kobalt_systems

asked on

Repairing replication errors in AD

Hi All,

Our client's setup:
Three sites, four domain controllers, all set up by another company (i.e. we did not design or build)

Head office
DC1(Pri DNS and FSMO)
BackupDC (DNS, AD)

Branch Office1
DC2

Branch Office2
DC3

Intersite transports look like this:
Branch Office2 - Branch Office1 (site link bridge)
Head office - Branch Office2 (site link)
Head office - Branch Office1 (site link)

We had to migrate DC1 to new hardware (deteriorating hardware failure). The migration was done using a ShadowProtect image, following this best practices guide: http://www.storagecraft.com.au/best-practice-guides/BP000005%20Hardware%20Independent%20Restore.pdf

All went very well, no hardware issues, and the server booted fine; however, netlogon was paused, with a bunch of 1925, 1311, 1566 and 1865 errors in the directory services log.

After manually starting netlogon, all services seem OK: head office client logons, etc.

I then found this https://www.experts-exchange.com/questions/24973303/netlogon-paused.html

However it looks like I need to
- transfer FSMO from DC1 (new) to BackupDC
- demote DC1
- clean metadata (run this from backupDC)
- promote DC1 again
- transfer FSMO role back to DC1

I've never done this before so I'm very nervous. Can anyone comment on the approach I've listed? Will it work? What are the risks?

Really appreciate your time.
Sushil Sonawane

If your server is in USN rollback then you have to perform the steps as you mentioned.

1)  transfer FSMO from DC1 (new) to BackupDC

2) demote DC1; if it does not demote the normal way then you have to demote it forcefully.

3) clean metadata (run this from backupDC)

4)  promote DC1 again

5)  transfer FSMO role back to DC1

Step 5 is optional; if you want to keep the FSMO role on the backupDC then there is no need to transfer the FSMO role.
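
A read-only way to confirm the "USN rollback" condition the answer above depends on, and to record FSMO and replication state before rebuilding DC1. This is an added example, not part of the original thread; it assumes an elevated PowerShell session on the restored DC, Windows Server 2008 or later (for Get-WinEvent), and that repadmin and netdom are installed. The function names are hypothetical.

```powershell
# Added example: read-only checks, nothing here changes the directory.
# Assumptions: elevated session on the restored DC, Server 2008+, repadmin/netdom present.

function Test-UsnRollbackQuarantine {
    # A DC that detects USN rollback logs event 2095, sets "Dsa Not Writable" = 4
    # under NTDS\Parameters, disables replication and pauses Netlogon.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $prop = Get-ItemProperty -Path $key -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue
    $value = $null
    if ($prop) { $value = $prop.'Dsa Not Writable' }
    New-Object PSObject -Property @{
        DsaNotWritable = $value
        Quarantined    = ($value -eq 4)
        NetlogonStatus = (Get-Service -Name Netlogon).Status
    }
}

function Get-ReplicationEvents {
    param([int]$Days = 14)
    # 2095 is the USN rollback detection event; the other IDs are the ones quoted in the question.
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2095, 1925, 1311, 1566, 1865
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{n='EventId'; e={$_.Name}}, Count,
            @{n='Latest'; e={($_.Group | Sort-Object TimeCreated -Descending |
                              Select-Object -First 1).TimeCreated}}
}

Test-UsnRollbackQuarantine | Format-List
Get-ReplicationEvents      | Format-Table -AutoSize

# Record current state so it can be compared after the demote/promote cycle.
netdom query fsmo        # which DC holds each FSMO role
repadmin /replsummary    # per-DC replication failures and largest deltas
repadmin /showrepl       # inbound partners and last attempt/success for this DC
```

Run the last three commands on BackupDC as well; a DC1 that shows `Quarantined : True` or event 2095 matches the USN rollback case the answer describes.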
kobalt_systems

ASKER

Thank you so much Sushil!

Do you think an operation such as this can be run within business hours?

Are there any outside risks that I need to consider? e.g. will there be tombstone date issues on DC1 (new), or problems with the FSMO transfer that may force a seizure instead.

Will client computers need to point to backupDC for DNS resolution and/or AD authentication (currently using DC1 (new) as primary and backupDC as secondary)?

"Do you think an operation such as this can be run within business hours?"

Do this outside business hours.


"Are there any outside risks that I need to consider? e.g. will there be tombstone date issues on DC1 (new), or problems with the FSMO transfer that may force a seizure instead."

Instead of transferring the role, it is better to seize the FSMO role.

"Will client computers need to point to backupDC for DNS resolution and/or AD authentication (currently using DC1 (new) as primary and backupDC as secondary)?"

Yes, on the client side the primary DNS for DNS resolution should be backupDC.

Thanks again.

So, make sure:
- out of hours

- seize the FSMO role (but doesn't that prevent me from transferring back to DC1 (new)?) Can I try a transfer and, if that doesn't work, seize the FSMO roles?

- client side DNS: if I run out of hours and transfer roles (from DC1 (new) to backupDC, then back to DC1 (new)) then in theory I shouldn't need to do this, BUT if I seize the role then the client DNS needs to change permanently.

Apologies for the questions, just want to be sure of the process first.

cheers
Nick
ASKER CERTIFIED SOLUTION
Sushil Sonawane
thanks again sushil, I'll wait till overnight to see if anyone has anything to add before closing
Hello Kobalt_systems,

Have a look at this article http://technet.microsoft.com/en-us/library/bb727057.aspx to troubleshoot replication issues in Active Directory.

Thanks
Kernel Recovery Tools
thanks all, I haven't attempted the fix but I'm pretty sure the main approach to dcpromo etc will work.