Updated a server 2003 AD to 2008 R2. Replication issues and DNS
-
Wednesday, January 23, 2013 1:08 AM
I just updated the PDC Infrastructure role. Everything seems to be fine but one of the sites isn't getting replicated properly.
I tried different steps but I can't get them back in sync. Last resort is to demote and repromote but I'm looking for other alternatives right now. One symptom I've noticed that's going on in that site is that some people can't get to the directory. It would try connecting to the HQ domain controller but it would reject the credentials. I'm not sure what is going on. I'm not sure if it is related.
- Moved by Cheers ZHANG (Microsoft Contingent Staff, Moderator) Thursday, January 24, 2013 2:35 AM
All Replies
-
Saturday, January 26, 2013 11:47 AM
See the below links.
DNS client settings on DC and domain members.
Troubleshooting Active Directory Issues
Upload the dcdiag result to SkyDrive.
HTH
Biswajit Biswas
My Blogs |MCC |TNWiki Ninja
Best regards, Biswajit Biswas
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
- Edited by i.biswajith Saturday, January 26, 2013 11:48 AM
-
Saturday, January 26, 2013 3:20 PM
Hi,
Can you run dcdiag /test:replications to find out more? What are all the steps you tried?
Regards, Server Engineer - Server Support
-
Tuesday, January 29, 2013 8:16 AM
What is the current status? Please let us know the current situation.
HTH
Biswajit Biswas
- Edited by i.biswajith Tuesday, January 29, 2013 8:17 AM
-
Tuesday, January 29, 2013 11:21 PM
Hi,
I did the DNS thing and it didn't work. I did a dcdiag as suggested. Please review and see if there is anything you guys can tell.
I did one on the problem DC, one from a working DC, and one from a working DC on the problem DC.
repl on problem and working DC
- Edited by gnynot Tuesday, January 29, 2013 11:28 PM
-
Wednesday, January 30, 2013 2:55 PM
From the log it is clear that there are replication issues: the DNS test failed, DCs have reached the tombstone lifecycle period, the secure channel between the DCs is broken, KCC errors, etc.
Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. Portquery is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open or not.
Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx
Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
For the server which has reached the tombstone lifecycle period you need to demote/promote the server. You cannot demote the faulty DC gracefully; you need to do a forceful removal. You need to run dcpromo /forceremoval and then run metadata cleanup on another (healthy) DC to remove the instance of the faulty DC from the AD database and DNS.
Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
To reset the secure channel of the server, see this: http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
It seems that there are instances of removed DCs too. If this is the case, then perform metadata cleanup.
Please check the above parameters and, once set, post the ipconfig /all details of the DCs, and the dcdiag /q and repadmin /replsum output.
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE | MCSA:Messaging | MCTS | MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Thursday, January 31, 2013 1:02 AM
The tombstone is on a child domain which will be retired. I'm not too worried about that one.
The one I'm referring to is the DC on a different site. It seems the connection is there and the tombstone life is still within limits.
Let me know if you have any ideas.
Thanks,
-
Thursday, January 31, 2013 1:30 AM
If you have a retired DC/domain, then you have to clean up the metadata. See the below links for metadata cleanup. Check the DNS app partitions (Domaindnszones and Forestdnszones) to see if there is any retired DC/domain. A retired DC/domain is causing the replication issue.
1. How can I view the directory partitions enlisted for a domain controller (DC)?
2. i) Remove References of a Failed DC/Domain Or Perform Metadata Cleanup
ii)How do I remove a nonexistent domain controller?
3. Active Directory – Remove a Domain Using NTDSUTIL
Also you can check the app partitions (Domaindnszones and Forestdnszones) from ADSIEDIT.MSC
dc=domaindnszones,dc=contoso,dc=com
DN:-CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com
dc=forestdnszones,dc=contoso,dc=com
DN:-CN=MicrosoftDNS,DC=ForestDnsZones,DC=contoso,DC=com
Also you can use the below DSQUERY for finding the Orphan DC/DCs from DNS app partitions.
C:\>dsquery * DC=DomainDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy
C:\>dsquery * DC=forestDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy
"msDs-masteredBy" is the backward link for "msDS-hasMasterNCs". Also you can check the value of "msDs-masteredBy" from adsiedit.msc
Best regards, Biswajit Biswas
- Edited by i.biswajith Thursday, January 31, 2013 11:52 AM
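
The msDs-masteredBy check from the reply above, as an added PowerShell example (not part of the thread): it reads the attribute on both DNS application partitions and flags replica entries that look stale. It assumes the ActiveDirectory module is available and uses the thread's contoso.com placeholder DNs; the function names are hypothetical, and the sample DN with `<guid>` is constructed.

```powershell
# Added example, not from the thread. Replace the contoso.com DNs with your own.
Import-Module ActiveDirectory

function Test-OrphanedReplicaLink {
    param([string]$NtdsSettingsDn)
    # A deleted object's RDN is mangled with "\0ADEL:<guid>", a name-conflict
    # object's with "\0ACNF:<guid>". Either one in msDs-masteredBy is stale.
    return ($NtdsSettingsDn -match '\\0A(DEL|CNF):')
}

function Get-DnsPartitionReplica {
    param([string[]]$PartitionDn)
    foreach ($nc in $PartitionDn) {
        # msDs-masteredBy lists the NTDS Settings object of every DC holding this partition
        $head = Get-ADObject -Identity $nc -Properties 'msDs-masteredBy'
        foreach ($ntds in $head.'msDs-masteredBy') {
            $serverDn = $ntds -replace '^CN=NTDS Settings,', ''
            $computer = $null
            if (-not (Test-OrphanedReplicaLink $ntds)) {
                try {
                    # serverReference on the server object points at the DC's computer account
                    $srv = Get-ADObject -Identity $serverDn -Properties serverReference -ErrorAction Stop
                    $computer = $srv.serverReference
                } catch {
                    # Server object missing or unreadable: leave $computer empty
                }
            }
            New-Object PSObject -Property @{
                Partition    = $nc
                NtdsSettings = $ntds
                Computer     = $computer
                # Heuristic: no live computer account behind the replica entry
                Suspect      = (-not $computer)
            }
        }
    }
}

# Classifier run on a constructed DN (not real output from any domain):
Test-OrphanedReplicaLink 'CN=NTDS Settings\0ADEL:<guid>,CN=DC02,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=contoso,DC=com'

# Live query against the two DNS application partitions named in the thread:
Get-DnsPartitionReplica 'DC=DomainDnsZones,DC=contoso,DC=com', 'DC=ForestDnsZones,DC=contoso,DC=com' |
    Format-Table Suspect, Partition, NtdsSettings, Computer -AutoSize
```

Rows with Suspect set to True are candidates for the metadata cleanup described in the linked guides; confirm each one in adsiedit.msc before removing anything.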

