Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 536
  • Last Modified:

Active Directory Replication Issues

I'm having trouble with our Active Directory Servers. The changes I make on the backup with Exchange on it is not replicating to the primary, or the other way around. How do I force replication between the two servers?
0
DuNuNuBatman
Asked:
DuNuNuBatman
  • 7
  • 6
  • 3
  • +1
1 Solution
 
Jay_Jay70Commented:
fyou can force on the conneciton links in AD sites and services....dcdiag will tell you whats going on though
0
 
SKTRNCommented:
Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in.
Expand the Sites branch to show the sites.
Expand the site that contains the DCs. (The default site Default-First-Site-Name might be the only site.)
Expand the servers.
Select the server you want to replicate to, and expand the server.
Double-click NTDS Settings for the server.
Right-click the server you want to replicate from.
Select Replicate Now from the context menu, as the Screen shows.
Click OK in the confirmation dialog box.
This replication is one-way. If you want two-way replication, you need to replicate in each direction.
0
 
SKTRNCommented:
I would use the command repadmin /showrepl to view status
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
MSE-dwellsCommented:
If you're able, download and run the following script, it will assist in identifying whether or not your DCs are converged -

ftp://falcon.msetechnology.com/scripts/convergeCheck.cmd.txt

Sample output -

C:\>convergecheck /exclude \DCstoExclude.exc

convergeCheck v1.2 / Dean Wells (email address removed - Jay) - July 2007

- No DN was supplied, use "dc=MSET,dc=LOCAL" [Y/N]?y

+ Processing ...

 = Initiated at 11:21:33.50 on Fri 10/12/2007

   - Domain name : MSET.LOCAL
   - Domain DN   : dc=MSET,dc=LOCAL
   - Canary DN   : dc=MSET,dc=LOCAL
   - Exclude file: \DCstoExclude.exc

Querying for USNs and canary metadata ... complete.

 Displaying detailed convergence results -

   SOURCE: falcon.mset.local [canary USN @ 299923]
    + light.mset.local ............. CONVERGED

   SOURCE: light.mset.local [canary USN @ 184321]
    + falcon.mset.local ............ CONVERGED

 Results complete; summary as follows -

 = Initiated at 11:21:33.50 on Fri 10/12/2007
 = Completed at 11:21:36.25 on Fri 10/12/2007

   - Domain name : MSET.LOCAL
   - Domain DN   : dc=MSET,dc=LOCAL
   - Canary DN   : dc=MSET,dc=LOCAL
   - Exclude file: \DCstoExclude.exc

   + 3 Domain Controllers were found in the Domain
     - 1 Domain Controller[s] administratively excluded
     - 2 possible convergence scenario[s] determined
     - 2 of which have converged

- Done.
0
 
DuNuNuBatmanAuthor Commented:
Here is the output I get when I run dcdiag


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site\EXCHANGE
      Starting test: Connectivity
         ......................... EXCHANGE passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site\EXCHANGE
      Starting test: Replications
         [Replications Check,EXCHANGE] A recent replication attempt failed:
            From PRINTSERVER to EXCHANGE
            Naming Context: CN=Schema,CN=Configuration,DC=pcfloans,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2007-10-12 09:59:20.
            The last success occurred at 2003-02-21 21:51:58.
            286 failures have occurred since the last success.
         [Replications Check,EXCHANGE] A recent replication attempt failed:
            From PRINTSERVER to EXCHANGE
            Naming Context: CN=Configuration,DC=pcfloans,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2007-10-12 10:06:31.
            The last success occurred at 2003-02-21 21:57:28.
            760 failures have occurred since the last success.
         [Replications Check,EXCHANGE] A recent replication attempt failed:
            From PRINTSERVER to EXCHANGE
            Naming Context: DC=pcfloans,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            The failure occurred at 2007-10-12 10:10:59.
            The last success occurred at 2003-02-21 22:05:19.
            2247 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         EXCHANGE:  Current time is 2007-10-12 10:14:21.
            CN=Schema,CN=Configuration,DC=pcfloans,DC=local
               Last replication recieved from PRINTSERVER at 2003-02-21 21:51:58.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            CN=Configuration,DC=pcfloans,DC=local
               Last replication recieved from PRINTSERVER at 2003-02-21 21:57:28.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            DC=pcfloans,DC=local
               Last replication recieved from PRINTSERVER at 2003-02-21 22:05:19.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
         ......................... EXCHANGE passed test Replications
      Starting test: NCSecDesc
         ......................... EXCHANGE passed test NCSecDesc
      Starting test: NetLogons
         ......................... EXCHANGE passed test NetLogons
      Starting test: Advertising
         ......................... EXCHANGE passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... EXCHANGE passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... EXCHANGE passed test RidManager
      Starting test: MachineAccount
         ......................... EXCHANGE passed test MachineAccount
      Starting test: Services
         ......................... EXCHANGE passed test Services
      Starting test: ObjectsReplicated
         ......................... EXCHANGE passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... EXCHANGE passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... EXCHANGE failed test frsevent
      Starting test: kccevent
         An Error Event occured.  EventID: 0xC00007FA
            Time Generated: 10/12/2007   10:04:02
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00007FA
            Time Generated: 10/12/2007   10:06:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00007FA
            Time Generated: 10/12/2007   10:06:35
            (Event String could not be retrieved)
         ......................... EXCHANGE failed test kccevent
      Starting test: systemlog
         ......................... EXCHANGE passed test systemlog
      Starting test: VerifyReferences
         ......................... EXCHANGE passed test VerifyReferences
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : pcfloans
      Starting test: CrossRefValidation
         ......................... pcfloans passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... pcfloans passed test CheckSDRefDom
   
