How to handle domain controllers that do not synchronize

Source: Internet
Author: User

Causes, handling and monitoring of domain controllers that fail to synchronize. Recently the Exchange 2007 Information Store service failed to start. On checking, the Active Directory replication service shows a large number of error messages, and the related log entries say that a domain controller has not synchronized for a long time. Please help analyze the log to determine whether a domain controller in the existing domain environment can no longer synchronize because it went too long without a successful synchronization. If this is the case, how should it be dealt with?

The domain environment is currently Windows 2003, and all domain controllers run 2003, four in total. I would also like to know how to discover and determine that a domain controller has dropped out of the domain because it has gone a long time without synchronizing successfully.

Answer: According to your description, I understand that the situation you are facing is as follows.

Situation: 4 domain controllers are deployed in the Windows 2003 domain.

Problem:

1. The Exchange 2007 Information Store service cannot be started;

2. A large number of Active Directory replication error messages appear in the log.

(This article is from the Active Directory SEO: http://gnaw0725.blogbus.com/c1404552/)

Based on your description and the log you sent me, my analysis of the problems in your environment is as follows:

1. The domain controller ADSERVER1 has not synchronized with the other DCs in the domain for a long time; the last success was at 09:11:39 on 2008-11-03.

2. The time without synchronization has exceeded the tombstone lifetime (180 days).

3. The log you provided is the one from ADSERVER1, so it only shows that ADSERVER1 has a replication problem; whether the other three DCs in the domain have replication problems cannot be judged from it.

4. The Exchange 2007 Information Store service could not start normally because of the Active Directory replication problem, although other possibilities are not ruled out.

To resolve the error that prevents the DC from synchronizing, I recommend that you do the following on ADSERVER1:

1. Forcibly demote the domain controller

dcpromo /forceremoval

2. Clean up the Active Directory metadata of ADSERVER1

Clean up the metadata using the Ntdsutil command-line tool.

3. Promote the server to a domain controller again

dcpromo

Also, I recommend that you check that Active Directory replication is normal on the other domain controllers in the domain.

1. Check the Directory Service log for replication errors;

2. Use the Repadmin tool to check Active Directory replication

repadmin /syncall

repadmin /showreps

Note: The Repadmin tool is part of the Support Tools, which you can find on the installation CD.

According to your description, I understand that ADSERVER1 is very important in your environment and cannot lightly be demoted and cleaned up. At the same time, according to your tests, this DC still works normally for client authentication, GPO distribution and other functions. So I recommend that you modify the registry to solve your Active Directory replication problem.

Modify the following registry value:

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner

Its value is 1.

This value allows the DC to ignore the "tombstone" lifetime during Active Directory replication, after which only partially purged objects are replicated. I recommend that you turn this registry setting off again after all the DCs in the domain have completed synchronization.

With this registry value set, the DC no longer checks, before replicating, whether the last update time of the source exceeds the tombstone lifetime.

Modifying this registry value does not have a large negative impact; the only downside is that some deleted objects are included in Active Directory replication, which increases the amount of network traffic.

Before the registry value is set, the DC stops replicating from any source that has exceeded the tombstone lifetime. This is because the objects that have been deleted on the two DCs may differ, and the source may still hold objects in the Deleted Objects container that garbage collection has not yet actually purged. Without this default check, objects on the source that should already have been cleaned up could be copied again to the target DC.

You can use the repadmin command to confirm
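To monitor for the condition described above (a DC whose last successful replication is older than the 180-day tombstone lifetime), the following added example, which is not part of the original answer, classifies each replication link from CSV output of the kind produced by `repadmin /showrepl * /csv`. The column names, the sample rows (other than the ADSERVER1 timestamp taken from the answer), the naming context and the `classify_links` helper with its warning threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

TOMBSTONE_DAYS = 180  # tombstone lifetime quoted in the answer above

# Constructed sample; column names are assumed to match `repadmin /showrepl * /csv`.
SAMPLE_CSV = """showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,ADSERVER1,"DC=example,DC=local",Default-First-Site-Name,ADSERVER2,RPC,412,2009-06-01 08:00:00,2008-11-03 09:11:39,8614
showrepl_INFO,Default-First-Site-Name,ADSERVER2,"DC=example,DC=local",Default-First-Site-Name,ADSERVER3,RPC,0,0,2009-06-01 07:45:10,0
showrepl_INFO,Default-First-Site-Name,ADSERVER3,"DC=example,DC=local",Default-First-Site-Name,ADSERVER2,RPC,3,2009-05-30 10:00:00,2009-05-29 23:10:00,1722
"""

def parse_time(text):
    """Return a datetime, or None when the field holds no timestamp (e.g. '0')."""
    try:
        return datetime.strptime(text.strip(), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None

def classify_links(csv_text, now, tombstone_days=TOMBSTONE_DAYS, warn_fraction=0.5):
    """Return (destination, source, status, age_days) for every inbound link."""
    limit = timedelta(days=tombstone_days)
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["showrepl_COLUMNS"] != "showrepl_INFO":
            continue  # skip error or summary rows, which carry no link data
        last_ok = parse_time(row["Last Success Time"])
        failures = int(row["Number of Failures"] or 0)
        age = None if last_ok is None else now - last_ok
        if age is None:
            status = "NEVER"      # no successful replication recorded
        elif age > limit:
            status = "EXPIRED"    # older than the tombstone lifetime
        elif age > limit * warn_fraction:
            status = "WARNING"    # approaching the tombstone lifetime
        elif failures:
            status = "FAILING"    # recent success, but errors since then
        else:
            status = "OK"
        results.append((row["Destination DSA"], row["Source DSA"], status,
                        None if age is None else age.days))
    return results

if __name__ == "__main__":
    for link in classify_links(SAMPLE_CSV, now=datetime(2009, 6, 1, 9, 0, 0)):
        print(link)
```

Run on a schedule against fresh output from every DC, a WARNING result gives time to repair replication before the link reaches EXPIRED and the forced demotion or registry change discussed above becomes necessary.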
