Re: SBS 2k3 and Windows 2k3 Server aren't replicating passwords.




mtrayne@xxxxxxxxx wrote:
On Jun 18, 6:14 pm, "kj" <k...@xxxxxxxxxxx> wrote:
mtra...@xxxxxxxxx wrote:
This morning at about 11am everyone who tried to go to our Intranet
site or the W2K3 share was prompted for a username and password. The
only thing that would get them through was resetting their passwords
on the W2K3 box.

As an experiment, if I changed a password on the W2K3 box (a
different pass from the SBS box), that account was completely
locked out from logging into the domain. If I changed it on SBS to
the same thing they were fine.

I used Replmon and replicated with Active Directory Sites and
Services and there doesn't seem to be any issues.

The events that seem related appear on the SBS box:

Event Type: Information
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1955
Date: 6/18/2007
Time: 11:01:04 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SBS1
Description:
Active Directory encountered a write conflict when applying
replicated changes to the following object.

Object:
CN=Marge Thomas (TRU),CN=Users,DC=truvo,DC=local
Time in seconds:
0

Event log entries preceding this entry will indicate whether or not
the update was accepted.

A write conflict can be caused by simultaneous changes to the same
object or simultaneous changes to other objects that have attributes
referencing this object. This commonly occurs when the object
represents a large group with many members, and the functional level
of the forest is set to Windows 2000. This conflict triggered
additional retries of the update. If the system appears slow, it
could be because replication of these changes is occurring.

User Action
Use smaller groups for this operation or raise the functional level
to Windows Server 2003.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

and

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083
Date: 6/18/2007
Time: 11:24:43 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SBS1
Description:
Active Directory could not update the following object with changes
received from the domain controller at the following network address
because Active Directory was busy processing information.

Object:
CN=Jessica Kim
(TRU),OU=SBSUsers,OU=Users,OU=MyBusiness,DC=truvo,DC=local
Network address:
21064b07-d8c1-46d6-a023-10199370447e._msdcs.truvo.local

This operation will be tried again later.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

These errors happen every time I change a password on the W2K3 server
(but are logged on the SBS server). I looked up these errors and
followed the trail, but got nowhere.

I have a group policy for my users so that they need to change their
passwords every 60 days. Recently some people who had been getting
the "nag message" to change suddenly stopped getting it.

A month ago, the W2K2 server was completely passive to the SBS box.
If you tried to log into the network when the SBS box was down, you
couldn't. There was a JRNL_WRAP_ERROR on the SBS box, which I
corrected and then everything was happy -- until recently.

Any ideas? I don't want to have to manually change the W2K3
passwords every time the sbs passwords expire.

Run DCdiag /c on each DC and repadmin /replsummary

(may need to install the support tools first)

--
/kj

Everything passed except for IsmServ on the SBS box. That doesn't seem
like a possible cause, but I'll look into it.


Domain Controller Diagnosis (SBS)

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\NEWMAN
Starting test: Connectivity
......................... NEWMAN passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\NEWMAN
Starting test: Replications
......................... NEWMAN passed test Replications
Starting test: Topology
......................... NEWMAN passed test Topology
Starting test: CutoffServers
......................... NEWMAN passed test CutoffServers
Starting test: NCSecDesc
......................... NEWMAN passed test NCSecDesc
Starting test: NetLogons
......................... NEWMAN passed test NetLogons
Starting test: Advertising
......................... NEWMAN passed test Advertising
Starting test: KnowsOfRoleHolders
......................... NEWMAN passed test
KnowsOfRoleHolders
Starting test: RidManager
......................... NEWMAN passed test RidManager
Starting test: MachineAccount
......................... NEWMAN passed test MachineAccount
Starting test: Services
IsmServ Service is stopped on [NEWMAN]
......................... NEWMAN failed test Services
Starting test: OutboundSecureChannels
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... NEWMAN passed test
OutboundSecureChannels
Starting test: ObjectsReplicated
......................... NEWMAN passed test
ObjectsReplicated
Starting test: frssysvol
......................... NEWMAN passed test frssysvol
Starting test: frsevent
......................... NEWMAN passed test frsevent
Starting test: kccevent
......................... NEWMAN passed test kccevent
Starting test: systemlog
......................... NEWMAN passed test systemlog
Starting test: VerifyReplicas
......................... NEWMAN passed test VerifyReplicas
Starting test: VerifyReferences
......................... NEWMAN passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... NEWMAN passed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
[NEWMAN] No security related replication errors were found on
this DC! To target the connection to a specific source DC use /
ReplSource:<DC>.
......................... NEWMAN passed test
CheckSecurityError

DNS Tests are running and not hung. Please wait a few minutes...

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test
CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test
CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test
CheckSDRefDom

Running partition tests on : truvo
Starting test: CrossRefValidation
......................... truvo passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... truvo passed test CheckSDRefDom

Running enterprise tests on : truvo.local
Starting test: Intersite
......................... truvo.local passed test Intersite
Starting test: FsmoCheck
......................... truvo.local passed test FsmoCheck
Starting test: DNS
Test results for domain controllers:

DC: newman.truvo.local
Domain: truvo.local


TEST: Dynamic update (Dyn)
Warning: Dynamic update is enabled on the zone but
not secure tru.local.

Summary of DNS test results:

Auth Basc Forw Del Dyn
RReg Ext

________________________________________________________________
Domain: truvo.local
newman PASS PASS PASS PASS WARN
PASS n/a

......................... truvo.local passed test DNS


Replication Summary Start Time: 2007-06-19 09:12:52



Beginning data collection for replication summary, this may take
awhile:

.....





Source DC largest delta fails/total %% error

EXCHANGE 04m:42s 0 / 5 0

NEWMAN 04m:42s 0 / 5 0





Destination DC largest delta fails/total %% error

EXCHANGE 04m:42s 0 / 5 0

NEWMAN 04m:42s 0 / 5 0



Domain Controller Diagnosis (Windows 2003)

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\EXCHANGE
Starting test: Connectivity
......................... EXCHANGE passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\EXCHANGE
Starting test: Replications
......................... EXCHANGE passed test Replications
Starting test: Topology
......................... EXCHANGE passed test Topology
Starting test: CutoffServers
......................... EXCHANGE passed test CutoffServers
Starting test: NCSecDesc
......................... EXCHANGE passed test NCSecDesc
Starting test: NetLogons
......................... EXCHANGE passed test NetLogons
Starting test: Advertising
......................... EXCHANGE passed test Advertising
Starting test: KnowsOfRoleHolders
......................... EXCHANGE passed test
KnowsOfRoleHolders
Starting test: RidManager
......................... EXCHANGE passed test RidManager
Starting test: MachineAccount
......................... EXCHANGE passed test MachineAccount
Starting test: Services
......................... EXCHANGE passed test Services
Starting test: OutboundSecureChannels
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... EXCHANGE passed test
OutboundSecureChannels
Starting test: ObjectsReplicated
......................... EXCHANGE passed test
ObjectsReplicated
Starting test: frssysvol
......................... EXCHANGE passed test frssysvol
Starting test: frsevent
......................... EXCHANGE passed test frsevent
Starting test: kccevent
......................... EXCHANGE passed test kccevent
Starting test: systemlog
......................... EXCHANGE passed test systemlog
Starting test: VerifyReplicas
......................... EXCHANGE passed test VerifyReplicas
Starting test: VerifyReferences
......................... EXCHANGE passed test
VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... EXCHANGE passed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
[EXCHANGE] No security related replication errors were found
on this DC! To target the connection to a specific source DC use /
ReplSource:<DC>.
......................... EXCHANGE passed test
CheckSecurityError

DNS Tests are running and not hung. Please wait a few minutes...

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test
CheckSDRefDom

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test
CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test
CheckSDRefDom

Running partition tests on : truvo
Starting test: CrossRefValidation
......................... truvo passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... truvo passed test CheckSDRefDom

Running enterprise tests on : truvo.local
Starting test: Intersite
......................... truvo.local passed test Intersite
Starting test: FsmoCheck
......................... truvo.local passed test FsmoCheck
Starting test: DNS
Test results for domain controllers:

DC: exchange.truvo.local
Domain: truvo.local


TEST: Dynamic update (Dyn)
Warning: Dynamic update is enabled on the zone but
not secure truvo.local.

Summary of DNS test results:

Auth Basc Forw Del Dyn
RReg Ext

________________________________________________________________
Domain: truvo.local
exchange PASS PASS PASS PASS WARN
PASS n/a

......................... truvo.local passed test DNS


Replication Summary Start Time: 2007-06-19 08:54:04



Beginning data collection for replication summary, this may take
awhile:

.....





Source DC largest delta fails/total %% error

EXCHANGE :25s 0 / 5 0

NEWMAN :25s 0 / 5 0





Destination DC largest delta fails/total %% error

EXCHANGE :25s 0 / 5 0

NEWMAN :25s 0 / 5 0


Looks good (Ismserv is normal for SBS).

Was the event log posting ">>> Computer: SBS1" a manual edit to disguise
the name of "NEWMAN"?



--
/kj
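
Added example, not part of the original thread: a small Python triage of `dcdiag` text output like the runs quoted above, which handles the mail-wrapped lines and also flags tests that report "passed" without having run. The sample input is constructed from lines in the post; the function name and status labels are assumptions of this example.

```python
import re

# Constructed sample shaped like the dcdiag output quoted in the post, including
# the mail-wrapped lines (test name or warning text pushed to the next line).
SAMPLE = """\
Starting test: KnowsOfRoleHolders
......................... NEWMAN passed test
KnowsOfRoleHolders
Starting test: Services
IsmServ Service is stopped on [NEWMAN]
......................... NEWMAN failed test Services
Starting test: OutboundSecureChannels
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... NEWMAN passed test
OutboundSecureChannels
Starting test: DNS
Warning: Dynamic update is enabled on the zone but
not secure truvo.local.
......................... truvo.local passed test DNS
"""

START = re.compile(r"Starting test:\s*(\S+)")
VERDICT = re.compile(r"\.{5,}\s*(\S+) (passed|failed) test\s*(\S*)")

def triage(text):
    """Return (target, test, status, detail) for every test that needs a look."""
    findings, current, detail = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == current:       # blank line, or a wrapped test name
            continue
        m = START.match(line)
        if m:
            current, detail = m.group(1), []  # new test: reset collected detail
            continue
        m = VERDICT.match(line)
        if not m:
            detail.append(line)               # message text belonging to this test
            continue
        target, verdict, name = m.groups()
        note = " ".join(detail)               # re-joins wrapped message lines
        status = ("FAILED" if verdict == "failed"
                  else "SKIPPED" if "Did not run" in note  # "passed" but never ran
                  else "WARNING" if "Warning:" in note else None)
        if status:
            findings.append((target, name or current, status, note))
        detail = []
    return findings
```

Feed it the saved output of `dcdiag /c` from each DC; whether a flagged item is expected on a given server remains a judgement call for the administrator.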

