How to change an incorrect dsa_Guid on a replication DC

I recently replaced the PDC in a 2 server network.  I did this by replicating the AD from the old server to a temporary server and then in turn replicating this to the new server.  Once I put the new server in place the 2nd server in the group (Engineerserv) lost the ability to replicate AD from it (the new server).  I have narrowed the problem down to DNS.  When I open the NTDS Settings properties under AD Sites and Services on the Engineerserv the DNS Alias is showing the wrong GUID.  How can I change or replace this incorrect information?
computerconceptsAsked:
 
Chris Hudson Cloud Security Architect Commented:
Now we have to find out who is sending "0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.NEWWAY"

There are 2 ways to find this guy:
1) Netmon trace
2) DNS debug log
If you are seeing "0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.NEWWAY" within a very few minutes after deleting the alias from DNS, Netmon will be the right one. I am using Wireshark to capture the packet. Follow these steps to find the culprit through Wireshark:

-Start capturing the packets on your DNS server
-Delete the 0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.NEWWAY record from DNS
-Keep refreshing the DNS console
-As soon as you see the 0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.NEWWAY id in DNS, stop the trace
-Filter the trace for DNS and you will see the same packet as follows

No.     Time        Source                Destination           Protocol Info
    536 51.336350   192.168.2.1           192.168.1.1           DNS      Dynamic update SOA _msdcs.Mydomain.com

Frame 536 (318 bytes on wire, 318 bytes captured)
Ethernet II, Src: Microsof_4c:ec:4d (00:15:5d:4c:ec:4d), Dst: Microsof_4c:ec:45 (00:15:5d:4c:ec:45)
Internet Protocol, Src: 192.168.2.1 (192.168.2.1), Dst: 192.168.1.1 (192.168.1.1)
User Datagram Protocol, Src Port: 63569 (63569), Dst Port: domain (53)
Domain Name System (query)
    [Response In: 538]
    Transaction ID: 0xf804
    Flags: 0x2800 (Dynamic update)
       
    Prerequisites: 0
    Updates: 2
    Additional RRs: 1
    Zone
    Updates
        15c9bbb6-9fc1-4e54-b827-e307a88f47e6._msdcs.Mydomain.com: type CNAME, class ANY
            Name: 15c9bbb6-9fc1-4e54-b827-e307a88f47e6._msdcs.Mydomain.com
            Type: CNAME (Canonical name for an alias)
            Class: ANY (0x00ff)
            Time to live: 0 time
            Data length: 0
        15c9bbb6-9fc1-4e54-b827-e307a88f47e6._msdcs.Mydomain.com: type CNAME, class IN, cname Mydomain-BLR-DC2.Mydomain.com
            Name: 15c9bbb6-9fc1-4e54-b827-e307a88f47e6._msdcs.Mydomain.com
            Type: CNAME (Canonical name for an alias)
            Class: IN (0x0001)
            Time to live: 10 minutes
            Data length: 29
            Primary name: Mydomain-BLR-DC2.Mydomain.com
 
The above trace will give the source machine ID.
In the trace, 15c9bbb6-9fc1-4e54-b827-e307a88f47e6._msdcs.Mydomain.com is the GUID for the server
Mydomain-BLR-DC2.Mydomain.com and the IP of the source machine is 192.168.2.1
Second method
---------------------
If you are uncertain about the update, enable DNS debugging and you will see the below output with the CNAME and IP
20090310 10:48:42 8D4 PACKET  UDP Rcv 192.168.2.1     170c   Q [0001   D   NOERROR] (36)15c9bbb6-9fc1-4e54-b827-e307a88f47e6(6)_msdcs(7)Mydomain(3)com(0)

Here 15c9bbb6-9fc1-4e54-b827-e307a88f47e6(6)_msdcs(7)Mydomain(3)com(0) is the GUID and 192.168.2.1 is the IP of the server that sent the update

...................................................................................
0
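The second method above reads the DNS server debug log by eye. As an added example (not the poster's script, and not part of the original thread), the PowerShell below parses debug-log packet lines of the format quoted above, decodes the "(36)guid(6)_msdcs(7)Mydomain(3)com(0)" label notation, and reports which peer IP sent each query or dynamic update for a <DSA-GUID>._msdcs.<forest> alias. The first sample line is the one from the post; the other two are constructed for illustration (a "U" dynamic-update line and an unrelated query the filter must skip).

```powershell
# Added example: summarise DSA-GUID alias traffic from Windows DNS debug-log lines.
# Not from the thread; the sample lines marked "constructed" are invented for this demo.

function ConvertFrom-DnsDebugLabel {
    # "(36)guid(6)_msdcs(7)Mydomain(3)com(0)" -> "guid._msdcs.Mydomain.com"
    param([Parameter(Mandatory)][string]$Label)
    return ($Label -replace '\(\d+\)', '.').Trim('.')
}

function Get-DnsDebugGuidRecords {
    # Returns one object per line that names a DSA-GUID alias under _msdcs, with the
    # peer IP, direction (Rcv/Snd) and opcode (Q = query, U = update, N = notify).
    param([Parameter(Mandatory)][string[]]$Lines)

    $linePattern = '^(?<date>\d{8}) (?<time>\d{2}:\d{2}:\d{2}) \S+ PACKET\s+' +
                   '(?<proto>UDP|TCP) (?<dir>Rcv|Snd) (?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+' +
                   '\S+\s+(?<op>[QUN?])\s+\[[^\]]*\]\s+(?<label>\(\d+\)\S+)'
    $guidPattern = '^(?<guid>[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})\._msdcs\.(?<forest>.+)$'

    foreach ($line in $Lines) {
        if (-not ($line -match $linePattern)) { continue }   # not a packet line
        $m = $Matches                                        # keep before the next -match
        $name = ConvertFrom-DnsDebugLabel $m.label
        if (-not ($name -match $guidPattern)) { continue }   # not a DSA-GUID alias
        [pscustomobject]@{
            Timestamp = '{0} {1}' -f $m.date, $m.time
            PeerIP    = $m.ip
            Direction = $m.dir
            Opcode    = $m.op
            DsaGuid   = $Matches.guid
            Forest    = $Matches.forest
        }
    }
}

$sampleLines = @(
    # Line quoted from the debug-log excerpt in the post above
    '20090310 10:48:42 8D4 PACKET  UDP Rcv 192.168.2.1     170c   Q [0001   D   NOERROR] (36)15c9bbb6-9fc1-4e54-b827-e307a88f47e6(6)_msdcs(7)Mydomain(3)com(0)',
    # Constructed: a dynamic update (opcode U) for the same alias from a second host
    '20090310 10:49:01 8D4 PACKET  UDP Rcv 192.168.2.20    171d   U [0028   D   NOERROR] (36)15c9bbb6-9fc1-4e54-b827-e307a88f47e6(6)_msdcs(7)Mydomain(3)com(0)',
    # Constructed: an unrelated query that must not be reported
    '20090310 10:49:05 8D4 PACKET  UDP Rcv 192.168.2.30    172e   Q [0001   D   NOERROR] (8)Mydomain(3)com(0)'
)

# One row per GUID-alias packet; the PeerIP column is the host to investigate.
Get-DnsDebugGuidRecords -Lines $sampleLines | Format-Table -AutoSize
```

Point it at a real log with `Get-Content C:\path\to\dns.log | Get-DnsDebugGuidRecords` after enabling debug logging in DNS Manager (server properties, Debug Logging tab) with packet contents included; the "U" opcode rows are the dynamic updates that re-create a deleted alias, and their PeerIP is the machine whose Netlogon registration needs to be examined.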
 
Chris DentPowerShell DeveloperCommented:

How do you know it's the wrong GUID? Kind of need to know how you arrived at that conclusion to be able to help.

Chris
0
 
Chris HudsonCloud Security ArchitectCommented:
1) Delete the DC GUID from DNS
2) Make sure that the DC points to the correct DNS
3) Restart Netlogon
           When you restart Netlogon, it will register all SRV records and the GUID
0
 
Chris HudsonCloud Security ArchitectCommented:
small correction...all missing SRV records and the GUID :)
0
 
computerconceptsAuthor Commented:
Chris-Dent -
On the PDC emulator that holds all of the roles, I checked the GUID ID there and it is 0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.domainname.local for itself. When I check the entry on the Engineerserv it is showing the PDC GUID as b720044f-abc6-4355-8499-f8fcab1814ea._msdcs.newway.local

Now, could the b720044f-abc6-4355-8499-f8fcab1814ea be what the network is looking for and the Off8a... is the wrong one?  The reason I ask this is because I just logged in to the Engineerserv and it is now reporting the same GUID as the PDC (Off8a...) instead of the supposed wrong one of b7200...but now I have all kinds of Event ID 1030 and 1058 in the Application Event Log of the Engineerserv!  Every 5 min it reports a 1030 and 1058.
0
 
computerconceptsAuthor Commented:
chrishudson123 -
Do you mean I change the GUID from the PDC or from the Engineerserv?
0
 
Chris HudsonCloud Security ArchitectCommented:
Don't change anything now. The DC GUID is mainly used for replication. Check whether the replication is fine or not. If the replication is working fine, your GUID issue is fixed.

Now about the 1030 and 1058 events: these are Userenv errors; there is no relation to the DC GUID.
Refer to http://support.microsoft.com/kb/834649 for the 1030 and 1058 errors.
Let me know the status ASAP...I can give you further troubleshooting tips based on your env.
0
 
Chris DentPowerShell DeveloperCommented:

The GUID value is set based on the GUID of the NTDS Settings folder you see in AD Sites and Services. It gets populated from %SystemRoot%\System32\Config\netlogon.dns. The value should not be changed within that file.

The output from DCDiag and NetDiag would be useful to further isolate the cause of your troubles.

Chris
0
 
computerconceptsAuthor Commented:
Chris and Chris,

Thanks for the help so far guys...I really appreciate it.

Info from the Eventvwr:

------->> Under the File Replication Service I am getting one of these every day:

Event ID 13508
The File Replication Service is having trouble enabling replication from NEWSERV to ENGINEERSERV for c:\windows\sysvol\domain using the DNS name newserv.NEWWAY.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name newserv.NEWWAY.local from this computer.
 [2] FRS is not running on newserv.NEWWAY.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at
*************************************************
-------->> Also getting Directory Service Event ID 1864:
This is the replication status for the following directory partition on the local domain controller.
 
Directory partition:
DC=ForestDnsZones,DC=NEWWAY,DC=local
 
The local domain controller has not recently received replication information from a number of domain controllers.   The count of domain controllers is shown, divided into the following intervals.
 
More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180
 Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 
To identify the domain controllers by name, install the support tools included on the installation  CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest.   The command is "repadmin /showvector /latency <partition-dn>".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
******************************************
-------->> Also getting Event ID 2093

The remote server which is the owner of a FSMO role is not responding.  This server has not replicated with the FSMO role owner recently.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: CN=Schema,CN=Configuration,DC=NEWWAY,DC=local
FSMO Server DN: CN=NTDS Settings,CN=NEWSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NEWWAY,DC=local
Latency threshold (hours): 24
Elapsed time since last successful replication (hours): 252
 
User Action:
 
This server has not replicated successfully with the FSMO role holder server.
1. The FSMO role holder server may be down or not responding. Please address the problem with this server.
2. Determine whether the role is set properly on the FSMO role holder server. If the role needs to be adjusted, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
3. If the FSMO role holder server used to be a domain controller, but was not demoted successfully, then the objects representing that server are still in the forest. This can occur if a domain controller has its operating system reinstalled or if a forced removal is performed.  These lingering state objects should be removed using the NTDSUTIL.EXE metadata cleanup function.
4. The FSMO role holder may not be a direct replication partner. If it is an indirect or transitive partner, then there are one or more intermediate replication partners through which replication data must flow. The total end to end replication latency should be smaller than the replication latency threshold, or else this warning may be reported prematurely.
5. Replication is blocked somewhere along the path of servers between the FSMO role holder server and this server.  Consult your forest topology plan to determine the likely route for replication between these servers. Check the status of replication using repadmin /showrepl at each of these servers.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
****************************************
--------->> From System Eventvwr i am getting Event ID 4:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/newserv.newway.local.  The target name used was NEWWAY\NEWSERV$. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (NEWWAY.LOCAL), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
************************************
------->> This is what I WAS getting from the Directory Service Eventvwr log when I originally posted this question:  EVENT ID 1645:

Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
 
Destination domain controller:
b720044f-abc6-4355-8499-f8fcab1814ea._msdcs.NEWWAY.local
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/b720044f-abc6-4355-8499-f8fcab1814ea/NEWWAY.local@NEWWAY.local
 
User Action
Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controllers computer account data to replicate to the KDC before this computer can be authenticated.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I will post the dcdiag and netdiag logs here in just a bit.
0
 
computerconceptsAuthor Commented:
I am going to attach the dcdiag and netdiag files to this message so the thread doesn't get ridiculously long.
1st one is from the PDC
2nd one is from the DC
DCDIAG-and-NETDIAG-from-PDC.txt
DCDIAG-and-NETDIAG-from-DC.txt
0
 
Chris HudsonCloud Security ArchitectCommented:
Checked the DCdiag.
NEWSERV works fine; I hope the sysvol is shared on this server.
ENGINEERSERV shows AD replication failure with error "The RPC server is unavailable".
It looks like a DNS issue (if DNS is right we have to check RPC traffic).

Follow the given steps:
1) Point both ENGINEERSERV and NEWSERV to NEWSERV as DNS server (no changes needed since they are pointing to NEWSERV now)
2) Delete both of the GUIDs from the DNS console (under _msdcs.<domainName>)
3) Restart the Netlogon service on both DCs
4) Open AD Sites and Services and delete the connection objects under Sites > Default-First-Site-Name > Servers > ENGINEERSERV > NTDS Settings
5) Wait till it recreates the new connection objects; if it doesn't create them, right click NTDS Settings > All Tasks > Check Replication Topology

6) Give it 5-10 minutes and check replication

Let me know the repadmin /showreps output after following all these steps.

Your AD replication is broken. Let's fix AD replication first.
0
 
computerconceptsAuthor Commented:
You want I should delete the GUIDs from the DNS console on the Engineerserv? or the Newserv?  and by both GUIDs you mean the GUID for both the Engineerserv and Newserv?  Do I leave the NS records?

Step 4 - Is that on the Engineerserv or Newserv?
0
 
Chris HudsonCloud Security ArchitectCommented:
No need to touch Engineerserv as the DCs are pointing to Newserv as DNS.
Delete both the GUIDs from the Newserv DNS Mgmt console.
After step 3 check whether replication is fine or not.
If the replication is still failing, then follow step 4 on EngineerSrv.
0
 
computerconceptsAuthor Commented:
Didn't work.  I have some of the same eventlog errors.  Here are the results from the repadmin command

Default-First-Site-Name\ENGINEERSERV
DC Options: (none)
Site Options: (none)
DC object GUID: f916f0ee-0d67-4dba-8ddf-34100dd89a5a
DC invocationID: a734b6dd-61f1-41ca-8daf-dee1efa65c85


Source: Default-First-Site-Name\newserv
******* 1 CONSECUTIVE FAILURES since 2009-02-23 11:08:52
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.

Naming Context: DC=ForestDnsZones,DC=NEWWAY,DC=local
Source: Default-First-Site-Name\newserv
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=NEWWAY,DC=local
Source: Default-First-Site-Name\newserv
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=DomainDnsZones,DC=NEWWAY,DC=local
Source: Default-First-Site-Name\newserv
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=NEWWAY,DC=local
Source: Default-First-Site-Name\newserv
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=NEWWAY,DC=local
Source: Default-First-Site-Name\newserv
******* WARNING: KCC could not add this REPLICA LINK due to error.
0
 
Chris HudsonCloud Security ArchitectCommented:
"The target principal name is incorrect" is due to a broken secure channel.

Go ahead and reset the secure channel from "ENGINEERSERV" by executing the following command:
netdom resetpwd /server:<Name of PDC>  /userd:domain_name\administrator /passwordd:administrator_password
0
 
computerconceptsAuthor Commented:
I tried this and still no joy.  I am thinking it is a deeper issue with DNS.  I have users reporting login issues and trouble connecting to mapped drives using the server name, but if I switch the mapped drives to the IP address of the server then it works.  I am losing patience with this server.  I am starting to think DNS was messed up during the transfer somehow.  Reloading is not an option so I am going to have to troubleshoot DNS till I can find the answer.  If you are interested in helping me troubleshoot DNS I would appreciate it...if not, I understand :)

Thanks for your help thus far.
0
 
Chris HudsonCloud Security ArchitectCommented:
DNS troubleshooting
1) Test whether your client/DC can resolve SRV records properly
======================================================
Go to the command prompt of your client or problem DC and type the following commands:
nslookup
>set q=srv
>_ldap._tcp.Newway.local
>_kerberos._tcp.Newway.local
>_gc._tcp.Newway.local

If the above commands are showing all your DCs' IPs and names properly, then DNS is fine.
For replication purposes, get the GUID from the DNS console and try to ping GUID._msdcs.Newway.local

Let me know the results

0
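The nslookup and ping steps above are easy to script so they can be repeated after each change. The PowerShell below is an added example written for this thread, not the posters' own script: it reads each DC's DSA GUID from AD (the objectGUID of its NTDS Settings object, the value shown in AD Sites and Services), checks that <guid>._msdcs.<forest> resolves as a CNAME to that DC, checks that the DC is a target of the _ldap, _kerberos and _gc SRV records, and lists GUID aliases left in the _msdcs zone that belong to no current DC (which is how a stale second CNAME would show up). It assumes the ActiveDirectory, DnsClient and DnsServer modules (RSAT) are available, a single-domain forest as in this thread, and that _msdcs.<forest> is its own zone, as it is on forests created on Windows Server 2003 or later.

```powershell
# Added example for this thread (not from the original posts). Cross-checks each
# DC's DSA GUID against DNS and verifies the SRV records the nslookup steps query.
Import-Module ActiveDirectory

function Get-ForestDcDsaGuids {
    # The DSA GUID of a DC is the objectGUID of its NTDS Settings object.
    # Get-ADDomainController -Filter * covers the current domain (single-domain forest here).
    foreach ($dc in Get-ADDomainController -Filter *) {
        [pscustomobject]@{
            HostName = $dc.HostName
            DsaGuid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID.ToString()
        }
    }
}

function Test-DcDnsRegistration {
    # Per DC: does <guid>._msdcs.<forest> exist and point at this DC, and is the DC
    # a target of the _ldap, _kerberos and _gc SRV records?
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [string]$Forest = (Get-ADForest).RootDomain,
        [string]$DnsServer                          # empty = the client's configured DNS
    )
    $resolve = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $resolve['Server'] = $DnsServer }

    # Collect the SRV targets once; every DC should appear under each name.
    $srvTargets = @{}
    foreach ($name in "_ldap._tcp.$Domain", "_kerberos._tcp.$Domain", "_gc._tcp.$Forest") {
        $srvTargets[$name] = @(Resolve-DnsName -Name $name -Type SRV @resolve |
                               Where-Object Type -eq 'SRV' | ForEach-Object NameTarget)
    }

    foreach ($dc in Get-ForestDcDsaGuids) {
        $alias   = "$($dc.DsaGuid)._msdcs.$Forest"
        $cname   = Resolve-DnsName -Name $alias -Type CNAME @resolve |
                   Where-Object Type -eq 'CNAME' | Select-Object -First 1
        $missing = $srvTargets.Keys | Where-Object { $srvTargets[$_] -notcontains $dc.HostName }
        [pscustomobject]@{
            DC            = $dc.HostName
            DsaGuid       = $dc.DsaGuid
            AliasResolves = [bool]$cname
            AliasTarget   = $cname.NameHost
            AliasCorrect  = ($cname.NameHost -eq $dc.HostName)
            MissingSrv    = ($missing -join ', ')
        }
    }
}

function Get-StaleDsaAliases {
    # CNAME records in the _msdcs zone whose GUID belongs to no current DC:
    # leftovers from a removed or re-promoted DC that Netlogon will not clean up.
    param(
        [string]$Forest = (Get-ADForest).RootDomain,
        [string]$DnsServer = 'localhost'            # the DNS server hosting the zone
    )
    $live = @(Get-ForestDcDsaGuids | ForEach-Object DsaGuid)
    Get-DnsServerResourceRecord -ZoneName "_msdcs.$Forest" -RRType CName -ComputerName $DnsServer |
        Where-Object { $_.HostName -match '^[0-9a-f-]{36}$' -and $live -notcontains $_.HostName } |
        Select-Object HostName, @{ n = 'Target'; e = { $_.RecordData.HostNameAlias } }
}

# Usage, for example on the DC that hosts DNS (NEWSERV in this thread):
Test-DcDnsRegistration | Format-Table -AutoSize
Get-StaleDsaAliases    | Format-Table -AutoSize
```

A DC whose AliasCorrect is false, or whose GUID shows up only in the stale-alias list, is the one whose Netlogon registration to re-check; a non-empty MissingSrv column reproduces what the manual nslookup test would have shown for that DC.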
 
computerconceptsAuthor Commented:
Will do..give me a bit, have a busy morning.
0
 
computerconceptsAuthor Commented:
Here is something strange:  Now all of a sudden I have 2 entries for the CNAME in DNS on the PDC:

off8a...._msdcs.newway.local
and
681acf.._msdcs.newway.local

This is also on the Engineerserv.

I don't know which one is correct...
0
 
Chris HudsonCloud Security ArchitectCommented:
Could you ping the CNAME and check replication also? To check which one is correct, open Active Directory Sites and Services; under Sites > Default-First-Site-Name > Servers > ENGINEERSERV, right click "NTDS Settings" and you will see the GUID of the DC.
0
 
computerconceptsAuthor Commented:
I can ping 681acfc0-8017-4a14-894f-c3e25d6b6c63._msdcs.NEWWAY.local from the Engineerserv.

I'm a bit confused...under Sites>Default-First-Site-Name>Servers>ENGINEERSERV >right click "NTDS Settings" and U will see the GUID of the DC - this is the GUID of NEWSERV?

So if I go to the Sites>Default-First-Site-Name>Servers>NEWSERV >right click "NTDS Settings" and U will see the GUID of the DC this will be the GUID of the ENGINEERSERV?
0
 
computerconceptsAuthor Commented:
Where is this 0ff8a stuff coming from?  Why do I have this in my DNS as a CNAME for my NEWSERV?
0
 
computerconceptsAuthor Commented:
UGH...I can ping 0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.NEWWAY.local as well and it gets me the NEWSERV address...
0
 
Chris HudsonCloud Security ArchitectCommented:
You will be able to ping that ID since it is a CNAME pointing to the NEWSERV host address....Could I get the GUIDs of NewSrv and EngineerSRV from the NTDS Settings properties? I just want to make sure that these 2 GUIDs are registered under DNS.
0
 
computerconceptsAuthor Commented:
From under Engineerserv NTDS properties:  681acfc0-8017-4a14-894f-c3e25d6b6c63

From under NewServ NTDS properties: 39eacdd2-d7c6-424e-9fcb-760bf2ab5bb9

Sorry I haven't gotten back to you.  Been a heck of a couple of weeks.
0
 
Chris HudsonCloud Security ArchitectCommented:
If the update is from NewSrv, rename c:\windows\System32\config\netlogon.dns to netlogon.dns.old and restart the Netlogon service
0
 
computerconceptsAuthor Commented:
Finally I am getting back to this problem.  I had a question for you before I set up Wireshark.  The primary server NewServ has 2 GUID entries for itself in DNS.  Will the above method help me figure out which of the 2 is the correct one, or is there an easier way?
0
 
Chris HudsonCloud Security ArchitectCommented:
Copying your previous post:
From under Engineerserv NTDS properties:  681acfc0-8017-4a14-894f-c3e25d6b6c63

From under NewServ NTDS properties: 39eacdd2-d7c6-424e-9fcb-760bf2ab5bb9

39eacdd2-d7c6-424e-9fcb-760bf2ab5bb9 is the right GUID of NewServ
0
 
Chris HudsonCloud Security ArchitectCommented:
you can send netmon trace and c:\windows\System32\config\netlogon.dns to chrishudson@rediffmail.com
0
 
computerconceptsAuthor Commented:
Chris,
I'm having problems getting the trace run.  Prob cuz I don't know enough about how to do it. :(
I will keep working on it since I am running out of time on the tombstone date! :)
0
 
computerconceptsAuthor Commented:
Chris,

I no longer get the rogue GUID in DNS but I still can not replicate.  The Directory Service Event Log event ID 1925 tells me: (notice the incorrect source domain controller address)

The attempt to establish a replication link for the following writable directory partition failed.
 Directory partition:
DC=NEWWAY,DC=local
Source domain controller:
CN=NTDS Settings,CN=NEWSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NEWWAY,DC=local
Source domain controller address:
b720044f-abc6-4355-8499-f8fcab1814ea._msdcs.NEWWAY.local
Intersite transport (if any):
 
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  
 User Action
Verify if the source domain controller is accessible or network connectivity is available.
 Additional Data
Error value:
2148074274 The target principal name is incorrect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-----------> I have tried to remove the spn value with no luck.  How do I find where that value keeps coming from?
0
 
computerconceptsAuthor Commented:
Thanks for the help!  It was greatly appreciated.  I have corrected this problem but I have found another.  I will enter another question in the spirit of fair play.  Thanks again!
0