Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations
Course Of The Month
7 days, 8 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
AD Replication Errors - Between Two Domain Controllers
Posted on 2013-05-17
I'm having quite an issue that began a few days ago. Let me just lay out exactly what happened - also I've inherited this environment, please keep that in mind.
1st DC - Windows Server 2003 R2 Std
2nd DC - Windows Server 2008 R2 Ent
In the last couple days, when a user boots up and attempts to log in from any workstation I have recently freshly installed encounters a Trust error upon login. So, I logged in as local admin and rejoined to the domain - however when the Trust failed multiple times across several machines I dug deeper.
On one of the workstations, I checked event viewer and found this:
So for some reason, it led me to believe that this workstation was authenticating directly to the 2nd DC versus the 1st DC.
Looking at the PDC Event Viewer, I found this error:
Followed by:
So I looked on the 1st DC to find almost identical errors:
I'm not entirely sure what caused these replication (I think?) start occuring. It's literally been in the last few days. I'm guessing at this point, they both are not communicating with each other properly. If I make a change on one DC, it should show up on the other DC right? For example changing user properties on the 1st DC should shortly show up on the 2nd DC as well?
What steps can I take to really get this resolved?
1st DC - Windows Server 2003 R2 Std
2nd DC - Windows Server 2008 R2 Ent
In the last couple days, when a user boots up and attempts to log in from any workstation I have recently freshly installed encounters a Trust error upon login. So, I logged in as local admin and rejoined to the domain - however when the Trust failed multiple times across several machines I dug deeper.
On one of the workstations, I checked event viewer and found this:
Log Name: System
Source: NETLOGON
Date: 5/16/2013 12:06:07 PM
Event ID: 3210
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: WIN7-2083.Domain.DomainName.com
Description:
This computer could not authenticate with \\BDCName.Domain.DomainName.com, a Windows domain controller for domain DOMAIN, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NETLOGON" />
<EventID Qualifiers="0">3210</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords >
<TimeCreated SystemTime="2013-05-16T17:06:07.0000 00000Z" />
<EventRecordID>52991</EventRecordID>
<Channel>System</Channel>
<Computer>WIN7-2083.Domain.DomainNam e.com</Com puter>
<Security />
</System>
<EventData>
<Data>DOMAIN</Data>
<Data>\\BDCName.Domain.DomainName.co m</Data>
<Binary>220000C0</Binary>
</EventData>
</Event>
So for some reason, it led me to believe that this workstation was authenticating directly to the 2nd DC versus the 1st DC.
Looking at the PDC Event Viewer, I found this error:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
CN=Configuration,DC=Domain,DC=Domain Name,DC=co m
There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
User Action
Perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
Followed by:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=Default-First-Site-Name,CN=Sites, CN=Configu ration,DC= Domain,DC= DomainName ,DC=com
So I looked on the 1st DC to find almost identical errors:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=Jackson,CN=Sites,CN=Configuration ,DC=Domain ,DC=Domain Name,DC=co m
I'm not entirely sure what caused these replication (I think?) start occuring. It's literally been in the last few days. I'm guessing at this point, they both are not communicating with each other properly. If I make a change on one DC, it should show up on the other DC right? For example changing user properties on the 1st DC should shortly show up on the 2nd DC as well?
What steps can I take to really get this resolved?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2 Comments
Active today
First thing I always recommend when encountering problems on a DC (especially anything to do with replication), is to run the following commands (on each DC).
dcdiag /v
dcdiag /v /test:dns
repadmin /showrepl
I would also suggest installing and running the AD Replication Status Tool which can be found here.
http://www.microsoft.com/en-us/download/details.aspx?id=30005
dcdiag /v
dcdiag /v /test:dns
repadmin /showrepl
I would also suggest installing and running the AD Replication Status Tool which can be found here.
http://www.microsoft.com/en-us/download/details.aspx?id=30005
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP, Windows Server…
- Ransomware
- Experts Exchange
- Windows XP
- Windows OS
- Windows Server 2008
- Windows Server 2003, Security
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders.
Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility.
Directly connect an external storage device such as a USB drive, or CD\DVD burner:
If the device is a USB drive, ensure i…
Suggested Courses
Course of the Month7 days, 8 hours left to enroll
728 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.