Solved

Active directory not replicating one way

Posted on 2012-08-21
Last Modified: 2012-08-28
I have a single domain with 3 sites and multiple domain controllers.  Two of the sites are not always used all year round and the VPN connection can sometimes be sketchy.  I started noticing KCC errors on my DCs in my main office.  I investigated and it seems that replication is working everywhere, except that "from" one of the remote DCs (running Server 2003 x64 SP2) to all other DCs it's not replicating.  I removed lingering objects on that DC and modified the registry setting to "allow replication with divergent and corrupt partners".  However, I am still getting errors in my logs that the partitions are not replicating.  What else can I do, short of demoting and promoting this DC again?
Question by:rivkamak
9 Comments
 

Expert Comment

by:Mike Kline
ID: 38318286
Do you know how long it has been since that DC last replicated (repadmin /replsum or /showrepl)?

Are you sure you got rid of all the lingering objects? (any errors in the logs)

Thanks

Mike

Expert Comment

by:Sarang Tinguria
ID: 38318496
Also, can you post the output of the commands below from the domain controller in question?

dcdiag /q

repadmin /showrepl


Expert Comment

by:piyushranusri
ID: 38319037
Did you manually authorize each domain controller to replicate?

Author Comment

by:rivkamak
ID: 38320796
According to the logs on one of the receiving DCs, the last successful replication was on 8/31/2010.

I ran the removal of all lingering objects on all 5 partitions.  One of them showed that there were 2 lingering objects, which it removed.

Author Comment

by:rivkamak
ID: 38320813
The DCDIAG output is here:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: ZoneII\ZII-SERVER-01
      Starting test: Connectivity
         ......................... ZII-SERVER-01 passed test Connectivity

Doing primary tests

   Testing server: ZoneII\ZII-SERVER-01
      Starting test: Replications
         ......................... ZII-SERVER-01 passed test Replications
      Starting test: NCSecDesc
         ......................... ZII-SERVER-01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... ZII-SERVER-01 passed test NetLogons
      Starting test: Advertising
         ......................... ZII-SERVER-01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... ZII-SERVER-01 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... ZII-SERVER-01 passed test RidManager
      Starting test: MachineAccount
         ......................... ZII-SERVER-01 passed test MachineAccount
      Starting test: Services
         ......................... ZII-SERVER-01 passed test Services
      Starting test: ObjectsReplicated
         ......................... ZII-SERVER-01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... ZII-SERVER-01 passed test frssysvol
      Starting test: frsevent
         ......................... ZII-SERVER-01 passed test frsevent
      Starting test: kccevent
         ......................... ZII-SERVER-01 passed test kccevent
      Starting test: systemlog
         ......................... ZII-SERVER-01 passed test systemlog
      Starting test: VerifyReferences
         ......................... ZII-SERVER-01 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : oorah
      Starting test: CrossRefValidation
         ......................... oorah passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... oorah passed test CheckSDRefDom

   Running enterprise tests on : oorah.local
      Starting test: Intersite
         ......................... oorah.local passed test Intersite
      Starting test: FsmoCheck
         ......................... oorah.local passed test FsmoCheck

The REPADMIN /SHOWREPL output is here:

repadmin running command /showrepl against server localhost

ZoneII\ZII-SERVER-01
DC Options: IS_GC
Site Options: (none)
DC object GUID: 7bba2d03-3962-4934-880c-1caf1388b5a4
DC invocationID: 6ff6fa91-9bf3-41b6-a9a7-1744c6af810a

==== INBOUND NEIGHBORS ======================================

DC=oorah,DC=local
    ZoneI\ZI-SERVER-01 via RPC
        DC object GUID: 705ca1b0-50a9-4322-9bf6-4d7951db455c
        Last attempt @ 2012-08-22 10:48:41 was successful.
    Main-Office\OORAH-TIMEFORCE via RPC
        DC object GUID: 05f4f28a-a4b0-4ed8-a374-3d2a98766612
        Last attempt @ 2012-08-22 10:48:41 was successful.
    Main-Office\OORAH-SERVER2 via RPC
        DC object GUID: 58e2415d-de42-4e53-bfaf-acc00cb63d2c
        Last attempt @ 2012-08-22 10:48:41 was successful.
    Main-Office\OORAH-DC1 via RPC
        DC object GUID: c80cb2e7-e286-4688-acd5-f53a6cb126fa
        Last attempt @ 2012-08-22 10:48:41 was successful.

CN=Configuration,DC=oorah,DC=local
    ZoneI\ZI-SERVER-01 via RPC
        DC object GUID: 705ca1b0-50a9-4322-9bf6-4d7951db455c
        Last attempt @ 2012-08-22 10:48:38 was successful.
    Main-Office\OORAH-TIMEFORCE via RPC
        DC object GUID: 05f4f28a-a4b0-4ed8-a374-3d2a98766612
        Last attempt @ 2012-08-22 10:48:38 was successful.
    Main-Office\OORAH-SERVER2 via RPC
        DC object GUID: 58e2415d-de42-4e53-bfaf-acc00cb63d2c
        Last attempt @ 2012-08-22 10:48:39 was successful.
    Main-Office\OORAH-DC1 via RPC
        DC object GUID: c80cb2e7-e286-4688-acd5-f53a6cb126fa
        Last attempt @ 2012-08-22 10:48:39 was successful.

CN=Schema,CN=Configuration,DC=oorah,DC=local
    ZoneI\ZI-SERVER-01 via RPC
        DC object GUID: 705ca1b0-50a9-4322-9bf6-4d7951db455c
        Last attempt @ 2012-08-22 10:48:41 was successful.
    Main-Office\OORAH-TIMEFORCE via RPC
        DC object GUID: 05f4f28a-a4b0-4ed8-a374-3d2a98766612
        Last attempt @ 2012-08-22 10:48:41 was successful.
    Main-Office\OORAH-SERVER2 via RPC
        DC object GUID: 58e2415d-de42-4e53-bfaf-acc00cb63d2c
        Last attempt @ 2012-08-22 10:48:41 was successful.
    Main-Office\OORAH-DC1 via RPC
        DC object GUID: c80cb2e7-e286-4688-acd5-f53a6cb126fa
        Last attempt @ 2012-08-22 10:48:41 was successful.

DC=DomainDnsZones,DC=oorah,DC=local
    ZoneI\ZI-SERVER-01 via RPC
        DC object GUID: 705ca1b0-50a9-4322-9bf6-4d7951db455c
        Last attempt @ 2012-08-22 10:48:41 was successful.
    Main-Office\OORAH-TIMEFORCE via RPC
        DC object GUID: 05f4f28a-a4b0-4ed8-a374-3d2a98766612
        Last attempt @ 2012-08-22 10:48:41 was successful.
    Main-Office\OORAH-SERVER2 via RPC
        DC object GUID: 58e2415d-de42-4e53-bfaf-acc00cb63d2c
        Last attempt @ 2012-08-22 10:48:41 was successful.
    Main-Office\OORAH-DC1 via RPC
        DC object GUID: c80cb2e7-e286-4688-acd5-f53a6cb126fa
        Last attempt @ 2012-08-22 10:48:42 was successful.

DC=ForestDnsZones,DC=oorah,DC=local
    ZoneI\ZI-SERVER-01 via RPC
        DC object GUID: 705ca1b0-50a9-4322-9bf6-4d7951db455c
        Last attempt @ 2012-08-22 10:48:43 was successful.
    Main-Office\OORAH-TIMEFORCE via RPC
        DC object GUID: 05f4f28a-a4b0-4ed8-a374-3d2a98766612
        Last attempt @ 2012-08-22 10:48:43 was successful.
    Main-Office\OORAH-SERVER2 via RPC
        DC object GUID: 58e2415d-de42-4e53-bfaf-acc00cb63d2c
        Last attempt @ 2012-08-22 10:48:43 was successful.
    Main-Office\OORAH-DC1 via RPC
        DC object GUID: c80cb2e7-e286-4688-acd5-f53a6cb126fa
        Last attempt @ 2012-08-22 10:48:43 was successful.

Assisted Solution

by:Mike Kline
Mike Kline earned 750 total points
ID: 38320816
Oh OK, then you are way past the tombstone lifetime on that box.

In this case you can forcefully demote the box

dcpromo /forceremoval
http://kpytko.wordpress.com/2011/08/30/decommissioning-broken-domain-controller/

Then clean it up in AD: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Did the box hold any FSMO roles?

After the demotion and cleanup and once that cleanup has been replicated around then you can promote the box again.

Author Comment

by:rivkamak
ID: 38320824
What do you mean when you say "did you manually authorize each domain controller to replicate ?"

Are you referring to bridgeheads? Connections? Or something else?

Author Comment

by:rivkamak
ID: 38321271
It doesn't hold any FSMO roles.  I know that I can demote it and promote it again; my question is whether I can get it to start replicating without doing that?

Accepted Solution

by:Sarang Tinguria
Sarang Tinguria earned 750 total points
ID: 38321369
No, you should not enable replication of a tombstoned DC without demote/promote.
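
The tombstone-lifetime check the two answers rely on, as an added example that is not part of the original thread: a Python parser for `repadmin /showrepl` text output that lists inbound partners whose last success is older than the tombstone lifetime. Run it on output collected from the DCs that pull from the suspect DC, since the suspect DC's own inbound list can look healthy. The sample output, server names and the 180-day default are assumptions; read the forest's actual tombstoneLifetime value.

```python
import re
from datetime import datetime

# Constructed sample in the layout `repadmin /showrepl` prints on a DC that
# refuses a stale partner; server names, GUIDs and timestamps are made up.
SAMPLE = """\
==== INBOUND NEIGHBORS ======================================

DC=example,DC=local
    SiteA\\DC-GOOD via RPC
        DC object GUID: 11111111-1111-1111-1111-111111111111
        Last attempt @ 2012-08-22 10:48:41 was successful.
    SiteB\\DC-STALE via RPC
        DC object GUID: 22222222-2222-2222-2222-222222222222
        Last attempt @ 2012-08-22 10:48:41 failed, result 8614 (0x21a6):
            The time since the last replication has exceeded the tombstone lifetime.
        722 consecutive failure(s).
        Last success @ 2010-08-31 09:00:00.
"""

NC = re.compile(r"^(?:DC|CN)=\S+$")                 # naming-context header line
SRC = re.compile(r"^\s+(\S+\\\S+) via \S+")          # "Site\Server via RPC"
ATTEMPT = re.compile(r"Last attempt @ ([\d-]+ [\d:]+) (was successful|failed)")
SUCCESS = re.compile(r"Last success @ ([\d-]+ [\d:]+)")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def stale_partners(output, now, tombstone_days=180):
    """Return (naming context, source DC, days since last success) for every
    inbound partner whose last success is older than the tombstone lifetime."""
    findings, nc, src = [], None, None
    for line in output.splitlines():
        if NC.match(line):
            nc, src = line, None
        elif m := SRC.match(line):
            src = m.group(1)
        elif src and (m := ATTEMPT.search(line)) and m.group(2) == "was successful":
            src = None                      # healthy link, nothing to report
        elif src and (m := SUCCESS.search(line)):
            age = (now - parse_ts(m.group(1))).days
            if age > tombstone_days:        # past the point where a rebuild is needed
                findings.append((nc, src, age))
    return findings

if __name__ == "__main__":
    for nc, src, age in stale_partners(SAMPLE, datetime(2012, 8, 22, 10, 48, 41)):
        print(f"{src} -> {nc}: {age} days since last success; demote and rebuild")
```

A partner that has never replicated successfully has no parsable "Last success" timestamp and is not reported by this sketch.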