?
Solved

FRS DIAG ISSUES

Posted on 2010-09-13
29
Medium Priority
?
1,434 Views
Last Modified: 2012-05-10
Having issues with mixed Server OS's 2003 R2 and 2008 R2 with FRS Diag: The was working pretty well before. All servers were demoted except DC3 then brought back up over 3 day weeekend. All were working with no errors untill several days later, presumably afterl replications finally completed. Now its a mess. I cannot seem to get a fix on the cause(s). repadmin /showrepl shows everything replicating correctly. SPN's all appear to be correct. as well. Can anyone give me a clue on this one. I'm to close to itand tired and am beating my head against the wall out of frustration.  DC2-3 are 2008 R2 all else are 2003 R2.
Thanks...

DC1
NtFrs      9/5/2010 8:02:36 PM      Warning      13508      The File Replication Service is having trouble enabling replication  from DC3 to DC1for c:\windows\sysvol\domain using the DNS name DC3.domain.com. FRS will keep retrying.     Following are some of the reasons you would see this warning.         [1] FRS can not correctly resolve the DNS name DC3.domain.com from this computer.     [2] FRS is not running on DC3.domain.com.     [3] The topology information in the Active Directory for this replica has not  yet replicated to all the Domain Controllers.         This event log message will appear once per connection, After the problem  is fixed you will see another event log message indicating that the connection  has been established.
      WARNING: Found Event ID 13508 errors without trailing 13509 ... see above for (up to) the 3 latest entries!

DC2
NTDS Replication      9/6/2010 1:02:36 PM      Error      1645      Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.        Destination domain controller:  50ecd707-d579-41e0-b220-1ac48dfcba76._msdcs.domain.com    SPN:  E3514235-4B06-11D1-AB04-00C04FC2DCD2/50ecd707-d579-41e0-b220-1ac48dfcba76/domain.com@domain.com        User Action    Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controller’s computer account data to replicate to the KDC before this computer can be authenticated.
      WARNING: Found Directory Service Errors in the past 15 days! FRS Depends on AD so Check AD Replication!

DC3
NtFrs      9/7/2010 9:31:57 PM      Warning      13508      The File Replication Service is having trouble enabling replication  from DC4 to DC3 for c:\windows\sysvol\domain using the DNS name DC4.domain.com. FRS will keep retrying.     Following are some of the reasons you would see this warning.         [1] FRS can not correctly resolve the DNS name DC4.domain.com from this computer.     [2] FRS is not running on DC4.domain.com.     [3] The topology information in the Active Directory for this replica has not  yet replicated to all the Domain Controllers.         This event log message will appear once per connection, After the problem  is fixed you will see another event log message indicating that the connection  has been established.
      WARNING: Found Event ID 13508 errors without trailing 13509 ... see above for (up to) the 3 latest entries!

