Abacus IT
asked on
Backup DC replication issues
Hello,
We had some trouble with our Exchange server the other day. It was trying to authenticate to our backup server (DNSBACKUP) and kept failing. Checked the DNS on the server, and its A record for the Exchange server was pointing to an old IP address. Went a bit further and noticed that the backup DC has not replicated from the primary DC (pe2500) for a while. It looks like it's caught in the tombstone lifetime. I tried using repadmin to perform a sync all, but I get a "target principal name is invalid" error. I tried syncing time for the hell of it:
(from dnsbackup)
net time \\pe2500
but it says access is denied.
Is there a way to get this secondary DC replicating again without demoting and repromoting it? Any help would be appreciated!!!
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DNSBACKUP
Starting test: Connectivity
......................... DNSBACKUP passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DNSBACKUP
Starting test: Replications
[Replications Check,DNSBACKUP] A recent replication attempt failed:
From PE2500 to DNSBACKUP
Naming Context: DC=DomainDnsZones,DC=pn,DC=alberttire,DC=com
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2009-07-12 11:51:38.
The last success occurred at 2008-11-03 09:58:05.
6025 failures have occurred since the last success.
[PE2500] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
[Replications Check,DNSBACKUP] A recent replication attempt failed:
From PE2500 to DNSBACKUP
Naming Context: DC=ForestDnsZones,DC=pn,DC=alberttire,DC=com
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2009-07-12 11:51:38.
The last success occurred at 2008-11-03 09:58:05.
6024 failures have occurred since the last success.
[Replications Check,DNSBACKUP] A recent replication attempt failed:
From PE2500 to DNSBACKUP
Naming Context: CN=Schema,CN=Configuration,DC=pn,DC=alberttire,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2009-07-12 11:51:38.
The last success occurred at 2008-11-03 09:58:05.
6024 failures have occurred since the last success.
[Replications Check,DNSBACKUP] A recent replication attempt failed:
From PE2500 to DNSBACKUP
Naming Context: CN=Configuration,DC=pn,DC=alberttire,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2009-07-12 12:02:29.
The last success occurred at 2008-11-03 09:58:05.
6047 failures have occurred since the last success.
[Replications Check,DNSBACKUP] A recent replication attempt failed:
From PE2500 to DNSBACKUP
Naming Context: DC=pn,DC=alberttire,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2009-07-12 12:06:53.
The last success occurred at 2008-11-03 10:10:13.
6248 failures have occurred since the last success.
REPLICATION-RECEIVED LATENCY WARNING
DNSBACKUP: Current time is 2009-07-12 12:07:34.
DC=DomainDnsZones,DC=pn,DC=alberttire,DC=com
Last replication recieved from PE2500 at 2008-11-03 09:58:05.
WARNING: This latency is over the Tombstone Lifetime of 180 days!
DC=ForestDnsZones,DC=pn,DC=alberttire,DC=com
Last replication recieved from PE2500 at 2008-11-03 09:58:05.
WARNING: This latency is over the Tombstone Lifetime of 180 days!
CN=Schema,CN=Configuration,DC=pn,DC=alberttire,DC=com
Last replication recieved from PE2500 at 2008-11-03 09:58:05.
WARNING: This latency is over the Tombstone Lifetime of 180 days!
CN=Configuration,DC=pn,DC=alberttire,DC=com
Last replication recieved from PE2500 at 2008-11-03 09:58:05.
WARNING: This latency is over the Tombstone Lifetime of 180 days!
DC=pn,DC=alberttire,DC=com
Last replication recieved from PE2500 at 2008-11-03 10:10:13.
WARNING: This latency is over the Tombstone Lifetime of 180 days!
......................... DNSBACKUP passed test Replications
Starting test: NCSecDesc
......................... DNSBACKUP passed test NCSecDesc
Starting test: NetLogons
......................... DNSBACKUP passed test NetLogons
Starting test: Advertising
......................... DNSBACKUP passed test Advertising
Starting test: KnowsOfRoleHolders
Warning: PE2500 is the Schema Owner, but is not responding to DS RPC Bind.
[PE2500] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: PE2500 is the Schema Owner, but is not responding to LDAP Bind.
Warning: PE2500 is the Domain Owner, but is not responding to DS RPC Bind.
Warning: PE2500 is the Domain Owner, but is not responding to LDAP Bind.
Warning: PE2500 is the PDC Owner, but is not responding to DS RPC Bind.
Warning: PE2500 is the PDC Owner, but is not responding to LDAP Bind.
Warning: PE2500 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: PE2500 is the Rid Owner, but is not responding to LDAP Bind.
Warning: PE2500 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
Warning: PE2500 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
......................... DNSBACKUP failed test KnowsOfRoleHolders
Starting test: RidManager
......................... DNSBACKUP failed test RidManager
Starting test: MachineAccount
......................... DNSBACKUP passed test MachineAccount
Starting test: Services
......................... DNSBACKUP passed test Services
Starting test: ObjectsReplicated
......................... DNSBACKUP passed test ObjectsReplicated
Starting test: frssysvol
......................... DNSBACKUP passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DNSBACKUP failed test frsevent
Starting test: kccevent
......................... DNSBACKUP passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 07/12/2009 11:39:09
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 07/12/2009 11:45:10
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 07/12/2009 11:46:49
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 07/12/2009 11:51:46
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 07/12/2009 12:07:34
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 07/12/2009 12:07:34
Event String: The kerberos client received a
......................... DNSBACKUP failed test systemlog
Starting test: VerifyReferences
......................... DNSBACKUP passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : pn
Starting test: CrossRefValidation
......................... pn passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... pn passed test CheckSDRefDom
Running enterprise tests on : pn.alberttire.com
Starting test: Intersite
......................... pn.alberttire.com passed test Intersite
Starting test: FsmoCheck
......................... pn.alberttire.com passed test FsmoCheck
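An added example, not part of the original post: a small parser for the Replications section of dcdiag output like the one above. It reports, per naming context, how long the inbound link has been failing and whether that exceeds the tombstone lifetime. The sample text is a trimmed excerpt of the posted output; the function names and the 180-day default are assumptions of this sketch.

```python
import re
from datetime import datetime

# Trimmed excerpt of the dcdiag output posted above (two of the five links).
SAMPLE = """\
[Replications Check,DNSBACKUP] A recent replication attempt failed:
From PE2500 to DNSBACKUP
Naming Context: DC=DomainDnsZones,DC=pn,DC=alberttire,DC=com
The replication generated an error (1256):
The failure occurred at 2009-07-12 11:51:38.
The last success occurred at 2008-11-03 09:58:05.
6025 failures have occurred since the last success.
From PE2500 to DNSBACKUP
Naming Context: DC=pn,DC=alberttire,DC=com
The replication generated an error (-2146893022):
The failure occurred at 2009-07-12 12:06:53.
The last success occurred at 2008-11-03 10:10:13.
6248 failures have occurred since the last success.
"""

FMT = "%Y-%m-%d %H:%M:%S"
BLOCK = re.compile(
    r"From (?P<src>\S+) to (?P<dst>\S+)\s+"
    r"Naming Context: (?P<nc>\S+)\s+"
    r"The replication generated an error \((?P<err>-?\d+)\):"
    r".*?The failure occurred at (?P<fail>[\d\- :]+)\."
    r".*?The last success occurred at (?P<ok>[\d\- :]+)\."
    r"\s+(?P<count>\d+) failures", re.S)

def hresult(code):
    """dcdiag prints errors as signed 32-bit; -2146893022 is 0x80090322 (SEC_E_WRONG_PRINCIPAL)."""
    return f"0x{code & 0xFFFFFFFF:08X}"

def stale_links(text, tombstone_days=180):
    """One dict per failing inbound link; age is last success to latest failure."""
    out = []
    for m in BLOCK.finditer(text):
        fail = datetime.strptime(m["fail"], FMT)
        ok = datetime.strptime(m["ok"], FMT)
        age = (fail - ok).days
        out.append({"nc": m["nc"], "source": m["src"],
                    "error": hresult(int(m["err"])), "failures": int(m["count"]),
                    "days_since_success": age,
                    "past_tombstone": age > tombstone_days})
    return out

if __name__ == "__main__":
    for link in stale_links(SAMPLE):
        print(link)
```

Run against saved dcdiag output on a schedule, a check like this surfaces a DC that has silently stopped replicating long before it crosses the tombstone lifetime.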
ASKER CERTIFIED SOLUTION
This solution is only available to members.
I agree with Tony: just blow it away and repromote the new box. It shouldn't take you long.
...by the way, that "Allow replication with divergent and corrupt partner" registry entry has been used in Microsoft interviews :)
Thanks
Mike
ASKER
I will try tonight, Tony. I'm just going to follow your first steps.
The faulty DC has to be disconnected in order to perform the demotion?
Also the metacleanup article said if dcpromo worked, I shouldn't need to be messing around in ntdsutil.
ASKER
I was more concerned with the fact that the other articles were telling me to reformat, an option we don't have time for.
ASKER
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DNSBACKUP
Starting test: Connectivity
......................... DNSBACKUP passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DNSBACKUP
Starting test: Replications
......................... DNSBACKUP passed test Replications
Starting test: NCSecDesc
......................... DNSBACKUP passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\DNSBACKUP\netlogon)
[DNSBACKUP] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
......................... DNSBACKUP failed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\pe2500.pn.alberttire.com, when we were trying to reach DNSBACKUP.
Server is not responding or is not considered suitable.
......................... DNSBACKUP failed test Advertising
Starting test: KnowsOfRoleHolders
......................... DNSBACKUP passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DNSBACKUP passed test RidManager
Starting test: MachineAccount
......................... DNSBACKUP passed test MachineAccount
Starting test: Services
......................... DNSBACKUP passed test Services
Starting test: ObjectsReplicated
......................... DNSBACKUP passed test ObjectsReplicated
Starting test: frssysvol
......................... DNSBACKUP passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DNSBACKUP failed test frsevent
Starting test: kccevent
......................... DNSBACKUP passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 07/12/2009 18:01:35
Event String: The kerberos client received a
An Error Event occured. EventID: 0x825A0011
Time Generated: 07/12/2009 18:32:50
(Event String could not be retrieved)
......................... DNSBACKUP failed test systemlog
Starting test: VerifyReferences
......................... DNSBACKUP passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : pn
Starting test: CrossRefValidation
......................... pn passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... pn passed test CheckSDRefDom
Running enterprise tests on : pn.alberttire.com
Starting test: Intersite
......................... pn.alberttire.com passed test Intersite
Starting test: FsmoCheck
......................... pn.alberttire.com passed test FsmoCheck
ASKER
Looks good now. Let me know if that followup snippet has anything to worry about.
Not true about 'messing around with ntdsutil'. This is only true if you didn't use the /forceremoval switch, and performed it on a DC which isn't having replication problems.
You MUST perform all the steps I posted earlier. You did not gracefully remove the server with dcpromo, which is why you have to perform the additional steps.
ASKER
Thanks a bunch!
http://www.servernewsgroup
There is a reg fix posted by Ace Fekay to force replication to a tombstoned DC. I can't say I've done it or that it's completely suitable for your exact situation, and frankly I wouldn't do it myself! In the long run it's much safer to just do as I posted above, at least in my opinion! :-)