Discussion:
Replication problems
stosti
2005-10-22 11:14:01 UTC
I have two DCs; my secondary (as I call it) has a ton of replication errors.
How do I fix this?

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1864
Date: 10/6/2005
Time: 8:39:43 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC-02
Description:
This is the replication status for the following directory partition on the
local domain controller.

Directory partition:
DC=DomainDnsZones,DC=TOSTI,DC=US

The local domain controller has not recently received replication
information from a number of domain controllers. The count of domain
controllers is shown, divided into the following intervals.

More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
60
Domain controllers that do not replicate in a timely manner may encounter
errors. It may miss password changes and be unable to authenticate. A DC that
has not replicated in a tombstone lifetime may have missed the deletion of
some objects, and may be automatically blocked from future replication until
it is reconciled.

To identify the domain controllers by name, install the support tools
included on the installation CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication
latencies of the domain controllers in the forest. The command is "repadmin
/showvector /latency <partition-dn>".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1988
Date: 10/6/2005
Time: 8:54:43 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC-02
Description:
The local domain controller has attempted to replicate the following object
from the following source domain controller. This object is not present on
the local domain controller because it may have been deleted and already
garbage collected.

Source domain controller:
1fb85186-6697-4741-985b-b8a3d224c1dc._msdcs.TOSTI.US
Object:
DC=..SerialNo-dc-01.TOSTI.US\0ADEL:201d824b-d947-4730-a625-1da3d1d19a81,CN=Deleted Objects,DC=ForestDnsZones,DC=TOSTI,DC=US
Object GUID:
201d824b-d947-4730-a625-1da3d1d19a81

Replication will not continue with the source domain controller until the
situation has been resolved.


User Action
Verify that the object was deleted on this domain controller or in the
forest. If object restoration is desired, authoritatively restore the object
on the source domain controller. If restoration isn't desired, install the
support tools included on the installation CD and use "repadmin
/removelingeringobjects" on the source domain controller to remove the object
from the forest and continue replication. To allow automatic restoration of
this object and future similar objects, the following registry key can be
set.

Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication
Consistency

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Thanks,
Scott
Ace Fekay [MVP]
2005-10-22 15:25:53 UTC
Post by stosti
I have two DCs; my secondary (as I call it) has a ton of replication errors.
How do I fix this?
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1864
Date: 10/6/2005
Time: 8:39:43 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC-02
This is the replication status for the following directory partition on the
local domain controller.
<snip>
Post by stosti
Scott
Scott,

You didn't provide enough info about your infrastructure to accurately help.

How long has the error been showing up? More than 60 days? Was the "second"
DC offline more than 60 days? If not, then it seems that something may be
blocking replication and the "second" DC "thinks" the other has been offline
more than 60 days.

Are the two DCs on the same subnet or in different locations?
What DNS address are the DCs set to in their IP properties? Can you provide
an ipconfig /all of both DCs please to help give us clear configuration info
of *both* DCs (copy and paste the ipconfig /all into your reply please).

If in different locations:
Is there a firewall present? If using VPNs with remote locations, is there
anything blocking in the VPN settings? Any MTU changes on the VPN routers?
--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
stosti
2005-10-23 15:41:05 UTC
At least 30 days. My logs do not go back further.

DC-02 was never offline. Neither were...

Both are on the same subnet. They are on the same switch.

No firewalls or changes of any kind. That includes MTU.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

U:\>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : dc-01
Primary Dns Suffix . . . . . . . : TOSTI.US
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : TOSTI.US

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network Connection
Physical Address. . . . . . . . . : 00-0B-CD-43-F0-98
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
DNS Servers . . . . . . . . . . . : 192.168.100.201
192.168.100.200
Primary WINS Server . . . . . . . : 192.168.100.201
Secondary WINS Server . . . . . . : 192.168.100.200

U:\>

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

U:\>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : dc-02
Primary Dns Suffix . . . . . . . : TOSTI.US
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : TOSTI.US

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network Connection
Physical Address. . . . . . . . . : 00-0B-CD-01-EA-63
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.201
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.3
DNS Servers . . . . . . . . . . . : 192.168.100.200
192.168.100.201
Primary WINS Server . . . . . . . : 192.168.100.200
Secondary WINS Server . . . . . . : 192.168.100.201

Thanks!
Ace Fekay [MVP]
2005-10-23 17:14:31 UTC
Thanks for posting that info. The ipconfigs actually look good. Surprised
you are getting these errors, especially if they are on the same subnet and
nothing is blocking communication. Is anything installed on them that may
hinder or alter default functionality or are they just pure DCs with nothing
else on them?

