Learn the fundamentals of the popular programming language JavaScript so that you can explore the realm of web development.
Urgent Help dns, clock issues nightmare
As of now im not sure what is going on, echange server is not connecting, can only connect to computers using ip because the name gives me a clocl not syncronized error. please help
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
You have more than one problem then. Time can, obviously, be fixed easily enough but in a domain environment it should be synchronising with a DC.
It's likely time is wrong because something else is. What have you set your DNS servers (ipconfig) to?
It's likely time is wrong because something else is. What have you set your DNS servers (ipconfig) to?
When you connect via name, you're most likely using Kerberos authentication, which requires pretty strict time sync (within five minutes by default) between the machine you're connecting from and the one you're connecting to. When you connect via IP address, you're using NTLM authentication, which doesn't care about the time.
So, where is the time incorrect? Like Chris says, your domain-joined machines should all be configured to get their time from Active Directory.
So, where is the time incorrect? Like Chris says, your domain-joined machines should all be configured to get their time from Active Directory.
That is the problem all the times are correct, the Primary dc is in a vmware server that had an old dns itself, i corrected this a few days ago and all was working fine, now i cant strart dns on primary dc becasue it fails. the sais dc cannot be contacted, and also exchange is disconected i think i hope is because of this
Check about IPV6 (disable it) and also check the network adapters and the DNS entries for the server
Presumably you have some kind of error messages somewhere?
Ignore Exchange completely until you have your DCs fixed. If the DNS service is not starting, what does the event log say?
Ignore Exchange completely until you have your DCs fixed. If the DNS service is not starting, what does the event log say?
The main DC gives me this error when i try to open DNS, The server (domainName) could not be contacted the error was access denied would you like to add it anyway?
Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator’s requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected.
If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem.
If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem.
Is the DNS service started?
Are you able to run this command from the command line:
nslookup yourdomain.com
Have you run dcdiag to get an overview of any problems?
Have you looked at the event log at all to see if there are any errors?
"It doesn't work" is not sufficient to debug this.
Are you able to run this command from the command line:
nslookup yourdomain.com
Have you run dcdiag to get an overview of any problems?
Have you looked at the event log at all to see if there are any errors?
"It doesn't work" is not sufficient to debug this.
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.cdgcorp.lo
Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration
USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller
Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration
USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>nslook
12.2.168.192.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial = 1
refresh = 600 (10 mins)
retry = 1200 (20 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)
Server: UnKnown
Address: 192.168.2.12
Non-authoritative answer:
Name: y-group.com
Address: 198.71.232.3
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>nslook
12.2.168.192.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial = 1
refresh = 600 (10 mins)
retry = 1200 (20 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)
Server: UnKnown
Address: 192.168.2.12
Non-authoritative answer:
Name: y-group.com
Address: 198.71.232.3
What is 192.168.2.12?
I take it y-group.com is your internal (AD) domain name? If so, your DNS server configuration appears to be wrong. Get that wrong and everything fails.
I take it y-group.com is your internal (AD) domain name? If so, your DNS server configuration appears to be wrong. Get that wrong and everything fails.
I'm going offline for a while, so I'll leave this comment in the hope it helps move forward in my absence. I'm sure there are others that can help take this forward as well.
Your Domain Controllers and member servers IP configuration should only include DNS servers that are able to resolve names for your internal AD domain. In more cases than not this means you must use your Domain Controller IPs in the primary / secondary / tertiary / etc DNS server list (IP configurationj).
Verify that the DNS service is running on one (or more) of your servers, then fix any erroneous IP configuration to meet the requirement above. You should get to a state where the nslookup command works and shows the internal IP addresses of your Domain Controllers (in a list).
For example:
DC1:
Primary DNS server: DC2
Secondary DNS server: DC1
DC2:
Primary DNS server: DC1
Secondary DNS server: DC2
Your Domain Controllers and member servers IP configuration should only include DNS servers that are able to resolve names for your internal AD domain. In more cases than not this means you must use your Domain Controller IPs in the primary / secondary / tertiary / etc DNS server list (IP configurationj).
Verify that the DNS service is running on one (or more) of your servers, then fix any erroneous IP configuration to meet the requirement above. You should get to a state where the nslookup command works and shows the internal IP addresses of your Domain Controllers (in a list).
