carpy7
asked on
Windows 2000 Server SYSVOL and replication failure
Hello,
I seem to be having a problem with my Windows 2000 PDC SYSVOL directory and my DsGetDcName entry. Here are the details:
Windows 2000 Servers (all have service pack 4):
PDC – Domain Controller, and holds All Roles
Exchange2000 – Domain Controller
SQL – Domain Controller
The first problem I noticed was a inability to browse PDC from another server by DNS name, but I was able to browse by IP address. It gave the error: Login Failure: Target Account Incorrect
I looked into the problem more and realized that active directory replication between DC was not functioning fully. I could go into Sites and Services and use ‘Replicate Now’ to successfully replicate between Exchange2000 and SQL, and I could replicate by pulling from PDC to either server, but I could not pull from PDC to any other server to replicate.
I am getting ‘Error during contact: The target principal name is incorrect’ when trying to replicate PDC info.
I am getting these errors on Exchange2000 and SQL:
Event id 1586 ‘Checkpoint w/PDC was unsuccessful. NTDS replication could not find domain controller.’
Event id 3034 ‘The redirector was unable to initialize security context or query context attributes’
PDC File Replication Service is not syncing properly either. I am getting event id 13508 and 13566 which are saying: ‘Having trouble enabling replication from Exchange2000 to PDC for c:\winnt\sysvol\domain’
I then realized that PDC SYSVOL and NETLOGON shares were not showing on PDC. They are being shared on the two other DC’s. The SYSVOL directory has possibly gone corrupt on PDC.
DCDIAG Results from PDC:
Starting test: Advertising
Warning: DsGetDcName returned information for \\sql.domain.com, when we were trying to reach PDC.
Server is not responding or is not considered suitable.
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... PDC passed test frssysvol
NetDiag Results from PDC:
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
Machine is a . . . . . . . . . : Primary Domain Controller Emulator
RepAdmin Results from PDC:
==== INBOUND NEIGHBORS ==========================
DC=domain,DC=com
Default-First-Site-Name\SQ
objectGuid: 36d94cc5-06f0-440d-9600-2d
Last attempt @ 2004-05-24 14:47.53 was successful.
Default-First-Site-Name\Ex
objectGuid: ad4d0717-08c5-4668-97ac-55
Last attempt @ 2004-05-24 15:02.02 was successful.
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS =========
CN=Schema,CN=Configuration
Default-First-Site-Name\ Exchange2000via RPC
objectGuid: ad4d0717-08c5-4668-97ac-55
Default-First-Site-Name\SQ
objectGuid: 36d94cc5-06f0-440d-9600-2d
CN=Configuration,DC=pundit
Default-First-Site-Name\ Exchange2000via RPC
objectGuid: ad4d0717-08c5-4668-97ac-55
Default-First-Site-Name\SP
objectGuid: 36d94cc5-06f0-440d-9600-2d
I can ping all DC’s from any location using DNS names. I can browse shares using names on all except PDC. I can browse share on PDC by using the IP address.
I also tried to reset all secure channels from PDC. None were reset. The error from PDC was ‘The specified domain does not exist or could not be contacted’ and from the others ‘There are currently no logon servers available to service the logon request.’
All my default connection objects between DC’s are present.
This seems to be a catch-22. FRS is not working on PDC because the SYSVOL is not working, but I need FRS to get a fresh copy of SYSVOL from anther DC.
Another big problem is the DCDiag result:
DsGetDcName returned information for \\sql.domain.com, when we were trying to reach PDC.
Do I need to manually rebuild SYSVOL dir?
Any suggestions as to how to get my PDC communicating with the other DC’s again would be appreciated.
Carpy7
I seem to be having a problem with my Windows 2000 PDC SYSVOL directory and my DsGetDcName entry. Here are the details:
Windows 2000 Servers (all have service pack 4):
PDC – Domain Controller, and holds All Roles
Exchange2000 – Domain Controller
SQL – Domain Controller
The first problem I noticed was a inability to browse PDC from another server by DNS name, but I was able to browse by IP address. It gave the error: Login Failure: Target Account Incorrect
I looked into the problem more and realized that active directory replication between DC was not functioning fully. I could go into Sites and Services and use ‘Replicate Now’ to successfully replicate between Exchange2000 and SQL, and I could replicate by pulling from PDC to either server, but I could not pull from PDC to any other server to replicate.
I am getting ‘Error during contact: The target principal name is incorrect’ when trying to replicate PDC info.
I am getting these errors on Exchange2000 and SQL:
Event id 1586 ‘Checkpoint w/PDC was unsuccessful. NTDS replication could not find domain controller.’
Event id 3034 ‘The redirector was unable to initialize security context or query context attributes’
PDC File Replication Service is not syncing properly either. I am getting event id 13508 and 13566 which are saying: ‘Having trouble enabling replication from Exchange2000 to PDC for c:\winnt\sysvol\domain’
I then realized that PDC SYSVOL and NETLOGON shares were not showing on PDC. They are being shared on the two other DC’s. The SYSVOL directory has possibly gone corrupt on PDC.
