Solved

Windows 2003 Active Directory Replica "Too Old" to replicate

Posted on 2014-03-14
10
431 Views
Last Modified: 2014-03-15
Hi there -- we have 3 Active Directory Controllers at a site.  One of them was off for a long time and we are trying to bring it back online and replicate the AD -- but it is giving an error that the replica is too old to replicate.  I couldn't find anything directly related to this issue online...

How can I remedy this?

Thanks in advance!
0
Comment
Question by:ParadiseITS
  • 5
  • 5
10 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39929648
You can demote that box fun a metadata cleanup and then promote it again.

Are all your boxes 2003 and does that box hold any FSMO roles.

Note it will be a forceful demtion.  dcpromo /forceremoval.

Thanks

Mike
0
 
LVL 9

Author Comment

by:ParadiseITS
ID: 39929662
OK, great -- is there a specific way to do the metadata cleanup that you suggest?

I'm not sure about FSMO, I'll have to look.
0
 
LVL 9

Author Comment

by:ParadiseITS
ID: 39930051
I have verified that the server in question has the RID master FSMO roles -- when I bring up the Operations Masters dialog in ADUC the Operations Master says "Error".

So I've gathered that the best thing to do is to disconnect it, do a demotion with /forceremoval, run the metadata cleanup in NTDSUtil and then rejoin?

My question is -- what happens to the RID master role when I do this?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 39930070
are your other DCs 2008 or 2003...metadata can be done differently on 2008 that is why I'm asking.

You will have to seize that FSMO role  http://www.petri.co.il/seizing_fsmo_roles.htm

Just the RID master for you.

Thanks

Mike
0
 
LVL 9

Author Comment

by:ParadiseITS
ID: 39930078
Mike -- they are all 2003 servers.  And I read that article before I responded, and what concerns me about that is the idea that "the server can never come back online" -- we want to use this as a replica backup, so we want it online.

Will that work?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39930230
what do you mean replica backup?   It can still be a dc again but you would have to repromote it after.
0
 
LVL 9

Author Comment

by:ParadiseITS
ID: 39930273
We don't want it to have any FSMO roles, just to sit on the network and pitch in when needed.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 39930283
so you want it to be a DC still

SO

1.  dcpromo forceremoval  http://kpytko.pl/2011/08/30/decommissioning-broken-domain-controller/
2.  metadata cleanup  http://kpytko.pl/2011/08/29/metadata-cleanup-for-broken-domain-controller/

3. Seize the role that was on the broken box   http://kpytko.pl/2011/08/28/seizing-fsmo-roles/

Once everything replicates you can add the box back and promote.

Thanks


Mike
0
 
LVL 9

Author Closing Comment

by:ParadiseITS
ID: 39931302
Great - thank you!
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39931306
No problem, glad to help
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question