AD Replication Problem

We have a Windows 2008 R2 forest and domain functional level. We have HO + 5 sites (Regional Offices). All ROs have an ADC/DNS placed along with a Juniper firewall. We are facing an AD replication problem with one of the sites. I am able to ping all the ADCs from the ROs using IP, host name, FQDN and CNAME. nslookup is working fine, but when I try to forcefully replicate, it's not happening, nor is it happening automatically via the KCC-generated topology. I am able to telnet to all DCs and vice versa except port no. TCP 5722, UDP 123 & UDP 125.

The site where we are facing this problem is getting FRS event IDs 13508 and 13562.

Directory Services continuously logs events 1925 (KCC), 2024 (Replication), 1865 (KCC), 1311 (KCC) & 1566 (KCC).

While I tried repadmin /removelingeringobject "FQDN of Good DC" "GUID of BAD DC" "NC" /advisory_mode, the command says "8524 the DSA operation is unable to proceed because of a DNS lookup failure" and it stopped.

Please Help....

May 26th, 2015 2:04am

Hi

For KCC errors, check this article:

http://blogs.technet.com/b/askds/archive/2008/10/31/troubleshooting-kcc-event-log-errors.aspx

Error 8524:

https://technet.microsoft.com/en-us/library/replication-error-8524-the-dsa-operation-is-unable-to-proceed-because-of-a-dns-lookup-failure%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

And make sure the firewall & AV are disabled on the DC; check the firewall device configuration and logs.

And if you demote a DC from the domain, please do a metadata cleanup, and check that all records are updated in AD DS, DNS, Active Directory Sites and Services, and DFS.

Clean up server metadata:

https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

May 26th, 2015 2:45am

Hello Dev

It looks like there is a network issue stopping AD replication between the RODC and the RWDC (HO).

To rule out a DNS issue, can you try restarting Netlogon at the RODC, which will re-register all service records in DNS.

i.e. at a command prompt: net stop netlogon & net start netlogon.

Then try checking the network connectivity between those DCs. You need to verify that the AD ports are open between these DCs using either the PortQry tool or telnet.

AD port requirement:

https://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

RODC port requirement:

https://technet.microsoft.com/library/dd728028(WS.10).aspx

Note: if the RODC is firewalled then you need to provide a static port for FRS (53248) as mentioned in the article.

To make RODC use static FRS port:

https://support.microsoft.com/en-us/kb/319553?wa=wsignin1.0

May 26th, 2015 2:59am
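The checks the replies above describe (port reachability between DCs, the DC SRV records in DNS, the static FRS port from KB 319553, the Netlogon restart and a repadmin summary) can be scripted so they are run the same way on each site. The script below is an added example, not code from this thread or from any of the linked Microsoft articles. The host names hodc01/hodc02 and the domain corp.example are assumptions; the port list is the standard set of DC-to-DC TCP ports plus TCP 5722 (DFSR) from the question and 53248 (static FRS) from the reply. It avoids Test-NetConnection and Resolve-DnsName on purpose, because neither cmdlet exists on Windows Server 2008 R2.

```powershell
# Added example (not from the thread or the linked articles).
# Run in an elevated PowerShell session on the DC at the site with the problem.
# Host names and domain are assumptions; replace them with your own.
$PeerDcs   = @('hodc01.corp.example', 'hodc02.corp.example')   # assumed FQDNs of the HO DCs
$DomainDns = 'corp.example'                                    # assumed AD DNS domain name

# TCP ports domain controllers need between each other for AD and SYSVOL replication.
# 5722 (DFSR) is the port the question reports as blocked; 53248 is the static FRS
# port from KB 319553 and only matters once that registry value has been set.
$TcpPorts = @{
    88    = 'Kerberos'
    135   = 'RPC endpoint mapper'
    389   = 'LDAP'
    445   = 'SMB (SYSVOL share)'
    636   = 'LDAP over SSL'
    3268  = 'Global Catalog'
    5722  = 'DFSR'
    53248 = 'FRS static RPC port (if configured)'
}

# A TcpClient connect with a timeout works on 2008 R2 / PowerShell 2.0.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered / no route
        $client.EndConnect($async)   # throws if the port is closed (RST)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DcPorts {
    param([string[]]$Computers, [hashtable]$Ports)
    foreach ($dc in $Computers) {
        foreach ($port in ($Ports.Keys | Sort-Object)) {
            New-Object PSObject -Property @{
                Target  = $dc
                Port    = $port
                Purpose = $Ports[$port]
                Open    = Test-TcpPort -ComputerName $dc -Port $port
            }
        }
    }
}

# The _ldap._tcp.dc._msdcs SRV set is what the KCC and repadmin resolve first; a partner
# missing from it is a typical cause of error 8524. nslookup is parsed because
# Resolve-DnsName does not exist on 2008 R2.
function Get-DcSrvTargets {
    param([string]$Domain)
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>$null
    $out | ForEach-Object {
        if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1].TrimEnd('.') }
    }
}

# KB 319553 (linked above) pins FRS to one port through this REG_DWORD; read it so the
# firewall rule and the DC are known to agree. Returns $null when FRS still uses dynamic RPC.
function Get-FrsStaticPort {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    $prop = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($prop -and $prop.PSObject.Properties['RPC TCP/IP Port Assignment']) {
        return [int]$prop.'RPC TCP/IP Port Assignment'
    }
    return $null
}

# --- run the checks ---------------------------------------------------------
Test-DcPorts -Computers $PeerDcs -Ports $TcpPorts |
    Format-Table Target, Port, Open, Purpose -AutoSize

$srv = Get-DcSrvTargets -Domain $DomainDns
foreach ($dc in $PeerDcs) {
    "SRV record for $dc present: $($srv -contains $dc)"
}

$frsPort = Get-FrsStaticPort
"FRS static RPC port: " + $(if ($frsPort) { $frsPort } else { 'not configured (dynamic RPC)' })

# UDP 123 cannot be probed with a TCP connect; w32tm performs a real NTP exchange instead.
foreach ($dc in $PeerDcs) { & w32tm /stripchart /computer:$dc /samples:2 /dataonly }

# Re-register this DC's SRV records (what "net stop/start netlogon" in the reply does),
# then ask repadmin for a per-partner summary of replication failures.
Restart-Service -Name Netlogon
& repadmin /replsummary
```

A port reported as Open = False can be either filtered by the Juniper firewall or simply closed on the partner; the distinction is in whether the connect timed out or was refused, so compare the result with the firewall's session log for the same source and destination. Run the port test in both directions (from the HO DCs back to the site as well), since replication is pull-based and each DC initiates its own connections.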

