Matt
asked on
2012 DC replication issues
Hi all
Have a 2003 domain which I have been upgrading to 2012 with the hope to bring the domain level up. At the moment there are a mixture of 2012, 2008 and a few 2003 domain controllers.
Today I added another 2012 server. It went through the promotion stage without error but after a number of hours it doesn't seem to want to replicate. I've checked DNS and I have entered itself and a remote DC as its DNS servers.
Rebooted a number of times. DCDIAG:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = drdc01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: DRSite\DRDC01
Starting test: Connectivity
......................... DRDC01 passed test Connectivity
Doing primary tests
Testing server: DRSite\DRDC01
Starting test: Advertising
......................... DRDC01 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DRDC01 passed test FrsEvent
Starting test: DFSREvent
......................... DRDC01 passed test DFSREvent
Starting test: SysVolCheck
......................... DRDC01 passed test SysVolCheck
Starting test: KccEvent
......................... DRDC01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DRDC01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DRDC01 passed test MachineAccount
Starting test: NCSecDesc
......................... DRDC01 passed test NCSecDesc
Starting test: NetLogons
......................... DRDC01 passed test NetLogons
Starting test: ObjectsReplicated
......................... DRDC01 passed test ObjectsReplicated
Starting test: Replications
......................... DRDC01 passed test Replications
Starting test: RidManager
Warning: attribute rIdSetReferences missing from
CN=DRDC01,OU=Domain Controllers,DC=DOMAIN,DC=local
Could not get Rid set Reference :failed with 8481:
The search failed to retrieve attributes from the database.
......................... DRDC01 failed test RidManager
Starting test: Services
......................... DRDC01 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x0000410B
Time Generated: 10/09/2014 18:35:35
Event String:
The request for a new account-identifier pool failed. The operation
will be retried until the request succeeds. The error is
......................... DRDC01 failed test SystemLog
Starting test: VerifyReferences
......................... DRDC01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : DOMAIN
Starting test: CheckSDRefDom
......................... DOMAIN passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DOMAIN passed test CrossRefValidation
Running enterprise tests on : DOMAIN.local
Starting test: LocatorCheck
......................... DOMAIN.local passed test LocatorCheck
Starting test: Intersite
......................... DOMAIN.local passed test Intersite
C:\Windows\system32>
Thanks
if you do netdom query fsmo on that box is the RID master listed the correct server?
ASKER
Yes it is ....
event log - system: getting lots of these...
"The domain controller is starting a request for a new account-identifier pool."
eventually get this :
The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is
"The requested FSMO operation failed. The current FSMO holder could not be contacted."
I can ping the FSMO role holder from the server.
check events in your current RIDMaster - run dcdiag on it too
ASKER
RID MASTER DCDIAG
C:\Windows\system32>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = winDC01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Winnersh\WINDC01
Starting test: Connectivity
......................... WINDC01 passed test Connectivity
Doing primary tests
Testing server: Winnersh\WINDC01
Starting test: Advertising
......................... WINDC01 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... WINDC01 passed test FrsEvent
Starting test: DFSREvent
......................... WINDC01 passed test DFSREvent
Starting test: SysVolCheck
......................... WINDC01 passed test SysVolCheck
Starting test: KccEvent
A warning event occurred. EventID: 0x8000061E
Time Generated: 10/09/2014 20:46:26
Event String:
All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 10/09/2014 20:46:26
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 10/09/2014 20:46:26
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 10/09/2014 20:46:26
Event String:
All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 10/09/2014 20:46:26
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 10/09/2014 20:46:26
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 10/09/2014 20:46:26
Event String:
All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 10/09/2014 20:46:26
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 10/09/2014 20:46:26
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 10/09/2014 20:46:26
Event String:
All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 10/09/2014 20:46:26
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 10/09/2014 20:46:26
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
A warning event occurred. EventID: 0x80000785
Time Generated: 10/09/2014 20:46:26
Event String:
The attempt to establish a replication link for the following writab
le directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 10/09/2014 20:46:26
Event String:
The attempt to establish a replication link for the following writab
le directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 10/09/2014 20:46:26
Event String:
The attempt to establish a replication link for the following writab
le directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 10/09/2014 20:46:27
Event String:
The attempt to establish a replication link for the following writab
le directory partition failed.
A warning event occurred. EventID: 0x80000785
Time Generated: 10/09/2014 20:46:27
Event String:
The attempt to establish a replication link for the following writab
le directory partition failed.
......................... WINDC01 failed test KccEvent
Starting test: KnowsOfRoleHolders
......................... WINDC01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... WINDC01 passed test MachineAccount
Starting test: NCSecDesc
......................... WINDC01 passed test NCSecDesc
Starting test: NetLogons
......................... WINDC01 passed test NetLogons
Starting test: ObjectsReplicated
......................... WINDC01 passed test ObjectsReplicated
Starting test: Replications
......................... WINDC01 passed test Replications
Starting test: RidManager
......................... WINDC01 passed test RidManager
Starting test: Services
......................... WINDC01 passed test Services
Starting test: SystemLog
......................... WINDC01 failed test SystemLog
Starting test: VerifyReferences
......................... WINDC01 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : DOMAIN
Starting test: CheckSDRefDom
......................... DOMAIN passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DOMAIN passed test CrossRefValidation
Running enterprise tests on : DOMAIN.local
Starting test: LocatorCheck
......................... DOMAIN.local passed test LocatorCheck
Starting test: Intersite
......................... DOMAIN.local passed test Intersite
C:\Windows\system32>
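Added example, not part of the original thread: a small Python parser for plain dcdiag output like the two runs above. It lists failed tests per server, counts the repeated events, and converts the hex EventID dcdiag prints into the decimal ID shown in Event Viewer (the low 16 bits). The sample text is constructed and abridged from the output posted here; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample, abridged from the two dcdiag runs quoted in this thread.
SAMPLE = """\
Testing server: DRSite\\DRDC01
Starting test: Replications
......................... DRDC01 passed test Replications
Starting test: RidManager
Warning: attribute rIdSetReferences missing from
CN=DRDC01,OU=Domain Controllers,DC=DOMAIN,DC=local
Could not get Rid set Reference :failed with 8481:
The search failed to retrieve attributes from the database.
......................... DRDC01 failed test RidManager
Starting test: SystemLog
An error event occurred. EventID: 0x0000410B
Time Generated: 10/09/2014 18:35:35
......................... DRDC01 failed test SystemLog
Testing server: Winnersh\\WINDC01
Starting test: KccEvent
A warning event occurred. EventID: 0x8000061E
An error event occurred. EventID: 0xC000051F
A warning event occurred. EventID: 0x80000749
A warning event occurred. EventID: 0x8000061E
An error event occurred. EventID: 0xC000051F
A warning event occurred. EventID: 0x80000785
A warning event occurred. EventID: 0x80000785
A warning event occurred. EventID: 0x80000785
......................... WINDC01 failed test KccEvent
Starting test: RidManager
......................... WINDC01 passed test RidManager
Starting test: SystemLog
......................... WINDC01 failed test SystemLog
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
# The test name can wrap onto the next line, so only subject and verdict are
# taken from the result line; the name comes from the "Starting test" line.
RESULT = re.compile(r"^\s*\.{5,}\s+(\S+) (passed|failed) test")
EVENT = re.compile(r"An? (warning|error) event occurred\.\s+EventID:\s*(0x[0-9A-Fa-f]+)")
CODE = re.compile(r"failed with (\d+)")


def parse_dcdiag(text):
    """Return one record per test: subject, test, result, events, codes."""
    results = []
    test, events, codes = None, Counter(), []
    for line in text.splitlines():
        m = START.match(line)
        if m:
            test, events, codes = m.group(1), Counter(), []
            continue
        m = EVENT.search(line)
        if m:
            # Low 16 bits are the event ID as Event Viewer displays it.
            events[(m.group(1), int(m.group(2), 16) & 0xFFFF)] += 1
            continue
        m = CODE.search(line)
        if m:
            codes.append(int(m.group(1)))
            continue
        m = RESULT.match(line)
        if m and test is not None:
            results.append({"subject": m.group(1), "test": test,
                            "result": m.group(2), "events": events,
                            "codes": codes})
            test = None
    return results


def failed_tests(text):
    """Only the records whose verdict is 'failed'."""
    return [r for r in parse_dcdiag(text) if r["result"] == "failed"]


def summarize(text):
    """One line per failed test, with de-duplicated events and error codes."""
    lines = []
    for r in failed_tests(text):
        detail = [f"{level} event {eid} x{n}"
                  for (level, eid), n in r["events"].items()]
        detail += [f"error code {c}" for c in r["codes"]]
        lines.append(f'{r["subject"]} {r["test"]}: '
                     + ("; ".join(detail) or "no detail in output"))
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```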
where is the RID master pointing to for DNS?
is there any clock skew between them?
ASKER
RID MASTER has itself and another DC on the same site. All clocks are good.
One other thing worth mentioning: I also demoted a domain controller after I built the 2012 DC today. The demotion was all successful. It has been removed from the newly built DC, but because the new DC isn't replicating, the changes haven't replicated across to the other DCs.
ok...could have been a timing issue there
are all these in the same site? if you look in AD sites and services, where does the RID master replicate to?
just wondering if it is trying to replicate to that server that was removed but didn't know that it's gone
ASKER
No they are on different sites.
I have a DR site that had a 2003 server (drdc).
I promoted the 2012 server (drdc01).
I then demoted the server drdc.
The Active Directory object created and replicated to all DCs.
DRDC01 Sites and Services is correct and only has itself under the DR site.
All other DCs on different sites did not update the Sites and Services and do not have the new server DRDC01, but still have all settings for the old server DRDC.
Should I forcefully remove drdc?
I think this is still relevant for 2012
http://technet.microsoft.com/en-us/library/cc739234(v=ws.10).aspx
Here is some additional assistance:
https://social.technet.microsoft.com/forums/windowsserver/en-US/9f8fd85c-a16a-4643-a52b-43a52640a862/ridmanager-ridsetreferences-missing-from-dc
ASKER
Not in this instance.
ASKER
Update..
Just to update, it looks a bit of a mess.
DR site server drdc01 has been promoted to a DC but none of the other DCs see this. They just see it as a member server. The old DC on this site which was demoted (drdc) is no longer a DC, but all other sites still see this as a DC.
Should I demote DRDC01 and promote again? Then forcefully remove DRDC?
Have you been through DNS checks?
http://technet.microsoft.com/en-us/library/bb727055.aspx
is DRDC still listed in DNS as a DC?
(sorry if I seem to be diverting a little here - there are quite a few checks to be made to make sure it all runs smoothly)
Here is a link to removing all vestiges of a failed domain controller:
http://support2.microsoft.com/kb/555846
Here is a suggestion: pick one DC that is the most accurate and make this the "source of truth". Seize all FSMO roles to this DC. Force demote the other DCs. Do an AD metadata cleanup. Clean up DNS, WINS etc... Wait a couple of hours or one day if you can, to give everything time to settle, then try to add one DC back.
ASKER
OK, had removed problematic DCs and cleaned up. All looking much better. One problem I still seem to get, and this seemed to only become apparent when I started to introduce 2012 DCs to the domain: every now and again a user's machine would lock and they wouldn't be able to log back on with their current password. The only way to fix this issue is to reboot the machine. Any reason why this might happen?
Are there any errors / warnings in the affected workstations' event logs? What about the event log on the DCs?
Nice work on the AD clean-up !!!
ASKER
I'm not sure; at the time I didn't get a chance to look. I will wait for the next time it happens.
ASKER
Verbose log from FSMO DC
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine winDC01, is a Directory Server.
Home Server = winDC01
* Connecting to directory service on server winDC01.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=VPNUsers,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Neuss,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Pachesham,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Colo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=RealIPColo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Cumbernauld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Roosendaal,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Paris,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=DRSite,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Turin,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Munich,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=WINNERSHDC2,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=CUMBERNAULDDC1,CN=Servers,CN=Cumbernauld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=COLODC,CN=Servers,CN=RealIPColo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=MITDC,CN=Servers,CN=Turin,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=WINDC02,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=DEDC02,CN=Servers,CN=Munich,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=ROOSENDAALDC01,CN=Servers,CN=Roosendaal,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=FRDC01,CN=Servers,CN=Paris,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=COLODC01,CN=Servers,CN=Colo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 10 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Winnersh\WINDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... WINDC01 passed test Connectivity
Doing primary tests
Testing server: Winnersh\WINDC01
Starting test: Advertising
The DC WINDC01 is advertising itself as a DC and having a DS.
The DC WINDC01 is advertising as an LDAP server
The DC WINDC01 is advertising as having a writeable directory
The DC WINDC01 is advertising as a Key Distribution Center
The DC WINDC01 is advertising as a time server
The DS WINDC01 is advertising as a GC.
......................... WINDC01 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... WINDC01 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
......................... WINDC01 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... WINDC01 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... WINDC01 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Role Domain Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Role PDC Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Role Rid Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
......................... WINDC01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC WINDC01 on DC WINDC01.
* SPN found :LDAP/winDC01.DOMAIN.local/DOMAIN.local
* SPN found :LDAP/winDC01.DOMAIN.local
* SPN found :LDAP/WINDC01
* SPN found :LDAP/winDC01.DOMAIN.local/DOMAIN.local
* SPN found :LDAP/9c56f573-b228-480e-9d61-86610c38b184._msdcs.DOMAIN.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/9c56f573-b228-480e-9d61-86610c38b184/DOMAIN.local
* SPN found :HOST/winDC01.DOMAIN.local/DOMAIN.local
* SPN found :HOST/winDC01.DOMAIN.local
* SPN found :HOST/WINDC01
* SPN found :HOST/winDC01.DOMAIN.local/DOMAIN.local
* SPN found :GC/winDC01.DOMAIN.local/DOMAIN.local
......................... WINDC01 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC WINDC01.
* Security Permissions Check for
DC=DomainDnsZones,DC=DOMAIN.local,DC=local
(NDNC,Version 3)
* Security Permissions Check for
DC=ForestDnsZones,DC=DOMAIN.local,DC=local
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=DOMAIN.local,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=DOMAIN.local,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=DOMAIN.local,DC=local
(Domain,Version 3)
......................... WINDC01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\WINDC01\netlogon
Verified share \\WINDC01\sysvol
......................... WINDC01 passed test NetLogons
Starting test: ObjectsReplicated
WINDC01 is in domain DC=DOMAIN.local,DC=local
Checking for CN=WINDC01,OU=Domain Controllers,DC=DOMAIN.local,DC=local in domain DC=DOMAIN.local,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local in domain CN=Configuration,DC=DOMAIN.local,DC=local on 1 servers
Object is up-to-date on all servers.
......................... WINDC01 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=DomainDnsZones,DC=DOMAIN.local,DC=local
Latency information for 17 entries in the vector were ignored.
17 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=ForestDnsZones,DC=DOMAIN.local,DC=local
Latency information for 17 entries in the vector were ignored.
17 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=DOMAIN.local,DC=local
Latency information for 17 entries in the vector were ignored.
17 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=DOMAIN.local,DC=local
Latency information for 18 entries in the vector were ignored.
18 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DOMAIN.local,DC=local
Latency information for 17 entries in the vector were ignored.
17 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... WINDC01 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 19100 to 1073741823
* winDC01.DOMAIN.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 15600 to 16099
* rIDPreviousAllocationPool is 15600 to 16099
* rIDNextRID: 15613
......................... WINDC01 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... WINDC01 passed test Services
Starting test: SystemLog
* The System Event log test
......................... WINDC01 failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=WINDC01,OU=Domain Controllers,DC=DOMAIN.local,DC=local and backlink on
CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
are correct.
The system object reference (serverReferenceBL)
CN=WINDC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DOMAIN.local,DC=local
and backlink on
CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=WINDC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DOMAIN.local,DC=local
and backlink on CN=WINDC01,OU=Domain Controllers,DC=DOMAIN.local,DC=local
are correct.
......................... WINDC01 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : DOMAIN.local
Starting test: CheckSDRefDom
......................... DOMAIN.local passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DOMAIN.local passed test CrossRefValidation
Running enterprise tests on : DOMAIN.local
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\winDC01.DOMAIN.local
Locator Flags: 0xe000f3fd
PDC Name: \\winDC01.DOMAIN.local
Locator Flags: 0xe000f3fd
Time Server Name: \\winDC01.DOMAIN.local
Locator Flags: 0xe000f3fd
Preferred Time Server Name: \\winDC01.DOMAIN.local
Locator Flags: 0xe000f3fd
KDC Name: \\winDC01.DOMAIN.local
Locator Flags: 0xe000f3fd
......................... DOMAIN.local passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
Skipping site VPNUsers, this site is outside the scope provided by the
command line arguments provided.
Skipping site Neuss, this site is outside the scope provided by the
command line arguments provided.
Skipping site Pachesham, this site is outside the scope provided by
the command line arguments provided.
Skipping site Colo, this site is outside the scope provided by the
command line arguments provided.
Skipping site Winnersh, this site is outside the scope provided by the
command line arguments provided.
Skipping site RealIPColo, this site is outside the scope provided by
the command line arguments provided.
Skipping site Cumbernauld, this site is outside the scope provided by
the command line arguments provided.
Skipping site Roosendaal, this site is outside the scope provided by
the command line arguments provided.
Skipping site Paris, this site is outside the scope provided by the
command line arguments provided.
Skipping site DRSite, this site is outside the scope provided by the
command line arguments provided.
Skipping site Turin, this site is outside the scope provided by the
command line arguments provided.
Skipping site Munich, this site is outside the scope provided by the
command line arguments provided.
......................... DOMAIN.local passed test Intersite
Looks good so far. Can you post the results of repadmin /showrepl?
What OS are your clients?
ASKER
All Windows 7 machines.
Repadmin: running command /showrepl against full DC localhost
Winnersh\WINDC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9c56f573-b228-480e-9d61-86610c38b184
DSA invocationID: 039aecb8-790b-49a4-804d-27904849f56f
==== INBOUND NEIGHBORS ======================================
DC=domain,DC=local
Colo\COLODC01 via RPC
DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
Last attempt @ 2014-10-12 21:38:15 was successful.
Winnersh\WINNERSHDC2 via RPC
DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
Last attempt @ 2014-10-12 21:45:54 was successful.
Winnersh\WINDC02 via RPC
DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
Last attempt @ 2014-10-12 21:46:17 was successful.
CN=Configuration,DC=domain,DC=local
Winnersh\WINDC02 via RPC
DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
Last attempt @ 2014-10-12 20:53:15 was successful.
Winnersh\WINNERSHDC2 via RPC
DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
Last attempt @ 2014-10-12 20:53:15 was successful.
Colo\COLODC01 via RPC
DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
Last attempt @ 2014-10-12 21:38:15 was successful.
CN=Schema,CN=Configuration,DC=domain,DC=local
Winnersh\WINDC02 via RPC
DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
Last attempt @ 2014-10-12 20:53:15 was successful.
Winnersh\WINNERSHDC2 via RPC
DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
Last attempt @ 2014-10-12 20:53:15 was successful.
Colo\COLODC01 via RPC
DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
Last attempt @ 2014-10-12 21:38:15 was successful.
DC=ForestDnsZones,DC=domain,DC=local
Winnersh\WINNERSHDC2 via RPC
DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
Last attempt @ 2014-10-12 20:53:15 was successful.
Winnersh\WINDC02 via RPC
DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
Last attempt @ 2014-10-12 20:53:15 was successful.
Colo\COLODC01 via RPC
DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
Last attempt @ 2014-10-12 21:38:15 was successful.
DC=DomainDnsZones,DC=domain,DC=local
Colo\COLODC01 via RPC
DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
Last attempt @ 2014-10-12 21:38:15 was successful.
Winnersh\WINDC02 via RPC
DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
Last attempt @ 2014-10-12 21:47:07 was successful.
Winnersh\WINNERSHDC2 via RPC
DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
Last attempt @ 2014-10-12 21:47:13 was successful.
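An added example, not part of the original thread: a small parser for the `repadmin /showrepl` layout posted above that lists inbound links whose last attempt failed or is older than a threshold. The function names, the 3-hour threshold and the `EXAMPLEDC` link are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

NC = re.compile(r"^(?:DC|CN)=\S+$")                 # naming context header
SOURCE = re.compile(r"^(\S+)\\(\S+) via (\S+)$")    # Site\DC via transport
ATTEMPT = re.compile(r"^Last attempt @ (\S+ \S+) (was successful|failed, result (\d+))")

def parse_showrepl(text):
    """Return one record per inbound link found in repadmin /showrepl output."""
    links, nc, src, inbound = [], None, None, False
    for line in map(str.strip, text.splitlines()):
        if "INBOUND NEIGHBORS" in line:
            inbound = True
        elif not inbound:
            continue                      # skip the DSA header block
        elif NC.match(line):
            nc = line
        elif (m := SOURCE.match(line)):
            src = m.group(2)
        elif (m := ATTEMPT.match(line)) and nc and src:
            links.append({
                "nc": nc, "source": src,
                "when": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                "ok": m.group(3) is None,
                "result": int(m.group(3) or 0),   # Win32 error code, 0 on success
            })
    return links

def needs_attention(links, now, max_age=timedelta(hours=3)):
    """Links whose last attempt failed or is older than max_age (assumed threshold)."""
    return [(l["nc"], l["source"], "failed" if not l["ok"] else "stale")
            for l in links if not l["ok"] or now - l["when"] > max_age]

# Domain partition lines copied from the post above; the EXAMPLEDC link is constructed.
SAMPLE = """==== INBOUND NEIGHBORS ======================================
DC=domain,DC=local
Colo\\COLODC01 via RPC
DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
Last attempt @ 2014-10-12 21:38:15 was successful.
Winnersh\\WINDC02 via RPC
DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
Last attempt @ 2014-10-12 21:46:17 was successful.
CN=Configuration,DC=domain,DC=local
Winnersh\\EXAMPLEDC via RPC
Last attempt @ 2014-10-12 20:53:15 failed, result 1722 (0x6ba):
"""

if __name__ == "__main__":
    for item in needs_attention(parse_showrepl(SAMPLE), datetime(2014, 10, 12, 22, 0)):
        print(item)
```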
Has this happened since you cleaned up AD? If not, this could be caused by the replication problem in AD that you were experiencing.
ASKER
Had one issue this morning. A user powered on their machine and tried to log on. Got the default message saying incorrect username/password, although they are sure it was correct. I reset the password and they logged on OK. No event created in eventvwr.
ASKER
Same issue with another user. This time I rebooted without changing password and it accepted the password.
Event ID 4771
Kerberos pre-authentication failed.
Account Information:
Security ID: domain\CBryant
Account Name: CBryant
Service Information:
Service Name: krbtgt/domain
Network Information:
Client Address: ::ffff:x.x.0.42
Client Port: 2300
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
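An added example, not part of the original thread: a decoder for the event 4771 fields posted above, using the RFC 4120 code tables the event text refers to. It shows that failure code 0x18 is KDC_ERR_PREAUTH_FAILED, while a clock problem would be logged as 0x25 (KRB_AP_ERR_SKEW); the function and dictionary names are illustrative.

```python
import re

# Kerberos error codes from RFC 4120 section 7.5.9 that commonly appear in 4771.
KRB_ERRORS = {
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "account name not found"),
    0x12: ("KDC_ERR_CLIENT_REVOKED", "account disabled, locked out or expired"),
    0x17: ("KDC_ERR_KEY_EXPIRED", "password expired and must be changed"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", "password did not match what this DC holds"),
    0x25: ("KRB_AP_ERR_SKEW", "client clock too far from the DC clock"),
}
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 16: "PA-PK-AS-REQ"}
# KDCOptions flag bits, numbered from the most significant bit (RFC 4120, RFC 6806).
KDC_OPTIONS = {1: "forwardable", 3: "proxiable", 8: "renewable",
               15: "canonicalize", 27: "renewable-ok"}
FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.M)

def decode_4771(text):
    """Decode the fields of one event 4771 description into readable values."""
    f = {k.strip(): v.strip() for k, v in FIELD.findall(text)}
    code = int(f["Failure Code"], 16)
    opts = int(f["Ticket Options"], 16)
    name, meaning = KRB_ERRORS.get(code, ("UNKNOWN", "see RFC 4120 section 7.5.9"))
    return {
        "account": f["Account Name"],
        # Strip the IPv4-mapped IPv6 prefix the DC logs in front of the address.
        "client": re.sub(r"^::ffff:", "", f["Client Address"]),
        "error": name,
        "meaning": meaning,
        "preauth": PA_TYPES.get(int(f["Pre-Authentication Type"]), "other"),
        "kdc_options": [n for b, n in KDC_OPTIONS.items() if opts & (1 << (31 - b))],
        "clock_skew": code == 0x25,
    }

# Field values copied from the event posted above.
POSTED_EVENT = """Account Name: CBryant
Service Name: krbtgt/domain
Client Address: ::ffff:x.x.0.42
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2"""

if __name__ == "__main__":
    for key, value in decode_4771(POSTED_EVENT).items():
        print(f"{key:12} {value}")
```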
This usually means the user entered a bad PWD or their token has expired.
Are all client workstation clocks in sync with the PDC's time?
ASKER
When you say token has expired, how does this work? Is it the same on all domains? The time is synced with the PDC, so the clients' time should be accurate.
The Kerberos token naturally expires after 8 hours by design. When you say "should" be in sync, can you double-check for me, please?
ASKER
Sorry for delay...
So I'm still getting the same issue with a few users. The machine locks, and the user cannot unlock it again. The time on the machine is correct. A reboot fixes the issue and they can log on again.
ASKER
I spoke with a user earlier who had the same problem.
This morning when she logged in she was prompted to change her password, which she did. After lunch she returned to her desktop with the screen locked. It wouldn't take the new password to unlock, however it would accept the old one?!
I confirmed this by manually locking the workstation and unlocking again with the old password.
Is this with a wireless connection?
I have noticed on some machines that the wireless connection is not authenticated until the user is logged in, and it will not accept password changes unless the user is first logged in and then uses Control-Alt-Delete to change the password.
ASKER
No, wired.
Related events in Event Viewer? Or still the same as above?
ASKER
same as above