So you're saying neither machine was ever offline for more than 60 days?
Was there a restore from backup ever performed on DC1?

For the 1864 error and the 60 day issue, you can see why I was asking about
the 60 day thing:
http://www.eventid.net/display.asp?eventid=1864&eventno=4849&source=NTDS%20Replication&phase=1

And the 1988 error says it's trying to replicate with an object that doesn't
exist (implying it's past the 60 day tombstone lifetime when objects get
scavenged from the database):
http://www.eventid.net/display.asp?eventid=1988&eventno=4936&source=NTDS%20Replication&phase=1

Based on the 1988 and 1864 errors on DC2, they're both saying DC1 is the
deleted object.

Can you run these diagnostics and post the results please:
netdiag /v /fix > c:\netdiag.txt
dcdiag /v /fix > c:\dcdiag.txt

Thanks

Ace
stosti
2005-10-24 15:03:09 UTC
Hi,

No backups were performed... The only possibility is that DC01 was off for
60 days and we did not know. It's a test network so this is an option. How
do we fix this?

I will send the requested data later...

Regards,
Scott
Ace Fekay [MVP]
2005-10-25 03:10:22 UTC
Post by stosti
Hi,
No backups were performed... The only possibility is that DC01 was
off for 60 days and we did not know. It's a test network so this is
an option. How do we fix this?
I will send the requested data later...
Regards,
Scott
Hi Scott,

If it was truly offline that long, for whatever reason, your only option is
to dump the machine, seize any roles it may have held, move the GC if it was
a GC, then run a metadata cleanup to purge the reference to this DC from the
current system. That is your only option, so the other data I requested
would be moot at this point, unfortunately.

Here's how to perform a metadata cleanup. Follow it closely step by step.
216498 - HOW TO Remove Data in Active Directory After an Unsuccessful Domain
Controller Demotion:
http://support.microsoft.com/?id=216498

Ace
stosti
2005-10-25 14:04:04 UTC
So I would dump DC-01 or DC-02? DC-01 has no errors. DC-02 has the errors.
Why would moving all the roles fix the situation? Why not dcpromo DC-02
down? Then the replication issues are gone...
Ace Fekay [MVP]
2005-10-26 10:59:42 UTC
Post by stosti
So I would dump DC-01 or DC-02? DC-01 has no errors. DC-02 has the
errors. Why would moving all the roles fix the situation? Why not
dcpromo DC-02 down? Then the replication issues are gone...
If the system truly thinks one of the DCs has been gone for the past 60
days, then it may not demote since its replication set is beyond the 60 day
tombstone; however, there will be lingering objects to remove using Metadata
Cleanup. Like I said, usually just dump the box, transfer FSMOs and
metadata cleanup on the existing DC.

To find out exactly which, run this on both DCs and post it back please:
dcdiag /v /fix > c:\dcdiag.txt

Ace
stosti
2005-10-26 11:33:01 UTC
Morning,

Last night I shut down the entire network. I started DC-01, let it come up,
and started Exchange and my file server. Here is the only error on DC-01.
Does this support what you have been saying? Please send me the correct
procedure to move the roles. Then exactly what should I do from that point?
Once complete with a single healthy DC (DC-02), I would rebuild DC-01 and
dcpromo the machine? Once complete I would like to move the roles back. Is
that ok? The goal is to have two DCs as redundant as possible. Currently
they are both GC machines.

DCDIAG below as well.

I will follow all of your instructions tonight. THANKS!!!

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2092
Date: 10/25/2005
Time: 4:07:02 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC-01
Description:

This server is the owner of the following FSMO role, but does not consider
it valid. For the partition which contains the FSMO, this server has not
replicated successfully with any of its partners since this server has been
restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until
this condition is corrected.

FSMO Role: CN=Schema,CN=Configuration,DC=TOSTI,DC=US

User Action:

1. Initial synchronization is the first early replications done by a system
as it is starting. A failure to initially synchronize may explain why a FSMO
role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is
failing for all of these partners. Use the command repadmin /showrepl to
display the replication errors. Correct the error in question. For example
there maybe problems with IP connectivity, DNS name resolution, or security
authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected
occurance, perhaps because of maintenance or a disaster recovery, you can
force the role to be validated. This can be done by using NTDSUTIL.EXE to
seize the role to the same server. This may be done using the steps provided
in KB articles 255504 and 324801 on http://support.microsoft.com.