For example:
DC1:
Primary DNS server: DC2
Secondary DNS server: DC1
DC2:
Primary DNS server: DC1
Secondary DNS server: DC2
DNS server i have the two one ending in 12 ( wich has the problem is the primary) and one ending in 17 which is allowing me at least to browse
one note im not sure if it has to do with anything the 3 servers giving me issues are all in a VMware environment,
This is nuts, the three servers connected to the VMWARE server are not responding unless direct ip, the other 2 physical servers are working just fine.
Is time right on those? If they're all using .12 as primary DNS, and .12 is suspect, take it out of the loop. Make all of the servers use a working DNS server while you fix what might be broken.
Commonality is a useful thing to find in situations like this. For example, if someone had changed the network configuration of the host you could easily lose access to the rest of the network.
Commonality is a useful thing to find in situations like this. For example, if someone had changed the network configuration of the host you could easily lose access to the rest of the network.
This is nuts, the three servers connected to the VMWARE server are not responding unless direct ip, the other 2 physical servers are working just fine.
Do you have host-guest time sync configured on those, and if so, is the time incorrect on the VMware host server?
Time is ok on all this, later this week i changed the dns on the vm host to the new because the old server had died. but it was fine till this morning. the old server has no record anywere
I got the Ns lookup fixed i made him point to the secondary dc and dns and at least now i can print. but still no exchange
Do the same for Exchange, just in case, that one may need services restarting / a reboot / a good kick.
You do need to look at dcdiag on one of your working DCs. If the DC on VMWare is that unhappy the other DCs will know about it too, it's important to determine exactly how unhappy it is.
You do need to look at dcdiag on one of your working DCs. If the DC on VMWare is that unhappy the other DCs will know about it too, it's important to determine exactly how unhappy it is.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC-02
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: BrickellLocation\DC-02
Starting test: Connectivity
......................... DC-02 passed test Connectivity
Doing primary tests
Testing server: BrickellLocation\DC-02
Starting test: Advertising
......................... DC-02 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC-02 passed test FrsEvent
Starting test: DFSREvent
......................... DC-02 passed test DFSREvent
Starting test: SysVolCheck
......................... DC-02 passed test SysVolCheck
Starting test: KccEvent
......................... DC-02 passed test KccEvent
Starting test: KnowsOfRoleHolders
[YDC01] DsBindWithSpnEx() failed with error 1398,
There is a time and/or date difference between the client and server..
Warning: YDC01 is the Schema Owner, but is not responding to DS RPC
Bind.
[YDC01] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: YDC01 is the Schema Owner, but is not responding to LDAP
Bind.
Warning: YDC01 is the Domain Owner, but is not responding to DS RPC
Bind.
Warning: YDC01 is the Domain Owner, but is not responding to LDAP
Bind.
Warning: YDC01 is the PDC Owner, but is not responding to DS RPC Bind.
Warning: YDC01 is the PDC Owner, but is not responding to LDAP Bind.
Warning: YDC01 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: YDC01 is the Rid Owner, but is not responding to LDAP Bind.
Warning: YDC01 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: YDC01 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... DC-02 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC-02 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=cdgco
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=cdgco
......................... DC-02 failed test NCSecDesc
Starting test: NetLogons
......................... DC-02 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC-02 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,DC-02] A recent replication attempt failed:
From YDC01 to DC-02
Naming Context: DC=ForestDnsZones,DC=cdgco
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
The failure occurred at 2005-08-17 03:47:24.
The last success occurred at 2005-08-16 09:47:24.
18 failures have occurred since the last success.
[Replications Check,DC-02] A recent replication attempt failed:
From YDC01 to DC-02
Naming Context: DC=DomainDnsZones,DC=cdgco
The replication generated an error (1398):
There is a time and/or date difference between the client and server
.
The failure occurred at 2005-08-17 03:54:02.
The last success occurred at 2005-08-16 09:47:24.
20 failures have occurred since the last success.
Kerberos Error.
Check that the system time between the two servers is sufficiently.
close. Also check that the time service is functioning correctly
[Replications Check,DC-02] A recent replication attempt failed:
From YDC01 to DC-02
Naming Context: CN=Schema,CN=Configuration
The replication generated an error (1398):
There is a time and/or date difference between the client and server
.
The failure occurred at 2005-08-17 03:47:24.
The last success occurred at 2005-08-16 09:47:24.
18 failures have occurred since the last success.
Kerberos Error.
