Domain controllers Active Directory replication failure on cross-premise network

Hi all,

My domain controllers on Azure and on-premise used to replicate the directory until a few days ago. I didn't realize there was a payment problem on my Azure subscriptions and my services were disabled. After I made the payment, I recreated the removed VNet gateway and established the site-to-site VPN.

Even though the domain controllers are able to ping and nslookup each other now, the directory service has stopped replicating between the two DCs. There are many Error 1863 and Warning 2089 entries in the event viewer.

I tried to look for solutions to Error 1863 for a day but found very little information about it. I also tried to demote DC2 (on-premise) and promote it again, but I got errors while demoting it. Below is the screenshot of the error.

I have an idea now, which is to disjoin DC2 from the domain and force-remove the AD role, then rejoin the domain and promote it to DC2 again. Can anyone advise if this is something doable? Any suggestions or advice are much appreciated.

Thanks,

Chee-Kian

July 28th, 2015 2:32pm

Hi Purvesh,

Thanks for your reply. No roles exist on my DC2. My DCs are running Windows Server 2012 R2. DCPROMO /FORCEREMOVAL doesn't work on my machine, so I tried to remove AD from Server Manager and got the errors which I posted in my first post. Any idea?

Thanks,

CK

July 29th, 2015 7:41am

In that case you can use the steps below to remove the DC from AD.

Download the script from the link below for metadata cleanup.

https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

Copy the code into Notepad and save it as metadatacleanup.vbs, then open a command prompt (run as administrator) on one of the DCs, go to the path where you saved the script and run the command cscript metadatacleanup.vbs

It will ask for the name of the domain controller you want to remove; type the crashed DC's name and the script will remove it automatically. Once this is done you have to remove the crashed DC from DNS manually as given below.

Manual Steps

Dnsmgmt.msc [DNS Management]
 A. Expand the forward lookup zones\_msdcs folder
 i. Make sure only the actual domain controllers are listed; delete wrong Alias (CNAME) records and remove wrong Name Server (NS) records
 ii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_sites\sitename\_tcp] and delete any incorrect _ldap and _kerberos records listed
 iii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_tcp] and delete incorrect _ldap and _kerberos records
 iv. Expand [forward lookup zones\_msdcs.domain.com\domains\guid\_tcp] and delete incorrect _ldap entries
 v. Select [forward lookup zones\_msdcs.domain.com\gc] and delete incorrect Host (A) records
 vi. Expand [forward lookup zones\_msdcs.domain.com\gc\_sites\sitename\_tcp] and delete incorrect _ldap entries
 vii. Select [forward lookup zones\_msdcs.domain.com\gc\_tcp] and delete incorrect _ldap entries
 viii. Select [forward lookup zones\_msdcs.domain.com\pdc\_tcp] and delete incorrect _ldap entries
 
 B. Expand the forward lookup zones\domain.com folder
 i. Delete Host (A) records of DCs which are non-existent.
 ii. Correct the Name Server (NS) records
 iii. Follow steps similar to A ii to A viii
 
Dssite.msc [Sites and Services]
 A. Expand [Sites\Sitename\Servers] and delete incorrect servers
 B. Delete incorrect subnet configurations [Sites\Subnets]
 C. Delete incorrect site links [Sites\IP]
 
  Make sure the domain controllers are pointing to the correct DNS servers in their TCP/IP settings.
  Force replication: repadmin /syncall


July 29th, 2015 7:47am
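The manual DNS walk in the reply above (locator records under _msdcs, Host (A) and NS records in the domain zone) can be done in one pass from a surviving DC. The script below is an added example and is not part of the original thread or the linked TechNet script; it assumes the crashed DC is named DC2 at 10.0.1.5 in the domain domain.com, that DC1 hosts the AD-integrated zones, and that the DnsServer and ActiveDirectory RSAT modules are available. It only reports by default; pass -Delete to actually remove records, and it refuses to run while the DC object still exists in AD so that DNS is not cleaned before the metadata cleanup is done.

```powershell
# Added example (not from the original thread): find, and optionally delete, every
# DNS record in the domain zone and in _msdcs that still points at a DC that has
# already been removed from Active Directory. All names/IPs below are assumptions.
#Requires -Modules DnsServer, ActiveDirectory

param(
    [string]$DeadDc     = 'DC2',         # assumed: short hostname of the crashed DC
    [string]$DeadDcIp   = '10.0.1.5',    # assumed: the IP it registered in DNS
    [string]$DomainName = 'domain.com',  # assumed: AD domain / zone name
    [string]$DnsServer  = 'DC1',         # assumed: surviving DC hosting the zones
    [switch]$Delete                      # without -Delete, runs Remove-* with -WhatIf
)

$deadFqdn = "$DeadDc.$DomainName"

# Safety check: metadata cleanup must already have removed the DC object, otherwise
# the surviving DC will simply re-register the records we are about to delete.
$stillInAd = Get-ADDomainController -Filter "Name -eq '$DeadDc'" -ErrorAction Stop
if ($stillInAd) {
    throw "$DeadDc still exists in Active Directory; run metadata cleanup first."
}

# Records are matched by their target, not by name, so one filter covers the
# _ldap/_kerberos/_gc SRV records, the <dsa-guid> CNAME, NS records and A records.
function Test-PointsAtDeadDc {
    param($Record)
    $d = $Record.RecordData                     # capture before switch rebinds $_
    switch ($Record.RecordType) {
        'A'     { $d.IPv4Address.IPAddressToString -eq $DeadDcIp }
        'SRV'   { $d.DomainName.TrimEnd('.')    -eq $deadFqdn }
        'CNAME' { $d.HostNameAlias.TrimEnd('.') -eq $deadFqdn }
        'NS'    { $d.NameServer.TrimEnd('.')    -eq $deadFqdn }
        default { $false }
    }
}

$zones = @($DomainName, "_msdcs.$DomainName")
$found = 0

foreach ($zone in $zones) {
    $stale = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone |
             Where-Object { Test-PointsAtDeadDc $_ }

    foreach ($r in $stale) {
        $found++
        Write-Host ("{0,-22} {1,-6} {2}" -f "$zone/$($r.HostName)", $r.RecordType, $r.RecordData)
        # -WhatIf is honoured even with -Force, so the default run is read-only.
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone `
            -InputObject $r -Force -WhatIf:(-not $Delete)
    }
}

if ($found -eq 0) { Write-Host "No records referencing $deadFqdn found in $($zones -join ', ')." }
else { Write-Host "$found stale record(s) $(if ($Delete) { 'removed' } else { 'listed (re-run with -Delete to remove)' })." }
```

After the records are gone, the surviving DC's own locator records should be re-registered with `ipconfig /registerdns` and a restart of the Netlogon service, and the DNS client settings of every DC checked so none of them still lists the dead DC as a resolver.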

Hi Chee,

This issue may be caused by replication. You could run DCDIAG.exe to collect detailed information,

and you could also use the support tool REPADMIN.exe to display the replication latencies of the DCs in the forest. I would appreciate it if you could share the report.

Event ID 1863 may be an indication that the AD contains lingering objects. These can occur if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime.

Besides, if you have decided to demote the DC, the following article can be referred to.

You can use it to forcefully remove a domain controller:

http://www.procompgroup.com/library/entry/How-To_Demote_a_DC_or_manually_remove_a_DC/

After that, you should clean up the metadata in the Active Directory forest:

http://windocuments.net/forceremovaldc.html

Hope this can be helpful to you.

Best regards

July 30th, 2015 9:51pm
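The reply above asks for the replication report and points at the tombstone lifetime as the threshold behind Event ID 1863. The script below is an added example, not from the original thread: it builds that report with the ActiveDirectory module's replication cmdlets, reads the forest's tombstoneLifetime, flags every inbound partner whose last successful replication is older than that value, and prints the repadmin advisory-mode command for each flagged pair so lingering objects can be checked before anything is deleted. It assumes it is run as a Domain Admin on a domain-joined machine with RSAT; the DC names it prints come from the directory.

```powershell
# Added example (not from the original thread): per-partner replication health
# report, compared against the forest tombstone lifetime (TSL). A partner that has
# been silent for longer than the TSL is the condition that triggers Event ID 1863
# and is a candidate source of lingering objects.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# tombstoneLifetime lives on CN=Directory Service under the Configuration NC.
# When the attribute is absent the forest uses its default; assumed here to be 60 days.
$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObj    = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" -Properties tombstoneLifetime
$tsl      = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $tsl days"

$dcs = Get-ADDomainController -Filter *

# One row per (destination DC, source partner, partition).
$report = foreach ($dc in $dcs) {
    try {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop |
        ForEach-Object {
            $age = (Get-Date) - $_.LastReplicationSuccess
            [pscustomobject]@{
                Destination = $dc.Name
                # Partner is the DN "CN=NTDS Settings,CN=<dc>,CN=Servers,..."; pull <dc> out.
                Source      = (($_.Partner -split ',')[1] -replace '^CN=')
                Partition   = $_.Partition
                LastSuccess = $_.LastReplicationSuccess
                DaysSilent  = [math]::Round($age.TotalDays, 1)
                Failures    = $_.ConsecutiveReplicationFailures
                LastResult  = $_.LastReplicationResult      # 0 = success, else Win32 error
                OverTsl     = $age.TotalDays -gt $tsl
            }
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

$report | Sort-Object DaysSilent -Descending | Format-Table -AutoSize

# Outstanding failures as the KCC sees them (error code, count, first failure time).
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Format-Table Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError -AutoSize

# For every partner over the TSL, emit the advisory-mode check. repadmin wants the
# objectGUID of the *source* DC's NTDS Settings object, not its computer object.
foreach ($row in ($report | Where-Object OverTsl)) {
    $src     = $dcs | Where-Object Name -eq $row.Source
    $srcGuid = (Get-ADObject $src.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    Write-Host "repadmin /removelingeringobjects $($row.Destination) $srcGuid `"$($row.Partition)`" /ADVISORY_MODE"
}
```

Advisory mode only logs what it would delete (Event IDs 1938/1942 on the destination DC); run the same command without /ADVISORY_MODE once the list looks right. If the outage really was longer than the tombstone lifetime, the cleaner path for a two-DC environment is usually the one the original poster proposed: forcibly remove the stale DC, clean up its metadata and DNS records, and promote it again, rather than trying to reconcile its partitions.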
