Maximus5684 asked:

Replication Problems After DC Demotion

My servers are in an Active Directory forest (Server 2003 functional domain level). I have 2 AD DCs that are also GCs and a 3rd that is not a GC. I recently demoted a Server 2003 R2 server from the forest (we'll call this DCOLD). It held all of the FSMOs but I moved them to other servers before demotion. Now, after demotion, the server that I transferred most of the FSMO roles to (DC1 - Server 2008 R2) is having replication issues with the other two (DC2 - Server 2008 - and DC3 - Server 2003 R2). I'm getting error 13508 (Source NtFRS) on DC1 which reads:

The File Replication Service is having trouble enabling replication from DC2 to DC1 for c:\windows\sysvol\domain using the DNS name dc2.domain.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name dc2.domain.local from this computer.
 [2] FRS is not running on dc2.domain.local.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

A second later, I receive the same warning on the same machine (DC1) about replication between DC3 and DC1. Obviously, since SYSVOL isn't replicating, group policy application isn't working and I'm getting errors 1645, 1655, and 1126 from ActiveDirectory_DomainService. Results of DCDiag will be posted in the next reply.

Maximus5684 (ASKER):

C:\Users\Administrator.DOMAIN>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         ......................... DC1 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC1 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: RidManager
         ......................... DC1 passed test RidManager
      Starting test: Services
         ......................... DC1 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   14:31:50
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   14:36:51
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   14:41:53
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/22/2011   14:43:01
            Event String:
            Driver HP LaserJet 4100 Series PCL required for printer !!fileserv2!
HP LaserJet 4100 Series PCL is unknown. Contact the administrator to install the
 driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/22/2011   14:43:33
            Event String:
            Driver Kyocera FS-C5400DN KX required for printer Kyocera FS-C5400DN
 KX is unknown. Contact the administrator to install the driver before you log i
n again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/22/2011   14:43:45
            Event String:
            Driver Kyocera KM-4050 NW-FAX required for printer Kyocera KM-4050 N
W-FAX is unknown. Contact the administrator to install the driver before you log
 in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/22/2011   14:43:45
            Event String:
            Driver Microsoft Office Live Meeting 2007 Document Writer Driver req
uired for printer Microsoft Office Live Meeting 2007 Document Writer is unknown.
 Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/22/2011   14:43:46
            Event String:
            Driver Adobe PDF Converter required for printer Adobe PDF is unknown
. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/22/2011   14:43:47
            Event String:
            Driver Kyocera KM-4050 KX required for printer Kyocera KM-4050 KX is
 unknown. Contact the administrator to install the driver before you log in agai
n.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/22/2011   14:43:48
            Event String:
            Driver Send To Microsoft OneNote 2010 Driver required for printer Se
nd To OneNote 2010 is unknown. Contact the administrator to install the driver b
efore you log in again.
         An error event occurred.  EventID: 0x0000168F
            Time Generated: 02/22/2011   14:45:17
            Event String:
            The dynamic deletion of the DNS record '_kerberos._tcp.dc._msdcs.naa
ccr.local. 600 IN SRV 0 100 88 DC1.DOMAIN.local.' failed on the following
DNS server:
         An error event occurred.  EventID: 0x0000168F
            Time Generated: 02/22/2011   14:45:17
            Event String:
            The dynamic deletion of the DNS record '_kerberos._tcp.Default-First
-Site-Name._sites.dc._msdcs.DOMAIN.local. 600 IN SRV 0 100 88 DC1.DOMAIN.l
ocal.' failed on the following DNS server:
         An error event occurred.  EventID: 0x0000168F
            Time Generated: 02/22/2011   14:45:17
            Event String:
            The dynamic deletion of the DNS record '_kerberos._tcp.DOMAIN.local.
 600 IN SRV 0 100 88 DC1.DOMAIN.local.' failed on the following DNS server
:
         An error event occurred.  EventID: 0x0000168F
            Time Generated: 02/22/2011   14:45:17
            Event String:
            The dynamic deletion of the DNS record '_kerberos._tcp.Default-First
-Site-Name._sites.DOMAIN.local. 600 IN SRV 0 100 88 DC1.DOMAIN.local.' fai
led on the following DNS server:
         An error event occurred.  EventID: 0x0000168F
            Time Generated: 02/22/2011   14:45:17
            Event String:
            The dynamic deletion of the DNS record '_kerberos._udp.DOMAIN.local.
 600 IN SRV 0 100 88 DC1.DOMAIN.local.' failed on the following DNS server
:
         An error event occurred.  EventID: 0x0000168F
            Time Generated: 02/22/2011   14:45:17
            Event String:
            The dynamic deletion of the DNS record '_kpasswd._tcp.DOMAIN.local.
600 IN SRV 0 100 464 DC1.DOMAIN.local.' failed on the following DNS server
:
         An error event occurred.  EventID: 0x0000168F
            Time Generated: 02/22/2011   14:45:17
            Event String:
            The dynamic deletion of the DNS record '_kpasswd._udp.DOMAIN.local.
600 IN SRV 0 100 464 DC1.DOMAIN.local.' failed on the following DNS server
:
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 02/22/2011   14:46:01
            Event String:
            Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'DOMAIN.local.' failed.  These records are used by other comp
uters to locate this server as a domain controller (if the specified domain is a
n Active Directory domain) or as an LDAP server (if the specified domain is an a
pplication partition).
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 02/22/2011   14:46:01
            Event String:
            Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'ForestDnsZones.DOMAIN.local.' failed.  These records are use
d by other computers to locate this server as a domain controller (if the specif
ied domain is an Active Directory domain) or as an LDAP server (if the specified
 domain is an application partition).
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 02/22/2011   14:46:01
            Event String:
            Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'DomainDnsZones.DOMAIN.local.' failed.  These records are use
d by other computers to locate this server as a domain controller (if the specif
ied domain is an Active Directory domain) or as an LDAP server (if the specified
 domain is an application partition).
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   14:46:54
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   14:51:55
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   14:56:56
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   15:01:57
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   15:06:58
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   15:11:59
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         A warning event occurred.  EventID: 0x0000A001
            Time Generated: 02/22/2011   15:14:45
            Event String:
            The Security System could not establish a secured connection with th
e server LDAP/DC1.DOMAIN.local/DOMAIN.local@DOMAIN.LOCAL. No authenticatio
n protocol was available.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   15:15:32
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         A warning event occurred.  EventID: 0x0000A001
            Time Generated: 02/22/2011   15:17:11
            Event String:
            The Security System could not establish a secured connection with th
e server ldap/DC1.DOMAIN.local/DOMAIN.local@DOMAIN.LOCAL. No authenticatio
n protocol was available.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   15:20:33
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   15:25:34
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   15:30:35
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         ......................... DC1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC1 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : DOMAIN
      Starting test: CheckSDRefDom
         ......................... DOMAIN passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DOMAIN passed test CrossRefValidation

   Running enterprise tests on : DOMAIN.local
      Starting test: LocatorCheck
         ......................... DOMAIN.local passed test LocatorCheck
      Starting test: Intersite
         ......................... DOMAIN.local passed test Intersite
*DC and domain names changed to protect the innocent.
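
An added example, not part of the original thread: a Python sketch that condenses a dcdiag SystemLog section like the one above into one entry per event ID, rejoining the 80-column console wraps and converting the hex IDs to the decimal IDs shown in Event Viewer. The sample text is constructed from lines in the post, and the name `summarize` is hypothetical.

```python
import re

# Constructed sample: three events copied from the dcdiag output in the post,
# keeping the 80-column console wraps that split words mid-line.
SAMPLE = """\
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   14:31:50
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 02/22/2011   14:36:51
            Event String:
            The processing of Group Policy failed. Windows could not authenticat
e to the Active Directory service on a domain controller. (LDAP Bind function ca
ll failed). Look in the details tab for error code and description.
         A warning event occurred.  EventID: 0x0000A001
            Time Generated: 02/22/2011   15:14:45
            Event String:
            The Security System could not establish a secured connection with th
e server LDAP/DC1.DOMAIN.local/DOMAIN.local@DOMAIN.LOCAL. No authenticatio
n protocol was available.
         ......................... DC1 failed test SystemLog
"""

HEADER = re.compile(r"\s*An? (error|warning) event occurred\.\s+EventID: (0x[0-9A-Fa-f]+)")
TIME = re.compile(r"\s*Time Generated: (\S+)\s+(\S+)")
RESULT = re.compile(r"\s*\.{5,} (\S+) (passed|failed) test (\S+)")

def summarize(text):
    """Group events by decimal ID; also return the (server, test) pairs that failed."""
    events, failed, cur, in_msg = {}, [], None, False
    for line in text.splitlines():
        head, result, stamp = HEADER.match(line), RESULT.match(line), TIME.match(line)
        if head:  # new event: hex ID -> decimal ID as shown in Event Viewer
            cur = events.setdefault(int(head.group(2), 16), {
                "level": head.group(1), "count": 0, "first": None, "last": None, "message": ""})
            cur["count"] += 1
            in_msg = False
        elif result:  # "passed/failed test" line closes the current test block
            if result.group(2) == "failed":
                failed.append((result.group(1), result.group(3)))
            cur, in_msg = None, False
        elif cur is None:
            continue
        elif stamp:
            cur["last"] = " ".join(stamp.groups())
            cur["first"] = cur["first"] or cur["last"]
        elif line.strip() == "Event String:":
            in_msg = cur["count"] == 1  # keep the text of the first occurrence only
        elif in_msg:  # wrapped continuation lines start at column 0: append unchanged
            cur["message"] += line if cur["message"] else line.strip()
    return events, failed
```
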

ASKER CERTIFIED SOLUTION
Netman66

This solution is only available to members.

The DC was cleanly removed. During the ntdsutil procedure I do not see the old DC in the list of available DCs to remove. Also, the old DC is no longer in any AD snap-in nor is it listed anywhere in DNS. I had to manually remove the DNS entries for the old server after it was demoted, but that was before these replication issues started occurring.

All tests for DCDIAG come out clean on DC2 and DC3 except for the system log test which just shows some entries related to the application of a Group Policy printer (and one on DC3 about a KDC certificate being invalid).

I've pored over DNS and all of the entries look correct. There are entries for each of the DCs and GCs (where applicable). I'm really stumped. Thanks for the first response and please let me know if you have any other suggestions.

SOLUTION

This solution is only available to members.

The issue described above seems to have gone away. I am no longer receiving these errors and replication seems to be happening normally. Thanks to everyone for your help.