Re: Replication event errors
- From: Adam <Adam@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Jun 2006 11:05:02 -0700
I don't think I have a phantom DC, as the metadata cleanup only shows my two
active DCs.
But as a test I manually added a DNS alias for Domain controller:
bfad308c-dc3c-4dda-95b0-eed325c5dd4c._msdcs.DOMAIN.org
and that cleared up the error:
Active Directory failed to construct a mutual authentication service
principal name (SPN) for the following domain controller.
I know that's not really a fix but I also get this warning:
Active Directory could not use DNS to resolve the IP address of the source
domain controller listed below. To maintain the consistency of Security
groups, group policy, users and computers and their passwords, Active
Directory successfully replicated using the NetBIOS or fully qualified
computer name of the source domain controller.
Invalid DNS configuration may be affecting other essential operations on
member computers, domain controllers or application servers in this Active
Directory forest, including logon authentication or access to network
resources.
You should immediately resolve this DNS configuration error so that this
domain controller can resolve the IP address of the source domain controller
using DNS.
Alternate server name:
ccsad02
Failing DNS host name:
e94435ac-23a1-4b80-a50e-521f4e6be6cc._msdcs.DOMAIN.org
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour
period, even if more than 10 failures occur. To log all individual failure
events, set the following diagnostics registry value to 1:
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action:
1) If the source domain controller is no longer functioning or its
operating system has been reinstalled with a different computer name or
NTDSDSA object GUID, remove the source domain controller's metadata with
ntdsutil.exe, using the steps outlined in MSKB article 216498.
2) Confirm that the source domain controller is running Active directory
and is accessible on the network by typing "net view \\<source DC name>" or
"ping <source DC name>".
3) Verify that the source domain controller is using a valid DNS server for
DNS services, and that the source domain controller's host record and CNAME
record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE
available on http://www.microsoft.com/dns
dcdiag /test:dns
4) Verify that that this destination domain controller is using a valid DNS
server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE
command on the console of the destination domain controller, as follows:
dcdiag /test:dns
5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449
Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was
found.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
The "e94435ac-23a1-4b80-a50e-521f4e6be6cc" record is the one created via
ipconfig /all.
Does this look like a DNS issue or a computer account type issue?
"Paul Bergson" wrote:
If this DC was offline for more than 60 days then you will have DCs
(changes that can no longer be replicated because of lost tombstones) that
are out of sync and can't be properly sync'd up. You shouldn't bring this
dc back online but instead do a metadata cleanup of AD and do a dcpromo
/forceremoval then remove the machine (Locally) from the domain.
http://support.microsoft.com/kb/216993/en-us
Metadata Cleanup
http://support.microsoft.com/?id=216498
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Adam" <Adam@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:98F508FE-6FD2-4AB8-8320-DF768D3A38C8@xxxxxxxxxxxxxxxx
Yes that is the replication partner.
How do I run the KCC again?
Remove connection objects and reboot?
I should also mention that my domain name is the same as my public internet
name, not my doing.
I did have errors before when I ran dcdiag /test:dns a couple of days ago.
I added my ISP as my forwarder and that cleared up the error.
A bit more history:
From what I can gather this was a Windows 2000 domain, then a Windows 2003
DC was added and the Windows 2000 DC was removed. But it looks like the DC
was just turned off. I do not see a reference of that DC but I found the
physical box in a closet. When I powered it on I found it to be a DC for the
same named Domain but 6 months out of date. ---This network was without
support for 6 months.
Here is the log from a DCdiag /c:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\CCSAD01
Starting test: Connectivity
......................... CCSAD01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\CCSAD01
Starting test: Replications
......................... CCSAD01 passed test Replications
Starting test: Topology
......................... CCSAD01 passed test Topology
Starting test: CutoffServers
......................... CCSAD01 passed test CutoffServers
Starting test: NCSecDesc
......................... CCSAD01 passed test NCSecDesc
Starting test: NetLogons
......................... CCSAD01 passed test NetLogons
Starting test: Advertising
......................... CCSAD01 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... CCSAD01 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... CCSAD01 passed test RidManager
Starting test: MachineAccount
......................... CCSAD01 passed test MachineAccount
Starting test: Services
......................... CCSAD01 passed test Services
Starting test: OutboundSecureChannels
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... CCSAD01 passed test
OutboundSecureChannels
Starting test: ObjectsReplicated
......................... CCSAD01 passed test ObjectsReplicated
Starting test: frssysvol
......................... CCSAD01 passed test frssysvol
Starting test: frsevent
......................... CCSAD01 passed test frsevent
Starting test: kccevent
An Warning Event occured. EventID: 0x80250828
Time Generated: 06/22/2006 16:00:36
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000583
Time Generated: 06/22/2006 16:01:00
(Event String could not be retrieved)
......................... CCSAD01 failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 06/22/2006 15:12:21
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 06/22/2006 15:12:21
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 06/22/2006 15:45:16
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 06/22/2006 15:45:58
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00010E1
Time Generated: 06/22/2006 16:00:50
Event String: The name "CCS2001 :1d" could not be
An Error Event occured. EventID: 0x00000457
Time Generated: 06/22/2006 16:04:54
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 06/22/2006 16:04:55
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 06/22/2006 16:08:41
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 06/22/2006 16:09:23
(Event String could not be retrieved)
......................... CCSAD01 failed test systemlog
Starting test: VerifyReplicas
......................... CCSAD01 passed test VerifyReplicas
Starting test: VerifyReferences
......................... CCSAD01 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... CCSAD01 passed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
[CCSAD01] No security related replication errors were found on
this
DC! To target the connection to a specific source DC use
/ReplSource:<DC>.
......................... CCSAD01 passed test CheckSecurityError
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : PUBLIC
Starting test: CrossRefValidation
......................... PUBLIC passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... PUBLIC passed test CheckSDRefDom
Running enterprise tests on : PUBLIC.org
Starting test: Intersite
......................... PUBLIC.org passed test Intersite
Starting test: FsmoCheck
......................... PUBLIC.org passed test FsmoCheck
Starting test: DNS
......................... PUBLIC.org passed test DNS
"strongline" wrote:
It's the netlogon service, instead of the ipconfig command, that registers those
SRV records.
bfad308c-dc3c-4dda-95b0-eed325c5dd4c._msdcs.domain.com should be this
DC's replication partner rather than itself.
IF you are sure your DNS is working properly, I would try
1. restart netlogon service on all DCs
2. remove connection objects from Sites and Services, and run KCC again
to re-generate replication topology
3. observe if there is any KCC error
Adam wrote:
Source:NTDS Replication
Category:DS RPC Client
Event Id:1411
Active Directory failed to construct a mutual authentication service
principal name (SPN) for the following domain controller.
Domain controller:
bfad308c-dc3c-4dda-95b0-eed325c5dd4c._msdcs.domain.com
The entry in DNS for this server is
e94435ac-23a1-4b80-a50e-521f4e6be6cc._msdcs.domain.com
I even removed the record and ran ipconfig /registerdns which created the
above record.
Is there a way to make sure file replication is looking for the correct
record?
The call was denied. Communication with this domain controller might be
affected.
I have tested and rebuilt my DNS, Seems ok
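
Added example, not part of the original thread: one way to check the GUID-based CNAME records that events 1411 and the "Failing DNS host name" warning refer to. For every DC it builds the expected alias `<NTDS Settings objectGUID>._msdcs.<forest root>` and confirms DNS returns a CNAME pointing at that DC. It assumes the ActiveDirectory and DnsClient PowerShell modules (newer than the Windows 2003 DCs discussed here); the function name `Test-DsaGuidCname` is hypothetical.

```powershell
# Added example. Run from a domain-joined admin workstation with RSAT installed.
Import-Module ActiveDirectory

function Test-DsaGuidCname {
    param(
        [string]$DnsServer   # optional: ask one specific DNS server instead of the default resolver
    )

    foreach ($dc in Get-ADDomainController -Filter *) {
        # The DSA GUID is the objectGUID of the DC's "NTDS Settings" object,
        # not the GUID of the computer account.
        $dsa   = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
        $alias = '{0}._msdcs.{1}' -f $dsa.ObjectGUID, $dc.Forest

        $query = @{ Name = $alias; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }
        $cname = Resolve-DnsName @query |
                 Where-Object { $_.Type -eq 'CNAME' } |
                 Select-Object -First 1

        # MISSING      : replication partners cannot locate this DC by GUID (the 11004 case above)
        # WRONG TARGET : alias exists but points at another host, e.g. a stale or hand-made record
        $status = 'OK'
        if (-not $cname) {
            $status = 'MISSING'
        }
        elseif ($cname.NameHost.TrimEnd('.') -ne $dc.HostName) {
            $status = 'WRONG TARGET'
        }

        [pscustomobject]@{
            DC            = $dc.HostName
            ExpectedAlias = $alias
            CnameTarget   = $cname.NameHost
            Status        = $status
        }
    }
}

Test-DsaGuidCname | Format-Table -AutoSize
```

Running it once per DNS server with `-DnsServer` shows whether the DCs' resolvers disagree about the `_msdcs` zone.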