Solved

Replication between two sites where tombstoned greater than 60 days

Posted on 2009-05-17
6
923 Views
Last Modified: 2012-06-21
Hi gurus,

I am in an awkward situation.

For the first time I am personally visiting a site that is set up as a child domain of our main domain.
The child is based in Australia.

I knew we had AD issues, but nothing quite like what I've walked in to.
issues I've found so far include:
- child domain Sites and Services showing incorrect data
- child domain not able to replicate with parent, or other child domain

Due to the size of the company, there is only 1 DC in the child domain.  However I have a new server to install that I want to seize all DC roles onto, and maybe use the "current old" DC as a secondary.
This DC's event viewer is full of Event IDs 1084, 1926 and 1800.

DNS is setup as the following
Parent:
Primary Zone AD
Child Domain = stub
Child:
Primary Zone AD
Parent Domain = stub

I can ping each DC from each other.
From child DC I can get to parent DC via \\servername and I can see and access shares.
From parent DC I can NOT get to child DC via \\servername, I get the error "No network provider accepted the given network path"


Sorry for the long post, and no doubt there will be more information dependent on the questions asked, I'm wondering if there is a way to force the replication so that everything from the parent DC overwrites the data on the child DC, except the site information, and then the correct site information from child replicates back to parent and overwrites any data on there.
Easier said than done I presume....

Kind Regards
LA
0
Comment
Question by:taffevans
  • 4
  • 2
6 Comments
 

Author Comment

by:taffevans
Comment Utility
To add:

Event Viewer in the UK (parent) shows Event ID's 1925 and 2042.

Sites and Services in the UK is correct, however it shows for the site "australia" that there is replication to the DC in the UK, but not from it to the Australia DC.


0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

You may be interested in this:

http://technet.microsoft.com/en-us/library/cc757610.aspx

It should allow you to replicate changes from the parent domain to the child.

I strongly advise you take a system state backup of both domains prior to following those steps.

Chris
0
 

Author Comment

by:taffevans
Comment Utility
Hi Chris, Thanks for the reply.

I think I've tracked the problem down.  There seems to be an invalid domain on the Australia "copy" of AD, when I run NTDSUTIL and do a metadata cleanup, I see an extra domain for Thailand.

I'm now only getting errors when replicating with ID 1800, and 1801, both representing that "invalid" domain

Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1801
Date:            20/05/2009
Time:            14:54:14
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      AUS-SYD-DC1
Description:
The partition DC=bangkok\0ACNF:ce60523b-c27d-4624-92f2-170b28d08be5,DC=company,DC=local should be hosted at site CN=SYDNEY,CN=Sites,CN=Configuration,DC=comapny,DC=local, but has not been instantiated yet. However, the KCC could not find any hosts from which to replicate this partition.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I have tried to remove this domain, but it seems that AD has linked it into the correct Bangkok domain.

When I run NTDSUTIL on any other domain (we have 1 parent, 3 child), I do not see this extra Bangkok domain.

Just trying to find how to "cleanse" it.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
Comment Utility

You might check for partitions if the domain is not listed at all.

I take it you followed this KB article (in spirit if not exactly :)) to remove the orphaned domain:

http://support.microsoft.com/kb/230306

It is possible to check for the partition itself (hopefully) with....

ntdsutil
Domain Management
Connections
Connect To Server <TheAUDC>
Quit
Select Operation Target
List Naming Contexts

Otherwise, fire up ADSIEdit.msc, expand Configuration and Partitions, see if the partition is listed there.

As for removing it, I'm reluctant to advise you try and delete it, if only because it's not my network and I'm not the one who will have to fix it should it make it unhappy. I haven't come across any explicit MS KB articles on it, so you may consider contacting Product Support Services (unless you're happy with any risk associated with removing the partition).

Chris
0
 

Author Comment

by:taffevans
Comment Utility
Unfortunately tried that.  Comes up with an error saying I need to connect to the Parent FSMO role holder (which is in the UK), and running NTDSUTIL on there doesn't show that odd domain.

I put in the new DC here in Aus, and removed AD from the old one.  It seemed to run OK and no errors, but the Sites and Services in UK (parent) don't show the new server.  I've removed the old one, now trying to work out how to get it seen.

I've added "Replicate with Corrupt and Divergent Partners" registry key to all servers, just to try and force it through, I can then deal with lingering objects afterwards.

In an ideal world I would of just removed the Sydney domain and started again!
0
 

Author Comment

by:taffevans
Comment Utility
I've managed to get rid of that partition by using
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/08/Lingering-objects.aspx

Was a bit tedious, but with changing "Strict Replication" to 0 and then rebooting the UK DC and the Oz DC, it finally removed that partition.

The issue (another one) now is that the UK KCC Sites and Services doesn't see the new server, I think it was because of the above issue (the new Oz DC couldn't declare itself as a GC because of that partition not being able to be replicated from anywhere).

Thanks for the pointers, slowly getting there! :)
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

Suggested Solutions

Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now