The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this
forest.
PDC: You will no longer be able to perform primary domain controller
operations, such as Group Policy updates and password resets for non-Active
Directory accounts.
RID: You will not be able to allocation new security identifiers for new
user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group
memberships, will not be updated properly if their target object is moved or
renamed.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine dc-01, is a DC.
* Connecting to directory service on server dc-01.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC-01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC-01 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC-01
Starting test: Replications
* Replications Check
[Replications Check,DC-01] A recent replication attempt failed:
From DC-02 to DC-01
Naming Context: DC=ForestDnsZones,DC=TOSTI,DC=US
The replication generated an error (1256):
The remote system is not available. For information about
network troubleshooting, see Windows Help.
The failure occurred at 2005-10-26 06:52:25.
The last success occurred at 2005-10-25 09:57:36.
17 failures have occurred since the last success.
[DC-02] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 1204 (DcDiag)
System Time is: 10/26/2005 11:28:3:828
Generating component is 8 (winsock)
Status is 1722: The RPC server is unavailable.

Detection location is 323
Error Record 2, ProcessID is 1204 (DcDiag)
System Time is: 10/26/2005 11:28:3:828
Generating component is 8 (winsock)
Status is 1237: The operation could not be completed. A retry
should be performed.

Detection location is 313
Error Record 3, ProcessID is 1204 (DcDiag)
System Time is: 10/26/2005 11:28:3:828
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the
connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to respond.

Detection location is 311
NumberOfParameters is 3
Long val: 135
Pointer val: 0
Pointer val: 0
Error Record 4, ProcessID is 1204 (DcDiag)
System Time is: 10/26/2005 11:28:3:828
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the
connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to respond.

Detection location is 318
[Replications Check,DC-01] A recent replication attempt failed:
From DC-02 to DC-01
Naming Context: DC=DomainDnsZones,DC=TOSTI,DC=US
The replication generated an error (1256):
The remote system is not available. For information about
network troubleshooting, see Windows Help.
The failure occurred at 2005-10-26 06:52:25.
The last success occurred at 2005-10-25 09:57:36.
17 failures have occurred since the last success.
[Replications Check,DC-01] A recent replication attempt failed:
From DC-02 to DC-01
Naming Context: CN=Schema,CN=Configuration,DC=TOSTI,DC=US
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2005-10-26 06:52:46.
The last success occurred at 2005-10-25 09:57:36.
17 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,DC-01] A recent replication attempt failed:
From DC-02 to DC-01
Naming Context: CN=Configuration,DC=TOSTI,DC=US
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2005-10-26 06:52:25.
The last success occurred at 2005-10-25 10:15:38.
17 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,DC-01] A recent replication attempt failed:
From DC-02 to DC-01
Naming Context: DC=TOSTI,DC=US
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2005-10-26 06:53:07.
The last success occurred at 2005-10-25 10:27:05.
17 failures have occurred since the last success.
The source remains down. Please check the machine.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
DC-01: Current time is 2005-10-26 07:27:42.
DC=ForestDnsZones,DC=TOSTI,DC=US
Last replication recieved from DC-02 at 2005-10-25 09:57:36.
DC=DomainDnsZones,DC=TOSTI,DC=US
Last replication recieved from DC-02 at 2005-10-25 09:57:36.
CN=Schema,CN=Configuration,DC=TOSTI,DC=US
Last replication recieved from DC-02 at 2005-10-25 09:57:36.
CN=Configuration,DC=TOSTI,DC=US
Last replication recieved from DC-02 at 2005-10-25 10:15:38.
DC=TOSTI,DC=US
Last replication recieved from DC-02 at 2005-10-25 10:27:05.
* Replication Site Latency Check
......................... DC-01 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC-01.
* Security Permissions Check for
DC=ForestDnsZones,DC=TOSTI,DC=US
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=TOSTI,DC=US
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=TOSTI,DC=US
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=TOSTI,DC=US
(Configuration,Version 2)
* Security Permissions Check for
DC=TOSTI,DC=US
(Domain,Version 2)
......................... DC-01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC-01\netlogon
Verified share \\DC-01\sysvol
......................... DC-01 passed test NetLogons
Starting test: Advertising
The DC DC-01 is advertising itself as a DC and having a DS.
The DC DC-01 is advertising as an LDAP server
The DC DC-01 is advertising as having a writeable directory
The DC DC-01 is advertising as a Key Distribution Center
The DC DC-01 is advertising as a time server
The DS DC-01 is advertising as a GC.
......................... DC-01 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US
Role Domain Owner = CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US
Role PDC Owner = CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US
Role Rid Owner = CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US
......................... DC-01 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2103 to 1073741823
* dc-01.TOSTI.US is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1103 to 1602
* rIDPreviousAllocationPool is 1103 to 1602
* rIDNextRID: 1138
......................... DC-01 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC DC-01 on DC DC-01.
* SPN found :LDAP/dc-01.TOSTI.US/TOSTI.US
* SPN found :LDAP/dc-01.TOSTI.US
* SPN found :LDAP/DC-01
* SPN found :LDAP/dc-01.TOSTI.US/TOSTI
* SPN found :LDAP/1fb85186-6697-4741-985b-b8a3d224c1dc._msdcs.TOSTI.US
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/1fb85186-6697-4741-985b-b8a3d224c1dc/TOSTI.US
* SPN found :HOST/dc-01.TOSTI.US/TOSTI.US
* SPN found :HOST/dc-01.TOSTI.US
* SPN found :HOST/DC-01
* SPN found :HOST/dc-01.TOSTI.US/TOSTI
* SPN found :GC/dc-01.TOSTI.US/TOSTI.US
......................... DC-01 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC-01 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
DC-01 is in domain DC=TOSTI,DC=US
Checking for CN=DC-01,OU=Domain Controllers,DC=TOSTI,DC=US in
domain DC=TOSTI,DC=US on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US in domain CN=Configuration,DC=TOSTI,DC=US on 1 servers
Object is up-to-date on all servers.
......................... DC-01 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC-01 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 10/25/2005 15:19:20
(Event String could not be retrieved)
......................... DC-01 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minutes.
......................... DC-01 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0xC001106A
Time Generated: 10/26/2005 06:39:39
Event String: An attempt to connect to the remote WINS server with address 192.168.100.201 returned with an error. Check to see that the remote WINS server is running and available, and that WINS is running on that server.
An Error Event occured. EventID: 0xC001106A
Time Generated: 10/26/2005 07:09:40
Event String: An attempt to connect to the remote WINS server with address 192.168.100.201 returned with an error. Check to see that the remote WINS server is running and available, and that WINS is running on that server.
......................... DC-01 failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference) CN=DC-01,OU=Domain Controllers,DC=TOSTI,DC=US and backlink on CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US are correct.
The system object reference (frsComputerReferenceBL) CN=DC-01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=TOSTI,DC=US and backlink on CN=DC-01,OU=Domain Controllers,DC=TOSTI,DC=US are correct.
The system object reference (serverReferenceBL) CN=DC-01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=TOSTI,DC=US and backlink on CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US are correct.
......................... DC-01 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : TOSTI
Starting test: CrossRefValidation
......................... TOSTI passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... TOSTI passed test CheckSDRefDom

