One way AD replication problem (Continued)

Jorge, I reposted this to get your attention since you didn't notice
my last updates.

I think I'm out of the woods. Here is what I did. I decided I
would try the easy ones first. The first thing I did was to backup
both domain controllers. Then I:

1. Ran an offline defragmentation. Didn't help.
2. Then I ran a semantic check of the data base. It showed some errors
in the log but not the error I expected to see.
3. Ran a semantic check of the data base with "fix". Didn't see any
messages of correcting any errors or failures to correct any errors
Output was identical to the output of #2.
4. Ran another off line defragmentation.
5. Ran another check of the database without fix and the same errors
were still there. Don't understand this. Is that an indication that
the errors were not serious?
6. Brought both DC's back up, cleared the Global Catalog check box on
the primary DC and rebooted. Primary DC said "No longer a global
catalog".
7. Used ldap to look at the GC through port 3269. Showed the bad
record was still there on the primary DC. Obvious that I don't
understand the active directory structure. I thought that I would be
unable to get to that port on the primarydc.
8. Set the primarydc to be a global catalog server again. Waited until
replication was complete and the event log said "Now a catalog
server".
9. I went to the Users computer that had the bad printer entry. I
removed it from the domain and made it a member of a workgroup and
rebooted it.
10. I went back into Users and computers on the domain controllers and
that computer name was now shown with a red X through it.
11. Using active directory Users and computers I deleted the computer
with the bad record from the domain.
12. Using ldp I checked the deleted items on both domain controllers
and the computer record was now in the deleted items branch on both
computers.
13. I went back to the users computer and attempted to rejoin it to
the domain. I got an error message that said the action could not be
completed because there was a duplicate name in the sam data base. I
tried it again and it worked. Going back to the domain controller I
looked in the event log and saw that duplicate entries had been
deleted from the sam data base followed by the successful join of the
computer to the domain.
14. Checking both DC's I saw that the entries in the active directory
for the computer were identical after replication completed.
15. I went back to the User computer that was the source of all the
problems in the first place and checked "List in directory" for the
laserjet printer.
16. The entry was successfully updated and replicated to both DC's
without any error messages.
17. After that I made sure that replication worked both directions,
online reorganization of the active directory data base worked, and I
could search the global catalog from machines logged on to both the
DC's.
18. I then took a full backup of both DC's.
19. They both seem to be running fine, although I don't know what will
happen in 90 days when the deleted objects tombstone out and the
system tries to delete them.

Now, just a couple of questions. I thought that ldap port 389 accessed
the active directory. I thought that port 3268 accessed the GC, and
that port 3269 accessed the GCSSL because that is what is displayed in
ldp when I open those ports. What is the real story? What is the GCSSL
anyhow? I thought port 3269 was used for secure access to the global
catalog, but I thought the same data being accessed as when I went
through port 3268. However, I got the bad record when using port 3269
and it was missing if I used port 3268 so that must not be true. Why
didn't recreating the global catalog fix my problem? Do you think I
have fixed the problem now?

Any words of wisdom appreciated.


On Sun, 11 Dec 2005 23:24:12 +0100, "Jorge de Almeida Pinto"
<SubstituteThisWithMyFullNameSeperatedByDots@xxxxxxxxx> wrote:

>Make sure you have a full backup of the server.
>
>Well as the repadmin tool will not work, you "un-GC" the DC, wait until it
>says it is no GC anymore, and make it a GC again
.

Relevant Pages

  • Re: One way AD replication problem
    ... both domain controllers. ... Used ldap to look at the GC through port 3269. ... Set the primarydc to be a global catalog server again. ... Using active directory Users and computers I deleted the computer ...
    (microsoft.public.windows.server.active_directory)
  • Re: One way AD replication problem (Continued)
    ... > both domain controllers. ... Used ldap to look at the GC through port 3269. ... Set the primarydc to be a global catalog server again. ... Using active directory Users and computers I deleted the computer ...
    (microsoft.public.windows.server.active_directory)
  • Re: global catalog vs directoy store
    ... In WIN2000 and WIN2003 Active Directory all Domain ... create a user account object on DC01 today and a user account object on DC02 ... create that user account object all of the Domain Controllers would have ... what is this Global Catalog Server? ...
    (microsoft.public.win2000.active_directory)
  • Re: How many Global Catalog Servers are needed?
    ... Directory Domain Controllers, and the third server is a member server used ... Both Domain Controllers are both Active Directory ... "A Global Catalog cannot be located to retrieve the icons for the ...
    (microsoft.public.windows.server.setup)
  • Re: Backup DC?
    ... Make both Domain Controllers also Global Catalog Servers (done in the ... Active Directory Sites and Services MMC) as well. ... > Is it a MUST to have my second server be a DNS? ...
    (microsoft.public.win2000.active_directory)
Loading