Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2008-02-09) RPC Errors And Weird REPADMIN Output After Demotion

Posted by Jorge on 2008-02-09


Let’s say you demote a DC within your AD forest to a member server. Then you go to another DC and execute: REPADMIN /SHOWREPS (or REPADMIN /SHOWREPL) and besides eventual RPC errors you also see something similar to:

[RFSRWDC1] C:>REPADMIN /SHOWREPL

Repadmin: running command /SHOWREPL against full DC localhost

DTCNTR01RFSRWDC1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: c69face8-badf-480c-80c6-7309dd777160

DSA invocationID: c69face8-badf-480c-80c6-7309dd777160

==== INBOUND NEIGHBORS ======================================

DC=ADCORP,DC=DEMO

DTCNTR01RFSRWDC2 via RPC

DSA object GUID: e424d545-97d5-43ab-b8ae-05cab8683190

Last attempt @ 2008-02-09 10:46:28 was successful.

BRANCH01RFSRWDC3 (deleted DSA) via RPC

DSA object GUID: 70baaeee-b7b1-4635-af14-6d91f82e0403

CN=Configuration,DC=ADCORP,DC=DEMO

DTCNTR01RFSRWDC2 via RPC

DSA object GUID: e424d545-97d5-43ab-b8ae-05cab8683190

Last attempt @ 2008-02-09 10:46:28 was successful.

BRANCH01RFSRWDC3 (deleted DSA) via RPC

DSA object GUID: 70baaeee-b7b1-4635-af14-6d91f82e0403

CN=Schema,CN=Configuration,DC=ADCORP,DC=DEMO

DTCNTR01RFSRWDC2 via RPC

DSA object GUID: e424d545-97d5-43ab-b8ae-05cab8683190

Last attempt @ 2008-02-09 10:46:28 was successful.

BRANCH01RFSRWDC3 (deleted DSA) via RPC

DSA object GUID: 70baaeee-b7b1-4635-af14-6d91f82e0403

DC=DomainDnsZones,DC=ADCORP,DC=DEMO

DTCNTR01RFSRWDC2 via RPC

DSA object GUID: e424d545-97d5-43ab-b8ae-05cab8683190

Last attempt @ 2008-02-09 10:46:28 was successful.

BRANCH01RFSRWDC3 (deleted DSA) via RPC

DSA object GUID: 70baaeee-b7b1-4635-af14-6d91f82e0403

DC=ForestDnsZones,DC=ADCORP,DC=DEMO

DTCNTR01RFSRWDC2 via RPC

DSA object GUID: e424d545-97d5-43ab-b8ae-05cab8683190

Last attempt @ 2008-02-09 10:46:28 was successful.

BRANCH01RFSRWDC3 (deleted DSA) via RPC

DSA object GUID: 70baaeee-b7b1-4635-af14-6d91f82e0403

After a normal demotion, its previous replication partners will show that info. That also depends on the OS and service pack level. The behavior has been with W2K3 in SP1 and later.

The behavior is as follows:

  • For pre-Windows 2003 Server SP1 DCs:
    • "NTDS Settings" object IS DELETED during a demotion
    • Metadata on each root object of a NC, in the multivalued attribute repsFrom, is NOT CLEANED until the "replTopologyStayOfExecution" period has passed
    • replTopologyStayOfExecution period –> Default = 14 days and max. = ½ tombstone lifetime
    • The cleanup of the "repsFrom" attribute is done by the KCC by comparing the deletion time and "replTopologyStayOfExecution" period.

(look at the last three bullets. That is the reason for the RPC errors and the output that is shown above)

  • For Windows 2003 Server SP1 DCs AND later:
    • "NTDS Settings" object IS DELETED during a demotion
    • Metadata on each root object of a NC, in the multivalued attribute repsFrom, is also CLEANED
    • The stay-of-execution mechanism is disabled

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: