Solved

2012 DC replication issues

Posted on 2014-10-09
Last Modified: 2015-01-15
Hi all

Have a 2003 domain which I have been upgrading to 2012 with the hope to bring the domain level up. At the moment there are a mixture of 2012, 2008 and a few 2003 domain controllers.

Today I added another 2012 server. It went through the promotion stage without error but after a number of hours it doesn't seem to want to replicate. I've checked DNS and I have entered itself and a remote DC as its DNS servers.

Rebooted a number of times. DCDIAG:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = drdc01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: DRSite\DRDC01
      Starting test: Connectivity
         ......................... DRDC01 passed test Connectivity

Doing primary tests

   Testing server: DRSite\DRDC01
      Starting test: Advertising
         ......................... DRDC01 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DRDC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DRDC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DRDC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DRDC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DRDC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DRDC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DRDC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DRDC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DRDC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DRDC01 passed test Replications
      Starting test: RidManager
         Warning: attribute rIdSetReferences missing from
         CN=DRDC01,OU=Domain Controllers,DC=DOMAIN,DC=local
         Could not get Rid set Reference :failed with 8481:
         The search failed to retrieve attributes from the database.
         ......................... DRDC01 failed test RidManager
      Starting test: Services
         ......................... DRDC01 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000410B
            Time Generated: 10/09/2014   18:35:35
            Event String:
            The request for a new account-identifier pool failed. The operation
will be retried until the request succeeds. The error is
         ......................... DRDC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DRDC01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : DOMAIN
      Starting test: CheckSDRefDom
         ......................... DOMAIN passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DOMAIN passed test CrossRefValidation

   Running enterprise tests on : DOMAIN.local
      Starting test: LocatorCheck
         ......................... DOMAIN.local passed test LocatorCheck
      Starting test: Intersite
         ......................... DOMAIN.local passed test Intersite

C:\Windows\system32>




Thanks
0
Comment
Question by:Matt
33 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40371356
If you do netdom query fsmo on that box, is the RID master listed the correct server?
0
 

Author Comment

by:Matt
ID: 40371492
Yes it is ....

Event log - system: getting lots of these...

"The domain controller is starting a request for a new account-identifier pool."

eventually get this :

The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is
 " The requested FSMO operation failed. The current FSMO holder could not be contacted.
 "
I can ping the FSMO role holder from the server.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40371620
Check events in your current RID master - run dcdiag on it too.
0
 

Author Comment

by:Matt
ID: 40371640
RID MASTER DCDIAG

C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = winDC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Winnersh\WINDC01
      Starting test: Connectivity
         ......................... WINDC01 passed test Connectivity

Doing primary tests

   Testing server: Winnersh\WINDC01
      Starting test: Advertising
         ......................... WINDC01 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... WINDC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... WINDC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... WINDC01 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 10/09/2014   20:46:26
            Event String:
            All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
         A warning event occurred.  EventID: 0x80000749
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 10/09/2014   20:46:26
            Event String:
            All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
         A warning event occurred.  EventID: 0x80000749
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 10/09/2014   20:46:26
            Event String:
            All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
         A warning event occurred.  EventID: 0x80000749
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 10/09/2014   20:46:26
            Event String:
            All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
         A warning event occurred.  EventID: 0x80000749
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:27
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:27
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         ......................... WINDC01 failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... WINDC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... WINDC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... WINDC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... WINDC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... WINDC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... WINDC01 passed test Replications
      Starting test: RidManager
         ......................... WINDC01 passed test RidManager
      Starting test: Services
         ......................... WINDC01 passed test Services
      Starting test: SystemLog
         ......................... WINDC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... WINDC01 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : DOMAIN
      Starting test: CheckSDRefDom
         ......................... DOMAIN passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DOMAIN passed test CrossRefValidation

   Running enterprise tests on : DOMAIN.local
      Starting test: LocatorCheck
         ......................... DOMAIN.local passed test LocatorCheck
      Starting test: Intersite
         ......................... DOMAIN.local passed test Intersite

C:\Windows\system32>


0
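Added example (not part of any post in this thread): a small Python parser for dcdiag text like the two outputs pasted above. It re-joins the 80-column console line wraps, converts the hexadecimal `EventID` values to the decimal IDs shown in Event Viewer (the low 16 bits), and collapses repeated events per failed test. The sample input is constructed from abridged lines in the format posted here, and all function names are illustrative.

```python
import re
from collections import Counter

CONSOLE_WIDTH = 80  # assumption: output was copied from a default 80-column console

START = re.compile(r"^\s+Starting test: (\S+)")
RESULT = re.compile(r"^\s+\.{5,} (\S+) (passed|failed) test")
EVENT = re.compile(r"^\s+An? (warning|error) event occurred\.\s+EventID: (0x[0-9A-Fa-f]+)")

# Constructed sample: abridged lines in the same layout as the thread's dcdiag output.
SAMPLE = r"""
   Testing server: DRSite\DRDC01
      Starting test: Replications
         ......................... DRDC01 passed test Replications
      Starting test: RidManager
         Warning: attribute rIdSetReferences missing from
         CN=DRDC01,OU=Domain Controllers,DC=DOMAIN,DC=local
         Could not get Rid set Reference :failed with 8481:
         The search failed to retrieve attributes from the database.
         ......................... DRDC01 failed test RidManager
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000410B
            Time Generated: 10/09/2014   18:35:35
            Event String:
            The request for a new account-identifier pool failed. The operation
will be retried until the request succeeds. The error is
         ......................... DRDC01 failed test SystemLog

   Testing server: Winnersh\WINDC01
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 10/09/2014   20:46:26
            Event String:
            All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:27
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         ......................... WINDC01 failed test KccEvent
"""


def unwrap(lines):
    """Re-join console-wrapped lines; a continuation starts at column 0 after an indented line."""
    out, last_len = [], 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        is_cont = bool(out) and line[:1].strip() != "" and out[-1][:1] == " "
        if is_cont:
            # A full-width physical line was cut mid-word; a shorter one broke at a space.
            out[-1] += ("" if last_len >= CONSOLE_WIDTH else " ") + line
        else:
            out.append(line)
        last_len = len(line)
    return out


def parse_dcdiag(text):
    """Return one record per test: name, target, result, events and free-text notes."""
    records, cur, prev = [], None, ""
    for line in unwrap(text.splitlines()):
        s = line.strip()
        if (m := START.match(line)):
            cur = {"test": m.group(1), "target": None, "result": None,
                   "events": [], "notes": []}
            records.append(cur)
        elif cur is None:
            pass  # banner, scope headers, wrapped test names after a result line
        elif (m := RESULT.match(line)):
            cur["target"], cur["result"] = m.group(1), m.group(2)
            cur = None
        elif (m := EVENT.match(line)):
            # Event Viewer shows only the low 16 bits of the 32-bit event identifier.
            cur["events"].append({"level": m.group(1), "raw": m.group(2),
                                  "id": int(m.group(2), 16) & 0xFFFF, "message": ""})
        elif prev == "Event String:" and cur["events"]:
            cur["events"][-1]["message"] = s
        elif s and s != "Event String:" and not s.startswith("Time Generated:"):
            cur["notes"].append(s)
        prev = s
    return records


def failed_tests(records):
    """Map (target, test) -> Counter of unique (level, event id, message) for failed tests."""
    return {(r["target"], r["test"]):
            Counter((e["level"], e["id"], e["message"]) for e in r["events"])
            for r in records if r["result"] == "failed"}


if __name__ == "__main__":
    for (target, test), events in failed_tests(parse_dcdiag(SAMPLE)).items():
        print(f"{target}: {test} FAILED")
        for (level, event_id, message), count in events.items():
            print(f"  {count}x {level} event {event_id}: {message}")
```

Searching the System or Directory Service log for the decimal IDs it prints is usually faster than searching for the hexadecimal form dcdiag reports.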
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40371662
where is the RID master pointing to for DNS?
is there any clock skew between them?
0
 

Author Comment

by:Matt
ID: 40371683
RID MASTER has itself and another DC on the same site. All clocks are good.

One other thing worth mentioning: I also demoted a domain controller after I built the 2012 DC today. The demotion was successful and it has been removed from the newly built DC, but because the new DC isn't replicating, the changes haven't replicated across to the other DCs.
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40371696
ok...could have been a timing issue there
are all these in the same site?  if you look in AD sites and services, where does the RID master replicate to?
just wondering if it is trying to replicate to that server that was removed but didn't know that it's gone
0
 
LVL 13

Accepted Solution

by:
Greg Hejl earned 500 total points
ID: 40371697
Check this previous EE Solution:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/Q_28511997.html

additionally there is some advice to demote and re-promote the server as a domain controller - if you choose this please move any FSMO roles to a different DC

http://www.archy.net/windows-server-2012-migrating-fsmo-roles/
http://trunkofmemorie.blogspot.com/2012/12/how-to-change-fsmo-roles-in-windows-2012.html
0
 

Author Comment

by:Matt
ID: 40371714
No they are on different sites.

I have a DR site that had a 2003 server (drdc)

I promoted the 2012 server (drdc01)

I then demoted the server drdc

The active directory object created and replicated to all DC's.

DRDC01 sites and services is correct and only has itself under the DR site.

All other DCs on different sites did not update the sites and services and do not have the new server DRDC01 but still have all settings for the old server DRDC

Should I forcefully remove drdc?
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40371776
0
 

Author Comment

by:Matt
ID: 40371785
Not in this instance.
0
 

Author Comment

by:Matt
ID: 40371854
Update..

Just to update it looks a bit of a mess.

DR site server drdc01 has been promoted to a DC but none of the other DC's see this. They just see it as a member server. The old DC on this site which was demoted (drdc) is no longer a DC but all other sites still see this as a DC.

Should I demote DRDC01 and promote again? then forcefully remove DRDC?
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40371875
Have you been through DNS checks?

http://technet.microsoft.com/en-us/library/bb727055.aspx

Is DRDC still listed in DNS as a DC?
(sorry if I seem to be diverting a little here - there are quite a few checks to be made to make sure it all runs smoothly)

Here is a link to removing all vestiges of a failed domain controller:
http://support2.microsoft.com/kb/555846
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40375142
Here is a suggestion: pick one DC that is the most accurate and make this the "source of truth". Seize all FSMO roles to this DC. Force demote the other DCs. Do an AD metadata cleanup. Clean up DNS, WINS, etc. Wait a couple of hours or one day if you can to give everything time to settle, then try to add one DC back.
0
 

Author Comment

by:Matt
ID: 40375944
OK, had removed problematic DCs and cleaned up. All looking much better. One problem I still seem to get, and this seemed to only become apparent when I started to introduce 2012 DCs to the domain: every now and again a user's machine would lock and they wouldn't be able to log back on with their current password. The only way to fix this issue is to reboot the machine. Any reason why this might happen?
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40375953
Are there any errors / warnings in the affected workstations' event logs? What about the event log on the DCs?

Nice work on the AD clean-up !!!
0

 

Author Comment

by:Matt
ID: 40375957
I'm not sure; at the time I didn't get a chance to look. I will wait for the next time it happens.
0
 

Author Comment

by:Matt
ID: 40375976
Verbose log from FSMO DC

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine winDC01, is a Directory Server. 
   Home Server = winDC01

   * Connecting to directory service on server winDC01.

   * Identified AD Forest. 
   Collecting AD specific global data 
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded 
   Iterating through the sites 
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=VPNUsers,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Neuss,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Pachesham,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Colo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=RealIPColo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Cumbernauld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Roosendaal,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Paris,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=DRSite,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Turin,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Munich,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers 
   Getting information for the server CN=NTDS Settings,CN=WINNERSHDC2,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=CUMBERNAULDDC1,CN=Servers,CN=Cumbernauld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=COLODC,CN=Servers,CN=RealIPColo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=MITDC,CN=Servers,CN=Turin,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=WINDC02,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DEDC02,CN=Servers,CN=Munich,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=ROOSENDAALDC01,CN=Servers,CN=Roosendaal,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=FRDC01,CN=Servers,CN=Paris,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=COLODC01,CN=Servers,CN=Colo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 10 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: Winnersh\WINDC01

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         * Active Directory RPC Services Check
         ......................... WINDC01 passed test Connectivity



Doing primary tests

   
   Testing server: Winnersh\WINDC01

      Starting test: Advertising

         The DC WINDC01 is advertising itself as a DC and having a DS.
         The DC WINDC01 is advertising as an LDAP server
         The DC WINDC01 is advertising as having a writeable directory
         The DC WINDC01 is advertising as a Key Distribution Center
         The DC WINDC01 is advertising as a time server
         The DS WINDC01 is advertising as a GC.
         ......................... WINDC01 passed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test 
         ......................... WINDC01 passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log. 
         Skip the test because the server is running FRS.

         ......................... WINDC01 passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... WINDC01 passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... WINDC01 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
         ......................... WINDC01 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC WINDC01 on DC WINDC01.
         * SPN found :LDAP/winDC01.DOMAIN.local/DOMAIN.local
         * SPN found :LDAP/winDC01.DOMAIN.local
         * SPN found :LDAP/WINDC01
         * SPN found :LDAP/winDC01.DOMAIN.local/DOMAIN.local
         * SPN found :LDAP/9c56f573-b228-480e-9d61-86610c38b184._msdcs.DOMAIN.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/9c56f573-b228-480e-9d61-86610c38b184/DOMAIN.local
         * SPN found :HOST/winDC01.DOMAIN.local/DOMAIN.local
         * SPN found :HOST/winDC01.DOMAIN.local
         * SPN found :HOST/WINDC01
         * SPN found :HOST/winDC01.DOMAIN.local/DOMAIN.local
         * SPN found :GC/winDC01.DOMAIN.local/DOMAIN.local
         ......................... WINDC01 passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC WINDC01.
         * Security Permissions Check for

           DC=DomainDnsZones,DC=DOMAIN.local,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=ForestDnsZones,DC=DOMAIN.local,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=DOMAIN.local,DC=local
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=DOMAIN.local,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=DOMAIN.local,DC=local
            (Domain,Version 3)
         ......................... WINDC01 passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\WINDC01\netlogon
         Verified share \\WINDC01\sysvol
         ......................... WINDC01 passed test NetLogons

      Starting test: ObjectsReplicated

         WINDC01 is in domain DC=DOMAIN.local,DC=local
         Checking for CN=WINDC01,OU=Domain Controllers,DC=DOMAIN.local,DC=local in domain DC=DOMAIN.local,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local in domain CN=Configuration,DC=DOMAIN.local,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... WINDC01 passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=DomainDnsZones,DC=DOMAIN.local,DC=local
               Latency information for 17 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=ForestDnsZones,DC=DOMAIN.local,DC=local
               Latency information for 17 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=DOMAIN.local,DC=local
               Latency information for 17 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=DOMAIN.local,DC=local
               Latency information for 18 entries in the vector were ignored.
                  18 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DOMAIN.local,DC=local
               Latency information for 17 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... WINDC01 passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 19100 to 1073741823
         * winDC01.DOMAIN.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 15600 to 16099
         * rIDPreviousAllocationPool is 15600 to 16099
         * rIDNextRID: 15613
         ......................... WINDC01 passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... WINDC01 passed test Services

      Starting test: SystemLog

         * The System Event log test
         ......................... WINDC01 failed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=WINDC01,OU=Domain Controllers,DC=DOMAIN.local,DC=local and backlink on

         CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local

          are correct. 
         The system object reference (serverReferenceBL)

         CN=WINDC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DOMAIN.local,DC=local

         and backlink on

         CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local

         are correct. 
         The system object reference (frsComputerReferenceBL)

         CN=WINDC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DOMAIN.local,DC=local

         and backlink on CN=WINDC01,OU=Domain Controllers,DC=DOMAIN.local,DC=local

         are correct. 
         ......................... WINDC01 passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Test omitted by user request: DNS

      Test omitted by user request: DNS

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : DOMAIN.local

      Starting test: CheckSDRefDom

         ......................... DOMAIN.local passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DOMAIN.local passed test CrossRefValidation

   
   Running enterprise tests on : DOMAIN.local

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\winDC01.DOMAIN.local

         Locator Flags: 0xe000f3fd
         PDC Name: \\winDC01.DOMAIN.local
         Locator Flags: 0xe000f3fd
         Time Server Name: \\winDC01.DOMAIN.local
         Locator Flags: 0xe000f3fd
         Preferred Time Server Name: \\winDC01.DOMAIN.local
         Locator Flags: 0xe000f3fd
         KDC Name: \\winDC01.DOMAIN.local
         Locator Flags: 0xe000f3fd
         ......................... DOMAIN.local passed test LocatorCheck

      Starting test: Intersite

         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided. 
         Skipping site VPNUsers, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site Neuss, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site Pachesham, this site is outside the scope provided by

         the command line arguments provided. 
         Skipping site Colo, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site Winnersh, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site RealIPColo, this site is outside the scope provided by

         the command line arguments provided. 
         Skipping site Cumbernauld, this site is outside the scope provided by

         the command line arguments provided. 
         Skipping site Roosendaal, this site is outside the scope provided by

         the command line arguments provided. 
         Skipping site Paris, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site DRSite, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site Turin, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site Munich, this site is outside the scope provided by the

         command line arguments provided. 
         ......................... DOMAIN.local passed test Intersite


0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40375995
Looks good so far. Can you post the results of repadmin /showrepl?

What OS are your clients?
0
 

Author Comment

by:Matt
ID: 40376009
All Windows 7 machines ....

Repadmin: running command /showrepl against full DC localhost
Winnersh\WINDC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9c56f573-b228-480e-9d61-86610c38b184
DSA invocationID: 039aecb8-790b-49a4-804d-27904849f56f

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=local
    Colo\COLODC01 via RPC
        DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
        Last attempt @ 2014-10-12 21:38:15 was successful.
    Winnersh\WINNERSHDC2 via RPC
        DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
        Last attempt @ 2014-10-12 21:45:54 was successful.
    Winnersh\WINDC02 via RPC
        DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
        Last attempt @ 2014-10-12 21:46:17 was successful.

CN=Configuration,DC=domain,DC=local
    Winnersh\WINDC02 via RPC
        DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Winnersh\WINNERSHDC2 via RPC
        DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Colo\COLODC01 via RPC
        DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
        Last attempt @ 2014-10-12 21:38:15 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=local
    Winnersh\WINDC02 via RPC
        DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Winnersh\WINNERSHDC2 via RPC
        DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Colo\COLODC01 via RPC
        DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
        Last attempt @ 2014-10-12 21:38:15 was successful.

DC=ForestDnsZones,DC=domain,DC=local
    Winnersh\WINNERSHDC2 via RPC
        DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Winnersh\WINDC02 via RPC
        DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Colo\COLODC01 via RPC
        DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
        Last attempt @ 2014-10-12 21:38:15 was successful.

DC=DomainDnsZones,DC=domain,DC=local
    Colo\COLODC01 via RPC
        DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
        Last attempt @ 2014-10-12 21:38:15 was successful.
    Winnersh\WINDC02 via RPC
        DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
        Last attempt @ 2014-10-12 21:47:07 was successful.
    Winnersh\WINNERSHDC2 via RPC
        DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
        Last attempt @ 2014-10-12 21:47:13 was successful.


0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40376022
Has this happened since you cleaned up AD? If not, this could be caused by a replication problem in AD, as you were experiencing.
0
 

Author Comment

by:Matt
ID: 40376491
Had one issue this morning. A user powered on their machine and tried to log on. Got the default message saying incorrect username/password, although they are sure it was correct. I reset the password and logged on OK. No event created in eventvwr.
0
 

Author Comment

by:Matt
ID: 40376571
Same issue with another user. This time I rebooted without changing password and it accepted the password.
Event ID 4771
Kerberos pre-authentication failed.

Account Information:
	Security ID:		domain\CBryant
	Account Name:		CBryant

Service Information:
	Service Name:		krbtgt/domain

Network Information:
	Client Address:		::ffff:x.x.0.42
	Client Port:		2300

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x18
	Pre-Authentication Type:	2

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.


0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40376877
This usually means the user entered a bad PWD or their token has expired.

Are all client workstation clocks in sync with the PDC's time?
0
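Added example (not part of the thread): a PowerShell helper that decodes the 4771 fields posted above and tallies failures per domain controller, account and failure code. The failure-code names are the RFC 4120 error names; the sample messages, account names, addresses and DC names are constructed, and the English field labels are an assumption.

```powershell
# Added example, not from the thread. Failure-code names are from RFC 4120.
$KrbFailure = @{
    0x06 = 'KDC_ERR_C_PRINCIPAL_UNKNOWN: account not found'
    0x12 = 'KDC_ERR_CLIENT_REVOKED: account disabled, locked out or expired'
    0x17 = 'KDC_ERR_KEY_EXPIRED: password has expired'
    0x18 = 'KDC_ERR_PREAUTH_FAILED: pre-authentication data was invalid'
    0x25 = 'KRB_AP_ERR_SKEW: clock skew too great'
}

function ConvertFrom-Event4771Text {
    param(
        [Parameter(Mandatory)][string]$Text,  # event message (English labels assumed)
        [string]$Dc = 'unknown'               # DC whose Security log held the event
    )
    $field = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*(Account Name|Client Address|Failure Code):\s*(\S+)') {
            $field[$Matches[1]] = $Matches[2]
        }
    }
    # A malformed ticket can leave fields out of the event; skip those records.
    if (-not $field.ContainsKey('Failure Code')) { return }
    $code = [Convert]::ToInt32($field['Failure Code'], 16)
    $meaning = 'not in this table, see RFC 4120'
    if ($KrbFailure.ContainsKey($code)) { $meaning = $KrbFailure[$code] }
    [pscustomobject]@{
        Dc      = $Dc
        Account = $field['Account Name']
        # IPv4 clients are logged as IPv4-mapped IPv6 (::ffff:a.b.c.d); drop the prefix.
        Client  = $field['Client Address'] -replace '^::ffff:', ''
        Meaning = $meaning
    }
}

# Constructed sample messages (accounts, addresses and DC names are made up).
$sample = @(
    @{ Dc = 'DC-A'; Text = "`tAccount Name:`t`tuser1`n`tClient Address:`t`t::ffff:192.0.2.42`n`tFailure Code:`t`t0x18" }
    @{ Dc = 'DC-A'; Text = "`tAccount Name:`t`tuser1`n`tClient Address:`t`t::ffff:192.0.2.42`n`tFailure Code:`t`t0x18" }
    @{ Dc = 'DC-B'; Text = "`tAccount Name:`t`tuser2`n`tClient Address:`t`t::ffff:192.0.2.57`n`tFailure Code:`t`t0x25" }
    @{ Dc = 'DC-B'; Text = "`tAccount Name:`t`tuser3`n`tClient Address:`t`t::ffff:192.0.2.60" }
)

$sample | ForEach-Object { ConvertFrom-Event4771Text -Text $_.Text -Dc $_.Dc } |
    Group-Object Dc, Account, Meaning |
    Sort-Object Count -Descending | Select-Object Count, Name

# Live use on a DC (elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771 } |
#     ForEach-Object { ConvertFrom-Event4771Text -Text $_.Message -Dc $_.MachineName }
```

If the 0x18 rows for an account come from one DC only, compare that DC's replication state for the account before looking at the client.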
 

Author Comment

by:Matt
ID: 40377098
When you say the token has expired, how does this work? Is it the same on all domains? The time is synced with the PDC so the clients' time should be accurate.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40377547
The Kerberos token naturally expires after 8 hours by design. When you say "should" be in sync, can you double check for me, please?
0
 

Author Comment

by:Matt
ID: 40391639
Sorry for the delay...
So I'm still getting the same issue with a few users. The machine locks, and the user cannot unlock it again. The time on the machine is correct. A reboot fixes the issue and they can log on again.
0
 

Author Comment

by:Matt
ID: 40392097
I spoke with a user earlier who had the same problem.

This morning when she logged in she was prompted to change her password, which she did. After lunch she returned to her desktop with the screen locked. It wouldn't take the new password to unlock, however it would accept the old one?!

I confirmed this by manually locking the workstation and unlocking again with the old password.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40392317
Is this with a wireless connection?

I have noticed on some machines that the wireless connection is not authenticated until the user is logged in, and will not accept password changes unless the user is first logged in and then uses Control-Alt-Delete to change the password.
0
 

Author Comment

by:Matt
ID: 40392397
No, wired.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40392544
Related events in Event Viewer? Or still the same as above?
0
 

Author Comment

by:Matt
ID: 40392553
Same as above.
0
