Should I Demote to Fix Replication?

mike

I have a follow up question to my earlier post regarding domain controllers
that have become out of synch and have passed the "tombstone" period and so
will no longer replicate with each other.

It was suggested that I change a registry setting to allow for replication
between "corrupt partners."

I only have two DCs, and we are a medium-size organization (maybe 300
users). Would it be better simply to demote DC2 to a non-DC, and then
re-promote it to a DC? Or is it a better and safer solution to follow
through with the registry change?

Thanks,

(Also, is there any way to back up the user accounts to a file or
something?)
 
Guest

That's probably the best way to go in my opinion. You could install/promote a
temporary DC for redundancy, then demote/promote the faulty DC.
 
mike

Excellent. Thank you both for your input. I will add a 3rd domain
controller (DC3) temporarily, point it to the original DC1 for replication,
and then demote DC2. I think DC1 has the most current user account
additions, even though it is the one giving me all the 2042 errors. DC2
seems "happier" but it does not have all the latest accounts.
 
mike

Uh oh. Here's a problem. When I created a new DC (DC3) it went out and
authenticated itself to DC2, which is the healthy but incomplete DC.

I guess I should have turned DC2 off first in order to ensure that DC3
authenticated and replicated to DC1.

Dammit.
 
mike

Okay, I shut down DC2. This forced my new domain controller (DC3) to
replicate with our original domain controller, DC1.

So now it looks like I have two working DCs. I did get a lot of 1153
"Warnings" on the new DC3 box, but not errors. And it appears all the
recent user additions are under the users folder.

The question now, I guess, is what do I do with DC2 ?

Should I put it back online and try to demote it?

Should I keep it offline and run dcpromo /forceremoval?

Or something else?

Thanks again.
 
Herb Martin

mike said:
> Okay, I shut down DC2. This forced my new domain controller (DC3) to
> replicate with our original domain controller, DC1.
>
> So now it looks like I have two working DCs. I did get a lot of 1153
> "Warnings" on the new DC3 box, but not errors. And it appears all the
> recent user additions are under the users folder.

I would strongly suggest running DCDiag on each DC and
fixing any errors (at least those unrelated to the sick DC).

> The question now, I guess, is what do I do with DC2 ?
> Should I put it back online and try to demote it?
> Should I keep it offline and run dcpromo /forceremoval?
> Or something else?

If you do the latter you will also need to clean up the AD with
NTDSUtil "metadata cleanup".

I would likely bring it online. DCPromo, make sure the
others are ok, and then DCPromo #2 to become a DC
if that is what I want.

After fixing it, run the DCDiag and fix any errors.
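
One way to check every replication link at once for the condition behind the 2042 events in this thread, as an added example that is not part of the original posts: it parses output in the column layout of `repadmin /showrepl * /csv` and flags links whose last success is older than the tombstone lifetime. The sample rows, the `example.local` domain, the dates and the 60-day value are constructed assumptions; only the DC names come from the thread.

```powershell
# Added example, not from the thread. Flags replication links whose last
# success is older than the tombstone lifetime.
$TombstoneDays = 60                 # assumption: use your forest's tombstoneLifetime
$Now = [datetime]'2024-06-01'       # fixed for the sample; use Get-Date on live data

# Constructed sample in the column layout of: repadmin /showrepl * /csv
# On a DC, replace the here-string with the real command output.
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=local",Default-First-Site-Name,DC2,RPC,412,2024-05-31 09:00:12,2024-01-10 03:14:55,8614
showrepl_INFO,Default-First-Site-Name,DC3,"DC=example,DC=local",Default-First-Site-Name,DC1,RPC,0,0,2024-05-31 22:47:03,0
'@

$report = foreach ($r in ($csv | ConvertFrom-Csv)) {
    # "Last Success Time" is not a date when the link has never replicated.
    $last   = [datetime]::MinValue
    $parsed = [datetime]::TryParse($r.'Last Success Time', [ref]$last)
    $days   = if ($parsed) { [math]::Floor(($Now - $last).TotalDays) } else { $null }

    # Later checks override earlier ones, so the most serious state wins.
    $status = 'OK'
    if ([int]$r.'Number of Failures' -gt 0)        { $status = 'FAILING' }
    if ($parsed -and $days -gt $TombstoneDays)     { $status = 'PAST TOMBSTONE LIFETIME' }
    if (-not $parsed)                              { $status = 'NEVER REPLICATED' }

    [pscustomobject]@{
        Destination = $r.'Destination DSA'
        Source      = $r.'Source DSA'
        Context     = $r.'Naming Context'
        Failures    = [int]$r.'Number of Failures'
        LastError   = $r.'Last Failure Status'
        DaysSince   = $days
        Status      = $status
    }
}

# Links past the tombstone lifetime need the demote/re-promote (or forced
# removal plus metadata cleanup) path discussed above, not a simple retry.
$report | Sort-Object DaysSince -Descending | Format-Table -AutoSize
```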
 
mike

Thanks, Herb, that is what I will do.

dcdiag and repadmin /showpartners seem to be fine on DC1 and DC3.

I will bring DC2 online and run dcpromo to remove it from the domain.

> I would likely bring it online. DCPromo, make sure the
> others are ok, and then DCPromo #2 to become a DC
> if that is what I want.
>
> After fixing it, run the DCDiag and fix any errors.
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]

Thanks again.
 
