Removed Domain Controller Replication Issues

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi
I am having a few issues with my Active Directory Setup.

I have 6 domain controllers at head office with approx 400 domain
controllers at seperate sites. Approximatly 2 weeks ago one of the head
office domain controllers failed, this domain controller was then removed
from the domain and a new one installed in its place. Since then we have been
having strange authentication issues on the domain with servers at the sites
not authenticating properly and other issues.
The problem i believe is when i took over support of the network in July
approximatly 300 stores were failing to replicate some being as old as 6
months out of date. I have now got this down to 100 by manually reseting the
secure chanel password on the failing domain controller with one of its
replication partners, disabling kerberos and rebooting the system, then
replicating, enabling kerberos and away we go.

The problem is this is time consuming and causes many duplicates to appear
in active directory. The sites that are having authentication issues are ones
which arn't replicating so as far as they are concerned the failed DC still
exists, the only role the server had was a global catalog.

Is there any way of editing something on the failed DC's or anywhere i can
search on the system for references to the failed DC and change. Or does
anyone know of a script i can use to get these 100 domain controllers back on
the network in one hit? That would be nice.

btw all of the 400 dc's have auto site disvovery disabled and connection
objects are manually controlled using scripts. All Windows 2000 server sp4
with 2 windows 2003 at Head office, the domain is a child domain of the main
head office domain.


Regards

Dave
 
You could have major trouble any dc that was more than 60 days out of
contact with replication will end up with tombstoned objects.

When an object is deleted from AD it is not deleted. Some of the attributes
are deleted and the object is moved to the "Lost and Found" container in the
form of tombstone.The tombstoned object is purged from AD after its lifetime
which is 60 days.

The easiest (Or most difficult) way to repair this is to dcpromo (Demote)
the offended dc's and then repromote them.

http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1052862,00.html?track=NL-119&ad=506503


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
When objects are deleted (tombstoned) they are moved into the Deleted
Objects container (viewable with LDP), not the Lost and Found container
(viewable with ADUC in advanced mode). The Lost and found container is used
for example when you delete an OU with user accounts on one DC and I change
one or more user accounts on another DC. In case a conflict occurs and the
changed objects are therefore moved to the Lost And Found container and the
unchanged ones are deleted

If the case is DCs have been disconnected for more than the tombstone
lifetime, the SAFEST way is to forcebly demote and promote them again after
the metadata has been cleaned. Another option is to cleanup untombstoned
objects on the offending DCs by checking them against healthy DCs where the
same objects have been tombstoned.

However.....

Question: did you reinstall a new DC with the same name as the old crashed
DC? If yes, did you cleanup the metadata first of the old DC?

The other problem is still not clear to me. Can you tell us which event IDs
(and source) you are experiencing on DCs?

Could you also run
DCDIAG /D /C /V
NETDIAG /DEBUG /V

on one of the problem DCs and post back the results?
 
Yeah you are correct, my fault, on the Lost and Found. Lost and Found holds
orphaned objects not deleted ones.

After that you won't know which objects need to be replicated to each dc,
since the offended dc may have objects to send to others as well as receive
them. I see no way around fixing these other than demoting and promoting.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"Jorge de Almeida Pinto"
 
I think your all right the key is to forcibly demote which is something i
have been trying to avoid as the time involved to replicate accross the
remote link can be quite extensive. The error messages being received are

Workstation:
Trying to map a drive in command prompt
"The Specified server cannot perform the requested operation" error 58

Server: Event Logs
The security package kerberos generated and exception. The package is now
disabled. The exception information is in the data. Event ID 5000 Source
Lsasrv

Failed to authenticate with \\servername\rootdomain Event ID 3210 Source
Netlogon

The Windows NT Domain Controller for this domain could not be contacted
Event ID 3096 Source Netlogon
 
Back
Top