Solved DCs out of sync

thwr

Well, looks like that my little problem yesterday (full harddrive on DC-2) caused more trouble than expected: My two DCs are out of sync now, and the second one even refuses to start AD services. Replication log / status lists quite a few lingering objects, Kerberos ticket issues and so on. The faulty DC is powered off right now to prevent user issues and further damage.

No substantial changes have been made during the last couple of weeks. Just a few new users and password changes plus maybe 2 or 3 new machine accounts. Some clients and servers now refuse to authenticate users during login due to the well known "trust could not be established between..." error.

I'm just trying to figure out how to fix this in an "elegant" way. Problem: I'll be out of office for the next two days because I will attend to a project meeting some hundred kilometers to the south. My train will depart in 3 hours. Murphy.

Possible approaches:

• My plan is to leave the faulty DC powered off and deploy a new DC and (hard) remove the faulty one when the new DC is in sync with the working DC.
• Or should I better try to reanimate the dead one?

Any thoughts about this?

I'm aware that I might loose some AD objects, but that's ok. Like I said, it's just about a few accounts etc.

PS: The working one is confirmed to be the one with the most current replication state. No wonder.

scottalanmiller

Anytime something happens to a DC to get out of sync, just rebuild fresh.

thwr

@scottalanmiller said in DCs out of sync:

Anytime something happens to a DC to get out of sync, just rebuild fresh.

So you would just deploy a new DC?

scottalanmiller

Yes, new DC would be my choice. No worries of lingering problems.

thwr

@scottalanmiller said in DCs out of sync:

Yes, new DC would be my choice. No worries of lingering problems.

That's what I'm always praying. But better safe than sorry, that's why I asked. Thanks Scott.

scottalanmiller

Good luck, and enjoy your trip!

thwr

@scottalanmiller said in DCs out of sync:

Good luck, and enjoy your trip!

Thanks. dcpromo looks good so far. Waiting for the reboot.

Still one hour left until I need to leave to catch the train

thwr

@thwr said in DCs out of sync:

@scottalanmiller said in DCs out of sync:

Good luck, and enjoy your trip!

Thanks. dcpromo looks good so far. Waiting for the reboot.

Still one hour left until I need to leave to catch the train

And... done

repadmin /showrepl does not show any errors. Same for dcdiag, which only complains about minor things as far as I can tell right now.

scottalanmiller

Cool

StrongBad

I think that I'm too late, but I concur that rebuilding is better than trying to find a way to recover the out of sync node - just not worth it.

thwr

@StrongBad said in DCs out of sync:

I think that I'm too late, but I concur that rebuilding is better than trying to find a way to recover the out of sync node - just not worth it.

That's the point. As long as you still have a working DC, issues are better solved by depolying a new machine.

Dashrender

@thwr said in DCs out of sync:

No substantial changes have been made during the last couple of weeks. Just a few new users and password changes plus maybe 2 or 3 new machine accounts. Some clients and servers now refuse to authenticate users during login due to the well known "trust could not be established between..." error.

Where you still getting those errors after you powered down the broken DC? I'm guessing not since you moved forward with the install of another DC.

thwr

@Dashrender said in DCs out of sync:

@thwr said in DCs out of sync:

No substantial changes have been made during the last couple of weeks. Just a few new users and password changes plus maybe 2 or 3 new machine accounts. Some clients and servers now refuse to authenticate users during login due to the well known "trust could not be established between..." error.

Where you still getting those errors after you powered down the broken DC? I'm guessing not since you moved forward with the install of another DC.

Nope. Only "missing that other DC" errors now, which is fine. I've got some crappy internet connection (free WiFi in the train, next to no 3G/4G signal) here and can't check the current state. but it was fine half an our ago.

Dashrender

@thwr said in DCs out of sync:

@Dashrender said in DCs out of sync:

@thwr said in DCs out of sync:

No substantial changes have been made during the last couple of weeks. Just a few new users and password changes plus maybe 2 or 3 new machine accounts. Some clients and servers now refuse to authenticate users during login due to the well known "trust could not be established between..." error.

Where you still getting those errors after you powered down the broken DC? I'm guessing not since you moved forward with the install of another DC.

Nope. Only "missing that other DC" errors now, which is fine. I've got some crappy internet connection (free WiFi in the train, next to no 3G/4G signal) here and can't check the current state. but it was fine half an our ago.

OK, reading your OP, it seemed that you were getting those errors after turning off the broken DC, but since you're not - seems like you found a good solution.