Solved

global catalog server issue

Posted on 2011-09-28
9
388 Views
Last Modified: 2012-10-25
OK i am having issues with a GC server.  I have a flat forest with 4 GC servers.  The local server was installed as a "core" win2k8 box of which i know nothing about.  It began having issues replicating that i noticed about a week ago.  Its tombstone is sitting at 59 days right now.  I started seeing all kinds of issues with trust relationships etc today.  I tried various MS solutions to get the kerberos to work and it did not help.  So i promoted a member server to a GC.  The problem is that this server cannot talk to the existing server to get AD info.  How can i point the new GC to another site (flat network) GC to replicate AD info back to the site i am on?  I believe that if i simply demote the current GC that is having issues i may lose Exchange and other services tied to the GC..esp since the new GC is not getting replica sets from it..  any ideas?

thanks
Rick
0
Comment
Question by:brokenmatrix
  • 5
  • 4
9 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
Run dcdiag post results.

Run netdom query fsmo to see what server is holding fsmo roles
0
 

Author Comment

by:brokenmatrix
Comment Utility
FSMO all roles are held by corpdc1

here is the dcdiag:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = corpdc1

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: xxxx\CORPDC1

      Starting test: Connectivity

         ......................... CORPDC1 passed test Connectivity



Doing primary tests

   
   Testing server: sitename\CORPDC1

      Starting test: Advertising

         ......................... CORPDC1 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... CORPDC1 passed test FrsEvent

      Starting test: DFSREvent

         ......................... CORPDC1 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... CORPDC1 passed test SysVolCheck

      Starting test: KccEvent

         ......................... CORPDC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... CORPDC1 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... CORPDC1 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... CORPDC1 passed test NCSecDesc

      Starting test: NetLogons

         [CORPDC1] User credentials does not have permission to perform this

         operation.

         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... CORPDC1 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... CORPDC1 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,CORPDC1] A recent replication attempt failed:

            From CORPDC2 to CORPDC1

            Naming Context: CN=Schema,CN=Configuration,DC=xxxxx,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2011-09-28 10:45:25.

            The last success occurred at 2011-08-30 17:46:04.

            689 failures have occurred since the last success.

         [CORPDC2] DsBindWithSpnEx() failed with error -2146893022,

         The target principal name is incorrect..
         [Replications Check,CORPDC1] A recent replication attempt failed:

            From CORPDC2 to CORPDC1

            Naming Context: CN=Configuration,DC=xxxxx,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2011-09-28 10:45:25.

            The last success occurred at 2011-08-30 17:46:04.

            690 failures have occurred since the last success.

         [Replications Check,CORPDC1] A recent replication attempt failed:

            From CORPDC2 to CORPDC1

            Naming Context: DC=xxxxx,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2011-09-28 10:45:25.

            The last success occurred at 2011-08-30 18:01:42.

            692 failures have occurred since the last success.

         ......................... CORPDC1 failed test Replications

      Starting test: RidManager

         ......................... CORPDC1 passed test RidManager

      Starting test: Services

            IsmServ Service is stopped on [CORPDC1]

         ......................... CORPDC1 failed test Services

      Starting test: SystemLog

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:24:02

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:25:15

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:25:52

            Event String: A Kerberos Error Message was received:


     


         An Warning Event occurred.  EventID: 0x000003FC

            Time Generated: 09/28/2011   10:31:46

            Event String:

            Scope, 10.1.103.0, is 93 percent full with only 1 IP addresses remaining.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:32:12

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:32:52

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:34:02

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:35:07

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:35:11

           Event String: A Kerberos Error Message was received:


       

       

            Time Generated: 09/28/2011   10:45:25

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/3ea337c5-b359-40c4-ab7f-e72bf8e61752/xxxxx.com@xxxxx.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:45:38

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:46:23

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:46:39

            Event String: A Kerberos Error Message was received:


 

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 09/28/2011   10:54:04

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was xxxxx\CORPDC2$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:56:02

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 09/28/2011   10:56:02

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was LDAP/3ea337c5-b359-40c4-ab7f-e72bf8e61752._msdcs.xxxxx.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:56:39

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:56:42

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:57:31

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:57:35

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:57:52

            Event String: A Kerberos Error Message was received:


   



            Time Generated: 09/28/2011   11:15:38

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   11:16:24

            Event String: A Kerberos Error Message was received:


 

         ......................... CORPDC1 failed test SystemLog

      Starting test: VerifyReferences

         ......................... CORPDC1 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : xxxxx

      Starting test: CheckSDRefDom

         ......................... xxxxx passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... xxxxx passed test CrossRefValidation

   
   Running enterprise tests on : xxxxx.com

      Starting test: LocatorCheck

         ......................... xxxxx.com passed test LocatorCheck

      Starting test: Intersite

         ......................... xxxxx.com passed test Intersite
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
Check DNS make sure all DCs are only pointing to internal DNS servers.
0
 

Author Comment

by:brokenmatrix
Comment Utility
i have 2 DCs that host DNS, both are pointing internal
0
Are your corporate email signatures appalling?

Is it scary how unprofessional your email signatures look? Do users create their own terrible designs and give themselves stupid job titles? You can make this a lot easier for yourself by choosing an email signature management solution from Exclaimer today.

 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
Comment Utility
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
0
 

Author Comment

by:brokenmatrix
Comment Utility
yeah that second one is a bit tough, i tried using that from MS KB but it didnt seem to take, part of the issue is that this is Core server using Shell...the KB says to stop the KDC service, then put it in manual mode...then run the netdom string...i tried both local and from the other DC in the local OU neither seemed to take..

wonder if i need a specific password...
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
You need domain admin password.

Quickest way is to demote the DC and seize roles over to  the other DC if this one is functioning properly
0
 

Author Comment

by:brokenmatrix
Comment Utility
yeah i have the enterprise and domain admin passwords...just cant seem to find out how to edit the services of the KDC on the core server shell..
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

If you migrate a Terminal Server licenses server inside the 2008 server family, you can takte advantage of the build-in migration tool. If you like to migrate an older 2003 Server (and the installed client CALs) to a 2008 R2 server for example, you …
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now