Replication Issues - Event ID 1202 0x534 - gpotool gives sysvol mismatch - dcdiag and repadmin give error 1326 : Microsoft, Windows Server, Windows Server 2000, Replication Issues

May 17, 2008 10:53am pdt

1. KCTS 61,865
2. Chris-Dent 26,475
3. toniur 19,625
4. PlaceboC6 17,400
5. oBdA 16,450
6. leew 16,099
7. RobWill 13,236
8. ebjers 13,200
9. Shift-3 12,500
10. Netman66 11,575
11. lnkevin 10,000
12. tsmvp 9,920
13. Paka 9,868
14. rindi 9,750
14. mattee76 9,750

1. KCTS 257,106
2. oBdA 76,061
3. Sembee 75,401
4. leew 68,363
5. Chris-Dent 65,570
6. Jay_Jay70 64,769
7. toniur 56,312
8. RobWill 43,521
9. LauraEHu... 41,593
10. Shift-3 35,400
11. MrHusy 29,575
12. sirbounty 29,524
13. rindi 28,216
14. Netman66 25,005
15. andyalder 24,700

02.13.2008 at 02:29PM PST, ID: 23161402

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.2

Replication Issues - Event ID 1202 0x534 - gpotool gives sysvol mismatch - dcdiag and repadmin give error 1326

Zones: Windows 2000 Server, Server, Windows 2000 Active Directory

Tags: Microsoft, Windows Server, Windows Server 2000, Replication Issues

Hi Experts,

We are having replication issues between our 3 DCs which is causing various issues with our 4 Exchange Servers. All the DCs and Exchange Servers are in different states, but they are all in 1 single domain, 2k.network.com. Examples of problems are: certain mailboxes stop working and wont receive mail, new AD accounts arent showing up on some Exchange Servers, unable to move some mailboxes between Exchange Servers, etc. The problem appears to be rooted at the schema master which is also the main Exchange Server called D2 running Windows 2000 Advanced Server. D2 is getting in the Application Log every 5 minutes this warning:

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
User: N/A
Computer: D2
Description: Security policies are propagated with warning. 0x534: No mapping between account names and security IDs was done.

I found Microsoft KB 324383 Troubleshooting SCECLI 1202 Events under the section 0x534: No mapping between account names and security IDs was done. After following step 1 and 2 (creating the ExtensionDebugLevel value and refreshing the policy settings), we type the following and receive:

C:\>find /i "cannot find" %systemroot%\security\logs\winlogon.log

---------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
Cannot find NetShowServices.
Cannot find NetShowServices.
Cannot find NetShowServices.

C:\>find /i "netshowservices" %systemroot%\security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF
SeServiceLogonRight = NetShowServices,*S-1-5-32-544,*S-1-5-21-746137067-77656174
1-839522115-1108,*S-1-5-21-746137067-776561741-839522115-500

So NetShowServices is the problem account in the Log on as a service policy.

When I go to Administrative Tools > Local Security Settings > Security Settings > Local Policies > User Rights Assignment > open Log on as a service policy, NetShowServices has an Effective Policy Setting that is checked and greyed out.

To find out more information about the problem policy, I type:

C:\>gpotool /verbose
Domain: 2k.network.com
Validating DCs...
D1.2k.network.com: OK
C1.2k.network.com: OK
D2.2k.network.com: OK
Available DCs:
D1.2k.network.com
C1.2k.network.com
D2.2k.network.com
Searching for policies...
Found 2 policies
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
gpotool: e ERROR: Err: Size different between system.adm
Error: D1.2k.network.com - C1.2k.network.com sysvol mismatch
Details:
------------------------------------------------------------
DC: D1.2k.network.com
Friendly name: Default Domain Policy
Created: 9/18/2002 5:38:40 PM
Changed: 10/25/2006 10:48:57 PM
DS version: 1(user) 57(machine)
Sysvol version: 1(user) 57(machine)
Flags: 0
User extensions: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D
-00C04FA372D4}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A
28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D
0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-
00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: C1.2k.network.com
Friendly name: Default Domain Policy
Created: 9/18/2002 5:38:40 PM
Changed: 10/25/2006 10:46:33 PM
DS version: 1(user) 57(machine)
Sysvol version: 1(user) 57(machine)
Flags: 0
User extensions: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D
-00C04FA372D4}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A
28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D
0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-
00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: D2.2k.network.com
Friendly name: Default Domain Policy
Created: 9/18/2002 5:38:40 PM
Changed: 10/25/2006 10:46:27 PM
DS version: 1(user) 57(machine)
Sysvol version: 1(user) 57(machine)
Flags: 0
User extensions: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D
-00C04FA372D4}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A
28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D
0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-
00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Error: Version mismatch on D2.2k.network.com, DS=64, sysvol=62
Details:
------------------------------------------------------------
DC: D1.2k.network.com
Friendly name: Default Domain Controllers Policy
Created: 9/18/2002 5:38:40 PM
Changed: 3/13/2007 8:43:21 PM
DS version: 0(user) 62(machine)
Sysvol version: 0(user) 62(machine)
Flags: 0
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A
0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: C1.2k.network.com
Friendly name: Default Domain Controllers Policy
Created: 9/18/2002 5:38:40 PM
Changed: 2/11/2008 9:57:02 PM
DS version: 0(user) 64(machine)
Sysvol version: 0(user) 64(machine)
Flags: 0
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A
0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: D2.2k.network.com
Friendly name: Default Domain Controllers Policy
Created: 9/18/2002 5:38:40 PM
Changed: 2/11/2008 9:53:01 PM
DS version: 0(user) 64(machine)
Sysvol version: 0(user) 62(machine)
Flags: 0
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A
0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------

