FSMO-owner not replicating

Question

I have an Active Directory with 6 DCs, where the newly added DC02 is not replicating. It's a mixed environment from Windows 2003 It is also the owner of PDC, RID and Infrastructure roles. Now I'm wondering what the best way to move forward is.

The new DC is replacing a demoted DC with a different name, and initially everything looked okay with the new one after it was added. I let it sit for about a week after promoting it, to let it finish all replication before moving the FSMO-roles over. It didn't give me any fuss about transferring the roles over, so I assumed it was all working as intended. After a while we started noticing that new DNS-records added to DC02 wasn't replicated to the other DCs.

From what I can tell, the situation now is as follows:

DC02 does not have SYSVOL and NETLOGON shared
The other DCs are still seemingly replicating amongst eachother, but none have a connection to DC02. DC02receives updates from the other DCs
Other DCs report an ERROR for the role holder of PDC, RID, and Infrastructure

From my reseach, I'm thinking I have two options, and wondering which would be the best to use:

A D2/D4 Burflags authoritative restore, setting D4 on a working DC and D2 on the DC02 (and all the other DCs?). I've not done this before, and feel tentative as I'm not really sure what it will do.
Taking the faulty DC02 offline permanently and Seize the FSMO-roles back to the original DC. Not really sure what this would do either.

I'd appreciate any tips on how to move forward, and which precautions might be necessary.

Update 1:

The old FSMO-owner DC01 gives this when running a dcdiag Is it safe to assume these errors are caused by the faulty DC, and should still be okay to tranfer back the roles to this server?

dcdiag /q:

Dcdiag could not locate (null) in the dcdiag's cache of servers. Try running this dcdiag test against this server, to avoid any problems caused by replication latency. ......................... DC01 failed test RidManager An Warning Event occured. EventID: 0x8000072D Time Generated: 09/14/2016 14:11:57 (Event String could not be retrieved) ......................... DC01 failed test kccevent An Error Event occured. EventID: 0x40000004 Time Generated: 09/14/2016 13:32:33 Event String: The kerberos client received a An Error Event occured. EventID: 0xC000001B Time Generated: 09/14/2016 14:01:07 Event String: While processing a TGS request for the target An Error Event occured. EventID: 0x40000004 Time Generated: 09/14/2016 14:01:15 Event String: The kerberos client received a ......................... DC01 failed test systemlog Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355 A Primary Domain Controller could not be located. The server holding the PDC role is down. ......................... domain.com failed test FsmoCheck

Netdom query fsmo:

Schema owner DC01.domain.com Domain role owner DC01.domain.com The parameter is incorrect. Try "NETDOM HELP" for more information

1. Try to transfer the FSMO roles instead of seizing them. 2. If that's successful then demote the new DC and promote it again. 3. If the first two steps aren't successful then shutdown the new DC, seize the FSMO roles and rebuild the new DC from scratch. — joeqwerty, Sep 14 '16 at 11:57
@joeqwerty Thanks for your reply! Would you mind terribly to look at the updated post with the dcdiag output? Option 1 to try and transfer failed and said it couldn't contact currect role holder. Before I go with option 3 I'd like to know all is well with that DC. — jcrossbeam, Sep 14 '16 at 13:26
If you're seeing ERROR for FSMO role holders in AD Users and Computers, that can be cause by inability to communicate with the FSMO role holders . Try `netdom query fsmo`. — Greg Askew, Sep 14 '16 at 13:29
@GregAskew Yes, that's what I've concluded as well. Updated with output. — jcrossbeam, Sep 14 '16 at 13:53
Check your DNS configuration on the NICs on all DC's. 127.0.0.1 should be listed last, and at least 2 other DC's should be listed before 127.0.0.1. Also, make sure you don't make islands where, for example, 1 and 2 and 3 are configured to each other, and 4 and 5 and 6 are configured to each other. — longneck, Sep 14 '16 at 15:57

score 2 · Accepted Answer · answered Sep 15 '16 at 13:48

2

Try to transfer the FSMO roles instead of seizing them.
If that's successful then demote the new DC and promote it again.
If the first two steps aren't successful then shutdown the new DC, seize the FSMO roles and rebuild the new DC from scratch.

answered Sep 15 '16 at 13:48

joeqwerty

108,377
6
80
171

score 0 · Answer 2 · answered Sep 15 '16 at 13:39

0

This should have been attributed to @joeqwerty, but I'm not sure on how to do that.

The solution to this was to take the faulty DC offline, and seize the roles back to the original holder.

There are numerous guides available on how to do that.

answered Sep 15 '16 at 13:39

jcrossbeam

260
2
13

Mark @joeqwerty's answer as accepted http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work – Clayton Sep 15 '16 at 14:01
Yes, his answer wasn't there at the time I posted my answer, it was only a comment. It is marked now. – jcrossbeam Sep 15 '16 at 14:30

FSMO-owner not replicating

2 Answers2