How to change LDAP record /how to fix Active Directory Replication problem on Windows 2000 Server

Hi there,

Before you do anything like that you need to verify which is the right value. Or have you already done so?

If not, the GUID listed in DNS matches the objectGUID of the NTDS Settings folder under your server in the Configuration Naming Context.

This VbScript (save as .vbs) will tell you that GUID, you will have to correct the server name, site name and Domain Components below. Mine is included as an example.

Chris

NTDS_SETTINGS_FOR_SERVER = "CN=NTDS Settings,CN=SOL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=highorbit,DC=local"
 
 
Function FormatGUID(arrGUID)
	' Return Type: String
	'
	' Converts a GUID into a readable format, matches format used by MS.
 
	Dim strGUID, strTemp
	Dim i
 
	For i = LBound(arrGUID) To UBound(arrGUID)
		strTemp = strTemp & Hex(AscB(MidB(arrGUID, i + 1, 1)) \ 16) &_
			Hex(AscB(MidB(arrGUID, i + 1, 1)) Mod 16)
	Next
 
	' Reversed Pairs - Each of these blocks must have it's pairs reversed to match the format we expect
 
	i = 0
	strGUID = "{"
	Do Until i = 8  ' First Block - Last pair in the block to first pair in the block.
		strGUID = strGUID & Mid(strTemp, 7 - i, 1)
		strGUID = strGUID & Mid(strTemp, 8 - i, 1)
		i = i + 2
	Loop
	strGUID = strGUID & "-"
	Do Until i = 12  ' Second Block
		strGUID = strGUID & Mid(strTemp, 19 - i, 1)
		strGUID = strGUID & Mid(strTemp, 20 - i, 1)
		i = i + 2
	Loop
	strGUID = strGUID & "-"
	Do Until i = 16  ' Third Block
		strGUID = strGUID & Mid(strTemp, 27 - i, 1)
		strGUID = strGUID & Mid(strTemp, 28 - i, 1)
		i = i + 2
	Loop
	strGUID = strGUID & "-"
 
	' Normal Pairs
 
	For i = 17 to 20  ' Forth Block
		strGUID = strGUID & Mid(strTemp, i, 1)
	Next
	strGUID = strGUID & "-"
	For i = 21 to 32  ' Fifth Block
		strGUID = strGUID & Mid(strTemp, i, 1)
	Next
	strGUID = strGUID & "}"
	FormatGUID = strGUID
End Function
 
Set objNTDSSettings = GetObject("LDAP://" & NTDS_SETTINGS_FOR_SERVER)
WScript.Echo FormatGUID(objNTDSSettings.Get("objectGUID"))

Select allOpen in new window

If you get as far as finding which is correct and still need to change the registration, the first step should be to regenerate the files NetLogon uses to register those records.

Head to:

%SystemRoot%\System32\Config

You will see two files there, netlogon.dns and netlogon.dnb (as well as a lot of others). Rename both of those two files to (add onto the end) .old then restart the NetLogon Service, or restart the server.

Check the Event Log for NetLogon errors on service restart. Then check the records registered, or check the netlogon.dns file to see if it contains the correct value.

Chris

Hi Chris,

In your script, where is the parameter i need to change to my one before i run the script ?
thanks alot for your time

Hi Chris,

Rename and restart the Netlogon service will refresh the LDAP record for the server itself R-DC1
not for the DC1

What i need is to find a way to change the LDAP record for the DC1 which is current wrong on R-DC1 database,
and because R-DC1 has the wrong LDAP record for DC1, it cant talk to DC1  to do the replication.
so back to my original question, how do i change the LDAP record on R-DC1 ?
.

Hi Chris,


when i run dcdiag on R-DC1

C:\Support Tools>setspn -L DC1
Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=mydomain,DC=net,DC=au:
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/b2494b16-99e1-493b-b95f-f54acb3c86fe/mydomain.net.au

    LDAP/14e0463a-0489-47c2-b25a-245dc5da12a9._msdcs.mydomain.net.au -----> this is WRONG

i need to change it to :

LDAP/b2494b16-99e1-493b-b95f-f54acb3c86fe._msdcs.mydomain.net.au

WHERE does this information come from ? is it in the LDAP database?
if so, how can i go there and change it ?

Sorry, the parameter is at the top:

NTDS_SETTINGS_FOR_SERVER = "CN=NTDS Settings,CN=SOL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=highorbit,DC=local"

That needs changing to reflect the NTDS Settings folder for the server in question (the one you want to be changing the GUID for).

> Rename and restart the Netlogon service will refresh the LDAP record for the server
> itself R-DC1 not for the DC1

Re: Renaming netlogon.dns and netlogon.dnb

> Rename and restart the Netlogon service will refresh the LDAP record for the server
> itself R-DC1

This step needs performing on DC1 if DC1 is the system with incorrect entries. It's either that or the inter-site / site connector used by R-DC1 is incorrect.

