Re: Domain Replication Problems
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Thu, 4 May 2006 07:49:31 -0500
Did you ever lose a dc in this network and just rebuild it w/o cleaning up
the AD metadata? I'm wondering if you can demote and go through a cleanup
process? If there is any old data residing in your Directory Services it
probably won't know how to talk to your dc partners.
http://support.microsoft.com/Default.aspx?id=216498
Otherwise you may have to rebuild your sysvol. You would have to stop the
frs service, clean up sysvol and restore, change a registry setting and
restart the service.
http://support.microsoft.com/kb/315457/
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Chip pellegrino" <Chippellegrino@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:79D1F9F6-E587-4E35-A178-761CBFFF3BCF@xxxxxxxxxxxxxxxx
I demoted the backup dc and removed its entry from ad on the primary dc
and deleted the sysvol directory on the backup computer. I then fixed all
the errors on the primary dc (it passed using frsdiag). I then made the
backup computer be an additional dc. It replicated all the AD, created the
SYSVOL folder with all the directories but scripts and policies. It also
has not created the netlogon share or sysvol shares or replicated the
netlogon files and policies. I ran dcdiag against it and now get the
following errors.
Starting test: NetLogons
   Unable to connect to the NETLOGON share! (\\BACKUP\netlogon)
   [BACKUP] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
   ......................... BACKUP failed test NetLogons
Starting test: Advertising
   Warning: DsGetDcName returned information for \\SCOMPUTER2.FNBNEWTOWN.COM, when we were trying to reach BACKUP.
   Server is not responding or is not considered suitable.
   ......................... BACKUP failed test Advertising
When I run frsdiag I get:
Checking for errors in debug logs ...
   ERROR on NtFrs_0001.log : "ERROR_ACCESS_DENIED" : <FrsDsBindDs: 3136: 1700: S1: 16:05:02> :DS: WARN - DsBind(\\SCOMPUTER2.FNBNEWTOWN.COM); WStatus: ERROR_ACCESS_DENIED
   ERROR on NtFrs_0001.log : "ERROR_ACCESS_DENIED" : <FrsDsBindDs: 3136: 1700: S1: 16:05:07> :DS: WARN - DsBind(\\SCOMPUTER2.FNBNEWTOWN.COM); WStatus: ERROR_ACCESS_DENIED
   ERROR on NtFrs_0001.log : "ERROR_ACCESS_DENIED" : <FrsDsBindDs: 3136: 1700: S1: 16:05:37> :DS: WARN - DsBind(\\SCOMPUTER2.FNBNEWTOWN.COM); WStatus: ERROR_ACCESS_DENIED
   Found 35 ERROR_ACCESS_DENIED error(s)! Latest ones (up to 3) listed above
   ......... failed with 35 error entries
Checking NtFrs Service (and dependent services) state...
   ERROR : Cannot access SYSVOL share on backup
   ERROR : Cannot access NETLOGON share on backup
   ......... failed 2
Checking NtFrs related Registry Keys for possible problems...
   SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysvolReady = 0 :: ERROR: SysvolReady is not set to 1 :: SYSVOL is likely not Sharing! This key should NOT be changed manually but this should be addressed! See article KB.327781 (How to Troubleshoot Missing SYSVOL and NETLOGON Shares on Windows Server) for further information!
   failed with 1 error(s) and 0 warning(s)
"Paul Bergson" wrote:
I would demote and try running some diagnostics against the current dc.
Run diagnostics against your Active Directory domain.
If you don't have the tools installed, install them from your server
install disk.
d:\support\tools\setup.exe
Run dcdiag and netdiag in verbose mode.
If you download a gui script I wrote it should be simple to set and run.
It also has the option to run individual tests without having to learn all
the switch options. The details will be output in notepad text files that
pop up automagically.
The script is located in the download section on my website at
http://www.pbbergs.com
Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)
When complete search for fail, error and warning messages.
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Chip pellegrino" <Chippellegrino@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:31083005-C37C-406B-80B8-FDF3611FA81F@xxxxxxxxxxxxxxxx
About 5 months ago I upgraded our domain controller from nt 4.0 to 2003
standard (fresh install). Since I did not have a backup domain controller
I decided to promote our backup server, windows 2000 server (it just holds
workstation backups doesn't do anything else) to a BDC. Everything worked
ok, but recently I noticed replication stopped working and computers that
were authenticating against the backup domain controller were using an
older logon script (because the replication was not working). Since I
could not figure out why I thought it would be a good idea to just upgrade
the bdc to 2003 as well. Before I did the in place upgrade (I just put the
cd in and upgraded it) I thought it would be a good idea to demote it, so
I did. After the upgrade I promoted it to a domain controller and it has
not yet replicated anything. The Sysvol folders were created but not
shared and there are no files replicated under any of the sysvol folders.
The PDC is called scomputer2 and the BDC is called BACKUP. The following
is the partial log from frsdiag.exe
---------------------------------------------------------------------------------------------
NTDS Replication 4/28/2006 3:32:43 PM Error 1411 Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller. Domain controller: 41f8ab6e-6ed5-4489-bd94-f0662287ad5f._msdcs.FNBNEWTOWN.COM The call was denied. Communication with this domain controller might be affected. Additional Data Error value: 8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.
WARNING: Found Directory Service Errors in the past 15 days! FRS Depends on AD so Check AD Replication!
......... failed 112
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ...
ERROR: This server's "Member Ref" property for the SYSVOL volume does NOT seem to be correct !!!
To fix this, use ADSIEdit and edit the "fRSMemberReference" Property of the nTFRSSubscriber object named "CN=Domain System Volume (SYSVOL share)" located under this Server's Computer Object.
This value should match the FQDN of this Server. Current Values are:
Current Value = "(null)"
Suggested Value = "CN=SCOMPUTER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=FNBNEWTOWN,DC=com"
Please note there is a small chance the above Suggested Value may not be correct - See below for more info on what the Proper Value should be!
For more Info See KB Article : 312862 Recovering Missing FRS Objects and FRS Attributes in Active Directory - Search for the step about Updating the "fRSMemberReference" object (Step 8 on the "Recovering from Deleted FRS Objects" section
......... failed with 1 error(s)
---------------------------------------------------------------------------------------------
I tried demoting the BDC and promoting again but that did not help. Any
help would be appreciated.
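
Added example, not part of the original thread or written by either poster: a small Python triage of saved dcdiag/frsdiag text that does the "search for fail, error and warning messages" step and pulls out the three signals seen above (failed dcdiag tests, DsBind access-denied partners, the SysvolReady value). The function name `triage` and the report layout are assumptions made for illustration; the sample lines are copied from the output quoted in this thread.

```python
import re

# Constructed sample: lines taken from the dcdiag/frsdiag output quoted in this thread.
SAMPLE = r"""
Starting test: NetLogons
   Unable to connect to the NETLOGON share! (\\BACKUP\netlogon)
   ......................... BACKUP failed test NetLogons
Starting test: Advertising
   Server is not responding or is not considered suitable.
   ......................... BACKUP failed test Advertising
ERROR on NtFrs_0001.log : "ERROR_ACCESS_DENIED" : <FrsDsBindDs: 3136: 1700: S1: 16:05:02> :DS: WARN - DsBind(\\SCOMPUTER2.FNBNEWTOWN.COM); WStatus: ERROR_ACCESS_DENIED
ERROR : Cannot access SYSVOL share on backup
SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysvolReady = 0 :: ERROR: SysvolReady is not set to 1
"""

# dcdiag result line: dots, server name, "failed test", test name.
FAILED_TEST = re.compile(r"^\.+\s+(\S+) failed test (\S+)")
# FRS debug-log entry: bind to a replication partner was refused.
BIND_DENIED = re.compile(r"DsBind\(\\\\([^)]+)\); WStatus: ERROR_ACCESS_DENIED")
# Netlogon registry value reported by frsdiag (read only, never set here).
SYSVOL_READY = re.compile(r"\\SysvolReady = (\d+)")
GENERIC = re.compile(r"\b(fail|error|warning)", re.IGNORECASE)


def triage(text):
    """Summarise failures found in saved dcdiag/frsdiag output."""
    report = {"failed_tests": [], "bind_denied": {}, "sysvol_ready": None, "other": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := FAILED_TEST.match(line):
            report["failed_tests"].append((m.group(1), m.group(2)))
        elif m := BIND_DENIED.search(line):
            partner = m.group(1)
            report["bind_denied"][partner] = report["bind_denied"].get(partner, 0) + 1
        elif m := SYSVOL_READY.search(line):
            report["sysvol_ready"] = int(m.group(1))
        elif GENERIC.search(line):
            report["other"].append(line)  # anything else worth a manual look
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
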