Solved

Event 1925 and 1926 appearing every few seconds- NTDS KCC

Posted on 2004-08-02
12
10,088 Views
Last Modified: 2009-08-30
Hi, my newly upgraded server (Root DC for around 30 Child 2k domains on a WAN) seems to work fine expect I get Event 1925 and 1926 appearing in the Directory Services log every few seconds. I believe my DNS to be fine (primary and Reverse lookup on Root DC). I have a feeling its to do with the WAN routers since I have done many servers on a LAN without a problem.

I can't find much on the web so any help would be great.

Thanks

James
0
Comment
Question by:m0bov
  • 8
  • 2
12 Comments
 

Author Comment

by:m0bov
ID: 11692020
Result from dcdiag on ROOT DC.

Doing initial required tests

   Testing server: Default-First-Site-Name\SWANSK
      Starting test: Connectivity
         ......................... SWANSK passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SWANSK
      Starting test: Replications
         [Replications Check,SWANSK] A recent replication attempt failed:
            From 2041C to SWANSK
            Naming Context: CN=Schema,CN=Configuration,DC=swanad,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2004-08-02 09:46:33.
            The last success occurred at 2004-08-02 07:46:10.
            2 failures have occurred since the last success.
            [2041C] DsBindWithSpnEx() failed with error 1722,
            The RPC server is unavailable..
            The source remains down. Please check the machine.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source GROVESCH
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         [Replications Check,SWANSK] A recent replication attempt failed:
            From 2014C to SWANSK
            Naming Context: CN=Schema,CN=Configuration,DC=swanad,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2004-08-02 09:46:57.
            The last success occurred at 2004-07-31 02:56:26.
            55 failures have occurred since the last success.
            The source 2014C is responding now.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source GROVESCH
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         [Replications Check,SWANSK] A recent replication attempt failed:
            From 2014C to SWANSK
            Naming Context: CN=Configuration,DC=swanad,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2004-08-02 09:45:45.
            The last success occurred at 2004-07-31 02:55:59.
            55 failures have occurred since the last success.
            The source 2014C is responding now.
         [Replications Check,SWANSK] A recent replication attempt failed:
            From 2041C to SWANSK
            Naming Context: CN=Configuration,DC=swanad,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2004-08-02 09:46:06.
            The last success occurred at 2004-08-02 08:41:11.
            2 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,SWANSK] No replication recently attempted:
            From 2014C to SWANSK
            Naming Context: DC=greenwrythe,DC=swanad,DC=local
            The last attempt occurred at 2004-07-31 02:56:33 (about 55 hou
).
         REPLICATION-RECEIVED LATENCY WARNING
         SWANSK:  Current time is 2004-08-02 10:42:21.
            CN=Schema,CN=Configuration,DC=swanad,DC=local
               Last replication recieved from 2014C at 2004-07-31 02:56:26
            CN=Configuration,DC=swanad,DC=local
               Last replication recieved from 2014C at 2004-07-31 02:55:59
            DC=greenwrythe,DC=swanad,DC=local
               Last replication recieved from 2014C at 2004-07-31 02:56:33
         ......................... SWANSK passed test Replications
      Starting test: NCSecDesc
         ......................... SWANSK passed test NCSecDesc
      Starting test: NetLogons
         ......................... SWANSK passed test NetLogons
      Starting test: Advertising
         ......................... SWANSK passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SWANSK passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SWANSK passed test RidManager
      Starting test: MachineAccount
         ......................... SWANSK passed test MachineAccount
      Starting test: Services
         ......................... SWANSK passed test Services
      Starting test: ObjectsReplicated
         ......................... SWANSK passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SWANSK passed test frssysvol
      Starting test: frsevent
         ......................... SWANSK passed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 08/02/2004   10:39:27
            Event String: The attempt to establish a replication link for
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 08/02/2004   10:39:27
            Event String: The attempt to establish a replication link for
         An Warning Event occured.  EventID: 0x80000786
            Time Generated: 08/02/2004   10:39:27
            Event String: The attempt to establish a replication link to a
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 08/02/2004   10:39:27
            Event String: The attempt to establish a replication link for
         An Warning Event occured.  EventID: 0x80000786
            Time Generated: 08/02/2004   10:39:27
            Event String: The attempt to establish a replication link to a
         ......................... SWANSK failed test kccevent
      Starting test: systemlog
         ......................... SWANSK passed test systemlog
      Starting test: VerifyReferences
         ......................... SWANSK passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefVali

