gorriss asked on 04/23/2002 08:30PM PST:

Active Directory Replication problem on W2K Server

I have 2 Windows 2000 servers hosting 2 separate domains for our local network. The basic configuration is ServerA.domainA.<registered domain name>
ServerB.domainB.<registered domain name>

I cannot add users from domainB to groups in domainA, although I can do vice versa. When I try, I get the error "The specified user was not found. If the user exists on another domain controller in the enterprise, it may take 15 minutes or more for the user to be replicated to the global catalog."

I have been looking at my Active Directory Replication. When I try to manually replicate from Active Directory Sites and Services this is what I get:

On ServerB attempting to replicate ServerB to ServerA, I get "RPC Server is unavailable" (The service is running)

On ServerB attempting to replicate ServerA to ServerB, I get "DSA operation unable to proceed because of DNS lookup failure" (DNS seems to be working OK - Both servers are DNS servers)

On ServerA attempting to replicate ServerA to ServerB, I also get "DSA operation unable to proceed because of DNS lookup failure"

On ServerA attempting to replicate ServerB to ServerA, it works.

Perhaps there is a DNS problem on ServerA? I do get an error in DNS event log on ServerA when DNS tries to do a Dynamic Update. The error is shown below, and I have tried to fix it, but unsuccessfully.

"DNS Server has updated its own host (A) records.  In order to insure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update.  An error was encountered during this update, the record data is the error code.
 
If this DNS server does not have any DS-integrated peers, then this error should be ignored.
 
If this DNS server's ActiveDirectory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.
 
To insure proper replication:
1) Find this server's ActiveDirectory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact.  (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the ActiveDirectory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner.  It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data."

Graham
ASKER CERTIFIED SOLUTION from GUEEN
(The solution text is only available to Experts Exchange members.)
Comment from ymash

Do your servers have more than one NIC? If so, make sure the correct NIC and IP is registered in your DNS server; look for multiple entries for your server with different IP addresses in DNS.

Also, do you see _sites, _tcp, _udp, and _msdcs folders in DNS under your domain?
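The two checks in this thread (the event text's "stale or missing A records on each replication partner" and ymash's "_sites, _tcp, _udp, _msdcs folders") can be done from one place. The script below is an added example written for this page, not code from any poster; it assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later, not the original W2K boxes), and the zone names, DC names, IP addresses and site name are placeholders standing in for the poster's ServerA/ServerB setup. It asks every DNS server, in turn, what it holds for every DC, which is the same thing netdiag /test:DNS does but shows exactly which record on which server is wrong.

```powershell
# Added example (not from the thread): audit DC host (A) and AD locator (SRV) records
# on every DNS server, from every DNS server's point of view.
# Assumptions: Resolve-DnsName is available; the names, IPs and site below are placeholders.

$Domains = @{
    'domainA.example.test' = @{ Dc = 'ServerA.domainA.example.test'; Ips = @('192.0.2.10') }
    'domainB.example.test' = @{ Dc = 'ServerB.domainB.example.test'; Ips = @('192.0.2.20') }
}
$DnsServers = @('192.0.2.10', '192.0.2.20')   # both DCs run DNS, so ask each one
$SiteName   = 'Default-First-Site-Name'        # placeholder: take it from AD Sites and Services

function Test-DcRegistration {
    param([string]$Zone, [string]$Dc, [string[]]$ExpectedIps, [string]$Server)

    # 1) Host (A) records. An extra address is a stale registration (second NIC, RAS);
    #    a missing address means this partner cannot reach the DC for replication.
    $a = Resolve-DnsName -Name $Dc -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    $found = @($a | ForEach-Object { $_.IPAddress })
    foreach ($ip in $found) {
        if ($ExpectedIps -notcontains $ip) {
            Write-Warning "$Server : stale A record $Dc -> $ip (delete it on this server)"
        }
    }
    foreach ($ip in $ExpectedIps) {
        if ($found -notcontains $ip) {
            Write-Warning "$Server : missing A record $Dc -> $ip (run 'ipconfig /registerdns' on the DC)"
        }
    }

    # 2) Locator SRV records; these are what the _msdcs, _sites, _tcp and _udp folders hold.
    $srvNames = @(
        "_ldap._tcp.$Zone",
        "_kerberos._tcp.$Zone",
        "_kerberos._udp.$Zone",
        "_ldap._tcp.dc._msdcs.$Zone",
        "_ldap._tcp.$SiteName._sites.$Zone"
    )
    foreach ($name in $srvNames) {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        $targets = @($srv | ForEach-Object { $_.NameTarget })
        if ($targets -notcontains $Dc) {
            Write-Warning "$Server : $name has no SRV record for $Dc (restart Netlogon on the DC to re-register)"
        }
    }
}

foreach ($zone in $Domains.Keys) {
    foreach ($server in $DnsServers) {
        Test-DcRegistration -Zone $zone -Dc $Domains[$zone].Dc -ExpectedIps $Domains[$zone].Ips -Server $server
    }
}
```

Run it from any machine that can reach both DNS servers. A clean run prints nothing; each warning names the DNS server that holds the bad or missing record, which is the record steps 3 to 5 of the event text tell you to fix on that partner.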
Comment from gorriss (ASKER)

Sorry about questions on similar subjects, but I have not solved my problems, and thought I'd try a different tack. Will be back at work 6th May and check these suggestions then.

Thanks
Graham
Comment from gorriss (ASKER)

DNS on both servers lists forward lookup zones for both domains (i.e. serverA has forward lookup zones for domainA and domainB, ALSO serverB has forward lookup zones for the same 2 domains). The only difference is that on serverB, the forward lookup zone for domainA does NOT list a _udp folder, whereas all other zones list _msdcs, _sites, _tcp, and _udp.

Graham
Comment from gorriss (ASKER)

Shekerra

The article regarding the replication problem seems to apply to me. There is no TDO in the system folder on serverA. (ServerB does not even have a system folder in AD???) The instructions are to add the Trusts and then use NETDOM to reset the trust. The trusts already exist, so perhaps I should just try the NETDOM command?

Graham
Comment from gorriss (ASKER)

REPLMON will only run on serverA and reports a problem replicating from serverA to serverB. Nothing happens when I try to run it on serverB?

Regards
Graham
Hmmmm, ok, what is mentioned in the event logs on server B?
Comment from gorriss (ASKER)

There doesn't appear to be anything relevant in ServerB event log.

When I run REPLMON on serverA this is what I get...
Replication failure: Changes have not been successfully replicated from serverA for 460 attempts.
Replication failure: The reason is: The DSA operation is unable to proceed because of a DNS lookup failure.

When I run netdiag /test:DNS on both servers I get...
Warning DNS entries for this server not registered correctly on <ip of other server>.

Apart from this DNS seems to be working OK, and there are no constant error messages in the DNS event log. (I have had odd ones in the past though.) I am not totally sure how DNS should be set up. On both servers I have forward lookup zones for...
domainA.school registered domain
domainB.school registered domain
school registered domain

domainA is the domain for serverA, and vice versa. In each zone I now only have host records for the server hosting that domain, though previously I had both servers listed?

Graham
Comment from gorriss (ASKER)

Well I tried many things today! ipconfig /flushdns seemed to fix some of my DNS problems (so I am awarding shekerra with solving my problem). I also removed some of my forward lookup zones (like .). DNS seems OK, but there is something wrong with the global catalog on serverA. I added a new attribute through AD Schema in the hope of resynching the GC and fixing it. This didn't work.

In the end I turned off the GC option on serverA, so that only serverB had a GC. Hey presto, this allowed me to add users from domainB to groups in domainA (perhaps the main issue I have trying to fix). I turned the GC back on on serverA and I can still add users. Hope it stays this way.

The only problem I still have is a 30sec to 1 minute delay browsing domainB in My Network Places from serverA. I did have this fixed at one stage in my DNS fiddling, but something has happened to slow it again.

Thanks guys
From control panel | network & dial-up Connections applet
go to the menu --> advanced  | advanced settings
adapters & bindings
under bindings for local area connection make sure that file & printer sharing for MS networks is at the top.

Comment from gorriss (ASKER)

I realised that because I run RAS on serverA, it is multihomed. Slow browsing is a known issue on multihomed servers. When I stopped the RAS service, browsing was quick. I restarted the service and browsing is still quick some 1 hour later (not sure if this will continue). Probably should put RAS on a separate server.

I checked the bindings and they are as you say already. (PS I only use the TCP/IP protocol.)

Thanks
Graham
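The multihomed RAS case above is the usual source of the "multiple IP addresses for this DNS server" situation the event text describes: the dial-in interface registers its own address, so replication partners may pick an address they cannot reach. A defender-side fix that keeps RAS on the same box is to stop that interface from registering. The snippet below is an added example for this page, not anything from the thread; it assumes the DnsClient cmdlets (Windows 8 / Server 2012 and later) and the two interface aliases are placeholders.

```powershell
# Added example (not from the thread): on a multihomed DC, keep only the LAN adapter
# registering in DNS so partners never learn the RAS/dial-in address.
# Assumptions: Get-DnsClient / Set-DnsClient available; aliases below are placeholders.

$LanAlias = 'Ethernet'     # placeholder: the adapter replication partners should use
$RasAlias = 'Internal'     # placeholder: the RAS / dial-in adapter

# Show which adapters currently register their addresses (the source of the extra A records).
Get-DnsClient | Select-Object InterfaceAlias, InterfaceIndex, RegisterThisConnectionsAddress

# Register the LAN adapter only, then refresh this host's A records with its DNS servers.
Set-DnsClient -InterfaceAlias $RasAlias -RegisterThisConnectionsAddress $false
Set-DnsClient -InterfaceAlias $LanAlias -RegisterThisConnectionsAddress $true
ipconfig /registerdns

# Confirm only the LAN address is now published for this host.
Resolve-DnsName -Name $env:COMPUTERNAME -Type A -DnsOnly | Select-Object Name, IPAddress
```

After the re-registration, delete any leftover RAS address from the host's A records on each DNS partner (steps 3 and 4 of the event text); the setting only stops new registrations, it does not clean up old ones.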
If you go to start |  run  and type   mmc  then go to file -- add/remove snapin  add 'local computer policy'
Then go to:
user configuration |  windows settings  | administrative templates  | control panel
click on 'hide specified control panel applets'
the name for the password applet is:  NUSRMGR
 
Comment from shekerra  03/28/2002 01:00PM PST  
Save as Console1  
Comment from pipi  03/28/2002 11:44PM PST  
shekerra,

I also had been thinking to try this but we have the Home edition and this is only possible in the Professional. That's what I know about it; if you think there is another way to accomplish the same in the Home edition, I would be happy to hear about it. Thanks anyway.
Comment from stevenlewis  03/29/2002 03:02AM PST  
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q288391 
Comment from stevenlewis  03/29/2002 03:04AM PST  
so in other words, make the students' accounts standard or limited
Comment from pipi  03/29/2002 03:42AM PST  
I did log out and on again after changing the type of account for the student. But they still can change / delete their own password by control panel - user accounts. I think with policy editor the administrator can hide or disable this option in the control panel, but this editor does not exist in XP Home edition. So maybe it just isn't possible (but I doubt it; maybe by changing some key-value in the registry - but which one?).
Comment from shekerra  03/29/2002 03:12PM PST  
You would have to do this with each user logged in:

Paste this into notepad and once they are logged in have them (or you double-click this reg file and it will disable control panel.)

************begin here - copy everything below this line

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"DisallowCpl"=dword:00000001
"NoControlPanel"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl]
"1"="userpasswords2"

*************end here - copy everything above this line
then save as "NCP.reg" with the quotations and not as a text file.

Comment from pipi  04/01/2002 10:41PM PST  
Thanks shekerra,

I hope I will be able to try this today, if I have some minutes time.I let you know the result.

Has this to be done every time the user logs in, or can it be set to prevent the user forever to change his password?

till soon.  
Comment from shekerra  04/01/2002 10:47PM PST  
You should only have to do it one time - then it will remain with the user. (Well you will have to do it for every new user - but only once should suffice.)
 
Comment from pipi  04/02/2002 01:01AM PST  
I'm very curious to try it out and see the result.
Maybe this afternoon.  
Comment from pipi  04/02/2002 06:08AM PST  
Shekerra,
Yes,Yes,Yes
I just tried it out and it worked perfectly. The whole control panel is unavailable for the user. That's more than I wanted, but I think it's safer this way, and it will take some work out of my hands.
So about the points, I think for the not so experienced user the solution that stevenlewis proposed was satisfying (disable the 'change password' button when the user hits ctrl-alt-del), but for the more experienced user this is not enough and your solution helps here. So you both gave me a part of the solution.
I would like to give you both 300 points, if this is possible. If not, would somebody let me know.
Thanks again both of you.
Comment from shekerra  04/02/2002 08:38AM PST  
Thanks pipi - glad the teamwork solution worked for you :)
You can award one expert the points in this particular Queue - then make a new question in XP awarding the other person 300 points.
Example:

300 points for thenameoftheexpert

then inside the question:
For your contribution to:
https://www.experts-exchange.com/winxp/Q.20282412.html

 
Comment from stevenlewis  04/02/2002 03:34PM PST  
pipi, glad we were able to help
Bev, teamwork rulez!
Steve  
Comment from pipi  04/02/2002 10:39PM PST  
shekerra,

do you mean I give one expert the 300 points, ask a new question with the text you proposed inside and then wait until the second expert answers to give him the other 300  
Accepted Answer from shekerra  04/23/2002 09:51PM PST  
Gorriss - you have 2 questions that are basically the same (though this one is more extensive) - you should delete one of them.

Posted from your other question:
Have you tried running 'ipconfig /flushdns' on all computers?
How many DNS servers do you have?
You also might have a replication issue (Use the REPLMON tool from the Res Kit and view each server)
Also read this:
http://www.jsifaq.com/SUBG/TIP3300/rh3370.htm
What is the error code that you get?

 
Comment from shekerra  04/23/2002 09:55PM PST  
Is this your event ID?
http://www.eventid.net/display.asp?eventid=1085&source=NTDS+Replication+