Windows 2003 AD - User with "invalid" name showing up

    Question

  • Hi all,

    I have an odd problem in a 2003 forest. The forest has 6 subdomains, each with only one DC, and only 2 GC, on the root domain.

    I believe I have a "corrupted" or "invalid" user, and it was after the migration to Exchange 2007 that I was made aware of this.

    On my Exchange 2007 machine, I keep getting this "legacy mailbox", even after I've moved all the mailboxes from 2003, and decommissioned the 2003 structure.

    On a closer look, the user mentioned on that "legacy mailbox" doesn't show up on the subdomain it's supposed to. I've searched each individual domain, even with the root domain, and the user doesn't show up anywhere. However, if I do an LDAP query (on the ADUC snap-in), that searches the entire directory, the user shows up!

    The name is something odd like: "José António (small square) CNF:b86f2fad-829" etc. It seems as if some other attribute got "mixed up" into the name and CN.

    I've tried to find it via ADSI edit, but couldn't find it.

    The only way I can see it is using LDP, but only when using the GC port (3268) on either of the GCs. When I try to delete it, LDP gives me an error, saying that the operation is not allowed through the GC port. If I connect via 389 to either of the GCs, I can't find the object.

    I can see the attributes "CN", "distinguishedName" and "name" are messed up with the small square thing. Oh and the rest of the string that comes after the small square is the user "objectGUID".

    Is there any way I can get to the object and delete it for good? Anything through the normal GUIs (ADUC or Exchange 2007 console) just gives me an error saying the user doesn't exist (although they mention the odd name with the little square in it).

    I'm guessing that for some reason, the GCs kept a copy of the invalid object, because I can't even find it on the DC of the domain where it should be. I'm a bit at a loss on how to nail the guy.

    Thanks for your attention!

    Cheers,

    Helder
    Monday, February 22, 2010 6:07 PM
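
The check the question describes doing by hand in LDP, as an added example that is not part of the original thread: search the GC port for conflict-renamed objects (the "small square" is a line feed followed by `CNF:` and the objectGUID) and test whether each one also exists on a DC of its own domain. The host name `gc01.corp.example` and the function name `Find-ConflictObject` are assumptions.

```powershell
# Added example; $GcHost and Find-ConflictObject are hypothetical names.
function Find-ConflictObject {
    param([string]$GcHost = 'gc01.corp.example')   # placeholder GC host

    # The GC: provider binds to port 3268, so one search covers the partial
    # replica of every domain partition in the forest.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$GcHost")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # A conflict-renamed RDN is "<original name><LF>CNF:<objectGUID>".
    # \0A is the LDAP filter escape for the line feed.
    $searcher.Filter   = '(name=*\0ACNF:*)'
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'distinguishedName', 'objectGUID'))

    $results = $searcher.FindAll()
    try {
        foreach ($hit in $results) {
            $dn    = [string]$hit.Properties['distinguishedname'][0]
            $name  = [string]$hit.Properties['name'][0]
            $bytes = [byte[]]$hit.Properties['objectguid'][0]
            $guid  = New-Object Guid -ArgumentList (,$bytes)
            $original, $suffix = $name -split "`n", 2

            # Rebuild the DNS domain name from the DC= components of the DN.
            $domain = ([regex]::Matches($dn, '(?i),DC=([^,]+)') |
                       ForEach-Object { $_.Groups[1].Value }) -join '.'

            # GUID bind over the LDAP: provider (port 389) against the owning
            # domain: is the object present on a full replica, or only on the GC?
            try {
                $onDomainDc = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$domain/<GUID=$guid>")
            } catch {
                $onDomainDc = 'unknown'   # domain unreachable or bind refused
            }

            New-Object PSObject -Property @{
                OriginalName = $original
                Guid         = $guid
                Domain       = $domain
                OnDomainDc   = $onDomainDc
                DN           = $dn
            } | Select-Object OriginalName, Guid, Domain, OnDomainDc, DN
        }
    } finally {
        $results.Dispose()   # release the underlying ADSI search handle
    }
}

Find-ConflictObject | Format-List
```

A row with `OnDomainDc` set to `False` matches the situation in the question: the object is held only in a GC's partial replica and cannot be deleted through the domain's own DC.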

All replies

  • Hello,

    CNF:b86f2fad-829 is related to lingering objects, see the following article about:
    http://blogs.dirteam.com/blogs/jorge/archive/2006/05/08/Lingering-objects.aspx

    See here about removing them with Repadmin:
    http://technet.microsoft.com/en-us/library/cc785298(WS.10).aspx

    Also check replication within the domain with repadmin /showrepl and replmon (GUI version)
    Best regards
    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, February 23, 2010 7:32 AM
  • Hi,

    Before you remove the CNF object, please check if the following article helps:

    A mailbox that is located on an Exchange Server 2007 server or on an Exchange Server 2010 server may be identified as a legacy mailbox
    http://support.microsoft.com/kb/931747

    If you need further assistance regarding Exchange Server, you can also create a new thread in Exchange forum:

    Exchange Forum
    http://social.technet.microsoft.com/Forums/en-US/category/exchangeserver
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, February 23, 2010 8:23 AM
  • Hi Joson,

    Thanks for your reply :)

    However, I believe this is a problem with AD objects, as the 2007 doesn't have any mailbox for that specific user, disconnected or otherwise.

    But thanks for your input!

    Cheers,

    Helder
    Tuesday, February 23, 2010 3:00 PM
  • Hey Meinolf,

    Thanks for your reply :)

    I've been checking the lingering objects, but I can't seem to find any. I've even run the repadmin, against the DC of the subdomain where the object should be, but to no avail. No lingering objects found.

    My guess is that the object is present on the GC copy of that domain, while the DC of that domain itself doesn't have the lingering object.

    Is there a way to "clean" the GC copy of the objects, and have the GC copy everything over again from the correct DC?

    Cheers,

    Helder
    Tuesday, February 23, 2010 3:02 PM
  • Hi Helder,

    From an AD point of view, we can run "repadmin /rehost" on the GCs to clean the objects.

    For more information about the command, please refer to the following article:

    Event ID 2108 and Event ID 1084 occur during inbound replication of Active Directory in Windows 2000 Server and in Windows Server 2003
    http://support.microsoft.com/kb/837932


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, February 24, 2010 3:38 AM
  • Hey Joson,

    Thanks for your suggestion.

    I was able to fix the problem, it ended up being simpler than I thought :) I just "demoted" one of the GC from being GC, leaving just one GC. And then I reversed the situation, so that each of the GCs got to be the only GC in the forest.

    This apparently cleaned up whatever clutter there was, since the invalid object is now gone, and the "legacy mailbox" doesn't show in Exchange 2007 anymore, so it's fixed! Yay! :)

    Once again, thanks for your replies :)

    Just a quick word of praise to Microsoft. It's really nice to be able to use the groups and post our issues and be able to exchange ideas with other people, in a clean, quick way. I've posted questions here a couple of times now, and I've got all those issues fixed. I might not have a straightforward solution to my problem, but the "back-and-forth" puts me on the right track.

    Once again, thank you all for the attention, and keep up the good work! :)

    Cheers,

    Helder

    Thursday, February 25, 2010 12:16 AM
  • Hi Helder,

    Thanks for your update and the great compliment. :)

    I am glad to hear that you have resolved the issue. You are welcome to post in our forums if you meet any difficulties and questions in using Microsoft products.

    Have a nice day.

    Joson Zhou
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com
     


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, February 25, 2010 2:24 AM