Solved

Domain Controller replication issues

Posted on 2013-12-13
13
589 Views
Last Modified: 2014-02-08
Hi Guys,

Have an issue with domain replication and DNS.

I have 2 DC's. DC1 and DC2.

On DC1;

Hold FSMO roles

Opening DNS gives me, "Access Denied"

Event Log error;
ID 2092 - ActiveDirectory_DomainService
ID 1202 - ADWS
ID 1055 - GroupPolicy
On DC2;

in AD sites and services when i right click on NTDS Settings on either DC1 or DC2 i have DNS Alias as something random : A439058ASD0F98W4095ASD09.DOMAIN.INTERNAL. not sure if thats right or not.

in AD users and computers when i right click on domain and Operations Masters, the RID and PDC and Infrastructure Operation Master says, "ERROR"

in DNS when i right click on the internal domain zone and properties then Name Servers, i edit DC1 and the IPV4 reports, "The server with this IP address is not authoritative for the required zone, BUT the IPV6 address says, OK.

Event log errors;
ID 4 - Security-Kerbros
ID 1864 - ActiveDirectory_DomainService
ID 2093 - ActiveDirectory_DomainService
ID 5773 - NETLOGON


both servers are 2008 and functional level of domain is 2008.

please help
0
Comment
Question by:Timbobaloba
  • 8
  • 3
  • 2
13 Comments
 
LVL 1

Author Comment

by:Timbobaloba
ID: 39716419
on DC1 i run repadmin /showrepl and get
DC=internal,DC=local
    Default-First-Site-Name\DC22 via RPC
        DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
        Last attempt @ 2013-12-13 22:49:34 failed, result 5 (0x5):
            Access is denied.
        106 consecutive failure(s).
        Last success @ 2013-12-09 13:59:36.
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39716420
Hi,

Does event ID 2092 state the server considers the FSMO rules invalid?
0
 
LVL 1

Author Comment

by:Timbobaloba
ID: 39716428
correct. i have;
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          13/12/2013 10:50:34 PM
Event ID:      2092
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      ccs1.internal.ccsale.catholic.edu.au
Description:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: DC=internal,DC=local
0
Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

 
LVL 19

Assisted Solution

by:Patricksr1972
Patricksr1972 earned 200 total points
ID: 39716435
Hi again,

You could try to transfer the FSMO roles to another server.
Some fixes are discussed here.
0
 
LVL 1

Author Comment

by:Timbobaloba
ID: 39716442
that makes sense. i will attempt to sieze roles from itself now and report back.
0
 
LVL 1

Author Comment

by:Timbobaloba
ID: 39716485
that seemed to complete without error but still has not fixed any of the reported issues...
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39716571
have you logged on with ID having domain admins right ?

Alias you seen in AD sites\Ntds settings are correct.
Just copy those alias for all domain controllers and check if you are able to ping them successfully.Every aliase should resolve to actual domain controller IP address, if not you can restart netlogon service on both domain controllers to correct those alias entries.

Also IPv6 need to be unchecked from network card properties of both DCs

What if you run repadmin /showrepl, can you please post output here

Mahesh
0
 
LVL 1

Author Comment

by:Timbobaloba
ID: 39716602
Yes, I am logged on as administrator (domain admin)

from DC2 (primary DNS) i can ping ntds alis of both DC1 and DC2
from DC1 i CANNOT ping DC1 alias but CAN ping DC2

IPV6 IS disabled on both DC.... wierd....

-----------------------------

RAN RELADMIN FROM DC1;

C:\Users\Administrator>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
DSA invocationID: 726b16ff-c76e-457f-877f-f4c6d5bb4755

==== INBOUND NEIGHBORS ======================================

DC=ForestDnsZones,DC=internal,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
        Last attempt @ 2013-12-13 23:50:35 failed, result 5 (0x5):
            Access is denied.
        107 consecutive failure(s).
        Last success @ 2013-12-09 13:59:36.

DC=ForestDnsZones,DC=internal,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
        Last attempt @ 2013-12-13 23:51:35 failed, result 5 (0x5):
            Access is denied.
        107 consecutive failure(s).
        Last success @ 2013-12-09 13:59:36.