Check that the system time between the two servers is sufficiently.
close. Also check that the time service is functioning correctly
[Replications Check,DC-02] A recent replication attempt failed:
From YDC01 to DC-02
Naming Context: CN=Configuration,DC=cdgcor
The replication generated an error (1398):
There is a time and/or date difference between the client and server
.
The failure occurred at 2005-08-17 03:47:24.
The last success occurred at 2005-08-16 09:47:24.
18 failures have occurred since the last success.
Kerberos Error.
Check that the system time between the two servers is sufficiently.
close. Also check that the time service is functioning correctly
[Replications Check,DC-02] A recent replication attempt failed:
From YDC01 to DC-02
Naming Context: DC=cdgcorp,DC=local
The replication generated an error (1398):
There is a time and/or date difference between the client and server
.
The failure occurred at 2005-08-17 03:47:24.
The last success occurred at 2005-08-16 09:47:24.
18 failures have occurred since the last success.
Kerberos Error.
Check that the system time between the two servers is sufficiently.
close. Also check that the time service is functioning correctly
......................... DC-02 failed test Replications
Starting test: RidManager
......................... DC-02 failed test RidManager
Starting test: Services
......................... DC-02 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:26
Event String:
Driver RICOH Class Driver required for printer RICOH Class Driver is
unknown. Contact the administrator to install the driver before you log in agai
n.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:27
Event String:
Driver Brother HL-5050 required for printer Brother HL-5050 is unkno
wn. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:28
Event String:
Driver Adobe PDF Converter required for printer Adobe PDF is unknown
. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:28
Event String:
Driver Microsoft Print To PDF required for printer Microsoft Print t
o PDF is unknown. Contact the administrator to install the driver before you log
in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:30
Event String:
Driver Microsoft XPS Document Writer v4 required for printer Microso
ft XPS Document Writer is unknown. Contact the administrator to install the driv
er before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:31
Event String:
Driver Send to Microsoft OneNote 16 Driver required for printer Send
To OneNote 2016 is unknown. Contact the administrator to install the driver bef
ore you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:17
Event String:
Driver RICOH Class Driver required for printer RICOH Class Driver is
unknown. Contact the administrator to install the driver before you log in agai
n.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:17
Event String:
Driver Microsoft XPS Document Writer v4 required for printer Microso
ft XPS Document Writer is unknown. Contact the administrator to install the driv
er before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:18
Event String:
Driver Adobe PDF Converter required for printer Adobe PDF is unknown
. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:20
Event String:
Driver Brother HL-5050 required for printer Brother HL-5050 is unkno
wn. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:21
Event String:
Driver Microsoft Print To PDF required for printer Microsoft Print t
o PDF is unknown. Contact the administrator to install the driver before you log
in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:21
Event String:
Driver Send to Microsoft OneNote 16 Driver required for printer Send
To OneNote 2016 is unknown. Contact the administrator to install the driver bef
ore you log in again.
......................... DC-02 failed test SystemLog
Starting test: VerifyReferences
......................... DC-02 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : cdgcorp
Starting test: CheckSDRefDom
......................... cdgcorp passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... cdgcorp passed test CrossRefValidation
Running enterprise tests on : cdgcorp.local
Starting test: LocatorCheck
......................... cdgcorp.local passed test LocatorCheck
Starting test: Intersite
......................... cdgcorp.local passed test Intersite
C:\Windows\system32>
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC-02
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: BrickellLocation\DC-02
Starting test: Connectivity
......................... DC-02 passed test Connectivity
Doing primary tests
Testing server: BrickellLocation\DC-02
Starting test: Advertising
......................... DC-02 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC-02 passed test FrsEvent
Starting test: DFSREvent
......................... DC-02 passed test DFSREvent
Starting test: SysVolCheck
......................... DC-02 passed test SysVolCheck
Starting test: KccEvent
......................... DC-02 passed test KccEvent
Starting test: KnowsOfRoleHolders
[YDC01] DsBindWithSpnEx() failed with error 1398,
There is a time and/or date difference between the client and server..
Warning: YDC01 is the Schema Owner, but is not responding to DS RPC
Bind.
[YDC01] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: YDC01 is the Schema Owner, but is not responding to LDAP
Bind.
Warning: YDC01 is the Domain Owner, but is not responding to DS RPC
Bind.