> WHERE does this information come from ? is it in the LDAP database?

The DNS registration, GUID CNAME, comes from netlogon.dns / .dnb files. The GUID used maps to the NTDS Settings object in the Directory, a replication end-point in effect.

The SPN is created and added when the system is promoted to a Domain Controller and the NTDS Settings folder is first created.

You need to determine whether or not that GUID really is wrong before you change anything at all.

Chris

Hi
can we highlight or color the texts here ?  i see no option to do so.?!


if you look at this log output from R-DC1:
when i run dcdiag on R-DC1, i have this error:

[Replications Check,R-DC1] A recent replication attempt failed:
    From DC1 to R-DC1
    Naming Context: DC=mydomain,DC=net,DC=au
    The replication generated an error (8524):
    Win32 Error 8524
    The failure occurred at 2008-04-12 06:53.15.
    The last success occurred at 2008-03-31 21:49.07.
    576 failures have occurred since the last success.
    The guid-based DNS name 14e0463a-0489-47c2-b25a-245dc5da12a9._msdcs.mydomainnet.au is not registered on one or more DNS servers

just look at the last line :¨ The guid-based DNS name 14e0463a-0489-47c2-b25a-245dc5da12a9._msdcs.mydomainnet.au is not registered on one or more DNS servers¨
this is what i want to correct on R-DC1 not on DC1
basically what it means is that R-DC1 said it can not contact DC1 because it has a wrong guid for DC1.
all DC1, DC2, DC3 at the Head office have a correct guid for DC1, it is fine, but they cant repplicate back to R-DC1 to correct it.
that is the problem,
and i have to somehow change the ¨The guid-based DNS name 14e0463a-0489-47c2-b25a-245dc5da12a9._msdcs.mydomain.net.au ¨ to the correct one which is ¨b2494b16-99e1-493b-b95f-f54acb3c86fe._msdcs.mydomain.net.au¨
but i cant do it on R-DC1.
You still dont tell me how to change this one on R-DC1, do you?

Renaming netlogon.dns and netlogon.dnb and restart the Netlogon on R-DC1 will not help as it will only update DNS record for R-DC1 only and nothing else.

what we want is R-DC1 has to update its own active directory database to have a correct guid for DC1, but it cant do it by itself because it cant repplicate with  DC1 or DC2 or DC3 at all.
that is exactly what it said in this dcdiag output on R-DC1 :¨The guid-based DNS name 14e0463a-0489-47c2-b25a-245dc5da12a9._msdcs.mydomainnet.au is not registered on one or more DNS servers.¨

Thanks

Text highlightly? Afraid not, no. Would be nice :)

Apologies for any misunderstanding, but you're quoting changing DNS entries and such which are registered by the DC itself, never by remote DCs.

> that is why i wanted to change this 14e0463a-0489-47c2-b25a-245dc5da12a9._msdcs.mydomainnet.au
> to this correct one : b2494b16-99e1-493b-b95f-f54acb3c86fe._msdcs.mydomain.net.au

This is a DNS Registration, but really you're asking to change the query, not the registration?

If R-DC1 is having problems replicating it should, under no circumstances be using itself as a DNS Server. It can't be considered reliable.

Still, it would be good to check the DNS registration. Is the GUID record set correctly in DNS for DC1? I mean on all servers, not just R-DC1. If it is set correctly there you have a problem with the DC object on R-DC1 and it's associated connection endpoint, DC1\NTDS Settings (again listed in the Directory version on R-DC1).

If that is the case, we absolutely must, as a first step, determine what R-DC1 and the other DCs see the GUID to be. GUIDs are Read Only, so if R-DC1 has an incorrect entry for NTDS Settings you're fairly unlikely to be able to make replication work.

Is R-DC1 failing to replicate on all connectors? Or does it only have a connector to DC1?

Could you also run:

repadmin /showreps

And see what it thinks about the inbound and outbound replication on all connectors?

Chris

Hi Chris,

when i run netdiag on R-DC1, below is the Warning:

LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC 'DC1.mydomain.net.au'.

    [WARNING] Failed to query SPN registration on DC 'R-DC2.mydomain.net.au'.

    [WARNING] Failed to query SPN registration on DC 'R-DC3.mydomain.net.au'.

    [WARNING] Failed to query SPN registration on DC 'DC2.mydomain.net.au'.

what does that mean ? and how do i fix this ?


