Domain Replication Problems


    Ok, this is going to be a long post, hopefully I cover everything that needs to be said about my problem. I have done a fair share of Google searching the past couple of days, but it hasn't gotten me very far. Please let me know if you need any additional information.

    The environment:
    Three domain controllers, two locations. The locations are constantly connected via VPN, no ports blocked through the VPN. Two of the domain controllers, let's call them DC1 and DC2, are at location A, where the majority of the computers are. DC3 is at location B. All three domain controllers have DNS installed and are set to replicate DNS.

    DC1 (Server2003R2 Enterprise) - First domain controller set up in the domain. It runs SQL and a couple of third party programs. It is also set as a file server; it holds the majority of the important data.
    DC2 (Server2008R2 Enterprise) - Terminal server (I know, I want to demote this server when I get the problem fixed), Trend Micro WFBS, and WSUS.
    EXCHANGE (Server2003R2) - Member server, only has Exchange 2003 installed.
    DC3 (Server2003R2) - File server for location B.

    DC1 and DC3 are installed on physical machines while DC2 and EXCHANGE are virtual machines on a Xenserver.

    The problem:
    Monday October 3rd at 7:18AM was the last time DC2 replicated with the other two domain controllers. I first noticed this when I was doing weekly maintenance on that Wednesday. I noticed some weird group policy errors. Also, every morning I log in remotely (from home) via VPN & RDP to do third party software updates. One morning I lost Internet connectivity at my house for a couple of minutes. When I reconnected to the VPN and DC2 via RDP I got a very weird error about Remote Desktop Services not being available. If I had known this was the start of all these problems I would have taken a screenshot. Granted, I do these updates logged in as domain\administrator. I then logged in as domain\DomainAdminAccount and tried to disconnect the administrator session. It would not disconnect, so I rebooted the server and everything appeared to be working. Later on I found the replication issue started just then.

    Going to Active Directory Sites and Services and clicking 'Replicate Now' gives these results:
    DC1 to DC3 -- No errors
    DC3 to DC1 -- No errors
    DC1 to DC2 -- "The following error occurred during the attempt to synchronize naming context from Domain Controller DC1 to Domain Controller DC2: Access is denied. The operation will not continue"
    DC2 to DC1 -- Same error as above.
    DC3 to DC2 -- Same error as above.
    DC2 to DC3 -- Same error as above.

    Also, sometimes when rebooting either DC1 or DC2 I will get the following error when trying to open Active Directory Sites and Services or Users and Computers: "Naming information cannot be located for the following reason: If you are trying to connect to a Domain Controller running Windows 2000, verify that Windows 2000 Server Service Pack 3 or later is installed on the DC, or use the Windows 2000 administration tools. For more information about connecting to DCs running Windows 2000, see Help and Support." While this is happening, DNS also won't work. The service is started, but the manager says it cannot connect to the DNS server. After a few minutes, DNS comes back online and AD works again. This is very scary. It has never happened on DC3 because I have not restarted it yet.

    What I've tried:
    There are a lot of things I have tried to fix the problem given the results of my Google searching. There may be some things I will forget to mention, but this is what I remember:

    1. Resetting the machine account password via command prompt. I did this, then rebooted but still had the same problem. I tried doing this from DC1 and DC2.
    2. Disabling the Kerberos Key Distribution Center service on DC2, rebooting, then 'Replicate Now'. This did not fix the problem, but it did take longer when attempting to replicate and the error changed to this: "The following error occurred during the attempt to synchronize naming context from Domain Controller DC1 to Domain Controller DC2: Could not find the domain controller for this domain. This operation will not continue. This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems... blah blah blah"
    3. Troubleshooting DNS. I can ping by hostname from any DC to another. I also tried pinging the GUID from the different DCs to each other. Seems to be no problem. nslookup seems to run as it should.

    I cannot demote DC2, which is what I'd like to do at this point. I was thinking I could disconnect DC2 from the network, do the force remove from the domain (where it deletes the whole domain), then do a manual removal on the live domain for DC2. However, those errors about not being able to connect to AD when rebooting DC1 and DC2 scare me too much to take action.
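As an added example that is not part of the original post (and not a tool from the poster or from Microsoft beyond the standard command-line utilities it wraps), the following read-only PowerShell sweep checks the things the steps above touch on, across all three DCs: inbound replication partner status from repadmin, the _msdcs SRV record and each partner's DSA-GUID CNAME on every DC's own DNS server, clock skew between DCs (a Kerberos "Access is denied" between replication partners is frequently a clock problem), and the secure channel that a machine-account password reset is meant to repair. The domain name corp.example and the hostnames DC1/DC2/DC3 are assumptions to substitute; it runs as a domain admin from any DC and changes nothing.

```powershell
# Added example (not from the original post): read-only health sweep for the
# three-DC layout described above. Domain name and DC names are assumptions.
$Domain = 'corp.example'             # placeholder; substitute the real AD DNS name
$DCs    = @('DC1', 'DC2', 'DC3')     # hostnames as used in the post

function Invoke-Native {
    param([string]$CommandLine)
    # Run a classic command-line tool and return stdout+stderr as one string.
    $lines = cmd.exe /c "$CommandLine 2>&1"
    return (@($lines) -join "`n")
}

function Get-ReplicationStatus {
    # repadmin /showrepl lists every inbound partner and the last attempt
    # result. Lines carrying "Last error" (e.g. "Access is denied") are
    # collected per DC; the DSA object GUID is kept for the CNAME check below.
    foreach ($dc in $DCs) {
        $text   = Invoke-Native "repadmin /showrepl $dc"
        $guid   = [regex]::Match($text, 'DSA object GUID:\s*([0-9a-fA-F-]{36})').Groups[1].Value
        $errors = @($text -split "`n" | Where-Object { $_ -match 'Last error' })
        New-Object PSObject -Property @{
            DC         = $dc
            DsaGuid    = $guid
            ErrorCount = $errors.Count
            Errors     = (($errors | ForEach-Object { $_.Trim() }) -join ' | ')
        }
    }
}

function Test-DcDnsRecords {
    param([object[]]$ReplStatus)
    # Every DC also runs DNS, so each one must answer for the domain's SRV
    # record and for every partner's <DSA GUID>._msdcs CNAME. A DNS server
    # that cannot resolve a partner explains "Could not find the domain
    # controller for this domain" after the KDC was stopped.
    foreach ($dns in $DCs) {
        $srv        = Invoke-Native "nslookup -type=SRV _ldap._tcp.dc._msdcs.$Domain $dns"
        $advertised = @([regex]::Matches($srv, 'svr hostname\s*=\s*(\S+)') |
                        ForEach-Object { $_.Groups[1].Value })
        $missing = @()
        foreach ($r in $ReplStatus) {
            if (-not $r.DsaGuid) { continue }
            $cname = Invoke-Native "nslookup -type=CNAME $($r.DsaGuid)._msdcs.$Domain $dns"
            if ($cname -notmatch 'canonical name') { $missing += $r.DC }
        }
        New-Object PSObject -Property @{
            DnsServer     = $dns
            SrvTargets    = ($advertised -join ',')
            MissingCnames = ($missing -join ',')
        }
    }
}

function Test-ClockSkew {
    # Kerberos rejects authenticators when clocks differ by more than the
    # domain tolerance (5 minutes by default), and that too surfaces as
    # "Access is denied" between replication partners.
    foreach ($dc in $DCs) {
        $text   = Invoke-Native "w32tm /stripchart /computer:$dc /samples:1 /dataonly"
        $m      = [regex]::Match($text, '([+-]\d+\.\d+)s')
        $offset = $null
        if ($m.Success) { $offset = [double]$m.Groups[1].Value }
        New-Object PSObject -Property @{
            DC            = $dc
            OffsetSeconds = $offset
            OverTolerance = (($offset -ne $null) -and ([math]::Abs($offset) -gt 300))
        }
    }
}

function Test-SecureChannel {
    # nltest /sc_query reports whether each DC's secure channel to the domain
    # is healthy; NERR_Success is the good answer. A broken channel is what
    # the machine-account password reset in step 1 is meant to repair.
    foreach ($dc in $DCs) {
        $text = Invoke-Native "nltest /server:$dc /sc_query:$Domain"
        New-Object PSObject -Property @{ DC = $dc; Healthy = ($text -match 'NERR_Success') }
    }
}

$repl = @(Get-ReplicationStatus)
$repl | Format-Table DC, DsaGuid, ErrorCount, Errors -AutoSize
Test-DcDnsRecords -ReplStatus $repl | Format-Table DnsServer, SrvTargets, MissingCnames -AutoSize
Test-ClockSkew | Format-Table DC, OffsetSeconds, OverTolerance -AutoSize
Test-SecureChannel | Format-Table DC, Healthy -AutoSize
```

Read the four tables together rather than one at a time: a DC whose DNS server is missing a partner's CNAME, a clock offset over tolerance, or an unhealthy secure channel each point at a different cause for the same "Access is denied" text, and the sweep separates them without touching any DC. If repadmin itself cannot reach DC2 (an RPC or access error before any partner list is printed), the secure channel and clock results are the ones to look at first.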