   Running enterprise tests on : pcfloans.local
      Starting test: Intersite
         ......................... pcfloans.local passed test Intersite
      Starting test: FsmoCheck
         ......................... pcfloans.local passed test FsmoCheck


I'm looking at the tombstone lifetime part. How do I fix that?
0
 
SKTRNCommented:
Sounds like you may have an issue with your timeserver.
To force replication now you have to edit the registry.
Add this key and set the value to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner

See this article for more information:
http://technet2.microsoft.com/windowsserver/en/library/34c15446-b47f-4d51-8e4a-c14527060f901033.mspx?mfr=true
0
 
MSE-dwellsCommented:
SKTRN is correct but be aware that blindly implementing this setting can cause far worse a problem than the one you're currently dealing with.
0
 
MSE-dwellsCommented:
This is a deliverate replication block on Microsoft' part ... the 2 DCs haven't spoken for a period of time that is longer than they'll keep deleted objects for, as such, any deleted object that originated on either DC will not be deleted from the other resulting in something we call 'lingering objects'.

I would recommend that you first determine the cause of the replication failure before permitting such divergent DCs to talk again.  It's usually related to DNS and merely that the source server referenced by DCDIAG has been forcibly removed or simply thrown away.
0
 
SKTRNCommented:
Agreed there are some definite chances for problems.  I would verify that the AD information on the server showing as out of sync does not contain any outdated or lingering information.
0
 
DuNuNuBatmanAuthor Commented:
I think I know what it was. I recently moved the servers and noticed that the time on the domain controller was set to the year 97. So the cmos battery had gone bad so the time had reset. I think that is what caused this in the first place, because they were functioning fine before.
0
 
MSE-dwellsCommented:
Preface the supplied script with -

[BEGIN SCRIPT]
set /a NUM=%1 + 1 2>nul && (
        echo It's a number
        REM continue processing
) || (
        echo Nope, that's garbage to me
        REM End your script here
)
[END SCRIPT]
0
 
SKTRNCommented:
Very likely, I have seen the same in the past.  I would still verify AD information, then verify time is updating correctly and staying in sync.  Then use the registry setting.
0
 
MSE-dwellsCommented:
Please disregard previous post -- sooooooooooo obviously and entirely the wrong thread :0)
0
 
MSE-dwellsCommented:
If time is out of whack then you'll need to ensure the machine with the back CMOS battery isn't serving as a time source.  If you're positive things were fine beforehand (within tombstone lifetime), them implement the setting per SKTRN on the DC where you ran the DCDIAG command ... ensure it's time is fixed first.
0
 
DuNuNuBatmanAuthor Commented:
Yea, I had fixed the time when I moved it but didn't notice the issue until I had to add a new user. It looks like they are replicating fine now though. I just added and deleted some users and it was showing up on the other server as well.

So, thanks for the help guys!
0
 
SKTRNCommented:
Congrats on getting it up and going.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 7
  • 6
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now