LojzoT
asked on
Reconciling AD DS replication after tombstone lifetime passed
Hello,
I have 4 DCs in local LAN and 1 DC in a remote LAN. In the local LAN DC1 and DC2 running Windows Server 2003 SP2, DC4 and DC5 Windows Server 2012R2. In the remote LAN the DC3 running Windows Server 2008 SP1.
The new DC4 and DC5 servers should replace DC1&DC2 in the near future after successful migrating all the services from the old servers to the new ones.
First I had only 3 DCs - DC1, DC2 & DC3. DC3 in the remote LAN was replicated with DC2, when DC1 kept all 5 FSMO roles. The replication between DC2 and DC3 stuck a few months ago.
Short time ago I have added the 2 new servers DC4 & DC5 to the local LAN with a purpose of replacing DC1&DC2. The 5 FSMO roles were moved to DC4. Now I want to restore the AD replication between DC3 and DC5, but it is still configured between DC2 and DC3. I am receiving daily 4 times Error no. 1864:
=======
This is the replication status for the following directory partition on this directory server.
Directory partition:
DC=<domain-name>,DC=local
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
60
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
=======
This is the replication status for the following directory partition on this directory server.
Directory partition:
CN=Configuration,DC=<domai
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
60
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
=======
This is the replication status for the following directory partition on this directory server.
Directory partition:
DC=DomainDnsZones,DC=<doma
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
60
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
=======
This is the replication status for the following directory partition on this directory server.
Directory partition:
DC=ForestDnsZones,DC=<doma
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
60
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
=======
How can I restore DC replication and get rid of these errors?
Thank You.
I have 4 DCs in local LAN and 1 DC in a remote LAN. In the local LAN DC1 and DC2 running Windows Server 2003 SP2, DC4 and DC5 Windows Server 2012R2. In the remote LAN the DC3 running Windows Server 2008 SP1.
The new DC4 and DC5 servers should replace DC1&DC2 in the near future after successful migrating all the services from the old servers to the new ones.
First I had only 3 DCs - DC1, DC2 & DC3. DC3 in the remote LAN was replicated with DC2, when DC1 kept all 5 FSMO roles. The replication between DC2 and DC3 stuck a few months ago.
Short time ago I have added the 2 new servers DC4 & DC5 to the local LAN with a purpose of replacing DC1&DC2. The 5 FSMO roles were moved to DC4. Now I want to restore the AD replication between DC3 and DC5, but it is still configured between DC2 and DC3. I am receiving daily 4 times Error no. 1864:
=======
This is the replication status for the following directory partition on this directory server.
Directory partition:
DC=<domain-name>,DC=local
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
60
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
=======
This is the replication status for the following directory partition on this directory server.
Directory partition:
CN=Configuration,DC=<domai
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
60
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
=======
This is the replication status for the following directory partition on this directory server.
Directory partition:
DC=DomainDnsZones,DC=<doma
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
60
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
=======
This is the replication status for the following directory partition on this directory server.
Directory partition:
DC=ForestDnsZones,DC=<doma
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
60
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
=======
How can I restore DC replication and get rid of these errors?
Thank You.
DrDave242
Are those errors appearing on DC3 or one of the others?
