AD USN rollback
Running Dcdiag shows that replication is failing; the W32TM service stops and the Netlogon service is paused.
Running Repadmin /Showrepl reports an RPC ERROR:
C:\Users\Administrator.OOOOO>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\OOOO-AD2
DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
Site Options: (none)
DSA object GUID: be5bb98a-52f6-40d2-a494-9ad3b5091657
DSA invocationID: 754e643d-ccf8-4d46-ab61-78ff892a00ba
==== INBOUND NEIGHBORS ======================================
DC=OOOOO,DC=com
Default-First-Site-Name\OOOO-AD via RPC
DSA object GUID: a57529fb-4a4b-4899-aae8-b4b86712052f
Last attempt @ 2012-02-09 22:05:04 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
16185 consecutive failure(s).
Last success @ 2012-01-19 14:02:08.
CN=Configuration,DC=OOOOO,DC=com
Default-First-Site-Name\OOOO-AD via RPC
DSA object GUID: a57529fb-4a4b-4899-aae8-b4b86712052f
Last attempt @ 2012-02-09 21:50:06 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
263 consecutive failure(s).
Last success @ 2012-01-19 13:47:54.
CN=Schema,CN=Configuration,DC=OOOOO,DC=com
Default-First-Site-Name\OOOO-AD via RPC
DSA object GUID: a57529fb-4a4b-4899-aae8-b4b86712052f
Last attempt @ 2012-02-09 21:50:06 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
234 consecutive failure(s).
Last success @ 2012-01-19 13:47:55.
DC=DomainDnsZones,DC=OOOOO,DC=com
Default-First-Site-Name\OOOO-AD via RPC
DSA object GUID: a57529fb-4a4b-4899-aae8-b4b86712052f
Last attempt @ 2012-02-09 21:50:06 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
297 consecutive failure(s).
Last success @ 2012-01-19 13:47:55.
DC=ForestDnsZones,DC=OOOOO,DC=com
Default-First-Site-Name\OOOO-AD via RPC
DSA object GUID: a57529fb-4a4b-4899-aae8-b4b86712052f
Last attempt @ 2012-02-09 21:50:06 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
245 consecutive failure(s).
Last success @ 2012-01-19 13:47:55.
Source: Default-First-Site-Name\OOOO-AD
******* 16180 CONSECUTIVE FAILURES since 2012-01-19 14:02:08
Last error: 8457 (0x2109):
The destination server is currently rejecting replication requests.
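If the command is run on the other AD server instead, the error reported is 8456.
That means that DC's database has a problem. To see where the problem lies, check with Repadmin /showutdvec: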
C:\Users\Administrator.OOOOO>repadmin /showutdvec * DC=OOOOO,DC=com
Repadmin: running command /showutdvec against full DC OOOO-AD.OOOOO.com
Caching GUIDs.
..
Default-First-Site-Name\OOOO-AD @ USN 385440 @ Time 2012-02-09 22:08:00
Default-First-Site-Name\OOOO-AD2 @ USN 156806 @ Time 2012-01-31 09:37:31
f7f02c4c-3f16-4ae7-b77a-80aea6aa5dba @ USN 659685 @ Time 2012-02-09 17:53:45
Repadmin: running command /showutdvec against full DC OOOO-AD2.OOOOO.com
Caching GUIDs.
..
Default-First-Site-Name\OOOO-AD @ USN 283737 @ Time 2012-01-19 14:02:23
Default-First-Site-Name\OOOO-AD2 @ USN 106566 @ Time 2012-02-09 22:08:00
f7f02c4c-3f16-4ae7-b77a-80aea6aa5dba @ USN 462017 @ Time 2012-01-19 13:57:51
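f7f02c4c-3f16-4ae7-b77a-80aea6aa5dba is a DC that has already been removed, so it can be ignored.
From the output above we can tell the following.
When the USN query is run against DC OOOO-AD.OOOOO.com:
OOOO-AD, i.e. its own database, is at USN 385440
OOOO-AD2, as recorded on OOOO-AD, is at USN 156806
But when the USN query is run against DC OOOO-AD2.OOOOO.com, the result is:
OOOO-AD2, i.e. its own database, is at USN 106566
OOOO-AD, as recorded on OOOO-AD2, is at USN 283737
In other words, OOOO-AD2 itself has only recorded up to USN 106566, so how is it supposed to replicate with OOOO-AD, whose database holds an unaccounted-for USN of 156806 for it?
This situation usually arises after a DC has been restored, and that is what caused the problem here.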
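The comparison walked through above can be automated. The following is an added example, not part of the original post: it parses saved `repadmin /showutdvec *` output and flags any DC whose own USN is lower than the USN a partner has already recorded for it. It assumes each reporting DC's short host name matches the name after the site prefix; `parse_utdvec` and `find_rollbacks` are hypothetical helper names.

```python
import re

# Constructed sample: the two /showutdvec result sets shown on this page.
SAMPLE = r"""
Repadmin: running command /showutdvec against full DC OOOO-AD.OOOOO.com
Default-First-Site-Name\OOOO-AD @ USN 385440 @ Time 2012-02-09 22:08:00
Default-First-Site-Name\OOOO-AD2 @ USN 156806 @ Time 2012-01-31 09:37:31
f7f02c4c-3f16-4ae7-b77a-80aea6aa5dba @ USN 659685 @ Time 2012-02-09 17:53:45
Repadmin: running command /showutdvec against full DC OOOO-AD2.OOOOO.com
Default-First-Site-Name\OOOO-AD @ USN 283737 @ Time 2012-01-19 14:02:23
Default-First-Site-Name\OOOO-AD2 @ USN 106566 @ Time 2012-02-09 22:08:00
f7f02c4c-3f16-4ae7-b77a-80aea6aa5dba @ USN 462017 @ Time 2012-01-19 13:57:51
"""

HEADER = re.compile(r"/showutdvec against full DC (\S+)")
ENTRY = re.compile(r"^(\S+)\s+@ USN\s+(\d+)\s+@ Time")

def parse_utdvec(text):
    """Return {reporting_dc: {source_dsa: usn}} keyed by short host name."""
    vectors, current = {}, None
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            # Assumption: short host name equals the name used in the vector.
            current = header.group(1).split(".")[0].upper()
            vectors[current] = {}
            continue
        entry = ENTRY.match(line.strip())
        if entry and current:
            source = entry.group(1).split("\\")[-1].upper()  # drop site prefix
            vectors[current][source] = int(entry.group(2))
    return vectors

def find_rollbacks(vectors):
    """List (dc, own_usn, partner, usn_partner_recorded) where own < recorded."""
    findings = []
    for dc, vec in vectors.items():
        own = vec.get(dc)
        if own is None:
            continue
        for partner, partner_vec in vectors.items():
            seen = partner_vec.get(dc)
            if partner != dc and seen is not None and seen > own:
                findings.append((dc, own, partner, seen))
    return findings

if __name__ == "__main__":
    for dc, own, partner, seen in find_rollbacks(parse_utdvec(SAMPLE)):
        print(f"{dc}: own USN {own} < {seen} recorded by {partner}")
```

Entries for removed DCs, such as the GUID-only line, are parsed but never compared because no result set is reported by them.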
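Given how this works, there are only two ways to fix it:
1. Restore NTDS on OOOO-AD to a point in time at which the USN it records for OOOO-AD2 is lower than 106566, but OOOO-AD is higher than 283737
2. Demote OOOO-AD2, clean up the related NTDS information, and then promote it to a DC again
For the detailed steps, see http://support.microsoft.com/kb/875495/en-us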