Re: replication failed access denied
- From: blink <blink@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 10 Apr 2008 13:55:01 -0700
Paul,
You are a genius, great little program you wrote. I'm stumped though on the
output; I've been trying to fix every error but no luck. I hope you are still
watching this thread, but anyway here is the output on the BDC having the
problem. Errors about the downstream topology being disconnected for the domain,
and the server having the problem can't get changes from the DC.
Another error: An Error Event occured. EventID: 0x40000004
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from
the server host/BDC_Server.corp.contosa.com. The target name used was . This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (CORP.contosa.com),
and the client realm.
This is the full output:
Domain Controller Diagnosis
Performing initial setup:
* Connecting to directory service on server corp.contosa.com.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 2 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\PDC_Server
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PDC_Server passed test Connectivity
Testing server: Default-First-Site-Name\BDC_Server
Starting test: Connectivity
* Active Directory LDAP Services Check
[BDC_Server] LDAP bind failed with error 8341,
A directory service error has occurred..
......................... BDC_Server failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PDC_Server
Starting test: Replications
* Replications Check
* Replication Latency Check
* Replication Site Latency Check
......................... PDC_Server passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
DC=ForestDnsZones,DC=corp,DC=contosa,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=DomainDnsZones,DC=corp,DC=contosa,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=corp,DC=contosa,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=corp,DC=contosa,DC=com.
These servers can't get changes from home server PDC_Server:
Default-First-Site-Name/BDC_Server
* Analyzing the connection topology for
CN=Configuration,DC=corp,DC=contosa,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=corp,DC=contosa,DC=com.
These servers can't get changes from home server PDC_Server:
Default-First-Site-Name/BDC_Server
* Analyzing the connection topology for DC=corp,DC=contosa,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for DC=corp,DC=contosa,DC=com.
These servers can't get changes from home server PDC_Server:
Default-First-Site-Name/BDC_Server
......................... PDC_Server failed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=ForestDnsZones,DC=corp,DC=contosa,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=DomainDnsZones,DC=corp,DC=contosa,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=corp,DC=contosa,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=corp,DC=contosa,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=corp,DC=contosa,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... PDC_Server passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PDC_Server.
* Security Permissions Check for
DC=ForestDnsZones,DC=corp,DC=contosa,DC=com
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=corp,DC=contosa,DC=com
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=corp,DC=contosa,DC=com
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=corp,DC=contosa,DC=com
(Configuration,Version 2)
* Security Permissions Check for
DC=corp,DC=contosa,DC=com
(Domain,Version 2)
......................... PDC_Server passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PDC_Server\comlogon
Verified share \\PDC_Server\sysvol
......................... PDC_Server passed test NetLogons
Starting test: Advertising
The DC PDC_Server is advertising itself as a DC and having a DS.
The DC PDC_Server is advertising as an LDAP server
The DC PDC_Server is advertising as having a writeable directory
The DC PDC_Server is advertising as a Key Distribution Center
The DC PDC_Server is advertising as a time server
The DS PDC_Server is advertising as a GC.
......................... PDC_Server passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=PDC_Server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=contosa,DC=com
Role Domain Owner = CN=NTDS
Settings,CN=PDC_Server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=contosa,DC=com
Role PDC Owner = CN=NTDS
Settings,CN=PDC_Server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=contosa,DC=com
Role Rid Owner = CN=NTDS
Settings,CN=PDC_Server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=contosa,DC=com
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=PDC_Server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=contosa,DC=com
......................... PDC_Server passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2103 to 1073741823
* PDC_Server.corp.contosa.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1603 to 2102
* rIDPreviousAllocationPool is 1103 to 1602
* rIDNextRID: 1481
......................... PDC_Server passed test RidManager
Starting test: MachineAccount
Checking machine account for DC PDC_Server on DC PDC_Server.
* SPN found :LDAP/PDC_Server.corp.contosa.com/corp.contosa.com
* SPN found :LDAP/PDC_Server.corp.contosa.com
* SPN found :LDAP/PDC_Server
* SPN found :LDAP/PDC_Server.corp.contosa.com/contosa
* SPN found
:LDAP/a3787208-1cc3-46d3-8118-27fd2239fe71._msdcs.corp.contosa.com
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/a3787208-1cc3-46d3-8118-27fd2239fe71/corp.contosa.com
* SPN found :HOST/PDC_Server.corp.contosa.com/corp.contosa.com
* SPN found :HOST/PDC_Server.corp.contosa.com
* SPN found :HOST/PDC_Server
* SPN found :HOST/PDC_Server.corp.contosa.com/contosa
* SPN found :GC/PDC_Server.corp.contosa.com/corp.contosa.com
......................... PDC_Server passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PDC_Server passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... PDC_Server passed test OutboundSecureChannels
Starting test: ObjectsReplicated
PDC_Server is in domain DC=corp,DC=contosa,DC=com
Checking for CN=PDC_Server,OU=Domain
Controllers,DC=corp,DC=contosa,DC=com in domain DC=corp,DC=contosa,DC=com on
1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=PDC_Server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=contosa,DC=com
in domain CN=Configuration,DC=corp,DC=contosa,DC=com on 1 servers
Object is up-to-date on all servers.
......................... PDC_Server passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PDC_Server passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... PDC_Server passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minutes.
......................... PDC_Server passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 04/10/2008 15:37:50
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/BDC_Server.corp.contosa.com. The target name used
was . This indicates that the password used to
encrypt the kerberos service ticket is different
than that on the target server. Commonly, this is
due to identically named machine accounts in the
target realm (CORP.contosa.com), and the client
realm. Please contact your system
administrator.
......................... PDC_Server failed test systemlog
Starting test: VerifyReplicas
......................... PDC_Server passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=PDC_Server,OU=Domain Controllers,DC=corp,DC=contosa,DC=com and
backlink on
CN=PDC_Server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=contosa,DC=com
are correct.
The system object reference (frsComputerReferenceBL)
CN=PDC_Server,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=corp,DC=contosa,DC=com
and backlink on CN=PDC_Server,OU=Domain
Controllers,DC=corp,DC=contosa,DC=com
are correct.
The system object reference (serverReferenceBL)
CN=PDC_Server,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=corp,DC=contosa,DC=com
and backlink on
CN=NTDS
Settings,CN=PDC_Server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=contosa,DC=com
are correct.
......................... PDC_Server passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important
DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=BDC_Server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=contosa,DC=com
Base Object Description: "Server Object"
Value Object Attribute: serverReference
Value Object Description: "DC Account Object"
Recommended Action: This could hamper authentication (and thus
replication, etc). Check if this server is deleted, and if so
clean up this DCs Account Object. If the
That's the end of the text file?
Thanks in advance.
"Paul Bergson [MVP-DS]" wrote:
Run diagnostics against your Active Directory domain.
If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe
Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"
**Note: Using the /E switch in dcdiag will run diagnostics against ALL DCs
in the forest. If you have significant numbers of DCs this test could
generate significant detail and take a long time. You also want to take
into account that slow links to DCs will also add to the testing time.
If you download a GUI script I wrote, it should be simple to set up and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in Notepad text files that pop up automagically.
The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm
Just select both dcdiag and netdiag and make sure verbose is set. (Leave the
default settings for dcdiag as set when selected.)
When complete, search for fail, error and warning messages.
Description and download for dnslint
http://support.microsoft.com/kb/321045
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"blink" <blink@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:31539977-6B38-49F9-BFB7-E0E937480D97@xxxxxxxxxxxxxxxx
Hi all,
2003 AD domain functional level running Windows Server 2003, and the forest
level is running at 2000.
I am trying to set up my second domain controller, went through the wizard
and I am able to log on to the domain on the second controller. I am also
always logging in as the domain admin. I am able to open and make changes to
the AD Users and Computers console. When I run replmon from the secondary DC
and try to sync with the PDC I keep getting the following error: There was an
error during queuing the synchronization. The error code was:
ERROR_REPLICA_SYNC_FAILED_ACCESS IS DENIED.
I am logged in as the DC admin, even set as the Enterprise Admin also. I ran
the same procedure on the PDC and get the same error.
I will post netdiag in another post.
Thanks in advance.
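Paul's advice above is to run dcdiag in verbose mode and then search the output for fail, error and warning messages. The Python script below is an added example for this thread (it is not part of dcdiag, nor of Paul's GUI tool) that does that search mechanically: it groups the output by server and test, keeps only the failed tests, pulls the LDAP error codes and event IDs out of each one (dcdiag prints the raw 32-bit code 0x40000004; Event Viewer shows the low 16 bits, event 4), and attaches a short hint for the three patterns that appear in blink's paste. The sample input is an excerpt of the dcdiag output posted above; the hint wording and the pattern table are mine, and the 8341 = ERROR_DS_GENERIC_ERROR mapping is from winerror.h.

```python
"""Triage dcdiag /v output: failed tests per DC with the codes they carry.
Added example for this thread; not part of dcdiag or of Paul's GUI tool."""
import re

# Sample input: excerpt of the dcdiag output posted above, kept as pasted
# (including the result line the mail client wrapped onto two lines).
SAMPLE_OUTPUT = """\
Starting test: Connectivity
......................... PDC_Server passed test Connectivity
Starting test: Connectivity
[BDC_Server] LDAP bind failed with error 8341,
A directory service error has occurred..
......................... BDC_Server failed test Connectivity
Starting test: Topology
Downstream topology is disconnected for DC=corp,DC=contosa,DC=com.
These servers can't get changes from home server PDC_Server:
Default-First-Site-Name/BDC_Server
......................... PDC_Server failed test Topology
Starting test: OutboundSecureChannels
** Did not run Outbound Secure Channels test
......................... PDC_Server passed test
OutboundSecureChannels
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/BDC_Server.corp.contosa.com. The target name used
......................... PDC_Server failed test systemlog
"""

TEST_RE = re.compile(r"^Starting test: (\S+)")
RESULT_RE = re.compile(r"^\.+ (\S+) (passed|failed) test\s*(\S+)?$")  # name may wrap
EVENT_RE = re.compile(r"EventID: (0x[0-9A-Fa-f]+)")
LDAP_RE = re.compile(r"LDAP bind failed with error (\d+)")

# Hints for the three patterns seen in this thread (my wording, not dcdiag's).
KNOWN_PATTERNS = [
    (re.compile(r"KRB_AP_ERR_MODIFIED"), "Kerberos: target could not decrypt the "
     "service ticket; check which account owns the SPN named in the event text "
     "and whether the target's machine-account password is current"),
    (re.compile(r"LDAP bind failed with error 8341"), "8341 = ERROR_DS_GENERIC_ERROR; "
     "the DC answered but its directory service rejected the bind, so fix this "
     "before trusting any other result for that DC"),
    (re.compile(r"Downstream topology is disconnected"), "KCC: listed servers cannot "
     "pull changes from the home server; usually follows from a connectivity failure"),
]

def event_id(code_hex):
    """dcdiag prints the raw 32-bit event code; Event Viewer shows its low 16 bits."""
    return int(code_hex, 16) & 0xFFFF

def parse_dcdiag(text):
    """Group output by (server, test) -> {'result': verdict, 'detail': lines}."""
    results, test, buf, pending = {}, None, [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if pending is not None:  # second half of a wrapped result line
            server, verdict, detail = pending
            results[(server, line)] = {"result": verdict, "detail": detail}
            pending = None
            continue
        m = TEST_RE.match(line)
        if m:
            test, buf = m.group(1), []
            continue
        m = RESULT_RE.match(line)
        if m:
            server, verdict, name = m.groups()
            if name is None:
                pending = (server, verdict, buf)
            else:
                results[(server, name)] = {"result": verdict, "detail": buf}
            test, buf = None, []
            continue
        if test is not None:
            buf.append(line)
    return results

def triage(results):
    """One finding per failed test: error codes found in its detail plus hints."""
    findings = []
    for (server, test), rec in results.items():
        if rec["result"] != "failed":
            continue
        detail = " ".join(rec["detail"])
        findings.append({
            "server": server, "test": test,
            "event_ids": [event_id(h) for h in EVENT_RE.findall(detail)],
            "ldap_errors": [int(e) for e in LDAP_RE.findall(detail)],
            "hints": [hint for pat, hint in KNOWN_PATTERNS if pat.search(detail)],
        })
    return findings

if __name__ == "__main__":
    for f in triage(parse_dcdiag(SAMPLE_OUTPUT)):
        print("%s / %s: events=%s ldap=%s" % (f["server"], f["test"], f["event_ids"], f["ldap_errors"]))
        for hint in f["hints"]:
            print("   -", hint)
```

Run it as-is to see the three findings from the paste; for your own log, read the file dcdiag wrote into parse_dcdiag instead of SAMPLE_OUTPUT. Note the wrapped-result handling: when a mail client or Notepad has split a "passed test" line from its test name, the parser takes the next non-empty line as the name, which is what happened to OutboundSecureChannels in the output above.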