AD Sync Issue

Hi, I have a situation. I just got customer who had deployed 2 x 2K3 R2 AD
and
had it sync with each other at the main office. They also deployed exchange
2007 at the main office. However, they split the network between 2 sites and
have moved 1 of the AD to a site office, but these 2 AD have not been
connected for the last 3 months. To access the domain and exchange, they
create the same new user account on the 2 AD server and exhange 2007. So
site office users login in to the site office AD, but access exchange via the
main office AD and exhange.

Question: If they connect the network together now and tried to sync the 2
AD, will the new accounts created on both sites conflict with each other or
will they just sync with each other and the users on both sides would
continue to work as per normal? Thanks.

Gilbert

In news:175368EF-3966-4E21-8B05-(E-Mail Removed),
Gilbert <(E-Mail Removed)> typed:
> Hi, I have a situation. I just got customer who had deployed 2 x 2K3
> R2 AD and
> had it sync with each other at the main office. They also deployed
> exchange 2007 at the main office. However, they split the network
> between 2 sites and have moved 1 of the AD to a site office, but
> these 2 AD have not been connected for the last 3 months. To access
> the domain and exchange, they create the same new user account on the
> 2 AD server and exhange 2007. So site office users login in to the
> site office AD, but access exchange via the main office AD and
> exhange.
>
> Question: If they connect the network together now and tried to sync
> the 2 AD, will the new accounts created on both sites conflict with
> each other or will they just sync with each other and the users on
> both sides would continue to work as per normal? Thanks.
>
> Gilbert

Yes they will. Matter of fact, loosely put, they each will reject the other.
What even log errors are you seeing? Can you post them please?

There's a 60 day tombstone for deleted objects in AD. This includes DC
objects. If the DCs don't replicate within that time, they will each treat
the other as a deleted object. You'll have to pick one of the DCs to use and
forcibaly remove the other out of it with a metadata cleanup You'll also
need to recreate accounts.

Fixing Replication Lingering Object Problems (From Technet) - Talks in
detail what happens when a DC is offline more than the tombstone.
http://jeremyphillips.org/

Best Practices for Adding Domain Controllers in Remote Sites (Good reading,
especially towards the bottom concerning what to do if past the 60
tombstone)
http://technet2.microsoft.com/window....mspx?mfr=true

Useful shelf life of a system-state backup of Active Directory
http://support.microsoft.com/kb/216993

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations

Hello Ace Fekay [MVP],

Double post.

See also "AD Sync problem" posting in m..p.w.s.active_directory from 05.05.08
18:18

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> In news:175368EF-3966-4E21-8B05-(E-Mail Removed), Gilbert
> <(E-Mail Removed)> typed:
>
>> Hi, I have a situation. I just got customer who had deployed 2 x 2K3
>> R2 AD and
>> had it sync with each other at the main office. They also deployed
>> exchange 2007 at the main office. However, they split the network
>> between 2 sites and have moved 1 of the AD to a site office, but
>> these 2 AD have not been connected for the last 3 months. To access
>> the domain and exchange, they create the same new user account on the
>> 2 AD server and exhange 2007. So site office users login in to the
>> site office AD, but access exchange via the main office AD and
>> exhange.
>> Question: If they connect the network together now and tried to sync
>> the 2 AD, will the new accounts created on both sites conflict with
>> each other or will they just sync with each other and the users on
>> both sides would continue to work as per normal? Thanks.
>>
>> Gilbert
>>
> Yes they will. Matter of fact, loosely put, they each will reject the
> other. What even log errors are you seeing? Can you post them please?
>
> There's a 60 day tombstone for deleted objects in AD. This includes DC
> objects. If the DCs don't replicate within that time, they will each
> treat the other as a deleted object. You'll have to pick one of the
> DCs to use and forcibaly remove the other out of it with a metadata
> cleanup You'll also need to recreate accounts.
>
> Fixing Replication Lingering Object Problems (From Technet) - Talks in
> detail what happens when a DC is offline more than the tombstone.
> http://jeremyphillips.org/
>
> Best Practices for Adding Domain Controllers in Remote Sites (Good
> reading,
>
> especially towards the bottom concerning what to do if past the 60
>
> tombstone)
>
> http://technet2.microsoft.com/window...405bc5f-b8bf-4
> 49e-b11a-f116d22f858a1033.mspx?mfr=true
>
> Useful shelf life of a system-state backup of Active Directory
> http://support.microsoft.com/kb/216993
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
> For urgent issues, you may want to contact Microsoft PSS directly.
> Please check http://support.microsoft.com for regional support phone
> numbers.
>
> Infinite Diversities in Infinite Combinations
>

Hello Gilbert,

See your other posting and plese do NOT multipost. Now you get answers in
different NG's and its really hard to follow and also to prevent double work
from the answering people. So refer to one posting!!!

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi, I have a situation. I just got customer who had deployed 2 x 2K3
> R2 AD and had it sync with each other at the main office. They also
> deployed exchange 2007 at the main office. However, they split the
> network between 2 sites and have moved 1 of the AD to a site office,
> but these 2 AD have not been connected for the last 3 months. To
> access the domain and exchange, they create the same new user account
> on the 2 AD server and exhange 2007. So site office users login in to
> the site office AD, but access exchange via the main office AD and
> exhange.
>
> Question: If they connect the network together now and tried to sync
> the 2 AD, will the new accounts created on both sites conflict with
> each other or will they just sync with each other and the users on
> both sides would continue to work as per normal? Thanks.
>
> Gilbert
>

In news:(E-Mail Removed) .com,
Meinolf Weber <meiweb(nospam)@gmx.de> typed:
> Hello Ace Fekay [MVP],
>
> Double post.
>
> See also "AD Sync problem" posting in m..p.w.s.active_directory from
> 05.05.08 18:18

Darn. Thanks, Meinolf. Hate to double-up our efforts.

He also may have not had the option if posting thru the newsgroup web
method. Was cross-posting feature added thru the web method?