3 2003 DCs - Replication issue with one DC

Posted on 2007-07-31
Last Modified: 2008-05-31
Hi all!

I have been having a few problems with my servers and only now am able to address them.  My environment consists of 3 Windows 2003 Standard servers (SCSERVER1, SCSERVER2, SCSERVER3).  All three are a distance apart and all three are on their own subnets.  Server 1 and 2 are connected through a wireless bridge.  The internet connection for both is at the same location as server 1 (server 2 is quite remote).  Server 3 is connected through a VPN.  Server 3 does not carry any roles, as the VPN does go down sometimes.  All three are DCs and part of the same domain.

My problem seems to be with replication.  Replication seems to be fine between servers 1 & 2.  Server 3 will not replicate.  When I try to force replication through Sites and Services I get the error message: "The following error occurred during the attempt to synchronize naming context SENTREX.local from domain controller SCSERVER1 to domain controller SCSERVER3:  The target principal name is incorrect.  This operation will not continue."  

Physically I can connect to server 3 no problem.  I can ping with no problem.  I can also browse files on and from all servers no problem.  Every now and then my users get a Kerberos error in their event logs "KRB_AP_ERR_MODIFIED".  The servers all have warning events 13508 for replication in the FRS event log every day.

Any help to resolve these problems would be so greatly appreciated!

Below I will attach dcdiag for server 3 and then server 1:

C:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\SCSERVER3
      Starting test: Connectivity
         ......................... SCSERVER3 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\SCSERVER3
      Starting test: Replications
         [Replications Check,SCSERVER3] A recent replication attempt failed:
            From SCSERVER2 to SCSERVER3
            Naming Context: DC=ForestDnsZones,DC=SENTREX,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2007-07-31 11:57:16.
            The last success occurred at 2007-05-15 17:56:04.
            1849 failures have occurred since the last success.
         [SCSERVER2] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         [Replications Check,SCSERVER3] A recent replication attempt failed:
            From SCSERVER1 to SCSERVER3
            Naming Context: DC=ForestDnsZones,DC=SENTREX,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2007-07-31 11:57:17.
            The last success occurred at 2007-05-15 17:56:04.
            1849 failures have occurred since the last success.
         [SCSERVER1] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         [Replications Check,SCSERVER3] A recent replication attempt failed:
            From SCSERVER2 to SCSERVER3
            Naming Context: DC=DomainDnsZones,DC=SENTREX,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2007-07-31 11:57:16.
            The last success occurred at 2007-05-15 17:56:03.
            1849 failures have occurred since the last success.
         [Replications Check,SCSERVER3] A recent replication attempt failed:
            From SCSERVER1 to SCSERVER3
            Naming Context: DC=DomainDnsZones,DC=SENTREX,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2007-07-31 11:57:17.
            The last success occurred at 2007-05-15 17:56:04.
            1849 failures have occurred since the last success.
         [Replications Check,SCSERVER3] A recent replication attempt failed:
            From SCSERVER2 to SCSERVER3
            Naming Context: CN=Schema,CN=Configuration,DC=SENTREX,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2007-07-31 11:57:17.
            The last success occurred at 2007-05-15 17:56:03.
            1849 failures have occurred since the last success.
         [Replications Check,SCSERVER3] A recent replication attempt failed:
            From SCSERVER1 to SCSERVER3
            Naming Context: CN=Schema,CN=Configuration,DC=SENTREX,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2007-07-31 11:57:17.
            The last success occurred at 2007-05-15 17:56:03.
            1849 failures have occurred since the last success.
         [Replications Check,SCSERVER3] A recent replication attempt failed:
            From SCSERVER2 to SCSERVER3
            Naming Context: CN=Configuration,DC=SENTREX,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2007-07-31 11:57:16.
            The last success occurred at 2007-05-15 17:56:03.
            1849 failures have occurred since the last success.
         [Replications Check,SCSERVER3] A recent replication attempt failed:
            From SCSERVER1 to SCSERVER3
            Naming Context: CN=Configuration,DC=SENTREX,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2007-07-31 11:57:17.
            The last success occurred at 2007-05-15 17:56:03.
            1849 failures have occurred since the last success.
         [Replications Check,SCSERVER3] A recent replication attempt failed:
            From SCSERVER2 to SCSERVER3
            Naming Context: DC=SENTREX,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2007-07-31 11:57:16.
            The last success occurred at 2007-05-15 18:23:24.
            1849 failures have occurred since the last success.
         [Replications Check,SCSERVER3] A recent replication attempt failed:
            From SCSERVER1 to SCSERVER3
            Naming Context: DC=SENTREX,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2007-07-31 12:18:08.
            The last success occurred at 2007-05-15 18:23:50.
            1852 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         SCSERVER3:  Current time is 2007-07-31 12:20:15.
            DC=ForestDnsZones,DC=SENTREX,DC=local
               Last replication recieved from SCSERVER1 at 2007-05-15 17:56:04.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

               Last replication recieved from SCSERVER2 at 2007-05-15 17:56:04.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

            DC=DomainDnsZones,DC=SENTREX,DC=local
               Last replication recieved from SCSERVER1 at 2007-05-15 17:56:04.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

               Last replication recieved from SCSERVER2 at 2007-05-15 17:56:03.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

            CN=Schema,CN=Configuration,DC=SENTREX,DC=local
               Last replication recieved from SCSERVER1 at 2007-05-15 17:56:03.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

               Last replication recieved from SCSERVER2 at 2007-05-15 17:56:03.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

            CN=Configuration,DC=SENTREX,DC=local
               Last replication recieved from SCSERVER1 at 2007-05-15 17:56:03.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

               Last replication recieved from SCSERVER2 at 2007-05-15 17:56:03.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

            DC=SENTREX,DC=local
               Last replication recieved from SCSERVER1 at 2007-05-15 18:23:50.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

               Last replication recieved from SCSERVER2 at 2007-05-15 18:23:27.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

         ......................... SCSERVER3 passed test Replications
      Starting test: NCSecDesc
         ......................... SCSERVER3 passed test NCSecDesc
      Starting test: NetLogons
         ......................... SCSERVER3 passed test NetLogons
      Starting test: Advertising
         Warning: SCSERVER3 is not advertising as a time server.
         ......................... SCSERVER3 failed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: SCSERVER2 is the Schema Owner, but is not responding to DS RPC
 Bind.
         [SCSERVER2] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: SCSERVER2 is the Schema Owner, but is not responding to LDAP B
ind.
         Warning: SCSERVER2 is the Domain Owner, but is not responding to DS RPC
 Bind.
         Warning: SCSERVER2 is the Domain Owner, but is not responding to LDAP B
ind.
         Warning: SCSERVER2 is the PDC Owner, but is not responding to DS RPC Bi
nd.
         Warning: SCSERVER2 is the PDC Owner, but is not responding to LDAP Bind
.
         Warning: SCSERVER2 is the Rid Owner, but is not responding to DS RPC Bi
nd.
         Warning: SCSERVER2 is the Rid Owner, but is not responding to LDAP Bind
.
         Warning: SCSERVER2 is the Infrastructure Update Owner, but is not respo
nding to DS RPC Bind.
         Warning: SCSERVER2 is the Infrastructure Update Owner, but is not respo
nding to LDAP Bind.
         ......................... SCSERVER3 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SCSERVER3 failed test RidManager
      Starting test: MachineAccount
         ......................... SCSERVER3 passed test MachineAccount
      Starting test: Services
         ......................... SCSERVER3 passed test Services
      Starting test: ObjectsReplicated
         ......................... SCSERVER3 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SCSERVER3 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SCSERVER3 failed test frsevent
      Starting test: kccevent
         ......................... SCSERVER3 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 07/31/2007   11:30:38
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 07/31/2007   11:30:43
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 07/31/2007   11:30:44
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 07/31/2007   11:49:13
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 07/31/2007   11:57:16
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 07/31/2007   12:01:20
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 07/31/2007   12:20:15
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 07/31/2007   12:20:15
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 07/31/2007   12:20:17
            Event String: The kerberos client received a
         ......................... SCSERVER3 failed test systemlog
      Starting test: VerifyReferences
         ......................... SCSERVER3 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : SENTREX
      Starting test: CrossRefValidation
         ......................... SENTREX passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... SENTREX passed test CheckSDRefDom

   Running enterprise tests on : SENTREX.local
      Starting test: Intersite
         ......................... SENTREX.local passed test Intersite
      Starting test: FsmoCheck
         ......................... SENTREX.local passed test FsmoCheck

C:\>
---------------------------------------------------------------------------------------------------------------
AND FROM SERVER 1:
---------------------------------------------------------------------------------------------------------------


C:\>dcdiag

DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Default-First-Site\SCSERVER1
      Starting test: Connectivity
         ......................... SCSERVER1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\SCSERVER1
      Starting test: Replications
         ......................... SCSERVER1 passed test Replications
      Starting test: NCSecDesc
         ......................... SCSERVER1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... SCSERVER1 passed test NetLogons
      Starting test: Advertising
         ......................... SCSERVER1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SCSERVER1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SCSERVER1 passed test RidManager
      Starting test: MachineAccount
         ......................... SCSERVER1 passed test MachineAccount
      Starting test: Services
            RPCLOCATOR Service is stopped on [SCSERVER1]
            TrkWks Service is stopped on [SCSERVER1]
            TrkSvr Service is stopped on [SCSERVER1]
         ......................... SCSERVER1 failed test Services
      Starting test: ObjectsReplicated
         ......................... SCSERVER1 passed test ObjectsReplicated
      Starting test: frssysvol
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... SCSERVER1 passed test frssysvol
      Starting test: kccevent
         ......................... SCSERVER1 passed test kccevent
      Starting test: systemlog
         ......................... SCSERVER1 passed test systemlog

   Running enterprise tests on : SENTREX.local
      Starting test: Intersite
         ......................... SENTREX.local passed test Intersite
      Starting test: FsmoCheck
         ......................... SENTREX.local passed test FsmoCheck

C:\>
Question by:JP D

Accepted Solution

by:
ocon827679 earned 1500 total points
ID: 19602864
How is your DNS setup?  Are all DCs running AD integrated DNS?  Is server 3 pointed to server 1 for DNS?  Are there SRV records for server 3 in DNS?  Where are the FSMO roles located?  Ensure that the FSMO roles are not located on server 3.

It looks like server 3 hasn't replicated in the past 60 days which is what those tombstone errors are.

You may want to do a dcpromo /forceremoval on server 3, ensure that connectivity is good, then repromote it to a dc.  

Expert Comment

by:MikeKane
ID: 19603079
This exact error is covered in Microsoft's KB article 288167.  
http://support.microsoft.com/kb/288167

Go through the steps in the article and you should be ok.
 

Author Comment

by:JP D
ID: 19644956
Hi,

So it doesn't look as though the MS KB article helped any.  Now my users which are connected to server 2 (PDC) are getting Access Denied errors to server drives.  Right now when they restart their computers everything is fine.

As for the other questions asked:  All DCs are running AD integrated DNS.  Server 3 is pointed to Server 1 (I would point it to the PDC (server 2) but that would have it go through a VPN and then the bridge just to get to server 2....server 1 is just through the VPN).  I believe that the SRV records for server 3 are in DNS, everything appears to be there, but how do I confirm that everything is correct?  The FSMO roles are located on server 2.

Is there any way that I can check things before doing a forceremoval?  If I do a forceremoval, would I then still have to run a metadata cleanup?  I am also a little confused now how this would affect the users connected to server 2?

Expert Comment

by:ocon827679
ID: 19646081
Replmon will show you the replication errors that have been going on.  From the command line "repadmin /showreps /all" will show you inbound as well as outbound replication and connections.  If your replication has been unavailable to server 3 for 60 days you will have to do the dcpromo.  Try just dcpromo first; if it doesn't work then do the forceremoval option.  (Actually I believe that the forceremoval will try a normal first, then do the force if there is a failure.)  After the forceremoval you will have to do a metadata cleanup on one of the remaining DCs.  Then you can try the repromote, but you really need to ensure your connectivity first.  The metadata cleanup is a very simple procedure, just a lot of steps.
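The checks asked for in the accepted solution (tombstone age of the replication partners, and where the FSMO roles sit before anyone force-removes a DC) and the repadmin reporting suggested in the comment above, as an added PowerShell example that is not from the thread. It assumes a domain-joined host with the RSAT ActiveDirectory module and repadmin.exe, both present on current Windows Server builds rather than the 2003-era tooling the thread used.

```powershell
# Added example (not from the thread): flag replication partners whose last
# successful inbound replication is older than the forest tombstone lifetime,
# and list the FSMO role holders so a stale DC is not force-removed while it
# still owns a role. Assumes RSAT ActiveDirectory module + repadmin.exe.
Import-Module ActiveDirectory

# The tombstone lifetime lives on the Directory Service object in the
# configuration partition; when the attribute is unset, the forest uses the
# old 60-day default that dcdiag reported in the thread.
$rootDse = Get-ADRootDSE
$dsDn    = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObj   = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
$tsl     = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $tsl days"

# repadmin /showrepl /csv emits one row per (destination DC, naming context, source DC).
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

$status = foreach ($r in $rows) {
    # "Last Success Time" is a timestamp or the literal "(never)"; treat an
    # unparseable value as never replicated, which is worse than over-TSL.
    $last   = [datetime]::MinValue
    $parsed = [datetime]::TryParse($r.'Last Success Time', [ref]$last)
    $age    = if ($parsed) { (New-TimeSpan -Start $last -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        Destination   = $r.'Destination DSA'
        Source        = $r.'Source DSA'
        NamingContext = $r.'Naming Context'
        Failures      = [int]$r.'Number of Failures'
        LastStatus    = $r.'Last Failure Status'
        LastSuccess   = $r.'Last Success Time'
        DaysSince     = $age
        OverTSL       = ($null -eq $age) -or ($age -gt $tsl)
    }
}

# Partners over the tombstone lifetime cannot be repaired by forcing replication;
# as the thread concluded, that DC needs forceremoval, metadata cleanup and a repromote.
$status | Where-Object OverTSL | Sort-Object Destination, NamingContext |
    Format-Table Destination, Source, NamingContext, Failures, DaysSince, LastStatus -AutoSize

# FSMO holders: confirm none of them is the DC you are about to remove.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List
```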

Author Comment

by:JP D
ID: 19687435
Sorry for the delay....I was off for a few days.

You were right, I could not just use dcpromo, so I did a forceremoval.  Then a metadata cleanup.  Everything looked good at that point so I did the repromote which also went smoothly.  It has only been about 30 min or so since the dcpromo, but the DNS records don't seem to be reflecting the repromoted server.  Plus in Sites and Services there are no connections under the re-promoted server.

Is this right?  Or do I have to start manually updating the connections and DNS records?

Or am I too quick and should give it a short bit to replicate and populate?

Thx!

Expert Comment

by:ocon827679
ID: 19693717
I have no idea why DNS takes its time, but it does.  Sometimes you can force it by restarting the DNS Server service.  Sometimes it's a waiting game.

Author Comment

by:JP D
ID: 19719902
Hmmmm.....still not updated.  I think that something is wrong.  Sites and Services still shows the server, but no connections inside it.  The other two servers show that they are set to replicate from server 3.  DNS doesn't have a CNAME record for server 3 under _msdcs in the forward lookup.  Obviously I am getting errors and warnings in the file replication and dcdiag for that server.  I can connect to it, but only using the IP address.

Should I try demoting it again?

On the plus side, my users aren't getting the access denied errors any more...but we can't browse that server by the server name.  It's like it half registered in DNS.

Author Comment

by:JP D
ID: 19876491
Looks like I have everything fixed up.  For some reason dynamic updates were set to none on servers 1 and 2, server 3 was set to secure.  Once I set all to secure, everything went back to normal.
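The DNS side of the thread, as an added PowerShell example that is not from the thread: the SRV-record question in the accepted solution, the missing DSA GUID CNAME under _msdcs the author noticed, and the zone dynamic-update setting that turned out to be the root cause. It assumes a host with the RSAT ActiveDirectory and DnsServer modules (Windows Server 2012 or later tooling, not the 2003 consoles the thread used), and that the PDC emulator hosts DNS.

```powershell
# Added example (not from the thread): verify the DNS records a DC needs before
# partners can find it, then audit the zone setting that bit the author (dynamic
# updates set to None, so the repromoted DC could never register itself).
# Assumes RSAT ActiveDirectory + DnsServer modules and DNS on the PDC emulator.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain  = (Get-ADDomain).DNSRoot          # e.g. sentrex.local in the thread
$forest  = (Get-ADForest).RootDomain       # _msdcs zone hangs off the forest root
$dnsHost = (Get-ADDomain).PDCEmulator      # DNS server to query (server 2 in the thread)

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # 1. The generic DC locator SRV record must list this DC.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
               -Server $dnsHost -ErrorAction SilentlyContinue
    $inSrv = @($srv | Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -ieq $name }).Count -gt 0

    # 2. Replication partners resolve a DC by the DSA GUID CNAME under _msdcs:
    #    <objectGUID of the NTDS Settings object>._msdcs.<forest root>.
    #    This is the record the author found missing after the repromote.
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
    $cname = Resolve-DnsName -Name "$($dsaGuid)._msdcs.$($forest)" -Type CNAME `
                 -Server $dnsHost -ErrorAction SilentlyContinue
    $hasCname = @($cname | Where-Object { $_.Type -eq 'CNAME' -and $_.NameHost -ieq $name }).Count -gt 0

    [pscustomobject]@{ DC = $name; InDcSrv = $inSrv; DsaGuidCname = $hasCname; DsaGuid = $dsaGuid }
}

# 3. Dynamic update policy of every AD-integrated forward zone on every DC that
#    runs DNS. "None" refuses the DCs' own registrations; "Secure" is the fix
#    the author applied to servers 1 and 2.
$zones = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-DnsServerZone -ComputerName $dc.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone } |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } }, ZoneName, DynamicUpdate
}
$zones | Format-Table -AutoSize

# Remediation as applied in the thread: secure-only updates on every AD-integrated zone.
# Uncomment to apply; the setting is stored with the zone and replicates to the other DCs.
# $zones | Where-Object { $_.DynamicUpdate -ne 'Secure' } | ForEach-Object {
#     Set-DnsServerPrimaryZone -ComputerName $_.DC -Name $_.ZoneName -DynamicUpdate Secure
# }
```

After changing the zone policy, restarting the Netlogon service on the affected DC makes it re-register its records immediately instead of waiting for its periodic refresh.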