1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

AD replication issues

Discussion in 'Networks' started by Theprof, Aug 20, 2011.

  1. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    Guys, I am at a loss here...

    So I am currently working on some AD issues for one of our customers.. They currently have 4 Domain controllers and one of the domain controllers is having issues with replication.

    When I make a change in the group policy on my main domain controller, I see that same change reflected on the other 3 domain controllers but not on the 4th domain controller once replication occurs. Looking at the SYSVOL folder, I can see that replication has not been working for a while, there are missing polices, etc...

    Here's what I've done.

    1. I ran Replmon and I see that it show's everything replicating appropriately
    2. I manually forced a replication from AD Sites and Services in the NTDS settings
    3. When I ran dcdiag /test:replications, I get a sysvol from dc1 - dc2 mismatch. This makes sense as the sysvol folder on my 4th domain controller is not replicating with the parent domain controller.
    4. I ran FRSdiag and could not see much, I even pushed a replication through there and to no avail.
    5. Event viewer shows that the replication service is running accordingly, it has issues with one domain controller from time to time but not always. The actual replication has not worked since 1/5/2010 so it's been awhile.
    6. I rebooted the domain controller
    7. Last thing I tried, was doing a non-authoritative restore on SYSVOL and nothing!
    8. Checked the replication service is started and even restarted it (first thing I did lol)

    Honestly, I don't know what I am missing, at this point I am thinking about demoting the domain controller and then promoting back so at least the SYSVOL directory would be recreated. I am honestly not sure if its the replication service at this point, could be a corrupted SYSVOL directory, etc...

    Any suggestions would be greatly appreciated.
     
    Last edited: Aug 20, 2011
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  2. Shinigami

    Shinigami Megabyte Poster

    896
    40
    84
    Hasn't replicated in over a year? That's too long mate, a depromo might not work. Just turn it off, ensure you've got all FSMO's on other DCs, run ntdsutil to remove the DC from AD, reinstall the server and repromo. Tombstone timeout is already gone by now, so recovering it might not be an option you see.
     
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
  3. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    Its true about the tombstone timeout... forgot about that... When you say reinstall the server, you mean reinstall the OS?

    I will definitely keep that in mind, thanks again Shinigami.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  4. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    I think that 'technically' You shouldn't need to reinstall the OS - just rip all references to the failed DC out of AD, give it time to replicate, then DCpromo it back up. However, you may encounter issues with the old server still having AD partially installed, so whenever I've done this before I've always rebuilt the failed DC.
     
    Certifications: A few
    WIP: None - f*** 'em
  5. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    352
    249
    I had to do this recently and got away with demoting and promoting the server but as said, if you get any funnies just rebuild it. As a rule though I avoid rebuilds as much as I can.
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  6. Shinigami

    Shinigami Megabyte Poster

    896
    40
    84
    Yeah, there's some published content which takes you steps by step through removing an AD installation from Windows, but I find that it takes just as long to remove that stuff manually and ensure the server doesn't have other issues as it does to reinstall Windows.

    If replication stopped, it might also be an issue with a security update that borked the machine, maybe a network driver issue, and so on... A reinstall gives you a chance to do frmware updates (if running a physical machine), and to put the latest Service Pack/hotfixes and newest drivers before DCPROMO, thus ensuring a very up-to-date box and eliminating other reasons for the failure of AD on the server.
     
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
  7. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    352
    249
    Just as a side note to this, I wonder if this server has a time mismatch to the rest of the forrest......

    I know replication doesn't soley depend on time as it uses USNs but again, dusting off the :sec on my MCSE, I'm pretty sure Kerberos does throw a wobbler if the time on your DC's doesn't match...... someone correct me if I've got early dementia :S
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  8. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    The times are properly synchronized, it's actually one of the first things I've checked. This particular DC is a VM and I know in the past for some reason the NTP settings on the VMware ESX host would not syn correctly and would cause the VM's times to be out of sync so I've checked that right away thinking that could be the problem, but it wasn't, I wish it were that easy!
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  9. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    This makes sense, I think the first thing I will attempt is to remove the domain controller from AD completely and join it back in... if the problem still persists, I will probably end up reinstalling windows and take it from there... Luckily there is not much on that domain controller, just AD/DC, DNS, WINS, and basic IIS install.... Also all the FSMO roles are on the primary domain controller so we're good there too.
     
    Last edited: Aug 21, 2011
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  10. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    352
    249
    I wonder....... I like a challenge, have you tried the dnslint command to see if its good old DNS's fault?

    **Edit: Sorry here you go, I don't think its a standard tool this
     
    Last edited: Aug 21, 2011
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  11. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    I haven't used the dnslint app, for DNS, I just checked the basic things like the A/glue, and NS records to make sure they can be resolved and configured properly. I will give this a try and let you know how it goes, I doubt that it is a DNS issue, although these days you never know!
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  12. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    I just ran the dnslint /ad /s localhost command on two of my domain controllers, one that works (primary) and the one I am having issues with the replica partner and both show that they can resolve the GUID's along with the CNAME records and A/Glue records.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  13. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    352
    249
    Its weird isn't it, I know you've got to get it fixed asap but it would be great to know what has caused this
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  14. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    I agree... It would make my life easier ;)
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  15. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    352
    249
    Let us know how you got on mate
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  16. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    So far so good... I was able to successfully demote the server using dcpromo... I was afraid that it might not work. I will remove DNS from that server as well then promote it back and put DNS. Just waiting for the replication to go through to the other 3 DC's...
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  17. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    Well the issue is now resolved, just as I thought, demoting and then promoting back fixed the problem. Luckily I did not have to reinstall the OS, I just ran the DCPROMO setup, it ran successfully, then I removed DNS, and then added back the AD/DC role and DNS. Made sure all the zones in the DNS got transferred and AD replicated the GPO's successfully. Must of been something off with the SYSVOL folder.

    Thanks for all the help!
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  18. Shinigami

    Shinigami Megabyte Poster

    896
    40
    84
    Glad to hear the graceful depromo and repromo worked for you :)
     
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
  19. onoski

    onoski Terabyte Poster

    3,120
    51
    154
    Thanks for sharing and glad to hear the issue is now resolved. The joys of working in I.T:)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell

Share This Page

Loading...