Solved

global catalog server issue

Posted on 2011-09-28
Last Modified: 2012-10-25
OK, I am having issues with a GC server. I have a flat forest with 4 GC servers. The local server was installed as a "core" Win2k8 box, which I know nothing about. It began having issues replicating that I noticed about a week ago. Its tombstone is sitting at 59 days right now. I started seeing all kinds of issues with trust relationships etc. today. I tried various MS solutions to get Kerberos to work and it did not help. So I promoted a member server to a GC. The problem is that this server cannot talk to the existing server to get AD info. How can I point the new GC to another site (flat network) GC to replicate AD info back to the site I am on? I believe that if I simply demote the current GC that is having issues I may lose Exchange and other services tied to the GC, esp. since the new GC is not getting replica sets from it. Any ideas?

thanks
Rick
Question by:brokenmatrix
9 Comments
Expert Comment by: Darius Ghassem (LVL 59)
ID: 36718786
Run dcdiag and post the results.

Run netdom query fsmo to see which server is holding the FSMO roles.
Author Comment by: brokenmatrix
ID: 36719080
All FSMO roles are held by corpdc1.

Here is the dcdiag output:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = corpdc1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: xxxx\CORPDC1
      Starting test: Connectivity
         ......................... CORPDC1 passed test Connectivity

Doing primary tests
   
   Testing server: sitename\CORPDC1
      Starting test: Advertising
         ......................... CORPDC1 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... CORPDC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... CORPDC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... CORPDC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... CORPDC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... CORPDC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... CORPDC1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... CORPDC1 passed test NCSecDesc
      Starting test: NetLogons
         [CORPDC1] User credentials does not have permission to perform this
         operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... CORPDC1 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... CORPDC1 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,CORPDC1] A recent replication attempt failed:
            From CORPDC2 to CORPDC1
            Naming Context: CN=Schema,CN=Configuration,DC=xxxxx,DC=com
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2011-09-28 10:45:25.
            The last success occurred at 2011-08-30 17:46:04.
            689 failures have occurred since the last success.
         [CORPDC2] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         [Replications Check,CORPDC1] A recent replication attempt failed:
            From CORPDC2 to CORPDC1
            Naming Context: CN=Configuration,DC=xxxxx,DC=com
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2011-09-28 10:45:25.
            The last success occurred at 2011-08-30 17:46:04.
            690 failures have occurred since the last success.
         [Replications Check,CORPDC1] A recent replication attempt failed:
            From CORPDC2 to CORPDC1
            Naming Context: DC=xxxxx,DC=com
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2011-09-28 10:45:25.
            The last success occurred at 2011-08-30 18:01:42.
            692 failures have occurred since the last success.
         ......................... CORPDC1 failed test Replications
      Starting test: RidManager
         ......................... CORPDC1 passed test RidManager
      Starting test: Services
            IsmServ Service is stopped on [CORPDC1]
         ......................... CORPDC1 failed test Services
      Starting test: SystemLog
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:24:02
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:25:15
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:25:52
            Event String: A Kerberos Error Message was received:

         An Warning Event occurred.  EventID: 0x000003FC
            Time Generated: 09/28/2011   10:31:46
            Event String:
            Scope, 10.1.103.0, is 93 percent full with only 1 IP addresses remaining.
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:32:12
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:32:52
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:34:02
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:35:07
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:35:11
            Event String: A Kerberos Error Message was received:

            Time Generated: 09/28/2011   10:45:25
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/3ea337c5-b359-40c4-ab7f-e72bf8e61752/xxxxx.com@xxxxx.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:45:38
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:46:23
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:46:39
            Event String: A Kerberos Error Message was received:

            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x40000004
            Time Generated: 09/28/2011   10:54:04
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was xxxxx\CORPDC2$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:56:02
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x40000004
            Time Generated: 09/28/2011   10:56:02
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was LDAP/3ea337c5-b359-40c4-ab7f-e72bf8e61752._msdcs.xxxxx.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:56:39
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:56:42
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:57:31
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:57:35
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   10:57:52
            Event String: A Kerberos Error Message was received:

            Time Generated: 09/28/2011   11:15:38
            Event String: A Kerberos Error Message was received:
         An Error Event occurred.  EventID: 0x80000003
            Time Generated: 09/28/2011   11:16:24
            Event String: A Kerberos Error Message was received:

         ......................... CORPDC1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... CORPDC1 passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   
   Running partition tests on : xxxxx
      Starting test: CheckSDRefDom
         ......................... xxxxx passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... xxxxx passed test CrossRefValidation
   
   Running enterprise tests on : xxxxx.com
      Starting test: LocatorCheck
         ......................... xxxxx.com passed test LocatorCheck
      Starting test: Intersite
         ......................... xxxxx.com passed test Intersite
Expert Comment by: Darius Ghassem (LVL 59)
ID: 36719168
Check DNS; make sure all DCs are only pointing to internal DNS servers.

Author Comment by: brokenmatrix
ID: 36719248
I have 2 DCs that host DNS; both are pointing internal.
Accepted Solution by: Darius Ghassem (LVL 59), earned 1500 total points
ID: 36719280
Author Comment by: brokenmatrix
ID: 36719314
Yeah, that second one is a bit tough. I tried using that from the MS KB but it didn't seem to take; part of the issue is that this is a Core server using the shell... the KB says to stop the KDC service, then put it in manual mode... then run the netdom string... I tried both locally and from the other DC in the local OU; neither seemed to take..

Wonder if I need a specific password...
Expert Comment by: Darius Ghassem (LVL 59)
ID: 36719382
You need the domain admin password.

The quickest way is to demote the DC and seize the roles over to the other DC, if that one is functioning properly.
Author Comment by: brokenmatrix
ID: 36719416
Yeah, I have the enterprise and domain admin passwords... just can't seem to find out how to edit the services of the KDC on the Core server shell..
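The KB steps the thread describes (stop the KDC, set it to manual, run the netdom reset, restart the KDC) can all be done from cmd.exe on a Core box, since there is no services.msc there. The batch below is an added example, not part of the thread or of Microsoft's KB; it assumes it is run in an elevated cmd.exe on the DC whose machine-account secure channel is broken (taken here to be CORPDC1), that CORPDC2 is a healthy partner for /server:, and that xxxxx\administrator is a placeholder for a domain admin account.

```batch
@echo off
REM Added example (not from the thread): reset THIS DC's machine-account
REM password against a healthy partner DC, then bring the KDC back.
REM Assumptions: run on CORPDC1; CORPDC2 is healthy; account is a placeholder.
set PARTNER_DC=CORPDC2
set ADMIN_ACCOUNT=xxxxx\administrator

REM 1. Put the local KDC in manual (demand) start and stop it, so this DC
REM    stops issuing tickets with the stale key while the reset runs.
REM    Note the space after "start=" is required by sc.
sc config kdc start= demand
net stop kdc

REM 2. Purge cached Kerberos tickets so nothing reuses the old key.
klist purge

REM 3. Reset the machine-account password of the computer this runs on,
REM    via the partner DC. /passwordd:* makes netdom prompt for the password.
netdom resetpwd /server:%PARTNER_DC% /userd:%ADMIN_ACCOUNT% /passwordd:*
if errorlevel 1 (
    echo netdom resetpwd failed; KDC left stopped for investigation.
    exit /b 1
)

REM 4. Return the KDC to automatic start and start it.
sc config kdc start= auto
net start kdc

REM 5. Verify: service state, then replication health from this DC's view.
sc query kdc
repadmin /replsummary
dcdiag /test:replications
```

Because the reset is of the local computer account, the script has to run on the DC that is out of sync, not on the healthy partner.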