AD cannot replicate between 2 DCs


  • AD cannot replicate between 2 DCs

    I have 2 Win 2K3 servers, the PDC has no service packs, the second DC has SP2. Originally installed AD with DCPromo months ago on second DC and thought all was well. Now having user connection issues. From the PDC if I try to force replication in AD Sites and Services, get:
    AD cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
    From the second DC if I try to force replication I get:
    The target principal name is incorrect.
    I saw a tidbit on MS TechNet to add the key
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
    but this didn't help.
    Event Viewer on the PDC shows IDs 1308,1864,1988,2042 all related to this mess.
    I tried to demote the second DC with DCPromo but, since the replication connection is faulty, it errors out.
    Any suggestions would be welcomed. Thank you in advance.

  • #2
    Re: AD cannot replicate between 2 DCs

    You might want to start here:
    and here:
    Technical Consultant

    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"
    • #3
      Re: AD cannot replicate between 2 DCs

      For future reference, questions related to Active Directory/DNS are best asked in the Active Directory forum. One of the MODs will most likely move this shortly.

      The worst fear of any AD Admin.
      Your problem is because you probably have lingering objects on the old DC.
      And since it is a fresh Windows 2003 AD installation (not a 2000 AD upgrade), you have "Strict Replication Consistency" enabled.
      Combine the two and you have what's called replication blocking, which prevents lingering objects from spreading to other domain controllers; this is done by stopping all replication to the affected domain controller and isolating it.
      You must remove the lingering objects on the outdated DC (using RepAdmin); only then will replication come back to normal.
      But first you must determine which of the two DCs is the outdated DC, meaning the DC that was offline more than 60 days.
      Your domain tombstone lifetime is 60 days, not 180 days, even though you have a DC that is Win2003 w/SP2.

      As a golden rule, scenarios where the TSL will not be set to 180 days include:
      Forests built from a 2000 or 2003 (non-SP1) based DC.
      Forests built from a 2003 SP1 DC where the DC was upgraded in place from 2000.
      Forests built from a 2003 SP1 DC where the OS originated as 2003 and SP1 was installed afterwards.
      Forests built from 2003 R2 media.

      NOTE: This conflicts with expectations because 2003 R2 media is essentially 2003 with SP1. Expectations are that the TSL should be set to 180. However, this does not occur because of an incorrect schema.ini file on the R2 media. For forests built from a 2003 R2-based DC, the TSL must be manually changed to 180 if the larger value is desired.

      Lingering objects prevent Active Directory replication from occurring

      Lingering objects may remain after you bring an out-of-date global catalog server back online

      Outdated Active Directory objects generate event ID 1988 in Windows Server 2003
      Last edited by Akila; 23rd October 2008, 16:31.
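A worked diagnostic for the procedure described in #3, added here as an example (it is not from the thread or from Microsoft): it reads the forest tombstone lifetime, checks the strict-consistency setting, lists replication status so the long-out-of-sync partner can be identified, and runs repadmin's lingering-object removal in advisory mode before any real change. The DC names, domain DN and variable names are placeholders.

```powershell
# Added example, not from the thread. Placeholder values: replace with your own.
$Domain    = "DC=example,DC=local"     # placeholder: domain naming context
$CleanDC   = "DC1.example.local"       # placeholder: DC believed to be authoritative
$SuspectDC = "DC2.example.local"       # placeholder: DC suspected of holding lingering objects

# 1. Forest tombstone lifetime. An empty attribute means the default applies,
#    which on a forest built from 2003 RTM media is 60 days (see post #3).
dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,$Domain" `
    -scope base -attr tombstoneLifetime

# 2. Strict replication consistency on the suspect DC (1 = strict: a partner
#    that sends an object this DC no longer knows gets blocked, as described above).
reg query "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
    /v "Strict Replication Consistency"

# 3. Replication status and last-success times. The partner whose last
#    successful replication is older than the tombstone lifetime is the outdated one.
repadmin /showrepl $SuspectDC /verbose

# 4. The DSA object GUID of the clean DC; /removelingeringobjects needs it,
#    not the hostname. The first "DSA object GUID" line is the DC's own.
$guidLine  = repadmin /showrepl $CleanDC |
             Select-String "DSA object GUID" | Select-Object -First 1
$CleanGuid = ($guidLine.Line -split ":\s*")[-1].Trim()

# 5. Dry run: compare the suspect DC against the clean DC and only log, in the
#    Directory Service event log, which objects would be deleted.
repadmin /removelingeringobjects $SuspectDC $CleanGuid $Domain /advisory_mode

# 6. Only after reviewing those events, rerun step 5 without /advisory_mode
#    to actually delete the lingering objects, then retry replication.
```

repadmin /removelingeringobjects needs Windows Server 2003 SP1 or later on the DC being cleaned, so in the original question it can only be run against the SP2 DC; a DC without a service pack that turns out to be the outdated one is normally taken out with a forced demotion and metadata cleanup instead.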