Multi-site AD Replication Issues
Posted on 2013-01-28
All FSMO roles held by a DC were seized to a new server. Metadata cleanup was performed, with the exception of one entry. The server would not delete from ADSS due to "Access denied" and "Insufficient privileges to delete site". The user account was an Enterprise Admin, and the entry would not delete with ADSS or ADSIEdit.
Due to this condition, I changed the new server to the original name of the failed DC. I transferred the PDC role successfully. The other four roles were on another server, at the same site.
There are a total of nine sites including the main hub. The main hub hosts the FSMO roles and the primary DNS zones. All the other eight sites are connected via VPN tunnels.
There are two remaining remote sites, which were never able to replicate from the main hub. They still "think" the old servers are holding all the FSMO roles; therefore, they are failing the dcdiag KnowsOfRoleHolders test. These attributes, known as fSMORoleOwner, cannot be modified on the bad DCs via ADSIEdit or LDP.
These servers also are not replicating the primary AD-integrated DNS zones. They had old zone data, so I deleted it and rebuilt the primary DNS zone from scratch.
This caused the majority of the domain controllers to replicate perfectly. Two stubborn ones I have not figured out how to fix.
I'm pretty sure this issue is being caused by multiple factors, based on dcdiag, netdiag, and many other tools. I need to get the DNS zone to replicate to the two bad DCs.
I also believe there to be KCC inconsistencies (based on event log errors), such as "Kerberos client received a KRB_AP_ERR_MODIFIED error".
In ADSS or repadmin /replicate, I receive the error "Naming context is in the process of being removed..."
How do I get the Kerberos ticket issues resolved? I've done some basic klist tickets and such, but need further guidance. I've also reset machine accounts with netdom with some degree of success.
I'm positive this is largely DNS. So, how to get DNS as a primary zone, using the current AD integrated zone? There could even be other copies of the same zone stored in AD, how do I purge these?
I'm also receiving some "The default SPN registration ... is missing" warnings from netdiag.
I want to resolve these issues without demoting/re-promoting. These servers will not demote cleanly, and there has to be a better way than to go that route. The 60 day tombstone lifetime has not been met.
Just some more info to save you guys some time: the dcdiag runs on the role holder DCs come back clean. It's just these two that are being a pain (both 2003). The two bad DCs give me lots of KCC errors and DNS issues, but it's mostly because they have not replicated.
How do I get these servers to pull the replication data from the main hub? I even made the bad servers secondary copies of the primary zone, but they still will not replicate.
One last note: there are some SPN errors with netdiag, and there is the possibility of duplicate or missing SPN records in DNS. I've dabbled with setspn to list, and to attempt to add, SPNs that are reported missing, but could use further guidance here as well if necessary.
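To see exactly which stale owner each of the two DCs still believes holds each FSMO role (the condition behind the KnowsOfRoleHolders failures), the script below reads the fSMORoleOwner attribute directly from each DC over LDAP and compares it with the hub's view. This is an added example, not code from the original post; the domain DN and the three DC host names are placeholders to replace.

```powershell
# Added example (not from the original post): compare who each DC believes holds
# each FSMO role by reading fSMORoleOwner straight from that DC, not from a referral.
# Assumptions (placeholders): the domain DN and the DC host names below.
$DomainDN = 'DC=example,DC=local'                               # placeholder domain DN
$HubDC    = 'HUBDC01.example.local'                             # placeholder: hub DC
$BadDCs   = 'SITE7DC.example.local', 'SITE8DC.example.local'   # placeholders: the two bad DCs

# Objects whose fSMORoleOwner attribute records each role's owner.
$RoleObjects = [ordered]@{
    'PDC'            = $DomainDN
    'RID'            = "CN=RID Manager`$,CN=System,$DomainDN"
    'Infrastructure' = "CN=Infrastructure,$DomainDN"
    'Schema'         = "CN=Schema,CN=Configuration,$DomainDN"
    'DomainNaming'   = "CN=Partitions,CN=Configuration,$DomainDN"
}

function Get-FsmoViewFromDC {
    param([string]$Dc)
    $view = [ordered]@{}
    foreach ($role in $RoleObjects.Keys) {
        try {
            # Bind to the object on this specific DC so we read its local copy.
            $entry   = [ADSI]"LDAP://$Dc/$($RoleObjects[$role])"
            # fSMORoleOwner is the DN of the owner's NTDS Settings object:
            # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,... so the
            # server name is the second RDN.
            $ownerDn = [string]$entry.Properties['fSMORoleOwner'].Value
            $view[$role] = ($ownerDn -split ',')[1] -replace '^CN=', ''
        } catch {
            $view[$role] = "ERROR: $($_.Exception.Message)"
        }
    }
    return $view
}

$hubView = Get-FsmoViewFromDC -Dc $HubDC
foreach ($dc in $BadDCs) {
    $dcView = Get-FsmoViewFromDC -Dc $dc
    foreach ($role in $RoleObjects.Keys) {
        # A MISMATCH here is a DC still pointing at the old (seized-from) server.
        $status = if ($dcView[$role] -eq $hubView[$role]) { 'OK' } else { 'MISMATCH' }
        '{0,-24} {1,-15} hub={2,-16} dc={3,-16} {4}' -f $dc, $role, $hubView[$role], $dcView[$role], $status
    }
}
```

Run it from a machine that can reach all three DCs on LDAP; a name that no longer exists in Sites and Services on the MISMATCH lines confirms the DC never received the seizure through replication.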