Solved

Replication issues between 2 DCs

Posted on 2011-09-09
Last Modified: 2012-05-12
Hi,

I've got a problem between 2 of my DCs. One is the Operation Master on 2008, the second is read-only on 2008 R2.

Servers can't achieve AD Replication.

Here is the result of DCdiag on the read-only server:
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: DATACENTER\CESO-RODC
      Starting test: Connectivity
         ......................... CESO-RODC passed test Connectivity

Doing primary tests

   Testing server: DATACENTER\CESO-RODC
      Starting test: Replications
         [Replications Check,CESO-RODC] A recent replication attempt failed:
            From SRVCESO to CESO-RODC
            Naming Context: DC=ForestDnsZones,DC=CESO,DC=local
            The replication generated an error (8457):
            Le serveur de destination rejette actuellement les demandes de réplication.
            The failure occurred at 2011-09-09 08:51:22.
            The last success occurred at 2010-10-05 17:45:22.
            2702 failures have occurred since the last success.
            Replication has been explicitly disabled through the server options.

         [Replications Check,CESO-RODC] A recent replication attempt failed:
            From SRVCESO to CESO-RODC
            Naming Context: DC=DomainDnsZones,DC=CESO,DC=local
            The replication generated an error (8457):
            Le serveur de destination rejette actuellement les demandes de réplication.
            The failure occurred at 2011-09-09 08:51:22.
            The last success occurred at 2010-10-05 17:45:22.
            2702 failures have occurred since the last success.
            Replication has been explicitly disabled through the server options.

         [Replications Check,CESO-RODC] A recent replication attempt failed:
            From SRVCESO to CESO-RODC
            Naming Context: CN=Schema,CN=Configuration,DC=CESO,DC=local
            The replication generated an error (8457):
            Le serveur de destination rejette actuellement les demandes de réplication.
            The failure occurred at 2011-09-09 08:51:22.
            The last success occurred at 2010-10-05 17:45:21.
            2702 failures have occurred since the last success.
            Replication has been explicitly disabled through the server options.

         [Replications Check,CESO-RODC] A recent replication attempt failed:
            From SRVCESO to CESO-RODC
            Naming Context: CN=Configuration,DC=CESO,DC=local
            The replication generated an error (-2146893022):
            Le nom principal de la cible n'est pas correct.
            The failure occurred at 2011-09-09 09:46:37.
            The last success occurred at 2010-10-05 17:45:21.
            2708 failures have occurred since the last success.
         [Replications Check,CESO-RODC] A recent replication attempt failed:
            From SRVCESO to CESO-RODC
            Naming Context: DC=CESO,DC=local
            The replication generated an error (8457):
            Le serveur de destination rejette actuellement les demandes de réplication.
            The failure occurred at 2011-09-09 08:51:22.
            The last success occurred at 2010-10-05 17:45:22.
            2702 failures have occurred since the last success.
            Replication has been explicitly disabled through the server options.

         REPLICATION-RECEIVED LATENCY WARNING
         CESO-RODC:  Current time is 2011-09-09 10:05:16.
            DC=ForestDnsZones,DC=CESO,DC=local
               Last replication recieved from SRVCESO at 2010-10-05 17:45:22.
               WARNING:  This latency is over the Tombstone Lifetime of 180 days!
            DC=DomainDnsZones,DC=CESO,DC=local
               Last replication recieved from SRVCESO at 2010-10-05 17:45:22.
               WARNING:  This latency is over the Tombstone Lifetime of 180 days!
            CN=Schema,CN=Configuration,DC=CESO,DC=local
               Last replication recieved from SRVCESO at 2010-10-05 17:45:21.
               WARNING:  This latency is over the Tombstone Lifetime of 180 days!
            CN=Configuration,DC=CESO,DC=local
               Last replication recieved from SRVCESO at 2010-10-05 17:45:21.
               WARNING:  This latency is over the Tombstone Lifetime of 180 days!
            DC=CESO,DC=local
               Last replication recieved from SRVCESO at 2010-10-05 17:45:22.
               WARNING:  This latency is over the Tombstone Lifetime of 180 days!
         ......................... CESO-RODC passed test Replications
      Starting test: NCSecDesc
         ......................... CESO-RODC passed test NCSecDesc
      Starting test: NetLogons
         ......................... CESO-RODC passed test NetLogons
      Starting test: Advertising
         Warning: CESO-RODC is not advertising as a time server.
         ......................... CESO-RODC failed test Advertising
      Starting test: KnowsOfRoleHolders
         [SRVCESO] DsBindWithSpnEx() failed with error -2146893022,
         Le nom principal de la cible n'est pas correct..
         Warning: SRVCESO is the Schema Owner, but is not responding to DS RPC Bind.
         [SRVCESO] LDAP bind failed with error 8341,
         Une erreur de service d'annuaire s'est produite..
         Warning: SRVCESO is the Schema Owner, but is not responding to LDAP Bind.
         Warning: SRVCESO is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: SRVCESO is the Domain Owner, but is not responding to LDAP Bind.
         Warning: SRVCESO is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: SRVCESO is the PDC Owner, but is not responding to LDAP Bind.
         Warning: SRVCESO is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: SRVCESO is the Rid Owner, but is not responding to LDAP Bind.
         Warning: SRVCESO is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         Warning: SRVCESO is the Infrastructure Update Owner, but is not responding to LDAP Bind.
         ......................... CESO-RODC failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... CESO-RODC failed test RidManager
      Starting test: MachineAccount
         ......................... CESO-RODC passed test MachineAccount
      Starting test: Services
            NtFrs Service is stopped on [CESO-RODC]
            w32time Service is stopped on [CESO-RODC]
         ......................... CESO-RODC failed test Services
      Starting test: ObjectsReplicated
         ......................... CESO-RODC passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... CESO-RODC passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... CESO-RODC failed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/09/2011   09:51:43
            (Event String could not be retrieved)
         ......................... CESO-RODC failed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC00A0038
            Time Generated: 09/09/2011   09:19:49
            Event String: The Terminal Server security layer detected an
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/09/2011   09:45:37
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/09/2011   09:46:37
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/09/2011   09:49:00
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/09/2011   09:50:16
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/09/2011   09:56:47
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/09/2011   10:05:16
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 09/09/2011   10:05:17
            (Event String could not be retrieved)
         ......................... CESO-RODC failed test systemlog
      Starting test: VerifyReferences
         Some objects relating to the DC CESO-RODC have problems:
            [1] Problem: Missing Expected Value
             Base Object: CN=CESO-RODC,OU=Domain Controllers,DC=CESO,DC=local
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

         ......................... CESO-RODC failed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : CESO
      Starting test: CrossRefValidation
         ......................... CESO passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... CESO passed test CheckSDRefDom

   Running enterprise tests on : CESO.local
      Starting test: Intersite
         ......................... CESO.local passed test Intersite
      Starting test: FsmoCheck
         ......................... CESO.local passed test FsmoCheck


And here is the result on the OM:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: CESO\SRVCESO
      Starting test: Connectivity
         ......................... SRVCESO passed test Connectivity

Doing primary tests

   Testing server: CESO\SRVCESO
      Starting test: Replications
         [Replications Check,SRVCESO] A recent replication attempt failed:
            From CESO-RODC to SRVCESO
            Naming Context: DC=ForestDnsZones,DC=CESO,DC=local
            The replication generated an error (8456):
            Le serveur source rejette actuellement les demandes de réplication.
            The failure occurred at 2011-09-09 08:59:47.
            The last success occurred at 2010-10-06 08:46:15.
            2736 failures have occurred since the last success.
            Replication has been explicitly disabled through the server options.

         [Replications Check,SRVCESO] A recent replication attempt failed:
            From CESO-RODC to SRVCESO
            Naming Context: DC=DomainDnsZones,DC=CESO,DC=local
            The replication generated an error (8456):
            Le serveur source rejette actuellement les demandes de réplication.
            The failure occurred at 2011-09-09 08:59:47.
            The last success occurred at 2010-10-06 08:46:15.
            2736 failures have occurred since the last success.
            Replication has been explicitly disabled through the server options.

         [Replications Check,SRVCESO] A recent replication attempt failed:
            From CESO-RODC to SRVCESO
            Naming Context: CN=Schema,CN=Configuration,DC=CESO,DC=local
            The replication generated an error (8456):
            Le serveur source rejette actuellement les demandes de réplication.
            The failure occurred at 2011-09-09 08:59:47.
            The last success occurred at 2010-10-06 08:46:15.
            2736 failures have occurred since the last success.
            Replication has been explicitly disabled through the server options.

         [Replications Check,SRVCESO] A recent replication attempt failed:
            From CESO-RODC to SRVCESO
            Naming Context: CN=Configuration,DC=CESO,DC=local
            The replication generated an error (8456):
            Le serveur source rejette actuellement les demandes de réplication.
            The failure occurred at 2011-09-09 08:59:47.
            The last success occurred at 2010-10-06 08:46:15.
            2736 failures have occurred since the last success.
            Replication has been explicitly disabled through the server options.

         [Replications Check,SRVCESO] A recent replication attempt failed:
            From CESO-RODC to SRVCESO
            Naming Context: DC=CESO,DC=local
            The replication generated an error (8456):
            Le serveur source rejette actuellement les demandes de réplication.
            The failure occurred at 2011-09-09 08:59:47.
            The last success occurred at 2010-10-06 08:46:14.
            2736 failures have occurred since the last success.
            Replication has been explicitly disabled through the server options.

         REPLICATION-RECEIVED LATENCY WARNING
         SRVCESO:  Current time is 2011-09-09 10:15:26.
            DC=ForestDnsZones,DC=CESO,DC=local
               Last replication recieved from CESO-RODC at 2010-10-06 08:46:15.
               WARNING:  This latency is over the Tombstone Lifetime of 180 days!
            DC=DomainDnsZones,DC=CESO,DC=local
               Last replication recieved from CESO-RODC at 2010-10-06 08:46:15.
               WARNING:  This latency is over the Tombstone Lifetime of 180 days!
            CN=Schema,CN=Configuration,DC=CESO,DC=local
               Last replication recieved from CESO-RODC at 2010-10-06 08:46:15.
               WARNING:  This latency is over the Tombstone Lifetime of 180 days!
            CN=Configuration,DC=CESO,DC=local
               Last replication recieved from CESO-RODC at 2010-10-06 08:46:14.
               WARNING:  This latency is over the Tombstone Lifetime of 180 days!
            DC=CESO,DC=local
               Last replication recieved from CESO-RODC at 2010-10-06 08:46:14.
               WARNING:  This latency is over the Tombstone Lifetime of 180 days!
         ......................... SRVCESO passed test Replications
      Starting test: NCSecDesc
         ......................... SRVCESO passed test NCSecDesc
      Starting test: NetLogons
         ......................... SRVCESO passed test NetLogons
      Starting test: Advertising
         ......................... SRVCESO passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SRVCESO passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SRVCESO passed test RidManager
      Starting test: MachineAccount
         ......................... SRVCESO passed test MachineAccount
      Starting test: Services
            NtFrs Service is stopped on [SRVCESO]
         ......................... SRVCESO failed test Services
      Starting test: ObjectsReplicated
         ......................... SRVCESO passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SRVCESO passed test frssysvol
      Starting test: frsevent
         ......................... SRVCESO passed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/09/2011   10:06:48
            (Event String could not be retrieved)
         ......................... SRVCESO failed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC00010DF
            Time Generated: 09/09/2011   09:18:30
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002720
            Time Generated: 09/09/2011   09:19:06
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002720
            Time Generated: 09/09/2011   09:19:06
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002720
            Time Generated: 09/09/2011   09:35:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002720
            Time Generated: 09/09/2011   09:35:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00010DF
            Time Generated: 09/09/2011   09:39:00
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00010DF
            Time Generated: 09/09/2011   09:39:02
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00010DF
            Time Generated: 09/09/2011   09:46:59
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002720
            Time Generated: 09/09/2011   09:51:20
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002720
            Time Generated: 09/09/2011   09:51:20
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002720
            Time Generated: 09/09/2011   10:07:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002720
            Time Generated: 09/09/2011   10:07:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00010DF
            Time Generated: 09/09/2011   10:12:32
            (Event String could not be retrieved)
         ......................... SRVCESO failed test systemlog
      Starting test: VerifyReferences
         Some objects relating to the DC SRVCESO have problems:
            [1] Problem: Missing Expected Value
             Base Object: CN=SRVCESO,OU=Domain Controllers,DC=CESO,DC=local
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

         ......................... SRVCESO failed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : CESO
      Starting test: CrossRefValidation
         ......................... CESO passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... CESO passed test CheckSDRefDom

   Running enterprise tests on : CESO.local
      Starting test: Intersite
         ......................... CESO.local passed test Intersite
      Starting test: FsmoCheck


I already did the Microsoft procedure to reset the KDC password with no issues, but that doesn't change anything.

Regards,
Question by:Gagnaire_Thibaut
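
Added example (not part of the original thread, and not code from any poster): a Python triage of the Replications section of dcdiag output like the one posted above. It converts the signed code -2146893022 to its HRESULT form 0x80090322 (SEC_E_WRONG_PRINCIPAL), names codes 8456/8457, and flags partners whose last success is older than the reported tombstone lifetime; the function names are hypothetical and the sample is an excerpt of the posted output with wrapped lines rejoined.

```python
import re
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"

# Codes that appear in the posted output, with their Windows symbolic names.
ERRORS = {
    8456: "ERROR_DS_DRA_SOURCE_DISABLED",   # outbound replication disabled on source
    8457: "ERROR_DS_DRA_SINK_DISABLED",     # inbound replication disabled on destination
    0x80090322: "SEC_E_WRONG_PRINCIPAL",    # Kerberos target principal name mismatch
}

# Sample input: excerpt of the dcdiag output posted above, wrapped lines rejoined.
SAMPLE = """\
      Starting test: Replications
         [Replications Check,CESO-RODC] A recent replication attempt failed:
            From SRVCESO to CESO-RODC
            Naming Context: DC=ForestDnsZones,DC=CESO,DC=local
            The replication generated an error (8457):
            Le serveur de destination rejette actuellement les demandes de réplication.
            The failure occurred at 2011-09-09 08:51:22.
            The last success occurred at 2010-10-05 17:45:22.
            2702 failures have occurred since the last success.
            Replication has been explicitly disabled through the server options.
         [Replications Check,CESO-RODC] A recent replication attempt failed:
            From SRVCESO to CESO-RODC
            Naming Context: CN=Configuration,DC=CESO,DC=local
            The replication generated an error (-2146893022):
            Le nom principal de la cible n'est pas correct.
            The failure occurred at 2011-09-09 09:46:37.
            The last success occurred at 2010-10-05 17:45:21.
            2708 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         CESO-RODC:  Current time is 2011-09-09 10:05:16.
            DC=ForestDnsZones,DC=CESO,DC=local
               Last replication recieved from SRVCESO at 2010-10-05 17:45:22.
               WARNING:  This latency is over the Tombstone Lifetime of 180 days!
"""

# The field labels stay English even on a localized server; only the error
# message text is translated, so the parser keys on the labels.
FIELDS = [
    ("partners", re.compile(r"From (\S+) to (\S+)$")),
    ("nc", re.compile(r"Naming Context: (.+)$")),
    ("code", re.compile(r"The replication generated an error \((-?\d+)\):")),
    ("last_success", re.compile(r"The last success occurred at ([\d-]+ [\d:]+)\.")),
    ("failures", re.compile(r"(\d+) failures have occurred")),
]


def parse_failures(text):
    """Return one dict per '[Replications Check,...]' record in dcdiag text."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[Replications Check,"):
            cur = {"disabled_by_option": False}
            records.append(cur)
        elif line.startswith(("REPLICATION-RECEIVED", "Starting test:")):
            cur = None  # left the failure records
        elif cur is not None:
            if line.startswith("Replication has been explicitly disabled"):
                cur["disabled_by_option"] = True
            for key, rx in FIELDS:
                m = rx.match(line)
                if m:
                    cur[key] = m.groups() if key == "partners" else m.group(1)
    return records


def triage(text, default_tsl_days=180):
    """Summarize each failure: normalized code, name, staleness vs. tombstone lifetime.

    default_tsl_days is an assumption used only when the output does not state
    the tombstone lifetime itself (the posted output reports 180 days).
    """
    now_m = re.search(r"Current time is ([\d-]+ [\d:]+)\.", text)
    tsl_m = re.search(r"Tombstone Lifetime of (\d+) days", text)
    now = datetime.strptime(now_m.group(1), TS) if now_m else datetime.now()
    tsl = int(tsl_m.group(1)) if tsl_m else default_tsl_days
    findings = []
    for rec in parse_failures(text):
        if "code" not in rec or "last_success" not in rec:
            continue  # incomplete record, nothing to assess
        # dcdiag prints HRESULTs as signed 32-bit integers; mask to unsigned.
        code = int(rec["code"]) & 0xFFFFFFFF
        stale = (now - datetime.strptime(rec["last_success"], TS)).days
        findings.append({
            "nc": rec.get("nc"),
            "partners": rec.get("partners"),
            "code": code,
            "name": ERRORS.get(code, "unknown"),
            "days_stale": stale,
            "past_tombstone": stale > tsl,
            "disabled_by_option": rec["disabled_by_option"],
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['nc']}: {f['name']} (0x{f['code']:08X}), "
              f"{f['days_stale']} days stale, past tombstone: {f['past_tombstone']}")
```
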
32 Comments
 
Expert Comment

by:Neil Russell
From each server can you ping the other server by name? Is name resolution working correctly for both servers?
 
Expert Comment

by:IanMurphy
Your problem is this message:
   Le serveur source rejette actuellement les demandes de réplication.

If both machines are DCs then the necessary firewall changes should have been made automatically, but it's possible you have an AV or a network firewall which is blocking the DC replication traffic.

This is not going to be a complex AD related problem but will be something like security or a service which is not running which should be running. My bet is on a firewall blocking something.

As a basic test you need to be able to do the following:

From CESO-RODC  dir \\SRVCESO.CESO.local\sysvol should work
and from SRVCESO dir \\CESO-RODC.CESO.local\sysvol should work

Ian
 

Author Comment

by:Gagnaire_Thibaut
Yes, I can ping each server and name resolution is also correct.

I installed replmon from the support tools and I get errors:
Active Directory Replication Domain Controller Replication Failure Output
Printed at    09/09/2011 10:46:16

Below are the replication failures detected on Domain Controllers for this domain:

Domain Controller Name:                   CESO-RODC
              Directory Partition:        CN=Schema,CN=Configuration,DC=CESO,DC=local
              Replication Partner:        CESO\SRVCESO
              Failure Code:                8457
              Failure Reason:             Destination server is rejecting queries.

Domain Controller Name:                   CESO-RODC
              Directory Partition:        DC=CESO,DC=local
              Replication Partner:        CESO\SRVCESO
              Failure Code:                8457
              Failure Reason:             Destination server is rejecting queries.

Domain Controller Name:                   CESO-RODC
              Directory Partition:        DC=DomainDnsZones,DC=CESO,DC=local
              Replication Partner:        CESO\SRVCESO
              Failure Code:                8457
              Failure Reason:            Destination server is rejecting queries.

Domain Controller Name:                   CESO-RODC
              Directory Partition:        DC=ForestDnsZones,DC=CESO,DC=local
              Replication Partner:        CESO\SRVCESO
              Failure Code:                8457
              Failure Reason:             Destination server is rejecting queries.

Domain Controller Name:                   SRVCESO
              Directory Partition:        CN=Configuration,DC=CESO,DC=local
              Replication Partner:        DATACENTER\CESO-RODC
              Failure Code:                8456
              Failure Reason:            Source server is rejecting queries.

Domain Controller Name:                   SRVCESO
              Directory Partition:        CN=Schema,CN=Configuration,DC=CESO,DC=local
              Replication Partner:        DATACENTER\CESO-RODC
              Failure Code:                8456
              Failure Reason:             Source server is rejecting queries.

Domain Controller Name:                   SRVCESO
              Directory Partition:        DC=CESO,DC=local
              Replication Partner:        DATACENTER\CESO-RODC
              Failure Code:                8456
              Failure Reason:             Source server is rejecting queries.

Domain Controller Name:                   SRVCESO
              Directory Partition:        DC=DomainDnsZones,DC=CESO,DC=local
              Replication Partner:        DATACENTER\CESO-RODC
              Failure Code:                8456
              Failure Reason:             Source server is rejecting queries.

Domain Controller Name:                   SRVCESO
              Directory Partition:        DC=ForestDnsZones,DC=CESO,DC=local
              Replication Partner:        DATACENTER\CESO-RODC
              Failure Code:                8456
              Failure Reason:             Source server is rejecting queries.

 

Author Comment

by:Gagnaire_Thibaut
I tried:

dir \\SRVCESO.CESO.local\sysvol on SRVCESO .... OK
dir \\SRVCESO.CESO.local\sysvol on CESO-RODC ... NOK : "Incorrect target account"
dir \\CESO-RODC.CESO.local\sysvol on SRVCESO .... OK
dir \\CESO-RODC.CESO.local\sysvol on CESO-RODC ... OK

I have firewall and Antivirus disabled on both servers.
 
Expert Comment

by:IanMurphy
Try running through this troubleshooting list:

http://www.petenetlive.com/KB/Article/0000301.htm

 

Author Comment

by:Gagnaire_Thibaut
Got an error when doing this:
4. Start > run > adsiedit.msc
5. Expand > Configuration > Expand "cn=configuration,dc=domainname" > Expand "cn=sites".

I don't have any "cn=configuration"

All I have is this:

Nom	Classe	Nom unique
CN=Builtin	builtinDomain	CN=Builtin,DC=CESO,DC=local
CN=Computers	container	CN=Computers,DC=CESO,DC=local
CN=ForeignSecurityPrincipals	container	CN=ForeignSecurityPrincipals,DC=CESO,DC=local
CN=Infrastructure	infrastructureUpdate	CN=Infrastructure,DC=CESO,DC=local
CN=LostAndFound	lostAndFound	CN=LostAndFound,DC=CESO,DC=local
CN=Managed Service Accounts	container	CN=Managed Service Accounts,DC=CESO,DC=local
CN=Microsoft Exchange System Objects	msExchSystemObjectsContainer	CN=Microsoft Exchange System Objects,DC=CESO,DC=local
CN=NTDS Quotas	msDS-QuotaContainer	CN=NTDS Quotas,DC=CESO,DC=local
CN=Program Data	container	CN=Program Data,DC=CESO,DC=local
CN=System	container	CN=System,DC=CESO,DC=local
CN=Users	container	CN=Users,DC=CESO,DC=local
OU=ComptesFictifs	organizationalUnit	OU=ComptesFictifs,DC=CESO,DC=local
OU=DATACENTER	organizationalUnit	OU=DATACENTER,DC=CESO,DC=local
OU=Domain Controllers	organizationalUnit	OU=Domain Controllers,DC=CESO,DC=local
OU=GTO	organizationalUnit	OU=GTO,DC=CESO,DC=local
OU=Microsoft Exchange Security Groups	organizationalUnit	OU=Microsoft Exchange Security Groups,DC=CESO,DC=local

 
Expert Comment

by:Neil Russell
On the left, right-click on Default naming context, select Settings and select a well-known context, change to Configuration.
 
Expert Comment

by:Neil Russell
But I would go with checking that ALL firewall and AV software is disabled on both servers for a few minutes and then try again, just to rule out that as a possible issue.
 

Author Comment

by:Gagnaire_Thibaut
As already said, I removed all antivirus and firewall from the servers before testing. Furthermore, I had the system working for about one year from now.

All stations can connect through \\SRVCESO\Sysvol - Except the RODC server.
 

Author Comment

by:Gagnaire_Thibaut
Here are the new errors following the procedure:

Active Directory Replication Domain Controller Replication Failure Output
Printed at    09/09/2011 15:05:50

Below are the replication failures detected on Domain Controllers for this domain:

Domain Controller Name:                   CESO-RODC
              Directory Partition:        DC=DomainDnsZones,DC=CESO,DC=local
              Replication Partner:        CESO\SRVCESO
              Failure Code:                1256
              Failure Reason:             Le système distant n’est pas disponible. Pour obtenir des informations à propos du dépannage réseau, consulter l’Aide Windows.

Domain Controller Name:                   CESO-RODC
              Directory Partition:        DC=ForestDnsZones,DC=CESO,DC=local
              Replication Partner:        CESO\SRVCESO
              Failure Code:                1256
              Failure Reason:             Le système distant n’est pas disponible. Pour obtenir des informations à propos du dépannage réseau, consulter l’Aide Windows.

Domain Controller Name:                   SRVCESO
              Directory Partition:        ERROR reading partition: DC=CESO,DC=local
              Replication Partner:        
              Failure Code:               
              Failure Reason:             

Domain Controller Name:                   SRVCESO
              Directory Partition:        ERROR reading partition: CN=Configuration,DC=CESO,DC=local
              Replication Partner:        
              Failure Code:               
              Failure Reason:             

Domain Controller Name:                   SRVCESO
              Directory Partition:        ERROR reading partition: CN=Schema,CN=Configuration,DC=CESO,DC=local
              Replication Partner:        
              Failure Code:               
              Failure Reason:             

Domain Controller Name:                   SRVCESO
              Directory Partition:        ERROR reading partition: DC=DomainDnsZones,DC=CESO,DC=local
              Replication Partner:        
              Failure Code:               
              Failure Reason:             

Domain Controller Name:                   SRVCESO
              Directory Partition:        ERROR reading partition: DC=ForestDnsZones,DC=CESO,DC=local
              Replication Partner:        
              Failure Code:               
              Failure Reason:             



I still can't access \\srvceso\sysvol\ from the RODC

0
 
LVL 6

Expert Comment

by:IanMurphy
dir \\SRVCESO.CESO.local\sysvol on CESO-RODC ... NOK : "Incorrect target account"

OK, this may indicate a password problem: a machine password or account password which has not been synchronized between them. Each machine and account is an object in AD. If on one of the DCs the other has been marked for deletion, or the account password has been changed, or the object disabled, but this info has not been replicated, then you will see odd behaviour like this.

From a workstation, can you log on as administrator and do
dir \\SRVCESO.CESO.local\sysvol
dir \\CESO-RODC.CESO.local\sysvol

It should work, but if it doesn't then it will indicate which of the two we have to look at.
From your last posting it would seem like SRVCESO is the one with problems, but it's not a problem I've seen before.



0
 
LVL 6

Expert Comment

by:IanMurphy
Have you been playing around with SPN definitions in the recent past?
0
 
LVL 6

Expert Comment

by:IanMurphy
This may be of use - though it refers mainly to creation of new DCs
http://support.microsoft.com/kb/296993/en-us

A very basic question: Are your two DCs using each other as DNS servers? As a quick test:

On CESO, configure SRVCESO as the primary DNS and 127.0.0.1 as the secondary.
On SRVCESO, configure CESO as the primary DNS and 127.0.0.1 as the secondary.

And on each machine, stop and restart the NTFRS service (File Replication Service).

This will provoke a whole load of activity in the event log and will guarantee that each finds the other.
0
 

Author Comment

by:Gagnaire_Thibaut
Can't access SRVCESO from a "workstation" datacenter-side.
I can access CESO-RODC though.

I don't even know what SPN is :shy:. I would be pleased to know about that ;)
0
 
LVL 37

Expert Comment

by:Neil Russell
Can you resolve SRVCESO correctly? Ping it by name? By IP?
0
 
LVL 37

Expert Comment

by:Neil Russell
Is the Netlogon service running on SRVCESO? It may have failed, and that could be the cause.
Do you have any event ID 13561 in the event log?
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 300 total points
From the log it is clear that the server CESO-RODC has not replicated with the primary DC for many months; the last replication received from CESO-RODC was at 2010-10-06. As latency is over the tombstone lifetime, you need to demote the DC CESO-RODC, followed by metadata cleanup, and re-promote the server back.

Refer to this link: http://technet.microsoft.com/en-us/library/cc835490(WS.10).aspx
0
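The staleness check behind the accepted answer, as an added example that is not part of the original thread: it compares each link's last successful replication with the tombstone lifetime. `Get-StaleReplicationLink` is a hypothetical name, the sample rows are constructed (the first from the dcdiag output quoted in the question), and 60 days is the value AD applies when `tombstoneLifetime` is unset, not a value read from this forest.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible.
# Flags replication links whose last success is older than the tombstone lifetime.
function Get-StaleReplicationLink {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Link,   # rows shaped like 'repadmin /showrepl * /csv'
        [Parameter(Mandatory = $true)] [int] $TombstoneDays,
        [datetime] $Now = (Get-Date)
    )
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $style   = [Globalization.DateTimeStyles]::None
    foreach ($row in $Link) {
        $last = [datetime]::MinValue
        # Assumption: timestamps use the format seen in the dcdiag output in this thread.
        $parsed = [datetime]::TryParseExact($row.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
                                            $culture, $style, [ref] $last)
        $age = $null
        if ($parsed) { $age = [int][math]::Floor(($Now - $last).TotalDays) }
        New-Object PSObject -Property @{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            AgeDays       = $age
            # A link with no parseable success time is reported as stale too.
            Stale         = (-not $parsed) -or ($age -gt $TombstoneDays)
        }
    }
}

# Constructed sample rows: the first uses names and the timestamp from the dcdiag
# output in the question, the second is an invented healthy link for contrast.
$sample = @(
    (New-Object PSObject -Property @{ 'Destination DSA' = 'CESO-RODC'; 'Source DSA' = 'SRVCESO'
        'Naming Context' = 'DC=ForestDnsZones,DC=CESO,DC=local'; 'Last Success Time' = '2010-10-05 17:45:22' }),
    (New-Object PSObject -Property @{ 'Destination DSA' = 'DC-EXAMPLE'; 'Source DSA' = 'SRVCESO'
        'Naming Context' = 'DC=CESO,DC=local'; 'Last Success Time' = '2011-09-08 08:00:00' })
)

# On a live forest, replace the assumed 60 days and the sample rows with:
#   $cfg  = ([adsi]'LDAP://RootDSE').configurationNamingContext
#   $days = ([adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfg").tombstoneLifetime.Value
#   $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
Get-StaleReplicationLink -Link $sample -TombstoneDays 60 -Now ([datetime]'2011-09-09 08:51:22') |
    Select-Object Destination, Source, NamingContext, AgeDays, Stale
```

Running this on a schedule and alerting on any `Stale` row catches a partner that has silently stopped replicating before the link ages past the tombstone lifetime.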
 

Author Comment

by:Gagnaire_Thibaut
Hi,

Netlogon is running on SRVCESO.

I de-joined a workstation datacenter side, but I can't join it back:
"Incorrect target account"

Can't figure out where the problem is.
0
 
LVL 6

Assisted Solution

by:IanMurphy
IanMurphy earned 200 total points
@Sandeshdubey: duh, stupid of me. Well spotted. I should have seen that on my first reading.

@Gagnaire: You can't join a PC in the data center because that DC is read-only and cannot make changes. Normally a domain add would be made against the main DC. I would assume that this is failing because of the lack of communication between the two.

It's been so long since they last replicated that it's now impossible to get them to talk again. After a number of weeks (6 if I remember correctly) without communication with the rest of the domain, a DC simply cannot restart communications.

You have no choice. You have to demote your read-only DC with dcpromo and run dcpromo again to re-add it as a DC.

Bad luck - in the future you need to check the event logs on DCs to make sure this sort of thing is not occurring.

Ian
0
 

Author Comment

by:Gagnaire_Thibaut
Yes, but there's still one problem.

I can't DCPromo. Got the same issue:
Operation Failed: Failed to open network session manager with SRVCESO.CESO.local.
"Netlogon error: Target account incorrect"

I managed to add one workstation to the domain, datacenter side, by putting SRVCESO for DNS resolution.

But I still need to get the RODC Working for my Dynamics to work properly.

thx in advance,
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 300 total points
You cannot gracefully demote the server; you need to do a forced removal. Run dcpromo /forceremoval and, once the DC is demoted, run metadata cleanup to remove the instance of the server, and then promote it back as an RODC.
0
 

Author Comment

by:Gagnaire_Thibaut
Okay,

I tried to demote CESO-RODC but now I can't promote it back. It says port 88 is still open. Should I remove some configurations?

regards,
0
 
LVL 6

Expert Comment

by:IanMurphy
After demoting the read-only controller you will need to reboot and make sure that it can access the domain as a normal node.

You will then need to do a metadata cleanup as Sandeshdubey said.

It's not a very complex operation. You just need to be careful.

Open ntdsutil.exe on your working domain controller and follow this: http://support.microsoft.com/kb/216498
As usual petri has an easier to follow article than the MS one: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Ian
0
 
LVL 24

Expert Comment

by:Sandeshdubey
Make sure that the ports below are open for AD on the firewall.

Port Assignments for Active Directory Replication
Service Name          UDP    TCP
LDAP                  389    389
LDAP                         636
Global catalog LDAP          3268
Kerberos              88     88
DNS                   53     53
SMB over IP           445    445

As mentioned before, once the forceful removal of the DC is done, reboot the server. Run metadata cleanup to remove the instances of the RODC server from the AD database and DNS.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

0
 

Author Comment

by:Gagnaire_Thibaut
Thx guys, I already cleaned the metadata from the DC.

I joined the server to the domain successfully, but now I can't promote it. I still have the port 88 problem.

The port is already used by a system service.

"netstat -aop" shows 0.0.0.0:88 LISTENING PID:4 => System

"Telnet 127.0.0.1 88" Answers and I can connect to something

regards
0
 
LVL 6

Expert Comment

by:IanMurphy
Odd. 88 is Kerberos. I'm not familiar with read-only domain controllers - do you have a Kerberos component still installed?
0
 

Author Comment

by:Gagnaire_Thibaut
Yes, it's installed. But kdc is stopped 0o

My actions on the RODC:
- DCPROMO /forceremoval
- AD DS role removal.
- Reboot
- AD DS Install
- Reboot
- DC PROMO => Error 88 port used.

0
 
LVL 24

Expert Comment

by:Sandeshdubey
Kerberos port is 88, hence KDC will stop working.

Use the netstat command below to find which application is using port 88 and release the same.

netstat -ano | find "88"  .......to check whether the port is listening and what the PID is for port 88.

tasklist /svc  ......This will show the process name and PID.

Check which process is using port 88 and release the same.
0
 
LVL 6

Expert Comment

by:IanMurphy
He's already done this above:
"netstat -aop" shows 0.0.0.0:88 LISTENING PID:4 => System

Given that it's listed as System, I assume that he is somehow still running a Kerberos server - what I don't understand is how he's managed this.
Having said that, I've never set up an RODC, so I'm not sure if it has separate roles which get installed and which you have to uninstall separately. I don't think this is the case, but if it's not, what on earth is responding on 88? PID 4 shouldn't be running any listeners.

Ian


0
 

Author Comment

by:Gagnaire_Thibaut
Err, I'm ashamed ...

I killed the processes of every other application running on the RODC:
- SQL
- Sharepoint

I'm not sure they're used but it freed the port.

Now I can dcpromo again. I hope the SQL will restart correctly after :(

thx for assistance,
0
 
LVL 6

Expert Comment

by:IanMurphy
How strange, neither of these should be using 88 - unless you have SharePoint/IIS configured to answer http://portal:88

Ian
0
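A way to check the IIS/SharePoint binding suspected above when netstat attributes the listener to PID 4, as an added example that is not part of the original thread. PID 4 is the System process, which is where kernel-mode listeners such as HTTP.sys (the driver behind IIS and SharePoint site bindings) appear; `Get-PortListener` is a hypothetical name, and the script assumes an elevated prompt.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible; run elevated.
function Get-PortListener {
    param(
        [int] $Port = 88,
        [string[]] $Netstat = (netstat -ano -p tcp)
    )
    # Listening sockets have a foreign address ending in ":0"; matching on that
    # instead of the word LISTENING keeps the parse independent of the OS language.
    $rx = '^\s*TCP\s+(\S+):{0}\s+\S+:0\s+\S+\s+(\d+)\s*$' -f $Port
    foreach ($line in $Netstat) {
        if ($line -notmatch $rx) { continue }
        $local = '{0}:{1}' -f $Matches[1], $Port
        $id    = [int] $Matches[2]
        $proc  = Get-Process -Id $id -ErrorAction SilentlyContinue
        # Windows services hosted in the owning process (none for PID 4).
        $svc   = @(Get-WmiObject Win32_Service -Filter "ProcessId = $id" |
                   ForEach-Object { $_.Name })
        $urls  = @()
        if ($id -eq 4) {
            # PID 4 is the kernel: list HTTP.sys URL registrations that use this port.
            $urls = @(netsh http show servicestate view=requestq |
                      Select-String -SimpleMatch (':{0}/' -f $Port) |
                      ForEach-Object { $_.Line.Trim() })
        }
        New-Object PSObject -Property @{
            LocalAddress = $local
            OwningPid    = $id
            Process      = $proc.ProcessName
            Services     = $svc -join ', '
            HttpSysUrls  = $urls -join '; '
        }
    }
}

Get-PortListener -Port 88 | Format-List LocalAddress, OwningPid, Process, Services, HttpSysUrls
```

A non-empty `HttpSysUrls` value points at a web site binding on the port; changing that binding frees port 88 without killing unrelated processes.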
 

Author Comment

by:Gagnaire_Thibaut
Okay, everything works now.

What a pain in the ass.

thx all
0