 ......... failed 1
Checking for errors in Directory Service Event Log ....       
NTDS Replication      9/10/2010 11:29:16 AM      Error      1791      Replication of Naming Context DC=domain,DC=org from source f7cab657-9f79-4b00-be4f-91735ec9cbc0 (DC5.domain.com) has been aborted.  Replication requires consistent schema but last attempt to sync  the schema had failed. It is crucial that schema replication  functions properly. See previous errors for more diagnostics.  If this issue persists, please contact Microsoft Product DC4  Services for assistance.  Error 8418: The replication operation failed because of a schema mismatch between the servers involved..      
NTDS Replication      9/10/2010 11:29:16 AM      Error      1791      Replication of Naming Context DC=DomainDnsZones,DC=domain,DC=org from source f7cab657-9f79-4b00-be4f-91735ec9cbc0 (DC5.domain.com) has been aborted.  Replication requires consistent schema but last attempt to sync  the schema had failed. It is crucial that schema replication  functions properly. See previous errors for more diagnostics.  If this issue persists, please contact Microsoft Product DC4  Services for assistance.  Error 8418: The replication operation failed because of a schema mismatch between the servers involved..      
NTDS Replication      9/10/2010 11:26:37 AM      Error      1791      Replication of Naming Context DC=domain,DC=org from source f7cab657-9f79-4b00-be4f-91735ec9cbc0 (DC5.domain.com) has been aborted.  Replication requires consistent schema but last attempt to sync  the schema had failed. It is crucial that schema replication  functions properly. See previous errors for more diagnostics.  If this issue persists, please contact Microsoft Product DC4  Services for assistance.  Error 8418: The replication operation failed because of a schema mismatch between the servers involved..      
NTDS General      9/5/2010 12:16:45 AM      Error      1311      The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.        Directory partition:  CN=Configuration,DC=domain,DC=org        There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.        User Action    Use Active Directory Sites and Services to perform one of the following actions:    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.    - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.        If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.      
NTDS General      9/5/2010 12:16:45 AM      Error      1311      The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.        Directory partition:  DC=ForestDnsZones,DC=domain,DC=org        There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.        User Action    Use Active Directory Sites and Services to perform one of the following actions:    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.    - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.        If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.      
NTDS General      9/5/2010 12:16:45 AM      Error      1311      The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.        Directory partition:  DC=DomainDnsZones,DC=domain,DC=org        There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.        User Action    Use Active Directory Sites and Services to perform one of the following actions:    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.    - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.        If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.      
NTDS General      9/5/2010 12:16:45 AM      Error      1311      The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.        Directory partition:  DC=domain,DC=org        There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.        User Action    Use Active Directory Sites and Services to perform one of the following actions:    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.    - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.        If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.      
NTDS General      9/5/2010 12:01:45 AM      Error      1311      The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.        Directory partition:  CN=Configuration,DC=domain,DC=org        There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.        User Action    Use Active Directory Sites and Services to perform one of the following actions:    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.    - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.        If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.      
NTDS General      9/5/2010 12:01:45 AM      Error      1311      The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.        Directory partition:  DC=ForestDnsZones,DC=domain,DC=org        There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.        User Action    Use Active Directory Sites and Services to perform one of the following actions:    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.    - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.        If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.      
NTDS General      9/5/2010 12:01:45 AM      Error      1311      The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.        Directory partition:  DC=DomainDnsZones,DC=domain,DC=org        There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.        User Action    Use Active Directory Sites and Services to perform one of the following actions:    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.    - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.        If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.      
NTDS General      9/5/2010 12:01:45 AM      Error      1311      The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.        Directory partition:  DC=domain,DC=org        There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.        User Action    Use Active Directory Sites and Services to perform one of the following actions:    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.    - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.        If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
      WARNING: Found Directory Service Errors in the past 15 days! FRS Depends on AD so Check AD Replication!

 ......... failed 11
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
      ERROR on NtFrs_0001.log : "RPC_S_CALL_FAILED_DNE(Indicates RPC Session was established to target, but there was a failure to send RPC call package. Check for Networking problems!)" : <SndCsMain:                     6760:   883: S0: 05:00:21> ++ ERROR - EXCEPTION (000006bf) :  WStatus: RPC_S_CALL_FAILED_DNE
      ERROR on NtFrs_0001.log : "RPC_S_CALL_FAILED_DNE(Indicates RPC Session was established to target, but there was a failure to send RPC call package. Check for Networking problems!)" : <SndCsMain:                     6760:   884: S0: 05:00:21> :SR: Cmd 12716f80, CxtG efb7a625, WS RPC_S_CALL_FAILED_DNE, To   DC4.domain.com Len:  (374) [SndFail - rpc exception]
      ERROR on NtFrs_0001.log : "RPC_S_CALL_FAILED_DNE(Indicates RPC Session was established to target, but there was a failure to send RPC call package. Check for Networking problems!)" : <SndCsMain:                     6760:   904: S0: 05:00:21> :SR: Cmd 12716f80, CxtG efb7a625, WS RPC_S_CALL_FAILED_DNE, To   DC4.domain.com Len:  (374) [SndFail - Send Penalty]

      Found 3 RPC_S_CALL_FAILED_DNE error(s)! Latest ones (up to 3) listed above

DC4
ONLY ONE PASSING

DC5
Checking for errors in debug logs ...
      ERROR on NtFrs_0004.log : "ERROR_ACCESS_DENIED" : <SndCsMain:                     5832:   904: S0: 00:36:08> :SR: Cmd 0152a9d0, CxtG 7a31f797, WS ERROR_ACCESS_DENIED, To   DC2.domain.com Len:  (372) [SndFail - Send Penalty]
      ERROR on NtFrs_0004.log : "ERROR_ACCESS_DENIED" : <SndCsMain:                     5832:   877: S0: 00:37:34> :SR: Cmd 01539168, CxtG 7a31f797, WS ERROR_ACCESS_DENIED, To   DC2.domain.com Len:  (372) [SndFail - rpc call]
      ERROR on NtFrs_0004.log : "ERROR_ACCESS_DENIED" : <SndCsMain:                     5832:   904: S0: 00:37:34> :SR: Cmd 01539168, CxtG 7a31f797, WS ERROR_ACCESS_DENIED, To   DC2.domain.com Len:  (372) [SndFail - Send Penalty]
0
Comment
Question by:Lazarus
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 15
  • 12
29 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33665759
Make sure all DCs are pointing to internal DNS servers only in their TCP\IP settings.