DCDIAG Results from PDC:
Starting test: Advertising
Warning: DsGetDcName returned information for \\sql.domain.com, when we were trying to reach PDC.
Server is not responding or is not considered suitable.
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... PDC passed test frssysvol
NetDiag Results from PDC:
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
Machine is a . . . . . . . . . : Primary Domain Controller Emulator
RepAdmin Results from PDC:
==== INBOUND NEIGHBORS ==========================
DC=domain,DC=com
Default-First-Site-Name\SQ
objectGuid: 36d94cc5-06f0-440d-9600-2d
Last attempt @ 2004-05-24 14:47.53 was successful.
Default-First-Site-Name\Ex
objectGuid: ad4d0717-08c5-4668-97ac-55
Last attempt @ 2004-05-24 15:02.02 was successful.
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS =========
CN=Schema,CN=Configuration
Default-First-Site-Name\ Exchange2000via RPC
objectGuid: ad4d0717-08c5-4668-97ac-55
Default-First-Site-Name\SQ
objectGuid: 36d94cc5-06f0-440d-9600-2d
CN=Configuration,DC=pundit
Default-First-Site-Name\ Exchange2000via RPC
objectGuid: ad4d0717-08c5-4668-97ac-55
Default-First-Site-Name\SP
objectGuid: 36d94cc5-06f0-440d-9600-2d
I can ping all DC’s from any location using DNS names. I can browse shares using names on all except PDC. I can browse share on PDC by using the IP address.
I also tried to reset all secure channels from PDC. None were reset. The error from PDC was ‘The specified domain does not exist or could not be contacted’ and from the others ‘There are currently no logon servers available to service the logon request.’
All my default connection objects between DC’s are present.
This seems to be a catch-22. FRS is not working on PDC because the SYSVOL is not working, but I need FRS to get a fresh copy of SYSVOL from anther DC.
Another big problem is the DCDiag result:
DsGetDcName returned information for \\sql.domain.com, when we were trying to reach PDC.
Do I need to manually rebuild SYSVOL dir?
Any suggestions as to how to get my PDC communicating with the other DC’s again would be appreciated.
Carpy7
ASKER
Thanks for the links.
I have been looking over many MKB articles trying to figure out the problem.
I have verified DNS settings.
I have also verified GUID's for AD vs. DNS - dnsLint
I still can not reset secure channels with netdom (which is confusing)- access denied
I can not pull replication information from PDC.
PDC SYSVOL is not being shared - it seems to be corrupt.
I do not see what other layers there are to Active Directory replication initiation: GUID - DNS - secure channel
What am I missing?
As for the SYSVOL - The articles say (250545), I need replication working or I need to set a parent server source and I need to put the entry in the registry. Can I do that for the PDC? I also took a look at the registry and I did not see the exact path they give:
HKLM\SYSTEM\CCS\Services\N
I can follow it till the first SysVol. I do see a possible other location at ...Parameters/Replica Sets/
Thanks,
carpy7
I have been looking over many MKB articles trying to figure out the problem.
I have verified DNS settings.
I have also verified GUID's for AD vs. DNS - dnsLint
I still can not reset secure channels with netdom (which is confusing)- access denied
I can not pull replication information from PDC.
PDC SYSVOL is not being shared - it seems to be corrupt.
I do not see what other layers there are to Active Directory replication initiation: GUID - DNS - secure channel
What am I missing?
As for the SYSVOL - The articles say (250545), I need replication working or I need to set a parent server source and I need to put the entry in the registry. Can I do that for the PDC? I also took a look at the registry and I did not see the exact path they give:
HKLM\SYSTEM\CCS\Services\N
I can follow it till the first SysVol. I do see a possible other location at ...Parameters/Replica Sets/
Thanks,
carpy7
ASKER
Ah, the error for the netdom secure connection reset attempt was not access denied, but 'there are currently no logon servers available to service the logon request'
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
1stITMAN,
Stewart, the other guy you helped, seemed to have a similar errors as I have. Once I get replication back in place SYSVOL should fall into place. The first link you gave also shows how to declare a DC dominant, so I should be all set with that. Thanks.
Looking at the replication problem:
Replication seems to be working pulling to PDC.
Last success for replication from PDC to other DC’s was 4-15-2004.
As for a history of the network, SQL was just added at the beginning of April. I could see if just SQL was having connection issues, but MAIL is having trouble too. PDC and SQL both have two network adapter cards. SQL’s second adapter was pointing to a second LAN. I have disabled that and adjusted DNS. PDC had two adapters on the same network, this probably was part of the problem at the start, but I have disabled the second card and adjusted DNS.
Netdiag membership test failed on PDC! I do not see how this can be really.
DNS setting for non-PDC DC’s ok till I get to nltest to test for Global Catalogs – NO_LOGON_SERVER error
But, _gc entries for each DC (I read you are not to have to the Infrastructure Master be a GC, so I removed it.
