Matt

2012 DC replication issues

Hi all

Have a 2003 domain which I have been upgrading to 2012 with the hope to bring the domain level up. At the moment there is a mixture of 2012, 2008 and a few 2003 domain controllers.

Today I added another 2012 server. It went through the promotion stage without error but after a number of hours it doesn't seem to want to replicate. I've checked DNS and I have entered itself and a remote DC as its DNS servers.

Rebooted a number of times. DCDIAG:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = drdc01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: DRSite\DRDC01
      Starting test: Connectivity
         ......................... DRDC01 passed test Connectivity

Doing primary tests

   Testing server: DRSite\DRDC01
      Starting test: Advertising
         ......................... DRDC01 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DRDC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DRDC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DRDC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DRDC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DRDC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DRDC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DRDC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DRDC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DRDC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DRDC01 passed test Replications
      Starting test: RidManager
         Warning: attribute rIdSetReferences missing from
         CN=DRDC01,OU=Domain Controllers,DC=DOMAIN,DC=local
         Could not get Rid set Reference :failed with 8481:
         The search failed to retrieve attributes from the database.
         ......................... DRDC01 failed test RidManager
      Starting test: Services
         ......................... DRDC01 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000410B
            Time Generated: 10/09/2014   18:35:35
            Event String:
            The request for a new account-identifier pool failed. The operation
will be retried until the request succeeds. The error is
         ......................... DRDC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DRDC01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : DOMAIN
      Starting test: CheckSDRefDom
         ......................... DOMAIN passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DOMAIN passed test CrossRefValidation

   Running enterprise tests on : DOMAIN.local
      Starting test: LocatorCheck
         ......................... DOMAIN.local passed test LocatorCheck
      Starting test: Intersite
         ......................... DOMAIN.local passed test Intersite

C:\Windows\system32>

Thanks

Seth Simmons

If you do netdom query fsmo on that box, is the RID master listed the correct server?

Matt

ASKER

Yes it is ....

Event log - System: getting lots of these...

"The domain controller is starting a request for a new account-identifier pool."

eventually get this :

The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is
 " The requested FSMO operation failed. The current FSMO holder could not be contacted.
 "
I can ping the FSMO role holder from the server.

Check events in your current RIDMaster - run dcdiag on it too

Matt

ASKER

RID MASTER DCDIAG

C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = winDC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Winnersh\WINDC01
      Starting test: Connectivity
         ......................... WINDC01 passed test Connectivity

Doing primary tests

   Testing server: Winnersh\WINDC01
      Starting test: Advertising
         ......................... WINDC01 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... WINDC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... WINDC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... WINDC01 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 10/09/2014   20:46:26
            Event String:
            All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
         A warning event occurred.  EventID: 0x80000749
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 10/09/2014   20:46:26
            Event String:
            All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
         A warning event occurred.  EventID: 0x80000749
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 10/09/2014   20:46:26
            Event String:
            All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
         A warning event occurred.  EventID: 0x80000749
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 10/09/2014   20:46:26
            Event String:
            All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
         A warning event occurred.  EventID: 0x80000749
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:27
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 10/09/2014   20:46:27
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         ......................... WINDC01 failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... WINDC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... WINDC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... WINDC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... WINDC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... WINDC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... WINDC01 passed test Replications
      Starting test: RidManager
         ......................... WINDC01 passed test RidManager
      Starting test: Services
         ......................... WINDC01 passed test Services
      Starting test: SystemLog
         ......................... WINDC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... WINDC01 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : DOMAIN
      Starting test: CheckSDRefDom
         ......................... DOMAIN passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DOMAIN passed test CrossRefValidation

   Running enterprise tests on : DOMAIN.local
      Starting test: LocatorCheck
         ......................... DOMAIN.local passed test LocatorCheck
      Starting test: Intersite
         ......................... DOMAIN.local passed test Intersite

C:\Windows\system32>
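
The two dcdiag runs above are hard to triage by eye: the same KCC events repeat, and the console wrapped long event strings mid-word. As an added example (not part of the original thread), this Python parser pulls the failed tests and de-duplicated events out of such output. The sample lines are constructed from the excerpts above; the function names and the 80-column wrap width are assumptions.

```python
import re
from collections import Counter

CONSOLE_WIDTH = 80  # assumption: output was captured from a default 80-column console
# Constructed sample: lines taken from the two dcdiag runs quoted in this thread, trimmed.
SAMPLE = r"""
   Testing server: DRSite\DRDC01
      Starting test: RidManager
         ......................... DRDC01 failed test RidManager
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000410B
            Time Generated: 10/09/2014   18:35:35
            Event String:
            The request for a new account-identifier pool failed. The operation
will be retried until the request succeeds. The error is
         ......................... DRDC01 failed test SystemLog
   Testing server: Winnersh\WINDC01
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 10/09/2014   20:46:26
            Event String:
            All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 10/09/2014   20:46:26
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 10/09/2014   20:46:26
            Event String:
            All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
         ......................... WINDC01 failed test KccEvent
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

RESULT = re.compile(r"^\s*\.{5,}\s+(\S+) (passed|failed) test\s*(\S*)")
EVENT = re.compile(r"An? (error|warning) event occurred\.\s+EventID: (0x[0-9A-Fa-f]+)")


def unwrap(lines):
    """Rejoin lines the console wrapped; a wrapped tail restarts at column 0."""
    out, last_len = [], 0
    for line in lines:
        if out and out[-1].strip() and line and not line[0].isspace():
            # A full-width line was cut mid-word; a shorter one broke at a space.
            out[-1] += ("" if last_len >= CONSOLE_WIDTH else " ") + line
        else:
            out.append(line)
        last_len = len(line)
    return out


def event_text(lines, start):
    """Collect the message that follows 'Event String:' for one event."""
    text, in_message = [], False
    for line in lines[start:]:
        if EVENT.search(line) or RESULT.match(line) or "Starting test:" in line:
            break
        if in_message and line.strip():
            text.append(line.strip())
        in_message = in_message or "Event String:" in line
    return " ".join(text)


def parse_dcdiag(text):
    """Return (results, events): (subject, test, outcome) tuples and an event Counter."""
    lines = unwrap(text.splitlines())
    results, events, server = [], Counter(), None
    for i, line in enumerate(lines):
        if "Testing server:" in line:
            server = line.split(":", 1)[1].strip().split("\\")[-1]
        elif m := RESULT.match(line):
            # dcdiag itself pushes a long test name onto the following line.
            test = m.group(3) or next((l.strip() for l in lines[i + 1:] if l.strip()), "")
            results.append((m.group(1), test, m.group(2)))
        elif m := EVENT.search(line):
            # Low 16 bits are the ID Event Viewer shows; the high bits are flags.
            event_id = int(m.group(2), 16) & 0xFFFF
            events[(server, m.group(1), event_id, event_text(lines, i + 1))] += 1
    return results, events


def summarize(text):
    """One row per failed test, then one row per distinct event with its count."""
    results, events = parse_dcdiag(text)
    rows = [f"FAILED  {s}: {t}" for s, t, outcome in results if outcome == "failed"]
    for (server, severity, event_id, message), count in events.most_common():
        rows.append(f"{severity.upper():7} {server} event {event_id} x{count}: {message}")
    return rows


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Event IDs come out in the decimal form Event Viewer uses, so 0x0000410B on DRDC01 is reported as event 16651 and the KCC entries on WINDC01 as 1566 and 1311.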

Where is the RID master pointing to for DNS?
Is there any clock skew between them?

Matt

ASKER

RID MASTER has itself and another DC on the same site. All clocks are good.

One other thing worth mentioning: I also demoted a domain controller after I built the 2012 DC today. All the demotion was successful. It has been removed from the newly built DC, but because the new DC isn't replicating, the changes haven't replicated across to the other DCs.

OK... could have been a timing issue there.
Are all these in the same site? If you look in AD Sites and Services, where does the RID master replicate to?
Just wondering if it is trying to replicate to that server that was removed but didn't know that it's gone.

ASKER CERTIFIED SOLUTION
Greg Hejl

This solution is only available to members.

Matt

ASKER

No they are on different sites.

I have a DR site that had a 2003 server (drdc).

I promoted the 2012 server (drdc01)

I then demoted the server drdc

The active directory object created and replicated to all DC's.

DRDC01 sites and services is correct and only has itself under the DR site.

All other DCs on different sites did not update the Sites and Services and do not have the new server DRDC01 but still have all settings for the old server DRDC.

Should I forcefully remove drdc?

Matt

ASKER

Not in this instance.

Matt

ASKER

Update..

Just to update it looks a bit of a mess.

DR site server drdc01 has been promoted to a DC but none of the other DC's see this. They just see it as a member server. The old DC on this site which was demoted (drdc) is no longer a DC but all other sites still see this as a DC.

Should I demote DRDC01 and promote again? Then forcefully remove DRDC?

Have you been through DNS checks?

http://technet.microsoft.com/en-us/library/bb727055.aspx

Is DRDC still listed in DNS as a DC?
(Sorry if I seem to be diverting a little here - there are quite a few checks to be made to make sure it all runs smoothly.)

Here is a link to removing all vestiges of a failed domain controller:
http://support2.microsoft.com/kb/555846

Here is a suggestion: pick one DC that is the most accurate and make this the "source of truth". Seize all FSMO roles to this DC. Force demote the other DCs. Do an AD metadata cleanup. Clean up DNS, WINS etc. Wait a couple of hours or one day if you can to give everything time to settle, then try to add one DC back.

Matt

ASKER

OK, had removed problematic DCs and cleaned up. All looking much better. One problem I still seem to get, and this seemed to only become apparent when I started to introduce 2012 DCs to the domain: every now and again a user's machine would lock and they wouldn't be able to log back on with their current password. The only way to fix this issue is to reboot the machine. Any reason why this might happen?

Are there any errors / warnings in the affected workstations' event logs? What about the event log on the DCs?

Nice work on the AD clean-up !!!

Matt

ASKER

I'm not sure; at the time I didn't get a chance to look. I will wait for the next time it happens.

Matt

ASKER

Verbose log from FSMO DC

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine winDC01, is a Directory Server. 
   Home Server = winDC01

   * Connecting to directory service on server winDC01.

   * Identified AD Forest. 
   Collecting AD specific global data 
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded 
   Iterating through the sites 
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=VPNUsers,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Neuss,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Pachesham,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Colo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=RealIPColo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Cumbernauld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Roosendaal,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Paris,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=DRSite,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Turin,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Munich,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers 
   Getting information for the server CN=NTDS Settings,CN=WINNERSHDC2,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=CUMBERNAULDDC1,CN=Servers,CN=Cumbernauld,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=COLODC,CN=Servers,CN=RealIPColo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=MITDC,CN=Servers,CN=Turin,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=WINDC02,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DEDC02,CN=Servers,CN=Munich,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=ROOSENDAALDC01,CN=Servers,CN=Roosendaal,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=FRDC01,CN=Servers,CN=Paris,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=COLODC01,CN=Servers,CN=Colo,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 10 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: Winnersh\WINDC01

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         * Active Directory RPC Services Check
         ......................... WINDC01 passed test Connectivity



Doing primary tests

   
   Testing server: Winnersh\WINDC01

      Starting test: Advertising

         The DC WINDC01 is advertising itself as a DC and having a DS.
         The DC WINDC01 is advertising as an LDAP server
         The DC WINDC01 is advertising as having a writeable directory
         The DC WINDC01 is advertising as a Key Distribution Center
         The DC WINDC01 is advertising as a time server
         The DS WINDC01 is advertising as a GC.
         ......................... WINDC01 passed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test 
         ......................... WINDC01 passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log. 
         Skip the test because the server is running FRS.

         ......................... WINDC01 passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... WINDC01 passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... WINDC01 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local
         ......................... WINDC01 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC WINDC01 on DC WINDC01.
         * SPN found :LDAP/winDC01.DOMAIN.local/DOMAIN.local
         * SPN found :LDAP/winDC01.DOMAIN.local
         * SPN found :LDAP/WINDC01
         * SPN found :LDAP/winDC01.DOMAIN.local/DOMAIN.local
         * SPN found :LDAP/9c56f573-b228-480e-9d61-86610c38b184._msdcs.DOMAIN.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/9c56f573-b228-480e-9d61-86610c38b184/DOMAIN.local
         * SPN found :HOST/winDC01.DOMAIN.local/DOMAIN.local
         * SPN found :HOST/winDC01.DOMAIN.local
         * SPN found :HOST/WINDC01
         * SPN found :HOST/winDC01.DOMAIN.local/DOMAIN.local
         * SPN found :GC/winDC01.DOMAIN.local/DOMAIN.local
         ......................... WINDC01 passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC WINDC01.
         * Security Permissions Check for

           DC=DomainDnsZones,DC=DOMAIN.local,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=ForestDnsZones,DC=DOMAIN.local,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=DOMAIN.local,DC=local
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=DOMAIN.local,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=DOMAIN.local,DC=local
            (Domain,Version 3)
         ......................... WINDC01 passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\WINDC01\netlogon
         Verified share \\WINDC01\sysvol
         ......................... WINDC01 passed test NetLogons

      Starting test: ObjectsReplicated

         WINDC01 is in domain DC=DOMAIN.local,DC=local
         Checking for CN=WINDC01,OU=Domain Controllers,DC=DOMAIN.local,DC=local in domain DC=DOMAIN.local,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local in domain CN=Configuration,DC=DOMAIN.local,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... WINDC01 passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=DomainDnsZones,DC=DOMAIN.local,DC=local
               Latency information for 17 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=ForestDnsZones,DC=DOMAIN.local,DC=local
               Latency information for 17 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=DOMAIN.local,DC=local
               Latency information for 17 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=DOMAIN.local,DC=local
               Latency information for 18 entries in the vector were ignored.
                  18 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DOMAIN.local,DC=local
               Latency information for 17 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... WINDC01 passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 19100 to 1073741823
         * winDC01.DOMAIN.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 15600 to 16099
         * rIDPreviousAllocationPool is 15600 to 16099
         * rIDNextRID: 15613
         ......................... WINDC01 passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... WINDC01 passed test Services

      Starting test: SystemLog

         * The System Event log test
         ......................... WINDC01 failed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=WINDC01,OU=Domain Controllers,DC=DOMAIN.local,DC=local and backlink on

         CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local

          are correct. 
         The system object reference (serverReferenceBL)

         CN=WINDC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DOMAIN.local,DC=local

         and backlink on

         CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=DOMAIN.local,DC=local

         are correct. 
         The system object reference (frsComputerReferenceBL)

         CN=WINDC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DOMAIN.local,DC=local

         and backlink on CN=WINDC01,OU=Domain Controllers,DC=DOMAIN.local,DC=local

         are correct. 
         ......................... WINDC01 passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Test omitted by user request: DNS

      Test omitted by user request: DNS

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : DOMAIN.local

      Starting test: CheckSDRefDom

         ......................... DOMAIN.local passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DOMAIN.local passed test CrossRefValidation

   
   Running enterprise tests on : DOMAIN.local

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\winDC01.DOMAIN.local

         Locator Flags: 0xe000f3fd
         PDC Name: \\winDC01.DOMAIN.local
         Locator Flags: 0xe000f3fd
         Time Server Name: \\winDC01.DOMAIN.local
         Locator Flags: 0xe000f3fd
         Preferred Time Server Name: \\winDC01.DOMAIN.local
         Locator Flags: 0xe000f3fd
         KDC Name: \\winDC01.DOMAIN.local
         Locator Flags: 0xe000f3fd
         ......................... DOMAIN.local passed test LocatorCheck

      Starting test: Intersite

         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided. 
         Skipping site VPNUsers, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site Neuss, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site Pachesham, this site is outside the scope provided by

         the command line arguments provided. 
         Skipping site Colo, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site Winnersh, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site RealIPColo, this site is outside the scope provided by

         the command line arguments provided. 
         Skipping site Cumbernauld, this site is outside the scope provided by

         the command line arguments provided. 
         Skipping site Roosendaal, this site is outside the scope provided by

         the command line arguments provided. 
         Skipping site Paris, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site DRSite, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site Turin, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site Munich, this site is outside the scope provided by the

         command line arguments provided. 
         ......................... DOMAIN.local passed test Intersite


Looks good so far. Can you post the results of repadmin /showrepl?

What OS are your clients?
Matt

ASKER

All Windows 7 machines ....

Repadmin: running command /showrepl against full DC localhost
Winnersh\WINDC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9c56f573-b228-480e-9d61-86610c38b184
DSA invocationID: 039aecb8-790b-49a4-804d-27904849f56f

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=local
    Colo\COLODC01 via RPC
        DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
        Last attempt @ 2014-10-12 21:38:15 was successful.
    Winnersh\WINNERSHDC2 via RPC
        DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
        Last attempt @ 2014-10-12 21:45:54 was successful.
    Winnersh\WINDC02 via RPC
        DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
        Last attempt @ 2014-10-12 21:46:17 was successful.

CN=Configuration,DC=domain,DC=local
    Winnersh\WINDC02 via RPC
        DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Winnersh\WINNERSHDC2 via RPC
        DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Colo\COLODC01 via RPC
        DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
        Last attempt @ 2014-10-12 21:38:15 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=local
    Winnersh\WINDC02 via RPC
        DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Winnersh\WINNERSHDC2 via RPC
        DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Colo\COLODC01 via RPC
        DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
        Last attempt @ 2014-10-12 21:38:15 was successful.

DC=ForestDnsZones,DC=domain,DC=local
    Winnersh\WINNERSHDC2 via RPC
        DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Winnersh\WINDC02 via RPC
        DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
        Last attempt @ 2014-10-12 20:53:15 was successful.
    Colo\COLODC01 via RPC
        DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
        Last attempt @ 2014-10-12 21:38:15 was successful.

DC=DomainDnsZones,DC=domain,DC=local
    Colo\COLODC01 via RPC
        DSA object GUID: cca2458e-7864-4756-b3f0-c78d891b06ea
        Last attempt @ 2014-10-12 21:38:15 was successful.
    Winnersh\WINDC02 via RPC
        DSA object GUID: 5df22a58-4504-4733-aeed-2fc5ff39e454
        Last attempt @ 2014-10-12 21:47:07 was successful.
    Winnersh\WINNERSHDC2 via RPC
        DSA object GUID: 630657dc-66c8-4388-ab47-cd96f40a6b9d
        Last attempt @ 2014-10-12 21:47:13 was successful.
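
Output in this layout can be checked mechanically for failed or stale inbound links. The parser below is an added example, not part of the original thread; the sample text, the DC and site names in it, and the 3-hour staleness threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

ATTEMPT = re.compile(r"Last attempt @ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
                     r"(was successful|failed, result (\d+))")

def parse_showrepl(text):
    """Return one dict per inbound link: naming context, partner, time, status."""
    links, nc, partner, inbound = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):          # section banner
            inbound = "INBOUND NEIGHBORS" in line
        elif not inbound or not line:
            continue
        elif not raw[0].isspace():           # unindented: naming context DN
            nc = line
        elif line.endswith(" via RPC"):      # Site\Server of the source DC
            partner = line[:-len(" via RPC")]
        elif (m := ATTEMPT.search(line)):
            links.append({"nc": nc, "partner": partner,
                "when": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                "ok": m.group(3) is None,
                "result": int(m.group(3) or 0)})
    return links

def problems(links, now, max_age=timedelta(hours=3)):
    """Links that failed, or whose last attempt is older than max_age (assumed)."""
    return [link for link in links
            if not link["ok"] or now - link["when"] > max_age]

# Constructed sample (hypothetical names) in the layout of the output above.
SAMPLE = r"""==== INBOUND NEIGHBORS ======================================

DC=example,DC=local
    SiteB\DC-B via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2014-10-12 21:38:15 was successful.
    SiteA\DC-C via RPC
        Last attempt @ 2014-10-12 21:45:54 failed, result 1722 (0x6ba):
            The RPC server is unavailable.

CN=Configuration,DC=example,DC=local
    SiteB\DC-B via RPC
        Last attempt @ 2014-10-12 15:10:02 was successful.
"""

if __name__ == "__main__":
    for link in problems(parse_showrepl(SAMPLE), datetime(2014, 10, 12, 22, 0)):
        print(link["nc"], link["partner"], link["when"], link["result"] or "stale")
```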


Has this happened since you cleaned up AD? If not, this could be caused by the replication problem in AD that you were experiencing.
Matt

ASKER

Had one issue this morning. A user powered on their machine and tried to log on. Got the default message saying incorrect username/password, although they are sure it was correct. I reset the password and they logged on OK. No event created in eventvwr.
Matt

ASKER

Same issue with another user. This time I rebooted without changing password and it accepted the password.
Event ID 4771
Kerberos pre-authentication failed.

Account Information:
	Security ID:		domain\CBryant
	Account Name:		CBryant

Service Information:
	Service Name:		krbtgt/domain

Network Information:
	Client Address:		::ffff:x.x.0.42
	Client Port:		2300

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x18
	Pre-Authentication Type:	2

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.


This usually means the user entered a bad PWD or their token has expired.

Are all client workstation clocks in sync with the PDC's time?
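
The Failure Code field of a 4771 event can be decoded against the RFC 4120 error table, where 0x18 is KDC_ERR_PREAUTH_FAILED and clock skew is reported separately as 0x25 (KRB_AP_ERR_SKEW). The decoder below is an added example, not part of the original thread; the accounts, client addresses and sample events are constructed.

```python
from collections import Counter

# Subset of the Kerberos error codes defined in RFC 4120, section 7.5.9.
KRB_ERRORS = {
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "account name not found"),
    0x12: ("KDC_ERR_CLIENT_REVOKED", "account disabled, locked out or expired"),
    0x17: ("KDC_ERR_KEY_EXPIRED", "password has expired"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", "pre-authentication data invalid"),
    0x25: ("KRB_AP_ERR_SKEW", "clock skew too great"),
}

def parse_4771(message):
    """Extract the labelled fields of one Event ID 4771 message body."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")   # split at the first colon only
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    code = int(fields["Failure Code"], 16)
    name, meaning = KRB_ERRORS.get(code, ("UNKNOWN", "code not in this table"))
    return {
        "account": fields["Account Name"],
        "client": fields["Client Address"].replace("::ffff:", "", 1),
        "code": code, "error": name, "meaning": meaning,
        "clock_related": code == 0x25,
    }

def summarize(messages):
    """Count failures per (account, client, error) so repeats stand out."""
    return Counter((e["account"], e["client"], e["error"])
                   for e in map(parse_4771, messages))

# Constructed sample events in the layout of the event posted above.
def make_event(account, client, code):
    return ("Kerberos pre-authentication failed.\n\nAccount Information:\n"
            f"\tSecurity ID:\t\tEXAMPLE\\{account}\n\tAccount Name:\t\t{account}\n\n"
            f"Network Information:\n\tClient Address:\t\t::ffff:{client}\n"
            "\tClient Port:\t\t2300\n\nAdditional Information:\n"
            f"\tTicket Options:\t\t0x40810010\n\tFailure Code:\t\t{code}\n"
            "\tPre-Authentication Type:\t2\n")

SAMPLE = [make_event("user1", "192.0.2.42", "0x18"),
          make_event("user1", "192.0.2.42", "0x18"),
          make_event("user2", "192.0.2.57", "0x25")]

if __name__ == "__main__":
    for (account, client, error), n in summarize(SAMPLE).items():
        print(f"{account:8} {client:12} {error:24} x{n}")
```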
Matt

ASKER

When you say token has expired, how does this work? Is it the same on all domains? The time is synced with the PDC, so the clients' time should be accurate.

The Kerberos token naturally expires after 8 hours by design. When you say "should" be in sync, can you double check for me, please?
Matt

ASKER

Sorry for delay...
So I'm still getting the same issue with a few users. The machine locks, and the user cannot unlock it again. The time on the machine is correct. A reboot fixes the issue and they can log on again.
Matt

ASKER

I spoke with a user earlier who had the same problem.

This morning when she logged in she was prompted to change her password, which she did. After lunch she returned to her desktop with the screen locked. It wouldn't take the new password to unlock, however it would accept the old one?!

I confirmed this by manually locking the workstation and unlocking again with the old password.

Is this with a wireless connection?

I have noticed on some machines that the wireless connection is not authenticated until the user is logged in, and will not accept password changes unless the user is first logged in and then uses control-alt-delete to change the password.
Matt

ASKER

No, wired.

Related events in Event Viewer? Or still the same as above?
Matt

ASKER

Same as above.