Active Directory is not syncing and can not add user accounts


I believe I need to force 1 server to be authoritative, as none of them are recognizing each other.

I have a 3 server domain and the domain is not syncing:
- new user account email addresses do not work
- new user accounts added to the domain on server1 do not sync to server2
- DNS changes on server1 do not sync to server2

server1 is called a.domain.local - 2008 R2 Standard
server2 is called w.domain.local - 2008 SP2 Standard
server3 is called t.domain.local - 2003 SP2 Standard (this 1 is not a domain controller)
There are 2 old servers still listed in DNS and still listed as DCs -- I have eliminated these from a.domain.local.

a.domain.local is the Exchange server and has the Exchange server roles and features.

From the event log, I can see there have been replication errors going on for a long time. I can see that 4 weeks ago the replication errors increased, and then "decreased".

I think I need to make 1 of the servers authoritative and force the rest to sync to it; I believe this needs to be a.domain.local, as the user and DNS changes have been made there in the last year.

What do I need to do to force this to happen?
What do I need to check before forcing a.domain.local to be the authoritative server?

-----------------------------------------------

From the event log, the error has been on the server for as long as the log covers, 6 months. The count of servers not replicating changes. See the 3 events below as a time line.

----------------------------------------------------

This one started 6 months ago and continued until 4 weeks ago:

This is the replication status for the following directory partition on this directory server.

Directory partition:
DC=ForestDnsZones,DC=domain,DC=local

This directory server has not received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.

More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
180

Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.

------------------------------------------------------------

This one started 4 weeks ago:

This is the replication status for the following directory partition on this directory server.

Directory partition:
CN=Configuration,DC=domain,DC=local

This directory server has not received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.

More than 24 hours:
2
More than a week:
2
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
180
 
------------------------------------------------------

And the current one:

This is the replication status for the following directory partition on this directory server.

Directory partition:
CN=Configuration,DC=domain,DC=local

This directory server has not received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.

More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180
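Before forcing any DC to be authoritative, the things worth knowing are the tombstone lifetime actually in force, which DCs the directory still believes exist, who holds the FSMO roles, how stale each replication partner is per partition, and whether lingering objects are already present. The script below is an added example, not code from the thread or from Microsoft; it is read-only and assumes Windows Server 2008 R2 with the ActiveDirectory module (RSAT) and repadmin.exe, run as a domain admin on a.domain.local, with w.domain.local (both names from the question) as the reference DC for the lingering object scan.

```powershell
# Added example, not code from the original thread. Read-only checks to run on
# a.domain.local (the DC the question wants to keep) before deciding to treat it
# as authoritative. Assumes Windows Server 2008 R2 with the ActiveDirectory
# module (RSAT) and repadmin.exe, run as a domain admin. w.domain.local is the
# other DC named in the question.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext

# 1. Tombstone lifetime actually in force for this forest. An absent attribute
#    means the old 60-day default; the question's events report 180.
$dsConfig = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$tombstoneDays = 60
if ($dsConfig.tombstoneLifetime) { $tombstoneDays = [int]$dsConfig.tombstoneLifetime }
"Tombstone lifetime: $tombstoneDays days"

# 2. DCs the directory still believes exist. Entries for machines that are gone
#    are the "old servers still listed as DCs" and need metadata cleanup later.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem, IPv4Address |
    Format-Table -AutoSize

# 3. FSMO role holders. The DC you keep must hold these or have them seized to it.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster | Format-List
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster | Format-List

# 4. Inbound replication per partition and partner on this DC, from repadmin's
#    CSV output, with the age of the last success compared to the tombstone lifetime.
$now = Get-Date
repadmin /showrepl $env:COMPUTERNAME /csv | ConvertFrom-Csv | ForEach-Object {
    $parsed  = [datetime]::MinValue
    $ageDays = $null
    if ([datetime]::TryParse($_.'Last Success Time', [ref]$parsed)) {
        $ageDays = [int]($now - $parsed).TotalDays
    }
    $pastTombstone = 'unknown'
    if ($ageDays -ne $null) { $pastTombstone = ($ageDays -gt $tombstoneDays) }
    New-Object PSObject -Property @{
        Partition     = $_.'Naming Context'
        Source        = $_.'Source DSA'
        Failures      = [int]$_.'Number of Failures'
        LastSuccess   = $_.'Last Success Time'
        AgeDays       = $ageDays
        PastTombstone = $pastTombstone
        LastStatus    = $_.'Last Failure Status'
    }
} | Sort-Object AgeDays -Descending |
    Select-Object Partition, Source, Failures, LastSuccess, AgeDays, PastTombstone, LastStatus |
    Format-Table -AutoSize

# 5. Advisory-mode lingering object scan: lists objects present on this DC but
#    absent on the reference DC, without deleting anything. Run it again with the
#    roles swapped (w as destination, a as source) before trusting either side.
$refDc   = Get-ADDomainController -Identity 'w.domain.local'
$refGuid = (Get-ADObject -Identity $refDc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
$partitions = @($rootDse.defaultNamingContext, $configNC, "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)")
foreach ($nc in $partitions) {
    repadmin /removelingeringobjects $env:COMPUTERNAME $refGuid $nc /advisory_mode
}
```

A partner whose AgeDays exceeds the tombstone lifetime is the one the event text is warning about: it may have missed deletions, and replication with it is blocked by default (strict replication consistency), so "forcing a sync" into it is not an option; it has to be cleaned out and rebuilt. The advisory-mode output goes to the Directory Service event log as well as the console; nothing is deleted until the same command is run without /advisory_mode.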
 



A domain controller that has not replicated in longer than the tombstone lifetime interval should be removed from Active Directory to ensure the data integrity and expected operational performance of Active Directory functions.

It is possible, due to replication conflicts and lingering objects, that different views of the database exist on both domain controllers, with both of these in use by clients.

Whilst the immediate recommended action is removal of the affected domain controller and associated meta-data from the production environment, removal of Active Directory on the isolated domain controller should take place after analysis of objects and usage has been performed, to determine if any kind of re-creation is required within the production environment.

1. Move the server from the corporate network to a private network, or isolate the server.

Note: if it is believed that the disconnected domain controller has been in use by clients and data must be reconciled between this DC and the rest of the Active Directory forest, use repadmin /removelingeringobjects to perform the analysis and return a list of objects in conflict for re-creation/verification.

Remove the server from the corporate network through removal of the network connection/cabling and leave it offline, or connect it to a private network.

2. Either forcefully remove Active Directory or reinstall the operating system.

Note: remove Active Directory from the domain controller if the analysis of lingering objects has been completed successfully, or the data is not required.

To forcefully remove Active Directory from the domain controller, use the following process:

- Open the Run dialog and type the following command: dcpromo /forceremoval
- Follow the prompts to remove Active Directory from the domain controller

3. Remove the server metadata from Active Directory so the server object cannot be revived.

To remove the server metadata from Active Directory, use the following process:

- Use the procedure documented in "Procedure 1: Windows Server 2003 SP1 or later service packs" in Microsoft KB article: http://support.microsoft.com/kb/216498


Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog
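Step 3 of the answer above (metadata cleanup) plus the stale DNS entries the question mentions, as commands run from the surviving DC once dcpromo /forceremoval has been run on, or the OS reinstalled on, the isolated DC. This is an added example and not the thread's or KB 216498's own text; it assumes the ActiveDirectory module on 2008 R2, and the values 'W', w.domain.local and 'Default-First-Site-Name' are placeholders for the DC being removed and its site, to be replaced with what the earlier checks showed.

```powershell
# Added example, not code from the thread or from KB 216498. Metadata cleanup
# and DNS cleanup for a DC that has already been force-demoted or rebuilt.
# Run on the surviving DC as a domain admin with the ActiveDirectory module.
Import-Module ActiveDirectory

$deadDcName = 'W'                        # placeholder: short name of the removed DC
$deadDcFqdn = 'w.domain.local'           # placeholder: its FQDN, as seen in FSMO output
$siteName   = 'Default-First-Site-Name'  # placeholder: the AD site it lived in
$configNC   = (Get-ADRootDSE).configurationNamingContext
$serverDN   = "CN=$deadDcName,CN=Servers,CN=$siteName,CN=Sites,$configNC"

# Step 1: metadata cleanup (KB 216498, Procedure 1). The single-command form
# accepted by ntdsutil on 2008 and later removes the NTDS Settings object
# and its replication links for that server.
ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit

# Step 2: anything left behind. The server object in Sites and Services and
# the computer account in the Domain Controllers OU must not survive, or the
# DC can be "revived" as the answer warns. -Filter returns nothing if absent.
$leftoverServer = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$deadDcName'" -SearchBase $configNC
if ($leftoverServer) {
    Remove-ADObject -Identity $leftoverServer.DistinguishedName -Recursive -Confirm:$false
}
$leftoverComputer = Get-ADComputer -Filter "name -eq '$deadDcName'"
if ($leftoverComputer) {
    Remove-ADObject -Identity $leftoverComputer.DistinguishedName -Recursive -Confirm:$false
}

# Step 3: any FSMO role the dead DC still holds must be seized, not transferred;
# -Force is what makes the cmdlet seize when the current holder is unreachable.
$domain = Get-ADDomain
$forest = Get-ADForest
$roleHolders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$toSeize = @($roleHolders.GetEnumerator() | Where-Object { $_.Value -ieq $deadDcFqdn } | ForEach-Object { $_.Key })
if ($toSeize.Count -gt 0) {
    "Seizing: $($toSeize -join ', ')"
    Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME -OperationMasterRole $toSeize -Force -Confirm:$false
}

# Step 4: DNS. Netlogon on the surviving DC does not remove the dead DC's
# records. NS and host records are deleted directly; the SRV records under
# _msdcs are dumped for review, since dnscmd needs each record's full data
# (priority, weight, port, target) to delete it.
$zone = $domain.DNSRoot
dnscmd . /RecordDelete $zone '@' NS $deadDcFqdn /f
dnscmd . /RecordDelete "_msdcs.$zone" '@' NS $deadDcFqdn /f
dnscmd . /RecordDelete $zone $deadDcName A /f
dnscmd . /ZonePrint "_msdcs.$zone" | Select-String -SimpleMatch $deadDcFqdn
```

Run the read-only checks (FSMO holders, DC list, replication ages) again afterwards: the dead DC should no longer appear in Get-ADDomainController output or in repadmin /showrepl, and the Event 1864 counts on the remaining DC should drop to zero once the next replication cycle completes.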


