Hello,
I've got a few questions regarding the demotion of a Windows Server 2008 R2 Enterprise secondary DC server. The problem looks like this:
DC1 - Holds all the FSMO roles and is a GC server too. It also has the following roles installed:
AD DS
DNS Server
File Services
DC2 - Is a GC too, but doesn't hold any other roles; it acts as a secondary DC for AD replication purposes and has the following roles installed:
DHCP Server
DNS Server
File Services
Print and Document Services
Web Server (IIS)
WSUS
TEA Server
Here's the rub: DC1 is showing signs of tombstoning, based on the fact that it can't receive updates from DC2. It hasn't replicated in over three years (so DCDiag showed). I know, I know, "how did it get this far in life?" you're asking. Let's just say it took me by surprise, as I only took over the network a few months ago and have finally had a chance to pore through the logs. (When I tried to add a user via the secondary DC for an Exchange account reference, I couldn't find the user's account entry that I knew existed; when I dug deeper into why the account didn't seem to replicate over to the primary DC, that is where the ball of yarn got way bigger.) What I found next were the following Event IDs:
Event 2092, ActiveDirectory_DomainService:
"This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected."
Event 2042, ActiveDirectory_DomainService:
"It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two DCs may contain lingering objects. Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest, are known as "lingering objects". If the local destination DC was allowed to replicate with the source DC, these potential lingering objects would be recreated in the local Active Directory Domain Services database."
Now for the bomb drop:
Time of last successful replication:
2010-10-30 02:20:35
Invocation ID of source directory server:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
Name of source directory server:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx.msdcs.some.local
Tombstone lifetime (days):
60
The replication operation has failed.
Now, the question I have, because I verified that DC1 holds all the FSMO roles: can I just demote DC2 and then raise up another DC in its place in order to allow DC1 to have a "fresh" AD DS to replicate with? Or will that not work because the GCs are tied into each other, plus the DNS records that are shared as well? I'm asking because I'd rather not perform a million-dollar fix for what would take a $0.39 solution. To recap:
DC1 can post replication data in the direction of DC2 (no errors when running repadmin).
DC2 cannot post replication data in the direction of DC1 (it's experiencing KCC errors, doesn't know that it's a valid time source, and object replication failure is occurring; these are the errors that come up on DC2's side when I ran the repadmin and DCDiag tools). Any suggestions on how to approach this mess would be greatly appreciated.
Jessie R
Network Systems Administrator (non-profit company)
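A read-only diagnostic script for the situation described in the post above, added here as an example; it is not part of the original post and not something the poster ran. It assumes it is run in an elevated PowerShell on the DC that logs Event 2042 (DC1 here), on Windows Server 2008 R2 with the ActiveDirectory module (RSAT-AD-PowerShell, backed by ADWS) available; the names DC1, DC2 and the partition names are placeholders taken from the post. It lists FSMO and GC placement, reads the forest tombstone lifetime, parses `repadmin /showrepl /csv` to flag every inbound link whose last success is older than that lifetime (the condition behind Event 2042), reads the Strict Replication Consistency setting, and runs `repadmin /removelingeringobjects` in advisory mode, which only reports and deletes nothing.

```powershell
# Added example, not from the original post. Assumptions: run elevated on the DC that
# logs Event 2042 ($dest); RSAT-AD-PowerShell present; DC1/DC2 are placeholder names.
Import-Module ActiveDirectory

$dest   = 'DC1'   # destination DC refusing inbound replication (logs Event 2042)
$source = 'DC2'   # the "source directory server" named in that event

$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext        # e.g. DC=some,DC=local
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# 1. Confirm where the FSMO roles actually sit and which DCs are global catalogs.
Get-ADDomainController -Filter * |
    Select-Object Name, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# 2. Forest tombstone lifetime. An unset attribute means the default applies
#    (60 days for forests created before Windows Server 2003 SP1, 180 days after).
$dsCfg = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
            -Properties tombstoneLifetime
$tsl = if ($dsCfg.tombstoneLifetime) { [int]$dsCfg.tombstoneLifetime } else { 60 }
Write-Output "Tombstone lifetime: $tsl days"

# 3. Parse repadmin's CSV output for every inbound link on $dest and flag links whose
#    last success is older than the tombstone lifetime. A value such as "(never)"
#    fails to parse and is treated as infinitely old.
$links = repadmin /showrepl $dest /csv | ConvertFrom-Csv
foreach ($l in $links) {
    $last   = [datetime]::MinValue
    $parsed = [datetime]::TryParse($l.'Last Success Time', [ref]$last)
    $age    = if ($parsed) { ((Get-Date) - $last).TotalDays } else { [double]::PositiveInfinity }
    $state  = if ($age -gt $tsl) { 'PAST TOMBSTONE LIFETIME' } else { 'ok' }
    Write-Output ('{0,-45} from {1,-10} last success {2,-20} failures={3} {4}' -f `
        $l.'Naming Context', $l.'Source DSA', $l.'Last Success Time',
        $l.'Number of Failures', $state)
}

# 4. Strict Replication Consistency on this DC: 1 means the DC refuses inbound changes
#    from a partner that sends lingering objects instead of reanimating them.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue
Write-Output ("Strict Replication Consistency: {0}" -f $ntds.'Strict Replication Consistency')

# 5. Advisory-mode lingering-object scan (reports only, removes nothing).
#    repadmin wants the partner's DSA object GUID, i.e. the objectGUID of its
#    NTDS Settings object (the GUID in the <GUID>._msdcs CNAME), NOT the
#    invocation ID that the event text also shows.
$srcSettingsDN = (Get-ADDomainController -Identity $source).NTDSSettingsObjectDN
$srcDsaGuid    = (Get-ADObject $srcSettingsDN).ObjectGUID
foreach ($nc in @($domainNC, $configNC, $schemaNC)) {
    Write-Output "--- advisory-mode lingering object scan of $dest against $source for $nc"
    repadmin /removelingeringobjects $dest $srcDsaGuid $nc /advisory_mode
}
```

Advisory mode writes the DNs of objects it would delete to the Directory Service event log on the destination DC, so swap `$dest` and `$source` and run it again to see what each side holds that the other does not; for GCs the read-only partitions would need the same treatment. The script deliberately stops at diagnosis: demotion, metadata cleanup and any non-advisory removal are separate, irreversible steps and are not included.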