Domain Controller Replication Issues
Posted on 2013-05-30
I have a total of 4 Domain Controllers; two of which reside in the Main Office and two that live in remote WAN locations (one in each site...). They are all 2008 Std servers and the Active Directory is at 2008 functional level.
The two WAN DCs were built and promoted in the main office before being delivered to their WAN sites. After they were installed in the WAN locations, AD Sites and Services was configured to set up NTDS replication links between each WAN server and the two main office DCs only. However, they still seem to be linked to each other in some way.
AD setting changes (adding a new user for example) performed on the Main Office DCs will replicate to the WAN servers. Adding a user on at least one (possibly both...) of the WAN servers will not replicate back to the Main Office (or other WAN...) DCs.
Running a dcdiag on the WAN DCs shows errors with them trying to replicate with each other but passing all other tests. Running dcdiag on one of the Main Office DCs shows errors for both WAN DCs trying to replicate with the Main Office DCs. The error in all cases is that the WAN DCs have "tombstoned" replication copies. Although tombstoned, the WAN DCs continue to authenticate users in those locations properly and seem to function normally.
Current wisdom suggests demoting both WAN DCs and re-promoting them to fix this. The theory is that they discovered each other when promoted in the Main Office and can't "forget" about each other. By demoting/promoting them in their WAN locations they won't see each other as readily (although the WAN is fully routed and they can ping each other by name...).
Any thoughts on a simpler solution? Is there a way to force them not to attempt replication with each other and only pull a current copy from the accurate Main Office DCs?
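A quick way to confirm the situation described in the question (which DC is pulling from which partner, and whether any link has been silent longer than the forest's tombstone lifetime) is to read the replication metadata directly. This is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module from Server 2012 or later RSAT on the admin workstation, and that the DCs answer Active Directory Web Services queries (2008 R2 has ADWS built in; plain 2008 needs the Active Directory Management Gateway Service).

```powershell
# Added example: list each DC's inbound replication partners and flag links whose
# last successful replication is older than the forest tombstoneLifetime.
Import-Module ActiveDirectory

# tombstoneLifetime is stored on the Directory Service object in the Configuration NC.
# If the attribute is absent, the effective value on the forest is 60 days.
$rootDse  = Get-ADRootDSE
$dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObject = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
$tombstoneDays = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
$cutoff = (Get-Date).AddDays(-$tombstoneDays)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Inbound only: these are the partners this DC actually pulls changes from,
    # which is what AD Sites and Services connection objects control.
    $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound `
                    -ErrorAction SilentlyContinue
    foreach ($p in $partners) {
        # Partner is the DN of the source DC's NTDS Settings object; the second RDN is the server name.
        $partnerName = (($p.Partner -split ',')[1]) -replace '^CN=', ''
        [pscustomobject]@{
            DC              = $dc.HostName
            Partner         = $partnerName
            Partition       = $p.Partition
            LastSuccess     = $p.LastReplicationSuccess
            Failures        = $p.ConsecutiveReplicationFailures
            LastResult      = $p.LastReplicationResult
            BeyondTombstone = ($p.LastReplicationSuccess -lt $cutoff)
        }
    }
}

"Forest tombstoneLifetime: $tombstoneDays days (cutoff $cutoff)"
$report | Sort-Object DC, Partition | Format-Table -AutoSize
```

Any row with `BeyondTombstone` set to True is a link the destination DC will refuse to use until the partner is cleaned up or re-promoted; an unexpected `Partner` on a WAN DC row shows a connection object the KCC created that the manual Sites and Services configuration did not remove.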