Solved

New 2012 DC online to replace 2003 and getting Event ID 14550 DfsSvc error

Posted on 2013-12-05
16
2,138 Views
Last Modified: 2014-01-22
Hello,

We have a 2003 server online and we have a 2012 I just prompted to a DC that will eventually replace the 2003 server, but I want to bring them up side by side to configure.  However I am getting a event is14550 DfsSvc error but all seems to be working.  Any help would be great.  Been through several google articles and not able to figure the issue.
0
Comment
Question by:bergquistcompany
  • 10
  • 4
  • 2
16 Comments
 
LVL 30

Expert Comment

by:renazonse
ID: 39699093
This is a cross forest trust failure. Do you have any trust relationships with another forest or is this a single domain? http://technet.microsoft.com/en-us/library/ee411032(v=ws.10).aspx

If it's a single domain you may need to check for some orphaned objects in AD by running dcdiag to see if it complains about any issues.
0
 

Author Comment

by:bergquistcompany
ID: 39699211
We have an old configuration where we have an empty root domain forest and the users domain child.

Forest Root
Child Domain Controller (DC1 2003 server)

Everything works

Forest Root
Child Domain Controller (DC1 2003 server)
Child Domain Controller (DC2 2012 server) - just bringing up to eventually replace 2003 DC.
Event log showing errors on the new 2012 server.
0
 
LVL 30

Expert Comment

by:renazonse
ID: 39699227
Did you AD/Domain/Forest prep both domains? Did you run DCDiAG to see if it shows any errors?
0
 

Author Comment

by:bergquistcompany
ID: 39699453
prep has been run on both domains yes

dcdiag
Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Windows\system32>dcdiag
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = IS2288
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Chanhassen\IS2288
      Starting test: Connectivity
         ......................... IS2288 passed test Connectivity

Doing primary tests

   Testing server: Chanhassen\IS2288
      Starting test: Advertising
         ......................... IS2288 passed test Advertising
      Starting test: FrsEvent
         ......................... IS2288 passed test FrsEvent
      Starting test: DFSREvent
         ......................... IS2288 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... IS2288 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000B46
            Time Generated: 12/05/2013   13:56:27
            Event String:
            The security of this directory server can be significantly enhanced
by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest)
 LDAP binds that do not request signing (integrity verification) and LDAP simple
 binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  E
ven if no clients are using such binds, configuring the server to reject them wi
ll improve the security of this server.
         A warning event occurred.  EventID: 0x80000828
            Time Generated: 12/05/2013   13:56:57
            Event String:
            Active Directory Domain Services could not use DNS to resolve the IP
 address of the source domain controller listed below. To maintain the consisten
cy of Security groups, group policy, users and computers and their passwords, Ac
tive Directory Domain Services successfully replicated using the NetBIOS or full
y qualified computer name of the source domain controller.
         A warning event occurred.  EventID: 0x8000051C
            Time Generated: 12/05/2013   14:01:28
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that successive
 attempts to replicate with the following directory service has consistently fai
led.
         A warning event occurred.  EventID: 0x80000786
            Time Generated: 12/05/2013   14:01:28
            Event String:
            The attempt to establish a replication link to a read-only directory
 partition with the following parameters failed.
         A warning event occurred.  EventID: 0x80000786
            Time Generated: 12/05/2013   14:01:28
            Event String:
            The attempt to establish a replication link to a read-only directory
 partition with the following parameters failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 12/05/2013   14:01:28
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 12/05/2013   14:01:28
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000786
            Time Generated: 12/05/2013   14:01:28
            Event String:
            The attempt to establish a replication link to a read-only directory
 partition with the following parameters failed.
         ......................... IS2288 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         [BQDC1] DsBindWithSpnEx() failed with error -2146892976,
         The system cannot contact a domain controller to service the authentica
tion request. Please try again later..
         Warning: BQDC1 is the Schema Owner, but is not responding to DS RPC
         Bind.
         [BQDC1] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: BQDC1 is the Schema Owner, but is not responding to LDAP
         Bind.
         [BQDC2] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Warning: BQDC2 is the Domain Owner, but is not responding to DS RPC
         Bind.
         Ldap search capability attribute search failed on server BQDC2, return
         value = 81
         Warning: BQDC2 is the Domain Owner, but is not responding to LDAP
         Bind.
         ......................... IS2288 failed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... IS2288 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... IS2288 passed test NCSecDesc
      Starting test: NetLogons
         ......................... IS2288 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... IS2288 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,IS2288] A recent replication attempt failed:
            From BQDC2 to IS2288
            Naming Context:
            CN=Schema,CN=Configuration,DC=bergquistcompany,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2013-12-05 13:56:58.
            The last success occurred at 2013-12-05 07:54:28.
            12 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,IS2288] A recent replication attempt failed:
            From BQDC2 to IS2288
            Naming Context: CN=Configuration,DC=bergquistcompany,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2013-12-05 14:02:47.
            The last success occurred at 2013-12-05 07:54:28.
            20 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,IS2288] A recent replication attempt failed:
            From BQDC2 to IS2288
            Naming Context: DC=bergquistcompany,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2013-12-05 13:58:01.
            The last success occurred at 2013-12-05 07:54:28.
            67 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,IS2288] A recent replication attempt failed:
            From BQDC2 to IS2288
            Naming Context: DC=BQAsia,DC=bergquistcompany,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2013-12-05 13:56:58.
            The last success occurred at 2013-12-05 07:54:28.
            13 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,IS2288] A recent replication attempt failed:
            From BQDC2 to IS2288
            Naming Context: DC=eu,DC=bergquistcompany,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2013-12-05 13:56:58.
            The last success occurred at 2013-12-05 07:54:28.
            12 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... IS2288 failed test Replications
      Starting test: RidManager
         ......................... IS2288 passed test RidManager
      Starting test: Services
         ......................... IS2288 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 12/05/2013   13:51:56
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 12/05/2013   13:52:43
            Event String:
            The WinRM service is not listening for WS-Management requests.
         A warning event occurred.  EventID: 0x80050004
            Time Generated: 12/05/2013   13:56:08
            Event String:
            Broadcom NetXtreme Gigabit Ethernet #2: The network link is down.  C
heck to make sure the network cable is properly connected.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 12/05/2013   13:56:34
            Event String:
            Name resolution for the name _ldap._tcp.dc._msdcs.northamerica.bergq
uistcompany.com. timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x81000204
            Time Generated: 12/05/2013   13:56:45
            Event String:
            Process **\mcshield.exe pid (2880) contains signed but untrusted cod
e, but was allowed to perform a privileged operation with a McAfee driver.
         A warning event occurred.  EventID: 0x81000204
            Time Generated: 12/05/2013   13:56:46
            Event String:
            Process **\mcshield.exe pid (2880) contains signed but untrusted cod
e, but was allowed to perform a privileged operation with a McAfee driver.
         A warning event occurred.  EventID: 0x81000204
            Time Generated: 12/05/2013   13:56:46
            Event String:
            Process **\mcshield.exe pid (2880) contains signed but untrusted cod
e, but was allowed to perform a privileged operation with a McAfee driver.
         A warning event occurred.  EventID: 0x81000202
            Time Generated: 12/05/2013   13:57:14
            Event String:
            Process **\VsTskMgr.exe pid (2584) contained unsigned or corrupted c
ode and was blocked from performing a privileged operation with a McAfee driver.

