Active Directory Replication Error

    Question

  • I'm having a strange problem with AD replication.  I have two DCs both running server 2008 R2.  I'm getting the following error when I attempt to manually replicate them using sites and services:

    The following error occured during the attempt to synchronize naming context domain.local from domain controller DC1 to domain controller DC2.  The source server is currently rejecting replication requests.  The operation will not continue.

    I get the same error trying to replicate on either machine.  In addition the event log also has this error:

    This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. 
    Operations which require contacting a FSMO operation master will fail until this condition is corrected.
    FSMO Role: DC=cunj,DC=local
    User Action:
    1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
    2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
    3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

    When I run repadmin /showrepl I get:

    Repadmin: running command /showrepl against full DC localhost
    Ewing\CUNJ-DC2
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: d28980dc-348a-433f-836e-aadd67c8d028
    DSA invocationID: b19ce9c1-6c16-4cfb-b1a1-7a269728dea7

    ==== INBOUND NEIGHBORS ======================================

    DC=cunj,DC=local
        Ewing\CUNJ-DC1 via RPC
            DSA object GUID: d09c750f-3753-4751-aa65-9bf216a15e36
            Last attempt @ 2012-06-22 09:00:48 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            1141 consecutive failure(s).
            Last success @ 2012-06-13 15:28:12.

    CN=Configuration,DC=cunj,DC=local
        Ewing\CUNJ-DC1 via RPC
            DSA object GUID: d09c750f-3753-4751-aa65-9bf216a15e36
            Last attempt @ 2012-06-22 08:56:57 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            213 consecutive failure(s).
            Last success @ 2012-06-13 14:48:39.

    CN=Schema,CN=Configuration,DC=cunj,DC=local
        Ewing\CUNJ-DC1 via RPC
            DSA object GUID: d09c750f-3753-4751-aa65-9bf216a15e36
            Last attempt @ 2012-06-22 08:56:57 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            211 consecutive failure(s).
            Last success @ 2012-06-13 14:48:39.

    DC=DomainDnsZones,DC=cunj,DC=local
        Ewing\CUNJ-DC1 via RPC
            DSA object GUID: d09c750f-3753-4751-aa65-9bf216a15e36
            Last attempt @ 2012-06-22 08:56:57 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            211 consecutive failure(s).
            Last success @ 2012-06-13 14:48:39.

    DC=ForestDnsZones,DC=cunj,DC=local
        Ewing\CUNJ-DC1 via RPC
            DSA object GUID: d09c750f-3753-4751-aa65-9bf216a15e36
            Last attempt @ 2012-06-22 08:56:57 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            211 consecutive failure(s).
            Last success @ 2012-06-13 14:48:39.
    DsReplicaGetInfo() failed with status 8453 (0x2105):
        Replication access was denied.
    DsReplicaGetInfo() failed with status 8453 (0x2105):
        Replication access was denied.

    I checked around and saw these instructions:

    repadmin /options DC name
    You may receive an error similar to the one below; then the inbound and outbound connection objects have been disabled
    "Current DC Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL"
    If it’s disabled then run the below command to enable the inbound and outbound connection object
    repadmin /options DC Name -disable_inbound_repl
    repadmin /options DC Name -disable_outbound_repl
    If it’s been disabled automatically after some time (15 min) then it’s an issue with the Lingering Objects, you have to check the event viewer for the Event ID 1988

    When I run the command to enable replication I get yet another error:

    C:\Users\danadmin>repadmin /options cunj-dc1
    Current DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL


    C:\Users\danadmin>repadmin /options cunj-dc1 -disable_inbound_repl
    Current DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
    New DSA Options: IS_GC DISABLE_OUTBOUND_REPL
    LDAP error 50 (Insufficient Rights) Win32 Err 5.


    C:\Users\danadmin>repadmin /options cunj-dc1 -disable_outbound_repl
    Current DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
    New DSA Options: IS_GC DISABLE_INBOUND_REPL
    LDAP error 50 (Insufficient Rights) Win32 Err 5.

    The account I'm using to do this is a domain admin and schema admin with full rights.  I'm stuck at this point and unsure about what else I can try.  I'd very much appreciate any advice.


    Dan


    22 June 2012 13:19

All replies

  • There is a MS KB on it..

    Please follow it and see if it helps you to troubleshoot this issue

    http://support.microsoft.com/kb/2023007

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    22 June 2012 13:54
  • I actually reviewed that article earlier but I don't think it applies to my situation.  I don't see the same errors listed and the root causes described there also don't seem to apply here.

    Update: by starting the command prompt by running as an admin I was able to successfully execute the repadmin /options cunj-dc1 -disable_outbound_repl command.  Replication is working at the moment so I'm watching to see if it fails again after a few minutes as indicated here:

    http://www.windowstricks.in/2011/06/destination-server-is-currently.html


    Dan

    22 June 2012 14:08
  • I guess if replication is being rejected then there is a concern. You should probe first, because replication is rejected when a DC is restored from an image/clone or snapshot; the second case is if there is an issue with lingering objects or the DC has crossed the TSL period. If any of these conditions is true then it is better to get rid of the DC by demoting it either gracefully or forcefully.

    The disabling of inbound/outbound replication to the AD database is performed as security by the OS to protect the USN rollback, and allowing it will leave your domain with inconsistent results. If I were you, I would not simply enable the replication, but review the logs, understand why it happened, whether it was disabled by someone and, if yes, why, before I take a call to move forward.

    http://awinish.wordpress.com/2012/06/15/active-directory-replication-status-tool/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    22 June 2012 14:23
    Moderator
  • It was a lingering object!  I followed the directions here and was able to remove it successfully:

    http://www.windowstricks.in/2009/07/removing-lingering-objects.html

    C:\Users\danadmin>repadmin /removelingeringobjects cunj-dc1 d28980dc-348a-433f-836e-aadd67c8d028 dc=cunj;dc=local
    RemoveLingeringObjects successful on cunj-dc1.

    Do you think I should still try demoting and promoting the DC?  This is the first time I've seen a problem of this kind.


    Dan

    22 June 2012 14:37
  • I would suggest you just check the infra using the links below for lingering objects. I had problems in the past where repadmin /removelingeringobject wouldn't remove lingering objects from the partition even though it said it had removed them, and replication was blocked. I had to demote & promote, but that was a different environment.

    If things are working it's fine, but keep an eye on it and at least scan your AD infra so that there is no DC affected by lingering objects; if it spreads to other DCs then it's going to make things worse.

    Go through the references posted by me in the article below; they might help you achieve better results.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9f114f3f-e8ef-4ac6-846f-8e61d6324d9a


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    22 June 2012 15:14
    Moderator
  • I think I'm good, no replication errors after applying the fixes.  Thanks for all of the help!

    Dan

    22 June 2012 21:44
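
The checks discussed in this thread, gathered into one read-only triage script. This is an added example, not code posted by any participant. It assumes Event ID 1988 is read from the 'Directory Service' log, that the `repadmin /showrepl /csv` output has a 'Number of Failures' column, and that a 14-day look-back is enough; the default DC name is the one from the thread.

```powershell
# Added example: read-only triage before clearing DISABLE_*_REPL on a DC.
# Nothing here changes DSA options; it only reports what the thread checked by hand.
param(
    [string]$Dc = 'cunj-dc1',   # DC name taken from the thread; replace with your own
    [int]$LookBackDays = 14     # arbitrary window chosen for this example
)

# 1. In the thread, repadmin /options failed with "LDAP error 50 (Insufficient
#    Rights) Win32 Err 5" until the prompt was started elevated, so check that first.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Read the current DSA options and pick out the replication blocks.
$optionsLine = repadmin /options $Dc |
    Where-Object { $_ -match '^Current DSA Options:' } |
    Select-Object -First 1
$blocked = @('DISABLE_INBOUND_REPL', 'DISABLE_OUTBOUND_REPL' |
    Where-Object { $optionsLine -match "\b$_\b" })

# 3. Lingering-object events (Event ID 1988) on that DC. SilentlyContinue also
#    hides "no events found" and connection errors, so an empty result is not proof.
$lingering = @(Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Directory Service'; Id = 1988; StartTime = (Get-Date).AddDays(-$LookBackDays)
})

# 4. Inbound partners with consecutive failures, from the CSV form of /showrepl.
$failing = @(repadmin /showrepl $Dc /csv | ConvertFrom-Csv |
    Where-Object { $_.'Number of Failures' -and [int]$_.'Number of Failures' -gt 0 })

# 5. Summarise. Replication is only suggested for re-enabling when no
#    lingering-object events were found; otherwise investigate first.
$advice = if ($blocked.Count -eq 0) {
    'Replication is not disabled in the DSA options.'
} elseif ($lingering.Count -gt 0) {
    'Event 1988 present: find and remove lingering objects before re-enabling.'
} elseif (-not $elevated) {
    'Open an elevated prompt before changing DSA options.'
} else {
    'No Event 1988 found: review why replication was disabled, then re-enable.'
}

New-Object PSObject -Property @{
    DC = $Dc; Elevated = $elevated; BlockedOptions = ($blocked -join ', ')
    Event1988Count = $lingering.Count; FailingLinks = $failing.Count; Advice = $advice
}
```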