question

AkramMokhtar-7181 avatar image
0 Votes"
AkramMokhtar-7181 asked DSPatrick commented

Domain Controller Replication Issue

i have two Domain Controllers one DC - Win2019 and Second is BDC - Windows 2012 R2
DC - win2019 is Primary and BDC - win 2012 R2 is the Backup Domain Conroller

my Problem is that I got this error :- DCdiag.exe - on DC win2019

         From BDC to DC 

         Naming Context: DC=DomainDnsZones,DC=domainnamehere,DC=com 

         The replication generated an error (8606): 

         Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

   The failure occurred at 2022-04-18 11:22:54. 

         The last success occurred at 2022-03-20 17:55:39. 

         2712 failures have occurred since the last success. 

      ......................... DC failed test Replications

,check the snapshot below

and how to fix it?

193884-3.jpg

193874-1.jpg


193856-2.jpg


windows-serverwindows-server-2019windows-server-2012
3.jpg (156.5 KiB)
1.jpg (25.0 KiB)
2.jpg (83.2 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
1 Vote"
DSPatrick answered DSPatrick commented

Have you tried?
https://www.microsoft.com/en-us/download/details.aspx?id=56051

--please don't forget to upvote and Accept as answer if the reply is helpful--



· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



0 Votes 0 ·
DSPatrick avatar image
0 Votes"
DSPatrick answered

I'd work through this one.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/replication-error-8606

--please don't forget to upvote and Accept as answer if the reply is helpful--



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AkramMokhtar-7181 avatar image
0 Votes"
AkramMokhtar-7181 answered AkramMokhtar-7181 published

i have seen this article of microsoft before but I didn't understand what to delete,I'll read it again and see what I can do

here is the result when run command :

