Verify replication

Posted on 2009-12-30
Medium Priority
Last Modified: 2012-05-08
Hi Experts,

Two DCs & Two sites (one DC per site). The DC at HQ (ie FSMO role holder) has not replicated its AD to the other DC because of connectivity issue (more than 3 mths). The DC at HQ is most up-to-date and when connectivity is back online, how do i ensure that the 2nd DC replicate from HQ DC and NOT vice versa?

thanks in advance.  
Question by:kenny_klbn
LVL 17

Expert Comment

by:Premkumar Yogeswaran
ID: 26151736
This exceeds the Tombstone Lifetime period.

You run Replmon, repadmin, DCDiag and Netdiag

and post the error over here...!
LVL 17

Expert Comment

by:Premkumar Yogeswaran
ID: 26151755
Check this link to trouble shoot replication...!

LVL 17

Expert Comment

by:Premkumar Yogeswaran
ID: 26151758
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Accepted Solution

ChandarS earned 2000 total points
ID: 26153634
As of my experience in this filed I recommend you to check the FSMO role must be on Good DC and demote and promote the Tombstone DC.

If you follow any other methods to fix the issue you may get the some other issue related to Active Directory replication and lingering object in near feature. It will not rectify all the stuff.

For more Reference check the below link

Chandar Singh
LVL 39

Expert Comment

ID: 26154985
Hi, good advice, so far:

So, I am going to monitor this question.

You will have a tombstoned server.

You will have to correct the tombstoned server. But before doing so, you will need to figure out what caused the site-to-site disconnect between them. I would start with your site-to-site connection and how DNS is working from one site to the other.

I would start with DNS troubleshooting. Until DNS is fixed, you will not be able to promote within the domain. Instead, it will become a second domain with the same domain name. These servers will need to see each other's SRV records in DNS to replicate and be on the same domain.


Expert Comment

ID: 26163539

There is no need to demote and promote the DC, I would consider that the last option. We can deal with this situation with a flick of few registry changes.
First of all, I am assuming that the DCs are Windows 2003.
You need to create a registry DWORD on the HQ DC under :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters called "Strict Replication Consistency" without quotes.
Give it a value of 1.
Now Create another DWORD value in same location called :
"Allow Replication With Divergent and Corrupt Partner" without quotes.

(As you have told that you only have two DCs, both of them will be tombstoned with each other, you have to make these registry changes on both the DCs one by one and the force the replication)
Now you will see lingering objects warning. Event 1988 (most probably on the HQ DC).

To remove lingering objects, run this command:

repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition

you can use the /advisory_mode swith to first see how many lingering objects are there.

(Lingering objects are the objects that were deleted from the domain but are still present in the DC which was offline and now is trying to replicate them back to the domain).

Enable strict replication consistency:

Use Repadmin to remove lingering objects:


Author Comment

ID: 26164716
Hi all,

thank you for the comments and suggestions. Before i proceed with any of the above recommendations, may i ask how to verify the following:
When was the last time (day & time) the second DC successfully replicated with the HQ DC?

thanks in advance.

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question