Replication not working in DC and ADC

    Question

  • We have three domain controllers. Two are at the same location and one is at a different location.

    All are Windows Server 2008 R2 STD.

    • Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
    • The RPC server is unavailable.
    • This condition may be caused by a DNS lookup problem.


    Wednesday, April 12, 2017 11:27 AM

All replies

  • Run repadmin /showrepl and check how many days the problem has existed. If it is more than the tombstone lifetime (180 days if I remember), then you have to delete the server or AD with dcpromo /forceremoval and clean up server metadata from AD, else you can try to remove lingering objects:

    https://technet.microsoft.com/ru-ru/library/cc794840%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    MCSAnykey


    Wednesday, April 12, 2017 12:07 PM
  • Error shown on DC while running DCDIAG /c /e /v cmd

    

    Wednesday, April 12, 2017 12:16 PM
  • Yes, you can not replicate the AD partition because last success replication exceeded tombstone lifetime, as I said.

    You must delete the DC role with "dcpromo /forceremoval" and delete metadata from AD (check link to MS kb above) after that. After all that you can install the DC again.


    MCSAnykey


    Wednesday, April 12, 2017 12:24 PM
  • Means on additional domain controller or primary domain controller...?
    Wednesday, April 12, 2017 2:54 PM
  • show 'repadmin /showrepl' for each DC please

    MCSAnykey

    Wednesday, April 12, 2017 7:32 PM
  • 
    C:\Users\Administrator>repadmin /showrepl

    Repadmin: running command /showrepl against full DC localhost
    Default-First-Site-Name\DCSERVER
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 5016a46d-2643-4766-a0e4-38762d29458a
    DSA invocationID: 39add7ed-e3f2-40e3-982a-82fa4ce5a65e

    ==== INBOUND NEIGHBORS ======================================

    DC=garware,DC=local
        Default-First-Site-Name\WADCSERVER via RPC
            DSA object GUID: f2b899ec-aadb-42b1-803b-66eb63a41ca6
            Last attempt @ 2017-04-11 10:23:30 failed, result 1722 (0x6ba):
                The RPC server is unavailable.
            6924 consecutive failure(s).
            Last success @ 2017-02-19 12:19:47.
        Default-First-Site-Name\PDCSERVER via RPC
            DSA object GUID: ae91f11c-0213-4655-b4dd-189de0f79888
            Last attempt @ 2017-04-11 10:33:29 was successful.

    CN=Configuration,DC=garware,DC=local
        Default-First-Site-Name\PDCSERVER via RPC
            DSA object GUID: ae91f11c-0213-4655-b4dd-189de0f79888
            Last attempt @ 2017-04-11 10:23:30 was successful.
        Default-First-Site-Name\WADCSERVER via RPC
            DSA object GUID: f2b899ec-aadb-42b1-803b-66eb63a41ca6
            Last attempt @ 2017-04-11 10:23:52 failed, result 1722 (0x6ba):
                The RPC server is unavailable.
            4952 consecutive failure(s).
            Last success @ 2017-02-19 12:15:18.

    CN=Schema,CN=Configuration,DC=garware,DC=local
        Default-First-Site-Name\WADCSERVER via RPC
            DSA object GUID: f2b899ec-aadb-42b1-803b-66eb63a41ca6
            Last attempt @ 2017-04-11 10:24:13 failed, result 1722 (0x6ba):
                The RPC server is unavailable.
            4891 consecutive failure(s).
            Last success @ 2017-02-19 12:15:18.
        Default-First-Site-Name\PDCSERVER via RPC
            DSA object GUID: ae91f11c-0213-4655-b4dd-189de0f79888
            Last attempt @ 2017-04-11 10:24:13 was successful.

    DC=DomainDnsZones,DC=garware,DC=local
        Default-First-Site-Name\WADCSERVER via RPC
            DSA object GUID: f2b899ec-aadb-42b1-803b-66eb63a41ca6
            Last attempt @ 2017-04-11 10:23:30 failed, result 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
            4994 consecutive failure(s).
            Last success @ 2017-02-19 12:15:19.
        Default-First-Site-Name\PDCSERVER via RPC
            DSA object GUID: ae91f11c-0213-4655-b4dd-189de0f79888
            Last attempt @ 2017-04-11 10:30:57 was successful.

    DC=ForestDnsZones,DC=garware,DC=local
        Default-First-Site-Name\WADCSERVER via RPC
            DSA object GUID: f2b899ec-aadb-42b1-803b-66eb63a41ca6
            Last attempt @ 2017-04-11 10:23:30 failed, result 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
            4899 consecutive failure(s).
            Last success @ 2017-02-19 12:15:19.
        Default-First-Site-Name\PDCSERVER via RPC
            DSA object GUID: ae91f11c-0213-4655-b4dd-189de0f79888
            Last attempt @ 2017-04-11 10:24:13 was successful.

    Source: Default-First-Site-Name\WADCSERVER
    ******* 6924 CONSECUTIVE FAILURES since 2017-02-19 12:19:47
    Last error: 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
    Thursday, April 13, 2017 1:47 AM


  • Repadmin: running command /showrepl against full DC localhost
    Default-First-Site-Name\PDCSERVER
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: ae91f11c-0213-4655-b4dd-189de0f79888
    DSA invocationID: 21b7be2c-76ec-4a64-b186-e3d1429f195c

    ==== INBOUND NEIGHBORS ======================================

    DC=garware,DC=local
        Default-First-Site-Name\WADCSERVER via RPC
            DSA object GUID: f2b899ec-aadb-42b1-803b-66eb63a41ca6
            Last attempt @ 2017-04-11 10:50:20 failed, result 1722 (0x6ba):
                The RPC server is unavailable.
            185752 consecutive failure(s).
            Last success @ 2017-01-02 14:13:57.
        Default-First-Site-Name\DCSERVER via RPC
            DSA object GUID: 5016a46d-2643-4766-a0e4-38762d29458a
            Last attempt @ 2017-04-11 10:52:57 failed, result 8606 (0x219e):
                Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
            244996 consecutive failure(s).
            Last success @ 2017-01-02 14:13:49.

    CN=Configuration,DC=garware,DC=local
        Default-First-Site-Name\WADCSERVER via RPC
            DSA object GUID: f2b899ec-aadb-42b1-803b-66eb63a41ca6
            Last attempt @ 2017-04-11 10:50:47 failed, result 1722 (0x6ba):
                The RPC server is unavailable.
            4908 consecutive failure(s).
            Last success @ 2017-02-19 12:17:55.
        Default-First-Site-Name\DCSERVER via RPC
            DSA object GUID: 5016a46d-2643-4766-a0e4-38762d29458a
            Last attempt @ 2017-04-11 10:52:19 was successful.

    CN=Schema,CN=Configuration,DC=garware,DC=local
        Default-First-Site-Name\WADCSERVER via RPC
            DSA object GUID: f2b899ec-aadb-42b1-803b-66eb63a41ca6
            Last attempt @ 2017-04-11 10:51:14 failed, result 1722 (0x6ba):
                The RPC server is unavailable.
            4892 consecutive failure(s).
            Last success @ 2017-02-19 12:17:55.
        Default-First-Site-Name\DCSERVER via RPC
            DSA object GUID: 5016a46d-2643-4766-a0e4-38762d29458a
            Last attempt @ 2017-04-11 10:51:25 was successful.

    DC=DomainDnsZones,DC=garware,DC=local
        Default-First-Site-Name\WADCSERVER via RPC
            DSA object GUID: f2b899ec-aadb-42b1-803b-66eb63a41ca6
            Last attempt @ 2017-04-11 10:50:20 failed, result 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
            142008 consecutive failure(s).
            Last success @ 2014-12-09 18:17:51.
        Default-First-Site-Name\DCSERVER via RPC
            DSA object GUID: 5016a46d-2643-4766-a0e4-38762d29458a
            Last attempt @ 2017-04-11 10:51:15 failed, result 8614 (0x21a6):
                The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
            134502 consecutive failure(s).
            Last success @ 2014-12-09 18:17:51.

    DC=ForestDnsZones,DC=garware,DC=local
        Default-First-Site-Name\WADCSERVER via RPC
            DSA object GUID: f2b899ec-aadb-42b1-803b-66eb63a41ca6
            Last attempt @ 2017-04-11 10:50:20 failed, result 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
            4893 consecutive failure(s).
            Last success @ 2017-02-19 12:18:27.
        Default-First-Site-Name\DCSERVER via RPC
            DSA object GUID: 5016a46d-2643-4766-a0e4-38762d29458a
            Last attempt @ 2017-04-11 10:51:15 was successful.

    Source: Default-First-Site-Name\WADCSERVER
    ******* 185751 CONSECUTIVE FAILURES since 2017-02-19 12:18:27
    Last error: 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.

    Source: Default-First-Site-Name\DCSERVER
    ******* 244970 CONSECUTIVE FAILURES since 2017-01-02 14:13:49
    Last error: 8606 (0x219e):
                Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.


    Thursday, April 13, 2017 1:47 AM
  • Hello, I think it's time for you to do a restore. On the server with the most recent AD, select authoritative restore and on the other DCs select non-authoritative restore.

    https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-for-dfsr-replicated-sysvol-like-d4-d2-for-frs

    Also, as for the remote DC, make sure that you have a fast, stable VPN connection, otherwise packet loss will put you back here again. If your connection is not reliable and fast, you should change Kerberos to use TCP instead of the default UDP.

    https://www.falconitservices.com/support/KB/Lists/Posts/Post.aspx?ID=31

    Below says it all, making a case for D2/D4 restore.

    "The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

            134502 consecutive failure(s).

            Last success @ 2014-12-09 18:17:51."


    Miguel Fra
    Falcon IT Services
    https://www.falconitservices.com

     



    • Edited by Miguel Fra Thursday, April 13, 2017 4:20 AM
    Thursday, April 13, 2017 3:05 AM
  • > Yes, you can not replicate the AD partition because last success replication exceeded tombstone lifetime, as I said.
    >
    > You must delete the DC role with "dcpromo /forceremoval" and delete metadata from AD (check link to MS kb above) after that. After all that you can install the DC again.
    >
    > MCSAnykey



    Or you could do a D2/D4 restore.

    Miguel Fra
    Falcon IT Services
    https://www.falconitservices.com

     

    Thursday, April 13, 2017 3:07 AM
  • Can I do like this?

    • I will create new server join as ADC in same domain..
    • And successful creating ADC.
    • I will transfer FSMO role to new ADC.
    • and remove Primary DC  from network..
    • And check with replication...

    Is this a right way?

    Thursday, April 13, 2017 4:52 AM
  • The easiest and best way is to do an authoritative restore on the most updated DC and a non-authoritative restore on all the others.

    https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-for-dfsr-replicated-sysvol-like-d4-d2-for-frs

    You will get all 3 DC running and synching AD in one swoop.


    Miguel Fra
    Falcon IT Services
    https://www.falconitservices.com

     


    • Edited by Miguel Fra Thursday, April 13, 2017 4:57 AM
    Thursday, April 13, 2017 4:56 AM
  • D2/D4 restore is about NTFRS replication, not AD!

    First of all, you must repair AD replication, after that it will be ntfrs time, not now, because you have to demote and promote again your DCs (and NTFRS will be done from scratch).

    • WADCSERVER - it can replicate data from partners, but it is not available (maybe it is a network problem) from DCSERVER and PDCSERVER and time from last success replication exceeded tombstone lifetime. You must delete DC role from WADCSERVER (dcpromo /forceremoval or just delete VM) and clean its metadata from AD.
    • DCSERVER has replication issues, exceeded tombstone lifetime too - you have to do same actions with it as WADCSERVER
    • PDCSERVER - it's good.

    So, you have to force removing WADC and DC, after deleting metadata you can promote them again. And you do not have to worry about NTFRS replication (and doing d2/d4 restore) because you will have one working domain controller, from which others can pull working data.

    Also you must check which dc has fsmo roles with netdom /query /fsmo and if it is not PDCSERVER then you have to seize roles.


    MCSAnykey


    Thursday, April 13, 2017 7:19 AM
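
The comparison used in the replies above (each inbound link's last success against the tombstone lifetime), as an added example that is not part of any post in this thread. The function name `Get-StaleReplLink` and the `-TombstoneDays` default of 180 (the figure quoted in the thread) are assumptions; the sample lines are abridged from the PDCSERVER output posted above.

```powershell
# Added example (not from the thread). Written to run on PowerShell 2.0 (2008 R2).
function Get-StaleReplLink {
    param(
        [string[]]$Lines,
        # Assumption: 180 days, the figure quoted in the thread. The forest's
        # real value is the tombstoneLifetime attribute on CN=Directory Service,
        # CN=Windows NT,CN=Services,CN=Configuration,<forest root DN>.
        [int]$TombstoneDays = 180
    )
    $inv  = [Globalization.CultureInfo]::InvariantCulture
    $fmt  = 'yyyy-MM-dd HH:mm:ss'
    $time = '(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)'
    $nc = $null; $src = $null; $attempt = $null; $code = 0
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^(DC|CN)=\S+$') {
            $nc = $t                                  # naming context header
        } elseif ($t -match '^(\S+\\\S+) via RPC$') {
            $src = $matches[1]; $attempt = $null      # new inbound neighbor
        } elseif ($t -match "^Last attempt @ $time failed, result (\d+)") {
            $attempt = [datetime]::ParseExact($matches[1], $fmt, $inv)
            $code = [int]$matches[2]
        } elseif ($attempt -and $t -match "^Last success @ $time") {
            # Only failed links carry a "Last success" line in this output.
            $age = $attempt - [datetime]::ParseExact($matches[1], $fmt, $inv)
            New-Object PSObject -Property @{
                Source = $src; NamingContext = $nc; Result = $code
                AgeDays = [int][math]::Floor($age.TotalDays)
                PastTombstone = ($age.TotalDays -gt $TombstoneDays)
            }
        }
    }
}

# Sample input: abridged from the PDCSERVER output posted in the thread.
$sample = @'
DC=garware,DC=local
    Default-First-Site-Name\DCSERVER via RPC
        Last attempt @ 2017-04-11 10:52:57 failed, result 8606 (0x219e):
        Last success @ 2017-01-02 14:13:49.
CN=Configuration,DC=garware,DC=local
    Default-First-Site-Name\DCSERVER via RPC
        Last attempt @ 2017-04-11 10:52:19 was successful.
DC=DomainDnsZones,DC=garware,DC=local
    Default-First-Site-Name\DCSERVER via RPC
        Last attempt @ 2017-04-11 10:51:15 failed, result 8614 (0x21a6):
        Last success @ 2014-12-09 18:17:51.
'@ -split "`r?`n"

Get-StaleReplLink -Lines $sample |
    Select-Object Source, NamingContext, Result, AgeDays, PastTombstone |
    Format-Table -AutoSize
```

On a domain controller the same function can take live output with `Get-StaleReplLink -Lines (repadmin /showrepl)`, with `-TombstoneDays` set to the value read from the forest.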
  • > D2/D4 restore is about NTFRS replication, not AD!
    >
    > First of all, you must repair AD replication, after that it will be ntfrs time...


    Mr. MCSAnykey,

    The link I sent is for DFSR restore, which is equivalent to a D2/D4 since I noticed Santosh is on 2008R2. It does apply to this case because an authoritative restore on the most current DC and a non-authoritative restore on the rest will get his AD database replicating once again.

    https://technet.microsoft.com/en-us/library/dd640019(v=ws.10).aspx


    Miguel Fra
    Falcon IT Services
    https://www.falconitservices.com

     




    • Edited by Miguel Fra Thursday, April 13, 2017 12:19 PM
    Thursday, April 13, 2017 12:17 PM
  • > The link I sent is for DFSR restore, [...] will get his AD database replicating once again.
     
    Maybe it would be best if you do not participate in this thread further... You are talking about Sysvol replication, and this is totally apart from AD replication. No, DFSR D2/D4 will NOT help in repairing AD replication...
     
    Thanks for your understanding.
     

    Thursday, April 13, 2017 12:31 PM
  • >>The link I sent is for DFSR restore, which is equivalent to a D2/D4 since I noticed Santosh is on 2008R2

    But again, there are "outdated" domain controllers, which must be deleted from AD first because there're AD replication problems, not DFSR. And if after that there will be any errors with Sysvol replication, then it can be repaired with your link.


    MCSAnykey

    Thursday, April 13, 2017 12:37 PM
  • My apologies to the thread members.

    Miguel Fra
    Falcon IT Services
    https://www.falconitservices.com

     



    • Edited by Miguel Fra Thursday, April 13, 2017 5:22 PM
    Thursday, April 13, 2017 5:21 PM
  • > Can I do like this?
    >
    > • I will create new server join as ADC in same domain..
    > • And successful creating ADC.
    > • I will transfer FSMO role to new ADC.
    > • and remove Primary DC  from network..
    > • And check with replication...
    >
    > Is this a right way?


    1. delete outdated dc to bring the AD condition back to normal, and transfer fsmo roles,
    2. install ADC.

    MCSAnykey

    Thursday, April 13, 2017 5:47 PM
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy



    Tuesday, April 18, 2017 2:44 PM
    Moderator
  • Hi Wendy,

    Not solved..

    I did the following activity:-

    Changed tombstone days:-

    On DC, from Sites and Services, tried to replicate from ADCserver ..

    It replicates, but when I did the same activity on ADCserver, trying to replicate from DC, it's not replicating...

    Also I observed some CNF OUs created on DC..

    Regards,

    Santosh



    • Edited by SantoshW Wednesday, April 19, 2017 7:26 AM
    Wednesday, April 19, 2017 5:01 AM
  • Did you delete outdated dc and its metadata from AD?

    MCSAnykey

    Wednesday, April 19, 2017 9:46 AM
  • Currently I have shut down that server and created a new ADC.

    It is replicated on the new server but I face a new issue.

    Can't get access to the netlogon and sysvol folders which are on DC. Group policy is not working fine.

    Recently the RDP port of that DC was changed. Does that affect access to that folder?

    Regards,

    Santosh

    Friday, April 21, 2017 6:50 AM
  • 1. (Again) delete server from AD, you will have different problems while it exists. When you delete dc from AD, the problem may be solved.
    2. Check, how sysvol is replicated (via ntfrs or dfsr) and do auth restore on dc which have published sysvol and non-auth restore on 'problem' dc (and copy files from sysvol somewhere for safety):
    - for dfsr https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-for-dfsr-replicated-sysvol-like-d4-d2-for-frs
    - for frs https://support.microsoft.com/en-us/help/315457/how-to-rebuild-the-sysvol-tree-and-its-content-in-a-domain

    MCSAnykey



    Friday, April 21, 2017 7:11 AM
  • That DC has the FSMO role and DHCP server also..
    Saturday, April 22, 2017 3:14 AM
  • You can transfer or seize fsmo roles (if it cannot be transferred). You can migrate dhcp to another server or don't do anything with it (just remove dc role and add to domain back, if needed).
    Honestly, I don't understand what do you want:) you got answer, how to delete dc with its metadata from AD, you got answer how to restore sysvol, what do you want else?:)

    MCSAnykey


    Saturday, April 22, 2017 4:41 AM