E15 CU3–Update Failed–AD replicated Exceeded the tombstone lifetime.

-

 

Exchange 2013 CU3



  1. image



  2. image

  3. The naming context is in the process of being removed or is not replicated

    image



  4. http://technet.microsoft.com/en-us/library/replication-error-8452-the-naming-context-is-in-the-process-of-being-removed-or-is-not-replicated-from-the-specified-server(v=ws.10).aspx 

  5. C:\>REPADMIN /SHOWREPS
    Root\RDC01
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: f1694974-47c4-4555-a214-db3c86854aeb
    DSA invocationID: f1694974-47c4-4555-a214-db3c86854aeb

    ==== INBOUND NEIGHBORS ======================================

    CN=Schema,CN=Configuration,DC=lab7,DC=root
        TW\AD02 via RPC
            DSA object GUID: bfcc1053-e1da-46fd-8b9d-179c79921331
            Last attempt @ 2013-12-19 17:04:52 failed, result 8524 (0x214c):
                The DSA operation is unable to proceed because of a DNS lookup failure.
            2 consecutive failure(s).
            Last success @ 2013-12-18 22:49:19.
        TW\AD01 via RPC
            DSA object GUID: 4e5476da-9c30-439b-867f-70fe502aff1e
            Last attempt @ (never) was successful.

    Source: TW\AD02
    ******* 1 CONSECUTIVE FAILURES since 2013-12-19 17:08:12
    Last error: 8418 (0x20e2):
                The replication operation failed because of a schema mismatch between the servers involved.

    Naming Context: DC=ForestDnsZones,DC=lab7,DC=root
    Source: TW\AD02
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: DC=TW,DC=lab7,DC=root
    Source: TW\AD02
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: CN=Configuration,DC=lab7,DC=root
    Source: TW\AD02
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Source: TW\AD01
    ******* 1 CONSECUTIVE FAILURES since 2013-12-19 17:08:12
    Last error: 8418 (0x20e2):
                The replication operation failed because of a schema mismatch between the servers involved.

    Naming Context: DC=ForestDnsZones,DC=lab7,DC=root
    Source: TW\AD01
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: DC=TW,DC=lab7,DC=root
    Source: TW\AD01
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: CN=Configuration,DC=lab7,DC=root
    Source: TW\AD01
    ******* WARNING: KCC could not add this REPLICA LINK due to error.






  6. C:\>REPADMIN /REPLSUM
    Replication Summary Start Time: 2013-12-19 17:14:07

    Beginning data collection for replication summary, this may take awhile:
      ......


    Source DSA          largest delta    fails/total %%   error
    AD01                      09m:02s    0 /   7    0
    AD02                  18h:24m:48s    3 /   7   42  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.
    RDC01            >60 days            4 /   4  100  (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.


    Destination DSA     largest delta    fails/total %%   error
    AD01             >60 days            6 /  10   60  (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
    AD02                      09m:02s    0 /   6    0
    RDC01               (unknown)        1 /   2   50  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.



  7. C:\>REPADMIN /SYNCALL
    CALLBACK MESSAGE: SyncAll Finished.
    SyncAll terminated with no errors.







    9. Replication error 8614 The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime

    http://technet.microsoft.com/en-us/library/replication-error-8614-the-active-directory-cannot-replicate-with-this-server-because-the-time-since-the-last-replication-with-this-server-has-exceeded-the-tombstone-lifetime(v=ws.10).aspx




  9. Resolution

    10. 1. Check for nondefault values of tombstone lifetime.
    By default, tombstone lifetime uses either 60 or 180 days, depending on the version of Windows that is deployed in your forest. Microsoft Support regularly sees DCs that have failed inbound replication for those periods of time. It is also possible that the tombstone lifetime has been configured to a very short period such as 2 days. If this is the case, DCs that did not inbound-replicate for, say, 5 days will fail the "all DCs must replicate with a rolling TSL number of days" test.

    Use repadmin /showattr to see whether a nondefault value for the TombstoneLifetime attribute has been configured.

    repadmin /showattr . "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<forest root domain>,DC=<top level domain>"

    If the attribute is not present in the showattr output, an internal default value is being used.

    image


    C:\>repadmin /showattr

    Repadmin: running command /showattr against full DC localhost
    Must specify a Naming Context.


    C:\>repadmin /showattr "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=lab7,DC=root"

    Repadmin experienced the following error trying to resolve the DSA_NAME: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=lab7,DC=root
    If you are trying to connect to an AD LDS instance, you must use <server>:<port>
    If you are trying to connect to an AD LDS instance with wildcarding support, you must use the /homes
    erver option.

    Error: An error occurred:
        Win32 Error 8419(0x20e3): The DSA object could not be found.





    11. 2. Check for DCs that failed inbound replication for TSL number of days.

    Run "repadmin /showrepl * /csv" parsed by using Microsoft Office Excel as specified in Verify successful replication to a domain controllCheck for DCs that failed inbound replication for TSL number of days.

    Run "repadmin /showrepl * /csv" parsed by using Microsoft Office Excel as specified in Verify successful replication to a domain controller. Sort the replsum output in Excel on the last replication success column from least current to the most current date and time order.er. Sort the replsum output in Excel on the last replication success column from least current to the most current date and time order.







    13.  



     

Comments

Post a Comment

Popular posts from this blog

202301 - Exchange onpreme - PowerShell Serialization Payload Signing

-
Image
Released: January 2023 Exchange Server Security Updates https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-2023-exchange-server-security-updates/ba-p/3711808 https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/SerializedDataSigningCheck/ 1.  Update KB5022143 (Exchange SU) 2. Run latest HealthCherker 3.  PowerShell Serialization Payload Signing https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/SerializedDataSigningCheck/ Certificate signing of PowerShell serialization payload in Exchange Server https://support.microsoft.com/en-us/topic/certificate-signing-of-powershell-serialization-payload-in-exchange-server-90fbf219-b0dd-4b2c-8a68-9d73b3309eb1 4.  MonitorExchangeAuthCertificate    https://microsoft.github.io/CSS-Exchange/Admin/MonitorExchangeAuthCertificate/ 5.                 New-SettingOverride -Name "EnableSigningVerification" -Component Data -Secti...
Read more

Ticket: RemoteAPP certificate revocation check error

-
Image
  . certutil -f –urlfetch -verify <your_certificate>.cer From internet client (Win7 ultimate x64) Issuer:     CN=TWCA Secure CA -Evaluation Only     OU=SSL Certification Service Provider-Evaluation Only     O=TAIWAN-CA INC.     C=TW Subject:     CN=deep2.msft.com     OU=ITS     O=Msft Corporation     L=Taipei     S=Taiwan     C=TW Cert Serial Number: 04bd dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1) dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2) dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8) dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000) dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000) ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000) HCCE_LOCAL_MACHINE CERT_CHAIN_POLICY_BASE -------- CERT_CHAIN_CONTEXT -------- ChainContext.dwErrorStatu...
Read more