[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Active Directory - Error 8614 - Do all DC's need to replicate

Posted on 2016-10-11
5
Medium Priority
?
214 Views
Last Modified: 2016-10-27
We have a domain with 10 sites.
We have noticed after running a "repadmin /replsummary" that not all of our DC's are communicating and that we are getting a

 "(8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."

We are not experiencing issues with replication but we think that at least one of the DC's should be able to replicate with all of the DC's.

Is this fine to leave this as everything is working or should we look at resolving this problem?
0
Comment
Question by:Pmb2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 6

Expert Comment

by:Deepin
ID: 41838308
How many are not syncing?

you are going to have to kill those DC's and then clean the rest of your AD.....and then rebuild them and bring them back in...
1
 

Author Comment

by:Pmb2000
ID: 41838354
Half of them are giving the error - (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

But we are having no issues with AD objects being replicated.

What is the best method for the cleaning up of the AD?

Are we best to demote and then bring them back on. or what would you suggest?
0
 
LVL 6

Assisted Solution

by:Deepin
Deepin earned 1000 total points
ID: 41838411
1
 
LVL 7

Accepted Solution

by:
Niten Kumar earned 1000 total points
ID: 41839277
Best would be to demote the non-replicating DC's one at a time.  Demote one, rebuild and promote.  Make sure sites and inter-site links are defined properly.  Test the replication using:

1.   repadmin /replsum
2.   repadmin /showrepl

If all is good then do the same with problematic dc's in other sites.

If in case demotion fails then metadata cleanup will be required which will be best cleaned up through the command line utility ntdsutil.

For help you check out this video which thoroughly explains its usage.  You will find the metadata cleanup part at the second half of the video.

https://www.youtube.com/watch?v=DzJTCYtp7XI
1
 

Author Closing Comment

by:Pmb2000
ID: 41862018
Great Guys.

Thanks!!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question