Solved

Active Directory Replication problem on W2K Server

Question by: gorriss
Posted on 2002-04-23
Last Modified: 2010-04-13
I have 2 Windows 2000 servers hosting 2 separate domains for our local network. The basic configuration is ServerA.domainA.<registered domain name>
ServerB.domainB.<registered domain name>

I cannot add users from domainB to groups in domainA, although I can do vice versa. When I try, I get the error "The specified user was not found. If the user exists on another domain controller in the enterprise, it may take 15 minutes or more for the user to be replicated to the global catalog."

I have been looking at my Active Directory Replication. When I try to manually replicate from Active Directory Sites and Services this is what I get:

On ServerB attempting to replicate ServerB to ServerA, I get "RPC Server is unavailable" (The service is running)

On ServerB attempting to replicate ServerA to ServerB, I get "DSA operation unable to proceed because of DNS lookup failure" (DNS seems to be working OK - Both servers are DNS servers)

On ServerA attempting to replicate ServerA to ServerB, I also get "DSA operation unable to proceed because of DNS lookup failure"

On ServerA attempting to replicate ServerB to ServerA, it works.

Perhaps there is a DNS problem on ServerA? I do get an error in DNS event log on ServerA when DNS tries to do a Dynamic Update. The error is shown below, and I have tried to fix it, but unsuccessfully.

"DNS Server has updated its own host (A) records.  In order to insure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update.  An error was encountered during this update, the record data is the error code.
 
If this DNS server does not have any DS-integrated peers, then this error should be ignored.
 
If this DNS server's ActiveDirectory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.
 
To insure proper replication:
1) Find this server's ActiveDirectory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server that the replication partner can contact.  (In other words, if there are multiple IP addresses for this DNS server, add at least one that is on the same network as the ActiveDirectory DNS server you are updating.)
6) Note that it is not necessary to update EVERY replication partner.  It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data."

Graham
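The event text quoted in the question describes, in steps 3 to 5, what a partner's copy of the zone has to contain for replication to work. The script below is an added example (editor's code, not from the thread, from Microsoft, or from any participant) that applies those checks to the DNS answers of each domain controller's partner, plus two checks the event text does not spell out but which matter for the "DSA ... DNS lookup failure" symptom: Windows 2000 replication first resolves the partner's CNAME <NTDS Settings GUID>._msdcs.<forest root>, and the domain locator SRV records in the _tcp, _udp and _msdcs folders must target the DC. All host names, addresses, GUIDs and the forest-root zone example.org are constructed; the two zone "views" are built to resemble the thread's symptoms (a multihomed server's second address leaking into the partner's zone, and _udp records absent from one copy of the domainA zone).

```python
"""DNS health check for two replicating Windows 2000 domain controllers.
Added example (editor's code, not from the thread or from Microsoft); all
names, addresses and GUIDs below are constructed."""
from dataclasses import dataclass


@dataclass
class DC:
    fqdn: str        # DC host name, lower case
    domain: str      # AD domain the DC hosts
    ips: set         # addresses its replication partners can actually reach
    dsa_guid: str    # objectGUID of the DC's NTDS Settings object (constructed)
    is_gc: bool = False


def required_srv(dc, forest_root):
    """Locator SRV names a DC registers (the _tcp/_udp/_msdcs folders in the zone)."""
    names = [f"_ldap._tcp.{dc.domain}", f"_kerberos._tcp.{dc.domain}",
             f"_kerberos._udp.{dc.domain}", f"_kpasswd._udp.{dc.domain}",
             f"_ldap._tcp.dc._msdcs.{dc.domain}"]
    if dc.is_gc:
        names.append(f"_gc._tcp.{forest_root}")
    return names


def audit(dc, view, forest_root):
    """Check one DNS server's answers ('view': {(name, rrtype): set(values)}) for dc.
    Returns a list of findings; empty means a partner using this server can find dc."""
    findings = []
    a_records = view.get((dc.fqdn, "A"), set())
    stale = a_records - dc.ips          # event text, steps 3-4
    if stale:
        findings.append(f"A {dc.fqdn}: stale/unreachable addresses {sorted(stale)} (event steps 3-4)")
    if not (a_records & dc.ips):        # event text, step 5
        findings.append(f"A {dc.fqdn}: no reachable address registered (event step 5)")
    # Replication resolves the partner's <DSA GUID>._msdcs.<forest root> CNAME first.
    guid_name = f"{dc.dsa_guid}._msdcs.{forest_root}"
    if dc.fqdn not in view.get((guid_name, "CNAME"), set()):
        findings.append(f"CNAME {guid_name}: missing or not pointing at {dc.fqdn}")
    for name in required_srv(dc, forest_root):
        targets = {target for _port, target in view.get((name, "SRV"), set())}
        if dc.fqdn not in targets:
            findings.append(f"SRV {name}: no record targeting {dc.fqdn}")
    return findings


def dc_records(dc, forest_root, extra_ips=(), skip=()):
    """Records a healthy DC registers for itself (used to build the constructed views)."""
    recs = {(dc.fqdn, "A"): set(dc.ips) | set(extra_ips),
            (f"{dc.dsa_guid}._msdcs.{forest_root}", "CNAME"): {dc.fqdn}}
    for name in required_srv(dc, forest_root):
        if name in skip:
            continue
        port = 88 if "_kerberos" in name else 464 if "_kpasswd" in name else 3268 if "_gc" in name else 389
        recs[(name, "SRV")] = {(port, dc.fqdn)}
    return recs


def merge(*views):
    """Union several record sets into one DNS server's view."""
    out = {}
    for v in views:
        for key, values in v.items():
            out.setdefault(key, set()).update(values)
    return out


# Constructed environment: two child domains of an assumed forest-root zone.
FOREST = "example.org"
SERVER_A = DC("servera.domaina.example.org", "domaina.example.org", {"192.168.1.10"},
              "11111111-2222-3333-4444-555555555555", is_gc=True)
SERVER_B = DC("serverb.domainb.example.org", "domainb.example.org", {"192.168.1.20"},
              "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", is_gc=True)

# ServerA's DNS: everything registered correctly.
VIEW_A = merge(dc_records(SERVER_A, FOREST), dc_records(SERVER_B, FOREST))
# ServerB's DNS: ServerA's RAS-side address leaked in as a second A record
# (multihomed DC) and domainA's _udp records are absent (the missing _udp folder).
VIEW_B = merge(dc_records(SERVER_B, FOREST),
               dc_records(SERVER_A, FOREST, extra_ips=("10.99.0.1",),
                          skip=(f"_kerberos._udp.{SERVER_A.domain}",
                                f"_kpasswd._udp.{SERVER_A.domain}")))


def report():
    """Audit each DC in its partner's DNS view; returns {(dc, dns server): findings}."""
    return {("ServerA", "ServerB DNS"): audit(SERVER_A, VIEW_B, FOREST),
            ("ServerB", "ServerA DNS"): audit(SERVER_B, VIEW_A, FOREST)}


if __name__ == "__main__":
    for (dc, server), findings in report().items():
        print(f"{dc} as seen by {server}: {'OK' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

Against real servers the same `audit` function is fed answers collected per DNS server, for example with `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> <partner's DNS server>` and the matching A and CNAME queries, pointing at each partner in turn as the event text's step 2 says. A stale A record for a multihomed DC and a missing GUID CNAME are the two findings that most directly explain a partner reporting a DNS lookup failure.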
Accepted Solution by: GUEEN (earned 300 total points)
Gorris - you have 2 questions that are basically the same (though this one is more extensive) - you should delete one of them.

Posted from your other question:
Have you tried running 'ipconfig /flushdns' on all computers?
How many DNS servers do you have?
You also might have a replication issue (Use the REPLMON tool from the Res Kit and view each server)
Also read this:
http://www.jsifaq.com/SUBG/TIP3300/rh3370.htm
What is the error code that you get?

Expert Comment by: GUEEN

Is this your event ID?
http://www.eventid.net/display.asp?eventid=1085&source=NTDS+Replication+
 
Expert Comment by: ymash
Do your servers have more than one NIC? If so, make sure the correct NIC and IP is registered in your DNS server; look for multiple entries for your server with different IP addresses in DNS.

Also, do you see _sites, _tcp, _udp, and _msdcs folders in DNS under your domain?
Author Comment by: gorriss
Sorry about questions on similar subjects, but I have not solved my problems, and thought I'd try a different tack. Will be back at work 6th May and check these suggestions then.

Thanks
Graham
Author Comment by: gorriss
DNS on both servers list forward lookup zones for both domains (ie serverA has forward lookup zones for domainA and domainB, ALSO serverB has forward lookup zones for the same 2 domains). The only difference is that on serverB, the forward lookup zone for domainA does NOT list a _udp folder, whereas all other zones list _msdcs, _sites, _tcp, and _udp.

Graham
Author Comment by: gorriss
Shekerra

The article regarding the replication problem seems to apply to me. There is no TDO in the system folder on serverA. (ServerB does not even have a system folder in AD???) The instructions are to add the Trusts and then use NETDOM to reset the trust. The trusts already exist, so perhaps I should just try the NETDOM command?

Graham
Author Comment by: gorriss
REPLMON will only run on serverA and reports a problem replicating from serverA to serverB. Nothing happens when I try to run it on serverB?

Regards
Graham
Expert Comment by: GUEEN
Hmmmm ok what is mentioned in the event logs on server B?
Author Comment by: gorriss
There doesn't appear to be anything relevant in ServerB event log.

When I run REPLMON on serverA this is what I get...
Replication failure: Changes have not been successfully replicated from serverA for 460 attempts.
Replication failure: The reason is: The DSA operation is unable to proceed because of a DNS lookup failure.

When I run netdiag /test:DNS on both servers I get...
Warning DNS entries for this server not registered correctly on <ip of other server>.

Apart from this DNS seems to be working OK, and there are no constant error messages in the DNS event log. (I have had odd ones in the past though.) I am not totally sure how DNS should be set up. On both servers I have forward lookup zones for...
domainA.school registered domain
domainB.school registered domain
school registered domain

domainA is the domain for serverA, and vice versa. In each zone I now only have host records for the server hosting that domain, though previously I had both servers listed?

Graham
Author Comment by: gorriss
Well I tried many things today! ipconfig /flushdns seemed to fix some of my DNS problems (so I am awarding shekerra with solving my problem). I also removed some of my forward lookup zones (like "."). DNS seems OK, but there is something wrong with the global catalog on serverA. I added a new attribute through AD Schema in the hope of resyncing the GC and fixing it. This didn't work.

In the end I turned off the GC option on serverA, so that only serverB had a GC. Hey presto, this allowed me to add users from domainB to groups in domainA (perhaps the main issue I have trying to fix). I turned the GC back on on serverA and I can still add users. Hope it stays this way.

The only problem I still have is a 30sec to 1 minute delay browsing domainB in My Network Places from serverA. I did have this fixed at one stage in my DNS fiddling, but something has happened to slow it again.

Thanks guys
Expert Comment by: GUEEN
From control panel | network & dial-up Connections applet
go to the menu --> advanced  | advanced settings
adapters & bindings
under bindings for local area connection make sure that file & printer sharing for MS networks is at the top.

Author Comment by: gorriss
I realised that because I run RAS on serverA, it is multihomed. Slow browsing is a known issue on multihomed servers. When I stopped the RAS service, browsing was quick. I restarted the service and browsing is still quick some 1 hour later (not sure if this will continue). Probably should put RAS on a separate server.

I checked the bindings and they are as you say already. (PS I only use the TCP/IP protocol.)

Thanks
Graham
Expert Comment by: liloXwin
If you go to start |  run  and type   mmc  then go to file -- add/remove snapin  add 'local computer policy'
Then go to:
user configuration |  windows settings  | administrative templates  | control panel
click on 'hide specified control panel applets'
the name for the password applet is:  NUSRMGR
 
Comment from shekerra  03/28/2002 01:00PM PST  
Save as Console1  
Comment from pipi  03/28/2002 11:44PM PST  
shekerra,

I also had been thinking to try this but we have the Home edition and this is only possible in the Professional. That's what I know about it; if you think there is another way to accomplish the same in the Home edition, I would be happy to hear about it. Thanks anyway.  
Comment from stevenlewis  03/29/2002 03:02AM PST  
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q288391  
Comment from stevenlewis  03/29/2002 03:04AM PST  
so in other words, make the students accounts standard or limited  
Comment from pipi  03/29/2002 03:42AM PST  
I did log out and on again after changing the type of account for the student. But they still can change / delete their own password by Control Panel - User Accounts. I think with the policy editor the administrator can hide or disable this option in the Control Panel, but this editor does not exist in XP Home edition. So maybe it just isn't possible (but I doubt it; maybe by changing some key value in the registry - but which one?).  
Comment from shekerra  03/29/2002 03:12PM PST  
You would have to do this with each user logged in:

Paste this into Notepad, and once they are logged in have them (or you) double-click this reg file and it will disable Control Panel.

************begin here - copy everything below this line

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"DisallowCpl"=dword:00000001
"NoControlPanel"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl]
"1"="userpasswords2"

*************end here - copy everything above this line
then save as "NCP.reg"  with the quotations and not as a text file.



 
Comment from pipi  04/01/2002 10:41PM PST  
Thanks shekerra,

I hope I will be able to try this today, if I have a few minutes' time. I'll let you know the result.

Has this to be done every time the user logs in, or can it be set to prevent the user forever to change his password?

till soon.  
Comment from shekerra  04/01/2002 10:47PM PST  
You should only have to do it one time - then it will remain with the user. (Well you will have to do it for every new user - but only once should suffice.)
 
Comment from pipi  04/02/2002 01:01AM PST  
I'm very curious to try it out and see the result.
Maybe this afternoon.  
Comment from pipi  04/02/2002 06:08AM PST  
Shekerra,
Yes,Yes,Yes
I just tried it out and it worked perfectly. The whole Control Panel is unavailable for the user. That's more than I wanted, but I think it's safer this way, and it will take some work out of my hands.
So about the points, I think for the not so experienced user the solution that stevenlewis proposed was satisfying (disable the 'change password' button when the user hits Ctrl-Alt-Del), but for the more experienced user this is not enough and your solution helps here. So you both gave me a part of the solution.
I would like to give you both 300 points, if this is possible. If not, would somebody let me know.
Thanks again, both of you.  
Comment from shekerra  04/02/2002 08:38AM PST  
Thanks pipi - glad the teamwork solution worked for you :)
You can award one expert the points in this particular Queue - then make a new question in XP awarding the other person 300 points.
Example:

300 points for thenameoftheexpert

then inside the question:
For your contribution to:
http://www.experts-exchange.com/winxp/Q.20282412.html

 
Comment from stevenlewis  04/02/2002 03:34PM PST  
pipi, glad we were able to help
Bev, teamwork rulez!
Steve  
Comment from pipi  04/02/2002 10:39PM PST  
shekerra,

do you mean I give one expert the 300 points, ask a new question with the text you proposed inside and then wait until the second expert answers to give him the other 300  
