Albert Widjaja
asked on
Confusing issue in AD replication report from multiple DC
Hi People,
I'm having a strange issue here with one of my AD domain controllers.
HeadQuarter AD Site:
HQDC01 - Windows Server 2012 R2
Data Center AD Site:
PRODDC01-VM - Windows Server 2008 R2 SP1
PRODDC02-VM - Windows Server 2008 R2 SP1
DR Building AD Site:
DRSITE2012DC01 - Windows Server 2012 R2
FFL/DFL: Windows 2003 Server.
When I execute the DCDIAG command from all of my DCs in the head office and the Data Center, everything looks fine except this entry below:
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
HQDC01: Current time is 2015-08-19 17:08:00.
DC=ForestDnsZones,DC=domain,DC=com
Last replication received from DRSITE2012DC01 at
2014-08-07 10:47:09
WARNING: This latency is over the Tombstone Lifetime of 60 days!
DC=DomainDnsZones,DC=domain,DC=com
Last replication received from DRSITE2012DC01 at
2014-08-07 11:02:42
WARNING: This latency is over the Tombstone Lifetime of 60 days!
CN=Schema,CN=Configuration,DC=domain ,DC=com
Last replication received from DRSITE2012DC01 at
2014-08-07 10:47:09
WARNING: This latency is over the Tombstone Lifetime of 60 days!
CN=Configuration,DC=domain,DC=com
Last replication received from DRSITE2012DC01 at
2014-08-07 10:47:09
WARNING: This latency is over the Tombstone Lifetime of 60 days!
DC=domain,DC=com
Last replication received from DRSITE2012DC01 at
2014-08-07 11:04:02
WARNING: This latency is over the Tombstone Lifetime of 60 days!
All of the Domain Controllers in the AD domain report the same error as above, but from DRSITE2012DC01 the DCDIAG result is just fine with no issue?
Because when I create a new AD object on any of the other Domain Controllers it works fine, but NOT when I create the object from DRSITE2012DC01?
Anything from DRSITE2012DC01 will not be replicated anywhere at all; even a new static connection to that DC created in AD Sites and Services won't be replicated.
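The DCDIAG warning above is an inbound-latency check on the DC where you run it, so a dead outbound link from one DC only shows up on its partners. The added script below (not code from the question or from any answer in the thread) reads the inbound replication metadata of every DC, compares each link's last success against the forest's tombstone lifetime, and lists the links that have crossed it; the only assumptions are the ActiveDirectory module and an account that can read the configuration partition.

```powershell
# Added example, not code from the thread: flag inbound replication links whose last
# success is older than the forest tombstone lifetime (the condition DCDIAG warns about).
Import-Module ActiveDirectory

# The tombstone lifetime lives on the Directory Service object in the configuration
# partition; when the attribute is absent Windows falls back to 60 days.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

$now = Get-Date
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Inbound partner metadata for every partition this DC hosts.
        $links = Get-ADReplicationPartnerMetadata -Target $dc.HostName `
            -PartnerType Inbound -Partition * -ErrorAction Stop
    } catch {
        Write-Warning "Could not read replication metadata from $($dc.HostName): $_"
        continue
    }
    foreach ($link in $links) {
        # Partner is the DN of the source's NTDS Settings object; the second RDN is the server name.
        $source = (($link.Partner -split ',')[1]) -replace '^CN='
        $age    = $now - $link.LastReplicationSuccess
        [pscustomobject]@{
            Destination = $dc.HostName
            Source      = $source
            Partition   = $link.Partition
            LastSuccess = $link.LastReplicationSuccess
            DaysSince   = [math]::Round($age.TotalDays, 1)
            OverTSL     = $age.TotalDays -gt $tsl
            LastResult  = $link.LastReplicationResult   # 0 means the last attempt succeeded
        }
    }
}

$report | Sort-Object DaysSince -Descending | Format-Table -AutoSize

# A link that has been dead longer than the tombstone lifetime can reintroduce lingering
# objects, so it should not simply be forced back into sync; that is why the thread moves
# toward demoting and re-promoting the isolated DC instead of repairing the link.
$stale = $report | Where-Object OverTSL
if ($stale) {
    "$($stale.Count) link(s) exceed the tombstone lifetime of $tsl days:"
    $stale | Select-Object Destination, Source, Partition, DaysSince | Format-Table -AutoSize
}
```

Run it from any DC or a workstation with RSAT; with the topology in the question, every row whose Source is DRSITE2012DC01 should show OverTSL set to True while the DR DC's own inbound rows stay healthy.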
SOLUTION
SOLUTION
ASKER
Hi Toni,
When we demote a Windows Server 2012 R2 Domain Controller, does the DNS or the DHCP server role get removed as well?
Because in the AD site this is the only DC, AD-integrated DNS and DHCP server, is there any impact to the users?
SOLUTION
ASKER
Thanks Toni,
So after converting the zones to standard primary I can then demote the domain controller safely?
After that, wait a few hours for AD replication and then promote it back to domain controller; then what happens to the DNS if I want it to be in AD-integrated mode again?
Yes, but why would you have to wait a few hours for replication?
ASKER
Or at least 15 minutes, because that is how Active Directory replication works in my company for those AD sites.
Is that normal, or is something wrong that I need to investigate somewhere?
If you assume that replication traffic will overload your WAN link, you should consider this option:
Installing an Additional Domain Controller by Using IFM
https://technet.microsoft.com/en-us/library/cc816722(v=ws.10).aspx
Two things to consider: the size of the AD database (ntds.dit) and the bandwidth of the WAN link.
If you use the IFM procedure, you can copy the entire database to the DR location outside your normal business hours, install the DC by IFM and there will be minimal initial replication traffic.
ASKER
Tony,
I assume that the DNS server role will also be automatically installed and running when promoting the new server as domain controller and Global Catalog?
DNS will be automatically installed; Global Catalog is one check box away.
ASKER
So if I demote and re-promote the broken Domain Controller, what happens to the client authentication within the AD site?
Can they use the Domain Controller in another AD site?
Of course.
SOLUTION
ASKER
Many thanks Arnold for joining this discussion.
Yes, the existing DHCP scope assigns one DNS server entry to itself and the other one to the Domain Controller in the Data Center.
SOLUTION
ASKER
No Arnold,
The site office only uses it for DHCP and DNS (primary); the file server is served by a NAS appliance.
Do you have a hub-and-spoke type scheme or a mesh?
How do I verify and know it?
SOLUTION
ASKER
Hi Arnold, I'm having a mesh topology. OK, somehow the decommission side effect has gone wrong :-|
https://www.experts-exchange.com/questions/28710913/Workstations-lost-its-trust-relationship-with-AD-domain-after-the-only-DC-GC-in-the-AD-Site-is-demoted-but-still-have-multiple-other-DC-GC-in-Data-Center.html
One by one the workstations are popping up the error that the trust relationship has been broken ?!?!
ASKER CERTIFIED SOLUTION
ASKER
Yes, this is the PowerShell script that I have found after logging in as local admin on the workstations:
2 - Reestablishing Trust
Open PowerShell as administrator. Run this command sequence:
$credential = Get-Credential   # enter a domain admin account when prompted
Reset-ComputerMachinePassword -Server ClosestDomainControllerNameHere -Credential $credential
but still I need to visit one by one.
ASKER
Is it just right-click on the AD computer object and then delete it?