controllers

    Hi

    I have many GUIDs of lost domain controllers coming from a run of "repadmin /showvector /latency dc=???,dc=???" (see attached).

    I also will be doing a full cleanup using the following once I work out how to find the GUIDs:

    http://www.petri.com/delete_failed_dcs_from_ad.htm

    The issue is that as you can see from the attached output these are very old and lost. They are only known to AD by the GUID and I want to work out how to find them and delete them from AD using ADSIedit.msc so I can have a clean AD from these lost and/or abandoned domain controllers.


    I tried to use the command below to find the object so I could manually delete it with ADSI Edit, but it did not return anything:

    adfind -default -binenc -f objectGUID={{a6cb26cf-32eb-4171-865b-f4c2b7f9690c}} dn

    Do you have a suggestion on how to find these GUID objects so I can fully clean them up?

    Thanks
    Peter

  • #2
    Re: Finding GUIDs of lost domain controllers

    I think the correct adfind.exe syntax should be:
    Code:
    adfind -default -b "" -binenc -f "objectGUID={{GUID:a6cb26cf-32eb-4171-865b-f4c2b7f9690c}}" -dn |findstr /ib "dn"
    Or,
    You can go through the Repadmin file containing the results, with a batch:
    Code:
    @echo off & color 6a & title AdFind GUID
    
    Set "inputFile=RepadminResults.txt"
    Set "outputFile=AdFindResults.txt"
    
    :: new outputFile
    >"%outputFile%" echo %date% - %time%
    :: a GUID in string form is 8-4-4-4-12 hex characters; only lines that
    :: begin with a bare GUID (the unresolved entries) are of interest
    (Set regexp=/r "\<........-....-....-....-............ ")
    
    :: tokens=1 hands only the first word of each matching line (the GUID)
    :: to the subroutine, not the trailing "@ USN ... @ Time ..." text
    For /f "tokens=1" %%i in (
      'Findstr %regexp% "%inputFile%"'
      ) do call:StrGUIDToHex %%i >>"%outputFile%"
    
    echo\... DONE ...
    
    goto:eoStrGUIDToHex
       :StrGUIDToHex (http://support.microsoft.com/kb/325649)
       ::====================================================
       :: convert the string form of an object's GUID
       :: into its hexadecimal string (base 16) form.
       ::====================================================
       Set "StrGUID=%*"
       Set "StrGUID=%StrGUID:"=%"
       Set "StrGUID=%StrGUID:{=%"
       Set "StrGUID=%StrGUID:}=%"
       Set "GUIDStr=%StrGUID:-=%"
    
       :: Convert the string by flipping the bytes around: the first three
       :: groups are stored little-endian, the last two groups as written.
       Set "strHex=%GUIDStr:~6,2%"
       Set "strHex=%strHex%%GUIDStr:~4,2%"
       Set "strHex=%strHex%%GUIDStr:~2,2%"
       Set "strHex=%strHex%%GUIDStr:~0,2%"
       Set "strHex=%strHex%%GUIDStr:~10,2%"
       Set "strHex=%strHex%%GUIDStr:~8,2%"
       Set "strHex=%strHex%%GUIDStr:~14,2%"
       Set "strHex=%strHex%%GUIDStr:~12,2%"
       Set "strHex=%strHex%%GUIDStr:~16%"
    
       :: start AdFind (provide path to exe if necessary)
       echo\---------------------------------------------------------------------
       echo\&echo GUIDstr: {%StrGUID%}
       echo GUIDhex: %strHex%
       AdFind.exe -b "<GUID=%strHex%>" -dn
    
       exit /b
    :eoStrGUIDToHex
    In most programs the GUID is shown in string format with separators and wrapped in curly brackets. However, the GUID is stored in hexadecimal (binary) form.
    When binding to an object by using the GUID you need the hexadecimal GUID form. A sample of how to do this from a VBS script: http://forums.petri.com/showthread.p...112#post167112


    \Rems
    Last edited by Rems; 12th August 2009, 17:33.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts
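    An added example, not part of Rems's post or of the thread: the KB 325649 byte re-ordering done in PowerShell, alongside the other two forms AD accepts for a GUID (the string form inside `<GUID=...>` and the `\xx`-escaped filter value for `objectGUID`). It works on the GUID from the first post; nothing else is assumed. `[guid]::ToByteArray()` returns the stored byte order directly, so the hex it produces is the same value the batch file above builds by hand with the `~6,2`, `~4,2`, ... substrings.

```powershell
# Added example: KB 325649 re-ordering in PowerShell, plus every GUID form AD
# accepts. Not code from the thread.
function ConvertTo-AdGuidForms {
    param([Parameter(Mandatory)][string]$GuidString)

    $guid  = [guid]::Parse($GuidString)          # accepts the value with or without { }
    # ToByteArray() returns the stored (objectGUID) byte order: the first three
    # groups little-endian, the last two as written. This is exactly what the
    # batch file builds by hand with its ~6,2 / ~4,2 / ~2,2 / ~0,2 ... substrings.
    $bytes = $guid.ToByteArray()
    $hex   = -join ($bytes | ForEach-Object { $_.ToString('x2') })
    # An LDAP filter carries raw attribute bytes escaped as \xx (RFC 4515).
    $esc   = -join ($bytes | ForEach-Object { '\' + $_.ToString('x2') })

    [pscustomobject]@{
        String    = $guid.Guid                   # a6cb26cf-32eb-4171-865b-f4c2b7f9690c
        Hex       = $hex                         # cf26cba6eb327141865bf4c2b7f9690c
        BindDn    = "<GUID=$($guid.Guid)>"       # bind/base DN, string GUID
        BindDnHex = "<GUID=$hex>"                # bind/base DN, hex GUID (KB 325649 form)
        Filter    = "(objectGUID=$esc)"          # search-filter form
    }
}

# Sanity check: the re-ordered hex must round-trip back to the same GUID.
function Test-AdGuidRoundTrip {
    param([Parameter(Mandatory)][string]$GuidString)
    $hex   = (ConvertTo-AdGuidForms $GuidString).Hex
    $bytes = [byte[]](0..15 | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
    [guid]::new($bytes).Guid -eq ([guid]$GuidString).Guid
}

$forms = ConvertTo-AdGuidForms 'a6cb26cf-32eb-4171-865b-f4c2b7f9690c'
$forms | Format-List
"Round trip OK: $(Test-AdGuidRoundTrip $forms.String)"

# Either DN form binds through ADSI. Plain ADSI binding sends no "return deleted
# objects" control, so this only resolves objects that are not tombstoned:
# $obj = [adsi]"LDAP://$($forms.BindDn)"
```

    The `Filter` form is what an `objectGUID=` search actually sends on the wire; AdFind's `-binenc` with `{{GUID:...}}` performs the same escaping for you.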



    • #3
      Re: Finding GUIDs of lost domain controllers

      Hi,

      Nice idea, both the command and the batch file work, thank you, but from the attached results, as you can see, no objects are found. See the attached output from the batch file.

      Can you think of a way of finding the objects in AD so I can then delete them (with ADSI Edit, I suppose) as they are orphaned?

      Thanks
      Peter


      • #4
        Re: Finding GUIDs of lost domain controllers

        Instead of working from the perspective of what you don't know which is the GUID's of the old, invalid DC's why not work from the perspective of what you do know which is the GUID's of the current, valid DC's. Get the GUID's of the current, valid DC's and delete all the others.



        • #5
          Re: Finding GUIDs of lost domain controllers

          I have already done that. The DCs are all valid, but the GUIDs still report as they are. How do I find them so I can delete them?



          • #6
            Re: Finding GUIDs of lost domain controllers

            The tombstoned objects are in the container CN=Deleted Objects. You will normally never see the CN=Deleted Objects container because the container itself is marked as deleted.
            http://technet.microsoft.com/nl-nl/m...es(en-us).aspx

            \Rems



            • #7
              Re: Finding GUIDs of lost domain controllers

              I have gone through this document and the CN=Deleted Objects container is not there. Any other suggestions on how I can find these GUIDs so I can remove them?



              • #8
                Re: Finding GUIDs of lost domain controllers

                Originally posted by [email protected]:
                > the CN=Deleted Objects is not there.

                You can use ADRestore.NET for browsing the deleted objects that are still within the tombstone lifetime (use the credentials of a Domain Admin or Enterprise Admin to find deleted objects).
                See: http://www.petri.com/recovering-dele...-directory.htm

                And/or, for more details,
                use LDP.EXE from the Windows Server Support Tools, found on the Windows Server 2003 CD (no install is needed on Windows Server 2008).
                Run LDP.exe.
                - Click Connection menu
                - a) click Connect, type the appropriate server name (name of dc) and port (389).
                - b) click Bind, and type a Domain Administrator account and password.

                - Click Options menu,
                - a) click Controls. / On Load Predefined, select "Return deleted objects"

                - Click View menu,
                - a) click Tree, and then select the distinguished name of the domain name (DC=yourdomain,DC=local).

                - On the left, select DC=yourdomain,DC=local.
                - Then expand the Deleted Objects container, and find ......


                What is the tombstone lifetime (TSL) for your forest (= the number of days before a deleted object is removed from the directory service), btw? If the value is not set it means the forest was built with a pre-2K3 SP1 version, or someone cleared the value; if not set, the default is 60 days. The TSL is set by default to 180 days when the forest is created by a Windows Server 2003 SP1 computer, or when an NT4 DC is upgraded using the Windows Server 2003 SP1 media kit to create a new forest.


                \Rems
                Last edited by Rems; 13th August 2009, 15:58.

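                An added example, not code from the thread: the LDP procedure in post #8 done from PowerShell with System.DirectoryServices.Protocols. It connects and binds as the LDP steps do, searches for a GUID with the "return deleted objects" control attached (LDAP_SERVER_SHOW_DELETED_OID, 1.2.840.113556.1.4.417, the control LDP loads under "Return deleted objects"), and reads the forest tombstone lifetime from `CN=Directory Service,CN=Windows NT,CN=Services` in the configuration partition, treating an absent attribute as the 60-day default described in the post. The server name `dc1.wm.org.au` and the credential prompt are assumptions; the domain is the one named in the thread.

```powershell
# Added example: LDP's "Return deleted objects" search and the tombstone
# lifetime check, as code. Server name and credentials are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$SDP = 'System.DirectoryServices.Protocols'

function Connect-Ldap {
    param([Parameter(Mandatory)][string]$Server, [pscredential]$Credential)
    # Same as LDP: Connection > Connect (port 389 by default), then Bind.
    $conn = New-Object "$SDP.LdapConnection" -ArgumentList $Server
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }
    $conn.Bind()
    $conn
}

function Get-RootDseValue {
    param($Conn, [Parameter(Mandatory)][string]$Attribute)
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    $req   = New-Object "$SDP.SearchRequest" -ArgumentList '', '(objectClass=*)', $scope, ([string[]]@($Attribute))
    [string]$Conn.SendRequest($req).Entries[0].Attributes[$Attribute][0]
}

function Find-AdObjectByGuid {
    param($Conn, [Parameter(Mandatory)][string]$BaseDn, [Parameter(Mandatory)][guid]$Guid)
    # objectGUID is binary: the filter value is the stored bytes, escaped as \xx.
    $esc   = -join ($Guid.ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') })
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $attrs = [string[]]@('isDeleted', 'lastKnownParent', 'whenChanged')
    $req   = New-Object "$SDP.SearchRequest" -ArgumentList $BaseDn, "(objectGUID=$esc)", $scope, $attrs
    # LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417). Without this control
    # the server never returns tombstones, which is why a normal search finds nothing.
    [void]$req.Controls.Add((New-Object "$SDP.ShowDeletedControl"))
    foreach ($e in $Conn.SendRequest($req).Entries) {
        $a = $e.Attributes
        [pscustomobject]@{
            DistinguishedName = $e.DistinguishedName
            IsDeleted         = $(if ($a.Contains('isDeleted'))       { [string]$a['isDeleted'][0] }       else { 'FALSE' })
            LastKnownParent   = $(if ($a.Contains('lastKnownParent')) { [string]$a['lastKnownParent'][0] } else { '' })
            WhenChanged       = $(if ($a.Contains('whenChanged'))     { [string]$a['whenChanged'][0] }     else { '' })
        }
    }
}

function Get-TombstoneLifetime {
    param($Conn)
    # Lives on CN=Directory Service in the configuration NC. An absent attribute
    # means the pre-2003 SP1 default of 60 days applies.
    $dsDn  = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-RootDseValue $Conn 'configurationNamingContext')
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    $req   = New-Object "$SDP.SearchRequest" -ArgumentList $dsDn, '(objectClass=*)', $scope, ([string[]]@('tombstoneLifetime'))
    $a = $Conn.SendRequest($req).Entries[0].Attributes
    if ($a.Contains('tombstoneLifetime')) { [int][string]$a['tombstoneLifetime'][0] } else { 60 }
}

# Usage (assumed server name; the domain is the one in the thread).
$conn = Connect-Ldap -Server 'dc1.wm.org.au' -Credential (Get-Credential 'WM\Administrator')
$dn   = Get-RootDseValue $conn 'defaultNamingContext'
Find-AdObjectByGuid -Conn $conn -BaseDn $dn -Guid 'a6cb26cf-32eb-4171-865b-f4c2b7f9690c' | Format-Table -AutoSize
"Tombstone lifetime: $(Get-TombstoneLifetime $conn) days"
```

                An empty result with the control attached means the GUID is not the objectGUID of any live or tombstoned object in that partition; a hit with `IsDeleted` TRUE is a tombstone that garbage collection will remove once it is older than the tombstone lifetime, which is why trying to delete it by hand returns "no such object".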


                • #9
                  Re: Finding GUIDs of lost domain controllers

                  Hi, that is excellent, just what I have been looking for, thank you.

                  The issue is I do not find the GUID in the deleted objects. I presume I have to convert it as in the post of "13th August 2009 02:12", is that correct?

                  Other than that, I tried to delete the objects in Deleted Objects using LDP but it returns "no such object". How do you delete the objects in the Deleted Objects container?

                  How do you set the tombstone lifetime? To me it looks like the tombstone lifetime is not deleting objects and has not for some time, as there are objects that would be years old.

                  So the questions are:

                  1. How do you confirm the tombstone lifetime is operating?
                  2. How do you fix the tombstone lifetime if it is not operating?
                  3. How do you find the GUID USNs being returned by repadmin /showvector /latency dc=wm,dc=org,dc=au and clean them up (you can see the text file attached to the first post)?

                  Thanks
                  Peter



                  • #10
                    Re: Finding GUIDs of lost domain controllers

                    I'm sure the TSL is operating. ADRestore.NET filters unresolvable GUIDs; by using this tool you probably won't see all the GUIDs, just the recently deleted objects?

                    The "problem" is with repadmin /showvector: it shows unresolved GUIDs in the UTDV tables.

                    Originally posted by Joe Richards [MVP], from http://groups.google.com/group/micro...0155f3e3e7aae5:

                    > Those are up-to-dateness vector (UTDV) entries and can't be removed. You don't want them removed, they are a critical part of replication dampening.
                    >
                    > You do not need to worry about unresolved GUIDs in the UTDV tables, they are expected and will be there forever.
                    \Rems
                    Last edited by Rems; 18th August 2009, 11:35.

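                    An added example, not code from the thread: the check worth running before leaving these entries alone. The GUIDs in up-to-dateness vector entries are DSA invocation IDs (the `invocationId` of a DC's NTDS Settings object), not the objectGUID of a surviving object; once a demoted or cleaned-up DC's tombstone has aged past the tombstone lifetime there is nothing left to find, while its vector entry persists. The one case that does need attention is a bare GUID that matches a DC which exists today, since that means a live DC's name is not resolving. The script below parses `repadmin /showutdvec` output (the current name of `/showvector`) and classifies each entry against the invocation IDs of the current DCs. It assumes the ActiveDirectory module and `repadmin` are available and that output lines have the layout shown in the constructed sample, which is also run offline at the end.

```powershell
# Added example: classify UTDV entries against the invocation IDs of today's DCs.
# Needs the ActiveDirectory module (RSAT) and repadmin; sample lines are constructed.
Import-Module ActiveDirectory

function Get-UtdvEntries {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Assumed layout: resolved entries read "Site\DC @ USN n @ Time t";
    # unresolved ones start with a bare GUID instead of Site\DC.
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<name>\S+)\s+@\s+USN\s+(?<usn>\d+)') {
            $name = $Matches['name']; $usn = [int64]$Matches['usn']
            $guid = $null
            if ($name -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') { $guid = [guid]$name }
            [pscustomobject]@{ Name = $name; Usn = $usn; Guid = $guid }
        }
    }
}

function Test-UtdvAgainstLiveDcs {
    param([Parameter(Mandatory)][string[]]$Lines, [guid[]]$LiveInvocationIds = @())
    foreach ($e in (Get-UtdvEntries -Lines $Lines)) {
        $status =
            if ($null -eq $e.Guid)                        { 'resolved to a DC name' }
            elseif ($LiveInvocationIds -contains $e.Guid) { 'LIVE DC shown as a bare GUID: name resolution problem, investigate' }
            else                                          { 'retired invocation ID: expected history, leave it alone' }
        [pscustomobject]@{ Entry = $e.Name; Usn = $e.Usn; Status = $status }
    }
}

# Offline run on constructed sample output (no live DC list, so the bare GUID
# is classified as retired history).
$sample = @(
    'Default-First-Site-Name\DC1            @ USN  123456 @ Time 2009-08-12 10:00:00',
    'a6cb26cf-32eb-4171-865b-f4c2b7f9690c @ USN   54321 @ Time 2004-01-01 00:00:00'
)
Test-UtdvAgainstLiveDcs -Lines $sample | Format-Table -AutoSize

# Live run: InvocationId comes from each current DC's NTDS Settings object;
# the naming context is the one named in the thread. Run on a DC or RSAT host.
$live   = Get-ADDomainController -Filter * | ForEach-Object { [guid]$_.InvocationId }
$vector = repadmin /showutdvec $env:COMPUTERNAME 'dc=wm,dc=org,dc=au'
Test-UtdvAgainstLiveDcs -Lines $vector -LiveInvocationIds $live | Format-Table -AutoSize
```

                    Entries reported as retired history are the ones Joe Richards describes: they are part of replication dampening and are not meant to be removed.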


                    • #11
                      Re: Finding GUIDs of lost domain controllers

                      That's not bad metadata, it's normal. Repadmin just shows some obsolete history data. I see this in all environments.

                      You're fine, don't screw with your AD.
