Replication between domain controllers doesn't work correctly

Question

Replication between domain controllers doesn't work correctly

drClays 151

Hello,

I had 6 domain controllers with OS:

3 DC with Windows Server 2008r2(one of them had got RODC function)
2 DC with Windows Server 2012r2(one of them is Primary DC-AD01, AD02 - secondary)
1 DC with Windows Server 2016(that's one was to demote and deleted)

This forest of DC doesn't work correctly. Doesn't had a working replication between them.

DFSR isn't running on this forest.

What's what I did:

Demote all DCs with WS2008r2 and WS2016 OS - on all of these DCs I needed use dcpromo with forceremoval parametr

Now I have working 2 DC with WS2012r2 OS.

Metadata was cleaned after demoting this DC.

BUT! When I try to clean one of entry on DNS in Forward Lookup Zones/_msdcs.contoso.com/dc/_sites/_tcp I can't do this because this entry back. This entry is "_ldap" of one DC with WS2008r2 OS. Other entries are cleaned correctly.

The last DC that I demoted was the DC with RODC. Primary DC cleaned all correctly, but secondary DC(AD02) didn't delete object from AD Users and Computers. DNS was replicated correctly, ADUaC was not.

Repadmin /showrepl from AD01(Primary)

Repadmin: running command /showrepl against full DC localhost
DC\AD01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 1cb08d25-826b-43ac-add3-77e9e563708b
DSA invocationID: e43f833e-bfe4-4dd5-94ee-5dfee77d7848

==== INBOUND NEIGHBORS ======================================

DC=contoso,DC=local
    DC\AD02 via RPC
        DSA object GUID: 41a32af1-9e55-4614-a958-0aca9f6a6434
        Last attempt @ 2023-08-28 19:02:18 was successful.

CN=Configuration,DC=contoso,DC=local
    DC\AD02 via RPC
        DSA object GUID: 41a32af1-9e55-4614-a958-0aca9f6a6434
        Last attempt @ 2023-08-28 18:49:24 was successful.

CN=Schema,CN=Configuration,DC=contoso,DC=local
    DC\AD02 via RPC
        DSA object GUID: 41a32af1-9e55-4614-a958-0aca9f6a6434
        Last attempt @ 2023-08-28 18:49:24 was successful.

DC=ForestDnsZones,DC=contoso,DC=local
    DC\AD02 via RPC
        DSA object GUID: 41a32af1-9e55-4614-a958-0aca9f6a6434
        Last attempt @ 2023-08-28 18:49:24 was successful.

DC=DomainDnsZones,DC=contoso,DC=local
    DC\AD02 via RPC
        DSA object GUID: 41a32af1-9e55-4614-a958-0aca9f6a6434
        Last attempt @ 2023-08-28 18:58:38 was successful.

Repadmin /showrepl from AD02:

Repadmin: running command /showrepl against full DC localhost
DC\AD02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 41a32af1-9e55-4614-a958-0aca9f6a6434
DSA invocationID: fe4030bf-bec9-40bc-b649-07ac05e09a5b

==== INBOUND NEIGHBORS ======================================

DC=contoso,DC=local
    DC\AD01 via RPC
        DSA object GUID: 1cb08d25-826b-43ac-add3-77e9e563708b
        Last attempt @ 2023-08-28 19:04:33 failed, result 8606 (0x219e):
            Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
        11384 consecutive failure(s).
        Last success @ 2023-08-25 19:09:55.

CN=Configuration,DC=contoso,DC=local
    DC\AD01 via RPC
        DSA object GUID: 1cb08d25-826b-43ac-add3-77e9e563708b
        Last attempt @ 2023-08-28 18:51:10 failed, result 8606 (0x219e):
            Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
        261 consecutive failure(s).
        Last success @ 2023-08-25 19:00:00.

CN=Schema,CN=Configuration,DC=contoso,DC=local
    DC\AD01 via RPC
        DSA object GUID: 1cb08d25-826b-43ac-add3-77e9e563708b
        Last attempt @ 2023-08-28 18:51:10 was successful.

