
FRS error 13508 without 13509

jasonmichel asked
Last Modified: 2008-01-09
I had an earlier post concerning setting permissions on a shared folder; it seems that I've opened a larger can of worms. I have a PDC in xcity, Ohio, and I recently set up 2 other domain controllers for the same domain in xcity, Michigan and ycity, Ohio. The one in Michigan is giving me the 13508 error and is the one I am having problems with: setting permissions, mapping drives, having all workstations show up in Network Neighborhood, etc. I checked the NTDS settings on the problem DC and it shows that it is replicating TO the PDC and nothing in the replicate from. Are all my issues coming from the FRS, or is it a router/network issue? I can ping the FQDN of the PDC and everything works fine that way. I run Repadmin /showres and everything seems to complete successfully. I am very frustrated that this isn't working. I have the one set up in ycity, Ohio with exactly the same role and everything works fine. Please help, and thanks in advance for your help.

Author

Commented:
Okay, let me see if I can explain better. On the secondary domain controller I have in my branch office, DNS for that server is set to use the PDC at the home datacenter as primary DNS and then the local ISP as secondary DNS. In the DHCP scope it hands out its own IP as primary and the PDC as secondary. NetBIOS is set to default. Should I use NetBIOS over TCP/IP? I did get a KCC error event ID 1925, and I'm also getting userenv error event IDs 1054, 1030, 1006. No, you did not misunderstand. When I go to NTDS settings in S&S, under the secondary controller that I am having the issue with, it has nothing in the replicate from, but in the replicate to it has my primary domain controller. Is there a way to post screenshots on here? There is an A record for the secondary domain controller on the DNS for the PDC; not sure what an SRV record is. Hope this helps clarify.

Remove your ISP DNS from your TCP/IP settings.
Yes, you need NetBIOS over TCP, but if you have an Internet-facing NIC, you should disable it on the external NIC.
If KCC couldn't generate the connection object (the entry you see in Sites & Services), incoming replication won't happen. What is the description in the KCC error?
SRV records are those under the _msdcs zone. SRV records tell clients where to get a particular service, such as LDAP.

To manually trigger KCC, right-click "NTDS settings", All Tasks\Check Replication Topology.
To manually create a connection object instead of letting KCC do it, right-click, New, Connection (but I prefer KCC generating it unless you have special needs, and even if you manually create a connection, it won't work with the underlying problem unsolved).

A "netdiag /v> netdiag.txt" and "dcdiag /v>dcdiag.txt" will help you as well.

Author

Commented:
I manually created that connection to my primary domain controller, then manually replicated it. However, as you said, it doesn't mean anything. I took the ISP out of my DNS record. I only have 1 NIC active. The NTDS replication error I get is:

"Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of security groups, group policy, user and computers and their passwords, Active Directory successfully replicated using the Netbios or fully qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operation on member computers, domain controllers or application servers in this AD forest including logon authentication or access to network resources.

you should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS."


This was before I changed the DNS. My DNS is now my SDC as my primary DNS and my PDC as my secondary DNS.

When I try to check replication topology I get "The following error occurred during the attempt to contact the domain controller: The directory property cannot be found in the cache". Having manually created the connection, the PDC shows up in the replicate from and replicate to now.

Author

Commented:
Ran DCDIAG and this is the output:


Directory Server Diagnosis

Performing initial setup:
   * Verifying that the local machine JASOUTHFS, is a Directory Server.
   * Connecting to directory service on server JASOUTHFS.
   * Identified AD Forest.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\JASOUTHFS
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... JASOUTHFS passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\JASOUTHFS
      Starting test: Replications
         * Replications Check
         [Replications Check,JASOUTHFS] A recent replication attempt failed:
            From JANEWCOMER to JASOUTHFS
            Naming Context: CN=Schema,CN=Configuration,DC=JA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2007-01-31 11:59:17.
            The last success occurred at 2007-01-31 09:58:14.
            2 failures have occurred since the last success.
            [JANEWCOMER] DsBindWithSpnEx() failed with error 1722,
            The RPC server is unavailable..
            Printing RPC Extended Error Info:
            Error Record 1, ProcessID is 3940 (DcDiag)            
               System Time is: 1/31/2007 17:8:30:976
               Generating component is 8 (winsock)
               Status is 1722: The RPC server is unavailable.

               Detection location is 323
            Error Record 2, ProcessID is 3940 (DcDiag)            
               System Time is: 1/31/2007 17:8:30:976
               Generating component is 8 (winsock)
               Status is 1237: The operation could not be completed. A retry should be performed.

               Detection location is 313
            Error Record 3, ProcessID is 3940 (DcDiag)            
               System Time is: 1/31/2007 17:8:30:976
               Generating component is 8 (winsock)
               Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

               Detection location is 311
               NumberOfParameters is 3
               Long val: 135
               Pointer val: 0
               Pointer val: 0
            Error Record 4, ProcessID is 3940 (DcDiag)            
               System Time is: 1/31/2007 17:8:30:976
               Generating component is 8 (winsock)
               Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

               Detection location is 318
            The source remains down. Please check the machine.
         [Replications Check,JASOUTHFS] A recent replication attempt failed:
            From JANEWCOMER to JASOUTHFS
            Naming Context: CN=Configuration,DC=JA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2007-01-31 11:58:56.
            The last success occurred at 2007-01-31 10:45:37.
            2 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,JASOUTHFS] A recent replication attempt failed:
            From JANEWCOMER to JASOUTHFS
            Naming Context: DC=JA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2007-01-31 11:58:35.
            The last success occurred at 2007-01-31 09:58:14.
            2 failures have occurred since the last success.
            The source remains down. Please check the machine.
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=JA,DC=local
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=JA,DC=local
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=JA,DC=local
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... JASOUTHFS passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC JASOUTHFS.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=JA,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=JA,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=JA,DC=local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=JA,DC=local
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=JA,DC=local
            (Domain,Version 2)
         ......................... JASOUTHFS passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\JASOUTHFS\netlogon)
         [JASOUTHFS] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... JASOUTHFS failed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\jane.JA.local, when we were trying to reach JASOUTHFS.
         Server is not responding or is not considered suitable.
         The DC JASOUTHFS is advertising itself as a DC and having a DS.
         The DC JASOUTHFS is advertising as an LDAP server
         The DC JASOUTHFS is advertising as having a writeable directory
         The DC JASOUTHFS is advertising as a Key Distribution Center
         The DC JASOUTHFS is advertising as a time server
         The DS JASOUTHFS is advertising as a GC.
         ......................... JASOUTHFS failed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=JANE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JA,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=JANE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JA,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=JANE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JA,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=JANE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JA,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=JANE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JA,DC=local
         ......................... JASOUTHFS passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 4110 to 1073741823
         * jane.JA.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 2110 to 2609
         * rIDPreviousAllocationPool is 2110 to 2609
         * rIDNextRID: 2110
         ......................... JASOUTHFS passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC JASOUTHFS on DC JASOUTHFS.
         * SPN found :LDAP/JASOUTHFS.JA.local/JA.local
         * SPN found :LDAP/JASOUTHFS.JA.local
         * SPN found :LDAP/JASOUTHFS
         * SPN found :LDAP/JASOUTHFS.JA.local/JA
         * SPN found :LDAP/c6ee1360-8d7d-49f7-bc6a-ae0920c7b2b5._msdcs.JA.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/c6ee1360-8d7d-49f7-bc6a-ae0920c7b2b5/JA.local
         * SPN found :HOST/JASOUTHFS.JA.local/JA.local
         * SPN found :HOST/JASOUTHFS.JA.local
         * SPN found :HOST/JASOUTHFS
         * SPN found :HOST/JASOUTHFS.JA.local/JA
         * SPN found :GC/JASOUTHFS.JA.local/JA.local
         ......................... JASOUTHFS passed test MachineAccount
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... JASOUTHFS passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         JASOUTHFS is in domain DC=JA,DC=local
         Checking for CN=JASOUTHFS,OU=Domain Controllers,DC=JA,DC=local in domain DC=JA,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=JASOUTHFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JA,DC=local in domain CN=Configuration,DC=JA,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... JASOUTHFS passed test ObjectsReplicated
      Starting test: FrsSysVol
         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL.  The

         error returned  was 0 (The operation completed successfully.).  Check

         the FRS event log to see if the SYSVOL has successfully been shared.
         ......................... JASOUTHFS passed test FrsSysVol
      Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034FD
            Time Generated: 01/31/2007   09:07:55
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 01/31/2007   09:09:36
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 01/31/2007   09:17:36
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 01/31/2007   09:17:37
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034FA
            Time Generated: 01/31/2007   11:52:56
            (Event String could not be retrieved)
         ......................... JASOUTHFS failed test FrsEvent
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... JASOUTHFS passed test KccEvent
      Starting test: SystemLog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... JASOUTHFS passed test SystemLog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)

         CN=JASOUTHFS,OU=Domain Controllers,DC=JA,DC=local and backlink on

         CN=JASOUTHFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JA,DC=local

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=JASOUTHFS,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=JA,DC=local

         and backlink on CN=JASOUTHFS,OU=Domain Controllers,DC=JA,DC=local are

         correct.
         The system object reference (serverReferenceBL)

         CN=JASOUTHFS,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=JA,DC=local

         and backlink on

         CN=NTDS Settings,CN=JASOUTHFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JA,DC=local

         are correct.
         ......................... JASOUTHFS passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : JA
      Starting test: CrossRefValidation
         ......................... JA passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... JA passed test CheckSDRefDom
   
   Running enterprise tests on : JA.local
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided.
         ......................... JA.local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\jane.JA.local
         Locator Flags: 0xe00003fd
         PDC Name: \\jane.JA.local
         Locator Flags: 0xe00003fd
         Time Server Name: \\jane.JA.local
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\jane.JA.local
         Locator Flags: 0xe00003fd
         KDC Name: \\jane.JA.local
         Locator Flags: 0xe00003fd
         ......................... JA.local passed test FsmoCheck

> Warning: DsGetDcName returned information for \\jane.JA.local, when we
> were trying to reach JASOUTHFS

For sure we still have a DNS issue here. Try this:
1. Use only one DNS server on JASOUTHFS. Use the one that Jane uses.
2. Make sure the zones ja.local and _msdcs.ja.local are accepting dynamic updates.
3. Verify that the A record jasouthfs.ja.local is correct on the only DNS server we are using.
4. Remove everything under _msdcs.ja.local, then restart the netlogon service on all DCs.
    (It's very safe to do so despite the fact it appears scary. If you are uncomfortable with this, remove everything that points to jasouthfs in the _msdcs zone, then restart the netlogon service, which should register all SRV records again for you.)
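
The checks from steps 3 and 4 above, together with the port 135 timeout shown in the dcdiag output, written as an added PowerShell example that is not part of the original thread. It assumes a Windows version that ships Resolve-DnsName and Test-NetConnection and that ja.local is the forest root; 192.0.2.10 is a placeholder for the single DNS server, and the helper name Get-Answer is hypothetical.

```powershell
# Added example, not from the thread. Requires Resolve-DnsName and
# Test-NetConnection (Windows 8 / Server 2012 or later).
param(
    [string]$Domain    = 'ja.local',     # domain named in the thread
    [string]$DcName    = 'jasouthfs',    # DC whose DNS registrations are checked
    [string]$SourceDc  = 'janewcomer',   # replication source named in the dcdiag output
    [string]$DnsServer = '192.0.2.10',   # placeholder: the one DNS server in use
    # DSA GUID as it appears in the LDAP/<guid>._msdcs SPN in the dcdiag output
    [string]$DsaGuid   = 'c6ee1360-8d7d-49f7-bc6a-ae0920c7b2b5'
)

$dcFqdn = "${DcName}.${Domain}".ToLower()

function Get-Answer {
    param([string]$Name, [string]$Type)
    # Ask the chosen DNS server directly and keep only answer-section records
    # of the requested type; NXDOMAIN or an SOA-only reply yields nothing.
    Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer -DnsOnly `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $Type }
}

$report = @()

# Step 3: the A record for the DC on the only DNS server being used
$a = Get-Answer $dcFqdn 'A'
$report += [pscustomobject]@{
    Check = "A       $dcFqdn"
    Ok    = [bool]$a
    Found = $a.IPAddress -join ', '
}

# Step 4: after the netlogon restart the DC should be listed again as a
# target of the DC locator SRV records in the _msdcs zone
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    $targets = @(Get-Answer $srv 'SRV' |
        ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })
    $report += [pscustomobject]@{
        Check = "SRV     $srv"
        Ok    = $targets -contains $dcFqdn
        Found = $targets -join ', '
    }
}

# The GUID-based alias that replication partners resolve to find this DC
$cname = Get-Answer "${DsaGuid}._msdcs.${Domain}" 'CNAME'
$report += [pscustomobject]@{
    Check = "CNAME   ${DsaGuid}._msdcs.${Domain}"
    Ok    = @($cname | ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() }) -contains $dcFqdn
    Found = $cname.NameHost -join ', '
}

# dcdiag reported error 1722 with a 10060 timeout and the value 135:
# test the RPC endpoint mapper port on the replication source.
# This call uses the system resolver, not $DnsServer.
$rpcOpen = Test-NetConnection -ComputerName "${SourceDc}.${Domain}" -Port 135 `
    -InformationLevel Quiet -WarningAction SilentlyContinue
$report += [pscustomobject]@{
    Check = "TCP/135 ${SourceDc}.${Domain}"
    Ok    = $rpcOpen
    Found = ''
}

$report | Format-Table -AutoSize
if ($report.Ok -contains $false) { exit 1 }
```

Run it on the problem DC and again on the PDC; a record that resolves on one and not the other points at the DNS client settings rather than at the zone contents.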

Author

Commented:
Just to clarify: use the IP of the PDC for the primary DNS of JASOUTHFS and leave the secondary empty, and delete everything in _msdcs.ja.local on both servers. Another thing I should point out after digging a little: JASOUTHFS is the remote DC and DNS is not installed on it; Jane is the PDC and has DNS, but it is set as a primary zone and not AD-integrated. Should I rectify this situation prior to continuing?

It's OK to have a non-AD-integrated zone and only one DNS server. In the multiple DNS server case, remove things on the primary DNS and the deletion should be replicated out. And yes, use the PDC as primary DNS and leave the secondary empty.

Author

Commented:
I've done everything you've suggested and I'm still getting DNS-type errors and still can't get it to let me add users to a shared drive; it still gives me replication errors. I don't know why this is acting like this. I have another one set up at a different remote location, identical, and there are no issues. Anything else you think I can try?

jasonmichel,
>          Unable to connect to the NETLOGON share! (\\JASOUTHFS\netlogon)
>          [JASOUTHFS] An net use or LsaPolicy operation failed with
> error 1203, No network provider accepted the given network path..
>          ......................... JASOUTHFS failed test NetLogons

OK, I checked back the netdiag result and the above caught my eye. See if 257338 helps.
http://support.microsoft.com/?kbid=257338

Author

Commented:
I ran repadmin /showreps %upstreamcomputer% and also for downstream to check replication, and I get the same error on both: "[d:\r2\ds\adam\src\util\repadmin\repbind.c, 207]  LDAP error 81 (server Down) WIn32 error 58"

Author

Commented:
Here's a strange twist: it seems when I go to Network Places and select the JA domain, all the workstations show up. If I find the secondary DC that is giving me issues and go into it and access the share, I can right-click on it, go to Properties and then Security. If I type a name and then hit Check Names, boom, it pops right up. But if I click Advanced, it times out and locks up. If I access the same share by going through My Computer and go to Security, it can't find the name either way and locks up. What the heck is going on? Real close to wiping that server and starting over.