A client brought to my attention that their DNS is getting a bit flaky, and
changes made to one DNS server weren't getting to the other one. When I ran
NETDIAG, I found that netlogon wasn't running, and the reason was that the
Server service was missing. Once I got it reinstalled,
NETDIAG /TEST:DNS now passes everything... However, REPLMON still gives
me these errors when I have it search for replication errors:
DC2 DC=DomainDnsZones,DC=DomainName,DC=Com
Default-First-Site-Name\DC1
DC2 DC=ForestDnsZones,DC=DomainName,DC=Com
Default-First-Site-Name\DC1
In both cases, the failure code and the reason are the same:
Failure Code: 8614
Failure Reason: The Active Directory cannot replicate with this
server because the time since the last replication with this server has
exceeded the tombstone lifetime.
And DCDIAG showed:
Starting test: Replications
[Replications Check,DC2] A recent replication attempt failed:
From DC1 to DC2
Naming Context: DC=ForestDnsZones,DC=DomainName,DC=com
The replication generated an error (8614):
The Active Directory cannot replicate with this server because
the time since the last replication with this server has exceeded the
tombstone lifetime.
The failure occurred at 2006-01-26 14:47:25.
The last success occurred at 2005-06-20 23:28:30.
10554 failures have occurred since the last success.
[Replications Check,DC2] A recent replication attempt failed:
From DC1 to DC2
Naming Context: DC=DomainDnsZones,DC=DomainName,DC=com
The replication generated an error (8614):
The Active Directory cannot replicate with this server because
the time since the last replication with this server has exceeded the
tombstone lifetime.
The failure occurred at 2006-01-26 14:47:25.
The last success occurred at 2005-11-12 15:28:09.
3607 failures have occurred since the last success.
REPLICATION-RECEIVED LATENCY WARNING
DC2: Current time is 2006-01-26 15:06:24.
DC=ForestDnsZones,DC=DomainName,DC=com
Last replication recieved from DC1 at 2005-06-20 23:27:43.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
DC=DomainDnsZones,DC=DomainName,DC=com
Last replication recieved from DC1 at 2005-11-12 15:28:11.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
It seems that AD is replicating, even though DNS isn't.
So, my question is, do I add a new server as a temporary DC/DNS server (DC2
does NOT hold any FSMO master roles, thank goodness, although it is a global
catalog), blow away the existing DC2, clean up the metadata in AD, and then
reinstall the server? Is it OK to use the same server name and IP
addresses? Can I leave the DNS records that still reference DC2 during this
time, or do I need to get rid of them?
Or would it be better to leave the server alone, just removing DNS? Can you
even do that? I know that you can install AD on a server without DNS, but
can you remove DNS from a DC, if there are already other DNS servers
servicing the AD tree?
Given the fact that this server doesn't really hold any critical roles, I
think I'm leaning more towards the first option.
Thanks in advance,
Mark
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
"Mark Levy" <no-...@nowhere.com> wrote in message
news:uwW5qksI...@TK2MSFTNGP10.phx.gbl...
I wouldn't say that blowing away DC2 is the answer, nor can I say blowing
away DC1 is the answer either.
You will have to make that decision based on which DC has the correct
database for your network. Chances are it will be the one holding the FSMO
roles; however, you may find that DC2 is holding some very important data you
don't want to lose.
Take for instance, about a year ago, I had a client contact me about the
same issue, but one of the DCs had Exchange 2003 on Win2k3, while the other
DC was Win2k. Even though the Win2k held all FSMO roles, I kept the Win2k3,
seized the roles, and did a /forceremoval and Metadata cleanup to remove the
Win2k to prevent problems with Exchange.
You should probably contact MS PSS before making a decision on which DC
should be kept, as there is no other way to recover tombstoned DCs. Remember,
from each DC's viewpoint it has the right data and the other DC is
tombstoned.
In all likelihood, based on what I know from your post, DC1 is probably the
keeper and DC2 should have dcpromo /forceremoval and be cleared from AD with
metadata cleanup.
--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
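The route Kevin describes (dcpromo /forceremoval on the tombstoned DC, then metadata cleanup on the DC being kept), written out as an added example; this is not code from the thread or from either poster. It assumes Windows Server 2003 SP1 or later tooling (the one-line "remove selected server" form of ntdsutil), that DC2's server object sits in Default-First-Site-Name like DC1's (the thread only shows DC1's site), and that DomainName.Com is the AD-integrated zone. Nothing here is run against DC2's database; that copy is past the tombstone lifetime and must not be merged back.

```powershell
# Added example: forced demotion of a tombstoned DC and cleanup of what it leaves behind.
# Step 1 runs on DC2 itself; every other step runs on DC1 (the keeper).

$domainDn   = "DC=DomainName,DC=Com"       # from the thread
$zoneName   = "DomainName.Com"             # from the thread
$keeper     = "DC1"
$victim     = "DC2"
$victimSite = "Default-First-Site-Name"    # assumption: the thread only shows DC1's site
$serverDn   = "CN=$victim,CN=Servers,CN=$victimSite,CN=Sites,CN=Configuration,$domainDn"

# Step 1 - on DC2, never on DC1. /forceremoval demotes without replicating anything
# out, which is the point: DC2's partitions are more than a tombstone lifetime behind.
#     dcpromo /forceremoval

# Step 2 - on DC1. Remove DC2's NTDS Settings and server objects from the configuration
# partition. ntdsutil asks for one confirmation before deleting.
& ntdsutil.exe "metadata cleanup" "remove selected server $serverDn" quit quit

# Step 3 - on DC1. Metadata cleanup does not touch DNS. DC2's A record and the SRV/CNAME
# records that advertise it as a DC (under _msdcs, _sites, _tcp) stay behind and keep
# sending clients to a server that no longer answers LDAP or Kerberos.
& dnscmd.exe $keeper /RecordDelete $zoneName $victim A /f
# Print the zone (and the _msdcs zone, if it is delegated as its own zone) and list
# every remaining record that still names DC2; delete each one with /RecordDelete.
foreach ($zone in @($zoneName, "_msdcs.$zoneName")) {
    & dnscmd.exe $keeper /ZonePrint $zone | Select-String -Pattern $victim
}

# Step 4 - verification on DC1. Force the KCC to recompute the topology, then confirm
# DC2 is gone from the partner list, the domain lists only DC1 as a DC, and the
# Replications test passes with no 8614. The computer account under
# OU=Domain Controllers should also be gone; delete it if it is not.
& repadmin.exe /kcc $keeper
& repadmin.exe /showrepl $keeper
& dsquery.exe server -domain $zoneName
& dcdiag.exe /s:$keeper /test:Replications
```

Run the ntdsutil line with the DN double-checked against `repadmin /showrepl DC1` first: "remove selected server" deletes whatever DN it is given, and there is no undo short of an authoritative restore.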
Luckily, this client has enough servers so that the DCs are dedicated to
providing DNS, WINS, and AD services. They've got 7 SQL servers, 60 TS
servers, about 12 other Windows servers. So, other than providing directory
services to the network, they really don't do anything else.
From the info I posted, is it only the DNS that wasn't replicating? It
seems that replmon.exe is telling me what's not working, but I have yet to
figure out how to see what _IS_ working. I hope that AD is replicating
between the two DCs.
Can you recommend any good references on performing an AD health check? I'm
new to Microsoft and AD, although I'm quite familiar with the technologies
behind directory services, as I've been working with Novell's eDirectory and
NDS since it was first released, and I did quite a bit of troubleshooting
NDS and eDirectory. I would love to find a good reference and "hands on"
instructions on how to ensure that AD is replicating properly, and basically
just perform regular health checks. So far, netdiag, dcdiag, and replmon
are tools I've found, and I'm just starting to scratch the surface on how to
use them, so any pointers would be very much appreciated.
Thanks again,
Mark
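Mark asks twice for the same thing: a way to see which partitions ARE replicating, not just the ones replmon flags, and a repeatable health check. The script below is an added example written for that purpose; it is not from the thread or from any of the posters. It parses the CSV form of `repadmin /showrepl`, reads the forest's actual tombstone lifetime from the configuration partition, and classifies every (destination DC, partition, source DC) link. A link whose last success is older than the tombstone lifetime is the 8614 condition dcdiag reported above. Assumptions: repadmin.exe is on the PATH (2003 support tools or later), the machine is domain-joined, and the account can read the configuration partition.

```powershell
# Added example: per-partition AD replication health report built on repadmin /showrepl /csv.

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service in the configuration partition.
    # If the attribute is unset, the effective value is 60 days (the default for forests
    # created on Windows 2000 or Windows Server 2003 before SP1), which matches the
    # "Tombstone Lifetime of 60 days" that dcdiag reported in the thread.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties["tombstoneLifetime"].Value
    if ($null -eq $value) { 60 } else { [int]$value }
}

function Get-ReplicationStatus {
    param(
        [string]$Scope = "*",                                   # "*" = every DC, or one DC name such as "DC2"
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays),
        [datetime]$Now = (Get-Date)
    )
    # repadmin /showrepl /csv emits one row per inbound link: destination DC, partition, source DC.
    $rows = & repadmin.exe /showrepl $Scope /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures    = [int]$row.'Number of Failures'
        $lastSuccess = [datetime]::MinValue
        $hasSuccess  = [datetime]::TryParse($row.'Last Success Time', [ref]$lastSuccess)
        $ageDays     = if ($hasSuccess) { ($Now - $lastSuccess).TotalDays } else { [double]::PositiveInfinity }

        # OK: the link replicated cleanly and is inside the tombstone lifetime.
        # TOMBSTONED: last success is older than the tombstone lifetime, or the DC already
        #             reports 8614 for it. This copy can never be reconciled by replication.
        # FAILING: recent failures, but still recoverable if the cause is fixed in time.
        $status = if ($row.'Last Failure Status' -eq '8614' -or $ageDays -gt $TombstoneLifetimeDays) { 'TOMBSTONED' }
                  elseif ($failures -eq 0) { 'OK' }
                  else { 'FAILING' }

        [pscustomobject]@{
            Destination      = $row.'Destination DSA'
            Source           = $row.'Source DSA'
            NamingContext    = $row.'Naming Context'
            Failures         = $failures
            LastSuccess      = if ($hasSuccess) { $lastSuccess } else { $null }
            DaysSinceSuccess = if ($hasSuccess) { [math]::Round($ageDays, 1) } else { 'never' }
            LastStatus       = $row.'Last Failure Status'
            Status           = $status
        }
    }
}

# Usage: one line per link, grouped by status, so the partitions that ARE replicating
# (Status = OK) are visible next to the ones replmon complains about.
Get-ReplicationStatus | Sort-Object Status, Destination, NamingContext |
    Format-Table Destination, Source, NamingContext, Failures, DaysSinceSuccess, LastStatus, Status -AutoSize
```

With `-Scope "*"` repadmin contacts every DC in the forest and will stall on any that is unreachable, so against a sick environment start with `Get-ReplicationStatus -Scope DC2` and `-Scope DC1` separately. A link marked TOMBSTONED on one side will usually show as OK from the other DC's point of view, which is Kevin's point above: each DC believes its own copy is the good one.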