asked on

KCC EVENTS 1371 & 1168 - NTDS Inter-Site Messaging.

Hello there,
I have the following problem and I need help from anyone who has deal with the same problem.
I manually remove data from Active Directory -after an unsuccessful domain controller demotion- using Ntdsutil utility.
Although the whole procedure was successful (no error messages or warnings during the metadata cleanup),
since then the following event messages are record every 15 min:

Source: NTDS Inter-site
Category: Inter-Site Messaging
EventID: 1371
Type: Warning

The attempt to send 4076 bytes to service NTDS Replication
at address 3d19f55b-ae91-4e26-bedd-21f3b01818b3._msdcs.myDomain.com
via transport CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,
DC=myDomain,DC=com failed with the following status:

The parameter is incorrect.

The record data is the status code.

...and

Source: NTDS Inter-site
Category: Internal Processing
EventID: 1168
Type: Error

Error -2147024809(80070057) has occurred (Internal ID 11070503).
Please contact Microsoft Product Support Services for assistance.

Any suggestions from anyone?

etracsupport

Did you clean up sites and services make sure that the dc is gone and all connectors

cfairley

If you ping the GUID 3d19f55b-ae91-4e26-bedd-21f3b01818b3._msdcs.myDomain.com it will tell you which DC it's trying to talk to, which is probably the one that was demoted. If so, you need to run adsiedit.msc and delete the DC and site if it is no longer used.

crissand

Event id 1168: Looks like you have orphaned objects in active directory. One recomandation is to restart the server in directory service restore mode and to use ntdsutil to do semantic check. Microsoft said that you must increase the server's memory, but I don't think it is aplicable here.

fratomb

ASKER

Hello guys and thanks for your response. My answers to your comments are:

To etracsupport:
Yes I've already clean up sites and services and connectors. There are no more references to the demoted DC.

To cfairley:
Yes I do know that this GUID belongs to the demoted DC and I've already run ADSIEdit to clean up all the references to the demoted DC.

To crissand:
Yes this is the problem, some remains of orphaned objects are still in Active Directory. Regarding the Microsoft's suggestion, I agree with you it's not applicable here because, fisrt of all, the server has already 1.5GB of RAM, and second, i don't see any relation of server's memory to my problem. Now about your recommendation to restart the server in directory service restore mode and to use ntdsutil to do semantic check, this a thing I didn't do until now but I will.

Anyway some things I also did until now are DCDiag and NetDiag with the following results:

DCDiag:
Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: MySite\MYSERVER
Starting test: Connectivity
......................... MYSERVER passed test Connectivity

Doing primary tests

Testing server: MySite\MYSERVER
Starting test: Replications
......................... MYSERVER passed test Replications
Starting test: NCSecDesc
......................... MYSERVER passed test NCSecDesc
Starting test: NetLogons
......................... MYSERVER passed test NetLogons
Starting test: Advertising
......................... MYSERVER passed test Advertising
Starting test: KnowsOfRoleHolders
......................... MYSERVER passed test KnowsOfRoleHolders
Starting test: RidManager
......................... MYSERVER passed test RidManager
Starting test: MachineAccount
......................... MYSERVER passed test MachineAccount
Starting test: Services
Could not open SMTPSVC Service on [MYSERVER]:failed with 1060: Win32 Error 1060
......................... MYSERVER failed test Services
Starting test: ObjectsReplicated
......................... MYSERVER passed test ObjectsReplicated
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... MYSERVER passed test frssysvol
Starting test: kccevent
An Error Event occured. EventID: 0xC0000490
Time Generated: 10/06/2004 13:08:35
Event String: Error -2147024809(80070057) has occurred

An Warning Event occured. EventID: 0x8000055B
Time Generated: 10/06/2004 13:08:35
Event String: The attempt to send 4052 bytes to service

An Error Event occured. EventID: 0xC0000490
Time Generated: 10/06/2004 13:08:35
Event String: Error -2147024809(80070057) has occurred

An Warning Event occured. EventID: 0x8000055B
Time Generated: 10/06/2004 13:08:35
Event String: The attempt to send 4076 bytes to service

......................... MYSERVER failed test kccevent
Starting test: systemlog
......................... MYSERVER passed test systemlog

