Active Directory
Nikolai Shevtsov, 2015-09-23 22:32:16

Will it be possible to "reconcile" domain controllers?

Good afternoon, colleagues!
It so happened that the two controllers of one domain in our Active Directory forest ended up with slightly different operating systems:
Primary controller in the central office (DC) - Windows 2008 SP2 x86 (6.0.6002) - all FSMO roles
Secondary controller in the Chelyabinsk branch (DC-CHEL) - Windows 2008 R2 SP1 x64 (6.1.7601) - GC only
All this somehow worked for a while, until quite tangible problems with DNS resolution of domain hostnames began.
As I found out later, for some time (quite a long time) the controllers did not see each other, and DC-CHEL was most likely switched off. The DNS log had warning 4013 from the start, which was waiting for the initial directory synchronization to complete. About a year later it was replaced by error 4000, after which users noticed that something was wrong. I could not see any direct precursors in the System log. Indirectly, the following may have been related: warning 29 from Kerberos-Key-Distribution-Center, and then, once DNS error 4000 began, 1055 from GroupPolicy and 4 from Security-Kerberos poured in.
It is obvious that initially something interfered with replication. The controllers are in different sites and different subnets. Everything is fine in the TCP/IP stack, although there was one moment when there was no reverse route on the DC, but that has been fixed.
I see several possible reasons:
1. Due to differences in Windows versions (R2 and non-R2), AD services cannot work correctly together.
2. DNS warning 4013. Google leads to completely different topics, and the advice differs just as much, up to moving the DNS zone to a separate DNS server (not AD-integrated). So I did not fully understand it.
Perhaps I missed something. I'll add along the way, if anything.
What are the possible solutions:
1. Demoting DC-CHEL to a member server (which is also not yet feasible by standard means: dcpromo /forceremoval does not help, it fails with the error "DFS Replication: The target principal name is incorrect.") and bringing both controllers to the same version of Windows.
2. If the joint operation of these Windows versions is nevertheless possible, then somehow forcing them to replicate.

repadmin /replsum
Время запуска сводки по репликации: 2015-09-24 01:51:25

Начат сбор данных для сводки по репликации, подождите:
  .....
Исходный DSA        наиб. дельта     сбоев/всего %%   ошибка
 DC               >60 days            5 /   5  100  (2148074274) Главное конечное имя неверно.

Конечный DSA        наиб. дельта      сбои/всего %%   ошибка
 DC-CHEL          >60 days            5 /   5  100  (2148074274) Главное конечное имя неверно.

Возникли следующие ошибки при попытке получения сведений о репликации:
        8341 - dc.epa.net

In general, whatever I do now with the DC-CHEL controller, everything comes down to the one error "The target principal name is incorrect." Can you suggest something more efficient and less laborious, so that the controller does not have to be shipped from Chelyabinsk to reinstall Windows and then sent back?

2 answer(s)
Nikolay Shevtsov, 2015-09-25
@coliator

So.
It has not been possible to reconcile them. But after a good deal of fiddling, dcpromo /forceremoval did work. After cleaning up all the metadata, I promoted it as an RODC, which is what should have been done in the first place.

Alexander Nikitin, 2015-09-24
@padla2k

Different versions of Windows do not interfere with AD (the main thing is that the forest and domain level be equal to the highest version of the domain, in your case Windows 2008).
Your problem is purely one of replication. If one of the controllers has been unable to replicate data from the other for more than 180 days, that is bad news.
A similar case, read here:
forum.oszone.net/thread-212829-4.html
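As an added triage helper (not code from this thread, nor a Microsoft tool), the script below reads the CSV form of `repadmin /showrepl`, decodes the 2148074274 status the question quotes, and flags inbound links whose last success is older than the tombstone lifetime the answer refers to, which is the case where demoting and re-promoting the controller is the safe route. The sample rows, the site names, the epa.net naming contexts and the timestamp format are constructed assumptions modelled on the question.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the layout of `repadmin /showrepl * /csv`, modelled on the
# thread: DC-CHEL cannot pull from DC and every attempt fails with 2148074274.
SAMPLE_CSV = '''showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Chelyabinsk,DC-CHEL,"DC=epa,DC=net",Central,DC,RPC,5,2015-09-24 01:50:12,2015-03-01 08:15:44,2148074274
showrepl_INFO,Chelyabinsk,DC-CHEL,"CN=Configuration,DC=epa,DC=net",Central,DC,RPC,5,2015-09-24 01:50:12,2015-07-10 11:02:09,2148074274
showrepl_INFO,Central,DC,"DC=epa,DC=net",Chelyabinsk,DC-CHEL,RPC,0,,2015-09-24 01:45:00,0
'''
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed; real repadmin output uses the local date format
SAMPLE_NOW = datetime(2015, 9, 24, 1, 51, 25)  # the /replsum timestamp quoted in the thread
# Status code seen in the thread, decoded for the reader (HRESULT 0x80090322).
KNOWN_STATUS = {0x80090322: "SEC_E_WRONG_PRINCIPAL: the target principal name is incorrect"}

def describe_status(code):
    """Render a repadmin status code as decimal plus hex, with a name if known."""
    code = int(code)
    if code == 0:
        return "0 (success)"
    return f"{code} (0x{code:08X}) {KNOWN_STATUS.get(code, 'unknown error')}"

def parse_showrepl_csv(text):
    """Keep only the showrepl_INFO rows (one per inbound replication link)."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r["showrepl_COLUMNS"] == "showrepl_INFO"]

def assess(rows, now, tombstone_days=180):
    """Classify each inbound link. 180 days is the lifetime the answer cites; forests
    created before Windows 2003 SP1 default to 60, so read the real value from the
    tombstoneLifetime attribute of CN=Directory Service in the configuration NC."""
    findings = []
    for r in rows:
        last_ok = r["Last Success Time"]
        age = (now - datetime.strptime(last_ok, TIME_FORMAT)).days if last_ok else None
        if int(r["Number of Failures"]) == 0:
            severity = "ok"
        elif age is None or age > tombstone_days:
            severity = "beyond-tombstone"  # lingering objects likely; repairing the link alone is not safe
        else:
            severity = "failing"
        findings.append({"destination": r["Destination DSA"], "source": r["Source DSA"],
                         "nc": r["Naming Context"], "age_days": age, "severity": severity,
                         "status": describe_status(r["Last Failure Status"])})
    return findings

if __name__ == "__main__":
    for f in assess(parse_showrepl_csv(SAMPLE_CSV), SAMPLE_NOW):
        print(f"{f['destination']:8} <- {f['source']:8} {f['nc']:32} {f['severity']:16} {f['status']}")
```

On a real domain, feed it the output of `repadmin /showrepl * /csv` instead of the constructed sample.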
