ADLDS cleanup in DRA

I'm using DRA 9.1 and 9.2 and seem to have a lot of orphaned items in the ADLDS instance. The cleanup schedule is enabled. My understanding is that when you create a virtual attribute for an object, an ADLDS entry is created with CN=<ADDS Object GUID>. As such, when I look at a given entry in ADLDS I should be able to determine the corresponding object in ADDS by the cn attribute. So I have hundreds of objects in the NetIQ DRA ADLDS instance with no corresponding item in ADDS.

Why would this be, and how do I clean up?

  • Hello,

    You might need to check the DRA Health Check Utility and the Windows ADAM event log for any ADLDS errors. You may have replication or FSMO role issues. When those occur, the directory will protect its integrity and limit certain actions. You will need to start with the Primary DRA Server, and then check the others.

    The Clean Up job should delete objects under CN=DRAVARoot,DC=DRA,DC=COM which no longer have a corresponding object in the DRA cache, i.e. where the object GUID matches the Name of the ADLDS object. If the object still exists within the DRA Cache, the clean up job would not remove it from ADLDS.

    Should you have technical issues with the DRA ADLDS Clean up job, please feel free to open a support case via the Customer Portal: https://portal.microfocus.com/s/?language=en_US

  • Thanks for the info! I ran this simple code to find orphaned computer objects, i.e. where the name attribute of the DRA ADLDS object does not match a computer objectGUID in ADDS. I found 10 such:

    $draServer = 'myserver'
    $draPort = '50000'
    # Server:port of the DRA ADLDS instance (backtick escapes the colon so $draServer is not read as a drive)
    $draADLDS = "$draServer`:$draPort"
    # Every DRA-Computer entry under the DRA virtual-attribute root
    $adldsComputers = Get-ADObject -Server $draADLDS -LDAPFilter '(objectClass=DRA-Computer)' -SearchScope Subtree -SearchBase 'CN=DRAVARoot,DC=DRA,DC=COM'
    Write-Host "ADLDS Computers: $($adldsComputers.Count)"
    foreach ($c in $adldsComputers) {
        try {
            # The ADLDS Name holds the ADDS objectGUID wrapped in braces; strip them
            [string]$guid = $c.Name
            $guid = $guid -replace '{', ''
            $guid = $guid -replace '}', ''
            # -ErrorAction Stop makes a missing object a terminating error so the catch block runs
            Get-ADComputer -Identity $guid -ErrorAction Stop | Out-Null
        } catch {
            Write-Error "Oops! Can't find ADDS object: $guid"
        }
    }
    How would I check if there is an object in the cache? Surely the cache must match back to ADDS though?
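A report-only variant of the check above, added here as an example (it is not code from the thread, from NetIQ or from Micro Focus). It assumes what the thread states: the DRA ADLDS instance listens on the server and port in `$draServer`/`$draPort` (placeholders), and every object under CN=DRAVARoot,DC=DRA,DC=COM carries the ADDS objectGUID in braces in its Name. It generalises the poster's script to every DRA object class under the root, distinguishes "not found" from other lookup errors (replication or permission problems should not be mistaken for orphans), and writes a CSV instead of deleting anything, so the list can be compared with what the scheduled cleanup job or support actually removes.

```powershell
# Added example, not the thread's or the product's code.
# Assumptions: $draServer/$draPort are placeholders for your DRA ADLDS instance; objects under
# $draRoot have Name = "{<ADDS objectGUID>}" as described in the thread; the running account
# has read access to both ADLDS and ADDS. This script only reports, it never deletes.
Import-Module ActiveDirectory

$draServer = 'myserver'                       # placeholder
$draPort   = 50000                            # default DRA ADLDS port used in the thread
$draADLDS  = '{0}:{1}' -f $draServer, $draPort
$draRoot   = 'CN=DRAVARoot,DC=DRA,DC=COM'

function Get-DraOrphanReport {
    param(
        [string]$Server      = $draADLDS,
        [string]$SearchBase  = $draRoot,
        # Restrict to one DRA class such as 'DRA-Computer'; '*' covers every class under the root.
        [string]$ObjectClass = '*'
    )
    $ldsObjects = Get-ADObject -Server $Server -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter "(objectClass=$ObjectClass)" -Properties whenChanged

    foreach ($o in $ldsObjects) {
        # Skip the root container and anything whose Name is not a GUID.
        $name = $o.Name -replace '[{}]', ''
        $guid = [guid]::Empty
        if (-not [guid]::TryParse($name, [ref]$guid)) { continue }

        $status = 'Present'
        $addsDn = $null
        try {
            # Look up by GUID rather than Get-ADComputer so non-computer classes are covered too.
            $addsObj = Get-ADObject -Identity $guid -ErrorAction Stop
            $addsDn  = $addsObj.DistinguishedName
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            $status = 'Orphaned'
        } catch {
            # Anything else (no domain controller reachable, access denied, ...) is not an orphan.
            $status = "Error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            LdsDistinguishedName  = $o.DistinguishedName
            LdsObjectClass        = $o.ObjectClass
            LdsWhenChanged        = $o.whenChanged
            AddsObjectGuid        = $guid
            AddsDistinguishedName = $addsDn
            Status                = $status
        }
    }
}

$report = Get-DraOrphanReport
# Summary per status, then the orphan list for comparison with the cleanup job's results
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object Status -eq 'Orphaned' |
    Export-Csv -Path ".\dra-adlds-orphans-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it once before and once after the scheduled cleanup window: entries that stay `Orphaned` across both runs are the ones worth raising with support, while a large `Error:` count points at the replication or connectivity problems the first reply mentions rather than at the cleanup job itself.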
  • Suggested Answer

    If you are still having issues with the DRA ADLDS Clean up job and/or orphaned objects within LDS, please open a Technical SR. Support will be able to work with you on the technical issues.