C:\Windows\system32>repadmin /showattr dc dc=domainnamehere,dc=com
DN: DC=domainnamehere,DC=com
3> objectClass: top; domain; domainDNS
1> distinguishedName: DC=domainnamehere,DC=com
1> instanceType: 0x5 = ( IS_NC_HEAD | WRITE )
1> whenCreated: 24/01/2014 10:00:19 PM Egypt Standard Time
1> whenChanged: 22/03/2022 8:54:32 PM Egypt Standard Time
3> subRefs: DC=ForestDnsZones,DC=domainnamehere,DC=com; DC=DomainDnsZones,DC=domainnamehere,DC=com; CN=Configuration,DC=domainnamehere,DC=com
1> uSNCreated: 13080
1> dSASignature: { V1: Flags = 0x0; LatencySecs = 0; DsaGuid = 6d8b2a09-41ef-4455-9bca-22806d3fec0c }
1> repsTo: dwVersion: 2 v1.cb: 484 v1.cConsecutive Failures: 0 v1.timeLastSuccess: 13294759937 v1.timeLastAttempt: 13294759937 v1.ulResultLastAttempt: 0 v1.cbOtherDraOffset: 216v1.cbOtherDra: 268v1.ulReplicaFlags: 16 v1.rtSchedule: <skipped> v1.usnvec.usnHighObjUpdate: 0 v1.usnvec.usnHighPropUpdate: 0 v1.pszUuidDsaObj: bf9cd30e-487b-403e-a1aa-a6af280106d9 v1.pszUuidInvocId: 00000000-0000-0000-0000-000000000000 v1.pszUuidTransportObj: 00000000-0000-0000-0000-000000000000 v1.cbPASDataOffset: 0 v1~PasData: (none) v2~pdsa_rpc_inst v2.pszDSIServer bf9cd30e-487b-403e-a1aa-a6af280106d9._msdcs.domainnamehere.com v2.pszDSIAnnotation (null) v2.pszDSIInstance bf9cd30e-487b-403e-a1aa-a6af280106d9._msdcs.domainnamehere.com v2.pguidDSIInstance (null)
1> repsFrom: dwVersion: 2 v1.cb: 484 v1.cConsecutive Failures: 0 v1.timeLastSuccess: 13294762062 v1.timeLastAttempt: 13294762062 v1.ulResultLastAttempt: 0 v1.cbOtherDraOffset: 216v1.cbOtherDra: 268v1.ulReplicaFlags: 112 v1.rtSchedule: <skipped> v1.usnvec.usnHighObjUpdate: 5118581 v1.usnvec.usnHighPropUpdate: 5118581 v1.pszUuidDsaObj: bf9cd30e-487b-403e-a1aa-a6af280106d9 v1.pszUuidInvocId: 62d5fbdd-43f1-422d-a33b-c0667a4b3720 v1.pszUuidTransportObj: 00000000-0000-0000-0000-000000000000 v1.cbPASDataOffset: 0 v1~PasData: (none) v2~pdsa_rpc_inst v2.pszDSIServer bf9cd30e-487b-403e-a1aa-a6af280106d9._msdcs.domainnamehere.com v2.pszDSIAnnotation (null) v2.pszDSIInstance bf9cd30e-487b-403e-a1aa-a6af280106d9._msdcs.domainnamehere.com v2.pguidDSIInstance (null)
1> uSNChanged: 11862167
1> name: domainnamehere
1> objectGUID: ff4b77b2-1c31-4e41-a838-5a00aa851692
1> replUpToDateVector: <176 byte blob>
1> creationTime: 22/03/2022 8:54:32 PM Egypt Standard Time
1> forceLogoff: (never)
1> lockoutDuration: 0:00:30:00
1> lockOutObservationWindow: 0:00:30:00
1> lockoutThreshold: 0
1> maxPwdAge: (never)
1> minPwdAge: (never)
1> minPwdLength: 0
1> modifiedCountAtLastProm: 0
1> nextRid: 1000
1> pwdProperties: 0x0 = ( )
1> pwdHistoryLength: 0
1> objectSid: S-1-5-21-353254996-3754926767-3490704302
1> serverState: 1
1> uASCompat: 1
1> modifiedCount: 1
1> auditingPolicy: <2 byte blob>
1> nTMixedDomain: 0
1> rIDManagerReference: CN=RID Manager$,CN=System,DC=domainnamehere,DC=com
1> fSMORoleOwner: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainnamehere,DC=com
1> systemFlags: 0x8C000000 = ( DISALLOW_DELETE | DOMAIN_DISALLOW_RENAME | DOMAIN_DISALLOW_MOVE )
11> wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=domainnamehere,DC=com; B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=domainnamehere,DC=com; B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=domainnamehere,DC=com; B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=domainnamehere,DC=com; B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=domainnamehere,DC=com; B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=domainnamehere,DC=com; B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=domainnamehere,DC=com; B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=domainnamehere,DC=com; B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=domainnamehere,DC=com; B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=domainnamehere,DC=com; B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=domainnamehere,DC=com
1> objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=domainnamehere,DC=com
1> isCriticalSystemObject: TRUE
1> gPLink: [LDAP://cn={F259A3EC-1B68-46DB-8754-41747EA64737},cn=policies,cn=system,DC=domainnamehere,DC=com;2][LDAP://cn={7C9BE0F8-0D21-46DF-A361-BC57210961C4},cn=policies,cn=system,DC=domainnamehere,DC=com;0][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainnamehere,DC=com;2]
1> dSCorePropagationData: 0x0 = ( )
2> otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=domainnamehere,DC=com; B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=domainnamehere,DC=com
2> masteredBy: CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainnamehere,DC=com; CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainnamehere,DC=com
1> ms-DS-MachineAccountQuota: 10
1> msDS-Behavior-Version: 3 = ( WIN2008 )
1> msDS-PerUserTrustQuota: 1
1> msDS-AllUsersTrustQuota: 1000
1> msDS-PerUserTrustTombstonesQuota: 10
2> msDs-masteredBy: CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainnamehere,DC=com; CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainnamehere,DC=com
2> msDS-IsDomainFor: CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainnamehere,DC=com; CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainnamehere,DC=com
1> msDS-NcType: 0
1> msDS-ExpirePasswordsOnSmartCardOnlyAccounts: FALSE
1> dc: domainnamehere

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
0 Votes"
DSPatrick answered

What's the history here? Has the domain controller been disconnected for some time?


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AkramMokhtar-7181 avatar image
0 Votes"
AkramMokhtar-7181 answered

@DSPatrick
no it's working all the time ,but I don't know what is the issue and how to fix it?
i want the replication works ,or do I have to drop this Domain Controller BDC and recreate new one,or what do u think?

