Solved

AD replication issues

Posted on 2014-12-18
Last Modified: 2015-01-05
Hello Experts,

I have a customer who has been running into some replication issues for a while. After running DCDIAG, we have discovered the following errors.

The company has 16 sites and is facing different GPO issues, most likely caused by these FRS replication issues. Please see the logs below.

Forest/Domain functional level 2008 R2

DCs: Windows 2008 R2

So far, replication issues found on 3 Domain controllers

Can anyone provide me with step-by-step instructions to fix these replication issues? Provide as much detail as you can. I can provide the DCDiag log and replmon if required, but basically you will see the same information below.

Please see each error and their corresponding code

From JAX00-dcdiag
Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         A warning event occurred.  EventID: 0x800034C4
            Time Generated: 12/17/2014   02:05:15
            Event String:
            The File Replication Service is having trouble enabling replication from HOU1 to JAX00 for c:\windows\sysvol\domain using the DNS name HOU1.domaincompany.com. FRS will keep retrying.  
             Following are some of the reasons you would see this warning.  
             
             [1] FRS can not correctly resolve the DNS name HOU1.domaincompany.com from this computer.  
             [2] FRS is not running on HOU1.domaincompany.com.  
             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.  
             
             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         A warning event occurred.  EventID: 0x800034C4
            Time Generated: 12/17/2014   11:10:40
            Event String:
            The File Replication Service is having trouble enabling replication from JUP1 to JAX00 for c:\windows\sysvol\domain using the DNS name JUP1.domaincompany.com. FRS will keep retrying.  
             Following are some of the reasons you would see this warning.  
             
             [1] FRS can not correctly resolve the DNS name JUP1.domaincompany.com from this computer.  
             [2] FRS is not running on JUP1.domaincompany.com.  
             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.  
             
             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         ......................... JAX00 passed test FrsEvent
Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=domaincompany,DC=com
               Latency information for 55 entries in the vector were ignored.
                  55 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=domaincompany,DC=com
               Latency information for 55 entries in the vector were ignored.
                  55 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=domaincompany,DC=com
               Latency information for 85 entries in the vector were ignored.
                  85 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=domaincompany,DC=com
               Latency information for 85 entries in the vector were ignored.
                  85 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=domaincompany,DC=com
               Latency information for 85 entries in the vector were ignored.
                  85 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... JAX00 passed test Replications

Starting test: SystemLog
         * The System Event log test
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 12/17/2014   13:38:56
            Event String:
            The session setup from the computer JAX4921 failed to authenticate. The following error occurred:  
            Access is denied.
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 12/17/2014   13:57:38
            Event String:
            The session setup from computer 'JX1906VM' failed because the security database does not contain a trust account 'JX1906VM$' referenced by the specified computer.  
             
            USER ACTION  
            If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'JX1906VM$' is a legitimate machine account for the computer 'JX1906VM' then 'JX1906VM' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:  
             
            If 'JX1906VM$' is a legitimate machine account for the computer 'JX1906VM', then 'JX1906VM' should be rejoined to the domain.  
             
            If 'JX1906VM$' is a legitimate interdomain trust account, then the trust should be recreated.  
             
            Otherwise, assuming that 'JX1906VM$' is not a legitimate account, the following action should be taken on 'JX1906VM':  
             
            If 'JX1906VM' is a Domain Controller, then the trust associated with 'JX1906VM$' should be deleted.  
             
            If 'JX1906VM' is not a Domain Controller, it should be disjoined from the domain.
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 12/17/2014   13:57:51
            Event String:
            The session setup from computer 'JX8581' failed because the security database does not contain a trust account 'JX8581$' referenced by the specified computer.  
             
            USER ACTION  
            If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'JX8581$' is a legitimate machine account for the computer 'JX8581' then 'JX8581' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:  
             
            If 'JX8581$' is a legitimate machine account for the computer 'JX8581', then 'JX8581' should be rejoined to the domain.  
             
            If 'JX8581$' is a legitimate interdomain trust account, then the trust should be recreated.  
             
            Otherwise, assuming that 'JX8581$' is not a legitimate account, the following action should be taken on 'JX8581':  
             
            If 'JX8581' is a Domain Controller, then the trust associated with 'JX8581$' should be deleted.  
             
            If 'JX8581' is not a Domain Controller, it should be disjoined from the domain.
         ......................... JAX00 failed test SystemLog
0
Question by:Jerry Seinfield
3 Comments
 
LVL 4

Expert Comment

by:Sabi Goraya
ID: 40508285
Hi
As you would imagine, due to the complexity of the setup I can provide you my initial thoughts on the issue rather than a straight answer.
Here we go.

From the initial look at the error, it looks like the common cause of replication failure is JAX00.
Replication depends on DNS, and hence the first thing to test is: are you able to resolve the JAX00 FQDN from JUP1 and HOU1?

Also, is the replication service running on JAX00 and, as a matter of fact, on the other servers?
0
 
LVL 4

Accepted Solution

by:
Sabi Goraya earned 2000 total points
ID: 40508309
Also

Most of the time it is a DNS misconfiguration or a network connectivity issue.
1. Check the DNS settings on the servers; each should point to itself, assuming the DNS role is installed on the server. If a public IP address is added in the NIC DNS settings, remove it and add it to the DNS forwarders if required.
If 127.0.0.1 is entered as DNS, remove it and add the IP address. Add an alternate DNS setting.

2. Check the NIC binding; the NIC which is online and has IP details should be first in the order. If multiple NICs are present, then disable the unrequired NICs.

3. Run ipconfig /flushdns and ipconfig /registerdns. Restart the Netlogon and DNS services.

4. Check the Windows firewall is disabled.

5. Run repadmin /syncall /AdeP on all DCs to force the replication.
6. Once done, run dcdiag /q and repadmin /replsum to check for any errors and post the same.

7. Check the firewall ports: http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx
0
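
The read-only checks behind steps 1 and 6 of the accepted answer, plus causes [1] and [2] listed in the FRS warning, as an added PowerShell example that is not part of the original thread. It assumes an elevated Windows PowerShell session on JAX00 and takes the partner names HOU1 and JUP1 from the dcdiag output in the question; `New-Row` is a helper defined only for this example.

```powershell
# Added example, not from the original thread. Nothing here changes configuration.
# Run in elevated Windows PowerShell on the DC logging the FRS warnings (JAX00).
# Partner FQDNs are the ones named in the dcdiag output in the question.
$partners = 'HOU1.domaincompany.com', 'JUP1.domaincompany.com'
$rfc1918  = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
$report   = @()

function New-Row($check, $target, $result) {
    New-Object PSObject -Property @{ Check = $check; Target = $target; Result = $result }
}

# Step 1: DNS servers configured on each IP-enabled NIC of this DC.
$nics     = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$localIPs = @($nics | ForEach-Object { $_.IPAddress })
foreach ($nic in $nics) {
    foreach ($dns in @($nic.DNSServerSearchOrder | Where-Object { $_ })) {
        if     ($dns -like '127.*')       { $note = 'loopback: replace with the DC IP address' }
        elseif ($localIPs -contains $dns) { $note = 'points to this DC' }
        elseif ($dns -match $rfc1918)     { $note = 'internal DNS server' }
        else                              { $note = 'not RFC 1918: if public, move to DNS forwarders' }
        $report += New-Row 'DNS client setting' $dns $note
    }
}

# Local services that SYSVOL replication relies on (FRS, Netlogon, DNS Server).
foreach ($name in 'NtFrs', 'Netlogon', 'DNS') {
    $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { [string]$svc.Status } else { 'not installed' }
    $report += New-Row 'Local service' $name $state
}

# FRS warning causes [1] and [2]: partner name resolution and partner FRS service state.
foreach ($fqdn in $partners) {
    try {
        $ips  = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        $note = 'resolves to ' + ($ips -join ', ')
    } catch { $note = 'DNS resolution FAILED' }
    $report += New-Row 'Partner DNS' $fqdn $note
    try {
        $note = [string](Get-Service -Name NtFrs -ComputerName $fqdn -ErrorAction Stop).Status
    } catch { $note = 'service state unreadable (RPC or name resolution)' }
    $report += New-Row 'Partner NtFrs' $fqdn $note
}

$report | Select-Object Check, Target, Result | Format-Table -AutoSize -Wrap

# Step 6: replication summary across all DCs (read-only).
repadmin /replsummary
```

Running the same script on HOU1 and JUP1 with JAX00's FQDN in `$partners` covers the reverse direction asked about in the first comment.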
 

Author Comment

by:Jerry Seinfield
ID: 40521129
Hello Sabi,

I did check all DNS servers and everything seems to be OK. No public IPs or 127.0.0.1 are being used.

ipconfig /flushdns and ipconfig /registerdns ran, and both services restarted

Windows firewall is disabled

Any other ideas?

Can someone else provide me with an action plan to resolve this issue?
0
