Solved

AD Replication Problem

Posted on 2013-12-27
533 Views
Last Modified: 2014-03-13
I have this timing and DNS issue for the AD diagnostic:


Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine nlpcpfa-dc1, is a DC.
   * Connecting to directory service on server nlpcpfa-dc1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 2 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: nlpcpfa\NLPCPFA-DC2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         [NLPCPFA-DC2] LDAP bind failed with error 8341,
         A directory service error has occurred..
         The clock difference between the home server NLPCPFA-DC1 and target
         server NLPCPFA-DC2 is greater than one minute. This may cause Kerberos
         authentication failures. Please check that the time service is working
         properly. You may need to resynchonize the time between these servers.
         ......................... NLPCPFA-DC2 failed test Connectivity
   
   Testing server: nlpcpfa\NLPCPFA-DC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... NLPCPFA-DC1 passed test Connectivity


And also:
Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: nlpcpfa.com
               nlpcpfa-dc2                  PASS FAIL n/a  n/a  n/a  n/a  n/a  
               nlpcpfa-dc1                  PASS PASS FAIL PASS PASS PASS n/a
Question by: zugulu

14 Comments
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39741404
Not sure why this is posted under Exchange. This is an Active Directory issue. Seems like you need to synchronize the time between your two domain controllers.
LVL 35

Expert Comment

by:Mahesh
ID: 39741529
On DC2, run the command below in an elevated command prompt:

net time \\DC1_hostname /set /y

This will sync DC2's time with DC1, and then you can replicate between them.

On DC1, check the article below and ensure that time synchronization is appropriate across the domain:
http://support.microsoft.com/kb/816042

Mahesh
LVL 16

Expert Comment

by:Nyaema
ID: 39741563
The error given indicates that the time difference between the two servers is greater than one minute. Make sure that NLPCPFA-DC2 is in the same time zone and that the time is the same.

For the DNS error, make sure IP version 6 is enabled and that the firewall is disabled then run dcpromo again.

I am assuming Server 2008.

Author Comment

by:zugulu
ID: 39741576
They are both Windows Server 2003.
LVL 16

Expert Comment

by:Nyaema
ID: 39741638
Have you made the necessary changes and run dcpromo again? If there is still an issue, please give the errors and warnings in Event Viewer, and what has been done so far.

Author Comment

by:zugulu
ID: 39741735
I have run:
1. NET TIME \\TIMESRV /SET /YES
2. The event errors from DC2 (with the replication error) are given below:
Event viewer

>>Application
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x800706ba).  The RPC server is unavailable.
Directory Service
It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two machine's views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted.
Time of last successful replication:
2012-11-26 09:43:30
Invocation ID of source:
03cdf6c8-f6b8-03cd-0100-000000000000
Name of source:
ee90ff2e-5950-492a-b1ef-1c2dfe0cd56d._msdcs.nlpcpfa.com
Tombstone lifetime (days):
60
 
The replication operation has failed.
 
User Action:
 
Determine which of the two machines was disconnected from the forest and is now out of date. You have three options:
 
1. Demote or reinstall the machine(s) that were disconnected.
2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced. You can continue replication by using the following registry key. Once the systems replicate once, it is recommended that you remove the key to reinstate the protection.
 Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner


For more information, see Help and Support Center at

DNS

1. The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

2.The DNS server received a bad TCP-based DNS message from 172.31.28.5.  The packet was rejected or ignored. The event data contains the DNS packet.

>>File Replication

The File Replication Service is having trouble enabling replication from NLPCPFA-DC1 to NLPCPFA-DC2 for c:\windows\sysvol\domain using the DNS name nlpcpfa-dc1.nlpcpfa.com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name nlpcpfa-dc1.nlpcpfa.com from this computer.
 [2] FRS is not running on nlpcpfa-dc1.nlpcpfa.com.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at
LVL 35

Expert Comment

by:Mahesh
ID: 39742508
DC2 has not replicated with DC1 for the last year.

You need to demote this DC forcefully with the dcpromo /forceremoval switch, and also clean up the server metadata from Active Directory.

Once that is done you can promote the server again to a DC.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
http://social.technet.microsoft.com/Forums/windowsserver/en-US/ff531e4f-4034-4770-bf0a-46c854884724/repromote-dc-with-same-name-after-dcpromo-forceremoval

Mahesh
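As an added example (not code from the thread), a Python triage helper that parses the dcdiag connectivity output, the DNS summary table and the Directory Service event quoted above, and decides whether a time resync is enough or, as Mahesh concludes, the tombstone lifetime has been exceeded and DC2 must be demoted and its metadata cleaned up. The excerpts are constructed from the thread; the reference date 2013-12-27 (the posting date) is an assumption standing in for the event's own timestamp, which the post does not show.

```python
import re
from datetime import datetime
# Constructed excerpts of the dcdiag output and the Directory Service event quoted in the thread.
DCDIAG = """\
         The clock difference between the home server NLPCPFA-DC1 and target
         server NLPCPFA-DC2 is greater than one minute. This may cause Kerberos
         ......................... NLPCPFA-DC2 failed test Connectivity
         ......................... NLPCPFA-DC1 passed test Connectivity
"""
DNS_SUMMARY = """\
                                            Auth Basc Forw Del  Dyn  RReg Ext
               nlpcpfa-dc2                  PASS FAIL n/a  n/a  n/a  n/a  n/a
               nlpcpfa-dc1                  PASS PASS FAIL PASS PASS PASS n/a
"""
EVENT = "Time of last successful replication:\n2012-11-26 09:43:30\nTombstone lifetime (days):\n60\n"

def failed_tests(text):
    """Map server -> set of dcdiag tests reported on a '... failed test X' line."""
    out = {}
    for server, test in re.findall(r"\.{5,}\s+(\S+) failed test (\w+)", text):
        out.setdefault(server, set()).add(test)
    return out

def clock_skew_pairs(text):
    """(home, target) pairs that dcdiag reports as more than one minute apart."""
    return re.findall(r"home server (\S+) and target\s+server (\S+) is greater than one minute", text)

def dns_failures(text):
    """Map server -> DNS sub-tests marked FAIL; the first line of the table is the column header."""
    lines = text.splitlines()
    cols = lines[0].split()
    out = {}
    for parts in (line.split() for line in lines[1:]):
        if len(parts) == len(cols) + 1:  # skips 'Domain:' rows and blank lines
            out[parts[0]] = [c for c, r in zip(cols, parts[1:]) if r == "FAIL"]
    return out

def tombstone_status(event_text, now):
    """Return (days since last successful replication, tombstone lifetime, exceeded?)."""
    last = re.search(r"last successful replication:\s*(\S+ \S+)", event_text).group(1)
    lifetime = int(re.search(r"Tombstone lifetime \(days\):\s*(\d+)", event_text).group(1))
    days = (now - datetime.strptime(last, "%Y-%m-%d %H:%M:%S")).days
    return days, lifetime, days > lifetime

def recommend(event_text, now):
    """Past the tombstone lifetime the partner may hold lingering objects, so fixing the clock
    is not enough: the event's option 1 (demote, clean metadata, re-promote) applies."""
    exceeded = tombstone_status(event_text, now)[2]
    return "demote_and_clean_metadata" if exceeded else "resync_time_then_replicate"
```

With the thread's figures, DC2 is 395 days behind against a 60-day tombstone lifetime, so the helper returns the demote path rather than the divergent-partner registry key the event offers as option 3.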
LVL 12

Expert Comment

by:Md. Mojahid
ID: 39743256

Author Comment

by:zugulu
ID: 39923622
I am trying to promote the server back as DC2 using the configure your wizard, but it came back with an error that the server already exists. On checking DC1 I found out that the DC is still listed under Domain Controllers in Active Directory; an attempt to 'physically' delete the server (DC2) failed. The failure reports are attached.
ErrorII.bmp
Error.bmp
DC2-AD-Promotion-Error.png
LVL 35

Expert Comment

by:Mahesh
ID: 39924174
Have you already removed / demoted server DC2 from the domain?

You need to select the last option in the wizard (This domain controller is permanently offline) if you want to use the wizard.

OR

You can use dcpromo /forceremoval, then you must clear the DC2 metadata with ntdsutil.

The steps are already outlined in the articles in my earlier comment.

Once you have removed the metadata and cleared all old records, then you can promote it again to an ADC.

Mahesh

Author Comment

by:zugulu
ID: 39924460
Yes, I have done that, but it does not appear to be smooth. I am getting this error while using the wizard to promote DC2 back:

The operation failed because:

The attempt to join this computer to the nlpcpfa.com domain failed.

"The specified user already exists."
LVL 35

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 39925666
There is a computer account with the same name as the computer on which you are attempting to install Active Directory Domain Services.

Please follow the article below and the resolution it mentions to resolve your issue:
http://support.microsoft.com/kb/2000622

Mahesh

Author Closing Comment

by:zugulu
ID: 39927214
I finally reset the system and deleted it from the Domain Controllers container. Thereafter I used the wizard to promote the second server to domain controller.