AD Replication

Posted on 2008-06-10
Medium Priority
Last Modified: 2013-12-05
I have an exchange 2000 mail server which is also a DC for our domain. This is multi site domain. Replication to this mail server will not work due to 'access is denied errors' & ERROR_REPLICA_SYNC_FAILED_ACCESS IS DENIED. The event log on that server is full of NTDS KCC entries in the event logs. It has failed to replicate for over 90 days. Therefore (a) it is fixable and (b) do I want to replicate if it has been offline for that long, bearing in mind our AD activity is pretty minimal.

Question by:championit
  • 2
  • 2

Expert Comment

ID: 21752722
You have major problems due to the fact you have exchnage on a domain controller. If you demote the server from being a domain controller, exchnage will not function correctly at all.

It is a bit tricky, you will have to use the dcdiag tool and ntdsutil tools to troubleshoot why the connection problems are occouring. If you get the connection working again, your latest updated Active directory on another server can be replicated to overwrite this domain controller that is not working correctly.

Hope this helps

Author Comment

ID: 21753642
I thought Exchange had to be installed on a DC for some reason!! We have 5 DC's across our WAN all running Exchange. I take it this is not best practice and we need to get Exchange off their asap.
I am running some dcdiag tests at present and will upload the results in a file when complete.

If I move Exchange to another server then rebuild the DC will Exchange as an enterprise function given that one Exchange server will be running on a member sercer and the other 4 on DC's ?

Author Comment

ID: 21753684
dcdiag attached, not sure whether this test the connectivity as it's a very long time since I used this. Will try ntdsutil also

Accepted Solution

Karl12347 earned 2000 total points
ID: 21759152
First of all you should start the windows time service on your mail box.  Kerberos will fail if it cannot verify the time on your systems.
w32time Service is stopped on [MCR-MAIL-02]
Try running DCdiag with the /fixall command.

MCR-MAIL-02 failed test kccevent indicates that you are having problems with the Kerberos Consistecy checker on your domain controller.

Without sitting infront of your servers and having a look, It is very doubtfull that anyone on her could provide a full solution.

If you have any further questions please let me know.


Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

There are literally thousands of Exchange recovery applications out there. So how do you end up picking one that’s ideal for your business & purpose? By carefully scouting the product’s features, the benefits it offers you, & reading ample reviews f…
This applies to Dell but may also apply to other manufacturers as well. We ran across a few machines that just dropped recently it trust relationship with the server. After doing the basic removing and joining the domain again, it changed to No logo…
Watch the video to know how one can repair corrupt Exchange OST file effortlessly and convert OST emails to MS Outlook PST file format by using Kernel for OST to PST converter tool. It can convert OST to MSG, MBOX, EML to access them. It can migrate…
To export Lotus Notes to Outlook PST or Exchange and Domino Server files to Exchange Server or PST files with ease, go for Kernel for Lotus Notes to Outlook conversion tool. Through the video, you can watch the conversion process. A common user with…
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question