DC Replication Issue

Posted on 2013-10-04
Medium Priority
Last Modified: 2013-10-14
We are adding another branch to our main office that is on the other side of the city. We have a site-to-site VPN configured with two Cisco ASA 5505s. The main site has a Server 2003 Domain Controller and the new site has a Server 2012 that we just made a Domain Controller. We raised forest functional levels to the appropriate level and successfully added the 2012 server as another Domain Controller.

I went into AD Sites and Services and configured two sites, Site-Main and Site-Remote. I entered the appropriate subnets in place. I am able to ping their internal IPs successfully.

The problem I am having is they seem to not be able to replicate. I tried to manually replicate and I get the following message:

"the following error occurred during an attempt to synchronize naming context from domain.local from domain controller server 2 to domain controller server 1: The naming context is in the process of being removed or is not replicated from the specified server.

this operation will not continue."

I've tried dcdiag /fix as well as repadmin /syncall. Below are the dcdiag results:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SERVER2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: domain-Remote\SERVER2
      Starting test: Connectivity
         ......................... SERVER2 passed test Connectivity

Doing primary tests

   Testing server: domain-Remote\SERVER2
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\SERVER1.domain.local,
         when we were trying to reach SERVER2.
         ......................... SERVER2 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SERVER2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SERVER2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SERVER2 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SERVER2\netlogon)
         [SERVER2] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... SERVER2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SERVER2 passed test Replications
      Starting test: RidManager
         ......................... SERVER2 passed test RidManager
      Starting test: Services
         ......................... SERVER2 passed test Services
      Starting test: SystemLog
         ......................... SERVER2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER2 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         A Good Time Server could not be located.
         ......................... domain.local failed test LocatorCheck
      Starting test: Intersite
         ......................... domain.local passed test Intersite
Question by:joe_edmond

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 700 total points
ID: 39547629
When you created the new Site did you do the following steps...
- Create the new Subnet
- Associate the new Subnet with the Default-Site-Link
- Allow the KCC to automatically create the connections for you

Run the following commands
Repadmin /replsum
Repadmin /showrepl
Repadmin /bridgeheads

When you expand Default-Site-Link> Servers> You should see your branch office DC> expand then click on "NTDS Settings". Make sure that there is a connection back to the main DC and the connection is set to automatically generated.

Also make sure that you are not using a "preferred" bridgehead server either. Let the KCC do its job.


Author Comment

ID: 39547791
I created another site, so there's the default site and another site.

Then I associated new subnets with the sites

Then I went into the DefaultIPSiteLink and noticed that the Sites were already configured, and I closed out.

Summary of repadmin /replsum:

Replication Summary Start Time: 2013-10-04 14:52:16

Beginning data collection for replication summary, this may take awhile:

Source DSA          largest delta    fails/total %%   error
 SERVER1                   09m:31s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 SERVER2                   09m:31s    0 /   5    0

Results of Showrepl:

Repadmin: running command /showrepl against full DC localhost
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: fa715963-9248-452b-9e5a-ac72c3e54d8f
DSA invocationID: b4487471-1014-4847-aa4e-afd49d837454

==== INBOUND NEIGHBORS ======================================

    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

Results from bridgeheads:

Repadmin: running command /bridgeheads against full DC localhost
Gathering topology from site Domain-Remote (SERVER2.Domain.local):

Bridgeheads for site Domain-Remote (SERVER2.Domain.local):
             Source Site    Local Bridge  Trns         Fail. Time    #    Status

         ===============  ==============  ====  =================   ===  =======
                Domain-Main         SERVER2    IP             (never)   0   The operation completed successfully.
                 DomainDnsZones ForestDnsZones Domain Configuration

Bridgeheads for site Domain-Main (SERVER1.Domain.local):
             Source Site    Local Bridge  Trns         Fail. Time    #    Status

         ===============  ==============  ====  =================   ===  =======
              Domain-Remote         SERVER1    IP 2013-10-03 18:12:24  83   The DSA operation is unable to proceed because of a DNS lookup failure.
                 Configuration Domain

Author Comment

ID: 39547795
All of these commands were done on Server 2, the new server at the branch office.

Expert Comment

by:Will Szymkowski
ID: 39547811
From a replication standpoint it looks fine. Can you run the same commands on the DC in the main office? Also check the event logs on both DCs to ensure there are no warnings/errors.

Author Comment

ID: 39547867
What about the "operation is unable to proceed because of a DNS lookup failure"? I'd like to be able to manually replicate... but the errors still persist.

Here is what I found in the event viewer of Server 1, the main office:

DNS Event Log

The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Directory Service Error Event ID 1311

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

Author Comment

ID: 39547876
Also to note, I created an Active Directory Integrated, Reverse Lookup Zone on Server 2 and it is NOT replicated onto Server 1.

-I really do appreciate all of the help

Expert Comment

by:Will Szymkowski
ID: 39548182
Is the DC at the remote site part of the name servers for your internal domain? Also, what is the DC using for DNS? Is it pointing to itself or to the DC at the main site?

Author Comment

ID: 39548209
Server 1 - Main Site DC  (Site A)

Server 2 - Remote Site DC  (Site B)

Server 1 is part of the name servers for my internal domain. It's the primary DNS Server for Site A.

Server 2 is part of the name servers for my internal domain. It's the primary DNS Server for Site B.

Server 2 has Server 1 as the primary DNS and itself as backup. Server 1 has Server 2 as primary DNS and itself as backup.

I fixed the DNS lookup error I was getting in the bridgehead repadmin command by adding the DNS settings like I have just typed. So no more replication errors.

I am however getting the same errors on my dcdiag...

Expert Comment

by:Will Szymkowski
ID: 39548227
DCs should be pointing to themselves. What errors are you getting in dcdiag?

Author Comment

ID: 39548232
I have also noticed some event logs in the Directory Service log. All other logs are clear... I've attached the file for review.

Author Comment

ID: 39548238
DCDiag results are in my original post.

Accepted Solution

Sandeshdubey earned 1300 total points
ID: 39548268
From the above log it is clear that the netlogon share is missing. You can run the net share command to check the same. Check the sysvol share too, and check the sysvol folder: both the Policies and scripts folders should be present.

It also seems to be a DNS misconfiguration issue, or necessary ports are not open for AD communication, as you are getting event ID 1311. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open or not.
Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx
Active Directory and Active Directory Domain Services Port Requirements.
Ensure the following DNS settings on the DC:
 1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
 2. Each DC has just one IP address and a single network adapter is enabled.
 3. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set public DNS servers in the TCP/IP settings of the DC.
 4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS and NETLOGON services on each DC.
 Do not put private DNS IP addresses in the forwarder list.
 5. Assign a static IP address to the DC if the IP address is assigned by a DHCP server. A DHCP-assigned address on a DC is strongly not recommended.
Troubleshooting Event ID 1311: Knowledge Consistency Checker:
Event ID 1566 — Network Name Resource Availability:
Event ID 1865 — KCC Replication Path Computation:

To fix the missing netlogon share: from the log it is clear that the netlogon/sysvol shares are not available. This indicates that the c:\windows\sysvol\domain.com folder might be empty. If this is the case, the Policies and scripts folders might be missing from the above path.

If multiple DCs are present in the network you need to do an authoritative and a non-authoritative restore of sysvol. You have to do the non-authoritative (D2) restore on the faulty server (Server2) where the netlogon share is missing and the authoritative (D4) restore on the healthy DC, assuming you have only two DCs. Essentially the "http://support.microsoft.com/kb/290762/" article.

Also configure the authoritative time server role on the PDC role holder server. http://support.microsoft.com/kb/816042
Can you post the following to further help us diagnose this?
•Unedited ipconfig /all from each DC
•A PortQry result (just post any "FILTERED" or "NOT LISTENING" in the results)
•Dcdiag /q and repadmin /replsum output

Hope this helps
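An added check script (not part of Sandeshdubey's answer) that tests the items listed above on one DC: the NETLOGON/SYSVOL shares, the Policies and scripts folders, a single static address on a single adapter, the DC's own address first in its DNS client list, and no private addresses in the forwarder list. It assumes the Windows Server 2012 SmbShare/NetTCPIP/DnsClient/DnsServer cmdlets and the default SYSVOL path under SystemRoot.

```powershell
# Run in an elevated PowerShell session on each DC; collects findings instead of stopping
# at the first one, so the output can be compared between SERVER1 and SERVER2.
$findings = New-Object System.Collections.Generic.List[string]
$rfc1918  = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'   # private IPv4 ranges

# 1. NETLOGON and SYSVOL shares (dcdiag's NetLogons test failed with error 67 above)
$shares = @(Get-SmbShare | Select-Object -ExpandProperty Name)
foreach ($s in 'NETLOGON', 'SYSVOL') {
    if ($shares -notcontains $s) { $findings.Add("share $s is not published") }
}

# 2. Policies and scripts folders under SYSVOL\domain (default location assumed)
$sysvolDomain = Join-Path $env:SystemRoot 'SYSVOL\domain'
foreach ($sub in 'Policies', 'scripts') {
    if (-not (Test-Path (Join-Path $sysvolDomain $sub))) {
        $findings.Add("folder $sub is missing under $sysvolDomain")
    }
}

# 3. Exactly one connected physical adapter with exactly one static IPv4 address
$nics = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
if ($nics.Count -eq 0) { throw 'no connected physical adapter found' }
if ($nics.Count -ne 1) { $findings.Add("expected one connected adapter, found $($nics.Count)") }
$addr = @(Get-NetIPAddress -InterfaceIndex $nics[0].ifIndex -AddressFamily IPv4)
if ($addr.Count -ne 1) { $findings.Add("expected one IPv4 address, found $($addr.Count)") }
$ip = $addr[0].IPAddress
if ($addr[0].PrefixOrigin -eq 'Dhcp') { $findings.Add("$ip is DHCP-assigned; a DC needs a static address") }

# 4. DNS client list: this DC's own address first, the other DC after it; loopback is
#    acceptable only as an alternate, and no public resolver belongs in TCP/IP settings
$dns = @((Get-DnsClientServerAddress -InterfaceIndex $nics[0].ifIndex -AddressFamily IPv4).ServerAddresses)
if ($dns.Count -eq 0 -or $dns[0] -ne $ip) {
    $findings.Add("DNS servers are '$($dns -join ', ')'; the first entry should be this DC's own address $ip")
}
$public = @($dns | Where-Object { $_ -notmatch $rfc1918 -and $_ -ne '127.0.0.1' })
if ($public.Count -gt 0) { $findings.Add("public DNS server(s) in TCP/IP settings: $($public -join ', ')") }

# 5. Forwarders should be the ISP's resolvers, never private addresses
$fwd = @(Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
$privateFwd = @($fwd | Where-Object { $_ -match $rfc1918 })
if ($privateFwd.Count -gt 0) { $findings.Add("private addresses in forwarder list: $($privateFwd -join ', ')") }

if ($findings.Count -eq 0) { "All checks passed on $env:COMPUTERNAME" }
else { $findings | ForEach-Object { "[$env:COMPUTERNAME] $_" } }
```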

Author Comment

ID: 39559685
Here are the results I got from Server 3 (Remote Site). You are correct that there are no SYSVOL or NETLOGON shares.

Author Comment

ID: 39559977
I'm confused, why would I need to do restores? It looks like maybe the site topology is having issues connecting to the other side?

After seeing the results is a restore from Both sides still necessary?

Expert Comment

ID: 39560240
From the above you have set the loopback IP address as primary. If the loopback IP address is configured as the primary DNS setting then remove it and add the IP address of the server. If it is set as the alternate DNS setting then there is no problem. See this: http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx

As mentioned earlier there is sysvol replication. Have you verified the netlogon share and sysvol content? If the Policies and scripts folders are missing you need to perform an authoritative and non-authoritative restore of sysvol. On the healthy DC it should be D4 and on the faulty DC it should be D2. "http://support.microsoft.com/kb/290762/"

Author Comment

ID: 39560374
What do D4 and D2 mean? Doesn't the SYSVOL folder just copy over if replication is successful? This is a brand new Domain Controller just implemented.

I can set the primary DNS to its real IP address and will do it now.

Author Comment

ID: 39560411
Ok, the IP's are changed.

I understand what D2 and D4 are now. My question was this was a new DC implementation, and apparently SYSVOL and NETLOGON never got copied over when DCPromo was run from the Server 2012 console.

So wouldn't a restore not work in this situation if it never replicated to begin with?

Expert Comment

ID: 39560421
Yes, if the sysvol data is not replicated to the new DC, running D2 on the new server will pull the sysvol data from the old server. As you have only two DCs, on the old server run D4 and on the new server, where the share and sysvol data are missing, run D2.
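An added example (not the expert's own script) wrapping the FRS BurFlags procedure from KB 290762 that the answers above refer to: D4 on the healthy DC, then D2 on the new DC whose SYSVOL never arrived. It assumes SYSVOL is still replicated by FRS (the NtFrs service), as it is in this domain with a 2003 DC, and that the session is elevated.

```powershell
# KB 290762 registry location; BurFlags is read by NtFrs on the next service start.
$burKey = 'HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-FrsBurFlags {
    # D4 = authoritative: this DC's SYSVOL copy becomes the master that partners pull.
    # D2 = non-authoritative: this DC discards its copy and re-pulls SYSVOL from a partner.
    param([Parameter(Mandatory)][ValidateSet('Authoritative', 'NonAuthoritative')][string]$Mode)
    $flag = if ($Mode -eq 'Authoritative') { 'D4' } else { 'D2' }
    Stop-Service -Name NtFrs
    # reg.exe rather than Set-ItemProperty: the key name contains '/', which the PowerShell
    # registry provider would treat as a path separator.
    & reg.exe add $burKey /v BurFlags /t REG_DWORD /d "0x$flag" /f | Out-Null
    Start-Service -Name NtFrs
    "NtFrs restarted with BurFlags=0x$flag ($Mode) on $env:COMPUTERNAME"
}

function Wait-FrsSysvolShared {
    # Polls the FRS event log for event 13516, which FRS logs once SYSVOL is shared again
    # and the DC may advertise; returns $false if it does not appear within the timeout.
    param([datetime]$Since = (Get-Date), [int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $Since } -ErrorAction SilentlyContinue
        if ($ev) { return $true }
        Start-Sleep -Seconds 30
    }
    return $false
}

# Order matters: the healthy DC first, and only after it reports 13516 the faulty one.
# On SERVER1:  $t = Get-Date; Set-FrsBurFlags Authoritative;    Wait-FrsSysvolShared -Since $t
# On SERVER2:  $t = Get-Date; Set-FrsBurFlags NonAuthoritative; Wait-FrsSysvolShared -Since $t
```

After 13516 appears on SERVER2, `net share` there should list NETLOGON and SYSVOL again and `dcdiag /test:NetLogons` should pass.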

Assisted Solution

joe_edmond earned 0 total points
ID: 39560703
The problem has been fixed. Thanks to both of you for the help! I successfully did the restores on both servers, and all errors seem to go away with the exception of the NTP.

I noticed NTP was not configured on my original DC. I configured it, started the Windows Time service, then went to Remote Site DC (Server3) and did the following:

net stop w32time

w32tm /unregister

w32tm /register

net start w32time

I performed another DCDiag just to be safe, and now the only error I get is Server 3 is not advertised as a network time server (which is what is actually correct?)

Author Closing Comment

ID: 39570374
Explaining to users how to reset the time server after you configure the NTP Service on the domain controller.
