AD DNS replication issues on W2K8 R2 SP1

Posted on 2013-06-16
Last Modified: 2013-06-30
Dear gurus,

We have 4 sites where we have the domain atmc.com.sa; we have the master server IP, and the other (additional) domain controllers are, etc.

Now the issue: they can't replicate with each other; a user created on the master AD doesn't replicate to the others.

We checked the firewall, network cabling, ping, DNS test, and AD/DNS config, but none of them resolved the issue.

We conducted some tests and attached the results.

Can someone assist us with how we can resolve it? Even on the same network, the server can't replicate AD user permissions: say we want to give permission on a folder on another file server; we create the user and it is not seen in the AD list on the file server when assigning permissions.

This network worked fine for 3 months; we have not changed anything anywhere.

The master server is on a physical HP machine, while the rest are all on VMware vSphere as VMs, working mostly.

Kindly assist us.
Question by: tmsa12
Expert Comment

by:Radhakrishnan R
ID: 39251439

I just had a look at the logs; it seems the servers are missing a few DNS records. I would suggest you restart the "Netlogon" service on the DCs. Usually the missing SRV records get created once you restart the Netlogon service.

Expert Comment

by: Peter Hutchison
ID: 39251513

A few things to check:
Is your DNS in DNS Integrated or Master/Slave mode?
In DNS, does each DNS server have an NS (Name Server) record?
Which DCs have the Global Catalog service enabled? One, two, or all?
Make sure GC and LDAP SRV records exist for each DC that has it enabled.

Restarting the Netlogon and DNS services may help. Running ipconfig /registerdns will refresh the settings on each server.
Expert Comment

ID: 39252105
It seems like lingering objects. Please check the server health and run the command below, or follow the Microsoft link mentioned below.

c:\>repadmin /removelingeringobjects <Dest_DSA_LIST> <Source DSA GUID>

Expert Comment

ID: 39252452

You have DNS issues and lingering object issues. Check that your physical DC's date/time and the virtual DCs' date/time are in sync. Fix the DNS issues: point all virtual DCs' primary DNS to your physical DC, then perform ipconfig /registerdns or restart the Netlogon service. Which is your physical DC, ATMCSRVR10? If you can't fix the issue, remove the 30-days-old DC, perform metadata cleanup, and promote it as a DC.

ATMCSRVR12        36d.06h:43m:29s
ATMCSRVR14        27d.23h:07m:38s
ATMCDR1           27d.22h:53m:41s

ATMCSRVR10        07d.02h:30m:56s

Accepted Solution

Sandeshdubey earned 2000 total points
ID: 39256527
From the errors below, you have a lot of work to do.

Destination DSA     largest delta    fails/total %%   error
 ATMCDR1           27d.22h:53m:41s   13 /  28   46  (1722) The RPC server is una
 ATMCSRVR10        07d.02h:30m:56s    3 /  15   20  (8606) Insufficient attribut
es were given to create an object. This object may not exist because it may have
 been deleted and already garbage collected.
 ATMCSRVR12        36d.06h:43m:29s   17 /  28   60  (1753) There are no more end
points available from the endpoint mapper.
 ATMCSRVR14        27d.23h:07m:38s   10 /  25   40  (1722) The RPC server is una
 ATMCSRVR15        10d.10h:30m:14s    4 /  15   26  (2148074274) The target prin
cipal name is incorrect.
 ATMCSRVR17        11d.00h:35m:25s    5 /  10   50  (2148074274) The target prin
cipal name is incorrect.

From the log it is clear there are multiple issues: the secure channel between the DCs is broken, hence you are getting "target principal name is incorrect"; "Insufficient attributes were given to create an object" indicates you have a lingering object issue; and you are also getting "RPC server unavailable".

The error "The RPC server is unavailable" relates to a port being blocked, a network connectivity issue, or DNS misconfiguration. I would suggest contacting the network/security team to verify that all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from Microsoft which can be downloaded and installed to verify whether the necessary ports are open.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software, many of which sport a new feature called "network traffic protection," which can effectively block necessary AD traffic.

Active Directory and Active Directory Domain Services Port Requirements

Best practices for DNS client settings on DC and domain members.

Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario.

From the log it is clear that the secure channel between the DCs is broken. Hence you are getting the error "target principal name is incorrect".

Refer to the link below:

If you have multiple DCs in the network you can demote and re-promote the DC containing the lingering objects. Sometimes it's difficult to remove lingering objects using repadmin /removelingeringobjects or other tools, and the easiest way to deal with such issues is to demote and re-promote the DC. If lingering objects spread into the domain then they are more difficult to tackle. Demote and promote is the best solution.

For removal of lingering objects see this: http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

Hope this helps.
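The triage in the accepted answer, and the "largest delta" reading in the comment before it, both come from eyeballing the `repadmin /replsummary` table. The script below is an added example (not code from this thread or from Microsoft) that parses that table, glues the console's mid-word line wraps back together, buckets each destination DC by the root cause the answer assigns to its error code (1722/1753 RPC, 8606 lingering objects, 2148074274 broken secure channel), and flags partners whose delta exceeds a threshold. The sample input is the output quoted in the answer; the 30-day default threshold echoes the earlier comment and is an assumption, not a Microsoft-defined limit.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the `repadmin /replsummary` rows quoted in the accepted answer,
# reproduced as the console wrapped them (long error strings break mid-word).
SAMPLE_REPLSUMMARY = """\
Destination DSA     largest delta    fails/total %%   error
 ATMCDR1           27d.22h:53m:41s   13 /  28   46  (1722) The RPC server is una
 ATMCSRVR10        07d.02h:30m:56s    3 /  15   20  (8606) Insufficient attribut
es were given to create an object. This object may not exist because it may have
 been deleted and already garbage collected.
 ATMCSRVR12        36d.06h:43m:29s   17 /  28   60  (1753) There are no more end
points available from the endpoint mapper.
 ATMCSRVR14        27d.23h:07m:38s   10 /  25   40  (1722) The RPC server is una
 ATMCSRVR15        10d.10h:30m:14s    4 /  15   26  (2148074274) The target prin
cipal name is incorrect.
 ATMCSRVR17        11d.00h:35m:25s    5 /  10   50  (2148074274) The target prin
cipal name is incorrect.
"""

# Error codes seen in the output, mapped to the root-cause buckets the accepted
# answer assigns them. Any code not listed lands in "other".
ERROR_CLASSES: Dict[int, str] = {
    1722: "rpc_unavailable",       # RPC server unavailable: ports, connectivity, DNS
    1753: "rpc_unavailable",       # no endpoints from endpoint mapper: same RPC family
    8606: "lingering_objects",     # insufficient attributes: tombstoned object replicated
    2148074274: "secure_channel",  # target principal name incorrect: broken secure channel
}

# One destination-DSA row: name, delta, fails/total, percent, (code) message.
ROW_RE = re.compile(
    r"^\s*(?P<dsa>\S+)\s+"
    r"(?P<d>\d+)d\.(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s\s+"
    r"(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+(?P<pct>\d+)\s+"
    r"\((?P<code>\d+)\)\s*(?P<msg>.*)$"
)


@dataclass
class ReplRow:
    dsa: str
    delta_seconds: int
    fails: int
    total: int
    code: int
    message: str

    @property
    def category(self) -> str:
        return ERROR_CLASSES.get(self.code, "other")


def parse_replsummary(text: str) -> List[ReplRow]:
    """Parse the destination-DSA table. Lines that do not start a new row are
    console wraps of the previous row's error text and are appended without a
    separator, since the wrap splits words ('attribut' + 'es')."""
    rows: List[ReplRow] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("Destination DSA"):
            continue
        m = ROW_RE.match(line)
        if m:
            delta = (int(m["d"]) * 86400 + int(m["h"]) * 3600
                     + int(m["m"]) * 60 + int(m["s"]))
            rows.append(ReplRow(m["dsa"], delta, int(m["fails"]),
                                int(m["total"]), int(m["code"]), m["msg"]))
        elif rows:
            rows[-1].message += line
    return rows


def by_category(rows: List[ReplRow]) -> Dict[str, List[str]]:
    """Group destination DCs by root-cause bucket, preserving table order."""
    groups: Dict[str, List[str]] = {}
    for r in rows:
        groups.setdefault(r.category, []).append(r.dsa)
    return groups


def stale_partners(rows: List[ReplRow], max_days: int = 30) -> List[str]:
    """DCs whose largest delta exceeds max_days. The 30-day default is an assumed
    threshold taken from the comment above; tune it to your forest's tombstone
    lifetime, which is the real limit for lingering objects."""
    return [r.dsa for r in rows if r.delta_seconds > max_days * 86400]


if __name__ == "__main__":
    parsed = parse_replsummary(SAMPLE_REPLSUMMARY)
    for cat, dcs in by_category(parsed).items():
        print(f"{cat:18s} {', '.join(dcs)}")
    print("stale (>30d):", ", ".join(stale_partners(parsed)))
```

Run against the answer's table this separates the three problems the answer names: three DCs in the RPC bucket (firewall/port/DNS work), one with lingering objects (ATMCSRVR10, the metadata-cleanup candidate), and two with a broken secure channel; ATMCSRVR12 alone has been out of sync for more than 30 days. Feed it a fresh `repadmin /replsummary` capture instead of the constant to re-check after each fix.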
