Solved

2003 DC replication only working one way

Posted on 2009-05-10
Last Modified: 2012-08-14
Earlier in the year one of our techs added a second domain controller to our 2003 server network. Everything seemed to be working fine until the other day I started getting calls about login problems, etc. Upon investigation we found the forward zone was missing on the main DC, and event viewer logs indicate it could not talk to Active Directory. Looking further we found replication only occurs one way - new DC to old DC. When attempting to replicate from old DC to new DC we get access denied errors. Not sure why that is. I do know most roles were transferred to the new DC.

Here is the output of repadmin

DC Options: IS_GC
Site Options: (none)
DC object GUID: af226a4a-38a3-4ae6-a07e-b16778be3731
DC invocationID: af226a4a-38a3-4ae6-a07e-b16778be3731

==== INBOUND NEIGHBORS ======================================

DC=loversoftruth,DC=priv
    Default-First-Site\TRUTH-DC2 via RPC
        DC object GUID: 28cea5d9-efc2-47fe-9476-c4df3b0ccd0b
        Last attempt @ 2009-05-10 08:52:57 failed, result 5 (0x5):
            Access is denied.
        2450 consecutive failure(s).
        Last success @ 2009-02-18 07:11:20.

CN=Configuration,DC=loversoftruth,DC=priv
    Default-First-Site\TRUTH-DC2 via RPC
        DC object GUID: 28cea5d9-efc2-47fe-9476-c4df3b0ccd0b
        Last attempt @ 2009-05-10 08:52:57 failed, result 5 (0x5):
            Access is denied.
        1959 consecutive failure(s).
        Last success @ 2009-02-18 06:59:35.

CN=Schema,CN=Configuration,DC=loversoftruth,DC=priv
    Default-First-Site\TRUTH-DC2 via RPC
        DC object GUID: 28cea5d9-efc2-47fe-9476-c4df3b0ccd0b
        Last attempt @ 2009-05-10 08:52:57 failed, result 5 (0x5):
            Access is denied.
        1959 consecutive failure(s).
        Last success @ 2009-02-18 06:58:07.

Source: Default-First-Site\TRUTH-DC2
******* 2450 CONSECUTIVE FAILURES since 2009-02-18 07:11:20
Last error: 5 (0x5):
            Access is denied.




######################################################################################

Default-First-Site\TRUTH-DC2
DC Options: IS_GC
Site Options: (none)
DC object GUID: 28cea5d9-efc2-47fe-9476-c4df3b0ccd0b
DC invocationID: 9db1d04c-d92d-4f18-86aa-c30efa0d9602

==== INBOUND NEIGHBORS ======================================

DC=loversoftruth,DC=priv
    Default-First-Site\TRUTH-DC1 via RPC
        DC object GUID: af226a4a-38a3-4ae6-a07e-b16778be3731
        Last attempt @ 2009-05-10 08:52:17 was successful.

CN=Configuration,DC=loversoftruth,DC=priv
    Default-First-Site\TRUTH-DC1 via RPC
        DC object GUID: af226a4a-38a3-4ae6-a07e-b16778be3731
        Last attempt @ 2009-05-10 08:52:17 was successful.

CN=Schema,CN=Configuration,DC=loversoftruth,DC=priv
    Default-First-Site\TRUTH-DC1 via RPC
        DC object GUID: af226a4a-38a3-4ae6-a07e-b16778be3731
        Last attempt @ 2009-05-10 08:52:17 was successful.
Question by:tamray_tech
12 Comments
 
LVL 5

Expert Comment

by:DTAHARLEV
Try replmon.exe with force replication, cross site boundaries, replicate all zones, and post what happens.
LVL 27

Expert Comment

by:bluntTony
Have the servers been out of communications for any period of time? This sort of thing could be down to the two servers holding different passwords for the DC which is getting denied.

Have a look at this: http://technet.microsoft.com/en-gb/library/bb727057.aspx#XSLTsection124121120120. Look in the section referring to troubleshooting access denied errors during replication. See if this helps.

Author Comment

by:tamray_tech
I am not sure how to accomplish the force replication, cross site boundaries, etc. I get a GUI, but it is new to me.

LVL 27

Expert Comment

by:bluntTony
You right click 'Monitored Servers', add your server, then right click it, select 'Synchronise Each Directory partition...'. The next menu lets you select the other options.

You'll most likely get the same error message - access denied. You'll have to refresh the right hand of the screen to get any feedback.

Author Comment

by:tamray_tech
DC-1 seems to work, DC-2 says I do not have the right credentials

Author Comment

by:tamray_tech
I am trying to reset the machine password with the following, but it does not like the syntax I am using. What corrections do I need to make here:

H:\>netdom resetpwd /server:truth-dc1 /userid:loversoftruth.priv\administrator /
password:*

LVL 5

Expert Comment

by:qf3l3k
In fact what you can do is:
 - make sure that on both DCs you can communicate properly with the DNS which has the AD entries registered properly
 - in AD Sites & Services you can remove the connection object which is not replicating
 - after removal just Check Replication Topology in AD Sites & Services

Once DNS is configured properly the replication connection will be recreated and after about 15-30 minutes will work properly.

In the meantime, maybe you can give us more details about your environment:
 - are both DCs in the same subnet or are these different sites
 - what DNS server is set on both DCs and does that DNS server host the AD zone
 - if the DCs are in different subnets do you have subnet objects defined

Replication issues are mainly driven by DNS misconfigurations and replication connection issues, as per my experience.
Sometimes (in a multi-site/multi-subnet configuration) the issue might be on the firewall side.

Usually if replication doesn't work, removing the replication connections and re-creating them helps, as Windows is able to recover those based on DNS.

If DNS is the cause it will be easy to fix. Just point both DCs to one DNS server you reckon is reliable... (I think the server which hosts DNS will be one of those DCs), then bounce the NetLogon service to re-create all DNS entries and try to re-create the replication connections.

Those are a few quick thoughts. Hope that will help a little bit.
LVL 27

Expert Comment

by:bluntTony
Don't think it would be DNS or connection based, as the error returned is access denied, so it seems comms is OK. Drop the .priv bit. I can't check the exact syntax at the moment but that looks like your problem.
LVL 5

Expert Comment

by:qf3l3k
In regards to the connection I meant the Replication Connection Object you can see in the AD Sites & Services console.
Usually when Access Denied occurs when you try to replicate AD it might mean that there is something wrong with that thing.
Apart from that there is a zone missing from DNS, as far as I understood from the description... which means that if each DC is pointing to itself as DNS server and something went wrong with replication, the KCC might not be able to check the Replication Connection and exchange data between DCs.
So, it might be connected... DNS and the Replication Connection Object.

In fact if there is the possibility to log on to both domain controllers there is no need to reset the password... just set the password to exactly the same on both DCs... but there is no indication that it is not possible to log on to the DC.

Author Comment

by:tamray_tech
I am not sure if there would have been a better solution, but this is what I found wrong, and the measures I took to correct it. I found out the problem domain controller had been tombstoned because it had not replicated for a long time. Googling around it seemed the best action was to run dcpromo to remove active directory. I then removed the connection from Sites & Services, and ran dcpromo again after restarting the server. I cannot explain why, but for some reason the new domain controller could not ping the old one, but the old one could ping the new one. I could not find a reason for this, but found I was able to get communication between the servers working again by changing the IP of the old dc, and updating the dns records. Things seem to be replicating properly again. Not sure if what I did could have been accomplished another way, but this worked for me.
LVL 27

Accepted Solution

by:bluntTony (earned 500 total points)
Re-promoting the server would have reset to the default computer password, thus enabling the two to communicate.

qf3l3k - I was referring to the machine password, not a user password. This is used to establish a trust between the machines. Because of the fact they had been out of comms for a while, the two DCs had different passwords for the problem DC, hence access denied.

At least that's what it looks like to me. Glad you got it sorted though.
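Added example (not from this thread or from Microsoft): it parses the repadmin /showrepl inbound-neighbour output posted in the question and applies the triage logic from the accepted answer, classing error 5 as an authentication failure (the partner answered, so the secure channel is the suspect), RPC/DNS errors as connectivity, and flagging any partner whose last success is older than the tombstone lifetime. It assumes a 60-day tombstone lifetime, the Windows 2003 default for forests created before SP1; the embedded dump is a constructed excerpt in the shape of the one above.

```python
import re
from datetime import datetime

TOMBSTONE_DAYS = 60  # assumed: Windows 2003 default for pre-SP1 forests (SP1+ forests use 180)
AUTH_ERRORS = {5, 8453}             # partner answered but refused: secure channel / machine password suspect
CONNECTIVITY_ERRORS = {1722, 8524}  # "RPC server is unavailable" / "DNS lookup failure"
TS = "%Y-%m-%d %H:%M:%S"

SAMPLE = """\
DC=loversoftruth,DC=priv
    Default-First-Site\\TRUTH-DC2 via RPC
        Last attempt @ 2009-05-10 08:52:57 failed, result 5 (0x5):
            Access is denied.
        2450 consecutive failure(s).
        Last success @ 2009-02-18 07:11:20.
CN=Configuration,DC=loversoftruth,DC=priv
    Default-First-Site\\TRUTH-DC1 via RPC
        Last attempt @ 2009-05-10 08:52:17 was successful.
"""  # constructed excerpt in the shape of the repadmin output posted in the question

def parse_showrepl(text):  # one dict per inbound neighbour; a block starts with an NC at column 0
    neighbors, cur = [], {}  # header lines before the first NC land in the throwaway dict
    for line in text.splitlines():
        s = line.strip()
        if not line[:1].isspace() and s.startswith(("DC=", "CN=")):
            cur = {"nc": s, "partner": None, "error": None, "failures": 0, "last_success": None}
            neighbors.append(cur)
        elif " via " in s:
            cur["partner"] = s.split(" via ")[0]
        elif s.startswith("Last attempt @"):
            m = re.match(r"Last attempt @ (\S+ \S+) (?:was successful|failed, result (\d+))", s)
            if m.group(2) is None:
                cur["last_success"] = datetime.strptime(m.group(1), TS)
            else:
                cur["error"] = int(m.group(2))
        elif s.endswith("consecutive failure(s)."):
            cur["failures"] = int(s.split()[0])
        elif s.startswith("Last success @"):
            cur["last_success"] = datetime.strptime(s[15:].rstrip("."), TS)
    return neighbors

def triage(neighbor, now, tombstone_days=TOMBSTONE_DAYS):
    # `now` is a "%Y-%m-%d %H:%M:%S" string like the timestamps in the dump
    err, last = neighbor["error"], neighbor["last_success"]
    kind = ("healthy" if err is None else "auth" if err in AUTH_ERRORS
            else "connectivity" if err in CONNECTIVITY_ERRORS else "unknown")
    stale = None if last is None else (datetime.strptime(now, TS) - last).days
    return {"nc": neighbor["nc"], "partner": neighbor["partner"], "kind": kind,
            "failures": neighbor["failures"], "stale_days": stale,
            "tombstone_risk": stale is not None and stale > tombstone_days}
```

Run it over the full output of `repadmin /showrepl` on each DC; a neighbour reported as `auth` with `tombstone_risk` true is the case this thread describes, where resetting the machine password alone may not be enough.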

Author Closing Comment

by:tamray_tech
I'm not convinced it was a password issue, since I was able to reset the password prior to using dcpromo. However, according to other docs I found, demoting and re-promoting the server was the fix.