Solved

global catalog server issue

Posted on 2011-09-28
9
390 Views
Last Modified: 2012-10-25
OK i am having issues with a GC server.  I have a flat forest with 4 GC servers.  The local server was installed as a "core" win2k8 box of which i know nothing about.  It began having issues replicating that i noticed about a week ago.  Its tombstone is sitting at 59 days right now.  I started seeing all kinds of issues with trust relationships etc today.  I tried various MS solutions to get the kerberos to work and it did not help.  So i promoted a member server to a GC.  The problem is that this server cannot talk to the existing server to get AD info.  How can i point the new GC to another site (flat network) GC to replicate AD info back to the site i am on?  I believe that if i simply demote the current GC that is having issues i may lose Exchange and other services tied to the GC..esp since the new GC is not getting replica sets from it..  any ideas?

thanks
Rick
0
Comment
Question by:brokenmatrix
  • 5
  • 4
9 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36718786
Run dcdiag post results.

Run netdom query fsmo to see what server is holding fsmo roles
0
 

Author Comment

by:brokenmatrix
ID: 36719080
FSMO all roles are held by corpdc1

here is the dcdiag:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = corpdc1

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: xxxx\CORPDC1

      Starting test: Connectivity

         ......................... CORPDC1 passed test Connectivity



Doing primary tests

   
   Testing server: sitename\CORPDC1

      Starting test: Advertising

         ......................... CORPDC1 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... CORPDC1 passed test FrsEvent

      Starting test: DFSREvent

         ......................... CORPDC1 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... CORPDC1 passed test SysVolCheck

      Starting test: KccEvent

         ......................... CORPDC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... CORPDC1 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... CORPDC1 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... CORPDC1 passed test NCSecDesc

      Starting test: NetLogons

         [CORPDC1] User credentials does not have permission to perform this

         operation.

         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... CORPDC1 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... CORPDC1 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,CORPDC1] A recent replication attempt failed:

            From CORPDC2 to CORPDC1

            Naming Context: CN=Schema,CN=Configuration,DC=xxxxx,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2011-09-28 10:45:25.

            The last success occurred at 2011-08-30 17:46:04.

            689 failures have occurred since the last success.

         [CORPDC2] DsBindWithSpnEx() failed with error -2146893022,

         The target principal name is incorrect..
         [Replications Check,CORPDC1] A recent replication attempt failed:

            From CORPDC2 to CORPDC1

            Naming Context: CN=Configuration,DC=xxxxx,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2011-09-28 10:45:25.

            The last success occurred at 2011-08-30 17:46:04.

            690 failures have occurred since the last success.

         [Replications Check,CORPDC1] A recent replication attempt failed:

            From CORPDC2 to CORPDC1

            Naming Context: DC=xxxxx,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2011-09-28 10:45:25.

            The last success occurred at 2011-08-30 18:01:42.

            692 failures have occurred since the last success.

         ......................... CORPDC1 failed test Replications

      Starting test: RidManager

         ......................... CORPDC1 passed test RidManager

      Starting test: Services

            IsmServ Service is stopped on [CORPDC1]

         ......................... CORPDC1 failed test Services

      Starting test: SystemLog

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:24:02

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:25:15

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:25:52

            Event String: A Kerberos Error Message was received:


     


         An Warning Event occurred.  EventID: 0x000003FC

            Time Generated: 09/28/2011   10:31:46

            Event String:

            Scope, 10.1.103.0, is 93 percent full with only 1 IP addresses remaining.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:32:12

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:32:52

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:34:02

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:35:07

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:35:11

           Event String: A Kerberos Error Message was received:


       

       

            Time Generated: 09/28/2011   10:45:25

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/3ea337c5-b359-40c4-ab7f-e72bf8e61752/xxxxx.com@xxxxx.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:45:38

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:46:23

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:46:39

            Event String: A Kerberos Error Message was received:


 

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 09/28/2011   10:54:04

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was xxxxx\CORPDC2$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:56:02

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 09/28/2011   10:56:02

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server corpdc2$. The target name used was LDAP/3ea337c5-b359-40c4-ab7f-e72bf8e61752._msdcs.xxxxx.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxxxx.COM) is different from the client domain (xxxxx.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:56:39

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:56:42

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:57:31

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:57:35

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   10:57:52

            Event String: A Kerberos Error Message was received:


   



            Time Generated: 09/28/2011   11:15:38

            Event String: A Kerberos Error Message was received:


         An Error Event occurred.  EventID: 0x80000003

            Time Generated: 09/28/2011   11:16:24

            Event String: A Kerberos Error Message was received:


 

         ......................... CORPDC1 failed test SystemLog

      Starting test: VerifyReferences

         ......................... CORPDC1 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : xxxxx

      Starting test: CheckSDRefDom

         ......................... xxxxx passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... xxxxx passed test CrossRefValidation

   
   Running enterprise tests on : xxxxx.com

      Starting test: LocatorCheck

         ......................... xxxxx.com passed test LocatorCheck

      Starting test: Intersite

         ......................... xxxxx.com passed test Intersite
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36719168
Check DNS make sure all DCs are only pointing to internal DNS servers.
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 

Author Comment

by:brokenmatrix
ID: 36719248
i have 2 DCs that host DNS, both are pointing internal
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 36719280
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36719284
0
 

Author Comment

by:brokenmatrix
ID: 36719314
yeah that second one is a bit tough, i tried using that from MS KB but it didnt seem to take, part of the issue is that this is Core server using Shell...the KB says to stop the KDC service, then put it in manual mode...then run the netdom string...i tried both local and from the other DC in the local OU neither seemed to take..

wonder if i need a specific password...
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36719382
You need domain admin password.

Quickest way is to demote the DC and seize roles over to  the other DC if this one is functioning properly
0
 

Author Comment

by:brokenmatrix
ID: 36719416
yeah i have the enterprise and domain admin passwords...just cant seem to find out how to edit the services of the KDC on the core server shell..
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

To effectively work with Diskpart on a Server Core, it is necessary to write some small batch script's, because you can't execute diskpart in a remote powershell session. To get startet, place the Diskpart batch script's into a share on your loca…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question