Active Directory replication failure: USN rollback

AD USN rollback

Running Dcdiag shows that replication is failing; in addition, the W32TM service stops and the Netlogon service is paused.

Running Repadmin /Showrepl returns an RPC error:

C:\Users\Administrator.OOOOO>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\OOOO-AD2
DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
Site Options: (none)
DSA object GUID: be5bb98a-52f6-40d2-a494-9ad3b5091657
DSA invocationID: 754e643d-ccf8-4d46-ab61-78ff892a00ba

==== INBOUND NEIGHBORS ======================================

DC=OOOOO,DC=com
    Default-First-Site-Name\OOOO-AD via RPC
        DSA object GUID: a57529fb-4a4b-4899-aae8-b4b86712052f
        Last attempt @ 2012-02-09 22:05:04 failed, result 8457 (0x2109):
            The destination server is currently rejecting replication requests.
        16185 consecutive failure(s).
        Last success @ 2012-01-19 14:02:08.

CN=Configuration,DC=OOOOO,DC=com
    Default-First-Site-Name\OOOO-AD via RPC
        DSA object GUID: a57529fb-4a4b-4899-aae8-b4b86712052f
        Last attempt @ 2012-02-09 21:50:06 failed, result 8457 (0x2109):
            The destination server is currently rejecting replication requests.
        263 consecutive failure(s).
        Last success @ 2012-01-19 13:47:54.

CN=Schema,CN=Configuration,DC=OOOOO,DC=com
    Default-First-Site-Name\OOOO-AD via RPC
        DSA object GUID: a57529fb-4a4b-4899-aae8-b4b86712052f
        Last attempt @ 2012-02-09 21:50:06 failed, result 8457 (0x2109):
            The destination server is currently rejecting replication requests.
        234 consecutive failure(s).
        Last success @ 2012-01-19 13:47:55.

DC=DomainDnsZones,DC=OOOOO,DC=com
    Default-First-Site-Name\OOOO-AD via RPC
        DSA object GUID: a57529fb-4a4b-4899-aae8-b4b86712052f
        Last attempt @ 2012-02-09 21:50:06 failed, result 8457 (0x2109):
            The destination server is currently rejecting replication requests.
        297 consecutive failure(s).
        Last success @ 2012-01-19 13:47:55.

DC=ForestDnsZones,DC=OOOOO,DC=com
    Default-First-Site-Name\OOOO-AD via RPC
        DSA object GUID: a57529fb-4a4b-4899-aae8-b4b86712052f
        Last attempt @ 2012-02-09 21:50:06 failed, result 8457 (0x2109):
            The destination server is currently rejecting replication requests.
        245 consecutive failure(s).
        Last success @ 2012-01-19 13:47:55.

Source: Default-First-Site-Name\OOOO-AD
******* 16180 CONSECUTIVE FAILURES since 2012-01-19 14:02:08
Last error: 8457 (0x2109):
            The destination server is currently rejecting replication requests.

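If the command is run on the other DC, the error reported is 8456 instead.

This means that DC's database has a problem. To find out where the problem lies, check with Repadmin /showutdvec: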

C:\Users\Administrator.OOOOO>repadmin /showutdvec * DC=OOOOO,DC=com

Repadmin: running command /showutdvec against full DC OOOO-AD.OOOOO.com
Caching GUIDs.
..
Default-First-Site-Name\OOOO-AD     @ USN    385440 @ Time 2012-02-09 22:08:00
Default-First-Site-Name\OOOO-AD2    @ USN    156806 @ Time 2012-01-31 09:37:31
f7f02c4c-3f16-4ae7-b77a-80aea6aa5dba @ USN    659685 @ Time 2012-02-09 17:53:45

Repadmin: running command /showutdvec against full DC OOOO-AD2.OOOOO.com
Caching GUIDs.
..
Default-First-Site-Name\OOOO-AD     @ USN    283737 @ Time 2012-01-19 14:02:23
Default-First-Site-Name\OOOO-AD2    @ USN    106566 @ Time 2012-02-09 22:08:00
f7f02c4c-3f16-4ae7-b77a-80aea6aa5dba @ USN    462017 @ Time 2012-01-19 13:57:51

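f7f02c4c-3f16-4ae7-b77a-80aea6aa5dba is a DC that has already been removed, so ignore it.

The output above tells us the following.

When the USN query is run against DC OOOO-AD.OOOOO.com:

OOOO-AD, that is, its own database, is at USN 385440

OOOO-AD2, as recorded on OOOO-AD, is at USN 156806

But when the USN query is run against DC OOOO-AD2.OOOOO.com, the result is:

OOOO-AD2, that is, its own database, is at USN 106566

OOOO-AD, as recorded on OOOO-AD2, is at USN 283737

In other words, when OOOO-AD2's own database has only recorded up to USN 106566, how is it supposed to replicate with OOOO-AD, whose database holds OOOO-AD2 at USN 156806, a value of unknown origin?

This situation usually arises after a DC has been restored, which is what causes the problem.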

 

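Given how this works, there are only two ways to fix it:

1. Restore NTDS on OOOO-AD to a point in time at which the USN it records for OOOO-AD2 is less than 106566 but the USN for OOOO-AD is greater than 283737.

2. Demote OOOO-AD2, clean up the related NTDS information, and then promote it to a DC again.

For the detailed resolution steps, see http://support.microsoft.com/kb/875495/en-us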