DC Replication problem

    Question

  • Hi everyone. I have 2 domain controllers, DC1 and DC2. They are in different cities. DC1 is the main controller; all users and computers are there. They lost connection one year ago, and during this time they did not replicate. Now that the connection is established, I cannot replicate them. In Active Directory Sites and Services, in NTDS Settings, I receive this message: "One or more of these Active Directory Services connections are between Domain Controllers in different sites. AD DS will attempt to replicate across these connections. For more information about how to verify replication, see Help and Support". I saw the last attempt for replication was yesterday, but it fails with the error "result 1726<0x6be>: the remote procedure call failed". The RPC service is working normally. Thanks for the help. I can ping DC2. I tried to connect with RDP but I receive the error: "Your Remote Desktop Services has ended. The connection to the remote computer was lost, possibly due to network connectivity problems. Try connecting to the remote computer again. If the problem continues, contact your network administrator or technical support". Is this possible because of a closed port?

    Sunday, April 30, 2017 9:11 PM


All replies

  • Hi

    They lost connection one year ago, this time they do not replicated, >>> So it would have a tombstone lifetime issue on DC2. And you can demote DC2 forcefully, perform metadata cleanup, then promote it as a DC again.

    Before that, you need to check which one is the FSMO roles holder; if DC2 is the holder, just seize the FSMO roles to DC1 first.

    Run "netdom query fsmo" to check the holder.

    Forcefully demote dc;

    https://technet.microsoft.com/en-us/library/cc731871%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Seize fsmo roles;

    https://support.microsoft.com/en-us/help/255504/using-ntdsutil.exe-to-transfer-or-seize-fsmo-roles-to-a-domain-controller

    Metadata cleanup;

    https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Bill Gatess Monday, May 1, 2017 8:48 PM
    Sunday, April 30, 2017 9:23 PM
  • DC1 is the FSMO roles holder. If I clean the metadata, if I clean the server from the sites and NTDS Settings, can I add DC2 again after this without problems?
    Sunday, April 30, 2017 9:44 PM
  • Yes, after a metadata cleanup you can add it as a DC again. Also, you should check port accessibility before promoting; you can verify with PortQryUI.

    https://www.microsoft.com/en-us/download/details.aspx?id=24009


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Bill Gatess Monday, May 1, 2017 8:48 PM
    Sunday, April 30, 2017 10:12 PM
  • But I do not know the accounts and passwords on DC2. If I add DC2 in NTDS Settings on DC1, will it work? My domain admin was created 1 month ago, but the problem was 1 year ago; DC2 does not know about my account. I checked the ports; all ports for AD are open.
    Monday, May 1, 2017 5:24 AM
  • Will it working? My domain admin created 1 month ago but problem was 1 years ago DC2 do not know >>> That's why you should forcefully demote DC2 and do metadata cleanup. You can forcefully demote DC2 from DC1 and also perform metadata cleanup on DC1.

    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Bill Gatess Monday, May 1, 2017 8:48 PM
    Monday, May 1, 2017 11:25 AM
  • Burak Uğur, if my DC2 does not have any FSMO roles and DC2 works as an additional domain controller, is metadata cleanup enough to resolve this issue?
    Monday, May 1, 2017 4:42 PM
  • Burak Uğur, if my DC2 does not have any FSMO roles and DC2 works as an additional domain controller, is metadata cleanup enough to resolve this issue?

    Not enough. You should forcefully demote DC2 first (because the DC became non-functional). Then perform metadata cleanup (because this will remove the records related to DC2). Then do a clean installation of the OS and promote it as a domain controller again.

    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Bill Gatess Monday, May 1, 2017 8:44 PM
    Monday, May 1, 2017 8:25 PM
  • How can I demote DC2?
    Monday, May 1, 2017 8:37 PM
  • OK, I will install a new domain controller.
    Monday, May 1, 2017 8:38 PM
  • I understood, thank you for the help.
    Monday, May 1, 2017 8:39 PM
  • The metadata cleanup steps will remove DC2 (if you mean that you are not able to log on to DC2).

    https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

    After that, make sure all records for DC2 are already removed from ADUC, ADSS, DFS, DNS, etc.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Bill Gatess Monday, May 1, 2017 8:48 PM
    Monday, May 1, 2017 8:44 PM
  • OK, thank you Burak Uğur
    • Marked as answer by Bill Gatess Tuesday, May 9, 2017 8:41 AM
    Monday, May 1, 2017 8:48 PM
  • Hi Burak, when I promote the DC it gives me an error. I tried a clean installation and see the error again: "Post deployment configuration failed". How can I fix this problem?
    Friday, May 5, 2017 8:20 AM
  • Hi

    First, check that the necessary ports are accessible between the DCs. Check the article for firewall configuration:

    https://msdn.microsoft.com/en-us/library/bb727063.aspx?f=255&MSPPError=-2147217396

    Then verify with PortQryUI:

    https://www.microsoft.com/en-us/download/details.aspx?id=24009

    Also, you should check the dcpromo logs to find the issue:

    https://dirteam.com/carlos/2006/10/02/dcpromo-debug/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Bill Gatess Tuesday, May 9, 2017 8:41 AM
    Friday, May 5, 2017 8:47 AM
  • Can I send you the log? I cannot find the problem.
    Friday, May 5, 2017 9:37 AM
  • I checked the ports; all ports are open.
    Friday, May 5, 2017 9:38 AM
  • dcpromoui A64.48C 00C8 12:06:36.771           DsGetDcNameW(lo, 0x40040050) failed, err=1355

    dcpromoui A64.2C8 0661 12:08:23.869           DsGetDcNameW(lo, 0x40040050) failed, err=1355

    dcpromoui A64.808 1D2F 12:21:56.952       Enter FailedFunct

    dcpromoui A64.808 1D3C 12:21:56.952       Enter State::GetHadNonCriticalFailures

    dcpromoui A64.808 1D3D 12:21:56.952         bHadNonCriticalFailures = false

    These are all the failures.

    Friday, May 5, 2017 9:47 AM
  • Can I send you the log? I cannot find the problem.

    Please upload the dcpromo logs and the "ipconfig /all" results from both DCs to OneDrive, then I will check them.

    https://onedrive.live.com/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Friday, May 5, 2017 9:48 AM
  • 10.126.20.20

    10.128.14.20

    All the DCs' DNS resolves from IPv6:

    dns:::1

    But they need to resolve from IPv4, so you should modify the provider order to resolve from IPv4. Check the article:

    https://technet.microsoft.com/en-us/library/cc732472%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    If you can't modify it, disable IPv6 on both. (But as you know, disabling IPv4 is not recommended by MS, so you should disable it for a while.)

    Then run "ipconfig /flushdns", "ipconfig /registerdns" and check that the DNS records update correctly.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur


    • Edited by Burak Uğur Friday, May 5, 2017 10:30 AM
    • Marked as answer by Bill Gatess Tuesday, May 9, 2017 8:41 AM
    Friday, May 5, 2017 10:29 AM
  • Friday, May 5, 2017 11:36 AM
  • I disabled IPv6
    Friday, May 5, 2017 11:37 AM
  • I think it is also related to IPv6. If possible, demote the DC and do the metadata cleanup again; also check in ADUC, DNS, DFS, etc. that no related records exist in the domain, and if there are any, just remove them. Then promote it again as a DC.

    But before the process, make sure both DCs resolve from IPv4.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Bill Gatess Tuesday, May 9, 2017 8:41 AM
    Friday, May 5, 2017 2:18 PM
  • Hi Burak Uğur, the installation passed successfully but I do not have permission to Administrative Templates and Server Manager.
    Saturday, May 6, 2017 7:30 AM
  • All domain admins have only user permissions on this server.
    Saturday, May 6, 2017 7:42 AM
  • Burak, is it important to replicate from a server which has all FSMO roles? DC1 does not have two roles: schema master and domain naming master.
    Sunday, May 7, 2017 5:30 PM
  • Burak, is it important to replicate from a server which has all FSMO roles? DC1 does not have two roles: schema master and domain naming master.

    You must seize the FSMO roles to DC1 (the healthy DC; all 5 FSMO roles should be available). Check the article for seizing roles:

    https://support.microsoft.com/en-us/help/255504/using-ntdsutil.exe-to-transfer-or-seize-fsmo-roles-to-a-domain-controller

    Then check the other DC again. Also, if the issue persists, you should configure the server OS with a different image, fully patch it, then promote it as a DC again.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur


    • Edited by Burak Uğur Sunday, May 7, 2017 6:52 PM
    • Marked as answer by Bill Gatess Tuesday, May 9, 2017 8:41 AM
    Sunday, May 7, 2017 6:52 PM
  • Hi Burak, we have the root domain "com" and we are trying to add DC2 in the subdomain "contoso.com" (DC1 and DC2 are in the child domain contoso.com).

    In the root domain we have two roles, schema master and domain naming master; the other roles are in the child domain. We do not have access to the root domain "com".

    • Marked as answer by Bill Gatess Tuesday, May 9, 2017 8:41 AM
    Monday, May 8, 2017 6:01 AM
  • In the root domain we have two roles, schema master and domain naming master; the other roles are in the child domain. We do not have access to the root domain "com".

    That's the right placement: the root domain holds the Schema and Naming masters, and the child domain holds the other 3 roles. But there should be a trust created between the root and child domain by default, so you should be able to access the root domain.

    Please verify the trust between the child and root domain: https://technet.microsoft.com/en-us/library/cc835085(v=ws.11).aspx

    And you need to check accessibility between the root DC and the child DCs.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Bill Gatess Tuesday, May 9, 2017 8:41 AM
    Monday, May 8, 2017 7:33 AM
  • Hi Burak, the problem is solved. In NTDS Settings on DC2 we did not have DC1; we had many other DCs. We added DC1 into NTDS Settings manually and deleted the others, then forced replication from DC1. Now it WORKS. Thank you for your help!!!!
    Tuesday, May 9, 2017 8:41 AM
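
Both the tombstone-lifetime concern raised in the first reply and the fix reported in the last post (DC2's NTDS Settings had no connection from DC1) show up in inbound replication metadata. The PowerShell below is an added example, not code from the thread: `Get-ReplicationVerdict` is a hypothetical helper, and the sample records (dates, the DC3 partner, the 180-day lifetime) are constructed.

```powershell
# Added example, not from the thread. Get-ReplicationVerdict is a hypothetical helper.
# It classifies inbound replication links against the tombstone lifetime. Input objects
# need the properties Get-ADReplicationPartnerMetadata returns:
# Server, Partner, LastReplicationSuccess, LastReplicationResult.
function Get-ReplicationVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Link,
        [int] $TombstoneLifetimeDays = 60,   # value in effect when tombstoneLifetime is unset
        [datetime] $Now = (Get-Date)
    )
    process {
        $ageDays = $null                     # stays null if the link never replicated
        if ($Link.LastReplicationSuccess) {
            $ageDays = [int][math]::Floor(($Now - $Link.LastReplicationSuccess).TotalDays)
        }
        if ($null -eq $ageDays) { $verdict = 'NEVER REPLICATED' }
        elseif ($ageDays -ge $TombstoneLifetimeDays) { $verdict = 'PAST TOMBSTONE LIFETIME' }
        elseif ($Link.LastReplicationResult -ne 0) { $verdict = 'FAILING' }
        else { $verdict = 'OK' }

        [pscustomobject]@{
            Server = $Link.Server; Partner = $Link.Partner; AgeDays = $ageDays
            LastResult = $Link.LastReplicationResult; Verdict = $verdict
        }
    }
}

# Constructed sample shaped like the cmdlet output. DC1/DC2 and error 1726 are from the
# thread; DC3, the dates and the short partner names are made up (real Partner values
# are distinguished names of NTDS Settings objects).
$now = [datetime]'2017-04-30'
$sample = @(
    [pscustomobject]@{ Server = 'DC1'; Partner = 'DC2'; LastReplicationSuccess = [datetime]'2016-04-20'; LastReplicationResult = 1726 }
    [pscustomobject]@{ Server = 'DC1'; Partner = 'DC3'; LastReplicationSuccess = [datetime]'2017-04-29'; LastReplicationResult = 0 }
    [pscustomobject]@{ Server = 'DC1'; Partner = 'DC2-new'; LastReplicationSuccess = $null; LastReplicationResult = 1726 }
)
$sample | Get-ReplicationVerdict -TombstoneLifetimeDays 180 -Now $now | Format-Table -AutoSize

# Live use from a healthy DC (requires the ActiveDirectory module):
#   $cfg = (Get-ADRootDSE).configurationNamingContext
#   $tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
#             -Properties tombstoneLifetime).tombstoneLifetime
#   if (-not $tsl) { $tsl = 60 }
#   Get-ADReplicationPartnerMetadata -Target DC1 -Scope Server |
#       Get-ReplicationVerdict -TombstoneLifetimeDays $tsl
```

A partner that is expected but missing from the live output points to a missing connection object, which is the condition the asker found on DC2.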