Active Directory user accounts are not replicating one way after an upgrade.

Posted on 2007-08-10
Last Modified: 2012-05-05
I was brought in to attempt to fix an issue that has appeared after a server upgrade. I wasn't involved in the initial setup, or the upgrade, so while I'll do my best to answer questions, there's a lot of information I don't have.

Before the upgrade, there were two domain controllers, STANTS2 and STANTS4, both running Windows 2000. STANTS2 was not upgraded or changed and is the PDC. STANTS4 is the Exchange server. (It was running Exchange 2003, despite being Windows 2000.) It is the one that was upgraded, or rather, replaced. The server was backed up, using Backup Exec 10d, demoted from being a DC, then shut down. A new Windows 2003 server was built and given the name STANTS4, along with the old IP address. Then, I don't know the exact order, but I hope it was in whatever order would be appropriate, Exchange was installed, it was promoted to a DC, and backups were restored for the users' home directories, Exchange, and maybe AD (or would that have just been brought back in from STANTS2?).

Old user accounts still work, and email for existing accounts works. The problem comes in when creating new accounts. Accounts that require email are created in AD on STANTS4, but those accounts never show up in AD on STANTS2, and the user cannot log in (to a workstation, or to the web-based interface for email). Accounts created on STANTS2 do show up on STANTS4, but don't have any Exchange attributes configured.

STANTS2's Directory Service event log has a lot of this:
Event ID: 1265

The attempt to establish a replication link with parameters
 Partition: CN=Schema,CN=Configuration,DC=stteresasacademy,DC=org
 Source DSA DN: CN=NTDS Settings,CN=STANTS4,CN=Servers,CN=StTeresas,CN=Sites,CN=Configuration,DC=stteresasacademy,DC=org
 Source DSA Address:
 Inter-site Transport (if any):
 failed with the following status:
 The DSA operation is unable to proceed because of a DNS lookup failure.
 The record data is the status code.  This operation will be retried.

And STANTS4's Directory Service event log has a lot of this:
Event ID: 1587

This domain controller has been restored or has been configured to host an application partition. As a result, its replication identity has changed. A partner has requested replication changes using our old identity. The starting sequence number has been adjusted.
 The destination domain controller corresponding to the following object GUID has requested changes starting at a USN that precedes the USN at which the local domain controller was restored from backup media.
Object GUID:
USN at the time of restore:
As a result, the up-to-dateness vector of the destination domain controller has been configured with the following settings.
Previous database GUID:
Previous object USN:
Previous property USN:
New database GUID:
New object USN:
New property USN:

And this:
Event ID: 1586

The Windows NT 4.0 or earlier replication checkpoint with the PDC emulator master was unsuccessful.
A full synchronization of the security accounts manager (SAM) database to domain controllers running Windows NT 4.0 and earlier might take place if the PDC emulator master role is transferred to the local domain controller before the next successful checkpoint.
The checkpoint process will be tried again in four hours.
Additional Data
Error value:
8452 The naming context is in the process of being removed or is not replicated from the specified server.

Question by: josh732
    LVL 15

    Expert Comment

    I happen to know you're getting a Windows-sy reply from someone within the next minute or two but on the Exchange side (She's asked me to chip in)

    1) You can't (shouldn't) install Exchange and then do a DCPROMO so there may well be some problems.
    2) You don't get any Exchange tabs or anything in ADU&C unless you install the Exchange System Manager onto the server. So, you will see the Exchange tabs on STANTS4 but unless you run the Exchange setup.exe on STANTS2 you won't get anything. That's normal and correct. You're confusing the schema a little. Tabs in ADU&C don't have anything to do with the schema.
    LVL 30

    Accepted Solution

    Wow.  Where to start, where to start:

    [1] "Exchange was installed, it was promoted to a DC" - if it took place in that order, this is completely unsupported by Microsoft.  Once you install Exchange you cannot change a server's domain controller status - if it was already a DC you can't demote it after an Exchange install, if it was a member server then you can't run dcpromo after you've installed Exchange.

    [2] Install the Support Tools on both DCs and run dcdiag /v and netdiag /v. Based on your description, my initial thought is that STANTS4 was either removed from the directory improperly, or else it was removed properly and then re-inserted improperly; the netdiag and dcdiag results will prove or disprove my gut instinct.

    If my hip-shot is correct, you're probably in a wipe-and-reload scenario, which might go something like this:

    *  Bring down STANTS4
    *  Perform a metadata cleanup of STANTS4 from STANTS2
    *  Seize all FSMO roles onto STANTS2.  (Is this a single-domain forest?  You didn't specify.  If this is a multi-domain forest and the forest-wide FSMOs reside elsewhere, only seize the three domain-wide FSMOs to STANTS2)
    * I would leave STANTS4 as a member server, since I wouldn't put Exchange on the same box as a DC if you paid me, but if you're intent on having it be a domain controller, re-run dcpromo to re-add it to the existing domain BEFORE installing Exchange.
    * Perform a clean install of the 2K3 operating system and perform a disaster recovery install of Exchange 2003.  
    * Recover other data as needed.

    Before resorting to that extreme measure, though, you should also confirm that DNS is working correctly and that all FSMO roles are functioning properly; again, the results of dcdiag and netdiag will be informative about both items.
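A script that follows up on the DNS angle raised above, added here as an example and not the answer's own code: for every DSA object GUID that repadmin /showrepl reports, it checks that the GUID resolves under _msdcs, which is the lookup a pulling DC performs before it can replicate from that partner, then collects the dcdiag and netdiag reports the answer asks for. It assumes it runs on a DC with the Windows Support Tools installed and, since the thread does not say, a single-domain forest so the forest root equals $env:USERDNSDOMAIN.

```powershell
# Added diagnostic example (not from the thread). For each replication partner
# listed by "repadmin /showrepl", confirm that <DSA objectGUID>._msdcs.<forest>
# resolves; that CNAME is what a DC looks up before replicating from a partner,
# so a miss here is consistent with the "DNS lookup failure" in Event ID 1265.
# Assumptions: run on a DC (e.g. STANTS2) with the Support Tools (repadmin.exe,
# dcdiag.exe, netdiag.exe) installed, and a single-domain forest so the forest
# root is the same as the machine's DNS domain.
param(
    [string]$ForestRoot = $env:USERDNSDOMAIN.ToLower()
)

# Collect the DSA object GUIDs of this DC and of every inbound partner.
$showrepl = repadmin /showrepl 2>&1 | Out-String
$guids = [regex]::Matches($showrepl, 'DSA object GUID:\s*([0-9a-fA-F-]{36})') |
    ForEach-Object { $_.Groups[1].Value.ToLower() } | Sort-Object -Unique

if (-not $guids) {
    Write-Warning "No DSA object GUIDs found; is repadmin.exe (Support Tools) installed?"
    return
}

foreach ($guid in $guids) {
    # Every DC registers <objectGUID>._msdcs.<forest root> as a CNAME to its own A record.
    $name = "$guid._msdcs.$ForestRoot"
    try {
        $entry = [System.Net.Dns]::GetHostEntry($name)
        $addrs = ($entry.AddressList | ForEach-Object { $_.IPAddressToString }) -join ', '
        Write-Host ("OK   {0} -> {1} ({2})" -f $name, $entry.HostName, $addrs)
    } catch {
        # An unresolvable partner here is what the 1265 events on STANTS2 describe.
        Write-Host ("FAIL {0}: {1}" -f $name, $_.Exception.Message)
    }
}

# Save the two reports the answer requests so they can be reviewed alongside this output.
dcdiag /v  | Out-File -FilePath "$env:TEMP\dcdiag.txt"
netdiag /v | Out-File -FilePath "$env:TEMP\netdiag.txt"
Write-Host "dcdiag/netdiag output written to $env:TEMP"
```

A FAIL line for the GUID belonging to STANTS4 (visible in the Source DSA DN of the 1265 events) would point at the _msdcs zone or at the DNS server the DC queries, rather than at the replication topology itself.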

    Author Comment

    Thanks. Unfortunately, I've been pulled off this project, to another client whose network is completely down. The guy who did the upgrade is going back in on Sunday to try to fix it, so I passed along the suggestions. I made sure to emphasize the suggestion of NOT making the Exchange server a DC. I've asked to be kept in the loop, so I'll be back to report what the solution ended up being.

    Author Comment

    Ok, quick update. The upgrade was done in the order Laura said it needed to be done in. It seems the issue was DNS related, as indicated by the error message on STANTS2.

    Author Comment

    The problem showed up after an upgrade. Laura's suggestion was based on the premise that the problem was due to the upgrade being done in the wrong order. However, the upgrade was done in the correct order (the same one Laura suggested). It turned out to be a DNS issue... Oh, wait, "you should also confirm that DNS is working correctly" I missed that. Sorry, yep, that's the solution.