Running enterprise tests on : MyDomain.com
Starting test: Intersite
......................... MyDomain.com passed test Intersite
Starting test: FsmoCheck
......................... MyDomain.com passed test FsmoCheck

...and

NETDiag:

Computer Name: MYSERVER
DNS Host Name: MYSERVER.MyDomain
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 8 Stepping 6, GenuineIntel
List of installed hotfixes :
KB329115
KB820888
KB822831
KB823182
KB823559
KB823980
KB824105
KB824141
KB824146
KB825119
KB826232
KB828028
KB828035
KB828741
KB828749
KB829558
KB835732
KB837001
KB837272
KB839643-DirectX9
KB839645
KB840315
KB841872
KB841873
KB842526
KB842933
Q147222
Q816093
Q828026

Netcard queries test . . . . . . . : Passed

Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : MYSERVER
IP Address . . . . . . . . : 192.168.2.6
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.2.1
NetBIOS over Tcpip . . . . : Disabled
Dns Servers. . . . . . . . : 192.168.2.6
192.168.1.6

AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

WINS service test. . . . . : Skipped
NetBT is disable on this interface. [Test skipped].

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Skipped
There are no interfaces that have NetBT enabled. [Test skipped]

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Skipped
There are no interfaces that have NetBT enabled. [Test skipped]

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.2.6' and other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS server '192.168.1.6' and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Skipped
There are no interfaces that have NetBT enabled. [Test skipped]

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.

The command completed successfully

Thanks again.
Waiting for your, or anyone's else, responce.

crissand

The ntdsutil in directory service restore mode will fix the errors.

fratomb

ASKER

Hello there again.
This morning I tried to run the ntdsutil in directory service restore mode, which according to crissand will solve the problem.
The following represends what i did:

C:\>ntdsutil
ntdsutil: files
file maintenance: repair
Opening database [Current].
Executing Command: C:\WINNT\system32\esentutl.exe /p "C:\WINNT\NTDS\ntds.dit" /!10240 /8 /v /x /o

Initiating REPAIR mode...
Database: C:\WINNT\NTDS\ntds.dit
Temp. Database: REPAIR.EDB
got 149217 buffers
checking database header
forcing database to consistent state

checking database integrity

Scanning Status ( % complete )

