Solved

How to change an incorrect dsa_Guid on a replication DC

Posted on 2009-02-13
Last Modified: 2012-05-06
I recently replaced the PDC in a 2 server network.  I did this by replicating the AD from the old server to a temporary server and then in turn replicating this to the new server.  Once I put the new server in place the 2nd server in the group (Engineerserv) lost the ability to replicate AD from it (the new server).  I have narrowed the problem down to DNS.  When I open the NTDS Settings properties under AD Sites and Services on the Engineerserv the DNS Alias is showing the wrong GUID.  How can I change or replace this incorrect information?
Question by:computerconcepts
33 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23640271

How do you know it's the wrong GUID? Kind of need to know how you arrived at that conclusion to be able to help.

Chris
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23640299
1) Delete the DC GUID from DNS
2) Make sure that the DC points to the correct DNS
3) Restart Netlogon
When you restart Netlogon, it will register all SRV records and the GUID
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23640303
Small correction...all missing SRV records and GUID :)
Author Comment

by:computerconcepts
ID: 23650037
Chris-Dent -
On the PDC emulator that holds all of the roles, I checked the GUID ID there and it is 0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.domainname.local for itself. When I check the entry on the Engineerserv it is showing the PDC GUID as b720044f-abc6-4355-8499-f8fcab1814ea._msdcs.newway.local

Now, could the b720044f-abc6-4355-8499-f8fcab1814ea be what the network is looking for and the 0ff8a... is the wrong one?  The reason I ask this is because I just logged in to the Engineerserv and it is now reporting the same GUID as the PDC (0ff8a...) instead of the supposed wrong one of b7200...but now I have all kinds of Event ID 1030 and 1058 in the Application Event Log of the Engineerserv!  Every 5 min it reports a 1030 and 1058.
 

Author Comment

by:computerconcepts
ID: 23650111
chrishudson123 -
Do you mean I change the GUID from the PDC or from the Engineerserv?
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23656557
Don't change anything now. The DC GUID is mainly used for replication. Check whether the replication is fine or not. If the replication is working fine, your GUID issue is fixed.

Now about the 1030 and 1058 events, these are userenv errors, there is no relation with the DC GUID.
Refer to http://support.microsoft.com/kb/834649 for the 1030 and 1058 errors.
Let me know the status ASAP...I can give you further troubleshooting tips based on your environment.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23657534

The GUID value is set based on the GUID of the NTDS Settings folder you see in AD Sites and Services. It gets populated from %SystemRoot%\System32\Config\netlogon.dns. The value should not be changed within that file.

The output from DCDiag and NetDiag would be useful to further isolate the cause of your troubles.

Chris
 

Author Comment

by:computerconcepts
ID: 23661157
Chris and Chris,

Thanks for the help so far guys...I really appreciate it.

Info from the Eventvwr:

------->> Under the File Replication Service I am getting one of these every day:

Event ID 13508
The File Replication Service is having trouble enabling replication from NEWSERV to ENGINEERSERV for c:\windows\sysvol\domain using the DNS name newserv.NEWWAY.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name newserv.NEWWAY.local from this computer.
 [2] FRS is not running on newserv.NEWWAY.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at
*************************************************
-------->> Also getting Directory Service Event ID 1864:
This is the replication status for the following directory partition on the local domain controller.
 
Directory partition:
DC=ForestDnsZones,DC=NEWWAY,DC=local
 
The local domain controller has not recently received replication information from a number of domain controllers.   The count of domain controllers is shown, divided into the following intervals.
 
More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180
 Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 
To identify the domain controllers by name, install the support tools included on the installation  CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest.   The command is "repadmin /showvector /latency <partition-dn>".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
******************************************
-------->> Also getting Event ID 2093

The remote server which is the owner of a FSMO role is not responding.  This server has not replicated with the FSMO role owner recently.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: CN=Schema,CN=Configuration,DC=NEWWAY,DC=local
FSMO Server DN: CN=NTDS Settings,CN=NEWSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NEWWAY,DC=local
Latency threshold (hours): 24
Elapsed time since last successful replication (hours): 252
 
User Action:
 
This server has not replicated successfully with the FSMO role holder server.
1. The FSMO role holder server may be down or not responding. Please address the problem with this server.
2. Determine whether the role is set properly on the FSMO role holder server. If the role needs to be adjusted, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
3. If the FSMO role holder server used to be a domain controller, but was not demoted successfully, then the objects representing that server are still in the forest. This can occur if a domain controller has its operating system reinstalled or if a forced removal is performed.  These lingering state objects should be removed using the NTDSUTIL.EXE metadata cleanup function.
4. The FSMO role holder may not be a direct replication partner. If it is an indirect or transitive partner, then there are one or more intermediate replication partners through which replication data must flow. The total end to end replication latency should be smaller than the replication latency threshold, or else this warning may be reported prematurely.
5. Replication is blocked somewhere along the path of servers between the FSMO role holder server and this server.  Consult your forest topology plan to determine the likely route for replication between these servers. Check the status of replication using repadmin /showrepl at each of these servers.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
****************************************
--------->> From System Eventvwr i am getting Event ID 4:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/newserv.newway.local.  The target name used was NEWWAY\NEWSERV$. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (NEWWAY.LOCAL), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
************************************
------->> This is what I WAS getting from the Directory Service Eventvwr log when I originally posted this question:  EVENT ID 1645:

Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
 
Destination domain controller:
b720044f-abc6-4355-8499-f8fcab1814ea._msdcs.NEWWAY.local
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/b720044f-abc6-4355-8499-f8fcab1814ea/NEWWAY.local@NEWWAY.local
 
User Action
Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controllers computer account data to replicate to the KDC before this computer can be authenticated.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I will post the dcdiag and netdiag logs here in just a bit.
 

Author Comment

by:computerconcepts
ID: 23663448
I am going to attach the dcdiag and netdiag files to this message so the thread doesn't get ridiculously long.
1st one is from the PDC
2nd one is from the DC
DCDIAG-and-NETDIAG-from-PDC.txt
DCDIAG-and-NETDIAG-from-DC.txt
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23667245
Checked the DCdiag.
NEWSERV works fine, I hope the sysvol is shared on this server.
ENGINEERSERV shows AD replication failure with error "The RPC server is unavailable".
It looks like a DNS issue (if DNS is right we have to check RPC traffic).

Follow the given steps
1) Point both ENGINEERSERV and NEWSERV to NEWSERV as DNS server (no changes needed since they are pointing to NEWSERV now)
2) Delete both of the GUIDs from the DNS console (under _msdcs.<domainName>)
3) Restart the Netlogon service on both the DCs
4) Open AD Sites and Services and delete the connection objects under Sites>Default-First-Site-Name>Servers>ENGINEERSERV>NTDS Settings
5) Wait till it recreates the new connection objects; if it didn't create them, right click NTDS Settings>All Tasks>Check Replication Topology

6) Give it 5-10 minutes and check replication

Let me know the repadmin /showreps output after following all these steps.

Your AD replication is broken. Let's fix AD replication first.
 

Author Comment

by:computerconcepts
ID: 23670373
You want I should delete the GUIDs from the DNS console on the Engineerserv? or the Newserv?  and by both GUIDs you mean the GUID for both the Engineerserv and Newserv?  Do I leave the NS records?

Step 4 - Is that on the Engineerserv or Newserv?
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23678013
No need to touch Engineerserv as the DCs are pointing to Newserv as DNS.
Delete both the GUIDs from the Newserv DNS Mgmt console.
After step 3 check whether replication is fine or not.
If the replication is still failing, then follow step 4 on EngineerSrv.
 

Author Comment

by:computerconcepts
ID: 23713528
Didn't work.  I have some of the same eventlog errors.  Here are the results from the repadmin command

Default-First-Site-Name\ENGINEERSERV
DC Options: (none)
Site Options: (none)
DC object GUID: f916f0ee-0d67-4dba-8ddf-34100dd89a5a
DC invocationID: a734b6dd-61f1-41ca-8daf-dee1efa65c85


Source: Default-First-Site-Name\newserv
******* 1 CONSECUTIVE FAILURES since 2009-02-23 11:08:52
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.

Naming Context: DC=ForestDnsZones,DC=NEWWAY,DC=local
Source: Default-First-Site-Name\newserv
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=NEWWAY,DC=local
Source: Default-First-Site-Name\newserv
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=DomainDnsZones,DC=NEWWAY,DC=local
Source: Default-First-Site-Name\newserv
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=NEWWAY,DC=local
Source: Default-First-Site-Name\newserv
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=NEWWAY,DC=local
Source: Default-First-Site-Name\newserv
******* WARNING: KCC could not add this REPLICA LINK due to error.
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23718233
"Target Principal Name is incorrect is due to broken secure channel"

Go ahead and reset secure channel from "ENGINEERSERV" by executing following command
netdom resetpwd /server:<Name of PDC>  /userd:domain_name\administrator /passwordd:administrator_password
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23718236
 

Author Comment

by:computerconcepts
ID: 23752143
I tried this and still no joy.  I am thinking it is a deeper issue with DNS.  I have users reporting log in issues and trouble connecting to mapped drives using the servername but if I switch the mapped drives to the IP address of the server then it works.  I am losing patience with this server.  I am starting to think DNS was messed up during the transfer somehow.  Reloading is not an option so I am going to have to troubleshoot DNS til I can find the answer.  If you are interested in helping me troubleshoot DNS I would appreciate it...if not, I understand :)

Thanks for your help thus far.
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23752920
DNS troubleshooting
1) Test whether your client/DC can resolve SRV records properly
======================================================
Go to the command prompt of your client or problem DC and type the following commands:
nslookup
>set q=srv
>_ldap._tcp.Newway.local
>_kerberos._tcp.Newway.local
>_gc._tcp.Newway.local

If the above commands are showing all your DCs' IPs and names properly..then DNS is fine.
For replication purposes get the GUID from the DNS console and try to ping GUID._msdcs.Newway.local

Let me know the results

0
 

Author Comment

by:computerconcepts
ID: 23755583
Will do..give me a bit, have a busy morning.
 

Author Comment

by:computerconcepts
ID: 23756060
Here is something strange:  Now all of a sudden I have 2 entries for the CNAME in DNS on the PDC:

0ff8a...._msdcs.newway.local
and
681acf.._msdcs.newway.local

This is also on the Engineerserv.

I don't know which one is correct...
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23757164
Could you ping with the cname and check replication also. To check which one is correct, open Active Directory Sites and Services, under Sites>Default-First-Site-Name>Servers>ENGINEERSERV>right click "NTDS Settings" and you will see the GUID of the DC.
 

Author Comment

by:computerconcepts
ID: 23758230
I can ping 681acfc0-8017-4a14-894f-c3e25d6b6c63._msdcs.NEWWAY.local from the Engineerserv.

I'm a bit confused...under Sites>Default-First-Site-Name>Servers>ENGINEERSERV>right click "NTDS Settings" and you will see the GUID of the DC - this is the GUID of NEWSERV?

So if I go to Sites>Default-First-Site-Name>Servers>NEWSERV>right click "NTDS Settings" and you will see the GUID of the DC, this will be the GUID of the ENGINEERSERV?
 

Author Comment

by:computerconcepts
ID: 23758246
Where is this 0ff8a stuff coming from?  Why do i have this in my DNS as a CNAME for my NEWSERV?
 

Author Comment

by:computerconcepts
ID: 23758267
UGH...I can ping 0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.NEWWAY.local as well and it gets me the NEWSERV address...
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23761494
You will be able to ping that ID since it is a CNAME pointing to the NEWSERV host address....Could I get the GUIDs of NewSrv and EngineerSRV from the NTDS Settings properties. I just want to make sure that these 2 GUIDs are registered under DNS.
 

Author Comment

by:computerconcepts
ID: 23840802
From under Engineerserv NTDS properties:  681acfc0-8017-4a14-894f-c3e25d6b6c63

From under NewServ NTDS properties: 39eacdd2-d7c6-424e-9fcb-760bf2ab5bb9

Sorry I haven't gotten back to you.  Been a heck of a couple of weeks.
 
LVL 3

Accepted Solution

by:
chrishudson123 earned 2000 total points
ID: 23843780
Now we have to find out who is sending "0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.NEWWAY"

There are 2 ways to find out this guy
1) Netmon trace
2) DNS debug log
If you are seeing "0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.NEWWAY" within a very few minutes after deleting the ALIAS from DNS, netmon will be the right one. I am using Wireshark to capture the packet. Follow the steps to find the culprit through Wireshark:

-Start capturing the packets from your DNS server
-Delete the 0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.NEWWAY record from DNS
-Keep refreshing the DNS console
-As soon as you see the 0ff8a6aa-633a-4f3f-a62c-80b920d366ab._msdcs.NEWWAY id in DNS, stop the trace
-Filter the trace for dns and you will see the same packet as follows

No.     Time        Source                Destination           Protocol Info
    536 51.336350   192.168.2.1           192.168.1.1           DNS      Dynamic update SOA _msdcs.Mydomain.com

Frame 536 (318 bytes on wire, 318 bytes captured)
Ethernet II, Src: Microsof_4c:ec:4d (00:15:5d:4c:ec:4d), Dst: Microsof_4c:ec:45 (00:15:5d:4c:ec:45)
Internet Protocol, Src: 192.168.2.1 (192.168.2.1), Dst: 192.168.1.1 (192.168.1.1)
User Datagram Protocol, Src Port: 63569 (63569), Dst Port: domain (53)
Domain Name System (query)
    [Response In: 538]
    Transaction ID: 0xf804
    Flags: 0x2800 (Dynamic update)
       
    Prerequisites: 0
    Updates: 2
    Additional RRs: 1
    Zone
    Updates
        15c9bbb6-9fc1-4e54-b827-e307a88f47e6._msdcs.Mydomain.com: type CNAME, class ANY
            Name: 15c9bbb6-9fc1-4e54-b827-e307a88f47e6._msdcs.Mydomain.com
            Type: CNAME (Canonical name for an alias)
            Class: ANY (0x00ff)
            Time to live: 0 time
            Data length: 0
        15c9bbb6-9fc1-4e54-b827-e307a88f47e6._msdcs.Mydomain.com: type CNAME, class IN, cname Mydomain-BLR-DC2.Mydomain.com
            Name: 15c9bbb6-9fc1-4e54-b827-e307a88f47e6._msdcs.Mydomain.com
            Type: CNAME (Canonical name for an alias)
            Class: IN (0x0001)
            Time to live: 10 minutes
            Data length: 29
            Primary name: Mydomain-BLR-DC2.Mydomain.com
 
The above trace will give the source machine ID.
In the trace 15c9bbb6-9fc1-4e54-b827-e307a88f47e6._msdcs.Mydomain.com is the GUID for the server
Mydomain-BLR-DC2.Mydomain.com and the IP of the source machine is 192.168.2.1
Second method
---------------------
If you are uncertain about the update, enable DNS debugging and you will see the below output with CNAME and IP
20090310 10:48:42 8D4 PACKET  UDP Rcv 192.168.2.1     170c   Q [0001   D   NOERROR] (36)15c9bbb6-9fc1-4e54-b827-e307a88f47e6(6)_msdcs(7)Mydomain(3)com(0)

Here 15c9bbb6-9fc1-4e54-b827-e307a88f47e6(6)_msdcs(7)Mydomain(3)com(0) is the GUID and 192.168.2.1 is the IP of the server that sent the update

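As an added example (not from the thread, and not a Microsoft tool), here is a small parser for the DNS debug-log line format shown above that reports which source IP is sending packets for a GUID._msdcs alias that does not belong to any known DC. The column layout of the log, the sample lines, the timestamps and the IP addresses are assumptions; the GUIDs are the ones from this thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed layout of a Windows DNS server debug-log PACKET line (the thread shows one):
#   date time thread PACKET [ctx] UDP|TCP Snd|Rcv remote_ip xid [R] opcode [flags] [qtype] name
# The Q/R column is blank for queries and "R" for responses; the opcode is Q (query),
# N (notify) or U (dynamic update). Context and QTYPE columns are optional in practice.
LOG_LINE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<thread>\S+)\s+PACKET\s+(?:\S+\s+)?"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>[\d.]+)\s+(?P<xid>[0-9a-fA-F]+)\s+"
    r"(?:R\s+)?(?P<opcode>[QNU?])\s+\[(?P<flags>[^\]]*)\]\s+(?:(?P<qtype>[A-Z]+)\s+)?"
    r"(?P<name>\(\d+\).*\(0\))\s*$"
)
# One "(len)text" label of the wire-style name the log prints
LABEL = re.compile(r"\((\d+)\)([^()]*)")
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def decode_labels(labelled: str) -> str:
    """'(36)<guid>(6)_msdcs(6)NEWWAY(5)local(0)' -> '<guid>._msdcs.NEWWAY.local'."""
    labels = []
    for length, text in LABEL.findall(labelled):
        if int(length) != len(text):  # the advertised length must match the label text
            raise ValueError(f"corrupt label in {labelled!r}")
        if text:
            labels.append(text)
    return ".".join(labels)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one debug-log line; returns None for lines that are not PACKET records."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["name"] = decode_labels(rec["name"])
    return rec


def find_unexpected_guid_records(lines, domain: str, known_guids) -> List[Tuple[str, str, str]]:
    """Return (source_ip, fqdn, opcode) for every received packet naming a
    <GUID>._msdcs.<domain> record whose GUID is not a known DC's NTDS Settings GUID.
    The opcode lets the reader tell a dynamic update (U) from a plain lookup (Q)."""
    suffix = "._msdcs." + domain.lower()
    known = {g.lower() for g in known_guids}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "Rcv" or not rec["name"].lower().endswith(suffix):
            continue
        guid = rec["name"][: -len(suffix)]
        if GUID.match(guid) and guid.lower() not in known:
            hits.append((rec["ip"], rec["name"], rec["opcode"]))
    return hits


# Legitimate GUIDs as read from the NTDS Settings properties earlier in this thread
KNOWN_DC_GUIDS = ("681acfc0-8017-4a14-894f-c3e25d6b6c63",   # ENGINEERSERV
                  "39eacdd2-d7c6-424e-9fcb-760bf2ab5bb9")   # NEWSERV

# Constructed log lines (IPs and times invented); the second carries the thread's rogue GUID
SAMPLE_LOG = """\
20090310 10:48:42 8D4 PACKET  UDP Rcv 192.168.2.1     170c   U [2800        NOERROR] SOA    (6)_msdcs(6)NEWWAY(5)local(0)
20090310 10:48:42 8D4 PACKET  UDP Rcv 192.168.2.1     170d   Q [0001   D   NOERROR] (36)0ff8a6aa-633a-4f3f-a62c-80b920d366ab(6)_msdcs(6)NEWWAY(5)local(0)
20090310 10:48:44 8D4 PACKET  UDP Rcv 192.168.1.20    2a12   Q [0001   D   NOERROR] CNAME  (36)39eacdd2-d7c6-424e-9fcb-760bf2ab5bb9(6)_msdcs(6)NEWWAY(5)local(0)
20090310 10:48:44 8D4 PACKET  UDP Snd 192.168.1.20    2a12 R Q [8081   DR  NOERROR] CNAME  (36)39eacdd2-d7c6-424e-9fcb-760bf2ab5bb9(6)_msdcs(6)NEWWAY(5)local(0)
"""

if __name__ == "__main__":
    for ip, name, opcode in find_unexpected_guid_records(SAMPLE_LOG.splitlines(), "NEWWAY.local", KNOWN_DC_GUIDS):
        print(f"{ip} {'registered' if opcode == 'U' else 'looked up'} unknown DC alias {name}")
```

Feed it the real Dns.log and the GUIDs from both servers' NTDS Settings; a hit whose source IP is NEWSERV itself points at a stale netlogon.dns, while any other IP is a machine still announcing an old DC identity.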
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23843799
If the Update is from NewSrv,rename c:\windows\System32\config\netlogon.dns to netlogon.dns.old and restart netlogon service
 

Author Comment

by:computerconcepts
ID: 23899448
Finally am getting back to this problem.  I had a question for you before i setup Wireshark.  The primary server NewServ has 2 GUID entries for itself in DNS.  Will the above method help me figure out which of the 2 is the correct one or is there an easier way?
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23904907
Copying your previous post
From under Engineerserv NTDS properties:  681acfc0-8017-4a14-894f-c3e25d6b6c63

From under NewServ NTDS properties: 39eacdd2-d7c6-424e-9fcb-760bf2ab5bb9

39eacdd2-d7c6-424e-9fcb-760bf2ab5bb9 is the right GUID of NewServ
 
LVL 3

Expert Comment

by:chrishudson123
ID: 23904913
you can send netmon trace and c:\windows\System32\config\netlogon.dns to chrishudson@rediffmail.com
 

Author Comment

by:computerconcepts
ID: 23992642
Chris,
I'm having problems getting the trace run.  Prob cuz I don't know enough about how to do it. :(
I will keep working on it since i am running out of time on the tombstone date! :)
 

Author Comment

by:computerconcepts
ID: 24204570
Chris,

I no longer get the rogue GUID in DNS but I still can not replicate.  The Directory Service Event Log event ID 1925 tells me: (notice the incorrect source domain controller address)

The attempt to establish a replication link for the following writable directory partition failed.
 Directory partition:
DC=NEWWAY,DC=local
Source domain controller:
CN=NTDS Settings,CN=NEWSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NEWWAY,DC=local
Source domain controller address:
b720044f-abc6-4355-8499-f8fcab1814ea._msdcs.NEWWAY.local
Intersite transport (if any):
 
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  
 User Action
Verify if the source domain controller is accessible or network connectivity is available.
 Additional Data
Error value:
2148074274 The target principal name is incorrect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-----------> I have tried to remove the spn value with no luck.  How do I find where that value keeps coming from?
 

Author Closing Comment

by:computerconcepts
ID: 31546861
Thanks for the help!  It was greatly appreciated.  I have corrected this problem but I have found another.  I will enter another question in the spirit of fair play.  Thanks again!
