How long can two AD / DC servers be out of sync??

    Question

  • I'm trying to understand what happens when/if our two DC/AD (also DNS, DHCP, one of them is RDS/TS licensing) servers get out of sync for any reason.

    One is physical, one is virtual. This understanding is necessary for presenting BC/DR information to non-technical people.

    If one of the two AD/DC servers is unavailable, my understanding is the remaining server will take over.

    When/if the second AD/DC comes back online what happens??

    I vaguely recall seeing something to the effect that not more than 30 minutes should be allowed to pass with one of the AD/DC servers offline, is this true??

    Can someone point me to an explanation of what happens, consequences, remedies??

    Thank you, Tom

    Thursday, August 16, 2012 1:01 PM

Answers

  • Hi Tom,

    The servers can be disconnected for a limited period of time, but it should not exceed the tombstone period. Otherwise you will end up with lingering objects and journal wraps.

    The default Tombstone Lifetime period is 60 days in Windows Server 2003. But the default Tombstone Lifetime period has been changed in Windows Server 2003 SP1 and later to 180 days.

    To get rid of lingering objects you need to demote and re-promote the DC.

    And make sure that the FSMO role holder is online to serve client requests.

    Active Directory Lingering Objects, Journal Wraps, USN Rollbacks, Tombstone Lifetime, and Event IDs 13568, 13508, 1388, 1988, 2042, 2023, 2095, 1113, 1115, 2103, and more

    http://msmvps.com/blogs/acefekay/archive/2011/12/27/active-directory-lingering-objects-journal-wraps-tombstone-lifetime-and-event-ids-13568-13508-1388-1988-2042-2023.aspx


    Regards,
    Rafic

    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    Thursday, August 16, 2012 1:12 PM
  • Hello,

    This depends on the TSL (tombstone lifetime); the default for domains created on earlier OS versions is 60 days and on newer ones 180 days. At the latest within this timeframe the DCs MUST synchronize. You can verify with:

    dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Root-Domain" -scope base -attr tombstoneLifetime

    in an elevated command prompt. Or with ADSIEdit.msc, under the attribute "tombstoneLifetime" in "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Root-Domain".

    Also it is important that the running DC is a Global Catalog server; for a single-domain forest it is recommended that all DCs be GCs.

    Additionally, make both DCs DNS servers and configure ALL domain machines to use both domain DNS servers, NONE ELSE, on the NIC. Without DNS nobody is able to log on to the domain.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Thursday, August 16, 2012 1:13 PM
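    The two answers above both come down to one question: how long since these DCs last replicated successfully, and how close is that to the forest tombstone lifetime? The script below is an added example, not code from any post in this thread. It reads tombstoneLifetime the way the dsquery command above does (falling back to the built-in 60-day default when the attribute is not set, which is the case for forests created before Windows Server 2003 SP1), then reports the time since the last successful inbound replication for every partner of every DC. It assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2012 or later) and an account that can read the Configuration partition; the function names, the 50 % warning threshold and the status labels are this example's own choices.

```powershell
# Added example (not from the original thread): compare the forest tombstone
# lifetime with the last successful inbound replication of each DC.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2012+) and read
# access to the Configuration naming context.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service under the Configuration NC,
    # the same object the dsquery / ADSIEdit instructions above point at.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
    if ($null -eq $ds.tombstoneLifetime) {
        # Attribute absent: forest predates Windows Server 2003 SP1 and the
        # directory uses its built-in default of 60 days.
        return 60
    }
    return [int]$ds.tombstoneLifetime
}

function Get-ReplicationGap {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [int]    $TombstoneLifetimeDays,
        [int] $WarnAtPercent = 50   # example threshold, not a Microsoft value
    )
    $now = Get-Date
    # One row per (partition, inbound partner) for this DC.
    Get-ADReplicationPartnerMetadata -Target $DomainController -Scope Server |
        ForEach-Object {
            $last    = $_.LastReplicationSuccess
            $gapDays = if ($last) { ($now - $last).TotalDays } else { [double]::PositiveInfinity }
            $status  = if ($gapDays -ge $TombstoneLifetimeDays) { 'BEYOND-TSL' }
                       elseif ($gapDays -ge ($TombstoneLifetimeDays * $WarnAtPercent / 100)) { 'WARNING' }
                       else { 'OK' }
            # Partner is the DN of the source DC's NTDS Settings object; pull out the server name.
            $partnerName = if ($_.Partner -match 'CN=NTDS Settings,CN=([^,]+),') { $Matches[1] } else { $_.Partner }
            [pscustomobject]@{
                DC          = $DomainController
                Partner     = $partnerName
                Partition   = $_.Partition
                LastSuccess = $last
                GapDays     = [math]::Round($gapDays, 1)
                LastResult  = $_.LastReplicationResult   # 0 = success, otherwise a Windows error code
                Status      = $status
            }
        }
}

$tsl = Get-TombstoneLifetimeDays
"Forest tombstone lifetime: $tsl days"

# Check every DC in the domain; the two-DC setup from the question is just N = 2.
$report = Get-ADDomainController -Filter * |
    ForEach-Object { Get-ReplicationGap -DomainController $_.HostName -TombstoneLifetimeDays $tsl }
$report | Sort-Object GapDays -Descending | Format-Table -AutoSize

if ($report | Where-Object Status -eq 'BEYOND-TSL') {
    Write-Warning "At least one replication partner has not replicated within the tombstone lifetime; expect lingering objects (see the guidance linked above)."
}
```

    Run it from either DC or from a management host with RSAT. A GapDays value that keeps growing for one partner while the other partitions are fine usually means that partner is down or unreachable; if GapDays ever reaches the TSL the DC is the lingering-object case Rafic describes, and at that point the affected DC is treated as stale by the others rather than simply catching up.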
  • Hello,

    Two DCs can go without replicating for a specific period called the forest tombstone lifetime. This value can be updated.

    To determine your forest tombstone lifetime: http://technet.microsoft.com/en-us/library/cc784932%28v=ws.10%29.aspx


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Monday, August 20, 2012 1:49 PM

All replies

  • Try out this link

    http://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx#w2k3tr_repto_how_yipb

    Monday, August 20, 2012 11:37 AM