Running enterprise tests on : TOSTI.US
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
......................... TOSTI.US passed test Intersite
Starting test: FsmoCheck
GC Name: \\dc-01.TOSTI.US
Locator Flags: 0xe00001fd
PDC Name: \\dc-01.TOSTI.US
Locator Flags: 0xe00001fd
Time Server Name: \\dc-01.TOSTI.US
Locator Flags: 0xe00001fd
Preferred Time Server Name: \\dc-01.TOSTI.US
Locator Flags: 0xe00001fd
KDC Name: \\dc-01.TOSTI.US
Locator Flags: 0xe00001fd
......................... TOSTI.US passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
Post by Ace Fekay [MVP]
Post by stosti
So I would dump DC-01 or DC-02? DC-01 has no errors. DC-02 has the
errors. Why would moving all the roles fix the situation? Why not
dcpromo DC-02 down? Then the replication issues are gone...
If the system truly thinks one of the DCs has been gone for the past 60
days, then it may not demote since its replication set is beyond the 60 day
tombstone; however, there will be lingering objects to remove using Metadata
Cleanup. Like I said, usually just dump the box, transfer FSMOs and
metadata cleanup on the existing DC.
To find out exactly which, run this on both DCs and post it back please:
dcdiag /v /fix > c:\dcdiag.txt
Ace
Ace Fekay [MVP]
2005-10-26 22:39:08 UTC
Post by stosti
Morning,
Last night I shut down the entire network. I started DC-01 let it come up
Does this support what you have been saying? Please send me the correct
procedure to move the roles. Then exactly what should I do from that point?
Once complete with a single healthy DC (DC-02) I would rebuild DC-01 and
dcpromo the machine? Once complete I would like to move the roles back. Is
that ok? The goal is to have two DC's as redundant as possible.
Currently
they are both GC machines.
DCDIAG below as well.
Run it on DC02 as well please.

