Description of the Lingering Object Liquidator tool

Introduction
The Lingering Object Liquidator (LOL) is a tool that automates the discovery and removal of lingering objects. It uses the DRSReplicaVerifyObjects method, which the repadmin /removelingeringobjects command and the repldiag tool also leverage, in combination with the removeLingeringObject rootDSE primitive that LDP.EXE uses.

Benefits and availability

  • Combines discovery and removal of lingering objects in one interface.
  • The tool is available from Microsoft Connect.

Key features

  • Removes all the lingering objects across all domain controllers (DCs) without any prompting.
  • Performs an (n * (n-1)) comparison across every DC in the forest.
  • Performs topology detection, which lets you pick and choose the DCs to use for the lingering object comparison (source and target).
  • Exports a list of lingering objects as a CSV file, so that it can be edited offline and then imported back into the tool to remove the objects if necessary (useful for advanced removal operations).
  • Saves the contents of the object in a log file in case a new object must be hydrated from the lingering object.

Tool requirements

  • Download and run Lingering Object Liquidator on a DC or member computer in the forest you want to remove lingering objects from.
  • The Microsoft .NET Framework 4.5 must be installed on the computer that's running the tool.
  • Permissions: The user account running the tool must have Domain Administrator credentials for each domain in the forest that the executing computer resides in. Members of the Enterprise Administrators group have domain administrator credentials in all domains within a forest by default. Domain Administrator credentials are sufficient in a single domain or a single domain forest.
  • You must enable the Remote Event Log Management (RPC) firewall rule on any DC that needs scanning. Otherwise, the tool returns an "Exception: The RPC server is unavailable" error.
  • The liquidation of lingering objects in Active Directory Lightweight Directory Services (AD LDS / ADAM) environments is not supported.

Walkthrough

Lingering object detection

Run the tool as a domain administrator (or as an Enterprise administrator if you want to scan the entire forest). To do this, follow these steps.

Note You will receive error 8453 if the tool is not run as elevated.

  1. In the Topology Detection section, select Fast.

    Fast detection populates the Naming Context, Reference DC, and Target DC lists by querying the local DC. Thorough detection does a more exhaustive search of all DCs and leverages DC Locator and DSBind calls. Be aware that Thorough detection will likely fail if one or more DCs are unreachable.

  2. The following are the fields on the Lingering Objects tab:

    Naming Context

    Reference DC

    This is the DC you will compare to the target DC. The reference DC hosts a writeable copy of the partition.

    Note All DCs in the forest are displayed even if they are unsuitable as reference DCs (ChildDC2 is an RODC and is not a valid Reference DC since it doesn’t host a writable copy of the partition).

    Target DC

    The target DC that lingering objects are to be removed from.

  3. Click Detect to use these DCs for the comparison or leave all fields blank to scan the entire environment.

    When all fields are left blank, the tool compares all DCs for all partitions in a pair-wise fashion. In a large environment, this comparison takes a great deal of time (possibly even days) because the operation targets (n * (n-1)) DCs in the forest for all locally held partitions. For shorter, targeted operations, select a naming context, reference DC and target DC. The reference DC must hold a writable copy of the selected naming context. Be aware that clicking Stop does not actually stop the server-side API; it only stops the work in the client-side tool.

    During the scan, several buttons are disabled, and the current count of lingering objects is displayed on the status bar at the bottom of the screen, together with the current tool status. During this execution phase, the tool is running in an advisory mode and reading the event log data that's reported on each target DC.

    When the scan is complete, the status bar updates, buttons are re-enabled, and total count of lingering objects is displayed. The Results pane at the bottom of the window updates with any errors encountered during the scan.

    If you see error 1396 or error 8440 in the status pane, you are using an early beta-preview version of the tool and should update to the latest version.
    • Error 1396 is logged if the tool incorrectly used an RODC as a reference DC.
    • Error 8440 is logged when the targeted reference DC doesn't host a writable copy of the partition.


    Notes about the Lingering Object Liquidator discovery method
    • Leverages DRSReplicaVerifyObjects method in Advisory Mode.
    • Runs for all DCs and all partitions.
    • Collects lingering object events (event ID 1946) and displays the objects in the main content pane.
    • List can be exported to CSV for offline analysis (or modification for import).
    • Supports import and removal of objects from CSV import (leverage for objects not discoverable using DRSReplicaVerifyObjects).
    • Supports removal of objects by DRSReplicaVerifyObjects and LDAP rootDSE removeLingeringobjects modification.


    The tool leverages the Advisory Mode method exposed by DRSReplicaVerifyObjects that both repadmin /removelingeringobjects /Advisory_Mode and repldiag /removelingeringobjects use. In addition to the normal Advisory Mode–related events logged on each DC, it displays each of the lingering objects within the main content pane.

    Results of the scan are logged in the Results pane. Many more details of all operations are logged in the linger<Date-TimeStamp>.log.txt file in the same directory as the tool's executable.

    The Export button allows you to export a list of all lingering objects listed in the main pane into a CSV file. View the file in Excel, modify if necessary and use the Import button later to view the objects without having to do a new scan. The Import feature is also useful if you discover abandoned objects (not discoverable with DRSReplicaVerifyObjects) that you need to remove.

    A note about transient lingering objects:
    Garbage collection is an independent process that runs on each DC every 12 hours by default. One of its jobs is to remove objects that have been deleted and have existed as a tombstone for longer than the tombstone lifetime (in days). There is a rolling 12-hour period in which an object eligible for garbage collection still exists on some DCs but has already been removed by the garbage collection process on other DCs. The tool also reports these objects as lingering objects. However, no action is required, because they are removed automatically the next time the garbage collection process runs on the DC.
  4. To remove individual objects, select a single object, or hold Ctrl to select multiple objects or Shift to select a range of objects, and then select Remove.

    The status bar is updated with the new count of lingering objects and the status of the removal operation:

    The tool dumps a list of attributes for each object before removal and logs this along with the results of the object removal in the removedLingeringObjects.log.txt log file. This log file is in the same location as the tool's executable.

    C:\tools\LingeringObjects\removedLingeringObjects<DATE-TIMEStamp>.log.txt

    Example contents of the log file:

    the obj DN: <GUID=0bb376aa1c82a348997e5187ff012f4a>;<SID=010500000000000515000000609701d7b0ce8f6a3e529d669f040000>;CN=Dick Schenk,OU=R&D,DC=root,DC=contoso,DC=com
    objectClass:top, person, organizationalPerson, user;
    sn:Schenk ;
    whenCreated:20121126224220.0Z;
    name:Dick Schenk;
    objectSid:S-1-5-21-3607205728-1787809456-1721586238-1183;primaryGroupID:513;
    sAMAccountType:805306368;
    uSNChanged:32958;
    objectCategory:<GUID=11ba1167b1b0af429187547c7d089c61>;CN=Person,CN=Schema,CN=Configuration,DC=root,DC=contoso,DC=com;
    whenChanged:20121126224322.0Z;
    cn:Dick Schenk;
    uSNCreated:32958;
    l:Boulder;
    distinguishedName:<GUID=0bb376aa1c82a348997e5187ff012f4a>;<SID=010500000000000515000000609701d7b0ce8f6a3e529d669f040000>;CN=Dick Schenk,OU=R&D,DC=root,DC=contoso,DC=com;
    displayName:Dick Schenk ;
    st:Colorado;
    dSCorePropagationData:16010101000000.0Z;
    userPrincipalName:Dick@root.contoso.com;
    givenName:Dick;
    instanceType:0;
    sAMAccountName:Dick;
    userAccountControl:650;
    objectGUID:aa76b30b-821c-48a3-997e-5187ff012f4a;
    value is :<GUID=70ff33ce-2f41-4bf4-b7ca-7fa71d4ca13e>:<GUID=aa76b30b-821c-48a3-997e-5187ff012f4a>
    Lingering Obj CN=Dick Schenk,OU=R&D,DC=root,DC=contoso,DC=com is removed from the directory, mod response result code = Success
    ----------------------------------------------
    RemoveLingeringObject returned Success

    After all objects are identified, they can be bulk-removed by selecting all objects and then Remove, or exported into a CSV file. The CSV file can later be imported again to do bulk removal. Be aware that there's also a Remove All button, which leverages the repadmin /removelingeringobjects method of lingering object removal.
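
An added example (not part of the original article or the tool): a PowerShell parser for the per-object layout shown in the sample log above, which turns the attribute dump into structured data for review before an object is re-created. The function name ConvertFrom-RemovedObjectLog and the sample record are constructed for illustration, and only the success layout shown on this page is handled.

```powershell
# Constructed sample in the layout of removedLingeringObjects<DATE-TIMEStamp>.log.txt.
# All GUID, SID and name values below are made up for this example.
$sampleLog = @'
the obj DN: <GUID=00112233445566778899aabbccddeeff>;<SID=0105000000000005150000000102030405060708090a0b0c41060000>;CN=Test User,OU=Lab,DC=root,DC=contoso,DC=com
objectClass:top, person, organizationalPerson, user;
sn:User ;
objectSid:S-1-5-21-1111111111-2222222222-3333333333-1601;primaryGroupID:513;
objectCategory:<GUID=ffeeddccbbaa99887766554433221100>;CN=Person,CN=Schema,CN=Configuration,DC=root,DC=contoso,DC=com;
sAMAccountName:testuser;
value is :<GUID=aaaaaaaa-0000-0000-0000-000000000001>:<GUID=33221100-5544-7766-8899-aabbccddeeff>
Lingering Obj CN=Test User,OU=Lab,DC=root,DC=contoso,DC=com is removed from the directory, mod response result code = Success
----------------------------------------------
RemoveLingeringObject returned Success
'@

function ConvertFrom-RemovedObjectLog {
    param([Parameter(Mandatory)] [string] $Text)
    $record = $null
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^the obj DN:\s*(.+)$') {
            # Start of a record: drop the <GUID=..>;<SID=..>; prefixes, keep the DN.
            $dn = $Matches[1] -replace '^(<[^>]+>;)+', ''
            $record = [ordered]@{ DN = $dn; Result = $null; Attributes = [ordered]@{} }
        } elseif ($null -eq $record -or $line -match '^value is :') {
            continue   # separators, trailer lines, and the GUID pair line
        } elseif ($line -match '^Lingering Obj .* mod response result code = (\w+)') {
            $record.Result = $Matches[1]
            [pscustomobject]$record   # emit the finished record
            $record = $null
        } else {
            # A line can hold several "name:value;" pairs, and a value can contain ';'
            # (objectCategory), so a fragment without "name:" continues the previous value.
            $name = $null
            foreach ($part in @($line -split ';' | Where-Object { $_ })) {
                if ($part -match '^([A-Za-z][\w-]*):(.*)$') {
                    $name = $Matches[1]
                    $record.Attributes[$name] = $Matches[2].Trim()
                } elseif ($name) {
                    $record.Attributes[$name] += ";$part"
                }
            }
        }
    }
}

$removed = @(ConvertFrom-RemovedObjectLog -Text $sampleLog)
$removed | Select-Object DN, Result | Format-List
$removed[0].Attributes.GetEnumerator() | Format-Table Key, Value -AutoSize
```

To run it against a real log, pass the file contents as one string, for example with Get-Content -Raw on the log path.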

Workflow


More information
Removal method: Lingering Object Liquidator
Object / partition and removal capabilities: Per-object and per-partition removal

Leverages:
  • RemoveLingeringObjects LDAP rootDSE modification
  • DRSReplicaVerifyObjects method

Details:
  • GUI-based
  • Quickly displays all lingering objects in the forest to which the executing computer is joined
  • Built-in discovery through the DRSReplicaVerifyObjects method
  • Automated method to remove lingering objects from all partitions
  • Removes lingering objects from all DCs (including RODCs) but not lingering links
  • Windows Server 2008 and later DCs (will not work against Windows Server 2003 DCs)

Removal method: Repldiag /removelingeringobjects
Object / partition and removal capabilities: Per-partition removal

Leverages:
  • DRSReplicaVerifyObjects method

Details:
  • Command line only
  • Automated method to remove lingering objects from all partitions
  • Built-in discovery through DRSReplicaVerifyObjects
  • Displays discovered objects in events on DCs
  • Does not remove lingering links. Does not remove lingering objects from RODCs (yet).

Removal method: LDAP RemoveLingeringObjects rootDSE primitive (most commonly executed using LDP.EXE or an LDIFDE import script)
Object / partition and removal capabilities: Per-object removal

Details:
  • Requires a separate discovery method
  • Removes a single object per execution unless scripted.

Removal method: Repadmin /removelingeringobjects
Object / partition and removal capabilities: Per-partition removal

Leverages:
  • DRSReplicaVerifyObjects method

Details:
  • Command line only
  • Built-in discovery through DRSReplicaVerifyObjects
  • Displays discovered objects in events on DCs
  • Requires many executions if a comprehensive (n * (n-1)) pairwise cleanup is required.

    Note The repldiag tool and the Lingering Object Liquidator tool automate this task.
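
An added example (not from the article, repadmin, or the Lingering Object Liquidator): the comprehensive pairwise scan that requires many repadmin executions, planned in PowerShell. It enumerates every valid combination of naming context, reference DC and target DC and builds the matching advisory-mode repadmin command. The inventory, the child-domain naming context and the DSA GUIDs are constructed placeholders, and Get-LingeringObjectScanPlan is a hypothetical helper name.

```powershell
# Constructed inventory: ChildDC2 (an RODC) is named in the article; the other DC names,
# the child-domain NC and all DSA GUIDs are placeholders, not real values.
$rootNC  = 'DC=root,DC=contoso,DC=com'
$childNC = 'DC=child,DC=root,DC=contoso,DC=com'
$cfgNC   = "CN=Configuration,$rootNC"
$dcs = @(
    [pscustomobject]@{ Name='DC1';      DsaGuid='00000000-0000-0000-0000-000000000001'; Writable=@($rootNC, $cfgNC);  ReadOnly=@($childNC) }          # GC
    [pscustomobject]@{ Name='DC2';      DsaGuid='00000000-0000-0000-0000-000000000002'; Writable=@($rootNC, $cfgNC);  ReadOnly=@() }
    [pscustomobject]@{ Name='ChildDC1'; DsaGuid='00000000-0000-0000-0000-000000000003'; Writable=@($childNC, $cfgNC); ReadOnly=@() }
    [pscustomobject]@{ Name='ChildDC2'; DsaGuid='00000000-0000-0000-0000-000000000004'; Writable=@();                 ReadOnly=@($childNC, $cfgNC) }  # RODC
)

function Get-LingeringObjectScanPlan {
    param([Parameter(Mandatory)] [object[]] $Inventory)
    foreach ($target in $Inventory) {
        # A target is checked for every partition it holds, writable or read-only.
        foreach ($nc in (@($target.Writable) + @($target.ReadOnly))) {
            foreach ($ref in $Inventory) {
                if ($ref.Name -eq $target.Name) { continue }
                # The reference DC must hold a writable copy of the partition,
                # which rules out RODCs and read-only (partial) replicas.
                if ($ref.Writable -notcontains $nc) { continue }
                [pscustomobject]@{
                    NamingContext = $nc
                    ReferenceDC   = $ref.Name
                    TargetDC      = $target.Name
                    Command       = ('repadmin /removelingeringobjects {0} {1} "{2}" /advisory_mode' -f $target.Name, $ref.DsaGuid, $nc)
                }
            }
        }
    }
}

$plan = @(Get-LingeringObjectScanPlan -Inventory $dcs)
$n = $dcs.Count
'DC pairs, n * (n-1): {0}; valid per-partition scans: {1}' -f ($n * ($n - 1)), $plan.Count
$plan | Sort-Object NamingContext, TargetDC | Format-Table NamingContext, ReferenceDC, TargetDC -AutoSize
$plan.Command
```

The commands are only printed, so the plan can be reviewed before anything is run against a DC.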

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.
Properties

Article ID: 3141939 - Last Review: 08/01/2016 22:24:00 - Revision: 6.1

Windows Server 2012 R2 Datacenter, Windows Server 2008 R2 Datacenter, Windows Server 2012 Datacenter
