Channel: Directory Services forum

Replication Error to ChildDomain due to Tombstone lifetime


Hi!

I've noticed that I got some replication errors within my Active Directory domain.
My domain consists of a parent domain and a child domain. The parent domain has 2 domain controllers and the child domain has 1 domain controller.

If I look at the eventlog on one of the domain controllers in the parent domain, I've got events like:
DC2    1865    Warning    Microsoft-Windows-ActiveDirectory_DomainService    Directory Service
DC2    1566    Warning    Microsoft-Windows-ActiveDirectory_DomainService    Directory Service
DC2    1311    Error        Microsoft-Windows-ActiveDirectory_DomainService    Directory Service
DC2    2042    Error        Microsoft-Windows-ActiveDirectory_DomainService    Directory Service  

Basically they're saying that connection/replication to the child domain failed.

If I run repadmin /replsummary and repadmin /showrepl I receive the following message:
(8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

DCDIAG.exe returns errors on the KCC check as well as on replication against the child domain.

I've searched the forum and found a few others with the same issue:

https://social.technet.microsoft.com/Forums/windows/en-US/a5f64f43-c44f-47cd-9bcd-9c3790e0e6ba/receiving-error-in-ad-replication-but-somehow-passed-test-replications-?forum=winserverDS
https://social.technet.microsoft.com/Forums/sharepoint/en-US/9f3919db-ade9-4a36-927c-6853d29e2e4c/the-active-directory-cannot-replicate-with-this-server-because-the-time-since-the-last-replication?forum=winserverDS
https://social.technet.microsoft.com/Forums/windowsserver/en-US/cfb99ad9-562e-4bd5-8514-911db79591ff/active-directory-replication-2042-errors-between-2-dcs-involving-lingering-objects-on-both-possibly?forum=winserverDS
https://social.technet.microsoft.com/Forums/office/en-US/7066bff9-cf19-4698-bf81-9773ecb48130/two-child-domain-controllers-with-replication-errors?forum=winserverDS

So now I'm trying to fix the replication issues as gracefully as possible by demoting the domain controller in the Child Domain with the following code:

Import-Module ADDSDeployment
Uninstall-ADDSDomainController `
-DemoteOperationMasterRole:$true `
-DnsDelegationRemovalCredential (Get-Credential) `
-IgnoreLastDnsServerForZone:$true `
-LastDomainControllerInDomain:$true `
-RemoveDnsDelegation:$true `
-RemoveApplicationPartitions:$true `
-Force:$true

but it fails with the following message:

The operation failed because:
Active Directory Domain Services could not transfer the remaining data in directory partition CN=Schema,CN=Configuration,DC=Parent,DC=local to
Active Directory Domain Controller DC1.Parent.local.

"The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."

So I'm kind of stuck in a Catch-22 scenario and thinking about a "hard" removal with the following code:

Import-Module ADDSDeployment
Uninstall-ADDSDomainController `
-DemoteOperationMasterRole:$true `
-ForceRemoval:$true `
-Force:$true

So my question is:
Is there a better way to fix the issue other than doing a "hard" removal?
What kind of steps do I have to take after the "hard" removal?

PS. This issue occurs in my home-test lab environment so I do not care too much about the domain. But since I'm studying for MS Exams I would like to know the best way to handle a situation like this.
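
Added example, not part of the original post: a PowerShell check that compares each replication link's last successful sync against the forest tombstone lifetime, which is the condition behind error 8614 and event 2042 above. The function name, the sample rows and the child DC name CHILDDC1 are constructed for illustration; the commented lines at the end show how to feed it live data with the ActiveDirectory module.

```powershell
# Added example (not from the original post).
# Flags replication links whose last success is older than the tombstone lifetime.
function Find-StaleReplicationLink {
    param(
        # Objects exposing Server, Partner, Partition and LastReplicationSuccess
        [Parameter(Mandatory)] [object[]] $Metadata,
        [Parameter(Mandatory)] [int] $TombstoneLifetimeDays,
        [datetime] $Now = (Get-Date)
    )
    foreach ($link in $Metadata) {
        $age = [int][math]::Floor(($Now - $link.LastReplicationSuccess).TotalDays)
        [pscustomobject]@{
            Server    = $link.Server
            Partner   = $link.Partner
            Partition = $link.Partition
            AgeDays   = $age
            # True means the partner will refuse to replicate (8614) until the
            # stale DC is cleaned up or removed
            Exceeded  = $age -gt $TombstoneLifetimeDays
        }
    }
}

# Constructed sample rows: one healthy link, one stale link to a hypothetical child DC
$now = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ Server = 'DC2'; Partner = 'DC1'
        Partition = 'DC=Parent,DC=local'
        LastReplicationSuccess = $now.AddMinutes(-20) }
    [pscustomobject]@{ Server = 'DC2'; Partner = 'CHILDDC1'
        Partition = 'CN=Schema,CN=Configuration,DC=Parent,DC=local'
        LastReplicationSuccess = $now.AddDays(-200) }
)
Find-StaleReplicationLink -Metadata $sample -TombstoneLifetimeDays 180 -Now $now |
    Format-Table -AutoSize

# Live data on a domain controller (requires the ActiveDirectory module):
# $cfg  = (Get-ADRootDSE).configurationNamingContext
# $tsl  = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
#            -Properties tombstoneLifetime).tombstoneLifetime
# if (-not $tsl) { $tsl = 60 }   # an unset attribute means the 60-day default
# $meta = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Scope Server -Partition *
# Find-StaleReplicationLink -Metadata $meta -TombstoneLifetimeDays $tsl
```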





