NTDS KCC errors

I keep getting the following errors on my Domain Controllers. One is 2003 and is the PDC; the second DC is an ISA 2004 server on Windows 2000. Please help. Replication is not working correctly.

Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1925
Date:            4/25/2006
Time:            2:08:13 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      *****
Description:
The attempt to establish a replication link for the following writable directory partition failed.
 
Directory partition:
CN=Configuration,DC=(domain),DC=com
Source domain controller:
CN=NTDS Settings,CN=******,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=(domain),DC=com
Source domain controller address:
a11af467-bfc0-4064-a2ac-1f00be58d732._msdcs.(domain).com
Intersite transport (if any):
 
 
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  
 
User Action
Verify if the source domain controller is accessible or network connectivity is available.
 
Additional Data
Error value:
1722 The RPC server is unavailable.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13508
Date:            4/24/2006
Time:            3:18:22 PM
User:            N/A
Computer: *****
Description:
The File Replication Service is having trouble enabling replication from SR**** to SR*** for c:\windows\sysvol\domain using the DNS name sr****.(domain).com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name sr****.(domain).com from this computer.
 [2] FRS is not running on srvisa.wealthmgmt.com.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ba 06 00 00               º...    

Jennifer1024Asked:
 
S3quenceCommented:
Looking at the original error this looks like a DNS problem...

Can you resolve each server name from the other?

Can you access \\ServerA\SysVol?

The information that DooleyDog posted for FRS troubleshooting: once you have amended the reg key you need to amend it back (takes about 30 mins from first editing it to take effect - you should get confirmation in the event viewer on the server to indicate that it has worked (or not))


These Microsoft Links may also be of help....
http://technet2.microsoft.com/WindowsServer/en/Library/5586ecc0-924b-4f08-800b-9fd6eef056191033.mspx
http://technet2.microsoft.com/WindowsServer/en/Library/4f504103-1a16-41e1-853a-c68b77bf3f7e1033.mspx

Hope this helps you resolve your error

S3quence
0
 
carl_legereCommented:
also when did this start?
when did you get ISA04?
Perhaps there is a security limitation enabled on the ISA04 system that is prohibiting it from talking domain chatter.
0
 
Jennifer1024Author Commented:
It started just before I put the ISA server on according to the dates in event vwr. Is there a way to force ISA server to allow domain chatter? I am new to administering ISA.

Thank you in advance for any help you can give me.

Jennifer
0
 
dooleydogCommented:
ISA should not affect FRS.

try this to fix a Journal Wrap Error and several other misc. replication errors.
a.      Open Regedit
b.      Goto HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTFRS\Parameters, click on the value “Enable Journal Wrap Automatic Restore”
i.      If value does not exist, create a new DWORD value.
c.      Set value to 1
d.      Stop and restart File Replication Service in computer_management|services
e.      Check File Replication Service in event viewer and wait for journal wrap error to be fixed.
 -  After this, go to a command prompt and type "net share" (no quotes) and when you see that the sysvol has been shared, it is fixed. ONLY after this, do step F: reset registry value...
f.      Reset registry value of “Enable Journal Wrap Automatic Restore” to 0.

Good luck,
0
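The steps in the post above as one script. This is an added example, not code from the thread; it assumes Windows PowerShell 2.0 or later run elevated on the affected DC, and the 60-minute wait limit is an arbitrary choice.

```powershell
# Added example: scripted form of steps a-f from the post above.
# Uses Get-WmiObject, so it targets Windows PowerShell (2.0 to 5.1).
$key  = 'HKLM:\System\CurrentControlSet\Services\NTFRS\Parameters'
$name = 'Enable Journal Wrap Automatic Restore'
$maxWaitMinutes = 60   # assumption: how long to wait for SYSVOL to come back

# Steps a-c: create the DWORD if it is missing (or overwrite it) with value 1.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Step d: restart the File Replication Service (service name NtFrs).
Restart-Service -Name NtFrs

# Step e: poll the share list, the same information "net share" prints.
# Sleep before each check so FRS has time to start its restore first.
$deadline = (Get-Date).AddMinutes($maxWaitMinutes)
$shared = $false
do {
    Start-Sleep -Seconds 60
    $share  = Get-WmiObject -Class Win32_Share -Filter "Name='SYSVOL'"
    $shared = ($share -ne $null)
} while (-not $shared -and (Get-Date) -lt $deadline)

if ($shared) {
    # Step f: only once SYSVOL is shared again, put the value back to 0.
    Set-ItemProperty -Path $key -Name $name -Value 0
    Write-Output "SYSVOL is shared at $($share.Path); registry value reset to 0."
} else {
    # The value is deliberately left at 1 here, because the post says to
    # reset it only after the share is back.
    Write-Warning ("SYSVOL not shared after $maxWaitMinutes minutes. " +
        "'$name' is still 1; check the File Replication Service event log " +
        "and set it to 0 by hand once the share returns.")
}
```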
 
Jennifer1024Author Commented:
No luck on this one. I did all that you said. How do I tell if sysvol has been shared? Still getting the same NtFrs error on both my DC servers. Both are running DNS, one is a Windows 2000 with the backup DNS and the other is Windows 2003 running DNS and DHCP.

On 2003
**********
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date 4/26/2006
Time 2:19:44 PM
User: N/A
Computer: SRV2003
Description:
The File REplication Service is having trouble enabling replication from {SRV2000} to {SRV2003} for c:\windows\sysvol\domain using the DNS name srv2000.{domain}.com. FRS will keep retrying. Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name {srv2000}.{domain}.com from this computer.
[2] FRS is not running on {srv2000}.{domain}.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

Data:
0000:ba 06 00 00

**************
srv2000
**************
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date 4/26/2006
Time 2:20:09 PM
User: N/A
Computer: SRV2000
Description:
The File REplication Service is having trouble enabling replication from {SRV2003} to {SRV2000} for c:\winnt\sysvol\domain using the DNS name srv2003.{domain}.com. FRS will keep retrying. Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name {srv2003}.{domain}.com from this computer.
[2] FRS is not running on {srv2003}.{domain}.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

Data:
0000: 00 00 00 00

I also have NTDS Replication errors showing up on both which I am sure are related and they are as follows.

**************
srv2003
**************
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1864
Date: 4/26/2006
Time: 1:15:24 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: {srv2003}
Description:
This is the replication status for the following directory partition on the local domain controller

Directory Partition:
CN=Schema,CN=Configuration,DC={domain},DC=Com

The local domain controller has not recently received replication from a number of domain controllers. The count of domain controllers is show, divided into the following intervals.

More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
60


***********************
srv2000
***********************
Event Type: Warning
Event Source: NTDS Replication
Event Category: (5)
Event ID: 1586
Date: 4/26/2006
Time: 11:47:28 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: {srv2000}
Description:
The checkpoint with the PDC was unsuccessful. THe checkpointing process will be retried again in four hours. A full synchronization of the security database to downlevel domain controllers may take place if this machine is promoted to be the PDC before the next successful checkpoint. THe error returned was: The naming context is in the process of being removed or is not replicated from the specified server.

Lastly I receive an error in DNS on my PDC srv2003

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4004
Date: 4/22/20006
Time: 12:04:21 PM
User: N/A
Computer: {srv2003}
Description:
The DNS server was unable to complete directory service enumeration of zone {domain}.com. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.
Data:
0000:2a 23 00 00

Any help would be much appreciated.

Thanks
0
 
lavazzzaCommented:
just maybe a kerberos problem, try this.

netdom resetpwd /server:replication_partner_server_name /userd:domain_name\admin_user /passwordd:*

on each of the 2 machines having replication issues it may require a reboot for it to take effect.
0
 
Jennifer1024Author Commented:
lavazzza
In this cmd line syntax just to be sure. /server= the server that I am on, :replication_partner_server_name= the server it is replicating to, /userd:= a command, domain_name=the domain I am on, admin_user=administrative user name /passwordd:=domain administrative password?

Thanks in advance
0
 
Jennifer1024Author Commented:
lavazzza i ran this command on both servers. However for my windows 2000 server it would not let me enter the full domain.com only the domain without the .com. Could this be an issue?
Thank you,
0
 
lavazzzaCommented:
not a problem, server 2000 netdom command was just looking for the netbios name of the domain.  As for the command let's say you have contoso.com domain with server1 and server2, while logged on to server1 you run the command this way:
netdom resetpwd /server:server2 /userd:contoso\administrator /passwordd:*
when you hit enter it will prompt you for the password, type in the administrator password.
from server2
netdom resetpwd /server:server1 /userd:contoso\administrator /passwordd:*
and once again enter the password at the prompt

once it is done on both machines, they may require reboots.  some people suggest that you shut down the kerberos key distribution service before running the command, but I have done it many times without it.
0
 
Jennifer1024Author Commented:
Thank you lavazza. I will try that tonight and restart the servers. You have been a great help. I will post tomorrow if it has helped my errors at all.
0
 
Jennifer1024Author Commented:
This has not helped yet. I am still getting the following error.
Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1925
Date:            5/1/2006
Time:            10:11:13 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SRV2K
Description:
The attempt to establish a replication link for the following writable directory partition failed.
 
Directory partition:
CN=Configuration,DC=DOMAIN,DC=com
Source domain controller:
CN=NTDS Settings,CN=SRV2000,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=com
Source domain controller address:
a11af467-bfc0-4064-a2ac-1f00be58d732._msdcs.DOMAIN.com
Intersite transport (if any):
 
 
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  
 
User Action
Verify if the source domain controller is accessible or network connectivity is available.
 
Additional Data
Error value:
1722 The RPC server is unavailable.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The domain controller address that is listed is the address that shows up in sites and services on both domain controllers for srv2000. RPC service is started on both domain controllers as well and still the error. When I try to force replication I get an error that the RPC service is not working when going from SRV2003 to serv2000 and when I try to force the other way around srv2000 to srv2003 I get "The following error occurred during the attempt to synchronize naming context domain.com from domain controller srv2000 to domain controller srv2003. The naming context is in the process of being removed or is not replicated from the specified server.  This operation will not continue."

Any help on this???
0
 
S3quenceCommented:
Microsoft Article http://technet2.microsoft.com/WindowsServer/en/Library/5586ecc0-924b-4f08-800b-9fd6eef056191033.mspx
shows that this is a DNS Error. Try creating a new DNS zone on one of the servers and add that server as the DNS server for Server2000 and 2003
0
 
S3quenceCommented:
Also you could try demoting DC2000 and repromoting it??
0
 
Jennifer1024Author Commented:
S3quence,

Yes I can access both sysvol shares. For example:

On srv2003 I type \\srv2000\sysvol
I get an explorer window that opens with 4 folders in it that are called exactly as follows:
domain
staging
staging areas
sysvol

On srv2000 I type \\srv2003\sysvol
I get an explorer window that opens with a folder in it called {domain.com} where domain is the domain I am working on.

Thanks
0
 
S3quenceCommented:
Try demoting DC2000 and repromoting it
0
 
Jennifer1024Author Commented:
My worry about doing that is that it runs an ISA server 2004 and terminal services. What issues can I expect by demoting this server?
0
 
S3quenceCommented:
Should be fine as long as it doesn't hold one of the FSMO roles and there is a copy of AD on the 2003 Server then should be fine
0
 
Jennifer1024Author Commented:
There is a copy of AD on 2003 server and the 03 server holds all the FSMO roles. Any clue if I will need to reinstall terminal services due to the demotion?
0
 
S3quenceCommented:
no shouldn't need to as it would only affect the clients if they couldn't resolve the server's DNS name. There is nothing in AD that links to terminal services

All you are doing is removing AD (the NTDS.DIT file) on the Server and recreating it
0
 
Jennifer1024Author Commented:
another question S3quence. Is there anything I have to do after demoting the secondary domain controller to clean up active directory or will demoting it do that for me?
0
 
S3quenceCommented:
Demoting will do that for you and make it a standard member server. Promoting it will recreate this information
0
 
Jennifer1024Author Commented:
Thank you very much S3quence. I will try that this weekend.
0
 
Jennifer1024Author Commented:
Issue has been resolved. I could not demote the troublesome server however I found out that the RPC server was not published in the ISA server 2004 configuration. Once I did this and restarted both the domain controllers the issue resolved itself and started to replicate. I am receiving a few minor errors since then but nothing major. Thank you for all your help.
0
Question has a verified solution.
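A check that separates the DNS explanation suggested early in the thread from the blocked-RPC cause it ended with. This is an added example, not code from the thread; it assumes Windows PowerShell 2.0 or later run on one DC against its partner, and both names below are placeholders to replace with the values from your own event 1925.

```powershell
# Placeholders (constructed): substitute the partner FQDN and the
# "Source domain controller address" from your own event 1925.
$partner  = 'srv2000.example.com'
$guidName = '00000000-0000-0000-0000-000000000000._msdcs.example.com'

function Test-DnsName([string]$Name) {
    # True if the name resolves to at least one address.
    try { return @([System.Net.Dns]::GetHostAddresses($Name)).Count -gt 0 }
    catch { return $false }
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # True if a TCP connection completes within the timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

$result = New-Object PSObject -Property @{
    GuidNameResolves = Test-DnsName $guidName          # name the KCC uses
    PartnerResolves  = Test-DnsName $partner
    Rpc135Reachable  = Test-TcpPort $partner 135       # RPC endpoint mapper
    SysvolReachable  = Test-Path "\\$partner\SYSVOL"   # file sharing path
}
$result | Format-List

if (-not ($result.GuidNameResolves -and $result.PartnerResolves)) {
    Write-Warning 'Name resolution fails: look at DNS before anything else.'
}
elseif (-not $result.Rpc135Reachable) {
    # The pattern in this thread: names resolve and SYSVOL opens, but
    # error 1722 persists because a firewall on the path drops RPC.
    Write-Warning 'DNS is fine but TCP 135 is blocked: check firewall or ISA rules for RPC.'
}
else {
    # Port 135 is only the endpoint mapper; replication then moves to a
    # dynamically assigned port, which a firewall can still block.
    Write-Output 'DNS and TCP 135 are fine; check that the dynamic RPC ports are allowed.'
}
```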
