Solved

Active Directory (W2K3) Replication and Time Sync Issues

Posted on 2007-04-10
Last Modified: 2009-12-16
Unable to contact or replicate Domains between root and child domains and all other child domains.

Topology:

ROOT DCS:
(UK)             EIXRODC01 and EIXRODC02
(UK DATACENTRE)  EFXRODC01

CHILD DOMAIN DCS:
(FRANCE)         EFRDC01 and EFRDC02
(UK DATACENTRE)  EIXFRDC01

Unable to contact or replicate Domains between root and child domains and all other child domains.  Complete replication failure for the last 3 days.

If I attempt to connect to the Child Domain via the AD Users and Computers utility, even though logged onto the Root DC as Enterprise Administrator, the following appears:  "Windows cannot connect to the new domain because: The clocks on the client and server machines are skewed."

If I attempt to log on to the Child Domain DCs, the following appears: "The current time on this computer and the current time on the network are different. For more information about Date/Time Properties, see Help and Support.  To log on, contact your system administrator."

If I attempt to view Event Viewer on the child domain, the following appears:  "Event Viewer, Access Denied."

Please help.
Question by:ActiveInfoSys
 

Author Comment

by:ActiveInfoSys
ID: 18881766
From Root DC, the following is happening...so not able to set time it looks like:

C:\>NET TIME /domain:fr.avisrac.net /SET /YES
System error 5 has occurred.
Access is denied.
 

Author Comment

by:ActiveInfoSys
ID: 18881814
Event ID:  1926
Category:  Knowledge Consistency
Source:  NTDS KCC
"The attempt to establish a replication link to a read-only directory partition with the following parameters failed."
Additional Data:  Error Value:  5 Access is Denied.
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18881943
You are in a catch-22: you are receiving these errors because time synchronization is off, and you cannot resolve these errors remotely because...time synchronization is off.  (Yes, you will receive an "Access is denied" error trying to run "net time" remotely if you are already experiencing time sync issues.)

Follow these steps to configure an authoritative time source in the forest root domain: http://support.microsoft.com/kb/816042

Once you have done so, log onto a DC in each child domain, stop and restart the w32time service using this command:

"net stop w32time && net start w32time"

You should also ensure that there are no physical connectivity or name resolution issues between the domains, which may have caused this issue to start occurring 3 days ago.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
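
Added example (not part of the original thread and not the posters' code): a way to confirm the skew described above before attempting replication again. It parses the output of `w32tm /stripchart /computer:<dc> /samples:1 /dataonly`, run from one reference machine against each DC, and reports every pair of DCs whose clocks differ by more than the default 5-minute Kerberos tolerance. The DC names are taken from the question; the offsets, the 192.0.2.x addresses and the error code are constructed sample values.

```python
import re
from itertools import combinations

# Default Kerberos "maximum tolerance for computer clock synchronization"
# in a Windows domain is 5 minutes.
MAX_SKEW_SECONDS = 300.0

# Data line printed by /dataonly, e.g. "10:15:02, +431.5520000s"
SAMPLE_RE = re.compile(r"^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s$")

def parse_offset(output):
    """Return the last offset in seconds, or None if only errors were reported."""
    offset = None
    for line in output.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if m:
            offset = float(m.group(1))
    return offset

def skewed_pairs(offsets, limit=MAX_SKEW_SECONDS):
    """List (dc_a, dc_b, skew) for every pair of DCs more than `limit` apart."""
    known = {dc: off for dc, off in offsets.items() if off is not None}
    bad = []
    for a, b in combinations(sorted(known), 2):
        skew = abs(known[a] - known[b])
        if skew > limit:
            bad.append((a, b, round(skew, 1)))
    return bad

# Constructed sample output, one capture per DC (not real measurements).
HEADER = "Tracking {0} [192.0.2.{1}:123].\nCollecting 1 samples.\n"
SAMPLES = {
    "EIXRODC01": HEADER.format("EIXRODC01", 11) + "10:15:02, +00.0312000s\n",
    "EFXRODC01": HEADER.format("EFXRODC01", 12) + "10:15:04, -01.2040000s\n",
    "EFRDC01": HEADER.format("EFRDC01", 21) + "10:15:06, +431.5520000s\n",
    "EFRDC02": HEADER.format("EFRDC02", 22) + "10:15:09, error: 0x800705B4\n",
}

def check(samples=SAMPLES):
    """Return (skewed pairs, DCs that returned no time sample)."""
    offsets = {dc: parse_offset(out) for dc, out in samples.items()}
    unreachable = sorted(dc for dc, off in offsets.items() if off is None)
    return skewed_pairs(offsets), unreachable

if __name__ == "__main__":
    pairs, unreachable = check()
    for a, b, skew in pairs:
        print(f"{a} <-> {b}: {skew}s apart, exceeds {MAX_SKEW_SECONDS:.0f}s")
    print("no time sample from:", ", ".join(unreachable) or "none")
```

A DC that returns no sample needs a separate connectivity and name-resolution check, since its skew is simply unknown.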
 

Author Comment

by:ActiveInfoSys
ID: 18882329
If on a child DC and attempt to replicate to another child DC,  

"Replicate Now.  The following error occurred during the attempt to contact the domain controller, EIXIXDC01: Access is denied."
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18882354
Have you corrected the timesync issue and confirmed physical connectivity and name resolution?  You will need to do so before any other operations like replication can take place.
 

Author Comment

by:ActiveInfoSys
ID: 18889865
Hi Laura - Wow, as soon as I saw your name, I knew you. Thanks for your help here and all your great helpful articles on the Internet.

Yes.
Timesync Issue corrected.

Using Dameware NT Utilities, and adding server to Favorites and then scheduling a Job in Task Scheduler to run w32tm command:  
/config [/computer:ComputerName] [ [/update] [/manualpeerlist:ListOfComputerNames] ] [/syncfromflags:ListOfFlags] :
/config /update /manualpeerlist:10.101.65.73 /syncfromflags:DOMHIER
So, full command:  w32tm /config /update /manualpeerlist:10.101.65.73 /syncfromflags:DOMHIER

And this worked a treat and successfully set 10.101.65.73 as the Time Source for the child domain DC. This ip is the primary DNS server for the IX domain so all is good.

I also added into all of France's Domain Controllers, DNS Suffixes, for all other child domains and of course the Root Domain. This solved the Name Resolution issues.

Monitoring the firewall, no packets were registered as dropped so no physical connectivity issues persisted.  And I am glad to say replication is successful from the Data Centre, Root Domain and now France.  Hooray!

I do have a related Question however, which takes things a bit further.

Question regarding Access Denied replication error messages from Sites and Services:

When logged onto FranceDC01 as France Domain Admin and inside the FRANCE site--
if I force a replication from Child DC01 (UK) to Child DC01 (France), all is OK and working.
(pull replication FROM partners is successful).

But...
When logged onto FranceDC01 as France Domain Admin and inside the SPANISH site--
if I force a replication from Child DC01 (Spain) to Child DC01 (France),  the following occurs:

"Replicate Now"  The following error occurred during the attempt to synchronize naming context avisrac.net from Domain Controller GreeceDC01 to Domain Controller SpainDC01.
Replication access was denied.  This operation will not continue.

Is this because the France Domain Admin can only pull into its own SITE, since it has no rights on other child domain SITE DCs?

And also, out of curiosity, is it possible to PUSH replication? Each of the nodes in Sites and Services reads "FROM SERVER".
 

Author Comment

by:ActiveInfoSys
ID: 18889946
Does replmon PUSH replication, and if so, what are the commands and menus? I have been unable to locate these.
 
LVL 30

Accepted Solution

by:LauraEHunterMVP (earned 500 total points)
ID: 18890041
All AD replication is a pull operation; there is no push replication in AD such as you'll see in WINS replication. If you have two-way replication between DC1 and DC2, you have one pull connection from DC2 to DC1, and a 2nd pull connection from DC1 to DC2.

Regarding that "Access is denied" error, it sounds like you're seeing the behaviour described in this KB: http://support.microsoft.com/kb/303305.  To be on the safe side, I would recommend running a dcdiag, netdiag and repadmin /replsum from all DCs in your environment to make sure that there are no lingering errors hanging around.

Hope this is helpful.