The burflag method is an option.

Stopped NTFRS service on both DCs.
Make one of the DC authoritative server by modifying registry setting : Navigate to registry HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and Set the Burflags value to D4. This should be done with server which has the Updated information available or correct data.
Go to other DC and make that Non-authoritative by navigating to same registry location HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and Set the Burflags value to D2.
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33666262
Now to make sure your talking teh same lingo. Your talking,  point Preferred DNS server to self correct? Which I am already doing.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33666287
Yes.

Run dcdiag
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 20

Author Comment

by:Lazarus
ID: 33666382
I have run DCDIAG on all of them. All passing, with the exception of systemlogs, which is not abnormal really and DC3 not passing Advertising.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33666402
DC03 is not passing what advertising Time? Or could be that DC3 is not advertising as a DC as well.

You can clear your syslogs to see if new ones populate
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33666476
I didnt really understand that. Can you perhaps rephrase? Also clear which logs? System Event logs or which?
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33666550
DCDIAG.txt file attached if that helps.

dcdiag.txt
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33672354
You are passing everything. Are you getting new errors in the Event logs?
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33674019
No, I'm just getting the errors in FRSDIAG. I did find that there were a couple of DNS issues, minor though. No Zone transfers betwwen DNS Servers. Also a slightly off DHCP Setting. But no others reaslly. Waiting for a bit before I rerun FRSDIAG again.
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33677310
Still even after fixing what seemed very minor, FRSDIAG has not change. I still have the issues above.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33681680
What errors are you gettingin FRSDIAG. Run repadmin /syncall.
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33685972
Ive already run "repadmin /syncall" The errors I'm getting in FRSDIAG are all pasted above.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33685997
Those could be old errors. What are the results from repadmin /syncall
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33686071
I get no errors on it, from any dc.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33691933
Looks like you are ok there was an issue in the pass but I don't see any current issues FRSDIAG looks at your logs which can be very old logs.
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33693950
ok, so what can I do to see if they are passing now? Do I need to delete all my logs the rerun FRS?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33694986
Are you getting any errors in the Event viewer now?
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33695425
I still get a 13508 on DC1, 1791 and 1311 on DC3 and 5832 on DC5, DC2 and DC4 pass
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33695940
You might are going to have to demote DC3 then repromote
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33696438
I'll have to try that, but it will be next week before I can attempt it.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33696781
Once you demote run metadata cleanup to make sure you don't have any lingering objects
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33702311
ok after trying to clean a tad more up.

DC1 - 1 error, 13508.
DC2 - 4 errors, 13508 and 1791 which points at replication on DC5.
DC3 - passes
DC4 - passes
DC5 - 70 errors, 5832 access denied to DC3.

I have tried in site and services to deleted and let it rebuild the link which it does but seems to be no help.
After looking at these errors do you still think DC3 needs rebuilt, sices it passes? I would think there are other things to do?
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 2000 total points
ID: 33702327
Seems like DC5 has a bunch of issues.

Do this with DC5.

Stopped NTFRS service on both DCs.
Make one of the DC authoritative server by modifying registry setting : Navigate to registry HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and Set the Burflags value to D4. This should be done with server which has the Updated information available or correct data.
Go to other DC and make that Non-authoritative by navigating to same registry location HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and Set the Burflags value to D2.
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33702442
Shouldnt that be Stop NTFRS on ALL DCs? make one of the passing DCs a burflag D4, then all others D2?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33703167
Just the ones you are going to place the burflag in
0
 
LVL 20

Author Comment

by:Lazarus
ID: 33703214
I must mis-understand then how the burflag works. I had thought that by setting D4 on the one that it would affect ALL DCs, not just the one with D2.
0
 
LVL 20

Author Comment

by:Lazarus
ID: 34660848
Sorry, this had forgoten.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 34690035
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question