DC Replication Issue

We are adding another branch to our main office that is on the other side of the city. We have a site to site VPN configured with two Cisco ASA 5505's. The Main site has a Server 2003 Domain Controller and the New site has a Server 2012 that we just made a Domain Controller. We raised forest functional levels to the appropriate level and successfully added the 2012 server as another Domain Controller.

I went into AD Site and Services and configured two sites, Site-Main and Site-Remote. I entered the appropriate subnets in place. I am able to ping their internal IP's successfully.

The problem I am having is they seem to not be able to replicate. I tried to manually replicate and I get the following message:

"the following error occurred during an attempt to synchronize naming context from domain.local from domain controller server 2 to domain controller server 1: The naming context is in the process of being removed or is not replicated from the specified server.

this operation will not continue."

I've tried dcdiag /fix as well as repadmin /syncall. Below are the dcdiag results:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SERVER2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: domain-Remote\SERVER2
      Starting test: Connectivity
         ......................... SERVER2 passed test Connectivity

Doing primary tests

   Testing server: domain-Remote\SERVER2
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\SERVER1.domain.local,
         when we were trying to reach SERVER2.
         ......................... SERVER2 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SERVER2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SERVER2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SERVER2 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SERVER2\netlogon)
         [SERVER2] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... SERVER2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SERVER2 passed test Replications
      Starting test: RidManager
         ......................... SERVER2 passed test RidManager
      Starting test: Services
         ......................... SERVER2 passed test Services
      Starting test: SystemLog
         ......................... SERVER2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER2 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         A Good Time Server could not be located.
         ......................... domain.local failed test LocatorCheck
      Starting test: Intersite
         ......................... domain.local passed test Intersite
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
When you created the new Site did you do the following steps...
- Create the new Subnet
- Associate the new Subnet with the Default-Site-Link
- Allow the KCC to automatically create the connections for you

Run the following commands
Repadmin /replsum
Repadmin /showrepl
Repadmin /bridgeheads

When you expand Default-Site-Link> Servers> You should see your branch office DC> expand then click on "NTDS Settings". Make sure that there is a connection back to the main DC and the connection is set to automatically generated.

Also make sure that you are not using a "preferred" bridgehead server either. Let the KCC do its job.

joe_edmondAuthor Commented:
I created another site, so theres the default site and another site.

Then I associated new subnets with the sites

Then I went into the DefaultIPSiteLink and noticed that the Sites were already configured, and I closed out.

Summary of repadmin /replsum:

[i]Replication Summary Start Time: 2013-10-04 14:52:16

Beginning data collection for replication summary, this may take awhile:

Source DSA          largest delta    fails/total %%   error
 SERVER1                   09m:31s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 SERVER2                   09m:31s    0 /   5    0[/i]

Results of Showrepl:

Repadmin: running command /showrepl against full DC localhost
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: fa715963-9248-452b-9e5a-ac72c3e54d8f
DSA invocationID: b4487471-1014-4847-aa4e-afd49d837454

==== INBOUND NEIGHBORS ======================================

    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

Results from birdgeheads:

Repadmin: running command /bridgeheads against full DC localhost
Gathering topology from site Domain-Remote (SERVER2.Domain.local):

Bridgeheads for site Domain-Remote (SERVER2.Domain.local):
             Source Site    Local Bridge  Trns         Fail. Time    #    Status

         ===============  ==============  ====  =================   ===  =======
                Domain-Main         SERVER2    IP             (never)   0   The ope
ration completed successfully.
                 DomainDnsZones ForestDnsZones Domain Configuration

Bridgeheads for site Domain-Main (SERVER1.Domain.local):
             Source Site    Local Bridge  Trns         Fail. Time    #    Status

         ===============  ==============  ====  =================   ===  =======
              Domain-Remote         SERVER1    IP 2013-10-03 18:12:24  83   The DSA
 operation is unable to proceed because of a DNS lookup failure.
                 Configuration Domain
joe_edmondAuthor Commented:
ALl of these commands were done on Server 2, the new server at the branch office.
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Will SzymkowskiSenior Solution ArchitectCommented:
From a replicaiton stand point it looks fine. Can you run the same commands on the DC in the main office? Also check the event logs on both DC's to ensure there are no warning/errors.
joe_edmondAuthor Commented:
what about the operation was unable to proceed because of a DNS lookup failure? I'd like to be able to manually replicate...but the errors still persist.

Here is what I found in the event viewer of Server 1, the main office:

DNS Event Log

The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Directory Service Error Event ID 1311

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
joe_edmondAuthor Commented:
Also to note, I created an Active Directory Integrated, Reverse Lookup Zone on Server 2 and it is NOT replicated onto Server 1.

-I really do appreciate all of the help
Will SzymkowskiSenior Solution ArchitectCommented:
Is the DC at the remote site part of the name servers for your internal domain? Also what is the DC using for DNS? Is it point to itself or the DC at the main site?
joe_edmondAuthor Commented:
Server 1 - Main Site DC  (Site A)

Server 2 - Remote Site DC  (Site B)

Server 1 is part of the name servers for my internal domain. It's the primary DNS Server for Site A.