For reference:
324801 - HOW TO View and Transfer FSMO Roles in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b324801

Ace
stosti
2005-10-27 10:38:01 UTC
Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine dc-02, is a DC.
* Connecting to directory service on server dc-02.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC-02
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC-02 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC-02
Starting test: Replications
* Replications Check
[Replications Check,DC-02] A recent replication attempt failed:
From DC-01 to DC-02
Naming Context: DC=DomainDnsZones,DC=TOSTI,DC=US
The replication generated an error (8606):
Insufficient attributes were given to create an object. This
object may not exist because it may have been deleted and already garbage
collected.
The failure occurred at 2005-10-27 05:53:30.
The last success occurred at 2005-09-03 01:52:42.
1487 failures have occurred since the last success.
[Replications Check,DC-02] A recent replication attempt failed:
From DC-01 to DC-02
Naming Context: DC=ForestDnsZones,DC=TOSTI,DC=US
The replication generated an error (8606):
Insufficient attributes were given to create an object. This
object may not exist because it may have been deleted and already garbage
collected.
The failure occurred at 2005-10-27 05:53:30.
The last success occurred at 2005-09-03 01:52:42.
1266 failures have occurred since the last success.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
DC-02: Current time is 2005-10-27 06:33:03.
DC=DomainDnsZones,DC=TOSTI,DC=US
Last replication recieved from DC-01 at 2005-09-03 01:52:42.
DC=ForestDnsZones,DC=TOSTI,DC=US
Last replication recieved from DC-01 at 2005-09-03 01:52:42.
* Replication Site Latency Check
......................... DC-02 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC-02.
* Security Permissions Check for
DC=DomainDnsZones,DC=TOSTI,DC=US
(NDNC,Version 2)
* Security Permissions Check for
DC=ForestDnsZones,DC=TOSTI,DC=US
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=TOSTI,DC=US
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=TOSTI,DC=US
(Configuration,Version 2)
* Security Permissions Check for
DC=TOSTI,DC=US
(Domain,Version 2)
......................... DC-02 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC-02\netlogon
Verified share \\DC-02\sysvol
......................... DC-02 passed test NetLogons
Starting test: Advertising
The DC DC-02 is advertising itself as a DC and having a DS.
The DC DC-02 is advertising as an LDAP server
The DC DC-02 is advertising as having a writeable directory
The DC DC-02 is advertising as a Key Distribution Center
The DC DC-02 is advertising as a time server
The DS DC-02 is advertising as a GC.
......................... DC-02 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US
Role Domain Owner = CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US
Role PDC Owner = CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US
Role Rid Owner = CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US
......................... DC-02 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2103 to 1073741823
* dc-01.TOSTI.US is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1603 to 2102
* rIDPreviousAllocationPool is 1603 to 2102
* rIDNextRID: 1610
......................... DC-02 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC DC-02 on DC DC-02.
* SPN found :LDAP/dc-02.TOSTI.US/TOSTI.US
* SPN found :LDAP/dc-02.TOSTI.US
* SPN found :LDAP/DC-02
* SPN found :LDAP/dc-02.TOSTI.US/TOSTI
* SPN found :LDAP/46cca6bb-890b-418f-9892-56630b4ab9f9._msdcs.TOSTI.US
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/46cca6bb-890b-418f-9892-56630b4ab9f9/TOSTI.US
* SPN found :HOST/dc-02.TOSTI.US/TOSTI.US
* SPN found :HOST/dc-02.TOSTI.US
* SPN found :HOST/DC-02
* SPN found :HOST/dc-02.TOSTI.US/TOSTI
* SPN found :GC/dc-02.TOSTI.US/TOSTI.US
......................... DC-02 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC-02 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
DC-02 is in domain DC=TOSTI,DC=US
Checking for CN=DC-02,OU=Domain Controllers,DC=TOSTI,DC=US in
domain DC=TOSTI,DC=US on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US in domain CN=Configuration,DC=TOSTI,DC=US on 1 servers
Object is up-to-date on all servers.
......................... DC-02 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC-02 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 10/26/2005 07:44:25
(Event String could not be retrieved)
......................... DC-02 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minutes.
......................... DC-02 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... DC-02 passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference) CN=DC-02,OU=Domain Controllers,DC=TOSTI,DC=US and backlink on CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US are correct.
The system object reference (frsComputerReferenceBL) CN=DC-02,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=TOSTI,DC=US and backlink on CN=DC-02,OU=Domain Controllers,DC=TOSTI,DC=US are correct.
The system object reference (serverReferenceBL) CN=DC-02,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=TOSTI,DC=US and backlink on CN=NTDS Settings,CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TOSTI,DC=US are correct.
......................... DC-02 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : TOSTI
Starting test: CrossRefValidation
......................... TOSTI passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... TOSTI passed test CheckSDRefDom

