FRS DIAG ISSUES
Having issues with mixed Server OS's 2003 R2 and 2008 R2 with FRS Diag: The was working pretty well before. All servers were demoted except DC3 then brought back up over 3 day weeekend. All were working with no errors untill several days later, presumably afterl replications finally completed. Now its a mess. I cannot seem to get a fix on the cause(s). repadmin /showrepl shows everything replicating correctly. SPN's all appear to be correct. as well. Can anyone give me a clue on this one. I'm to close to itand tired and am beating my head against the wall out of frustration. DC2-3 are 2008 R2 all else are 2003 R2.
Thanks...
DC1
NtFrs 9/5/2010 8:02:36 PM Warning 13508 The File Replication Service is having trouble enabling replication from DC3 to DC1for c:\windows\sysvol\domain using the DNS name DC3.domain.com. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name DC3.domain.com from this computer. [2] FRS is not running on DC3.domain.com. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
WARNING: Found Event ID 13508 errors without trailing 13509 ... see above for (up to) the 3 latest entries!
DC2
NTDS Replication 9/6/2010 1:02:36 PM Error 1645 Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN. Destination domain controller: 50ecd707-d579-41e0-b220-1a
WARNING: Found Directory Service Errors in the past 15 days! FRS Depends on AD so Check AD Replication!
DC3
NtFrs 9/7/2010 9:31:57 PM Warning 13508 The File Replication Service is having trouble enabling replication from DC4 to DC3 for c:\windows\sysvol\domain using the DNS name DC4.domain.com. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name DC4.domain.com from this computer. [2] FRS is not running on DC4.domain.com. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
WARNING: Found Event ID 13508 errors without trailing 13509 ... see above for (up to) the 3 latest entries!
......... failed 1
Checking for errors in Directory Service Event Log ....
NTDS Replication 9/10/2010 11:29:16 AM Error 1791 Replication of Naming Context DC=domain,DC=org from source f7cab657-9f79-4b00-be4f-91
NTDS Replication 9/10/2010 11:29:16 AM Error 1791 Replication of Naming Context DC=DomainDnsZones,DC=domai
NTDS Replication 9/10/2010 11:26:37 AM Error 1791 Replication of Naming Context DC=domain,DC=org from source f7cab657-9f79-4b00-be4f-91
NTDS General 9/5/2010 12:16:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: CN=Configuration,DC=domain
NTDS General 9/5/2010 12:16:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=ForestDnsZones,DC=domai
NTDS General 9/5/2010 12:16:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=DomainDnsZones,DC=domai
NTDS General 9/5/2010 12:16:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=domain,DC=org There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers. User Action Use Active Directory Sites and Services to perform one of the following actions: - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site. If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
NTDS General 9/5/2010 12:01:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: CN=Configuration,DC=domain
NTDS General 9/5/2010 12:01:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=ForestDnsZones,DC=domai
NTDS General 9/5/2010 12:01:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=DomainDnsZones,DC=domai
NTDS General 9/5/2010 12:01:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=domain,DC=org There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers. User Action Use Active Directory Sites and Services to perform one of the following actions: - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site. If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
WARNING: Found Directory Service Errors in the past 15 days! FRS Depends on AD so Check AD Replication!
......... failed 11
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0001.log : "RPC_S_CALL_FAILED_DNE(Ind
ERROR on NtFrs_0001.log : "RPC_S_CALL_FAILED_DNE(Ind
ERROR on NtFrs_0001.log : "RPC_S_CALL_FAILED_DNE(Ind
Found 3 RPC_S_CALL_FAILED_DNE error(s)! Latest ones (up to 3) listed above
DC4
ONLY ONE PASSING
DC5
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : "ERROR_ACCESS_DENIED" : <SndCsMain: 5832: 904: S0: 00:36:08> :SR: Cmd 0152a9d0, CxtG 7a31f797, WS ERROR_ACCESS_DENIED, To DC2.domain.com Len: (372) [SndFail - Send Penalty]
ERROR on NtFrs_0004.log : "ERROR_ACCESS_DENIED" : <SndCsMain: 5832: 877: S0: 00:37:34> :SR: Cmd 01539168, CxtG 7a31f797, WS ERROR_ACCESS_DENIED, To DC2.domain.com Len: (372) [SndFail - rpc call]
ERROR on NtFrs_0004.log : "ERROR_ACCESS_DENIED" : <SndCsMain: 5832: 904: S0: 00:37:34> :SR: Cmd 01539168, CxtG 7a31f797, WS ERROR_ACCESS_DENIED, To DC2.domain.com Len: (372) [SndFail - Send Penalty]
Thanks...
