Tuesday, April 10, 2012

Domain Controller doesn't replicate DNS and has other replication issues

We recently demoted a global catalog domain controller and then re-promoted because of issues we were having post-demotion. When a DC is demoted it changes it's computer account to have less rights then it would if it were a DC. Somewhere along the line the promotion didn't change it's account back and after the computer account password expired we started having replications issues. This didn't really affect us too much until 14 days after the password expired and the DC couldn't replicate back to the domain. All of our DNS zones couldn't replicate to it and subsequently became "stale" and were scavenged and removed. This caused issues for everyone at that site as they couldn't access various resources that we utilize DNS for.

The symptoms were:
All DNS zones were gone except for the primary zone.
"error no trust sam account" occurred while running "nltest /dsregdns"
This error was in the DNS event log:
"The DNS server detected that it is not enlisted in the replication scope of the directory partition ForestDnsZones.ccs.corp. This prevents the zones that should be replicated to all DNS servers in the ccs.corp forest from replicating to this DNS server.

To create or repair the forest-wide DNS directory partition, open the the DNS console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. "
And this error:
The attempt to establish a replication link for the following writable directory partition failed.
dcdiag reported the last replication was 2 weeks ago
repadmin /showreps reported it failed.

The solution was from here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329860

WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
On a domain controller that is in the "healthy" part of the domain (not the domain controller with which you experience the issue), install the Windows 2000 Support Tools if they have not already been installed. For additional information about how to install the Windows 2000 Support Tools, click the article number below to view the article in the Microsoft Knowledge Base:
301423 How to Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer
Start the ADSI Edit snap-in. To do so, click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
Expand Domain NC [server.example.com] (where server is the name of the domain controller and example.com is the name of the domain.
Expand DC=example,DC=com.
Expand OU=Domain Controllers, right-click CN=ServerName (where ServerName is the domain controller with which you experience the issues that are described in the "Symptoms" section of this article), and then click Properties.
Click the Attributes tab (if it is not already selected).
In the Select which properties to view list, click Both, and then click userAccountControl in the Select a property to view list.
If the Value(s) box does not contain 532480, type 532480 in the Edit Attribute box, and then click Set.
Click Apply, click OK, and then quit the ADSI Edit snap-in