AD DNS replication issues on W2K8 R2 SP1

Posted on 2013-06-16
Last Modified: 2013-06-30
Dear gurus,

We have 4 sites in the domain; we have the master server IP, and the other (additional) domain controllers are , , etc.

Now the issue: they can't replicate with each other; a user created on the master AD doesn't replicate to the others.

We checked the firewall, network cabling, ping, DNS tests and AD DNS config, but none of them resolved the issue.

We conducted some tests and attached the results.

Can someone assist us with how we can resolve it? Even on the same network the server can't replicate AD user permissions: say we want to grant access to a folder on another file server; we create the user, and it is not seen in the AD list on the file server when assigning permissions.

This network worked fine for 3 months and we have not changed anything anywhere.

The master server is on a physical HP machine, while the rest are all VMs on VMware vSphere, mostly working.

Kindly assist us.
Question by: tmsa12

Author Comment

ID: 39251211
LVL 21

Expert Comment

ID: 39251439

I just had a look at the logs; it seems the servers are missing a few DNS records. I would suggest you restart the "Netlogon" service on the DCs. Usually the missing SRV records get created once you restart the Netlogon service.

LVL 19

Expert Comment

by:Peter Hutchison
ID: 39251513
A few things to check:
Is your DNS in AD-integrated or master/slave mode?
In DNS, does each DNS server have an NS (Name Server) record?
Which DCs have the Global Catalog service enabled? One, two or all?
Make sure GC and LDAP SRV records exist for each DC that has it enabled.

Restarting the Netlogon and DNS services may help. Running ipconfig /registerdns will refresh settings on each server.


Expert Comment

ID: 39252105
It seems like lingering objects. Please check the health of the server and run the command below, or follow the Microsoft link mentioned below.

c:\>repadmin /removelingeringobjects <Dest_DSA_LIST> <Source_DSA_GUID> <NC> [/ADVISORY_MODE]
LVL 13

Expert Comment

ID: 39252452

You have DNS issues and lingering object issues. Check that the date/time of your physical DC and of the virtual DCs are in sync. Fix the DNS issues: point the primary DNS of all virtual DCs to your physical DC, then perform ipconfig /registerdns or a Netlogon service restart. Which is your physical DC, ATMCSRVR10? If you can't fix the issue, remove the 30-day-old DC, perform a metadata cleanup and promote it as a DC again.

ATMCSRVR12        36d.06h:43m:29s
ATMCSRVR14        27d.23h:07m:38s
ATMCDR1           27d.22h:53m:41s

ATMCSRVR10        07d.02h:30m:56s

LVL 24

Accepted Solution

Sandeshdubey earned 500 total points
ID: 39256527
From the errors below you have a lot of work to do.

Destination DSA     largest delta    fails/total %%   error
 ATMCDR1           27d.22h:53m:41s   13 /  28   46  (1722) The RPC server is una
 ATMCSRVR10        07d.02h:30m:56s    3 /  15   20  (8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
 ATMCSRVR12        36d.06h:43m:29s   17 /  28   60  (1753) There are no more endpoints available from the endpoint mapper.
 ATMCSRVR14        27d.23h:07m:38s   10 /  25   40  (1722) The RPC server is una
 ATMCSRVR15        10d.10h:30m:14s    4 /  15   26  (2148074274) The target principal name is incorrect.
 ATMCSRVR17        11d.00h:35m:25s    5 /  10   50  (2148074274) The target principal name is incorrect.

From the log it is clear there are multiple issues: the secure channel between the DCs is broken, hence you are getting "target principal name is incorrect"; "Insufficient attributes were given to create an object" indicates you have a lingering object issue; and you are also getting "RPC server unavailable".

The error "The RPC server is unavailable" relates to a port being blocked, a network connectivity issue, or DNS misconfiguration. I would suggest contacting the network/security team to verify that all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall:

It can also be caused by antivirus software, with many of them sporting a new feature called "network traffic protection", which can effectively block necessary AD traffic.

Active Directory and Active Directory Domain Services Port Requirements

Best practices for DNS client settings on DC and domain members.

Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario.

From the log it is clear that the secure channel between the DCs is broken. Hence you are getting the error "target principal name is incorrect".

Refer to the link below:

If you have multiple DCs in the network you can demote and re-promote the DC containing the lingering objects. Sometimes it is difficult to remove lingering objects, either using repadmin /removelingeringobjects or another tool, and the easiest way to deal with such issues is to demote and re-promote the DC. If lingering objects spread in the domain, they are more difficult to tackle. Demote and promote is the best solution.

For removal of lingering objects see this:

Hope this helps
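The checks suggested in the thread (Peter Hutchison's SRV/GC record list, and the port, firewall and clock-sync points from the accepted answer) can be run from one place. This is an added example, not code from the thread or from any of the posters; it assumes a Windows 8.1 / Server 2012 R2 or newer admin box with RSAT (ActiveDirectory and DnsClient modules), run as a domain admin, and the port list and 300-second skew limit are assumptions.

```powershell
# Added example, not from the thread. Queries every DC in the domain from an RSAT admin box
# (the 2008 R2 DCs are only targets). Port list and 300 s skew limit are assumptions.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | Sort-Object HostName
# Ports replication depends on: RPC endpoint mapper (errors 1722/1753 in repadmin), LDAP, GC,
# Kerberos (error 2148074274 is a Kerberos/secure-channel failure), SMB, DNS.
$ports  = 135, 389, 3268, 88, 445, 53

# SRV records every DC (and every GC) must publish; these are what Netlogon re-registers.
# The Where-Object drops the additional A records Resolve-DnsName returns alongside the SRVs.
$ldapTargets = (Resolve-DnsName "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
                Where-Object { $_.NameTarget }).NameTarget
$gcTargets   = (Resolve-DnsName "_gc._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue |
                Where-Object { $_.NameTarget }).NameTarget

foreach ($dc in $dcs) {
    $fqdn = $dc.HostName

    # Firewall / RPC check: a closed port here is the usual cause of 1722 and 1753.
    $closed = foreach ($p in $ports) {
        if (-not (Test-NetConnection $fqdn -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue)) { $p }
    }

    # Clock check: Kerberos tolerates 5 minutes of skew by default; beyond that the secure
    # channel fails. w32tm prints the offset of the remote clock as e.g. "+00.0123456s".
    $line = (w32tm /stripchart /computer:$fqdn /samples:1 /dataonly 2>$null) -match '[+-]\d+\.\d+s'
    $skew = if ($line) { [double]([regex]::Match($line[-1], '([+-]\d+\.\d+)s').Groups[1].Value) } else { $null }

    [pscustomobject]@{
        DC          = $fqdn
        Site        = $dc.Site
        IsGC        = $dc.IsGlobalCatalog
        LdapSrvOK   = [bool]($ldapTargets -contains $fqdn)
        GcSrvOK     = (-not $dc.IsGlobalCatalog) -or ($gcTargets -contains $fqdn)
        ClosedPorts = ($closed -join ',')
        SkewSeconds = $skew
        SkewOK      = ($null -ne $skew) -and ([math]::Abs($skew) -lt 300)
    }
}
```

A DC with LdapSrvOK or GcSrvOK false is the one to restart Netlogon on (or run ipconfig /registerdns); a non-empty ClosedPorts column is what to hand to the firewall team before touching anything else.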
