[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Active Directory - Error 8614 - Do all DC's need to replicate

Posted on 2016-10-11
5
Medium Priority
?
243 Views
Last Modified: 2016-10-27
We have a domain with 10 sites.
We have noticed after running a "repadmin /replsummary" that not all of our DC's are communicating and that we are getting a

 "(8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."

We are not experiencing issues with replication but we think that at least one of the DC's should be able to replicate with all of the DC's.

Is this fine to leave this as everything is working or should we look at resolving this problem?
0
Comment
Question by:Pmb2000
  • 2
  • 2
5 Comments
 
LVL 6

Expert Comment

by:Deepin
ID: 41838308
How many are not syncing?

you are going to have to kill those DC's and then clean the rest of your AD.....and then rebuild them and bring them back in...
1
 

Author Comment

by:Pmb2000
ID: 41838354
Half of them are giving the error - (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

But we are having no issues with AD objects being replicated.

What is the best method for the cleaning up of the AD?

Are we best to demote and then bring them back on. or what would you suggest?
0
 
LVL 6

Assisted Solution

by:Deepin
Deepin earned 1000 total points
ID: 41838411
1
 
LVL 7

Accepted Solution

by:
Niten Kumar earned 1000 total points
ID: 41839277
Best would be to demote the non-replicating DC's one at a time.  Demote one, rebuild and promote.  Make sure sites and inter-site links are defined properly.  Test the replication using:

1.   repadmin /replsum
2.   repadmin /showrepl

If all is good then do the same with problematic dc's in other sites.

If in case demotion fails then metadata cleanup will be required which will be best cleaned up through the command line utility ntdsutil.

For help you check out this video which thoroughly explains its usage.  You will find the metadata cleanup part at the second half of the video.

https://www.youtube.com/watch?v=DzJTCYtp7XI
1
 

Author Closing Comment

by:Pmb2000
ID: 41862018
Great Guys.

Thanks!!
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

865 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question