Solved

Fixing DNS Replication issues

Posted on 2011-03-22
4
1,833 Views
Last Modified: 2012-05-11
A previous network engineer Added a new server to our Domain about a year ago prior to me arriving. This server was then promoted to a DC.  We have two different Site locations but one Domain (2003) in a single forest (2000).  The original DC holding the FSMO roles are located in the other site.  The DC the new server replaced was then removed from site 2.  I've been working on cleaning up DNS entries over the past few months and users have reported they have been having website loading issues for a year now.  This can be reproduced on all machines except the DC in site 2.  The issue does not affect Site 1.  The website will almost always fail to load the 1st time, even simple sites such as google.com.  If they are able to download a file it will download fast without any issues though.  This seems to be a replication issue between AD on the two DC's.

Running DCDiag reports:

      Starting test: Replications
         [Replications Check,CCHSDL380] A recent replication attempt failed:
            From CCSMS-FS1 to CCHSDL380
            Naming Context:
            DC=DomainDnsZones,DC=ccs,DC=calvinchristian,DC=local
            The replication generated an error (8606):
            Insufficient attributes were given to create an object. This object
may not exist because it may have been deleted and already garbage collected.

            The failure occurred at 2011-03-22 10:09:09.
            The last success occurred at (never).
            22455 failures have occurred since the last success.
         ......................... CCHSDL380 failed test Replications


Repadmin reports the same issue.  

In DNS the records in both zones are incorrect and don't show records from either zone that have been added within the past year.

When running NTDSUTIL Metadata cleanup the old DC is not listed.  From all of the helpful information on this site it seems that one of the only ways to resolve this issue is to DCPROMO /forceremoval then to rejoin it back as a DC.

Is there any alternative that can be done to resolve this issue?  

The current DC OS's are as follows:

Site 1: 2003R2
Site 2: 2008R2
Sites are VPN connected through their Firebox's
0
Comment
Question by:bminetwork2277
  • 3
4 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 35195813
There's likely a fair bit to do here since the original forest was 2000 and has been subsequently upgraded.

Before I start walking you through what should be done, I'd like the following logs so I can be sure Directory Services is functioning properly.

On both DCs:

From a CMD window - run DCDIAG /v > c:\{servername}.txt  <= where servername is the name of the machine you're running it on.

Scrub any private info but not to the extent that it makes the log unhelpful.

Attach them here.

0
 
LVL 1

Accepted Solution

by:
bminetwork2277 earned 0 total points
ID: 35231921
We were able to lessen the issue that is occurring by correcting incorrect Forwarding Zones in DNS that were pointing to the old DC that is not longer functioning.
0
 
LVL 1

Author Comment

by:bminetwork2277
ID: 35231928
Able to resolve issue on own.
0
 
LVL 1

Author Closing Comment

by:bminetwork2277
ID: 35304226
Able to resolve issue on own.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how a domain name may be inadvertently appended to all DNS queries. This exhibits as described below. (CODE)And / Or: (CODE) Cause This issue can occur in either of these two scenarios. EITHER 1. A Primary DNS S…
One of the most often confused topics in the area DNS is the idea of GLUE records. Specifically, what they are, when they are needed, when they are provided, and how they are created. First, WHAT IS GLUE? To understand GLUE, you must first under…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question