J Wolfgang Goerlich's thoughts on Information Security
Replication and Transferring Operations Master Roles

By wolfgang. 17 April 2009 09:52

Replication must be up to date before transferring operations master (FSMO) roles. If replication has not converged, several symptoms may occur. The role may take significantly longer to transfer, or it may not transfer at all. Likewise, the new operations master may not receive changes that were last written on the original operations master, and the two domain controllers can end up with different views of who holds the role. This could result in an inconsistent Active Directory. Thus all replication must complete before beginning the process.

Check the replication status first. If necessary, follow the article below to resolve any replication issues.

Active Directory Operations Overview: Troubleshooting Active Directory Replication Problems
http://technet.microsoft.com/en-us/library/bb727057.aspx

Once replication has synchronized end-to-end, and Active Directory has converged, the roles can be transferred. Follow the article below to transfer the role in question.

How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801

The risk of Active Directory becoming inconsistent is higher if the role is seized rather than transferred, because a seizure does not wait for the old holder's last changes to replicate. For that reason, Microsoft recommends you let a full replication cycle elapse between any changes before attempting a seizure, and seize only when the original holder is permanently offline. Once the schema master, domain naming master or RID master has been seized, the former holder must not be brought back onto the network; rebuild it instead, since two DCs would otherwise claim the same role.
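The procedure above as a script: check every replication link in the forest, force a sync, refuse to continue if anything has failed, then transfer (not seize) the role and verify the new holder. This is an added example, not code from the original post. It assumes repadmin.exe, ntdsutil.exe and netdom.exe (Windows Server 2003 Support Tools; built in on 2008 and later) are on the PATH, that the session runs as a Domain Admin (Enterprise or Schema Admin for the forest-wide roles), and PowerShell 2.0 or later; "DC2" and the role name are placeholders.

```powershell
# Added example (not from the original post): gate a FSMO transfer on
# replication health, then transfer the role and verify the new holder.
# Assumptions: repadmin, ntdsutil and netdom on the PATH; Domain Admin
# (Enterprise/Schema Admin for forest roles); PowerShell 2.0+.
param(
    [string]$TargetDc = 'DC2',      # placeholder: DC that should receive the role
    [string]$Role     = 'PDC'       # ntdsutil role names: "PDC", "RID master",
                                    # "infrastructure master", "schema master",
                                    # "domain naming master"
)

function Get-FailedLinks {
    # Every inbound replication link of every DC in the forest, as CSV.
    # The column names are the ones repadmin writes with /csv.
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv
    if (-not $links) { throw 'repadmin returned nothing; are the Support Tools installed?' }
    $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
}

# 1. Refuse to start while any link is failing.
$failing = Get-FailedLinks
if ($failing) {
    $failing | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Status', 'Last Success Time' -AutoSize | Out-Host
    throw "Replication has not converged; fix the links above before transferring the $Role role."
}

# 2. Push the latest changes everywhere (/A all partitions, /e across sites,
#    /P push, /d show names as DNs), then re-check so the transfer starts from
#    a converged directory.
repadmin /syncall /AdeP | Out-Null
if (Get-FailedLinks) { throw 'The forced sync surfaced failures; investigate before transferring.' }

# 3. Transfer the role. "connect to server" names the DC that becomes the new
#    holder; each string is one ntdsutil menu command and "quit" walks back up.
#    ntdsutil still pops a Yes/No confirmation dialog for a transfer.
Write-Host "Transferring $Role to $TargetDc ..."
& ntdsutil 'roles' 'connections' "connect to server $TargetDc" 'quit' "transfer $Role" 'quit' 'quit'

# 4. Verify, then push the change out so every DC agrees on the new holder.
netdom query fsmo
repadmin /syncall /AdeP | Out-Null
```

A seizure uses the same ntdsutil menu with `seize` in place of `transfer`; keep that out of any script that runs unattended, since it is the step that must only happen once the old holder is known to be gone for good.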

Tags:

Active Directory

Domain controller holds the last replica

By wolfgang. 3 April 2009 14:42

Error when demoting an Active Directory domain controller with dcpromo: This domain controller holds the last replica of the following application directory partitions: DC=MSTAPI,DC=yourdomain,DC=com

Active Directory has the following partitions (naming contexts): the Schema partition and Configuration partition (one of each per forest), the Domain partition (one per domain), and zero or more Application partitions. An Application partition is used to store data from Active Directory-integrated software; DomainDnsZones and ForestDnsZones for DNS and, as in this error, MSTAPI for TAPI are the usual examples. Unlike the domain partition, an application partition replicates only to the DCs that have been enrolled in its replica set. This error indicates that this DC is the only member of that replica set, so demoting it would destroy the partition's data. There are two possibilities: this is the last DC that should hold the data, or it is not.

If this is the last DC in the domain, and the application data is no longer needed, then it is safe to delete the replica: confirm the deletion in dcpromo, or remove the partition beforehand with ntdsutil (domain management, delete nc) or, for the TAPI partition, tapicfg remove.

If this is not the last DC and you require the Application partition, you must remove the DC from the Application partition's replica set rather than delete the data. The replica set is the msDS-NC-Replica-Locations attribute of the partition's crossRef object under CN=Partitions in the Configuration partition; it lists the NTDS Settings object of every DC that holds a replica. First make sure another DC is in that list (ntdsutil: domain management, add nc replica), wait for it to replicate, and only then remove this DC's entry. Use ADSIEdit and consult Microsoft's help to perform this operation.
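The same check and change done from a script instead of by hand in ADSIEdit, as an added example that is not part of the original post: it looks up the partition's crossRef, prints the replica set, refuses to touch a last replica, and otherwise removes this DC's NTDS Settings DN from msDS-NC-Replica-Locations. It assumes a domain-joined machine, an Enterprise Admin session and PowerShell 2.0 or later; the partition DN is the one from the error above and the DC name defaults to the local computer. Nothing is written unless `-Commit` is given.

```powershell
# Added example (not from the original post): inspect and, with -Commit,
# shrink the replica set of an application directory partition.
# Assumptions: domain-joined host, Enterprise Admin, PowerShell 2.0+.
param(
    [string]$PartitionDn = 'DC=MSTAPI,DC=yourdomain,DC=com',   # DN from the dcpromo error
    [string]$DcName      = $env:COMPUTERNAME,                   # DC being demoted
    [switch]$Commit                                             # dry run without it
)

# The partition's crossRef lives under CN=Partitions in the Configuration NC.
# Its msDS-NC-Replica-Locations attribute is the replica set: one NTDS
# Settings DN per DC that hosts a copy of the partition.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNc"
$searcher.Filter     = "(&(objectClass=crossRef)(nCName=$PartitionDn))"
[void]$searcher.PropertiesToLoad.Add('msDS-NC-Replica-Locations')
$result = $searcher.FindOne()
if (-not $result) { throw "No crossRef found for $PartitionDn; check the DN from the dcpromo error." }

# SearchResult property names are lower-cased.
$replicas = @($result.Properties['msds-nc-replica-locations'] | ForEach-Object { [string]$_ })
Write-Host "Replica set of ${PartitionDn}:"
$replicas | ForEach-Object { Write-Host "  $_" }

# This DC's entry looks like CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,...
$mine = $replicas | Where-Object { $_ -like "CN=NTDS Settings,CN=$DcName,CN=Servers,*" }
if (-not $mine) {
    Write-Host "$DcName is not in the replica set; nothing to do."
    return
}
if ($replicas.Count -eq 1) {
    # Last replica: removing this entry would delete the partition's data everywhere.
    Write-Warning "$DcName holds the LAST replica of $PartitionDn; refusing to remove it."
    Write-Warning "Enroll another DC first (ntdsutil: domain management, add nc replica), or, if the data is no longer needed, delete the partition instead."
    return
}

if ($Commit) {
    $crossRef = $result.GetDirectoryEntry()
    $crossRef.PutEx(4, 'msDS-NC-Replica-Locations', @($mine))   # 4 = ADS_PROPERTY_DELETE
    $crossRef.SetInfo()
    Write-Host "Removed $DcName from the replica set; once the KCC drops the local copy, dcpromo can proceed."
} else {
    Write-Host "Dry run: would remove '$mine' from msDS-NC-Replica-Locations. Re-run with -Commit."
}
```

Run it once without `-Commit` and read the printed replica set before committing: the only thing standing between a demotion and the loss of an application's directory data is the length of that list.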

Tags:

Troubleshooting | Active Directory

Troubleshooting Active Directory replication

By wolfgang. 3 April 2009 13:11

Some tips on troubleshooting Active Directory replication:

You may notice that objects in the directory are not the same across all domain controllers, or that people and computers are not receiving their group policy settings, or that the SYSVOL share is not synchronized across the domain. These are symptoms of replication failures.

To troubleshoot replication failures, begin with the basics. Are all the replication links up? Are all the domain controllers synchronized to the same date and time? Replication between DCs authenticates with Kerberos, which by default rejects clocks more than five minutes apart. Then, run Dcdiag.exe to get the status of the domain controllers. Run Netdiag.exe to get a report on the network connectivity. Address any issues that these utilities find. Then run Repadmin.exe (/showconn, /showrepl, /queue, /replsummary) and validate the connections, site links, and queues. Once everything is validated, run Repadmin.exe /syncall to force a synchronization of AD objects. Group policy settings and the SYSVOL share are carried by the File Replication Service rather than by directory replication, so a healthy AD replication does not by itself repair them; use Ntfrsutl.exe to troubleshoot and re-replicate the files.
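The triage order above as a script, added here and not part of the original post: it does the two "basics" (reachability and clock skew) against every DC in the forest by reading each DC's rootDSE clock, then runs the Support Tools in the sequence the post gives, stopping at the first stage that reports problems. It assumes dcdiag.exe, netdiag.exe, repadmin.exe and ntfrsutl.exe on the PATH (Windows Server 2003 Support Tools; netdiag does not exist on 2008 and later), a Domain Admin session, and PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): replication triage in the
# order links -> clocks -> dcdiag/netdiag -> repadmin -> forced sync -> FRS.
# Assumptions: Support Tools on the PATH, Domain Admin, PowerShell 2.0+.
param([int]$MaxSkewSeconds = 300)   # Kerberos' default tolerance is 5 minutes

# 1. Every DC in the forest: is it reachable, and what does its clock say?
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$dcNames = $forest.Domains | ForEach-Object { $_.DomainControllers } | ForEach-Object { $_.Name }
$ping    = New-Object System.Net.NetworkInformation.Ping
$problems = 0
foreach ($name in $dcNames) {
    try   { $reply = $ping.Send($name, 2000) }
    catch { $reply = $null }
    if (-not $reply -or $reply.Status -ne 'Success') {
        Write-Warning "$name is unreachable; fix the link before anything else."
        $problems++
        continue
    }
    # rootDSE currentTime is generalized time in UTC, e.g. 20090403131100.0Z
    $raw   = [string]([ADSI]"LDAP://$name/RootDSE").currentTime
    $dcUtc = [datetime]::ParseExact($raw, "yyyyMMddHHmmss'.0Z'",
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]'AssumeUniversal,AdjustToUniversal')
    $skew = [math]::Abs(($dcUtc - (Get-Date).ToUniversalTime()).TotalSeconds)
    if ($skew -gt $MaxSkewSeconds) {
        Write-Warning ('{0} clock is off by {1:N0} s; Kerberos, and so replication, will fail' -f $name, $skew)
        $problems++
    }
}
if ($problems) { throw "$problems DC(s) failed the basic checks; fix those first." }

# 2. State of the DCs and of the network. dcdiag /q prints only failures,
#    so any output at all means something to fix.
$dcOut = dcdiag /test:connectivity /test:replications /q
if ($dcOut) { $dcOut; throw 'dcdiag reported failures; address them before going further.' }
netdiag /q

# 3. Connection objects, the pending queue, and a per-partner failure summary.
repadmin /showconn
repadmin /queue
repadmin /replsummary

# 4. Force replication: all partitions, across sites, push as well as pull.
repadmin /syncall /AdeP

# 5. FRS carries SYSVOL and group policy: which replica sets this DC is in,
#    and what is sitting in its inbound log.
ntfrsutl sets
ntfrsutl inlog
# To kick SYSVOL from a specific partner (placeholders for the DC names):
#   ntfrsutl forcerepl DC1 /r "Domain System Volume (SYSVOL share)" /p DC2.yourdomain.com
```

The clock check is the one worth keeping even on a healthy forest: a DC that drifts past the Kerberos window stops replicating with every partner at once, and the repadmin errors that follow point at authentication rather than at the real cause.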

Tags:

Troubleshooting | Active Directory
