BzowK (United States of America) asked:

Directory Service Event Log Errors 1925 & 1645 On Win 2003 x32 Server

Hello All -

Another member of my team set up a new DC for a domain that we support which is located off-site on a different subnet than the other ones.  From what I hear, it worked fine for a couple of days, but today, users could not authenticate or retrieve profiles from it.  I'm receiving the two errors below every few minutes (attached screenshot #3):

-------------------------------------------------------------------------------

NTDS Replication - Category = DS RPC Client (attached screenshot #1)
Error 1645
Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
 
Destination domain controller:
a2854d9e-e5d3-417c-a31d-6eb34b6c55f5._msdcs.DOMAINABC.LOCAL
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/a2854d9e-e5d3-417c-a31d-6eb34b6c55f5/PSBOC.LOCAL@DOMAINABC.LOCAL
 
User Action
Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controller’s computer account data to replicate to the KDC before this computer can be authenticated.

-----------------------------------------------------------

NTDS Replication - Category = Knowledge Consistency (attached screenshot #2)
Error 1925
The attempt to establish a replication link for the following writable directory partition failed.
 
Directory partition:
DC=DOMAINABC,DC=LOCAL
Source domain controller:
CN=NTDS Settings,CN=OPS-DC,CN=Servers,CN=RemoteSite1,CN=Sites,CN=Configuration,DC=DOMAINABC,DC=LOCAL
Source domain controller address:
a2854d9e-e5d3-417c-a31d-6eb34b6c55f5._msdcs.DOMAINABC.LOCAL
Intersite transport (if any):
 
 
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  

-------------------------------------------------------------------------------

Also, I don't know if it's related, but am getting this error in the DNS Server event log:

Source = DNS - Category = None
Event ID 4515
The zone PSBOC.LOCAL was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.PSBOC.LOCAL. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.
 
If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.
 
If there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this

--------------------------------------------------------------

I've done a bit of research and so far have tried to:
- Flush, then register DNS, then restart NETLOGON.
- Restart
- Verify that system time is correct
- Created an InterSite Transport from one of the existing servers to the remote site one.  I really don't know much about this so may have done it wrong.

Please help! - Thanks!


Attachments: 1.png, 2.png, 3.png, 4.png
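Event 1645 says the KDC could not find the replication SPN for the destination DC, and Event 1925 names that DC by its GUID-based _msdcs CNAME. The script below, an added example that is not code from this thread, checks both for one DC: it reads the objectGUID of the DC's NTDS Settings object, looks for the matching E3514235-4B06-11D1-AB04-00C04FC2DCD2/<GUID>/<domain> SPN on the DC's computer account, and resolves <GUID>._msdcs.<domain>. It assumes PowerShell 2.0 or later on a domain-joined machine with read access to the directory; the names OPSDC and DOMAINABC.LOCAL are placeholders taken from the question. Note that the SPN quoted in Event 1645 above carries PSBOC.LOCAL in its domain component while the realm is DOMAINABC.LOCAL, so the expected SPN the script prints is worth comparing against the one in the event.

```powershell
# Added example, not code from the thread. Checks the two things Event 1645 depends on for one DC:
# (a) the replication SPN E3514235-4B06-11D1-AB04-00C04FC2DCD2/<DSA GUID>/<domain> on the
#     DC's computer account, and (b) the <DSA GUID>._msdcs.<domain> CNAME resolving.
# Assumes PowerShell 2.0+ on a domain-joined machine with read access to the directory.
# 'OPSDC' and 'DOMAINABC.LOCAL' are placeholders taken from the question.
param(
    [string]$DcName    = 'OPSDC',
    [string]$DomainDns = 'DOMAINABC.LOCAL'
)

# Well-known service class used for DC-to-DC replication RPC (the value quoted in the event).
$ReplSpnClass = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'

function Get-DsaGuid {
    # objectGUID of CN=NTDS Settings under the DC's server object in CN=Sites;
    # $null when the server object exists with no NTDS Settings (a typical stale leftover).
    param([string]$Name)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$configNc")
    $s.Filter = "(&(objectClass=server)(cn=$Name))"
    $server = $s.FindOne()
    if ($server -eq $null) { throw "No server object named '$Name' under CN=Sites" }
    $child = New-Object System.DirectoryServices.DirectorySearcher($server.GetDirectoryEntry())
    $child.Filter = '(objectClass=nTDSDSA)'
    $child.SearchScope = 'OneLevel'
    $ntds = $child.FindOne()
    if ($ntds -eq $null) { return $null }
    return New-Object System.Guid -ArgumentList (,[byte[]]$ntds.Properties['objectguid'][0])
}

function Test-ReplicationSpn {
    param([string]$Name, [string]$Domain)
    $guid = Get-DsaGuid -Name $Name
    if ($guid -eq $null) {
        return @{ DsaGuid = $null; SpnRegistered = $false; CnameResolves = $false }
    }
    $expected = "$ReplSpnClass/$guid/$Domain"

    # SPNs actually present on the computer account (the KDC resolves the SPN against this list).
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNc = [string]$rootDse.defaultNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$defaultNc")
    $s.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $computer = $s.FindOne()
    $spns = @()
    if ($computer -ne $null) { $spns = @($computer.Properties['serviceprincipalname']) }
    $registered = [bool]($spns | Where-Object { $_ -ieq $expected })

    # The GUID-based CNAME is what Event 1925 reports as the "source domain controller address".
    $cname = "$guid._msdcs.$Domain"
    $resolves = $false
    try { [System.Net.Dns]::GetHostAddresses($cname) | Out-Null; $resolves = $true } catch { }

    return @{
        DsaGuid = $guid; ExpectedSpn = $expected; SpnRegistered = $registered
        Cname = $cname; CnameResolves = $resolves
    }
}

$result = Test-ReplicationSpn -Name $DcName -Domain $DomainDns
$result.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

Run it once for each DC name that appears in Sites & Services (the thread later mentions both OPSDC and OPS-DC); a server object with no NTDS Settings comes back with an empty DsaGuid, which is the signature of a leftover object rather than a live DC.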
eridzone (Australia) replied:

Check the following things:

- Have you checked that healthy DCs are accessible from this DC? Turn off the firewall if it is on.
- Open the DNS console on its replication partner and check its NameServer record on the "Name Servers" tab.
- Run dcdiag /test:DNS. What is the result?
- Open a command prompt and run "net share". Does it show the NETLOGON and SYSVOL shares?

Have you created the entry RPC Replication Timeout (mins) in the registry of the new DC to extend its DC replication timeout?
BzowK (asker) replied:

Thanks for your reply -

To answer your questions...

- Windows Firewall is and has been off.  The service (ICS) isn't even running.

- The DCDIAG for DNS (the string you specified) results are in screenshot #1 below.

- The results for NET SHARE are in screenshot #2 below.

- Don't know if this makes a difference, but when looking at Sites & Services, I found that under the Site we are having trouble with, there are two DCs listed - OPS-DC and OPSDC.  OPS-DC doesn't exist - can't ping it and isn't in AD.  I assume it was put there by mistake.  I tried to delete it, but Windows won't let me.  (Screenshot #3)

- I connected to its partner (I think) and opened DNS.  I don't see a "Name Servers" tab.  However, I was able to ping the troublesome server from that server successfully.

- I haven't done anything in the registry, especially with RPC.

- I've also attached a full dcdiag from the troublesome server (DCDIAG.txt)  

Thanks again!
Attachments: 1.png, 2.png, 3.png, DCDIAG.txt
ASKER CERTIFIED SOLUTION from eridzone (Australia)
Hi8uS replied:

Check on the new DC that someone has not created a DNS zone as a primary zone (not AD-integrated) that is the same as your AD DNS zone. If there is, delete it and restart DNS.  If it is AD-integrated, do not delete it.
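Hi8uS's check (a file-backed primary zone with the same name as the AD zone) and the Event 4515 in the question (the same zone stored in two directory partitions) are both about duplicate copies of one zone. The script below, an added example that is not code from this thread, lists every copy of a zone that a DC knows about: the copy loaded by the local DNS service, read through WMI, and the dnsZone objects stored in each directory partition that can hold a zone, read through ADSI. It assumes PowerShell 2.0 or later run on the DC as a domain admin; PSBOC.LOCAL is the zone name from the question and is only a placeholder.

```powershell
# Added example, not code from the thread. Lists every copy of one DNS zone this DC knows about:
# the copy loaded by the local DNS service (WMI) and the dnsZone objects stored in each directory
# partition that can hold a zone (ADSI). Assumes PowerShell 2.0+ run on the DC as a domain admin;
# 'PSBOC.LOCAL' is the zone name from the question and is only a placeholder.
param([string]$ZoneName = 'PSBOC.LOCAL')

function Get-DnsZoneCopies {
    param([string]$Zone)

    # 1. What the DNS service has loaded. ZoneType 1 = primary; DsIntegrated $false with a DataFile
    #    is the file-backed primary zone Hi8uS describes.
    $loaded = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        Where-Object { $_.Name -ieq $Zone } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Where = 'DNS service'; ZoneType = $_.ZoneType
                DsIntegrated = $_.DsIntegrated; Detail = $_.DataFile
            }
        }

    # 2. What is stored in the directory. Event 4515 fires when the same zone exists in two of these.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$rootDse.defaultNamingContext
    $forestNc = [string]$rootDse.rootDomainNamingContext
    $containers = @(
        "CN=MicrosoftDNS,CN=System,$domainNc",          # legacy location (the "MicrosoftDNS" partition in the event)
        "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNc",  # DomainDnsZones application partition
        "CN=MicrosoftDNS,DC=ForestDnsZones,$forestNc"   # ForestDnsZones application partition
    )
    $stored = foreach ($dn in $containers) {
        $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dn")
        $s.Filter = "(&(objectClass=dnsZone)(dc=$Zone))"
        $s.SearchScope = 'OneLevel'
        try {
            foreach ($r in $s.FindAll()) {
                New-Object PSObject -Property @{
                    Where = 'Directory'; ZoneType = $null; DsIntegrated = $true; Detail = $r.Path
                }
            }
        } catch { }   # container absent (e.g. no ForestDnsZones partition): nothing to list
    }
    return @($loaded) + @($stored)
}

$copies = Get-DnsZoneCopies -Zone $ZoneName
$copies | Format-Table Where, ZoneType, DsIntegrated, Detail -AutoSize

$inDirectory = @($copies | Where-Object { $_.Where -eq 'Directory' })
$filePrimary = @($copies | Where-Object {
    $_.Where -eq 'DNS service' -and $_.ZoneType -eq 1 -and -not $_.DsIntegrated })
if ($inDirectory.Count -gt 1) {
    Write-Warning "$ZoneName exists in $($inDirectory.Count) directory partitions (the Event 4515 condition)"
}
if ($filePrimary.Count -gt 0) {
    Write-Warning "$ZoneName is loaded as a file-backed primary zone on this server"
}
```

The Detail column carries the LDAP path of each directory copy, which tells you which partition holds it; the event text above says the DNS server keeps the first copy it loaded and ignores the other, so the one to remove is the copy you did not intend to keep, and a file-backed primary is the only kind it is safe to delete without checking the partitions first.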
BzowK (asker) replied:

Thanks Guys!

I went through all the steps to delete the metadata.  I can't believe that I've never seen that in all of my experience.

eridzone:  I followed your instructions to the letter which were perfect, but I do have a question.

Before, I mentioned that my manager who created the server did something wrong or decided to change the name - anyways - as you know by now, the hostname of the troublesome server is "OPSDC."  In everything including DNS and AD Sites & Services, there is an "OPSDC" & an "OPS-DC." "OPS-DC" does not exist as I cannot ping it or even find a record for it as a computer in AD.

When I followed your metadata instructions, I removed all of the "OPS-DC" references, but left the "OPSDC" (correct name) ones.  After re-reading your post, should I go ahead and remove BOTH "OPS-DC" and "OPSDC," to basically start all over and then repromote as you mentioned at the end?

Either way, please suggest the best way to re-promote given the scenario.

Thanks again for your help -
BzowK (asker) replied:

After deleting the OPS-DC, I still had trouble so I went ahead and deleted the OPSDC too with plans to re-promote.  Followed your instructions as well as the similar ones from:
http://support.microsoft.com/?kbid=216498

I restarted OPSDC and ran "dcpromo."  After clicking the first "Next", the next prompt I get asks me to Remove Active Directory. (Screenshot #1)

I didn't go any further.

Did I miss a step while doing all of this?  Thanks!
Attachment: 1.png
How many DCs do you have?

If you want to do it from scratch then it's fine, you are on the right track; just don't tick the checkbox "This server is the last domain controller in the domain". Or, to play safe, try to run dcpromo /forceremoval and after that repeat the same metadata cleanup exercise as you did for the previous DC.

After that, wait until all your DCs update this change, then try to promote using the same name, or if you are in a hurry just rename the machine and promote it using a new name.

Before promotion of a new DC, always check that the machine doesn't have any viruses or corrupted system files; if possible do it by re-installation of the OS, patches and updated antivirus.

Don't tick the box and just continue on.
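Before running dcpromo again after the cleanup in KB 216498, it helps to see where the old DC's name still appears in the directory and in DNS. The script below, an added example that is not code from this thread, lists for each name its server object and NTDS Settings under CN=Sites, its computer account, its FRS member object for SYSVOL, and every DNS record that is owned by the host or points at it. It assumes PowerShell 2.0 or later run on a surviving DC that also runs DNS, as a domain admin; the names OPS-DC, OPSDC and DOMAINABC.LOCAL are placeholders from the thread. The Sites, NTDS Settings, FRS and _msdcs entries are what the cleanup should have removed; whether a computer account or a host A record for the name the machine still uses should remain depends on whether it is still joined as a member server.

```powershell
# Added example, not code from the thread. After the metadata cleanup in KB 216498 and before running
# dcpromo again, lists where a removed DC's name still appears: its server object and NTDS Settings
# under CN=Sites, its computer account, its FRS member object for SYSVOL, and DNS records naming it.
# Assumes PowerShell 2.0+ run on a surviving DC (which also runs DNS) as a domain admin; the names
# 'OPS-DC', 'OPSDC' and 'DOMAINABC.LOCAL' are placeholders taken from the thread.
param(
    [string[]]$DcNames = @('OPS-DC', 'OPSDC'),
    [string]$DomainDns = 'DOMAINABC.LOCAL'
)

function Find-StaleDcReferences {
    param([string]$Name, [string]$Domain)
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNc = [string]$rootDse.defaultNamingContext
    $configNc  = [string]$rootDse.configurationNamingContext
    $fqdn      = "$Name.$Domain"

    # One LDAP query -> the paths it matches (empty when the search base does not exist).
    $query = {
        param($base, $filter, $scope)
        $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$base")
        $s.Filter = $filter
        $s.SearchScope = $scope
        try { foreach ($r in $s.FindAll()) { $r.Path } } catch { }
    }
    $hit = { param($kind, $where)
        New-Object PSObject -Property @{ Dc = $Name; Kind = $kind; Where = $where } }

    $found = @()
    # Server object and NTDS Settings in Sites (what ntdsutil "remove selected server" deletes).
    foreach ($p in & $query "CN=Sites,$configNc" "(&(objectClass=server)(cn=$Name))" 'Subtree') {
        $found += & $hit 'Sites server object' $p
    }
    foreach ($p in & $query "CN=Sites,$configNc" '(objectClass=nTDSDSA)' 'Subtree') {
        if ($p -like "*CN=NTDS Settings,CN=$Name,*") { $found += & $hit 'NTDS Settings' $p }
    }
    # Computer account (for a DC it lives in the Domain Controllers OU).
    foreach ($p in & $query $defaultNc "(&(objectCategory=computer)(sAMAccountName=$Name`$))" 'Subtree') {
        $found += & $hit 'Computer account' $p
    }
    # FRS member object for the SYSVOL replica set.
    $frsBase = "CN=File Replication Service,CN=System,$defaultNc"
    foreach ($p in & $query $frsBase "(&(objectClass=nTFRSMember)(cn=$Name))" 'Subtree') {
        $found += & $hit 'FRS SYSVOL member' $p
    }
    # DNS records owned by the host or pointing at it (A, NS, CNAME in _msdcs, SRV locator records).
    $records = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_ResourceRecord |
        Where-Object { $_.OwnerName -ieq $fqdn -or $_.RecordData -like "*$fqdn*" }
    foreach ($rec in $records) {
        $found += & $hit 'DNS record' "$($rec.OwnerName) -> $($rec.RecordData)"
    }
    return $found
}

foreach ($dc in $DcNames) {
    $refs = @(Find-StaleDcReferences -Name $dc -Domain $DomainDns)
    if ($refs.Count -eq 0) { "No references to $dc remain" }
    else { $refs | Format-Table Dc, Kind, Where -AutoSize }
}
```

Run it on more than one surviving DC if the domain spans sites: a reference that is gone on one DC but still present on another has simply not replicated yet, which matches the advice above to wait for all DCs to pick up the change before promoting again.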