         A warning event occurred.  EventID: 0x00001796
            Time Generated: 12/05/2013   13:59:12
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is pr
esently being used between clients and this server. This event occurs once per b
oot of the server on the first time a client uses NTLM with this server.
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 12/05/2013   14:03:53
            Event String:
            The session setup from computer 'IS2164' failed because the security
 database does not contain a trust account 'IS2164$' referenced by the specified
 computer.
         ......................... IS2288 failed test SystemLog
      Starting test: VerifyReferences
         ......................... IS2288 passed test VerifyReferences


   Running partition tests on : northamerica
      Starting test: CheckSDRefDom
         ......................... northamerica passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... northamerica passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running enterprise tests on : bergquistcompany.com
      Starting test: LocatorCheck
         ......................... bergquistcompany.com passed test
         LocatorCheck
      Starting test: Intersite
         ......................... bergquistcompany.com passed test Intersite

C:\Windows\system32>
0
 
LVL 30

Expert Comment

by:renazonse
ID: 39699469
Is BQDC2 online or is has it been shutdown?

[BQDC1] DsBindWithSpnEx() failed with error -2146892976,
         The system cannot contact a domain controller to service the authentica
tion request. Please try again later..
         Warning: BQDC1 is the Schema Owner, but is not responding to DS RPC
         Bind.
         [BQDC1] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: BQDC1 is the Schema Owner, but is not responding to LDAP
         Bind.
         [BQDC2] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Warning: BQDC2 is the Domain Owner, but is not responding to DS RPC
         Bind.
         Ldap search capability attribute search failed on server BQDC2, return
         value = 81
         Warning: BQDC2 is the Domain Owner, but is not responding to LDAP
         Bind.
         ......................... IS2288 failed test KnowsOfRoleHolders
      Starting test: MachineAccount


If you run NETDOM QUERY FSMO do all of the roles belong to a server that is still in production?
0
 

Author Comment

by:bergquistcompany
ID: 39699928
BQDC2 is online

BQDC1 and BQDC2 are the root domain.

CHDC1 is the 2003 in the child domain and is2288 is the 2012 server I'm troubleshooting.
From is2288 I get
Schema master               BQDC1.bergquistcompany.com
Domain naming master        BQDC2.bergquistcompany.com
PDC                         chdc1.northamerica.bergquistcompany.com
RID pool manager            chdc1.northamerica.bergquistcompany.com
Infrastructure master       chdc1.northamerica.bergquistcompany.com
The command completed successfully.

