This was a pretty tough one to crack. A client had a situation overnight where their NTP (time server) had an issue and set all the clocks in the domain forward by 8 months. During this period all the domain controllers replicated. When the client resolved the time server issue, all the server clocks across the network went back to the correct time. The result? All the domain controllers thought that they had not replicated in 6 months and they all tombstoned each other. This guide applies to Server 2000, Server 2003, Server 2008 and Server 2012.
The error messages that were logged were as follows.
- Event ID 1126: Active Directory was unable to establish a connection with the global catalog. Additional Data: 8430 The directory service encountered an internal failure.
- Event ID 1655: Active Directory attempted to communicate with the following global catalog and the attempts were unsuccessful. Global catalog:
- Event ID 1925: The attempt to establish a replication link for the following writable directory partition failed. Directory partition:
Source domain controller:
8614 The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
- Event ID 4: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server my-dc$. The target name used was LDAP/10fc5b93-e8be-4495-8333-bba75064a4fb._msdcs.myPC.CO.UK
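Before changing anything on the domain controllers it is worth confirming that every DC really shows the same picture (the events above, the 8614 tombstone error, and a clock that now agrees with the others). The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed, that the account can read remote event logs and use PowerShell remoting, and it reads the forest's actual tombstone lifetime rather than assuming the 6 months mentioned above.

```powershell
# Added example (not from the original post): survey every DC for the symptoms
# described in the event list before touching any replication setting.
# Assumptions: RSAT ActiveDirectory module, remote event log access, PS remoting.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

# Tombstone lifetime as configured in this forest. The attribute lives on the
# Directory Service object in the configuration partition; when it is unset the
# legacy default of 60 days applies.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime for this forest: $tsl days"

$since = (Get-Date).AddDays(-1)   # look back one day; widen if the outage was longer

foreach ($dc in $dcs) {
    # Events 1126, 1655 and 1925 are written to the Directory Service log.
    $adEvents = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1126, 1655, 1925
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # The 8614 text inside a 1925 event is the tombstone-lifetime failure quoted above.
    $tombstoneHits = @($adEvents | Where-Object { $_.Id -eq 1925 -and $_.Message -match '8614' })

    # Kerberos event 4 (KRB_AP_ERR_MODIFIED) is written to the System log by the
    # Security-Kerberos provider; it shows up when clocks or secrets disagree.
    $krbEvents = @(Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 4
        StartTime    = $since
    } -ErrorAction SilentlyContinue)

    # Clock offset of the DC relative to the machine running this script.
    # A few seconds of remoting latency is expected; hours or days is the problem.
    $remoteNow = Invoke-Command -ComputerName $dc -ScriptBlock { Get-Date }
    $skewSec   = [math]::Round(($remoteNow - (Get-Date)).TotalSeconds, 1)

    [pscustomobject]@{
        DC             = $dc
        ADEvents       = @($adEvents).Count
        Tombstone8614  = $tombstoneHits.Count
        KerberosErr4   = $krbEvents.Count
        ClockSkewSec   = $skewSec
    }
}
```

A DC that reports 8614 hits but a skew of a few seconds matches the scenario in this post: the clocks are back in step, only the replication metadata still reflects the jump. Large skew on one DC means the time problem is not yet fixed and replication should not be forced until it is.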
Allowing Replication With Tombstoned Domain Controllers
In a normal situation you would not do this, as the chances are that Active Directory on a domain controller that has not replicated for 6 months would be well past its sell-by date. However, in this situation I knew all the domain controllers were current. We need to enable a setting that allows replication with a divergent and corrupt partner.
This setting needs to be on ALL YOUR DOMAIN CONTROLLERS that you want to replicate. There are two ways of adding this setting; the first is via the registry.
Run regedit and browse to the following key.
Then create a DWORD value named Allow Replication With Divergent and Corrupt Partner and set its value to 1 to allow.
The other way we can enable this across all of our domain controllers is with the following command.
repadmin /regkey * +allowDivergent
Now that we have this setting on all of our domain controllers we can force them to replicate. The standard way is to use the GUI in Active Directory Sites and Services: select the server, then NTDS Settings, then right-click the connection object and choose to replicate. Here we use the repadmin command instead. Make sure you run this on each domain controller.
repadmin /syncall /d /e
/d Identifies servers by distinguished name in messages.
/e Synchronizes domain controllers across all sites in the enterprise. By default, this command does not synchronize domain controllers in other sites.
Now that all of your servers are synchronizing, you will need to remove that registry key or set it to 0 to disallow it again. The process is now complete.
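The whole procedure from this guide, run as one script, is shown below as an added example; it is not part of the original post. It assumes repadmin.exe and the RSAT ActiveDirectory module are available, PowerShell remoting works to every DC, and the account holds the rights the guide assumes (Domain or Enterprise Admin). The post does not print the registry key path; the path used in the registry helper is the standard NTDS Parameters key, and the repadmin /regkey commands are the ones the guide gives (with the minus form used to turn the setting off again, which repadmin also supports).

```powershell
# Added example (not from the original post): enable the divergent-partner
# setting on every DC, force a sync from each DC, check replication, and then
# turn the setting off again once replication is clean.
# Assumptions: RSAT ActiveDirectory module, repadmin.exe, PS remoting to all DCs.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

# Registry variant of the setting (the guide's "first way"). Path assumed here:
# the standard NTDS Parameters key; the value name is the one the guide gives.
function Set-DivergentPartnerSetting {
    param([string[]]$DomainControllers, [int]$Value)   # 1 = allow, 0 = disallow
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $name = 'Allow Replication With Divergent and Corrupt Partner'
    Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
        param($k, $n, $v)
        New-ItemProperty -Path $k -Name $n -PropertyType DWord -Value $v -Force | Out-Null
        "$env:COMPUTERNAME -> $n = $v"
    } -ArgumentList $key, $name, $Value
}

# Step 1: enable the setting on ALL DCs. Either the registry helper above or the
# guide's repadmin one-liner ('*' targets every DC); both write the same DWORD.
repadmin /regkey * +allowDivergent
# Set-DivergentPartnerSetting -DomainControllers $dcs -Value 1   # equivalent

# Step 2: force each DC to sync with all partners across all sites. The guide
# runs "repadmin /syncall /d /e" on every DC; naming the DSA lets us do that
# from one place. /A = all partitions, /d = show DNs, /e = all sites, /P = push.
foreach ($dc in $dcs) {
    Write-Host "Forcing sync from $dc"
    repadmin /syncall $dc /AdeP
}

# Step 3: verify. /showrepl /csv gives one row per partner per partition;
# any row with a non-zero failure count still needs attention.
repadmin /replsummary
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$failures = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })

if ($failures.Count -gt 0) {
    $failures | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' -AutoSize
    Write-Warning "$($failures.Count) replication link(s) still failing; leave the setting in place until they clear."
} else {
    # Step 4: the guide says to remove the key or set it to 0 once everything
    # syncs; the minus form of /regkey does that on every DC in one go.
    repadmin /regkey * -allowDivergent
    # Set-DivergentPartnerSetting -DomainControllers $dcs -Value 0   # equivalent
    Write-Host "All partners replicating; divergent-partner setting removed on all DCs."
}
```

Leaving the setting enabled only for as long as the failures take to clear, and then removing it in the same run, avoids the situation the setting exists to guard against: a DC that genuinely has been offline past the tombstone lifetime silently reintroducing lingering objects later on.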