How to troubleshoot and fix Active Directory replication issues on Windows Server 2012 R2

Captions
Hello friends, this is Snip from NLB Solutions, and today I'm going to show you how to troubleshoot Active Directory replication issues on Windows Server 2012 R2. First I want to say happy new year to everyone. I want to thank you for the support over the past few months, over the past year, and I want to wish you all the success and all the happiness in the brand-new 2016 year, and that you have fewer issues than before.

So let's dig into the video. In this video I'm going to show you how the long vacation on my domain controllers resulted in replication not working: the DCs were not able to talk to each other. After powering on my DCs after a month of vacation I noticed that my first domain controller was not replicating; it showed a lot of errors, so I decided to make a video about it and show you how I'm going to handle the situation.

What I initially thought would be best to do was to demote DC01. I tried a graceful demotion, I tried a forceful demotion, but unfortunately, as you will be able to see in my video, I was not able to demote my DC. What I had to do was reset the computer account for my DC. After that the replication started working once again, but the demotion was already in place and my DC was not working properly, so what I did next was to fully perform the graceful demotion, and after that I checked whether any metadata cleanup was needed.

The best way, and what I recommend you do, is to check and perform the metadata cleanup from the graphical interface, using Active Directory Users and Computers, DNS, and Active Directory Sites and Services. In there you can look for and find any old records, any stale records, for your demoted DC. If you did a forceful demotion you can of course use ntdsutil with the metadata cleanup switch to do it, but from my past experience that did not successfully remove all the stale records for the DC, and I had to do it manually from the graphical interface again. At the end, if you still experience any issues with promoting your DC, you can always use ADSI Edit to remove it from your Active Directory partitions if there are any records for your DC there.

Next I'm going to proceed with promoting my DC01, and I'm going to check the replication, check everything after the promotion using the repadmin and dcdiag commands, and I'm going to make sure that my Active Directory Sites and Services are as they should be.

So let's start with the demonstration. I'm going to start by logging into my first domain controller with my administrator account. I'm going to work on both the first and the second one today, so I'm going to log in to the second one as well so it can fully load. During the holiday season I was not able to power on my servers and my virtual machines, and unfortunately when I did that today I noticed that my first domain controller had not been able to talk to my second one for more than a month; it stopped replicating information from Active Directory, and when I try to do it today it's not functioning properly.

Let me show you. When I try to open the DNS server which is running on my first DC, it's showing that I don't have the permissions, the access is denied, so it's not able to open DNS. When I try to open the Active Directory modules, they are there, but they are not updating properly, unfortunately. When I check the replication between my two servers it's not functioning properly; let me show you: it's saying that it's not able to contact my second DC because of a DNS lookup failure. When I run dcdiag, let me show you, there are a lot of errors which prevent my server from advertising itself as a domain controller, which is not cool. You can see that Kerberos has lost the ticket information and currently it's not able to authenticate that this server is a domain controller, and it's not able to replicate any information.

So this is a good way for me to show you what you can do if you have such an issue: when the replication between the domain controllers has stopped for more than the configured time for the Kerberos ticket to work, then it loses the authentication for the Active Directory database and it stops working and functioning properly. So I'm going to show you how you can fix that and which is the best way to do it. It happened to me in the past, so I had to do it, and most probably most of you will, or were, able to see and figure out how to do it.

The best way for me to do this is to demote my first domain controller and leave my second domain controller to hold the nlblab.com domain. If you remember, before this I switched the FSMO roles to my second DC; let me show you, with netdom query fsmo. My second DC is working properly; I'm able to see the DNS zone for the NLB lab, everything is there, all the records are there regarding my machines. So I would assume that it would be best for me to proceed with demoting DC01 and re-promoting it again. You can see that all my FSMO roles are currently residing on DC02. If, for example, my DC01 was not working at all and any FSMO roles were still on it, I would have to seize the roles, because I'm pretty sure that I won't be able to transfer them gracefully, and I would have to seize them all.

So let's start with demoting DC01, and after that we are going to perform a cleanup in my Active Directory. I'll show you a few ways that you can do it, but I think the fastest and the most graceful way would be just to go ahead and clean everything related to DC01 from Active Directory using the modules instead of using commands like ntdsutil. So let's start with demoting the DC right now. I'm going to click on Manage and Remove Roles and Features, click Next, I want to do it on NLBDC01, click Next, and I'm going to deselect Active Directory Domain Services.

Now, after I select this option, it will say that the server is still a domain controller, so first I would need to demote it; if you remember from the video on how to demote a domain controller, this is the message that you will receive. So I'm going to click on Demote this domain controller. OK, I'm going to use my NLB admin user to demote it. I'm going to click Next, and it will say that the server is a DNS server, which is not working as I showed you, and a global catalog, so I need to select the option to proceed with removal and click Next. I'm going to specify the new administrator password; even though the server will remain in my domain, just in case, I'm going to set a password for my local administrator. OK, Next. Here you'll be able to see the script that is going to demote my domain controller, and I'm going to click Demote.

OK, I can see that the normal demotion is not able to fully demote my server, so that means that I'll have to do a forced demotion on my server. As I told you guys, the connection between my first DC and my second DC for some reason failed, because they were not able to talk for more than a month, so I'll have to do a forced demotion on my server. So let's do it right now. We can do this the same way that we tried to do it gracefully: let me select that and Demote, but this time, instead of using only credentials, I'm going to select the option to force the removal of this domain controller. It will warn me that I will need to do a manual metadata cleanup after the removal. I understand that, and as I said, I'm going to show you how you can do it, so let me click Next on this message. I'm going to proceed with the removal and again specify the password for my local admin and click Next. Let me view the script once again; this time, instead of only -Force $true, it's going to run with -ForceRemoval $true in the script. So let's do this, let's demote the DC.

So I faced another error, showing that it's not able to demote my domain controller, so I'm going to try a fix to see if that would help me to demote it. First, what I'm going to do is open my services, find my Kerberos Key Distribution Center (KDC) service, stop it, and disable it as well. Then I'm going to restart my server, and after the restart I'm going to proceed with resetting the password for the DC's computer account and see if that would work. So let's see if that would help me demote my server once again.

I'm going to log into my server once again after the restart. OK, I'm going to open a PowerShell or a command prompt as administrator and I'm going to type the following: netdom resetpwd /server:NLBDC01 /userd:NLBLAB\nlbadmin /passwordd: and then the password. Let me pause just to enter the password. OK, after executing the command it said that the machine account password for the local machine has been successfully reset. So what I'm going to do is set the service back to Automatic and restart the server once again. Let's see what will happen after that. OK, let's just shut down once again; I'm going to pause the video once again so you don't have to wait for the server to restart, and after that we are going to check it.

After my server is up and running again, I'm going to log into it with my NLB admin, and let's see. OK, for some reason my server was demoted, as far as I can see. Let me just see; let me open dcdiag. It's still showing a lot of errors, so let me try to remove the Active Directory Domain Services once again. OK, I'm going to demote, after resetting the local computer account; let's see if it'll be able to demote gracefully. OK, Next, I'm going to proceed with removal, again specify a password, and Demote. OK, this time I think it's going to demote my DC. I'm going to pause the video here so you don't have to see the whole process of the demotion.

OK, after the demotion completed successfully the server is going to restart. You can see: the Active Directory domain controller was successfully demoted. After the restart I'm going to proceed with uninstalling the Active Directory Domain Services, so let's just wait for the server to boot up once again.

OK, now I'm going to log back in with my domain admin account. Just to inform you: when I reset the password for the local computer account for the domain controller, the replication actually started to work again, but unfortunately I think my domain controller was partially demoted, partially not, so the best way for me was just to fully demote it. But if you experience such issues, when your DC is not working, you can try the method of just resetting the computer account for the server and see if that would help you. I'm going to proceed with completely uninstalling the Active Directory Domain Services from the server, and while this is happening I'm going to switch over to my second domain controller and just verify. OK, the removal is in progress; I'm going to switch over to my second DC and just verify that there are no leftovers from my first domain controller. Yeah, it's gone from the Domain Controllers OU in Active Directory, and now it should only be a member server; there it is. So the graceful demotion of my domain controller helped a lot. If the domain controller was not able to demote gracefully and the forced removal was needed, I would have to go ahead and just delete the computer account from here; it would think that the server is a global catalog and it will ask me to perform the metadata cleanup by itself, which is really better than the method of doing a metadata cleanup from ntdsutil. So if you experience problems with a domain controller which is not able to replicate with the others, and when the server was offline for more than a few months, I assume that forced removal will be needed, and then you have to do the metadata cleanup. Just do it from Active Directory Users and Computers and from Active Directory Sites and Services. When you open Sites and Services you can locate where exactly the DC is and whether there are any links that were left behind by it. The third one that you need to check is DNS: you need to check whether there are any leftovers from the first DC and just remove them manually. So yeah, Sites and Services: here you can see that I have the main office and Servers, NLBDC01, but there are no links. Let me show in the branch DC02: there are the NTDS Settings, but there are no links connecting to DC01 to replicate the information, so that's good.

So the removal is complete. I'm going to close that and I'm going to restart my server once again so it can complete. Now my server is up and running once again. I'm going to log into it; this is a member server of my domain, so I'm going to use my domain admin credentials, and from here I'm going to re-promote the server to a domain controller once again, so I can be sure that everything is fine with it. So I'm going to Add Roles and Features and I'm going to add them on my first domain controller, which is not one at the moment. I'm going to add the features, click Next, Next, and Install. I'm going to wait for the process to finish and after that I'm going to re-promote it to a DC, so I'm going to pause the video until the installation is complete and proceed after that with the promotion.

OK, the wizard finished successfully and I'm going to proceed with promoting the server to a DC. I'm going to add the domain controller to an existing domain, which is nlblab.com, with the current credentials. I'm going to click Next. It's going to proceed with the checks that are required for it to fully promote without any errors, and I'm going to set the DSRM password that I would need if something happens with it. I'm going to click Next, and if you see here, it's currently going to put my DC in the main office, because it's detecting that the subnet for my domain controller is the same as the subnet for this DC. Let me show you: if I open my properties you will see that it's currently residing in the 10.0.0.0 network, and in my Sites and Services, if I go to my second one, the subnets are configured, and there it is: the subnet 10.0.0.0 is currently linked to my main office. That's why it automatically detects that the server is in the main office. So I'm going to click Next, and once again Next, and I'm going to replicate from any domain controller; I have only one at the moment, so I'm going to click Next. Save the database, the log files and the SYSVOL in the default location, and you can view the script; it's really simple. OK, Next, and it's going to start with installing and promoting my DC; it's going to replicate the information. After this wizard is complete, my DC01 should be fully functional and operating. Oh, actually, it happened really fast: this is the prerequisite check, and I'm going to install now. It's going to show the warning messages, but there are no critical errors that will prevent me from promoting my DC. So I'm going to pause the video, and after the initial replication and the promotion are done we are going to proceed with the final checks to see if the replication between the DCs is up and running fine.

OK, so the promotion finished successfully and it will restart the server, as it's supposed to do. The server was successfully configured as a domain controller, which is good for me to see. So I'm going to wait for the server to restart and we are going to proceed from there. OK, the server is almost done booting up the operating system, and now it's going to start all the Active Directory database services, everything for it. OK, it's done, so let's log into it with my domain admin account.

While this is loading up, if I switch to my second DC and go into my Active Directory, you can see that under Computers I have NLBDC01 as a member server, but if I refresh it should appear under Domain Controllers once again. There it is; it's a global catalog, it's detected as a global catalog. Let me refresh Sites and Services once again; I don't have any links currently linking my two DCs, so let me refresh that page once again. There is an automatically generated link to my first DC here; if I refresh once again it will create the NTDS Settings for me, and at the moment there are no links currently to the second DC, but I assume that that would appear automatically, so we'll have to just wait for the replication to fully occur. Let's see. OK, I can see that the replication to my second DC was successful and it happened today, a minute ago. Let me open the DNS console; this time it opens without any errors, without saying that it's not able to contact the second DC. Let me open Sites and Services and see how it looks from here. The thing is that I'll have to wait for the DCs to talk for a short time before trying to create anything, because at the moment I don't see the automatic link that should be created for my NLBDC01 for the replication, but I can see that the automatically generated link for DC02 from DC01 is created. So I'm going to leave the DCs to talk for a short period of time so they can fully replicate the information for my domain, and I'm going to check the final results with my DC diagnostics.

OK, as I said, after a short period of time the link to my first domain controller automatically appeared, and it is able to pull information from my DC02, which is great. I can force a replication now and I can check the replication status. OK, everything is successful; it's able to replicate, and it happened as I forced the replication, which is great for me. I can check the replication summary. The information for the delta will disappear later, because there shouldn't be any issues; the DCs just need more time to talk about it. So let me refresh that. Here the replication still did not occur, so let me pull the information from DC01 to force it. Let me refresh that page; there it is, the automatically generated link from DC02, which looks great as well. The replication on my second DC also seems to be good. Let me check the summary; there it is: now all the replication is occurring in the way that I want it. The last one from DC01 was 24 seconds ago, and from DC02 one minute ago. So it looks good, guys: the demotion and the re-promotion were successful. Let me open my Active Directory Users and Computers; there is my domain, with all my computers, security groups and all my accounts.

So this is how you can solve issues when you have issues with your domain controllers, when the DC is not able to talk to the other DCs in your domain: what you can do is just go ahead and demote this DC and re-promote it again. Thank you very much for watching; if you like this video you can always share it and subscribe to my channel so I can release new interesting things for you that you can learn from and be a better IT. So thank you very much for viewing, and see you soon.
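Added example (editor's note, not part of the video or of the NLB Solutions channel): a PowerShell version of the three checks the video performs by hand, run from the healthy DC. It lists inbound replication state per partner and partition (what repadmin /showrepl reports), compares the silence against the forest tombstone lifetime, optionally repairs the machine-account secure channel (the PowerShell equivalent of the video's netdom resetpwd step), and scans for the leftovers the video hunts for after a demotion: the server object under Sites, the account in the Domain Controllers OU, and DNS records still pointing at the old DC. The domain name nlblab.com, the DC names NLBDC01 / NLBDC02 and the site layout are assumptions; the script needs the RSAT ActiveDirectory and DnsServer modules.

```powershell
<#
  Added example, not the video's own procedure. Assumed names: domain
  nlblab.com, healthy DC NLBDC02, suspect DC NLBDC01. Run elevated on the
  healthy DC; the -ResetSecureChannel switch only makes sense when the script
  is run ON the suspect DC (with the KDC service stopped, as in the video).
#>
#Requires -Modules ActiveDirectory, DnsServer
param(
    [string]$Domain    = 'nlblab.com',   # assumption
    [string]$HealthyDc = 'NLBDC02',      # assumption: the DC that still works
    [string]$SuspectDc = 'NLBDC01',      # assumption: the DC that stopped replicating
    [switch]$ResetSecureChannel
)

function Get-TombstoneLifetimeDays {
    # Forest-wide tombstoneLifetime; an unset attribute means the old default of 60 days.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-DcReplicationState {
    # Inbound replication per partner and partition, as seen from $Dc.
    param([string]$Dc)
    Get-ADReplicationPartnerMetadata -Target $Dc -Scope Server -PartnerType Inbound |
        ForEach-Object {
            $last  = $_.LastReplicationSuccess
            $stale = if ($last) { [int]((Get-Date) - $last).TotalDays } else { -1 }
            [pscustomobject]@{
                Partner   = ($_.Partner -split ',')[1] -replace '^CN='   # CN=NTDS Settings,CN=<DC>,...
                Partition = $_.Partition
                Failures  = $_.ConsecutiveReplicationFailures
                LastOk    = $last
                StaleDays = $stale
            }
        }
}

function Test-DcSecureChannel {
    # netdom resetpwd equivalent: reset this machine's account password against
    # a healthy DC if the secure channel is broken, then re-test it.
    param([string]$HealthyDc, [pscredential]$Credential)
    if (-not (Test-ComputerSecureChannel -Server $HealthyDc)) {
        Reset-ComputerMachinePassword -Server $HealthyDc -Credential $Credential
    }
    Test-ComputerSecureChannel -Server $HealthyDc
}

function Find-DcLeftovers {
    # Stale metadata a demoted DC can leave behind in Sites, the DC OU and DNS.
    param([string]$Dc, [string]$Domain)
    $root  = Get-ADRootDSE
    $sites = "CN=Sites,$($root.configurationNamingContext)"

    Get-ADObject -SearchBase $sites -LDAPFilter "(&(objectClass=server)(cn=$Dc))" |
        ForEach-Object { [pscustomobject]@{ Kind = 'SiteServerObject'; Where = $_.DistinguishedName } }

    Get-ADComputer -SearchBase "OU=Domain Controllers,$($root.defaultNamingContext)" -LDAPFilter "(cn=$Dc)" |
        ForEach-Object { [pscustomobject]@{ Kind = 'DcComputerAccount'; Where = $_.DistinguishedName } }

    $fqdn = "$Dc.$Domain."   # DNS record data carries a trailing dot
    foreach ($zone in @($Domain, "_msdcs.$Domain")) {
        Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue |
            Where-Object {
                $_.HostName -ieq $Dc -or
                ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -ieq $fqdn) -or
                ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -ieq $fqdn) -or
                ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -ieq $fqdn)
            } |
            ForEach-Object { [pscustomobject]@{ Kind = "DNS $($_.RecordType)"; Where = "$zone/$($_.HostName)" } }
    }
}

# ---- run the checks -----------------------------------------------------------
$tsl   = Get-TombstoneLifetimeDays
$state = Get-DcReplicationState -Dc $HealthyDc
$state | Format-Table -AutoSize

# A partner silent for longer than the tombstone lifetime can reintroduce
# lingering objects; the supported path is the one the video ends up on:
# remove it (forced if needed), clean the metadata, re-promote.
$state | Where-Object { $_.StaleDays -gt $tsl } | ForEach-Object {
    Write-Warning "$($_.Partner) last replicated $($_.Partition) $($_.StaleDays) days ago (tombstone lifetime $tsl days)"
}

if ($ResetSecureChannel) {
    Test-DcSecureChannel -HealthyDc $HealthyDc -Credential (Get-Credential "$Domain\Administrator")
}

Find-DcLeftovers -Dc $SuspectDc -Domain $Domain | Format-Table -AutoSize
```

Run the leftover scan three times: before the demotion (everything should be present), after it (nothing should remain; anything still listed is what ntdsutil's metadata cleanup or ADSI Edit has to remove), and again after the re-promotion, when the server object, the DC account and the SRV records should reappear on their own.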
Info
Channel: NLB Solutions
Views: 207,115
Keywords: Active directory troubleshoot, AD issue, AD troubleshoot and fix, Domain Controller not working, How to fix non working replication, DC replication issue, Demote AD, Demote DC, fix AD replication, Windows 2012 R2 replication issues, Kerberos issues fix, Domain Controller replication fix
Id: sdJdwslWkf4
Length: 32min 9sec (1929 seconds)
Published: Sun Jan 10 2016