Solved

Active Directory (W2K3) Replication and Time Sync Issues

Posted on 2007-04-10
8
1,526 Views
Last Modified: 2009-12-16
Active Directory (W2K3) Replication and Time Sync Issues -
Unable to contact or replicate Domains between root and child domains and all other child domains.

Topology:
ROOT DCS:
(UK)             EIXRODC01 and
            EIXRODC02
(UK DATACENTRE)       EFXRODC01  

CHILD DOMAIN DCS:
(FRANCE)              EFRDC01 and
            EFRDC02
(UK DATACENTRE)       EIXFRDC01

Unable to contact or replicate Domains between root and child domains and all other child domains.  Complete replication failure for the last 3 days.

If attempt to connect to Child Domain via AD Users and Computers utility, even though logged onto Root DC as Enterprise Administrator., the following appears:  "Windows cannot connect to the new domain because: The clocks on the client and server machines are skewed."

If attempt to logon to Child Domain DCs, the following appears: "The current time on this computer and the current time on the network are different. For more information about Date/Time Properiteis, see Help and Support.  To log on, contact your system adminsitrator."

If attempt to view Event Viewer on child domain, the following appears:  "Event Viewer, Access Denied."

Please help.
0
Comment
Question by:ActiveInfoSys
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 

Author Comment

by:ActiveInfoSys
ID: 18881766
From Root DC, the following is happening...so not able to set time it looks like:

C:\>NET TIME /domain:fr.avisrac.net /SET /YES
System error 5 has occurred.
Access is denied.
0
 

Author Comment

by:ActiveInfoSys
ID: 18881814
Event ID:  1926
Category:  Knowledge Consistency
Source:  NTDS KCC
"The attempt to establish a replication link to a read-only directory partition with the following parameters failed."
Additional Data:  Error Value:  5 Access is Denied.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18881943
You are in a catch-22: you are receiving these errors because time synchronization is off, and you cannot resolve these errors remotely because...time synchronization is off.  (Yes, you will receive an "Access is denied" error trying to run "net time" remotely if you are already experiencing time sync issues.)

Follow these steps to configure an authoritative time source in the forest root domain: http://support.microsoft.com/kb/816042

Once you have done so, log onto a DC in each child domain, stop and restart the w32time service using this command:

"net stop w32time && net start w32time"

You should also ensure that there are no physical connectivity or name resolution issues between the domains, which may have caused this issue to start occuring 3 days ago.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:ActiveInfoSys
ID: 18882329
If on a child DC and attempt to replicate to another child DC,  

"Replicate Now.  The following error occurred during the attempt to contact the domain controller, EIXIXDC01: Acess is denied."
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18882354
Have you corrected the timesync issue and confirmed physical connectivity and name resolution?  You will need to do so before any other operations like replication can take place.
0
 

Author Comment

by:ActiveInfoSys
ID: 18889865
Hi Laura - Wow, as soon as I saw your name, I knew you, Thanks for your help here and all your great helpful articles on the Internet.  

Yes.
Timesync Issue corrected.

Using Dameware NT Utilities, and adding server to Favorites and then scheduling a Job in Task Scheduler to run w32tm command:  
/config [/computer:ComputerName] [ [/update] [/manualpeerlist:ListOfComputerNames] ] [/syncfromflags:ListOfFlags] :
/config /update /manualpeerlist:10.101.65.73 /syncfromflags:DOMHIER
So, full command:  w32tm /config /update /manualpeerlist:10.101.65.73 /syncfromflags:DOMHIER

And this worked a treat and successfully set 10.101.65.73 as the Time Source for the child domain DC. This ip is the primary DNS server for the IX domain so all is good.

I also added into all of France's Domain Controlllers, DNS Suffixes, for all other child domains and of course the Root Domain. This solved the Name Resolutions issues.

Monitoring the firewall, no packets were registered as dropped so no phyical connectivity issues persisted.  And I am glad to say replication is sucessful from the Data Centre, Root Domain and now France.  Horray!

I do have a related Question however, which takes things a bit futher.

Question regarding Access Denied replication error messages from Siites and Services:

When logged onto FranceDC01 as France Domain Admin and inside the FRANCE site--
if I force a replication from Child DC01 (UK) to Child DC01 (France), all is OK and working.
(pull replication FROM partners is sucessfull).

But...
When logged onto FranceDC01 as France Domain Admin and inside the SPANISH site--
if I force a replication from Child DC01 (Spain) to Child DC01 (France),  the following occurs:

"Replicate Now"  The following error ocurred during the attempt to synchronize naming context avisrac.net from Domain Controller GreeceDC01 to Domain Controller SpainDC01.
Replication access was denied.  This operation will not continue.

is this because the France Domain Admin can only pull into its own SITE, since no rights on other child domain SITE DCs.

And also, out of curiosity, is it possible to PUSH replication...each of the nodes in Sites and Services reads "FROM SERVER".
0
 

Author Comment

by:ActiveInfoSys
ID: 18889946
Does replmon PUSH replication and if so what are the commands, menus...I have been unable to locate these.
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 18890041
All AD replication is a pull operation, there is no push replication in AD such as you'll see in WINS replication. If you have two-way replication between DC1 and DC2, you have one pull connection from DC2 to DC1, and a 2nd pull connection from DC1 to DC2.  

Regarding that "Access is denied" error, it sounds like you're seeing the behaviour described in this KB: http://support.microsoft.com/kb/303305.  To be on the safe side, I would recommend running a dcdiag, netdiag and repadmin /replsum from all DCs in your environment to make sure that there are no lingering errors hanging around.

Hope this is helpful.

0

Featured Post

MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question