Solved

global catalog server issue

Posted on 2011-09-28
9
389 Views
Last Modified: 2012-10-25
OK i am having issues with a GC server.  I have a flat forest with 4 GC servers.  The local server was installed as a "core" win2k8 box of which i know nothing about.  It began having issues replicating that i noticed about a week ago.  Its tombstone is sitting at 59 days right now.  I started seeing all kinds of issues with trust relationships etc today.  I tried various MS solutions to get the kerberos to work and it did not help.  So i promoted a member server to a GC.  The problem is that this server cannot talk to the existing server to get AD info.  How can i point the new GC to another site (flat network) GC to replicate AD info back to the site i am on?  I believe that if i simply demote the current GC that is having issues i may lose Exchange and other services tied to the GC..esp since the new GC is not getting replica sets from it..  any ideas?

thanks
Rick
0
Comment
Question by:brokenmatrix
  • 5
  • 4
9 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36718786
Run dcdiag post results.

Run netdom query fsmo to see what server is holding fsmo roles
0
 

Author Comment

by:brokenmatrix
ID: 36719080
FSMO all roles are held by corpdc1

here is the dcdiag:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = corpdc1

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: xxxx\CORPDC1

      Starting test: Connectivity

         ......................... CORPDC1 passed test Connectivity



Doing primary tests

   
   Testing server: sitename\CORPDC1

      Starting test: Advertising

         ......................... CORPDC1 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... CORPDC1 passed test FrsEvent

      Starting test: DFSREvent

         ......................... CORPDC1 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... CORPDC1 passed test SysVolCheck

      Starting test: KccEvent

         ......................... CORPDC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... CORPDC1 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... CORPDC1 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... CORPDC1 passed test NCSecDesc

      Starting test: NetLogons

         [CORPDC1] User credentials does not have permission to perform this

         operation.

         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... CORPDC1 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... CORPDC1 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,CORPDC1] A recent replication attempt failed:

            From CORPDC2 to CORPDC1

            Naming Context: CN=Schema,CN=Configuration,DC=xxxxx,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2011-09-28 10:45:25.

            The last success occurred at 2011-08-30 17:46:04.

            689 failures have occurred since the last success.

         [CORPDC2] DsBindWithSpnEx() failed with error -2146893022,

         The target principal name is incorrect..
         [Replications Check,CORPDC1] A recent replication attempt failed:

            From CORPDC2 to CORPDC1

            Naming Context: CN=Configuration,DC=xxxxx,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2011-09-28 10:45:25.

            The last success occurred at 2011-08-30 17:46:04.

            690 failures have occurred since the last success.

         [Replications Check,CORPDC1] A recent replication attempt failed:

            From CORPDC2 to CORPDC1

            Naming Context: DC=xxxxx,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2011-09-28 10:45:25.

            The last success occurred at 2011-08-30 18:01:42.

            692 failures have occurred since the last success.

         ......................... CORPDC1 failed test Replications

      Starting test: RidManager

         ......................... CORPDC1 passed test RidManager

      Starting test: Services

            IsmServ Service is stopped on [CORPDC1]

         ......................... CORPDC1 failed test Services

      Starting test: SystemLog

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:24:02

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:25:15

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:25:52

            Event String: A Kerberos Error Message was received:


     


         An Warning Event occurred.  EventID: 0x000003FC

            Time Generated: 09/28/2011   10:31:46

            Event String:

            Scope, 10.1.103.0, is 93 percent full with only 1 IP addresses remaining.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:32:12

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:32:52

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:34:02

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:35:07

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:35:11

           Event String: A Kerberos Error Message was received:


       

       

            Time Generated: 09/28/2011   10:45:25

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/3ea337c5-b359-40c4-ab7f-e72bf8e61752/xxxxx.com@xxxxx.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:45:38

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:46:23

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:46:39

            Event String: A Kerberos Error Message was received:


 

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 09/28/2011   10:54:04

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was xxxxx\CORPDC2$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:56:02

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 09/28/2011   10:56:02

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was LDAP/3ea337c5-b359-40c4-ab7f-e72bf8e61752._msdcs.xxxxx.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:56:39

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:56:42

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:57:31

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:57:35

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:57:52

            Event String: A Kerberos Error Message was received:


   



            Time Generated: 09/28/2011   11:15:38

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   11:16:24

            Event String: A Kerberos Error Message was received:


 

         ......................... CORPDC1 failed test SystemLog

      Starting test: VerifyReferences

         ......................... CORPDC1 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : xxxxx

      Starting test: CheckSDRefDom

         ......................... xxxxx passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... xxxxx passed test CrossRefValidation

   
   Running enterprise tests on : xxxxx.com

      Starting test: LocatorCheck

         ......................... xxxxx.com passed test LocatorCheck

      Starting test: Intersite

         ......................... xxxxx.com passed test Intersite
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36719168
Check DNS make sure all DCs are only pointing to internal DNS servers.
0
 

Author Comment

by:brokenmatrix
ID: 36719248
i have 2 DCs that host DNS, both are pointing internal
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 36719280
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36719284
0
 

Author Comment

by:brokenmatrix
ID: 36719314
yeah that second one is a bit tough, i tried using that from MS KB but it didnt seem to take, part of the issue is that this is Core server using Shell...the KB says to stop the KDC service, then put it in manual mode...then run the netdom string...i tried both local and from the other DC in the local OU neither seemed to take..

wonder if i need a specific password...
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36719382
You need domain admin password.

Quickest way is to demote the DC and seize roles over to  the other DC if this one is functioning properly
0
 

Author Comment

by:brokenmatrix
ID: 36719416
yeah i have the enterprise and domain admin passwords...just cant seem to find out how to edit the services of the KDC on the core server shell..
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Recently, I was asked to look into SCCM 2007 by my employer, having a degree of experience of earlier versions of SMS and some previous SCCM knowledge I didn't expect the procedure to involve to much time. I read a number of guides concerning it…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now