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDo

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefVali

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDo

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValid
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : swanad
      Starting test: CrossRefValidation
         ......................... swanad passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... swanad passed test CheckSDRefDom

   Running enterprise tests on : swanad.local
      Starting test: Intersite
         ......................... swanad.local passed test Intersite
      Starting test: FsmoCheck
         ......................... swanad.local passed test FsmoCheck
0
 

Author Comment

by:m0bov
ID: 11693349
Got his on a server in a child domain at a remote site.
0
 

Author Comment

by:m0bov
ID: 11693494
Doing primary tests

   Testing server: Default-First-Site-Name\GROVESCH
      Starting test: Replications
         ......................... GROVESCH passed test Replications
      Starting test: NCSecDesc
         ......................... GROVESCH passed test NCSecDesc
      Starting test: NetLogons
         ......................... GROVESCH passed test NetLogons
      Starting test: Advertising
         ......................... GROVESCH passed test Advertising
      Starting test: KnowsOfRoleHolders
         [SWANSK] DsBind() failed with error 1722,
         The RPC server is unavailable..
         Warning: SWANSK is the Schema Owner, but is not responding to DS RPC Bi
nd.
         [SWANSK] LDAP connection failed with error 58,
         The specified server cannot perform the requested operation..
         Warning: SWANSK is the Schema Owner, but is not responding to LDAP Bind
.
         Warning: SWANSK is the Domain Owner, but is not responding to DS RPC Bi
nd.
         Warning: SWANSK is the Domain Owner, but is not responding to LDAP Bind
.
         ......................... GROVESCH failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... GROVESCH passed test RidManager
      Starting test: MachineAccount
         ......................... GROVESCH passed test MachineAccount
      Starting test: Services
         ......................... GROVESCH passed test Services
      Starting test: ObjectsReplicated
         ......................... GROVESCH passed test ObjectsReplicated
      Starting test: frssysvol
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... GROVESCH passed test frssysvol
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:34:49
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:34:49
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:35:10
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:35:31
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:35:52
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:36:13
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:36:35
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:36:56
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:37:17
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:37:38
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000583
            Time Generated: 08/02/2004   14:37:42
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:37:59
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:38:20
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:38:41
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:39:02
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:39:24
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:39:45
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:40:06
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000583
            Time Generated: 08/02/2004   14:40:19
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/02/2004   14:40:27
            (Event String could not be retrieved)
         ......................... GROVESCH failed test kccevent
      Starting test: systemlog
         ......................... GROVESCH passed test systemlog

   Running enterprise tests on : swanad.local
      Starting test: Intersite
         ......................... swanad.local passed test Intersite
      Starting test: FsmoCheck
         ......................... swanad.local passed test FsmoCheck
0
 
LVL 3

Expert Comment

by:MartijnMoree
ID: 11697455
Check DNS and make sure the servers are pointing to one central DNS server. You may have to check those events for which servers are not replicating correctly and check if they can ping each other by GUID (Get the GUIDs from Active Directory Sites & Services).

The child domain's DNS should use the root domain as forwarder.

Again, check the events and single out the servers having the problems. If possible, paste a couple of those events here.
0
 

Author Comment

by:m0bov
ID: 11701272
Hi, thanks for info. I have a child domain server within a child ie sales.headoffice.acnecorp.com within headoffice.acnecorp.com, what forward should sales server have? Should it look to headoffice server or acnecorp root DC??

All servers out on site point to themselfs for DNS, they have a forwarder and reverse lookup, all AD integrated and dynamic non secure updates. They all have forwarders to the Root DC and out ISP DNS incase the Root DC goes down(to maintain surfing).

Is this correct?

Will paste some more info here.

Cheers,

james
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:m0bov
ID: 11701284
Just checked one of the off site child domain servers, its still thinks SWANSK is Schema mastr even though I have set it back to SWANSK2 which is an additional domain server I used during the upgrade.

