AD replication issues

Hello all,

Kinda stumped at the moment. I have an issue involving a DC that is getting replication errors. A brief synopsis:

I have

DC 1 (FSMO role holder)
DC 2 (resides on the same LAN segment)
DC 3 (At remote site on separate LAN segment)

DC 1 and DC 2 cannot seem to replicate to one another, however DC 1 and DC 2 can both replicate to DC 3.

I have KCC warning 2093 in the event log of DC2. If I run a dcdiag on DC2, I get errors trying to connect to DC1 with target principal name errors. Here is the output of dcdiag:


C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Site 1\DC 2
      Starting test: Connectivity
         ......................... DC 2 passed test Connectivity

Doing primary tests

   Testing server: Site 1\DC 2
      Starting test: Replications
         [Replications Check,DC 2] A recent replication attempt failed:
            From DC 1 to DC 2
            Naming Context: DC=ForestDnsZones,DC=tsb,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2013-05-29 17:02:05.
            The last success occurred at 2013-04-24 11:48:55.
            889 failures have occurred since the last success.
         [DC 1] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         [Replications Check,DC 2] A recent replication attempt failed:
            From DC 1 to DC 2
            Naming Context: DC=DomainDnsZones,DC=tsb,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2013-05-29 17:02:05.
            The last success occurred at 2013-04-24 11:48:55.
            889 failures have occurred since the last success.
         [Replications Check,DC 2] A recent replication attempt failed:
            From DC 1 to DC 2
            Naming Context: CN=Schema,CN=Configuration,DC=tsb,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2013-05-29 17:02:05.
            The last success occurred at 2013-04-24 11:48:55.
            889 failures have occurred since the last success.
         [Replications Check,DC 2] A recent replication attempt failed:
            From DC 1 to DC 2
            Naming Context: CN=Configuration,DC=tsb,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2013-05-29 17:02:05.
            The last success occurred at 2013-04-24 12:04:25.
            3168 failures have occurred since the last success.
         [Replications Check,DC 2] A recent replication attempt failed:
            From DC 1 to DC 2
            Naming Context: DC=tsb,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2013-05-29 17:02:05.
            The last success occurred at 2013-04-24 12:21:01.
            12420 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         DC 2:  Current time is 2013-05-29 17:02:14.
            DC=ForestDnsZones,DC=tsb,DC=local
               Last replication recieved from DC 1 at 2013-04-24 12:07:46.
            DC=DomainDnsZones,DC=tsb,DC=local
               Last replication recieved from DC 1 at 2013-04-24 12:07:46.
            CN=Schema,CN=Configuration,DC=tsb,DC=local
               Last replication recieved from DC 1 at 2013-04-24 12:07:46.
            CN=Configuration,DC=tsb,DC=local
               Last replication recieved from DC 1 at 2013-04-24 12:07:46.
            DC=tsb,DC=local
               Last replication recieved from DC 1 at 2013-04-24 12:21:01.
         ......................... DC 2 passed test Replications
      Starting test: NCSecDesc
         ......................... DC 2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC 2 passed test NetLogons
      Starting test: Advertising
         ......................... DC 2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: DC 1 is the Schema Owner, but is not responding to DS RPC
Bind.
         [DC 1] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: DC 1 is the Schema Owner, but is not responding to LDAP Bi
nd.
         Warning: DC 1 is the Domain Owner, but is not responding to DS RPC
Bind.
         Warning: DC 1 is the Domain Owner, but is not responding to LDAP Bi
nd.
         Warning: DC 1 is the PDC Owner, but is not responding to DS RPC Bin
d.
         Warning: DC 1 is the PDC Owner, but is not responding to LDAP Bind.

         Warning: DC 1 is the Rid Owner, but is not responding to DS RPC Bin
d.
         Warning: DC 1 is the Rid Owner, but is not responding to LDAP Bind.

         ......................... DC 2 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DC 2 failed test RidManager
      Starting test: MachineAccount
         ......................... DC 2 passed test MachineAccount
      Starting test: Services
         ......................... DC 2 passed test Services
      Starting test: ObjectsReplicated
         ......................... DC 2 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DC 2 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC 2 failed test frsevent
      Starting test: kccevent
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 05/29/2013   16:54:32
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 05/29/2013   16:54:32
            Event String: The Knowledge Consistency Checker (KCC) was
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 05/29/2013   16:54:32
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 05/29/2013   16:54:32
            Event String: The Knowledge Consistency Checker (KCC) was
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 05/29/2013   16:54:32
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 05/29/2013   16:54:32
            Event String: The Knowledge Consistency Checker (KCC) was
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 05/29/2013   16:54:32
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 05/29/2013   16:54:32
            Event String: The Knowledge Consistency Checker (KCC) was
         ......................... DC 2 failed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 05/29/2013   16:08:57
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 05/29/2013   16:13:32
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 05/29/2013   16:17:33
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 05/29/2013   16:23:11
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 05/29/2013   16:24:11
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 05/29/2013   16:47:04
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 05/29/2013   16:52:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 05/29/2013   16:52:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0002719
            Time Generated: 05/29/2013   16:52:47
            (Event String could not be retrieved)
         ......................... DC 2 failed test systemlog
      Starting test: VerifyReferences
         ......................... DC 2 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : tsb
      Starting test: CrossRefValidation
         ......................... tsb passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... tsb passed test CheckSDRefDom

   Running enterprise tests on : tsb.local
      Starting test: Intersite
         ......................... tsb.local passed test Intersite
      Starting test: FsmoCheck
         ......................... tsb.local passed test FsmoCheck
compunet1 Asked:
Mike Kline Commented:
OK, that -2146893022 is what I was looking for. Check this TechNet article

http://support.microsoft.com/kb/2090913

DC2 is the problem box

Thanks

Mike
0
 
compunet1 (Author) Commented:
I forgot to add,

I cannot find any issues with network connectivity. PortQueryUI not seeing any issues. I can ping and resolve all servers from one another.

Results from dcdiag /test:dns

C:\Program Files\Support Tools>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Site 1\DC 2
      Starting test: Connectivity
         ......................... DC 2 passed test Connectivity

Doing primary tests

   Testing server: Site 1\DC 2

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : tsb

   Running enterprise tests on : tsb.local
      Starting test: DNS
         Test results for domain controllers:

            DC: DC 2.tsb.local
            Domain: tsb.local


               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
tsb.local.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: tsb.local
               DC 2                     PASS PASS PASS PASS WARN PASS n/a

         ......................... tsb.local passed test DNS
0
 
Mike Kline Commented:
Can you run repadmin /showreps on DC1 or DC2?
0
 
compunet1 (Author) Commented:
This is repadmin from DC 2:

C:\Program Files\Support Tools>repadmin /showreps
Site 1\DC 2
DC Options: (none)
Site Options: (none)
DC object GUID: 1d315cbc-311c-4ee7-8a10-b240f804d453
DC invocationID: 8ff7c14c-b201-4dab-aadd-1ec591330e9f

==== INBOUND NEIGHBORS ======================================

DC=tsb,DC=local
    Site 2\DC 3 via RPC
        DC object GUID: 643b2081-1dd9-4290-b9e7-7dac00d81b13
        Last attempt @ 2013-05-29 17:02:04 was successful.
    Site 1\DC 1 via RPC
        DC object GUID: c2e3a820-65e6-45e3-a066-73c83f34209f
        Last attempt @ 2013-05-29 17:07:50 failed, result -2146893022 (0x8009032
2):
            The target principal name is incorrect.
        12422 consecutive failure(s).
        Last success @ 2013-04-24 12:21:01.

CN=Configuration,DC=tsb,DC=local
    Site 2\DC 3 via RPC
        DC object GUID: 643b2081-1dd9-4290-b9e7-7dac00d81b13
        Last attempt @ 2013-05-29 17:02:06 was successful.
    Site 1\DC 1 via RPC
        DC object GUID: c2e3a820-65e6-45e3-a066-73c83f34209f
        Last attempt @ 2013-05-29 17:09:38 failed, result -2146893022 (0x8009032
2):
            The target principal name is incorrect.
        3169 consecutive failure(s).
        Last success @ 2013-04-24 12:04:25.

CN=Schema,CN=Configuration,DC=tsb,DC=local
    Site 1\DC 1 via RPC
        DC object GUID: c2e3a820-65e6-45e3-a066-73c83f34209f
        Last attempt @ 2013-05-29 17:02:05 failed, result -2146893022 (0x8009032
2):
            The target principal name is incorrect.
        889 consecutive failure(s).
        Last success @ 2013-04-24 11:48:55.
    Site 2\DC 3 via RPC
        DC object GUID: 643b2081-1dd9-4290-b9e7-7dac00d81b13
        Last attempt @ 2013-05-29 17:02:06 was successful.

DC=DomainDnsZones,DC=tsb,DC=local
    Site 1\DC 1 via RPC
        DC object GUID: c2e3a820-65e6-45e3-a066-73c83f34209f
        Last attempt @ 2013-05-29 17:02:05 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
        889 consecutive failure(s).
        Last success @ 2013-04-24 11:48:55.
    Site 2\DC 3 via RPC
        DC object GUID: 643b2081-1dd9-4290-b9e7-7dac00d81b13
        Last attempt @ 2013-05-29 17:02:06 was successful.

DC=ForestDnsZones,DC=tsb,DC=local
    Site 1\DC 1 via RPC
        DC object GUID: c2e3a820-65e6-45e3-a066-73c83f34209f
        Last attempt @ 2013-05-29 17:02:05 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
        889 consecutive failure(s).
        Last success @ 2013-04-24 11:48:55.
    Site 2\DC 3 via RPC
        DC object GUID: 643b2081-1dd9-4290-b9e7-7dac00d81b13
        Last attempt @ 2013-05-29 17:02:06 was successful.

Source: Site 1\DC 1
******* 3360 CONSECUTIVE FAILURES since 2013-04-24 14:01:54
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.
0
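Added example, not part of any poster's comment: a small Python parser for `repadmin /showreps` output like the DC 2 listing above, which rejoins the 80-column console wraps and returns only the failing inbound links with the status normalised to hex. The sample text is constructed by shortening that listing; the function names and the unwrap rule (an unindented line directly after an indented one is a continuation) are assumptions of this example.

```python
import re

# Constructed sample: shortened from the DC 2 output, console wraps kept.
SAMPLE = r"""==== INBOUND NEIGHBORS ======================================

DC=tsb,DC=local
    Site 2\DC 3 via RPC
        Last attempt @ 2013-05-29 17:02:04 was successful.
    Site 1\DC 1 via RPC
        Last attempt @ 2013-05-29 17:07:50 failed, result -2146893022 (0x8009032
2):
            The target principal name is incorrect.
        12422 consecutive failure(s).
        Last success @ 2013-04-24 12:21:01.

DC=DomainDnsZones,DC=tsb,DC=local
    Site 1\DC 1 via RPC
        Last attempt @ 2013-05-29 17:02:05 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
        889 consecutive failure(s).
        Last success @ 2013-04-24 11:48:55.
"""

NC = re.compile(r"^(?:DC|CN)=\S+\s*$")            # naming context header
SRC = re.compile(r"^\s+(\S.*?) via RPC\s*$")       # inbound neighbor
FAIL = re.compile(r"failed, result (-?\d+) \(0x[0-9a-fA-F]+\):")
COUNT = re.compile(r"^\s+(\d+) consecutive failure")
SINCE = re.compile(r"^\s+Last success @ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def unwrap(text):
    """Rejoin lines the console split: an unindented line that directly
    follows an indented one is treated as its continuation (assumption)."""
    out = []
    for line in text.splitlines():
        if out and line and not line[0].isspace() and out[-1][:1].isspace():
            out[-1] += line
        else:
            out.append(line)
    return out

def failing_links(text):
    """Return one dict per inbound neighbor whose last attempt failed."""
    links, nc, cur = [], None, None
    for line in unwrap(text):
        if NC.match(line):
            nc, cur = line.strip(), None
        elif m := SRC.match(line):
            cur = {"nc": nc, "source": m.group(1)}
        elif cur is not None and (m := FAIL.search(line)):
            code = int(m.group(1))
            # repadmin prints HRESULTs as signed decimals; show 32-bit hex
            cur.update(code=code, hex="0x%08x" % (code & 0xFFFFFFFF))
            links.append(cur)
        elif cur is not None and (m := COUNT.match(line)):
            cur["failures"] = int(m.group(1))
        elif cur is not None and (m := SINCE.match(line)):
            cur["last_success"] = m.group(1)
    return links
```

Run against both DCs' output, an empty result on one side and a list on the other makes the one-way failure seen in this thread obvious at a glance.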
 
compunet1 (Author) Commented:
repadmin from DC 1:

C:\Program Files\Windows Resource Kits\Tools>repadmin /showreps
Site 1\DC 1
DC Options: IS_GC
Site Options: (none)
DC object GUID: c2e3a820-65e6-45e3-a066-73c83f34209f
DC invocationID: 7b9d6bae-8fe9-4f49-a6a0-de41c4c3f396

==== INBOUND NEIGHBORS ======================================

DC=tsb,DC=local
    Site 1\DC 2 via RPC
        DC object GUID: 1d315cbc-311c-4ee7-8a10-b240f804d453
        Last attempt @ 2013-05-29 16:54:23 was successful.
    Site 2\DC 3 via RPC
        DC object GUID: 643b2081-1dd9-4290-b9e7-7dac00d81b13
        Last attempt @ 2013-05-29 17:09:22 was successful.

CN=Configuration,DC=tsb,DC=local
    Site 1\DC 2 via RPC
        DC object GUID: 1d315cbc-311c-4ee7-8a10-b240f804d453
        Last attempt @ 2013-05-29 16:54:23 was successful.
    Site 2\DC 3 via RPC
        DC object GUID: 643b2081-1dd9-4290-b9e7-7dac00d81b13
        Last attempt @ 2013-05-29 17:09:22 was successful.

CN=Schema,CN=Configuration,DC=tsb,DC=local
    Site 1\DC 2 via RPC
        DC object GUID: 1d315cbc-311c-4ee7-8a10-b240f804d453
        Last attempt @ 2013-05-29 16:54:23 was successful.
    Site 2\DC 3 via RPC
        DC object GUID: 643b2081-1dd9-4290-b9e7-7dac00d81b13
        Last attempt @ 2013-05-29 17:09:22 was successful.

DC=DomainDnsZones,DC=tsb,DC=local
    Site 1\DC 2 via RPC
        DC object GUID: 1d315cbc-311c-4ee7-8a10-b240f804d453
        Last attempt @ 2013-05-29 16:54:23 was successful.
    Site 2\DC 3 via RPC
        DC object GUID: 643b2081-1dd9-4290-b9e7-7dac00d81b13
        Last attempt @ 2013-05-29 17:09:23 was successful.

DC=ForestDnsZones,DC=tsb,DC=local
    Site 1\DC 2 via RPC
        DC object GUID: 1d315cbc-311c-4ee7-8a10-b240f804d453
        Last attempt @ 2013-05-29 16:54:23 was successful.
    Site 2\DC 3 via RPC
        DC object GUID: 643b2081-1dd9-4290-b9e7-7dac00d81b13
        Last attempt @ 2013-05-29 17:09:23 was successful.
0
 
ZenVenky (Architect) Commented:
Agree with Mike. In addition to his update, I would suggest you check the Secure Channel between DC1 to DC2 and DC2 to DC1. I doubt there is a SC broken issue between DCs. Use NLTest to check the same.

NLTest

http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx
0
 
Premkumar Yogeswaran (Analyst II - System Administrator) Commented:
Hi,

Are you able to resolve DC1 via nslookup on DC2?

I hope the record seems to be incorrect.

If yes, log in to DC1, configure DC2 as primary DC.
Type the command
ipconfig /registerdns

Then the address will be registered in DC2.

Check the nslookup output of DC1 in DC2.
If it resolves, the issue would be fixed in some time.

Regards,
Prem
0
 
compunet1 (Author) Commented:
Prem,

Issue is not due to name resolution unfortunately. I wish it were that easy. I am currently going through steps listed in the link that Mike provided. Will update as soon as I am done.
0
 
compunet1 (Author) Commented:
This actually was a broken channel issue of sorts. I also wast having Kerberos event ID 4 in event logs.

What eventually fixed the issue was launching kerbtray.exe on both machines and stopping the KDC with the command net stop kdc and then purging the tickets. I didn't have to change the computer account password as noted here:

http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/

Everything is successful when I run repadmin /showreps and repadmin /syncall.
0