Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


AD Repication Problem

Posted on 2013-12-27
Medium Priority
Last Modified: 2014-03-13
I have this timimg and Dns issue  issue for AD diagnostic

omain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine nlpcpfa-dc1, is a DC.
   * Connecting to directory service on server nlpcpfa-dc1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 2 of them.
   Done gathering initial info.

Doing initial required tests
   Testing server: nlpcpfa\NLPCPFA-DC2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         [NLPCPFA-DC2] LDAP bind failed with error 8341,
         A directory service error has occurred..
         The clock difference between the home server NLPCPFA-DC1 and target

         server NLPCPFA-DC2 is greater than one minute. This may cause Kerberos

         authentication failures. Please check that the time service is working

         properly. You may need to resynchonize the time between these servers.

         ......................... NLPCPFA-DC2 failed test Connectivity
   Testing server: nlpcpfa\NLPCPFA-DC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... NLPCPFA-DC1 passed test Connectivity

AND Also
Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               nlpcpfa-dc2                  PASS FAIL n/a  n/a  n/a  n/a  n/a  
               nlpcpfa-dc1                  PASS PASS FAIL PASS PASS PASS n/a
Question by:zugulu
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 2
  • +2
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39741404
Not sure why this is posted under Exchange. This is an Active Directory issue. Seems like you need to synchronize the time between your two domain controllers.
LVL 37

Expert Comment

ID: 39741529
On DC2 run below command in elevated command prompt:

net time \\DC1_hostname /set /y

This will sync dc2 time with dc1 and then you can replicate between them

On DC1, just check below article and ensure that time synchronization is appropriate across domain

LVL 16

Expert Comment

by:Joseph Nyaema
ID: 39741563
The error given indicates that the time difference between the two servers is greater than one minute. Make sure that NLPCPFA-DC2 is in the same time zone and that the time is the same.

For the DNS error, make sure IP version 6 is enabled and that the firewall is disabled then run dcpromo again.

I am assuming sever 2008.
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.


Author Comment

ID: 39741576
they are both win server 2003
LVL 16

Expert Comment

by:Joseph Nyaema
ID: 39741638
Have you made the necessary changes and dcpromo again. If still issue, please give errors and warnings in event viewer. And what done so far.

Author Comment

ID: 39741735
I have ran
2. the Event Error from DC2(With Replication Error) is given below :
Event viewer

Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x800706ba).  The RPC server is unavailable.
Directory Service
t has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two machine's views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted.
Time of last successful replication:
2012-11-26 09:43:30
Invocation ID of source:
Name of source:
Tombstone lifetime (days):
The replication operation has failed.
User Action:
Determine which of the two machines was disconnected from the forest and is now out of date. You have three options:
1. Demote or reinstall the machine(s) that were disconnected.
2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced. You can continue replication by using the following registry key. Once the systems replicate once, it is recommended that you remove the key to reinstate the protection.
 Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner

For more information, see Help and Support Center at


i.The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

2.The DNS server received a bad TCP-based DNS message from  The packet was rejected or ignored. The event data contains the DNS packet.

>>File Replication

he File Replication Service is having trouble enabling replication from NLPCPFA-DC1 to NLPCPFA-DC2 for c:\windows\sysvol\domain using the DNS name FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 [1] FRS can not correctly resolve the DNS name from this computer.
 [2] FRS is not running on
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at
LVL 37

Expert Comment

ID: 39742508
The DC2 is not replicated with DC1 since last one year

You need to demote this DC forcefully with dcpromo /forceremoval switch and also need to clean-up server metadata from active directory

Once that done you can promote server again to DC

LVL 12

Expert Comment

by:Md. Mojahid
ID: 39743256

Author Comment

ID: 39923622
i am trying to promote the server back as  DC2 using the configure your  wizard but it came back with an error that the server already exit. On checking the DC1 i found out that the DC is still listed under Domain Controllers in Active Directory; attempt to 'physically' delete the server (DC2) failed. The failure reports are attached.
LVL 37

Expert Comment

ID: 39924174
Have you already removed \ demoted server DC2 from domain ?

You need to select last option in wizard (This domain controller is permanently offline) if you want to use wizard


You can use dcpromo /forceremoval, then you must clear DC2 metadata with ntdsutil

The steps are already outlined in my earlier comment articles

Once you removed metadata and clear all old records , then you can promote it again to ADC


Author Comment

ID: 39924460
Yes, I have done that.. but it appears no smooth. i am getting this error while using  the wizard to promo the DC2 back

The operation failed because:

The attempt to join this computer to the domain failed.

"The specified user already exists."
LVL 37

Accepted Solution

Mahesh earned 1000 total points
ID: 39925666
There is a computer account with the same name as the computer on which you are attempting to install Active Directory Domain Services.

Please follow below article and mentioned resolution to resolve your issue


Author Closing Comment

ID: 39927214
I finally reset the system and delete  from Domain Controller container. Thereafter  use the Wizard to promote the second server to domain controller.

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question