Re: Replication issue between domian controller server within same
- From: "Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Wed, 27 Feb 2008 07:50:26 -0600
Dang it, I hit send to quick. You also need to follow up on what Jorge
pointed out. By default Windows 2000 tombstone lifetime is 60 days, which
means changes that are more than 60 days old won't be replicated. So unless
you changed the default time on the tombstone attribute, you are going to
have to demote and promote your remote machine but if you have a longer
lifetime than you need to get this fixed soon.
http://support.microsoft.com/kb/216993
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"M H Affendi" <MHAffendi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E74ABB45-EBF1-4CEF-A063-20B6AE290FBC@xxxxxxxxxxxxxxxx
Dear Paul,
Earlier I have tried running dcdiag and below is some of the error that I
managed to extract:-
Testing server: XXX\DC1
Starting test: Replications
[Replications Check,DC1] A recent replication attempt failed:
From DC2 to DC1
Naming Context: DC=Prod,DC=HL,DC=com
The replication generated an error (1326):
Logon failure: unknown user name or bad password.
The failure occurred at 2008-02-22 12:51.53.
The last success occurred at 2007-12-07 15:48.19.
1242 failures have occurred since the last success.
Kerberos Error.
The machine account is not present, or does not match on the.
destination, source or KDC servers.
Verify domain partition of KDC is in sync with rest of
enterprise.
The tool repadmin/syncall can be used for this purpose.
===========================================================================================
Starting test: KnowsOfRoleHolders
[DC2] DsBind() failed with error -2146893022,
The target principal name is incorrect..
Warning: DC2 is the PDC Owner, but is not responding to DS RPC
Bind.
[DC2] LDAP bind failed with error 31,
A device attached to the system is not functioning..
Warning: DC2 is the PDC Owner, but is not responding to LDAP Bind.
Warning: DC2 is the Rid Owner, but is not responding to DS RPC
Bind.
Warning: DC2 is the Rid Owner, but is not responding to LDAP Bind.
Warning: DC2 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: DC2 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... DC1 failed test KnowsOfRoleHolders
===========================================================================================
I have checked at Microsoft website and found an article that mention
there
might be an issue with inter-domain trust account is not synchronized on
both
sides of the trust relationship
(http://support.microsoft.com/kb/892426/en).
I am not sure whether this article is really related to my problem. By the
way, here is some of the event viewer logs that I capture.
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date: 2/25/2008
Time: 3:40:29 PM
User: N/A
Computer: DC1
Description:
The File Replication Service is having trouble enabling replication from
DC2
to DC1 for e:\nt\sysvol\domain using the DNS name DC2.Prod.HL.com. FRS
will
keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name DC2.Prod.HL.com from this
computer.
[2] FRS is not running on DC2.Prod.HL.com.
[3] The topology information in the Active Directory for this replica has
not yet replicated to all the Domain Controllers.
This event log message will appear once per connection, After the problem
is fixed you will see another event log message indicating that the
connection has been established.
Data:
0000: 21 07 00 00 !...
Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1265
Date: 2/26/2008
Time: 9:42:09 AM
User: N/A
Computer: DC1
Description:
The attempt to establish a replication link with parameters
Partition: DC=HL,DC=com
Source DSA DN: CN=NTDS
Settings,CN=DC2,CN=Servers,CN=WHL-Production,CN=Sites,CN=Configuration,DC=HL,DC=com
Source DSA Address: 7e803ca3-3524-4ef5-a48e-466e99375827._msdcs.HL.com
Inter-site Transport (if any): CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=HL,DC=com
failed with the following status:
Logon failure: unknown user name or bad password.
The record data is the status code. This operation will be retried.
Data:
0000: 2e 05 00 00 ....
"Paul Bergson [MVP-DS]" wrote:
8 minutes? Anything greater than 5 minutes stops Kerberos from working.
Sounds like you have problems with time as well, for starters follow
below.
Run diagnostics against your Active Directory domain.
If you don't have the support tools installed, install them from your
server
install disk.
d:\support\tools\setup.exe
Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"
**Note: Using the /E switch in dcdiag will run diagnostics against ALL
dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.
If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be
output
in notepad text files that pop up automagically.
The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm
Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)
When complete search for fail, error and warning messages.
Description and download for dnslint
http://support.microsoft.com/kb/321045
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"M H Affendi" <MHAffendi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C3B9B221-2869-4805-B5C6-8C1E391AF6BB@xxxxxxxxxxxxxxxx
Hi,
I am having a problem with the AD replication for one of my domain
controller server. The domain controller servers is running on Windows
2000
server SP4. Lets call the first server as DC1 and the second as DC2.
DC1
doesn't receive any update after changes has been done at DC2. DC2 is
replicating with another server, DC3 and there is no issue between
these
two.
I have checked hard disk space on DC1 and there is no problem. There is
plenty of disk space. However, the server time between DC1 and DC2 is 8
minutes difference. I have changed the time back so it is synchronized.
However, the problem still persist and DC1 doesn't get any update at
all.
.
- References:
- Re: Replication issue between domian controller server within same dom
- From: Paul Bergson [MVP-DS]
- Re: Replication issue between domian controller server within same
- From: M H Affendi
- Re: Replication issue between domian controller server within same dom
- Prev by Date: Re: Replication issue between domian controller server within same
- Next by Date: Re: Move Certification Aututhority
- Previous by thread: Re: Replication issue between domian controller server within same
- Next by thread: Re: Replication issue between domian controller server within same dom
- Index(es):
Relevant Pages
|
Loading