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
0 Votes"
DSPatrick answered AkramMokhtar-7181 commented

The first step in doc was to check the tombstone lifetime. You can also use adsiedit.msc and navigate as follows. Here where it is not set the default is 60 days.



194315-image.png




image.png (74.2 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



0 Votes 0 ·

@DSPatrick

i found my Tomstonelife time is set to 180

what do u want to me to do next?

0 Votes 0 ·
AkramMokhtar-7181 avatar image
0 Votes"
AkramMokhtar-7181 answered

look at this also

C:\Windows\system32>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: e166a195-04cd-4761-9a27-ab0994ec3bfd
DSA invocationID: 874fde50-1951-4199-87c2-5260e728e6a2

==== INBOUND NEIGHBORS ======================================

DC=mydomainnamehere,DC=com
Default-First-Site-Name\BDC via RPC
DSA object GUID: bf9cd30e-487b-403e-a1aa-a6af280106d9
Last attempt @ 2022-04-25 10:34:50 was successful.

CN=Configuration,DC=mydomainnamehere,DC=com
Default-First-Site-Name\BDC via RPC
DSA object GUID: bf9cd30e-487b-403e-a1aa-a6af280106d9
Last attempt @ 2022-04-25 10:34:03 was successful.

CN=Schema,CN=Configuration,DC=mydomainnamehere,DC=com
Default-First-Site-Name\BDC via RPC
DSA object GUID: bf9cd30e-487b-403e-a1aa-a6af280106d9
Last attempt @ 2022-04-25 10:31:48 was successful.

DC=ForestDnsZones,DC=mydomainnamehere,DC=com
Default-First-Site-Name\BDC via RPC
DSA object GUID: bf9cd30e-487b-403e-a1aa-a6af280106d9
Last attempt @ 2022-04-25 10:31:48 was successful.

DC=DomainDnsZones,DC=mydomainnamehere,DC=com
Default-First-Site-Name\BDC via RPC
DSA object GUID: bf9cd30e-487b-403e-a1aa-a6af280106d9
Last attempt @ 2022-04-25 10:31:48 failed, result 8606 (0x219e):
Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
3470 consecutive failure(s).
Last success @ 2022-03-20 17:55:39.

Source: Default-First-Site-Name\BDC
*** 3469 CONSECUTIVE FAILURES since 2022-03-20 17:55:39
Last error: 8606 (0x219e):
Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.




So how can I delete this replication Object :
DSA object GUID: bf9cd30e-487b-403e-a1aa-a6af280106d9
what is the command to delete it?

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AkramMokhtar-7181 avatar image
0 Votes"
AkramMokhtar-7181 answered

i ran this command
C:\Repadmin /replsum /bysrc /bydest /sort:delta >>c:\replication_report.txt

output of replication_report.txt

Replication Summary Start Time: 2022-04-25 10:40:42


Beginning data collection for replication summary, this may take awhile:

.....




Source DSA largest delta fails/total %% error

BDC 35d.16h:45m:03s 1 / 5 20 (8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

DC 54m:03s 0 / 5 0





Destination DSA largest delta fails/total %% error

DC 35d.16h:45m:04s 1 / 5 20 (8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

BDC 54m:04s 0 / 5 0




so my problem is with this fails 1 only ,which is the object I want to delete ,am I right?

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AkramMokhtar-7181 avatar image
0 Votes"
AkramMokhtar-7181 answered AkramMokhtar-7181 commented

today netlogin is paused
and i get these new errors
200925-errr-in-may2022.jpg



errr-in-may2022.jpg (34.6 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

in Services - i started the netlogin server and it works but still have the failed error ,the tool of Lingering Object Liquidator (LoL) ,it didn't work on my servers 2019 and on server 2012 R2 ,how can I make it work and solve my issues?

0 Votes 0 ·

@DSPatrick can you help me?

0 Votes 0 ·
AkramMokhtar-7181 avatar image
0 Votes"
AkramMokhtar-7181 answered

@DSPatrick
at last i manager to make it open in a workstation ,I found that ,I'll delete it and see the results
Thanks for your support

200849-dc-issue-lol1.jpg



dc-issue-lol1.jpg (247.2 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.