Solved

AD Replications issues

Posted on 2016-11-16
Last Modified: 2016-11-28
I have a Windows 2003 R2 (SRV1) and a 2008 R2 (SRV2). They are both domain controllers. I added 4 new Windows 7 Pro workstations and noticed that some were not able to log into the security domain due to their computer account. I rebooted the troubled workstations and was back in. Obviously it depended on which server the workstations were trying to log in with. I checked the event logs to discover that AD replication was not happening.

I ran Dcdiag and repadmin. I received a number of errors that have me running in circles.

In order to clear the slate and start from the beginning, I went to each server and pushed an AD replication. I received the following error:

Replicate Now - window from SRV1

The Following error occured during the attempt to
synchronize naming context ABC.Local from domain controller
SRV2 to domain controller SRV1: Insufficient attributes
were given to create an object. This object may not exist
because it may have been deleted and already garbage
collected.

I believe AD replication has been down for a while - months. I don't want this to get worse. Can anybody help on this matter? How do I repair/restore replication? More importantly, ensure the health of my AD.

I will follow up with some of the Dcdiag errors

Thank you
Question by:GeeMoon

12 Comments

Author Comment

by:GeeMoon
ID: 41890245
Dcdiag Errors:

SRV2

Starting test: CheckSecurityError

[SRV2] DsReplicaGetInfo(KCC_DS_CONNECT_FAILURES) failed with error 8453, Replication access was denied..
[SRV2] Unable to query the list of KCC connection failures. Continuing...
[SRV2] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.

----

SRV2 failed test NCSecDesc

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=ABC,DC=local
         * Security Permissions Check for DC=DomainDnsZones,DC=ABC,DC=local
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=ABC,DC=local

---------
Starting test: Services

Checking Service: NTDS
            Could not open NTDS Service on SRV2, error 0x5 "Access is denied."
---------------
Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
                  [Error details: 5 (Type: Win32 - Description: Access is denied.)]
LVL 6

Expert Comment

by:Niten Kumar
ID: 41890425
Can you post the output of the following commands:

  1. repadmin /showrepl
  2. repadmin /replsummary
  3. dcdiag /q
  4. netdom query fsmo

Also check Event Viewer for errors and post those errors.  Thanks.
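The four commands asked for above are the standard first pass on a replication problem. The script below is an added example (not from the thread or from the expert's post) that collects all four outputs into a timestamped folder and then parses the `repadmin /replsummary` rows, flagging any partner with a non-zero failure count, an error code, or a largest delta older than a threshold. The threshold value, the output folder and the column regex are my assumptions, derived from the row format visible in the thread.

```powershell
# Added example, not from the thread: collect the four outputs requested above
# into a timestamped folder and flag partners that repadmin /replsummary reports
# as failing or stale. Assumptions: run in an elevated PowerShell on a DC by a
# domain admin; repadmin, dcdiag and netdom are on PATH.
param(
    [string]$OutDir    = (Join-Path $env:TEMP ('ad-repl-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))),
    [int]   $StaleDays = 7    # constructed threshold: flag a partner whose largest delta exceeds this
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$commands = [ordered]@{
    showrepl    = 'repadmin /showrepl'
    replsummary = 'repadmin /replsummary'
    dcdiag      = 'dcdiag /q'
    fsmo        = 'netdom query fsmo'
}
foreach ($name in $commands.Keys) {
    # cmd /c merges stderr so a failing tool's message is kept with its output
    cmd /c "$($commands[$name]) 2>&1" | Out-File -FilePath (Join-Path $OutDir "$name.txt") -Encoding utf8
}

# "largest delta" formats seen in the thread: 07d.05h:00m:29s and 31m:11s
function ConvertTo-DeltaTimeSpan([string]$Delta) {
    if ($Delta -match '^(?:(\d+)d\.)?(?:(\d+)h:)?(?:(\d+)m:)?(\d+)s$') {
        $m = $Matches
        # '0' + value tolerates an absent optional group (null -> 0)
        return New-TimeSpan -Days ([int]('0' + $m[1])) -Hours ([int]('0' + $m[2])) `
                            -Minutes ([int]('0' + $m[3])) -Seconds ([int]('0' + $m[4]))
    }
    return $null    # anything else (e.g. ">60 days", "unknown") is treated as unparsed and flagged
}

# Rows look like: "<DSA> <delta> <fails> / <total> <pct> [(<code>) <message>]"
$rowPattern = '^\s*(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)(?:\s+\((\d+)\)\s*(.*))?$'
$section  = ''
$findings = foreach ($line in Get-Content (Join-Path $OutDir 'replsummary.txt')) {
    if ($line -match '^(Source|Destination) DSA') { $section = $Matches[1]; continue }
    if ($section -and $line -match $rowPattern) {
        $m  = $Matches                              # keep a copy; the helper below runs its own -match
        $ts = ConvertTo-DeltaTimeSpan $m[2]
        [pscustomobject]@{
            Role    = $section
            DSA     = $m[1]
            Delta   = $m[2]
            Fails   = [int]$m[3]
            Total   = [int]$m[4]
            Error   = $m[6]
            Message = $m[7]
            Flag    = ([int]$m[3] -gt 0) -or ($null -eq $ts) -or ($ts.TotalDays -gt $StaleDays)
        }
    }
}

$findings | Format-Table Role, DSA, Delta, Fails, Total, Error, Flag -AutoSize
$bad = $findings | Where-Object { $_.Flag }
if ($bad) {
    Write-Warning ('Partners needing attention: ' + (($bad.DSA | Sort-Object -Unique) -join ', '))
}
"Raw outputs saved under $OutDir"
```

On the thread's own summary this would flag SRV2 as a source and SRV1 as a destination (error 8606, one failure out of five, delta just over seven days) while leaving the other direction clean, which matches the expert's later reading that SRV1 is fine and SRV2 is the problem. The saved `dcdiag /q` and `netdom query fsmo` files are there for the follow-up questions, not parsed here.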

Author Comment

by:GeeMoon
ID: 41890673
repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site\SRV2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 361d267b-fb93-482c-a3ad-9c9121e5c425
DSA invocationID: 9a9178af-5a1f-4a84-a3ed-2407546cb633

==== INBOUND NEIGHBORS ======================================

DC=ABC,DC=local
    Default-First-Site\SRV1 via RPC
        DSA object GUID: fa656f49-32b4-4b6a-a83e-d2490889898a
        Last attempt @ 2016-11-16 18:09:55 was successful.

CN=Configuration,DC=ABC,DC=local
    Default-First-Site\SRV1 via RPC
        DSA object GUID: fa656f49-32b4-4b6a-a83e-d2490889898a
        Last attempt @ 2016-11-16 17:45:02 was successful.

CN=Schema,CN=Configuration,DC=ABC,DC=local
    Default-First-Site\SRV1 via RPC
        DSA object GUID: fa656f49-32b4-4b6a-a83e-d2490889898a
        Last attempt @ 2016-11-16 17:45:02 was successful.

DC=DomainDnsZones,DC=ABC,DC=local
    Default-First-Site\SRV1 via RPC
        DSA object GUID: fa656f49-32b4-4b6a-a83e-d2490889898a
        Last attempt @ 2016-11-16 17:45:02 was successful.

DC=ForestDnsZones,DC=ABC,DC=local
    Default-First-Site\SRV1 via RPC
        DSA object GUID: fa656f49-32b4-4b6a-a83e-d2490889898a
        Last attempt @ 2016-11-16 17:45:02 was successful.

Author Comment

by:GeeMoon
ID: 41890677
repadmin /replsummary

Replication Summary Start Time: 2016-11-16 18:16:13

Beginning data collection for replication summary, this may take awhile:
  .....

Source DSA          largest delta    fails/total %%   error
 SRV2              07d.05h:00m:29s    1 /   5   20  (8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
 SRV1                      31m:11s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 SRV2                      31m:12s    0 /   5    0
 SRV1              07d.05h:00m:29s    1 /   5   20  (8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

Author Comment

by:GeeMoon
ID: 41890680
dcdiag /q


         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=ABC,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=ABC,DC=local

         ......................... SRV2 failed test NCSecDesc

         An error event occurred.  EventID: 0x00009018
            Time Generated: 11/16/2016   17:24:34
            Event String:
            The following fatal alert was generated: 10. The internal error state is 1203.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 11/16/2016   17:24:34
            Event String:
            The following fatal alert was generated: 10. The internal error state is 1203.
         An error event occurred.  EventID: 0xC00A0038
            Time Generated: 11/16/2016   17:24:35
            Event String:
            The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 80.228.64.131.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 11/16/2016   17:31:12
            Event String:
            The following fatal alert was generated: 10. The internal error state is 1203.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 11/16/2016   17:31:12
            Event String:
            The following fatal alert was generated: 10. The internal error state is 1203.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 11/16/2016   17:58:39
            Event String:
            The following fatal alert was generated: 10. The internal error state is 1203.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 11/16/2016   17:58:39
            Event String:
            The following fatal alert was generated: 10. The internal error state is 1203.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 11/16/2016   18:02:14
            Event String:
            The following fatal alert was generated: 10. The internal error state is 1203.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 11/16/2016   18:02:14
            Event String:
            The following fatal alert was generated: 10. The internal error state is 1203.
         ......................... SRV2 failed test SystemLog

Author Comment

by:GeeMoon
ID: 41890682
netdom query fsmo

Schema master               SRV1.ABC.local
Domain naming master        SRV1.ABC.local
PDC                         SRV1.ABC.local
RID pool manager            SRV1.ABC.local
Infrastructure master       SRV1.ABC.local
The command completed successfully.

Author Comment

by:GeeMoon
ID: 41890692
Note:

I believe this whole AD replication issue was caused by a past loss of capacity on the C:\ drive of the PDC (SRV1). A backup job overcrowded the server. I resolved the issue, but I think that knocked the replication out of sync. I believe my two servers have a different view of the AD at this point. Would this be enough to prevent the replication from happening? I keep reading about orphan objects and that they need to be cleaned out. I am just trying to give as much info/insight as I can to get to the bottom of this issue.

Thank you for responding. I look forward to your reply
LVL 6

Accepted Solution

by:
Niten Kumar earned 500 total points
ID: 41890762
Can you test out the following:

  1. Create a user account (can be a test account which you can delete later) on SRV1; does it replicate to SRV2?
  2. Create a test GPO on SRV1 and see if it replicates to SRV2.

If the above works then try doing vice versa, i.e. create on SRV2 and see if it replicates to DC1. If all good then replication is working fine.

Check in the Event Viewer, under Application and Services Logs and see if there are any errors under FRS.

From the log you have posted it seems like SRV1 is ok, but there are issues with SRV2.  What is the tombstone lifetime?

Check the following TechNet article on how you can check for lingering objects on your DCs:

http://social.technet.microsoft.com/wiki/contents/articles/23927.detailed-concepts-lingering-objects-in-active-directory-and-how-to-s.aspx

You can also try a tool found at the following site:

https://blogs.technet.microsoft.com/askds/2014/09/15/remove-lingering-objects-that-cause-ad-replication-error-8606-and-friends/
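The lingering-object check the answer points to is `repadmin /removelingeringobjects`, which takes the DC suspected of holding the stale objects, the DSA object GUID of a DC with a good copy, and one partition at a time, and which reports rather than deletes when `/ADVISORY_MODE` is given. The script below is an added example (not from the thread, the expert, or the linked articles) that reads the reference DC's DSA object GUID from the `repadmin /showrepl` header shown earlier in the thread, runs the check against every partition except Schema, and then reads back the events it produced from the suspect DC's Directory Service log. The DC names are the thread's; the event IDs it filters on are what I expect repadmin to log and are labelled as assumptions in the code.

```powershell
# Added example, not from the thread: run the lingering-object check the answer
# points to, in advisory mode, against every partition except Schema, then read
# the resulting Directory Service events. Assumptions: run on a DC by a domain
# admin, RSAT ActiveDirectory module installed, repadmin on PATH; DC names are
# the thread's, and the event IDs are what I expect repadmin to log.
param(
    [string]$SuspectDc   = 'SRV2.ABC.local',   # DC believed to hold the lingering objects
    [string]$ReferenceDc = 'SRV1.ABC.local',   # DC whose copy is treated as authoritative
    [switch]$Remove                            # default is advisory mode; -Remove actually deletes
)
Import-Module ActiveDirectory

# repadmin wants the reference DC's DSA object GUID; repadmin /showrepl prints it
# in its header as "DSA object GUID: <guid>", so take it from there.
$header = (repadmin /showrepl $ReferenceDc 2>&1) -join "`n"
if ($header -notmatch 'DSA object GUID:\s*([0-9a-fA-F-]{36})') {
    throw "Could not read DSA object GUID from 'repadmin /showrepl $ReferenceDc'"
}
$refGuid = $Matches[1]

# All naming contexts hosted by the suspect DC, minus Schema (as the linked article says)
$rootDse    = Get-ADRootDSE -Server $SuspectDc
$partitions = @($rootDse.namingContexts) | Where-Object { $_ -ne $rootDse.schemaNamingContext }

$mode  = if ($Remove) { @() } else { @('/ADVISORY_MODE') }
$start = (Get-Date).AddMinutes(-2)    # small slack for clock skew between the two DCs
foreach ($nc in $partitions) {
    Write-Host "[$(if ($Remove) { 'REMOVE' } else { 'advisory' })] $nc on $SuspectDc vs $ReferenceDc ($refGuid)"
    # Argument order as in the thread: <DC holding LO> <GUID of good DC> <partition> [/ADVISORY_MODE]
    & repadmin /removelingeringobjects $SuspectDc $refGuid $nc @mode
}

# Expected events (assumed IDs): advisory mode 1946 = object found, 1942 = summary;
# removal 1945 = object deleted, 1939 = completed. The thread's 1988 is the
# strict-consistency block raised on the receiving DC, not an output of this scan.
$ids    = if ($Remove) { 1945, 1939 } else { 1946, 1942 }
$events = Get-WinEvent -ComputerName $SuspectDc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Directory Service'; Id = $ids; StartTime = $start
}
if (-not $events) { "No lingering-object events on $SuspectDc since $start"; return }
$events | Sort-Object TimeCreated | Select-Object TimeCreated, Id, Message | Format-List
```

Run it without `-Remove` first and review the per-object events: each names the object and partition, so anything that looks like a live account rather than a stale one is visible before the second, destructive pass. Swapping `$SuspectDc` and `$ReferenceDc` and running again covers the other direction, which is worth doing when, as in this thread, the two DCs have been out of sync for longer than anyone is sure of.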

Author Comment

by:GeeMoon
ID: 41891976
From SRV1

I created a test user, OU and GPO. It successfully popped up on SRV2.

From SRV2

I performed the above and was able to see the new OU/GPO from SRV1, but not the new user.

From the link, it was suggested that I run the following:

Repadmin /removelingeringobjects DC_Containing_LO, DC_Containing_NO_LO, Partition_Of_LO /ADVISORY_MODE

My interpretation is SRV2 has the lingering Object, to be match against SRV1 (the good AD Database). Do I have this right? Do I run this on SRV1? Should I run this on the other server?

This is what I ran with the actual GUID of the SRV1
Repadmin /removelingeringobjects SRV2.ABC.Local (SRV1 GUID) DC=ABC,DC=local /ADVISORY_MODE

I did the above and found 1 entry in event log, Directory Service ID: 1988

Could this be the only thing causing the replication problem?

Also I read the following:
Partition_Of_LO is the partition which you want to search for lingering objects. For example: dc=Contoso,DC=Com. Do not forget to run this against all the partitions except Schema.  Is this what they mean regarding different partitions:

DC=DomainDnsZones,DC=ABC,DC=local
   
DC=ForestDnsZones,DC=ABC,DC=local

Do I need to rerun the Repadmin /removelingeringobjects?

Side note:

It appears that the event log Directory service has stopped since 11/09/2016 on SRV2. SRV1 DS log is up-to-date. No services appear to be stopped on SRV2.

Thanks for all your help
LVL 19

Expert Comment

by:compdigit44
ID: 41894453
Since SRV2 seems to be the problem DC, as you have pointed out, why not demote it and then promote it again? All FSMO roles appear to be on SRV1, as you posted earlier.

Author Comment

by:GeeMoon
ID: 41900689
That was going to be my next question: can I bypass this whole process by pulling SRV2 from the domain? My concern, and the reason why I halted, was that I was worried, due to the current replication issue, that I would end up causing future problems with the AD. Is it possible to successfully pull a DC from a domain suffering a faulty replication issue?

Author Closing Comment

by:GeeMoon
ID: 41904451
I stumbled a bit on assuring the direction (from which server do I run this and how does it sit within the command) and identification of the AD server names within the Repadmin.

I finally ran Repadmin /removelingeringobjects (see the suggested link) with the /advisory_mode from SRV2. I saw lingering objects identified in the event log of SRV2. I pulled away the /advisory_mode from the command, and ran it again. It removed 20 lingering objects from the AD. I created a couple of additional test users and saw them successfully replicated. I pushed replication from both servers - no error messages - SUCCESS!!!!

Thank you for your help.
