Solved

Is it safe to demote a server with replication problems

Posted on 2009-05-06
Last Modified: 2012-05-06
I have two servers at a site I have recently inherited..

SBS server
terminal server that is also an AD server

I wish to demote the terminal server (for various reasons) but at the moment replication is only working in one direction, and I am getting Kerberos errors on the SBS server and all workstations can't browse by UNC.

A lot of suggested solutions to my problem suggest reinstalling AD - I assume on the SBS - which I don't want to do as I know SBS can be a bitch.

For the time being I would really like to resolve the problem (security and browsing) and then later demote the Terminal.
Question by:wolfcamel
13 Comments
 
LVL 16

Expert Comment

by:speshalyst
ID: 24313913
Can you post the error you get in the SBS server's event logs?
0
 
LVL 20

Author Comment

by:wolfcamel
ID: 24314048
Sure - I am just rebooting it at the moment..
I had this issue http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx 
a week or two ago, and I have just noticed that the registry changes I made to fix this were no longer there - so I have redone these (on both servers for good measure) and am rebooting. Otherwise I will post the errors after it boots up.  Thanks
0
 
LVL 20

Author Comment

by:wolfcamel
ID: 24314282
ok some of the errors.. (because they are still there)
when browsing from terminal
\\sbsserver  logon failure the target account name is incorrect

if I try to manually replicate
on the terminal, right click on the sbs replicate now..
"cannot replicate since the last replication has exceeded the tombstone lifetime"
however if I go to the sbs server and replicate from the terminal this says ok

When I tried to browse by UNC the SBS server logs a security error Event ID 529, Unknown user name or bad password, Kerberos

I will give you some more info shortly
0
 
LVL 20

Author Comment

by:wolfcamel
ID: 24314341
the terminal server has an error in the directory service log..
Event ID 2042
It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two machine's views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted.
Time of last successful replication:
2008-04-03 11:01:52
Invocation ID of source:
06e2f6c8-f6b8-06e2-0100-000000000000
Name of source:
72c3a91e-f18c-4f92-b917-6d5554d5bf62._msdcs.internal.local
Tombstone lifetime (days):
180

User Action etc..
Might look into some of these steps
0
 
LVL 20

Author Comment

by:wolfcamel
ID: 24314609
netdiag /test:dns

from the terminal fails :  the DNS entries for this DC are not registered correctly
[FATAL] no DNS servers have the DNS records for this DC registered.

from the SBS
test passes
DNS shows an A record for the terminal with the correct IP
0
 
LVL 20

Author Comment

by:wolfcamel
ID: 24314657
REPADMIN /showrep *  (Run from the terminal) (note the SBS is called cool and the terminal is called BOB - I didn't name them!)


Default-First-Site-Name\COOL
DC Options: (none)
Site Options: (none)
DC object GUID: 847245f7-456f-4879-ab9c-cece6affcd6d
DC invocationID: 05f5793c-c871-4dd4-a5ba-66ce4a599247

==== INBOUND NEIGHBORS ======================================

DC=internal,DC=local
    Default-First-Site-Name\BOB via RPC
        DC object GUID: 72c3a91e-f18c-4f92-b917-6d5554d5bf62
        Last attempt @ 2009-05-06 21:41:11 failed, result 8614 (0x21a6):
            Can't retrieve message string 8614 (0x21a6), error 1815.
        5090 consecutive failure(s).
        Last success @ 2009-04-03 11:01:52.

CN=Configuration,DC=internal,DC=local
    Default-First-Site-Name\BOB via RPC
        DC object GUID: 72c3a91e-f18c-4f92-b917-6d5554d5bf62
        Last attempt @ 2009-05-06 21:28:48 was successful.

CN=Schema,CN=Configuration,DC=internal,DC=local
    Default-First-Site-Name\BOB via RPC
        DC object GUID: 72c3a91e-f18c-4f92-b917-6d5554d5bf62
        Last attempt @ 2009-05-06 21:28:48 was successful.

Source: Default-First-Site-Name\BOB
******* 5088 CONSECUTIVE FAILURES since 2009-04-03 11:01:52
Last error: 8614 (0x21a6):
            Can't retrieve message string 8614 (0x21a6), error 1815.
0
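As an added example (not part of the original thread, and not the poster's or Microsoft's code): a small Python parser for the inbound-neighbor section of the repadmin output above. It lists the links whose last attempt failed and attaches the standard Win32 meaning of the codes repadmin could not resolve in this thread (8614 here, 8440 in a later comment). The function name `failing_links` and the abridged sample text are assumptions for illustration.

```python
import re
from datetime import datetime

# Standard Win32 meanings of the codes repadmin could not resolve in the thread.
DS_ERRORS = {
    8614: "time since last replication exceeded the tombstone lifetime",
    8440: "naming context specified for the operation is invalid",
}
# Sample input, abridged from the repadmin output posted in the thread.
SAMPLE = r"""
DC=internal,DC=local
    Default-First-Site-Name\BOB via RPC
        Last attempt @ 2009-05-06 21:41:11 failed, result 8614 (0x21a6):
            Can't retrieve message string 8614 (0x21a6), error 1815.
        5090 consecutive failure(s).
        Last success @ 2009-04-03 11:01:52.

CN=Configuration,DC=internal,DC=local
    Default-First-Site-Name\BOB via RPC
        Last attempt @ 2009-05-06 21:28:48 was successful.
"""
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
PATTERNS = {
    "partner": re.compile(r"^\s+(\S+\\\S+) via RPC"),
    "failed": re.compile(r"Last attempt @ " + TS + r" failed, result (\d+)"),
    "count": re.compile(r"(\d+) consecutive failure"),
    "last_success": re.compile(r"Last success @ " + TS),
}

def failing_links(text):
    """Return one dict per inbound replication link whose last attempt failed."""
    links, nc, cur = [], None, {}
    for line in text.splitlines():
        if re.match(r"(DC|CN)=", line):            # unindented naming-context line
            nc = line.strip()
        elif m := PATTERNS["partner"].search(line):
            cur = {"nc": nc, "partner": m.group(1), "code": None}
            links.append(cur)
        elif m := PATTERNS["failed"].search(line):
            cur["attempt"], cur["code"] = m.group(1), int(m.group(2))
            cur["meaning"] = DS_ERRORS.get(cur["code"], "unknown")
        elif m := PATTERNS["count"].search(line):
            cur["failures"] = int(m.group(1))
        elif (m := PATTERNS["last_success"].search(line)) and "attempt" in cur:
            t0, t1 = (datetime.strptime(s, "%Y-%m-%d %H:%M:%S") for s in (m.group(1), cur["attempt"]))
            cur["days_since_success"] = (t1 - t0).days
    return [link for link in links if link["code"] is not None]
```
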

 
LVL 16

Accepted Solution

by:
speshalyst earned 500 total points
ID: 24314903
guess we have a host of problems... :)  
For Event 2042.. please look at the various causes.. and resolution
http://eventid.net/display.asp?eventid=2042&eventno=3428&source=NTDS%20Replication&phase=1
 For DNS related errors.. check this thread..
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22822479.html 
0
 
LVL 20

Author Comment

by:wolfcamel
ID: 24315235
trying to use repadmin /removelingeringobjects as follows
repadmin /removelingeringobjects cool 847245f7-456f-4879-ab9c-cece6affcd6d DC=internal,DC=local,DC=com /advisory_mode

but get
DsReplicaVerifyObjectsW() failed with status 8440 (0x20f8):
    Can't retrieve message string 8440 (0x20f8), error 1815.

not sure if I have the format correct?
0
 
LVL 20

Author Comment

by:wolfcamel
ID: 24315715
ok - finally deciphered the way to use removelingeringobjects, adjusted the registries and now replication works each way - and I have tested by creating a test OU on each server and it shows up on the other.

Now to sort the DNS business out as I still can't browse by \\sbs

but I will reboot first in case the replication solves things
0
 
LVL 20

Author Comment

by:wolfcamel
ID: 24315756
awesome.. I didn't even need to reboot - just had to wait a little longer.

I might still reboot because I never trust anything - but Outlook and UNC browsing is now working from the Terminal. So I am optimistic!

Thanks for the help anyway.
0
 
LVL 20

Author Comment

by:wolfcamel
ID: 24315880
the netdiag /test:DNS still suggests that the DNS server doesn't have the terminal registered correctly - but as I intend to demote it soon (which I assume I can do safely now they are replicating) I am not too worried.
0
 
LVL 16

Expert Comment

by:speshalyst
ID: 24315932
All the signs seem to be positive .. so far.. leave it running for some time..
let's see how it goes..
 
0
 
LVL 20

Author Closing Comment

by:wolfcamel
ID: 31578422
the link re event 2042 is one of many you can find on Google that will lead you in the right direction to solving this problem, although the solution accepted isn't specifically the solution it is certainly the most help I got with this one. Thank you
0
