Solved

FRS Issue

Posted on 2009-07-13
Last Modified: 2013-12-05
I seem to have some File Replication issues on my DC's.  The problem I have is that I'm not sure where to start.  I am getting Directory Service Errors as well.  Here are the following errors I'm getting on my DC's.  Any help with a push in the right direction would be appreciated.

FRS  error - 13508  (ntfrs - source)
Directory Serv. - 1863 (ntds replication - source)
Directory Serv. - 2093 (ntds replication - source)
Directory Serv. - 1084 (ntds replication - source)

Here are the errors I receive from the FRSDIAG tool.

Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
      ERROR on NtFrs_0003.log : "ERROR_ACCESS_DENIED" : <FrsDsGetComputer:              2888:  8993: S1: 02:00:43> :DS: WARN - Could not find computer in computers CN=Computers,DC=LUTZCPA,DC=com; WStatus ERROR_ACCESS_DENIED
      ERROR on NtFrs_0003.log : "ERROR_ACCESS_DENIED" : <FrsDsGetComputer:              2888:  9006: S1: 02:00:43> :DS: WARN - Could not find computer in defaultnc DC=LUTZCPA,DC=com; WStatus ERROR_ACCESS_DENIED
      ERROR on NtFrs_0003.log : "ERROR_ACCESS_DENIED" : <FrsDsGetComputer:              2888:  9021: S1: 02:00:43> :DS: WARN - Could not find computer in defaultnc USER DC=LUTZCPA,DC=com; WStatus ERROR_ACCESS_DENIED

      Found 5 ERROR_ACCESS_DENIED error(s)! Latest ones (up to 3) listed above

 ......... failed with 5 error entries
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed


Final Result = failed with 5 error(s)
Question by:prutter
30 Comments
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24843155
Can you post error messages from your error logs please? Especially ones from the File Replication Service and any others that may be applicable (warnings or errors). On both servers too.
0
 

Author Comment

by:prutter
ID: 24843184
Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13509
Date:            7/13/2009
Time:            8:06:08 AM
User:            N/A
Computer:      JERRY
Description:
The File Replication Service has enabled replication from DNSDHCP to JERRY for c:\windows\sysvol\domain after repeated retries.


Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13509
Date:            7/13/2009
Time:            8:06:08 AM
User:            N/A
Computer:      JERRY
Description:
The File Replication Service has enabled replication from DNSDHCP to JERRY for c:\windows\sysvol\domain after repeated retries.

DIRECTORY SERVICES

Event Type:      Error
Event Source:      NTDS Replication
Event Category:      Replication
Event ID:      1863
Date:            7/13/2009
Time:            3:04:56 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      JERRY
Description:
This is the replication status for the following directory partition on the local domain controller.
 
Directory partition:
CN=Schema,CN=Configuration,DC=LUTZCPA,DC=com
 
The local domain controller has not received replication information from a number of domain controllers within the configured latency interval.
 
Latency Interval (Hours):
24
Number of domain controllers in all sites:
1
Number of domain controllers in this site:
1
 
The latency interval can be modified with the following registry key.
 
Registry Key:  
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
 
To identify the domain controllers by name, install the support tools included on the installation  CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest.   The command is "repadmin /showvector /latency <partition-dn>".


Event Type:      Warning
Event Source:      NTDS Replication
Event Category:      Replication
Event ID:      2093
Date:            7/13/2009
Time:            3:04:56 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      JERRY
Description:

The remote server which is the owner of a FSMO role is not responding.  This server has not replicated with the FSMO role owner recently.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: CN=Schema,CN=Configuration,DC=LUTZCPA,DC=com
FSMO Server DN: CN=NTDS Settings,CN=DNSDHCP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=LUTZCPA,DC=com
Latency threshold (hours): 24
Elapsed time since last successful replication (hours): 85
 
User Action:
 
This server has not replicated successfully with the FSMO role holder server.
1. The FSMO role holder server may be down or not responding. Please address the problem with this server.
2. Determine whether the role is set properly on the FSMO role holder server. If the role needs to be adjusted, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
3. If the FSMO role holder server used to be a domain controller, but was not demoted successfully, then the objects representing that server are still in the forest. This can occur if a domain controller has its operating system reinstalled or if a forced removal is performed.  These lingering state objects should be removed using the NTDSUTIL.EXE metadata cleanup function.
4. The FSMO role holder may not be a direct replication partner. If it is an indirect or transitive partner, then there are one or more intermediate replication partners through which replication data must flow. The total end to end replication latency should be smaller than the replication latency threshold, or else this warning may be reported prematurely.
5. Replication is blocked somewhere along the path of servers between the FSMO role holder server and this server.  Consult your forest topology plan to determine the likely route for replication between these servers. Check the status of replication using repadmin /showrepl at each of these servers.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.







0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24843269
Sounds like your FSMO roles are not configured correctly. Please read this on how to set them up

http://support.microsoft.com/default.aspx?scid=kb;en-us;223346
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24843291
given your description, this:

If the FSMO role holder server used to be a domain controller, but was not demoted successfully, then the objects representing that server are still in the forest. This can occur if a domain controller has its operating system reinstalled or if a forced removal is performed.  These lingering state objects should be removed using the NTDSUTIL.EXE metadata cleanup function.

might apply to you. Was this the case? I mean did you have a DC that got demoted?
0
 

Author Comment

by:prutter
ID: 24843532
I had a DC that got demoted several months ago.  This issue only started a couple weeks ago.  The servers mentioned in these events are both active DC's.  The server JERRY is the older of the two DC's  and the other (DNSDHCP) server is the newer and it holds the FSMO roles.
0
 
LVL 6

Accepted Solution

by:
ahmad2121 earned 250 total points
ID: 24843551
it can't hurt to do a cleanup :)

Open a command prompt.

Type the following command, and then press ENTER:

ntdsutil

At the ntdsutil: prompt, type:

metadata cleanup

Once you do that, run frsdiag and see what happens.
0
 

Author Comment

by:prutter
ID: 24843660
I will do that and let you know.  Thanks!
0
 

Author Comment

by:prutter
ID: 24843957
No change on the FRSdiag.   When I typed in metadata cleanup at the NTDSUTIL prompt it just took me to a METADATA CLEANUP prompt.  Was there another command?  If not then it was completed with no luck.
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24843980
oops, yes there is more:

remove selected server 'ServerName' (server that was demoted)

0
 

Author Comment

by:prutter
ID: 24844102
Is there a command to show what servers are showing in the metadata?  I think I did this when I removed it in the first place a long time ago.  There should only be two servers listed there.
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24844121
0
 

Author Comment

by:prutter
ID: 24844250
I found the doc I needed but when I type in LIST SERVERS I get the following error:

Domain - DC=LUTZCPA,DC=com
No current server
No current Naming Context
select operation target: list servers
Error 80070057 parsing input - illegal syntax?
select operation target:
0
 

Author Comment

by:prutter
ID: 24844280
I had the wrong syntax.  I got the server list and it only shows 2 servers, and those are the two servers in the event logs.
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24844290
It's actually a process, type the following:

select operation target

list sites

select site SiteNumber

list domains in site

select domain DomainNumber

list servers in site

then you can do select server ServerNumber

I don't know why they made it this nasty, but I guess it's not something you'd do regularly!
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24844294
ok sorry, disregard previous message
0
 

Author Comment

by:prutter
ID: 24844325
Thanks.  According to that there are no other stray servers listed.  
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24844399
the part that's nagging at me is:

Number of domain controllers in all sites:
1
Number of domain controllers in this site:
1
 
another thing to check,

can you go to AD Users and Computers > domain > Domain Controllers OU > right-click on your domain controller (the newer one, primary) > NTDS Settings > is Global Catalog checked?
0
 

Author Comment

by:prutter
ID: 24844529
I can't see that from within ADUC but I can from Sites and Services.  Both servers are checked as global catalogs.
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24844565
How come your DCs are not in the DC ou? Or they are there but just don't show that option?
0
 

Author Comment

by:prutter
ID: 24844579
The DC's are in there but when I right-click I can't see a GC option.
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24844587
does dcdiag complete successfully on both pcs?
0
 

Author Comment

by:prutter
ID: 24844638
Yes it does.  Here is DNSDHCP's results...


C:\WINDOWS\system32>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DNSDHCP
      Starting test: Connectivity
         ......................... DNSDHCP passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DNSDHCP
      Starting test: Replications
         ......................... DNSDHCP passed test Replications
      Starting test: NCSecDesc
         ......................... DNSDHCP passed test NCSecDesc
      Starting test: NetLogons
         ......................... DNSDHCP passed test NetLogons
      Starting test: Advertising
         ......................... DNSDHCP passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DNSDHCP passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DNSDHCP passed test RidManager
      Starting test: MachineAccount
         ......................... DNSDHCP passed test MachineAccount
      Starting test: Services
         ......................... DNSDHCP passed test Services
      Starting test: ObjectsReplicated
         ......................... DNSDHCP passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DNSDHCP passed test frssysvol
      Starting test: frsevent
         ......................... DNSDHCP passed test frsevent
      Starting test: kccevent
         ......................... DNSDHCP passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 07/13/2009   17:12:16
            Event String: The kerberos client received a
         ......................... DNSDHCP failed test systemlog
      Starting test: VerifyReferences
         ......................... DNSDHCP passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : LUTZCPA
      Starting test: CrossRefValidation
         ......................... LUTZCPA passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... LUTZCPA passed test CheckSDRefDom

   Running enterprise tests on : LUTZCPA.com
      Starting test: Intersite
         ......................... LUTZCPA.com passed test Intersite
      Starting test: FsmoCheck
         ......................... LUTZCPA.com passed test FsmoCheck



Here are Jerry's results...


U:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\JERRY
      Starting test: Connectivity
         ......................... JERRY passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\JERRY
      Starting test: Replications
         ......................... JERRY passed test Replications
      Starting test: NCSecDesc
         ......................... JERRY passed test NCSecDesc
      Starting test: NetLogons
         ......................... JERRY passed test NetLogons
      Starting test: Advertising
         ......................... JERRY passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... JERRY passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... JERRY passed test RidManager
      Starting test: MachineAccount
         ......................... JERRY passed test MachineAccount
      Starting test: Services
         ......................... JERRY passed test Services
      Starting test: ObjectsReplicated
         ......................... JERRY passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... JERRY passed test frssysvol
      Starting test: frsevent
         ......................... JERRY passed test frsevent
      Starting test: kccevent
         ......................... JERRY passed test kccevent
      Starting test: systemlog
         ......................... JERRY passed test systemlog
      Starting test: VerifyReferences
         ......................... JERRY passed test VerifyReferences

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : LUTZCPA
      Starting test: CrossRefValidation
         ......................... LUTZCPA passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... LUTZCPA passed test CheckSDRefDom

   Running enterprise tests on : LUTZCPA.com
      Starting test: Intersite
         ......................... LUTZCPA.com passed test Intersite
      Starting test: FsmoCheck
         ......................... LUTZCPA.com passed test FsmoCheck
0
 

Author Comment

by:prutter
ID: 24844646
I have to leave for a bit.  I should be back on this in  awhile if you have any suggestions.  Thank you very much for your efforts!!!
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24844846
what does

repadmin /showrepl

show on both servers?
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24844897
open AD u&c, View > Advanced Features,

Then check for a new folder called "System"

open it, expand File Replication > Domain System Volume

are both dcs listed?
0
 

Author Comment

by:prutter
ID: 24848785
Here is the repadmin output from the first one...

==== INBOUND NEIGHBORS ======================================

DC=LUTZCPA,DC=com
    Default-First-Site-Name\JERRY via RPC
        DC object GUID: 0f0efdd2-86f7-455c-a12c-8bb63c419db0
        Last attempt @ 2009-07-14 07:42:38 was successful.

CN=Configuration,DC=LUTZCPA,DC=com
    Default-First-Site-Name\JERRY via RPC
        DC object GUID: 0f0efdd2-86f7-455c-a12c-8bb63c419db0
        Last attempt @ 2009-07-14 07:37:05 was successful.

CN=Schema,CN=Configuration,DC=LUTZCPA,DC=com
    Default-First-Site-Name\JERRY via RPC
        DC object GUID: 0f0efdd2-86f7-455c-a12c-8bb63c419db0
        Last attempt @ 2009-07-14 06:58:26 was successful.

The second...

==== INBOUND NEIGHBORS =====================================

DC=LUTZCPA,DC=com
    Default-First-Site-Name\DNSDHCP via RPC
        DC object GUID: d3e72caf-26c6-4af6-9826-22595270d63d
        Last attempt @ 2009-07-14 07:44:27 was successful.

CN=Configuration,DC=LUTZCPA,DC=com
    Default-First-Site-Name\DNSDHCP via RPC
        DC object GUID: d3e72caf-26c6-4af6-9826-22595270d63d
        Last attempt @ 2009-07-14 07:37:20 was successful.

CN=Schema,CN=Configuration,DC=LUTZCPA,DC=com
    Default-First-Site-Name\DNSDHCP via RPC
        DC object GUID: d3e72caf-26c6-4af6-9826-22595270d63d
        Last attempt @ 2009-07-14 06:46:44 was successful.
0
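The check the repadmin /showrepl output above is being read for, as an added example that is not part of the original thread: parse each inbound neighbor and flag any link whose last attempt failed or whose last success is older than the 24-hour latency threshold named in events 1863 and 2093. The first two sample blocks are from the output posted above; the third block (server name EXAMPLEDC, zero GUID, failure text) is constructed, and the function names are this example's own.

```python
import re
from datetime import datetime, timedelta

# First two blocks: output posted in this thread. Third block: constructed
# (EXAMPLEDC, zero GUID, failure text) to show how a failed link is reported.
SAMPLE = r"""
==== INBOUND NEIGHBORS ======================================

DC=LUTZCPA,DC=com
    Default-First-Site-Name\JERRY via RPC
        DC object GUID: 0f0efdd2-86f7-455c-a12c-8bb63c419db0
        Last attempt @ 2009-07-14 07:42:38 was successful.

CN=Configuration,DC=LUTZCPA,DC=com
    Default-First-Site-Name\JERRY via RPC
        DC object GUID: 0f0efdd2-86f7-455c-a12c-8bb63c419db0
        Last attempt @ 2009-07-14 07:37:05 was successful.

CN=Schema,CN=Configuration,DC=LUTZCPA,DC=com
    Default-First-Site-Name\EXAMPLEDC via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000000
        Last attempt @ 2009-07-14 06:58:26 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
            3 consecutive failure(s).
            Last success @ 2009-07-10 17:58:26.
"""

TS = "%Y-%m-%d %H:%M:%S"
STAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
VIA = re.compile(r"^(.+) via \S+$")
ATTEMPT = re.compile(r"Last attempt @ " + STAMP + r" (was successful|failed)")
SUCCESS = re.compile(r"Last success @ " + STAMP)

def parse_showrepl(text):
    """Return one dict per inbound neighbor: nc, source, ok, last_success."""
    neighbors, nc, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("===="):
            continue
        if not raw[0].isspace():          # unindented line = naming context DN
            nc = line
        elif VIA.match(line):             # "Site\Server via RPC" starts a neighbor
            cur = {"nc": nc, "source": VIA.match(line).group(1),
                   "ok": None, "last_success": None}
            neighbors.append(cur)
        elif cur is not None:
            attempt, success = ATTEMPT.search(line), SUCCESS.search(line)
            if attempt:
                cur["ok"] = attempt.group(2) == "was successful"
                if cur["ok"]:
                    cur["last_success"] = datetime.strptime(attempt.group(1), TS)
            if success:                   # only printed after a failed attempt
                cur["last_success"] = datetime.strptime(success.group(1), TS)
    return neighbors

def stale_links(neighbors, now, threshold_hours=24):
    """Links that failed, never succeeded, or succeeded longer ago than the threshold.
    `now` must be in the same local time as the DC that produced the output."""
    limit = timedelta(hours=threshold_hours)
    flagged = []
    for n in neighbors:
        age = None if n["last_success"] is None else now - n["last_success"]
        if not n["ok"] or age is None or age > limit:
            flagged.append((n["nc"], n["source"], age))
    return flagged

if __name__ == "__main__":
    for nc, source, age in stale_links(parse_showrepl(SAMPLE), datetime(2009, 7, 14, 8, 0, 0)):
        print(f"STALE {nc} <- {source} (last success {age} ago)")
```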
 

Author Comment

by:prutter
ID: 24849132
Both DC's are listed in the File Replication Service folder.
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24851024
then where are you seeing errors?

from what I can see everything is working exactly as it should. Were you just concerned over the errors presented by FRSdiag?

it seems like your dc's are replicating just fine.
0
 

Author Comment

by:prutter
ID: 24851832
I can see what you mean.  It seems like they may run just fine for a few days, or maybe a week, then I start getting these errors again.  The same errors that I get in the event log above.  My biggest problem is I'm not sure where to start looking.  I will let it go for a few days and see what happens.
0
 
LVL 6

Expert Comment

by:ahmad2121
ID: 24851880
Yeah the FSMO errors are strange, but I think messages like "couldn't connect for replication" are common, and as long as it reconnects you shouldn't worry about it.
0
