Windows 2000 Server SYSVOL and replication failure

carpy7
Hello,

I seem to be having a problem with my Windows 2000 PDC SYSVOL directory and my DsGetDcName entry.  Here are the details:

Windows 2000 Servers (all have service pack 4):
PDC – Domain Controller, and holds All Roles
Exchange2000 – Domain Controller
SQL – Domain Controller

The first problem I noticed was an inability to browse PDC from another server by DNS name, but I was able to browse by IP address.  It gave the error: Login Failure: Target Account Incorrect

I looked into the problem more and realized that active directory replication between DC was not functioning fully.  I could go into Sites and Services and use ‘Replicate Now’ to successfully replicate between Exchange2000 and SQL, and I could replicate by pulling from PDC to either server, but I could not pull from PDC to any other server to replicate.

I am getting ‘Error during contact: The target principal name is incorrect’ when trying to replicate PDC info.

I am getting these errors on Exchange2000 and SQL:  
Event id 1586 ‘Checkpoint w/PDC was unsuccessful. NTDS replication could not find domain controller.’
Event id 3034 ‘The redirector was unable to initialize security context or query context attributes’

PDC File Replication Service is not syncing properly either.  I am getting event id 13508 and 13566 which are saying: ‘Having trouble enabling replication from Exchange2000 to PDC for c:\winnt\sysvol\domain’

I then realized that PDC SYSVOL and NETLOGON shares were not showing on PDC.  They are being shared on the two other DC’s.  The SYSVOL directory has possibly gone corrupt on PDC.

DCDIAG Results from PDC:
      Starting test: Advertising
Warning: DsGetDcName returned information for \\sql.domain.com, when we were trying to reach PDC.
         Server is not responding or is not considered suitable.

      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... PDC passed test frssysvol

NetDiag Results from PDC:
Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
    Machine is a . . . . . . . . . : Primary Domain Controller Emulator

RepAdmin Results from PDC:
==== INBOUND NEIGHBORS ======================================
DC=domain,DC=com
    Default-First-Site-Name\SQL via RPC
        objectGuid: 36d94cc5-06f0-440d-9600-2dff694cec9c
        Last attempt @ 2004-05-24 14:47.53 was successful.
    Default-First-Site-Name\Exchange2000 via RPC
        objectGuid: ad4d0717-08c5-4668-97ac-550fdb437550
        Last attempt @ 2004-05-24 15:02.02 was successful.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS =========

CN=Schema,CN=Configuration,DC=pundits,DC=com
    Default-First-Site-Name\ Exchange2000via RPC
        objectGuid: ad4d0717-08c5-4668-97ac-550fdb437550
    Default-First-Site-Name\SQL via RPC
        objectGuid: 36d94cc5-06f0-440d-9600-2dff694cec9c

CN=Configuration,DC=pundits,DC=com
    Default-First-Site-Name\ Exchange2000via RPC
        objectGuid: ad4d0717-08c5-4668-97ac-550fdb437550
    Default-First-Site-Name\SP-PERSONIC via RPC
        objectGuid: 36d94cc5-06f0-440d-9600-2dff694cec9c

I can ping all DC’s from any location using DNS names.  I can browse shares using names on all except PDC.  I can browse share on PDC by using the IP address.

I also tried to reset all secure channels from PDC.  None were reset.  The error from PDC was ‘The specified domain does not exist or could not be contacted’ and from the others ‘There are currently no logon servers available to service the logon request.’

All my default connection objects between DC’s are present.

This seems to be a catch-22.  FRS is not working on PDC because the SYSVOL is not working, but I need FRS to get a fresh copy of SYSVOL from another DC.
Another big problem is the DCDiag result:
DsGetDcName returned information for \\sql.domain.com, when we were trying to reach PDC.

Do I need to manually rebuild SYSVOL dir?  
Any suggestions as to how to get my PDC communicating with the other DC’s again would be appreciated.

Carpy7
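
A small parser for repadmin output in the layout quoted in the post above, added here as an example and not part of the original thread: it lists each replication partner with its last-attempt result so failing inbound links stand out. The sample text, the server names and the form of the "failed, result N:" line are constructed assumptions.

```python
import re

# Constructed sample in the layout of the repadmin output quoted above.
# The "failed, result N:" line is an assumed form for a failed attempt;
# the post itself only shows successful ones.
SAMPLE = """\
==== INBOUND NEIGHBORS ======================================
DC=example,DC=test
    Default-First-Site-Name\\DC2 via RPC
        objectGuid: 11111111-1111-1111-1111-111111111111
        Last attempt @ 2004-05-24 14:47.53 was successful.
    Default-First-Site-Name\\DC3 via RPC
        objectGuid: 22222222-2222-2222-2222-222222222222
        Last attempt @ 2004-05-24 15:02.02 failed, result 1396:
            Logon Failure: The target account name is incorrect.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS =========
DC=example,DC=test
    Default-First-Site-Name\\DC2 via RPC
        objectGuid: 11111111-1111-1111-1111-111111111111
"""

SECTION = re.compile(r"^=+\s*(INBOUND|OUTBOUND) NEIGHBORS")
PARTNER = re.compile(r"^\s+(\S+)\\\s*(\S+?)\s*via RPC")
ATTEMPT = re.compile(r"Last attempt @ (\S+ \S+) (was successful|failed, result (\d+))")

def parse_showreps(text):
    """Return one dict per partner entry: direction, naming context, site, server, status."""
    rows, direction, nc, current = [], None, None, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            direction, nc, current = m.group(1).lower(), None, None
        elif direction and line and not line[0].isspace():
            nc = line.strip()                      # unindented line = naming context
        elif m := PARTNER.match(line):
            current = {"direction": direction, "nc": nc, "site": m.group(1),
                       "server": m.group(2), "guid": None, "when": None, "result": None}
            rows.append(current)
        elif current and "objectGuid:" in line:
            current["guid"] = line.split(":", 1)[1].strip()
        elif current and (m := ATTEMPT.search(line)):
            current["when"] = m.group(1)
            current["result"] = 0 if m.group(3) is None else int(m.group(3))
    return rows

def failing_inbound(rows):
    """Inbound partners whose last replication attempt did not succeed."""
    return [(r["nc"], r["server"], r["result"]) for r in rows
            if r["direction"] == "inbound" and r["result"]]
```

Running the same parser on the output of every DC and comparing the results shows which direction of a link is failing, since each DC only reports the attempts it made itself.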

Author

Commented:
Thanks for the links.

I have been looking over many MKB articles trying to figure out the problem.

I have verified DNS settings.
I have also verified GUID's for AD vs. DNS - dnsLint
I still can not reset secure channels with netdom (which is confusing)- access denied
I can not pull replication information from PDC.
PDC SYSVOL is not being shared - it seems to be corrupt.

I do not see what other layers there are to Active Directory replication initiation:  GUID - DNS - secure channel
What am I missing?

As for the SYSVOL - The articles say (250545), I need replication working or I need to set a parent server source and I need to put the entry in the registry.  Can I do that for the PDC?  I also took a look at the registry and I did not see the exact path they give:
HKLM\SYSTEM\CCS\Services\NTFRS\Parameters\SysVol\SysVol Seeding\Domain System Volume (Sysvol Share)
I can follow it till the first SysVol. I do see a possible other location at ...Parameters/Replica Sets/

Thanks,
carpy7

 

Author

Commented:
Ah, the error for the netdom secure connection reset attempt was not access denied, but 'there are currently no logon servers available to service the logon request'

Author

Commented:
1stITMAN,

Stewart, the other guy you helped, seemed to have similar errors as I have.  Once I get replication back in place SYSVOL should fall into place.  The first link you gave also shows how to declare a DC dominant, so I should be all set with that.  Thanks.

Looking at the replication problem:

Replication seems to be working pulling to PDC.
Last success for replication from PDC to other DC’s was 4-15-2004.
As for a history of the network, SQL was just added at the beginning of April.  I could see if just SQL was having connection issues, but MAIL is having trouble too.  PDC and SQL both have two network adapter cards.  SQL’s second adapter was pointing to a second LAN.  I have disabled that and adjusted DNS.  PDC had two adapters on the same network, this probably was part of the problem at the start, but I have disabled the second card and adjusted DNS.  

Netdiag membership test failed on PDC!  I do not see how this can be really.

DNS setting for non-PDC DC’s ok till I get to nltest to test for Global Catalogs – NO_LOGON_SERVER error
But, _gc entries for each DC (I read you are not to have the Infrastructure Master be a GC, so I removed it).

NETDIAG:
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'domain' is broken.
[ERROR_NO_LOGON_SERVERS]
I get this error for both non-PDC DC’s connecting to the domain.

I am getting the NO_LOGON_SERVERS error a lot throughout the testing.

Dnscmd from SQL to PDC errors out – access denied (no logon server maybe?)

I may have to eat my words about DNS being ok.  Or, one of the services on PDC is not functioning.  All services on PDC are running.  Active Directory event logging is not giving any errors.  RPC server maybe?

I have posted all my testing results to my website. It is not in a pretty format, but the info is there. Take a look if you like.
http://www.white-sphere.com/utilResults.html

Thanks,
Carpy7
Zaheer Iqbal, Technical Assurance & Implementation

Commented:
Can u ping the domain controller?
Domain controller cannot be found.
So is it visible on the network?
The NIC that u disabled was the right one, double check ur settings for IP etc..
As I say it will be something that is easy to fix but can't be seen in all the frustration!!
Zaheer Iqbal, Technical Assurance & Implementation

Commented:
I was having similar problems. Thought it was due to DNS at first, then file replication seemed like the problem. After much trial and error, I found that my DC with the PDC role was not sharing the sysvol folder. This article on the Microsoft site helped:
http://support.microsoft.com/default.aspx?scid=kb;en-us;257338
I checked my registry and found that my sysvol source folder was set to the wrong path (it was c:\winnt instead of d:\winnt). I corrected the path, restarted both domain controllers and after 15 minutes or so, my sysvol and netlogon shares reappeared and all replication was back to normal. I did get an extra automatically generated connection object in AD Sites and Services for my second DC, but both the new and original worked, so I deleted the second one.
good luck
J

Author

Commented:
So, I am afraid I never found out Exactly what the problem was, I get annoyed when that happens but oh well.  I resorted to ripping the Master Roles away from the PDC and gave them to another DC without the ability to copy the information properly.  I then uninstalled active directory from PDC, removed the PDC DC entries in the domain, and then rebuilt active directory on PDC and reconnected her to the domain.  This cleared up the replication communication problem.  Luckily, this domain is pretty small and any data loss from the rough roles transfer did not affect the domain.
Btw, I did try the sysvol rebuild and that did not seem to do the trick after all.

Thank you for all the help guys,
Carpy7
