5/7/19

Today I had the unfortunate luxury of a DC showcasing these errors and replication issues, with the DC not having DNS, DHCP orphaned, and authentication of users occurring:

  • (1722) The RPC server is unavailable.
  • (5) Access is denied.
  • -2146893022 (0x80090322): The target principal name is incorrect.
  • (8606): Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

===========================================================

What you must do first is make sure the Kerberos Key Distribution Center is working correctly and that all of its tickets are purged from the DCs having problems. It also helps to reset the machine account password of the DC itself (the password stored locally and the one stored in Active Directory must match, otherwise the KDC can’t issue valid tickets for that DC). You do that with these commands on every DC that has problems:

  1. net stop kdc
  2. klist /purge
  3. netdom resetpwd /s:[name of a healthy DC] /ud:[domain]\[administrator account] /pd:[that account’s password] (run this on the DC whose password you are resetting, while its KDC is stopped)
  4. net start kdc
  5. reboot

================================================

The second thing you must do is set a few registry values under this key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]

Modify: "Strict Replication Consistency"=dword:00000001 (0 = off, 1 = on)

Change it to 0 to allow replication while you repair.

Add: "Allow Replication With Divergent and Corrupt Partner"=dword:00000001 as a DWORD (32-bit) value (0 = off, 1 = on)

Set it to 1 to allow replication from the divergent/corrupt partner. This switches off the check that normally stops lingering objects from being re-introduced, so leave it at 1 only for the duration of the repair and put it back to 0 as soon as replication is healthy.
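Because the relaxed registry state is exactly what lets stale objects back into the directory, it is worth scripting the change so that reverting it is as easy as making it. The following PowerShell is an added example, not from the original post, that wraps the two NTDS values above; it assumes an elevated session on the affected domain controller and that the value names are spelled as in the post.

```powershell
# Added example, not from the original post. Wraps the two NTDS registry
# values the post edits so that the relaxed state is easy to enter and,
# more importantly, easy to revert once replication is healthy again.
# Assumes an elevated PowerShell session on the affected domain controller.
$NtdsParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$StrictName    = 'Strict Replication Consistency'
$DivergentName = 'Allow Replication With Divergent and Corrupt Partner'

function Get-NtdsReplicationGuardState {
    # Reads both values; a value that does not exist yet comes back as $null.
    $p = Get-ItemProperty -Path $NtdsParams
    [pscustomobject]@{
        StrictReplicationConsistency = $p.$StrictName
        AllowDivergentPartner        = $p.$DivergentName
    }
}

function Enable-NtdsRepairMode {
    # Relaxed state from the post: strict = 0 (off), divergent partner = 1 (on).
    # Set-ItemProperty creates the value when it is not there yet.
    Set-ItemProperty -Path $NtdsParams -Name $StrictName    -Value 0 -Type DWord
    Set-ItemProperty -Path $NtdsParams -Name $DivergentName -Value 1 -Type DWord
    Get-NtdsReplicationGuardState
}

function Disable-NtdsRepairMode {
    # Normal state: strict = 1, divergent partner = 0 (removing the added value
    # with Remove-ItemProperty is equivalent to setting it to 0).
    Set-ItemProperty -Path $NtdsParams -Name $StrictName    -Value 1 -Type DWord
    Set-ItemProperty -Path $NtdsParams -Name $DivergentName -Value 0 -Type DWord
    Get-NtdsReplicationGuardState
}

function Test-NtdsReplicationGuard {
    # $true only when both guards are back in their normal state.
    $s = Get-NtdsReplicationGuardState
    ($s.StrictReplicationConsistency -eq 1) -and
    ($s.AllowDivergentPartner -ne 1)
}

# Typical use during the repair:
#   Enable-NtdsRepairMode        # before the repadmin steps
#   ...repadmin steps...
#   Disable-NtdsRepairMode       # after 'repadmin /replsummary' is clean
#   if (-not (Test-NtdsReplicationGuard)) { Write-Warning 'replication guards are still relaxed' }
```

Running Test-NtdsReplicationGuard at the end of the repair (or from a scheduled check) catches the common mistake of forgetting to revert the divergent-partner value on one of several DCs.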

==========================================================

Then you need to run this command on the healthy Domain Controller:

‘repadmin /showreps’

and it will produce something like this:

C:\Users\Administrator.Contros>repadmin /showreps
Default-First-Site-Name\Contros-DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 364ff38f-83ff-4749-a3c2-649090907373
DSA invocationID: ed3d3e3c-48bc-41ec-788e-29caa0cf1f55

==== INBOUND NEIGHBORS ======================================

DC=Contros,DC=net
Default-First-Site-Name\Contros-DC2 via RPC
DSA object GUID: d79d7464-567a-1234-b2fa-e7da9902b73b
Last attempt @ 2019-05-07 15:11:40 was successful.

CN=Configuration,DC=Contros,DC=us
Default-First-Site-Name\Contros-DC2 via RPC
DSA object GUID: d79d7464-567a-1234-b2fa-e7da9902b73b
Last attempt @ 2019-05-07 14:47:35 was successful.

CN=Schema,CN=Configuration,DC=Contros,DC=us
Default-First-Site-Name\Contros-DC2 via RPC
DSA object GUID: d79d7464-567a-1234-b2fa-e7da9902b73b
Last attempt @ 2019-05-07 14:47:35 was successful.

DC=DomainDnsZones,DC=Contros,DC=us
Default-First-Site-Name\Contros-DC2 via RPC
DSA object GUID: d79d7464-567a-1234-b2fa-e7da9902b73b
Last attempt @ 2019-05-07 14:47:35 was successful.

DC=ForestDnsZones,DC=Contros,DC=us
Default-First-Site-Name\Contros-DC2 via RPC
DSA object GUID: d79d7464-567a-1234-b2fa-e7da9902b73b
Last attempt @ 2019-05-07 14:47:35 was successful.

C:\Users\Administrator.Contros>

=======================================================

Then you must remove any lingering objects that are left over from the disconnected DC. You do that with the following command, using the output from “repadmin /showreps” above, once for each naming context it lists:

c:\>repadmin /removelingeringobjects <Dest_DSA_LIST> <Source DSA GUID> <NC> [/ADVISORY_MODE]

Example:
  Contros-DC1.contros.net = Bad DC (the destination being cleaned)
  d79d7464-567a-1234-b2fa-e7da9902b73b = GUID of the good DC (the source used as the reference copy)
  DC=Contros,DC=net = Naming Context
You can check this GUID by running the same command against the GOOD DC. 🙂

c:\>repadmin /removelingeringobjects Contros-DC1.contros.net d79d7464-567a-1234-b2fa-e7da9902b73b DC=Contros,DC=net [/force] or [/ADVISORY_MODE]
^ If you use /force it deletes no matter what; if you use advisory mode it only reports the lingering objects and doesn’t delete anything. Run advisory mode first and review what it reports before deleting, because a lingering object can be a real account that was deleted everywhere else.
=======================================================
Then once you have removed the lingering objects you can do the following:

  Contros-DC1.contros.net = Bad DC
  Contros-DC2.contros.net = Good DC
  DC=Contros,DC=net = Naming Context

repadmin /replicate Contros-DC1.contros.net Contros-DC2.contros.net DC=Contros,DC=net /force
repadmin /replicate Contros-DC1.contros.net Contros-DC2.contros.net CN=Configuration,DC=Contros,DC=net /force
repadmin /replicate Contros-DC1.contros.net Contros-DC2.contros.net CN=Schema,CN=Configuration,DC=Contros,DC=net /force
repadmin /replicate Contros-DC1.contros.net Contros-DC2.contros.net DC=DomainDnsZones,DC=Contros,DC=net /force
repadmin /replicate Contros-DC1.contros.net Contros-DC2.contros.net DC=ForestDnsZones,DC=Contros,DC=net /force
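Typing the removelingeringobjects and replicate commands by hand for five naming contexts is where GUIDs get mistyped and a context gets skipped. The following PowerShell is an added example, not from the original post: it parses the text of “repadmin /showreps” (taken on the bad DC, which lists the good DC as its inbound partner) and prints the commands for both steps above, in advisory mode unless -Force is given. The sample listing, server names and GUIDs are constructed from the post’s example, with the naming contexts all under DC=Contros,DC=net for consistency.

```powershell
# Added example, not from the original post. Turns 'repadmin /showreps' text
# into the per-naming-context repair commands the post runs by hand, so they
# can be reviewed before anything is executed. Nothing here runs repadmin.
# The sample below is constructed from the post's listing (names and GUIDs
# are the post's placeholders, not real identifiers).
$SampleShowReps = @'
Default-First-Site-Name\Contros-DC1
DSA Options: IS_GC
DSA object GUID: 364ff38f-83ff-4749-a3c2-649090907373

==== INBOUND NEIGHBORS ======================================

DC=Contros,DC=net
    Default-First-Site-Name\Contros-DC2 via RPC
        DSA object GUID: d79d7464-567a-1234-b2fa-e7da9902b73b
        Last attempt @ 2019-05-07 15:11:40 was successful.

CN=Configuration,DC=Contros,DC=net
    Default-First-Site-Name\Contros-DC2 via RPC
        DSA object GUID: d79d7464-567a-1234-b2fa-e7da9902b73b
        Last attempt @ 2019-05-07 14:47:35 was successful.

CN=Schema,CN=Configuration,DC=Contros,DC=net
    Default-First-Site-Name\Contros-DC2 via RPC
        DSA object GUID: d79d7464-567a-1234-b2fa-e7da9902b73b
        Last attempt @ 2019-05-07 14:47:35 failed, result 8606 (0x219e):
            Insufficient attributes were given to create an object.
'@

function ConvertFrom-ShowReps {
    # Yields one record per (naming context, inbound partner) pair.
    param([string]$Text)
    $inInbound = $false
    $nc = $null
    $partner = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^==== INBOUND NEIGHBORS')  { $inInbound = $true;  continue }
        if ($line -match '^==== OUTBOUND NEIGHBORS') { $inInbound = $false; continue }
        if (-not $inInbound -or $line -eq '') { continue }
        if ($line -match '^(DC|CN)=')                { $nc = $line; continue }
        if ($line -match '^[^\\]+\\(?<dc>\S+) via')  { $partner = $Matches.dc; continue }
        if ($line -match '^DSA object GUID:\s*(?<guid>[0-9a-fA-F-]{36})') {
            [pscustomobject]@{ NamingContext = $nc; SourceDc = $partner; SourceGuid = $Matches.guid }
        }
    }
}

function New-ReplicationRepairPlan {
    # $BadDc and $GoodDc are FQDNs; $ShowRepsText is 'repadmin /showreps' from the bad DC.
    param(
        [string]$BadDc,
        [string]$GoodDc,
        [string]$ShowRepsText,
        [switch]$Force   # without -Force, lingering objects are only reported
    )
    $goodName = ($GoodDc -split '\.')[0]
    $mode = if ($Force) { '/force' } else { '/ADVISORY_MODE' }
    # Only take GUIDs from the DC chosen as the reference copy.
    $records = ConvertFrom-ShowReps -Text $ShowRepsText | Where-Object SourceDc -eq $goodName
    # Step 1 from the post: clean lingering objects on the bad DC, per naming context.
    foreach ($r in $records) {
        "repadmin /removelingeringobjects $BadDc $($r.SourceGuid) ""$($r.NamingContext)"" $mode"
    }
    # Step 2 from the post: pull each naming context from the good DC.
    foreach ($r in $records) {
        "repadmin /replicate $BadDc $GoodDc ""$($r.NamingContext)"" /force"
    }
}

New-ReplicationRepairPlan -BadDc 'Contros-DC1.contros.net' -GoodDc 'Contros-DC2.contros.net' -ShowRepsText $SampleShowReps
```

The plan prints advisory-mode commands first on purpose; rerun it with -Force only after the advisory output has been reviewed. Because it filters on the partner name, a stray GUID from some third DC in the showreps output never ends up as the reference source.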
=================================================

After you do this, type ‘repadmin /replsummary’ and your domain controller should be replicated. When done, change both replication registry values back to their normal state (“Strict Replication Consistency” back to 1 and “Allow Replication With Divergent and Corrupt Partner” back to 0) and then check again. You can also run ‘dcdiag /fix’ and ‘repadmin /syncall /AdeP’ if you want to check things over and make sure everything is working correctly.

I hope this helps someone. 🙂

Cheers!