AD Repication Problem

Posted on 2013-12-27
Medium Priority
Last Modified: 2014-03-13
I have this timimg and Dns issue  issue for AD diagnostic

omain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine nlpcpfa-dc1, is a DC.
   * Connecting to directory service on server nlpcpfa-dc1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 2 of them.
   Done gathering initial info.

Doing initial required tests
   Testing server: nlpcpfa\NLPCPFA-DC2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         [NLPCPFA-DC2] LDAP bind failed with error 8341,
         A directory service error has occurred..
         The clock difference between the home server NLPCPFA-DC1 and target

         server NLPCPFA-DC2 is greater than one minute. This may cause Kerberos

         authentication failures. Please check that the time service is working

         properly. You may need to resynchonize the time between these servers.

         ......................... NLPCPFA-DC2 failed test Connectivity
   Testing server: nlpcpfa\NLPCPFA-DC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... NLPCPFA-DC1 passed test Connectivity

AND Also
Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext  
            Domain: nlpcpfa.com
               nlpcpfa-dc2                  PASS FAIL n/a  n/a  n/a  n/a  n/a  
               nlpcpfa-dc1                  PASS PASS FAIL PASS PASS PASS n/a
Question by:zugulu
  • 5
  • 4
  • 2
  • +2
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39741404
Not sure why this is posted under Exchange. This is an Active Directory issue. Seems like you need to synchronize the time between your two domain controllers.
LVL 39

Expert Comment

ID: 39741529
On DC2 run below command in elevated command prompt:

net time \\DC1_hostname /set /y

This will sync dc2 time with dc1 and then you can replicate between them

On DC1, just check below article and ensure that time synchronization is appropriate across domain

LVL 16

Expert Comment

by:Joseph Nyaema
ID: 39741563
The error given indicates that the time difference between the two servers is greater than one minute. Make sure that NLPCPFA-DC2 is in the same time zone and that the time is the same.

For the DNS error, make sure IP version 6 is enabled and that the firewall is disabled then run dcpromo again.

I am assuming sever 2008.
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.


Author Comment

ID: 39741576
they are both win server 2003
LVL 16

Expert Comment

by:Joseph Nyaema
ID: 39741638
Have you made the necessary changes and dcpromo again. If still issue, please give errors and warnings in event viewer. And what done so far.

Author Comment

ID: 39741735
I have ran
2. the Event Error from DC2(With Replication Error) is given below :
Event viewer

Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x800706ba).  The RPC server is unavailable.
Directory Service
t has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two machine's views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted.
Time of last successful replication:
2012-11-26 09:43:30
Invocation ID of source:
Name of source:
Tombstone lifetime (days):
The replication operation has failed.
User Action:
Determine which of the two machines was disconnected from the forest and is now out of date. You have three options:
1. Demote or reinstall the machine(s) that were disconnected.
2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced. You can continue replication by using the following registry key. Once the systems replicate once, it is recommended that you remove the key to reinstate the protection.
 Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner

For more information, see Help and Support Center at


i.The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

2.The DNS server received a bad TCP-based DNS message from  The packet was rejected or ignored. The event data contains the DNS packet.

>>File Replication

he File Replication Service is having trouble enabling replication from NLPCPFA-DC1 to NLPCPFA-DC2 for c:\windows\sysvol\domain using the DNS name nlpcpfa-dc1.nlpcpfa.com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 [1] FRS can not correctly resolve the DNS name nlpcpfa-dc1.nlpcpfa.com from this computer.
 [2] FRS is not running on nlpcpfa-dc1.nlpcpfa.com.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at
LVL 39

Expert Comment

ID: 39742508
The DC2 is not replicated with DC1 since last one year

You need to demote this DC forcefully with dcpromo /forceremoval switch and also need to clean-up server metadata from active directory

Once that done you can promote server again to DC


LVL 12

Expert Comment

by:Md. Mojahid
ID: 39743256

Author Comment

ID: 39923622
i am trying to promote the server back as  DC2 using the configure your  wizard but it came back with an error that the server already exit. On checking the DC1 i found out that the DC is still listed under Domain Controllers in Active Directory; attempt to 'physically' delete the server (DC2) failed. The failure reports are attached.
LVL 39

Expert Comment

ID: 39924174
Have you already removed \ demoted server DC2 from domain ?

You need to select last option in wizard (This domain controller is permanently offline) if you want to use wizard


You can use dcpromo /forceremoval, then you must clear DC2 metadata with ntdsutil

The steps are already outlined in my earlier comment articles

Once you removed metadata and clear all old records , then you can promote it again to ADC


Author Comment

ID: 39924460
Yes, I have done that.. but it appears no smooth. i am getting this error while using  the wizard to promo the DC2 back

The operation failed because:

The attempt to join this computer to the nlpcpfa.com domain failed.

"The specified user already exists."
LVL 39

Accepted Solution

Mahesh earned 1000 total points
ID: 39925666
There is a computer account with the same name as the computer on which you are attempting to install Active Directory Domain Services.

Please follow below article and mentioned resolution to resolve your issue


Author Closing Comment

ID: 39927214
I finally reset the system and delete  from Domain Controller container. Thereafter  use the Wizard to promote the second server to domain controller.

Featured Post

Take Control of Web Hosting For Your Clients

As a web developer or IT admin, successfully managing multiple client accounts can be challenging. In this webinar we will look at the tools provided by Media Temple and Plesk to make managing your clients’ hosting easier.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Native ability to set a user account password via AD GPO was removed because the passwords can be easily decrypted by any authenticated user in the domain. Microsoft recommends LAPS as a replacement and I have written an article that does something …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question