DC=ForestDnsZones,DC=contoso,DC=local
    DC\AD01 via RPC
        DSA object GUID: 1cb08d25-826b-43ac-add3-77e9e563708b
        Last attempt @ 2023-08-28 18:51:10 was successful.

DC=DomainDnsZones,DC=contoso,DC=local
    DC\AD01 via RPC
        DSA object GUID: 1cb08d25-826b-43ac-add3-77e9e563708b
        Last attempt @ 2023-08-28 18:58:23 was successful.

Source: DC\AD01
******* 11355 CONSECUTIVE FAILURES since 2023-08-25 19:09:55
Last error: 8606 (0x219e):
            Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

I tried to repair replication between DCs but I've got this:

PS C:\Windows\system32> repadmin /syncall AD02 /Aed
Syncing all NC's held on AD02.
Syncing partition: DC=DomainDnsZones,DC=contoso,DC=local
CALLBACK MESSAGE: The following replication is in progress:
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: The following replication completed successfully:
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Syncing partition: DC=ForestDnsZones,DC=contoso,DC=local
CALLBACK MESSAGE: The following replication is in progress:
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: The following replication completed successfully:
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Syncing partition: CN=Schema,CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: The following replication is in progress:
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: The following replication completed successfully:
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Syncing partition: CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: The following replication is in progress:
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: Error issuing replication: 8606 (0x219e):
    Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error issuing replication: 8606 (0x219e):
    Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local

Syncing partition: DC=contoso,DC=local
CALLBACK MESSAGE: The following replication is in progress:
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: Error issuing replication: 8606 (0x219e):
    Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error issuing replication: 8606 (0x219e):
    Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
    From: CN=NTDS Settings,CN=AD01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local
    To  : CN=NTDS Settings,CN=AD02,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=contoso,DC=local

Any suggestion to fix it? I need to do this before I change FSR to DFSR and move DCs to Windows Server 2022 OS.

2 answers

Your answer

Answer 1

Limitless Technology 44,746

Hello there,

Do you have exclusions for Active Directory folders and files at your antivirus?

Antivirus can be source of your problem

Has the DNS Server service definitely started, and on both DCs (assuming you have DNS on both).
Is your DNS setup to be Active Directory integrated zone?

Active Directory replication problems can have several different sources. For example, Domain Name System (DNS) problems, networking issues, or security problems can all cause Active Directory replication to fail.

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/troubleshoot/troubleshooting-active-directory-replication-problems

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer--

drClays 151 Reputation points

2023-08-29T13:54:54.01+00:00

I disabled for now Antivirus and checked firewall. Port 135 was disabled.

Now I see in Event Viewer a lot of Events with ID 1988 on AD02.

But I don't know how to correctly clean these false objects.

Can I demote AD02 without any consequences?

Answer 2

Anonymous

Hello drClays,

Thank you for posting in Q&A forum.

It seem there are lingering objects on AD01.

Tip: After two DC replicates forcely, we can check on both DCs, if there is event ID 1988 on any DC, the DC with event ID 1988 is DC without lingering objects.

You read this similar thread with marked answer (I have replied with detailed steps) carefully and try the steps to fix the issue.

Problems with DC Replication
https://learn.microsoft.com/en-us/answers/questions/360951/prblems-with-dc-replication?childtoview=372937&page=4#answers

I hope the information above is helpful.

If you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

==========================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

drClays 151 Reputation points

2023-08-30T12:51:57.93+00:00

I ran LoL but application didn't find any object:
Anonymous

2023-08-31T00:38:39.2133333+00:00

Hello drClays,

Thank you for your reply.

You can try to select different partitions to check.

Best Regards,
Daisy Zhou
drClays 151 Reputation points

2023-08-31T07:16:06.2066667+00:00

I checked all the options with the same result.
drClays 151 Reputation points

2023-08-31T07:17:41.16+00:00

I checked all the options with the same result.
drClays 151 Reputation points

2023-08-31T13:26:42.7166667+00:00

Hi,

I ran LoL as an Administrator and I deleted false objects.

I tried to change FRS to DFSR, but AD02 is stuck on "Start - Writable DC" status, whereas AD01 is "Eliminated".

What can I do with this?

Share via

Replication between domain controllers doesn't work correctly

2 answers

Your answer