AD replication issue

  • Thread starter Thread starter seth
  • Start date Start date
S

seth

ok here is what happened...

in our remote datacenter, there was an electrical issue and lost power

everything came back up ok, but the 2 dc's there (2003 SP2) that are older
systems and the date reset to january 2002 (since fixed)
this is the cause of the event below. i'm trying to determine the best way
to resolve it.
at the same time, users are being prompted for credentials when getting
their mail.
not sure if exchange (2003 SP2) is affected by this or if it's a separate
issue
here is the event:

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2042
Date: 12/11/2007
Time: 2:55:46 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: <computername>
Description:
It has been too long since this machine last replicated with the named
source machine. The time between replications with this source has exceeded
the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two
machine's views of deleted objects may now be different. The source machine
may still have copies of objects that have been deleted (and garbage
collected) on this machine. If they were allowed to replicate, the source
machine might return objects which have already been deleted.
Time of last successful replication:
2002-01-28 06:53:13
Invocation ID of source:
0478f6c8-f6b8-0478-0100-000000000000
Name of source:
8cf34e45-547f-48d8-9870-bc0d59d31827._msdcs.<domain>.com
Tombstone lifetime (days):
60

The replication operation has failed.

User Action:

Determine which of the two machines was disconnected from the forest and is
now out of date. You have three options:

1. Demote or reinstall the machine(s) that were disconnected.
2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent
deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced. You
can continue replication by using the following registry key. Once the
systems replicate once, it is recommended that you remove the key to
reinstate the protection.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication
With Divergent and Corrupt Partner


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
In addition, there is another issue (not sure if related) on the other dc's
at this location referencing servers at the remote datacenter.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 12/11/2007
Time: 3:06:54 PM
User: N/A
Computer: <computername>
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/<fqdn>. The target name used was domain\computer$. This indicates that
the password used to encrypt the kerberos service ticket is different than
that on the target server. Commonly, this is due to identically named
machine accounts in the target realm (domain), and the client realm.
Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Hi
That error simple means that the DC passed your forest tombstone-lifetime.
Fastest way to solve this is to manually remove the AD from the DC, then
perform metadacleanup, then add the server as additional DC again, and make
sure that in future you monitor the replication in your DCs.

If that isn't acceptable check:
http://207.46.196.114/windowsserver...b47f-4d51-8e4a-c14527060f901033.mspx?mfr=true
http://support.microsoft.com/kb/216993
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
i think i will blow away AD on these machines and start over....especially
what has happened in the last hour:

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2093
Date: 12/11/2007
Time: 2:26:04 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: <computername>
Description:

The remote server which is the owner of a FSMO role is not responding. This
server has not replicated with the FSMO role owner recently.

Operations which require contacting a FSMO operation master will fail until
this condition is corrected.

FSMO Role: DC=<domain>,DC=com
FSMO Server DN: CN=NTDS
Settings,CN=<computer>,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=<domain>,DC=com
Latency threshold (hours): 24
Elapsed time since last successful replication (hours): 24

User Action:

This server has not replicated successfully with the FSMO role holder
server.
1. The FSMO role holder server may be down or not responding. Please address
the problem with this server.
2. Determine whether the role is set properly on the FSMO role holder
server. If the role needs to be adjusted, utilize NTDSUTIL.EXE to transfer
or seize the role. This may be done using the steps provided in KB articles
255504 and 324801 on http://support.microsoft.com.
3. If the FSMO role holder server used to be a domain controller, but was
not demoted successfully, then the objects representing that server are
still in the forest. This can occur if a domain controller has its operating
system reinstalled or if a forced removal is performed. These lingering
state objects should be removed using the NTDSUTIL.EXE metadata cleanup
function.
4. The FSMO role holder may not be a direct replication partner. If it is an
indirect or transitive partner, then there are one or more intermediate
replication partners through which replication data must flow. The total end
to end replication latency should be smaller than the replication latency
threshold, or else this warning may be reported prematurely.
5. Replication is blocked somewhere along the path of servers between the
FSMO role holder server and this server. Consult your forest topology plan
to determine the likely route for replication between these servers. Check
the status of replication using repadmin /showrepl at each of these servers.

The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this
forest.
PDC: You will no longer be able to perform primary domain controller
operations, such as Group Policy updates and password resets for non-Active
Directory accounts.
RID: You will not be able to allocation new security identifiers for new
user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group
memberships, will not be updated properly if their target object is moved or
renamed.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1863
Date: 12/11/2007
Time: 2:26:04 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: <computername>
Description:
This is the replication status for the following directory partition on the
local domain controller.

Directory partition:
DC=<domain>,DC=com

The local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.

Latency Interval (Hours):
24
Number of domain controllers in all sites:
1
Number of domain controllers in this site:
1

The latency interval can be modified with the following registry key.

Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency
error interval (hours)

To identify the domain controllers by name, install the support tools
included on the installation CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication
latencies of the domain controllers in the forest. The command is
"repadmin /showvector /latency <partition-dn>".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
good luck.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
Back
Top