Problem in AD and DNS

    Question

  • We are having AD replication and DNS issues and have been trying to troubleshoot, but we have around 13 DCs and some are showing lingering objects.

    Tried removing them, but every now and then the issue re-appears.

    Problem is that our DCs are scattered over different physical locations and our Network Team had done restrictions, which caused some DC replication issues.

    Recently upgraded to Windows 2012 and moved the FSMO roles to another DC.

    Problem is that on some DCs one of the FSMO roles is showing as owned by a server which is not there, and shows the below error with event ID 2091:

    Ownership of the following FSMO role is set to a server which is deleted or does not exist. 

     I tried to use ntdsutil, but no luck; that server is actually not there, but it shows up only on some.

    Need help.


    mdimthyas

    Monday, January 16, 2017 8:23 AM

Answers

  • Hi

     First seize the FSMO roles to a healthy DC;

    seize FSMO roles: https://support.microsoft.com/en-us/help/255504/using-ntdsutil.exe-to-transfer-or-seize-fsmo-roles-to-a-domain-controller

    Then you should remove lingering objects from this DC;

    https://blogs.technet.microsoft.com/askds/2014/09/15/remove-lingering-objects-that-cause-ad-replication-error-8606-and-friends/

    If the issue still persists, just demote this DC, then do a metadata cleanup;

    metadata cleanup: https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by mdimthyas Wednesday, March 15, 2017 7:25 AM
    Thursday, January 19, 2017 7:05 AM
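The three steps of the accepted answer, scripted as an added example (this is not code from the answer above or from the linked Microsoft articles). It assumes hypothetical names: DC01.contoso.lan is the healthy DC that takes the roles and is used as the clean reference, and OLD-DC is the decommissioned DC that still shows up as a role owner. It uses the ActiveDirectory module plus repadmin and ntdsutil, which exist on every 2008+ DC.

```powershell
# Added example (not from the post above). Hypothetical names: DC01.contoso.lan
# is the healthy DC, OLD-DC the DC that no longer exists. Run elevated on a DC.
Import-Module ActiveDirectory

$TargetDC = 'DC01.contoso.lan'
$OldDC    = 'OLD-DC'

# --- 1. Seize the FSMO roles onto the healthy DC --------------------------
# -Force turns a transfer into a seizure when the current owner cannot be
# contacted. Seize only if the old owner is gone for good: a seized RID master
# or schema master that comes back online later causes duplicate RIDs and
# conflicting schema changes.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# The owners should now all resolve to a live DC.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# --- 2. Find (and then remove) lingering objects --------------------------
# repadmin /removelingeringobjects compares a destination DC against a reference
# DC that is known to be clean, one naming context at a time. It wants the
# reference DC's DSA GUID, i.e. the objectGUID of its NTDS Settings object.
$RefDC      = $TargetDC
$RefDsaGuid = (Get-ADObject -Identity (Get-ADDomainController -Identity $RefDC).NTDSSettingsObjectDN).ObjectGUID
$Partitions = (Get-ADRootDSE -Server $RefDC).namingContexts
$OtherDCs   = Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $RefDC }

foreach ($dc in $OtherDCs) {
    foreach ($nc in $Partitions) {
        # /advisory_mode only logs what would be deleted to the Directory Service
        # event log on the destination DC. Re-run without it to actually delete.
        & repadmin /removelingeringobjects $dc.HostName $RefDsaGuid $nc /advisory_mode
    }
}

# --- 3. Metadata cleanup for the DC that no longer exists -----------------
# Needed when the box cannot be demoted because it is already gone. Removing
# the server object also removes its NTDS Settings and connection objects,
# which is what the remaining DCs still reference in event 2091.
$configNC = (Get-ADRootDSE).configurationNamingContext
$serverDN = (Get-ADObject -SearchBase $configNC -LDAPFilter "(&(objectClass=server)(cn=$OldDC))").DistinguishedName
if ($serverDN) {
    & ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit
}

# --- Verify ---------------------------------------------------------------
& repadmin /replsummary
& repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Status'
```

Run step 2 in advisory mode first and read the event log on each destination DC before deleting anything; a reference DC that itself holds lingering objects would simply propagate them. Step 3 should only be run after the roles have been seized away from OLD-DC, otherwise the role references are left pointing at a deleted object.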

All replies

  • Hi

     You can set it from ADSIedit; also check the article with the script:

    https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, January 16, 2017 8:39 AM
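An added example of the check behind this reply (not code from the reply or from the linked article): it reads the fSMORoleOwner attribute of every object that carries one, including the DomainDnsZones and ForestDnsZones infrastructure masters that ADSIedit is used to fix and that Get-ADDomain never shows, and verifies that each owner is an existing, non-conflict NTDS Settings object. The repair branch writes the attribute the same way ADSIedit would, but only for the application-partition roles; the five well-known roles are assumed to be moved with ntdsutil or Move-ADDirectoryServerOperationMasterRole instead. $Repair and the DC name DC01 are assumptions.

```powershell
# Added example (not from the reply above). Audits every fSMORoleOwner in the
# forest partitions this DC holds and optionally repairs the application
# partition ones. $NewOwnerDC is a hypothetical name.
Import-Module ActiveDirectory

$Repair     = $false
$NewOwnerDC = 'DC01'

$root     = Get-ADRootDSE
$domainNC = $root.defaultNamingContext
$configNC = $root.configurationNamingContext
$schemaNC = $root.schemaNamingContext

# The five well-known roles and the object each one is stored on.
$roleObjects = @(
    @{ Role = 'Schema master';         DN = $schemaNC;                                     WellKnown = $true }
    @{ Role = 'Domain naming master';  DN = "CN=Partitions,$configNC";                     WellKnown = $true }
    @{ Role = 'PDC emulator';          DN = $domainNC;                                     WellKnown = $true }
    @{ Role = 'RID master';            DN = 'CN=RID Manager$,CN=System,' + $domainNC;      WellKnown = $true }
    @{ Role = 'Infrastructure master'; DN = "CN=Infrastructure,$domainNC";                 WellKnown = $true }
)
# Every application partition (DomainDnsZones, ForestDnsZones, ...) has its own
# infrastructure master under CN=Infrastructure,<partition>. Event 2091 is
# logged for these too, and this is the attribute the linked article fixes.
foreach ($nc in $root.namingContexts) {
    if ($nc -notin @($domainNC, $configNC, $schemaNC)) {
        $roleObjects += @{ Role = "Infrastructure master of $nc"; DN = "CN=Infrastructure,$nc"; WellKnown = $false }
    }
}

# All NTDS Settings (nTDSDSA) objects that currently exist, keyed by DN.
# "CN=NTDS Settings\0ACNF:<guid>" is a conflict object, created when two DCs
# wrote the same name while they could not replicate with each other;
# "\0ADEL:<guid>" means the owner points at a deleted object.
$liveDsa = @{}
Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=nTDSDSA)' |
    ForEach-Object { $liveDsa[$_.DistinguishedName] = $_ }

$newOwnerDsaDN = (Get-ADDomainController -Identity $NewOwnerDC).NTDSSettingsObjectDN

$report = foreach ($r in $roleObjects) {
    $owner = (Get-ADObject -Identity $r.DN -Properties fSMORoleOwner).fSMORoleOwner
    $state = if (-not $owner)                          { 'EMPTY' }
             elseif ($owner -like '*0ADEL:*')          { 'DELETED' }
             elseif ($owner -like '*0ACNF:*')          { 'CONFLICT' }
             elseif (-not $liveDsa.ContainsKey($owner)) { 'MISSING' }
             else                                      { 'OK' }
    # The DSA's parent RDN is the server object: CN=NTDS Settings,CN=<server>,...
    $server = if ($owner) { ($owner -split ',')[1] -replace '^CN=' } else { '' }

    if ($Repair -and $state -ne 'OK' -and -not $r.WellKnown) {
        # Same edit ADSIedit performs; well-known roles are deliberately skipped.
        Set-ADObject -Identity $r.DN -Replace @{ fSMORoleOwner = $newOwnerDsaDN }
    }
    [pscustomobject]@{ Role = $r.Role; Server = $server; State = $state; Owner = $owner }
}
$report | Format-Table Role, Server, State -AutoSize
```

Run it against more than one DC (Get-ADRootDSE and Get-ADObject both accept -Server) when only some DCs log 2091: a role owner that reads OK on one DC and DELETED or CONFLICT on another means the Configuration partition itself is not converged, and the attribute write will not help until replication between those DCs works.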
  • Hello,

    In case of a persistent replication problem on some DCs, you may want to try performing a non-authoritative restore on them: https://technet.microsoft.com/ru-ru/library/cc816627%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    This resyncs the AD database from other controllers (you may also want to make sure that you sync from healthy DCs and not other faulty ones).

    /Regards

    Monday, January 16, 2017 8:44 AM
  • It seems that your servers are still unable to replicate properly. Your network team needs to make sure that the AD ports used for replication are opened in both directions between your DCs. In addition, you may want to check the IP settings in use and refer to my recommendation here: http://www.ahmedmalek.com/web/fr/articles.asp?artid=23

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    Tuesday, January 17, 2017 1:20 AM
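A port check to hand to the network team, as an added example (not code from the reply above). It tests, from the DC it runs on, the fixed TCP ports AD replication and authentication depend on against every other DC, and then does a real DRS bind with repadmin, because replication itself uses a dynamic RPC port that cannot be checked port by port. It uses a raw TcpClient rather than Test-NetConnection so it also runs on Windows Server 2012 (not R2). Run it on each DC, since the reply's point is that both directions must be open.

```powershell
# Added example (not from the post above). Run on every DC in turn.
Import-Module ActiveDirectory

# Fixed TCP ports DCs need between each other. The DRS replication RPC
# interface itself listens on a dynamic port (49152-65535 on 2008+), tested
# below with repadmin /bind instead.
$ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, Netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over TLS'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $iar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $iar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($iar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$me    = $env:COMPUTERNAME
$peers = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $me }

$results = foreach ($dc in $peers) {
    foreach ($p in $ports.GetEnumerator()) {
        [pscustomobject]@{
            Peer    = $dc.HostName
            Port    = $p.Key
            Service = $p.Value
            Open    = Test-TcpPort -ComputerName $dc.HostName -Port $p.Key
        }
    }
    # End-to-end test of endpoint mapper plus the dynamic DRS port: repadmin
    # returns a non-zero exit code when the bind fails.
    $null = & repadmin /bind $dc.HostName 2>&1
    [pscustomobject]@{
        Peer    = $dc.HostName
        Port    = 'dynamic'
        Service = 'DRS bind (repadmin /bind)'
        Open    = ($LASTEXITCODE -eq 0)
    }
}

# Only the failures are interesting; an empty table means this DC can reach all others.
$results | Where-Object { -not $_.Open } | Format-Table Peer, Port, Service -AutoSize
```

The TCP checks say nothing about UDP (DNS, Kerberos and NTP also use UDP 53, 88 and 123), so a clean table here plus a failing repadmin /bind still points at the firewall, while a failing bind with all fixed ports open usually means the dynamic RPC range is blocked.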
  • First check replication of all the DCs and correct the issue; if a DC has not replicated for more than the tombstone lifetime, then do the metadata cleanup (MDC) to remove the DC object from AD

    http://www.windowstricks.in/2010/03/health-check-active-directory.html

    Remove the lingering objects from all the DCs by running the command on all the DCs, pointing to the PDC, to remove all the lingering objects 

    http://www.windowstricks.in/2009/07/removing-lingering-objects.html


    Regards www.windowstricks.in

    Tuesday, January 17, 2017 5:00 AM
  • I was trying the steps and removed some of the lingering objects and I am seeing the below. This is showing on the DC which is holding the FSMO roles. The GUID it is referring to is of the old server, because the new server GUID is different.

    The attempt to establish a replication link for the following writable directory partition failed. 

    Directory partition: 
    CN=Configuration,DC=XXXX,DC=LAN 
    Source directory service: 
    CN=NTDS Settings\0ACNF:873a0919-3b1f-4560-91ab-3dd3fc8ba661,CN=XXXX-DC,CN=Servers,CN=XXXXX-XXXX,CN=Sites,CN=Configuration,DC=XXXX,DC=LAN 
    Source directory service address: 
    873a0919-3b1f-4560-91ab-3dd3fc8ba661._msdcs.XXXX.LAN 
    Intersite transport (if any): 


    This directory service will be unable to replicate with the source directory service until this problem is corrected. 

    User Action 
    Verify if the source directory service is accessible or network connectivity is available. 

    Additional Data 
    Error value: 
    8259 A referral loop was detected by the client.

    Not sure where it's pulling that information from, and also when I check the FSMO owner in ADSIedit, it's showing correctly on some.


    mdimthyas

    Wednesday, January 18, 2017 12:50 PM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, January 22, 2017 12:48 PM
    Moderator
  • Sorry for the delay.

    We had to demote all the DCs and kept only a couple of them in headquarters.

    Now, we are planning to install in local offices.

    This helped us in getting rid of the replication and other issues.


    mdimthyas

    Wednesday, March 15, 2017 8:02 AM