Troubleshooting Directory Data Problems
On This Page
Overview
Troubleshooting Lost Domain Objects
Troubleshooting Object Name Conflicts
Overview
Data transactions in Active Directory are either completed in full or not made at all. If for any reason an error occurs and a transaction is unable to complete all of its steps, the system is returned to the state that existed before the transaction began. An example of an atomic transaction is an account transfer transaction where money is removed from account A and placed into account B. If the system fails after it removes the money from account A and before it places it into account B, the transaction processing system puts the money back into account A and returns the system to its original state that is, it rolls back the transaction. Table 2.14 shows the type of directory data problems that can occur, along with root cause and solution.
Table 2.14 Directory Data Problems
Symptom |
Root Cause |
Solution |
---|---|---|
Lingering objects |
If a domain controller remains disconnected for a longer period than the tombstone lifetime, an object that has been deleted from the directory can remain on the disconnected domain controller. For this reason, such objects are called "lingering objects." |
See "Managing Long-Disconnected Domain Controllers" in this guide. |
Lost objects |
If an object is created on one domain controller, and the container in which it was created is deleted on another domain controller before the object has a chance to replicate, it becomes a lost object. Lost objects are automatically placed in a domain container where you can find them and either move or delete them. |
Troubleshoot lost domain objects. |
Object name conflicts |
If an object is created on one domain controller and an object with the same name is created in the same container on another domain controller before replication occurs, it creates an object name conflict. Active Directory automatically changes the relative distinguished name of the object with the earlier timestamp to a unique name. |
Troubleshoot object name conflicts. |
Troubleshooting Lost Domain Objects
In some cases, an administrator might create or move an object into a container on one domain controller and another administrator might delete that same container on a different domain controller before the object is replicated. In such cases, the object is added to the LostAndFound container for the domain. The LostAndFoundConfig container in the configuration directory partition serves the same purpose for forest-wide objects.
Procedures for Troubleshooting Lost Domain Objects
In Active Directory Users and Computers, on the View menu, click Advanced Features.
In the console tree, click the LostAndFound container.
For each object, examine the Last Known Parent attribute. This attribute indicates the previous location of this object.
For each object, do one of the following, as appropriate:
Move the object to the correct location, recreating the parent if necessary.
Delete the object if it is no longer needed.
- Review and revise your operational procedures to ensure that object creations and deletions are coordinated.
Troubleshooting Object Name Conflicts
Active Directory supports multimaster replication of directory objects between all domain controllers in the domain. When replication of objects results in name conflicts (two objects have the same name within the same container), the system automatically renames one of these accounts to a unique name. For example, object ABC is renamed to be *CNF:guid, where "*" represents a reserved character, "CNF" is a constant that indicates a conflict resolution, and "guid" represents a printable representation of the objectGuid attribute value.
This will cause an event ID 12292 to be logged in the system event log on the domain controller. You must clean up Active Directory to resolve this error.
Warning: If you find collisions in the Domain Controllers OU, stop. Continuing with the procedures below can cause further damage. Contact Microsoft Product Support Services for guidance.
Procedures for Resolving Object Name Conflicts
Take note of the conflicting account objects. In Active Directory Users and Computers, delete the appropriate conflicting account objects (usually the newer one) on a domain controller in the domain that contains the accounts.
Rename the client computers whose accounts were deleted and join them to the domain.
Right-click My Computer.
In the System Properties dialog box, select the Computer Name tab and click the Change button.
In the Computer Name Changes dialog box, enter a new name in the Computer name: field.
Click OK to exit the Computer Name Changes dialog box, and click OK to exit the System Properties dialog box.
Restart the computer.
Verify that replication is functioning properly. If replication is not functioning properly, see "Troubleshooting Active Directory Replication Problems" in this guide. If it is, review and revise your operational procedures to ensure that object creations and deletions are coordinated.