domain controllers cannot communicate

All heck broke loose this afternoon. The PDC and BDC stopped communicating and Exchange 2007 was stuck in the middle. I can force AD replication from 2 to 1 but when I try from 1 to 2 I get an error that says:

"The following error occurred during an attempt to synchronize naming context <domain> from domain controller dc1 to dc2. Replication is denied." It looked as if the PDC was not working correctly so I tried to transfer FSMO roles to the BDC and take the PDC offline. When I did that the BDC took the roles fine but the PDC would not let go of them, saying that if I wanted to transfer roles I would have to connect the DCs... but they are connected. When I perform a netdiag on the Exchange Server it can't find any domain controllers.

I'm not sure what happened here, but nothing seems to be talking. I have layer 1, 2, and 3 connection but that seems to be where it stops. I am getting pummeled with userenv 1030 and 1058 errors as well as Exchange errors and warnings that there are no domain controllers online. I have reset the Kerberos passwords thinking it might be an authentication error or maybe a journal wrap of some sort possibly. I have been going blind trying to figure this one out. Any help gets my eternal gratitude.
PeteJThomas Commented:
So, you're from an NT4 background then? :) There are no such things as 'BDC's anymore (well, not as such), but I guess you just mean the DC that held the FSMO roles as the PDC, and just a normal DC as the BDC.

Ok, just a quick clarification - If you actually seized the roles to DC2, DC1 will not 'release' them - Seizing is not the same as transferring 'gracefully' - You should not really seize roles whilst the 'source' DC is still up and on the network.

I have little/no experience with Exchange, but I think it's important to at least try and get AD working properly again. So you NEED to get rid of DC1, as with both DCs on the network, you have 2 DCs both thinking they have all the FSMO roles (BAAAAD). So get DC1 off the network, kill it (format etc), and run a meta data cleanup on AD to remove ALL records of DC1, as explained here:

You will essentially be left with a single DC, that is unaware that DC1 ever existed. Once this is the case (and the domain is functioning properly), and DC1 has been reformatted and built afresh, you can promote it back into the domain again, and if you want, gracefully transfer the FSMO roles back to it.

Then you should have at least a functioning domain again! But unfortunately that may not be much help, as I don't really know where Exchange fits in to that equation...
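The "two DCs both thinking they hold all the FSMO roles" condition described above can be confirmed from a management box before anything is torn down. The following is an added example, not code from the thread or from any participant; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the DC names dc1 and dc2 (taken from the question) resolve. It asks each DC separately which server it believes holds every role and flags any role on which the DCs disagree.

```powershell
# Added example: compare each DC's view of the FSMO role holders.
# Assumes the ActiveDirectory module is available and both DC names resolve.
param(
    [string[]]$DomainControllers = @('dc1', 'dc2')   # DC names from the question; adjust to yours
)
Import-Module ActiveDirectory

$domainRoles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'   # held per domain
$forestRoles = 'SchemaMaster', 'DomainNamingMaster'                  # held per forest
$view = @{}   # role name -> @{ dcQueried = ownerThatDcReports }

foreach ($dc in $DomainControllers) {
    try {
        # -Server binds the query to one specific DC instead of any DC the locator picks
        $domain = Get-ADDomain -Server $dc -ErrorAction Stop
        $forest = Get-ADForest -Server $dc -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
        continue
    }
    foreach ($r in $domainRoles) {
        if (-not $view.ContainsKey($r)) { $view[$r] = @{} }
        $view[$r][$dc] = $domain.$r
    }
    foreach ($r in $forestRoles) {
        if (-not $view.ContainsKey($r)) { $view[$r] = @{} }
        $view[$r][$dc] = $forest.$r
    }
}

# One line per role: CONFLICT when the queried DCs name different owners,
# which is what a seize performed while the old holder was still online produces.
foreach ($r in ($domainRoles + $forestRoles)) {
    if (-not $view.ContainsKey($r)) { continue }   # no DC answered at all
    $owners = @($view[$r].Values | Sort-Object -Unique)
    $status = if ($owners.Count -gt 1) { 'CONFLICT' } else { 'ok' }
    $detail = ($view[$r].GetEnumerator() | ForEach-Object { "$($_.Key) says $($_.Value)" }) -join '; '
    '{0,-22} {1,-9} {2}' -f $r, $status, $detail
}
```

A CONFLICT row means the two DCs will never reconcile on their own, which is why the post above says one of them has to leave the domain and be cleaned out of the metadata rather than simply reconnected.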


Do you have backup for system state?? I'm sure you have played around with lots of settings which makes it hard to give you an answer.
It will be better to restore system state on one server then get your Exchange server to talk to it by changing the directory access tab in Exchange System Manager.
Then restore system state on the secondary server & attach it to the network.

Restoring system state will take about 10 minutes, then your system will boot up with working state.

Best of luck
At this moment I'm not sure what it might be but something tells me you may need to reset the password of the computer account of DC2. I'm saying unsure, because I have not seen the exact ERROR messages. Those are always important to prevent misinterpretations. Can you post those errors including event IDs?
Can you also attach a DCDIAG output in TXT files of BOTH DCs? (DCDIAG /C /V /D)
To reset the password of a DC:
219com Author Commented:
Once I removed one of the DCs and made some adjustments the system came to life, thanks.