AD replication health degraded after removal of last DC in child domain
About 4 weeks ago we demoted the last DC in one of our child domains. Everything went well, no errors occured during the demotion processand we thought everything was taken care of. Recently we created an AD notification job taht watches AD for us. Since then we're randomly started recieving the follow error on all of our remaing domain controllers:
AD replication health degraded: Directory partition DC=***,DC=net
Time of Event: 4/4/2011 2:04:00 PM
Source Machine Name: *****-DC02
Event Severity: 10
KS Name: 6470:AD_ServerHealth
Detail Message: Partition: DC=***,DC=net
Replication Status
------------------
Status: There is no replication partner for this directory partition.
Severity: 10
I've used the NTDSUtil thinking maybe I needed to remove orphaned objects from AD but the it only shows our two remaining domain, the empty root forest and the final remaining child domain. Any ideas as to why our remaining DCs are still looking for the directory partition in a domain that doesn't exist anymore?
AD replication health degraded: Directory partition DC=***,DC=net
Time of Event: 4/4/2011 2:04:00 PM
Source Machine Name: *****-DC02
Event Severity: 10
KS Name: 6470:AD_ServerHealth
Detail Message: Partition: DC=***,DC=net
Replication Status
------------------
Status: There is no replication partner for this directory partition.
Severity: 10
I've used the NTDSUtil thinking maybe I needed to remove orphaned objects from AD but the it only shows our two remaining domain, the empty root forest and the final remaining child domain. Any ideas as to why our remaining DCs are still looking for the directory partition in a domain that doesn't exist anymore?
ASKER
I've checked and the demoted child domain is not existent in the DNS zones.
Can you provide a dcdiag?
dcdiag /v /c /f:dcdiag.txt
(open in notepad and use Search and Replace if you want to hide your domain name)
dcdiag /v /c /f:dcdiag.txt
(open in notepad and use Search and Replace if you want to hide your domain name)
ASKER
Sure, the dcdiag is attached.
dcdiag.txt
dcdiag.txt
The search and replace messed up the formatting so it was a little har to read the lines...
Can you run this and post the output?
repadmin /replsum /bysrc /bydest /sort:delta
(it will show you the status of the AD replication forest wide)
Can you run this and post the output?
repadmin /replsum /bysrc /bydest /sort:delta
(it will show you the status of the AD replication forest wide)
ASKER
Source DSA largest delta fails/total %% error
******-DC03 55m:15s 0 / 23 0
******-DC05 55m:15s 0 / 16 0
***NCT-DC02 55m:15s 0 / 43 0
***N-DC05 55m:15s 0 / 14 0
***NBR-DC02 54m:40s 0 / 12 0
***NBR-DC01 53m:43s 0 / 6 0
***NSW-DC05 53m:18s 0 / 11 0
***NCT-DC01 52m:46s 0 / 67 0
******-DC04 50m:12s 0 / 16 0
***NJP-DC03 47m:12s 0 / 6 0
***NRI-DC01 46m:30s 0 / 6 0
***NJP-DC04 45m:44s 0 / 11 0
***NRI-DC03 45m:17s 0 / 11 0
***NSW-DC04 44m:29s 0 / 6 0
***NAU-DC03 43m:05s 0 / 11 0
***NAU-DC02 42m:44s 0 / 6 0
***NFR-DC01 42m:23s 0 / 9 0
***NFR-DC03 41m:23s 0 / 3 0
***NCA-DC02 40m:14s 0 / 6 0
***NES-DC01 37m:45s 0 / 5 0
***NDE-DC01 37m:40s 0 / 5 0
***NUK-DC02 37m:39s 0 / 5 0
***NIT-DC01 37m:36s 0 / 5 0
***NMA-DC01 30m:03s 0 / 6 0
Destination DSA largest delta fails/total %% error
***NCT-DC01 55m:29s 0 / 31 0
***NBR-DC01 55m:11s 0 / 6 0
***NBR-DC02 54m:17s 0 / 12 0
***NSW-DC04 53m:47s 0 / 6 0
***N-DC05 52m:49s 0 / 53 0
******-DC03 50m:29s 0 / 24 0
******-DC04 50m:15s 0 / 16 0
******-DC05 48m:20s 0 / 16 0
***NJP-DC04 47m:32s 0 / 6 0
***NRI-DC03 47m:06s 0 / 6 0
***NJP-DC03 46m:07s 0 / 12 0
***NCT-DC02 45m:21s 0 / 31 0
***NRI-DC01 45m:20s 0 / 12 0
***NSW-DC05 44m:55s 0 / 12 0
***NAU-DC02 43m:49s 0 / 6 0
***NAU-DC03 43m:23s 0 / 12 0
***NFR-DC03 42m:30s 0 / 3 0
***NFR-DC01 41m:27s 0 / 9 0
***NIT-DC01 41m:09s 0 / 6 0
***NES-DC01 37m:24s 0 / 6 0
***NCA-DC02 35m:33s 0 / 6 0
***NMA-DC01 32m:11s 0 / 6 0
***NDE-DC01 29m:05s 0 / 6 0
***NUK-DC02 28m:03s 0 / 6 0
******-DC03 55m:15s 0 / 23 0
******-DC05 55m:15s 0 / 16 0
***NCT-DC02 55m:15s 0 / 43 0
***N-DC05 55m:15s 0 / 14 0
***NBR-DC02 54m:40s 0 / 12 0
***NBR-DC01 53m:43s 0 / 6 0
***NSW-DC05 53m:18s 0 / 11 0
***NCT-DC01 52m:46s 0 / 67 0
******-DC04 50m:12s 0 / 16 0
***NJP-DC03 47m:12s 0 / 6 0
***NRI-DC01 46m:30s 0 / 6 0
***NJP-DC04 45m:44s 0 / 11 0
***NRI-DC03 45m:17s 0 / 11 0
***NSW-DC04 44m:29s 0 / 6 0
***NAU-DC03 43m:05s 0 / 11 0
***NAU-DC02 42m:44s 0 / 6 0
***NFR-DC01 42m:23s 0 / 9 0
***NFR-DC03 41m:23s 0 / 3 0
***NCA-DC02 40m:14s 0 / 6 0
***NES-DC01 37m:45s 0 / 5 0
***NDE-DC01 37m:40s 0 / 5 0
***NUK-DC02 37m:39s 0 / 5 0
***NIT-DC01 37m:36s 0 / 5 0
***NMA-DC01 30m:03s 0 / 6 0
Destination DSA largest delta fails/total %% error
***NCT-DC01 55m:29s 0 / 31 0
***NBR-DC01 55m:11s 0 / 6 0
***NBR-DC02 54m:17s 0 / 12 0
***NSW-DC04 53m:47s 0 / 6 0
***N-DC05 52m:49s 0 / 53 0
******-DC03 50m:29s 0 / 24 0
******-DC04 50m:15s 0 / 16 0
******-DC05 48m:20s 0 / 16 0
***NJP-DC04 47m:32s 0 / 6 0
***NRI-DC03 47m:06s 0 / 6 0
***NJP-DC03 46m:07s 0 / 12 0
***NCT-DC02 45m:21s 0 / 31 0
***NRI-DC01 45m:20s 0 / 12 0
***NSW-DC05 44m:55s 0 / 12 0
***NAU-DC02 43m:49s 0 / 6 0
***NAU-DC03 43m:23s 0 / 12 0
***NFR-DC03 42m:30s 0 / 3 0
***NFR-DC01 41m:27s 0 / 9 0
***NIT-DC01 41m:09s 0 / 6 0
***NES-DC01 37m:24s 0 / 6 0
***NCA-DC02 35m:33s 0 / 6 0
***NMA-DC01 32m:11s 0 / 6 0
***NDE-DC01 29m:05s 0 / 6 0
***NUK-DC02 28m:03s 0 / 6 0
All NCs are replicated with no errors forest wide. Largest Delta is under 60 minutes, so your replication is ok.
If there was an inbound partner trying to replicate an orphan NC you would have seen it in the output above.
You mentioned a "AD notification job". What sort of job is this?
If there was an inbound partner trying to replicate an orphan NC you would have seen it in the output above.
You mentioned a "AD notification job". What sort of job is this?
ASKER
This is a job that is run by NetIQ application, it monitors our AD for errors among other things. I'm beginning to believe that the NetIQ job itself is looking for the missing directory partition and not the domain controllers themselves. I can't really find anything related to the errors I'm seeing from NetIQ in any of the domain controller logs, the only thing that I can find is some information about some objects that are still in AD that should be removed at the next tombstone interval.
I need to have a look at the NetIQ job and see if that's what's going on, once I can confirm this I"ll report back here and assign points for the help.
I need to have a look at the NetIQ job and see if that's what's going on, once I can confirm this I"ll report back here and assign points for the help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Found answer on my own.
http://www.windowsitpro.com/article/domains2/q-how-can-i-avoid-receiving-an-0x2015-error-when-i-use-ntdsutil-to-delete-a-nonexistent-domain-