AD 2003 Replication Failure/Authentication Failure
- From: "Brad" <Brad@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 18 May 2005 13:53:09 -0700
Our parent DC in the root domain stopped AD replication with two child DCs in
a subdomain of the root domain. My hypothesis for this phenomenon is that
Kerberos authentication is failing between the parent and child DCs.
I would like to know how to reset or repair the account and password that AD
uses for replication between DCs.
Parent DC: SEIDLER-ROOT
Child DCs: SEIDLER-IRV, SEIDLER-LA
Here are the relevant system event log warnings/errors on the root DC,
SEIDLER-ROOT:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 5/18/2005
Time: 12:05:11 PM
User: N/A
Computer: SEIDLER-ROOT
Description:
The Security System could not establish a secured connection with the server
LDAP/7b022361-4cc4-43f1-882a-9cc6c771dd48._msdcs.Seidlercos.local. No
authentication protocol was available.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 5/18/2005
Time: 12:05:11 PM
User: N/A
Computer: SEIDLER-ROOT
Description:
The Security System detected an authentication error for the server
LDAP/7b022361-4cc4-43f1-882a-9cc6c771dd48._msdcs.Seidlercos.local. The
failure code from authentication protocol Kerberos was "The attempted logon
is invalid. This is either due to a bad username or authentication
information. (0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 3210
Date: 5/18/2005
Time: 11:07:51 AM
User: N/A
Computer: SEIDLER-ROOT
Description:
This computer could not authenticate with \\SEIDLER-LA.US.Seidlercos.local,
a Windows domain controller for domain SEIDLER, and therefore this computer
might deny logon requests. This inability to authenticate might be caused by
another computer on the same network using the same name or the password for
this computer account is not recognized. If this message appears again,
contact your system administrator.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0 "..
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
Date: 5/18/2005
Time: 11:14:57 AM
User: N/A
Computer: SEIDLER-ROOT
Description:
The session setup from the computer SEIDLER-LA failed to authenticate. The
name(s) of the account(s) referenced in the security database is
US.Seidlercos.local.. The following error occurred:
Access is denied.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0 "..
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 5/18/2005
Time: 7:23:39 AM
User: N/A
Computer: SEIDLER-ROOT
Description:
The dynamic registration of the DNS record
'88db9a1b-29c3-477a-ba69-aa32ff854404._msdcs.Seidlercos.local. 600 IN CNAME
seidler-root.Seidlercos.local.' failed on the following DNS server:
DNS server IP address: x.x.x.x
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain controller, this record must
be registered in DNS.
USER ACTION
Determine what might have caused this failure, resolve the problem, and
initiate registration of the DNS records by the domain controller. To
determine what might have caused this failure, run DCDiag.exe. You can find
this program on the Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and
Support Center. To initiate registration of the DNS records by this domain
controller, run 'nltest.exe /dsregdns' from the command prompt on the domain
controller or restart Net Logon service. Nltest.exe is available in the
Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.
ADDITIONAL DATA
Error Value: DNS bad key.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00 ..
Here are the relevant errors after running dcdiag on SEIDLER-ROOT:
Testing server: LA\SEIDLER-ROOT
Starting test: Replications
[Replications Check,SEIDLER-ROOT] No replication recently attempted:
From SEIDLER-IRV to SEIDLER-ROOT
Naming Context: DC=ForestDnsZones,DC=Seidlercos,DC=local
The last attempt occurred at 2005-05-11 22:23:39 (about 159 hours ago).
[Replications Check,SEIDLER-ROOT] A recent replication attempt
failed:
From SEIDLER-LA to SEIDLER-ROOT
Naming Context: DC=ForestDnsZones,DC=Seidlercos,DC=local
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2005-05-15 23:00:07.
The last success occurred at 2005-05-11 22:24:09.
2 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[SEIDLER-LA] DsBindWithSpnEx() failed with error 5,
Access is denied..
[Replications Check,SEIDLER-ROOT] A recent replication attempt
failed:
From SEIDLER-LA to SEIDLER-ROOT
Naming Context: CN=Schema,CN=Configuration,DC=Seidlercos,DC=local
The replication generated an error (5):
Access is denied.
The failure occurred at 2005-05-18 12:59:38.
The last success occurred at 2005-05-11 21:53:38.
161 failures have occurred since the last success.
[Replications Check,SEIDLER-ROOT] A recent replication attempt
failed:
From SEIDLER-IRV to SEIDLER-ROOT
Naming Context: CN=Schema,CN=Configuration,DC=Seidlercos,DC=local
The replication generated an error (5):
Access is denied.
The failure occurred at 2005-05-18 13:29:38.
The last success occurred at 2005-05-11 22:23:39.
635 failures have occurred since the last success.
[Replications Check,SEIDLER-ROOT] A recent replication attempt
failed:
From SEIDLER-LA to SEIDLER-ROOT
Naming Context: CN=Configuration,DC=Seidlercos,DC=local
The replication generated an error (5):
Access is denied.
The failure occurred at 2005-05-18 12:59:38.
The last success occurred at 2005-05-11 22:16:23.
161 failures have occurred since the last success.
[Replications Check,SEIDLER-ROOT] A recent replication attempt
failed:
From SEIDLER-IRV to SEIDLER-ROOT
Naming Context: CN=Configuration,DC=Seidlercos,DC=local
The replication generated an error (5):
Access is denied.
The failure occurred at 2005-05-18 13:29:38.
The last success occurred at 2005-05-11 22:23:39.
635 failures have occurred since the last success.
[Replications Check,SEIDLER-ROOT] No replication recently attempted:
From SEIDLER-IRV to SEIDLER-ROOT
Naming Context: DC=US,DC=Seidlercos,DC=local
The last attempt occurred at 2005-05-11 22:23:39 (about 159 hours ago).
[Replications Check,SEIDLER-ROOT] A recent replication attempt
failed:
From SEIDLER-LA to SEIDLER-ROOT
Naming Context: DC=US,DC=Seidlercos,DC=local
The replication generated an error (1396):
Logon Failure: The target account name is incorrect.
The failure occurred at 2005-05-15 23:00:08.
The last success occurred at 2005-05-11 22:29:45.
2 failures have occurred since the last success.
Kerberos Error.
The KDC could not find the SPN for the server SEIDLER-LA.
This can be for several reasons:
(1) - The SPN is not registered on the KDC (usually
SEIDLER-ROOT). Check that the SPN is registered on at least
one other server besides SEIDLER-LA, and that replication is
progressing between this server and the KDC. The tool
repadmin/syncall can be used for this purpose.
(2) - This server could be a deleted server (and deleted DSA
object), and this deletion has not replicated across the
enterprise yet. This will rectify itself within the general
replication latency plus the latency of the KCC. Should be
less than a day.
(3) - It's possible that this server was reclaimed, but it's
DSA object was not deleted and an old DNS record representing
the server is present. This can result in this error for the
duration of a DNS record lease. Often about 2 weeks. To fix
this, please clean up the DSA's metadata with ntdsutil.
(4) - Finally, it's possible that this server has acquired a
new IP address, the server's old IP address has been reused,
and DNS hasn't been updated to reflect the new IP address. If this
problem persists, stop and restart the "Net Logon" service on
SEIDLER-LA, and delete the old DNS record.
REPLICATION-RECEIVED LATENCY WARNING
SEIDLER-ROOT: Current time is 2005-05-18 13:43:40.
DC=ForestDnsZones,DC=Seidlercos,DC=local
Last replication recieved from SEIDLER-LA at 2005-05-11 22:24:09.
Last replication recieved from SEIDLER-IRV at 2005-05-11 22:23:39.
CN=Schema,CN=Configuration,DC=Seidlercos,DC=local
Last replication recieved from SEIDLER-LA at 2005-05-11 21:53:38.
Last replication recieved from SEIDLER-IRV at 2005-05-11 22:23:39.
CN=Configuration,DC=Seidlercos,DC=local
Last replication recieved from SEIDLER-LA at 2005-05-11 22:16:23.
Last replication recieved from SEIDLER-IRV at 2005-05-11 22:23:39.
DC=US,DC=Seidlercos,DC=local
Last replication recieved from SEIDLER-LA at 2005-05-11 22:29:45.
Last replication recieved from SEIDLER-IRV at 2005-05-11 22:23:39.
REPLICATION-RECEIVED LATENCY WARNING
Source site: CN=NTDS Site Settings,CN=Irvine,CN=Sites,CN=Configuration,DC=Seidlercos,DC=local
Current time: 2005-05-18 13:43:41
Last update time: 2005-05-11 22:07:24
Check if source site has an elected ISTG running.
Check replication from source site to this server.
Starting test: kccevent
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/18/2005 13:35:12
Event String: All domain controllers in the following site that
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/18/2005 13:35:12
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/18/2005 13:35:12
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/18/2005 13:35:12
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/18/2005 13:35:12
Event String: All domain controllers in the following site that
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/18/2005 13:35:12
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/18/2005 13:35:12
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/18/2005 13:35:12
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/18/2005 13:35:12
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/18/2005 13:35:12
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/18/2005 13:35:12
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/18/2005 13:35:12
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/18/2005 13:35:12
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/18/2005 13:35:12
Event String: The Knowledge Consistency Checker (KCC) was
......................... SEIDLER-ROOT failed test kccevent
Here are the results of running repadmin /syncall
CALLBACK MESSAGE: Error contacting server 7b022361-4cc4-43f1-882a-9cc6c771dd48._msdcs.Seidlercos.local (network error): 5 (0x5):
Access is denied.
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error contacting server 7b022361-4cc4-43f1-882a-9cc6c771dd48._msdcs.Seidlercos.local (network error): 5 (0x5):
Access is denied.
What steps should I take to solve this problem?
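The entries pasted above carry more than their message text: the "Data:" bytes of each LSASRV and NETLOGON event are a little-endian status word (here 0xC000006D, STATUS_LOGON_FAILURE, and 0xC0000022, STATUS_ACCESS_DENIED), and the 5774 event's RCODE 5 is a DNS REFUSED with status 9017, DNS_ERROR_RCODE_BADKEY, i.e. the DNS server rejected the secure update's Kerberos-based signature. The following script is an added example, not code from the post or from Microsoft's tooling: it parses an abridged, constructed copy of three of the entries, decodes the status words, classifies each event, and reduces the set to the one question to answer first. The event-ID-to-category mapping and the wording of the hints are the author's own assumptions.

```python
"""Offline triage of pasted System-log entries: decode each event's Data word
and group the failures by what they say about DC-to-DC authentication.
Added example; not part of the original post."""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: abridged copies of three entries from the post above.
SAMPLE_EVENTS = r"""Event Type: Warning
Event Source: LSASRV
Event ID: 40960
Computer: SEIDLER-ROOT
Description:
The Security System detected an authentication error for the server
LDAP/7b022361-4cc4-43f1-882a-9cc6c771dd48._msdcs.Seidlercos.local. The
failure code from authentication protocol Kerberos was "(0xc000006d)".
Data:
0000: 6d 00 00 c0 m..
Event Type: Error
Event Source: NETLOGON
Event ID: 3210
Computer: SEIDLER-ROOT
Description:
This computer could not authenticate with \\SEIDLER-LA.US.Seidlercos.local,
a Windows domain controller for domain SEIDLER.
Data:
0000: 22 00 00 c0 "..
Event Type: Error
Event Source: NETLOGON
Event ID: 5774
Computer: SEIDLER-ROOT
Description:
The dynamic registration of the DNS record failed.
Returned Response Code (RCODE): 5
Returned Status Code: 9017
Data:
0000: 05 00 ..
"""

# NTSTATUS values that matter for this failure family.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
DNS_RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

FIELD = re.compile(r"(?m)^(Event Source|Event ID|Computer|Returned Response Code \(RCODE\)):\s*(.+?)\s*$")
DATA_HEX = re.compile(r"(?m)^0000:\s+((?:[0-9a-fA-F]{2}(?:\s+|$))+)")  # hex pairs, not the ASCII tail
TARGET = re.compile(r"(LDAP/\S+|\\\\\S+)")  # the SPN or UNC name the event complains about


@dataclass
class Finding:
    source: str
    event_id: int
    computer: str
    target: Optional[str]
    status: Optional[int]
    status_name: Optional[str]
    category: str


def decode_data_word(raw: bytes) -> Optional[int]:
    """Data is little-endian: 4 bytes is an NTSTATUS, 2 bytes a 16-bit code
    (assumption: for 5774 the 2-byte word is the DNS response code)."""
    if len(raw) >= 4:
        return struct.unpack_from("<I", raw)[0]
    if len(raw) >= 2:
        return struct.unpack_from("<H", raw)[0]
    return None


def classify(source: str, event_id: int, rcode: Optional[int]) -> str:
    if source == "LSASRV" and event_id in (40960, 40961):
        return "kerberos"             # SPNEGO could not obtain/validate a ticket for the SPN
    if source == "NETLOGON" and event_id in (3210, 5722):
        return "secure-channel"       # DC machine-account password not accepted by its peer
    if source == "NETLOGON" and event_id == 5774:
        return "dns-secure-update-refused" if rcode == 5 else "dns-registration"
    return "other"


def triage(text: str) -> List[Finding]:
    findings = []
    for record in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(FIELD.findall(record))
        if "Event Source" not in fields or "Event ID" not in fields:
            continue
        source, event_id = fields["Event Source"], int(fields["Event ID"])
        rcode_text = fields.get("Returned Response Code (RCODE)")
        rcode = int(rcode_text) if rcode_text else None
        hexmatch = DATA_HEX.search(record)
        status = decode_data_word(bytes.fromhex("".join(hexmatch.group(1).split()))) if hexmatch else None
        category = classify(source, event_id, rcode)
        if status is None:
            name = None
        elif category.startswith("dns"):
            name = DNS_RCODE.get(status, str(status))
        else:
            name = NTSTATUS.get(status, "0x%08X" % status)
        tmatch = TARGET.search(record)
        target = tmatch.group(1).rstrip(".,") if tmatch else None
        findings.append(Finding(source, event_id, fields.get("Computer", "?"), target, status, name, category))
    return findings


def summarize(findings: List[Finding]) -> Set[str]:
    return {f.category for f in findings}


def root_cause_hint(findings: List[Finding]) -> str:
    """Reduce the categories to the first thing worth checking."""
    cats = summarize(findings)
    if any(f.status == 0xC0000133 for f in findings):
        return "clock skew between DCs: fix time sync before touching accounts"
    if {"kerberos", "secure-channel"} <= cats:
        return ("DC-to-DC Kerberos authentication failing with LOGON_FAILURE/ACCESS_DENIED: "
                "check the child DC machine account password and SPNs as seen by the parent; "
                "DNS secure-update refusals are a downstream symptom")
    if "kerberos" in cats:
        return "Kerberos/SPNEGO failure to the listed SPN: check SPN registration and KDC reachability"
    return "no DC authentication failure pattern recognised"


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.source} {f.event_id} -> {f.category} {f.status_name} target={f.target}")
    print(root_cause_hint(triage(SAMPLE_EVENTS)))
```

Two points the decoding makes visible that the message text does not: the status word on the LSASRV events is LOGON_FAILURE rather than TIME_DIFFERENCE_AT_DC, so the account and its password, not the clocks, are the first thing to check; and the REFUSED/BADKEY on the DNS registration is not a separate DNS problem but the same Kerberos failure surfacing in the GSS-TSIG signature of the secure update. Paste the real event text into `triage()` in place of the constructed sample; the regexes rely only on the fixed field labels and the "0000:" data line.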