Sounds like you have a problem with some lingering dc metadata.
I would suggest (I believe others did as well) to clean up your system and
then run some diagnostics.
+++++++++++++++++++++++++++++++++++++++++++++++
If you lost a dc you need to use ntdsutil and you may need to seize the 5
fsmo roles as well as clean up the metadata within AD.
Run the following on another dc's command prompt
netdom query fsmo
This will tell you if any of the roles were on the lost dc.
Metadata cleanup
http://support.microsoft.com/?id=216498
Seize roles
http://support.microsoft.com/default.aspx?scid=kb;en-us;255504
Starting with 2008, Active Directory cleans up the metadata for you. This
can be done from both ADUC and ADSS. The instructions to allow AD to do
this are listed below.
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx
+++++++++++++++++++++++++++++++++++++++++++++++
Running diagnostics against your Active Directory domain.
If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe
Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> ntfrsutl ds your_dc_name > c:\sysvol.log
-> dnslint /ad /s "ip address of your dc"
**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take into
account that slow links to dc's will also add to the testing time.
If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests without
having to learn all the switch options. The details will be output in
notepad text files that pop up automagically.
The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm
Just select both dcdiag and netdiag and make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)
When complete, search for fail, error and warning messages.
Description and download for dnslint
http://support.microsoft.com/kb/321045
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
"Stuart Munroe" <StuartMunroe@discussions.microsoft.com> wrote in message
news:45E0E6E7-B137-4AC2-B9FD-6B48EB5752BE@microsoft.com...
| Quote: |
Hello,
We have a small domain ~30 servers with two domain controllers. We are
seeing NTDS Replication Errors 1411 event every 1 minute in the Directory
Service log on one of our DCs attempting to replicate to two domain
controllers which have never fully existed. We had to change the hardware
for our second domain controller so dcpromo'd the box to remove it from the
domain, replace the hardware, reinstall and re-add to the domain with the
same name. The demotion appeared to work correctly but we believe some
orphaned entries were left in AD/DNS from the old server and the reinstall
didn't go well. When attempting to demote the new install it failed to
demote properly. We did a manual clean out and were very thorough, a couple
of technicians have checked no entries were left over.
We since reinstalled and re-added the domain controller. Everything is
working apart from these NTDS Replication errors on our original DC. I would
appreciate any advice on how to resolve this as I'm completely stumped. If I
use Active Directory Explorer and navigate to
CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL
there are three entries where there should only be two:
CN=DC1
CN=DC2
CN=DC2[]DEL:1f7c4def-.......-....-........31f0a0be65bd
Inside the third invalid CN=DC2[]DEL Entry there are two NTDS Settings
entries also with DEL in the name. The guid names of these two entries are
the same as those listed in the NTDS Replication error i.e.
a7dc8027-...-...c6ed0._msdcs.DOMAIN.LOCAL.
From what I can tell these are phantom entries that should have been deleted or
moved to the Deleted CN but are still sitting inside the live Sites CN
causing the errors. I need (I think) to remove these to stop the DC from
attempting to replicate on these connections which don't actually exist. The
problem is if I right click on them in Active Directory Explorer the Delete
option is greyed out. If I use ADSIEdit I am only able to see CN=DC1 and
CN=DC2 from the above list, the CN=DC2[]DEL..... entry isn't even listed.
Can anyone please advise what may be going wrong and how we can resolve this
issue?
Thanks - Stuart. |
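As an added example (not the poster's GUI script and not output captured from this domain), a small Python triage script for the verbose dcdiag log the reply asks you to collect (c:\dcdiag.log): it pulls out the per-DC "passed test / failed test" summary lines and flags every other line mentioning fail, error or warning, which is exactly what the reply says to search for. The log text embedded below is constructed to match the shape of real dcdiag summary lines.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of real "dcdiag /v" output; it is not
# output captured from the poster's domain.
SAMPLE_DCDIAG_LOG = """\
   Testing server: Default-First-Site-Name\\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC1] A recent replication attempt failed:
            From DC2 to DC1
            Naming Context: CN=Configuration,DC=DOMAIN,DC=LOCAL
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
         ......................... DC1 failed test Replications
      Starting test: Advertising
         Warning: DC1 is not advertising as a time server.
         ......................... DC1 passed test Advertising
   Testing server: Default-First-Site-Name\\DC2
      Starting test: Replications
         ......................... DC2 passed test Replications
"""

# Per-test verdict lines: "......... <dc> passed|failed test <TestName>"
RESULT_LINE = re.compile(r"^\s*\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")
# Everything else worth a look, per the advice to search for fail/error/warning
NOISE_LINE = re.compile(r"\b(fail(?:ed|ure)?|error|warning)\b", re.IGNORECASE)


def parse_dcdiag(text):
    """Return ({dc: {test: 'passed'|'failed'}}, [other flagged detail lines])."""
    results = defaultdict(dict)
    flagged = []
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            dc, outcome, test = m.groups()
            results[dc][test] = outcome
        elif NOISE_LINE.search(line):
            flagged.append(line.strip())
    return dict(results), flagged


def failed_tests(text):
    """Sorted (dc, test) pairs that failed; the first things to chase."""
    results, _ = parse_dcdiag(text)
    return sorted((dc, t) for dc, tests in results.items()
                  for t, r in tests.items() if r == "failed")
```

To run it on a real log, call parse_dcdiag(open(r"c:\dcdiag.log", errors="replace").read()); the flagged lines under a failed Replications test are where stale partner GUIDs like the ones in the 1411 events show up.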