Solved

One Domain Controller Cannot Replicate to other

Posted on 2011-10-31
74
Medium Priority
1,306 Views
Last Modified: 2012-08-13
I had a primary DC go down - I transferred all roles to the secondary DC. I brought the failed DC up again via backup and restored over the secondary DC, so all should have been fine.

Right now I can replicate from DC1 (.34 subnet) to DC2 (.36 subnet), but I cannot get a replication from DC2 to DC1.

Repadmin /showrepl on DC1: all were successful. /showrepl on DC2 has errors:

The Target Principal name is incorrect.

I have attached a picture of the command


REP-DC2.JPG
0
Question by:Travis Hahn
74 Comments
 

Author Comment

by:Travis Hahn
ID: 37057812
Also I am able to connect to DNS from DC1 to DC2 but cannot connect to DNS from DC2 to DC1
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37057820
0
 

Author Comment

by:Travis Hahn
ID: 37058395
So let's just say, for argument's sake, that:

Domain: FGH.com
Server_Name = DC1 (is this the GOOD server or the failing-to-replicate server?)

domain_name\administrator
passwordd: (IS THIS A DOMAIN ADMIN ACCOUNT or a Local Machine Admin account?)

(I thought that you could not login locally to a domain controller)

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password


so my syntax would be:

netdom resetpwd /server:DC1 /userd:FGH\administrator /passwordd:administrator_password
0

 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37058536
Run dcdiag and post the results.
0
 

Author Comment

by:Travis Hahn
ID: 37058620
Here is the DCDIAG from the server that cannot replicate up to the main DC
DCDIAG-PSRV.txt
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37058652
Can you ping the HQ DC from this server by IP address? Can you ping by name?

Post ipconfig /all from HQ and remote DC.
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 1600 total points
ID: 37058877
Replication is based on Pull, so DC1 seems to be the failing server.

Syntax that you should run on DC1:

netdom resetpwd /server:DC2 /userd:FGH\administrator /passwordd:administrator_password

(just remember to disable the KDC)
/userd = a domain admin
/passwordd = the admins password

Or with PowerShell (2.0):

Test-ComputerSecureChannel -repair


0
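Added example, not posted by snusgubben or anyone else in this thread: a PowerShell wrapper for the secure-channel reset described above. It assumes Windows Server 2008/2008 R2 with netdom.exe, nltest.exe and repadmin.exe available, is run elevated on the DC that cannot pull replication (DC1 in the thread) against a healthy partner DC, and the partner, admin account and domain names are placeholders. The reboot between the two functions is deliberate, matching the steps given later in the thread.

```powershell
# Added example, not from the thread. Run on the DC whose inbound replication
# fails (DC1). Assumes netdom.exe, nltest.exe and repadmin.exe are on the PATH.
$ErrorActionPreference = 'Stop'

function Invoke-SecureChannelReset {
    param(
        [Parameter(Mandatory = $true)][string]$PartnerDC,        # healthy DC, e.g. DC2 (placeholder)
        [Parameter(Mandatory = $true)][string]$DomainAdminUser   # e.g. FGH\administrator (placeholder)
    )

    # Step 1: disable and stop the KDC so this DC stops issuing tickets under
    # the stale machine-account password while it is being reset.
    Set-Service -Name kdc -StartupType Disabled
    Stop-Service -Name kdc -Force

    # Step 2: reset the machine-account password against the partner DC.
    # /passwordd:* makes netdom prompt, so the password is never placed on the
    # command line or in the PowerShell history.
    & netdom.exe resetpwd /server:$PartnerDC /userd:$DomainAdminUser /passwordd:*
    if ($LASTEXITCODE -ne 0) {
        throw "netdom resetpwd failed with exit code $LASTEXITCODE; KDC left disabled on purpose"
    }

    Write-Host "Machine-account password reset against $PartnerDC. Reboot now, then run Complete-SecureChannelReset."
}

function Complete-SecureChannelReset {
    param([Parameter(Mandatory = $true)][string]$DomainDnsName)  # e.g. FGH.com (placeholder)

    # Step 3 (after the reboot): put the KDC back to Automatic and start it.
    Set-Service -Name kdc -StartupType Automatic
    Start-Service -Name kdc

    # Step 4: verify the secure channel, then look for failed inbound links.
    & nltest.exe /sc_verify:$DomainDnsName

    $repl   = & repadmin.exe /showrepl
    $failed = $repl | Select-String -Pattern 'Last attempt .* failed'
    if ($failed) {
        Write-Warning 'repadmin /showrepl still reports failed inbound links:'
        $failed | ForEach-Object { Write-Warning $_.Line }
    } else {
        Write-Host 'repadmin /showrepl reports no failed inbound links.'
    }
}

# Usage (placeholders): Invoke-SecureChannelReset -PartnerDC DC2 -DomainAdminUser 'FGH\administrator'
# ... reboot ...
# Complete-SecureChannelReset -DomainDnsName FGH.com
```

If netdom fails, the KDC is intentionally left disabled so the DC does not go back to issuing tickets under the old password; re-enable it only after the reset succeeds.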
 

Author Comment

by:Travis Hahn
ID: 37058979
Here is the IPCONFIG /ALL data.

I will try the NETDOM command tonight and see if it works.
ipconfig.txt
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37059160
You need to remove these DNS servers 208.67.222.22 208.67.220.220
0
 

Author Comment

by:Travis Hahn
ID: 37069984
Okay, I have done the NETDOM fix and that got what I believe is the connector running; however, I am still having some errors in DCDIAG.

Looks like some SYSVOL replication errors (FrsEvent, DFSREvent).

NetLogon - An net or LsaPolicy operation failed with error 67, the network name cannot be found

Systemlog - The program lsass.exe with the assigned process id 616 couldnot authenticate locally by using the target name LDAP/
dcdiag-Iotadc-1122011.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37070022
Please download and run "dnslint" to verify that all DNS records are registered correctly.

You'll find dnslint here: http://support.microsoft.com/kb/321045

Run: dnslint /ad /s <ip of iotadc> /v


Are both DCs 2008 or 2008R2?

0
 

Author Comment

by:Travis Hahn
ID: 37070092
Here is the report

Iota-DC is the Primary dc Server 2008 Standard
Iota-prodsrv is Secondary Server 2008 R2 Standard
DNSLint-Report.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37070233
Did you reboot the Iota-DC?
0
 

Author Comment

by:Travis Hahn
ID: 37070419
I stopped the service, sent the command and rebooted Iota-dc; that's when I saw the connector recreate itself. But I haven't rebooted Iota-Prodsrv or Iota-DC since the first reboot.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37070955
Can you reboot the iota-dc?
0
 

Author Comment

by:Travis Hahn
ID: 37071488
I would not be able to do that until tonight. I am also seeing an error when I show Upstream computer:

LDAP error 81 <server down> Win32 Err58

I can reboot both DC's tonight and post DCDIAG's tomorrow morning...
0
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 400 total points
ID: 37071502
Did you remove the external DNS servers?
0
 

Author Comment

by:Travis Hahn
ID: 37071513
Yes I removed the external DNS servers
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37071535
Did you run ipconfig /flushdns, ipconfig /registerdns and dcdiag /fix?
0
 

Author Comment

by:Travis Hahn
ID: 37071856
Yes, I did run those commands. Here is another weird thing: my network is not set to a Domain network, it is set to "Private", which I think is strange because it should say "Domain".
Capturedc.JPG
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37072207
Should be domain.

Give me another ipconfig /all.
0
 

Author Comment

by:Travis Hahn
ID: 37072245
Windows IP Configuration

   Host Name . . . . . . . . . . . . : iota-dc
   Primary Dns Suffix  . . . . . . . : iota.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : iota.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-AB-70-C0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.34.240(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.34.95
   DNS Servers . . . . . . . . . . . : 192.168.34.240
                                       192.168.36.3
   Primary WINS Server . . . . . . . : 192.168.34.240
   NetBIOS over Tcpip. . . . . . . . : Enabled
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37072536
You don't have two network cards enabled, right?
0
 

Author Comment

by:Travis Hahn
ID: 37072714
There are not two. However, it is listed as Network 2.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37072759
Make sure your enabled network card is listed first in the binding order

http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/
0
 

Author Comment

by:Travis Hahn
ID: 37073166
It is listed as the first one. It may have to do with us having to reset GPOs, including the Default Domain and Default Domain Controller GPO?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37077099
dcdiag /test:dns
0
 

Author Comment

by:Travis Hahn
ID: 37077151
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = iota-dc
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\IOTA-DC
      Starting test: Connectivity
         ......................... IOTA-DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\IOTA-DC

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minute
         ......................... IOTA-DC passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : iota

   Running enterprise tests on : iota.com
      Starting test: DNS
         ......................... iota.com passed test DNS
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37077216
repadmin /syncall
0
 

Author Comment

by:Travis Hahn
ID: 37077270
C:\Users\sshell>repadmin /syncall
CALLBACK MESSAGE: Error contacting server 0f102f88-8f44-4654-a0b4-ba78688e8fdc._
msdcs.iota.com (network error): 5 (0x5):
    Access is denied.

SyncAll exited with fatal Win32 error: 8440 (0x20f8):
    The naming context specified for this replication operation is invalid.


That GUID is the DNS alias of my primary DC as recorded in the GUI of AD Sites and Services.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37077306
Do you have AV installed? Remove it for testing.
0
 

Author Comment

by:Travis Hahn
ID: 37077335
No AV on Servers
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37077353
It still seems like your secure channel password is bad.
0
 

Author Comment

by:Travis Hahn
ID: 37077442
Do I need to run

netdom resetpwd /server:DC2 /userd:FGH\administrator /passwordd:administrator_password

On both DC's to ensure the proper password?  And would I stop KCC on both servers?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37077478
Run on DC1; I think that is the trouble DC.
0
 

Author Comment

by:Travis Hahn
ID: 37077663
Okay - will have to do that tonight. I will let you know...
0
 

Author Comment

by:Travis Hahn
ID: 37077770
Here are a bunch of outputs - see if you see anything that I can change before the reboot tonight...
AD-Trouble-Iota.zip
0
 

Author Comment

by:Travis Hahn
ID: 37077805
Here are the same outputs from the other DC
AD-Info-IOTAPRODSRV.zip
0
 

Author Comment

by:Travis Hahn
ID: 37077911
I also found this article

http://support.microsoft.com/kb/967336

and I do not have that key that they list I have a key that says "Migrating SysVols"
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37077957
The outputs you provided say replication is healthy.

Can you run a dcdiag from the 2008R2 DC?

dcdiag /v /e /c /f:dcdiag.txt

and attach the text file.
0
 

Author Comment

by:Travis Hahn
ID: 37078015
Here you go
dcdiag.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37078124
It looked like you had a file named dcdiag.txt and the new dcdiag was appended?
Correct me if I'm wrong.
0
 

Author Comment

by:Travis Hahn
ID: 37078157
It's possible. I'll delete it and rerun. Sorry.
0
 

Author Comment

by:Travis Hahn
ID: 37078230
Here is new file
dcdiag.txt
0
 

Author Comment

by:Travis Hahn
ID: 37078309
When I am in the GUI of AD Sites and Services and I say to Replicate Now on the IOTA-DC it tells me access denied
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 1600 total points
ID: 37079099
From the diag (suddenly with many FRS events):

The KDC on IOTA-PRODSRV isn't responsive, please verify that it's running and advertising.
Try to reset the SC on this DC also. Run the command from the iota-prodserver. Remember to disable the kdc service, reboot, set the service back to auto and start it.

netdom resetpwd /server:iota-dc /userd:FGH\administrator /passwordd:administrator_password

Do you have two network cards in a NIC team or something? It says you have two adapters.

Adapter [00000006] Intel(R) PRO/1000 MT Network Connection:

                     MAC address is 00:50:56:AB:70:C0
                     IP Address is static
                     IP address: 192.168.34.240
                     DNS servers:

                        192.168.34.240 (IOTA-DC) [Valid]
                        192.168.36.8 (IOTA-PRODSRV) [Valid]
                  Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:

                     MAC address is 00:50:56:AB:70:C0
                     IP Address is static
                     IP address: 192.168.34.240
                     DNS servers:

                        192.168.34.240 (IOTA-DC) [Valid]
                        192.168.36.8 (IOTA-PRODSRV) [Valid


It said earlier that SYSVOL was shared, but the NETLOGON share is not shared. See this KB for a possible workaround.
http://support.microsoft.com/kb/947022/en-us

You should also remove your internal IPs from the DNS forwarders. You forward non-authoritative queries to public DNS servers and between your internal DNS servers (loop).

From your initial post: "I brought up failed DC again via backup and restored over secondary DC so all should have been fine."
What do you mean by "restored over secondary DC"?


Run a new "dcdiag /v /e /c /f:dcdiag2.txt" from the R2 DC.

0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37079116
*You forward non-authoritative queries to public DNS servers, not and between
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37079123
How hard could it be?! :)

You forward non-authoritative queries to public DNS servers and not between...
0
 

Author Comment

by:Travis Hahn
ID: 37079306
So in my Iota-dc DNS properties, I want to remove my servers and only have in there the servers that I want to do my forwarding (i.e. Google, my ISP, OpenDNS)?

I do not have another NIC installed. The system is running on VMware. What happened is that we removed the server from the domain without DCPROMO, and when we went to restart the DC via VMware it blue-screened.

So I transferred all FSMO roles to iota-prodsrv.

We then created another VM with the same name but were having problems getting it to join (even though I had cleaned the metadata up).

I had taken a SNAPSHOT of Prodserv as it was, and we were able to REPAIR the original DC with media; then we did a RESTORE to a previous day via Backup Exec.

So in the interim I think there are all kinds of problems, but my users are working... But I would like to get these errors mitigated so that performance on my DC goes back to normal. Right now the lsass.exe process is killing it...
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37079396
No, you configure the DNS forwarders in the DNS management console. Non-local queries are routed that way (i.e. Google DNS or your ISP's DNS).

http://technet.microsoft.com/en-us/library/cc787071(WS.10).aspx

Snapshots are not AD's best friend when you have more than one DC, but..

Did you seize the FSMOs or were you able to transfer them?
0
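Added example, not from the thread or either expert: a PowerShell audit for the two DNS misconfigurations raised above (Darius Ghassem's note about the OpenDNS servers in the NIC's DNS list, and snusgubben's note about internal IPs in the DNS forwarders). It uses WMI so it runs on 2008/2008 R2 with PowerShell 2.0, and it assumes the internal network uses RFC 1918 addressing; the computer name is a placeholder.

```powershell
# Added example, not from the thread. Run elevated on each DC (or point
# -ComputerName at a DC). Assumes internal addresses are RFC 1918.

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    $octets = $Ip.Split('.')
    if ($octets.Count -ne 4) { return $false }
    $a = [int]$octets[0]; $b = [int]$octets[1]
    return ($a -eq 10) -or ($a -eq 172 -and $b -ge 16 -and $b -le 31) -or ($a -eq 192 -and $b -eq 168)
}

function Get-DcDnsAudit {
    param([string]$ComputerName = '.')   # '.' = local machine

    $findings = @()

    # NIC DNS client list: on a DC this should contain only internal DNS
    # servers (itself and/or its partner DC), never a public resolver such as
    # the 208.67.x.x entries called out earlier in the thread.
    $nics = Get-WmiObject -ComputerName $ComputerName -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        foreach ($dns in @($nic.DNSServerSearchOrder)) {
            if ($dns -and -not (Test-PrivateIPv4 $dns)) {
                $findings += "NIC '$($nic.Description)': public DNS server $dns in the client DNS list (remove it)"
            }
        }
    }

    # DNS Server forwarders: these should be the public/ISP resolvers only.
    # An internal DNS server here makes the DCs forward to each other (loop).
    $srv = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
    foreach ($fwd in @($srv.Forwarders)) {
        if ($fwd -and (Test-PrivateIPv4 $fwd)) {
            $findings += "DNS forwarders: internal address $fwd listed as a forwarder (remove it)"
        }
    }

    return $findings
}

# Usage: an empty result means both lists look as they should.
$result = Get-DcDnsAudit
if ($result.Count -eq 0) { Write-Host 'No DNS client/forwarder problems found.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

The two checks are deliberately opposite: a private address is wrong in the forwarder list, a public address is wrong in the NIC's client list. That is exactly the pair of settings the thread corrects.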
 

Author Comment

by:Travis Hahn
ID: 37079702
All FSMO roles are now on the appropriate DC. So now I have 2 Policies and 2 Scripts folders in SYSVOL.

And thanks for helping me out - I appreciate it.
Capture4.JPG
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 1600 total points
ID: 37079898
They are called morphed folders. It happens when, i.e., two folders have the same name. This is also something you should fix.

Take a backup of the folders. Just copy them to somewhere on the disc outside the SYSVOL folder.
Stop the NTFRS service.
Find out which folder is up to date. If both are equal, rename them both, to something like "policies_keep" and the other one to "policies_delete". The same goes for the scripts folder.
Start NTFRS.
When the changes are replicated to the other DC, delete the folders you marked "_delete".

http://support.microsoft.com/kb/328492
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37079910
* and rename the "policies_keep" to just "policies".
0
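Added example, not from the thread or from snusgubben: a PowerShell helper for the morphed-folder clean-up in the two comments above. It backs up every copy of the Policies and Scripts folders found under the SYSVOL domain folder, reports which copy has the newest content, and only with -Apply stops NTFRS, renames the others to *_deleteN, renames the keeper back to its proper name and restarts NTFRS. Deleting the *_delete folders once they have replicated stays a manual step, as in the thread. The SYSVOL path and backup path are assumed defaults; the _NTFRS_ suffix pattern is the morphed-folder naming described in KB 328492.

```powershell
# Added example, not from the thread. Run elevated on the DC that holds the
# morphed folders. Without -Apply it only backs up and reports.
param(
    [string]$SysvolDomainPath = 'C:\Windows\SYSVOL\domain',   # assumed default location
    [string]$BackupRoot       = 'C:\SysvolBackup',            # assumed, outside SYSVOL
    [switch]$Apply
)

function Get-MorphedFolders {
    param([string]$Path, [string]$BaseName)
    # Matches "Policies" as well as "Policies_NTFRS_0a1b2c3d" (the morphed copy).
    Get-ChildItem -Path $Path | Where-Object {
        $_.PSIsContainer -and $_.Name -match ('^{0}(_NTFRS_[0-9a-f]{{8}})?$' -f $BaseName)
    }
}

function Get-NewestWriteTime {
    param([string]$Folder)
    # Newest file inside the folder decides which copy is "up to date".
    $newest = Get-ChildItem -Path $Folder -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($newest) { $newest.LastWriteTime } else { (Get-Item $Folder).LastWriteTime }
}

$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($base in 'Policies', 'Scripts') {
    $copies = @(Get-MorphedFolders -Path $SysvolDomainPath -BaseName $base)
    if ($copies.Count -lt 2) { Write-Host "$base`: no morphed copies found"; continue }

    # Step 1: copy every version out of SYSVOL before touching anything.
    foreach ($c in $copies) {
        Copy-Item -Path $c.FullName -Destination (Join-Path $backupDir $c.Name) -Recurse -Force
    }

    # Step 2: keep the copy with the newest content; the rest get marked for deletion.
    $ranked = @($copies | Sort-Object { Get-NewestWriteTime $_.FullName } -Descending)
    $keep   = $ranked[0]
    $drop   = $ranked[1..($ranked.Count - 1)]
    Write-Host "$base`: keep '$($keep.Name)', mark for deletion: $($drop.Name -join ', ')"

    if (-not $Apply) { continue }

    # Step 3: rename with NTFRS stopped so FRS never sees a half-finished state.
    Stop-Service -Name NtFrs
    try {
        Rename-Item -Path $keep.FullName -NewName "${base}_keep"
        $i = 0
        foreach ($d in $drop) {
            Rename-Item -Path $d.FullName -NewName ('{0}_delete{1}' -f $base, $i)
            $i++
        }
        # Now the proper name is free, give it back to the keeper (per the follow-up comment).
        Rename-Item -Path (Join-Path $SysvolDomainPath "${base}_keep") -NewName $base
    } finally {
        Start-Service -Name NtFrs
    }
}
```

Run it once without -Apply to see which copy it would keep; if the newest-file heuristic picks the wrong one, rename by hand instead. After the renames have replicated to the other DC, the *_delete folders can be removed.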
 

Author Comment

by:Travis Hahn
ID: 37079942
It won't let me rename - says I don't have permission.

I am logged in as a Domain Admin
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37080040
Have you stopped the NTFRS service?
0
 

Author Comment

by:Travis Hahn
ID: 37080066
I stopped it on the server that I was trying to rename on - do I need to do it on both?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37080121
No you shouldn't have to do that. Have you checked the effective permissions on the folder?

http://support.microsoft.com/kb/319808
0
 

Author Comment

by:Travis Hahn
ID: 37083522
I did look at the article; however, I am getting a little lost. I'll show you what I have.

I have attached the permissions and share permissions for the SYSVOL folder.
NTFS.zip
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37087726
In 4.jpg it says administrators have read permissions (that take precedence over the share permissions). There is also a "special permission" that I can't see. You should look at those permissions to see what they say.
0
 

Author Comment

by:Travis Hahn
ID: 37094807
Here are some screen shots of the Administrator special permissions.
p5.JPG
p6.JPG
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37094954
Set the permissions on the scripts_xxx and policies_xxx so you can delete one of them and rename the other. When done, set the permissions back to their origin.
0
 

Author Comment

by:Travis Hahn
ID: 37094989
This is going to sound stupid. So I need to change the permissions on the scripts_XXX folder so that I have permission to change its name, then delete the other ones.

Should I just give the Domain Admin full access?
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 1600 total points
ID: 37096373
Normally you can rename and delete the scripts and policies folders if they become morphed. You could try to give domain admins full access, but morphed folders are not so serious that they would stop the FRS replication, though they could stall FRS a little.

From what you have said, it sounds like you have done an unsupported restore of a DC with snapshots (and Backup Exec). Correct me if I'm wrong. When you do that you can/will get all sorts of weird errors like a broken secure channel, missing FRS objects/references (FRS event 13562) and problems with AD replication. Since lsass.exe also consumes a lot of CPU, it all sounds wrong.

I think you got 3 options:

If you want it fixed asap, I would demote the DC you restored, check that the metadata is removed, and reinstall it. Fix the other DC, which should be easy. Then promote the reinstalled DC.

Call Microsoft PSS and open a support case. There will be a fee to pay.

Continue troubleshooting here with both DCs as they are, but it might take some time to get it fixed.

I dunno if dariusq has something to add?

0
 

Author Comment

by:Travis Hahn
ID: 37096426
What about creating a whole new DC in the same subnet as the failed DC - change name, change IP, and then transfer FSMO roles to the new server?

Basically, make the NEW DC the primary and have the other two running, and then demote the original to a member server.

Would that be a better option?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37096502
I would demote the server and fully rebuild the server.
0
 

Author Comment

by:Travis Hahn
ID: 37096512
Its on VMWARE, so I could easily create a new DC - Transfer FSMO to new DC - then demote current DC.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37096659
I would transfer roles to another existing DC, not a new DC. Do not demote until you know the new DC is functioning properly.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37096851
You shouldn't bring another DC in before your domain is healthy.
0
 

Author Comment

by:Travis Hahn
ID: 37097352
I have attached dcdiag's from both DC's - I believe I have eliminated most of the errors.  If you can review for me that would be great.  The only issue I have right now is the duplicate folders in SYSVOL
dcdiag-1172011.zip
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37098565
It looks good from the AD view.

Can't you rename the morphed folders on any DC? Did you try to give domain admins Delete permissions?
0
 

Author Comment

by:Travis Hahn
ID: 37100671
I have deleted the two extra folders - I also created a TEST script in the Scripts folder and waited 15 minutes and verified that the EXTRA folders and the test script appeared on the second DC.  I also modified a GPO and created a TEST GPO to see if it syncs through.
0
 

Author Comment

by:Travis Hahn
ID: 37101222
So far so good - I created a GPO to put in a BOOKMARK that worked and the GPO that I modified changed its "Date Modified" time stamp.

So - would you guys call this issue resolved in your opinion? Or are there some more TESTs that I could run to confirm?

Again I really appreciate your help...
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37101708
Your latest dcdiag looked OK besides some small issues with a registry key for the print spooler, and a DCOM connection towards some public DNS. You should take a look at them.

You should check the event logs. If they are clean, things sound OK.
0
 

Author Closing Comment

by:Travis Hahn
ID: 37101857
Thank you for helping
0
