Hello.
I have 2 domain controllers (DC1, a Windows 2003 SBS server, and DC2, a Windows 2003 Standard server). DC1 is named srv and DC2 is named Data.
Some months ago the servers stopped replicating and the tombstone lifetime has expired.
I have been investigating the issue and found out that I am unable to connect to DC1 from DC2 using the Active Directory console (but I am able to connect to DC2 from DC1). I also found out that I wasn't able to browse DC1 from DC2 using the server name; the IP works fine, but not the UNC path. It gives the error "\\srv is not accessible... Logon failure: The target account name is incorrect."
I set the KDC service on DC2 to Manual and stopped the service. I rebooted the server and ran the command "netdom resetpwd /server:srv /userd:t-f\administrator /passwordd:x". I rebooted the server again, set the service back to Automatic, and started the service. Now I was able to browse DC1 again and was also able to connect to DC1 again.
I then started to remove lingering objects. I found 2 1988 events on DC1 and no 1388 or 1988 events on DC2. So I deleted the 2 lingering objects found in the event viewer using the command "repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition" and forced the replication to start again by editing the following registry settings on both DC1 and DC2:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"Allow Replication With Divergent and Corrupt Partner"=dword:00000001
After that the replication started and I could see that computer objects and user objects were updated, but now the Event Viewer logs event 1988 about lingering objects again.
Example1:
Source DC (Transport-specific network address):
56487647-e24b-4764-826b-6de2b501a09c._msdcs.T-F.local
Object:
DC=_gc._tcp\0ADEL:8aa54e2e-5439-4739-b491-a65e99498884,CN=Deleted Objects,DC=DomainDnsZones,DC=T-F,DC=local
Object GUID:
8aa54e2e-5439-4739-b491-a65e99498884
Example2:
Source DC (Transport-specific network address):
56487647-e24b-4764-826b-6de2b501a09c._msdcs.T-F.local
Object:
CN=SE3,OU=Win7_Computers,OU=Workstation_OU,OU=Klinik_OU,DC=T-F,DC=local
Object GUID:
49362c52-4703-4215-8883-0a9860b8e521
I tried deleting these lingering objects using the following command for example 1:
repadmin /removelingeringobjects srv 4348ce81-0585-4ce3-8cbe-e87c0164a127 DC=DomainDnsZones,DC=T-F,DC=local
But it gives me the following error message:
DsBindWithCred to srv.T-F.local failed with status -2146893022 (0x80090322):
The target principal name is incorrect.
I investigated further and found that I was again unable to browse DC1 using the UNC path and I was unable to connect to DC1 using Active Directory. I ran the netdom command again to reset the secure channels and it then worked again, but after about 15 minutes the error was back and I was again unable to browse DC1.
What is happening? Why does DC2 keep losing the connection to DC1, and why does it work briefly after running the netdom command and then fail again?