Here is my environment:
- 4 domain controllers in one site. Two are Windows 2003 and two are new 2008 R2 servers.
- Several other sites, each with one DC in them for regional purposes.
Here's what happened:
- We had an issue with our SAN that caused us some issues. Someone rolled back the snapshots for two of the domain controllers (the Windows 2003 ones) to their state several hours before the outage. This caused some AD replication issues that I have since resolved (using instructions found online for recovering from a USN Rollback).
Here's what's wrong now:
- All went swimmingly yesterday with AD playing nicely, but today I moved the DHCP server from one of the 2003 servers to one of the 2008 R2 servers. I used a laptop to release and renew my address, and successfully got an IP from the new DHCP server.
- Now however, I am having replication problems. My 2003 servers are basically DC1 and DC2. The new 2008 servers that will be replacing them are DC-1 and DC-2. The DHCP server was moved from DC2 to DC-2. When I go into Active Directory Sites and Services, drill down to NTDS Settings for DC-1 and try to replicate to either DC1 or DC2 I get the following error:
The following error occurred during the attempt to synchronize naming context DomainDnsZones.domain.local from Domain Controller DC2 to DC-1: Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
This operation will not continue.
Looking at the event logs on DC-1 and DC-2, I am getting event 1988 indicating there are lingering objects that have been deleted from the local DCs. It gives me this info:
Source domain controller:
8118aa24-fe90-434e-96b7-1c108b0e4489._msdcs.domain.local
Object:
DC=IT-LAPTOP\0ADEL:818d56c4-56c7-4585-b93c-e9fca0553961,CN=Deleted Objects,DC=DomainDnsZones,DC=domain,DC=local
Object GUID:
818d56c4-56c7-4585-b93c-e9fca0553961
The source domain controller listed is the _msdcs DNS entry for DC2 (which coincidentally or not is the DC I demoted and promoted back into the fold a couple of days ago). Also, the object mentioned is the laptop I used to get an IP address from the new server (DC-2), which may or may not mean anything. It has never been deleted, however, and has been logged into the domain on and off for weeks.
I've tried following instructions in KBs and forums to use the repadmin command to remove this object. I typed the following on DC-1 and DC-2:
repadmin /removelingeringobjects DC2 a1ef938c-fbfc-461f-a85e-d9276c680b9c dc=domain,dc=local /advisory_mode
RemoveLingeringObjects successful on DC2.
The GUID above is for server DC-1.
If I check the event log on DC2 however, it indicates that no objects were found:
Active Directory has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
Source domain controller:
a1ef938c-fbfc-461f-a85e-d9276c680b9c._msdcs.domain.local
Number of objects examined and verified:
0
I've also tried running the command with the GUID of server DC2 (as it's that and not the NetBIOS name of the server listed in the original event) with the same results. I'm really not sure what to do in order to get this working. Ultimately DC1 and DC2 are going bye-bye anyway, and I'm not getting the error when I try to replicate to the regional DCs, but I'm worried about replication in the meantime (as currently most servers and workstations are still pointed at DC1 and DC2 for their DNS and other AD related things; DC1 still holding all the FSMO roles).
Any thoughts are appreciated. Thanks in advance.
**EDIT**
Also, replication the other way works fine (drill down to DC1 and select DC-1 or DC-2 to replicate). To further muddy the situation, although I get errors trying to replicate with DC1, I am *not* getting Event 1988 on it. Instead I get Event 1226:
The following object was created on a remote domain controller with an object name that already exists on the local domain controller.
Object:
DC=IT-LAPTOP,DC=domain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local
Object GUID:
3456863a-d31d-4833-8c94-65db160e06ec
Existing object GUID:
818d56c4-56c7-4585-b93c-e9fca0553961
The object with the following GUID will be renamed since the other object had this name more recently.
Object GUID:
818d56c4-56c7-4585-b93c-e9fca0553961
Renamed object name:
IT-LAPTOP
CNF:818d56c4-56c7-4585-b93c-e9fca0553961
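The post runs repadmin against one DC at a time and is unsure which GUID belongs to which DC. The following is an added example (not from the original post) that maps every DC to its DSA GUID (the NTDS Settings objectGUID that appears in the _msdcs CNAME and in event 1988, which is what /removelingeringobjects expects), runs an advisory-mode sweep of every DC against every other DC for each partition, and collects the related Directory Service events. It assumes the RSAT ActiveDirectory module is available, that it is run as a domain admin, and uses the post's domain.local naming as a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) is installed and the script runs as a domain admin on a DC or admin host.
Import-Module ActiveDirectory

# Placeholder domain name matching the post; adjust for a real environment.
$domainDn   = 'dc=domain,dc=local'
$partitions = @(
    $domainDn,
    "cn=Configuration,$domainDn",
    "dc=DomainDnsZones,$domainDn",
    "dc=ForestDnsZones,$domainDn"
)

# Map each DC to its DSA GUID. The NTDS Settings objectGUID is the value that shows
# up as <guid>._msdcs.domain.local and in event 1988; it is not the computer object GUID.
$dcs = Get-ADDomainController -Filter * | ForEach-Object {
    $ntds = Get-ADObject -Identity $_.NTDSSettingsObjectDN -Properties objectGUID
    [pscustomobject]@{ Name = $_.Name; Host = $_.HostName; DsaGuid = $ntds.ObjectGUID }
}
$dcs | Format-Table Name, Host, DsaGuid -AutoSize

# Advisory-mode sweep: check every DC against every other DC for every partition.
# /advisory_mode only logs what it would remove; nothing is deleted.
foreach ($target in $dcs) {
    foreach ($source in ($dcs | Where-Object { $_.Name -ne $target.Name })) {
        foreach ($nc in $partitions) {
            Write-Host "Checking $($target.Name) against $($source.Name) for $nc"
            & repadmin /removelingeringobjects $target.Host $source.DsaGuid $nc /advisory_mode
        }
    }
}

# Collect the events the post quotes (1988 lingering object, 1226 name conflict)
# plus the advisory-mode results (1942 summary, 1946 per-object) from each DC.
$filter = @{ LogName = 'Directory Service'; Id = 1988, 1226, 1942, 1946 }
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc.Host -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeCreated, Id,
            @{ n = 'Summary'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }
}
```

Once the advisory-mode events identify the DC that actually holds the lingering object, the same repadmin call without /advisory_mode removes it from that DC only.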