Solved

Synchronization problems with AD

Posted on 2007-11-27
5
175 Views
Last Modified: 2010-03-17
Greetings to all
I run an all Server 2003 network on 2003 functional level for the domain and the forrest. I have 24 sites on different locations and some of these sites might have a DC or not, depending on the number of users in the office. All sites are connected via VPN using Cisco PIX. The WAN was configured by a vendor that setup the PIX to look at the main corporate office but not at the sites. In other words, at the VPN level the WAN is a "star" network and is not a mesh network. The WAN speeds per sites varies depending on the office (some DSL other T1's etc) but the VPN is network is very stable.

This brought some challenges with the AD setup of sites. Because the KCC don't know that the only place to look is "DOMAIN1" at the Corp office I had to create individual connection links for each office rather than grouping similar connections under one link. By doing so I had minimal event viewer messages and replication was taking place.

A few months ago this DOMAIN1 crashed. That server was holding all FSMO roles. I had a DOMAIN2 in place that took over the roles of DOMAIN1. DOMAIN1 was replaced by a new server. We use same name and same IP after doing a metada cleanup. Apparently, everything was normal again. However I'm getting a bunch of KCC errors specially in the last few weeks. Events 1865, 1311 and 1566 are the order of the day!.At the moment, all but one of the 24 sites receive any changes like new user accounts, new OU's etc. Some are not replicating changes back.

My goal and my question is, based on the information provided (and I can provide more details if needed) how can ensure that I have proper synchonization put in place and that specially this one site that is not getting anyhting can be brough up to date.

I'm sure the issue can be complex so any help will be gratly appreciated!
0
Comment
Question by:menendeza
  • 3
  • 2
5 Comments
 
LVL 3

Expert Comment

by:l84work
ID: 20363804
First, remove all preferred bridgehead servers.
Then,
1.  Open "AD Sites and Services" mmc.
2.  Expand "Inter-Site Transport"
3.  Right click on IP
4.  Open Properties.
5.  Make sure "Bridge all site links" is checked.

Let KCC gerenate replication links for you.
0
 

Author Comment

by:menendeza
ID: 20364936
You bring a good point and this is my question, do I need actual connectivity between sites when using bridging? Like I said before, our network is not a fully mesh network. Is more of a star topology. We have a central hub at the corporate office (point A) and all sites connect to that site (Let's say office 1 us point B and office 2 is point C) Points B and C can talk to point A but points B and C can't talk among themselves. If I let KCC do the replication then I get a bunch of 13508 or 13509 messages saying that there is no enough connectivity among the sites because a DC in point B is trying to talk to point C but I know that those two sites can't talk to each other.
0
 
LVL 3

Expert Comment

by:l84work
ID: 20371429
Ok, i forgot your statement about VPN.  Let's take a step back...don't change replication configuration yet.

these error messages are all network related, I think.  You mentioned that they used to be ok, but problem started a few weeks ago.

Has something got change on the network?  Firewall?  Software Firewall on DC?  have you checked that all the ports required by AD and FRS are opened on the firewall?

What happens when you force a replication on a DC that's in the broken site?  Remember AD pulls changes, so you have to force it on a DC that needs to receive an update.



0
 

Author Comment

by:menendeza
ID: 20373282
Ok, I think I found the problem. Some connections links that were setup with old server were popping in these sites. A good clean up on both sides seems to restored the synchronization. I still have a couple of sites with bad connections but I'm aware of some problems with the ISP that are affecting the site. Once the situation with the ISP is corrected on these sites I don't see why everything should be back to 100%.
0
 
LVL 3

Accepted Solution

by:
l84work earned 500 total points
ID: 20380062
glad to hear you've got it figure out.  
0

Join & Write a Comment

As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
Starting in Windows Server 2008, Microsoft introduced the Group Policy Central Store. This automatically replicating location allows IT administrators to have the latest and greatest Group Policy (GP) configuration settings available. Let’s expl…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now