C:\Program Files\Support Tools>dcdiag

DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Default-First-Site-Name\GROVESCH
      Starting test: Connectivity
         ......................... GROVESCH passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\GROVESCH
      Starting test: Replications
         ......................... GROVESCH passed test Replications
      Starting test: NCSecDesc
         ......................... GROVESCH passed test NCSecDesc
      Starting test: NetLogons
         ......................... GROVESCH passed test NetLogons
      Starting test: Advertising
         ......................... GROVESCH passed test Advertising
      Starting test: KnowsOfRoleHolders
         [SWANSK] DsBind() failed with error 1722,
         The RPC server is unavailable..
         Warning: SWANSK is the Schema Owner, but is not responding to DS R
nd.
         [SWANSK] LDAP connection failed with error 58,
         The specified server cannot perform the requested operation..
         Warning: SWANSK is the Schema Owner, but is not responding to LDAP
.
         Warning: SWANSK is the Domain Owner, but is not responding to DS R
nd.
         Warning: SWANSK is the Domain Owner, but is not responding to LDAP
.
         ......................... GROVESCH failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... GROVESCH passed test RidManager
      Starting test: MachineAccount
         ......................... GROVESCH passed test MachineAccount
      Starting test: Services
         ......................... GROVESCH passed test Services
      Starting test: ObjectsReplicated
         ......................... GROVESCH passed test ObjectsReplicated
      Starting test: frssysvol
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... GROVESCH passed test frssysvol
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:34:39
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:34:39
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:35:00
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:35:21
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:35:42
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:36:03
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:36:24
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:36:45
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:37:06
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:37:28
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:37:49
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:38:10
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:38:31
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:38:52
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:39:13
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:39:34
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:39:55
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000583
            Time Generated: 08/03/2004   08:40:08
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:40:17
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:40:17
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:40:17
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:40:38
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000583
            Time Generated: 08/03/2004   08:40:39
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:40:59
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:41:20
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:41:41
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:42:02
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:42:23
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:42:44
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:43:05
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:43:27
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:43:48
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:44:09
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:44:30
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:44:51
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800004F1
            Time Generated: 08/03/2004   08:45:12
            (Event String could not be retrieved)
         ......................... GROVESCH failed test kccevent
      Starting test: systemlog
         ......................... GROVESCH passed test systemlog

   Running enterprise tests on : swanad.local
      Starting test: Intersite
         ......................... swanad.local passed test Intersite
      Starting test: FsmoCheck
         ......................... swanad.local passed test FsmoCheck

C:\Program Files\Support Tools>
0
 

Author Comment

by:m0bov
ID: 11701340
Event Type:      Error
Event Source:      NTDS Replication
Event Category:      (5)
Event ID:      1411
Date:            03/08/2004
Time:            08:54:14
User:            Everyone
Computer:      GROVESCH
Description:
The Directory Service failed to construct a mutual authentication Service Principal Name (SPN) for server 24d4d79e-b660-4e66-a535-888c8778f776._msdcs.swanad.local.  The call is denied. The error was:
 The DSA object could not be found.
 
 The record data is the status code.
Data:
0000: e3 20 00 00               ã ..    




Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      (1)
Event ID:      1265
Date:            03/08/2004
Time:            08:45:12
User:            N/A
Computer:      GROVESCH
Description:
The attempt to establish a replication link with parameters
 
 Partition: CN=Schema,CN=Configuration,DC=swanad,DC=local
 Source DSA DN: CN=NTDS Settings,CN=3500C,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=swanad,DC=local
 Source DSA Address: a3013ad8-087e-4823-a355-bcd389f0cd11._msdcs.swanad.local
 Inter-site Transport (if any):
 
 failed with the following status:
 
 The RPC server is unavailable.
 
 The record data is the status code.  This operation will be retried.
Data:
0000: ba 06 00 00               º...    


Got the above on one of the childs, I think there all doing it.
0
 

Author Comment

by:m0bov
ID: 11701477
Hi, could ping a remote server using the DNS Alias.
0
 

Author Comment

by:m0bov
ID: 11701870
Have tried using replmon to force a sync, now got the following for each domain.

Event Type:      Information
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1482
Date:            03/08/2004
Time:            09:57:38
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SWANSK
Description:
The following directory partition is no longer available on the domain controller at the following network address.
 
Directory partition:
DC=victorseymour,DC=swanad,DC=local
Domain controller:
CN=NTDS Settings,CN=SWANSK2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=swanad,DC=local
Network address:
24d4d79e-b660-4e66-a535-888c8778f776._msdcs.swanad.local
 
As a result, the local domain controller will no longer replicate this directory partition from this domain controller.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


0
 
LVL 3

Accepted Solution

by:
MartijnMoree earned 500 total points
ID: 11719581
What server is listed when you ping 24d4d79e-b660-4e66-a535-888c8778f776._msdcs.swanad.local  ?

It should come back with the name of a server and with an IP address. It looks like the Domain Controllers are looking for a machine that no longer exists.

If that is the case, remove it from active directory using this KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;2216498
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now