Sep 15 2021 01:53 PM - edited Sep 15 2021 01:53 PM
Scenario
The DC is virtualized in VMware. I got it restored from a Veeam backup, meaning it is not in the current state, which caused Active Directory to break. How could I get it fixed? I forced replication between the 2 DCs and it failed. Here and there we have several PCs that show the error:
“The trust relationship between this Workstation and the primary Domain failed”
Based on the above use case, we identified certain errors.
Investigation
So first, a piece of advice: you should never restore a domain controller in a multi-domain-controller environment. Instead, you should stand up a new DC and start replication; it will take time, but it will replicate from a fully healthy DC.
Then we ran the below commands and collected the logs for review.
Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\problemworkstation.txt
Errors Observed in DC Diagnostic Report & Replication Summary
We found the following two errors in the DC diagnostic report and replication summary:
Logging Conditions for Error 8606
Upon further research, we found out that Error 8606 is logged when the following conditions are true:
Cause of Error 8606
The error is caused by one of the following:
Key Points to Remember for Troubleshooting Error 8606
When you troubleshoot 8606 errors, think about the following points:
Resolution
For our need, to check the replication status between only 2 DCs (the affected one and a healthy one), we also tried disabling “Strict Replication Consistency”, which prevents destination domain controllers from replicating in lingering objects. However, it is highly recommended not to disable “Strict Replication Consistency”, as there is a risk that lingering objects could be replicated to one or many domain controllers where this setting is not enabled.
Reference Microsoft Documentation for enabling this setting:
As the actual fix, we had to remove the lingering objects from the recovered DC for smooth replication. While many methods exist to remove lingering objects, there are two primary tools commonly used: Lingering Object Liquidator (LoL) and repadmin.exe.
The easiest method to clean up lingering objects is to use the LoL. The LoL tool was developed to help automate the cleanup process against an Active Directory forest. The tool is GUI-based and can scan the current Active Directory forest and detect and clean up lingering objects.
The tool is available on Microsoft Download Center.
The following command in REPADMIN.EXE can remove lingering objects from directory partitions:
Repadmin.Exe /RemoveLingeringObjects
Repadmin /RemoveLingeringObjects can be used to remove lingering objects from writable and read-only directory partitions on source domain controllers. The syntax is as follows:
c:\>repadmin /removelingeringobjects <Dest_DSA_LIST> <Source DSA GUID> <NC> [/ADVISORY_MODE]
Where:
Monitoring Active Directory Replication Health Daily
If error 8606 / Event 1988 was caused by the domain controller failing to replicate Active Directory changes within the last tombstone-lifetime number of days, make sure that Active Directory replication health is monitored on a day-to-day basis going forward. Replication health may be monitored by using a dedicated monitoring application or, as one inexpensive but effective option, by viewing the output of the "repadmin /showrepl * /csv" command in a spreadsheet application such as Microsoft Excel.
Thus, keeping tabs on overall Active Directory health is significant. In order to do that, it's important for an IT professional to understand how to define Active Directory health.
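The following PowerShell is an added example and is not part of the original post. It covers the two practical steps the post describes: triaging `repadmin /showrepl * /csv` output for partners that have failures or whose last successful replication is older than the tombstone lifetime, and assembling the `/removelingeringobjects` command in `/ADVISORY_MODE` from the reference DC's DSA object GUID. It also reads the forest's tombstoneLifetime and checks the "Strict Replication Consistency" registry value the post mentions. The DC names DC1 and DC2, the contoso.com domain, and the CSV rows are constructed sample data; the AD-querying functions assume the ActiveDirectory module and a domain-joined session.

```powershell
# Added example (not from the original post). Names, sites and timestamps below are constructed.
# Requires: ActiveDirectory module (RSAT) for the Get-AD* functions; repadmin.exe on a DC for real runs.

# --- 1. Sample showrepl output, constructed in the column layout "repadmin /showrepl * /csv" emits ---
# Real run instead: $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC2,"DC=contoso,DC=com",Default-First-Site-Name,DC1,RPC,0,0,2021-09-15 09:12:04,0
showrepl_INFO,Default-First-Site-Name,DC1,"DC=contoso,DC=com",Default-First-Site-Name,DC2,RPC,14,2021-09-15 09:15:31,2021-03-01 22:40:10,8606
'@

function Get-ReplicationProblems {
    # Flags each replication link that has failures, never succeeded, or has not succeeded
    # within the tombstone lifetime (the condition that leads to lingering objects / error 8606).
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [int]$TombstoneLifetimeDays = 180,      # assumption: default TSL for forests created on 2003 SP1 or later
        [datetime]$Now = (Get-Date)
    )
    foreach ($r in $Rows) {
        $failures = [int]$r.'Number of Failures'
        $lastOk   = $null
        if ($r.'Last Success Time' -and $r.'Last Success Time' -ne '0') {
            $lastOk = [datetime]$r.'Last Success Time'
        }
        $reasons = @()
        if ($failures -gt 0) { $reasons += "$failures failure(s), last status $($r.'Last Failure Status')" }
        if ($null -eq $lastOk) {
            $reasons += 'never succeeded'
        } elseif (($Now - $lastOk).Days -gt $TombstoneLifetimeDays) {
            $reasons += "last success $(($Now - $lastOk).Days) days ago exceeds tombstone lifetime ($TombstoneLifetimeDays)"
        }
        if ($reasons.Count) {
            [pscustomobject]@{
                Destination = $r.'Destination DSA'
                Source      = $r.'Source DSA'
                NC          = $r.'Naming Context'
                LastSuccess = $lastOk
                Reason      = $reasons -join '; '
            }
        }
    }
}

function Get-TombstoneLifetime {
    # Reads tombstoneLifetime from the Directory Service object in the configuration partition;
    # the attribute is unset on older forests, where the 60-day default applies.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-StrictReplicationConsistency {
    # Returns $true when the DC has "Strict Replication Consistency" = 1 under the NTDS Parameters key.
    # Returns $false when it is 0 or absent (absent means the forest default applies).
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction Stop
        [int]$p.'Strict Replication Consistency' -eq 1
    }
}

function New-RemoveLingeringObjectsCommand {
    # Builds the repadmin command line. <Source DSA GUID> is the objectGUID of the reference DC's
    # NTDS Settings object. Without -Execute the command only reports (/ADVISORY_MODE).
    param(
        [Parameter(Mandatory)][string]$AffectedDC,     # the restored DC holding lingering objects
        [Parameter(Mandatory)][string]$ReferenceDC,    # healthy DC used as the authoritative source
        [Parameter(Mandatory)][string]$NamingContext,  # e.g. DC=contoso,DC=com
        [switch]$Execute
    )
    $ref  = Get-ADDomainController -Identity $ReferenceDC
    $guid = (Get-ADObject -Identity $ref.NTDSSettingsObjectDN).ObjectGUID
    $cmd  = "repadmin /removelingeringobjects $AffectedDC $guid $NamingContext"
    if (-not $Execute) { $cmd += ' /ADVISORY_MODE' }
    $cmd
}

# --- Run the triage against the constructed sample (offline) ---
$rows = $sampleCsv -split "`r?`n" | ConvertFrom-Csv
Get-ReplicationProblems -Rows $rows -TombstoneLifetimeDays 180 -Now ([datetime]'2021-09-15 10:00:00') |
    Format-Table -AutoSize
# Expected: only the DC1 <- DC2 link is reported (14 failures, status 8606, last success 197 days ago).

# In a real environment:
#   $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
#   Get-ReplicationProblems -Rows $rows -TombstoneLifetimeDays (Get-TombstoneLifetime)
#   Test-StrictReplicationConsistency -ComputerName DC1
#   New-RemoveLingeringObjectsCommand -AffectedDC DC2 -ReferenceDC DC1 -NamingContext 'DC=contoso,DC=com'
# Review the advisory-mode events before re-running with -Execute, and run it once per naming context.
```

Keep the advisory run first: it writes the candidate objects to the Directory Service event log without deleting anything, so the list can be checked against the healthy DC before the destructive pass.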
Sep 15 2021 01:59 PM
Is there a question?
Sep 15 2021 02:09 PM