RE: [ActiveDir] Replication failures - lingering objects
Yeah…1952, nice huh? ;-) I love starting a new job and seeing an AD setup like this! We have one site, replication is still trying and incrementing the number of failures. It’s still under 60 days; so I guess technically I *could* turn replication back on and we *should* be ok, I’m just reluctant to do it. Besides this particular machine is both a dc/gc and the first exchange server in the site so you know I’m dying to decommission this box…

-alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 22, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Cc: 'Eric Fleischman'
Subject: RE: [ActiveDir] Replication failures - lingering objects

Ouch. Hasn't replicated since 1952... That is certainly interesting. I would say that is a bug somewhere though I guess it could represent a corrupted LDAP attribute value holding the replication status info. :o)

Out of curiosity I would look at your replication frequency and try to determine how many days out 5823 failures takes you. If it is trying to replicate with an out of site DC and you don't have change notification enabled on the site link you will have a minimum 15 minute interval which I believe that puts you just outside of 60 days. If it is greater than 15 minutes, you are well outside the 60 day period. I am not sure, but it may be that it doesn't try any more (and hence doesn't increment the attempts) once you are outside of the safe period. I would have to leave that to Eric or someone who has actually played with this and seen it though.

Either way, I think it is good you are shooting it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Saturday, May 21, 2005 10:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication failures - lingering objects

When running repadmin /showreps on one of the good DCs I get the following message only under cn=configuration

    Last attempt @ 2005-05-21 19:48.33 failed, result 8614:
    The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
    Last success @ 1952-08-19 22:59.10.
    5823 consecutive failure(s).

I agree…I’m already preparing to rebuild this server….

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 20, 2005 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication failures - lingering objects

I am confused, the config is the only partition not replicating? If the DC is not replicating due to being too far out because of TLS issues then it shouldn't be replicating anything.

Anytime you get into a position like that, I agree with Rick, mow the DC down and start over.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, May 17, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication failures - lingering objects

I have a DC that appears to have had some time synch problems before I got here… Subsequently, all other DCs have discontinued replication for the cn=configuration (per repadmin) with this DC. My question is; the first event I can see showing replication problems with this DC is on April 8th, which should mean that I’m not past the 60 day garbage collection period. It seems to me that I could modify the reg setting to allow the other DCs to resume replication and no lingering objects would be reintroduced because the deleted object info is still present. The offending DC is running Windows 2000 SP3. Any thoughts?

TIA

-Alex
RE: [ActiveDir] Replication failures - lingering objects
Ouch. Hasn't replicated since 1952... That is certainly interesting. I would say that is a bug somewhere though I guess it could represent a corrupted LDAP attribute value holding the replication status info. :o)

Out of curiosity I would look at your replication frequency and try to determine how many days out 5823 failures takes you. If it is trying to replicate with an out of site DC and you don't have change notification enabled on the site link you will have a minimum 15 minute interval which I believe that puts you just outside of 60 days. If it is greater than 15 minutes, you are well outside the 60 day period. I am not sure, but it may be that it doesn't try any more (and hence doesn't increment the attempts) once you are outside of the safe period. I would have to leave that to Eric or someone who has actually played with this and seen it though.

Either way, I think it is good you are shooting it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Saturday, May 21, 2005 10:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication failures - lingering objects

When running repadmin /showreps on one of the good DCs I get the following message only under cn=configuration

    Last attempt @ 2005-05-21 19:48.33 failed, result 8614:
    The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
    Last success @ 1952-08-19 22:59.10.
    5823 consecutive failure(s).

I agree…I’m already preparing to rebuild this server….

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 20, 2005 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication failures - lingering objects

I am confused, the config is the only partition not replicating? If the DC is not replicating due to being too far out because of TLS issues then it shouldn't be replicating anything.

Anytime you get into a position like that, I agree with Rick, mow the DC down and start over.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, May 17, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication failures - lingering objects

I have a DC that appears to have had some time synch problems before I got here… Subsequently, all other DCs have discontinued replication for the cn=configuration (per repadmin) with this DC. My question is; the first event I can see showing replication problems with this DC is on April 8th, which should mean that I’m not past the 60 day garbage collection period. It seems to me that I could modify the reg setting to allow the other DCs to resume replication and no lingering objects would be reintroduced because the deleted object info is still present. The offending DC is running Windows 2000 SP3. Any thoughts?

TIA

-Alex
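
The estimate joe describes (failure count times replication interval, compared with the tombstone lifetime), worked as an added Python example that is not part of the original thread. The 15-minute interval and 60-day lifetime are the thread's figures passed in as parameters; the function names and the year-2000 plausibility floor for "Last success" are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Status text as quoted in the thread; the line breaks are constructed.
SAMPLE = """\
Last attempt @ 2005-05-21 19:48.33 failed, result 8614:
The Active Directory cannot replicate with this server because the time
since the last replication with this server has exceeded the tombstone lifetime.
Last success @ 1952-08-19 22:59.10.
5823 consecutive failure(s).
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d\.\d\d)"  # repadmin prints HH:MM.SS
TS_FORMAT = "%Y-%m-%d %H:%M.%S"
AD_FLOOR = datetime(2000, 1, 1)  # assumption: no genuine success predates Windows 2000


def parse_status(text):
    """Pull attempt time, result code, last success and failure count out of one block."""
    attempt = re.search(r"Last attempt @ " + TS + r" failed, result (\d+)", text)
    success = re.search(r"Last success @ " + TS, text)
    failures = re.search(r"(\d+) consecutive failure", text)
    if not (attempt and success and failures):
        raise ValueError("not a failed-replication status block")
    return {
        "last_attempt": datetime.strptime(attempt.group(1), TS_FORMAT),
        "result": int(attempt.group(2)),
        "last_success": datetime.strptime(success.group(1), TS_FORMAT),
        "failures": int(failures.group(1)),
    }


def assess(status, tombstone_days=60, interval_minutes=15):
    """Estimate the outage; fall back to the failure count if the timestamp is bogus."""
    window = timedelta(minutes=status["failures"] * interval_minutes)
    plausible = status["last_success"] >= AD_FLOOR
    outage = status["last_attempt"] - status["last_success"] if plausible else window
    return {
        "timestamp_plausible": plausible,
        "window_days": window.total_seconds() / 86400,
        "estimated_start": status["last_attempt"] - window,
        "past_tombstone_lifetime": outage > timedelta(days=tombstone_days),
    }


if __name__ == "__main__":
    for minutes in (10, 15, 30):
        print(minutes, assess(parse_status(SAMPLE), interval_minutes=minutes))
```

The result depends entirely on the interval fed in, so read the real replication schedule from the connection or site link before relying on the estimate.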
RE: [ActiveDir] Replication failures - lingering objects
Where the heck does "Last success @ 1952-08-19 22:59.10." come from? I know MS uses the year 1601 as the starter date, but I have never seen 1952 or something else before AD was ever available.

In this case as you're already doing... kill the old DC and rebuild it

CHEERS
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/22/2005 4:51 AM
Subject: RE: [ActiveDir] Replication failures - lingering objects

When running repadmin /showreps on one of the good DCs I get the following message only under cn=configuration

    Last attempt @ 2005-05-21 19:48.33 failed, result 8614:
    The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
    Last success @ 1952-08-19 22:59.10.
    5823 consecutive failure(s).

I agree...I'm already preparing to rebuild this server

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 20, 2005 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication failures - lingering objects

I am confused, the config is the only partition not replicating? If the DC is not replicating due to being too far out because of TLS issues then it shouldn't be replicating anything.

Anytime you get into a position like that, I agree with Rick, mow the DC down and start over.

joe

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, May 17, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication failures - lingering objects

I have a DC that appears to have had some time synch problems before I got here... Subsequently, all other DCs have discontinued replication for the cn=configuration (per repadmin) with this DC. My question is; the first event I can see showing replication problems with this DC is on April 8th, which should mean that I'm not past the 60 day garbage collection period. It seems to me that I could modify the reg setting to allow the other DCs to resume replication and no lingering objects would be reintroduced because the deleted object info is still present. The offending DC is running Windows 2000 SP3. Any thoughts?

TIA

-Alex

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Replication failures - lingering objects
When running repadmin /showreps on one of the good DCs I get the following message only under cn=configuration

    Last attempt @ 2005-05-21 19:48.33 failed, result 8614:
    The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
    Last success @ 1952-08-19 22:59.10.
    5823 consecutive failure(s).

I agree…I’m already preparing to rebuild this server….

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 20, 2005 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication failures - lingering objects

I am confused, the config is the only partition not replicating? If the DC is not replicating due to being too far out because of TLS issues then it shouldn't be replicating anything.

Anytime you get into a position like that, I agree with Rick, mow the DC down and start over.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, May 17, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication failures - lingering objects

I have a DC that appears to have had some time synch problems before I got here… Subsequently, all other DCs have discontinued replication for the cn=configuration (per repadmin) with this DC. My question is; the first event I can see showing replication problems with this DC is on April 8th, which should mean that I’m not past the 60 day garbage collection period. It seems to me that I could modify the reg setting to allow the other DCs to resume replication and no lingering objects would be reintroduced because the deleted object info is still present. The offending DC is running Windows 2000 SP3. Any thoughts?

TIA

-Alex
RE: [ActiveDir] Replication failures - lingering objects
I am confused, the config is the only partition not replicating? If the DC is not replicating due to being too far out because of TLS issues then it shouldn't be replicating anything.

Anytime you get into a position like that, I agree with Rick, mow the DC down and start over.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, May 17, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication failures - lingering objects

I have a DC that appears to have had some time synch problems before I got here… Subsequently, all other DCs have discontinued replication for the cn=configuration (per repadmin) with this DC. My question is; the first event I can see showing replication problems with this DC is on April 8th, which should mean that I’m not past the 60 day garbage collection period. It seems to me that I could modify the reg setting to allow the other DCs to resume replication and no lingering objects would be reintroduced because the deleted object info is still present. The offending DC is running Windows 2000 SP3. Any thoughts?

TIA

-Alex
RE: [ActiveDir] Replication failures - lingering objects
Use repadmin /showrepl /all or repadmin /showreps /all to see when the last attempt of replication occurred (inbound and outbound)

If you're not sure about the DC, save data and/or configurations to another location, kill the DC and rebuild it

Cheers
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, May 17, 2005 22:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication failures - lingering objects

I have a DC that appears to have had some time synch problems before I got here… Subsequently, all other DCs have discontinued replication for the cn=configuration (per repadmin) with this DC. My question is; the first event I can see showing replication problems with this DC is on April 8th, which should mean that I’m not past the 60 day garbage collection period. It seems to me that I could modify the reg setting to allow the other DCs to resume replication and no lingering objects would be reintroduced because the deleted object info is still present. The offending DC is running Windows 2000 SP3. Any thoughts?

TIA

-Alex
RE: [ActiveDir] Replication failures - lingering objects
Try with repadmin /removelingeringobjects

Or disable the strict replication key on all domain controllers and re-enable once the objects have been replicated (you can delete later on if you want to)

Mod the below /d value for enable/disable of strictrepl key

    FOR /F "skip=1 usebackq delims==" %i IN (`netdom query dc`) DO reg add \\%i\HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict Replication Consistency" /t REG_DWORD /d 1 /f

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Wednesday, May 18, 2005 4:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication failures - lingering objects

I have a DC that appears to have had some time synch problems before I got here… Subsequently, all other DCs have discontinued replication for the cn=configuration (per repadmin) with this DC. My question is; the first event I can see showing replication problems with this DC is on April 8th, which should mean that I’m not past the 60 day garbage collection period. It seems to me that I could modify the reg setting to allow the other DCs to resume replication and no lingering objects would be reintroduced because the deleted object info is still present. The offending DC is running Windows 2000 SP3. Any thoughts?

TIA

-Alex
RE: [ActiveDir] Replication failures - lingering objects
If you’re concerned that there might be a problem – I don’t see any real value in taking a chance. I tend to treat DCs much like ‘tin soldiers’. Their purpose in life is primarily object repository and authN. If the object repository can’t be trusted (possibly out of date) then the authN function is worthless. (Reverse is true as well).

Me, Alex – I’d find an alternative way to get any critical data off of it (shouldn’t be any – it’s a DC for gosh sakes!) and then flatten it. Rebuild, join, dcpromo, and all is good.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, May 17, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication failures - lingering objects

I have a DC that appears to have had some time synch problems before I got here… Subsequently, all other DCs have discontinued replication for the cn=configuration (per repadmin) with this DC. My question is; the first event I can see showing replication problems with this DC is on April 8th, which should mean that I’m not past the 60 day garbage collection period. It seems to me that I could modify the reg setting to allow the other DCs to resume replication and no lingering objects would be reintroduced because the deleted object info is still present. The offending DC is running Windows 2000 SP3. Any thoughts?

TIA

-Alex
RE: [ActiveDir] Replication failures - lingering objects
Whoops, 60 day tombstone lifetime, not garbage collection.

From: Alex Fontana
Sent: Tuesday, May 17, 2005 1:53 PM
To: 'ActiveDir@mail.activedir.org'
Subject: Replication failures - lingering objects

I have a DC that appears to have had some time synch problems before I got here… Subsequently, all other DCs have discontinued replication for the cn=configuration (per repadmin) with this DC. My question is; the first event I can see showing replication problems with this DC is on April 8th, which should mean that I’m not past the 60 day garbage collection period. It seems to me that I could modify the reg setting to allow the other DCs to resume replication and no lingering objects would be reintroduced because the deleted object info is still present. The offending DC is running Windows 2000 SP3. Any thoughts?

TIA

-Alex