Warning: YDC01 is the Domain Owner, but is not responding to LDAP
Bind.
Warning: YDC01 is the PDC Owner, but is not responding to DS RPC Bind.
Warning: YDC01 is the PDC Owner, but is not responding to LDAP Bind.
Warning: YDC01 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: YDC01 is the Rid Owner, but is not responding to LDAP Bind.
Warning: YDC01 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: YDC01 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... DC-02 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC-02 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=cdgco
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=cdgco
......................... DC-02 failed test NCSecDesc
Starting test: NetLogons
......................... DC-02 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC-02 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,DC-02] A recent replication attempt failed:
From YDC01 to DC-02
Naming Context: DC=ForestDnsZones,DC=cdgco
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
The failure occurred at 2005-08-17 03:47:24.
The last success occurred at 2005-08-16 09:47:24.
18 failures have occurred since the last success.
[Replications Check,DC-02] A recent replication attempt failed:
From YDC01 to DC-02
Naming Context: DC=DomainDnsZones,DC=cdgco
The replication generated an error (1398):
There is a time and/or date difference between the client and server
.
The failure occurred at 2005-08-17 03:54:02.
The last success occurred at 2005-08-16 09:47:24.
20 failures have occurred since the last success.
Kerberos Error.
Check that the system time between the two servers is sufficiently.
close. Also check that the time service is functioning correctly
[Replications Check,DC-02] A recent replication attempt failed:
From YDC01 to DC-02
Naming Context: CN=Schema,CN=Configuration
The replication generated an error (1398):
There is a time and/or date difference between the client and server
.
The failure occurred at 2005-08-17 03:47:24.
The last success occurred at 2005-08-16 09:47:24.
18 failures have occurred since the last success.
Kerberos Error.
Check that the system time between the two servers is sufficiently.
close. Also check that the time service is functioning correctly
[Replications Check,DC-02] A recent replication attempt failed:
From YDC01 to DC-02
Naming Context: CN=Configuration,DC=cdgcor
The replication generated an error (1398):
There is a time and/or date difference between the client and server
.
The failure occurred at 2005-08-17 03:47:24.
The last success occurred at 2005-08-16 09:47:24.
18 failures have occurred since the last success.
Kerberos Error.
Check that the system time between the two servers is sufficiently.
close. Also check that the time service is functioning correctly
[Replications Check,DC-02] A recent replication attempt failed:
From YDC01 to DC-02
Naming Context: DC=cdgcorp,DC=local
The replication generated an error (1398):
There is a time and/or date difference between the client and server
.
The failure occurred at 2005-08-17 03:47:24.
The last success occurred at 2005-08-16 09:47:24.
18 failures have occurred since the last success.
Kerberos Error.
Check that the system time between the two servers is sufficiently.
close. Also check that the time service is functioning correctly
......................... DC-02 failed test Replications
Starting test: RidManager
......................... DC-02 failed test RidManager
Starting test: Services
......................... DC-02 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:26
Event String:
Driver RICOH Class Driver required for printer RICOH Class Driver is
unknown. Contact the administrator to install the driver before you log in agai
n.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:27
Event String:
Driver Brother HL-5050 required for printer Brother HL-5050 is unkno
wn. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:28
Event String:
Driver Adobe PDF Converter required for printer Adobe PDF is unknown
. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:28
Event String:
Driver Microsoft Print To PDF required for printer Microsoft Print t
o PDF is unknown. Contact the administrator to install the driver before you log
in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:30
Event String:
Driver Microsoft XPS Document Writer v4 required for printer Microso
ft XPS Document Writer is unknown. Contact the administrator to install the driv
er before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 03:35:31
Event String:
Driver Send to Microsoft OneNote 16 Driver required for printer Send
To OneNote 2016 is unknown. Contact the administrator to install the driver bef
ore you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:17
Event String:
Driver RICOH Class Driver required for printer RICOH Class Driver is
unknown. Contact the administrator to install the driver before you log in agai
n.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:17
Event String:
Driver Microsoft XPS Document Writer v4 required for printer Microso
ft XPS Document Writer is unknown. Contact the administrator to install the driv
er before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:18
Event String:
Driver Adobe PDF Converter required for printer Adobe PDF is unknown
. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:20
Event String:
Driver Brother HL-5050 required for printer Brother HL-5050 is unkno
wn. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:21
Event String:
Driver Microsoft Print To PDF required for printer Microsoft Print t
o PDF is unknown. Contact the administrator to install the driver before you log
in again.
