Unable to replicate Active Directory between two sites

Posted on 2008-10-06
Last Modified: 2013-12-05
I have a Windows 2000 Native Domain with 14 sites.  Each of my 13 remote sites is physically connected to my central site (Seattle) with a site-to-site VPN tunnel.  There is no tunnel between remote sites.  In Seattle, I have 2 DCs - both on Win2k.  We'll call them SeaDC1 and SeaDC2.  SeaDC1 is the PDC and Infrastructure Master. SeaDC2 is the Schema Master, Domain Naming Master, and RID Master.  Both are Global Catalog Servers.  Each remote site has a Win2003 DC - none of these are a GC Server.

In AD Sites and Services, I have one InterSite Transport Link set up for each remote site - each Transport Link contains two sites:  one of the remote sites and Seattle.  Unfortunately, I discovered today that for one of my remote sites (Aberdeen), the corresponding Transport Link didn't contain Seattle, but instead contained another remote site that Aberdeen does not have physical connectivity with.  Thus Aberdeen's DC (ABDSERVER) has been isolated for some time.  I believe it has been since 8/21.  When I discovered this, I saw that I was getting very frequent 1566, 1311, 1865, and 1925 error messages from NTDS KCC, as well as error message 4 from Kerberos, all on ABDSERVER.

I added the Seattle site to Aberdeen's Transport Link (and removed the other remote site), so the Transport Link now contains both Aberdeen and Seattle.  Then, in AD Sites and Services, I added a connection to SeaDC1 under Aberdeen-ABDSERVER-NTDS Settings.  I removed the connection to the other remote server.  All of the steps in this paragraph I performed on both ABDSERVER and SeaDC1.

Then I right-clicked on the new SeaDC1 connection I had created and chose Replicate Now.  I got the following error message: "The following error occurred during the attempt to synchronize naming context [domain name] from domain controller SeaDC1 to domain controller ABDSERVER: The naming context is in the process of being removed or is not replicated from the specified server.  This operation will not continue."

I tried restarting the net logon service and continue to get the same error message.  Also, when I look at the event logs for ABDSERVER, I see that I am still getting all error messages above as well as 13508 from NtFrs.  See below for content of error messages.  Please advise - I'd really appreciate it.  Thanks.

1.
Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1925
Date:            10/6/2008
Time:            2:27:42 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      ABDSERVER
Description:
The attempt to establish a replication link for the following writable directory partition failed.
 
Directory partition:
CN=Configuration,DC=nwjustice,DC=corp
Source domain controller:
CN=NTDS Settings,CN=SeaDC2,CN=Servers,CN=Seattle,CN=Sites,CN=Configuration,DC={domain name},DC=corp
Source domain controller address:
3daf82c8-07e9-4ff5-a725-fc3e7cc499c0._msdcs.{domain name}.corp
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC={domain name},DC=corp
 
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  
 
User Action
Verify if the source domain controller is accessible or network connectivity is available.
 
Additional Data
Error value:
2148074274 The target principal name is incorrect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


2.
Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1865
Date:            10/6/2008
Time:            2:27:39 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      ABDSERVER
Description:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
 
Sites:
CN=Olympia,CN=Sites,CN=Configuration,DC={domain name},DC=corp
CN=Yakima,CN=Sites,CN=Configuration,DC={domain name},DC=corp
CN=Colville,CN=Sites,CN=Configuration,DC={domain name},DC=corp
CN=Spokane,CN=Sites,CN=Configuration,DC={domain name},DC=corp
CN=Seattle,CN=Sites,CN=Configuration,DC={domain name},DC=corp
CN=Wenatchee,CN=Sites,CN=Configuration,DC={domain name},DC=corp
CN=Omak,CN=Sites,CN=Configuration,DC={domain name},DC=corp
CN=PortAngeles,CN=Sites,CN=Configuration,DC={domain name},DC=corp

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


3.
Event Type:      Error
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1311
Date:            10/6/2008
Time:            2:27:39 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      ABDSERVER
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
 
Directory partition:
CN=Configuration,DC={domain name},DC=corp
 
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
 
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
 
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


4.
Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1566
Date:            10/6/2008
Time:            2:27:39 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      ABDSERVER
Description:
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
 
Site:
CN=Seattle,CN=Sites,CN=Configuration,DC={domain name},DC=corp
Directory partition:
CN=Configuration,DC={domain name},DC=corp
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC={domain name},DC=corp

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


5.
Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13508
Date:            10/6/2008
Time:            11:02:34 AM
User:            N/A
Computer:      ABDSERVER
Description:
The File Replication Service is having trouble enabling replication from SeaDC1 to ABDSERVER for c:\windows\sysvol\domain using the DNS name SeaDC1.{domain name}.corp. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name SeaDC1.{domain name}.corp from this computer.
 [2] FRS is not running on SeaDC1.{domain name}.corp.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 21 07 00 00               !...    


6.
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            10/6/2008
Time:            2:12:35 PM
User:            N/A
Computer:      ABDSERVER
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server SeaDC1$.  The target name used was LDAP/29d040c8-9bfb-4266-9726-c62adcae6ae6._msdcs.{domain name}.corp. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm ({domain name}.CORP), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


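As an added example (not part of the original question), the following Python script parses an Event Viewer text export in the format pasted above, flags the NTDS KCC, NtFrs and Kerberos event IDs the question lists, and reports how long the DC has been isolated against the 60-day tombstone lifetime that the replies below raise (the 60-day default is an assumption for this Windows 2000 forest; the sample dump is constructed):

```python
import re
from datetime import date
# Event IDs quoted in the question, (source, id) -> what each tells the defender.
REPLICATION_EVENTS = {
    ("NTDS KCC", 1925): "could not establish a replication link to the partner",
    ("NTDS KCC", 1865): "KCC could not build a complete spanning-tree topology",
    ("NTDS KCC", 1311): "insufficient site connectivity information for the KCC",
    ("NTDS KCC", 1566): "no DC in the partner site reachable over the transport",
    ("NtFrs", 13508): "FRS cannot enable SYSVOL replication from the partner",
    ("Kerberos", 4): "KRB_AP_ERR_MODIFIED: partner rejects this DC's service ticket",
}

def parse_events(dump):
    """Parse an Event Viewer text export into one {field: value} dict per event."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", dump):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"^(Event Type|Event Source|Event ID|Computer):\s*(.+?)\s*$", line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        if "Event ID" in fields:  # skips the empty chunk before the first event
            events.append({**fields, "Event ID": int(fields["Event ID"])})
    return events

def triage(events):
    """Keep only replication/secure-channel events, tagged with why they matter."""
    hits = []
    for e in events:
        key = (e.get("Event Source"), e.get("Event ID"))
        if key in REPLICATION_EVENTS:
            hits.append((e.get("Computer"), key[0], key[1], REPLICATION_EVENTS[key]))
    return hits

def tombstone_status(last_success, today, lifetime_days=60):
    """Days since the last good replication (ISO dates); True if past the assumed 60-day tombstone lifetime."""
    age = (date.fromisoformat(today) - date.fromisoformat(last_success)).days
    return age, age > lifetime_days

# Sample dump constructed for this example, in the format quoted in the question.
SAMPLE_DUMP = """Event Type:      Warning
Event Source:      NTDS KCC
Event ID:      1925
Computer:      ABDSERVER
Event Type:      Error
Event Source:      Kerberos
Event ID:      4
Computer:      ABDSERVER
"""
```

A DC whose age exceeds the lifetime must not be allowed to replicate back in; it needs metadata cleanup and a fresh promotion instead.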
Question by: NWJustice
 
LVL 4

Assisted Solution

by:lscapa
lscapa earned 400 total points
ID: 22654840
Quick fix...
1. With less than 128 DCs there is no reason to manually setup replication links. AD will manage these just fine as you create sites.
2. dcpromo /force
http://support.microsoft.com/kb/332199
Since you still have other DCs this is the quickest fix for this issue.
3. dcpromo after AD is cleaned up. If you want to troubleshoot:
Download MPSreport, run on abdserver and seadc1 and 2, post.
quick fix is better 15-30 minutes...
 

Author Comment

by:NWJustice
ID: 22655053
Thanks for the quick response.

1. Are you saying that (a) I don't need to manually set up the Intersite Transport Links?  Or that (b) I don't need to manually set up the Server Connections in NTDS settings?  

If you mean (a): When I had all sites on one Intersite Transport Link, I was getting lots of replication errors between sites that had no physical connectivity, so I set up the Transport Links to mimic my physical connectivity.

If you mean (b): I only manually set up this connection because the last time I added a site (8/21), I inadvertently messed up the Intersite Transport Link containing Aberdeen and the server it should be replicating with (either SeaDC1 or SeaDC2) were not listed, so I thought it made sense to manually add them.

2. So your solution is to demote and then promote it again?  If I do that, will I need to be onsite to log back on to this server?  I ask because the link you point to says the following:  "Before you use either of the following workarounds, make sure that the you can successfully start in Directory Services Restore mode. Otherwise, you will not be able to log on after you forcefully demote the computer."

I have never started in Directory Services Restore mode, so I don't know what it looks like.  Is it something that I can do over remote desktop?  I suspect that I'll have to be onsite.

Thanks.
 
LVL 4

Assisted Solution

by:lscapa
lscapa earned 400 total points
ID: 22655120
1. AD SHOULD (and I say that loosely) automatically handle both the intersite transports and Server Connections. If this is across a VPN router then manual might be needed; I said that in a general term...

2. The article is in CASE dcpromo does not successfully demote this machine. If you still have DNS resolution etc. it should demote just fine. My experience is always better to be onsite or at least have a competent person available. DCPROMO should work though since it's only been 2 months, the server object hasn't tombstoned yet. If DCPROMO works then it will restart as a member server. If you're an admin you should be able to log back on.

Also do this on a weekend since all logons will be handled by a remote DC during the brief demote of the DC.
 
LVL 4

Expert Comment

by:placebo69a
ID: 22655165
If the server had not replicated in over 60 days it could have tombstoned.
Follow this article's instructions to revive the server without demoting and promoting the Aberdeen DC.
Let me know if this helps. :)
 

Author Comment

by:NWJustice
ID: 22655206
Is there a way I can definitively check the last replication date?  I believe it's 8/21, but not positive.

placebo69a:  Are you suggesting this solution only if it has tombstoned?  If not, would you say this is a better option than demoting and promoting the Aberdeen DC?  Advantages/disadvantages?

Thanks both of you.
 

Author Comment

by:NWJustice
ID: 22661369
lscapa:  Assuming the demote works successfully, how long should I wait before I promote?  Is there something I should check for, perhaps on one of my other DCs?
 

Accepted Solution

by: NWJustice
ID: 22664778
Ok, here is the full solution to my particular problem:

1.  Attempt to run DCPROMO on ABDSERVER to demote the server.  This failed with the following message: "The operation failed because: Managing the network session with SeaDC2.{domain name}.corp failed. 'Logon Failure: The target account name is incorrect.'"

2.  Use lscapa's suggestion to run dcpromo /forceremoval detailed in this article: http://support.microsoft.com/kb/332199

3.  Clean up data as recommended in this article: http://support.microsoft.com/kb/216498/

4.  On ABDSERVER, log in as a local admin (as the computer is no longer a member of the domain).  

5.  On ABDSERVER, stop the DNS Server service and set it to manual.  Also, in the properties of the NIC, remove itself from the list of preferred DNS servers.

6.  Join ABDSERVER to the domain. Run DCPROMO. Start the DNS Server service and set it to Automatic.

7.  Keep checking Event logs for error messages.  Run DCDIAG and NETDIAG to make sure all is well.  So far so good!

Thanks lscapa for pointing me in the right direction.