Authoritative vs. Non-Authoritative Restore

Question

I have 1 Forest, 1 Domain, 2 Sites (2008R2) FRS.
Site A:
DC1 (FSMO roles) errors: 13552 & 13555
DC2 error: 13508
DC3 errors: 13552 & 13555

Site B:
DC4 error: 13508
DC5 error: 13508
Site B DC's do Repl to each other
Nothing from Site A will Repl.

It would seem that I need to do an Authoritative Restore, with DC1: D4 flag and the others D2 flag.
Questions: Since DC3 has the same error as DC1 can a Non-Authoritative Restore on DC3 using only D2 first help?
If I have to use a Authoritative restore, I guess DC1 would use the D4 flag, do I have to have All the other DC's use D2 at the same time or can I do it 1 at a time?
What happens to the DC's when running an Authoritative restore? Can users still login?
If I created a New DC, do you think that it would work, if so I can just create 4 new DC's.
Is there any pitfalls performing an Authoritative restore?

Answer 1

It would seem that I need to do an Authoritative Restore, with DC1

You can't right now since DC1 and DC3 are in unknown broken states. More info here.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/frs-event-log-error-codes

Nonauthoritative restore
Use a nonauthoritative restore to return a member back into service, saving as much state from that member and from the direct replication partner in the direction that replication is not working.

Authoritative restore
The computer that is configured for the authoritative restore is configured to be authoritative for all the data that you want to replicate to replica set members

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/use-burflags-to-reinitialize-frs

• So use nonauthoritative to fix a single member
• When you use authoritative you're declaring one member the authority that the others will all inherit from

Another possibly simpler option to fix a single bad actor is to demote it, then after reboot promo it again.

This tool may also be helpful
https://www.microsoft.com/en-us/download/details.aspx?id=30005

--please don't forget to Accept as answer if the reply is helpful--

Answer 2

Do you see that DC3 is broken? Or do you see DC1 & DC3 broken?
Thanks for your response.

Answer 3

Just from what you posted

• DC1 (FSMO roles) errors: 13552 & 13555
• DC3 errors: 13552 & 13555

Looks like these two are both suspect. Probably without know a lot more its going to be difficult. Try to debug these sort is likely problematic to do via public forums. If you needed more assistance I'd suggest starting a case here with product support.
https://support.serviceshub.microsoft.com/supportforbusiness

--please don't forget to Accept as answer if the reply is helpful--

Answer 4

I'll run the Active Directory Replication Status Tool and see what that says. It seems that I have to move the (FSMO roles) to maybe DC2 to fix DC1 & 3...
Also error 13508 is that bad?

Answer 5

error 13508 is that bad?

No, not necessarily

Event ID=13508 Severity=Warning The File Replication Service is having trouble enabling replication from %1 to %2 for %3 using the DNS name %4. FRS will keep retrying.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/frs-event-log-error-codes

--please don't forget to Accept as answer if the reply is helpful--