Solved

Windows 2003 DC's not replicating, Access is denied

Posted on 2004-10-13
Last Modified: 2008-01-09
I have a small network with primarily Windows 2000 advanced servers providing web services with a back end MS SQL server cluster. I have two Domain Controllers with Active Directory installed. These two machines are Windows Server 2003 Enterprise Edition. AD is required for the SQL database cluster to work. The first DC machine has DNS services installed. When setting up this machine I just used the default wizard. The second DC was installed as the 2nd DC in the domain.

Machines are able to join the domain but then I keep seeing messages in security log of the DC Event ID 529: Unknown user name or bad password.  This has primarily been from the 2nd DC server. I have not been able to reliably get the two machines to talk to each other.  AD logon credentials for users work fine.

Using AD Sites and Services I have been able to force replication from the 2nd DC to the primary but not the other way. Right now I can't force a replication either way.  I'm consistently getting 529 errors listing the 2nd DC IP address.
I was able to get the system working for about 4 hours today with no error messages. This afternoon the system started having problems again where replication wouldn't work. When I run repadmin /showreps I get the response "DSA operation failed because of a DNS lookup failure." The last successful replication was this morning at about 8am.

I have the 1st DC set up to receive the SQL backups from the server cluster.  This has been working for about a week now but the process is now failing with the SQL service no longer able to use the drive.  On the primary DC I'm now getting a 529 error Unknown user or Bad password listing the DB server IP address.

When the system failed I showed the DNS server having 4004,4015 errors.

One minute the services work fine, later everything just stops working.  I'm at a loss on what to do to get the system stable.  This is also on a production system where, due to an older server failure, we had to move the production DB over to the cluster sooner than I had planned.

Can someone point me in the right direction?  
Please let me know if there are diagnostic tools that you need run to assist.

Thanks

Kevin
Question by:kbmccrory
8 Comments
 
LVL 11

Expert Comment

by:cfairley
Have you tried the following:

Running ipconfig /registerdns from the 2nd DC.  This will properly register the DNS entries for the server.  Also, check the msds records for the server, you may have to create them manually.

I would also run dcdiag from both DCs and compare the results.

I'm sure you have rebooted many times, but I would also stop and restart the server service and netlogon service.

Another thing to try is stopping the KCC service and setting it to disabled on the 2nd DC.  Reboot the DC and restart the service and change it back to startup.  

I don't have all my tools with me now since I'm at home, but I'm sure the experts from this site will get you up and running in no time.  I can help some more first thing in the morning.

Thanks,
cfairley
0
 
LVL 2

Expert Comment

by:etracsupport
Install support tools and run dcdiag and netdiag on both servers.

How is DNS set up on the DCs? DNS server properties?

Also use dnscmd from support tools to see status of zones.
dnscmd /enum zones: please post
It sounds like your DNS zones are being stored in AD and in a file. How are your zones set up?
You can also use replmon in support tools to view replication and check USNs and many other options.

Also check all services on all servers and see if services are using any domain accounts other than local service and network service.

0
 

Author Comment

by:kbmccrory
Here are the results of running dnscmd /enumzones.
This is a local only domain that is used for the DB Server Cluster.

Enumerated zone list:

      Zone count = 4

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Legacy      
 _msdcs.mphqcops.opmg-eds.local Primary    AD-Forest       Secure
 40.168.192.in-addr.arpa        Primary    AD-Domain       Update Rev
 mphqcops.opmg-eds.local        Primary    AD-Domain       Update

Command completed successfully.


This is from replmon for the 1st DC:

Current Direct Replication Partner Status
-----------------------------------------

     Directory Partition: DC=mphqcops,DC=opmg-eds,DC=local

          Partner Name: Default-First-Site-Name\MPHQ-N02-SPT
               Partner GUID: 4EF78F2E-4BB7-4281-BE14-FB2FC3E27AEC
               Last Attempted Replication: 10/14/2004 8:58:04 AM (local)
               Last Successful Replication: 10/13/2004 1:54:37 PM (local)
               Number of Failures:  23
               Failure Reason Error Code:  5
               Failure Description: Access is denied.
               Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
               USN of Last Property Updated:  28789
               USN of Last Object Updated:  28789
               Transport: Intra-Site RPC

     Directory Partition: CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local

          Partner Name: Default-First-Site-Name\MPHQ-N02-SPT
               Partner GUID: 4EF78F2E-4BB7-4281-BE14-FB2FC3E27AEC
               Last Attempted Replication: 10/14/2004 8:58:04 AM (local)
               Last Successful Replication: 10/13/2004 1:54:37 PM (local)
               Number of Failures:  20
               Failure Reason Error Code:  5
               Failure Description: Access is denied.
               Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
               USN of Last Property Updated:  28779
               USN of Last Object Updated:  28779
               Transport: Intra-Site RPC

     Directory Partition: CN=Schema,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local

          Partner Name: Default-First-Site-Name\MPHQ-N02-SPT
               Partner GUID: 4EF78F2E-4BB7-4281-BE14-FB2FC3E27AEC
               Last Attempted Replication: 10/14/2004 8:58:04 AM (local)
               Last Successful Replication: 10/13/2004 1:54:37 PM (local)
               Number of Failures:  20
               Failure Reason Error Code:  5
               Failure Description: Access is denied.
               Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
               USN of Last Property Updated:  28764
               USN of Last Object Updated:  28764
               Transport: Intra-Site RPC

     Directory Partition: DC=DomainDnsZones,DC=mphqcops,DC=opmg-eds,DC=local

     Directory Partition: DC=ForestDnsZones,DC=mphqcops,DC=opmg-eds,DC=local


This is from replmon for the 2nd DC:

Current Direct Replication Partner Status
-----------------------------------------

     Directory Partition: DC=mphqcops,DC=opmg-eds,DC=local

          Partner Name: Default-First-Site-Name\MPHQ-N01-SPT
               Partner GUID: 3DDB7F5F-263F-4543-9E4A-B6DF4BC82FFE
               Last Attempted Replication: 10/14/2004 8:49:03 AM (local)
               Last Successful Replication: 10/13/2004 8:47:09 AM (local)
               Number of Failures:  45
               Failure Reason Error Code:  5
               Failure Description: Access is denied.
               Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
               USN of Last Property Updated:  123834
               USN of Last Object Updated:  123834
               Transport: Intra-Site RPC

     Directory Partition: CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local

          Partner Name: Default-First-Site-Name\MPHQ-N01-SPT
               Partner GUID: 3DDB7F5F-263F-4543-9E4A-B6DF4BC82FFE
               Last Attempted Replication: 10/14/2004 8:49:03 AM (local)
               Last Successful Replication: 10/13/2004 8:47:06 AM (local)
               Number of Failures:  27
               Failure Reason Error Code:  5
               Failure Description: Access is denied.
               Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
               USN of Last Property Updated:  123830
               USN of Last Object Updated:  123830
               Transport: Intra-Site RPC

     Directory Partition: CN=Schema,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local

          Partner Name: Default-First-Site-Name\MPHQ-N01-SPT
               Partner GUID: 3DDB7F5F-263F-4543-9E4A-B6DF4BC82FFE
               Last Attempted Replication: 10/14/2004 8:49:03 AM (local)
               Last Successful Replication: 10/13/2004 8:47:06 AM (local)
               Number of Failures:  27
               Failure Reason Error Code:  5
               Failure Description: Access is denied.
               Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
               USN of Last Property Updated:  123817
               USN of Last Object Updated:  123817
               Transport: Intra-Site RPC

          Change Notifications for this Directory Partition
          -------------------------------------------------
               Server Name: Default-First-Site-Name\MPHQ-N01-SPT
                    Object GUID: 3DDB7F5F-263F-4543-9E4A-B6DF4BC82FFE
                    Time Added:  <no value>
                    Flags:       DRS_WRIT_REP
                    Transport:   RPC


Please let me know if you need additional information...
Thanks
Kevin
0
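A sketch for triaging status text in the layout of the replmon output above, added here as an example and not part of the original post: it parses each partition/partner entry and reports, per partner, how many partitions are failing, with which error codes, and how long since the last success. The sample input is constructed and its domain and server names are hypothetical; treating "every partition from one partner fails with the same code" as a problem with the link between the two DCs rather than with one partition is a heuristic assumed for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the replmon status layout (hypothetical names).
SAMPLE = """\
Current Direct Replication Partner Status
-----------------------------------------

     Directory Partition: DC=example,DC=local

          Partner Name: Default-First-Site-Name\\DC02
               Last Attempted Replication: 10/14/2004 8:58:04 AM (local)
               Last Successful Replication: 10/13/2004 1:54:37 PM (local)
               Number of Failures:  23
               Failure Reason Error Code:  5
               Failure Description: Access is denied.
               Transport: Intra-Site RPC

     Directory Partition: CN=Configuration,DC=example,DC=local

          Partner Name: Default-First-Site-Name\\DC02
               Last Attempted Replication: 10/14/2004 8:58:04 AM (local)
               Last Successful Replication: 10/13/2004 1:54:37 PM (local)
               Number of Failures:  20
               Failure Reason Error Code:  5
               Failure Description: Access is denied.

     Directory Partition: DC=DomainDnsZones,DC=example,DC=local
"""


@dataclass
class Link:
    partition: str
    partner: str
    last_attempt: Optional[datetime] = None
    last_success: Optional[datetime] = None
    failures: int = 0
    error_code: Optional[int] = None
    description: str = ""

    @property
    def hours_stale(self) -> Optional[float]:
        """Hours between the last success and the last attempt."""
        if self.last_attempt and self.last_success:
            return (self.last_attempt - self.last_success).total_seconds() / 3600
        return None


def _when(value: str) -> Optional[datetime]:
    """Parse '10/14/2004 8:58:04 AM (local)'; None if the field is unparsable."""
    value = re.sub(r"\s*\(local\)$", "", value)
    try:
        return datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p")
    except ValueError:
        return None


def parse_status(text: str) -> list:
    """Return one Link per (partition, partner) entry in the status text."""
    links, partition, link = [], None, None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        value = value.strip()
        if not sep:
            continue  # headings and separator lines carry no field
        if key == "Directory Partition":
            partition, link = value, None  # partitions may list no partner
        elif key == "Partner Name" and partition:
            link = Link(partition, value.split("\\")[-1])  # drop the site prefix
            links.append(link)
        elif link is None:
            continue
        elif key == "Last Attempted Replication":
            link.last_attempt = _when(value)
        elif key == "Last Successful Replication":
            link.last_success = _when(value)
        elif key == "Number of Failures" and value.isdigit():
            link.failures = int(value)
        elif key == "Failure Reason Error Code" and value.isdigit():
            link.error_code = int(value)
        elif key == "Failure Description":
            link.description = value
    return links


def summarize(links: list) -> dict:
    """Per partner: failing partition count, error codes, worst staleness."""
    out = {}
    for partner in sorted({l.partner for l in links}):
        mine = [l for l in links if l.partner == partner]
        bad = [l for l in mine if l.failures > 0]
        codes = sorted({l.error_code for l in bad if l.error_code is not None})
        stale = [l.hours_stale for l in bad if l.hours_stale is not None]
        out[partner] = {
            "failing": len(bad),
            "total": len(mine),
            "codes": codes,
            "max_hours_stale": round(max(stale), 1) if stale else None,
            # Heuristic: same single code on every partition => look at the link.
            "link_wide": bool(bad) and len(bad) == len(mine) and len(codes) == 1,
        }
    return out


if __name__ == "__main__":
    for partner, info in summarize(parse_status(SAMPLE)).items():
        print(partner, info)
```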
 

Author Comment

by:kbmccrory
Would a flakey connection to an SNTP time server cause some of these problems?

In comparing the event logs from the DB server and the DC I noticed that the DC reported problems with synchronizing with the SNTP servers. The DB server tried to sync with the DC and was refused.  This was also reported by the DC. Right after that the security audit showed failed logon attempts from the DB server.  Prior to this the DB server had no issues with logging into the DC server.

Thanks.
Kevin
0
 

Author Comment

by:kbmccrory
Here are the results of the dcdiag for both DCs. The most noticeable problem seems to be the "Access is Denied" errors being generated by both servers when trying to replicate. Again this appears to be an intermittent problem.

mphq-n01-spt
Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine mphq-n01-spt, is a DC.
   * Connecting to directory service on server mphq-n01-spt.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\MPHQ-N01-SPT
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... MPHQ-N01-SPT passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\MPHQ-N01-SPT
      Starting test: Replications
         * Replications Check
         [Replications Check,MPHQ-N01-SPT] A recent replication attempt failed:
            From MPHQ-N02-SPT to MPHQ-N01-SPT
            Naming Context: CN=Schema,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2004-10-14 08:58:04.
            The last success occurred at 2004-10-13 13:54:37.
            20 failures have occurred since the last success.
         [Replications Check,MPHQ-N01-SPT] A recent replication attempt failed:
            From MPHQ-N02-SPT to MPHQ-N01-SPT
            Naming Context: CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2004-10-14 08:58:04.
            The last success occurred at 2004-10-13 13:54:37.
            20 failures have occurred since the last success.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source MPHQ-N02-SPT
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         [Replications Check,MPHQ-N01-SPT] A recent replication attempt failed:
            From MPHQ-N02-SPT to MPHQ-N01-SPT
            Naming Context: DC=mphqcops,DC=opmg-eds,DC=local
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2004-10-14 08:58:04.
            The last success occurred at 2004-10-13 13:54:37.
            23 failures have occurred since the last success.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source MPHQ-N02-SPT
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         MPHQ-N01-SPT:  Current time is 2004-10-14 09:13:12.
            CN=Schema,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
               Last replication recieved from MPHQ-N02-SPT at 2004-10-13 13:54:37.
            CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
               Last replication recieved from MPHQ-N02-SPT at 2004-10-13 13:54:37.
            DC=mphqcops,DC=opmg-eds,DC=local
               Last replication recieved from MPHQ-N02-SPT at 2004-10-13 13:54:37.
         * Replication Site Latency Check
         ......................... MPHQ-N01-SPT passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
           DC=ForestDnsZones,DC=mphqcops,DC=opmg-eds,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=mphqcops,DC=opmg-eds,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=mphqcops,DC=opmg-eds,DC=local
            (Domain,Version 2)
         ......................... MPHQ-N01-SPT passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... MPHQ-N01-SPT passed test NetLogons
      Starting test: Advertising
         The DC MPHQ-N01-SPT is advertising itself as a DC and having a DS.
         The DC MPHQ-N01-SPT is advertising as an LDAP server
         The DC MPHQ-N01-SPT is advertising as having a writeable directory
         The DC MPHQ-N01-SPT is advertising as a Key Distribution Center
         The DC MPHQ-N01-SPT is advertising as a time server
         The DS MPHQ-N01-SPT is advertising as a GC.
         ......................... MPHQ-N01-SPT passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
         ......................... MPHQ-N01-SPT passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 2103 to 1073741823
         * mphq-n01-spt.mphqcops.opmg-eds.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1103 to 1602
         * rIDPreviousAllocationPool is 1103 to 1602
         * rIDNextRID: 1134
         ......................... MPHQ-N01-SPT passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/mphq-n01-spt.mphqcops.opmg-eds.local/mphqcops.opmg-eds.local
         * SPN found :LDAP/mphq-n01-spt.mphqcops.opmg-eds.local
         * SPN found :LDAP/MPHQ-N01-SPT
         * SPN found :LDAP/mphq-n01-spt.mphqcops.opmg-eds.local/MPHQCOPS
         * SPN found :LDAP/3ddb7f5f-263f-4543-9e4a-b6df4bc82ffe._msdcs.mphqcops.opmg-eds.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/3ddb7f5f-263f-4543-9e4a-b6df4bc82ffe/mphqcops.opmg-eds.local
         * SPN found :HOST/mphq-n01-spt.mphqcops.opmg-eds.local/mphqcops.opmg-eds.local
         * SPN found :HOST/mphq-n01-spt.mphqcops.opmg-eds.local
         * SPN found :HOST/MPHQ-N01-SPT
         * SPN found :HOST/mphq-n01-spt.mphqcops.opmg-eds.local/MPHQCOPS
         * SPN found :GC/mphq-n01-spt.mphqcops.opmg-eds.local/mphqcops.opmg-eds.local
         ......................... MPHQ-N01-SPT passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... MPHQ-N01-SPT passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         MPHQ-N01-SPT is in domain DC=mphqcops,DC=opmg-eds,DC=local
         Checking for CN=MPHQ-N01-SPT,OU=Domain Controllers,DC=mphqcops,DC=opmg-eds,DC=local in domain DC=mphqcops,DC=opmg-eds,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local in domain CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... MPHQ-N01-SPT passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... MPHQ-N01-SPT passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 10/13/2004   18:00:59
            Event String: The File Replication Service is having trouble enabling replication from MPHQ-N02-SPT to MPHQ-N01-SPT for e:\sysvol\domain using the DNS name mphq-n02-spt.mphqcops.opmg-eds.local. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name mphq-n02-spt.mphqcops.opmg-eds.local from this computer. [2] FRS is not running on mphq-n02-spt.mphqcops.opmg-eds.local. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         ......................... MPHQ-N01-SPT failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... MPHQ-N01-SPT passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... MPHQ-N01-SPT passed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)         CN=MPHQ-N01-SPT,OU=Domain Controllers,DC=mphqcops,DC=opmg-eds,DC=local         and backlink on         CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local         are correct.
         The system object reference (frsComputerReferenceBL)         CN=MPHQ-N01-SPT,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mphqcops,DC=opmg-eds,DC=local         and backlink on         CN=MPHQ-N01-SPT,OU=Domain Controllers,DC=mphqcops,DC=opmg-eds,DC=local         are correct.
         The system object reference (serverReferenceBL)         CN=MPHQ-N01-SPT,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mphqcops,DC=opmg-eds,DC=local         and backlink on         CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local         are correct.
         ......................... MPHQ-N01-SPT passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : mphqcops
      Starting test: CrossRefValidation
         ......................... mphqcops passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... mphqcops passed test CheckSDRefDom
   
   Running enterprise tests on : mphqcops.opmg-eds.local
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
         ......................... mphqcops.opmg-eds.local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\mphq-n01-spt.mphqcops.opmg-eds.local
         Locator Flags: 0xe00001fd
         PDC Name: \\mphq-n01-spt.mphqcops.opmg-eds.local
         Locator Flags: 0xe00001fd
         Time Server Name: \\mphq-n01-spt.mphqcops.opmg-eds.local
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\mphq-n01-spt.mphqcops.opmg-eds.local
         Locator Flags: 0xe00001fd
         KDC Name: \\mphq-n01-spt.mphqcops.opmg-eds.local
         Locator Flags: 0xe00001fd
         ......................... mphqcops.opmg-eds.local passed test FsmoCheck


*******************************************************************
2nd DC Results:
mphq-n02-spt
Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine mphq-n02-spt, is a DC.
   * Connecting to directory service on server mphq-n02-spt.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\MPHQ-N02-SPT
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... MPHQ-N02-SPT passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\MPHQ-N02-SPT
      Starting test: Replications
         * Replications Check
         [Replications Check,MPHQ-N02-SPT] A recent replication attempt failed:
            From MPHQ-N01-SPT to MPHQ-N02-SPT
            Naming Context: CN=Schema,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2004-10-14 08:49:03.
            The last success occurred at 2004-10-13 08:47:06.
            27 failures have occurred since the last success.
         [Replications Check,MPHQ-N02-SPT] A recent replication attempt failed:
            From MPHQ-N01-SPT to MPHQ-N02-SPT
            Naming Context: CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2004-10-14 08:49:03.
            The last success occurred at 2004-10-13 08:47:06.
            27 failures have occurred since the last success.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source MPHQ-N01-SPT
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         [Replications Check,MPHQ-N02-SPT] A recent replication attempt failed:
            From MPHQ-N01-SPT to MPHQ-N02-SPT
            Naming Context: DC=mphqcops,DC=opmg-eds,DC=local
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2004-10-14 08:49:03.
            The last success occurred at 2004-10-13 08:47:09.
            45 failures have occurred since the last success.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source MPHQ-N01-SPT
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         MPHQ-N02-SPT:  Current time is 2004-10-14 09:15:51.
            CN=Schema,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
               Last replication recieved from MPHQ-N01-SPT at 2004-10-13 08:47:06.
            CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
               Last replication recieved from MPHQ-N01-SPT at 2004-10-13 08:47:06.
            DC=mphqcops,DC=opmg-eds,DC=local
               Last replication recieved from MPHQ-N01-SPT at 2004-10-13 08:47:09.
         * Replication Site Latency Check
         ......................... MPHQ-N02-SPT passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=mphqcops,DC=opmg-eds,DC=local
            (Domain,Version 2)
         ......................... MPHQ-N02-SPT passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... MPHQ-N02-SPT passed test NetLogons
      Starting test: Advertising
         The DC MPHQ-N02-SPT is advertising itself as a DC and having a DS.
         The DC MPHQ-N02-SPT is advertising as an LDAP server
         The DC MPHQ-N02-SPT is advertising as having a writeable directory
         The DC MPHQ-N02-SPT is advertising as a Key Distribution Center
         The DC MPHQ-N02-SPT is advertising as a time server
         The DS MPHQ-N02-SPT is advertising as a GC.
         ......................... MPHQ-N02-SPT passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=MPHQ-N01-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local
         ......................... MPHQ-N02-SPT passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 2103 to 1073741823
         * mphq-n01-spt.mphqcops.opmg-eds.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1603 to 2102
         * rIDPreviousAllocationPool is 1603 to 2102
         * rIDNextRID: 1607
         ......................... MPHQ-N02-SPT passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/mphq-n02-spt.mphqcops.opmg-eds.local/mphqcops.opmg-eds.local
         * SPN found :LDAP/mphq-n02-spt.mphqcops.opmg-eds.local
         * SPN found :LDAP/MPHQ-N02-SPT
         * SPN found :LDAP/mphq-n02-spt.mphqcops.opmg-eds.local/MPHQCOPS
         * SPN found :LDAP/20519221-4a6f-481b-bcfa-452d8e49e9d6._msdcs.mphqcops.opmg-eds.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/20519221-4a6f-481b-bcfa-452d8e49e9d6/mphqcops.opmg-eds.local
         * SPN found :HOST/mphq-n02-spt.mphqcops.opmg-eds.local/mphqcops.opmg-eds.local
         * SPN found :HOST/mphq-n02-spt.mphqcops.opmg-eds.local
         * SPN found :HOST/MPHQ-N02-SPT
         * SPN found :HOST/mphq-n02-spt.mphqcops.opmg-eds.local/MPHQCOPS
         * SPN found :GC/mphq-n02-spt.mphqcops.opmg-eds.local/mphqcops.opmg-eds.local
         ......................... MPHQ-N02-SPT passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... MPHQ-N02-SPT passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         MPHQ-N02-SPT is in domain DC=mphqcops,DC=opmg-eds,DC=local
         Checking for CN=MPHQ-N02-SPT,OU=Domain Controllers,DC=mphqcops,DC=opmg-eds,DC=local in domain DC=mphqcops,DC=opmg-eds,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=MPHQ-N02-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local in domain CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... MPHQ-N02-SPT passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... MPHQ-N02-SPT passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the         SYSVOL has been shared.  Failing SYSVOL replication problems may cause         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 10/13/2004   16:36:52
            Event String: The File Replication Service is having trouble enabling replication from MPHQ-N01-SPT to MPHQ-N02-SPT for e:\sysvol\domain using the DNS name mphq-n01-spt.mphqcops.opmg-eds.local. FRS will keep retrying.  Following are some of the reasons you would see this warning.   [1] FRS can not correctly resolve the DNS name mphq-n01-spt.mphqcops.opmg-eds.local from this computer.  [2] FRS is not running on mphq-n01-spt.mphqcops.opmg-eds.local.  [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.   This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         ......................... MPHQ-N02-SPT failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... MPHQ-N02-SPT passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... MPHQ-N02-SPT passed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)         CN=MPHQ-N02-SPT,OU=Domain Controllers,DC=mphqcops,DC=opmg-eds,DC=local         and backlink on         CN=MPHQ-N02-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local         are correct.
         The system object reference (frsComputerReferenceBL)         CN=MPHQ-N02-SPT,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mphqcops,DC=opmg-eds,DC=local         and backlink on         CN=MPHQ-N02-SPT,OU=Domain Controllers,DC=mphqcops,DC=opmg-eds,DC=local         are correct.
         The system object reference (serverReferenceBL)         CN=MPHQ-N02-SPT,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mphqcops,DC=opmg-eds,DC=local         and backlink on         CN=NTDS Settings,CN=MPHQ-N02-SPT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mphqcops,DC=opmg-eds,DC=local         are correct.
         ......................... MPHQ-N02-SPT passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : mphqcops
      Starting test: CrossRefValidation
         ......................... mphqcops passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... mphqcops passed test CheckSDRefDom
   
   Running enterprise tests on : mphqcops.opmg-eds.local
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope         provided by the command line arguments provided.
         ......................... mphqcops.opmg-eds.local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\mphq-n02-spt.mphqcops.opmg-eds.local
         Locator Flags: 0xe00001fc
         PDC Name: \\mphq-n01-spt.mphqcops.opmg-eds.local
         Locator Flags: 0xe00001fd
         Time Server Name: \\mphq-n02-spt.mphqcops.opmg-eds.local
         Locator Flags: 0xe00001fc
         Preferred Time Server Name: \\mphq-n02-spt.mphqcops.opmg-eds.local
         Locator Flags: 0xe00001fc
         KDC Name: \\mphq-n02-spt.mphqcops.opmg-eds.local
         Locator Flags: 0xe00001fc
         ......................... mphqcops.opmg-eds.local passed test FsmoCheck
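
A triage helper for dcdiag output like the run above, added here as an example and not part of the original post. It lists each test's verdict, the tests that were omitted (checks that never ran), and the Event Viewer ID behind a failure; the names `triage`, `failures` and `SAMPLE` are hypothetical, and the sample is a constructed excerpt.

```python
import re

# Constructed excerpt modelled on the dcdiag /v output in this thread.
SAMPLE = """\
      Starting test: Services
         ......................... MPHQ-N02-SPT passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: frsevent
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 10/13/2004   16:36:52
            Event String: FRS can not correctly resolve the DNS name
         ......................... MPHQ-N02-SPT failed test frsevent
      Starting test: kccevent
         ......................... MPHQ-N02-SPT passed test kccevent
"""

START = re.compile(r"^\s*Starting test: (\S+)")
VERDICT = re.compile(r"^\s*\.{5,}\s+(\S+) (passed|failed) test (\S+)\s*$")
OMITTED = re.compile(r"^\s*Test omitted by user request: (\S+)")
EVENT_ID = re.compile(r"EventID: (0x[0-9A-Fa-f]{8})")


def triage(text):
    """Return (results, omitted, events) parsed from dcdiag output."""
    results, omitted, events, current = {}, [], {}, None
    for line in text.splitlines():
        if m := START.match(line):
            current = m.group(1)
        elif m := VERDICT.match(line):
            results[(m.group(1), m.group(3))] = m.group(2)
            current = None
        elif m := OMITTED.match(line):
            omitted.append(m.group(1))  # a coverage gap, not a pass
        elif current and (m := EVENT_ID.search(line)):
            # The high bits carry severity/facility; the low word is the
            # ID shown in Event Viewer (0x800034C4 -> 13508).
            events.setdefault(current, []).append(int(m.group(1), 16) & 0xFFFF)
    return results, omitted, events


def failures(text):
    """Map each failed test name to the event IDs logged inside it."""
    results, _, events = triage(text)
    return {t: events.get(t, []) for (_, t), v in results.items() if v == "failed"}


if __name__ == "__main__":
    print(failures(SAMPLE))
```
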

Accepted Solution

by: etracsupport earned 500 total points
Your DC that holds the PDC emulator role should be the time server, getting its time from an outside source. The second DC should look to the first DC to sync its clock. Make sure that both have the same time and use net time /setsntp:DC1 on the 2nd DC, and net time /setsntp:OUTSIDE SOURCE on the 1st DC.

In AD Sites and Services, do you have 1 or 2 sites?
In AD Sites and Services, do you have AD connectors linking the 2 DCs?

Author Comment

by:kbmccrory
I have the time services set up as DC1 shown to an outside source and DC2 pointing to DC1.

I have 1 site set up in AD Sites and Services.  There are connectors linking the 2 DCs as well.  These are the default links set up automatically.

Author Comment

by:kbmccrory
I've got this issue resolved.
Completed the following steps:

1. Installed DNS server tied to Active Directory on DC2.
2. Reapplied the security profile to DC1 and rebooted.
   This cleared up the problems of the servers not being able to access DC1. Replication from DC1 to DC2 now works.
3. Reapplied the security profile to DC2 and rebooted.
   Checked replmon for both servers. Replication is now working in both directions.

In addition, I've corrected an SNTP time server problem. No longer getting intermittent w32time errors in the event logs.

Thanks for the help....