0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
checking SystemRoot
SystemRoot (OE)
SystemRoot (AE)
checking system table
MSysObjectsShadow
MSysObjects
Name
RootObjects
rebuilding and comparing indexes
checking table "datatable" (6)
checking data
......................... checking long value tree (48)
......... checking index "PhantomIndex" (117)
checking index "INDEX_000906B6" (116)
checking index "INDEX_000905A3" (115)
checking index "INDEX_00090656" (114)
checking index "INDEX_000905A2" (113)
checking index "LCL_ABVIEW_index00000408" (112)
checking index "INDEX_00150002" (109)
checking index "INDEX_00020107" (108)
checking index "INDEX_74D4827B" (107)
checking index "INDEX_27F8005A" (106)
checking index "INDEX_27F80030" (105)
checking index "INDEX_00020160" (104)
checking index "INDEX_27F8005D" (103)
checking index "INDEX_27F80051" (102)
checking index "INDEX_27F82B32" (101)
checking index "INDEX_27F81B7D" (100)
checking index "INDEX_27F81B7C" (99)
checking index "INDEX_27F81B7B" (98)
checking index "INDEX_27F81B7E" (97)
checking index "INDEX_27F82711" (96)
checking index "INDEX_0002018A" (95)
checking index "INDEX_27F8003F" (94)
checking index "INDEX_27F80065" (93)
checking index "INDEX_000201BF" (92)
checking index "INDEX_27F81B70" (91)
checking index "INDEX_27F82329" (90)
checking index "DNT_IsDeleted_Index" (88)
. checking index "INDEX_000901FD" (87)
checking index "INDEX_000901F6" (86)
checking index "INDEX_000900DE" (85)
checking index "INDEX_000201D5" (84)
checking index "INDEX_000902BB" (83)
checking index "INDEX_000903B4" (82)
checking index "INDEX_000200A9" (81)
checking index "INDEX_0009039D" (80)
checking index "INDEX_0009039A" (79)
checking index "INDEX_00090098" (78)
checking index "INDEX_00090395" (77)
checking index "INDEX_00090089" (76)
checking index "INDEX_00090587" (75)
checking index "INDEX_00090586" (74)
checking index "INDEX_00090582" (73)
checking index "INDEX_00090573" (72)
checking index "INDEX_00090073" (71)
checking index "INDEX_00090571" (70)
checking index "INDEX_0009056C" (69)
checking index "INDEX_00090167" (68)
checking index "INDEX_00090553" (67)
checking index "INDEX_0009014E" (66)
checking index "INDEX_0009014D" (65)
checking index "INDEX_0009014C" (64)
checking index "INDEX_00090147" (63)
checking index "INDEX_00090141" (62)
checking index "INDEX_00090140" (61)
checking index "INDEX_0009013A" (60)
checking index "INDEX_00090138" (59)
checking index "INDEX_00090330" (58)
. checking index "INDEX_00090030" (57)
checking index "INDEX_00020013" (56)
checking index "INDEX_00090013" (55)
checking index "INDEX_00000013" (54)
checking index "INDEX_0000000B" (53)
checking index "INDEX_00000007" (52)
checking index "INDEX_00000003" (51)
.. checking index "INDEX_00150003" (50)
checking index "INDEX_00090202" (49)
checking index "INDEX_000904E1" (46)
checking index "INDEX_00090363" (45)
checking index "INDEX_0009030E" (44)
checking index "INDEX_00090303" (43)
checking index "INDEX_000902EE" (42)
checking index "INDEX_00090290" (41)
. checking index "INDEX_0009028F" (40)
checking index "INDEX_00090261" (39)
checking index "INDEX_000901FF" (38)
checking index "INDEX_00090171" (37)
checking index "INDEX_0009012E" (36)
checking index "INDEX_000900DD" (35)
checking index "INDEX_00090085" (34)
checking index "INDEX_00090062" (33)
checking index "INDEX_00090057" (32)
checking index "INDEX_0009001C" (31)
checking index "INDEX_00090008" (30)
checking index "INDEX_000201CC" (29)
checking index "INDEX_000200D2" (28)
checking index "INDEX_00020078" (27)
. checking index "INDEX_00020073" (26)
checking index "INDEX_0002000D" (25)
checking index "INDEX_0000002A" (24)
checking index "INDEX_00000004" (23)
checking index "NC_Acc_Type_Name" (22)
checking index "PDNT_index" (21)
.. checking index "INDEX_00090001" (20)
. checking index "Ancestors_index" (13)
. checking index "DRA_USN_CREATED_index" (12)
checking index "DRA_USN_index" (11)
. checking index "del_index" (10)
checking index "INDEX_00090002" (9)
. checking index "NC_Acc_Type_Sid" (8)
checking index "INDEX_00090092" (7)
rebuilding and comparing indexes
checking table "hiddentable" (16)
checking data
rebuilding and comparing indexes
checking table "link_table" (14)
checking data
checking index "backlink_index" (15)
rebuilding and comparing indexes
checking table "MSysDefrag1" (110)
checking data
checking index "TablesToDefrag" (111)
rebuilding and comparing indexes
checking table "sdproptable" (17)
checking data
checking index "clientid_index" (19)
checking index "trim_index" (18)
rebuilding and comparing indexes
.....

integrity check completed.
Warning:
You MUST delete the logfiles for this database

Note:
It is recommended that you immediately perform a full backup
of this database. If you restore a backup made before the
repair, the database will be rolled back to the state
it was in at the time of that backup.

Operation completed successfully in 23.844 seconds.

Spawned Process Exit code 0x0(0)

Check repair.txt and event log for repair info.
If repair was successful, it is recommended
you run semantic database analysis to insure
semantic database consistency as well.

file maintenance: quit
ntdsutil: semantic database analysis

semantic checker: go
Fixup mode is turned off
Opening database [Current].....Done.

Getting record count...10109 records
Writing summary into log file dsdit.dmp.0
Records scanned: 10100
Processing records..
Error: Missing subrefs detected.
Done.

semantic checker: go fixup
Fixup mode is turned on

Opening DIT database... Done.

