domain controllers cannot communicate

Posted on 2010-01-08
Last Modified: 2012-06-27
All heck broke loose this afternoon. The PDC and BDC stopped communicating and Exchange 2007 was stuck in the middle. I can force AD replication from 2 to 1, but when I try from 1 to 2 I get an error that says:

"The following error occurred during an attempt to synchronize naming context <domain> from domain controller dc1 to dc2. Replication is denied." It looked as if the PDC was not working correctly, so I tried to transfer the FSMO roles to the BDC and take the PDC offline. When I did that the BDC took the roles fine, but the PDC would not let go of them, saying that if I wanted to transfer roles I would have to connect the DCs... but they are connected. When I perform a netdiag on the Exchange server it can't find any domain controllers.

I'm not sure what happened here, but nothing seems to be talking. I have layer 1, 2, and 3 connectivity, but that seems to be where it stops. I am getting pummeled with userenv 1030 and 1058 errors as well as Exchange errors and warnings that there are no domain controllers online. I have reset the Kerberos passwords, thinking it might be an authentication error or maybe a journal wrap of some sort. I have been going blind trying to figure this one out. Any help gets my eternal gratitude.
Question by:219com
    LVL 2

    Expert Comment

    Do you have a backup of the system state? I'm sure you have played around with lots of settings, which makes it hard to give you an answer.
    It would be better to restore the system state on one server, then get your Exchange server to talk to it by changing the Directory Access tab in Exchange System Manager.
    Then restore the system state on the secondary server and attach it to the network.

    Restoring the system state will take about 10 minutes; then your system will boot up in a working state.

    Best of luck
    LVL 19

    Accepted Solution

    So, you're from an NT4 background then? :) There are no such things as 'BDCs' anymore (well, not as such), but I guess you just mean the DC that held the FSMO roles as the PDC, and a normal DC as the BDC.

    OK, just a quick clarification: if you actually seized the roles to DC2, DC1 will not 'release' them. Seizing is not the same as transferring 'gracefully'. You should not really seize roles whilst the 'source' DC is still up and on the network.

    I have little/no experience with Exchange, but I think it's important to at least try and get AD working properly again. So you NEED to get rid of DC1, as with both DCs on the network you have 2 DCs both thinking they hold all the FSMO roles (BAAAAD). So get DC1 off the network, kill it (format etc.), and run a metadata cleanup on AD to remove ALL records of DC1, as explained here:

    You will essentially be left with a single DC that is unaware DC1 ever existed. Once this is the case (and the domain is functioning properly), and DC1 has been reformatted and built afresh, you can promote it back into the domain again and, if you want, gracefully transfer the FSMO roles back to it.

    Then you should at least have a functioning domain again! But unfortunately that may not be much help, as I don't really know where Exchange fits into that equation...
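The procedure the accepted answer outlines (check who holds the roles as seen from each DC, transfer rather than seize while the source DC is still online, seize only once it is gone for good, then run a metadata cleanup so the surviving DC forgets DC1), written out as an added example. This is not code from the thread or from Microsoft; it assumes DC1 is the former role holder that will be rebuilt, DC2 is the surviving DC, the site is Default-First-Site-Name and the domain is corp.example, and it uses the classic dcdiag, repadmin and ntdsutil tools (Support Tools on Windows Server 2003, built in on 2008). Run it in an elevated prompt on DC2 as a member of Domain Admins (plus Schema Admins and Enterprise Admins for the schema and domain naming masters).

```powershell
# Added example, not from the original thread. Assumed names: DC1 (old role
# holder, to be rebuilt), DC2 (surviving DC), site Default-First-Site-Name,
# domain corp.example.

# 1. Which DC claims each FSMO role, according to EACH DC? After a seize with the
#    old holder still on the network the two answers disagree: both DCs think they
#    hold all five roles, which is the state the answer warns about.
foreach ($dc in 'DC1', 'DC2') {
    "== Role holders as seen by $dc =="
    dcdiag /s:$dc /test:KnowsOfRoleHolders /v
}
# Replication partners and last success/failure per naming context.
repadmin /showrepl DC2 /verbose

function Invoke-FsmoRoleChange {
    param(
        [ValidateSet('transfer', 'seize')] [string] $Action,
        [string] $TargetDc
    )
    # ntdsutil accepts its interactive menu commands as command-line arguments.
    # Windows Server 2003 spells the second role "domain naming master".
    $roles = 'schema master', 'naming master', 'PDC', 'RID master', 'infrastructure master'
    $cmds  = @('roles', 'connections', "connect to server $TargetDc", 'quit') +
             ($roles | ForEach-Object { "$Action $_" }) +
             @('quit', 'quit')
    & ntdsutil $cmds      # each array element is passed as a separate argument
}

# 2a. Graceful TRANSFER: use this while DC1 is up and replicating. The old holder
#     is told it no longer owns the role, so both DCs agree afterwards.
Invoke-FsmoRoleChange -Action transfer -TargetDc DC2

# 2b. SEIZE: only once DC1 is permanently off the network. ntdsutil still tries a
#     transfer first and seizes only if that fails. A seized-from DC must never be
#     reconnected without being rebuilt, or you are back to two claimants.
# Invoke-FsmoRoleChange -Action seize -TargetDc DC2

# 3. Metadata cleanup, after DC1 has been unplugged for good. On Server 2003 SP1
#    and later "remove selected server" also deletes the computer object and the
#    FRS member; on older builds delete the NTDS Settings and computer objects by
#    hand afterwards. DNS A/SRV records for DC1 and its object under Sites and
#    Services are not touched by this step and must be removed separately.
$dc1Dn = 'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example'
& ntdsutil 'metadata cleanup' 'connections' 'connect to server DC2' 'quit' `
           "remove selected server $dc1Dn" 'quit' 'quit'

# 4. Verify DC2 no longer lists DC1 as a partner or a role holder before DC1 is
#    rebuilt and promoted again.
repadmin /showrepl DC2
dcdiag /s:DC2 /test:KnowsOfRoleHolders /v
```

Step 1 is the part worth doing before anything else: if the two dcdiag reports name different holders for the same role, the answer's diagnosis (a seize with DC1 still online) is confirmed, and steps 2a and 2b become mutually exclusive rather than a matter of taste.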


    LVL 5

    Expert Comment

    At this moment I'm not sure what it might be, but something tells me you may need to reset the password of the computer account of DC2. I'm saying unsure because I have not seen the exact ERROR messages. Those are always important to prevent misinterpretations. Can you post those errors including event IDs?
    Can you also attach the DCDIAG output in TXT files for BOTH DCs? (DCDIAG /C /V /D)
    To reset the password of a DC:
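Collecting the DCDIAG output the reply asks for, and the DC computer-account password reset it refers to, as an added example rather than the poster's own instructions. Assumed: DCs named DC1 and DC2, NetBIOS domain CORP, an output folder C:\temp, and the dcdiag, repadmin, netdom and nltest command-line tools (Support Tools on Windows Server 2003, built in on 2008). The reset follows the documented sequence for a DC (stop the KDC, reset against another DC, start the KDC again); run it on the DC whose account password is being reset.

```powershell
# Added example, not from the original thread. Assumed names: DC1, DC2, domain
# CORP, output folder C:\temp. Run elevated as a Domain Admin.

New-Item -ItemType Directory -Path C:\temp -Force | Out-Null

# 1. The diagnostics requested: all tests (/c), verbose (/v), debug (/d), one
#    text file per DC (/f:), each run against the named DC (/s:).
foreach ($dc in 'DC1', 'DC2') {
    dcdiag /s:$dc /c /v /d /f:"C:\temp\dcdiag_$dc.txt"
}
# Replication state of every DC, for the same report.
repadmin /showrepl * /verbose | Out-File C:\temp\repadmin_showrepl.txt

# 2. Reset the computer account password of DC2. Run this ON DC2.
#    The KDC is stopped so DC2 stops issuing tickets under the old key while the
#    new one replicates. The reset must be made against a DC that is reachable
#    and replicating; with only two DCs that is DC1. /passwordd:* prompts for the
#    admin password instead of leaving it in the command history.
Stop-Service kdc
netdom resetpwd /server:DC1 /userd:CORP\Administrator /passwordd:*
Start-Service kdc

# 3. Confirm the secure channel from DC2 is usable again.
nltest /sc_verify:CORP
```

If nltest still reports a failed secure channel after the reset, the two DCs are not agreeing on the new secret, which points back at the replication denial quoted in the question rather than at the account itself.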

    Author Closing Comment

    Once I removed one of the DCs and made some adjustments the system came to life, thanks.