An error event occurred. EventID: 0x00000457
Time Generated: 08/17/2005 04:27:21
Event String:
Driver Send to Microsoft OneNote 16 Driver required for printer Send
To OneNote 2016 is unknown. Contact the administrator to install the driver bef
ore you log in again.
......................... DC-02 failed test SystemLog
Starting test: VerifyReferences
......................... DC-02 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : cdgcorp
Starting test: CheckSDRefDom
......................... cdgcorp passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... cdgcorp passed test CrossRefValidation
Running enterprise tests on : cdgcorp.local
Starting test: LocatorCheck
......................... cdgcorp.local passed test LocatorCheck
Starting test: Intersite
......................... cdgcorp.local passed test Intersite
C:\Windows\system32>
Are you certain that the time is synchronized between DC02 and YDC01? Because this seems to indicate that it's not:
Starting test: KnowsOfRoleHolders
[YDC01] DsBindWithSpnEx() failed with error 1398,
There is a time and/or date difference between the client and server..
Um. Why is the year 2005?
Move slowly here, you don't want your DCs to consider themselves to be 12 years out of date...
Move slowly here, you don't want your DCs to consider themselves to be 12 years out of date...
I get this after the time update
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC-02
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: BrickellLocation\DC-02
Starting test: Connectivity
......................... DC-02 passed test Connectivity
Doing primary tests
Testing server: BrickellLocation\DC-02
Starting test: Advertising
......................... DC-02 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC-02 passed test FrsEvent
Starting test: DFSREvent
......................... DC-02 passed test DFSREvent
Starting test: SysVolCheck
......................... DC-02 passed test SysVolCheck
Starting test: KccEvent
......................... DC-02 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC-02 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC-02 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=cdgco
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=cdgco
......................... DC-02 failed test NCSecDesc
Starting test: NetLogons
......................... DC-02 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC-02 passed test ObjectsReplicated
Starting test: Replications
......................... DC-02 passed test Replications
Starting test: RidManager
......................... DC-02 passed test RidManager
Starting test: Services
......................... DC-02 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0xC0002719
Time Generated: 03/24/2017 16:31:46
Event String:
DCOM was unable to communicate with the computer xchangesrv.cdgcorp.
local using any of the configured protocols.
A warning event occurred. EventID: 0x00000024
Time Generated: 03/24/2017 16:31:52
Event String:
The time service has not synchronized the system time for 86400 seco
nds because none of the time service providers provided a usable time stamp. The
time service will not update the local system time until it is able to synchron
ize with a time source. If the local system is configured to act as a time serve
r for clients, it will stop advertising as a time source to clients. The time se
rvice will continue to retry and sync time with its time sources. Check system e
vent log for other W32time events for more details. Run 'w32tm /resync' to force
an instant time synchronization.
......................... DC-02 failed test SystemLog
Starting test: VerifyReferences
......................... DC-02 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : cdgcorp
Starting test: CheckSDRefDom
......................... cdgcorp passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... cdgcorp passed test CrossRefValidation
Running enterprise tests on : cdgcorp.local
Starting test: LocatorCheck
......................... cdgcorp.local passed test LocatorCheck
Starting test: Intersite
......................... cdgcorp.local passed test Intersite
C:\Windows\system32>
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC-02
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: BrickellLocation\DC-02
Starting test: Connectivity
......................... DC-02 passed test Connectivity
Doing primary tests
Testing server: BrickellLocation\DC-02
Starting test: Advertising
......................... DC-02 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC-02 passed test FrsEvent
Starting test: DFSREvent
......................... DC-02 passed test DFSREvent
Starting test: SysVolCheck
......................... DC-02 passed test SysVolCheck
Starting test: KccEvent
......................... DC-02 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC-02 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC-02 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=cdgco
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=cdgco
......................... DC-02 failed test NCSecDesc
Starting test: NetLogons
......................... DC-02 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC-02 passed test ObjectsReplicated
Starting test: Replications
......................... DC-02 passed test Replications
Starting test: RidManager
......................... DC-02 passed test RidManager
Starting test: Services
......................... DC-02 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0xC0002719
Time Generated: 03/24/2017 16:31:46
Event String:
DCOM was unable to communicate with the computer xchangesrv.cdgcorp.
local using any of the configured protocols.
