JamesAnctil
asked on
Virtualized Backup of DC and now Server is in USN rollback..
A Storagecraft backup image was used to virtualize the server.
After this was done the server showed the symptoms of USN rollback mode, netlogon paused, etc.
I still have the physical server that the image was taken from... what would be the correct way to virtualize the dc?
ASKER
I'm thinking the easiest way to get back to normal would be to turn the physical DC back on (shut down its virtual counterpart), then take a Windows backup including a system state backup; create a new VM and use the Windows backup to virtualize...
Thoughts?
ASKER
OK after some more research this is what I plan to do.
(situation: primary DC gone, have active backup DC ready to take over)
Backup DC already has DNS/DHCP roles
1. Seize FSMO roles and put them on the backup DC.
..that's it...what else?
ASKER
Just found a TechNet article that says if I use dcpromo to demote the failed DC, it will (ask?) transfer the FSMO roles to another DC on the network.
Can someone confirm/deny this.
That would seem to be the easiest way to "Promote" a backup dc to the primary DC.
"The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:
•An administrator reassigns the role by using a GUI administrative tool.
•An administrator reassigns the role by using the ntdsutil /roles command.
•An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator."
ASKER
thank you for the response, I did come across this though..
Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.
The DC I am turning into the Primary DC is a GC. Should I not seize that role?
ASKER
Another question before I perform this,
currently nothing is being replicated from the primary DC,
ex: user names
ex: group policy won't update.
Once I seize the roles, essentially making my backup DC my primary, will this start to work again?
ASKER
Question
I cleaned up the metadata on the new primary DC,
do I have to do the same to the dc that is offsite?
If the offsite DC is not replicating and is in USN, then you need to demote the server, followed by metadata cleanup, and promote the server back as a DC. Assuming that there is another online DC which is working well.
ASKER
offsite dc is not in usn, just a dc offsite
ASKER
gc dns dhcp as well for that location
Are you facing any replication issue with the offsite DC? Currently, how many DCs do you have in the network? Run dcdiag /q and repadmin to verify the health.
ASKER
hmmm changes not replicating to offsite dc....
ASKER
potentially this offsite DC does not need to be a DC at all...
sites are connected via mpls w/ backup vpn..
I'm thinking demote the offsite DC, keep DHCP and DNS.
Thoughts?
(server used as a fileserver for that site)
How many DCs do you have in the environment currently?
Number of users and machines at the offsite location?
ASKER
virtual environment @ main location
-1 DC (can create a backup dc)
-50 users
Offsite - connected via MPLS /backup VPN
-1 DC
-15 users
---
(converging offices into one new building within a year/ plan was to virtualize the offsite server then)
If you have a single DC then plan to have a second DC for redundancy. Assuming currently you have 1 DC in main and 1 DC in offsite. If you remove the DC then you will be left with one DC only.
ASKER
yes, not worried about that as I am currently building another virtual dc...
only now worried about the AD not replicating, it's breaking other applications..
ASKER
Do I have to do metadata cleanup on the offsite DC as well? Or was that supposed to replicate automatically from the other DC?
Can you post the dcdiag /q and repadmin /replsum to verify the health of both DCs (Main & office)?
ASKER
New Primary DC
Dcdiag /q
PS C:\Users\techadmin2> dcdiag /q
A warning event occurred. EventID: 0x8000061E
Time Generated: 07/24/2013 17:02:12
Event String:
All directory servers in the following site that can replicate the directory partition over this transport a
re currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 07/24/2013 17:02:12
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x8000061E
Time Generated: 07/24/2013 17:02:12
Event String:
All directory servers in the following site that can replicate the directory partition over this transport a
re currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 07/24/2013 17:02:12
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x8000061E
Time Generated: 07/24/2013 17:02:12
Event String:
All directory servers in the following site that can replicate the directory partition over this transport a
re currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 07/24/2013 17:02:12
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x8000061E
Time Generated: 07/24/2013 17:02:12
Event String:
All directory servers in the following site that can replicate the directory partition over this transport a
re currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 07/24/2013 17:02:12
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
......................... DC2 failed test KccEvent
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=ALLONE,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=ALLONE,DC=local
......................... DC2 failed test NCSecDesc
[DC2] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... DC2 failed test NetLogons
[Replications Check,DC2] A recent replication attempt failed:
From SALES-SERVER to DC2
Naming Context: DC=DomainDnsZones,DC=ALLONE,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2013-07-24 16:57:12.
The last success occurred at 2013-07-24 11:38:04.
23 failures have occurred since the last success.
[Replications Check,DC2] A recent replication attempt failed:
From SALES-SERVER to DC2
Naming Context: DC=ForestDnsZones,DC=ALLONE,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2013-07-24 16:57:12.
The last success occurred at 2013-07-24 11:38:04.
23 failures have occurred since the last success.
[Replications Check,DC2] A recent replication attempt failed:
From SALES-SERVER to DC2
Naming Context: CN=Schema,CN=Configuration,DC=ALLONE,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2013-07-24 16:57:12.
The last success occurred at 2013-07-24 11:38:03.
24 failures have occurred since the last success.
[Replications Check,DC2] A recent replication attempt failed:
From SALES-SERVER to DC2
Naming Context: CN=Configuration,DC=ALLONE,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2013-07-24 16:57:12.
The last success occurred at 2013-07-24 11:38:03.
24 failures have occurred since the last success.
[Replications Check,DC2] A recent replication attempt failed:
From SALES-SERVER to DC2
Naming Context: DC=ALLONE,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2013-07-24 16:57:12.
The last success occurred at 2013-07-24 11:38:03.
24 failures have occurred since the last success.
......................... DC2 failed test Replications
Could not open NTDS Service on DC2, error 0x5 "Access is denied."
......................... DC2 failed test Services
An error event occurred. EventID: 0x40000004
Time Generated: 07/24/2013 16:10:36
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/sales-server.allone.local. The
target name used was cifs/SALES-SERVER.ALLONE.local. This indicates that the target server failed to decrypt the ticket
provided by the client. This can occur when the target server principal name (SPN) is registered on an account other th
an the account the target service is using. Please ensure that the target SPN is registered on, and only registered on,
the account used by the server. This error can also happen when the target service is using a different password for the
target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please
ensure that the service on the server and the KDC are both updated to use the current password. If the server name is no
t fully qualified, and the target domain (ALLONE.LOCAL) is different from the client domain (ALLONE.LOCAL), check if the
re are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 07/24/2013 16:12:12
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/sales-server.allone.local. The
target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/01100e28-6589-4040-8504-0e556c129e8f/ALLONE.local@ALLONE.loca
l. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the ta
rget server principal name (SPN) is registered on an account other than the account the target service is using. Please
ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also
happen when the target service is using a different password for the target service account than what the Kerberos Key
Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC a
re both updated to use the current password. If the server name is not fully qualified, and the target domain (ALLONE.LO
CAL) is different from the client domain (ALLONE.LOCAL), check if there are identically named server accounts in these t
wo domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 07/24/2013 16:15:14
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/sales-server.allone.local. The
target name used was ALLONE\SALES-SERVER$. This indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name (SPN) is registered on an account other than the acc
ount the target service is using. Please ensure that the target SPN is registered on, and only registered on, the accoun
t used by the server. This error can also happen when the target service is using a different password for the target se
rvice account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure tha
t the service on the server and the KDC are both updated to use the current password. If the server name is not fully qu
alified, and the target domain (ALLONE.LOCAL) is different from the client domain (ALLONE.LOCAL), check if there are ide
ntically named server accounts in these two domains, or use the fully-qualified name to identify the server.
......................... DC2 failed test SystemLog
Repadmin /replsum
PS C:\Users\techadmin2> repadmin /relsum
Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password|*}]
[/retry[:<retries>][:<delay>]]
[/csv]
Use these commands to see the help:
/? Displays a list of commands available for use in repadmin and their
description.
/help Same as /?
/?:<cmd> Displays the list of possible arguments <args>, appropriate
syntaxes and examples for the specified command <cmd>.
/help:<cmd> Same as /?:<cmd>
/experthelp Displays a list of commands for use by advanced users only.
/listhelp Displays the variations of syntax available for the DSA_NAME,
DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp Displays a list of deprecated commands that still work but
are no longer supported by Microsoft.
Supported <cmd> commands (use /?<cmd> for detailed help):
/kcc Forces the KCC on targeted domain controller(s) to immediately
recalculate its inbound replication topology.
/prp This command allows an admin to view or modify the
password replication policy for RODCs.
/queue Displays inbound replication requests that the DC needs to issue
to become consistent with its source replication partners.
/replicate Triggers the immediate replication of the specified directory
partition to the destination domain controller from the source DC.
/replsingleobj Replicates a single object between any two domain
controllers that have common directory partitions.
/replsummary The replsummary operation quickly and concisely summarizes
the replication state and relative health of a forest.
/rodcpwdrepl Triggers replication of passwords for the specified user(s)
from the source (Hub DC) to one or more Read Only DC's.
/showattr Displays the attributes of an object.
/showobjmeta Displays the replication metadata for a specified object
stored in Active Directory, such as attribute ID, version
number, originating and local Update Sequence Number (USN), and
originating server's GUID and Date and Time stamp.
/showrepl Displays the replication status when specified domain controller
last attempted to inbound replicate Active Directory partitions.
/showutdvec displays the highest committed Update Sequence Number (USN)
that the targeted DC's copy of Active Directory shows as
committed for itself and its transitive partners.
/syncall Synchronizes a specified domain controller with all replication
partners.
Supported additional parameters:
/u: Specifies the domain and user name separated by a backslash
{domain\user} that has permissions to perform operations in
Active Directory. UPN logons not supported.
/pw: Specifies the password for the user name entered with the /u
parameter.
/retry This parameter will cause repadmin to repeat its attempt to bind
to the target dc should the first attempt fail with one of the
following error status:
1722 / 0x6ba : "The RPC Server is unavailable"
1753 / 0x6d9 : "There are no more endpoints available from the
endpoint mapper"
/csv Used with /showrepl to output results in comma separated
value format. See /csvhelp
Note: Most commands take their parameters in the order of "Destination or
Target DSA_LIST", then a "Source DSA_NAME" if required, and finally the
NC or Object DN if required.
<DSA_NAME> (or <DSA_LIST>) is a Directory Service Agent binding
string. For Active Directory Domain Services, this is simply a network
label (such as a DNS, NetBios, or IP address) of a Domain Controller.
For Active Directory Lightweight Directory Services, this must be a
network label of the AD LDS server followed by a colon and the LDAP
port of the AD LDS instance
Examples (AD DS): dc-01
dc-01.microsoft.com
Examples (AD LDS): ad-am-01:2000
ad-am-01.microsoft.com:2000
<Naming Context> is the Distinguished Name of the root of the NC
Example: DC=My-Domain,DC=Microsoft,DC=Com
Note: Text (Naming Context names, server names, etc) with International or
Unicode characters will only display correctly if appropriate fonts and
language support are loaded.
PS C:\Users\techadmin2> min to view or
ASKER
sorry replsum here
Beginning data collection for replication summary, this may take awhile:
.....
Source DSA largest delta fails/total %% error
SALES-SERVER 05h:37m:59s 5 / 5 100 (2148074274) The target principal name is incorrect.
Destination DSA largest delta fails/total %% error
DC2 05h:37m:59s 5 / 5 100 (2148074274) The target principal name is incorrect.
Experienced the following operational errors trying to retrieve replication information:
8341 - SALES-SERVER.ALLONE.local
ASKER
dcdiag on the offsite server
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\techadmin2>dcdiag /q
The host 01100e28-6589-4040-8504-0e556c129e8f._msdcs.ALLONE.local could
not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(01100e28-6589-4040-8504-0e556c129e8f._msdcs.ALLONE.local) couldn't be
resolved, the server name (SALES-SERVER.ALLONE.local) resolved to the
IP address (10.10.0.2) and was pingable. Check that the IP address is
registered correctly with the DNS server.
......................... SALES-SERVER failed test Connectivity
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
......................... ALLONE.local failed test FsmoCheck
C:\Documents and Settings\techadmin2>
looks like the dns got Haxed somehow...
ASKER CERTIFIED SOLUTION
ASKER
C:\Documents and Settings\techadmin2>netdom /resetpwd /server:sales-server /userd:xxxx.local\xxxxx /passwordd:xxxxxx
The machine account password for the local machine could not be reset.
Logon failure: unknown user name or bad password.
The command failed to complete successfully.
C:\Documents and Settings\techadmin2>repadmin /syncall
CALLBACK MESSAGE: Error contacting server 01100e28-6589-4040-8504-0e556c129e8f._msdcs.ALLONE.local (network error): -2146893022 (0x80090322):
The target principal name is incorrect.
SyncAll exited with fatal Win32 error: 8440 (0x20f8):
The naming context specified for this replication operation is invalid.
C:\Documents and Settings\xxxxxx>
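The status 2148074274 in the repadmin /replsum output and the -2146893022 (0x80090322) in the repadmin /syncall output above are the same 32-bit value printed unsigned and signed. The following Python parser is an added example, not part of the original thread: it reads replsum text, normalizes each status to hex and lists the DSAs whose links all failed. The function names are illustrative and the sample text is copied from the posts above.

```python
import re

# Sample copied from the repadmin /replsum post above.
REPLSUM = """\
Source DSA largest delta fails/total %% error
SALES-SERVER 05h:37m:59s 5 / 5 100 (2148074274) The target principal name is incorrect.
Destination DSA largest delta fails/total %% error
DC2 05h:37m:59s 5 / 5 100 (2148074274) The target principal name is incorrect.
Experienced the following operational errors trying to retrieve replication information:
8341 - SALES-SERVER.ALLONE.local
"""

# DSA, delta, fails / total, percent, then an optional "(status) message" tail.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)(?:\s+\((\d+)\)\s+(.*))?$")
OPERR = re.compile(r"^(\d+)\s+-\s+(\S+)$")


def to_hresult(code):
    """Unsigned 32-bit hex for a status printed as signed or unsigned decimal."""
    return "0x%08x" % (int(code) & 0xFFFFFFFF)


def parse_replsum(text):
    """Return (rows, operational_errors) parsed from repadmin /replsum text."""
    rows, op_errors, role = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(("Source DSA", "Destination DSA")):
            role = line.split()[0].lower()  # "source" or "destination"
        elif role and (m := ROW.match(line)):
            dsa, delta, fails, total, _pct, code, msg = m.groups()
            rows.append({"role": role, "dsa": dsa, "delta": delta,
                         "fails": int(fails), "total": int(total),
                         "status": to_hresult(code) if code else None,
                         "message": msg})
        elif (m := OPERR.match(line)):
            op_errors.append((int(m.group(1)), m.group(2)))
    return rows, op_errors


def fully_failing(rows):
    """Rows where every replication link in the summary failed."""
    return [r for r in rows if r["total"] and r["fails"] == r["total"]]


if __name__ == "__main__":
    rows, op_errors = parse_replsum(REPLSUM)
    for r in fully_failing(rows):
        print(r["role"], r["dsa"], r["status"], r["message"])
    print(to_hresult(-2146893022))  # the signed form printed by /syncall
    print(op_errors)
```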
ASKER
Awesome, it was the secure channel, I was using the command wrong.
Everything is working now Thanks to all !!
ASKER
Again Experts-Exchange saves the day!
ASKER
If I can I would like to promote it to the primary dc and just scrap the old primary dc...