AD database corruption and replication problems

  • AD database corruption and replication problems

    Hi all

    I have a multi-server Win2K3 full active directory system with 2 domain controllers which both are also DNS servers. Ever since I deleted a trust which existed between our domain and an old NT domain, all replication has stopped between my 2 domain controllers. DNS name resolution seems to be working ok as I have tried this through NSlookup and other tools. However I am getting some DNS errors in the logs which all point out to the fact that the DNS server was unable to open the zone _msdcs.domainname.local in AD. In the DNS management mmc, all forward and reverse zones seem to be ok except the msdcs.ourdomainname.local which has stopped and can not be reloaded by right click (greyed out). I tried to demote one of the domain controllers through DCpromo so I can work at the problem with no replication involved. However the operation failed because the domain controllers could not write to the corrupted AD database. As I said DNS name resolution seems to be ok. So presently, despite the fact that users seem to be oblivious to this problem, I have 2 DC's that can not replicate and changes made in one do not reflect on the other. Anyone with a systematic way of solving this problem?

    Many thanks. David.

  • #2

    You need Ultrasound. This tool is seriously cool in diagnosing AD replication issues. Not only will it find issues with your AD replication; it will tell you how to fix them!!!

    I recommend this tool highly for diagnosing AD replication issues.


    • #3
      I can hardly imagine that this problem has anything to do with the trust.

      > As I said DNS name resolution seems to be ok

      Not if the critical _msdcs.* zone is not working!!

      - Do both DC's have this DNS problem, or only one?
      - does the _msdcs zone have wrong permissions for some reason?
      - what do the eventlogs say?
      - did you run dcdiag for additional info?

      Can you remove and recreate the _msdcs zone? Perhaps that solves the problem.

      (w.r.t. ultrasound: that's for frs replication; related, but different)


      • #4

        reply to your questions:

        Many thanks for helping.

        - Do both DC's have this DNS problem, or only one?
        DNS seems to be working ok. Both DC's resolve each other's names and IP's. I have tried testing name resolution through NSlookup and other tools and it seems to be ok. However both DC's can not resolve the all important msdcs zone. When I run DCdiag or netdiag on both domain controllers they both returned problems with the msdcs.OurDomainName.local (The host ._msdcs.OurDomainName.local could not be resolved).

        - does the _msdcs zone have wrong permissions for some reason?
        No the permissions are ok and have not been changed since it was working ok.

        - what do the eventlogs say?
        The predominant error message is in the DNS log as follows:

        The DNS server was unable to open zone _msdcs.OurDomainName.local in the Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code

        - did you run dcdiag for additional info?
        See above (first question) for dcdiag and netdiag results.

        Thanks for your help.



        • #5
          Maybe I see what is happening. Does your DNS look like this:

          --> _msdcs (grayed)
          --> _sites
          --> _tcp
          --> ....

          and is there no at the toplevel? Then the actual _msdcs zone has been deleted, with only the delegation left in place!

          If so, recreate the zone, replication scope all DNS in the forest, secure dynamic updates. Then, restart netlogon on both DC's.


          • #6

            Close. But not quite. What we have is as follows:

            Forward Lookup zones
            _msdcs.OurDomainName.local (not working with red X)
            Ourdomain.local (working fine)
            --> _msdcs (working fine)
            --> _sites (working fine)
            --> _tcp (working fine)
            --> ....

            The msdcs.OurDomainName.local is not working and has a red X on it. If I right click it, the reload option is greyed out. This is causing Active Directory to act with inconsistencies. I have now managed to remove the second domain controller by using the 'forceremoval' switch with dcpromo. But I am still having problems with active directory consistency because _msdcs is corrupted. Do you know of a way of replacing, repairing or reloading it? Basically what are my choices if i can not reload it?

            Again many thanks for your help.



            • #7
              You have duplicate _msdcs zones.

              _msdcs can be configured as part of OurDomainName.local zone or as separate zone, but in both cases it resolves to _msdcs.OurDomainName.local FQDN, hence only one of the two you have can exist at any given time.

              The fact that you have _msdcs as separate zone makes me guess that you have created a dedicated AD application partition for this zone, but for some reason has not removed the _msdcs folder under _msdcs.OurDomainName.local zone.

              My suggestion, remove the _msdcs folder inside OurDomainName.local zone and run on the DC:
              net stop netlogon
              ipconfig /flushdns
              [restart DNS server]
              net start netlogon
              ipconfig /registerdns

              The SRV records should now get re-registered correctly.
              run dcdiag/netdiag to check the server.
              This should re
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"
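The re-registration steps from the post above, wrapped in a batch file with a before/after check of the DC locator SRV record (added example, not posted by anyone in this thread). It assumes the AD domain FQDN is passed as the first argument, that it runs from an administrative cmd prompt on the DC, and that the Windows Server 2003 Support Tools (dnscmd, dcdiag, netdiag, nltest) are installed; the commented-out dnscmd zone-recreation lines are from memory and should be checked against dnscmd /? before use.

```batch
@echo off
REM fixmsdcs.cmd <AD-domain-FQDN>  (example script, not from the thread)
REM Re-registers the DC's _msdcs records after the duplicate _msdcs folder
REM has been deleted by hand in the DNS console, and verifies the result.
setlocal
if "%~1"=="" (
    echo usage: %~nx0 ^<AD-domain-FQDN^>   e.g. %~nx0 OurDomainName.local
    exit /b 1
)
set DOMAIN=%~1
REM The record every domain member uses to find a DC; if this does not
REM resolve, "DNS seems to be ok" is not true for AD purposes.
set SRV=_ldap._tcp.dc._msdcs.%DOMAIN%

echo === Before: does this DC resolve %SRV% from its own DNS service? ===
nslookup -type=SRV %SRV% 127.0.0.1

echo === Zones on this server: expect exactly ONE entry for _msdcs ===
dnscmd /enumzones | findstr /i "_msdcs"

REM If the separate zone itself has been deleted (post #5's case), recreate
REM it as an AD-integrated zone in the forest partition with secure updates
REM before continuing (syntax assumed, verify with dnscmd /?):
REM   dnscmd /zoneadd _msdcs.%DOMAIN% /dsprimary /dp /forest
REM   dnscmd /config _msdcs.%DOMAIN% /allowupdate 2

echo === Stop locator registration and flush the local resolver cache ===
net stop netlogon
ipconfig /flushdns

echo === Restart the DNS Server service so it reloads the zone from AD ===
net stop dns
net start dns

echo === Start netlogon and force the DC's SRV records to be rewritten ===
net start netlogon
ipconfig /registerdns
REM nltest /dsregdns registers the locator records immediately instead of
REM waiting for Netlogon's periodic re-registration.
nltest /dsregdns

echo === After: the locator record must now resolve ===
nslookup -type=SRV %SRV% 127.0.0.1

echo === Full health check, as suggested in the thread ===
dcdiag
netdiag
endlocal
```

Run it once on each DC that still holds the zone; a successful run ends with the SRV lookup returning the DC's own hostname and dcdiag no longer reporting the _msdcs host as unresolvable.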


              • #8
                Agreed with Guy. You have a zone that already exists as a domain in another zone, and that is causing the error. At least, that is the only thing that makes sense to me. What a strange situation! Any idea how it got this way?

                One small addition to get the situation back to default. This step is sort of optional in most situations, but I like to get things 100%.

                After the _msdcs zone starts working again, create a delegation from to the _msdcs domain. That is how a default w2003 domain looks.