Errors found

The friendly name is not appearing because of the Error: Version mismatch on D2.2k.network.com, DS=64, sysvol=62

Im guessing the sysvol mismatch may be a result of the replication problem. So I ran the following:

C:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\D2
Starting test: Connectivity
......................... D2 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\D2
Starting test: Replications
[Replications Check,D2] A recent replication attempt failed:
From D1 to D2
Naming Context: CN=Schema,CN=Configuration,DC=2k,DC=network,DC=c
om
The replication generated an error (1326):
Logon failure: unknown user name or bad password.
The failure occurred at 2008-02-13 11:55.03.
The last success occurred at 2008-01-27 22:56.21.
363 failures have occurred since the last success.
Kerberos Error.
The machine account is not present, or does not match on the.
destination, source or KDC servers.
Verify domain partition of KDC is in sync with rest of enterprise.
The tool repadmin/syncall can be used for this purpose.
[Replications Check,D2] A recent replication attempt failed:
From D1 to D2
Naming Context: CN=Configuration,DC=2k,DC=network,DC=com
The replication generated an error (1326):
Logon failure: unknown user name or bad password.
The failure occurred at 2008-02-13 11:55.03.
The last success occurred at 2008-01-27 22:56.21.
363 failures have occurred since the last success.
Kerberos Error.
The machine account is not present, or does not match on the.
destination, source or KDC servers.
Verify domain partition of KDC is in sync with rest of enterprise.
The tool repadmin/syncall can be used for this purpose.
[Replications Check,D2] A recent replication attempt failed:
From D1 to D2
Naming Context: DC=2k,DC=network,DC=com
The replication generated an error (1326):
Logon failure: unknown user name or bad password.
The failure occurred at 2008-02-13 11:55.03.
The last success occurred at 2008-01-27 22:56.21.
363 failures have occurred since the last success.
Kerberos Error.
The machine account is not present, or does not match on the.
destination, source or KDC servers.
Verify domain partition of KDC is in sync with rest of enterprise.
The tool repadmin/syncall can be used for this purpose.
......................... D2 passed test Replications
Starting test: NCSecDesc
......................... D2 passed test NCSecDesc
Starting test: NetLogons
......................... D2 passed test NetLogons
Starting test: Advertising
......................... D2 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... D2 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... D2 passed test RidManager
Starting test: MachineAccount
......................... D2 passed test MachineAccount
Starting test: Services
......................... D2 passed test Services
Starting test: ObjectsReplicated
......................... D2 passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... D2 passed test frssysvol
Starting test: kccevent
......................... D2 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x80001774
Time Generated: 02/13/2008 12:12:12
Event String: A driver packet received from the I/O subsystem
An Error Event occured. EventID: 0x80001774
Time Generated: 02/13/2008 12:12:07
Event String: A driver packet received from the I/O subsystem
......................... D2 failed test systemlog

Running enterprise tests on : 2k.network.com
Starting test: Intersite
......................... 2k.network.com passed test Intersite
Starting test: FsmoCheck
......................... 2k.network.com passed test FsmoCheck

I also ran repadmin /showreps:

C:\>repadmin /showreps
Default-First-Site-Name\D2
DSA Options : IS_GC
objectGuid : 425a32e2-2e0c-4828-af82-b509a2715a12
invocationID: ee4b41f8-9fc4-479b-8c1d-919f04b2824e

==== INBOUND NEIGHBORS ======================================

CN=Schema,CN=Configuration,DC=2k,DC=network,DC=com
Default-First-Site-Name\C1 via RPC
objectGuid: 19ec1769-6ab5-4464-973c-856da2414e70
Last attempt @ 2008-02-13 11:55.03 was successful.
Default-First-Site-Name\D1 via RPC
objectGuid: 9526741d-927b-42de-a9e5-b11ae75c5929
Last attempt @ 2008-02-13 11:55.03 failed, result 1326:
Logon failure: unknown user name or bad password.
Last success @ 2008-01-27 22:56.21.
363 consecutive failure(s).

CN=Configuration,DC=2k,DC=network,DC=com
Default-First-Site-Name\D1 via RPC
objectGuid: 9526741d-927b-42de-a9e5-b11ae75c5929
Last attempt @ 2008-02-13 11:55.03 failed, result 1326:
Logon failure: unknown user name or bad password.
Last success @ 2008-01-27 22:56.21.
363 consecutive failure(s).
Default-First-Site-Name\C1 via RPC
objectGuid: 19ec1769-6ab5-4464-973c-856da2414e70
Last attempt @ 2008-02-13 12:26.58 was successful.