This is the output of repadmin /showreps on R-DC1:



C:\Support Tools>repadmin /showreps
Remote-Site\R-DC1
DSA Options : IS_GC
objectGuid  : 61cd6147-9a28-4e34-a11c-3a55cdef0d0b
invocationID: d8e33656-c5a0-48b9-be9c-fd98b1cf1292

==== INBOUND NEIGHBORS ======================================

CN=Schema,CN=Configuration,DC=my-domain,DC=net,DC=au
    Head-Office site\Subdomain-DC2 via RPC
        objectGuid: f55b9f1b-3095-40ea-8822-7ef43fc65688
        Last attempt @ 2008-04-13 16:53.25 failed, result 1326:
            Can't retrieve message string 1326 (0x52e), error 1815.
        Last success @ 2008-03-31 22:49.02.
        615 consecutive failure(s).
    Head-Office site\DC1 via RPC
        objectGuid: 14e0463a-0489-47c2-b25a-245dc5da12a9
        Last attempt @ 2008-04-13 16:53.25 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-03-31 21:49.07.
        644 consecutive failure(s).

CN=Configuration,DC=my-domain,DC=net,DC=au
    Head-Office site\Subdomain-DC2 via RPC
        objectGuid: f55b9f1b-3095-40ea-8822-7ef43fc65688
        Last attempt @ 2008-04-13 16:53.25 failed, result 1326:
            Can't retrieve message string 1326 (0x52e), error 1815.
        Last success @ 2008-03-31 22:49.01.
        615 consecutive failure(s).
    Head-Office site\SYD14 via RPC
        objectGuid: 14e0463a-0489-47c2-b25a-245dc5da12a9
        Last attempt @ 2008-04-13 16:53.25 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-03-31 21:49.07.
        644 consecutive failure(s).

DC=my-domain,DC=net,DC=au
    Head-Office site\DC1 via RPC
        objectGuid: 14e0463a-0489-47c2-b25a-245dc5da12a9
        Last attempt @ 2008-04-13 16:53.25 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-03-31 21:49.07.
        644 consecutive failure(s).

DC=sca02,DC=my-domain,DC=net,DC=au
    Head-Office site\Subdomain-DC2 via RPC
        objectGuid: f55b9f1b-3095-40ea-8822-7ef43fc65688
        Last attempt @ 2008-04-13 16:53.25 failed, result 1326:
            Can't retrieve message string 1326 (0x52e), error 1815.
        Last success @ 2008-03-31 22:49.03.
        615 consecutive failure(s).
    Head-Office site\DC1 via RPC
        objectGuid: 14e0463a-0489-47c2-b25a-245dc5da12a9
        Last attempt @ 2008-04-13 16:53.25 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-03-31 21:49.07.
        644 consecutive failure(s).

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

CN=Schema,CN=Configuration,DC=my-domain,DC=net,DC=au
    Head-Office site\DC1 via RPC
        objectGuid: 14e0463a-0489-47c2-b25a-245dc5da12a9
    Head-Office site\DC2 via RPC
        objectGuid: c766ed03-cbcf-43ad-8487-2a17921138f0

CN=Configuration,DC=my-domain,DC=net,DC=au
    Head-Office site\DC2 via RPC
        objectGuid: c766ed03-cbcf-43ad-8487-2a17921138f0

DC=my-domain,DC=net,DC=au
    Head-Office site\DC2 via RPC
        objectGuid: c766ed03-cbcf-43ad-8487-2a17921138f0


> Still, it would be good to check the DNS registration. Is the GUID record set correctly in DNS for DC1? I mean on all servers, not just R-DC1. If it is set correctly there you have a problem with the DC object on R-DC1 and it's associated connection endpoint, DC1\NTDS Settings (again listed in the Directory version on R-DC1).

Answer : the GUID record is set correctly for DC1 on all DCs in the head office and remote offices,

i think you are correct by saying this :"there you have a problem with the DC object on R-DC1 and it's associated connection endpoint, DC1\NTDS Settings (again listed in the Directory version on R-DC1)."

so how do i fix this ? i know that R-DC1 has a wrong DNS record for DC1 , that is why you see this error when running

dcdiag on R-DC1, here it is again:

[Replications Check,R-DC1] A recent replication attempt failed:
    From DC1 to R-DC1
    Naming Context: DC=mydomain,DC=net,DC=au
    The replication generated an error (8524):
    Win32 Error 8524
    The failure occurred at 2008-04-12 06:53.15.
    The last success occurred at 2008-03-31 21:49.07.
    576 failures have occurred since the last success.
    The guid-based DNS name 14e0463a-0489-47c2-b25a-245dc5da12a9._msdcs.mydomainnet.au is not registered on one or more DNS servers


i say this one again :

this :"14e0463a-0489-47c2-b25a-245dc5da12a9._msdcs.mydomainnet.au is not registered on one or more DNS servers"

is the wrong DNS record for DC1 saved on R-DC1, and that is how R-DC1 see DC1 at the moment, that is the reason why R-DC1 cant repplicate with DC1.
to corect this, i went to DNS server on R-DC1 and manually add an Alias CNAME for DC1 as follow :

"b2494b16-99e1-493b-b95f-f54acb3c86fe._msdcs.mydomain.net.au"

but it doesnt help.

thanks Chris.