brokenmatrix
asked on
global catalog server issue
OK, I am having issues with a GC server. I have a flat forest with 4 GC servers. The local server was installed as a "core" Win2k8 box, of which I know nothing. It began having issues replicating, which I noticed about a week ago. Its tombstone is sitting at 59 days right now. I started seeing all kinds of issues with trust relationships etc. today. I tried various MS solutions to get Kerberos to work and it did not help. So I promoted a member server to a GC. The problem is that this server cannot talk to the existing server to get AD info. How can I point the new GC to another site (flat network) GC to replicate AD info back to the site I am on? I believe that if I simply demote the current GC that is having issues I may lose Exchange and other services tied to the GC, especially since the new GC is not getting replica sets from it. Any ideas?
thanks
Rick
ASKER
All FSMO roles are held by corpdc1.
Here is the dcdiag:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = corpdc1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: xxxx\CORPDC1
Starting test: Connectivity
......................... CORPDC1 passed test Connectivity
Doing primary tests
Testing server: sitename\CORPDC1
Starting test: Advertising
......................... CORPDC1 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... CORPDC1 passed test FrsEvent
Starting test: DFSREvent
......................... CORPDC1 passed test DFSREvent
Starting test: SysVolCheck
......................... CORPDC1 passed test SysVolCheck
Starting test: KccEvent
......................... CORPDC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... CORPDC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... CORPDC1 passed test MachineAccount
Starting test: NCSecDesc
......................... CORPDC1 passed test NCSecDesc
Starting test: NetLogons
[CORPDC1] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... CORPDC1 failed test NetLogons
Starting test: ObjectsReplicated
......................... CORPDC1 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,CORPDC1] A recent replication attempt failed:
From CORPDC2 to CORPDC1
Naming Context: CN=Schema,CN=Configuration,DC=xxxxx,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2011-09-28 10:45:25.
The last success occurred at 2011-08-30 17:46:04.
689 failures have occurred since the last success.
[CORPDC2] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
[Replications Check,CORPDC1] A recent replication attempt failed:
From CORPDC2 to CORPDC1
Naming Context: CN=Configuration,DC=xxxxx,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2011-09-28 10:45:25.
The last success occurred at 2011-08-30 17:46:04.
690 failures have occurred since the last success.
[Replications Check,CORPDC1] A recent replication attempt failed:
From CORPDC2 to CORPDC1
Naming Context: DC=xxxxx,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2011-09-28 10:45:25.
The last success occurred at 2011-08-30 18:01:42.
692 failures have occurred since the last success.
......................... CORPDC1 failed test Replications
Starting test: RidManager
......................... CORPDC1 passed test RidManager
Starting test: Services
IsmServ Service is stopped on [CORPDC1]
......................... CORPDC1 failed test Services
Starting test: SystemLog
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:24:02
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:25:15
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:25:52
Event String: A Kerberos Error Message was received:
An Warning Event occurred. EventID: 0x000003FC
Time Generated: 09/28/2011 10:31:46
Event String:
Scope, 10.1.103.0, is 93 percent full with only 1 IP addresses remaining.
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:32:12
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:32:52
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:34:02
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:35:07
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:35:11
Event String: A Kerberos Error Message was received:
Time Generated: 09/28/2011 10:45:25
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/3ea337c5-b359-40c4-ab7f-e72bf8e61752/xxxxx.com@xxxxx.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:45:38
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:46:23
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:46:39
Event String: A Kerberos Error Message was received:
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x40000004
Time Generated: 09/28/2011 10:54:04
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was xxxxx\CORPDC2$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:56:02
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x40000004
Time Generated: 09/28/2011 10:56:02
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was LDAP/3ea337c5-b359-40c4-ab7f-e72bf8e61752._msdcs.xxxxx.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:56:39
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:56:42
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:57:31
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:57:35
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 10:57:52
Event String: A Kerberos Error Message was received:
Time Generated: 09/28/2011 11:15:38
Event String: A Kerberos Error Message was received:
An Error Event occurred. EventID: 0x80000003
Time Generated: 09/28/2011 11:16:24
Event String: A Kerberos Error Message was received:
......................... CORPDC1 failed test SystemLog
Starting test: VerifyReferences
......................... CORPDC1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : xxxxx
Starting test: CheckSDRefDom
......................... xxxxx passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... xxxxx passed test CrossRefValidation
Running enterprise tests on : xxxxx.com
Starting test: LocatorCheck
......................... xxxxx.com passed test LocatorCheck
Starting test: Intersite
......................... xxxxx.com passed test Intersite
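Added example, not part of the original thread: a Python parser for the Replications section of the dcdiag output above. It decodes the signed error code into its SSPI status and reports how long each replication link has been stale; `tombstone_days` is an assumed input that must be read from the forest's own tombstoneLifetime setting, and `SAMPLE` is constructed from two of the records in the post.

```python
import re
from datetime import datetime

# dcdiag prints SSPI status codes as signed 32-bit integers.
SSPI_NAMES = {0x80090322: "SEC_E_WRONG_PRINCIPAL"}
FMT = "%Y-%m-%d %H:%M:%S"
FAILURE = re.compile(
    r"From (?P<src>\S+) to (?P<dst>\S+)\s+"
    r"Naming Context: (?P<nc>[^\n]+?)\s*\n\s*"
    r"The replication generated an error \((?P<code>-?\d+)\):\s*"
    r"(?P<msg>[^\n]+?)\s*\n\s*"
    r"The failure occurred at (?P<failed>[\d: -]+)\.\s*"
    r"The last success occurred at (?P<ok>[\d: -]+)\.\s*"
    r"(?P<count>\d+) failures have occurred"
)

def parse_failures(text):
    """Return one dict per failed replication attempt reported by dcdiag."""
    records = []
    for m in FAILURE.finditer(text):
        code = int(m["code"]) & 0xFFFFFFFF  # signed -> unsigned HRESULT
        stale = datetime.strptime(m["failed"], FMT) - datetime.strptime(m["ok"], FMT)
        records.append({
            "src": m["src"], "dst": m["dst"], "nc": m["nc"],
            "hresult": f"0x{code:08X}", "name": SSPI_NAMES.get(code, "unknown"),
            "stale_days": stale.days, "failures": int(m["count"]),
        })
    return records

def link_status(text, tombstone_days):
    """Per (source, destination) link: worst staleness and the days left
    before the last good replication is older than the tombstone lifetime."""
    links = {}
    for r in parse_failures(text):
        link = links.setdefault((r["src"], r["dst"]), {"stale_days": 0, "contexts": []})
        link["stale_days"] = max(link["stale_days"], r["stale_days"])
        link["contexts"].append(r["nc"])
    for link in links.values():
        link["days_left"] = tombstone_days - link["stale_days"]
    return links

# Constructed sample: two records copied from the dcdiag output in the post.
SAMPLE = """\
Starting test: Replications
[Replications Check,CORPDC1] A recent replication attempt failed:
From CORPDC2 to CORPDC1
Naming Context: CN=Schema,CN=Configuration,DC=xxxxx,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2011-09-28 10:45:25.
The last success occurred at 2011-08-30 17:46:04.
689 failures have occurred since the last success.
[Replications Check,CORPDC1] A recent replication attempt failed:
From CORPDC2 to CORPDC1
Naming Context: DC=xxxxx,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2011-09-28 10:45:25.
The last success occurred at 2011-08-30 18:01:42.
692 failures have occurred since the last success.
......................... CORPDC1 failed test Replications
"""

if __name__ == "__main__":
    # 60 is an assumed tombstone lifetime used only for this demonstration.
    for link, info in link_status(SAMPLE, tombstone_days=60).items():
        print(link, info)
```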
Check DNS; make sure all DCs are only pointing to internal DNS servers.
ASKER
I have 2 DCs that host DNS; both are pointing internal.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Yeah, that second one is a bit tough. I tried using that from the MS KB but it didn't seem to take. Part of the issue is that this is a Core server using the shell... the KB says to stop the KDC service, then put it in manual mode, then run the netdom string. I tried both locally and from the other DC in the local OU; neither seemed to take.
Wonder if I need a specific password...
You need the domain admin password.
Quickest way is to demote the DC and seize roles over to the other DC if this one is functioning properly
ASKER
Yeah, I have the enterprise and domain admin passwords... just can't seem to find out how to edit the services of the KDC on the Core server shell.
Run netdom query fsmo to see what server is holding fsmo roles