Terminal server and Active Directory replication issues

Posted on 2005-03-24
Medium Priority
Last Modified: 2010-04-12
It's been a long and winding road to get where I am now so I'll skip all that and get right to the current status. My client has a pair of W2000 servers. #1 contains SQL 2000, DNS, TS licensing server, DHCP and ADC. #2 contains Exchange 2000, DNS, and ADC. They also have a Terminal Server.
The AD replicas between #1 and #2 are not synchronized. I suspect the rest of the symptoms I'm going to describe are related to this.

1. When logged in as Administrator, if I bring up DNS on #1 and attempt to manage #2 I get an "Access Denied" error. Going from #2 to #1 works OK. From the Terminal server if I bring up Computer Management and try to connect to #2 it says Access Denied. #1 comes up OK.
2. Periodically the log on #2 contains a 13508 FRS error.
3. Exchange System Attendant would not start until I changed it from System account to Administrator.
Exchange then worked except that no one had access to Public folders. Mid afternoon it stopped sending and receiving mail. I restarted the server and now the System Attendant will not start.
4. Every couple of hours the log has a "couldn't contact the global catalog" error.
5. All the logs are filled with 3034 errors.
6. Terminal server was giving a "can't find a licensing server" error. I added the registry value to point to it and that error went away. However, every time a non-2000 client tries to connect it refuses and puts an "unable to issue a Terminal server license" error in the log.

I am going out tomorrow with the idea of demoting #1 and promoting it again to see if it will replicate. I am offering 500 points for urgency and difficulty. My questions are:
Is it reasonable to think that all these problems stem from the AD inconsistency?
Is the demote-promote idea to re-establish replication also reasonable?
Is there any other problem that these symptoms would point to?
Is there a way to tell Exchange to use the other DC as a global catalog?
Question by:scarpenter104

Expert Comment

by:Nirmal Sharma
ID: 13628339
What is your exact problem? Please explain in short.

Thank You.

Expert Comment

ID: 13629705
Hi scarpenter104,

Sounds like your AD replication has taken a beating and the DC's are out of sync, this may help:
Error Message "Target Principal Name is Incorrect" When Manually Replicating Data Between Domain Controllers

Demoting one of the DCs (the one without the FSMO roles) would help out. Let AD settle down (i.e. no event log errors appearing) for a day, then promote the server again and check replication is working correctly. Exchange doesn't like being on the same server as a DC, but it will still work okay.

Exchange by default queries AD to find the GC servers, but if you want to manually repoint them then open ESM and find the server. Right click on it and in the properties tabs you'll see the option for GCs used. Pick the one you want.


Author Comment

ID: 13641039
Unfortunately I was already at the customer site working when these messages came in so I was unable to respond to them. For future readers' information though, this is how the problem was solved:

After copying both AD drives to backup drives so I could experiment wildly without fear, I checked to make sure #2 was specified as a Global Catalog and it was. Even so I was seeing "unable to locate global catalog" errors in the log so I shut down both servers, booted #2 into DSREPAIR mode, ran NTDSUTIL and began running checks on the domain controller. Initial checks passed but eventually a test revealed an RPC Endpoint Mapper error. Since NTDSUTIL has no means to diagnose this further, I rebooted and ran DCDIAG.
Initial DCDIAG results showed a multitude of errors, the most significant being the fact that SYSVOL was no longer being shared.
Followed Microsoft guidelines (Q315457) on rebuilding the SYSVOL tree and got the SYSVOL mounted and the DC online.
According to DCDIAG, "Builtin/Administrators did not have the "Access this computer from network" right." It appeared that AD was replicating, but the SYSVOLs were still not consistent.
Attempted to open the Domain Policy editor and it said that Administrator does not have the right to do so. It appeared at this point that we were stuck in a catch 22: The Administrator is missing a right but is also missing the right to give himself that right. Determined that this must be a result of errant policy settings and after determining that those policies are contained in the SYSVOL volume, decided to go back to the procedure for rebuilding the SYSVOL tree and rebuild a SYSVOL with no default policies. While setting up for this, created a new folder in SYSVOL which triggered a replication between the two SYSVOL volumes and surprisingly corrected the problem. Rights are restored and replication is now happening.
As suspected, as soon as AD started replicating properly, Exchange started up properly on normal accounts, the Terminal Server began issuing licenses, access problems went away, the clouds broke, the birds sang, and life is good.
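The checks the author ran by hand above (is the DC a GC, is SYSVOL shared, are there FRS 13508 events, is inbound replication healthy, does BUILTIN\Administrators still hold "Access this computer from the network") can be scripted as a single triage pass. This is an added example, not code from the thread; it assumes a current Windows Server DC with RSAT's ActiveDirectory module, and the 'File Replication Service' log only exists while SYSVOL is still on FRS rather than DFSR.

```powershell
# Added example: replication / SYSVOL health triage for one domain controller.
# Run on the suspect DC as a domain admin. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$dc = $env:COMPUTERNAME
$findings = @()

# 1. SYSVOL and NETLOGON must be shared; DCDIAG flagged a missing SYSVOL share above.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    if (-not (net share | Select-String -Pattern "^\s*$share\s")) {
        $findings += "$share is not shared on $dc"
    }
}

# 2. Exchange needs a reachable Global Catalog; confirm this DC carries the GC flag.
$dcInfo = Get-ADDomainController -Identity $dc
if (-not $dcInfo.IsGlobalCatalog) { $findings += "$dc is not a Global Catalog" }

# 3. FRS 13508 = replication partner unreachable (FRS-based SYSVOL only).
$frs = Get-WinEvent -FilterHashtable @{
    LogName = 'File Replication Service'; Id = 13508; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
if ($frs) { $findings += "FRS 13508 seen $($frs.Count) time(s) in the last 24h" }

# 4. Inbound AD replication per partner; repadmin ships with the DC role.
$repl = repadmin /showrepl $dc /csv | ConvertFrom-Csv
foreach ($f in ($repl | Where-Object { $_.'Number of Failures' -ne '0' })) {
    $findings += "Replication from $($f.'Source DSA') failing for $($f.'Naming Context'): $($f.'Last Failure Status')"
}

# 5. SeNetworkLogonRight is the right DCDIAG reported missing for BUILTIN\Administrators
#    (well-known SID S-1-5-32-544). secedit exports the effective local policy.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeNetworkLogonRight' | Select-Object -First 1
if ($line -and $line.Line -notmatch 'S-1-5-32-544') {
    $findings += 'BUILTIN\Administrators is missing "Access this computer from the network"'
}
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No replication/SYSVOL findings on $dc" }
```

Any finding in step 5 explains the catch-22 the author hit: once the policy in SYSVOL strips that right, Administrator cannot open the policy editor to put it back, so repairing SYSVOL replication comes first.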

Accepted Solution

OzzMod earned 0 total points
ID: 13686765
Closed, 500 points refunded.
Community Support Moderator (Graveyard shift)
