Cannot delete Lingered object


Guest

Windows 2k SP4, 1 parent domain, 3 child domains.

I deleted an account in one child domain. One week later, if I look (Entire
Directory) for that account in AD Users and Computers (from one GC in the
parent domain), the account still appears; if I select the name of the child
domain instead of "Entire Directory", the account doesn't appear.

If I look for the account from a GC in the child domain, the account doesn't
exist.

I followed http://support.microsoft.com/default.aspx?scid=kb;en-us;314282
but when I click on Run I receive a:

I'm using an account that belongs to the Enterprise, Schema and Domain Admins
groups.

***Call Modify...
ldap_modify_s(ld,'(null)',[1] attrs);
Error:Modify:Operations Error.<1>

Any idea?

Joe Richards [MVP]

That object isn't a lingering object yet. It becomes lingering once the
tombstone no longer exists in the home domain of the object. In the meantime,
you simply have broken replication. You need to find out why that partition is
not replicating into the GCs.

Guest

Joe,

I checked the replication for that partition by creating one more user and
deleting another one, and the changes were reflected the same day.

Also, I searched for the object on all DCs and GCs of the child domain and
the object doesn't exist.

Also, I ran replmon and replicated with all the servers in that child domain
and everything is fine. Replmon doesn't report bad things with these servers.

Another symptom: when I try to see the properties of that particular user
from AD Users and Computers, the UI goes out.


Joe Richards [MVP]

Well, unless you know what you are doing and use a tool that can do it, you
won't see tombstone objects in the directory. Certainly you won't see the object
in any of the normal UIs.

If replication is truly working, this object was deleted more than a week or two
ago. It takes by default at least 60 days for the tombstone to be scavenged from
the system. As long as there is a tombstone and replication is really working,
objects will not linger. Lingering objects occur when replication somewhere has
been broken longer than the tombstone lifetime[1].

If you want to look for the tombstone objects, there is an MSKB article that
describes how to do it with ldp. You can also view them with the latest versions
of ldifde. The easiest way is to download my adfind command line tool, available
from my website (take the first link Google gives if you search for adfind).

With adfind you can display most tombstones with

adfind -b "cn=deleted objects,dc=domain,dc=com" -showdel -f name=objectname*

You will want to put whatever the name of the object was followed by * because a
tombstone is renamed to include \0ADEL:guid.

joe

1. Not entirely accurate. You can also do it in a very specific, difficult-to-
contrive situation which requires doing some very unnatural things that you
would not encounter unless someone knew exactly what they were doing.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
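The two points Joe makes (a tombstone's RDN is rewritten to name\0ADEL:guid, and a stale copy on a GC is only "lingering" once the home domain's tombstone has passed the 60-day default lifetime) can be turned into a small triage script. The following is an added example written for this thread, not code from Joe, joeware or Microsoft. It parses tombstone RDN values in both the escaped LDAP form (\0A) and the raw line-feed form, builds the wildcard filter adfind needs, and classifies a stale object as broken replication versus a true lingering object from per-DC search results. The hostnames, domain names, GUID and timestamps are constructed; the 60-day lifetime is the default the thread cites, assumed to be in force.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Default tombstone lifetime (60 days) as stated in the thread.
# Assumption: the forest still runs with the default value.
TOMBSTONE_LIFETIME = timedelta(days=60)

# A deleted object's RDN becomes "<name>\nDEL:<objectGUID>" (a real line feed);
# LDAP string form shows that line feed escaped as "\0A", which is what adfind/ldp print.
_TOMBSTONE_RDN = re.compile(
    r"^(?P<name>[^\n]+?)(?:\n|\\0A)DEL:"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)


def parse_tombstone_rdn(rdn_value):
    """Return (original name, objectGUID) for a tombstone RDN value, else None."""
    m = _TOMBSTONE_RDN.match(rdn_value)
    if m is None:
        return None
    return m.group("name"), m.group("guid").lower()


def tombstone_filter(object_name):
    """The wildcard filter adfind needs: the live name plus '*' so the appended
    DEL:<guid> suffix still matches."""
    return f"name={object_name}*"


@dataclass
class Replica:
    host: str
    domain: str                       # naming context this DC is authoritative for
    is_gc: bool = False
    live_objects: set = field(default_factory=set)
    # tombstone RDN value -> time the delete was stamped on this DC
    tombstones: dict = field(default_factory=dict)


def classify_stale_object(object_name, home_domain, replicas, now,
                          tombstone_lifetime=TOMBSTONE_LIFETIME):
    """Follow the thread's reasoning: a deleted object still visible on a GC of
    another domain is a replication failure while the home domain's tombstone
    is alive, and a lingering object once that tombstone has been scavenged."""
    stale_gcs = sorted(r.host for r in replicas
                       if r.is_gc and r.domain != home_domain
                       and object_name in r.live_objects)
    if not stale_gcs:
        return {"status": "consistent", "stale_gcs": []}

    home = [r for r in replicas if r.domain == home_domain]
    if any(object_name in r.live_objects for r in home):
        return {"status": "still_live_in_home_domain", "stale_gcs": stale_gcs}

    # Earliest delete stamp among the home domain's tombstones for this name.
    deleted_at = None
    for r in home:
        for rdn, stamped in r.tombstones.items():
            parsed = parse_tombstone_rdn(rdn)
            if parsed and parsed[0] == object_name:
                deleted_at = stamped if deleted_at is None else min(deleted_at, stamped)

    if deleted_at is None:
        return {"status": "lingering", "stale_gcs": stale_gcs,
                "note": "no tombstone left in home domain; past tombstone lifetime"}

    remaining = tombstone_lifetime - (now - deleted_at)
    return {"status": "broken_replication", "stale_gcs": stale_gcs,
            "deleted_at": deleted_at,
            "days_until_lingering": max(remaining.days, 0)}


# Constructed sample mirroring the poster's situation: a parent-domain GC still
# lists the user, the child-domain DC holds a week-old tombstone for it.
NOW = datetime(2004, 6, 8, tzinfo=timezone.utc)
SAMPLE_GUID = "6f1b2c3d-9a8b-4c7d-8e6f-0123456789ab"   # constructed
SAMPLE_REPLICAS = [
    Replica("gc1.corp.example", "corp.example", is_gc=True, live_objects={"jsmith"}),
    Replica("dc1.child.corp.example", "child.corp.example", is_gc=True,
            tombstones={r"jsmith\0ADEL:" + SAMPLE_GUID: NOW - timedelta(days=7)}),
]


def demo():
    return classify_stale_object("jsmith", "child.corp.example", SAMPLE_REPLICAS, NOW)


if __name__ == "__main__":
    print(parse_tombstone_rdn(r"jsmith\0ADEL:" + SAMPLE_GUID))
    print(tombstone_filter("jsmith"))
    print(demo())
```

Feed the live names and Deleted Objects RDNs gathered per DC (for example from the adfind query above run against each server) into `Replica` records; a `broken_replication` result with a positive `days_until_lingering` says how long you have to repair replication of that partition into the listed GCs before the stale copy really does become a lingering object.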