DC=ForestDnsZones,DC=internal,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
        Last attempt @ 2013-12-13 23:52:35 failed, result 5 (0x5):
            Access is denied.
        107 consecutive failure(s).
        Last success @ 2013-12-09 13:59:36.

DC=ForestDnsZones,DC=internal,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
        Last attempt @ 2013-12-13 23:50:35 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
        107 consecutive failure(s).
        Last success @ 2013-12-09 13:59:36.

DC=ForestDnsZones,DC=internal,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
        Last attempt @ 2013-12-13 23:50:35 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
        107 consecutive failure(s).
        Last success @ 2013-12-09 13:59:36.

Source: Default-First-Site-Name\DC2
******* 107 CONSECUTIVE FAILURES since 2013-12-09 13:59:36
Last error: 1256 (0x4e8):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

---------------------------------

RAN RELADMIN FROM DC2;

C:\Users\Administrator.CCSALE>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9c94d255-a583-4462-8e53-d7410a796b5f
DSA invocationID: 16558192-7699-43ab-9851-6f56961484fe

==== INBOUND NEIGHBORS ======================================

DC=ForestDnsZones,DC=internal,DC=local
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
        Last attempt @ 2013-12-13 23:16:42 failed, result 1908 (0x774):
            Could not find the domain controller for this domain.
        35307 consecutive failure(s).
        Last success @ 2013-11-15 22:37:19.

DC=ForestDnsZones,DC=internal,DC=local
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
        Last attempt @ 2013-12-13 23:17:25 failed, result 1908 (0x774):
            Could not find the domain controller for this domain.
        683 consecutive failure(s).
        Last success @ 2013-11-15 21:57:26.

DC=ForestDnsZones,DC=internal,DC=local
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
        Last attempt @ 2013-12-13 23:18:23 failed, result 1908 (0x774):
            Could not find the domain controller for this domain.
        678 consecutive failure(s).
        Last success @ 2013-11-15 21:57:26.

DC=ForestDnsZones,DC=internal,DC=local
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
        Last attempt @ 2013-12-13 23:18:59 failed, result 1908 (0x774):
            Could not find the domain controller for this domain.
        1128 consecutive failure(s).
        Last success @ 2013-11-15 21:57:26.

DC=ForestDnsZones,DC=internal,DC=local
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 726b16ff-c76e-457f-877f-f4c6d5bb4755
        Last attempt @ 2013-12-13 23:19:45 failed, result 1908 (0x774):
            Could not find the domain controller for this domain.
        682 consecutive failure(s).
        Last success @ 2013-11-15 21:57:26.

Source: Default-First-Site-Name\DC1
******* 35307 CONSECUTIVE FAILURES since 2013-11-15 22:37:19
Last error: 1908 (0x774):
            Could not find the domain controller for this domain.
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39716714
Can you restart netlogon service on DC1 and check if alias is regenerated ?

If not , then please create it manually and also ensute that you have Host(A) and PTR records of both DCs on both server exists

Mahesh
0
 
LVL 1

Accepted Solution

by:
Timbobaloba earned 0 total points
ID: 39716717
this has fixed the AD replication;

C:\Users\Administrator>netdom resetpwd /server:DC2 /userd:ccsale\administrator
/passwordd:******

but STILL cant open DNS on DC1
0
 
LVL 1

Author Comment

by:Timbobaloba
ID: 39716724
just needed to restart DNS Server service all working now!!!!!!

thanks for your help. will give you some points for your assistance.
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39716803
Glad to see you are back up and running.
0
 
LVL 1

Author Closing Comment

by:Timbobaloba
ID: 39843927
solved
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
sbs 2011 6 24
Boot Disk drive letter change 15 88
outlook 2007 + exchange 5 37
Windows 10 home to Pro 25 74
Log files are useful in diagnosing and repairing problems.  This is a list of common log files and their standard locations that I've compiled.   While this is not exhaustive, it is a pretty good list that I've found to be useful.  I may update it f…
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question