Domain controller is facing issues in replication

Question

Domain controller is facing issues in replication

Sinha, Gourav 21

Hi Techies,

We have run in kind of a situation here in our estate. We found out that one of DC is not replicating properly with rest of them . On some troubleshooting I did reset affected DC password using netdom but that did not help and now it is saying "The naming context is in process of being removed or is not replicated from specific server" on running repadmin /replicate command.

When run repadmin /replsummary I see error - (8606) insufficient attributes were given to create object. This object may not exist because it may have been deleted and already garbage collected.

I have referred few MS articles but to no help. Did anyone else faced this issue who can help me find solution ?

Just to inform We have 11 DCs in one domain and only one is affected among them.

Clément BETACORNE 2,496 Reputation points

2021-11-13T16:51:26.197+00:00

Hello,

Your best option is to reinstall it if you have 11 DCs it won't be a issue.
Do you have multi-role installed on this DC ?
Sinha, Gourav 21 Reputation points

2021-11-13T17:32:40.227+00:00

Yes I believe it has DNS,DHCP as well.

2 answers

Your answer

Clément BETACORNE 2,496 Reputation points

2021-11-13T16:51:26.197+00:00

Hello,

Your best option is to reinstall it if you have 11 DCs it won't be a issue.
Do you have multi-role installed on this DC ?
Sinha, Gourav 21 Reputation points

2021-11-13T17:32:40.227+00:00

Yes I believe it has DNS,DHCP as well.

Answer 1

Anonymous

If using older FRS you can follow along here with a nonauthoritative synchronization
https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-servi
or for DFSR follow along here.
https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

or simply move roles of, demote problematic one, reboot, promo it again.

--please don't forget to upvote and Accept as answer if the reply is helpful--

Anonymous

2021-11-13T18:22:11.157+00:00

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--
Sinha, Gourav 21 Reputation points

2021-11-13T18:42:03.713+00:00

Thanks Patrick, Actually I am trying now. I will update with the status once I have tested DFSR non authoritative synch.
Anonymous

2021-11-13T18:43:57.34+00:00

Sounds good, this tool may also be helpful.
https://www.microsoft.com/en-us/download/details.aspx?id=30005

--please don't forget to upvote and Accept as answer if the reply is helpful--
Sinha, Gourav 21 Reputation points

2021-11-13T19:33:36.187+00:00

Hi Patrick,

Unfortunately non authoritative synch did not work in this case still gives same error as "Namin context is in process of being removed".

Is there any other way we can get this sorted. I want to keep demote\promote idea as a failsafe. Is it the only option left ?
Anonymous

2021-11-13T19:45:00.28+00:00

You can follow along here.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/replication-error-8452

if problems persist the simplest / safest solution is to move roles of, demote problematic one, reboot, promo it again.

You didn't mention how long this has been going on but if the domain controller has tombstoned then you'll need to perform clean up
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

rebuild it.
I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new one, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Sinha, Gourav 21 Reputation points

2021-11-13T19:50:34.063+00:00

Yeah rebuilding server, demoting\promoting seems to be final sort probably.

I dont think it is in tombston because its been out of sync since 6 months. Probably as you said , the only solution seems to demote and promote it again. But I would like to give few more tries to solve errors I am seeing in repadmin .

Also I guess server role removal will give me error regarding ws management service- The service is configured to not accept any remote shell requests as I have seen this before in same environment. Not sure how can we get through that.
Anonymous

2021-11-13T20:09:09.387+00:00

because its been out of sync since 6 months

Sounds problematic, you can check it here. "not set" == 60 days

--please don't forget to upvote and Accept as answer if the reply is helpful--
Anonymous

2021-11-14T13:01:14.457+00:00

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--
Sinha, Gourav 21 Reputation points

2021-11-15T10:20:44.243+00:00

tombstone is set as 90 days .

For demoting and repromoting , I will be taking this proposal and will be trying that soon. So will keep you updated.
Anonymous

2021-11-15T13:48:40.567+00:00

If domain controller has tombstoned then rebuild will be needed as mentioned above.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Anonymous

2021-11-19T10:09:03.243+00:00

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--
Sinha, Gourav 21 Reputation points

2021-11-20T20:40:07.72+00:00

Hi Patrick,

Unfortunately we ran into some issues where xml files from group policies went missing when I tried to follow below article. It created an outage for 2 days. Do you have any idea if this can cause xml misconfiguration ? or some other tips to identify the issue.

https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo
Anonymous

2021-11-20T20:50:16.26+00:00

Sounds like the changes had been made while connected to the broken one. There's not much you can do about that other than confirm replication is functional before making big changes.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Sinha, Gourav 21 Reputation points

2021-11-20T20:55:32.9+00:00

Will you be able t o elaborate a bit as I dont think that it will remove xml files. Even if it is replicating from broken one, all DCs should have policies dated back to May. But in this case XML files were all gone.

Have you heard of any such issues before and any probable reasons ?
Anonymous

2021-11-20T21:02:26.857+00:00

Will you be able t o elaborate a bit

If you happen to connect to the broken one, add some new policies (doesn't really matter how long ago), then did a nonauthoritative synchronization the new policies would be overwritten with the current state on the authoritative server. One option here may be to export the new ones from broken server, do the nonauthoritative synchronization, import the policy. Also note this isn't going to work if the domain controller tombstoned. In this case, as already discussed, a rebuild is necessary.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Anonymous

2021-11-22T13:40:59.287+00:00

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--

Answer 2

Please check date\time are sync between all DCs.
Disable any Antivirus program or Windows firewall you may have for temporary purpose which may block AD replications traffic.
Below is Microsoft article explain different cause and of error (8606) insufficient attributes were given to create object.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/replication-error-8606
Download Active Directory Replication Status Tool from which should able to visualize and able should help to Fix replication relegated errors.

Also, If a domain controller does not replicate for a period of time that is longer than the tombstone lifetime and the domain controller is then reconnected to the replication topology, objects that were deleted from Active Directory while the domain controller was offline can remain on the domain controller as lingering objects.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc738018(v=ws.10)?redirectedfrom=MSDN

----

--If the reply is helpful, please Upvote and Accept as answer--

Share via

Domain controller is facing issues in replication

2 answers

Your answer