Server 2 is part of the name servers for my internal domain. It's the primary DNS Server for Site B

Server 2 has Server 1 as the primary DNS & Itself as backup. Server 1 has Server 2 as primary DNS and itself as backup.

I fixed the DNS Lookup error I was getting in the bridgehead repadmin command by adding the DNS settings like i have just typed. So no more replication errors.

I am however getting the same errors on my dcdiag...
Will SzymkowskiSenior Solution ArchitectCommented:
DC's should be pointing to themselves. What errors are you getting in dcdiag?
joe_edmondAuthor Commented:
I have also noticed some event logs in the Directory Service log. All other logs are clear... I've attached the file for review.
joe_edmondAuthor Commented:
DCDiag results are in my original post.
SandeshdubeySenior Server EngineerCommented:
From the above log it is clear that netlogon share is missing.You can run net share command to check the same.Check the sysvol share too and check the sysvol folder both policies and script folder should be present.

It also seems to be dns misconfig issue,necessary port not for AD communication as you are getting event id 1311.Portquery is free tool from the MS which can be downloaded and installed to verify the necessary ports are opened or not.
Also, disable local windows firewall service, by default it is enabled in vista/windows 2008 and above. Check the network connectivity and latency.
 Disable Windows Firewall:http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx
Active Directory and Active Directory Domain Services Port Requirements.
Ensure the following dns setting on DC:
 1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
 2. Each DC has just one IP address and single network adapter is enabled.
 3. Contact your ISP and get valid DNS IPs from them and add it in to the forwarders, Do not set public DNS server in TCP/IP setting of DC.
 4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", restart DNS and NETLOGON service each DC.
 Do not put private DNS IP addresses in forwarder list.
 5.Assigning static IP address to DC if IP address is assigned by DHCP server to DC.It is strongly not recommended
Troubleshooting Event ID 1311: Knowledge Consistency Checker:
Event ID 1566 — Network Name Resource Availability:
Event ID 1865 — KCC Replication Path Computation:

To fix the netlogon share missing.From the Log it is clear that netlogon/ sysvol share are not available.This indicates that c:\windows\sysvol\domain.com folder might be empty.If this is the case the policies and script folder might be missing from the above path.

If multiple DC are present in the network you need to do authorative and non authortive restore of sysvol.You have to do non-authorative(D2) on faulty server(Server2) were netlogon share is missing and authorative restore on healthy DC(D4) assuming you have only two DC.Essentially the "http://support.microsoft.com/kb/290762/" article.

Also configure authorative time server role on PDC role holder server.http://support.microsoft.com/kb/816042
Can you post the following to further help us diagnose this?
•Unedited ipconfig /all from each DC
•A PortQry result- (just post any "FILTERED" or "NOT LISTENING" in the results)
 •Dcdiag /q and repadmin /replsum output

Hope this helps

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
joe_edmondAuthor Commented:
Here are the results I got from Server 3 (Remote Site). You are correct that there are no SYSVOL or NETLOGON shares
joe_edmondAuthor Commented:
I'm confused, why would I need to do restores? It looks like maybe the site topology is having issues connecting to the other side?

After seeing the results is a restore from Both sides still necessary?
SandeshdubeySenior Server EngineerCommented:
From the above you have set loopback ip address as primary,If  loopback IP address ( is configured as primary dns setting then remove the same and add IP address of Server.If it is set as alternate DNS setting then no problems.See this:http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx

As mentioned earlier there is sysvol replication.Have you verified netlogon share and sysvol content if policies and script folder is missing you need to perfrom authorative and non authorative restore of sysvol.On helath DC it should be D4 and on faulty DC it should be D2."http://support.microsoft.com/kb/290762/"
joe_edmondAuthor Commented:
What is D4 and D2 mean? Doesn't the SYSVOL folder just copy over if replication is successful? This is a brand new Domain Controller just implemented.

I can set the Primary DNS to it's real IP address and will do it now.
joe_edmondAuthor Commented:
Ok, the IP's are changed.

I understand what D2 and D4 are now. MY question was this was a new DC implementation, and apparently, SYSVOL and NETLOGON never got copied over when DCPromo was ran from the server 2012 console.

So wouldn't a restore not work in this situation if it never replicated to begin with?
SandeshdubeySenior Server EngineerCommented:
Yes,if the sysvol data is not replicated to new DC running d2 on new server will pull sysvol data from old server.As you have only two DC on old server run d4 and on new server were share and sysvol data is missing run d2.
joe_edmondAuthor Commented:
Solution has been fixed. Thanks to both of you for the help! I successfully did the restores on both servers, and all errors seem to go away with the exception of the NTP.

I noticed NTP was not configured on my original DC. I configured it, started the Windows Time service, then went to Remote Site DC (Server3) and did the following:

net stop w32time

w32tm /unregister

w32tm /register

net start w32time

I performed another DCDiag just to be safe, and now the only error I get is Server 3 is not advertised as a network time server (which is what is actually correct?)
joe_edmondAuthor Commented:
Deleted Comment
joe_edmondAuthor Commented:
Explaining to users how to reset the time server after you configure the NTP Service on the domain controller.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.