DC Replication Issue

Question from joe_edmond:

We are adding another branch to our main office that is on the other side of the city. We have a site-to-site VPN configured with two Cisco ASA 5505s. The main site has a Server 2003 Domain Controller and the new site has a Server 2012 that we just made a Domain Controller. We raised the forest functional level to the appropriate level and successfully added the 2012 server as another Domain Controller.

I went into AD Sites and Services and configured two sites, Site-Main and Site-Remote. I entered the appropriate subnets. I am able to ping their internal IPs successfully.

The problem I am having is they seem to not be able to replicate. I tried to manually replicate and I get the following message:

"The following error occurred during an attempt to synchronize naming context domain.local from domain controller server 2 to domain controller server 1: The naming context is in the process of being removed or is not replicated from the specified server.

This operation will not continue."

I've tried dcdiag /fix as well as repadmin /syncall. Below are the dcdiag results:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SERVER2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: domain-Remote\SERVER2
      Starting test: Connectivity
         ......................... SERVER2 passed test Connectivity

Doing primary tests

   Testing server: domain-Remote\SERVER2
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\SERVER1.domain.local,
         when we were trying to reach SERVER2.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... SERVER2 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SERVER2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SERVER2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SERVER2 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SERVER2\netlogon)
         [SERVER2] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... SERVER2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SERVER2 passed test Replications
      Starting test: RidManager
         ......................... SERVER2 passed test RidManager
      Starting test: Services
         ......................... SERVER2 passed test Services
      Starting test: SystemLog
         ......................... SERVER2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER2 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1355
         A Good Time Server could not be located.
         ......................... domain.local failed test LocatorCheck
      Starting test: Intersite
         ......................... domain.local passed test Intersite
SOLUTION by Will Szymkowski (member-only; text not available on this page)
joe_edmond (asker):
I created another site, so there's the default site and another site.

Then I associated new subnets with the sites

Then I went into the DefaultIPSiteLink and noticed that the Sites were already configured, and I closed out.

Summary of repadmin /replsum:

Replication Summary Start Time: 2013-10-04 14:52:16

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 SERVER1                   09m:31s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 SERVER2                   09m:31s    0 /   5    0


Results of Showrepl:

Repadmin: running command /showrepl against full DC localhost
Domain-Remote\SERVER2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: fa715963-9248-452b-9e5a-ac72c3e54d8f
DSA invocationID: b4487471-1014-4847-aa4e-afd49d837454

==== INBOUND NEIGHBORS ======================================

DC=Domain,DC=local
    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

CN=Configuration,DC=Domain,DC=local
    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

CN=Schema,CN=Configuration,DC=Domain,DC=local
    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

DC=ForestDnsZones,DC=Domain,DC=local
    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.

DC=DomainDnsZones,DC=Domain,DC=local
    Domain-Main\SERVER1 via RPC
        DSA object GUID: ee645915-2dfb-445c-8d42-41ce4ba0d548
        Last attempt @ 2013-10-04 14:42:45 was successful.


Results from bridgeheads:

Repadmin: running command /bridgeheads against full DC localhost
Gathering topology from site Domain-Remote (SERVER2.Domain.local):

Bridgeheads for site Domain-Remote (SERVER2.Domain.local):
             Source Site    Local Bridge  Trns         Fail. Time    #    Status
         ===============  ==============  ====  =================   ===  ========
                Domain-Main         SERVER2    IP             (never)   0   The operation completed successfully.
                 DomainDnsZones ForestDnsZones Domain Configuration

Bridgeheads for site Domain-Main (SERVER1.Domain.local):
             Source Site    Local Bridge  Trns         Fail. Time    #    Status
         ===============  ==============  ====  =================   ===  ========
              Domain-Remote         SERVER1    IP 2013-10-03 18:12:24  83   The DSA operation is unable to proceed because of a DNS lookup failure.
                 Configuration Domain
All of these commands were done on Server 2, the new server at the branch office.

From a replication standpoint it looks fine. Can you run the same commands on the DC in the main office? Also check the event logs on both DCs to ensure there are no warnings/errors.

What about "the operation was unable to proceed because of a DNS lookup failure"? I'd like to be able to manually replicate, but the errors still persist.

Here is what I found in the event viewer of Server 1, the main office:

DNS Event Log

The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Directory Service Error Event ID 1311

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
 
Directory partition:
CN=Configuration,DC=Domain,DC=local
 
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
 
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
 
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
Also to note, I created an Active Directory Integrated, Reverse Lookup Zone on Server 2 and it is NOT replicated onto Server 1.

-I really do appreciate all of the help
Is the DC at the remote site part of the name servers for your internal domain? Also, what is the DC using for DNS? Is it pointing to itself or to the DC at the main site?
Server 1 - Main Site DC  (Site A)

Server 2 - Remote Site DC  (Site B)


Server 1 is part of the name servers for my internal domain. It's the primary DNS Server for Site A.

Server 2 is part of the name servers for my internal domain. It's the primary DNS Server for Site B

Server 2 has Server 1 as the primary DNS & Itself as backup. Server 1 has Server 2 as primary DNS and itself as backup.

I fixed the DNS lookup error I was getting in the bridgehead repadmin command by adding the DNS settings like I have just typed. So no more replication errors.

I am however getting the same errors on my dcdiag...
DCs should be pointing to themselves. What errors are you getting in dcdiag?
I have also noticed some event logs in the Directory Service log. All other logs are clear... I've attached the file for review.
EventLog.txt
DCDiag results are in my original post.
ASKER CERTIFIED SOLUTION (member-only; text not available on this page)
Here are the results I got from Server 3 (Remote Site). You are correct that there are no SYSVOL or NETLOGON shares
server3-repadmin.txt
server3-ipconfig.txt
server3-portqry.txt
server3-dcdiag.txt
I'm confused, why would I need to do restores? It looks like maybe the site topology is having issues connecting to the other side?

After seeing the results is a restore from Both sides still necessary?
From the above you have set the loopback IP address as primary. If the loopback IP address (127.0.0.1) is configured as the primary DNS setting then remove it and add the IP address of the server. If it is set as the alternate DNS setting then there are no problems. See this: http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx

As mentioned earlier there is sysvol replication. Have you verified the netlogon share and sysvol content? If the policies and scripts folders are missing you need to perform an authoritative and non-authoritative restore of sysvol. On the healthy DC it should be D4 and on the faulty DC it should be D2. http://support.microsoft.com/kb/290762/
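The DNS client rules traded in the posts above (each DC points to itself, 127.0.0.1 is acceptable only as the alternate entry, and the other DC is also listed) can be checked in one pass rather than by reading each adapter by hand. The PowerShell below is an added example, not code from this thread or from Microsoft. The server names and 10.0.x.x addresses are constructed to mirror the two configurations the asker described, and Test-DcDnsClientConfig / Get-DcDnsClientConfig are names chosen here; the live collector assumes the ActiveDirectory module, WinRM, and PowerShell 3 or later on the target DCs.

```powershell
# Added example (not from the thread): audit the DNS client configuration of
# every DC against the rules discussed above:
#   1. a DC lists itself (its real address or 127.0.0.1)
#   2. 127.0.0.1 / ::1 is never the FIRST (primary) entry
#   3. a DC also lists at least one OTHER DC, so name resolution survives
#      while its own DNS service is still starting
function Test-DcDnsClientConfig {
    param(
        # objects with Name, IPAddress and DnsServers (ordered: primary first)
        [Parameter(Mandatory)] [object[]] $Dcs
    )
    $allDcIps = @($Dcs | ForEach-Object { $_.IPAddress })
    foreach ($dc in $Dcs) {
        $findings = @()
        $servers  = @($dc.DnsServers)
        if ($servers.Count -eq 0) {
            $findings += 'no DNS servers configured'
        }
        elseif ($servers[0] -in '127.0.0.1','::1') {
            $findings += 'loopback is the primary DNS server (should be alternate only)'
        }
        if (($servers -notcontains $dc.IPAddress) -and ($servers -notcontains '127.0.0.1')) {
            $findings += 'does not point to itself'
        }
        $otherDcs = @($allDcIps | Where-Object { $_ -ne $dc.IPAddress })
        if (-not @($servers | Where-Object { $_ -in $otherDcs }).Count) {
            $findings += 'lists no other DC as a DNS server'
        }
        $status = if ($findings.Count) { 'FAIL' } else { 'OK' }
        [pscustomobject]@{
            DC         = $dc.Name
            DnsServers = ($servers -join ', ')
            Status     = $status
            Findings   = ($findings -join '; ')
        }
    }
}

# Collect the same fields from live DCs. Get-DnsClientServerAddress exists on
# Server 2012 / PowerShell 3 and later, so a 2003 DC (as in the thread) would
# have to be entered by hand from "ipconfig /all".
function Get-DcDnsClientConfig {
    Get-ADDomainController -Filter * | ForEach-Object {
        $name = $_.HostName
        $servers = Invoke-Command -ComputerName $name -ScriptBlock {
            (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 } |
                Select-Object -First 1).ServerAddresses
        }
        [pscustomobject]@{ Name = $name; IPAddress = $_.IPv4Address; DnsServers = @($servers) }
    }
}

# Constructed sample (hypothetical addresses) reproducing the thread's two cases.
$sample = @(
    # "Server 1 has Server 2 as primary DNS and itself as backup"   -> OK
    [pscustomobject]@{ Name='SERVER1'; IPAddress='10.0.1.10'; DnsServers=@('10.0.2.10','10.0.1.10') }
    # loopback configured as primary, the case flagged in the thread -> FAIL
    [pscustomobject]@{ Name='SERVER2'; IPAddress='10.0.2.10'; DnsServers=@('127.0.0.1','10.0.1.10') }
)
Test-DcDnsClientConfig -Dcs $sample | Format-Table -AutoSize

# Against the real forest:
# Test-DcDnsClientConfig -Dcs (Get-DcDnsClientConfig) | Format-Table -AutoSize
```

Run it after any DNS change and again after the NtFrs/replication work, since a DC whose only resolver is a peer across the VPN will fail the dcdiag Advertising and LocatorCheck tests whenever that tunnel is down.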
What is D4 and D2 mean? Doesn't the SYSVOL folder just copy over if replication is successful? This is a brand new Domain Controller just implemented.

I can set the Primary DNS to it's real IP address and will do it now.
Ok, the IP's are changed.

I understand what D2 and D4 are now. My question was that this was a new DC implementation, and apparently SYSVOL and NETLOGON never got copied over when DCPromo was run from the Server 2012 console.

So wouldn't a restore not work in this situation if it never replicated to begin with?
Yes, if the sysvol data is not replicated to the new DC, running D2 on the new server will pull the sysvol data from the old server. As you have only two DCs, on the old server run D4 and on the new server, where the share and sysvol data are missing, run D2.
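The SYSVOL steps above (confirm that SYSVOL and NETLOGON are actually shared and populated, then set BurFlags to D4 on the healthy DC and D2 on the DC that never received SYSVOL, per KB 290762) can be scripted so the registry path and restart order are not typed by hand on each side. The PowerShell below is an added example, not code from this thread or from Microsoft. Test-SysvolShares and Set-FrsBurFlags are names chosen here; SERVER1 and SERVER2 are the thread's names. It assumes SYSVOL is still FRS-replicated, which a domain built on Windows Server 2003 uses unless it has been migrated to DFSR (check with dfsrmig /getglobalstate first), and that you can reach the DCs over WMI, SMB and the remote registry service.

```powershell
# Added example (not from the thread). Two helpers for the SYSVOL problem:
#   Test-SysvolShares - reports whether SYSVOL and NETLOGON are shared on each
#                       DC (the dcdiag NetLogons failure) and whether the
#                       Policies and scripts folders exist behind the share.
#   Set-FrsBurFlags   - writes the FRS BurFlags value from KB 290762
#                       (D4 = authoritative, run on the healthy source DC;
#                        D2 = non-authoritative, run on the DC missing SYSVOL)
#                       and restarts NtFrs so the flag is acted on.
function Test-SysvolShares {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    $domain = (Get-ADDomain).DNSRoot
    foreach ($dc in $ComputerName) {
        # Win32_Share answers on 2003 as well as 2012 (Get-SmbShare is 2012+)
        $shares = Get-WmiObject -Class Win32_Share -ComputerName $dc |
                  Where-Object { $_.Name -in 'SYSVOL','NETLOGON' }
        [pscustomobject]@{
            DC             = $dc
            SYSVOL         = [bool]($shares | Where-Object Name -eq 'SYSVOL')
            NETLOGON       = [bool]($shares | Where-Object Name -eq 'NETLOGON')
            PoliciesFolder = Test-Path "\\$dc\SYSVOL\$domain\Policies"
            ScriptsFolder  = Test-Path "\\$dc\SYSVOL\$domain\scripts"
        }
    }
}

function Set-FrsBurFlags {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [ValidateSet('D2', 'D4')] [string] $Mode
    )
    $value   = if ($Mode -eq 'D4') { 0xD4 } else { 0xD2 }
    $keyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    if ($PSCmdlet.ShouldProcess($ComputerName, "set BurFlags=$Mode and restart NtFrs")) {
        # Stop FRS, write the DWORD, start FRS. Remote registry via .NET so the
        # same code also reaches a 2003 DC that has no PowerShell remoting.
        Get-Service -ComputerName $ComputerName -Name NtFrs | Stop-Service -Force
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey($keyPath, $true)
        $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close(); $hklm.Close()
        Get-Service -ComputerName $ComputerName -Name NtFrs | Start-Service
    }
}

# Usage matching the thread: SERVER1 is the healthy source, SERVER2 has no SYSVOL.
Test-SysvolShares -ComputerName 'SERVER1', 'SERVER2' | Format-Table -AutoSize
# Set-FrsBurFlags -ComputerName SERVER1 -Mode D4   # first, on the good copy
# Set-FrsBurFlags -ComputerName SERVER2 -Mode D2   # then, on the DC to repopulate
```

After the D2 restart, wait for FRS event 13516 on SERVER2 (SYSVOL is shared again), then re-run Test-SysvolShares and dcdiag; the NetLogons test should pass once both shares appear. Keep the D4/D2 order: setting D2 on both DCs leaves neither willing to be the source.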
SOLUTION (member-only; text not available on this page)