Crafu
Active Directory Replication and DNS Problems

Hi there,
I've been having some nasty looking error logs for a while and it seems to be gradually getting worse.
Our current setup is as follows:

Two Windows 2000 Advanced Server machines called AD1 and AD2.
These should be set up to replicate to and from each other.
Currently AD1 has the following error logs:

App Log:
Error SceCli 1202 repeated every 5mins
Security policies are propagated with warning. 0x4b8 : An extended error has occurred.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202s".

Directory Service:
Error  NTDS Replication 1084
Replication error: The directory replication agent (DRA) couldn't update object CN=D5334BA0F6094637B74D1936F1151632,CN=VolumeTable,CN=FileLinks,CN=System,DC=xxxxx,DC=co,DC=uk (GUID 5dea3400-5113-45ec-8b5a-6eaa55b05ad9) on this system with changes which have been received from source server ced2d5b7-a279-450c-9c44-b37a4c3b8f03._msdcs.xxxxx.co.uk. An error occurred during the application of the changes to the directory database on this system.
 
 The error message is:
 The replication operation encountered a database error.
 
 The directory will try to update the object later on the next replication cycle. Synchronization of this server with the source is effectively blocked until the update problem is corrected.
 If this condition appears to be related to a resource shortage, please stop and restart this Windows Domain Controller.
 If this condition is an internal error, a database error, or an object relationship or constraint error, manual intervention will be required to correct the database and allow the update to proceed.  It is valuable to note that the problem is caused by the fact that the change on the remote system cannot be applied locally. Manually updating the objects on the local system in not recommended. Instead, on the source system (which has the changes already), try to reverse or back out the change.  Then, on the next replication cycle, observe whether the change can now be applied locally.
 The record data is the status code.

Error NTDS KCC 1014
The replication topology update task terminated abnormally with code e0010001.

Error NTDS KCC 1130
The automatic topology generator was unable to complete the topology for site CN=XXXXX,CN=Sites,CN=Configuration,DC=XXXX,DC=co,DC=uk, error code 7, and internal id f08028f.

DNS Log:
Error DNS 4011
The DNS server was unable to add or write an update of domain name XXXXX in zone letts.co.uk to the Active Directory.  Check that the Active Directory is functioning properly and add or update this domain name using the DNS console. The event data contains the error.

Error DNS 4015
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The event data contains the error.

Error DNS 9999
The DNS server has encountered numerous run-time events.  These are usually caused by the reception of bad or unexpected packets, or from problems with or excessive replication traffic.  The data is the number of suppressed events encountered in the last 15 minute interval.

Error DNS 3000
The DNS server is logging numerous run-time events.  For information about these events, see previous DNS Server event log entries.  To prevent the DNS Server from clogging server logs, further logging of this event and other events with higher Event IDs will now be suppressed.


FRS:
Error NTFRS 13508
 
 [1] FRS can not correctly resolve the DNS name ad2.co.uk from this computer.
 [2] FRS is not running on ad2.co.uk.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.


AD2 has the following:
App Log:
SceCli 1202
ESENT 454

Directory Service:
Error  NTDS ISAM 701

FRS:
Error NTFRS 13568

I've also noticed the following on AD1, under Local Security Settings it displays: Windows cannot open the local policy database. An unknown error occurred when attempting to open the database.
AND on AD2 under the same setting it says:
Windows cannot open the local policy database. Access to database has been denied.

So far I've tried to flush the DNS etc but no joy.
Any pointers where I should start looking?
Thanks in advance,
Craig

Pber

Sounds like you have DNS issues.

Run a DCDiag on both your DCs and look for errors.
Run a NetDiag on both your DCs and look for errors.


Make AD1 point to itself for DNS in its TCP/IP properties
Make AD2 point to AD1 for DNS in its TCP/IP properties
Make sure the DHCP Client service is running on both DCs (this service is responsible for registering the SRV records).

Do an IPCONFIG /REGISTERDNS from the command line.
Now restart the Netlogon service on both machines one at a time.  This will cause the DCs to register their DNS SRV records.



Make sure your time is synchronized properly between the DCs.
Crafu (asker)
Thanks for getting back to me.
I've carried out the instructions above and here's the log results for both machines:

AD1
OK DCDiag:
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: AD1
      Starting test: Connectivity
         ......................... AD1 passed test Connectivity

Doing primary tests

   Testing server: AD1
      Starting test: Replications
         .........................AD1 passed test Replications
      Starting test: NCSecDesc
         ......................... AD1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... AD1 passed test NetLogons
      Starting test: Advertising
         ......................... AD1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... AD1 passed test KnowsOfRoleHo
      Starting test: RidManager
         ......................... AD1 passed test RidManager
      Starting test: MachineAccount
         ......................... AD1 passed test MachineAccoun
      Starting test: Services
         ......................... AD1 passed test Services
      Starting test: ObjectsReplicated
         ......................... AD1 passed test ObjectsReplic
      Starting test: frssysvol
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... AD1 passed test frssysvol
      Starting test: kccevent
         ......................... AD1 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC000271A
            Time Generated: 07/19/2007   17:02:32
            Event String: The server {5A5AA0AA-1DEB-4683-96B0-B43301E
         An Error Event occured.  EventID: 0xC000000F
            Time Generated: 07/19/2007   17:05:54
            Event String: No adapter is configured to be the default
         An Error Event occured.  EventID: 0xC0001B6F
            Time Generated: 07/19/2007   17:06:21
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0040066
            Time Generated: 07/19/2007   17:07:02
            Event String: Unable to register COM class objects.
         ......................... AD1 failed test systemlog

   Running enterprise tests on : AD1.xxxx.co.uk
      Starting test: Intersite
         .........................AD1.xxxx.co.uk passed test Intersite
      Starting test: FsmoCheck
         ......................... AD1.xxxx.co.uk passed test FsmoCheck


........................................

    Computer Name: AD1
    DNS Host Name: ad1.xxxx.co.uk
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel
    List of installed hotfixes :

Deleted for space      


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : onboard ip.25 1GB

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : ad1.xxxx.co.uk
        IP Address . . . . . . . . : 192.9.200.25
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.9.200.202
        Primary WINS Server. . . . : 192.9.200.25
        Dns Servers. . . . . . . . : 192.9.200.137
                                     192.9.200.25


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{8EAE1141-DF77-4230-81A9-4FFA76EDAB33}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.9.200.13
7' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '192.9.200.25
' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{8EAE1141-DF77-4230-81A9-4FFA76EDAB33}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{8EAE1141-DF77-4230-81A9-4FFA76EDAB33}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC 'ad2.xxxx.co.uk'.
    [WARNING] Failed to query SPN registration on DC 'ad1.xxxx.co.uk'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.


The command completed successfully


AD2
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: AD2
      Starting test: Connectivity
         ......................... AD2 passed test Connectivity

Doing primary tests

   Testing server: AD2
      Starting test: Replications
         ......................... AD2 passed test Replications
      Starting test: NCSecDesc
         ......................... AD2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... AD2 passed test NetLogons
      Starting test: Advertising
         ......................... AD2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... AD2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... AD2 passed test RidManager
      Starting test: MachineAccount
         ......................... AD2 passed test MachineAccount
      Starting test: Services
         ......................... AD2 passed test Services
      Starting test: ObjectsReplicated
         ......................... AD2 passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         ......................... AD2 passed test frssysvol
      Starting test: kccevent
         ......................... AD2 passed test kccevent
      Starting test: systemlog
         ......................... AD2 passed test systemlog

   Running enterprise tests on : xxxx.co.uk
      Starting test: Intersite
         ......................... xxxxx.co.uk passed test Intersite
      Starting test: FsmoCheck
         ......................... xxxxx.co.uk passed test FsmoCheck



.........................................

    Computer Name: AD2
    DNS Host Name: ad2.xxxx.co.uk
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel
    List of installed hotfixes :
      
Deleted for space
   


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Intel Pro 1000 MT Gigabit Ethernet Adapter - onboard

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : ad2.xxxx.co.uk
        IP Address . . . . . . . . : 192.9.200.137
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.9.200.3
        Primary WINS Server. . . . : 192.9.200.137
        Dns Servers. . . . . . . . : 192.9.200.137
                                     192.9.200.25


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{B52AB651-EEB6-495D-AA27-E111D8D1DD98}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    [WARNING] The DNS host name 'ad2.xxxx.co.uk' valid only on Windows 20
00 DNS Servers. [DNS_ERROR_NON_RFC_NAME]
    PASS - All the DNS entries for DC are registered on DNS server '192.9.200.13
7' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '192.9.200.25
' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{B52AB651-EEB6-495D-AA27-E111D8D1DD98}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{B52AB651-EEB6-495D-AA27-E111D8D1DD98}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'DALKEITH' is to '\\ad1.xxxx.co.uk'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC 'ad2.xxxx.co.uk'.
    [WARNING] Failed to query SPN registration on DC 'ad1.xxxx.co.uk'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.


The command completed successfully

I then continued with the TCP/IP repointing and the service stop and start.
I'll keep refreshing the Event Viewer and see if it's helped.
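Pber's advice above is to run DCDiag and NetDiag on both DCs and to make each DC point at the right DNS server, and the output posted in this reply is what you then have to read through. As an added example (not from the thread and not a Microsoft tool), here is a small Python script that does that reading for you: it lists failed dcdiag tests, tests that "passed" while still printing error text (as frssysvol does above), netdiag warnings, and whether the first DNS server in the netdiag output is the one the DC should point at. The sample output embedded in it is constructed from the logs posted above with the domain replaced by a placeholder; the IP addresses are the ones shown in the post.

```python
"""Triage saved dcdiag / netdiag output from a Windows 2000 DC (added example,
not a Microsoft tool): save with dcdiag > dcdiag.txt, netdiag /v > netdiag.txt."""
import re

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
RESULT_RE = re.compile(r"^\.{5,}\s*\S+ (passed|failed) test \S+")

# Constructed samples cut down from the output posted above (domain is a
# placeholder; the IP addresses are the ones the poster showed).
DCDIAG_SAMPLE = """\
   Testing server: AD1
      Starting test: Replications
         .........................AD1 passed test Replications
      Starting test: frssysvol
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... AD1 passed test frssysvol
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC000271A
         ......................... AD1 failed test systemlog
"""
NETDIAG_AD1 = """\
        Host Name. . . . . . . . . : ad1.example.test
        IP Address . . . . . . . . : 192.9.200.25
        Dns Servers. . . . . . . . : 192.9.200.137
                                     192.9.200.25

        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.
    [WARNING] Failed to query SPN registration on DC 'ad2.example.test'.
"""


def parse_dcdiag(text):
    """Map each test name to its result and the lines printed under it."""
    tests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Starting test: (\S+)", line)
        if m:
            current = m.group(1)
            tests[current] = {"result": None, "notes": []}
        elif current is None:
            continue
        elif RESULT_RE.match(line):
            tests[current]["result"] = RESULT_RE.match(line).group(1)
            current = None  # the dotted result line closes the test
        elif line:
            tests[current]["notes"].append(line)
    return tests


def dcdiag_findings(text):
    """Failed tests, plus tests that 'passed' but printed text: dcdiag on
    Windows 2000 marks frssysvol passed even while reporting SYSVOL errors."""
    out = []
    for name, t in parse_dcdiag(text).items():
        if t["result"] == "failed":
            out.append(f"{name}: FAILED ({len(t['notes'])} detail lines)")
        elif t["notes"]:
            out.append(f"{name}: passed but printed: {t['notes'][0]}")
    return out


def parse_netdiag(text):
    """Pull the interface IP, the ordered DNS server list and all warnings."""
    info, in_dns = {"ip": None, "dns_servers": [], "warnings": []}, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"IP Address[ .]*:\s*(" + IP_RE + r")$", line)
        if m:
            info["ip"] = m.group(1)
            continue
        m = re.match(r"Dns Servers[ .]*:\s*(" + IP_RE + r")$", line)
        if m:
            info["dns_servers"].append(m.group(1))
            in_dns = True  # indented IP-only lines that follow extend the list
            continue
        if in_dns and re.fullmatch(IP_RE, line):
            info["dns_servers"].append(line)
            continue
        in_dns = False
        if "[WARNING]" in line:
            info["warnings"].append(line.split("[WARNING]", 1)[1].strip())
    return info


def dns_client_findings(info, expected_primary):
    """Apply the rule from the thread: a DC's first DNS server must be the DC
    that should serve it (AD1 pointing at itself, AD2 pointing at AD1)."""
    if not info["dns_servers"]:
        return ["no DNS servers configured"]
    first = info["dns_servers"][0]
    if first != expected_primary:
        return [f"first DNS server is {first}, expected {expected_primary}"]
    return []


if __name__ == "__main__":
    ad1 = parse_netdiag(NETDIAG_AD1)
    print(*dcdiag_findings(DCDIAG_SAMPLE), sep="\n")
    print(*dns_client_findings(ad1, ad1["ip"]), *ad1["warnings"], sep="\n")
```

Run against the AD1 output above, the DNS check reports that the first DNS server is 192.9.200.137 (AD2) rather than AD1's own address, which is exactly the ordering Pber asks to be changed; for AD2 you would pass AD1's address as the expected primary instead of the DC's own IP.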
Crafu (asker)
OK, checked the logs this morning and the DNS errors seem to have cleared on AD1; however I'm still getting the following:

AD1 -
FRS Error 13508
The File Replication Service is having trouble enabling replication from AD2 to LETTSAD1 for c:\winnt\sysvol\domain using the DNS name ad2.xxxx.co.uk. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name ad2.xxxx.co.uk from this computer.
 [2] FRS is not running on ad2.xxxx.co.uk.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.  

I can PING the AD2 server using Name and IP from AD1 and I've checked the FRS on both machines and it seems to be running.

I'm also getting Error 1202 every 5 mins on AD1
Security policies are propagated with warning. 0x4b8 : An extended error has occurred.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202s".

On AD2 I'm still getting the following errors:
Error 1202
Security policies are propagated with warning. 0x5 : Access is denied.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202s".

Error 454
Security policies are propagated with warning. 0x5 : Access is denied.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202s".

Error 439
services (372) Unable to write a shadowed header for file C:\WINNT\Security\tmp.edb.

Error 427

services (372) The database engine could not access the file called C:\WINNT\Security\tmp.edb.


All the DNS errors on both servers now seemed to be cleared, so thanks very much for that help.
I'm still getting the problem with the Windows cannot open the local policy database. Access to database has been denied.

Pber

Did you verify that time is synchronized properly?
Crafu (asker)
Hi there,
Yes the times are exactly the same.
Crafu
Pber

Your DNS is still questionable. AD1 should point to itself. AD2 should point to AD1 (or the other way around, as long as the same DNS server is the primary for both DCs). Is that the way it is set up?

Also do you have multiple NICs on the DC's?



Crafu (asker)
Yeah, I've got AD1 pointing to itself and AD2 points to AD1, single NIC on both.
Still getting the above errors on AD1 though. AD2 seems to be a lot better but still getting replication probs.
ASKER CERTIFIED SOLUTION
Pber