Done.

Opening database [Current].....Done.

Getting record count...10109 records
Writing summary into log file dsdit.dmp.1
Records scanned: 10100
Processing records..
Error: Missing subrefs detected.

Error: Inconsistent refcounts detected.
Done.

semantic checker: go
Fixup mode is turned off
Opening database [Current].....Done.

Getting record count...10109 records
Writing summary into log file dsdit.dmp.2
Records scanned: 10100
Processing records..Done.

semantic checker: quit
file maintenance: quit
ntdsutil: quit

C:\>

The repair.txt file was empty and the there were no events.
The following are the log files:

dsdit.dmp.0

Missing subref entry for 17138 on 1161.
Summary:
Active Objects        9411
Phantoms        73
Deleted        625

dsdit.dmp.1

Missing subref entry for 17138 on 1161.
Added subref 17138 to object 1161.
Summary:
Active Objects        9411
Phantoms        73
Deleted        625

RefCount mismatch for DNT 17138 [RefCount 13 References 14] [Fixed]

...and

dsdit.dmp.2

Summary:
Active Objects        9411
Phantoms        73
Deleted        625

Unfortunately the problem still exists.

Any other suggestions? Anyone?

crissand

Run only semantic check and fixup. While in directory restore mode:

type:

ntdsutil semantic database analysis

if errors reported, type:

ntdsutil go fixup

fratomb

ASKER

I did the semantic check and fixup for a second time with no errors report.

The following is the dsdit.dmp file:

Summary:
Active Objects 9380
Phantoms 81
Deleted 636

As you can see nothing changed from the last ntdsutil and also the problem still exists.

What's next?

crissand

Have you installed the last service pack?

Microsoft consider this can be related to controlling the 389 port. The suggestion is to use lpd from support tools to see how the dc is connecting to AD.

I know there are viruses that tries to use port 389, but I guess the server is protected.

Try a forced replication.

fratomb

ASKER

Yes the DC has installed the SP4, and sure is virus protected.
The server is using the port 389 to connect to AD and seems to connect without problems as you can see...

ld = ldap_open("MyServer", 389);
Established connection to MyServer.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
      1> currentTime: 10/12/2004 8:40:53 GTB Standard Time GTB Daylight Time;
      1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=MyDomain,DC=com;
      1> dsServiceName: CN=NTDS Settings,CN=MyServer,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=com;
      3> namingContexts: CN=Schema,CN=Configuration,DC=MyDomain,DC=com; CN=Configuration,DC=MyDomain,DC=com; DC=MyDomain,DC=com;
      1> defaultNamingContext: DC=MyDomain,DC=com;
      1> schemaNamingContext: CN=Schema,CN=Configuration,DC=MyDomain,DC=com;
      1> configurationNamingContext: CN=Configuration,DC=MyDomain,DC=com;
      1> rootDomainNamingContext: DC=MyDomain,DC=com;
      16> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801; 1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417; 1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841; 1.2.840.113556.1.4.529; 1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521; 1.2.840.113556.1.4.970; 1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474; 1.2.840.113556.1.4.1339; 1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413;
      2> supportedLDAPVersion: 3; 2;
      12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxActiveQueries; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn;
      1> highestCommittedUSN: 2130148;
      2> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO;
      1> dnsHostName: MyServer.MyDomain.com;
      1> ldapServiceName: MyDomain.com:MyServer$@MyDomain.com;
      1> serverName: CN=MyServer,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=MyDomain,DC=com;
      2> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1791;
      1> isSynchronized: TRUE;
      1> isGlobalCatalogReady: TRUE;
-----------

Regarding the replication, please take a look at the following log files:

"MyServer-CN=Configuration,DC=MyDomain,DC=com--NO DATA-.log" which includes the following info:

"DateTime","12/10/2004 8:00:48 πμ"
"USNData","254069"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","14611"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","340118"
"DateTime","12/10/2004 8:00:48 πμ"
"PartnerType",">> Direct Replication Partner Data <<"
"DirectPartnerUSN","Property Update USN: 340117"
"DirectPartnerFailure","Changes have not been successfully replicated from **DELETED SERVER #3 for 1187 attempt(s)."
"DirectPartnerFailure","The reason is: The parameter is incorrect."
"DirectPartnerFailure","The last replication attempt was: 10/12/2004 7:56:00 AM (local)"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","12523"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","307941"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","11353"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","143393"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","4064"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","215426"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","204380"

