Solved

Active Directory (W2K3) Replication and Time Sync Issues

Posted on 2007-04-10
Last Modified: 2009-12-16

Topology:
ROOT DCS:
(UK)             EIXRODC01 and
            EIXRODC02
(UK DATACENTRE)       EFXRODC01  

CHILD DOMAIN DCS:
(FRANCE)              EFRDC01 and
            EFRDC02
(UK DATACENTRE)       EIXFRDC01

Unable to contact or replicate Domains between root and child domains and all other child domains.  Complete replication failure for the last 3 days.

If attempt to connect to Child Domain via AD Users and Computers utility, even though logged onto Root DC as Enterprise Administrator, the following appears:  "Windows cannot connect to the new domain because: The clocks on the client and server machines are skewed."

If attempt to logon to Child Domain DCs, the following appears: "The current time on this computer and the current time on the network are different. For more information about Date/Time Properties, see Help and Support.  To log on, contact your system administrator."

If attempt to view Event Viewer on child domain, the following appears:  "Event Viewer, Access Denied."

Please help.
0
Question by:ActiveInfoSys

Author Comment

by:ActiveInfoSys
ID: 18881766
From Root DC, the following is happening...so not able to set time it looks like:

C:\>NET TIME /domain:fr.avisrac.net /SET /YES
System error 5 has occurred.
Access is denied.
0
 

Author Comment

by:ActiveInfoSys
ID: 18881814
Event ID:  1926
Category:  Knowledge Consistency
Source:  NTDS KCC
"The attempt to establish a replication link to a read-only directory partition with the following parameters failed."
Additional Data:  Error Value:  5 Access is Denied.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18881943
You are in a catch-22: you are receiving these errors because time synchronization is off, and you cannot resolve these errors remotely because...time synchronization is off.  (Yes, you will receive an "Access is denied" error trying to run "net time" remotely if you are already experiencing time sync issues.)

Follow these steps to configure an authoritative time source in the forest root domain: http://support.microsoft.com/kb/816042

Once you have done so, log onto a DC in each child domain, stop and restart the w32time service using this command:

"net stop w32time && net start w32time"

You should also ensure that there are no physical connectivity or name resolution issues between the domains, which may have caused this issue to start occurring 3 days ago.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0

 

Author Comment

by:ActiveInfoSys
ID: 18882329
If on a child DC and attempt to replicate to another child DC,  

"Replicate Now.  The following error occurred during the attempt to contact the domain controller, EIXIXDC01: Access is denied."
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18882354
Have you corrected the timesync issue and confirmed physical connectivity and name resolution?  You will need to do so before any other operations like replication can take place.
0
 

Author Comment

by:ActiveInfoSys
ID: 18889865
Hi Laura - Wow, as soon as I saw your name, I knew you. Thanks for your help here and all your great helpful articles on the Internet.

Yes.
Timesync Issue corrected.

Using Dameware NT Utilities, and adding server to Favorites and then scheduling a Job in Task Scheduler to run w32tm command:  
/config [/computer:ComputerName] [ [/update] [/manualpeerlist:ListOfComputerNames] ] [/syncfromflags:ListOfFlags] :
/config /update /manualpeerlist:10.101.65.73 /syncfromflags:DOMHIER
So, full command:  w32tm /config /update /manualpeerlist:10.101.65.73 /syncfromflags:DOMHIER

And this worked a treat and successfully set 10.101.65.73 as the Time Source for the child domain DC. This ip is the primary DNS server for the IX domain so all is good.

I also added into all of France's Domain Controllers, DNS Suffixes, for all other child domains and of course the Root Domain. This solved the Name Resolution issues.

Monitoring the firewall, no packets were registered as dropped so no physical connectivity issues persisted.  And I am glad to say replication is successful from the Data Centre, Root Domain and now France.  Hooray!

I do have a related Question however, which takes things a bit further.

Question regarding Access Denied replication error messages from Sites and Services:

When logged onto FranceDC01 as France Domain Admin and inside the FRANCE site--
if I force a replication from Child DC01 (UK) to Child DC01 (France), all is OK and working.
(pull replication FROM partners is successful).

But...
When logged onto FranceDC01 as France Domain Admin and inside the SPANISH site--
if I force a replication from Child DC01 (Spain) to Child DC01 (France),  the following occurs:

"Replicate Now"  The following error occurred during the attempt to synchronize naming context avisrac.net from Domain Controller GreeceDC01 to Domain Controller SpainDC01.
Replication access was denied.  This operation will not continue.

Is this because the France Domain Admin can only pull into its own SITE, since no rights on other child domain SITE DCs?

And also, out of curiosity, is it possible to PUSH replication...each of the nodes in Sites and Services reads "FROM SERVER".
0
 

Author Comment

by:ActiveInfoSys
ID: 18889946
Does replmon PUSH replication and if so what are the commands, menus...I have been unable to locate these.
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 18890041
All AD replication is a pull operation; there is no push replication in AD such as you'll see in WINS replication. If you have two-way replication between DC1 and DC2, you have one pull connection from DC2 to DC1, and a 2nd pull connection from DC1 to DC2.

Regarding that "Access is denied" error, it sounds like you're seeing the behaviour described in this KB: http://support.microsoft.com/kb/303305.  To be on the safe side, I would recommend running a dcdiag, netdiag and repadmin /replsum from all DCs in your environment to make sure that there are no lingering errors hanging around.

Hope this is helpful.

0
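
Added example (not part of the original thread): a PowerShell sketch that measures each DC's clock offset with w32tm /stripchart, which uses plain NTP queries and so still works when authenticated calls such as NET TIME fail with "Access is denied", and then runs the repadmin summary recommended above only once every clock is within tolerance. The DC names come from the topology in the question; the 300-second threshold assumes the default Kerberos tolerance of 5 minutes has not been changed by policy, and offsets are relative to the machine the script runs on, so run it from the authoritative time source.

```powershell
# Added example, not from the original thread.
# DC names are taken from the topology in the question; adjust for your forest.
$DomainControllers = 'EIXRODC01','EIXRODC02','EFXRODC01','EFRDC01','EFRDC02','EIXFRDC01'
$MaxSkewSeconds    = 300   # assumption: default Kerberos clock tolerance (5 minutes)

function Get-ClockOffset {
    param([string]$Computer)
    # /dataonly prints one line per sample, e.g. "10:00:00, +00.0012345s",
    # or "10:00:00, error: 0x800705B4" when no NTP reply was received.
    $out = & w32tm /stripchart "/computer:$Computer" /samples:1 /dataonly 2>&1
    foreach ($line in $out) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') {
            return [double]$Matches[1]   # seconds, signed, relative to the local clock
        }
    }
    return $null   # no sample: UDP 123 blocked, name not resolved, or w32time stopped
}

$results = foreach ($dc in $DomainControllers) {
    $offset = Get-ClockOffset $dc
    if ($null -eq $offset) { $status = 'NO-SAMPLE' }
    elseif ([math]::Abs($offset) -gt $MaxSkewSeconds) { $status = 'SKEWED' }
    else { $status = 'OK' }
    New-Object PSObject -Property @{ DC = $dc; OffsetSeconds = $offset; Status = $status }
}

$results | Format-Table DC, OffsetSeconds, Status -AutoSize

# Replication diagnostics are only meaningful once every clock is within tolerance,
# because a skewed DC fails authentication before replication is even attempted.
$problems = @($results | Where-Object { $_.Status -ne 'OK' })
if ($problems.Count -eq 0) {
    & repadmin /replsum
} else {
    Write-Warning ("Fix time sync or NTP reachability first on: " +
        (($problems | ForEach-Object { $_.DC }) -join ', '))
}
```

A NO-SAMPLE result points at the connectivity or name resolution problems mentioned earlier in the thread rather than at the clock itself.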
