Re: AD 2003 Replication Failure/Authentication Failure
- From: "Glenn L" <the.only(delete)@gmail dot com>
- Date: Wed, 18 May 2005 23:03:25 -0700
Start with the basics.
Verify time is synchronized (within 5 minutes) on all DCs.
Verify the "access this computer from network" right has authenticated users and enterprise domain controllers.
Verify there is at least one DC in each domain that has the KDC service running.
Make sure all DC computer objects have the trusted for delegation flag checked.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
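The four checks in the reply above, scripted so they can be run against every DC at once. This is an added example, not code from the thread; it assumes the ActiveDirectory (RSAT) module, Windows PowerShell 5.1 with remoting to each DC, and uses the thread's forest name only as a placeholder.

```powershell
# Added example (not from the thread): scripts the four checks in Glenn's reply.
# Assumes the ActiveDirectory module (RSAT), Windows PowerShell 5.1 with remoting
# to every DC, and a domain name taken from the thread only as a placeholder.
Import-Module ActiveDirectory
$domain = 'Seidlercos.local'   # run once per domain: the root and each child
$requiredSids = 'S-1-5-11', 'S-1-5-9'   # Authenticated Users, Enterprise Domain Controllers

foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
    $name = $dc.HostName

    # 1. Clock skew between this host and the DC; Kerberos allows 5 minutes by default.
    $chart = w32tm /stripchart /computer:$name /samples:1 /dataonly 2>$null
    $m = [regex]::Match(($chart -join ' '), '([+-]\d+\.\d+)s')
    if (-not $m.Success) {
        Write-Warning "$name : w32tm could not measure the time offset"
    } elseif ([math]::Abs([double]$m.Groups[1].Value) -gt 300) {
        Write-Warning "$name : clock skew $($m.Groups[1].Value)s exceeds the 5 minute tolerance"
    }

    # 2. and 3. User right assignment and KDC service state, gathered on the DC itself.
    $remote = Invoke-Command -ComputerName $name -ScriptBlock {
        $cfg = Join-Path $env:TEMP 'userrights.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight' }
        Remove-Item $cfg -ErrorAction SilentlyContinue
        [pscustomobject]@{
            # "SeNetworkLogonRight = *S-1-1-0,*S-1-5-9,..." becomes a bare SID list
            NetworkLogonSids = if ($line) { (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim('* ') } } else { @() }
            KdcStatus        = (Get-Service -Name Kdc).Status
        }
    }
    foreach ($sid in $requiredSids) {
        if ($remote.NetworkLogonSids -notcontains $sid) {
            Write-Warning "$name : 'Access this computer from the network' lacks $sid"
        }
    }
    if ($remote.KdcStatus -ne 'Running') {
        Write-Warning "$name : KDC service is $($remote.KdcStatus)"
    }

    # 4. The DC computer object must carry the 'trusted for delegation' flag.
    $obj = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $domain -Properties TrustedForDelegation
    if (-not $obj.TrustedForDelegation) {
        Write-Warning "$name : computer object is not trusted for delegation"
    }
}
```

Run it from one DC in each domain; a DC that produces no warning passes all four checks, which narrows the remaining suspects to the secure channel and DNS registration shown in the quoted events.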
"Brad" <Brad@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C27124A2-0E88-4825-B108-B51B6404F900@xxxxxxxxxxxxxxxx
> Our parent DC in a root domain stopped AD replication with 2 children DCs in a sub domain of the root domain. My hypothesis for this phenomenon is that Kerberos authentication is failing between the parent and children DCs.
>
> I would like to know how to reset or repair the account and password that AD uses for replication between DCs.
>
> Parent DC: SEIDLER-ROOT
> Child DCs: SEIDLER-IRV, SEIDLER-LA
>
> Here are the relevant system event log warnings/errors on the root DC,
> SEIDLER-ROOT:
>
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40961
> Date: 5/18/2005
> Time: 12:05:11 PM
> User: N/A
> Computer: SEIDLER-ROOT
> Description:
> The Security System could not establish a secured connection with the server LDAP/7b022361-4cc4-43f1-882a-9cc6c771dd48._msdcs.Seidlercos.local. No authentication protocol was available.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 6d 00 00 c0 m..
>
>
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40960
> Date: 5/18/2005
> Time: 12:05:11 PM
> User: N/A
> Computer: SEIDLER-ROOT
> Description:
> The Security System detected an authentication error for the server LDAP/7b022361-4cc4-43f1-882a-9cc6c771dd48._msdcs.Seidlercos.local. The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)".
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 6d 00 00 c0 m..
>
> Event Type: Error
> Event Source: NETLOGON
> Event Category: None
> Event ID: 3210
> Date: 5/18/2005
> Time: 11:07:51 AM
> User: N/A
> Computer: SEIDLER-ROOT
> Description:
> This computer could not authenticate with \\SEIDLER-LA.US.Seidlercos.local, a Windows domain controller for domain SEIDLER, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 22 00 00 c0 "..
>
>
> Event Type: Error
> Event Source: NETLOGON
> Event Category: None
> Event ID: 5722
> Date: 5/18/2005
> Time: 11:14:57 AM
> User: N/A
> Computer: SEIDLER-ROOT
> Description:
> The session setup from the computer SEIDLER-LA failed to authenticate. The
> name(s) of the account(s) referenced in the security database is
> US.Seidlercos.local.. The following error occurred:
> Access is denied.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 22 00 00 c0 "..
>
> Event Type: Error
> Event Source: NETLOGON
> Event Category: None
> Event ID: 5774
> Date: 5/18/2005
> Time: 7:23:39 AM
> User: N/A
> Computer: SEIDLER-ROOT
> Description:
> The dynamic registration of the DNS record '88db9a1b-29c3-477a-ba69-aa32ff854404._msdcs.Seidlercos.local. 600 IN CNAME seidler-root.Seidlercos.local.' failed on the following DNS server:
>
> DNS server IP address: x.x.x.x
> Returned Response Code (RCODE): 5
> Returned Status Code: 9017
>
> For computers and users to locate this domain controller, this record must
> be registered in DNS.
>
> USER ACTION
> Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.
> Or, you can manually add this record to DNS, but it is not recommended.
>
> ADDITIONAL DATA
> Error Value: DNS bad key.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 05 00 ..
>
>
> Here are the relevant errors after running dcdiag on SEIDLER-ROOT:
>
> Testing server: LA\SEIDLER-ROOT
> Starting test: Replications
> [Replications Check,SEIDLER-ROOT] No replication recently
> attempted:
> From SEIDLER-IRV to SEIDLER-ROOT
> Naming Context: DC=ForestDnsZones,DC=Seidlercos,DC=local
> The last attempt occurred at 2005-05-11 22:23:39 (about 159 hours ago).
> [Replications Check,SEIDLER-ROOT] A recent replication attempt
> failed:
> From SEIDLER-LA to SEIDLER-ROOT
> Naming Context: DC=ForestDnsZones,DC=Seidlercos,DC=local
> The replication generated an error (1908):
> Could not find the domain controller for this domain.
> The failure occurred at 2005-05-15 23:00:07.
> The last success occurred at 2005-05-11 22:24:09.
> 2 failures have occurred since the last success.
> Kerberos Error.
> A KDC was not found to authenticate the call.
> Check that sufficient domain controllers are available.
> [SEIDLER-LA] DsBindWithSpnEx() failed with error 5,
> Access is denied..
> [Replications Check,SEIDLER-ROOT] A recent replication attempt
> failed:
> From SEIDLER-LA to SEIDLER-ROOT
> Naming Context:
> CN=Schema,CN=Configuration,DC=Seidlercos,DC=local
> The replication generated an error (5):
> Access is denied.
> The failure occurred at 2005-05-18 12:59:38.
> The last success occurred at 2005-05-11 21:53:38.
> 161 failures have occurred since the last success.
> [Replications Check,SEIDLER-ROOT] A recent replication attempt
> failed:
> From SEIDLER-IRV to SEIDLER-ROOT
> Naming Context:
> CN=Schema,CN=Configuration,DC=Seidlercos,DC=local
> The replication generated an error (5):
> Access is denied.
> The failure occurred at 2005-05-18 13:29:38.
> The last success occurred at 2005-05-11 22:23:39.
> 635 failures have occurred since the last success.
> [Replications Check,SEIDLER-ROOT] A recent replication attempt
> failed:
> From SEIDLER-LA to SEIDLER-ROOT
> Naming Context: CN=Configuration,DC=Seidlercos,DC=local
> The replication generated an error (5):
> Access is denied.
> The failure occurred at 2005-05-18 12:59:38.
> The last success occurred at 2005-05-11 22:16:23.
> 161 failures have occurred since the last success.
> [Replications Check,SEIDLER-ROOT] A recent replication attempt
> failed:
> From SEIDLER-IRV to SEIDLER-ROOT
> Naming Context: CN=Configuration,DC=Seidlercos,DC=local
> The replication generated an error (5):
> Access is denied.
> The failure occurred at 2005-05-18 13:29:38.
> The last success occurred at 2005-05-11 22:23:39.
> 635 failures have occurred since the last success.
> [Replications Check,SEIDLER-ROOT] No replication recently
> attempted:
> From SEIDLER-IRV to SEIDLER-ROOT
> Naming Context: DC=US,DC=Seidlercos,DC=local
> The last attempt occurred at 2005-05-11 22:23:39 (about 159 hours ago).
> [Replications Check,SEIDLER-ROOT] A recent replication attempt
> failed:
> From SEIDLER-LA to SEIDLER-ROOT
> Naming Context: DC=US,DC=Seidlercos,DC=local
> The replication generated an error (1396):
> Logon Failure: The target account name is incorrect.
> The failure occurred at 2005-05-15 23:00:08.
> The last success occurred at 2005-05-11 22:29:45.
> 2 failures have occurred since the last success.
> Kerberos Error.
> The KDC could not find the SPN for the server SEIDLER-LA.
> This can be for several reasons:
>
> (1) - The SPN is not registered on the KDC (usually SEIDLER-ROOT). Check that the SPN is registered on at least one other server besides SEIDLER-LA, and that replication is progressing between this server and the KDC. The tool repadmin/syncall can be used for this purpose.
> (2) - This server could be a deleted server (and deleted DSA object), and this deletion has not replicated across the enterprise yet. This will rectify itself within the general replication latency plus the latency of the KCC. Should be less than a day.
> (3) - It's possible that this server was reclaimed, but it's DSA object was not deleted and an old DNS record representing the server is present. This can result in this error for the duration of a DNS record lease. Often about 2 weeks. To fix this, please clean up the DSA's metadata with ntdsutil.
> (4) - Finally, it's possible that this server has acquired a new IP address, the server's old IP address has been reused, and DNS hasn't been updated to reflect the new IP address. If this problem persists, stop and restart the "Net Logon" service on SEIDLER-LA, and delete the old DNS record.
> REPLICATION-RECEIVED LATENCY WARNING
> SEIDLER-ROOT: Current time is 2005-05-18 13:43:40.
> DC=ForestDnsZones,DC=Seidlercos,DC=local
> Last replication recieved from SEIDLER-LA at 2005-05-11 22:24:09.
> Last replication recieved from SEIDLER-IRV at 2005-05-11 22:23:39.
> CN=Schema,CN=Configuration,DC=Seidlercos,DC=local
> Last replication recieved from SEIDLER-LA at 2005-05-11 21:53:38.
> Last replication recieved from SEIDLER-IRV at 2005-05-11 22:23:39.
> CN=Configuration,DC=Seidlercos,DC=local
> Last replication recieved from SEIDLER-LA at 2005-05-11 22:16:23.
> Last replication recieved from SEIDLER-IRV at 2005-05-11 22:23:39.
> DC=US,DC=Seidlercos,DC=local
> Last replication recieved from SEIDLER-LA at 2005-05-11 22:29:45.
> Last replication recieved from SEIDLER-IRV at 2005-05-11 22:23:39.
> REPLICATION-RECEIVED LATENCY WARNING
> Source site:
> CN=NTDS Site Settings,CN=Irvine,CN=Sites,CN=Configuration,DC=Seidlercos,DC=local
> Current time: 2005-05-18 13:43:41
> Last update time: 2005-05-11 22:07:24
> Check if source site has an elected ISTG running.
> Check replication from source site to this server.
>
> Starting test: kccevent
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 05/18/2005 13:35:12
> Event String: All domain controllers in the following site that
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 05/18/2005 13:35:12
> Event String: All domain controllers in the following site that
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 05/18/2005 13:35:12
> Event String: The Knowledge Consistency Checker (KCC) has
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 05/18/2005 13:35:12
> Event String: The Knowledge Consistency Checker (KCC) was
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 05/18/2005 13:35:12
> Event String: All domain controllers in the following site that
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 05/18/2005 13:35:12
> Event String: All domain controllers in the following site that
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 05/18/2005 13:35:12
> Event String: The Knowledge Consistency Checker (KCC) has
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 05/18/2005 13:35:12
> Event String: The Knowledge Consistency Checker (KCC) was
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 05/18/2005 13:35:12
> Event String: All domain controllers in the following site that
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 05/18/2005 13:35:12
> Event String: The Knowledge Consistency Checker (KCC) has
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 05/18/2005 13:35:12
> Event String: The Knowledge Consistency Checker (KCC) was
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 05/18/2005 13:35:12
> Event String: All domain controllers in the following site that
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 05/18/2005 13:35:12
> Event String: The Knowledge Consistency Checker (KCC) has
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 05/18/2005 13:35:12
> Event String: The Knowledge Consistency Checker (KCC) was
> ......................... SEIDLER-ROOT failed test kccevent
>
> Here are the results of running repadmin /syncall
>
> CALLBACK MESSAGE: Error contacting server 7b022361-4cc4-43f1-882a-9cc6c771dd48._msdcs.Seidlercos.local (network error): 5 (0x5): Access is denied.
> CALLBACK MESSAGE: SyncAll Finished.
>
> SyncAll reported the following errors:
> Error contacting server 7b022361-4cc4-43f1-882a-9cc6c771dd48._msdcs.Seidlercos.local (network error): 5 (0x5): Access is denied.
>
>
> What steps should I take to solve this problem?
>