Active Directory Replication Error

  • Question

  • While installing an Additional Domain Controller for an Existing Domain Controller

    I have received this error message -

    Active Directory Domain Services Installation Wizard Window -

    The Operation failed because:

    Active Directory Domain Services Could not replicate the directory partition CN= ........... 

    from the remote Active Directory Domain Controller DC. .......COM

    " The Source server is currently rejecting replication request"

    Monday, October 8, 2012 5:26 PM

Answers

  • While installing an Additional Domain Controller for an Existing Domain Controller

    I have received this error message -

    Active Directory Domain Services Installation Wizard Window -

    The Operation failed because:

    Active Directory Domain Services Could not replicate the directory partition CN= ........... 

    from the remote Active Directory Domain Controller DC. .......COM

    " The Source server is currently rejecting replication request"

    Usually, this occurs when:

    • A USN rollback occurs: http://support.microsoft.com/kb/875495
    • The disk is full and here additional information can not be replicated

    More details in the article posted by Nabil.

    If this is a USN rollback issue then you have to demote the DC and promote it again.

    Anyway, you have to track events in Event Viewer.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • Edited by Mr XMVP Monday, October 8, 2012 5:48 PM
    • Proposed as answer by Cicely Feng Tuesday, October 9, 2012 5:57 AM
    • Marked as answer by Cicely Feng Monday, October 15, 2012 7:42 AM
    Monday, October 8, 2012 5:46 PM
  • Dinesh,

    Did you ever use an image restore to restore an image of the DC, such as with Ghost, Acronis, Hyper-V, VMware, etc.? If so, this can cause this and is not supported. If there is more than one DC, the best bet is to simply force-demote this machine and re-promote it.

    Another thing that can cause this is if replication has not been working beyond the AD tombstone value, or you've shut the DC down for beyond the tombstone value, and attempted to bring it up. What's your tombstone value?

    The Tombstone Lifetime depends on the OS version used when the domain/forest was first created:

    - Windows 2000 with all SPs = 60 Days
    - Windows Server 2003 without SP = 60 Days
    - Windows Server 2003 SP1 = 180 Days
    - Windows Server 2003 R2 SP1, installed with both R2 disks = 60 Days
    - Windows Server 2003 R2 SP1, installed with the 1st R2 disk = 180 Days
    - Windows Server 2003 SP2 = 180 Days
    - Windows Server 2003 R2 SP2 = 180 Days
    - Windows Server 2008 = 180 Days
    - Windows Server 2008 R2 = 180 Days
    - Windows Server 2012 = 180 Days

    Check with:
    Dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Domainname" -attr tombstoneLifetime

    or adsiedit.msc:
    CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Domainname


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Cicely Feng Tuesday, October 9, 2012 6:12 AM
    • Marked as answer by Cicely Feng Monday, October 15, 2012 7:42 AM
    Monday, October 8, 2012 7:06 PM
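
The tombstone check from the reply above, carried one step further as an added example (not code from the thread): it reads tombstoneLifetime and then lists replication links whose last success is older than that value. It assumes a domain-joined host with repadmin available and relies on the column names of `repadmin /showrepl * /csv`.

```powershell
# Added example: assumes a domain-joined host with repadmin on the PATH.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

# tombstoneLifetime is in days; when it is not set the 60-day default applies.
$tslDays = $dsObject.Properties['tombstoneLifetime'].Value
if ($null -eq $tslDays) { $tslDays = 60 }
$cutoff = (Get-Date).AddDays(-[int]$tslDays)

# One CSV row per inbound replication link, for every DC repadmin can reach.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv

# Flag links that last succeeded before the cutoff. Rows with no parseable
# success time (never replicated, or an error row) are flagged for review too.
$stale = foreach ($link in $links) {
    $lastOk = [datetime]::MinValue
    $parsed = [datetime]::TryParse($link.'Last Success Time', [ref]$lastOk)
    if (-not $parsed -or $lastOk -lt $cutoff) {
        [pscustomobject]@{
            Destination   = $link.'Destination DSA'
            Source        = $link.'Source DSA'
            NamingContext = $link.'Naming Context'
            LastSuccess   = $link.'Last Success Time'
            Failures      = $link.'Number of Failures'
        }
    }
}

"Tombstone lifetime: $tslDays days (cutoff $($cutoff.ToString('u')))"
$stale | Format-Table -AutoSize
```
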
  • Hi,

    Have you used the repadmin /options * command to check whether replication on the DC has been disabled?
    http://support.microsoft.com/kb/321153

    The rejecting replication error generally occurs when the AD database has been out of sync for a long time, when lingering objects are present, or when the DC has been restored from cloning/imaging/snapshots.

    You can check Windows Event Viewer to dig into the cause of the issue, or you can simply demote and promote the domain controller again to resolve the problem.

    Below are useful links:
    Troubleshooting Active Directory Replication Problems
    http://technet.microsoft.com/en-us/library/bb727057.aspx
    The source server is currently rejecting replication requests
    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/a15c1cc7-163d-48cf-b7f8-3969d28942d3
    Active Directory Replication Error
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/2e2e5d6e-1447-4984-bd9b-aac40fcf727c

    Regards,
    Cicely

    • Marked as answer by Cicely Feng Monday, October 15, 2012 7:42 AM
    Tuesday, October 9, 2012 6:11 AM
  • While installing an Additional Domain Controller for an Existing Domain Controller

    I have received this error message -

    Active Directory Domain Services Installation Wizard Window -

    The Operation failed because:

    Active Directory Domain Services Could not replicate the directory partition CN= ........... 

    from the remote Active Directory Domain Controller DC. .......COM

    " The Source server is currently rejecting replication request"

    The other errors don't bother me much except " The Source server is currently rejecting replication request". This error normally occurs when the DC has been restored from images or clones, as suggested by others. The disabling of inbound/outbound replication on the DC and the pausing of the NETLOGON service, along with the rejection of writes to NTDS.DIT, are some of the configuration changes the OS makes in response to a USN rollback to avoid the issue spreading to the other domain.

    The second case can be manually disabling inbound/outbound replication for performing schema changes, but updating the schema this way has not been tested or recommended by Microsoft.

    http://awinish.wordpress.com/2010/12/24/netlogon-paused-issue-resolved/


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    • Edited by Awinish Tuesday, October 9, 2012 9:16 AM
    • Marked as answer by Cicely Feng Monday, October 15, 2012 7:42 AM
    Tuesday, October 9, 2012 9:15 AM
  • It seems that the server is in a USN rollback state. Configuring a DC from a clone/snapshot/image is not recommended. USN rollback occurs when an Active Directory Domain Controller is restored via a snapshot or imaging process. Microsoft considers this a non-supported method of restoring Active Directory, and it is this type of method that causes an Update Sequence Number (USN) rollback, because it results in the USN on the restored DC being lower than what the other Domain Controllers are using.

    To confirm whether the server is in USN rollback, check the parameters below.
    * Netlogon service is in a paused state.
    * Event ID 2103 will be logged, which will state that the Active Directory database has been restored using an unsupported restoration procedure.
    * DSA Not Writable key with value 4 will be created in the HKLM\System\CurrentControlSet\Services\NTDS registry path.

    If the above is true, then to fix the issue you need to demote/promote the DC. You cannot demote the faulty DC gracefully; you need to do a forceful removal. You need to run dcpromo /forceremoval and then run metadata cleanup on another (healthy) DC to remove the instance of the faulty DC from the AD database and DNS. Once done, you can promote the server back as a DC. If the faulty DC is a FSMO role holder, you need to seize the FSMO roles on another DC.

    Reference link
    Forceful removal of DC: http://support.microsoft.com/kb/332199
    Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
    Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm

    I would recommend posting the dcdiag /q, repadmin /replsum and ipconfig /all details of the DC to check the health of the DC. Please use SkyDrive to post the log.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Marked as answer by Cicely Feng Monday, October 15, 2012 7:42 AM
    Tuesday, October 9, 2012 9:42 AM
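
The checks named in the answers above (Netlogon paused, event 2103, the Dsa Not Writable value, and the replication options shown by repadmin /options), gathered into one triage script as an added example that is not code from the thread. It assumes an elevated session on the suspect DC; the registry value is read from the NTDS key named in the post and also from its Parameters subkey, which is where Microsoft KB 875495 documents it.

```powershell
# Added example: run elevated, locally on the domain controller being examined.
$findings = [ordered]@{}

# 1. Netlogon is paused when the DC has quarantined itself.
$findings.NetlogonPaused = (Get-Service -Name Netlogon).Status -eq 'Paused'

# 2. Event 2103 in the Directory Service log (unsupported restore detected).
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2103 } `
                    -MaxEvents 1 -ErrorAction SilentlyContinue
$findings.Event2103     = [bool]$evt
$findings.Event2103Time = if ($evt) { $evt.TimeCreated } else { $null }

# 3. "Dsa Not Writable" = 4. Check the key as written in the post and the
#    Parameters subkey documented in KB 875495.
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS',
        'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$values = foreach ($key in $keys) {
    $prop = Get-ItemProperty -Path $key -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue
    if ($prop) { $prop.'Dsa Not Writable' }
}
$findings.DsaNotWritable = @($values) -contains 4

# 4. Replication switched off, whether by the OS or by an administrator.
$options = (repadmin /options $env:COMPUTERNAME) -join ' '
$findings.InboundReplDisabled  = $options -match 'DISABLE_INBOUND_REPL'
$findings.OutboundReplDisabled = $options -match 'DISABLE_OUTBOUND_REPL'

# All three indicators from the post present => treat as USN rollback.
# Replication disabled without them points at a manual change instead.
$findings.Verdict =
    if ($findings.NetlogonPaused -and $findings.Event2103 -and $findings.DsaNotWritable) {
        'Matches USN rollback indicators: force removal, metadata cleanup, re-promote'
    } elseif ($findings.InboundReplDisabled -or $findings.OutboundReplDisabled) {
        'Replication disabled without rollback indicators: review who changed the options'
    } else {
        'No rollback indicators: continue with dcdiag /q and repadmin /replsum'
    }

[pscustomobject]$findings | Format-List
```
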

All replies

  • While installing an Additional Domain Controller for an Existing Domain Controller

    I have received this error message -

    Active Directory Domain Services Installation Wizard Window -

    The Operation failed because:

    Active Directory Domain Services Could not replicate the directory partition CN= ........... 

    from the remote Active Directory Domain Controller DC. .......COM

    " The Source server is currently rejecting replication request"

    Monday, October 8, 2012 5:25 PM
  • Event ID 8456 or 8457

    If so try with this KB http://support.microsoft.com/kb/2023007


    Thanks, Nabil BEN SLAMA

    Monday, October 8, 2012 5:28 PM
  • This sounds like your source server is having issues.  I would suggest you run diagnostics to track down the reason why the DC is in error.
    http://blogs.dirteam.com/blogs/paulbergson/archive/2009/01/26/troubleshooting-active-directory-issues.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, October 8, 2012 5:45 PM