One Domain Controller Cannot Replicate to the Other

I had a primary DC go down; I transferred all roles to the secondary DC. I brought up the failed DC again via backup and restored over the secondary DC, so all should have been fine.

Right now I can replicate from DC1 (.34 subnet) to DC2 (.36 subnet), but I cannot get a replication from DC2 to DC1.

repadmin /showrepl on DC1: all were successful. /showrepl on DC2 has errors:

The Target Principal name is incorrect.

I have attached a picture of the command


REP-DC2.JPG
Travis Hahn asked:
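An added example, not part of the original post or its answers: it turns "repadmin /showrepl <dc> /csv" output into objects and lists only the inbound links that are failing, so the one-way breakage in the question (DC2 cannot pull from DC1 while DC1 pulls fine) shows up as a table with the status decoded. It assumes repadmin.exe is available (it is on every DC and with RSAT); the $Sample CSV at the bottom is constructed to mirror the thread and is not real output from those servers.

```powershell
# Added example, not from the original post: parse "repadmin /showrepl /csv" into objects
# and report only the inbound replication links that are failing.
# Assumption: repadmin.exe is on the PATH (DC or RSAT). $Sample below is constructed.

function ConvertTo-Int32Status {
    # repadmin prints the status as a decimal that may be a negative HRESULT or an unsigned DWORD.
    param([string]$Status)
    $v = [int64]$Status
    if ($v -gt [int]::MaxValue) { $v -= 4294967296 }
    [int]$v
}

function ConvertFrom-ShowReplCsv {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    # Layout: one header row tagged showrepl_COLUMNS, then data rows tagged showrepl_INFO.
    $header = $CsvLines | Where-Object { $_ -like 'showrepl_COLUMNS,*' } | Select-Object -First 1
    if (-not $header) { throw 'No showrepl_COLUMNS header row in input' }
    $cols = ($header -split ',') | ForEach-Object { $_.Trim() }
    $CsvLines | Where-Object { $_ -like 'showrepl_INFO,*' } | ConvertFrom-Csv -Header $cols
}

function Get-ReplicationFailure {
    param(
        [string[]]$CsvLines,      # parse these lines instead of running repadmin (offline use)
        [string]$Target = '*'     # DC name, or '*' for every DC in the forest
    )
    if (-not $CsvLines) { $CsvLines = & repadmin.exe /showrepl $Target /csv }
    ConvertFrom-ShowReplCsv -CsvLines $CsvLines |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            $status = ConvertTo-Int32Status $_.'Last Failure Status'
            [pscustomobject]@{
                Destination   = $_.'Destination DSA'      # the DC that is pulling (and failing)
                Source        = $_.'Source DSA'           # the partner it cannot pull from
                NamingContext = $_.'Naming Context'
                Failures      = [int]$_.'Number of Failures'
                LastFailure   = $_.'Last Failure Time'
                LastSuccess   = $_.'Last Success Time'
                Status        = ('0x{0:X8}' -f $status)
                # Win32Exception decodes Win32 codes and system HRESULTs such as
                # 0x80090322 "The target principal name is incorrect."
                Message       = ([System.ComponentModel.Win32Exception]$status).Message
            }
        }
}

# Constructed sample: DC1 pulls from DC2 fine; DC2 has failed 17 times pulling from DC1.
$Sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=fgh,DC=com",Default-First-Site-Name,DC2,RPC,0,0,2011-11-22 08:00:12,0
showrepl_INFO,Default-First-Site-Name,DC2,"DC=fgh,DC=com",Default-First-Site-Name,DC1,RPC,17,2011-11-22 08:03:41,2011-11-10 02:15:09,-2146893022
'@ -split "`r?`n"

Get-ReplicationFailure -CsvLines $Sample | Format-Table -AutoSize
# Live, on a DC:  Get-ReplicationFailure -Target DC2 | Format-List
```

Because replication is pull-based, the Destination column is the DC that is doing the (failing) pulling; for the question above that is DC2, and the Source column names the partner whose machine-account credentials it cannot use.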
snusgubben commented:
Replication is based on Pull, so DC1 seems to be the failing server.

Syntax that you should run on DC1:

netdom resetpwd /server:DC2 /userd:FGH\administrator /passwordd:administrator_password

(Just remember to disable the KDC.)
/userd = a domain admin
/passwordd = the admin's password

Or with PowerShell (2.0):

Test-ComputerSecureChannel -repair



Travis Hahn (author) commented:
Also, I am able to connect to DNS from DC1 to DC2 but cannot connect to DNS from DC2 to DC1.

snusgubben commented:

Travis Hahn (author) commented:
So let's just say, for argument's sake, that:

Domain: FGH.com
Server_Name = DC1 (is this the GOOD server or the failing-to-replicate server?)

domain_name\administrator
passwordd: (IS THIS A DOMAIN ADMIN ACCOUNT or a local machine admin account?)

(I thought that you could not log in locally to a domain controller.)

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password


So my syntax would be:

netdom resetpwd /server:DC1 /userd:FGH\administrator /passwordd:administrator_password

Darius Ghassem commented:
Run dcdiag and post the results.

Travis Hahn (author) commented:
Here is the dcdiag from the server that cannot replicate up to the main DC.
DCDIAG-PSRV.txt

Darius Ghassem commented:
Can you ping the HQ DC from this server by IP address? Can you ping by name?

Post ipconfig /all from HQ and remote DC.

Travis Hahn (author) commented:
Here is the ipconfig /all data.

I will try the netdom command tonight and see if it works.
ipconfig.txt

Darius Ghassem commented:
You need to remove these DNS servers: 208.67.222.22 and 208.67.220.220.

Travis Hahn (author) commented:
Okay, I have done the netdom fix and that got what I believe is the connector running; however, I am still having some errors in dcdiag.

Looks like some SYSVOL replication errors (FrsEvent, DFSREvent).

NetLogon - An net or LsaPolicy operation failed with error 67: the network name cannot be found.

Systemlog - The program lsass.exe with the assigned process id 616 could not authenticate locally by using the target name LDAP/
dcdiag-Iotadc-1122011.txt

snusgubben commented:
Please download and run "dnslint" to verify that all DNS records are registered correctly.

You'll find dnslint here: http://support.microsoft.com/kb/321045

Run: dnslint /ad /s <ip of iotadc> /v


Are both DCs 2008 or 2008R2?


Travis Hahn (author) commented:
Here is the report

Iota-DC is the primary DC, Server 2008 Standard.
Iota-prodsrv is the secondary, Server 2008 R2 Standard.
DNSLint-Report.txt

snusgubben commented:
Did you reboot the Iota-DC?

Travis Hahn (author) commented:
I stopped the service, sent the command and rebooted Iota-dc; that's when I saw the connector recreate itself. But I haven't rebooted Iota-Prodsrv or Iota-DC since the first reboot.

snusgubben commented:
Can you reboot the iota-dc?

Travis Hahn (author) commented:
I would not be able to do that until tonight. I am also seeing an error when I show the upstream computer:

LDAP error 81 (server down), Win32 error 58

I can reboot both DCs tonight and post dcdiags tomorrow morning.

Darius Ghassem commented:
Did you remove the external DNS servers?

Travis Hahn (author) commented:
Yes, I removed the external DNS servers.

Darius Ghassem commented:
Did you run ipconfig /flushdns, ipconfig /registerdns and dcdiag /fix?

Travis Hahn (author) commented:
Yes, I did run those commands. Here is another weird thing: my network is not set to a Domain network, it is set to "Private", which I think is strange because it should say "Domain".
Capturedc.JPG

Darius Ghassem commented:
Should be domain.

Give me another ipconfig /all.

Travis Hahn (author) commented:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : iota-dc
   Primary Dns Suffix  . . . . . . . : iota.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : iota.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-AB-70-C0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.34.240(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.34.95
   DNS Servers . . . . . . . . . . . : 192.168.34.240
                                       192.168.36.3
   Primary WINS Server . . . . . . . : 192.168.34.240
   NetBIOS over Tcpip. . . . . . . . : Enabled

Darius Ghassem commented:
You don't have two network cards enabled, right?

Travis Hahn (author) commented:
There are not two. However, it is listed as Network 2.

Darius Ghassem commented:
Make sure your enabled network card is listed first in the binding order.

http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

Travis Hahn (author) commented:
It's listed as the first one. It may have to do with us having to reset GPOs, including the Default Domain and Default Domain Controller GPOs?

Darius Ghassem commented:
dcdiag /test:dns

Travis Hahn (author) commented:
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = iota-dc
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\IOTA-DC
      Starting test: Connectivity
         ......................... IOTA-DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\IOTA-DC

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minute
         ......................... IOTA-DC passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : iota

   Running enterprise tests on : iota.com
      Starting test: DNS
         ......................... iota.com passed test DNS

Darius Ghassem commented:
repadmin /syncall

Travis Hahn (author) commented:
C:\Users\sshell>repadmin /syncall
CALLBACK MESSAGE: Error contacting server 0f102f88-8f44-4654-a0b4-ba78688e8fdc._
msdcs.iota.com (network error): 5 (0x5):
    Access is denied.

SyncAll exited with fatal Win32 error: 8440 (0x20f8):
    The naming context specified for this replication operation is invalid.


That GUID is the DNS alias of my primary DC as recorded in the GUI of AD Sites and Services.

Darius Ghassem commented:
Do you have AV installed? Remove it for testing.

Travis Hahn (author) commented:
No AV on the servers.

Darius Ghassem commented:
Still seems like your secure channel password is bad.

Travis Hahn (author) commented:
Do I need to run

netdom resetpwd /server:DC2 /userd:FGH\administrator /passwordd:administrator_password

on both DCs to ensure the proper password? And would I stop KCC on both servers?

Darius Ghassem commented:
Run it on DC1; I think that is the trouble DC.

Travis Hahn (author) commented:
Okay, will have to do that tonight. I will let you know.

Travis Hahn (author) commented:
Here are a bunch of outputs; see if you see anything that I can change before the reboot tonight.
AD-Trouble-Iota.zip

Travis Hahn (author) commented:
Here are the same outputs from the other DC.
AD-Info-IOTAPRODSRV.zip

Travis Hahn (author) commented:
I also found this article

http://support.microsoft.com/kb/967336

and I do not have the key that they list; I have a key that says "Migrating SysVols".

snusgubben commented:
The outputs you provided say replication is healthy.

Can you run a dcdiag from the 2008R2 DC?

dcdiag /v /e /c /f:dcdiag.txt

and attach the text file.

Travis Hahn (author) commented:
Here you go.
dcdiag.txt

snusgubben commented:
It looked like you had a file named dcdiag.txt and the new dcdiag was appended?
Correct me if I'm wrong.

Travis Hahn (author) commented:
It's possible. I'll delete it and rerun. Sorry.

Travis Hahn (author) commented:
Here is the new file.
dcdiag.txt

Travis Hahn (author) commented:
When I am in the GUI of AD Sites and Services and I say "Replicate Now" on IOTA-DC, it tells me access denied.

snusgubben commented:
From the diag (suddenly with many FRS events):

The KDC on IOTA-PRODSRV isn't responsive, please verify that it's running and advertising.
Try to reset the SC on this DC also. Run the command from the iota-prodserver. Remember to disable the kdc service, reboot, set the service back to auto and start it.

netdom resetpwd /server:iota-dc /userd:FGH\administrator /passwordd:administrator_password

Do you have two network cards in a NIC team or something? It says you have two adapters.

Adapter [00000006] Intel(R) PRO/1000 MT Network Connection:

                     MAC address is 00:50:56:AB:70:C0
                     IP Address is static
                     IP address: 192.168.34.240
                     DNS servers:

                        192.168.34.240 (IOTA-DC) [Valid]
                        192.168.36.8 (IOTA-PRODSRV) [Valid]
                  Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:

                     MAC address is 00:50:56:AB:70:C0
                     IP Address is static
                     IP address: 192.168.34.240
                     DNS servers:

                        192.168.34.240 (IOTA-DC) [Valid]
                        192.168.36.8 (IOTA-PRODSRV) [Valid]


It said earlier that SYSVOL was shared, but the NETLOGON share is not shared. See this KB for a possible workaround.
http://support.microsoft.com/kb/947022/en-us

You should also remove your internal IPs from the DNS forwarders. You forward non-authoritative queries to public DNS servers and between your internal DNS servers (loop).

From your initial post: I Brought up failed DC again via backup and restored over secondary DC so all should have been fine.
What do you mean by "restored over secondary DC"?


Run a new "dcdiag /v /e /c /f:dcdiag2.txt" from the R2 DC.
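The secure-channel reset that the first answer gives and that this comment repeats with the full sequence (disable and stop the KDC, netdom resetpwd against the partner DC, reboot, put the KDC back, verify) as one script run on the DC whose channel is broken, in two phases around the reboot. This is an added example, not code from the thread: iota-dc as the partner DC and IOTA\administrator as the domain admin are placeholders, and the password is requested by netdom itself (/passwordd:*) rather than typed on the command line, so it does not land in the shell history.

```powershell
# Added example, not from the thread: secure-channel reset of this DC in two phases.
#   .\Reset-DcSecureChannel.ps1 -Phase Reset  -PartnerDc iota-dc   (then the box reboots)
#   .\Reset-DcSecureChannel.ps1 -Phase Finish -PartnerDc iota-dc   (after the reboot)
# Placeholders: iota-dc (partner DC), IOTA\administrator (domain admin). Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][ValidateSet('Reset', 'Finish')][string]$Phase,
    [string]$PartnerDc = 'iota-dc',
    [string]$AdminUser = 'IOTA\administrator'
)
$ErrorActionPreference = 'Stop'
foreach ($tool in 'netdom.exe', 'nltest.exe', 'repadmin.exe') {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) { throw "$tool not found; install the AD DS tools" }
}

switch ($Phase) {
    'Reset' {
        # 1. Stop the local KDC and keep it down across the reboot, so nothing is done
        #    with tickets issued under the old machine-account password.
        if ($PSCmdlet.ShouldProcess('kdc', 'set startup Disabled and stop')) {
            Set-Service -Name kdc -StartupType Disabled
            Stop-Service -Name kdc -Force
        }
        # 2. Reset this DC's machine-account password with the partner DC.
        #    /passwordd:* makes netdom prompt instead of taking the secret as an argument.
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "netdom resetpwd /server:$PartnerDc")) {
            & netdom.exe resetpwd "/server:$PartnerDc" "/userd:$AdminUser" '/passwordd:*'
            if ($LASTEXITCODE -ne 0) {
                throw "netdom resetpwd returned $LASTEXITCODE; the KDC is still disabled, fix the cause and rerun -Phase Reset"
            }
        }
        # 3. Reboot so LSASS comes up with the new password, then run -Phase Finish.
        Write-Warning "Password reset done. Rebooting; afterwards run: .\$($MyInvocation.MyCommand.Name) -Phase Finish -PartnerDc $PartnerDc"
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart-Computer')) { Restart-Computer -Force }
    }
    'Finish' {
        # 4. Put the KDC back to Automatic and start it.
        Set-Service -Name kdc -StartupType Automatic
        Start-Service -Name kdc
        # 5. Verify: secure channel to the partner, Netlogon's view of it, then force a pull
        #    of the domain partition from the partner and show the link state.
        if (-not (Test-ComputerSecureChannel -Server $PartnerDc)) {
            throw "Secure channel to $PartnerDc is still broken"
        }
        & nltest.exe "/sc_verify:$env:USERDNSDOMAIN"
        $domainNc = ([ADSI]'LDAP://RootDSE').defaultNamingContext
        & repadmin.exe /replicate $env:COMPUTERNAME $PartnerDc $domainNc
        & repadmin.exe /showrepl $env:COMPUTERNAME
    }
}
```

The Reset phase deliberately leaves the KDC disabled if netdom fails, so a half-done reset is visible rather than silently masked by a KDC that starts again on the next boot; the Finish phase is where it is re-enabled, after the password change has taken effect.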


snusgubben commented:
* You forward non-authoritative queries to public DNS servers not and between

snusgubben commented:
How hard could it be?! :)

You forward non-authoritative queries to public DNS servers and not between...
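The two DNS mistakes called out in this thread, public resolvers in the DC's NIC DNS list (the 208.67.x.x entries) and internal DNS servers listed as forwarders (the loop), as a check script. This is an added example, not code from the thread. Test-DcDnsConfig is a pure function so it can be exercised with the constructed values at the bottom; Get-DcDnsConfig reads the live settings and assumes the DnsClient, DnsServer and ActiveDirectory modules (Windows Server 2012+ or RSAT). The addresses are placeholders modelled on the thread.

```powershell
# Added example, not from the thread: flag external resolvers on a DC's NIC and internal
# DNS servers used as forwarders. Addresses below are constructed, modelled on the thread.

function Test-DcDnsConfig {
    param(
        [string[]]$ClientDns,    # DNS servers set on the DC's NIC (ipconfig /all "DNS Servers")
        [string[]]$Forwarders,   # forwarders configured in the DNS server role
        [string[]]$InternalDns   # every internal AD-integrated DNS server, this DC included
    )
    $findings = @()
    if (-not ($ClientDns | Where-Object { $InternalDns -contains $_ })) {
        $findings += [pscustomobject]@{ Check = 'NIC DNS'; Value = '(none)'
            Problem = 'no internal DNS server configured; AD SRV records cannot be resolved' }
    }
    foreach ($ip in $ClientDns) {
        if ($InternalDns -notcontains $ip) {
            $findings += [pscustomobject]@{ Check = 'NIC DNS'; Value = $ip
                Problem = 'external resolver on a DC; it cannot answer _msdcs SRV lookups' }
        }
    }
    foreach ($ip in $Forwarders) {
        if ($InternalDns -contains $ip) {
            $findings += [pscustomobject]@{ Check = 'Forwarder'; Value = $ip
                Problem = 'internal DNS server as forwarder; non-authoritative queries loop between DCs' }
        }
    }
    $findings
}

function Get-DcDnsConfig {
    # Live check on the local DC; the internal set defaults to the addresses of all DCs.
    param([string[]]$InternalDns)
    if (-not $InternalDns) {
        $InternalDns = (Get-ADDomainController -Filter *).IPv4Address
    }
    $client = Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses } |
              ForEach-Object { $_.ServerAddresses }
    $fwd = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
    Test-DcDnsConfig -ClientDns $client -Forwarders $fwd -InternalDns $InternalDns
}

# Constructed values mirroring the thread: two DCs, the OpenDNS entries still on the NIC,
# and the partner DC wrongly listed as a forwarder next to a public resolver.
$internal = '192.168.34.240', '192.168.36.8'
Test-DcDnsConfig -ClientDns '192.168.34.240', '192.168.36.8', '208.67.222.22', '208.67.220.220' `
                 -Forwarders '192.168.36.8', '8.8.8.8' -InternalDns $internal |
    Format-Table -AutoSize
# Live:  Get-DcDnsConfig | Format-Table -AutoSize    (no output = nothing flagged)
```

Run against the constructed values it reports the two OpenDNS addresses under "NIC DNS" and 192.168.36.8 under "Forwarder", which is exactly the state the comments above ask to be cleaned up: the public resolvers go only in the forwarder list, the DCs go only in the NIC list.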

Travis Hahn (author) commented:
So in my Iota-dc DNS properties, I want to remove my servers and only have in there the servers that I want to do my forwarding (i.e. Google, my ISP, OpenDNS)?

I do not have another NIC installed. The system is running on VMware. What happened is that we removed the server from the domain without dcpromo, and when we went to restart the DC via VMware it blue-screened.

So I transferred all FSMO roles to iota-prodsrv.

We then created another VM with the same name but were having problems getting it to join (even though I had cleaned the metadata up).

I had taken a snapshot of Prodserv as it was, and we were able to repair the original DC with media; then we did a restore to a previous day via Backup Exec.

So in the interim, I think there are all kinds of problems, but my users are working. But I would like to get these errors mitigated so that performance on my DC goes back to normal. Right now the lsass.exe process is killing it.

snusgubben commented:
No, you configure the DNS forwarders in the DNS management console. Non-local queries are routed that way (i.e. Google DNS or your ISP's DNS).

http://technet.microsoft.com/en-us/library/cc787071(WS.10).aspx

Snapshots are not AD's best friend when you have more than one DC, but...

Did you seize the FSMOs or were you able to transfer them?

Travis Hahn (author) commented:
All FSMO roles are now on the appropriate DC. So now I have 2 Policies and 2 Scripts folders in SYSVOL.

And thanks for helping me out - I appreciate it.
Capture4.JPG

snusgubben commented:
They are called morphed folders. It happens when, e.g., two folders have the same name. This is also something you should fix.

Take a backup of the folders. Just copy them to somewhere on the disc outside the SYSVOL folder.
Stop the NTFRS service.
Find out which folder is up to date. If both are equal, rename them both: one to something like "policies_keep" and the other one to "policies_delete". Same goes for the scripts folder.
Start NTFRS.
When the changes are replicated to the other DC, delete the folders you marked "_delete".  

http://support.microsoft.com/kb/328492

snusgubben commented:
* And rename "policies_keep" to just "policies".
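The morphed-folder cleanup described in the two comments above as a script run on the DC holding the duplicates, as an added example rather than code from the answer. Phase Rename backs the copies up outside SYSVOL, stops NTFRS, keeps the copy with the newest content as <Name>_keep, renames the others <Name>_delete and starts NTFRS; phase Finalize, run once the renames have shown up on the other DC, deletes the _delete copies and renames _keep back. Two assumptions: SYSVOL lives under %SystemRoot%\SYSVOL\domain, and morphed copies carry the <Name>_NTFRS_<8 hex characters> suffix that KB 328492 describes. Run it with -WhatIf first.

```powershell
# Added example, not from the thread: clean up morphed SYSVOL folders in two phases.
#   .\Repair-MorphedSysvol.ps1 -Phase Rename -WhatIf      (preview)
#   .\Repair-MorphedSysvol.ps1 -Phase Rename              (rename, then wait for replication)
#   .\Repair-MorphedSysvol.ps1 -Phase Finalize            (delete _delete, rename _keep back)
# Assumptions: SYSVOL path below; morphed names look like Policies_NTFRS_0a1b2c3d (KB 328492).
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][ValidateSet('Rename', 'Finalize')][string]$Phase,
    [string]$SysvolDomain = "$env:SystemRoot\SYSVOL\domain",
    [string]$BackupRoot   = "$env:SystemDrive\SysvolMorphBackup",
    [string[]]$Names      = @('Policies', 'scripts')
)
$ErrorActionPreference = 'Stop'

function Get-NewestWrite {
    # Newest modification time anywhere under a folder; decides which copy is "up to date".
    param([System.IO.DirectoryInfo]$Dir)
    $m = Get-ChildItem -LiteralPath $Dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
         Measure-Object -Property LastWriteTimeUtc -Maximum
    if ($m.Maximum) { $m.Maximum } else { $Dir.LastWriteTimeUtc }
}

switch ($Phase) {
    'Rename' {
        $work = @()
        foreach ($name in $Names) {
            # The original plus any morphed copies, e.g. Policies and Policies_NTFRS_0a1b2c3d.
            $pattern = '^' + [regex]::Escape($name) + '_NTFRS_[0-9a-f]{8}$'
            $copies = @(Get-ChildItem -LiteralPath $SysvolDomain -Directory -Force |
                        Where-Object { $_.Name -ieq $name -or $_.Name -imatch $pattern })
            if ($copies.Count -lt 2) { Write-Host "${name}: no morphed copies found"; continue }
            $work += [pscustomobject]@{ Name = $name; Copies = $copies }
        }
        if (-not $work) { return }
        # Back everything up outside SYSVOL before touching it.
        $null = New-Item -ItemType Directory -Path $BackupRoot -Force
        foreach ($w in $work) { foreach ($c in $w.Copies) {
            Copy-Item -LiteralPath $c.FullName -Destination (Join-Path $BackupRoot $c.Name) -Recurse -Force
        } }
        if ($PSCmdlet.ShouldProcess('ntfrs', 'stop')) { Stop-Service -Name ntfrs -Force }
        foreach ($w in $work) {
            $ordered = $w.Copies | Sort-Object { Get-NewestWrite $_ } -Descending
            $i = 0
            foreach ($c in $ordered) {
                $new = if ($i -eq 0) { "$($w.Name)_keep" } else { "$($w.Name)_delete$i" }
                # "Access denied" here is the NTFS ACL on the folder, not FRS: check effective permissions.
                if ($PSCmdlet.ShouldProcess($c.FullName, "rename to $new")) {
                    Rename-Item -LiteralPath $c.FullName -NewName $new
                }
                $i++
            }
        }
        if ($PSCmdlet.ShouldProcess('ntfrs', 'start')) { Start-Service -Name ntfrs }
        Write-Host 'Wait for the renamed folders to appear on the other DC, then run -Phase Finalize.'
    }
    'Finalize' {
        foreach ($name in $Names) {
            Get-ChildItem -LiteralPath $SysvolDomain -Directory -Force |
                Where-Object { $_.Name -like "${name}_delete*" } |
                ForEach-Object {
                    if ($PSCmdlet.ShouldProcess($_.FullName, 'delete')) {
                        Remove-Item -LiteralPath $_.FullName -Recurse -Force
                    }
                }
            $keep = Join-Path $SysvolDomain "${name}_keep"
            if ((Test-Path -LiteralPath $keep) -and $PSCmdlet.ShouldProcess($keep, "rename to $name")) {
                Rename-Item -LiteralPath $keep -NewName $name
            }
        }
    }
}
```

The "newest write wins" rule is only a default for the case the comment calls "both are equal"; when the two copies actually differ, compare them from the backup directory before running the Finalize phase, since that phase is the one that deletes.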

Travis Hahn (author) commented:
It won't let me rename; it says I don't have permission.

I am logged in as a domain admin.

snusgubben commented:
Have you stopped the NTFRS service?

Travis Hahn (author) commented:
I stopped it on the server that I was trying to rename on. Do I need to do it on both?

snusgubben commented:
No, you shouldn't have to do that. Have you checked the effective permissions on the folder?

http://support.microsoft.com/kb/319808

Travis Hahn (author) commented:
I did look at the article; however, I am getting a little lost. I'll show you what I have.

I have attached the permissions and share permissions for the SYSVOL folder.
NTFS.zip

snusgubben commented:
In 4.jpg it says administrators have read permissions (that take precedence over the share permissions). There is also a "special permission" that I can't see. You should look at those permissions to see what they say.

Travis Hahn (author) commented:
Here are some screenshots of the Administrator special permissions.
p5.JPG
p6.JPG

snusgubben commented:
Set the permissions on the scripts_xxx and policies_xxx folders so you can delete one of them and rename the other. When done, set the permissions back to their original values.

Travis Hahn (author) commented:
This is going to sound stupid. So I need to change the permissions on the scripts_XXX folder so that I have permission to change its name, then delete the other ones.

Should I just give the Domain Admins full access?

snusgubben commented:
Normally you can rename and delete the scripts and policies folders if they become morphed. You could try to give Domain Admins full access, but morphed folders are not so serious that they would stop FRS replication, though they could stall FRS a little.

From what you have said, it sounds like you have done an unsupported restore of a DC with snapshots (and Backup Exec). Correct me if I'm wrong. When you do that you can/will get all sorts of weird errors like a broken secure channel, missing FRS objects/references (FRS event 13562) and problems with AD replication. Since lsass.exe also consumes a lot of CPU, it all sounds wrong.

I think you have 3 options:

If you want it fixed asap, I would demote the DC you restored, check that the metadata is removed, and reinstall it. Fix the other DC, which should be easy. Then promote the reinstalled DC.

Call Microsoft PSS and open a support case. There will be a fee to pay.

Continue troubleshooting here with both DCs as they are, but it might take some time to get it fixed.

I dunno if dariusq has something to add?


Travis Hahn (author) commented:
What about creating a whole new DC in the same subnet as the failed DC, changing the name, changing the IP, and then transferring the FSMO roles to the new server?

Basically, make the new DC the primary, have the other two running, and then demote the original to a member server.

Would that be a better option?

Darius Ghassem commented:
I would demote the server and fully rebuild the server.

Travis Hahn (author) commented:
It's on VMware, so I could easily create a new DC, transfer FSMO to the new DC, then demote the current DC.

Darius Ghassem commented:
I would transfer the roles to another existing DC, not a new DC. Do not demote until you know the new DC is functioning properly.

snusgubben commented:
You shouldn't bring another DC in before your domain is healthy.

Travis Hahn (author) commented:
I have attached dcdiags from both DCs. I believe I have eliminated most of the errors. If you can review them for me that would be great. The only issue I have right now is the duplicate folders in SYSVOL.
dcdiag-1172011.zip

snusgubben commented:
It looks good from the AD view.

Can't you rename the morphed folders on any DC? Did you try to give domain admins Delete permissions?

Travis Hahn (author) commented:
I have deleted the two extra folders. I also created a TEST script in the Scripts folder, waited 15 minutes and verified that the extra folders and the test script appeared on the second DC. I also modified a GPO and created a TEST GPO to see if it syncs through.

Travis Hahn (author) commented:
So far so good: I created a GPO to put in a bookmark, that worked, and the GPO that I modified changed its "Date Modified" timestamp.

So, would you guys call this issue resolved in your opinion? Or are there some more tests that I could run to confirm?

Again, I really appreciate your help.

snusgubben commented:
Your latest dcdiag looked ok besides some small issues with a registry key for the print spooler and a DCOM connection towards some public DNS. You should take a look at them.

You should check the event logs. If they are clean, things sound ok.

Travis Hahn (author) commented:
Thank you for helping.

Question has a verified solution.