BenBroadfoot-7475 asked:

The destination server is currently rejecting replication requests

I have recently restored 2 working Windows 2008R2 domain controllers (NPD-DC01 & NPD-DC02) into a test lab environment. I am getting the error "8457 The destination server is currently rejecting replication requests." in the Directory Service event log.

I have tried some suggestions already:

repadmin /options NPD-DC01 +DISABLE_OUTBOUND_REPL
repadmin /options NPD-DC01 -DISABLE_OUTBOUND_REPL
repadmin /options NPD-DC01 +DISABLE_INBOUND_REPL
repadmin /options NPD-DC01 -DISABLE_INBOUND_REPL


repadmin /options NPD-DC02 +DISABLE_OUTBOUND_REPL
repadmin /options NPD-DC02 -DISABLE_OUTBOUND_REPL
repadmin /options NPD-DC02 +DISABLE_INBOUND_REPL
repadmin /options NPD-DC02 -DISABLE_INBOUND_REPL

However, I still cannot get them replicating - all network comms between the 2 are fine.


Hello @BenBroadfoot-7475,

Could you share more details about the backup and restore operation? Also if they were Physical to Virtual or P2P-V2V?

In general it is never a good idea to migrate DCs (instead promote new, then demote old) due to the several issues that might occur, and the length of the checklists and prerequisites, which start with correctly taking the backup and then the restore operation. Even just a small mistake, such as not having disconnected the machine from the network before backup, might create a number of issues, including the famous USN rollback.

I would recommend tracking back your steps to spot any missed points in the checklist and process, or, in case you want to start from scratch from the production environment (if they are still available):
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v

As well, the USN rollback description for replication issues:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#usn-and-usn-rollback

Hope this helps to track down the issue,
Best regards,
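
A USN rollback that AD DS has detected leaves local traces on the affected DC, and those traces show whether the replication flags from the question were set by the system rather than by an administrator. The check below is an added example, not part of the original thread; `Get-UsnRollbackIndicator` is a hypothetical helper name, and event ID 2095 and the `Dsa Not Writable` registry value are the indicators Microsoft documents for a detected rollback.

```powershell
# Added example. Run locally on the DC in an elevated PowerShell session.
# Get-UsnRollbackIndicator is a hypothetical helper name.
function Get-UsnRollbackIndicator {
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # AD DS writes "Dsa Not Writable" when it quarantines itself after
    # detecting a rollback; the value is absent on a healthy DC.
    $dsaNotWritable = $null
    $reg = Get-ItemProperty -Path $ntdsKey -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue
    if ($reg) { $dsaNotWritable = $reg.'Dsa Not Writable' }

    # Event 2095 in the Directory Service log records the detection.
    $filter = @{ LogName = 'Directory Service'; Id = 2095 }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Replication flags for this DC, the same ones toggled by hand in the question.
    $optLine = repadmin /options $env:COMPUTERNAME |
        Where-Object { $_ -match 'Current DSA Options' }

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        DsaNotWritable    = $dsaNotWritable
        Event2095Count    = $events.Count
        InboundDisabled   = [bool]($optLine -match 'DISABLE_INBOUND_REPL')
        OutboundDisabled  = [bool]($optLine -match 'DISABLE_OUTBOUND_REPL')
        NetlogonStatus    = (Get-Service -Name Netlogon).Status  # Paused on a quarantined DC
        RollbackSuspected = ($dsaNotWritable -ne $null) -or ($events.Count -gt 0)
    } | Select-Object Computer, DsaNotWritable, Event2095Count, InboundDisabled,
                      OutboundDisabled, NetlogonStatus, RollbackSuspected
}

Get-UsnRollbackIndicator
```

When `RollbackSuspected` is true, the disabled-replication flags were set by AD DS itself, so clearing them with `repadmin /options` does not address the cause.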

DSPatrick answered:

The current DC is not in the domain controller's OU NPD-DC01


Out-of-date attribute pwdLastSet on NPD-DC02 (writeable)
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/use-netdom-reset-domain-controller-password

How long has this been going on?
https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/replication-error-8456-8457


w32time Service is stopped on [NPD-DC01] start it


Looks like NPD-DC02 tombstoned long ago. The only solution here is to remove it. Perform cleanup on NPD-DC01 to remove remnants
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564


then stand up a new one for replacement.


I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2008, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health.


--please don't forget to upvote and Accept as answer if the reply is helpful--
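
Whether a replication partner has been out of contact for longer than the tombstone lifetime can be read from the last-success timestamps that `repadmin /showrepl * /csv` reports. The following is an added example, not code from the answer; `Get-StaleReplLink` is a hypothetical helper name, the sample rows are constructed (not the poster's data), and the 180-day default is an assumption to be replaced with the forest's own value.

```powershell
# Added example; Get-StaleReplLink is a hypothetical helper name.
# Constructed sample in the column layout of: repadmin /showrepl * /csv
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,NPD-DC01,"DC=lab,DC=example",Default-First-Site-Name,NPD-DC02,RPC,412,2021-03-01 09:12:44,2019-11-02 03:15:10,8457
showrepl_INFO,Default-First-Site-Name,NPD-DC02,"DC=lab,DC=example",Default-First-Site-Name,NPD-DC01,RPC,0,0,2021-03-01 09:00:03,0
'@

function Get-StaleReplLink {
    param(
        [string[]]$CsvLine,
        # Assumed value. The forest's setting is the tombstoneLifetime attribute of
        # CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition.
        [int]$TombstoneLifetimeDays = 180,
        [datetime]$Now = (Get-Date)
    )
    $fmt     = 'yyyy-MM-dd HH:mm:ss'
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $style   = [Globalization.DateTimeStyles]::None
    foreach ($row in ($CsvLine | Where-Object { $_ } | ConvertFrom-Csv)) {
        $last    = [datetime]::MinValue
        $parsed  = [datetime]::TryParseExact($row.'Last Success Time', $fmt, $culture, $style, [ref]$last)
        $ageDays = $null
        if ($parsed) { $ageDays = [int][math]::Floor(($Now - $last).TotalDays) }

        if (-not $parsed)                             { $verdict = 'no recorded success' }
        elseif ($ageDays -gt $TombstoneLifetimeDays)  { $verdict = 'past tombstone lifetime: remove and rebuild' }
        elseif ([int]$row.'Number of Failures' -gt 0) { $verdict = 'failing, still within tombstone lifetime' }
        else                                          { $verdict = 'healthy' }

        New-Object PSObject -Property @{
            Destination = $row.'Destination DSA'
            Source      = $row.'Source DSA'
            LastStatus  = $row.'Last Failure Status'
            AgeDays     = $ageDays
            Verdict     = $verdict
        } | Select-Object Destination, Source, LastStatus, AgeDays, Verdict
    }
}

# Offline run against the sample, with a fixed clock so the result is repeatable.
Get-StaleReplLink -CsvLine ($sampleCsv -split "`r?`n") -Now ([datetime]'2021-03-02')
# On a DC: Get-StaleReplLink -CsvLine (repadmin /showrepl * /csv)
```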

Just checking if there's any progress or updates?

Hi DSPatrick, I will be demoting/metadata cleanup then standing up a new DC02 in the next few days so I will update you once I have finished.

Thanks for the feedback and following through! Much appreciated :)

DSPatrick replied to BenBroadfoot-7475:

Sounds good, you're welcome.


DSPatrick answered:

You should never restore multiple domain controllers from backup.

Please run;

Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\dc3.txt

then put unzipped text files up on OneDrive and share a link.


Thanks DSPatrick - yes not ideal but I have inherited a bit of a mess I am trying to get working.

Link to log files - https://1drv.ms/u/s!AnHSduvSfXm_g1tKBVJgFkLrUOWj?e=cNnCEZ

Thanks for your help!

Ben
