Solved

Replication issues after server conflict

Posted on 2010-09-17
Last Modified: 2012-05-10
I have 2 domain controllers.  One at site A and one at site B.

At site A, I converted the domain controller (DC) to a virtual machine.  After I booted the new VM DC, I started the old one to check something and forgot to remove the network cables.  So, it tried to get on the network and gave me a conflicting machine message.  I removed the cables from the old machine, but now I am getting a bunch of errors.  Basically, the new DC doesn't look valid to the other DC at site B.

Here is a list of errors and the DCDIAG.exe output:

Your help is GREATLY appreciated!


 
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Ottawa\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity

Doing primary tests

   Testing server: Ottawa\DC2
      Starting test: Replications
         [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: DC=ForestDnsZones,DC=DOMAIN,DC=local
            The replication generated an error (1256):
            Win32 Error 1256
            The failure occurred at 2010-09-17 13:33:27.
            The last success occurred at 2010-09-15 13:34:09.
            191 failures have occurred since the last success.
         [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: DC=DomainDnsZones,DC=DOMAIN,DC=local
            The replication generated an error (1256):
            Win32 Error 1256
            The failure occurred at 2010-09-17 13:33:27.
            The last success occurred at 2010-09-15 13:34:09.
            191 failures have occurred since the last success.
         [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
            The replication generated an error (-2146893022):
            Win32 Error -2146893022
            The failure occurred at 2010-09-17 13:33:28.
            The last success occurred at 2010-09-15 13:34:09.
            191 failures have occurred since the last success.
         [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: CN=Configuration,DC=DOMAIN,DC=local
            The replication generated an error (-2146893022):
            Win32 Error -2146893022
            The failure occurred at 2010-09-17 13:33:27.
            The last success occurred at 2010-09-15 13:34:09.
            191 failures have occurred since the last success.
         [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: DC=DOMAIN,DC=local
            The replication generated an error (-2146893022):
            Win32 Error -2146893022
            The failure occurred at 2010-09-17 13:33:27.
            The last success occurred at 2010-09-15 13:34:09.
            191 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         DC2:  Current time is 2010-09-17 13:45:11.
            DC=ForestDnsZones,DC=DOMAIN,DC=local
               Last replication recieved from DC1 at 2010-09-15 13:34:09.
            DC=DomainDnsZones,DC=DOMAIN,DC=local
               Last replication recieved from DC1 at 2010-09-15 13:34:09.
            CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
               Last replication recieved from DC1 at 2010-09-15 13:34:09.
            CN=Configuration,DC=DOMAIN,DC=local
               Last replication recieved from DC1 at 2010-09-15 13:34:09.
            DC=DOMAIN,DC=local
               Last replication recieved from DC1 at 2010-09-15 13:34:09.
         REPLICATION-RECEIVED LATENCY WARNING
          Source site:
         CN=NTDS Site Settings,CN=Markham,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
          Current time: 2010-09-17 13:45:12
          Last update time: 2010-09-15 12:52:37
          Check if source site has an elected ISTG running.
          Check replication from source site to this server.
         ......................... DC2 passed test Replications
      Starting test: NCSecDesc
         ......................... DC2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC2 passed test NetLogons
      Starting test: Advertising
         ......................... DC2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         [DC1] DsBindWithSpnEx() failed with error -2146893022,
         Win32 Error -2146893022.
         Warning: DC1 is the Schema Owner, but is not responding to DS RPC Bind.
         [DC1] LDAP bind failed with error 8341,
         Win32 Error 8341.
         Warning: DC1 is the Schema Owner, but is not responding to LDAP Bind.
         Warning: DC1 is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: DC1 is the Domain Owner, but is not responding to LDAP Bind.
         Warning: DC1 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: DC1 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: DC1 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: DC1 is the Rid Owner, but is not responding to LDAP Bind.
         Warning: DC1 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         Warning: DC1 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
         ......................... DC2 failed test KnowsOfRoleHolders

      Starting test: RidManager
         ......................... DC2 failed test RidManager
      Starting test: MachineAccount
         ......................... DC2 passed test MachineAccount
      Starting test: Services
         ......................... DC2 passed test Services
      Starting test: ObjectsReplicated
         ......................... DC2 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DC2 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC2 failed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/17/2010   13:41:34
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/17/2010   13:41:34
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/17/2010   13:41:34
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/17/2010   13:41:34
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/17/2010   13:41:34
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/17/2010   13:41:34
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/17/2010   13:41:34
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/17/2010   13:41:34
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/17/2010   13:41:34
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/17/2010   13:41:34
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/17/2010   13:41:34
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/17/2010   13:41:34
            Event String: The Knowledge Consistency Checker (KCC) was
         ......................... DC2 failed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/17/2010   13:07:04
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/17/2010   13:18:27
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 09/17/2010   13:26:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 09/17/2010   13:26:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 09/17/2010   13:26:43
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 09/17/2010   13:26:43
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/17/2010   13:45:06
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/17/2010   13:45:07
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/17/2010   13:45:12
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/17/2010   13:45:12
            Event String: The kerberos client received a
         ......................... DC2 failed test systemlog
      Starting test: VerifyReferences
         ......................... DC2 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : EFC
      Starting test: CrossRefValidation
         ......................... EFC passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... EFC passed test CheckSDRefDom

   Running enterprise tests on : EFC.local
      Starting test: Intersite
         ......................... EFC.local passed test Intersite
      Starting test: FsmoCheck
         ......................... EFC.local passed test FsmoCheck
Event Type:	Error
Event Source:	Kerberos
Event Category:	None
Event ID:	4
Date:		9/17/2010
Time:		2:09:05 PM
User:		N/A
Computer:	DC2
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/DC1.efc.local.  The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAIN.LOCAL), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:	Warning
Event Source:	NtFrs
Event Category:	None
Event ID:	13508
Date:		9/17/2010
Time:		3:17:24 PM
User:		N/A
Computer:	DC1
Description:
The File Replication Service is having trouble enabling replication from EFC-S09-OTTAWA to EFC-DC1 for c:\windows\sysvol\domain using the DNS DC2.DOMAIN.local. FRS will keep retrying. 
 Following are some of the reasons you would see this warning. 
 
 [1] FRS can not correctly resolve the DNS name DC2.DOMAIN.local from this computer. 
 [2] FRS is not running DC2.DOMAIN.local. 
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. 
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: d5 04 00 00               Õ...    




Event Type:	Warning
Event Source:	NTDS Replication
Event Category:	Replication 
Event ID:	2092
Date:		9/17/2010
Time:		4:07:44 PM
User:		NT AUTHORITY\ANONYMOUS LOGON
Computer:	DC1
Description:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. 
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
 
FSMO Role: DC=DOMAIN,DC=local 
 
User Action: 
 
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication. 
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 
 
The following operations may be impacted: 
Schema: You will no longer be able to modify the schema for this forest. 
Domain Naming: You will no longer be able to add or remove domains from this forest. 
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts. 
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups. 
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


0
Question by:dauyeung
6 Comments
 
LVL 12

Assisted Solution

by:FDiskWizard
FDiskWizard earned 100 total points
ID: 33705112
You could go crazy trying to look up what MIGHT cause those errors from Diag...

Look at some basics. Have you rebooted the VM? Or at least restarted Netlogon? (That will do some registration in AD.)
0
 
LVL 10

Assisted Solution

by:Bawer
Bawer earned 50 total points
ID: 33705118
If you have converted the DC to a VM, then why is the old DC still running? Try to demote it and make sure all the roles which were on the old one are now on the new one.
0
 
LVL 5

Assisted Solution

by:koquito
koquito earned 100 total points
ID: 33705787
Is there any firewall in between blocking traffic from site A to B?
0
 

Author Comment

by:dauyeung
ID: 33706010
Tried rebooting.

The old DC isn't running anymore.  I restarted it accidentally with the network cables in.  I had to take a look at something on it before I rebuilt it.

There is a VPN between the sites.  Nothing's changed there for months.

I believe it has something to do with either the computer passwords, something called SPN, SIDs or something like that.
0
 
LVL 5

Expert Comment

by:koquito
ID: 33706118
Let me see if I get it straight. This error has nothing to do with site B, but rather with a DC you had running at site A (which you call the old DC), which, in addition, you had running in parallel (accidentally) with its own DC VM, right?
Do both DCs share the same name?
Have you tried NTDSUTIL.EXE?


0
 

Accepted Solution

by:
dauyeung earned 0 total points
ID: 33719377
I figured it out.

I reset the Kerberos password for the duplicated DC according to the following article:

http://support.microsoft.com/kb/325850
0
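Why a Kerberos password reset fits the diagnostics in the question: the added Python example below (not part of the original thread) parses DCDIAG-style failure lines, converts the signed decimal -2146893022 to its HRESULT form, and flags the combination of that code with KRB_AP_ERR_MODIFIED. The sample input is constructed from lines shaped like the question's output, and the verdict labels are names chosen for this example.

```python
import re

# Standard Win32/SSPI names for the codes in the DCDIAG output above.
KNOWN = {
    0x80090322: "SEC_E_WRONG_PRINCIPAL (the target principal name is incorrect)",
    1256: "ERROR_HOST_DOWN (the remote system is not available)",
    8341: "ERROR_DS_GENERIC_ERROR (a directory service error has occurred)",
}
AUTH_CODES = {0x80090322}  # codes that point at authentication, not the network

# Constructed sample: lines in the shape of the question's DCDIAG and event text.
SAMPLE = """\
   Naming Context: DC=ForestDnsZones,DC=DOMAIN,DC=local
   The replication generated an error (1256):
   Naming Context: DC=DOMAIN,DC=local
   The replication generated an error (-2146893022):
   [DC1] DsBindWithSpnEx() failed with error -2146893022,
   [DC1] LDAP bind failed with error 8341,
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/DC1.efc.local.
"""

NC_RE = re.compile(r"Naming Context:\s*(\S+)")
REPL_RE = re.compile(r"The replication generated an error \((-?\d+)\)")
BIND_RE = re.compile(r"\[(\w+)\] (DsBindWithSpnEx\(\)|LDAP bind) failed with error (-?\d+)")

def normalize(code):
    """DCDIAG prints HRESULTs as signed 32-bit decimals; map to unsigned."""
    return code & 0xFFFFFFFF

def describe(code):
    """Readable name for a code, or its hex form when it is not in KNOWN."""
    return KNOWN.get(normalize(code), hex(normalize(code)))

def triage(text):
    """Return (operation, target, code) for every failure line found."""
    findings, nc = [], None
    for line in text.splitlines():
        if (m := NC_RE.search(line)):
            nc = m.group(1)  # remember the partition for the next error line
        elif (m := REPL_RE.search(line)):
            findings.append(("replication", nc, normalize(int(m.group(1)))))
        elif (m := BIND_RE.search(line)):
            findings.append((m.group(2), m.group(1), normalize(int(m.group(3)))))
    return findings

def verdict(text):
    """Heuristic classification; the labels are names chosen for this example."""
    findings = triage(text)
    auth = any(code in AUTH_CODES for _, _, code in findings)
    if auth and "KRB_AP_ERR_MODIFIED" in text:
        return "machine-account-password-mismatch"
    if auth:
        return "authentication-failure"
    return "other-failure" if findings else "clean"

if __name__ == "__main__":
    for op, target, code in triage(SAMPLE):
        print(f"{op:18} {target:40} {describe(code)}")
    print("verdict:", verdict(SAMPLE))
```
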
