
Not able to replicate child domain with the root domain in a single forest.

Posted on 2009-04-20
Last Modified: 2013-11-21

The setup mimics Active Directory Split-DNS. There is an empty Root domain with two DCs and a populated Child domain with two DCs. Both domains reside in the same single forest and on the same subnet. The Schema Master is in the Root domain together with the GC, Domain Naming, RID, PDC Emulator and Infrastructure Masters. The Infrastructure Master is on the second DC in the Root as well as in the Child domain, so that the GC and the Infrastructure Masters reside on different DCs. I am able to complete successful replication on all DCs from the Root domain; however, from the Child domain I am not able to replicate the DCs in the Child domain to the DCs in the Root domain. I get an error: Replication access was denied.
I think that I have this setup down, but what bothers me is that I cannot recall whether in this model the child domain should have access to the root domain. Therefore, I ran DCDIAG /a /v /c from a DC in the Root, and all came out OK; from a DC in the Child domain, it produced the failure events listed below.

This is on MS Windows Server 2003 R2 SP2 with all the patches up to date.
NYC-W23-DC1 and NYC-W23-DC2 are in the Root domain, and NYC-W23-DC3 and NYC-W23-DC4 are in the Child domain.

I appreciate your help and time in advance.


Testing server: NYC\NYC-W23-DC1
      Starting test: Replications
         * Replications Check
         [Replications Check,NYC-W23-DC1] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
         Replication access was denied..
         ......................... NYC-W23-DC1 failed test Replications


Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\NYC-W23-DC1\netlogon
         Verified share \\NYC-W23-DC1\sysvol
         [NYC-W23-DC1] User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... NYC-W23-DC1 failed test NetLogons

Starting test: Services
         Could not open Service Control Manager on [NYC-W23-DC1]:failed with 5: Access is denied.
         ......................... NYC-W23-DC1 failed test Services

Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL.  The
         error returned was 5 (Access is denied.).  Check the FRS event log to
         see if the SYSVOL has successfully been shared.
         ......................... NYC-W23-DC1 failed test frssysvol

Starting test: frsevent
         * The File Replication Service Event log test
         Error 5 opening FRS eventlog \\NYC-W23-DC1:File Replication Service: Access is denied.

         ......................... NYC-W23-DC1 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Error 5 opening FRS eventlog \\NYC-W23-DC1:Directory Service: Access is denied.
         Failed to enumerate event log records, error Access is denied.
         ......................... NYC-W23-DC1 failed test kccevent

      Starting test: systemlog
         * The System Event log test
         Error 5 opening FRS eventlog \\NYC-W23-DC1:System: Access is denied.
         Failed to enumerate event log records, error Access is denied.
         ......................... NYC-W23-DC1 failed test systemlog

     Starting test: CheckSecurityError
         * Dr Auth:  Beginning security errors check!
         Found KDC NYC-W23-DC1 for domain GLOBAL-NY.COM in site NYC
         Checking machine account for DC NYC-W23-DC1 on DC NYC-W23-DC1.
         * SPN found :LDAP/nyc-w23-dc1.GLOBAL-NY.COM/GLOBAL-NY.COM
         * SPN found :LDAP/nyc-w23-dc1.GLOBAL-NY.COM
         * SPN found :LDAP/NYC-W23-DC1
         * SPN found :LDAP/nyc-w23-dc1.GLOBAL-NY.COM/GLOBAL-NY
         * SPN found :LDAP/e7693de4-955b-443f-902c-8f177c9fbd5f._msdcs.GLOBAL-NY.COM
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/e7693de4-955b-443f-902c-8f177c9fbd5f/GLOBAL-NY.COM
         * SPN found :HOST/nyc-w23-dc1.GLOBAL-NY.COM/GLOBAL-NY.COM
         * SPN found :HOST/nyc-w23-dc1.GLOBAL-NY.COM
         * SPN found :HOST/NYC-W23-DC1
         * SPN found :HOST/nyc-w23-dc1.GLOBAL-NY.COM/GLOBAL-NY
         * SPN found :GC/nyc-w23-dc1.GLOBAL-NY.COM/GLOBAL-NY.COM
            [NYC-W23-DC1] DsReplicaGetInfo(KCC_DS_CONNECT_FAILURES) failed with error 8453,
            Replication access was denied..
            [NYC-W23-DC1] Unable to query the list of KCC connection failures.  Continuing...
         [NYC-W23-DC1] No security related replication errors were found on this DC!  To target the connection to a specific source DC use /ReplSource:<DC>.
         ......................... NYC-W23-DC1 passed test CheckSecurityError

Testing server: NYC\NYC-W23-DC2
      Starting test: Replications
         * Replications Check
         [Replications Check,NYC-W23-DC2] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
         Replication access was denied..
         ......................... NYC-W23-DC2 failed test Replications

Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\NYC-W23-DC2\netlogon
         Verified share \\NYC-W23-DC2\sysvol
         [NYC-W23-DC2] User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... NYC-W23-DC2 failed test NetLogons

Starting test: Services
         Could not open Service Control Manager on [NYC-W23-DC2]:failed with 5: Access is denied.
         ......................... NYC-W23-DC2 failed test Services

      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL.  The
         error returned was 5 (Access is denied.).  Check the FRS event log to
         see if the SYSVOL has successfully been shared.
         ......................... NYC-W23-DC2 failed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         Error 5 opening FRS eventlog \\NYC-W23-DC2:File Replication Service: Access is denied.
         ......................... NYC-W23-DC2 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Error 5 opening FRS eventlog \\NYC-W23-DC2:Directory Service: Access is denied.
         Failed to enumerate event log records, error Access is denied.
         ......................... NYC-W23-DC2 failed test kccevent
      Starting test: systemlog
         * The System Event log test
         Error 5 opening FRS eventlog \\NYC-W23-DC2:System: Access is denied.
         Failed to enumerate event log records, error Access is denied.
         ......................... NYC-W23-DC2 failed test systemlog

Checking for CN=NYC-W23-DC2,OU=Domain Controllers,DC=GLOBAL-NY,DC=COM in domain DC=GLOBAL-NY,DC=COM on 2 servers
            Object is up-to-date on all servers.
            [NYC-W23-DC2] DsReplicaGetInfo(KCC_DS_CONNECT_FAILURES) failed with error 8453,
            Replication access was denied..

Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0xC004000F
            Time Generated: 04/20/2009   13:21:39
            Event String: RSM cannot manage library CdRom0. The database is corrupt.
         ......................... NYC-W23-DC3 failed test systemlog

      Starting test: DNS
         Test results for domain controllers:
           
            DC: nyc-w23-dc1.GLOBAL-NY.COM
            Domain: GLOBAL-NY.COM

                 
               TEST: Authentication (Auth)
                  Authentication test: Successfully completed
                 
               TEST: Basic (Basc)
                  Error: No WMI connectivity
                  [Error details: 0x80070005 (Type: HRESULT - Facility: Win32, Description: Access is denied.) - Connection to WMI server failed]
         
           
            DC: nyc-w23-dc2.GLOBAL-NY.COM
            Domain: GLOBAL-NY.COM

                 
               TEST: Authentication (Auth)
                  Authentication test: Successfully completed
                 
               TEST: Basic (Basc)
                  Error: No WMI connectivity
                  [Error details: 0x80070005 (Type: HRESULT - Facility: Win32, Description: Access is denied.) - Connection to WMI server failed]


Question by: VLG33K_NY

7 Comments
Expert Comment
by: Darius Ghassem
ID: 24187418
You use an Enterprise Admin account to run this. Are you sure you are using one of these accounts?

Author Comment
by: VLG33K_NY
ID: 24187449
Yes, I am using the Ent Adm account.

Expert Comment
by: Darius Ghassem
ID: 24187491
Are you getting any errors in the Event log?

Author Comment
by: VLG33K_NY
ID: 24187527
Cosmetic errors, nothing major.

Expert Comment
by: Darius Ghassem
ID: 24187569
Usually these errors come from not using an Enterprise Admin account in a two-domain system, or a Domain Admin account in a one-domain system. Anyway, are you sure you are using the correct netdiag version for your system?

Author Comment
by: VLG33K_NY
ID: 24187600
dariusq: I resolved the issue, and you were right about populating the Domain Admin account from the Child into the Enterprise Admins group in the Root. This is what not sleeping for 48+ hrs can do to a man! Everything works. Thank you!

Accepted Solution
by: Darius Ghassem (earned 2000 total points)
ID: 24187667
Not a problem, go ahead and close the question out. Good luck!
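The root cause in this thread is an account-rights problem, not a DC-to-DC replication fault: dcdiag's DsReplicaGetInfo calls, the Service Control Manager, event log and WMI probes all run under the credentials of the person invoking dcdiag, and error 8453 means that account lacks replication-management rights on the target DC's naming contexts. Members of the forest root's Enterprise Admins group have those rights in every domain of the forest; a child domain's Domain Admins do not, which is why the child-domain admin account had to be added to Enterprise Admins in the root. The script below is an added example and is not part of the original thread or of any Microsoft tool: it checks whether the current logon token actually carries the forest-root Enterprise Admins SID, then runs the dcdiag Replications test against every DC in the forest and flags the 8453 result. It assumes PowerShell on a domain-joined host inside the forest with dcdiag.exe on the PATH (Support Tools on Server 2003, in-box on 2008 and later); no ActiveDirectory module is required. The root domain GLOBAL-NY.COM and the DC names NYC-W23-DC1 to DC4 come from the question; the child domain's name is not stated there, so domains are discovered rather than hard-coded.

```powershell
# Added example (not from the original thread). Verifies the prerequisite the
# accepted answer names -- the account running dcdiag holds forest-root
# Enterprise Admins -- then runs the Replications test forest-wide and flags
# error 8453 ("Replication access was denied") from the question.
# Assumed environment: PowerShell on a domain-joined host in the forest,
# dcdiag.exe on the PATH. Domain and DC names are discovered at run time.

function Get-ForestRootDomainSid {
    # Enterprise Admins exists only in the forest root domain, so its SID is
    # <root domain SID>-519. Read the root domain's objectSid over LDAP.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $root   = $forest.RootDomain.GetDirectoryEntry()
    $bytes  = [byte[]]$root.Properties['objectSid'].Value
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

function Test-EnterpriseAdminToken {
    # True only if the CURRENT LOGON TOKEN carries the Enterprise Admins SID.
    # Group membership is stamped into the token at logon: after adding an
    # account to the group (as the author did), log off and on again, or use
    # runas, before re-running dcdiag; otherwise the 8453 errors persist.
    $rootSid = Get-ForestRootDomainSid
    $eaType  = [System.Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid
    $eaSid   = New-Object System.Security.Principal.SecurityIdentifier($eaType, $rootSid)
    $token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return $token.Groups.Contains($eaSid)
}

function Get-ReplicationAccessErrors {
    # Runs 'dcdiag /s:<dc> /test:Replications' against each DC of every domain
    # in the forest and reports whether the output carries error 8453.
    # Extra switches, e.g. '/u:GLOBAL-NY\<ea-account>','/p:*', can be passed
    # through when the current token is not an Enterprise Admin.
    param([string[]] $DcDiagArgs = @())
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $results = @()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            $target = '/s:' + $dc.Name
            # An array argument is expanded into separate arguments for a
            # native command; an empty array contributes nothing.
            $out = & dcdiag.exe $target /test:Replications $DcDiagArgs 2>&1 | Out-String
            $results += New-Object PSObject -Property @{
                Domain       = $domain.Name
                DC           = $dc.Name
                AccessDenied = [bool]($out -match '8453|Replication access was denied')
            }
        }
    }
    return $results
}

if (-not (Test-EnterpriseAdminToken)) {
    Write-Warning 'Current token is not a forest-root Enterprise Admin; cross-domain dcdiag will fail with 8453.'
    Write-Warning 'Log on as an Enterprise Admin (after the group change) or pass /u:<rootdomain>\<user> /p:* to dcdiag.'
}
Get-ReplicationAccessErrors | Sort-Object Domain, DC | Format-Table Domain, DC, AccessDenied -AutoSize
```

Two practitioner notes. First, a clean dcdiag run proves the diagnosing account has rights; actual DC-to-DC replication uses the DCs' machine accounts, so `repadmin /showrepl` or `repadmin /replsummary` from an account that already passes the token check is the test of the replication itself. Second, Enterprise Admins is a forest-wide privilege: rather than leaving a child-domain Domain Admin in that group permanently, use a dedicated Enterprise Admin account (or dcdiag's `/u:` and `/p:` switches) for the diagnosis and remove the membership afterwards.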