A warning event occurred. EventID: 0x00000024
Time Generated: 03/24/2017 16:31:52
Event String:
The time service has not synchronized the system time for 86400 seco
nds because none of the time service providers provided a usable time stamp. The
time service will not update the local system time until it is able to synchron
ize with a time source. If the local system is configured to act as a time serve
r for clients, it will stop advertising as a time source to clients. The time se
rvice will continue to retry and sync time with its time sources. Check system e
vent log for other W32time events for more details. Run 'w32tm /resync' to force
an instant time synchronization.
......................... DC-02 failed test SystemLog
Starting test: VerifyReferences
......................... DC-02 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : cdgcorp
Starting test: CheckSDRefDom
......................... cdgcorp passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... cdgcorp passed test CrossRefValidation
Running enterprise tests on : cdgcorp.local
Starting test: LocatorCheck
......................... cdgcorp.local passed test LocatorCheck
Starting test: Intersite
......................... cdgcorp.local passed test Intersite
C:\Windows\system32>
holy crap dc-02 has a wrong time and it completely eluded me. i changed it should i restart it?
There should be no need to restart it, but manually changing the time may not be enough to keep the issue from coming back (although if it were previously set to the year 2005, that may indeed be all you have to do).
Run w32tm /query /configuration on DC-02 and post the results here.
......................... cdgcorp.local passed test Intersite
C:\Windows\system32>w32tm /resync
Sending resync command to local computer
The computer did not resync because no time data was available.
C:\Windows\system32>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32tim
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombin
ResolvePeerBackoffMinutes:
ResolvePeerBackoffMaxTimes
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: DC_HostName.DomainName.com
NtpServer (Local)
DllName: C:\Windows\system32\w32tim
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombin
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmicti
Enabled: 1 (Local)
InputProvider: 1 (Local)
C:\Windows\system32>w32tm /resync
Sending resync command to local computer
The computer did not resync because no time data was available.
C:\Windows\system32>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32tim
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombin
ResolvePeerBackoffMinutes:
ResolvePeerBackoffMaxTimes
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: DC_HostName.DomainName.com
NtpServer (Local)
DllName: C:\Windows\system32\w32tim
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombin
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmicti
Enabled: 1 (Local)
InputProvider: 1 (Local)
Type: NTP (Local)
Unless DC-02 is the PDC Emulator (it isn't, according to the dcdiag output), this value should be set to NT5DS rather than NTP. It can be set in the registry here:
HKLM\SYSTEM\CurrentControl
If you make that change, you'll need to restart the Windows Time service for it to take effect.
It should be set to NT5DS on everything except the DC that holds the PDC Emulator FSMO role (which appears to be YDC01).
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\mnunez>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
***Error: Exchange is not a Directory Server. Must specify /s:<Directory
Server> or /n:<Naming Context> or nothing to use the local machine.
ERROR: Could not find home server.
C:\Users\mnunez>
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\mnunez>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
***Error: Exchange is not a Directory Server. Must specify /s:<Directory
Server> or /n:<Naming Context> or nothing to use the local machine.
ERROR: Could not find home server.
C:\Users\mnunez>
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32tim
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombin
ResolvePeerBackoffMinutes:
ResolvePeerBackoffMaxTimes
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: DC_HostName.DomainName.com
NtpServer (Local)
DllName: C:\Windows\system32\w32tim
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombin
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmicti
Enabled: 1 (Local)
InputProvider: 1 (Local)
C:\Windows\system32>
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32tim
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombin
ResolvePeerBackoffMinutes:
ResolvePeerBackoffMaxTimes
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: DC_HostName.DomainName.com
NtpServer (Local)
DllName: C:\Windows\system32\w32tim
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombin
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmicti
Enabled: 1 (Local)
InputProvider: 1 (Local)
C:\Windows\system32>
good lord i cant rdp again now i have this no longer the time.
The connection cannot be completed because the remote computer that was reached is not the one you specified. This could be caused by an outdated entry in the DNS cache. Try using the IP address of the computer instead of the name.
I did a flush, restarted my computer and nothing.
The connection cannot be completed because the remote computer that was reached is not the one you specified. This could be caused by an outdated entry in the DNS cache. Try using the IP address of the computer instead of the name.
I did a flush, restarted my computer and nothing.