Since you have 2003 DC's in your domain, you are still in at most a 2003 domain level, so I'll send you these instructions:
https://technet.microsoft.com/en-us/library/cc786630(v=ws.10).aspx
You can also increase the Tombstone timespan to the new default of 180 days to help if future long disconnects happen. This won't help since it already occurred. https://technet.microsoft.com/en-us/library/cc784932(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc786630(v=ws.10).aspx
You can also increase the Tombstone timespan to the new default of 180 days to help if future long disconnects happen. This won't help since it already occurred. https://technet.microsoft.com/en-us/library/cc784932(v=ws.10).aspx
ASKER
@DrDave242:
No, these errors are appearing on DC2, DC4 and DC5
On DC3 I am getting 4 times a group of Warning with Event ID 1566, then an Error with Event ID 1311 followed by another Warning (Event ID 1865) for the following DirectoryPartitions:
1. DC=<DomainName>,DC=local (see the logs below)
2. DC=DomainDnsZones,DC=<Doma
3. DC=ForestDnsZones,DC=<Doma
4. CN=Configuration,DC=<Domai
=====
Warning ID 1566:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
Site:
CN=Default-First-Site-Name
Directory partition:
DC=<DomainName>,DC=local
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Con
====
Error 1311:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
DC=DomainDnsZones,DC=<Doma
There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
User Action
Perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
====
Warning 1865:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=Default-First-Site-Name
No, these errors are appearing on DC2, DC4 and DC5
On DC3 I am getting 4 times a group of Warning with Event ID 1566, then an Error with Event ID 1311 followed by another Warning (Event ID 1865) for the following DirectoryPartitions:
1. DC=<DomainName>,DC=local (see the logs below)
2. DC=DomainDnsZones,DC=<Doma
3. DC=ForestDnsZones,DC=<Doma
4. CN=Configuration,DC=<Domai
=====
Warning ID 1566:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
Site:
CN=Default-First-Site-Name
Directory partition:
DC=<DomainName>,DC=local
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Con
====
Error 1311:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
DC=DomainDnsZones,DC=<Doma
There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
User Action
Perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
====
Warning 1865:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=Default-First-Site-Name
ASKER
@Pber:
I am trying to follow the instructions you sent me, but no success yet. When I am running the command
repadmin /removelingeringobjects DC3 c3e26067-7914-42ca-b380-bc
I am getting an error:
DsReplicaVerifyObjectsW() failed with status -2146893022 (0x80090322): The target principal name is incorrect.
I am trying to follow the instructions you sent me, but no success yet. When I am running the command
repadmin /removelingeringobjects DC3 c3e26067-7914-42ca-b380-bc
I am getting an error:
DsReplicaVerifyObjectsW() failed with status -2146893022 (0x80090322): The target principal name is incorrect.
ASKER
I have tried the 1st step, but got this error:
Next I have tried to reset the DC account password of DC3 on DC4 which is the PDC emulator.
I stopped the KDC service on all DCs except DC4, purged kerberos ticket cache on DC3 and ran this command also on DC3:
Then I wanted to synchronize the domain, so I ran on DC4 this command below, but got couple of errors connected with DC3:
C:\Windows\system32>repadm
Syncing all NC's held on DC4.
Syncing partition: DC=ForestDnsZones,DC=<Doma
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
Syncing partition: DC=DomainDnsZones,DC=<Doma
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
Syncing partition: CN=Schema,CN=Configuration
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
Syncing partition: CN=Configuration,DC=<Domai
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
Syncing partition: DC=<DomainName>,DC=local
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
When I ran the same command on DC3, I got this:
What should I try next?
Thank you for answer.
C:\Windows\system32>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC3
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Remote-Site\DC3
Starting test: Connectivity
......................... DC3 passed test Connectivity
Doing primary tests
Testing server: Remote-Site\DC3
Starting test: CheckSecurityError
Source DC DC2 has possible security error (1908). Diagnosing...
No KDC found for domain <DomainName>.local in site
Default-First-Site-Name (1355, NULL)
[DC2] Unable to contact this DC. Cannot continue
diagnosing errors with this DC.
[DC1] DsBindWithSpnEx() failed with error -2146893022,
Win32 Error -2146893022.
Ignoring DC DC1 in the convergence test of object
CN=DC3,OU=Domain Controllers,DC=<DomainName
connect!
[DC2] DsBindWithSpnEx() failed with error -2146893022,
Win32 Error -2146893022.
Ignoring DC DC2 in the convergence test of object
CN=DC3,OU=Domain Controllers,DC=<DomainName
connect!
......................... DC3 failed test CheckSecurityError
Running partition tests on : DomainDnsZones
Running partition tests on : ForestDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : <DomainName>
Running enterprise tests on : <DomainName>.local
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC3
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Remote-Site\DC3
Starting test: Connectivity
......................... DC3 passed test Connectivity
Doing primary tests
Testing server: Remote-Site\DC3
Starting test: CheckSecurityError
Source DC DC2 has possible security error (1908). Diagnosing...
