Re: Different Directory Information Trees
- From: Edog <edog@xxxxxxxxxxxxxxx>
- Date: Thu, 09 Feb 2006 08:59:20 -0600
Edog wrote:
I am working on some recurring issues between two domain controllers.
background: 2 DCs in a single forest. Due to hardware changes, rebuilt and restored both machines from backup. Did the Primary (DC1) first by demoting it, upgraded the hardware, brought it back online, promoted it. Seized roles back. All good. Did the second (DC2), same routine. All good...seemingly...
observed problems: it started with a couple of UserEnv 1030 and 1058 errors on DC2. Access denied. The DCs were not able to apply group policy to themselves. I think that was a DC account password issue that I have since cleaned up. Those errors are gone. While cleaning those, I noticed some NTDS Replication 1955 and 1083 errors that come together. They are all related to my account. Go figure! They correspond to when I changed my password recently. Weird side-effect I also noticed was that I can no longer launch the Active Directory related Management tools from my workstation (could before) unless I use the Active Directory Management MMC. Works fine on the server (DC2 and DC1) when I am logged in with same account. Get an access denied error. Also, I noticed a lot if DNS 4015 errors on the server (DC1) it appears that the DNS or Active Directory is "busy". Kinda the same thing as the 1955 and 1083 errors. AD is busy, will try again later.
Troubleshooting steps: Confirmed time is ok. Reset the secure channel and password for the two domain controllers. Changed my user account password again. I decided to also start digging under the hood, so I ran a dsastat /t:false and got the Different Directory Information Trees <<<fail>>> error. There are ~350 errors. Specifically these errors are "vector 2 is missing meta data for the replicated attribute 0x20001" or 0x20002. When I look at replmon, and "Show Retired Replication Partners" I have 4 **DELETED SERVERS #n in the list for each DC. These are listed as Transitive Replication Partner when I view their properties, and when I replicate, these servers show that "Server has seen all changes for this directory partition through USN:nnnnn"
So, I am at a situation where I think replication is getting fouled up. The deleted servers make sense since I did a restore on both domain controllers, but the 2 week tombstone period has passed, and I would assume these would be gone. Also, when looking using NTDSUTIL to clean up the metadata, only the 2 legitimate DCs are listed.
Any ideas where to head next?
And today I came in and my account was locked out. It's as if the locked out state attribute was copied over the other DC overnight. This has been happening a lot...where I get locked out when I am logged into a session on my workstation. I am not using any net credentials, but all of a sudden I am locked out.
.
- References:
- Different Directory Information Trees
- From: Edog
- Different Directory Information Trees
- Prev by Date: Re: automatical registration client
- Next by Date: Re: ADAM Replication - 1 instance off issue
- Previous by thread: Different Directory Information Trees
- Next by thread: Re: ADAM multivalue limit
- Index(es):
Relevant Pages
|
Loading
