josh732

asked on

Active Directory user accounts are not replicating one way after an upgrade.

I was brought in to attempt to fix an issue that has appeared after a server upgrade. I wasn't involved in the initial setup, or the upgrade, so while I'll do my best to answer questions, there's a lot of information I don't have.

Before the upgrade, there were two domain controllers, STANTS2 and STANTS4, both running Windows 2000. STANTS2 was not upgraded or changed and is the PDC. STANTS4 is the Exchange server. (It was running Exchange 2003, despite being Windows 2000.) It is the one that was upgraded, or rather, replaced. The server was backed up, using Backup Exec 10d, demoted from being a DC, then shut down. A new Windows 2003 server was built and given the name STANTS4, along with the old IP address. Then, I don't know the exact order, but I hope it was in whatever order would be appropriate, Exchange was installed, it was promoted to a DC, and backups were restored for the users' home directories, Exchange, and maybe AD (or would that have just been brought back in from STANTS2?).

Old user accounts still work, and email for existing accounts works. The problem comes in when creating new accounts. Accounts that require email are created in AD on STANTS4, but those accounts never show up in AD on STANTS2, and the user cannot log in (to a workstation, or to the web-based interface for email). Accounts created on STANTS2 do show up on STANTS4, but don't have any Exchange attributes configured.

STANTS2's Directory Service event log has a lot of this:
Event ID: 1265

The attempt to establish a replication link with parameters
 
 Partition: CN=Schema,CN=Configuration,DC=stteresasacademy,DC=org
 Source DSA DN: CN=NTDS Settings,CN=STANTS4,CN=Servers,CN=StTeresas,CN=Sites,CN=Configuration,DC=stteresasacademy,DC=org
 Source DSA Address: c060ac79-f97a-48a8-a2ca-9538666f732e._msdcs.stteresasacademy.org
 Inter-site Transport (if any):
 
 failed with the following status:
 
 The DSA operation is unable to proceed because of a DNS lookup failure.
 
 The record data is the status code.  This operation will be retried.


And STANTS4's Directory Service event log has a lot of this:
Event ID: 1587

This domain controller has been restored or has been configured to host an application partition. As a result, its replication identity has changed. A partner has requested replication changes using our old identity. The starting sequence number has been adjusted.
 The destination domain controller corresponding to the following object GUID has requested changes starting at a USN that precedes the USN at which the local domain controller was restored from backup media.
 
Object GUID:
08cde4a7-9666-49f1-b4fe-871c4e21e9a9
USN at the time of restore:
0
 
As a result, the up-to-dateness vector of the destination domain controller has been configured with the following settings.
 
Previous database GUID:
6f043e89-6b02-496a-81d3-65d00f070a79
Previous object USN:
2397269
Previous property USN:
2397269
New database GUID:
d5b8f1c0-d985-436e-9afb-bd0c2f8408c4
New object USN:
0
New property USN:
0

And this:
Event ID: 1586

The Windows NT 4.0 or earlier replication checkpoint with the PDC emulator master was unsuccessful.
 
A full synchronization of the security accounts manager (SAM) database to domain controllers running Windows NT 4.0 and earlier might take place if the PDC emulator master role is transferred to the local domain controller before the next successful checkpoint.
 
The checkpoint process will be tried again in four hours.
 
Additional Data
Error value:
8452 The naming context is in the process of being removed or is not replicated from the specified server.

czcdct

I happen to know you're getting a Windows-sy reply from someone within the next minute or two, but on the Exchange side (she's asked me to chip in):

1) You can't (shouldn't) install Exchange and then do a DCPROMO so there may well be some problems.
2) You don't get any Exchange tabs or anything in ADU&C unless you install the Exchange System Manager onto the server. So, you will see the Exchange tabs on STANTS4 but unless you run the Exchange setup.exe on STANTS2 you won't get anything. That's normal and correct. You're confusing the schema a little. Tabs in ADU&C don't have anything to do with the schema.
ASKER CERTIFIED SOLUTION
LauraEHunterMVP

This solution is only available to members.
josh732

ASKER

Thanks. Unfortunately, I've been pulled off this project, to another client whose network is completely down. The guy who did the upgrade is going back in on Sunday to try to fix it, so I passed along the suggestions. I made sure to emphasize the suggestion of NOT making the Exchange server a DC. I've asked to be kept in the loop, so I'll be back to report what the solution ended up being.
josh732

ASKER

Ok, quick update. The upgrade was done in the order Laura said it needed to be done in. It seems the issue was DNS related, as indicated by the error message on STANTS2.
josh732

ASKER

The problem showed up after an upgrade. Laura's suggestion was based on the premise that the problem was due to the upgrade being done in the wrong order. However, the upgrade was done in the correct order (the same one Laura suggested). It turned out to be a DNS issue... Oh, wait, "you should also confirm that DNS is working correctly" I missed that. Sorry, yep, that's the solution.
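
Added example (not part of the original thread): Event ID 1265 on STANTS2 names the exact DNS record the replication link depends on, the partner's `<DSA GUID>._msdcs.<forest DNS name>` alias. The sketch below parses the event text quoted in the question and checks that the alias and the partner's host name both resolve to the same addresses. The function names, the pluggable `resolve` parameter and the assumption that the partner's FQDN is the server name plus the forest DNS name are illustrative.

```python
import re
import socket

# Text of Event ID 1265 as quoted from STANTS2's Directory Service log above.
EVENT_1265 = """\
The attempt to establish a replication link with parameters
 Partition: CN=Schema,CN=Configuration,DC=stteresasacademy,DC=org
 Source DSA DN: CN=NTDS Settings,CN=STANTS4,CN=Servers,CN=StTeresas,CN=Sites,CN=Configuration,DC=stteresasacademy,DC=org
 Source DSA Address: c060ac79-f97a-48a8-a2ca-9538666f732e._msdcs.stteresasacademy.org
 Inter-site Transport (if any):
 failed with the following status:
 The DSA operation is unable to proceed because of a DNS lookup failure.
"""

FIELD = re.compile(r"^[ \t]*(Partition|Source DSA DN|Source DSA Address):[ \t]*(\S.*?)[ \t]*$", re.M)
GUID_NAME = re.compile(r"^([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\._msdcs\.(.+)$", re.I)

def parse_event_1265(text):
    """Extract the partition, source server and GUID-based DNS name."""
    fields = dict(FIELD.findall(text))
    m = GUID_NAME.match(fields["Source DSA Address"])
    if not m:
        raise ValueError("Source DSA Address is not <GUID>._msdcs.<domain>")
    # The server name is the RDN that follows CN=NTDS Settings in the DSA DN.
    server = re.match(r"CN=NTDS Settings,CN=([^,]+),", fields["Source DSA DN"]).group(1)
    return {"partition": fields["Partition"], "server": server,
            "dsa_guid": m.group(1).lower(), "dsa_name": fields["Source DSA Address"],
            "dns_domain": m.group(2)}

def system_resolver(name):
    """Resolve through the local DNS client; return a sorted list of addresses."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def check_replication_dns(text, resolve=system_resolver):
    """Report whether the partner's GUID alias and host name both resolve."""
    ev = parse_event_1265(text)
    host = f"{ev['server']}.{ev['dns_domain']}"  # assumption: FQDN = server + forest DNS name
    alias_ips, host_ips = resolve(ev["dsa_name"]), resolve(host)
    if not alias_ips:
        verdict = "GUID alias does not resolve on this DNS client"
    elif alias_ips != host_ips:
        verdict = "GUID alias and host name disagree: stale record"
    else:
        verdict = "ok"
    return {**ev, "host": host, "alias_ips": alias_ips, "host_ips": host_ips, "verdict": verdict}
```

Run `check_replication_dns(EVENT_1265)` on the domain controller that logged the event (or on a machine using the same DNS servers), since the result depends on which DNS server answers the query.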