Solved

NTDS KCC errors

Posted on 2006-04-25
Last Modified: 2012-05-05
I keep getting the following errors on my Domain Controllers. One is 2003 and is the PDC; the second DC is an ISA 2004 server on Windows 2000. Please help. Replication is not working correctly.

Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1925
Date:            4/25/2006
Time:            2:08:13 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      *****
Description:
The attempt to establish a replication link for the following writable directory partition failed.
 
Directory partition:
CN=Configuration,DC=(domain),DC=com
Source domain controller:
CN=NTDS Settings,CN=******,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=(domain),DC=com
Source domain controller address:
a11af467-bfc0-4064-a2ac-1f00be58d732._msdcs.(domain).com
Intersite transport (if any):
 
 
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  
 
User Action
Verify if the source domain controller is accessible or network connectivity is available.
 
Additional Data
Error value:
1722 The RPC server is unavailable.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13508
Date:            4/24/2006
Time:            3:18:22 PM
User:            N/A
Computer: *****
Description:
The File Replication Service is having trouble enabling replication from SR**** to SR*** for c:\windows\sysvol\domain using the DNS name sr****.(domain).com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name sr****.(domain).com from this computer.
 [2] FRS is not running on srvisa.wealthmgmt.com.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ba 06 00 00               º...    

Question by:Jennifer1024
23 Comments
 
LVL 18

Expert Comment

by:carl_legere
ID: 16539399
Also, when did this start?
When did you get ISA04?
Perhaps there is a security limitation enabled on the ISA04 system that is prohibiting it from talking domain chatter.
0
 

Author Comment

by:Jennifer1024
ID: 16543703
It started just before I put the ISA server on according to the dates in event vwr. Is there a way to force ISA server to allow domain chatter? I am new to administering ISA.

Thank you in advance for any help you can give me.

Jennifer
0
 
LVL 9

Expert Comment

by:dooleydog
ID: 16544281
ISA should not affect FRS.

Try this to fix a Journal Wrap Error and several other misc. replication errors.
a.      Open Regedit
b.      Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTFRS\Parameters, click on the value “Enable Journal Wrap Automatic Restore”
i.      If value does not exist, create a new DWORD value.
c.      Set value to 1
d.      Stop and restart File Replication Service in computer_management|services
e.      Check File Replication Service in event viewer and wait for journal wrap error to be fixed.
 -  After this, go to a command prompt and type "net share" (no quotes) and when you see that the sysvol has been shared, it is fixed. ONLY after this, do step F: reset registry value...
f.      Reset registry value of “Enable Journal Wrap Automatic Restore” to 0.

Good luck,
0

 

Author Comment

by:Jennifer1024
ID: 16547485
No luck on this one. I did all that you said. How do I tell if sysvol has been shared? Still getting the same NtFrs error on both my DC servers. Both are running DNS; one is a Windows 2000 with the backup DNS and the other is Windows 2003 running DNS and DHCP.

On 2003
**********
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date 4/26/2006
Time 2:19:44 PM
User: N/A
Computer: SRV2003
Description:
The File Replication Service is having trouble enabling replication from {SRV2000} to {SRV2003} for c:\windows\sysvol\domain using the DNS name srv2000.{domain}.com. FRS will keep retrying. Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name {srv2000}.{domain}.com from this computer.
[2] FRS is not running on {srv2000}.{domain}.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

Data:
0000:ba 06 00 00

**************
srv2000
**************
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date 4/26/2006
Time 2:20:09 PM
User: N/A
Computer: SRV2000
Description:
The File Replication Service is having trouble enabling replication from {SRV2003} to {SRV2000} for c:\winnt\sysvol\domain using the DNS name srv2003.{domain}.com. FRS will keep retrying. Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name {srv2003}.{domain}.com from this computer.
[2] FRS is not running on {srv2003}.{domain}.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

Data:
0000: 00 00 00 00

I also have NTDS Replication errors showing up on both which I am sure are related and they are as follows.

**************
srv2003
**************
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1864
Date: 4/26/2006
Time: 1:15:24 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: {srv2003}
Description:
This is the replication status for the following directory partition on the local domain controller

Directory Partition:
CN=Schema,CN=Configuration,DC={domain},DC=Com

The local domain controller has not recently received replication from a number of domain controllers. The count of domain controllers is shown, divided into the following intervals.

More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
60


***********************
srv2000
***********************
Event Type: Warning
Event Source: NTDS Replication
Event Category: (5)
Event ID: 1586
Date: 4/26/2006
Time: 11:47:28 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: {srv2000}
Description:
The checkpoint with the PDC was unsuccessful. The checkpointing process will be retried again in four hours. A full synchronization of the security database to downlevel domain controllers may take place if this machine is promoted to be the PDC before the next successful checkpoint. The error returned was: The naming context is in the process of being removed or is not replicated from the specified server.

Lastly I receive an error in DNS on my PDC srv2003

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4004
Date: 4/22/20006
Time: 12:04:21 PM
User: N/A
Computer: {srv2003}
Description:
The DNS server was unable to complete directory service enumeration of zone {domain}.com. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.
Data:
0000:2a 23 00 00

Any help would be much appreciated.

Thanks
0
 
LVL 2

Assisted Solution

by:lavazzza
lavazzza earned 600 total points
ID: 16549404
Just maybe a Kerberos problem, try this.

netdom resetpwd /server:replication_partner_server_name /userd:domain_name\admin_user /passwordd:*

on each of the 2 machines having replication issues; it may require a reboot for it to take effect.
0
 

Author Comment

by:Jennifer1024
ID: 16552378
lavazzza
in this cmd line syntax just to be sure. /server= the server that I am on, :replication_partner_server_name= the server it is replicating to, /userd:= a command, domain_name=the domain I am on, admin_user=administrative user name /passwordd:=domain administrative password?

Thanks in advance
0
 

Author Comment

by:Jennifer1024
ID: 16554444
lavazzza, I ran this command on both servers. However, for my Windows 2000 server it would not let me enter the full domain.com, only the domain without the .com. Could this be an issue?
Thank you,
0
 
LVL 2

Expert Comment

by:lavazzza
ID: 16558872
Not a problem, the Server 2000 netdom command was just looking for the NetBIOS name of the domain. As for the command, let's say you have the contoso.com domain with server1 and server2. While logged on to server1 you run the command this way:
netdom resetpwd /server:server2 /userd:contoso\administrator /passwordd:*
When you hit enter it will prompt you for the password; type in the administrator password.
From server2:
netdom resetpwd /server:server1 /userd:contoso\administrator /passwordd:*
and once again enter the password at the prompt.

Once it is done on both machines, they may require reboots. Some people suggest that you shut down the Kerberos Key Distribution service before running the command, but I have done it many times without it.
0
 

Author Comment

by:Jennifer1024
ID: 16561959
Thank you lavazzza. I will try that tonight and restart the servers. You have been a great help. I will post tomorrow if it has helped my errors at all.
0
 
LVL 4

Accepted Solution

by:
S3quence earned 900 total points
ID: 16574069
Looking at the original error this looks like a DNS problem...

Can you resolve each server name from the other?

Can you access \\ServerA\SysVol?

The information that DooleyDog posted for FRS troubleshooting: once you have amended the reg key you need to amend it back (it takes about 30 mins from first editing it to take effect - you should get confirmation in the event viewer on the server to indicate that it has worked (or not)).


These Microsoft Links may also be of help....
http://technet2.microsoft.com/WindowsServer/en/Library/5586ecc0-924b-4f08-800b-9fd6eef056191033.mspx
http://technet2.microsoft.com/WindowsServer/en/Library/4f504103-1a16-41e1-853a-c68b77bf3f7e1033.mspx

Hope this helps you resolve your error

S3quence
0
 

Author Comment

by:Jennifer1024
ID: 16577909
This has not helped yet. I am still getting the following error.
Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1925
Date:            5/1/2006
Time:            10:11:13 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SRV2K
Description:
The attempt to establish a replication link for the following writable directory partition failed.
 
Directory partition:
CN=Configuration,DC=DOMAIN,DC=com
Source domain controller:
CN=NTDS Settings,CN=SRV2000,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=com
Source domain controller address:
a11af467-bfc0-4064-a2ac-1f00be58d732._msdcs.DOMAIN.com
Intersite transport (if any):
 
 
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  
 
User Action
Verify if the source domain controller is accessible or network connectivity is available.
 
Additional Data
Error value:
1722 The RPC server is unavailable.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The domain controller address that is listed is the address that shows up in Sites and Services on both domain controllers for srv2000. The RPC service is started on both domain controllers as well, and still the error. When I try to force replication I get an error that the RPC service is not working when going from SRV2003 to serv2000, and when I try to force the other way around, srv2000 to srv2003, I get "The following error occurred during the attempt to synchronize naming context domain.com from domain controller srv2000 to domain controller srv2003. The naming context is in the process of being removed or is not replicated from the specified server.  This operation will not continue."

Any help on this???
0
 
LVL 4

Expert Comment

by:S3quence
ID: 16578120
Microsoft Article http://technet2.microsoft.com/WindowsServer/en/Library/5586ecc0-924b-4f08-800b-9fd6eef056191033.mspx
shows that this is a DNS error. Try creating a new DNS zone on one of the servers and add that server as the DNS server for Server2000 and 2003.
0
 
LVL 4

Expert Comment

by:S3quence
ID: 16578134
Also you could try demoting DC2000 and repromoting it??
0
 

Author Comment

by:Jennifer1024
ID: 16578158
S3quence,

Yes I can access both sysvol shares. For example:

On srv2003 I type \\srv2000\sysvol
I get an explorer window that opens with 4 folders in it that are called exactly as follows:
domain
staging
staging areas
sysvol

On srv2000 I type \\srv2003\sysvol
I get an explorer window that opens with a folder in it called {domain.com} where domain is the domain I am working on.

Thanks
0
 
LVL 4

Expert Comment

by:S3quence
ID: 16578280
Try demoting DC2000 and repromoting it
0
 

Author Comment

by:Jennifer1024
ID: 16578655
My worry about doing that is that it runs an ISA server 2004 and terminal services. What issues can I expect by demoting this server?
0
 
LVL 4

Expert Comment

by:S3quence
ID: 16578754
Should be fine as long as it doesn't hold one of the FSMO roles and there is a copy of AD on the 2003 Server, then should be fine.
0
 

Author Comment

by:Jennifer1024
ID: 16578892
There is a copy of AD on the 2003 server and the 03 server holds all the FSMO roles. Any clue if I will need to reinstall terminal services due to the demotion?
0
 
LVL 4

Expert Comment

by:S3quence
ID: 16578916
No, shouldn't need to, as it would only affect the clients if they couldn't resolve the server's DNS name. There is nothing in AD that links to terminal services.

All you are doing is removing AD (the NTDS.DIT file) on the server and recreating it.
0
 

Author Comment

by:Jennifer1024
ID: 16578996
Another question, S3quence. Is there anything I have to do after demoting the secondary domain controller to clean up Active Directory, or will demoting it do that for me?
0
 
LVL 4

Expert Comment

by:S3quence
ID: 16579013
Demoting will do that for you and make it a standard member server. Promoting it will recreate this information
0
 

Author Comment

by:Jennifer1024
ID: 16579254
Thank you very much S3quence. I will try that this weekend.
0
 

Author Comment

by:Jennifer1024
ID: 16630783
Issue has been resolved. I could not demote the troublesome server; however, I found out that the RPC server was not published in the ISA Server 2004 configuration. Once I did this and restarted both the domain controllers the issue resolved itself and started to replicate. I am receiving a few minor errors since then but nothing major. Thank you for all your help.
0
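
The two causes this thread converged on, the GUID-based DNS name from event 1925 and RPC being filtered by the firewall on the partner, can be tested directly from one domain controller toward the other. The following is an added example, not part of any poster's reply: it assumes a host with the `Resolve-DnsName` and `Test-NetConnection` cmdlets (Windows 8.1 / Server 2012 R2 or later), and the function name and host names are hypothetical placeholders.

```powershell
# Added example (not from the thread). Checks the DNS and firewall
# prerequisites behind event 1925 / error 1722 toward one replication partner.
function Test-ReplicationPath {
    param(
        [Parameter(Mandatory)] [string] $Partner,      # partner DC FQDN (placeholder)
        [Parameter(Mandatory)] [string] $DsaGuidName   # "<guid>._msdcs.<forest>" name copied from event 1925
    )

    $result = [ordered]@{ Partner = $Partner }

    # 1. The KCC locates its partner through the GUID-based CNAME in _msdcs,
    #    so resolving the plain host name alone does not prove DNS is healthy.
    try {
        $cname = Resolve-DnsName -Name $DsaGuidName -Type CNAME -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' } |
                 Select-Object -First 1
        $result['DSA GUID CNAME'] = if ($cname) { $cname.NameHost } else { 'NO CNAME RECORD' }
    }
    catch {
        $result['DSA GUID CNAME'] = "DNS FAILURE: $($_.Exception.Message)"
    }

    # 2. Fixed TCP ports a domain controller must accept from its partner.
    #    A firewall on the partner that does not allow RPC shows up here as 135 failing.
    $ports = [ordered]@{
        'DNS'                 = 53
        'Kerberos'            = 88
        'RPC endpoint mapper' = 135
        'LDAP'                = 389
        'SMB (SYSVOL)'        = 445
    }
    foreach ($p in $ports.GetEnumerator()) {
        $open = Test-NetConnection -ComputerName $Partner -Port $p.Value `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        $result["$($p.Key) tcp/$($p.Value)"] = if ($open) { 'reachable' } else { 'BLOCKED or not listening' }
    }

    [pscustomobject]$result
}

# Constructed sample call; both names are placeholders, not values from the thread.
# Test-ReplicationPath -Partner 'dc2.example.com' `
#     -DsaGuidName '00000000-0000-0000-0000-000000000000._msdcs.example.com'
```

A reachable port 135 only shows that the endpoint mapper answers; replication then moves to a dynamically assigned RPC port that the firewall must also allow, so confirm the end result with `repadmin /showrepl` and `dcdiag /test:connectivity`.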
