Replication Errors after Replica Promotion

(c) Copyright Hewlett Packard Company 2004. All rights reserved.

PRODUCT: Microsoft Windows 2000[TM]
COMPONENT: Active Directory
SOURCE: Hewlett-Packard Company

INTRODUCTION:

This article describes how to create a low-level replication "link" by hand so that the KCC (Knowledge Consistency Checker) can create its replication connection objects. It was originally written for the case in which a newly promoted DC never generates outbound replication links, but it is useful on any occasion when the "Automatically generated connection" objects do not appear in the Sites and Services snap-in and the usual suspects (DNS, network connectivity, etc.) have already been checked. The technique is not intrusive and does no harm if it turns out not to be the cause; it simply gives the KCC a jump start, and it almost always resolves the issue.

In the Solution, identify which of your DCs correspond to DC1 and DC2 in the example. DC1 is any healthy DC in the domain; DC2 is the broken DC, the one that cannot generate any KCC connection objects. The repadmin commands below write to the Configuration naming context, so run them with an account that has rights to do so (Enterprise Admins or equivalent).

SYMPTOM:

The original DC (W2K in this example) is the forest root. DC1 and DC2 were promoted as replicas. On the new DC the Sysvol and Netlogon shares do not exist. Replication from the new machine to the root or original DC(s) fails, but replication from the original DC to the new DC is successful. Other symptoms include:

1. There is no automatically generated connection object from the original DC to the broken DC.
2. Replicate Now on the inbound connection objects on the original DC works from the broken DC.
3. Replicate Now on the connection objects on the broken DC from the original DC all fail with "Naming context is in the process of being removed or is not replicated from the specified server."
4. Check Replication Topology on the broken DC fails with the error "AD property not in cache."

SOLUTION:

Take the following steps:

1. On DC1 and DC2, install the Support Tools from the Windows 2000 or Windows Server 2003 CD if they are not already installed. Repadmin is part of the Support Tools.

2. Open a command prompt and run:

   C:\>repadmin /showreps

   At the top of the output you will see something like this:

   Atlanta\DC1
   DC Options: IS_GC
   Site Options: (none)
   DC object GUID: c78133f9-74ec-4fba-87f4-2514bd5aa540
   DC invocationID: 7061acb8-c0d5-463e-b50c-b5d077a6b4cf
   =================================================

3. The "DC object GUID" is the "server GUID" (also called the DSA GUID): the GUID that is used for replication. Do not confuse it with the invocationID printed on the next line, which is a different value.

4. Get the server GUID for each DC. Repadmin can be run against a remote DC; for instance, from DC1 the following command returns the server GUID of DC2:

   C:\>repadmin /showreps DC2

5. For the purpose of this example, the two server GUIDs are:

   DC1 server GUID = 1388A125-9318-4992-AA53-1A0519E24D0A
   DC2 server GUID = A8413FDA-3131-4F0D-AFE0-C1E110321D25

6. Delete all connection objects, manual and automatically generated. Do this in the Sites and Services snap-in. Note any manually created connection objects before deleting them: the KCC recreates its own automatic connections, but it does not recreate manual ones.

7. Create a new connection from the broken DC to the good DC with repadmin:

   C:\>repadmin /add "cn=configuration,dc=enterprises,dc=HP,dc=com" 1388A125-9318-4992-AA53-1A0519E24D0A._msdcs.enterprises.HP.com A8413FDA-3131-4F0D-AFE0-C1E110321D25._msdcs.enterprises.HP.com

   The syntax is repadmin /add <naming context> <destination DSA> <source DSA>. Note that the GUID of the good DC is listed first (destination) and the GUID of the broken DC last (source): this creates a connection object from the broken DC (source) to the good DC (destination). The DSA names are the server GUIDs with ._msdcs.<forest root DNS name> appended; enterprises.HP.com is the forest root in this example. If repadmin /add returns error 8441, "distinguished name already exists", the connection is already there; proceed to the next step.

8. Execute a full replication sync across the connection just built:

   C:\>repadmin /sync "cn=configuration,dc=enterprises,dc=HP,dc=com" DC1 A8413FDA-3131-4F0D-AFE0-C1E110321D25 /force /full

   Here the name of the good DC is listed first (destination) and the GUID of the broken DC (source) last. This forces a synchronization across the connection just made; a success notice should appear.

9. Validate that replication works. In Sites and Services there should now be an automatically generated connection object from DC1 to DC2 and from DC2 to DC1; you may have to refresh the snap-in to see the changes. Make sure "Replicate Now" works on each connection object without error. Also right-click the NTDS Settings object of each DC, choose All Tasks - Check Replication Topology, and make sure it runs without error. Check the Directory Service, System and Application event logs for related errors. To confirm end to end, create a new site in Sites and Services while focused on the broken machine and check that it replicates to the good one (remember to focus the snap-in on each machine to see its view of the world). Also create a user account on the broken machine in the Users and Computers snap-in and check that it replicates to the good machine. Together these test the configuration naming context (site creation) and the domain naming context (the user account).

[TM] Windows 2000 is a trademark of Microsoft Corporation.

CONTRIBUTORS:
Technical: Gary Olsen (313877)
Editorial: Ann Lovell (80164)

WIN2K W2K WIN2000 W2000
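The following PowerShell script is an added example and is not part of the original HP article. It drives steps 2 through 8 of the SOLUTION above: it reads each DC's "DC object GUID" from the header of repadmin /showreps (rather than copying it by hand), builds the <GUID>._msdcs.<forest root> DSA names, runs repadmin /add with the destination and source in the order the article specifies, treats error 8441 as "connection already exists", and then forces the full sync. The DC names DC1 and DC2 and the forest root enterprises.HP.com are the article's example values and are placeholders; the function names are the script's own. It assumes repadmin.exe is on the PATH and that the account running it may write to the Configuration naming context. Deleting the existing connection objects (step 6) is still done by hand in Sites and Services.

```powershell
# Added example (not from the original HP article). Drives steps 2-8 of the
# SOLUTION: read each DC's "DC object GUID" from "repadmin /showreps", build
# the <GUID>._msdcs.<forest> DSA names, create the connection with
# "repadmin /add" (destination first, source last) and force a full sync.
#
# Assumptions (hypothetical values; replace with your own):
#   -GoodDC      healthy DC = replication DESTINATION (DC1 in the article)
#   -BrokenDC    DC with no automatic connections = SOURCE (DC2 in the article)
#   -ForestRoot  DNS name of the forest root domain, whose _msdcs zone holds
#                the <DSA-GUID>._msdcs.<forest> records repadmin resolves
# Requires repadmin.exe on the PATH (Support Tools on 2000/2003, built in from
# 2008 on) and an account allowed to write to the Configuration naming
# context (Enterprise Admins or equivalent).
param(
    [string]$GoodDC     = 'DC1',
    [string]$BrokenDC   = 'DC2',
    [string]$ForestRoot = 'enterprises.HP.com'
)

# Return the DSA (server) GUID for a DC by parsing the header that
# "repadmin /showreps <dc>" prints. The invocationID on the following line is
# a different value and must not be used for /add or /sync.
function Get-DsaGuid {
    param([Parameter(Mandatory)][string]$DC)
    $lines = & repadmin /showreps $DC 2>&1
    foreach ($line in $lines) {
        if ("$line" -match 'DC object GUID:\s*([0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})') {
            return $Matches[1]
        }
    }
    throw "No 'DC object GUID' line in 'repadmin /showreps $DC' output:`n$($lines -join "`n")"
}

# <GUID>._msdcs.<forest root>: the DSA DNS name that repadmin /add expects.
function Get-DsaDnsName {
    param([string]$Guid, [string]$Forest)
    return "$Guid._msdcs.$Forest"
}

# Configuration NC DN from the forest root DNS name, e.g.
# enterprises.HP.com -> CN=Configuration,DC=enterprises,DC=HP,DC=com
function Get-ConfigNC {
    param([string]$Forest)
    $dcParts = ($Forest.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    return "CN=Configuration,$dcParts"
}

$configNC   = Get-ConfigNC $ForestRoot
$goodGuid   = Get-DsaGuid -DC $GoodDC
$brokenGuid = Get-DsaGuid -DC $BrokenDC
Write-Host "$GoodDC DSA GUID:   $goodGuid"
Write-Host "$BrokenDC DSA GUID: $brokenGuid"

# Step 7: repadmin /add <NC> <destination DSA> <source DSA>
# Destination = good DC, source = broken DC. Reversing them creates the
# connection the KCC already builds and does not fix anything.
$addOut  = & repadmin /add $configNC (Get-DsaDnsName $goodGuid $ForestRoot) (Get-DsaDnsName $brokenGuid $ForestRoot) 2>&1
$addText = $addOut -join "`n"
if ($addText -match '\b8441\b') {
    # 8441 = ERROR_DS_DRA_DN_EXISTS: the connection object is already there.
    Write-Host "Connection object already exists (8441); continuing."
} elseif ($LASTEXITCODE -ne 0 -or $addText -match 'failed') {
    throw "repadmin /add failed:`n$addText"
} else {
    Write-Host $addText
}

# Step 8: repadmin /sync <NC> <destination DC> <source DSA GUID> /force /full
$syncOut  = & repadmin /sync $configNC $GoodDC $brokenGuid /force /full 2>&1
$syncText = $syncOut -join "`n"
if ($LASTEXITCODE -ne 0 -or $syncText -match 'failed') {
    throw "repadmin /sync failed:`n$syncText"
}
Write-Host $syncText

# Step 9: run the KCC on both DCs (same as Check Replication Topology in the
# snap-in), then list the broken DC's replication partners so you can confirm
# that automatically generated connections now exist.
& repadmin /kcc $GoodDC
& repadmin /kcc $BrokenDC
& repadmin /showreps $BrokenDC
```

Run it from an elevated PowerShell session on either DC, for example `.\Fix-KccLink.ps1 -GoodDC DC1 -BrokenDC DC2 -ForestRoot enterprises.HP.com`. The script stops with the raw repadmin output on any failure other than 8441, so a wrong forest root (which makes the _msdcs names unresolvable) or insufficient rights on the Configuration naming context show up at the /add step rather than as a silent no-op.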