Re: Need Help with Odd LDAP Error, NCSecDesc Failure running DCDIA


From: Al Mulnick (amulnick_No_SPAM_at_ncDOTrr.com)
Date: 01/22/05


Date: Sat, 22 Jan 2005 18:51:44 -0500

Are you saying that you need to be there to dcpromo the machine? If so, why
don't you have remote access turned on (rdp)? In 2k3, you can have console
access to it as long as the OS is running. Won't work for directory restore
mode IIRC, but it's been a while since I tried that ;)

If Replmon is showing some oddities, you need to investigate. I'm just
saying that demoting the machine might be faster. Go back to square one
sort of thing.

Al

"Douglas H. Quebbeman" <dhquebbeman@theestopinalgroup.com> wrote in message
news:%23dXgH5MAFHA.3592@TK2MSFTNGP09.phx.gbl...
> In news:eruUnNMAFHA.2032@tk2msftngp13.phx.gbl,
> Al Mulnick <amulnick_No_SPAM@ncDOTrr.com> wrote:
>> That makes a LOT more sense and makes it much better in terms of dcpromo
>> steps. ;)
>>
>> Question: When you change the logs with your script, do you change any of
>> the servers in the south domain to south-server-2k3 (or at least change them
>> all to the same name? It was kind of odd to see a server transfer roles to
>> itself on the way out the door).
>
> The south domain has one server, its nickname for these discussions is indeed
> south-server-2k3; I'm adding the 2k3 to indicate it's a Win 2003 Server in case
> the differences between it and Windows 2000 Server might be important in
> figuring this out.
>
> What was the other server you thought you were seeing in the south domain?
>
> In the postings, I've made reference to "old-south-server", but its only
> appearance in logs would be in that NETDIAG output that shows it
> as a deleted DSA object. And according to Microsoft, a deleted server
> including a demoted domain controller lingers like that for two weeks,
> just in case its admins are going to bring it back alive.
>
>> You can't assume that because East says it's replicating that West is
>> replicating with it. Verification might be easier with replmon vs.
>> repadmin. Easier to read and spot issues if they're there. You should
>> verify that all servers are replicating as expected with every other server.
>> Sure, you could diddle with the occupancy requirement, but at what cost?
>
> I am seeing some things in REPLMON that don't make sense. In ADSIEdit,
> I can clearly see that in the south site, the south server (2k3) has a copy
> of the directory partition for the west domain. But in REPLMON, it's not there.
>
> And REPLMON shows (on south server) that the inbound connections to
> both HQ domain and west domain are for replicating the hqdom directory
> partition. I would expect the inbound connection to hqdom to be for the hqdom
> directory partition, and the inbound connection to westdom to be for the
> westdom directory partition.
>
> Additionally, in several cases, when I click on a server in REPLMON,
> choose Properties, then look at Inbound Replication Connections, it
> doesn't show anything at all.
>
>> I would have to say that it might be worthwhile to depromote it and start
>> with a clean server. No RRAS or anything until after it's fully configured.
>> Not because it couldn't work, but because it would be less to wonder about.
>
> If you mean "south-server-2k3", there's just no way, it's not happening.
>
> The weather is acceptable down there this time of year, I hate having to
> go there April to October, but November to March, it's kinda nice. I'm unsure
> of why the boss is so adamant about keeping me up here. We own our own
> Citation II for cryin' out loud.
>
> And Mardi Gras approacheth...
>
>
>
>
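
The verification discussed in this thread (every DC replicating every partition it holds, not just one side reporting success) can be scripted; the following is an added example, not part of the original posts. It assumes input in the column layout of `repadmin /showrepl * /csv`; the sample rows, the `.example` domain names, the server names and the `EXPECTED` map are all constructed placeholders.

```python
import csv
import io

# Constructed sample in the `repadmin /showrepl * /csv` column layout.
SAMPLE_CSV = """showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,South,SOUTH-SERVER-2K3,"DC=hqdom,DC=example",HQ,HQ-SERVER,RPC,0,0,2005-01-22 18:40:11,0
showrepl_INFO,South,SOUTH-SERVER-2K3,"DC=hqdom,DC=example",West,WEST-SERVER,RPC,0,0,2005-01-22 18:40:12,0
showrepl_INFO,HQ,HQ-SERVER,"DC=westdom,DC=example",West,WEST-SERVER,RPC,3,2005-01-22 17:02:40,2005-01-20 09:15:03,1722
"""

# Hypothetical map: partitions each DC should be receiving inbound.
EXPECTED = {
    "SOUTH-SERVER-2K3": {"DC=hqdom,DC=example", "DC=westdom,DC=example"},
    "HQ-SERVER": {"DC=westdom,DC=example"},
}

def load_links(text):
    """Return the per-link rows; other row types are ignored here."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r["showrepl_COLUMNS"] == "showrepl_INFO"]

def audit(text, expected):
    """Flag failing links and expected partitions with no inbound link."""
    findings, seen = [], {}
    for r in load_links(text):
        dest, nc = r["Destination DSA"], r["Naming Context"]
        seen.setdefault(dest, set()).add(nc)
        if int(r["Number of Failures"]) > 0:
            findings.append(("failing", dest, nc, r["Source DSA"],
                             r["Last Failure Status"]))
    # A partition visible in ADSIEdit but absent from the inbound list
    # (the symptom described for the south server) shows up here.
    for dest, ncs in sorted(expected.items()):
        for nc in sorted(ncs - seen.get(dest, set())):
            findings.append(("no-inbound", dest, nc, None, None))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV, EXPECTED):
        print(finding)
```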