NtpServer: DC_HostName.DomainName.com(Local)
This will need to be changed on YDC01. That server needs to get time from a source outside of your environment, like a public NTP server. Microsoft runs one at time.windows.com, and there are a number of others out there. Go to this registry location:
HKLM\SYSTEM\CurrentControl
...and set it to this:
time.windows.com,0x9 time-a.nist.gov,0x9 time-b.nist.gov,0x9
If you know the names of specific NTP servers you'd prefer to use, feel free to substitute those, but leave the ,0x9's in there after each one.
Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
That's a significant problem. It means that your domain controllers have been unable to replicate with each other for a very long time. How many total DCs do you have in the domain?
two, i inherit this job from another admin, and i have run into some weird stuff in here. should i turn one off maybe dc 02, i run the last script in the exchange server
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>netdom
List of domain controllers with accounts in the domain:
DC01
DC02
The command completed successfully.
C:\Windows\system32>
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>netdom
List of domain controllers with accounts in the domain:
DC01
DC02
The command completed successfully.
C:\Windows\system32>
Exchange isn't installed on one of the DCs, is it? I believe you said that it's on a different server, but I want to be sure.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>REPADM
BrickellLocation\YDC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 62d3b9b6-5b3d-419a-bd88-69
DSA invocationID: 3e22d92f-9798-4b5e-a8c7-eb
==== INBOUND NEIGHBORS ==========================
DC=cdgcorp,DC=local
BrickellLocation\DC-02 via RPC
DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4
Last attempt @ 2017-03-24 18:07:15 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
68 consecutive failure(s).
Last success @ 2017-03-24 13:24:43.
CN=Configuration,DC=cdgcor
BrickellLocation\DC-02 via RPC
DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4
Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
10 consecutive failure(s).
Last success @ 2017-03-24 13:24:43.
CN=Schema,CN=Configuration
BrickellLocation\DC-02 via RPC
DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4
Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
9 consecutive failure(s).
Last success @ 2017-03-24 13:24:43.
DC=ForestDnsZones,DC=cdgco
BrickellLocation\DC-02 via RPC
DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4
Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
9 consecutive failure(s).
Last success @ 2017-03-24 13:24:43.
DC=DomainDnsZones,DC=cdgco
BrickellLocation\DC-02 via RPC
DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4
Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
9 consecutive failure(s).
Last success @ 2017-03-24 13:24:43.
Source: BrickellLocation\DC-02
******* 67 CONSECUTIVE FAILURES since 2017-03-24 13:24:43
Last error: 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
C:\Windows\system32>w32tm /monitor
YDC01.cdgcorp.local *** PDC ***[[::1]:123]:
ICMP: 0ms delay
NTP: +0.0000000s offset from YDC01.cdgcorp.local
RefID: time-a.nist.gov [129.6.15.28]
Stratum: 2
DC-02.cdgcorp.local[192.16
ICMP: 0ms delay
NTP: -744.1300266s offset from YDC01.cdgcorp.local
RefID: 'LOCL' [0x4C434F4C]
Stratum: 1
Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.
C:\Windows\system32>w32tm /resync
Sending resync command to local computer
The command completed successfully.
C:\Windows\system32>
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>REPADM
BrickellLocation\YDC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 62d3b9b6-5b3d-419a-bd88-69
DSA invocationID: 3e22d92f-9798-4b5e-a8c7-eb
==== INBOUND NEIGHBORS ==========================
DC=cdgcorp,DC=local
BrickellLocation\DC-02 via RPC
DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4
Last attempt @ 2017-03-24 18:07:15 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
68 consecutive failure(s).
Last success @ 2017-03-24 13:24:43.
CN=Configuration,DC=cdgcor
BrickellLocation\DC-02 via RPC
DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4
Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
10 consecutive failure(s).
Last success @ 2017-03-24 13:24:43.
CN=Schema,CN=Configuration
BrickellLocation\DC-02 via RPC
DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4
Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
9 consecutive failure(s).
Last success @ 2017-03-24 13:24:43.
DC=ForestDnsZones,DC=cdgco
BrickellLocation\DC-02 via RPC
DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4
Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
9 consecutive failure(s).
Last success @ 2017-03-24 13:24:43.
DC=DomainDnsZones,DC=cdgco
BrickellLocation\DC-02 via RPC
DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4
Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
9 consecutive failure(s).
Last success @ 2017-03-24 13:24:43.