NETDIAG:
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'domain' is broken.
[ERROR_NO_LOGON_SERVERS]
I get this error for both non-PDC DC’s connecting to the domain.
I am getting the NO_LOGON_SERVERS error a lot throughout the testing.
Dnscmd from SQL to PDC errors out – access denied (no logon server maybe?)
I may have to eat my words about DNS being ok. Or, one of the services on PDC is not functioning. All services on PDC are running. Active Directory event logging is not giving any errors. RPC server maybe?
I have posted all my testing results to my website. It is not pretty format, but the info is there. Take a look if you like.
http://www.white-sphere.com/utilResults.html
Thanks,
Carpy7
Stewart, the other guy you helped, seemed to have a similar errors as I have. Once I get replication back in place SYSVOL should fall into place. The first link you gave also shows how to declare a DC dominant, so I should be all set with that. Thanks.
Looking at the replication problem:
Replication seems to be working pulling to PDC.
Last success for replication from PDC to other DC’s was 4-15-2004.
As for a history of the network, SQL was just added at the beginning of April. I could see if just SQL was having connection issues, but MAIL is having trouble too. PDC and SQL both have two network adapter cards. SQL’s second adapter was pointing to a second LAN. I have disabled that and adjusted DNS. PDC had two adapters on the same network, this probably was part of the problem at the start, but I have disabled the second card and adjusted DNS.
Netdiag membership test failed on PDC! I do not see how this can be really.
DNS setting for non-PDC DC’s ok till I get to nltest to test for Global Catalogs – NO_LOGON_SERVER error
But, _gc entries for each DC (I read you are not to have to the Infrastructure Master be a GC, so I removed it.
NETDIAG:
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'domain' is broken.
[ERROR_NO_LOGON_SERVERS]
I get this error for both non-PDC DC’s connecting to the domain.
I am getting the NO_LOGON_SERVERS error a lot throughout the testing.
Dnscmd from SQL to PDC errors out – access denied (no logon server maybe?)
I may have to eat my words about DNS being ok. Or, one of the services on PDC is not functioning. All services on PDC are running. Active Directory event logging is not giving any errors. RPC server maybe?
I have posted all my testing results to my website. It is not pretty format, but the info is there. Take a look if you like.
http://www.white-sphere.com/utilResults.html
Thanks,
Carpy7
Can u ping the domain controller?
Domain controller cannot be found.
So is it it visible on the network?
The NIC that u disabled was the right one, double check ur settings for IP etc..
As I say it will be something that is easy to fix but cant been seen in all the frustration!!
Domain controller cannot be found.
So is it it visible on the network?
The NIC that u disabled was the right one, double check ur settings for IP etc..
As I say it will be something that is easy to fix but cant been seen in all the frustration!!
This should help I hope.. http://support.microsoft.com/default.aspx?scid=kb;en-us;288167
I was having similar problems. thought it was due to dns at first, then file replications seemed like the problem. After much trial and error, i found that my dc with the pdc role was not sahring the sysvol folder. This article on microsoft site helped:
http://support.microsoft.com/default.aspx?scid=kb;en-us;257338
I checked my registry and found that my syvol source folder was set to the wrong path (it was c:\winnt instead of d:\winnt) I corrected the apth, restatred both domain controllers and after 15 minutes or so, my sysvol and netlogon shares reappeared and all replication was back to normal. I did get and extra automotically generated connection object in AD sites and services for my second dc, but both the new and original worked, so I deleted the second one.
good luck
J
http://support.microsoft.com/default.aspx?scid=kb;en-us;257338
I checked my registry and found that my syvol source folder was set to the wrong path (it was c:\winnt instead of d:\winnt) I corrected the apth, restatred both domain controllers and after 15 minutes or so, my sysvol and netlogon shares reappeared and all replication was back to normal. I did get and extra automotically generated connection object in AD sites and services for my second dc, but both the new and original worked, so I deleted the second one.
good luck
J
ASKER
So, I am afraid I never found out Exactly what the problem was, I get annoyed when that happens but oh well. I resorted to ripping the Master Roles away from the PDC and gave them to another DC without the ability to copy the information properly. I then uninstalled active directory from PDC, removed the PDC DC entries in the domain, and then rebuilt active directory on PDC and reconnected her to the domain. This cleared up the replication communication problem. Luckily, this domain is pretty small and any data loss from the rough roles transfer did not affect the domain.
Btw, I did try the sysvol rebuild and that did not seem to do the trick after all.
Thank you for all the help guys,
Carpy7
Btw, I did try the sysvol rebuild and that did not seem to do the trick after all.
Thank you for all the help guys,
Carpy7
http://www.eventid.net/display.asp?eventid=1586&eventno=781&source=NTDS%20Replication&phase=1
http://www.eventid.net/display.asp?eventid=3034&eventno=326&source=MRxSmb&phase=1
http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=NtFrs&phase=1
http://www.eventid.net/display.asp?eventid=13566&eventno=1810&source=NtFrs&phase=1