Solved

Server roles replication access problem

Posted on 2011-09-04
709 Views
Last Modified: 2012-05-12
I added a new server to the network and everything worked fine. The old server is Windows 2003 SBS and the new server is Windows 2008 Standard with Exchange (same domain). I moved Exchange from the old server to the new server and everything was still OK (replication, access, workstations). After some 5-6 days some of the workstations lost the connection to the old server (the connection to the new server was OK). After a restart of the workstations everything was OK again until the next day. All workstations are losing the connection to the old server from time to time, and after a restart everything is OK. I cannot access the old server from the new one any more via \\oldserver (nothing changed in passwords, updates or so). I get the error "Logon Failure: The target account name is incorrect". I would like to exchange the roles and remove the old SBS from the network, but in the menu for RID, PDC and Infrastructure I always get errors, so I cannot do it.
Thanks for help.
 
Question by:nera2001
29 Comments
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36480523
Where are the Active Directory roles held now? netdom query fsmo
Which server is handling DNS/DHCP? Does nslookup from the 2003 server to the 2008 server work by name and IP, and from 2008 to 2003?
Can you access it by \\192.168.1.23_old_server_ip ?
0
 

Author Comment

by:nera2001
ID: 36480728
Active Directory roles are on Win 2003 SBS, as I wrote. Both servers have DNS. DHCP is on the router.
I can access the old server by IP. In the hosts file I entered the IP of the old server, and in the DNS server on the new server the old server and its IP are listed. nslookup from the new server to the name and IP of the old server is not OK. The error says "Server unknown" and "Non-existent domain".
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36480851
Post ipconfig /all from old and new server
0
 

Author Comment

by:nera2001
ID: 36480877
ipconfig /all, new server

Windows IP Configuration

   Host Name . . . . . . . . . . . . : HPSERVER1
   Primary DNS Suffix  . . . . . . . : 3PGeotechnik.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : 3PGeotechnik.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC362i Integrated DP Gigabit Server Adapter
   Physical Address. . . . . . . . . : 9C-8E-99-1D-85-36
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2919:ba5f:e247:777d%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.106.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.106.207
   DHCPv6 IAID . . . . . . . . . . . : 245141145
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DF-07-7B-9C-8E-99-1D-85-36
   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.106.100
                                       192.168.106.101
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled


ipconfig /all, old server

Windows IP Configuration

   Host Name . . . . . . . . . . . . : projektsrv
   Primary DNS Suffix  . . . . . . . : 3PGeotechnik.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : 3PGeotechnik.local

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC7761 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-13-21-AE-24-BC
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.106.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.106.207
   DNS Servers . . . . . . . . . . . : 192.168.106.100
                                       192.168.106.101
   Primary WINS Server . . . . . . . : 192.168.1.222
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36480887
Try disabling IPv6 on the new server and only point DNS back to the old 2003 server.
Also run "dcdiag /v /c /d /e /s:dcname > c:\dcdiag.txt" and post the log file as a .zip.

Thanks
0
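The checks asked for in the comments above (netdom query fsmo, nslookup in both directions, replication state, dcdiag) collected into one script, as an added example that is not part of the original thread. The host names, IP addresses and domain name are the ones posted in the thread; the report path and the choice of running dcdiag locally instead of with /s: are assumptions for the example. It wraps the era's command-line tools, so it runs on a 2003 DC with the Support Tools installed or on a 2008 DC as is.

```powershell
# Added example: DC health checks for the two-DC situation in this thread.
# Run elevated as a Domain Admin on one of the DCs (netdom, repadmin, dcdiag
# and nslookup must be in PATH). Names/IPs are from the thread; the report
# location is an assumption.

$OldDc  = 'projektsrv.3PGeotechnik.local'   # Windows 2003 SBS, 192.168.106.100
$NewDc  = 'HPSERVER1.3PGeotechnik.local'    # Windows 2008 Standard, 192.168.106.101
$Domain = '3PGeotechnik.local'
$Report = Join-Path $env:TEMP ("dc-health-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmm'))

function Run($Label, $Cmd) {
    # Run an external tool, show and record its output (stderr included),
    # and never stop the script on a failing check.
    Write-Host "=== $Label ==="
    $out = cmd /c "$Cmd 2>&1"
    $out | ForEach-Object { Write-Host $_ }
    Add-Content -Path $Report -Value "=== $Label ==="
    Add-Content -Path $Report -Value $out
}

# 1. Who holds the five FSMO roles? In this thread all five should name the SBS.
Run 'FSMO role holders' 'netdom query fsmo'

# 2. Name resolution in both directions, asked of each DC's own DNS service.
#    "Non-existent domain" from one side means that DNS server has no usable
#    copy of the zone; the zone is AD-integrated, so it depends on replication.
foreach ($srv in $OldDc, $NewDc) {
    foreach ($name in $OldDc, $NewDc) {
        Run "nslookup $name via $srv" "nslookup $name $srv"
    }
    # The SRV records clients use to locate a DC and a KDC for the domain.
    Run "LDAP SRV via $srv" "nslookup -type=SRV _ldap._tcp.dc._msdcs.$Domain $srv"
    Run "KDC SRV via $srv"  "nslookup -type=SRV _kerberos._tcp.dc._msdcs.$Domain $srv"
}

# 3. Replication state as each DC sees it; failures here explain the
#    "Target principal name is incorrect" seen when forcing replication.
Run 'Replication summary'        'repadmin /replsummary'
Run "Inbound partners of $NewDc" "repadmin /showrepl $NewDc"
Run "Inbound partners of $OldDc" "repadmin /showrepl $OldDc"

# 4. Secure channel of the new DC to the domain.
Run "Secure channel of $NewDc"   "nltest /sc_verify:$Domain /server:$NewDc"

# 5. dcdiag run locally on this DC. The thread's /s:projektsrv run died at the
#    LDAP bind (error 8341), so test each DC from itself instead of remotely.
Run 'dcdiag (this DC)' 'dcdiag /v /c /d'

Write-Host "Report written to $Report"
```

Run it once on each DC and diff the two reports: the FSMO output must agree, and every nslookup of a DC name must succeed from both DNS servers before any of the role-transfer or replication steps discussed later in the thread can work.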
 

Author Comment

by:nera2001
ID: 36480910
Command line: "dcdiag.exe /v /c /d /e /s:projektsrv"

Directory Server Diagnosis

Performing initial setup:

   * Connecting to directory service on server projektsrv.

   projektsrv.currentTime = 20110904172503.0Z
   projektsrv.highestCommittedUSN = 781442
   projektsrv.isSynchronized = 1
   projektsrv.isGlobalCatalogReady = 1

   [projektsrv] LDAP bind failed with error 8341,
   A directory service error has occurred.
   DcDiag: An uncaught exception occurred. Search will continue.

After this the program crashes!
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36480921
Run dcdiag /fix from both servers
0
 

Author Comment

by:nera2001
ID: 36480945
dcdiag /fix on the new server has some errors: dcdiagnewsrv.txt
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36480996
Are there any failed DC promotions/demotions? or is this the first and only other AD controller you are adding to the SBS domain?
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36481005
It also looks like the new server never completed replication and cannot start directory services. What kind of errors are you seeing in the event log on the 2003 and the 2010 server? What happens if you try to force AD replication?
0
 

Author Comment

by:nera2001
ID: 36481131
If I try to force replication I get the error "Target Principal Name is Incorrect".

I tried
netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password

but without any result.
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36481144
Did you stop the IFC service and reboot after resetpwd?
0
 

Author Comment

by:nera2001
ID: 36481150
I restarted the server. What is the IFC service?

I did everything as written in Q288167.
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36481762
Sorry, KDC service.
0
 

Author Comment

by:nera2001
ID: 36483796
After I stopped the KDC service, the error messages for RID, PDC and Infrastructure on the new server disappeared,
but it was still not possible to move the roles. After a restart, everything was the same again. Errors, errors...
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36483837
Is the new server a global catalog server?
Check event logs for errors and post DNS errors or AD errors
0
 

Author Comment

by:nera2001
ID: 36483938
The old and the new server are global catalog servers.

Errors in event viewer:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          05.09.2011 14:42:28
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      HPSERVER1.3PGeotechnik.local
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "host/projektsrv.3pgeotechnik.local". The target name used was cifs/projektsrv. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than the one the Kerberos Key Distribution Center (KDC) has for the target service account. Ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified and the target domain (3PGEOTECHNIK.LOCAL) is different from the client domain (3PGEOTECHNIK.LOCAL), check whether there are identically named server accounts in these two domains, or use the fully qualified name to identify the server.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="16384">4</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-09-05T12:42:28.000000000Z" />
    <EventRecordID>10536</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>HPSERVER1.3PGeotechnik.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Server">host/projektsrv.3pgeotechnik.local</Data>
    <Data Name="TargetRealm">3PGEOTECHNIK.LOCAL</Data>
    <Data Name="Targetname">cifs/projektsrv</Data>
    <Data Name="ClientRealm">3PGEOTECHNIK.LOCAL</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>


and then DNS error

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          30.08.2011 23:33:06
Event ID:      4013
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      HPSERVER1.3PGeotechnik.local
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS Server service cannot start until the initial synchronization is complete, because critical DNS data might not yet have been replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has completed.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
    <EventID Qualifiers="32768">4013</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-08-30T21:33:06.000000000Z" />
    <EventRecordID>41</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>DNS Server</Channel>
    <Computer>HPSERVER1.3PGeotechnik.local</Computer>
    <Security />
  </System>
  <EventData Name="DNS_EVENT_DS_OPEN_WAIT">
  </EventData>
</Event>

If you need any translation, please let me know.
0
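The Kerberos event above (ID 4, KRB_AP_ERR_MODIFIED from host/projektsrv for cifs/projektsrv) names the two causes that matter here: a duplicate SPN, or a DC whose machine-account password no longer matches what the KDC holds for it. The secure-channel reset from Q288167 that was attempted earlier in the thread (stop the KDC, netdom resetpwd, restart) is the standard repair for the second cause. The script below, an added example that is not from the thread or its participants, puts the SPN and secure-channel checks in front of that reset and only performs the reset when asked. It assumes it runs elevated on the DC whose own password is being reset, with the SBS (projektsrv) as the trusted partner; the switch name, the NetBIOS domain name and the reboot delay are illustrative.

```powershell
# Added example: SPN / secure-channel checks, then the KB 288167 reset on request.
# Run elevated ON the DC whose machine-account password is to be reset.
# $HealthyDc is the DC whose AD copy you trust (the SBS in this thread).
# setspn -X/-Q and klist -li are the Server 2008 versions of those tools.
param(
    [string]$HealthyDc = 'projektsrv.3PGeotechnik.local',
    [string]$Domain    = '3PGeotechnik',      # NetBIOS name, as netdom /userd expects
    [switch]$DoReset                          # without it the script only checks
)

$me = $env:COMPUTERNAME

# 1. The SPN in the event (cifs/projektsrv is covered by HOST/projektsrv) must be
#    registered on exactly one account; a duplicate produces the same error.
Write-Host "== duplicate SPNs in the domain =="
setspn -X
Write-Host "== accounts holding SPNs for projektsrv =="
setspn -Q */projektsrv*

# 2. Secure channel and inbound replication of this DC before changing anything.
Write-Host "== secure channel of $me to $Domain =="
nltest /sc_verify:$Domain
Write-Host "== inbound replication of $me =="
repadmin /showrepl $me

if (-not $DoReset) {
    Write-Host 'Checks done. Re-run with -DoReset to perform the password reset.'
    return
}

# 3. KB 288167 sequence. Stop this DC's KDC so it stops issuing tickets under the
#    stale key, set it to Manual so it stays down through the reboot, purge the
#    computer account's tickets (logon id 0x3e7 = SYSTEM), then reset the password
#    against $HealthyDc.
Stop-Service -Name kdc -Force
Set-Service  -Name kdc -StartupType Manual
klist -li 0x3e7 purge

# /passwordd:* prompts for the password instead of placing it on the command
# line, where the literal form quoted in the thread leaves it in shell history.
netdom resetpwd /server:$HealthyDc /userd:"$Domain\administrator" /passwordd:*
if ($LASTEXITCODE -ne 0) {
    # Roll back the only change made so far and stop.
    Set-Service  -Name kdc -StartupType Automatic
    Start-Service -Name kdc
    throw "netdom resetpwd failed (exit code $LASTEXITCODE); KDC restarted, nothing else changed."
}

# 4. Reboot. After the reboot, by hand:
#      Set-Service -Name kdc -StartupType Automatic; Start-Service -Name kdc
#      repadmin /syncall /AdeP
#      nltest /sc_verify:$Domain; repadmin /showrepl
Write-Host "Password reset accepted by $HealthyDc. Rebooting $me in 30 seconds."
shutdown /r /t 30 /c "Secure-channel reset (KB 288167)"
```

Two cautions the thread's own experience illustrates: netdom resetpwd changes the password of the computer you run it on and writes it to the DC named in /server, so run it on one DC at a time and never on the only DC you trust; and stopping the KDC on the SBS, as was tried later in the thread, takes down ticket issuing for every client that still points at it, so do the reset on the DC with the broken channel, not on the one the workstations depend on.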
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36483970
OK, so DNS is not starting because AD replication has not completed.
The previous errors in dcdiag about the server not responding to the LDAP bind are because the AD services are not running, because replication is not complete.
On the new server, if you open Active Directory Users and Computers, do you see all of your domain user accounts and computer accounts?
0
 

Author Comment

by:nera2001
ID: 36484577
Yes, I can see all users and groups. But new users are not replicating (in both directions). The first week everything was OK. I created new users and they were immediately on the second server.

0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36485326
OK, if you type 'echo %logonserver%' on a workstation, does it return the SBS or the 2008 server?
Does this server hold anything other than Active Directory?
Is it possible to demote it and re-promote it?
0
 

Author Comment

by:nera2001
ID: 36485643
The Windows 2008 server is now the Exchange server, and I cannot demote it.

echo returns the SBS (old server).
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36486145
OK.
Since we know that AD DS is working on the SBS 2003, as far as being ready for the work week, I would configure your DHCP server (the router) to hand out DNS server entries only for the SBS server. The Exchange server should be configured to point only to the SBS server as well (Exchange Management Console, highlight Server Configuration, go to the configuration domain controller setting and set it to the SBS server). Then back up your AD-integrated DNS, and then remove all SRV records that point to the 2008 server from the running DNS server. I would then have all of the clients reboot to get a new IP address from the DHCP server.
Temporarily, anyway.

0
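The temporary DNS step in the comment above (back up the AD-integrated zone, then remove the SRV records that advertise the 2008 DC) done in a reviewable way, as an added example that is not part of the thread. It exports the zone first, dumps it with dnscmd /ZonePrint, keeps only the SRV records whose target is the 2008 server, and writes the matching dnscmd /RecordDelete commands to a file for inspection rather than deleting anything itself. Zone, server and host names come from the thread; the file names and the parsing of the ZonePrint format are assumptions. It covers both layouts of the _msdcs records (a subtree of the domain zone, or the separate _msdcs.<domain> zone a 2003-level forest creates).

```powershell
# Added example: find SRV records pointing at the 2008 DC in the SBS's DNS,
# after exporting the zone, and emit the delete commands for review.
# Run elevated as a Domain Admin where dnscmd.exe is available; names are
# from the thread, file names and format handling are assumptions.

$DnsServer = 'projektsrv'                       # SBS DC that stays authoritative
$Domain    = '3PGeotechnik.local'
$Zones     = @($Domain, "_msdcs.$Domain")       # second one exists in 2003-level forests
$Target    = 'hpserver1.3pgeotechnik.local.'    # SRV targets carry a trailing dot
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$Plan      = Join-Path $env:TEMP "srv-delete-$Stamp.cmd"

# ZonePrint record line: "<owner or blank> [Aging:n] [TTL] SRV prio weight port target".
# Continuation lines for the same owner start with whitespace, so group 1 is empty.
$SrvRx = '^(\S*)\s+(?:\[Aging:\d+\]\s+)?(?:\d+\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$'

$hits = @()
foreach ($zone in $Zones) {
    # 1. Backup first. /ZoneExport writes a zone file into %SystemRoot%\System32\dns
    #    on $DnsServer; it is the rollback reference for everything below.
    $exp = dnscmd $DnsServer /ZoneExport $zone "srv-backup-$zone-$Stamp.dns"
    if ($exp -match 'Command failed') {
        Write-Warning "zone $zone not exported from $DnsServer (does it exist there?); skipped"
        continue
    }

    # 2. Dump the zone and pick out SRV records that point at the 2008 DC.
    $dump  = dnscmd $DnsServer /ZonePrint $zone
    if ($dump -match 'Command failed') { Write-Warning "ZonePrint of $zone failed; skipped"; continue }
    $owner = '@'
    foreach ($line in $dump) {
        if ($line.Trim() -eq '' -or $line -match '^\s*;') { continue }   # blanks, comments
        if ($line -match '^\S') { $owner = ($line -split '\s+')[0] }     # new owner name
        if ($line -match $SrvRx -and $matches[5] -ieq $Target) {
            $hits += New-Object PSObject -Property @{
                Zone = $zone; Owner = $owner
                Prio = $matches[2]; Weight = $matches[3]; Port = $matches[4]; Target = $matches[5]
            }
        }
    }
}

# 3. Write the plan. For SRV records /RecordDelete wants "prio weight port target".
$cmds = foreach ($h in $hits) {
    "dnscmd $DnsServer /RecordDelete $($h.Zone) $($h.Owner) SRV $($h.Prio) $($h.Weight) $($h.Port) $($h.Target) /f"
}
Set-Content -Path $Plan -Value $cmds
Write-Host ("{0} SRV record(s) point at {1}; review and run {2}" -f $hits.Count, $Target, $Plan)
$hits | Format-Table Zone, Owner, Port, Target -AutoSize
```

Keep the word "temporarily" from the comment in mind: the 2008 DC's Netlogon service re-registers its SRV records on start-up and on a periodic timer, so they come back unless Netlogon on that box is stopped or its DNS registration is disabled while the SBS is the only DC clients should find. The Exchange side of the same comment can be done from the Exchange Management Shell with Set-ExchangeServer and its -StaticDomainControllers, -StaticGlobalCatalogs and -StaticConfigDomainController parameters pointing at projektsrv.3PGeotechnik.local.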
 

Author Comment

by:nera2001
ID: 36486685
But...
The workstations were pointing only to the SBS. The router's DHCP was always pointing only to the SBS (it has been running like that for 4 years).
If I leave the SBS as the primary DNS server on the workstations, then I have connection loss for the workstations all the time. They can connect to the new server all the time. So they are now pointing to the new server and everything is a little better (I think). Can I uninstall the DNS server on both servers, install it again and then restart? Do you know why all this started after some days (some machine password expired or so)? I am not sitting in the office, so I am doing these changes remotely (TeamViewer). The last change (stopping the Kerberos service on the SBS) caused all workstations to lose the connection to the SBS permanently, so I went there to configure it again. Can I force PDC, RID and Infrastructure onto the new server and then take the SBS out somehow and then take it back in again as primary?


0
 

Author Comment

by:nera2001
ID: 36499372
Replication works from the new server to the old one (I created a new user on the new server).
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36499706
Sorry friend, I had to work an extremely long shift and had to sleep. What changed? Why is replication functioning correctly now?
Does dcdiag pass now?
0
 

Author Comment

by:nera2001
ID: 36500857
I did nothing. Replication from the new server to the old one worked for a new user, but the rest is still the same. dcdiag /fix from the new server is still not OK (remote PC not reachable...).
0
 

Author Comment

by:nera2001
ID: 36511755
I solved it. Thank you for your help
0
 

Accepted Solution

by:
nera2001 earned 0 total points
ID: 36511764
0
 

Author Closing Comment

by:nera2001
ID: 36534729
Solved by me
0
