Hello everyone, been a while since I did a qUICKLY Blog, all I can say is I was extremely busy with Active Directory and customers who use it :), which is almost every company in the world. so today I am writing about something new which you may not be aware of. This blog is not about all the advantages (there are a lot) for Read-Only Domain Controllers, but something I came across and wanted to explain how this could happen. The topic is about Abandoned Objects.
Abandoned objects are objects in the Active Directory database (NTDS.DIT) of Read-Only Domain Controllers which are not present on the existing Writeable Domain Controllers in the domain. These objects were once created on a Writable domain controller, got replicated to Read-Only domain controller but not to any other Writable domain controllers in the domain. The originating domain controller is no longer present to replicate these objects with another Writable domain controller.
These objects on the Read-Only domain controller are called Abandoned Objects and cannot be removed as the only deletion/modification to any objects in Active Directory can be done on Writable Domain Controllers where they do not exist.
How can it happen?
Consider a situation where there are 3 Domain Controllers in the domain. The three domain controllers and their details are:
2008-RWDC1 Windows Server 2008 or R2 Writable Domain Controller
2008-RWDC2 Windows Server 2008 or R2 Writable Domain Controller
2008-RODC1 Windows Server 2008 or R2 Read-Only Domain Controller
2008-RWDC1 is down or not reachable. You create an object on 2008-RWDC2 which gets replicated to 2008-RODC1. Now before 2008-RWDC1 comes online and replicates with its partner 2008-RWDC2, something goes wrong with 2008-RWDC2 such as it crashes, cannot boot, gets demoted forcefully or formatted etc. At this point when 2008-RWDC1 comes online, you will most likely do a metadata cleanup of 2008-RWDC2 so the NTDS server references to this domain controller are removed. You may also restore the OS with Active Directory on 2008-RWDC2 from backup which may not have the object(s) that you recently created which got replicated only to 2008-RODC1. These objects will not replicate from the Read-Only domain controller to the Writable domain controller i.e. the object will not replicate from 2008-RODC1 to 2008-RWDC1.
The objects will always stay and cannot be updated/removed etc on the 2008-RODC1. If you were to create the same DN/RDN of the object on a Writable domain controller such as 2008-RWDC1 or 2008-RWDC2 (after it is recovered, re-installed etc.), these objects will cause conflict on the Read-Only domain controller 2008-RODC1 and will be renamed with CNF or have DUPLICATE value under Account tab for user accounts.
Non-Authoritative restore of 2008-RODC1 will not remove those objects either unless the backup of 2008-RODC1 does not have these objects in it. 'Database Restored from Backup' switch and a System State Backup of the Read-Only domain controller at the time these objects exist will also not work.
So, How can I remove these abandoned objects?
The only solution to remove these abandoned objects is to demote and promote the Read-Only domain controller 2008-RODC1 or to restore the backup in which these objects do not exist. However, there is no problem if these objects just stay - as in all of these cases, they are conflict objects which are renamed to include their GUID in the distinguishedName as well as sAMAccountName is set to DUPLICATE$. Ofcourse you will like to have clean and consistent information on all domain controllers, for which you will have to demote and re-promote the RODC.
Got it! :)
Excellent, this explains the issue we were having.