

AD DNS replication issues on W2K8 R2 SP1

Posted on 2013-06-16
Medium Priority
Last Modified: 2013-06-30
Dear gurus,

We have 4 sites with the domain atmc.com.sa. We have the master server IP and the other (additional) domain controllers are ,, etc.

Now the issue: they can't replicate with each other; a user created on the master AD doesn't replicate to the others.

We checked the firewall, network cabling, ping, DNS test and AD DNS config, but none of them resolved the issue.

We conducted some tests and attached the results.

Can someone assist us with how we can resolve it? Even on the same network, say, the server can't replicate permissions for AD users: say we want to assign permissions on a folder on another file server; we create a user and it is not seen in the AD list on the file server to assign the permission.

This network worked fine for 3 months and we have not changed anything anywhere.

The master server is on a physical HP machine, while the rest all run as VMs on VMware vSphere, working mostly.

Kindly assist us.
Question by:tmsa12
LVL 23

Expert Comment

by:Radhakrishnan R
ID: 39251439

I just had a look at the logs; it seems the servers are missing a few DNS records. I would suggest restarting the "netlogon" service on the DCs. Usually the missing SRV records get created once you restart the netlogon service.

LVL 20

Expert Comment

by:Peter Hutchison
ID: 39251513
A few things to check:
Is your DNS in AD Integrated or Master/Slave mode?
In DNS, does each DNS server have an NS (Name Server) record?
Which DCs have the Global Catalog service enabled? One, two or all?
Make sure GC and LDAP SRV records exist for each DC that has it enabled.

Restarting the Netlogon and DNS services may help. Running ipconfig /registerdns will refresh the registrations on each server.
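The checks in the answer above, as an added example that is not code from the thread: it walks every DC in the domain and reports which of the LDAP/Kerberos SRV records, the GC SRV record (Global Catalogs only) and the zone NS record are missing for it. It assumes a domain-joined host with Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later) and the domain name atmc.com.sa from the question.

```powershell
# Added example, not code from the thread: verify that every DC publishes the
# DNS records replication and logon depend on. Assumes Resolve-DnsName and that
# the script runs on a member of the domain atmc.com.sa (taken from the question).
$Domain = 'atmc.com.sa'
$Dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

# Returns the lower-cased target host names of an SRV record set, or nothing on NXDOMAIN.
function Get-SrvTargets([string]$Name) {
    try {
        Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
    } catch { @() }
}

# Every DC must appear under _ldap and _kerberos; only Global Catalogs under _gc.
$Required = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")
$GcRecord = "_ldap._tcp.gc._msdcs.$Domain"
# NS records at the zone apex: each DNS server hosting the zone should be listed.
$NsHosts  = @(Resolve-DnsName -Name $Domain -Type NS -ErrorAction SilentlyContinue |
              Where-Object { $_.QueryType -eq 'NS' } |
              ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() })

foreach ($Dc in $Dcs) {
    $Fqdn    = $Dc.Name.ToLower()
    $Missing = @()
    foreach ($Record in $Required) {
        if (@(Get-SrvTargets $Record) -notcontains $Fqdn) { $Missing += $Record }
    }
    if ($Dc.IsGlobalCatalog() -and (@(Get-SrvTargets $GcRecord) -notcontains $Fqdn)) {
        $Missing += $GcRecord
    }
    if ($NsHosts -notcontains $Fqdn) { $Missing += "NS record in $Domain" }

    if ($Missing.Count -eq 0) {
        Write-Output "$Fqdn : all expected records present"
    } else {
        # Missing SRV records normally re-register after restarting Netlogon on that DC
        # (or 'ipconfig /registerdns' there); a missing NS record is added in the DNS console.
        Write-Output ("$Fqdn : MISSING " + ($Missing -join ', '))
    }
}
```

A DC that lists every record here but still fails replication points away from DNS registration and towards connectivity, time or secure-channel problems.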


Expert Comment

ID: 39252105
It seems like lingering objects. Please check the server health and run the command below, or please follow the Microsoft link mentioned below.

c:\>repadmin /removelingeringobjects <Dest_DSA_LIST> <Source DSA GUID> <NC> [/ADVISORY_MODE]

LVL 13

Expert Comment

ID: 39252452

You have DNS issues and lingering object issues. Check that your physical DC date/time and virtual DC date/time are in sync. Fix the DNS issues: point all virtual DCs' primary DNS to your physical DC, then perform ipconfig /registerdns or restart the netlogon service. Which is your physical DC, ATMCSRVR10? If you can't fix the issue, remove the 30-day-old DC, perform metadata cleanup and promote it as a DC again.

ATMCSRVR12        36d.06h:43m:29s
ATMCSRVR14        27d.23h:07m:38s
ATMCDR1           27d.22h:53m:41s
ATMCSRVR10        07d.02h:30m:56s

LVL 24

Accepted Solution

Sandeshdubey earned 2000 total points
ID: 39256527
From the errors below you have a lot of work to do.

Destination DSA     largest delta    fails/total %%   error
 ATMCDR1           27d.22h:53m:41s   13 /  28   46  (1722) The RPC server is una
 ATMCSRVR10        07d.02h:30m:56s    3 /  15   20  (8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
 ATMCSRVR12        36d.06h:43m:29s   17 /  28   60  (1753) There are no more endpoints available from the endpoint mapper.
 ATMCSRVR14        27d.23h:07m:38s   10 /  25   40  (1722) The RPC server is una
 ATMCSRVR15        10d.10h:30m:14s    4 /  15   26  (2148074274) The target principal name is incorrect.
 ATMCSRVR17        11d.00h:35m:25s    5 /  10   50  (2148074274) The target principal name is incorrect.

From the log it is clear there are multiple issues: the secure channel between the DCs is broken, hence you are getting "target principal name incorrect"; "Insufficient attributes were given to create an object" indicates you have a lingering object issue; and you are also getting "RPC server unavailable".

The error "The RPC server is unavailable" relates to ports being blocked, a network connectivity issue, or DNS misconfiguration. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software, many of which sport a new feature called "network traffic protection" that can effectively block necessary AD traffic.

Active Directory and Active Directory Domain Services Port Requirements

Best practices for DNS client settings on DC and domain members.

Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario.

From the log it is clear that the secure channel between the DCs is broken. Hence you are getting the error "target principal name is incorrect".

Refer to the link below:

If you have multiple DCs in the network you can demote and re-promote the DC containing the lingering objects. Sometimes it is difficult to remove lingering objects, either using repadmin /removelingeringobjects or another tool, and the easiest way to deal with such issues is to demote and re-promote the DC. If lingering objects spread in the domain they are more difficult to tackle. Demote and promote is the best solution.

For removal of lingering objects see this: http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

Hope this helps.
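The triage in the accepted answer, as an added example that is not code from the thread: it parses the output of repadmin /replsummary, maps the four error codes seen in this question (1722, 1753, 8606, 2148074274) to the cause the answer attributes to each, and for the RPC-class failures probes the AD ports the answer says to verify on the firewall. It assumes repadmin.exe is on the PATH and PowerShell 3 or later; the Test-Port helper and the $Triage table are this example's own.

```powershell
# Added example, not code from the thread: triage 'repadmin /replsummary'.
# Assumes repadmin.exe on the PATH (a DC or RSAT host) and PowerShell 3+.
$Triage = @{
    '1722'       = 'RPC server unavailable: partner not resolvable in DNS, or TCP 135 plus the dynamic RPC range blocked'
    '1753'       = 'No endpoint-mapper endpoints: TCP 135 answers but the dynamic RPC ports are filtered'
    '8606'       = 'Insufficient attributes: lingering objects on the source; clean them up or demote/re-promote that DC'
    '2148074274' = 'Target principal name incorrect: broken secure channel/Kerberos between the DCs; verify time sync first'
}

# TCP connect with a timeout; uses TcpClient so it also runs on Server 2008 R2 (no Test-NetConnection).
function Test-Port([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# One row per failing partner line, e.g. " ATMCDR1  27d.22h:53m:41s  13 / 28  46  (1722) The RPC server is una".
# Lines with zero failures carry no "(code)" and are skipped; the delta may also read ">60 days".
$Pattern = '^\s*(?<dsa>\S+)\s+(?<delta>.+?)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s+\((?<code>\d+)\)\s*(?<msg>.*)$'
$Rows = foreach ($Line in (repadmin /replsummary)) {
    if ($Line -match $Pattern) {
        [pscustomobject]@{
            DSA    = $Matches.dsa
            Delta  = $Matches.delta
            Fails  = "$($Matches.fails)/$($Matches.total)"
            Code   = $Matches.code
            Action = if ($Triage.ContainsKey($Matches.code)) { $Triage[$Matches.code] }
                     else { "not covered here; decode with: certutil -error $($Matches.code)" }
        }
    }
}
$Rows | Format-Table -AutoSize -Wrap

# For RPC-class failures, probe the AD ports from this host towards the partner.
# Short DSA names resolve through this host's DNS suffix search list.
foreach ($Row in $Rows | Where-Object { $_.Code -eq '1722' -or $_.Code -eq '1753' }) {
    foreach ($Port in 135, 389, 445, 88) {
        $State = if (Test-Port $Row.DSA $Port) { 'open' } else { 'BLOCKED/unreachable' }
        Write-Output ("{0} tcp/{1}: {2}" -f $Row.DSA, $Port, $State)
    }
}
```

Run it from more than one DC: a port that is open from the physical DC but blocked from the VMware-hosted ones localises the problem to the virtual network or firewall path rather than to AD itself.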
