DNS on one DC not replicating

Robert Sturtevant 1 Reputation point
2021-02-15T21:44:43.647+00:00

It just came to my attention that one of the DCs in my domain has not been replicating DNS to the rest of the domain controllers for about a year. There are constant events in the Directory Service event log stating that replication has been stopped because it exceeded the tombstone lifetime. The repadmin /showrepl command shows that Active Directory, Schema replication, etc. are working fine. It's just DNS that is not working.

There is a detailed KB article about this problem with instructions to look for lingering objects, resolve them, then force replication to start back up again using a tag to allow divergent replication. It looks like the lingering objects check applies more to directory/schema objects than DNS records, so there are no lingering objects found since that replication works.

So I guess I have a couple of questions. Should I be trying the fix to allow divergent replication to see if that resolves DNS replication as well? If it does, would there be any risk to legitimate DNS records in my domain that have not replicated to the affected DC? I'm concerned that if I fix this, then new records created since the error in the rest of the domain will disappear when the affected DC re-syncs.

The affected DC is at a remote site that does not get a ton of activity or new host entries, so I'm not surprised that it took so long for DNS resolution problems from that site to get reported. But now I just want to get everything synced up so that everything runs normally: new hosts from the rest of the domain get updated on the affected server, and any new hosts registered on the affected server get updated everywhere else. All of the DNS is AD integrated.


6 answers

  1. Anonymous
    2021-02-16T00:58:05.707+00:00

    The recommended (and simplest) method for a tombstoned domain controller is to demote, reboot, and promote it again.

    --please don't forget to Accept as answer if the reply is helpful--


  2. Hannah Xiong 6,276 Reputation points
    2021-02-16T03:33:45.113+00:00

    Hello,

    Thank you so much for posting here.

    We are wondering whether it is replication error 8614? If so, we could follow the link to solve this issue.

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/replication-error-8614

    As mentioned, we have checked that there are no lingering objects. We could try the solutions mentioned in the link. On this affected DC, set "Allow use of divergent and damaged partner replication" to 1 in the registry. This setting allows DCs whose replication time exceeds the tombstone lifetime to synchronize data.

    Besides, ensure that strict replication consistency is enabled. Strict replication consistency ensures that lingering objects will not be replicated. For more detailed information, we could refer to the above link.

    Please backup the DCs before the operations.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Robert Sturtevant 1 Reputation point
    2021-02-19T18:16:17.693+00:00

    Sorry for the delayed response. Yes, I am seeing error 8614 when I run repadmin against the DC. But I am only seeing it for ForestDnsZones and DomainDnsZones. It's only DNS that is not replicating. I have confirmed this by making changes to SYSVOL and Active Directory on the affected DC, and those changes replicate fine. It's only DNS changes that appear to be tombstoned. I can try the suggestion to allow divergent replication. But assuming that works, I'm wondering how inconsistencies with the DNS records would be resolved. Will records that exist on the tombstoned DC but not in the rest of the domain get created everywhere else, and vice versa? Is there a chance records will get deleted when replication resumes? Lingering objects do not appear to include stale or missing DNS records, because no lingering objects are found when I perform that check. So I don't believe setting strict replication will affect DNS.

    I'm a little hesitant to demote and promote the DC only because it is the only DC in the site and I'm worried about unintended consequences. I don't want to make things worse. If DNS is the only problem, would it make sense to consider removing the DNS role from the DC and re-adding? Would that theoretically cause it to get a fresh copy of DNS and start replication over?


  4. Anonymous
    2021-02-19T18:20:35.88+00:00

    I'm a little hesitant to demote and promote the DC only because it is the only DC in the site and I'm worried

    Then you could stand up a new one for replacement. If / when things look Ok, then you can demote the broken one.

    --please don't forget to Accept as answer if the reply is helpful--


  5. Robert Sturtevant 1 Reputation point
    2021-02-19T19:34:56.5+00:00

    If I stand up a new DC, I would presumably have to install the DNS role. So if I do that, I'm curious how the new DC would populate its DNS. Would it inherit the unreplicated DNS database from the local tombstoned DC, or will it get the fresh database from one of the other Global Catalogs? But I guess there are no great options. I thought maybe I could just remove the DNS role from the tombstoned DC while keeping it as a domain controller, but I don't think it will let me do that. So I guess the options are to either stand up a new DC at the site and see what happens, or allow divergent replication for the tombstoned DC and see if the replication works itself out.

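The procedure in Hannah Xiong's answer (confirm 8614, back up, enable divergent replication on the affected DC with strict consistency on) and Robert's unanswered question about which DNS records would survive a resync can both be worked through before anything is changed. The script below is an added example for this thread; it is not code from the thread or from Microsoft's 8614 article. The DC names DC-REMOTE01 and DC-HQ01, the zone corp.example and the backup folder C:\DnsBackup are placeholders. It uses the registry value names the NTDS service actually reads (Strict Replication Consistency and Allow Replication With Divergent and Corrupt Partner), which differ from the descriptive label quoted in the answer, and it uses repadmin /showrepl /csv, Export-DnsServerZone and Get-DnsServerResourceRecord from the DnsServer RSAT module.

```powershell
# Added example for this thread, not from the original answers or Microsoft's documentation.
# Placeholders: DC-REMOTE01 is the affected (tombstoned) DC, DC-HQ01 a healthy DC,
# corp.example the AD-integrated zone, C:\DnsBackup a writable folder on this machine.
# Run as a Domain Admin in an elevated PowerShell with the DnsServer module installed.

$AffectedDc = 'DC-REMOTE01'
$HealthyDc  = 'DC-HQ01'
$Zone       = 'corp.example'
$BackupDir  = 'C:\DnsBackup'
$NtdsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. Confirm the failure is 8614 and limited to the two DNS application partitions.
#    repadmin /showrepl /csv emits one row per (naming context, source DC) pair.
$rows    = repadmin /showrepl $AffectedDc /csv | ConvertFrom-Csv
$failing = $rows | Where-Object { $_.'Last Failure Status' -ne '0' } |
    Select-Object 'Naming Context', 'Source DSA', 'Last Failure Status', 'Last Success Time'
$failing | Format-Table -AutoSize
$nonDns = @($failing | Where-Object { $_.'Naming Context' -notmatch 'DnsZones' })
if ($nonDns.Count -gt 0) { Write-Warning 'Partitions other than DNS are failing too; reassess before continuing.' }

# 2. Snapshot the zone on both sides before touching anything. Export-DnsServerZone writes
#    the file under the DNS server's own %SystemRoot%\System32\dns directory.
foreach ($dc in $AffectedDc, $HealthyDc) {
    Export-DnsServerZone -ComputerName $dc -Name $Zone -FileName "$Zone.$dc.pre-fix.dns"
}

# 3. Diff the records so "will new records disappear?" is answered with data, not guesswork.
function Get-ZoneRecordKeys {
    param([string]$Dc, [string]$ZoneName)
    Get-DnsServerResourceRecord -ComputerName $Dc -ZoneName $ZoneName | ForEach-Object {
        # RecordData is a CIM object whose properties differ per record type; flatten it to text
        $data = ($_.RecordData.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^(Cim|PSComputerName)' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ';'
        '{0}|{1}|{2}' -f $_.HostName, $_.RecordType, $data
    }
}
$onAffected = Get-ZoneRecordKeys -Dc $AffectedDc -ZoneName $Zone
$onHealthy  = Get-ZoneRecordKeys -Dc $HealthyDc  -ZoneName $Zone
$diff = Compare-Object -ReferenceObject $onHealthy -DifferenceObject $onAffected
# '=>' rows exist only on the affected DC (registered there during the outage);
# '<=' rows exist only on the healthy side (created elsewhere and never replicated in).
$diff | Sort-Object SideIndicator | Format-Table -AutoSize
$diff | Export-Csv -Path (Join-Path $BackupDir "$Zone-diff.csv") -NoTypeInformation

# 4. Show the current NTDS replication settings on the affected DC.
$settings = Invoke-Command -ComputerName $AffectedDc -ScriptBlock {
    param($key)
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
} -ArgumentList $NtdsKey
$settings | Format-List 'Strict Replication Consistency', 'Allow Replication With Divergent and Corrupt Partner'

# 5. Only after reviewing the diff and the exports: keep strict consistency on, permit the
#    divergent partner, and have the affected DC pull from its partners (/syncall without /P pulls).
#    Once Last Failure Status is 0 for the DnsZones partitions, set the divergent value back to 0;
#    it is a one-time override, not a permanent setting.
$proceed = Read-Host 'Enable divergent replication on the affected DC now? (yes/no)'
if ($proceed -eq 'yes') {
    Invoke-Command -ComputerName $AffectedDc -ScriptBlock {
        param($key)
        New-ItemProperty -Path $key -Name 'Strict Replication Consistency' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Allow Replication With Divergent and Corrupt Partner' -PropertyType DWord -Value 1 -Force | Out-Null
    } -ArgumentList $NtdsKey
    repadmin /syncall $AffectedDc /Ade
    repadmin /showrepl $AffectedDc /csv | ConvertFrom-Csv |
        Where-Object { $_.'Naming Context' -match 'DnsZones' } |
        Select-Object 'Naming Context', 'Source DSA', 'Last Failure Status', 'Last Success Time' |
        Format-Table -AutoSize
}
```

The diff in step 3 is the part that addresses the record-loss worry directly: rows marked `=>` are hosts that only the remote site knows about, rows marked `<=` are the records the remote site has been missing, and the CSV keeps a copy of both so anything that does not reconcile after replication resumes can be re-created from the export rather than reconstructed from memory.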
