• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1120
  • Last Modified:

Cannot replicate domain controllers: access denied

I have 5 Windows 2000 Domain Controllers: DC1, DC2, DC3, DC4, DC5.
DC1 and DC2 are located at the same site. DC3, DC4 and DC5 are each located at different locations/sites. The 4 sites are connected by T1. DC1 does not replicate with DC2 or any of the other DCs.

In AD Sites and Services when I try to replicate DC1 with DC2 I get the following error “The following error occurred during the attempt to synchronize the domain controllers: access denied.”

In AD Sites and Services when I try to replicate DC2 with DC1 I get the following error “The following error occurred during the attempt to synchronize the domain controllers: Logon Failure unknown username or bad password.”

I have been trying different things from docs that I have downloaded from MS and other sources, but nothing seems to work.  This has been going on for a couple of months.  According to MS knowledge base the error “Logon Failure unknown username or bad password” occurs when “A Windows 2000-based domain controller cannot replicate the configuration or the schema partitions with replication partners that belong to another domain of the forest”.  

However, my Domain Controllers belong to the same domain, same site, same room, same @*!&ing switch!  

Can someone please help me!  The DC that is not replicating holds the Forest Level FSMO roles (Schema Master and Domain naming master), is the Primary AD Integrated DNS server and it is also the Terminal Server Licensing server.
I have to get this to replicate!!



Asked: mitzoid1
Debsyl99Commented:
Hi
The two month period is worrying - if replication hasn't taken place for more than 60 days then the tombstone lifetime has been exceeded and in that case you're looking at a rebuild - although let's see if anyone offers any other opinions on that. Have you run dcdiag against DC1 yet? If so do that and post the output
Windows 2000 Support Tools: DCDiag.exe Utility Update
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=23870A87-8422-408C-9375-2D9AAF939FA3
 
mitzoid1Author Commented:
This is DCdiag run on DC1:

C:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: SITE1\W2K-DC1
      Starting test: Connectivity
         ......................... W2K-DC1 passed test Connectivity

Doing primary tests

   Testing server: SITE1\W2K-DC1
      Starting test: Replications
         [Replications Check,W2K-DC1] A recent replication attempt failed:
            From W2K-DC2 to W2K-DC1
            Naming Context: CN=Schema,CN=Configuration,DC=chs,DC=local
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-05-19 11:59.37.
            The last success occurred at 2006-03-15 17:45.24.
            1567 failures have occurred since the last success.
         [W2K-DC2] DsBind() failed with error -2146893022,
         The target principal name is incorrect..
         [Replications Check,W2K-DC1] A recent replication attempt failed:
            From W2K-DC2 to W2K-DC1
            Naming Context: CN=Configuration,DC=chs,DC=local
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-05-19 11:59.37.
            The last success occurred at 2006-03-15 18:08.28.
            1574 failures have occurred since the last success.
         [Replications Check,W2K-DC1] A recent replication attempt failed:
            From W2K-DC2 to W2K-DC1
            Naming Context: DC=chs,DC=local
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-05-19 11:59.37.
            The last success occurred at 2006-03-15 18:22.06.
            1972 failures have occurred since the last success.
         ......................... W2K-DC1 passed test Replications
      Starting test: NCSecDesc
         ......................... W2K-DC1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... W2K-DC1 passed test NetLogons
      Starting test: Advertising
         ......................... W2K-DC1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: W2K-DC2 is the PDC Owner, but is not responding to DS RPC Bind.
         [W2K-DC2] LDAP bind failed with error 31,
         A device attached to the system is not functioning..
         Warning: W2K-DC2 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: W2K-DC2 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: W2K-DC2 is the Rid Owner, but is not responding to LDAP Bind.
         ......................... W2K-DC1 failed test KnowsOfRoleHolders
      Starting test: RidManager
         [W2K-DC1] DsBindWithCred() failed with error -2146893022. The target principal name is incorrect.
         ......................... W2K-DC1 failed test RidManager
      Starting test: MachineAccount
         ......................... W2K-DC1 passed test MachineAccount
      Starting test: Services
         ......................... W2K-DC1 passed test Services
      Starting test: ObjectsReplicated
         ......................... W2K-DC1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... W2K-DC1 passed test frssysvol
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 05/19/2006   12:20:37
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 05/19/2006   12:20:37
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 05/19/2006   12:20:37
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 05/19/2006   12:20:37
            (Event String could not be retrieved)
         ......................... W2K-DC1 failed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40011006
            Time Generated: 05/19/2006   12:00:11
            Event String: The connection was aborted by the remote WINS.
         An Error Event occured.  EventID: 0x40011006
            Time Generated: 05/19/2006   12:30:11
            Event String: The connection was aborted by the remote WINS.
         ......................... W2K-DC1 failed test systemlog

   Running enterprise tests on : chs.local
      Starting test: Intersite
         ......................... MyDomain.local passed test Intersite
      Starting test: FsmoCheck
         ......................... MyDomain.local passed test FsmoCheck

C:\>
 
Debsyl99Commented:
Oh dear - it's really not a happy bunny. This is what worries me deeply
"The last success occurred at 2006-03-15 18:22.06"

Which is easily more than 60 days ago - I think you've got a big job in front of you - you're going to need to take this server down - clean up ad and repromote it into the domain. Most importantly though - what happened to this dc after 2006-03-15 18:22.06 - and is there any reason why this problem has been left so long?
Here's what I suggest:

Read the articles below and formulate a plan for how you're going to manage this and what needs to be taken account of. Here are some thoughts from me - Take a note of any user/computer accounts in ad, security groups etc - if you can get into ad users and computers on this server. Any changes won't have replicated over to your other dc's and you'll lose them so you'll need to add them back in. Also where are users at this site logging on and authenticating to? Logon to a workstation and type "set" at a command prompt and it'll give you the logon server. Am really hoping that this isn't dc1. Which dc's are global catalogs and is dns replicating correctly between the other dc's? I'd also run dcdiag against the other dc's.

Then post back what you find.
I think what you're going to need to do is the following - but wait for now and let's see what you report and I suggest a careful plan before you do anything. If you're not confident about this what are your chances of being able to get a consultant in to sort it out? I'm worried that this is a tough fix to do completely via EE.


Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;332199

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504/

How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498/

Go through the articles posted as they cover most things, particularly the first article. I don't think I've left anything out for now - but am sure others will contribute to this.
Deb :))
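As an added example (not from the thread or either poster), here is a small Python script that pulls the failed-partner blocks out of a dcdiag "Replications" test and ages each one against the 60-day Windows 2000 tombstone lifetime Deb refers to above; the dcdiag text it parses is a constructed sample shaped like the output posted earlier, with hypothetical server and domain names.

```python
from datetime import datetime, timedelta

TOMBSTONE_LIFETIME = timedelta(days=60)   # Windows 2000 default
TS_FMT = "%Y-%m-%d %H:%M.%S"              # dcdiag prints 2006-05-19 11:59.37

# Constructed sample, shaped like the dcdiag output posted in this thread.
SAMPLE_DCDIAG = """\
   [Replications Check,W2K-DC1] A recent replication attempt failed:
      From W2K-DC2 to W2K-DC1
      Naming Context: CN=Schema,CN=Configuration,DC=example,DC=local
      The replication generated an error (5):
      Access is denied.
      The failure occurred at 2006-05-19 11:59.37.
      The last success occurred at 2006-03-15 17:45.24.
   [Replications Check,W2K-DC1] A recent replication attempt failed:
      From W2K-DC3 to W2K-DC1
      Naming Context: DC=example,DC=local
      The replication generated an error (5):
      Access is denied.
      The failure occurred at 2006-05-19 11:59.37.
      The last success occurred at 2006-05-10 08:00.00.
"""

def _ts(line):  # "... occurred at 2006-05-19 11:59.37." -> datetime
    return datetime.strptime(line.split(" at ", 1)[1].rstrip("."), TS_FMT)

def parse_replication_failures(text):
    """Return one dict per '[Replications Check,...]' block in dcdiag output."""
    failures, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[Replications Check,"):
            cur = {}                         # a new failed-partner block starts
            failures.append(cur)
        elif cur is None:
            continue                         # header text before the first block
        elif line.startswith("From "):
            cur["source"], cur["dest"] = line[5:].split(" to ", 1)
        elif line.startswith("Naming Context: "):
            cur["nc"] = line[len("Naming Context: "):]
        elif line.startswith("The replication generated an error ("):
            cur["error"] = int(line.split("(")[1].split(")")[0])
        elif line.startswith("The failure occurred at "):
            cur["last_failure"] = _ts(line)
        elif line.startswith("The last success occurred at "):
            cur["last_success"] = _ts(line)
    return failures

def assess(failures):
    """Age each failure at the time of its last failed attempt (when dcdiag ran)."""
    out = []
    for f in failures:
        age = f["last_failure"] - f["last_success"]
        out.append({**f, "age_days": age.days, "beyond_tombstone": age > TOMBSTONE_LIFETIME})
    return out
```

Any partner reported with beyond_tombstone set is the case Deb describes: that DC can no longer be brought back into sync and has to be cleaned out of AD and re-promoted.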
 
mitzoid1Author Commented:
First of all thanks for answering.  I feel better just having someone to discuss this with.  

At Site 1, most of the servers and user workstations are logging into DC2, EVEN DC1 has DC2 as its logon server. I checked all of the 24 servers on site and only 4 were set to log into DC1. I went into the registry and changed one of the servers to logon to DC2 instead of DC1 and rebooted it so now it also logs into DC2. We have around 800 workstations at this site, I remoted into around 50 of them and 46 of them had DC2 as their logon server. Our exchange server however, had DC1 as its logon server :-( I suppose this is because DC1 holds the Schema Master. When I check the other sites all the DCs have themselves as the logon server and the application servers logon to the DC local to them.

The other DCs are all replicating with each other, in fact KCC regenerated a new topology (EXCLUDING DC1). It's like KCC kicked DC1 out of the club. Now DC1 only has one NTDS connector at Site1 where DC2 is located. I will run DCdiag against the other DCs to see what it reveals.

In answer to your question about letting it go so long, I just realized this towards the end of April (after one month of no replication). This server holds the Schema Master, Domain Naming Master and the Infrastructure Master (although I just transferred/forced the Infrastructure Master to DC2); I could not transfer the other two roles. All of the DCs have had a catalog on them since the beginning.

So anyway, users were still able to log into the domain and DC2 is newer and faster so I always used DC2 to create OUs, user accounts etc. 'Til one day I tried to create an account on DC1 and the user could not logon with it. So then I tried to replicate and that's when I realized it was not working. Then I created the account on DC2 and the user was able to logon. Since that time I've been trying to resolve the problem to no avail. I've already read the three articles that you suggested and many many others. I'm so very busy at work, we're very short staffed and I'm the only network admin. So I couldn't spend as much time on this as I should have. I didn't realize it was this serious.

My company is strapped for cash so I can't get a consultant to come in. I have to come up with some type of plan. I haven't even told my boss yet. He wanted a 1200 user Workgroup and I begged him to let me setup a 2000 Domain three years ago and everything's been working well until this.

My main concerns are the DNS, the terminal licensing, and the Forest level FSMO roles which all reside on DC1.  I figure I have to get them over to DC2 somehow.   I know that once I seize the FSMO roles, I cannot bring that server DC1 back online.  

As for the DNS it appears to be working fine. I did a test by creating a couple of A records and did a zone transfer and it transferred to my secondary DNS just fine. And as I said I can open AD Users and Computers and connect to and manage any computer. Also my Term Serve users can get their licenses. The only thing it cannot do is replicate with the other DCs. I had a project last month where I setup 30 new users and 2 OUs at one of the remote sites and this DC does not have those OUs or users. But they replicated to the other DCs.

My secondary DNS server is not on a DC, just a member server; I can't promote it to a DC because DC1 has the Domain Naming Master.

Also all 1200 user workstations and 36 servers are pointing to DC1 IP address for DNS.

Do you know if I can have more than one secondary DNS server?  Maybe install DNS on DC2 as a secondary DNS server then promote it to the primary DNS server just before I seize the FSMO roles then change the IP???

I’m so dead
 
Debsyl99Commented:
Hi
Don't worry - this doesn't sound as bad as I feared - I think you can get this back up again although the steps I mentioned still apply. If you run dcpromo /forceremoval against the dc1 then it will remove ad from it - you *should* be able to get it back online - the only worry is if there's an OS corruption somewhere... but we'll deal with that. I've got to go to bed as it's very late here but to start with tell your boss that a 1200 user workgroup was never ever going to be a good idea. If he's anything like my boss he won't really have a clue what you're on about so just baffle him with some techno-speak and let him know that you know what you're doing because you will. No one else has jumped in on this thread yet so it looks like it may be just me and you but I won't bail out on you and I do know a thing or two about this.

First change this as it shouldn't hurt so long as you test it first:
"Also all 1200 user workstations and 36 servers are pointing to DC1 IP address for DNS." - Change it so they point at DC2 - am assuming you must be running dhcp so that should be fairly easy to do although that's going to need moving to dc2 if it's running on dc1. Try it with one workstation first though - test as much of this lot as you can. First point DC2 at itself for primary DNS and make sure it's AD-integrated. If DNS isn't running on it then install it and point it at DC1 first so it can load the zone data. Once loaded point it at itself as primary and DC1 for now as secondary. I think we need to get dc2 running dns effectively first.
How do I install and configure Windows 2000 DNS server?
http://www.petri.co.il/install_and_configure_w2k_dns_server.htm
Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/kb/291382

Most importantly - don't panic. 1200 workstations, 36 servers and one network admin? Ok I'll leave out unhelpful comments about un-tech savvy bosses who don't understand what we do.......

Buy yourself some time with your boss to sort this because you need to. If he doesn't get it I'll happily email him ;-)

Catch you tomorrow
Deb :))
 
mitzoid1Author Commented:
We don't have DHCP, my boss doesn't want it (that's another story). Anyway we have all static IP addresses, that's why I want to also transfer the IP from the other server. I'm going to install DNS on DC2 but not configure it for now.

I've read the articles that you suggested and I also read several others. It seems as if I can have more than one AD integrated DNS server, I thought I could only have one and then one secondary DNS server. I wonder if the zone information would transfer over if I made DC2 AD integrated DNS also. Then I would have time (me and the 5 Desktop support techs) to change everyone over to point to DC2. Or I can make DC2 a secondary server first then promote it to AD integrated. What do you think?
 
mitzoid1Author Commented:
Guess what, once I installed DNS on DC2 it automatically populated itself with DNS records although some of the info is a bit old and the two records I created last night are not in DC2 DNS. I changed my PC to get DNS from DC2 and rebooted. I was able to log into the Domain okay.

I'm thinking that I should change DC2 to point to itself for DNS, then start changing over the PC's and lastly the servers to point to DC2 DNS.  I turned on scavenging on DC2 DNS.
 
Debsyl99Commented:
"I'm thinking that I should change DC2 to point to itself for DNS, then start changing over the PC's and lastly the servers to point to DC2 DNS.  I turned on scavenging on DC2 DNS."

Yep - that's the way I'd go. Get dns sorted first as dc1 isn't going anywhere or doing anything. You can have lots of ad-integrated dns servers - I'd suggest at least two for redundancy and at least one at each remote site you've got. Make sure everything points at dc2 then make sure you have at least one other secondary dns server. Point it at dc2 as well and point it at itself as secondary. Ensure the zones are ad-integrated and can accept zone transfers and they should keep themselves up to date. The beauty of 2000 dhcp is that it integrates with dns and automatically updates host records in dns so you don't end up with loads of stale records or worse duplicates - you can also set primary dns servers, gateways etc for each scope. Your boss sounds like a nightmare. I guess I'm pretty lucky as I get to call all the shots with my networks.

I'm assuming dc2 must be a global cat server - you can also point your pc's to other dns servers if you need to balance traffic etc.

I'd also get as many services/apps that run on dc1 offloaded to other servers. When you eventually take dc1 down it should be pretty seamless. Let me know how you,
Deb :))

 
mitzoid1Author Commented:
thanks
 
Debsyl99Commented:
Good luck - let me know if you ask any further questions on this one :))