Resuming Replication after 60 Days

[Guest]

I've started to do some work for a company and discovered that they have a
domain that is utilized over two sites that have poor connectivity, with a DC
at both sites. It resulted in the DC's not replicating for over 60 days.
Manually initiating a replication gives a ERROR_REPLICA_SYNC_FAILED_ACCESS IS
DENIED, message. Both sites have been treated as essentially independent
sites, so I don't think replicating will cause any problems with the objects
in AD - ie, JohnDoe at Site 1 won't overwrite JohnDoe at Site 2. Thus I'm
wanting to force the replication. Anyone know how to force this replication?

 

[Herb Martin]

I've started to do some work for a company and discovered that they have a
domain that is utilized over two sites that have poor connectivity, with a
DC
at both sites. It resulted in the DC's not replicating for over 60 days.

Probably the value of the Tombstone setting after which it is dangerous
to replicate.

Manually initiating a replication gives a ERROR_REPLICA_SYNC_FAILED_ACCESS
IS
DENIED, message. Both sites have been treated as essentially independent
sites, so I don't think replicating will cause any problems with the
objects
in AD - ie, JohnDoe at Site 1 won't overwrite JohnDoe at Site 2. Thus I'm
wanting to force the replication. Anyone know how to force this
replication?

Deleted objects from either site will come back to life.

It's a bad thing to do even if you can figure it out.

Standard way is to "pick one" and DCPromo the other DC to non-DC,
then DCPromo it back to DC.

You can search Microsoft for a method of forcing the replication by
altering the tombstone lifetime but it isn't really safe.

 

[Guest]

Thanks for the response. We are talking about a limited number of users
here, about 25 in total. Users have typically been at one location for the
entire time the domain was in existence, so the user account has been
replicated to both DC's but only the one local to them has been updated for
their account - for example, password changes. What I'm afraid of is if I
dcpromo down one of the DC's that has had a new user created since the
replication failures, then that account will no longer exist. I think I'd
rather take my chances with restarting replication between the two. Does
that make sense?

 

[Herb Martin]

Thanks for the response. We are talking about a limited number of users
here, about 25 in total. Users have typically been at one location for
the
entire time the domain was in existence, so the user account has been
replicated to both DC's but only the one local to them has been updated
for
their account - for example, password changes. What I'm afraid of is if I
dcpromo down one of the DC's that has had a new user created since the
replication failures, then that account will no longer exist.

It won't exist if the DCPromo-cycled DC created it without replicating.

I think I'd
rather take my chances with restarting replication between the two. Does
that make sense?

I wouldn't but I can understand your desire.

Try Googling:

[ site:microsoft.com replication "tombstone lifetime" |
tombstone_lifetime ]

If that isn't specific enough you might throw in terms like:

~re-enabling "longer than" failed

 

[Andrei Ungureanu [MVP]]

If you are talking about only a limited number of users - 25, I don't think
it can be too hard to do a comparation between the user lists on both domain
controllers. If you'll find one dc that has all the users .. then do the
dcpromo(demote/promote) on the other dc. It will be quick and safe.
And remember to do backups before you'll start anything.

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au

Thanks for the response. We are talking about a limited number of users
here, about 25 in total. Users have typically been at one location for
the
entire time the domain was in existence, so the user account has been
replicated to both DC's but only the one local to them has been updated
for
their account - for example, password changes. What I'm afraid of is if
I
dcpromo down one of the DC's that has had a new user created since the
replication failures, then that account will no longer exist.

It won't exist if the DCPromo-cycled DC created it without replicating.

I think I'd
rather take my chances with restarting replication between the two. Does
that make sense?

I wouldn't but I can understand your desire.

Try Googling:

[ site:microsoft.com replication "tombstone lifetime" |
tombstone_lifetime ]

If that isn't specific enough you might throw in terms like:

~re-enabling "longer than" failed

 

[Paul Bergson [MVP-DS]]

Do an ldap dump of the server you are going to dcpromo out in the event you
need to recreate a user. It will have pain short term but you can start
ending up with issues which you may not be able to easily understand.

Check out ldifde, a utility that could help you out.
http://computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Paul Bergson [MVP-DS]]

"... ending up with issues which you may not be able to easily understand."

This is in reference if you don't demote and promote one of them.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jorge de Almeida Pinto [MVP - DS]]

for additional info see:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/153.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/08/Lingering-objects.aspx


READ FIRST, ACT AFTER THAT
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx