Backup AD could not replicate to Primary AD

Hi Expert,

We have 2 ADs: one primary AD that holds the 5 roles and DNS, and another backup AD that holds the DNS role as well.

When we try to replicate manually, it shows:

    From Backup AD to Primary AD
        Naming Context: DC=abc,DC=local
        The replication generated an error (8606):
        Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
        The failure occurred at 2015-07-15 11:34:47.

Then I checked both servers' logs, and we got this:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adserver2$. The target name used was LDAP/ This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (abc.LOCAL) is different from the client domain (abc.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

We never changed the password... so I googled, and some experts said it might be due to DNS as well. I checked both servers' DNS event logs,

and we got this: DNS event ID 4013, the DNS server was unable to load AD-integrated DNS zones.

What are my next steps?

I plan to delete the backup AD (metadata cleanup) and rebuild the AD server. I think this is the fastest fix, but I have one small concern:

What if the DNS problem is caused by the primary AD?

Any advice?


Will Szymkowski (Senior Solution Architect) commented:
Can you run the following commands...
- repadmin /replsum
- repadmin /showrepl
- repadmin /bridgeheads
- DCDiag /v

It seems that the 2 DCs have different information in the NTDS.dit database. Depending on which DC has the issue, you might want to demote that DC and re-promote it, letting it replicate all of the changes from the DC that is online, to ensure that they are both in sync.
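As an added illustration, not a script from either participant: a PowerShell pass over the three symptoms in this thread, the 8606 replication failure, the KRB_AP_ERR_MODIFIED warning (SPN registered on the wrong account), and DNS event 4013. It assumes it runs on a DC with the ActiveDirectory and DnsServer modules plus repadmin, setspn and dcdiag on the path; abc.local and adserver2 come from the post, while adserver1 is an assumed name for the primary DC.

```powershell
# Added diagnostic script (not from the thread). Domain and DC names below are the
# poster's abc.local and adserver2; adserver1 is an assumed name for the primary DC.
param(
    [string]$Domain = 'abc.local',
    [string[]]$DomainControllers = @('adserver1', 'adserver2')
)
Import-Module ActiveDirectory
Import-Module DnsServer

# 1. Replication health: list failures per partner (an 8606 shows up as LastError 8606).
foreach ($dc in $DomainControllers) {
    Write-Host "=== Replication failures reported by $dc ==="
    Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
        Format-Table -AutoSize
}
# repadmin /showrepl in CSV form is easier to filter than the plain listing.
$showrepl = repadmin /showrepl * /csv | ConvertFrom-Csv
$showrepl | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' |
    Format-Table -AutoSize

# 2. KRB_AP_ERR_MODIFIED: the LDAP/ and HOST/ SPNs of each DC must be registered on that
#    DC's computer account and nowhere else. Flag anything that deviates from that.
foreach ($dc in $DomainControllers) {
    $fqdn = "$dc.$Domain"
    foreach ($spn in @("LDAP/$fqdn", "HOST/$fqdn")) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                    Select-Object -ExpandProperty DistinguishedName)
        if ($owners.Count -ne 1 -or $owners[0] -notmatch "^CN=$dc,") {
            Write-Warning "SPN $spn is registered on: $($owners -join '; ') (expected only the $dc computer account)"
        }
    }
}
# setspn -X reports every duplicate SPN in the forest, covering names the loop above skips.
setspn -X

# 3. DNS event 4013: the DNS service could not load its AD-integrated zones. Confirm the
#    zones are present and directory-integrated on each DC before trusting name resolution.
foreach ($dc in $DomainControllers) {
    Write-Host "=== AD-integrated zones on $dc ==="
    Get-DnsServerZone -ComputerName $dc | Where-Object IsDsIntegrated |
        Select-Object ZoneName, ReplicationScope, IsAutoCreated | Format-Table -AutoSize
}
# dcdiag /test:DNS runs only the DNS checks; run 'dcdiag /v' separately for the default set.
dcdiag /v /test:DNS /e
```

If the SPN check warns for adserver2, that matches the poster's KRB_AP_ERR_MODIFIED event; if the zone listing on a DC is empty, that DC is the one whose DNS never loaded, which answers the "is it the primary?" question before any metadata cleanup.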


patcheah (Author) commented:
Hi All,

Sorry for the late reply.

We have deleted the missing AD with metadata cleanup; after a reboot, everything is normal now.