Confusing issue in AD replication report from multiple DCs

Hi People,

I'm having some strange issue here with one of my AD Domain Controllers.

HeadQuarter AD Site:
HQDC01 - Windows Server 2012 R2

Data Center AD Site:
PRODDC01-VM - Windows Server 2008 R2 SP1
PRODDC02-VM - Windows Server 2008 R2 SP1

DR Building AD Site:
DRSITE2012DC01 - Windows Server 2012 R2

FFL/DFL: Windows 2003 Server.

When I execute the DCDIAG command from all of my DCs in the head office and the Data Center, everything looks fine except this entry below:

Starting test: Replications
   REPLICATION-RECEIVED LATENCY WARNING
   HQDC01:  Current time is 2015-08-19 17:08:00.
      DC=ForestDnsZones,DC=domain,DC=com
         Last replication received from DRSITE2012DC01 at
    2014-08-07 10:47:09
         WARNING:  This latency is over the Tombstone Lifetime of 60 days!
      DC=DomainDnsZones,DC=domain,DC=com
         Last replication received from DRSITE2012DC01 at
    2014-08-07 11:02:42
         WARNING:  This latency is over the Tombstone Lifetime of 60 days!
      CN=Schema,CN=Configuration,DC=domain,DC=com
         Last replication received from DRSITE2012DC01 at
    2014-08-07 10:47:09
         WARNING:  This latency is over the Tombstone Lifetime of 60 days!
      CN=Configuration,DC=domain,DC=com
         Last replication received from DRSITE2012DC01 at
    2014-08-07 10:47:09
         WARNING:  This latency is over the Tombstone Lifetime of 60 days!
      DC=domain,DC=com
         Last replication received from DRSITE2012DC01 at
    2014-08-07 11:04:02
         WARNING:  This latency is over the Tombstone Lifetime of 60 days!

All of the Domain Controllers in the AD domain report the same error as above, but from DRSITE2012DC01 the DCDIAG result is just fine with no issue?

Because when I create a new AD object on any of the other Domain Controllers it works fine, but NOT when I create the object from DRSITE2012DC01?

Anything from DRSITE2012DC01 will not be replicated anywhere at all; even a new static connection to the DC created in AD Sites and Services won't be replicated.
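As an added example (not from the thread), a PowerShell check that reproduces the dcdiag warning above across every DC: it reads the forest tombstone lifetime from the Directory Service object and lists each inbound partner and partition whose last successful replication is older than that. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) on the 2012 R2 DC or admin workstation it runs from.

```powershell
# Added example (not from the thread): list every inbound replication partner whose last
# successful replication is older than the forest tombstone lifetime, which is the condition
# dcdiag reports above. Assumes the ActiveDirectory module (RSAT-AD-PowerShell) on the
# 2012 R2 DC or admin workstation it runs from.
Import-Module ActiveDirectory

# The tombstone lifetime is stored on the Directory Service object in the Configuration NC.
# When the attribute is unset the forest uses the legacy default of 60 days.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$tsl      = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
$cutoff   = (Get-Date).AddDays(-$tsl)

$stale = foreach ($dc in (Get-ADDomainController -Filter *)) {
    # One record per partition per inbound partner, like the per-partition lines in dcdiag.
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartitionFilter * -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationSuccess -and $_.LastReplicationSuccess -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Destination = $dc.Name
                # Partner is the DN of the source DC's NTDS Settings object; its second RDN is the DC name.
                Source      = ($_.Partner -split ',')[1] -replace '^CN='
                Partition   = $_.Partition
                LastSuccess = $_.LastReplicationSuccess
                DaysStale   = [int]((Get-Date) - $_.LastReplicationSuccess).TotalDays
                LastResult  = $_.LastReplicationResult
            }
        }
}

if ($stale) {
    # A source this far behind may hold lingering objects; check for them before replication
    # with it is re-enabled rather than simply forcing a sync.
    Write-Warning "Inbound partners older than the $tsl-day tombstone lifetime:"
    $stale | Sort-Object Source, Destination, Partition | Format-Table -AutoSize
} else {
    "No inbound replication partner is older than the $tsl-day tombstone lifetime."
}
```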
Asked by: Senior IT System Engineer (IT Professional)
Toni Uranjek (Consultant/Trainer) commented:
DRSITE2012DC01 does not replicate with other DCs. The best approach would be to do forceremoval, reboot, metadata cleanup and repromote this server.
Senior IT System Engineer (IT Professional, Author) commented:
So how do you do metadata cleanup?

Is it just right-clicking on the AD computer object and then deleting it?

Senior IT System Engineer (IT Professional, Author) commented:
Hi Toni,

When we demote a Windows Server 2012 R2 Domain Controller, do the DNS or DHCP server roles get removed as well?

Because this is the only DC, AD-integrated DNS server and DHCP server in the AD site, is there any impact to the users?
Toni Uranjek (Consultant/Trainer) commented:
No. But if you use Active Directory integrated zones in DNS, maybe you should convert zones to standard primary.

If you break up DNS, and you use AD integrated zones, they will be replicated immediately after installing AD Domain Services.

DHCP will not be affected.
Senior IT System Engineer (IT Professional, Author) commented:
Thanks Toni,

So after converting the zones to standard primary I can then demote the domain controller safely?

After that, wait a few hours for AD replication and then promote it back to a domain controller; then what happens to the DNS if I want it to be in AD-integrated mode again?
Toni Uranjek (Consultant/Trainer) commented:
Yes, but why would you have to wait a few hours for replication?
Senior IT System Engineer (IT Professional, Author) commented:
Or at least 15 minutes. Because that is how Active Directory replication works in my company for those AD sites.

Is that normal, or is something wrong that I need to investigate somewhere?
Toni Uranjek (Consultant/Trainer) commented:
If you assume that replication traffic will overload your WAN link, you should consider this option:

Installing an Additional Domain Controller by Using IFM
https://technet.microsoft.com/en-us/library/cc816722(v=ws.10).aspx

Two things to consider: the size of the AD database (ntds.dit) and the bandwidth of the WAN link.

If you use the IFM procedure, you can copy the entire database to the DR location outside your normal business hours, install the DC by IFM and there will be minimal initial replication traffic.
Senior IT System Engineer (IT Professional, Author) commented:
Toni,

I assume that the DNS server role will also be automatically installed and running when promoting the new server as a domain controller and Global Catalog?
Toni Uranjek (Consultant/Trainer) commented:
DNS will be installed automatically; Global Catalog is one check box away.
Senior IT System Engineer (IT Professional, Author) commented:
So if I demote and re-promote the broken Domain Controller, what happens to the client authentication within the AD site?

Can they use the Domain Controller in another AD site?
Toni Uranjek (Consultant/Trainer) commented:
Of course.
arnold commented:
Try using the repadmin to reinitialize replication.

Demote/re-promote is fine when there are two DCs in the site; with a single DC, DHCP/DNS come into play.
Does the existing local scope push remote DNS servers to the clients, which are needed by the site systems in the event the local DNS/DC is offline?

The replication failures started more than a year ago.
Senior IT System Engineer (IT Professional, Author) commented:
Many thanks Arnold for joining this discussion.

Yes, the existing DHCP scope assigns one DNS server as itself and the other one as the Domain Controller in the Data Center.
arnold commented:
Does the site, besides DHCP, DNS and AD, rely on the server for profiles or file shares?
Repadmin could be used to reset replication after you verify that the links to the various DC in the topology are there.

I.e., do you have a hub and spoke type scheme or a mesh?
Senior IT System Engineer (IT Professional, Author) commented:
No Arnold,

The site office only uses it for DHCP and DNS (primary); the file server is served by a NAS appliance.

Do you have a hub and spoke type scheme or a mesh?
How do I verify and know that?
arnold commented:
Mesh means you have VPNs between and among all sites.

Hub and spoke each site links to the Main HQ site.

https://www.microsoft.com/en-us/download/details.aspx?id=13380
A topology mapping tool
https://technet.microsoft.com/en-us/library/cc787284(v=ws.10).aspx

The issue might be that you had a mesh VPN and then last year the VPN map or routing changed severing this site from being able to reach the other DCs.
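Added example (not from the thread) for the two checks arnold asks for above, whether the links to the other DCs exist and whether the topology is a mesh or hub and spoke: it lists every site link with its replication interval (the inter-site interval the author mentions is configured on the site link) and the inbound connection objects of every DC, so a DC that no longer pulls from any other site stands out. Assumes the ActiveDirectory module (RSAT-AD-PowerShell).

```powershell
# Added example (not from the thread): show the inter-site replication topology arnold asks
# about. Site links reveal mesh vs hub-and-spoke and carry the replication interval;
# connection objects show which DCs actually pull from which.
# Assumes the ActiveDirectory module (RSAT-AD-PowerShell).
Import-Module ActiveDirectory

# A full mesh has a link per site pair; hub-and-spoke has one link per spoke, each including the hub.
'== Site links =='
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize

# Connection objects belong to the destination DC; ReplicateFromDirectoryServer is the
# source DC's NTDS Settings DN. A DC with no inbound connection from another site cannot
# receive changes from the rest of the forest.
'== Inbound connection objects per DC =='
$connections = Get-ADReplicationConnection -Filter *
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $inbound = $connections | Where-Object {
        $_.ReplicateToDirectoryServer -like "CN=NTDS Settings,CN=$($dc.Name),*"
    }
    [pscustomobject]@{
        DC      = $dc.Name
        Site    = $dc.Site
        Inbound = if ($inbound) {
            ($inbound | ForEach-Object { ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN=' }) -join ', '
        } else { '<none>' }
    }
}
```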
Senior IT System Engineer (IT Professional, Author) commented:
Hi Arnold, I have a mesh topology. OK, somehow the decommission side effect has gone wrong :-|

http://www.experts-exchange.com/questions/28710913/Workstations-lost-its-trust-relationship-with-AD-domain-after-the-only-DC-GC-in-the-AD-Site-is-demoted-but-still-have-multiple-other-DC-GC-in-Data-Center.html

One by one the workstations are popping up the error that the trust relationship has broken ?!?!
arnold commented:
You should be able to log in to the workstation using an admin account while the workstation is not connected to the network. Upon login, reconnect the workstation to the network and rejoin the domain; do not remove the workstation from the domain.
Senior IT System Engineer (IT Professional, Author) commented:
Yes, this is the PowerShell script that I found, run after logging in as local admin on the workstations:

2 - Reestablishing Trust
Open PowerShell as administrator. Run this command sequence:

    # Enter a domain admin account when prompted
    $credential = Get-Credential
    # Reset the machine account password against a reachable DC. -Credential is required here:
    # the workstation's own computer account can no longer authenticate, which is the broken trust.
    Reset-ComputerMachinePassword -Server ClosestDomainControllerNameHere -Credential $credential

But I still need to visit them one by one.