Solved

cannot replicate ad - windows 2003 to sbs domain

Posted on 2008-10-04
993 Views
Last Modified: 2012-06-22
Hi,

I have joined a Windows 2003 server to an SBS domain. The Windows 2003 server is running as a 2nd DC. The first time I did this the servers wouldn't replicate, so I removed the Windows 2003 as a DC manually and did a tidy-up on the SBS (ran metadata cleanup). I then re-promoted my 2003 server to the SBS domain, but after reboot it still wouldn't replicate. I have DNS running on both machines, but on my 2003 server the FLZ for the SBS do not appear (i.e. msdcs.companyname.local and companyname.local); the RLZ, however, do. Its network card (Windows 2003) is pointing to itself and has the SBS domain as its secondary, and I have allowed dynamic updates. When I try to force replication via the repadmin command this is the error I get.

C:\Program Files\Support Tools>repadmin /syncall /A /e /P
Syncing all NC's held on localhost.
Syncing partition: CN=Schema,CN=Configuration,DC=companyname,DC=local
CALLBACK MESSAGE: Error contacting server a8a2ce57-4191-4953-89ad-76cba0a1ab9f._
msdcs.companyname.local (network error): 1722 (0x6ba):
    Can't retrieve message string 1722 (0x6ba), error 1815.
CALLBACK MESSAGE: Error contacting server 7dfc4a9a-134c-42f1-b84b-7af24c56c420._
msdcs.ACRELEC.local (network error): 1722 (0x6ba):
    Can't retrieve message string 1722 (0x6ba), error 1815.

SyncAll exited with fatal Win32 error: 8440 (0x20f8):
    Can't retrieve message string 8440 (0x20f8), error 1815.



*additional info*
The Windows 2003 R2 server is communicating with the SBS over a hardware VPN tunnel.
Active Directory takes a long time to load.
Logging in takes ages!
Question by:Dan560
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 22645474
Please make sure your remote DC is configured as a Global Catalog server.  Then, follow the recommendations provided in this newsgroup post:  http://sbsurl.com/branchdns

Jeff
TechSoEasy
 
LVL 6

Expert Comment

by:Hardeep_Saluja
ID: 22674464
Hi Dan,

As the servers are communicating over a VPN tunnel, failing replication is very common in such networking cases.
1) Check the MTU size. To do this, from both servers:
Ping <destination_server_name> -f -l 1472

Make sure it pings, and if it does not... you've got the issue.
Create a registry key at HKLM/system/CCS/Control/Services/Tcpip/Parameters
Key name: MTU
Set value to 1

2) Force TCP over UDP by creating a "MaxPacketSize" key at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters with value 1
(MS KB 244474)

After you have set these things, if you would now like to re-promote the Win 2003 Standard server as a DC, make sure it is pointing to the SBS as primary DNS at that point. Also, make sure you are able to ping the SBS by hostname and IP. You should also be able to access shared resources of the SBS by name as well as IP.

If these conditions are met, 99.9+% there should be no further problems at all.

Please let me know
Thanks
Hardeep Saluja
 
LVL 6

Expert Comment

by:Hardeep_Saluja
ID: 22674487
Please note you need to create these registry keys on both sides.
 
LVL 2

Author Comment

by:Dan560
ID: 22676184
Not sure if this is the issue, because when it replicates the Standard server does not replicate all the forward lookup zones that are visible on the SBS:
both the msdcs zone and the domain.local zone do not replicate on the Windows 03 server (and I have allowed secure updates).
It only copies a basic forward lookup zone which I use to access our FQDN (mail.mycompany.com). I will check if it is a networking issue, thanks for your advice.
 
LVL 2

Author Comment

by:Dan560
ID: 22676381
Results of the ping.
Guess you were correct!

Pinging 10.13.1.10 with 1472 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.


Pinging 192.168.0.2 with 1472 bytes of data:
Reply from 10.13.1.1: Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
 
LVL 2

Author Comment

by:Dan560
ID: 22677847
I cannot seem to find HKLM/system/CCS/Control/Services/Tcpip/Parameters.

Is it under HKLM/system/CCS/services/Tcpip/Parameters?

Because I cannot seem to find it under Control.
 
LVL 6

Expert Comment

by:Hardeep_Saluja
ID: 22683366
Hi Dan,
I think I missed the correct path... it should be:
HKey_Local_Machine/System/CurrentControlSet/Services/Tcpip/Parameters
Create the following value on BOTH sides (KB 314825):
Value Name: EnablePMTUBHDetect
Data Type: REG_DWORD
Value: 1

Now, on both sides... force TCP over UDP by creating a "MaxPacketSize" key at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters with value 1
(MS KB 244474)

Also, on BOTH sides,
create MaxUserPort with a REG_DWORD value of 65534 at
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
(http://technet.microsoft.com/en-us/library/cc758002.aspx)

Remove the connectors:
repadmin /kcc
repadmin /syncall /A /e /P
repadmin /syncall /A /e /p
Hope this takes care of the issue.
 
LVL 6

Expert Comment

by:Hardeep_Saluja
ID: 22683369
Don't create MTU, as we are creating EnablePMTUBHDetect.
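The MTU probe and the registry values from the two comments above, as an added PowerShell example that is not part of this thread: Find-MaxUnfragmentedPayload binary-searches ping -f -l payload sizes to find the largest that crosses the tunnel without fragmentation, and Get-ReplicationTuning reports the three values Hardeep lists. Both function names are my own, and the target address is only the one quoted in the thread.

```powershell
# Added example (not from the thread). Find the largest ICMP payload that
# crosses the path with the DF bit set; path MTU = payload + 28 header bytes.
function Find-MaxUnfragmentedPayload {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int] $Low  = 548,    # if even this fails, it is not an MTU problem
        [int] $High = 1472    # payload for a 1500-byte Ethernet MTU
    )
    # $true only on a real reply. Note the router's answer in the thread,
    # "Reply from 10.13.1.1: Packet needs to be fragmented but DF set.",
    # also contains "Reply from", so both patterns must be checked.
    function Test-Size([int] $Bytes) {
        $out = & ping.exe -n 1 -w 2000 -f -l $Bytes $Target 2>&1 | Out-String
        return ($out -match 'Reply from' -and $out -notmatch 'needs to be fragmented')
    }
    if (-not (Test-Size $Low)) { return $null }   # no connectivity at all
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (Test-Size $mid) { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low
}

# Report the registry values named in the thread (KB 314825, KB 244474, MaxUserPort).
function Get-ReplicationTuning {
    $tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $kerberos = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $checks = @(
        @{ Path = $tcpip;    Name = 'EnablePMTUBHDetect'; Expected = 1 },     # black-hole router detection
        @{ Path = $kerberos; Name = 'MaxPacketSize';      Expected = 1 },     # Kerberos over TCP, not UDP
        @{ Path = $tcpip;    Name = 'MaxUserPort';        Expected = 65534 }  # ephemeral port range
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $val  = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{ Name = $c.Name; Current = $val; Expected = $c.Expected; Ok = ($val -eq $c.Expected) }
    }
}

$payload = Find-MaxUnfragmentedPayload -Target 10.13.1.10   # SBS address quoted in the thread
if ($null -eq $payload) { 'No reply even at 548 bytes; check connectivity before MTU.' }
else { "Largest unfragmented payload: $payload bytes (path MTU $($payload + 28))" }
Get-ReplicationTuning | Format-Table -AutoSize
```

Run it on both DCs, since the thread's advice applies to both sides of the tunnel; a result well below 1472 confirms the fragmentation the ping output showed.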

 
LVL 2

Author Comment

by:Dan560
ID: 22685548
Thanks,

but I still seem to be getting this response when I ping the sites.

From 10.13.1.10:

Reply from 10.13.1.1: Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

And for the 192.168.0.0
all I get is request time outs.

 
LVL 6

Expert Comment

by:Hardeep_Saluja
ID: 22691575
You will still get the same response to ping after setting up these registry entries, as packets are sent automatically based on whatever is getting received. It happens in the background.
Check your replication after following all the steps.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 22743234
How exactly did you join the Server 2003 R2 to the SBS domain?  Did you update the AD Schema on the SBS to be compliant with Server 2003 R2?

Jeff
TechSoEasy
 
LVL 2

Author Comment

by:Dan560
ID: 22743953
Ran adprep on the SBS.
Configured Sites and Services (names and subnets) on the SBS.
Configured an RLZ for the subnet of the remote R2 site on the SBS.
Checked "allow secure updates" on DNS so it would allow replication to the R2.

Ran a demotion on the R2 server, because this was running as a DC on the remote site.
I added the R2 server as a member server on the SBS,
then had the NIC pointing its DNS to the SBS.
Ran the dcpromo wizard.

 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 22744832
"Ran a demotion on the r2 server - because this was running as a DC on remote site"

So this was a DC on a separate DOMAIN?  I wouldn't ever add a server that was originally configured on a different domain (even if that domain had the same domain name).  Because you now have legacy stuff left over in the registry and DNS.  

Jeff
TechSoEasy
 
LVL 2

Author Comment

by:Dan560
ID: 22744882
Yeah, I know, not the smartest thing I've done, but it's hard to avoid downtime when re-installing an OS. I suppose that's what I was meant to do then?
I've noticed errors in my DNS event logs since I put it back to the way it was. Ah damn, if I was to re-install the OS on the R2 (Windows 2003) I should be OK to go?
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 22744946
Yep.  Sorry that it's not simpler than that.

Jeff
TechSoEasy
 
LVL 2

Author Comment

by:Dan560
ID: 22744968
No, it's fine, your advice is much appreciated.