DC1
NtFrs 9/5/2010 8:02:36 PM Warning 13508 The File Replication Service is having trouble enabling replication from DC3 to DC1for c:\windows\sysvol\domain using the DNS name DC3.domain.com. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name DC3.domain.com from this computer. [2] FRS is not running on DC3.domain.com. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
WARNING: Found Event ID 13508 errors without trailing 13509 ... see above for (up to) the 3 latest entries!
DC2
NTDS Replication 9/6/2010 1:02:36 PM Error 1645 Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN. Destination domain controller: 50ecd707-d579-41e0-b220-1a
WARNING: Found Directory Service Errors in the past 15 days! FRS Depends on AD so Check AD Replication!
DC3
NtFrs 9/7/2010 9:31:57 PM Warning 13508 The File Replication Service is having trouble enabling replication from DC4 to DC3 for c:\windows\sysvol\domain using the DNS name DC4.domain.com. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name DC4.domain.com from this computer. [2] FRS is not running on DC4.domain.com. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
WARNING: Found Event ID 13508 errors without trailing 13509 ... see above for (up to) the 3 latest entries!
......... failed 1
Checking for errors in Directory Service Event Log ....
NTDS Replication 9/10/2010 11:29:16 AM Error 1791 Replication of Naming Context DC=domain,DC=org from source f7cab657-9f79-4b00-be4f-91
NTDS Replication 9/10/2010 11:29:16 AM Error 1791 Replication of Naming Context DC=DomainDnsZones,DC=domai
NTDS Replication 9/10/2010 11:26:37 AM Error 1791 Replication of Naming Context DC=domain,DC=org from source f7cab657-9f79-4b00-be4f-91
NTDS General 9/5/2010 12:16:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: CN=Configuration,DC=domain
NTDS General 9/5/2010 12:16:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=ForestDnsZones,DC=domai
NTDS General 9/5/2010 12:16:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=DomainDnsZones,DC=domai
NTDS General 9/5/2010 12:16:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=domain,DC=org There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers. User Action Use Active Directory Sites and Services to perform one of the following actions: - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site. If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
NTDS General 9/5/2010 12:01:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: CN=Configuration,DC=domain
NTDS General 9/5/2010 12:01:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=ForestDnsZones,DC=domai
NTDS General 9/5/2010 12:01:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=DomainDnsZones,DC=domai
NTDS General 9/5/2010 12:01:45 AM Error 1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=domain,DC=org There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers. User Action Use Active Directory Sites and Services to perform one of the following actions: - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site. If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
WARNING: Found Directory Service Errors in the past 15 days! FRS Depends on AD so Check AD Replication!
......... failed 11
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0001.log : "RPC_S_CALL_FAILED_DNE(Ind
ERROR on NtFrs_0001.log : "RPC_S_CALL_FAILED_DNE(Ind
ERROR on NtFrs_0001.log : "RPC_S_CALL_FAILED_DNE(Ind
Found 3 RPC_S_CALL_FAILED_DNE error(s)! Latest ones (up to 3) listed above
DC4
ONLY ONE PASSING
DC5
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : "ERROR_ACCESS_DENIED" : <SndCsMain: 5832: 904: S0: 00:36:08> :SR: Cmd 0152a9d0, CxtG 7a31f797, WS ERROR_ACCESS_DENIED, To DC2.domain.com Len: (372) [SndFail - Send Penalty]
ERROR on NtFrs_0004.log : "ERROR_ACCESS_DENIED" : <SndCsMain: 5832: 877: S0: 00:37:34> :SR: Cmd 01539168, CxtG 7a31f797, WS ERROR_ACCESS_DENIED, To DC2.domain.com Len: (372) [SndFail - rpc call]
ERROR on NtFrs_0004.log : "ERROR_ACCESS_DENIED" : <SndCsMain: 5832: 904: S0: 00:37:34> :SR: Cmd 01539168, CxtG 7a31f797, WS ERROR_ACCESS_DENIED, To DC2.domain.com Len: (372) [SndFail - Send Penalty]
Last Comment
ASKER
Now to make sure your talking teh same lingo. Your talking, point Preferred DNS server to self correct? Which I am already doing.
