Solved

Active Directory (W2K3) Replication and Time Sync Issues

Posted on 2007-04-10
Last Modified: 2009-12-16
Active Directory (W2K3) Replication and Time Sync Issues -
Unable to contact or replicate Domains between root and child domains and all other child domains.

Topology:
ROOT DCS:
(UK)              EIXRODC01 and EIXRODC02
(UK DATACENTRE)   EFXRODC01

CHILD DOMAIN DCS:
(FRANCE)          EFRDC01 and EFRDC02
(UK DATACENTRE)   EIXFRDC01

Unable to contact or replicate Domains between root and child domains and all other child domains.  Complete replication failure for the last 3 days.

If I attempt to connect to the Child Domain via the AD Users and Computers utility, even though logged onto the Root DC as Enterprise Administrator, the following appears:  "Windows cannot connect to the new domain because: The clocks on the client and server machines are skewed."

If I attempt to log on to the Child Domain DCs, the following appears: "The current time on this computer and the current time on the network are different. For more information about Date/Time Properties, see Help and Support.  To log on, contact your system administrator."

If I attempt to view Event Viewer on the child domain, the following appears:  "Event Viewer, Access Denied."

Please help.
0
Question by:ActiveInfoSys
 

Author Comment

by:ActiveInfoSys
ID: 18881766
From Root DC, the following is happening...so not able to set time it looks like:

C:\>NET TIME /domain:fr.avisrac.net /SET /YES
System error 5 has occurred.
Access is denied.
0
 

Author Comment

by:ActiveInfoSys
ID: 18881814
Event ID:  1926
Category:  Knowledge Consistency
Source:  NTDS KCC
"The attempt to establish a replication link to a read-only directory partition with the following parameters failed."
Additional Data:  Error Value:  5 Access is Denied.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18881943
You are in a catch-22: you are receiving these errors because time synchronization is off, and you cannot resolve these errors remotely because...time synchronization is off.  (Yes, you will receive an "Access is denied" error trying to run "net time" remotely if you are already experiencing time sync issues.)

Follow these steps to configure an authoritative time source in the forest root domain: http://support.microsoft.com/kb/816042

Once you have done so, log onto a DC in each child domain, stop and restart the w32time service using this command:

"net stop w32time && net start w32time"

You should also ensure that there are no physical connectivity or name resolution issues between the domains, which may have caused this issue to start occurring 3 days ago.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
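Added example, not part of the original answer: a PowerShell check that classifies each DC's clock offset against the 5-minute default Kerberos tolerance, so skew is caught before logons and replication start failing with "Access is denied". The DC names come from the topology in the question; the sample `w32tm /stripchart` lines and the `DRIFTING` threshold are constructed assumptions.

```powershell
# Default Kerberos tolerance for clock difference is 5 minutes.
$MaxSkewSeconds = 300

# Constructed sample output of: w32tm /stripchart /computer:<dc> /samples:1 /dataonly
# (DC names are from the question's topology; the offsets are invented.)
$Sample = @{
    'EIXRODC02' = @('14:02:11, +00.0412287s')
    'EFRDC01'   = @('14:02:12, +412.5530121s')
    'EFRDC02'   = @('14:02:14, error: 0x800705B4')
}

function Get-StripchartOffset {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data lines end in a signed offset such as "+412.5530121s"
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            return [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    }
    return $null   # no data line: unreachable, filtered, or w32time stopped
}

function Get-DcSkewState {
    param([string]$Computer, [string[]]$Lines)
    $offset = Get-StripchartOffset -Lines $Lines
    if ($null -eq $offset)                                { $state = 'NO-DATA' }
    elseif ([math]::Abs($offset) -gt $MaxSkewSeconds)     { $state = 'OVER-TOLERANCE' }
    elseif ([math]::Abs($offset) -gt $MaxSkewSeconds / 2) { $state = 'DRIFTING' }
    else                                                  { $state = 'OK' }
    [pscustomobject]@{ Computer = $Computer; OffsetSeconds = $offset; State = $state }
}

# Live use, run on the DC that holds the authoritative time source:
#   $lines = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly
$Sample.GetEnumerator() | Sort-Object Key |
    ForEach-Object { Get-DcSkewState -Computer $_.Key -Lines $_.Value } |
    Format-Table -AutoSize
```

A DC reported as `OVER-TOLERANCE` has to be corrected locally, since remote administration against it fails for the reason described in the answer above.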
 

Author Comment

by:ActiveInfoSys
ID: 18882329
If on a child DC and attempt to replicate to another child DC,  

"Replicate Now.  The following error occurred during the attempt to contact the domain controller, EIXIXDC01: Access is denied."
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18882354
Have you corrected the timesync issue and confirmed physical connectivity and name resolution?  You will need to do so before any other operations like replication can take place.
0
 

Author Comment

by:ActiveInfoSys
ID: 18889865
Hi Laura - Wow, as soon as I saw your name, I knew you. Thanks for your help here and all your great helpful articles on the Internet.  

Yes.
Timesync Issue corrected.

Using Dameware NT Utilities, and adding server to Favorites and then scheduling a Job in Task Scheduler to run w32tm command:  
/config [/computer:ComputerName] [ [/update] [/manualpeerlist:ListOfComputerNames] ] [/syncfromflags:ListOfFlags] :
/config /update /manualpeerlist:10.101.65.73 /syncfromflags:DOMHIER
So, full command:  w32tm /config /update /manualpeerlist:10.101.65.73 /syncfromflags:DOMHIER

And this worked a treat and successfully set 10.101.65.73 as the Time Source for the child domain DC. This ip is the primary DNS server for the IX domain so all is good.

I also added into all of France's Domain Controllers, DNS Suffixes, for all other child domains and of course the Root Domain. This solved the Name Resolution issues.

Monitoring the firewall, no packets were registered as dropped so no physical connectivity issues persisted.  And I am glad to say replication is successful from the Data Centre, Root Domain and now France.  Hooray!

I do have a related Question however, which takes things a bit further.

Question regarding Access Denied replication error messages from Sites and Services:

When logged onto FranceDC01 as France Domain Admin and inside the FRANCE site--
if I force a replication from Child DC01 (UK) to Child DC01 (France), all is OK and working.
(pull replication FROM partners is successful).

But...
When logged onto FranceDC01 as France Domain Admin and inside the SPANISH site--
if I force a replication from Child DC01 (Spain) to Child DC01 (France),  the following occurs:

"Replicate Now"  The following error occurred during the attempt to synchronize naming context avisrac.net from Domain Controller GreeceDC01 to Domain Controller SpainDC01.
Replication access was denied.  This operation will not continue.

Is this because the France Domain Admin can only pull into its own SITE, since it has no rights on other child domain SITE DCs?

And also, out of curiosity, is it possible to PUSH replication...each of the nodes in Sites and Services reads "FROM SERVER".
0
 

Author Comment

by:ActiveInfoSys
ID: 18889946
Does replmon PUSH replication and if so what are the commands, menus...I have been unable to locate these.
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 2000 total points
ID: 18890041
All AD replication is a pull operation; there is no push replication in AD such as you'll see in WINS replication. If you have two-way replication between DC1 and DC2, you have one pull connection from DC2 to DC1, and a 2nd pull connection from DC1 to DC2.  

Regarding that "Access is denied" error, it sounds like you're seeing the behaviour described in this KB: http://support.microsoft.com/kb/303305.  To be on the safe side, I would recommend running a dcdiag, netdiag and repadmin /replsum from all DCs in your environment to make sure that there are no lingering errors hanging around.

Hope this is helpful.

0
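Added example, not part of the original answer: a PowerShell filter over `repadmin /showrepl * /csv` (a per-link view, used here instead of the `/replsum` summary the answer names) that lists each failing inbound link as "puller from source", matching the pull-only model described above. The CSV rows, site names and the UK DC name are constructed; the hint texts are typical causes, stated as assumptions.

```powershell
# Constructed sample in the column layout of "repadmin /showrepl * /csv".
# On a live DC, replace with:  $csv = repadmin /showrepl * /csv
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Spain,SPAINDC01,"DC=avisrac,DC=net",Greece,GREECEDC01,RPC,4,2007-04-11 09:15:02,2007-04-07 22:40:11,8453
showrepl_INFO,France,FRANCEDC01,"DC=avisrac,DC=net",UK,UKDC01,RPC,0,0,2007-04-11 09:10:45,0
showrepl_INFO,France,FRANCEDC01,"CN=Configuration,DC=avisrac,DC=net",UK,UKDC01,RPC,12,2007-04-10 08:01:30,2007-04-07 21:55:00,5
'@ -split "`r?`n"

# Win32 status codes seen on this page, with typical causes (assumed wording).
$Hints = @{
    5    = 'Access is denied: check clock skew between the two DCs first'
    8453 = 'Replication access was denied: the initiating account lacks replication rights on this naming context'
}

function Get-FailingReplicationLink {
    param([string[]]$CsvLines)
    $CsvLines | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            $status = [int]$_.'Last Failure Status'
            if ($Hints.ContainsKey($status)) { $hint = $Hints[$status] }
            else                             { $hint = 'Review dcdiag output for this DC' }
            [pscustomobject]@{
                Puller        = $_.'Destination DSA'   # the destination pulls changes
                From          = $_.'Source DSA'        # from this source
                NamingContext = $_.'Naming Context'
                Failures      = [int]$_.'Number of Failures'
                LastSuccess   = $_.'Last Success Time'
                Status        = $status
                Hint          = $hint
            }
        }
}

Get-FailingReplicationLink -CsvLines $csv |
    Sort-Object Failures -Descending |
    Format-List
```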