DC=2k,DC=network,DC=com
Default-First-Site-Name\D1 via RPC
objectGuid: 9526741d-927b-42de-a9e5-b11ae75c5929
Last attempt @ 2008-02-13 11:55.03 failed, result 1326:
Logon failure: unknown user name or bad password.
Last success @ 2008-01-27 22:56.21.
363 consecutive failure(s).
Default-First-Site-Name\C1 via RPC
objectGuid: 19ec1769-6ab5-4464-973c-856da2414e70
Last attempt @ 2008-02-13 12:23.39 was successful.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

CN=Schema,CN=Configuration,DC=2k,DC=network,DC=com
Default-First-Site-Name\D1 via RPC
objectGuid: 9526741d-927b-42de-a9e5-b11ae75c5929
Default-First-Site-Name\C1 via RPC
objectGuid: 19ec1769-6ab5-4464-973c-856da2414e70

CN=Configuration,DC=2k,DC=network,DC=com
Default-First-Site-Name\D1 via RPC
objectGuid: 9526741d-927b-42de-a9e5-b11ae75c5929
Default-First-Site-Name\C1 via RPC
objectGuid: 19ec1769-6ab5-4464-973c-856da2414e70

DC=2k,DC=network,DC=com
Default-First-Site-Name\D1 via RPC
objectGuid: 9526741d-927b-42de-a9e5-b11ae75c5929
Default-First-Site-Name\C1 via RPC
objectGuid: 19ec1769-6ab5-4464-973c-856da2414e70

dcdiag and repadmin both showed Error 1326. So I found a Knowledge Base article on this error: Microsoft KB 892426 - Replication error message 1326 and event message ID 1265 "Unknown user name or bad password" on Windows 2000.

The problem with this article and all the other articles I found is we dont have more than one domain. We just have the one domain. And we dont receive the Event ID 1265 in the Directory Service Event Log or any other Log like the article says we should. We do receive an Event that the article mentions:

Event ID: 63
Source: W32Time
Description:
The time service cannot provide secure (signed) time to client IP because the attempt to validate its computer account failed with error 1317. Falling back to insecure (unsigned) time for this client.

Does anyone know how we can solve our replication problem? Any help is appreciated.

Thank you,
Ryan

Start your free trial to view this solution

Question Stats

Zone: OS

Question Asked By: TheNewLobo

Solution Provided By: Chris-Dent

Participating Experts: 1

Solution Grade: B

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

02.14.2008 at 04:21AM PST, ID: 20892672

Rank: Guru

Chris-Dent:

It all seems to point back to the computer account. Does that account even exist?

Chris

02.14.2008 at 08:43AM PST, ID: 20894868

TheNewLobo:

Hi Chris, sorry for the delay in responding. Are you referring to the Administrator account? We use two, the standard built-in Administrator account and another created Administrator account. Both accounts do exist in active directory on the schema master D2 and appear to be normal. D2 uses the created Administrator account. Thank you for your response, please let me know if you need anymore information or want me to try anything.

Ryan

02.14.2008 at 09:16AM PST, ID: 20895148

Rank: Guru

Chris-Dent:

Nope, to the computer account. Hopefully one exists and is in the Domain Controllers OU?

Chris

02.14.2008 at 10:12AM PST, ID: 20895653

TheNewLobo:

Chris, sorry. There is a computer account for D2 in the Domain Controllers OU on all the Domain Controllers including D2.

Thank you,
Ryan

02.14.2008 at 10:56AM PST, ID: 20896037

Rank: Guru

Chris-Dent:

Hmmm....

There's a knowledge base article that will let you reset the Win 2000 Domain Controllers password on the domain (for the Computer Account). I feel this may work towards solving the problem... But...

I have serious reservations about recommending you run this against a DC which is also running Exchange.

I'm tempted to advise you contact Microsoft Product Support Services prior to doing any of this and make sure they agree that it's the correct course of action (or see if they can advise on what is the correct course).

The downside to that, as always, is they'll charge you for it. But you may consider that to be worthwhile.

If you consider the risk worthwhile then here's the KB article:

http://support.microsoft.com/kb/260575

Chris

Accepted Solution

02.14.2008 at 11:00AM PST, ID: 20896065

TheNewLobo:

Chris, thank you. I will try them and let you know how that goes.

Thank you,
Ryan

02.14.2008 at 11:20AM PST, ID: 20896253

Rank: Guru

Chris-Dent:

Good luck, sorry I can't help further, it really wouldn't do to break your Exchange system.

Chris

TheNewLobo

02.25.2008 at 03:37PM PST, ID: 20980376

Thank you for your help Chris, I contacted Microsoft Tech Support and they solved the problems. There were two separate problems: 1. For the 1202 Event ID message they removed the "NetShowServices" account in the "Log on as a service" policy. It wasn't required to be there. 2. The replication problems were caused because the Windows Time service some how got disabled on one of the DCs. After starting the service, it fixed the replication problems and all the other symptoms we were experiencing.

Ryan

20080236-EE-VQP-29 / EE_QW_2_20070628