Yes.
Run dcdiag
Run dcdiag
ASKER
I have run DCDIAG on all of them. All passing, with the exception of systemlogs, which is not abnormal really and DC3 not passing Advertising.
DC03 is not passing what advertising Time? Or could be that DC3 is not advertising as a DC as well.
You can clear your syslogs to see if new ones populate
You can clear your syslogs to see if new ones populate
ASKER
I didnt really understand that. Can you perhaps rephrase? Also clear which logs? System Event logs or which?
ASKER
You are passing everything. Are you getting new errors in the Event logs?
ASKER
No, I'm just getting the errors in FRSDIAG. I did find that there were a couple of DNS issues, minor though. No Zone transfers betwwen DNS Servers. Also a slightly off DHCP Setting. But no others reaslly. Waiting for a bit before I rerun FRSDIAG again.
ASKER
Still even after fixing what seemed very minor, FRSDIAG has not change. I still have the issues above.
What errors are you gettingin FRSDIAG. Run repadmin /syncall.
ASKER
Ive already run "repadmin /syncall" The errors I'm getting in FRSDIAG are all pasted above.
Those could be old errors. What are the results from repadmin /syncall
ASKER
I get no errors on it, from any dc.
Looks like you are ok there was an issue in the pass but I don't see any current issues FRSDIAG looks at your logs which can be very old logs.
ASKER
ok, so what can I do to see if they are passing now? Do I need to delete all my logs the rerun FRS?
Are you getting any errors in the Event viewer now?
ASKER
I still get a 13508 on DC1, 1791 and 1311 on DC3 and 5832 on DC5, DC2 and DC4 pass
You might are going to have to demote DC3 then repromote
ASKER
I'll have to try that, but it will be next week before I can attempt it.
Once you demote run metadata cleanup to make sure you don't have any lingering objects
ASKER
ok after trying to clean a tad more up.
DC1 - 1 error, 13508.
DC2 - 4 errors, 13508 and 1791 which points at replication on DC5.
DC3 - passes
DC4 - passes
DC5 - 70 errors, 5832 access denied to DC3.
I have tried in site and services to deleted and let it rebuild the link which it does but seems to be no help.
After looking at these errors do you still think DC3 needs rebuilt, sices it passes? I would think there are other things to do?
DC1 - 1 error, 13508.
DC2 - 4 errors, 13508 and 1791 which points at replication on DC5.
DC3 - passes
DC4 - passes
DC5 - 70 errors, 5832 access denied to DC3.
I have tried in site and services to deleted and let it rebuild the link which it does but seems to be no help.
After looking at these errors do you still think DC3 needs rebuilt, sices it passes? I would think there are other things to do?
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Shouldnt that be Stop NTFRS on ALL DCs? make one of the passing DCs a burflag D4, then all others D2?
Just the ones you are going to place the burflag in
ASKER
I must mis-understand then how the burflag works. I had thought that by setting D4 on the one that it would affect ALL DCs, not just the one with D2.
ASKER
Sorry, this had forgoten.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
Windows Server 2003
Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).
129K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
The burflag method is an option.
Stopped NTFRS service on both DCs.
Make one of the DC authoritative server by modifying registry setting : Navigate to registry HKLM\System\CCS\Services\N
Go to other DC and make that Non-authoritative by navigating to same registry location HKLM\System\CCS\Services\N