No KDC found for domain <DomainName>.local in site
Default-First-Site-Name (1355, NULL)
[DC2] Unable to contact this DC. Cannot continue
diagnosing errors with this DC.
[DC1] DsBindWithSpnEx() failed with error -2146893022,
Win32 Error -2146893022.
Ignoring DC DC1 in the convergence test of object
CN=DC3,OU=Domain Controllers,DC=<DomainName
connect!
[DC2] DsBindWithSpnEx() failed with error -2146893022,
Win32 Error -2146893022.
Ignoring DC DC2 in the convergence test of object
CN=DC3,OU=Domain Controllers,DC=<DomainName
connect!
......................... DC3 failed test CheckSecurityError
Running partition tests on : DomainDnsZones
Running partition tests on : ForestDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : <DomainName>
Running enterprise tests on : <DomainName>.local
Next I have tried to reset the DC account password of DC3 on DC4 which is the PDC emulator.
I stopped the KDC service on all DCs except DC4, purged kerberos ticket cache on DC3 and ran this command also on DC3:
C:\Windows\system32>netdom
Type the password associated with the domain user:
The machine account password for the local machine has been successfully reset.
The command completed successfully.
Type the password associated with the domain user:
The machine account password for the local machine has been successfully reset.
The command completed successfully.
Then I wanted to synchronize the domain, so I ran on DC4 this command below, but got couple of errors connected with DC3:
C:\Windows\system32>repadm
Syncing all NC's held on DC4.
Syncing partition: DC=ForestDnsZones,DC=<Doma
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
Syncing partition: DC=DomainDnsZones,DC=<Doma
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
Syncing partition: CN=Schema,CN=Configuration
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
Syncing partition: CN=Configuration,DC=<Domai
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
Syncing partition: DC=<DomainName>,DC=local
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC2,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC4,CN=Servers
To : CN=NTDS Settings,CN=DC1,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication completed successfully:
From: CN=NTDS Settings,CN=DC1,CN=Servers
To : CN=NTDS Settings,CN=DC5,CN=Servers
CALLBACK MESSAGE: The following replication is in progress:
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 1908 (0x774):
Could not find the domain controller for this domain.
From: CN=NTDS Settings,CN=DC2,CN=Servers
To : CN=NTDS Settings,CN=DC3,CN=Servers
When I ran the same command on DC3, I got this:
C:\Windows\system32>repadm
Syncing all NC's held on localhost.
Syncing partition: DC=DomainDnsZones,DC=<Doma
CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=DC1,CN=Servers
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=DC2,CN=Servers
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=DC3,CN=Servers
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
SyncAll exited with fatal Win32 error: 8440 (0x20f8):
The naming context specified for this replication operation is invalid.
Syncing all NC's held on localhost.
Syncing partition: DC=DomainDnsZones,DC=<Doma
CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=DC1,CN=Servers
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=DC2,CN=Servers
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=DC3,CN=Servers
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
SyncAll exited with fatal Win32 error: 8440 (0x20f8):
The naming context specified for this replication operation is invalid.
What should I try next?
Thank you for answer.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Here's some extra info:
https://support.microsoft.com/en-us/kb/332199
https://support.microsoft.com/en-us/kb/332199
ASKER
Yes, true, only DC3 has the issue, the other 4 DCs are working just fine.
I will try your suggestion next day.
The metadata cleanup I should do on one of the rest 4 DCs, right? Maybe DC4 as the new FSMO role holder, or?
Thank you for your help.
I will try your suggestion next day.
The metadata cleanup I should do on one of the rest 4 DCs, right? Maybe DC4 as the new FSMO role holder, or?
Thank you for your help.
Yup on one of the good DCs
ASKER
Thank you for your help, I turned off DC3, then I did metadata cleanup in the domain. Errors connected with this issue are gone. DC3 will be reinstalled from the ground and it will be reconnected to the AD.
Thanks again.
Thanks again.
Awesome. Glad to help.