Re: AD 2003 Replication Failure/Authentication Failure



>Start with the basics.
>Verify time is synchronized (within 5 minutes) on all DCs.

Seidler-Root: 11:34
Seidler-LA: 11:34
Seidler-Irv: 11:32

(We use Tardis 2000, an external piece of software that syncs time for time
clocks in the office, and disabled the Windows Time service)

>Verify the access this computer from network has authenticated users, and enterprise domain controllers.

Umm. A little bit confusing phrasing there, but I’ll take that to mean that
users can authenticate to the Seidler-root domain controller, and since
seidler-root is the enterprise domain controller, that would also mean that
users can authenticate to the enterprise domain controller.

Well, the answer is that no regular users are set up to directly
authenticate to seidler-root; instead they authenticate to the child DCs of
seidler-root, which would be seidler-irv and seidler-la. The only user that
authenticates to seidler-root (and the seidlercos.local domain) is the
administrator for that root domain. The child DCs define the subdomain
US.seidlercos.local of the parent domain seidlercos.local (which seidler-root
is the DC of). Since both of those child DCs cannot replicate DNS or AD data
with the parent DC, I don’t think that users can authenticate to the
enterprise DC, seidler-root. If you look at the event logs that I posted
before, one of the event IDs, 3210 (event type NETLOGON), has this
description:

“This computer could not authenticate with \\SEIDLER-LA.US.Seidlercos.local,
a Windows domain controller for domain SEIDLER, and therefore this computer
might deny logon requests. This inability to authenticate might be caused by
another computer on the same network using the same name or the password for
this computer account is not recognized. If this message appears again,
contact your system administrator.”


>Verify there is at least one DC in each domain that has the KDC service running.

From the services entry under Services and Applications:

Seidler-root: Kerberos Key Distribution Center; Status: Started; startup
type: automatic

Seidler-la: Kerberos Key Distribution Center; Status: Started; startup type:
automatic

Seidler-irv: Kerberos Key Distribution Center; Status: Started; startup
type: automatic

Though in the Directory Service Event log for Seidler-Root there were these
two errors/warnings:

Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1865
Date: 5/19/2005
Time: 11:50:23 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SEIDLER-ROOT
Description:
The Knowledge Consistency Checker (KCC) was unable to form a complete
spanning tree network topology. As a result, the following list of sites
cannot be reached from the local site.

Sites:
CN=Irvine,CN=Sites,CN=Configuration,DC=Seidlercos,DC=local

Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: 5/19/2005
Time: 11:50:23 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SEIDLER-ROOT
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the
following directory partition.

Directory partition:
CN=Configuration,DC=Seidlercos,DC=local

There is insufficient site connectivity information in Active Directory
Sites and Services for the KCC to create a spanning tree replication
topology. Or, one or more domain controllers with this directory partition
are unable to replicate the directory partition information. This is probably
due to inaccessible domain controllers.

User Action
Use Active Directory Sites and Services to perform one of the following
actions:
- Publish sufficient site connectivity information so that the KCC can
determine a route by which this directory partition can reach this site. This
is the preferred option.
- Add a Connection object to a domain controller that contains the directory
partition in this site from a domain controller that contains the same
directory partition in another site.

If neither of the Active Directory Sites and Services tasks correct this
condition, see previous events logged by the KCC that identify the
inaccessible domain controllers.


>Make sure all DC computer objects have the trusted for delegation flag checked.

I assume that this can be verified in AD Users and Computers on the
enterprise DC, Seidler-root. There are no computer objects in the Computers
container under the seidlercos.local tree of Active Directory Users and
Computers. All the computer objects are on the child DCs Seidler-irv and
Seidler-la that define the us.seidlercos.local AD domain. Though under the
Domain Controllers container, the machine Seidler-root does have the “trust
computer for delegation” flag checked.

What is preventing the AD replication between the enterprise DC,
Seidler-root, and its two child DCs seidler-irv and seidler-la?



"Glenn L" wrote:

> Start with the basics.
> Verify time is synchronized (within 5 minutes) on all DCs.
> Verify the access this computer from network has authenticated users, and
> enterprise domain controllers.
> Verify there is at least one DC in each domain that has the KDC service
> running.
> Make sure all DC computer objects have the trusted for delegation flag
> checked.
>
>
>
> --
> Glenn L
> CCNA, MCSE 2000/2003 + Security
>
> "Brad" <Brad@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:C27124A2-0E88-4825-B108-B51B6404F900@xxxxxxxxxxxxxxxx
> > Our parent DC in a root domain stopped AD replication with 2 children DCs
> > in a sub domain of the root domain. My hypothesis for this phenomenon is
> > that Kerberos authentication is failing between the parent and children DCs.
> >
> > I would like to know how to reset or repair the account and password that
> > AD uses for replication between DCs.
> >
> > Parent DC: SEIDLER-ROOT
> > Child DCs: SEIDLER-IRV, SEIDLER-LA
> >
> > Here are the relevant system event log warnings/errors on the root DC,
> > SEIDLER-ROOT:
> >
> > Event Type: Warning
> > Event Source: LSASRV
> > Event Category: SPNEGO (Negotiator)
> > Event ID: 40961
> > Date: 5/18/2005
> > Time: 12:05:11 PM
> > User: N/A
> > Computer: SEIDLER-ROOT
> > Description:
> > The Security System could not establish a secured connection with the
> > server LDAP/7b022361-4cc4-43f1-882a-9cc6c771dd48._msdcs.Seidlercos.local.
> > No authentication protocol was available.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: 6d 00 00 c0 m..
> >
> >
> > Event Type: Warning
> > Event Source: LSASRV
> > Event Category: SPNEGO (Negotiator)
> > Event ID: 40960
> > Date: 5/18/2005
> > Time: 12:05:11 PM
> > User: N/A
> > Computer: SEIDLER-ROOT
> > Description:
> > The Security System detected an authentication error for the server
> > LDAP/7b022361-4cc4-43f1-882a-9cc6c771dd48._msdcs.Seidlercos.local. The
> > failure code from authentication protocol Kerberos was "The attempted
> > logon is invalid. This is either due to a bad username or authentication
> > information. (0xc000006d)".
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: 6d 00 00 c0 m..
> >
> > Event Type: Error
> > Event Source: NETLOGON
> > Event Category: None
> > Event ID: 3210
> > Date: 5/18/2005
> > Time: 11:07:51 AM
> > User: N/A
> > Computer: SEIDLER-ROOT
> > Description:
> > This computer could not authenticate with \\SEIDLER-LA.US.Seidlercos.local,
> > a Windows domain controller for domain SEIDLER, and therefore this
> > computer might deny logon requests. This inability to authenticate might
> > be caused by another computer on the same network using the same name or
> > the password for this computer account is not recognized. If this message
> > appears again, contact your system administrator.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: 22 00 00 c0 "..
> >
> >
> > Event Type: Error
> > Event Source: NETLOGON
> > Event Category: None
> > Event ID: 5722
> > Date: 5/18/2005
> > Time: 11:14:57 AM
> > User: N/A
> > Computer: SEIDLER-ROOT
> > Description:
> > The session setup from the computer SEIDLER-LA failed to authenticate. The
> > name(s) of the account(s) referenced in the security database is
> > US.Seidlercos.local.. The following error occurred:
> > Access is denied.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: 22 00 00 c0 "..
> >
> > Event Type: Error
> > Event Source: NETLOGON
> > Event Category: None
> > Event ID: 5774
> > Date: 5/18/2005
> > Time: 7:23:39 AM
> > User: N/A
> > Computer: SEIDLER-ROOT
> > Description:
> > The dynamic registration of the DNS record
> > '88db9a1b-29c3-477a-ba69-aa32ff854404._msdcs.Seidlercos.local. 600 IN
> > CNAME seidler-root.Seidlercos.local.' failed on the following DNS server:
> >
> > DNS server IP address: x.x.x.x
> > Returned Response Code (RCODE): 5
> > Returned Status Code: 9017
> >
> > For computers and users to locate this domain controller, this record must
> > be registered in DNS.
> >
> > USER ACTION
> > Determine what might have caused this failure, resolve the problem, and
> > initiate registration of the DNS records by the domain controller. To
> > determine what might have caused this failure, run DCDiag.exe. You can
> > find this program on the Windows Server 2003 installation CD in
> > Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and
> > Support Center. To initiate registration of the DNS records by this
> > domain controller, run 'nltest.exe /dsregdns' from the command prompt on
> > the domain controller or restart Net Logon service. Nltest.exe is
> > available in the Microsoft Windows Server Resource Kit CD.
> > Or, you can manually add this record to DNS, but it is not recommended.
> >
> > ADDITIONAL DATA
> > Error Value: DNS bad key.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: 05 00 ..
> >
> >
> > Here are the relevant errors after running dcdiag on SEIDLER-ROOT:
> >
> > Testing server: LA\SEIDLER-ROOT
> >    Starting test: Replications
> >       [Replications Check,SEIDLER-ROOT] No replication recently attempted:
> >          From SEIDLER-IRV to SEIDLER-ROOT
> >          Naming Context: DC=ForestDnsZones,DC=Seidlercos,DC=local
> >          The last attempt occurred at 2005-05-11 22:23:39 (about 159 hours ago).
> >       [Replications Check,SEIDLER-ROOT] A recent replication attempt failed:
> >          From SEIDLER-LA to SEIDLER-ROOT
> >          Naming Context: DC=ForestDnsZones,DC=Seidlercos,DC=local
> >          The replication generated an error (1908):
> >          Could not find the domain controller for this domain.
> >          The failure occurred at 2005-05-15 23:00:07.
> >          The last success occurred at 2005-05-11 22:24:09.
> >          2 failures have occurred since the last success.
> >          Kerberos Error.
> >          A KDC was not found to authenticate the call.
> >          Check that sufficient domain controllers are available.
> >          [SEIDLER-LA] DsBindWithSpnEx() failed with error 5,
> >          Access is denied..
> >       [Replications Check,SEIDLER-ROOT] A recent replication attempt failed:
> >          From SEIDLER-LA to SEIDLER-ROOT
> >          Naming Context: CN=Schema,CN=Configuration,DC=Seidlercos,DC=local
> >          The replication generated an error (5):
> >          Access is denied.
> >          The failure occurred at 2005-05-18 12:59:38.
> >          The last success occurred at 2005-05-11 21:53:38.
> >          161 failures have occurred since the last success.
> >       [Replications Check,SEIDLER-ROOT] A recent replication attempt failed:
> >          From SEIDLER-IRV to SEIDLER-ROOT
> >          Naming Context: CN=Schema,CN=Configuration,DC=Seidlercos,DC=local
> >          The replication generated an error (5):
> >          Access is denied.
> >          The failure occurred at 2005-05-18 13:29:38.
> >          The last success occurred at 2005-05-11 22:23:39.
> >          635 failures have occurred since the last success.
> >       [Replications Check,SEIDLER-ROOT] A recent replication attempt failed:
> >          From SEIDLER-LA to SEIDLER-ROOT
> >          Naming Context: CN=Configuration,DC=Seidlercos,DC=local
> >          The replication generated an error (5):
> >          Access is denied.
> >          The failure occurred at 2005-05-18 12:59:38.
> >          The last success occurred at 2005-05-11 22:16:23.
> >          161 failures have occurred since the last success.
> >       [Replications Check,SEIDLER-ROOT] A recent replication attempt failed:
> >          From SEIDLER-IRV to SEIDLER-ROOT
> >          Naming Context: CN=Configuration,DC=Seidlercos,DC=local
> >          The replication generated an error (5):
> >          Access is denied.
> >          The failure occurred at 2005-05-18 13:29:38.
> >          The last success occurred at 2005-05-11 22:23:39.
> >          635 failures have occurred since the last success.
> >       [Replications Check,SEIDLER-ROOT] No replication recently attempted:
> >          From SEIDLER-IRV to SEIDLER-ROOT
> >          Naming Context: DC=US,DC=Seidlercos,DC=local
> >          The last attempt occurred at 2005-05-11 22:23:39 (about 159 hours ago).
> >       [Replications Check,SEIDLER-ROOT] A recent replication attempt failed:
> >          From SEIDLER-LA to SEIDLER-ROOT
> >          Naming Context: DC=US,DC=Seidlercos,DC=local
> >          The replication generated an error (1396):
> >          Logon Failure: The target account name is incorrect.
> >          The failure occurred at 2005-05-15 23:00:08.
> >          The last success occurred at 2005-05-11 22:29:45.
> >          2 failures have occurred since the last success.
> >          Kerberos Error.
> >          The KDC could not find the SPN for the server SEIDLER-LA.
> >          This can be for several reasons:
> >
> >          (1) - The SPN is not registered on the KDC (usually SEIDLER-ROOT).
> >          Check that the SPN is registered on at least one other server
> >          besides SEIDLER-LA, and that replication is progressing between
> >          this server and the KDC. The tool repadmin/syncall can be used for
> >          this purpose.
> >          (2) - This server could be a deleted server (and deleted DSA
> >          object), and this deletion has not replicated across the
> >          enterprise yet. This will rectify itself within the general
> >          replication latency plus the latency of the KCC. Should be less
> >          than a day.
> >          (3) - It's possible that this server was reclaimed, but it's DSA
> >          object was not deleted and an old DNS record representing the
> >          server is present. This can result in this error for the duration
> >          of a DNS record lease. Often about 2 weeks. To fix this, please
> >          clean up the DSA's metadata with ntdsutil.
> >          (4) - Finally, it's possible that this server has acquired a new
> >          IP address, the server's old IP address has been reused, and DNS
> >          hasn't been updated to reflect the new IP address. If this problem
> >          persists, stop and restart the "Net Logon" service on SEIDLER-LA,
> >          and delete the old DNS record.
> >       REPLICATION-RECEIVED LATENCY WARNING
> >       SEIDLER-ROOT: Current time is 2005-05-18 13:43:40.
> >          DC=ForestDnsZones,DC=Seidlercos,DC=local
> >             Last replication recieved from SEIDLER-LA at 2005-05-11 22:24:09.
> >             Last replication recieved from SEIDLER-IRV at 2005-05-11 22:23:39.
> >          CN=Schema,CN=Configuration,DC=Seidlercos,DC=local
> >             Last replication recieved from SEIDLER-LA at 2005-05-11 21:53:38.
> >             Last replication recieved from SEIDLER-IRV at 2005-05-11 22:23:39.
> >          CN=Configuration,DC=Seidlercos,DC=local
> >             Last replication recieved from SEIDLER-LA at 2005-05-11 22:16:23.
> >             Last replication recieved from SEIDLER-IRV at 2005-05-11
.
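A small triage helper, added here as an example (it is not from the thread, from Microsoft, or from any shipped tool), that parses dcdiag "Replications Check" output like the block quoted above and separates partners whose failures are authentication errors (5, 1396, 1908, the codes seen in this thread) from partners that are merely stale. The sample entries and the "now" value are constructed from the dcdiag output quoted in the thread; everything else is an assumption of this example.

```python
import re
from datetime import datetime

# Constructed sample in the shape of two of the dcdiag "Replications Check" entries quoted above.
SAMPLE = """\
      [Replications Check,SEIDLER-ROOT] A recent replication attempt failed:
         From SEIDLER-LA to SEIDLER-ROOT
         Naming Context: DC=US,DC=Seidlercos,DC=local
         The replication generated an error (1396):
         Logon Failure: The target account name is incorrect.
         The last success occurred at 2005-05-11 22:29:45.
      [Replications Check,SEIDLER-ROOT] No replication recently attempted:
         From SEIDLER-IRV to SEIDLER-ROOT
         Naming Context: DC=US,DC=Seidlercos,DC=local
         The last attempt occurred at 2005-05-11 22:23:39 (about 159 hours ago).
"""
NOW = datetime(2005, 5, 18, 13, 43, 40)  # the "Current time" dcdiag printed in the thread

# Win32 codes from the thread that mean the partner could not be authenticated
# (secure channel, machine-account password or SPN), not plain unreachability.
AUTH_ERRORS = {5: "access denied", 1396: "target account name incorrect",
               1908: "no DC/KDC found for the domain"}
WHEN = re.compile(r"last (?:success|attempt) occurred at (\S+ \d\d:\d\d:\d\d)")

def parse_dcdiag(text):
    """One dict per 'Replications Check' entry: src, nc, error, last_ok."""
    entries, cur = [], {}
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("[Replications Check"):
            cur = {"error": None}            # a failed entry sets this below
            entries.append(cur)
        elif s.startswith("From "):
            cur["src"] = s.split()[1]
        elif s.startswith("Naming Context:"):
            cur["nc"] = s.split(":", 1)[1].strip()
        elif m := re.search(r"error \((\d+)\)", s):
            cur["error"] = int(m.group(1))
        elif m := WHEN.search(s):            # last success, or last attempt if none failed
            cur["last_ok"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return entries

def triage(entries, now=NOW):
    """(src, nc, hours since last success, failure class) for each partner/NC."""
    out = []
    for e in entries:
        cls = AUTH_ERRORS.get(e["error"], "other" if e["error"] else "no recent attempt")
        hours = round((now - e["last_ok"]).total_seconds() / 3600)
        out.append((e["src"], e["nc"], hours, cls))
    return out
```

Run `triage(parse_dcdiag(open("dcdiag.txt").read()), datetime.now())` on a saved dcdiag log to get one row per partner and naming context; an "access denied" or "target account name incorrect" row with a non-zero stale count is the signature this thread describes, while a "no recent attempt" row only says the partner has not been contacted.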


