Wednesday, July 10, 2013

Active Directory DC - How to solve error 8614 and eventID 2042

Suppose you want to rename a domain controller in the forest, as I did a couple of days ago. Before touching anything you want to confirm that replication is healthy, using the repadmin tool (included in Windows Server 2008):

> repadmin /showrepl

But one domain controller, call it DC-A, shows up in the output with error 8614: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime". In other words, the other DCs have refused to pull changes from DC-A, because DC-A has been out of touch for longer than the tombstone lifetime and anything it still holds may have been deleted (and garbage-collected) elsewhere in the meantime.


In this situation, I suggest troubleshooting with two tools that are already in the Windows Server environment:

+ Event Viewer: to open it: Start -> Run -> type eventvwr

+ Command Prompt: Start -> Run -> cmd (if the command prompt window is too small, you can enlarge it following the instructions in my blog post here)

Here is how I fixed the issue:

1. Verify which Domain Controller raised the 8614 error by using:

> repadmin /showrepl
> repadmin /showreps

* Run these commands on any DC other than DC-A (/showreps is just an alias of /showrepl). The 8614 appears on the links where DC-A is the source DSA.

* In addition, open Event Viewer; under Applications and Services Logs, Directory Service, you will see an error with event ID 2042 ("It has been too long since this machine last replicated with the named source machine") on the DCs that refuse to replicate from DC-A.

According to the Microsoft knowledge base, the likely cause is that the domain controller contains so-called lingering objects: objects that were deleted and garbage-collected on the rest of the forest while DC-A was not replicating, so DC-A still holds a live copy that would be resurrected if it were allowed to replicate again. This was the most probable explanation in my case, because everything else checked out (time synchronization, default tombstone lifetime).

2. So, I have to remove those lingering objects from DC-A, using a healthy, up-to-date DC as the reference:

> repadmin /removelingeringobjects DC-A.MYDOMAIN.COM 5b0b944e-de7b-4f96-942b-1e040169db36 "CN=Configuration,DC=MYDOMAIN,DC=COM" /ADVISORY_MODE
> repadmin /removelingeringobjects DC-A.MYDOMAIN.COM 5b0b944e-de7b-4f96-942b-1e040169db36 "CN=Configuration,DC=MYDOMAIN,DC=COM"

The syntax is /removelingeringobjects <destination DC> <DSA object GUID of the reference DC> <naming context>:

+ DC-A.MYDOMAIN.COM: the DC to clean, i.e. the one that has been out of replication.

+ 5b0b944e-de7b-4f96-942b-1e040169db36: the DSA object GUID of the reference DC whose copy of the partition you trust (not DC-A's own GUID). You can read it from the header lines of repadmin /showrepl run against that reference DC ("DSA object GUID").

+ "CN=Configuration,DC=MYDOMAIN,DC=COM": the naming context (NC) for which DC-A raised the error (from the output of repadmin /showrepl). Repeat for every NC listed, including the domain NC and the schema NC.

* Run with /ADVISORY_MODE first: it only logs what would be removed in the Directory Service log, so you can review the list before deleting anything.

* Repeat for all other DCs in the forest, so that none of them is left holding lingering objects.

3. Enable strict replication consistency on all DCs in the forest, so that a DC which still holds lingering objects cannot reintroduce them later:

> repadmin /regkey * +strict

4. Set "Allow replication with divergent and corrupt partner = 1" on all DCs. This temporarily lifts the 8614 block so the other DCs will replicate from DC-A again; it must only be set after the lingering objects are gone, and it must be removed afterwards (step 7):

> repadmin /regkey * +allowDivergent

5. Flush DNS Cache and restart netlogon service in DC-A:

> ipconfig /flushdns

> net stop netlogon

+ rename netlogon.dns and netlogon.dnb, which are located in C:\Windows\System32\config\ (not directly in System32)

+ > ipconfig /flushdns

+ > net start netlogon (this command will re-create netlogon.dns and netlogon.dnb files)

+ > ipconfig /registerdns

6. Check the replication of all DCs again using repadmin and Event Viewer

> repadmin /showrepl

7. Delete "Allow replication with divergent and corrupt partner" (or set it to 0) in the registry of all DCs, so the tombstone-lifetime protection is back in force:

> repadmin /regkey * -allowDivergent

8. Check the replication of all DCs again using repadmin and Event Viewer

And all the DCs will replicate successfully!
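The same procedure as one PowerShell script, added here as an example and not part of the original post. It assumes the ActiveDirectory RSAT module and repadmin.exe are available, that it runs as an Enterprise Admin (needed for the Configuration and Schema partitions and for repadmin /regkey * on every DC), and two placeholder names: $StaleDc for the DC that fell behind (DC-A) and $ReferenceDc for the healthy DC used as the lingering-object reference (DC-B is a hypothetical name, not from the post). Without -Fix it only reports and runs /removelingeringobjects in /ADVISORY_MODE; with -Fix it carries out steps 2 to 7.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Placeholders: $StaleDc, $ReferenceDc.
param(
    [string]$StaleDc     = 'DC-A.MYDOMAIN.COM',   # the DC that raised 8614
    [string]$ReferenceDc = 'DC-B.MYDOMAIN.COM',   # hypothetical healthy reference DC
    [switch]$Fix                                 # without -Fix: report + advisory mode only
)

# Step 1: every replication link in the forest as objects; keep the ones blocked by 8614.
$links   = repadmin /showrepl * /csv | ConvertFrom-Csv
$blocked = $links | Where-Object { $_.'Last Failure Status' -eq '8614' }
if (-not $blocked) { Write-Host 'No link reports 8614; nothing to do.'; return }
$blocked | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time' |
    Format-Table -AutoSize

# Cross-check: the destination DCs should also have logged event 2042.
foreach ($dest in ($blocked.'Destination DSA' | Sort-Object -Unique)) {
    Get-WinEvent -ComputerName $dest -MaxEvents 3 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 2042 } |
        Select-Object MachineName, TimeCreated, Message
}

# Step 2: lingering objects. repadmin wants <destination DC> <DSA GUID of the reference DC> <NC>.
# The DSA GUID is the objectGUID of the reference DC's NTDS Settings object, the value
# that repadmin /showrepl prints as "DSA object GUID".
$refDsaGuid     = (Get-ADObject -Identity (Get-ADDomainController -Identity $ReferenceDc).NTDSSettingsObjectDN).ObjectGUID
$namingContexts = (Get-ADRootDSE -Server $StaleDc).namingContexts
$targets = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty HostName |
    Where-Object { $_ -ne $ReferenceDc }          # clean every DC except the reference

foreach ($dc in $targets) {
    foreach ($nc in $namingContexts) {
        $argList = @($dc, $refDsaGuid.ToString(), $nc)
        if (-not $Fix) { $argList += '/ADVISORY_MODE' }   # log only, delete nothing
        repadmin /removelingeringobjects $argList
    }
}
if (-not $Fix) {
    Write-Host 'Advisory run finished. Review the Directory Service log on each DC, then rerun with -Fix.'
    return
}

# Steps 3 and 4: strict consistency everywhere, then temporarily allow replication from the stale DC.
repadmin /regkey * +strict
repadmin /regkey * +allowDivergent

# Step 5: rebuild the stale DC's DNS registrations. netlogon.dns/.dnb live in System32\config.
Invoke-Command -ComputerName $StaleDc -ScriptBlock {
    ipconfig /flushdns | Out-Null
    Stop-Service Netlogon
    $cfg   = Join-Path $env:SystemRoot 'System32\config'
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    foreach ($f in 'netlogon.dns', 'netlogon.dnb') {
        $p = Join-Path $cfg $f
        if (Test-Path $p) { Rename-Item $p "$f.$stamp.old" }
    }
    ipconfig /flushdns | Out-Null
    Start-Service Netlogon            # re-creates netlogon.dns and netlogon.dnb
    ipconfig /registerdns | Out-Null
}

# Step 6: push a full sync from the stale DC and re-check; Step 7: withdraw the override
# unconditionally, so the tombstone-lifetime protection never stays disabled.
repadmin /syncall $StaleDc /AdeP | Out-Null
$stillBlocked = repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { $_.'Last Failure Status' -eq '8614' }
repadmin /regkey * -allowDivergent

if ($stillBlocked) {
    Write-Warning ('{0} link(s) still report 8614; do not rename the DC yet:' -f @($stillBlocked).Count)
    $stillBlocked | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context' -AutoSize
} else {
    Write-Host 'All links replicate again; the override has been removed.'
}
```

Run it once without -Fix and read the advisory-mode entries in the Directory Service log before running it with -Fix; the override from step 4 is removed at the end whether or not the final check is clean, because leaving "Allow replication with divergent and corrupt partner" set is exactly what lets lingering objects come back.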

Now you can rename the DC as you wish.