Help with Warnings and replication issues between Win2008 Domain Controllers?

I've been noticing some Warning logs on Domain Controllers in my AD environment.
Under the Event Viewer > Applications and Services Logs > "File Replication Service", I find there to be many of these types:

Event ID 13508:
The File Replication Service is having trouble enabling replication from DC05 to DC01 for c:\windows\sysvol\domain using the DNS name DC05.cafe.com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name DC05.cafe.com from this computer.
 [2] FRS is not running on DC05.cafe.com.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

Followed by:

Event ID: 13509:
The File Replication Service has enabled replication from DC05 to DC01 for c:\windows\sysvol\domain after repeated retries.


And there are others like that but between other DCs as well.

And then this:

Event ID: 13562:

Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller dc01.cafe.com for FRS replica set configuration information.
 
 The nTDSConnection object cn=032a9a28-d23e-43dc-92ec-08fa47375516,cn=ntds settings,cn=dc01,cn=servers,cn=cafe,cn=sites,cn=configuration,dc=cafenet,dc=com is conflicting with cn=06a14940-4928-4576-ab8e-7b403b92ac76,cn=ntds settings,cn=dc01,cn=servers,cn=cafe,cn=sites,cn=configuration,dc=cafenet,dc=com.
Using cn=032a9a28-d23e-43dc-92ec-08fa47375516,cn=ntds settings,cn=dc01,cn=servers,cn=cafe,cn=sites,cn=configuration,dc=cafenet,dc=com


I'm not sure why this would be happening.
There is only one DC I found that has had some sync issues and with the repadmin /showrepl I had found that it was tombstoned and no longer syncing. That is a "DC04", not mentioned in the above event logs, however, and is not a FSMO.
garryshape Asked:
Will Szymkowski, Senior Solution Architect, Commented:
What you might have to do then is manually run ntdsutil on another DC and forcefully remove the tombstoned DC. Also delete the computer account from the Domain Controllers OU, as well as removing any SRV records from the _msdcs.domain.com zone in DNS.

Once you have done this just power off the DC and/or reformat it.

If it does not hold any of the FSMO roles then you do not need to seize any of the roles either. Once this is removed make sure Sites and Services are creating connections to the DCs that are still in your environment.

If a DC is not working properly you need to remove it. Don't just leave it powered on because you are just going to create more issues when users create accounts/group policies/authenticate etc.

Manually do a metadata cleanup and power off the DC.

Also make sure that you update your DHCP scopes and remove this DC from DNS if it is configured.

Will.
0
 
Mark Bill, Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1, Commented:
Hi,

Can you post output of DCDIAG /ALL command from DC05 please?

M
0
 
garryshape, Author, Commented:
Is that just the main DCDIAG command with all results? Or is /All supposed to be a parameter; I'm not showing that available from the help.
0
Mark Bill, Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1, Commented:
Sorry, just post me the dcdiag command; that will do fine.

I was mixing it up with dcdiag /fixall.
0
 
Will Szymkowski, Senior Solution Architect, Commented:
If you have a tombstoned DC you need to decommission this to stop further issues that you might be encountering in your domain. Use ntdsutil to remove this DC and perform metadata cleanup.

Also what connections are made in AD Sites and Services?

Try and run Check Replication Topology to force the KCC to check replication and re-create connections if necessary.

Will.
0
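
The replication check discussed above (repadmin /showrepl showing a DC that has stopped syncing), as an added example that is not part of the original thread: it parses `repadmin /showrepl * /csv` output and flags links whose last success is older than the tombstone lifetime. The sample rows are constructed, `Get-StaleReplicationLink` is a hypothetical helper name, the 180-day default is an assumed value (read the real one from the `tombstoneLifetime` attribute of `CN=Directory Service,CN=Windows NT,CN=Services` in the configuration partition), and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample in the column layout of `repadmin /showrepl * /csv`.
# On a live system use instead:  $csv = repadmin /showrepl * /csv
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,CAFE,DC01,"DC=cafe,DC=com",CAFE,DC05,RPC,0,0,2015-03-02 10:15:32,0
showrepl_INFO,CAFE,DC01,"DC=cafe,DC=com",CAFE,DC04,RPC,412,2015-03-02 10:14:01,2014-06-11 03:22:47,8614
showrepl_INFO,CAFE,DC05,"CN=Configuration,DC=cafe,DC=com",CAFE,DC01,RPC,3,2015-03-02 09:58:10,2015-03-02 08:40:00,1722
'@

function Get-StaleReplicationLink {
    param(
        [Parameter(Mandatory = $true)][string[]]$CsvLines,
        [int]$TombstoneLifetimeDays = 180,      # assumed value, see lead-in
        [datetime]$AsOf = (Get-Date)            # injectable so results are repeatable
    )
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $style   = [Globalization.DateTimeStyles]::None
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        # Only per-link data rows are evaluated; other row types are skipped.
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') { continue }

        # A link that never replicated has no parseable timestamp.
        $last   = [datetime]::MinValue
        $parsed = [datetime]::TryParseExact($row.'Last Success Time',
                    'yyyy-MM-dd HH:mm:ss', $culture, $style, [ref]$last)
        $days   = if ($parsed) { [int][math]::Floor(($AsOf - $last).TotalDays) } else { $null }

        $verdict = if (-not $parsed) { 'NeverSucceeded' }
        elseif ($days -ge $TombstoneLifetimeDays) { 'PastTombstoneLifetime' }
        elseif ([int]$row.'Number of Failures' -gt 0) { 'Failing' }
        else { 'OK' }

        [pscustomobject]@{
            Destination      = $row.'Destination DSA'
            Source           = $row.'Source DSA'
            NamingContext    = $row.'Naming Context'
            DaysSinceSuccess = $days
            Failures         = [int]$row.'Number of Failures'
            LastStatus       = $row.'Last Failure Status'
            Verdict          = $verdict
        }
    }
}

# Show only the links that need attention, using a fixed date for the sample.
Get-StaleReplicationLink -CsvLines $csv -AsOf ([datetime]'2015-03-02 12:00:00') |
    Where-Object { $_.Verdict -ne 'OK' } | Format-Table -AutoSize
```

A source flagged `PastTombstoneLifetime` is a candidate for the removal and metadata cleanup described in this thread; a `Failing` link that last succeeded recently is a separate problem to troubleshoot.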
 
garryshape, Author, Commented:
Problem with the tombstoned DC is my admin account was created after it tombstoned and while I can remote into the DC, it's giving access denied types of errors, or trying to launch dcpromo.exe won't open it. "C:\Windows\system32\dcpromo.exe - Windows cannot access the specified device, path, or file."
0
 
garryshape, Author, Commented:
Sorry got a duplicate thread going here but technically they are two issues.

I'm reading the "Active Directory" book by O'Reilly, and it says when manually removing a domain controller from Active Directory, if it's not a FSMO, you can simply select the DC within Active Directory Users and Computers MMC and delete it. It says after you do that, the metadata cleanup steps are performed automatically. (Chapter 18: Backup, Recovery and Maintenance).

Only on Windows Server 2003 does it mention having to go into ntdsutil and running commands and stuff.

Is that ok then? So if I'm just deleting it from AD, do I need to shut down the DC first? It's a Virtual Machine -- can I just power it off then delete it from AD?
0
Question has a verified solution.