Source: BrickellLocation\DC-02
******* 67 CONSECUTIVE FAILURES since 2017-03-24 13:24:43
Last error: 8614 (0x21a6):
The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
C:\Windows\system32>w32tm /monitor
YDC01.cdgcorp.local *** PDC ***[[::1]:123]:
ICMP: 0ms delay
NTP: +0.0000000s offset from YDC01.cdgcorp.local
RefID: time-a.nist.gov [129.6.15.28]
Stratum: 2
DC-02.cdgcorp.local[192.16
ICMP: 0ms delay
NTP: -744.1300266s offset from YDC01.cdgcorp.local
RefID: 'LOCL' [0x4C434F4C]
Stratum: 1
Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.
C:\Windows\system32>w32tm /resync
Sending resync command to local computer
The command completed successfully.
C:\Windows\system32>
> The directory service cannot replicate with this server because the
> time since the last replication with this server has exceeded the tombstone life
> time.
This is what I feared would happen when you changed the time on your DCs. 12 years: no amount of hope will put that in an acceptable tombstone lifetime.
You will have to consider demoting and, ideally, rebuilding, some of your domain controllers. Obviously if you have one that's working that should stay exactly as it is.
> time since the last replication with this server has exceeded the tombstone life
> time.
This is what I feared would happen when you changed the time on your DCs. 12 years: no amount of hope will put that in an acceptable tombstone lifetime.
You will have to consider demoting and, ideally, rebuilding, some of your domain controllers. Obviously if you have one that's working that should stay exactly as it is.
Looks like you may have some secure-channel issues due to the tombstoned DC, so the first order of business is to get rid of DC-02 (since YDC01 has all of the FSMO roles). You don't have to wipe its OS or anything, but it needs to be removed from AD, and the quickest way to do that will be a forced demotion.
DC-02 appears to be running Windows Server 2008 R2. If so, a forced demotion is initiated by running the dcpromo /forceremoval command. This command removes Active Directory from the server without updating any other DCs in the domain. That's necessary in this case because DC-02 can't authenticate with the other DC.
After the demotion is complete, you'll need to perform a metadata cleanup on YDC01 in order to remove DC-02 from AD. This way, YDC01 won't keep trying to replicate from it.
After the metadata cleanup is complete, DC-02 can be promoted back to a domain controller. Before doing so, you'll want to configure it to use only YDC01 for DNS, as that will be the only valid domain controller remaining in the domain at that time.
DC-02 appears to be running Windows Server 2008 R2. If so, a forced demotion is initiated by running the dcpromo /forceremoval command. This command removes Active Directory from the server without updating any other DCs in the domain. That's necessary in this case because DC-02 can't authenticate with the other DC.
After the demotion is complete, you'll need to perform a metadata cleanup on YDC01 in order to remove DC-02 from AD. This way, YDC01 won't keep trying to replicate from it.
After the metadata cleanup is complete, DC-02 can be promoted back to a domain controller. Before doing so, you'll want to configure it to use only YDC01 for DNS, as that will be the only valid domain controller remaining in the domain at that time.
To clarify. By demoting I mean forcefully removing DCs from the domain. Overcoming that tombstone lifetime is possible, but not entirely without risk. If it were my problem, and I had a working DC I'd go safety first and force demote then rebuild DCs.
MS have an article covering this situation:
https://support.microsoft.com/en-gb/help/2020053/troubleshooting-ad-replication-error-8614-the-active-directory-cannot-replicate-with-this-server-because-the-time-since-the-last-replication-with-this-server-has-exceeded-the-tombstone-lifetime
I feel you're in good hands with DrDave242, I'm afraid I must head to bed.
MS have an article covering this situation:
https://support.microsoft.com/en-gb/help/2020053/troubleshooting-ad-replication-error-8614-the-active-directory-cannot-replicate-with-this-server-because-the-time-since-the-last-replication-with-this-server-has-exceeded-the-tombstone-lifetime
I feel you're in good hands with DrDave242, I'm afraid I must head to bed.
There's no need to do anything in Exchange - this is strictly Active Directory we're working with at the moment. Once the metadata cleanup has been completed, Exchange should be able to locate the only remaining global catalog (YDC01) and use it for authentication.
Dcdiag won't run on a server that isn't a domain controller. Which version of Exchange are you running?
Premium Content
You need an Expert Office subscription to comment.Start Free Trial