Vladimir Buzalka (asker):

Active directory problem/replication/exchange2010

Dear Experts

I am glad to be back here.

I have the following problem. I have a small network: a primary DC (W8DC) (all FSMO roles assigned, also a GC), a secondary DC (DC) and an Exchange 2010 server (E2010E08).

All of those are running smoothly in VMware ESX.

I was quite foolish and had not realized that backing up those machines via Veeam is not enough, or rather it is enough, but one must be careful during recovery, as restoring the primary DC to a previous state can cause problems in replication (USN).

So I ended up with a replication error between the primary and secondary DC. No real Windows backup of Active Directory is available.

Luckily, as I said, my domain is not complicated; it is just a few people and Exchange. I could even recreate the domain from scratch, but I am unsure how to connect it back to Exchange, so I tried the following steps.

1. I removed DNS from the secondary DC and pointed Exchange to the primary DC only. I adjusted the primary DC's DHCP to announce itself as the only DNS server. No problem.
2. I forcefully removed the secondary DC from the domain (a correct removal was not possible as there were errors in replication). I removed the domain services from the secondary DC. Still no problem.
3. I cleaned the domain data from the secondary DC (no problem).
4. I removed all traces of the secondary DC from the primary DC's DNS (no problem).
5. I pointed Exchange 2010 to work with the primary DC only, both as domain controller and as GC. No problem.
6. I made the primary DC the time source for the domain, synchronizing itself with an external time source.
7. At this point, after a restart, the primary DC started with a notification that domain recovery was done via an unsupported method and the Netlogon function was paused. I removed the "DSA Not Writable" entry from the registry on the primary DC, and indeed after a restart it stopped complaining about recovery and Netlogon is still running.
8. At this point all seems to work: logons, creation of new accounts, etc.


But when I run dcdiag on the primary DC I get these errors; please see the verbose listing from dcdiag:
W8DC failed test NCSecDesc
W8DC failed test Replications
W8DC failed test SystemLog

Would you be so kind as to help me get rid of those errors, to have as clean a domain as possible?

Can we start with "W8DC failed test Replications"? I see that inbound and outbound replication is disabled. So I tried repadmin /options -DISABLE_OUTBOUND_REPL on the primary DC but got this error:

C:\Users\administrator.BUZALKA>repadmin /options -DISABLE_OUTBOUND_REPL
Repadmin can't connect to a "home server", because of the following error.  Try specifying a different home server with /homeserver:[dns name]
Error: An LDAP lookup operation failed with the following error:

    LDAP Error 81(0x51): Server Down
    Server Win32 Error 0(0x0):
    Extended Information:

And here I do not know how to proceed.

I am playing with all this on an isolated copy of my production computers on another ESX server, so we can try whatever you advise without fear.

Many thanks for your help.

Vladimir
Attachment: dcdiag.txt
Abhilash Pappiyil:

Just to confirm: have you restored the primary DC (DC1) to an earlier restore point and then decommissioned the SECONDARY DC?!!! If you have snapshotted the primary DC to an older restore point, then the above issue would occur, but you had a secondary DC which had a WORKING copy of your AD. I wonder: you must have done the disjoin and re-join process on the primary DC, not on the secondary DC which had the working copy.
Vladimir Buzalka (asker):

Dear Abhi,

Unfortunately I cannot remember how exactly this happened, but here is what I see with repadmin /showutdvec on the production computers now:
C:\Users\administrator.BUZALKA>repadmin /showutdvec dc dc=buzalka,dc=local
Caching GUIDs.
..
25ca9444-9e2e-4e93-85c6-65ed55489ad1 @ USN   7287097 @ Time 2017-04-30 13:50:00
79437499-7132-4e77-94c5-c37cb5100060 @ USN   7293362 @ Time 2017-05-01 16:59:06
Vychozi-nazev-prvni-site\DC (retired) @ USN    233477 @ Time 2017-06-02 20:22:33

Vychozi-nazev-prvni-site\W8DC        @ USN    913361 @ Time 2017-09-11 09:56:48
Vychozi-nazev-prvni-site\DC          @ USN    920216 @ Time 2017-09-11 09:57:37
b994a887-2a4d-4174-883c-30795300c859 @ USN     63036 @ Time 2017-04-30 13:33:38

I would expect to have only 2 entries here.

Is it clearer now?

Many thanks,

V
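An added read-only health check, written for this thread and not part of any post here nor of Microsoft's tooling: run on the DC as a domain admin, it gathers the indicators the thread is juggling (the "DSA Not Writable" registry value, the DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL options, retired or stale entries in the up-to-dateness vector from repadmin /showutdvec, and the related Directory Service events) so you can see the rollback state before changing anything. The DC name, the naming context dc=buzalka,dc=local and the 60-day staleness threshold are assumptions.

```powershell
# Added example, not from the thread. Read-only: it only reports indicators of an
# unsupported restore (USN rollback) and paused replication on one DC.
param(
    [string]$Dc = $env:COMPUTERNAME,                 # assumed: run on the DC itself
    [string]$NamingContext = 'dc=buzalka,dc=local',  # assumed from the thread
    [int]$StaleDays = 60                             # assumed threshold for old UTD entries
)

$findings = @()

# 1. AD DS writes "DSA Not Writable" under the NTDS parameters when it detects an
#    unsupported restore; while present, replication and Netlogon stay paused.
$ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if ($null -ne $ntds.'DSA Not Writable') {
    $findings += "DSA Not Writable = $($ntds.'DSA Not Writable') (unsupported restore flagged)"
}

# 2. DSA options: either DISABLE_* flag explains a failed 'Replications' test in dcdiag.
$options = (repadmin /options $Dc) -join ' '
foreach ($flag in 'DISABLE_INBOUND_REPL', 'DISABLE_OUTBOUND_REPL') {
    if ($options -match $flag) { $findings += "$flag is set on $Dc" }
}

# 3. Up-to-dateness vector: "(retired)" entries and entries whose last update is older
#    than the threshold point at partners that no longer exist or never caught up.
$stale = (Get-Date).AddDays(-$StaleDays)
foreach ($line in repadmin /showutdvec $Dc $NamingContext) {
    if ($line -match '^(?<src>.+?)\s+@ USN\s+(?<usn>\d+)\s+@ Time\s+(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
        $src = $Matches.src.Trim()
        $t = [datetime]::ParseExact($Matches.time, 'yyyy-MM-dd HH:mm:ss', $null)
        if ($src -like '*(retired)*') { $findings += "Retired partner still in UTD vector: $src" }
        elseif ($t -lt $stale)      { $findings += "Stale UTD entry ($($t.ToString('yyyy-MM-dd'))): $src" }
    }
}

# 4. Directory Service log: 2095 = USN rollback detected, 2103 = unsupported restore,
#    1113 / 1115 = inbound / outbound replication disabled by the user.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 1113, 1115 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += "Event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No rollback or replication-block indicators found on $Dc" }
```

If the script reports a DISABLE_* flag together with the "DSA Not Writable" value, the DC still considers itself rolled back; clearing the options alone, as attempted in the thread, does not address that state.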
SOLUTION by Abhilash Pappiyil (content available to Experts Exchange members only)

Vladimir Buzalka (asker):

Hi Abhi,

I have already read the proposed article on petri.il.

NTDSUTIL cleanup was already done; now I see only a single server, so there is nothing more I can do there.

I checked Active Directory Sites and Services and found only 1 DC.

In Active Directory Users and Computers also only 1 DC is listed.

In DNS I found 2 records in the reverse zone for the secondary server and removed them.

Restarted and created a new dcdiag /v; I can see some new errors:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'BUZALKA.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Name resolution for the name _ldap._tcp.Vychozi-nazev-prvni-site._sites.dc._msdcs.BUZALKA.local timed out after none of the configured DNS servers responded.
This computer has at least one dynamically assigned IPv6 address. For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.
The WinRM service failed to create the following SPNs: WSMAN/W8DC.BUZALKA.local; WSMAN/W8DC.
Unable to add the interface {F791ACDA-52C3-4376-B7FC-5AF7F5EA37D2} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
A certificate could not be found. Connections that use the L2TP protocol over IPsec require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted.
Failed to apply IP Security on port VPN2-0 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.  No calls will be accepted to this port.

Can you see dcdiag2.txt?

Many thanks,

Vladimir
Attachment: dcdiag2.txt
ASKER CERTIFIED SOLUTION by Sarang (content available to Experts Exchange members only)

Vladimir Buzalka (asker):

Dear Sarang, many thanks. I tried, and finally I was able to correct replication with your commands; all is OK. I was able to create a fresh secondary DC and connect it to the primary one, and replication is now without errors. Once again thanks, and Abhi, thanks to you as well.
Perfect help, thanks both.
Abhilash Pappiyil:

You are always welcome, buddy.