Unable to replicate between 2 DCs error message: 'exceeded the tombstone lifetime'

  • Question

  • We had an issue where our Exchange server's CMOS battery died, which caused the time to go back to 2005. It looks like during this time we lost synchronization between our main DC and the Exchange DC. We have replaced the battery, however I am not really sure what steps I need to take to resolve this issue. I have seen where I would need to demote the DC. I don't believe I can demote the Exchange DC and am not sure if this is even the one I need to demote. When I go to Active Directory Sites and Services on the main DC and try to force replication from the NTDS setting "Replicate configuration from the selected DC" on exchange I get "The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime." Also, when running repadmin /showrepl I get the following, posted below. Can someone please assist in how to fix this mess?

    Repadmin: running command /showrepl against full DC localhost
    Default-First-Site-Name\DC
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: xx
    DSA invocationID: xx

    ==== INBOUND NEIGHBORS ======================================

    DC=xx,DC=local
        Default-First-Site-Name\EXchange via RPC
            DSA object GUID: xxxx
            Last attempt @ 2012-11-09 13:14:35 failed, result 8614 (0x21a6):
                The directory service cannot replicate with this server because the
    time since the last replication with this server has exceeded the tombstone life
    time.
            8406 consecutive failure(s).
            Last success @ 2005-03-30 23:14:41.

    CN=Configuration,DC=xx,DC=local
        Default-First-Site-Name\EXchange via RPC
            DSA object GUID: xxxx
            Last attempt @ 2012-11-09 13:14:14 failed, result 8614 (0x21a6):
                The directory service cannot replicate with this server because the
    time since the last replication with this server has exceeded the tombstone life
    time.
            626 consecutive failure(s).
            Last success @ 2005-03-30 23:09:25.

    CN=Schema,CN=Configuration,DC=xx,DC=local
        Default-First-Site-Name\EXchange via RPC
            DSA object GUID: xxxx
            Last attempt @ 2012-11-09 12:48:25 was successful.

    Source: Default-First-Site-Name\EXchange
    ******* 8402 CONSECUTIVE FAILURES since 2005-03-30 23:14:41
    Last error: 8614 (0x21a6):
                The directory service cannot replicate with this server because the
    time since the last replication with this server has exceeded the tombstone life
    time.


    GY

    Friday, November 9, 2012 9:19 PM
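
One way to flag this condition from saved `repadmin /showrepl` text, as an added example that is not part of the original thread. The sample input is constructed in the layout of the output above, the function names are hypothetical, and the 60-day threshold is an assumption (use the forest's own tombstone lifetime).

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the `repadmin /showrepl` output above.
SAMPLE = r"""DC=xx,DC=local
    Default-First-Site-Name\EXchange via RPC
        Last attempt @ 2012-11-09 13:14:35 failed, result 8614 (0x21a6):
        8406 consecutive failure(s).
        Last success @ 2005-03-30 23:14:41.

CN=Schema,CN=Configuration,DC=xx,DC=local
    Default-First-Site-Name\EXchange via RPC
        Last attempt @ 2012-11-09 12:48:25 was successful.
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
NC_RE = re.compile(r"^\s*((?:DC|CN)=\S+)\s*$")   # naming context line
SRC_RE = re.compile(r"^\s*(\S+\\\S+) via \S+")    # Site\Server via RPC
ATTEMPT_RE = re.compile(r"Last attempt @ " + TS + r" (?:failed, result (\d+)|was successful)")
SUCCESS_RE = re.compile(r"Last success @ " + TS)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_showrepl(text):
    """Return one dict per inbound link (naming context + source DSA)."""
    links, nc, cur = [], None, None
    for line in text.splitlines():
        if m := NC_RE.match(line):
            nc = m.group(1)
        elif m := SRC_RE.match(line):
            cur = {"nc": nc, "source": m.group(1), "attempt": None,
                   "result": None, "last_success": None}
            links.append(cur)
        elif cur and (m := ATTEMPT_RE.search(line)):
            cur["attempt"] = _ts(m.group(1))
            cur["result"] = int(m.group(2) or 0)   # 0 = attempt succeeded
            if cur["result"] == 0:
                cur["last_success"] = cur["attempt"]
        elif cur and (m := SUCCESS_RE.search(line)):
            cur["last_success"] = _ts(m.group(1))
    return links

def stale_links(links, tombstone_days=60):
    """Links failing with 8614, or whose gap since last success exceeds the
    tombstone lifetime (60 days is an assumed value; use the forest's own)."""
    limit = timedelta(days=tombstone_days)
    return [l for l in links
            if l["result"] == 8614
            or (l["attempt"] and l["last_success"]
                and l["attempt"] - l["last_success"] > limit)]
```

A last-success timestamp years older than every other partition's, as here, points at a clock fault rather than a partner that was really offline that long.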

Answers

  • Hi,

    If the DC has passed the tombstone lifetime, then the best approach to recover the DC from the error state is to demote and repromote the problem DC.

    In your case Exchange is hosted on a DC, which is not recommended. Is this also an FSMO role owner?

    Anyway, first of all confirm that the PDC role owner DC in the forest root domain is configured as an authoritative time server. If not, you need to configure the same.

    Verify the PDC role owner DC name by running the command "netdom query fsmo" and run the following commands for "Authoritative Time Server" configuration:

    On the PDC Emulator DC:
    W32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update
    net stop w32time & net start w32time & W32tm /resync /rediscover

    On non-PDC DCs:
    w32tm /config /syncfromflags:domhier /update
    net stop w32time & net start w32time & W32tm /resync /rediscover

    Once you are done with the above, run dcdiag /q and repadmin /replsum to check for any errors.

    If you are still getting replication errors, proceed like this:

    • If the problem DC is an FSMO role owner, transfer the FSMO roles to a healthy DC and configure it as a time server.
    • Stop and disable Exchange services.
    • Demote the problem Domain Controller using the dcpromo.exe command. If you're unsuccessful you might want to try to remove the server from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and need to perform metadata cleanup.
    • Promote the server as ADC and start Exchange services.

    Clean Up Server Metadata Windows Server 2003 and Windows Server 2003 R2
    http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx

    Clean Up Server Metadata Windows Server 2008 and higher
    http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Friday, November 9, 2012 11:10 PM
  • Considering the circumstances, you might want to consider implementing steps described in http://technet.microsoft.com/en-us/library/cc757610(v=ws.10).aspx - which involve allowing replication with divergent or corrupt partner (Restart Replication Following Event ID 2042 section).

    This assumes that your recent replication attempts were successful - and the failure results from the time shift you described.

    Alternatively, you should be able to resolve the issue by restoring the domain controller from backup

    hth
    Marcin

    Friday, November 9, 2012 11:24 PM
  • Since the server has reached the tombstone lifecycle period, I would recommend demoting the DC and promoting the server back as a DC.

    You cannot demote the faulty DC gracefully; you need to do a forceful removal. You need to run dcpromo /forceremoval and then run metadata cleanup on another (healthy) DC to remove the instance of the faulty DC from the AD database and DNS.

    Once done, you can promote the server back as ADC. If the faulty DC is an FSMO role holder, you need to seize the FSMO roles on another DC.

    Reference links
    Forceful removal of DC: http://support.microsoft.com/kb/332199
    Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
    Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm

    Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

    However, alternatively you can enable Allow Replication With Divergent and Corrupt Partner to force the replication between the DCs without demoting the DC, but this can lead to lingering object issues. Sometimes it's difficult to remove lingering objects either using repadmin /removelingeringobjects or another tool, and the easiest way to deal with such issues is to demote and re-promote the DC. If lingering objects spread then it's more difficult to tackle them. I personally would not recommend doing so; demote and promote is the best bet.

    Reference link: http://technet.microsoft.com/en-us/library/cc757610(WS.10).aspx

    How to find and remove lingering objects in Active Directory.
    http://sandeshdubey.wordpress.com/2011/10/09/how-to-find-and-remove-lingering-objects-in-active-directory/
    http://technet.microsoft.com/en-us/library/cc738018(WS.10).aspx

    Troubleshooting AD Replication error 8614: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime"
    http://support.microsoft.com/kb/2020053

    Note: Do not demote a DC if Exchange is on it: http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, November 17, 2012 12:08 AM

All replies

  • PDC is the Time server and FSMO, not exchange DC.

    When running W32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update
    w32time & net start w32time & W32tm /resync /rediscover, I get an error for w32time: "The following arguments were unexpected:
     w32time". Aside from that, when I run dcdiag and repadmin I get

          An error event occurred.  EventID: 0xC00007FA Time Generated: 11/16/2012   15:34:29
                Event String:
                It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
             ......................... DC failed test KccEvent

             [Replications Check,DC01] A recent replication attempt failed:
                From EX to DC
                Naming Context: CN=Configuration,DC=x,DC=local
                The replication generated an error (8614):
                The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
                The failure occurred at 2012-11-16 14:46:39.
                The last success occurred at 2005-03-30 23:09:25.
                809 failures have occurred since the last success.

             [Replications Check,DC] A recent replication attempt failed:
                From EX to DC
                Naming Context: DC=x,DC=local
                The replication generated an error (8614):
                The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
                The failure occurred at 2012-11-16 15:39:20.
                The last success occurred at 2005-03-30 23:14:41.
                10988 failures have occurred since the last success.
             ......................... DC failed test Replications

             An error event occurred.  EventID: 0x00000457
                Time Generated: 11/16/2012   15:31:46
                Event String:
                Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.
             ......................... DC failed test SystemLog

    and

    Replication Summary Start Time: 2012-11-16 15:40:56

    Beginning data collection for replication summary, this may take awhile:
      .....

    Source DSA          largest delta    fails/total %%   error
     DC                      53m:16s    0 /   3    0
     EX             >60 days            2 /   3   66  (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

    Destination DSA     largest delta    fails/total %%   error
     DC             >60 days            2 /   3   66  (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
     EX                     53m:16s    0 /   3    0

    GY

    Friday, November 16, 2012 11:48 PM