...and

"MyServer-CN=Schema,CN=Configuration,DC=MyDomain,DC=com--NO DATA-.log" which includes the following info:

"DateTime","12/10/2004 8:00:47 πμ"
"USNData","254041"
"DateTime","12/10/2004 8:00:47 πμ"
"USNData","14611"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","340118"
"DateTime","12/10/2004 8:00:48 πμ"
"PartnerType",">> Direct Replication Partner Data <<"
"DirectPartnerUSN","Property Update USN: 338138"
"DirectPartnerFailure","Changes have not been successfully replicated from **DELETED SERVER #3 for 1198 attempt(s)."
"DirectPartnerFailure","The reason is: The parameter is incorrect."
"DirectPartnerFailure","The last replication attempt was: 10/12/2004 7:56:01 AM (local)"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","12523"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","307941"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","11353"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","143393"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","4064"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","215426"
"DateTime","12/10/2004 8:00:48 πμ"
"USNData","204380"

Any conclusions?

crissand

It seems you lost one of the dc's that has a fsmo roles. You can use dumpfsmos.cmd from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpfsmos-o.asp
to see what dc's have those roles.

fratomb

ASKER

All the five FSMO roles are assigned to 2 different DC's.
One of these is actually the server which has the problem we are trying to solve.
This server holds up the 3/5 of the roles ie: Schema, PDC, Rid.
The other one holds the Infrastructure and the Domain Tree Operations.
All the 5 roles are assigned to alive DC's.
What else?

crissand

Maybe there is not enough free space on the new server's disk? Or is a difference in date and time between the new server and the pdc emulator? Do you have warnings about time in event log?

There is a posibility that the sysvol share on the new dc is missing, or the followind users doesn't have access to that share: full access for Administrators, Creator/Owner and system, read for server operators and authenticated users. Also see who is the owner of that share: must be reset to Administrators.

The time difference error create a lot of problems with replication, and dcpromo can fail.

fratomb

ASKER

Hello again.
The DC we are talking about is not new. It is running since 2000.
It is the Schema, PDC and Rid, of the domain and has about 1.5GB free disk space.
The sysvol share exists on it and the permissions to that share are according to your suggestion.
Although the time and date are synchronized on all DC's in the domain, I do have w32time EventID:54 and EventID:64 warnings on that DC.
Is this rings any bells to you?
Thanks in advance.

crissand

There is a posibility that this domain controller to have a name already existing. Plese, verify.

Verify the tcp/ip properties to have: <Append primary and connection specific DNS suffixes> enabled.

Move the PDC role to another computer. If this computer is the PDC emulator, then it is the source fo time for every other dc's.

The time cannot be synchronized if:

Norton autoprotect is on.
The server cannot find a dns. Run
netdiag /v

if ok run
“w32tm /resync /nowait

fratomb

ASKER

"There is a posibility that this domain controller to have a name already existing." What do you mean by that?

The tcp/ip is ok.
The netdiag runs without errors.

When tried to transfer the PDC role to another DC, (in other site because I don't have another DC in mine), netlogon errors occured. These, are the following:

Source: NETLOGON
EventID: 5705
Type: Error

The change log cache maintained by the Netlogon service for database changes is corrupted.
The Netlogon service is resetting the change log.

Source: NETLOGON
EventID: 3096
Type: Error

The Windows NT domain controller for this domain could not be located.

Source: NETLOGON
EventID: 5719
Type: Error

No Windows NT or Windows 2000 Domain Controller is available for
domain MYDOMAIN.
The following error occurred:
There are currently no logon servers available to service the logon request.

The "w32tm /resync /nowait" it doesn't run.
W32tm does not recognise switches "/resync" or "/nowait" or both.
See "w32tm/?".

Any ideas?

ASKER CERTIFIED SOLUTION

crissand

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

KCC EVENTS 1371 &amp; 1168 - NTDS Inter-Site Messaging.

KCC EVENTS 1371 & 1168 - NTDS Inter-Site Messaging.