March 25th, 2008, 10:33 PM
AD error, replication
Question: I received this error while forcing replication (Replicate Now) through the Sites and Services snap-in.
The following error occurred during the attempt to synchronize naming context (domain) from domain controller (one) to domain controller (two): The active directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
This operation will not continue.
DC two has all of the domain roles (PDC emulator, infrastructure, and operations master). How would I remedy this problem? I was thinking of demoting it and then promoting it again, to reset the tombstone lifetime.
March 25th, 2008, 11:29 PM
Check if the information in the below link will help in resolving the issue.
March 26th, 2008, 06:13 PM
You're getting this error due to replication having not occurred within the specified tombstone lifetime. You won't even be able to demote DC2 normally. You will have to transfer the FSMO roles to DC1, then run dcpromo /forceremoval to force demotion.
March 26th, 2008, 08:00 PM
In my case, there are four domain controllers (DC3 and DC4) which can replicate without any problems with DC2. So with that being said, would I still have to demote DC2? I suppose I'm trying to narrow down which server has exceeded the tombstone lifetime.
**Edit: DC1 only has two replication partners, DC2 and DC3, and using repadmin /showrepl and attempting to force replication, only the inbound connections to DC1 fail.
Last edited by n00bius; March 26th, 2008 at 08:50 PM.
March 26th, 2008, 08:58 PM
If DCs 2, 3 and 4 are all replicating between each other OK then it seems DC1 is the problem. Has this server been down for some time? The default tombstone lifetime is 60 days; I'm presuming you haven't changed it? Is this a production or test environment?
Edit: Check the event logs on DC1 for any replication errors.
Last edited by r3b00+; March 26th, 2008 at 09:01 PM.
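Added example, not part of any post in this thread: one way to narrow down which server has fallen behind is to compare each inbound link's last successful replication against the tombstone lifetime, using the CSV form of the repadmin /showrepl output mentioned above. The function name `Find-StaleReplicationLink`, the 60-day default and every value in the sample CSV are assumptions or constructed data.

```powershell
# Constructed sample shaped like `repadmin /showrepl * /csv` output; server names,
# site name, domain, dates and failure counts are invented for illustration.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Site1,DC1,"DC=example,DC=local",Site1,DC2,RPC,412,2008-03-26 20:41:07,2006-05-14 03:12:55,8614
showrepl_INFO,Site1,DC1,"DC=example,DC=local",Site1,DC3,RPC,409,2008-03-26 20:41:09,2006-05-14 03:10:02,8614
showrepl_INFO,Site1,DC2,"DC=example,DC=local",Site1,DC3,RPC,0,0,2008-03-26 20:15:42,0
showrepl_INFO,Site1,DC3,"DC=example,DC=local",Site1,DC2,RPC,0,0,2008-03-26 20:17:10,0
'@

# Hypothetical helper: returns every inbound link whose last success is older
# than the tombstone lifetime, or that has never succeeded.
function Find-StaleReplicationLink {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [int]$TombstoneDays = 60,          # assumption: the default cited in the thread
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $last = [datetime]::MinValue
        $parsed = [datetime]::TryParse($row.'Last Success Time',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$last)
        $age = if ($parsed) { [math]::Floor(($AsOf - $last).TotalDays) } else { $null }
        if (-not $parsed -or $age -gt $TombstoneDays) {
            [pscustomobject]@{
                Destination      = $row.'Destination DSA'
                Source           = $row.'Source DSA'
                NamingContext    = $row.'Naming Context'
                DaysSinceSuccess = $age
                LastStatus       = $row.'Last Failure Status'
            }
        }
    }
}

# Fixed date so the constructed sample gives the same result on every run.
Find-StaleReplicationLink -CsvText $sample -AsOf ([datetime]'2008-03-27') |
    Sort-Object Destination, Source | Format-Table -AutoSize
```

showrepl lists inbound links, so a destination that is stale with every one of its partners (DC1 in the sample) is the server that has fallen behind, while the partners that still replicate with each other drop out of the result.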
March 26th, 2008, 09:04 PM
It's a production environment, but looking at the event logs, and the output from repadmin, it's been like this since '06.
March 26th, 2008, 09:13 PM
Try what is suggested in this article.
March 27th, 2008, 02:11 AM
To think I'm an assistant system admin. Anyway, I'll give it a try; it's been a problem for the last two years so there's no rush. Funny, it only became apparent once I made them (the guys who reset passwords) start using admin tools instead of remoting into the DC.
March 27th, 2008, 10:12 AM
If it hasn't affected operations to this point then the architecture of your forest mustn't be reliant on this DC too much. Good luck!
April 1st, 2008, 06:02 AM
The problem seems to be fixed. I went ahead and had to dcpromo /forceremoval on the afflicted server; things are going cool now, so all that's left is to rearrange the FSMO roles, and I'll be done for the time being. Thanks for all your help, r3b00+.