septje
asked on
Promoting a new server to be the second Domain Controller on the domain causes a "Replication Access was denied." message.
An active directory domain currently has one domain controller "BANANA". I am trying to create a second domain controller so I can have some redundancy on the network.
I built a new server up, added it to the domain successfully, rebooted, then attempted a DCPROMO. It asks me for my auth info, domain name, NTDS path etc, and when it attempts to replicate the domain to the new server, it fails with the following error message.
The operation failed because: Active Directory could not replicate the directory partition CN=Schema,CN=Configuration,DC={domain controller name removed},DC=qld,DC=edu,DC=au from the remote domain controller banana.{domain controller name removed}.qld.edu.au. "Replication access was denied."
The DCPROMO process creates an entry in the Default-first-site-name in "Sites and Services", but it has no NTDS information.
I performed a DCDIAG /V /C /E and the only failure is:
Starting test: VerifyReplicas
This NC (DC=DomainDnsZones,DC={domain controller name removed},DC=qld,DC=edu,DC=au) is supposed to be replicated to this server, but has not been replicated yet. This could be because the replica set changes haven't replicated here yet. If this problem persists, check replication of the Configuration Partition to this server.
This NC (DC=ForestDnsZones,DC={domain controller name removed},DC=qld,DC=edu,DC=au) is supposed to be replicated to this server, but has not been replicated yet. This could be because the replica set changes haven't replicated here yet. If this problem persists, check replication of the Configuration Partition to this server.
......................... BANANA failed test VerifyReplicas
This is odd because there isn't another domain controller to replicate to.
I am walking into this mess having never seen or had anything to do with this domain before, so I am desperate for some advice.
What credentials do you provide? Enterprise Admin or Domain Admin of your subdomain?
ASKER
Enterprise admin AND Domain Admin. I'm using the default administrator account which is a member of both Enterprise Admins and Domain Admins.
SOLUTION
ASKER
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\BANANA
Starting test: Connectivity
......................... BANANA passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\BANANA
Starting test: CheckSecurityError
[BANANA] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... BANANA passed test CheckSecurityError
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : {Domain NETBIOS Name remove for security}
Running enterprise tests on : {Domain Name remove for security}
All the tests on that technet article it says to perform pass successfully.
I have also performed an integrity check on the domain, as well as performing an Offline defragmentation in order to try and rectify this problem.
I was told by the previous admin that it's possible the system drive may have become full at some stage, so the possibility of a corrupted AD is likely. But all the tests I've performed seem to indicate otherwise.
It's frustrating because it is the ONLY domain controller. If there was a backup, it would be so easy to fix.
ASKER
There are some interesting ones. But they seem to indicate what the first error was showing.
The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address.
-----Event Log Entry 1-----
Directory partition:
CN=Schema,CN=Configuration,DC={FQDN removed for security},DC=qld,DC=edu,DC=au
Network address:
6afab99c-6e26-464a-975f-f58f105218bc._msdcs.{FQDN removed for security}.qld.edu.au
Extended request code:
0
Additional Data
Error value:
8453 Replication access was denied.
----- Event Log Entry 2 ------
The local domain controller could not disable the software-based disk write cache on the following hard disk.
Hard disk:
c:
Data might be lost during system failures.
----- Event Log Entry 3 -----
Internal error: An Active Directory error has occurred.
Additional Data
Error value (decimal):
1053
Error value (hex):
41d
Internal ID:
30004f4
Regarding write cache: http://support.microsoft.com/kb/233541/en-us
ASKER
I tried both resetting the secure channel password and checking the Domain Controllers properties in ADSIEDIT as the KB article suggested and it still didn't work. I try to do a DCPROMO on the server and it still fails.
My domain is in 2003 Native mode btw.
Have a look at %systemroot%\debug\dcpromo.log
Maybe there are other warnings/errors before the security error.
Verify that the Admin account for joining isn't locked and the password has not expired...
ASKER
The admin account isn't locked
dcpromoui 1064.1140 0422 Calling DsRoleDcAsReplica
dcpromoui 1064.1140 0423 lpServer : (null)
dcpromoui 1064.1140 0424 lpDnsDomainName : {Domain Name Hidden for Security}
dcpromoui 1064.1140 0425 lpReplicaServer : (null)
dcpromoui 1064.1140 0426 lpSiteName : (null)
dcpromoui 1064.1140 0427 lpDsDatabasePath : C:\WINDOWS\NTDS
dcpromoui 1064.1140 0428 lpDsLogPath : C:\WINDOWS\NTDS
dcpromoui 1064.1140 0429 lpRestorePath : (null)
dcpromoui 1064.1140 042A lpSystemVolumeRootPath : C:\WINDOWS\SYSVOL
dcpromoui 1064.1140 042B lpAccount : {Domain Name Hidden for Security}\administrator
dcpromoui 1064.1140 042C Options : 0xC0
dcpromoui 1064.1140 042D Enter DoProgressLoop
dcpromoui 1064.1140 042E Enter State::GetOperation REPLICA
dcpromoui 1064.1140 042F Enter ProgressDialog::UpdateButton
dcpromoui 1064.1140 0430 Enter ProgressDialog::UpdateButton Cancel
dcpromoui 1064.1140 0431 Enter ProgressDialog::UpdateText Stopping service NETLOGON
dcpromoui 1064.1140 0432 Enter ProgressDialog::UpdateText Configuring the local domain controller to host Active Directory
dcpromoui 1064.1140 0433 Enter ProgressDialog::UpdateText Replicating the schema directory partition
dcpromoui 1064.1140 0434 Enter ProgressDialog::UpdateText The attempted domain controller operation has completed
dcpromoui 1064.1140 0435 Enter ProgressDialog::UpdateButton
dcpromoui 1064.1140 0436 Progress loop complete.
dcpromoui 1064.1140 0437 Calling DsRoleGetDcOperationResults
dcpromoui 1064.1140 0438 Error 0x0 (!0 => error)
dcpromoui 1064.1140 0439 Operation results:
dcpromoui 1064.1140 043A OperationStatus : 0x2105 !0 => error
dcpromoui 1064.1140 043B DisplayString : Active Directory could not replicate the directory partition CN=Schema,CN=Configuration,DC={Domain Name Hidden for Security},DC=qld,DC=edu,DC=au from the remote domain controller banana.{Domain Name Hidden for Security}.qld.edu.au.
dcpromoui 1064.1140 043C ServerInstalledSite : (null)
dcpromoui 1064.1140 043D OperationResultsFlags: 0x0
dcpromoui 1064.1140 043E Enter ProgressDialog::UpdateText Active Directory could not replicate the directory partition CN=Schema,CN=Configuration,DC={Domain Name Hidden for Security},DC=qld,DC=edu,DC=au from the remote domain controller banana.princeofpeace.qld.edu.au.
dcpromoui 1064.1140 043F Enter State::SetOperationResults Message Active Directory could not replicate the directory partition CN=Schema,CN=Configuration,DC={Domain Name Hidden for Security},DC=qld,DC=edu,DC=au from the remote domain controller banana.{Domain Name Hidden for Security}.qld.edu.au.
dcpromoui 1064.1140 0440 Enter State::SetOperationResults Flags 0x0
dcpromoui 1064.1140 0441 Exception caught
dcpromoui 1064.1140 0442 catch completed
dcpromoui 1064.1140 0443 handling exception
dcpromoui 1064.1140 0444 Enter State::ClearHiddenWhileUnattended
dcpromoui 1064.1140 0445 Enter State::GetRunContext NT5_MEMBER_SERVER
dcpromoui 1064.1140 0446 Enter State::GetRunContext NT5_MEMBER_SERVER
dcpromoui 1064.1140 0447 Enter EnableConsoleLocking
dcpromoui 1064.1140 0448 Enter RegistryKey::Create SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
dcpromoui 1064.1140 0449 Enter RegistryKey::SetValue-DWORD DisableLockWorkstation
dcpromoui 1064.1140 044A Enter State::SetOperationResults result FAILURE
dcpromoui 1064.1140 044B Enter ProgressDialog::UpdateText
dcpromoui 1064.1140 044C Enter State::IsOperationRetryAllowed
dcpromoui 1064.1140 044D true
dcpromoui 1064.1140 044E Enter GetErrorMessage 80072105
dcpromoui 1064.1140 044F Enter State::GetOperationResults Message Active Directory could not replicate the directory partition CN=Schema,CN=Configuration,DC={Domain Name Hidden for Security},DC=qld,DC=edu,DC=au from the remote domain controller banana.princeofpeace.qld.edu.au.
dcpromoui 1064.1140 0450 Enter Dialog::ModalExecute
dcpromoui 1064.1140 0451 Enter GetCredentialsDialog::OnInit
dcpromoui 1064.1140 0452 Enter Computer::GetNetbiosName
dcpromoui 1064.1140 0453 JUPITER
dcpromoui 1064.1140 0454 Enter Computer::IsJoinedToDomain JUPITER
dcpromoui 1064.1140 0455 is domain joined
dcpromoui 1064.1140 0456 Enter State::GetOperation REPLICA
dcpromoui 1064.1140 0457 Enter GetCredentialMessage
dcpromoui 1064.1140 0458 Enter State::GetOperation REPLICA
dcpromoui 1064.1140 0459 Enter State::GetReplicaDomainDNSName {Domain Name Hidden for Security}.qld.edu.au
dcpromoui 1064.1140 045A Enter State::GetUserDomainName {Domain Name Hidden for Security}.qld.edu.au
dcpromoui 1064.1140 045B Enter State::GetUsername administrator
dcpromoui 1064.1140 045C Enter CredUi::SetUsername
dcpromoui 1064.1140 045D Enter State::GetPassword
dcpromoui 1064.1140 045E Enter CredUi::SetPassword
dcpromoui 1064.1140 045F credential retry canceled
dcpromoui 1064.1140 0460 Enter ComposeFailureMessage
dcpromoui 1064.1140 0461 Enter State::GetOperationResults Message Active Directory could not replicate the directory partition CN=Schema,CN=Configuration,DC={Domain Name Hidden for Security},DC=qld,DC=edu,DC=au from the remote domain controller banana.princeofpeace.qld.edu.au.
dcpromoui 1064.1140 0462 Enter State::GetOperationResults Flags 0x0
dcpromoui 1064.1140 0463 Enter State::SetFailureMessage The operation failed because:
Active Directory could not replicate the directory partition CN=Schema,CN=Configuration,DC={Domain Name Hidden for Security},DC=qld,DC=edu,DC=au from the remote domain controller banana.{Domain Name Hidden for Security}.qld.edu.au.
"Replication access was denied."
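An added Python helper, not from this thread, that reads the dcpromoui log format posted above (including the multi-line SetFailureMessage entry), reports the first non-zero OperationStatus and decodes the 0x8007xxxx HRESULT that GetErrorMessage is handed, so the 0x2105 in dcpromo.log and the 8453 in the event log are recognised as the same Win32 code, ERROR_DS_DRA_ACCESS_DENIED. The sample lines are constructed from the excerpt with a placeholder domain.

```python
import re
# Constructed sample in the dcpromoui log format from the thread above;
# sequence numbers and codes follow the excerpt, the domain is a placeholder.
SAMPLE_LOG = """\
dcpromoui 1064.1140 0422 Calling DsRoleDcAsReplica
dcpromoui 1064.1140 0433 Enter ProgressDialog::UpdateText Replicating the schema directory partition
dcpromoui 1064.1140 0438 Error 0x0 (!0 => error)
dcpromoui 1064.1140 043A OperationStatus : 0x2105 !0 => error
dcpromoui 1064.1140 043B DisplayString : Active Directory could not replicate the directory partition CN=Schema,CN=Configuration,DC=example,DC=qld,DC=edu,DC=au from the remote domain controller banana.example.qld.edu.au.
dcpromoui 1064.1140 044E Enter GetErrorMessage 80072105
dcpromoui 1064.1140 0463 Enter State::SetFailureMessage The operation failed because:
Active Directory could not replicate the directory partition CN=Schema,CN=Configuration,DC=example,DC=qld,DC=edu,DC=au from the remote domain controller banana.example.qld.edu.au.
"Replication access was denied."
"""

# Each entry: "dcpromoui <pid>.<tid> <hex seq> <message>"; other lines continue the previous message.
LINE_RE = re.compile(r"^dcpromoui\s+(\d+)\.(\d+)\s+([0-9A-Fa-f]+)\s+(.*)$")

# Win32 codes (winerror.h names) that show up in failed promotions and in this thread.
WIN32_NAMES = {
    5: "ERROR_ACCESS_DENIED",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
    8453: "ERROR_DS_DRA_ACCESS_DENIED (Replication access was denied)",
}

def parse_log(text):
    """Return (seq, message) pairs, folding continuation lines into the preceding entry."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(3), 16), m.group(4)))
        elif entries and line.strip():
            seq, msg = entries[-1]
            entries[-1] = (seq, msg + " " + line.strip())
    return entries

def hresult_to_win32(hr):
    """Invert HRESULT_FROM_WIN32: failure bit set and facility 7 means the low 16 bits are a Win32 code."""
    hr &= 0xFFFFFFFF
    if hr & 0x80000000 and (hr >> 16) & 0x1FFF == 7:
        return hr & 0xFFFF
    return None

def find_failure(text):
    """Locate the first non-zero status in the log and the DisplayString that explains it."""
    result = {"seq": None, "code": None, "name": None, "message": None}
    for seq, msg in parse_log(text):
        m = re.match(r"(?:OperationStatus\s*:\s*|Error\s+)0x([0-9A-Fa-f]+)", msg)
        if m and result["code"] is None and int(m.group(1), 16) != 0:
            result["seq"], result["code"] = seq, int(m.group(1), 16)
        m = re.match(r"Enter GetErrorMessage ([0-9A-Fa-f]{8})$", msg)
        if m and result["code"] is None:  # fall back to the HRESULT the UI formats
            result["seq"], result["code"] = seq, hresult_to_win32(int(m.group(1), 16))
        m = re.match(r"DisplayString\s*:\s*(.+)", msg)
        if m and result["message"] is None:
            result["message"] = m.group(1)
    if result["code"] is not None:
        result["name"] = WIN32_NAMES.get(result["code"], "unknown Win32 error")
    return result
```

Run it over the real %systemroot%\debug\dcpromo.log to see whether any non-zero status precedes the 0x2105, which is the check suggested above.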
Running out of ideas... it looks like a typical permission problem, but you say the Admin account is okay and has all permissions but it doesn't work...
So maybe just create a new account, add it to the required groups (Domain Admin, Enterprise Admin, etc.) and use this one for joining...
Or check if any weird Group Policy is removing required permissions/user rights from the admin account you're using...
Also someone might have messed with the permissions on your active directory. I'd expect some serious error events on your dc, if that's the case... but who knows.
ASKER
Yeah checked all that..
Thanks for your help. It's been driving me nuts for two days. I think I'm resigned to the outcome that I'm going to have to rebuild the domain. I don't mind doing that, it's just a few extra days' work I'd hoped to avoid. Oh well. At least this way I will know the domain is built properly :)
Most of the KB articles I read said if it got to this point, you're better off rebuilding the domain anyway, so I think it's the best thing I can do.
ASKER CERTIFIED SOLUTION
ASKER
Nup. There's no metadata relevant on the server. It's only aware of itself from any reference I can find.
ASKER
From what I can see, it seems as though this domain was once part of a forest that it no longer has access to. Hence why the schema catalogs won't replicate. They simply aren't there.