Solved

DC replication fails with event ID 1864 & 1988

Posted on 2014-03-17
Last Modified: 2014-03-23
Hi Experts,

DC1: W2003 with FSMO roles (192.168.2.5)
DC2: W2008Ent, recently moved from Hyper-V to ESXi (192.168.2.31)

After I moved the DC2 VM from Hyper-V to ESXi, I started to get event ID 1864 & 1988 errors related to DC replication.
I did move FSMO from DC2 to DC1, as I thought DC2 could be down for a while. In the end it was only about 6 hours of downtime.

Initially I had 5 event ID 1864 errors (DC, configuration, schema, DomainDnsZones, and ForestDnsZones) on DC2.
But after I ran
"repadmin /options DC2 -DISABLE_OUTBOUND_REPL" and "repadmin /options DC2 -DISABLE_INBOUND_REPL"
the errors disappeared, with the dcdiag result below.

=====================================================
Directory Server Diagnosis

Performing initial setup:

   Trying to find home server...

   Home Server = DC2

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Wellington\DC2

      Starting test: Connectivity

         ......................... DC2 passed test Connectivity



Doing primary tests

   
   Testing server: Wellington\DC2

      Starting test: Advertising

         ......................... DC2 passed test Advertising

      Starting test: FrsEvent

         ......................... DC2 passed test FrsEvent

      Starting test: DFSREvent

         ......................... DC2 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC2 passed test SysVolCheck

      Starting test: KccEvent

         ......................... DC2 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC2 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC2 passed test MachineAccount

      Starting test: NCSecDesc

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=xxxxx,DC=xxx,DC=org,DC=nz
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=xxxxx,DC=xxx,DC=org,DC=nz
         ......................... DC2 failed test NCSecDesc

      Starting test: NetLogons

         ......................... DC2 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC2 passed test ObjectsReplicated

      Starting test: Replications

         ......................... DC2 passed test Replications

      Starting test: RidManager

         ......................... DC2 passed test RidManager

      Starting test: Services

         ......................... DC2 passed test Services

      Starting test: SystemLog

         ......................... DC2 passed test SystemLog

      Starting test: VerifyReferences

         ......................... DC2 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : mpsad

      Starting test: CheckSDRefDom

         ......................... mpsad passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... mpsad passed test CrossRefValidation

   
   Running enterprise tests on : xxxxx.xxx.org.nz

      Starting test: LocatorCheck

         ......................... xxxxx.xxx.org.nz passed test LocatorCheck

      Starting test: Intersite

         ......................... xxxxx.xxx.org.nz passed test Intersite
=====================================================

On DC1, there were 5 event ID 1864 errors before the fix on DC2, but now there are 2: event ID 1988 & 1864.

How can I solve these errors?

Cheers,
Yasuyasu
1864-on-DC1.txt
1988-on-DC1.txt
repadmin-showreps-on-DC1.txt
Question by:YasuYasu
Accepted Solution

by:
Santosh Gupta earned 500 total points
ID: 39933836
Hi,

1. It seems you had a domain controller with IP 192.168.2.108 and it still exists in the database. Please run metadata cleanup for the 108 DC.

2. Make sure you have no more records for the 108 DC in DNS, ADUC and Site & Services.

3. Enable Loose Replication Consistency

To enable Loose Replication Consistency, follow these steps on the 2003 domain controller that reports the error messages.

   1. Locate and click the following registry key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
   2. Click Add Value on the Edit menu.
   3. Add the following value:
      Value Name: Strict Replication Consistency
      Data type: REG_DWORD
      Value data: If the value is 1, change it to 0

4. Run DCDIAG /V

Author Comment

by:YasuYasu
ID: 39936277
Hi Santosh,

Thanks for your advice. I have followed your steps, but there is a new error, event 1388, attached. It looks like I still have a 192.168.2.108 domain controller.

I ran "repadmin /removelingeringobjects DC2 DC1_object_GUID DC=xxxxx,DC=xxx,DC=org,DC=nz". Is this correct?

Cheers,
Yasu
1388-on-DC1.txt
dcdiag-V-result.txt

Expert Comment

by:Santosh Gupta
ID: 39937096
Hi,

Yes, you are right, it needs to be removed. Please go through the links and remove the 108 DC from everywhere.
http://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx
http://mcpmag.com/articles/2006/05/30/cleaning-up-after-ad.aspx?admgarea=BDNA

After all this, if you see the same event, then please make sure that server 108 has been removed from all these locations.

1. ADUC
2. DNS
3. Site and Services
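
The checks discussed in this thread, as an added PowerShell example that is not from either poster: it reads the Strict Replication Consistency value and counts events 1864, 1988 and 1388 on both DCs without changing anything, then runs the lingering-object removal from the author's comment in advisory mode. It assumes Windows PowerShell 2.0 or later on DC2, repadmin on the PATH, and remote registry and event log access to both DCs; the GUID is a placeholder and the naming context is redacted as in the thread.

```powershell
# Added example: read-only checks; nothing is changed on either DC.
# Assumptions: run on DC2, repadmin.exe on the PATH, Remote Registry and
# remote event log access to both DCs.
$dcs       = 'DC1', 'DC2'                      # names from this thread
$eventIds  = 1864, 1988, 1388                  # event IDs reported in this thread
$ntdsKey   = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Strict Replication Consistency'
$since     = (Get-Date).AddDays(-7)            # constructed look-back window

$report = foreach ($dc in $dcs) {
    # 1 = strict: a lingering object blocks inbound replication (event 1988)
    # 0 = loose:  the lingering object is replicated in (event 1388)
    $strict = 'unreadable'
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
        $key  = $hklm.OpenSubKey($ntdsKey)
        if ($key) {
            $strict = $key.GetValue($valueName)
            if ($null -eq $strict) { $strict = 'not set' }
        }
        $hklm.Close()
    } catch {
        Write-Warning "$dc registry: $($_.Exception.Message)"
    }

    # Directory Service log entries matching the thread's event IDs
    $hits = @(Get-EventLog -LogName 'Directory Service' -ComputerName $dc `
                  -After $since -ErrorAction SilentlyContinue |
              Where-Object { $eventIds -contains $_.EventID })

    New-Object PSObject -Property @{
        DC                           = $dc
        StrictReplicationConsistency = $strict
        Events = ($hits | Group-Object EventID |
                  ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
    }
}
$report | Format-Table DC, StrictReplicationConsistency, Events -AutoSize

# Dry run of the command from the author's comment: /advisory_mode only logs
# which objects would be removed. Both values below must be filled in.
$sourceDsaGuid = '<DC1-DSA-object-GUID>'          # placeholder; see repadmin /showrepl DC1
$namingContext = 'DC=xxxxx,DC=xxx,DC=org,DC=nz'   # redacted in the thread
if ($sourceDsaGuid -notmatch '^<') {
    repadmin /removelingeringobjects DC2 $sourceDsaGuid $namingContext /advisory_mode
}
```

The advisory-mode results are written to the Directory Service event log on the destination DC; rerun without `/advisory_mode` only after reviewing them.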
 

Author Closing Comment

by:YasuYasu
ID: 39949083
Hi Santosh,

Thanks for your reply. After I had an error, I retried this again and the errors disappeared. DCDIAG doesn't have errors either.

Thank you!
YasuYasu