asked on
DFSRMIG migration state inconsistent
Setup
5 2008 R2 Domain Controllers across 4 sites
Functional Level 2008 R2
All Global Catalog Servers
I recently had one DC die and had to seize the FSMO roles on another DC then build a new DC to replace the failed one. The new DC has a new name and IP address assigned. Running dcdiag I can confirm that replication is working across all 5 DC's except for one error on the new DC
Starting test: VerifyReferences
Some objects relating to the DC DC3 have problems:
[1] Problem: Missing Expected Value
Base Object:
CN=C3,OU=Domain Controllers,DC=domain,DC=c
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... DC3 failed test VerifyReferences
The article referenced does not apply as the domain was built at 2008 R2 level and DFRS has been in place as far as I know since the beginning (I started with the company after this was in place). No other DC's provide this error. I began digging deeper and upon checking the DFSR Migration state found that DC3 is not in sync. Here are the results from some dfsrmig commands
C:\Windows\system32>dfsrmi
Current DFSR global state: 'Eliminated'
Succeeded.
C:\Windows\system32>dfsrmi
The following Domain Controllers are not in sync with Global state ('Eliminated'):
Domain Controller (Local Migration State) - DC Type
==========================
dc3 ('Start') - Writable DC
Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.
C:\Windows\system32>repadm
Replication Summary Start Time: 2015-04-01 10:10:41
Beginning data collection for replication summary, this may take awhile:
........
Source DSA largest delta fails/total %% error
dcremoteofc2 06m:43s 0 / 5 0
dcremoteofc1 14m:30s 0 / 5 0
dc1 21m:43s 0 / 10 0
dc2 14m:30s 0 / 15 0
dc3 06m:41s 0 / 5 0
Destination DSA largest delta fails/total %% error
dcremoteofc1 13m:57s 0 / 5 0
dcremoteofc2 04m:25s 0 / 5 0
dc1 14m:31s 0 / 10 0
dc2 21m:45s 0 / 15 0
dc3 03m:38s 0 / 5 0
I found this excellent write up which describes how to migrate
http://blogs.technet.com/b/filecab/archive/2008/02/08/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process.aspx
but as I said earlier this is not a migration. DC3 was built to replace a failed dc. DC3 has been in place for about a month now. Has anyone seen this before? Would it be safe to modify the registry key of DC3 to which controls this to '3' which is "Eliminated" state? Should I start the migration process over from the FSMO role holder?
In addition I do not have a share of 'sysvol_DFRS' but only 'sysvol' exists.
I have also attempted to force this by issuing
repadmin/syncall /aed
5 2008 R2 Domain Controllers across 4 sites
Functional Level 2008 R2
All Global Catalog Servers
I recently had one DC die and had to seize the FSMO roles on another DC then build a new DC to replace the failed one. The new DC has a new name and IP address assigned. Running dcdiag I can confirm that replication is working across all 5 DC's except for one error on the new DC
Starting test: VerifyReferences
Some objects relating to the DC DC3 have problems:
[1] Problem: Missing Expected Value
Base Object:
CN=C3,OU=Domain Controllers,DC=domain,DC=c
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... DC3 failed test VerifyReferences
The article referenced does not apply as the domain was built at 2008 R2 level and DFRS has been in place as far as I know since the beginning (I started with the company after this was in place). No other DC's provide this error. I began digging deeper and upon checking the DFSR Migration state found that DC3 is not in sync. Here are the results from some dfsrmig commands
C:\Windows\system32>dfsrmi
Current DFSR global state: 'Eliminated'
Succeeded.
C:\Windows\system32>dfsrmi
The following Domain Controllers are not in sync with Global state ('Eliminated'):
Domain Controller (Local Migration State) - DC Type
==========================
dc3 ('Start') - Writable DC
Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.
C:\Windows\system32>repadm
Replication Summary Start Time: 2015-04-01 10:10:41
Beginning data collection for replication summary, this may take awhile:
........
Source DSA largest delta fails/total %% error
dcremoteofc2 06m:43s 0 / 5 0
dcremoteofc1 14m:30s 0 / 5 0
dc1 21m:43s 0 / 10 0
dc2 14m:30s 0 / 15 0
dc3 06m:41s 0 / 5 0
Destination DSA largest delta fails/total %% error
dcremoteofc1 13m:57s 0 / 5 0
dcremoteofc2 04m:25s 0 / 5 0
dc1 14m:31s 0 / 10 0
dc2 21m:45s 0 / 15 0
dc3 03m:38s 0 / 5 0
I found this excellent write up which describes how to migrate
http://blogs.technet.com/b/filecab/archive/2008/02/08/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process.aspx
but as I said earlier this is not a migration. DC3 was built to replace a failed dc. DC3 has been in place for about a month now. Has anyone seen this before? Would it be safe to modify the registry key of DC3 to which controls this to '3' which is "Eliminated" state? Should I start the migration process over from the FSMO role holder?
In addition I do not have a share of 'sysvol_DFRS' but only 'sysvol' exists.
I have also attempted to force this by issuing
repadmin/syncall /aed
Active DirectoryWindows Server 2008
Last Comment
Snagajob IT
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
This DC is located at our remote data center with our Exchange server. Would it be better to build a new DC at that location before forcing removal of the out of sync one? I think Exchange would perform slowly having to perform topology look up across a VPN to a remote DC. I don't recall any errors during DC promotion and sysvol replication is working along with AD replication. I'll do some further research. Thanks for the reply.
ASKER
when running the command
repladmin /showrepl servername
against any of the DC's from DC3 I get results that show successful. I am trying to avoid a forceful demotion and metadata cleanup for the second time in a month.
repladmin /showrepl servername
against any of the DC's from DC3 I get results that show successful. I am trying to avoid a forceful demotion and metadata cleanup for the second time in a month.
The problem here is dfsrmig not showing you "Eliminated" state which means there is some problem with that particular DC
Unless you get "Eliminated" state that DC will not work correctly
Unfortunately I don't see any way other than decommission DC and promote it with new name
Have you checked that AD ports are opened as appropriate between local and remote site?
Check with PortQueryUI tool
Also install DFSR tools from windows server features on DC and check DFSR status there
Unless you get "Eliminated" state that DC will not work correctly
Unfortunately I don't see any way other than decommission DC and promote it with new name
Have you checked that AD ports are opened as appropriate between local and remote site?
Check with PortQueryUI tool
Also install DFSR tools from windows server features on DC and check DFSR status there
ASKER
I have disabled the Windows firewall for testing purposes with the same result.
I have also installed the DFSR tools and there are no reported errors from the servers I have checked on. Based on the lack of community feedback and the rarity of the issue I will proceed to decommission the current server and setup a new one.
I have also installed the DFSR tools and there are no reported errors from the servers I have checked on. Based on the lack of community feedback and the rarity of the issue I will proceed to decommission the current server and setup a new one.
ASKER
I built a new DC with a different name and forcefully removed the one that was not in sync. DFSRMIG is now showing all DC's are in global state 'eliminate', no errors with DCDIAG or REAPADMIN.