
Active Directory (W2K3) Replication and Time Sync Issues

Posted on 2007-04-10
Last Modified: 2009-12-16
Unable to contact or replicate Domains between root and child domains and all other child domains.

Topology:
ROOT DCS:
(UK)             EIXRODC01 and EIXRODC02
(UK DATACENTRE)  EFXRODC01

CHILD DOMAIN DCS:
(FRANCE)         EFRDC01 and EFRDC02
(UK DATACENTRE)  EIXFRDC01

Unable to contact or replicate Domains between root and child domains and all other child domains.  Complete replication failure for the last 3 days.

If I attempt to connect to the Child Domain via the AD Users and Computers utility, even though logged onto a Root DC as Enterprise Administrator, the following appears:  "Windows cannot connect to the new domain because: The clocks on the client and server machines are skewed."

If I attempt to log on to the Child Domain DCs, the following appears: "The current time on this computer and the current time on the network are different. For more information about Date/Time Properties, see Help and Support.  To log on, contact your system administrator."

If attempt to view Event Viewer on child domain, the following appears:  "Event Viewer, Access Denied."

Please help.
Question by:ActiveInfoSys

Author Comment

by:ActiveInfoSys
ID: 18881766
From Root DC, the following is happening...so not able to set time it looks like:

C:\>NET TIME /domain:fr.avisrac.net /SET /YES
System error 5 has occurred.
Access is denied.

Author Comment

by:ActiveInfoSys
ID: 18881814
Event ID:  1926
Category:  Knowledge Consistency
Source:  NTDS KCC
"The attempt to establish a replication link to a read-only directory partition with the following parameters failed."
Additional Data:  Error Value:  5 Access is Denied.

Expert Comment

by:LauraEHunterMVP
ID: 18881943
You are in a catch-22: you are receiving these errors because time synchronization is off, and you cannot resolve these errors remotely because...time synchronization is off.  (Yes, you will receive an "Access is denied" error trying to run "net time" remotely if you are already experiencing time sync issues.)

Follow these steps to configure an authoritative time source in the forest root domain: http://support.microsoft.com/kb/816042

Once you have done so, log onto a DC in each child domain, stop and restart the w32time service using this command:

"net stop w32time && net start w32time"

You should also ensure that there are no physical connectivity or name resolution issues between the domains, which may have caused this issue to start occurring 3 days ago.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
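
The clock skew behind the errors in this thread can be measured per DC before replication is retried. The PowerShell below is an added example, not part of the thread or of any poster's answer: it parses `w32tm /stripchart /dataonly` output and flags offsets beyond the 5-minute Kerberos default tolerance. The sample lines are constructed, and the function names Get-ClockOffset and Test-ClockSkew are hypothetical.

```powershell
# Added example. Flags DCs whose clock offset from this machine exceeds the
# Kerberos default tolerance of 5 minutes (assumed unchanged in domain policy).
$MaxSkewSeconds = 300

function Get-ClockOffset {
    param([string[]]$Lines)
    # /dataonly sample lines look like "10:15:02, +412.3301245s";
    # a failed sample looks like "10:15:02, error: 0x800705B4" and is skipped.
    $offsets = @(foreach ($line in $Lines) {
        if ($line -match '^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    })
    if ($offsets.Count -eq 0) { return $null }   # no usable sample at all
    # Keep the sample with the largest magnitude (worst case).
    $offsets | Sort-Object { [math]::Abs($_) } -Descending | Select-Object -First 1
}

function Test-ClockSkew {
    param([string]$Computer, [string[]]$Lines)
    $offset = Get-ClockOffset $Lines
    $status = if ($null -eq $offset) { 'NoSample' } elseif (
        [math]::Abs($offset) -gt $MaxSkewSeconds) { 'SkewExceeded' } else { 'OK' }
    [pscustomobject]@{ Computer = $Computer; OffsetSeconds = $offset; Status = $status }
}

# Constructed sample output; the DC names are taken from the post's topology.
$sample = [ordered]@{
    'EFRDC01'   = @('Collecting 3 samples.', '10:15:02, +412.3301245s', '10:15:04, +412.3298811s')
    'EFRDC02'   = @('Collecting 3 samples.', '10:15:08, -00.0417730s', '10:15:10, -00.0402216s')
    'EIXFRDC01' = @('Collecting 3 samples.', '10:15:14, error: 0x800705B4')
}

$results = foreach ($dc in $sample.Keys) {
    # Live use: replace $sample[$dc] with
    #   (w32tm /stripchart /computer:$dc /samples:3 /dataonly)
    Test-ClockSkew -Computer $dc -Lines $sample[$dc]
}
$results | Format-Table -AutoSize
```

Offsets are relative to the machine running the script, so run it from the DC configured as the authoritative time source; a NoSample result points at connectivity or name resolution rather than at the clock.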

Author Comment

by:ActiveInfoSys
ID: 18882329
If on a child DC and attempt to replicate to another child DC,  

"Replicate Now.  The following error occurred during the attempt to contact the domain controller, EIXIXDC01: Access is denied."

Expert Comment

by:LauraEHunterMVP
ID: 18882354
Have you corrected the timesync issue and confirmed physical connectivity and name resolution?  You will need to do so before any other operations like replication can take place.

Author Comment

by:ActiveInfoSys
ID: 18889865
Hi Laura - Wow, as soon as I saw your name, I knew you. Thanks for your help here and all your great helpful articles on the Internet.

Yes.
Timesync Issue corrected.

Using Dameware NT Utilities, and adding server to Favorites and then scheduling a Job in Task Scheduler to run w32tm command:  
/config [/computer:ComputerName] [ [/update] [/manualpeerlist:ListOfComputerNames] ] [/syncfromflags:ListOfFlags] :
/config /update /manualpeerlist:10.101.65.73 /syncfromflags:DOMHIER
So, full command:  w32tm /config /update /manualpeerlist:10.101.65.73 /syncfromflags:DOMHIER

And this worked a treat and successfully set 10.101.65.73 as the Time Source for the child domain DC. This IP is the primary DNS server for the IX domain so all is good.

I also added into all of France's Domain Controllers, DNS Suffixes, for all other child domains and of course the Root Domain. This solved the Name Resolution issues.

Monitoring the firewall, no packets were registered as dropped so no physical connectivity issues persisted.  And I am glad to say replication is successful from the Data Centre, Root Domain and now France.  Hooray!

I do have a related Question however, which takes things a bit further.

Question regarding Access Denied replication error messages from Sites and Services:

When logged onto FranceDC01 as France Domain Admin and inside the FRANCE site--
if I force a replication from Child DC01 (UK) to Child DC01 (France), all is OK and working.
(pull replication FROM partners is successful).

But...
When logged onto FranceDC01 as France Domain Admin and inside the SPANISH site--
if I force a replication from Child DC01 (Spain) to Child DC01 (France),  the following occurs:

"Replicate Now"  The following error occurred during the attempt to synchronize naming context avisrac.net from Domain Controller GreeceDC01 to Domain Controller SpainDC01.
Replication access was denied.  This operation will not continue.

Is this because the France Domain Admin can only pull into its own SITE, since it has no rights on other child domain SITE DCs?

And also, out of curiosity, is it possible to PUSH replication...each of the nodes in Sites and Services reads "FROM SERVER".

Author Comment

by:ActiveInfoSys
ID: 18889946
Does replmon PUSH replication and if so what are the commands, menus...I have been unable to locate these.

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 18890041
All AD replication is a pull operation, there is no push replication in AD such as you'll see in WINS replication. If you have two-way replication between DC1 and DC2, you have one pull connection from DC2 to DC1, and a 2nd pull connection from DC1 to DC2.  

Regarding that "Access is denied" error, it sounds like you're seeing the behaviour described in this KB: http://support.microsoft.com/kb/303305.  To be on the safe side, I would recommend running a dcdiag, netdiag and repadmin /replsum from all DCs in your environment to make sure that there are no lingering errors hanging around.

Hope this is helpful.
