Solved

Domain Controller Replication Issues

Posted on 2013-05-30
Last Modified: 2013-06-10
I have a total of 4 Domain Controllers; two of which reside in the Main Office and two that live in remote WAN locations (one in each site...). They are all 2008 Std servers and the Active Directory is at 2008 functional level.

The two WAN DCs were built and promoted in the main office before being delivered to their WAN sites. After they were installed in the WAN locations, AD Sites and Services was configured to set up NTDS replication links between each WAN server and the two main office DCs only. However, they still seem to be linked to each other in some way.

AD setting changes (adding a new user for example) performed on the Main Office DCs will replicate to the WAN servers. Adding a user on at least one (possibly both...) of the WAN servers will not replicate back to the Main Office (or other WAN...) DCs.

Running a dcdiag on the WAN DCs shows errors with them trying to replicate with each other but passing all other tests. Running dcdiag on one of the Main Office DCs shows errors for both WAN DCs trying to replicate with the Main Office DCs. The error in all cases is that the WAN DCs have "tombstoned" replication copies. Although tombstoned, the WAN DCs continue to authenticate users in those locations properly and seem to function normally.

Current wisdom suggests demoting both WAN DCs and re-promoting them to fix this. The theory is that they discovered each other when promoted in the Main Office and can't "forget" about each other. By demoting/promoting them in their WAN locations they won't see each other as readily (although the WAN is fully routed and they can ping each other by name...).

Any thoughts on a simpler solution? Is there a way to force them not to attempt replication with each other and only pull a current copy from the accurate Main Office DCs?
Question by:jhunter9999
3 Comments
LVL 5

Expert Comment

by:HornAlum
ID: 39209138
Go to AD Sites and Services.

Under the DC names, you will see your NTDS settings. You can define replication partners. If you have some undesired replication partners, just right-click and remove them. I had some automatically generated replication partners under NTDS that I removed, and I created some fresh ones myself to make sure they replicated from exactly the DCs I wanted.

Are you using a single "site"? Typically, you should create a separate "site" for your WAN offices. Those sites would contain separate subnets. Then you would drop those DCs into those sites.

Author Comment

by:jhunter9999
ID: 39209165
There are three sites (Main Office, WAN1 and WAN2). The NTDS settings are set so either WAN DC only has the Main Office DCs as replication partners. They do not reference each other, which makes it puzzling as to why they mention each other in the dcdiag results.

Thoughts?
LVL 20

Accepted Solution

by: compdigit44 (earned 500 total points)
ID: 39219567
Have you tried to use RepAdmin to remove lingering objects?

http://technet.microsoft.com/en-us/library/cc785298%28v=ws.10%29.aspx
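The following is an added example, not code from the thread or from either commenter. It ties together the first comment (which DCs are actually inbound replication partners, including KCC-generated links that are easy to miss in AD Sites and Services) and the accepted answer (checking for lingering objects with repadmin before deciding whether the WAN DCs have to be demoted). It assumes it is run as a domain admin from a DC or RSAT host that has repadmin.exe, uses PowerShell 2.0 syntax so it works on Windows Server 2008, and uses placeholder DC names (MAINDC1, WANDC1) and domain (corp.example) that are not the poster's.

```powershell
# Added example (not from the original thread). Replication triage for DCs that
# dcdiag reports as "tombstoned": list every inbound link and its last success,
# flag links older than the tombstone lifetime, then run an advisory-mode
# lingering-object check. Placeholder names below are assumptions.

$ErrorActionPreference = 'Stop'

# Tombstone lifetime (days) from the Configuration partition. When the
# attribute is not set, the forest uses the default of 60 days.
function Get-TombstoneLifetime {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $dsPath  = "LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $tsl = [int]([ADSI]$dsPath).tombstoneLifetime.Value
    if ($tsl -le 0) { $tsl = 60 }
    return $tsl
}

# Every inbound replication link in the forest, parsed from "repadmin /showrepl
# * /csv". A link with no successful sync inside the tombstone lifetime (or
# that never succeeded) is what dcdiag reports as tombstoned.
function Get-ReplicationLinkStatus {
    param([int]$TombstoneLifetimeDays)
    $cutoff = (Get-Date).AddDays(-$TombstoneLifetimeDays)
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $last   = [DateTime]::MinValue
        $parsed = [DateTime]::TryParse($r.'Last Success Time', [ref]$last)
        New-Object PSObject -Property @{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            Partition     = $r.'Naming Context'
            LastSuccess   = $(if ($parsed) { $last } else { $null })
            Failures      = [int]$r.'Number of Failures'
            LastStatus    = $r.'Last Failure Status'
            PastTombstone = (-not $parsed) -or ($last -lt $cutoff)
        }
    }
}

# NTDS Settings object GUID of a DC, as printed in the header of
# "repadmin /showrepl <dc>"; this is the source DSA GUID that
# /removelingeringobjects expects.
function Get-DsaObjectGuid {
    param([string]$DcName)
    $line = repadmin /showrepl $DcName | Select-String 'DSA object GUID'
    if (-not $line) { throw "Could not read the DSA object GUID from $DcName" }
    return ($line.Line -split ':\s*', 2)[1].Trim()
}

# --- usage (placeholder DC names, not the poster's) ---
$tsl = Get-TombstoneLifetime
Write-Host "Tombstone lifetime: $tsl days"

# Shows who each DC really pulls from, so a WAN DC that still lists the other
# WAN DC as a source stands out, together with how stale each link is.
Get-ReplicationLinkStatus -TombstoneLifetimeDays $tsl |
    Sort-Object Destination, Source |
    Format-Table Destination, Source, Partition, LastSuccess, Failures, PastTombstone -AutoSize

# Advisory mode only reports objects that exist on the suspect DC but not on
# the authoritative partner; nothing is deleted until /advisory_mode is dropped.
$authoritative = 'MAINDC1.corp.example'   # assumed-good main-office DC
$suspect       = 'WANDC1.corp.example'    # remote DC flagged as tombstoned
$domainNc      = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$srcGuid       = Get-DsaObjectGuid -DcName $authoritative
repadmin /removelingeringobjects $suspect $srcGuid $domainNc /advisory_mode

# Strict replication consistency (1 = strict) makes a DC reject inbound
# replication that would reintroduce lingering objects instead of accepting
# them. Only present on a DC, so check it on each DC in turn.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntdsKey) {
    $ntds = Get-ItemProperty $ntdsKey
    Write-Host ("Strict Replication Consistency on this DC: " + $ntds.'Strict Replication Consistency')
}
```

Run the advisory pass once per partition (domain, Configuration, and Schema naming contexts) and read the Directory Service event log on the suspect DC for the objects it reports before dropping /advisory_mode. Do not shortcut a tombstoned DC by forcing replication (repadmin /replicate) or by switching strict consistency off: a DC that has been cut off for longer than the tombstone lifetime can hold objects that were deleted everywhere else, including old accounts and group memberships, and a forced sync can reanimate them on the rest of the forest. If the lingering objects cannot be cleaned up, the supported path is the one the question already describes: forcibly demote the WAN DC, clean up its metadata, and re-promote it so it takes a fresh copy from a main-office DC.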