Replication Problem

  • Thread starter Thread starter Ido Ran
  • Start date Start date
I

Ido Ran

Hello,

I have a Windows 2000 domain scatered over several sites. In is a single
domain in the forest. Each site has two DCs in it. We have setup the
iner-site replication topology in Sites and Services snap-in and everything
works fine.
About two mounth ago on of the servers has been shout-down, that server was
the bridge-head server in it site. The KDC has not moved the bridge-head to
the second DC in that site. Now, two mounth later I have restarted the
server.

The problem: The DC does not replicate with other DCs in the domain. The
ReplMon tool show an "Access Denied" problem.
I have searched in the MSDN and google for that problem and found a few
articles but none of them solved the problem.

I have tried the following solutions:
* Disable the KDC service, restart the server and use netdom to reset the DC
secure-channel with other DC. This did not solve the problem but it solved
the intra-site replication. So now the two DCs replicate between them-selves
but not with over DCs.
* run RepAdmin tool with /SyncAll switch and /Sync switch

Other sympthoms:
When I use "net time \\otherDC" the result is "Access Denied", when I use
"net time \\X.X.X.X" (The IP of OtherDC) the command complete successfully.

Possible Solutions:
* Backup the Active Directory database in other site and restore only the
Domain Controllers OU. I hope this will resync the computer account
passwords and the replication will restart to work
* Demote the bridge-head server in the problematic site (possible with
/force_removal), remove any leftover objects in the domain and promote the
DC again.

Please help me to understand what went wrong and how can I reinitiate the
repliation to that site.

Thank you very much,
Ido.
 
Two months is looking like the tombstone period has expired (60 days by
default). This is probably the problem.

Out of your possible solutions, I'd say number one is a no-go -it won't
work. Number two is the best solution.

The question here, is if both DCs in the site are up-to-date or not.

You could try resetting the secure channel with the DCs in the other site.

However, if 60 days have passed, the best thing to do is demote both DCs in
this site (using /forceremoval if necessary), running a metadata cleanup and
then re-promoting the DCs.


Perhaps you will learn some good lessons here:
-- Fix replication problems ASAP.
-- Don't configure the bridgehead servers manually. Let the ISTG do it.
This way, the KCCs can fail-over.



--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


Hello,

I have a Windows 2000 domain scatered over several sites. In is a single
domain in the forest. Each site has two DCs in it. We have setup the
iner-site replication topology in Sites and Services snap-in and everything
works fine.
About two mounth ago on of the servers has been shout-down, that server was
the bridge-head server in it site. The KDC has not moved the bridge-head to
the second DC in that site. Now, two mounth later I have restarted the
server.

The problem: The DC does not replicate with other DCs in the domain. The
ReplMon tool show an "Access Denied" problem.
I have searched in the MSDN and google for that problem and found a few
articles but none of them solved the problem.

I have tried the following solutions:
* Disable the KDC service, restart the server and use netdom to reset the DC
secure-channel with other DC. This did not solve the problem but it solved
the intra-site replication. So now the two DCs replicate between them-selves
but not with over DCs.
* run RepAdmin tool with /SyncAll switch and /Sync switch

Other sympthoms:
When I use "net time \\otherDC" the result is "Access Denied", when I use
"net time \\X.X.X.X" (The IP of OtherDC) the command complete successfully.

Possible Solutions:
* Backup the Active Directory database in other site and restore only the
Domain Controllers OU. I hope this will resync the computer account
passwords and the replication will restart to work
* Demote the bridge-head server in the problematic site (possible with
/force_removal), remove any leftover objects in the domain and promote the
DC again.

Please help me to understand what went wrong and how can I reinitiate the
repliation to that site.

Thank you very much,
Ido.
 
Back
Top