OT: Delete Large LDAP container?

edsibone posted this 30 October 2011

Hey all,

I've been trying to delete a container in my LDS that contains 1000s of
objects. ADSIEdit seems to choke on it when I right click delete; with LDP, I
can't quite figure out the way to delete. How can I wax this container? I
would imagine the same procedure applies in AD had I had a large OU. I am about
to try admod with -treedelete but am unsure of the proper syntax...

e.g., container to delete is "Accounts"

admod -h localhost -b DC=BigDir,DC=local -treedelete CN=Accounts,DC=BigDir,DC=local

I don't have access to this server at the moment so I am just brainstorming
it to try later....

Thanks all.
-Ed.

dloder posted this 30 October 2011

See http://blog.joeware.net/2007/06/01/905/

--
http://dloder.blogspot.com
--

From: Ed Sibone <edsibone.rdy@xxxxxxxxxxxxxxxx>
To: activedir@xxxxxxxxxxxxxxxx
Sent: Thursday, August 11, 2011 8:09 AM
Subject: Re: [ActiveDir] OT: Delete Large LDAP container?

Hmm, is that a MS thing or an LDAP thing? I tried setting up the Subtree Delete control in LDP and when I go to delete it just says "Size Limit Exceeded". ADSI, sort of the same thing. Anyone know the admod syntax to dump this container?

On Wed, Aug 10, 2011 at 9:48 PM, Steve Kradel <skradel@xxxxxxxxxxxxxxxx> wrote:

> Yep, the subtree delete LDAP control is the most efficient way to do
> this. However, you will have to run it several times on a truly
> massive subtree; the command will work for a while before it gives you
> a result like, "I tried, and made progress, but am willing to do this
> for only so long."
>
> --Steve
>
> On Wed, Aug 10, 2011 at 10:41 PM, Ed Sibone <edsibone.rdy@xxxxxxxxxxxxxxxx> wrote:
>> Hey all,
>>
>> I've been trying to delete a container in my LDS that contains 1000s of
>> objects. ADSIEdit seems to choke on it when I right click delete; with LDP, I
>> can't quite figure out the way to delete. How can I wax this container? I
>> would imagine the same procedure applies in AD had I had a large OU. I am about
>> to try admod with -treedelete but am unsure of the proper syntax...
>>
>> e.g., container to delete is "Accounts"
>>
>> admod -h localhost -b DC=BigDir,DC=local -treedelete CN=Accounts,DC=BigDir,DC=local
>>
>> I don't have access to this server at the moment so I am just brainstorming
>> it to try later....
>>
>> Thanks all.
>> -Ed.
>
> List info: http://www.activedir.org/List.aspx

bdesmond posted this 30 October 2011

What is the error from admod when you run it with the -exterr switch?



Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132


DonH posted this 30 October 2011

You can indeed do it via LDP, ADSIedit, or anything else that can tree
delete, just not in one step. When you tree delete the offending container
it takes out 16k objects each time. That's seven steps for a 100,000 object
container.

Sorry that this sucks so bad. There's a long technical explanation as to
why it needed to be done in chunks and why doing the restart loop on the
server side would have been hard, but the short version is that the end user
experience is just lousy. We should have done better.

Don


edsibone posted this 30 October 2011

Well, before I got the syntax right for admod, I couldn't even get it to do
anything. Now I got it right and got the same message from joe's article:

Extended Error: 000020CD: SvcErr: DSID-030907D2, problem 5008 (ADMINLIMITEXCEEDED), data 0

It appears there is no way around this, as I see it's by design, unless I find a way
to programmatically keep hitting it till it's gone.


listmail posted this 30 October 2011

Yeah I started to change this in AdMod so that it would truly nuke the whole
subtree but then I stopped. I don't recall exactly why I did because it was
a long time ago. Possibly because I sometimes use AdFind/Mod to troubleshoot
LDAP functionality and I don't want to do too much magic in the background
because then after a time I forget the magic is happening and start assuming
things work in certain ways and then bam I get it upside the head from some
place I didn't expect. ;) Of course I could add another switch for that
like treenuke or something. People are always looking for me to add new
switches. :)



In the meanwhile, and I probably should have updated the blog entry, and
maybe I will, who knows. But you could use a simple FOR /L loop to handle
this. The usage for the FOR /L command:



FOR /L %param in (start,increment,end) do blah



So for 100K entries you could do something like



FOR /L %i in (1,1,7) do admod -b blah -deltree



And that should work for you.





Now to the actual issue. Is this for testing or something like that? I am
not sure why you would create hundreds of thousands of objects and then want
to delete them afterward, especially multiple times such that you want a
tool to do it effectively. If that is the case, then I would consider using
dynamic objects with the appropriate TTL. Then when the time comes, they
just evaporate and you don't worry about them anymore. No going back and
cleaning them up. Of course if you don't know the lifetime that makes it
tougher, you would either have to set something huge and then drop it down
to min value when ready to see them die or you could just keep extending the
TTL as needed.





joe





--

O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm

Blog: http://blog.joeware.net
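
The retry idea discussed above, as an added PowerShell example (not AdMod's code, nor anything posted in the thread): it sends the LDAP tree delete control repeatedly and stops when the container is gone, instead of guessing a FOR /L count. The server and DN are the thread's example names; the current-user bind, the timeout and the `$MaxPasses` cap are assumptions.

```powershell
# Added example: repeat an LDAP tree delete until the container is gone.
# Defaults reuse the thread's example names; adjust before use.
param(
    [string]$Server   = 'localhost',
    [string]$TargetDn = 'CN=Accounts,DC=BigDir,DC=local',
    [int]$MaxPasses   = 50   # assumed cap so a persistent failure cannot loop forever
)

Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'

$conn = New-Object "$ns.LdapConnection" $Server
$conn.SessionOptions.ProtocolVersion = 3
$conn.Timeout = [TimeSpan]::FromMinutes(10)   # each pass can run for a while
$conn.Bind()                                  # binds as the current Windows user

$deleted = $false
for ($pass = 1; $pass -le $MaxPasses -and -not $deleted; $pass++) {
    # One delete request for the container itself, with the tree delete control attached
    $req = New-Object "$ns.DeleteRequest" $TargetDn
    [void]$req.Controls.Add((New-Object "$ns.TreeDeleteControl"))
    try {
        [void]$conn.SendRequest($req)
        $deleted = $true
        Write-Host "Pass ${pass}: subtree removed."
    }
    catch {
        # PowerShell may wrap the .NET exception; walk down to the LDAP one
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.DirectoryServices.Protocols.DirectoryOperationException]) {
            $ex = $ex.InnerException
        }
        if (-not $ex) { throw }               # not an LDAP result, surface it
        $code = $ex.Response.ResultCode
        if ($code -eq [System.DirectoryServices.Protocols.ResultCode]::AdminLimitExceeded) {
            # Same condition as the ADMINLIMITEXCEEDED error quoted in the thread
            Write-Host "Pass ${pass}: admin limit exceeded, partial progress; retrying."
        }
        elseif ($code -eq [System.DirectoryServices.Protocols.ResultCode]::NoSuchObject) {
            $deleted = $true                  # already gone
        }
        else { throw }                        # access denied etc.: stop, do not retry
    }
}
$conn.Dispose()
if (-not $deleted) { throw "Gave up after $MaxPasses passes; $TargetDn still exists." }
```

Only the admin-limit result is retried; any other LDAP error, such as insufficient access rights, ends the loop immediately so a permissions problem is not hammered fifty times.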


skradel posted this 30 October 2011

Source (and a binary in the .zip) are available here:
https://github.com/skradel/Zetetic.Ldap/tree/master/Zetetic.Ldap.MassDeleter

It's really nothing fancy, just a paged search and plenty of deletes.

--Steve


listmail posted this 09 February 2012

FYI.



http://blog.joeware.net/2012/02/09/2422/






edsibone posted this 16 March 2012

whoa, right on joe! When can we expect that version to hit the public :p

Thanks!!


listmail posted this 17 March 2012

I keep getting ready to release and someone dings me with something else I
want to slip in to one or the other tool, Princess (Jorge) just recently
pinged me on getting forced recycle of objects into AdMod. Plus he has
pointed out some weirdness around removing massive numbers of members from a
group that I want to look into a little closer. But I need to get these out
the door so I may just say no more and do the final testing and ship.



joe




robertsingers posted this 18 March 2012

Maybe you can add a -jorge switch that fires up Clippy "So you appear to be trying to delete a large number of objects!"

--
Rob "bring back clippy" Singers