From BQDC2 if I run DCDIAG I get
Doing primary tests

   Testing server: Chanhassen\BQDC2
      Starting test: Advertising
         ......................... BQDC2 passed test Advertising
      Starting test: FrsEvent
         ......................... BQDC2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... BQDC2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... BQDC2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... BQDC2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... BQDC2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... BQDC2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... BQDC2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... BQDC2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... BQDC2 passed test ObjectsReplicated
      Starting test: Replications
         [IS2288] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... BQDC2 failed test Replications
      Starting test: RidManager
         ......................... BQDC2 passed test RidManager
      Starting test: Services
         ......................... BQDC2 passed test Services
      Starting test: SystemLog
         ......................... BQDC2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... BQDC2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidatio

   Running partition tests on : bergquistcompany
      Starting test: CheckSDRefDom
         ......................... bergquistcompany passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... bergquistcompany passed test
         CrossRefValidation

   Running enterprise tests on : bergquistcompany.com
      Starting test: LocatorCheck
         ......................... bergquistcompany.com passed test
         LocatorCheck
      Starting test: Intersite
         ......................... bergquistcompany.com passed test Intersite

C:\Windows\system32>
0
 

Author Comment

by:bergquistcompany
ID: 39699989
also on is2288 I am getting in event viewer on DNS Server event id 4015 DNS-Server-Service
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39700207
You are getting the error "The RPC server is unavailable" relates to port being blocked or network connectivity issue or due to dns misconfig.I would suggest contact network/security team to verify whether all the related AD ports being configured and allowed on the firewall for communication. Portquery is free tool from the MS which can be downloaded and installed to verify the necessary ports are opened or not.

DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Also, disable local windows firewall service, by default it is enabled in vista/windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software with many of them sporting a new feature called "network traffic protection," which can efffectively block necessary AD traffic

Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario.
http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:bergquistcompany
ID: 39701004
Ok now I have it down to one error:
1908 could not find the domain controller for this domain?
Destination DSA     largest delta    fails/total %%   error
 ALVIN                     47m:53s    0 /  12    0
 ASDC1                     16m:43s    0 /  16    0
 BFDC1                     09m:35s    0 /   8    0
 BQDC1                     11m:14s    0 /  22    0
 BQDC2                     17m:00s    0 /  22    0
 BQROOT                    18m:52s    0 /  32    0
 BRDC1                     39m:09s    0 /  14    0
 BRICKROCK                 39m:39s    0 /  22    0
 CFDC1             01d.19h:40m:44s    0 /  14  0
 CHDC1             10d.13h:12m:53s   12 /  62   19  (1908) Could not find the do
main controller for this domain.
 CHEF                      50m:28s    0 /  14    0
 EUDC1                     07m:03s    0 /   6    0
 KYLE                      38m:50s    0 /   6    0
 PDC2                      14m:31s    0 /   8    0

C:\Windows\system32>
0
 

Author Comment

by:bergquistcompany
ID: 39701136
on CHDC1 I get event ID 1925 and it says:
Source domain controller address:
04a482b6-a285-4268-936a-893180b61841._msdcs.bergquistcompany.com
Intersite transport (if any):

but I don't have a domain controller with this name?
0
 
LVL 30

Expert Comment

by:renazonse
ID: 39701225
Read through this article and check for the records in DNS to see if there's an old orphaned DC - http://support.microsoft.com/kb/555846
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39702692
If the name of the DC is present in AD which is not in network then it seems that faulty DC instances are still present you neeed to run metadata cleanup to remove the instances of faulty DC.http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 

Author Comment

by:bergquistcompany
ID: 39719238
Ran that will see what happens
0
 

Author Comment

by:bergquistcompany
ID: 39728276
ran metadata cleanup and replication seems to be working but still getting events:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data every hour.

Replsummary and showrepl pass

Dcdiag:   Starting test: KccEvent
     ......................... BRDC1 passed test KccEvent
  Starting test: KnowsOfRoleHolders
     [BQDC2] DsBindWithSpnEx() failed with error 1722,
     The RPC server is unavailable..
     Warning: BQDC2 is the Schema Owner, but is not responding to DS RPC
     Bind.
     Ldap search capability attribute search failed on server BQDC2, return
     value = 81
     Warning: BQDC2 is the Schema Owner, but is not responding to LDAP

We have a DC at each site so 5 in the child domain and only this one getting the error.
0
 

Accepted Solution

by:
bergquistcompany earned 0 total points
ID: 39766023
ok putting in a call to Microsoft
0
 

Author Closing Comment

by:bergquistcompany
ID: 39799467
called Microsoft
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Every now and then, Microsoft does something that totally impresses me. It doesn't happen often, but in this case I must say I am thoroughly impressed with Windows Server Backup. One of the long time issues with Windows Backup has been the ability t…
I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now