Running enterprise tests on : TOSTI.US
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
......................... TOSTI.US passed test Intersite
Starting test: FsmoCheck
GC Name: \\dc-02.TOSTI.US
Locator Flags: 0xe00001fc
PDC Name: \\dc-01.TOSTI.US
Locator Flags: 0xe00001fd
Time Server Name: \\dc-02.TOSTI.US
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\dc-02.TOSTI.US
Locator Flags: 0xe00001fc
KDC Name: \\dc-02.TOSTI.US
Locator Flags: 0xe00001fc
......................... TOSTI.US passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS

SORRY I left this out...
Ace Fekay [MVP]
2005-10-28 04:20:18 UTC
Post by stosti
Domain Controller Diagnosis
<snipped>

Thanks for posting it. It looks like DC-02 is the good DC, since DC-01 seems
to be saying it holds the roles but doesn't deem them valid, based on the
2092 Event ID and its description:
============================
This server is the owner of the following FSMO role, but does not consider
it valid. For the partition which contains the FSMO, this server has not
replicated successfully with any of its partners since this server has been
restarted. Replication errors are preventing validation of this role.
============================

I would suggest unplugging DC-01 for a few days, based on DC-02's clean
dcdiag, except the FRS errors, which I believe are due to an essentially
non-existent DC-01 (based on the 2092 error) and nothing to replicate to.

But before removing DC-01 completely, see if this link helps:
http://www.eventid.net/display.asp?eventid=2092&eventno=5836&source=NTDS%20Replication&phase=1

Ace
stosti
2005-11-07 00:11:36 UTC
Hi,

I moved the roles to DC-02, shut off DC-01, ran metabase cleanup and removed
DC-01. I rebuilt the machine, ran dcpromo and set up the machine as a GC.
Things are still not right. I believe replication is still failing...

Event Type: Error
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 1411
Date: 11/6/2005
Time: 5:18:14 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC-02
Description:
Active Directory failed to construct a mutual authentication service
principal name (SPN) for the following domain controller.

Domain controller:
1fb85186-6697-4741-985b-b8a3d224c1dc._msdcs.TOSTI.US

The call was denied. Communication with this domain controller might be
affected.

Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to
mutually authenticate the target server because the corresponding server
object in the local DS database has no serverReference attribute.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 2088
Date: 11/6/2005
Time: 5:17:19 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC-02
Description:
Active Directory could not use DNS to resolve the IP address of the source
domain controller listed below. To maintain the consistency of Security
groups, group policy, users and computers and their passwords, Active
Directory successfully replicated using the NetBIOS or fully qualified
computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on
member computers, domain controllers or application servers in this Active
Directory forest, including logon authentication or access to network
resources.

You should immediately resolve this DNS configuration error so that this
domain controller can resolve the IP address of the source domain controller
using DNS.

Alternate server name:
dc-01
Failing DNS host name:
2ac8455a-97e5-499c-bc0e-47dc19ad58a0._msdcs.TOSTI.US

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour
period, even if more than 10 failures occur. To log all individual failure
events, set the following diagnostics registry value to 1:

Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or its
operating system has been reinstalled with a different computer name or
NTDSDSA object GUID, remove the source domain controller's metadata with
ntdsutil.exe, using the steps outlined in MSKB article 216498.

2) Confirm that the source domain controller is running Active directory
and is accessible on the network by typing "net view \\<source DC name>" or
"ping <source DC name>".

3) Verify that the source domain controller is using a valid DNS server for
DNS services, and that the source domain controller's host record and CNAME
record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE
available on http://www.microsoft.com/dns

dcdiag /test:dns

4) Verify that that this destination domain controller is using a valid DNS
server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE
command on the console of the destination domain controller, as follows:

dcdiag /test:dns

5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449

Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was
found.


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

What should I do now? I have never had these types of problems with a
Windows domain before.

Regards,
Scott
Ace Fekay [MVP]
2005-11-07 05:40:53 UTC
Scott, it says above it could not use DNS, among other DNS error messages.

"Active Directory could not use DNS to resolve the IP address of the source
domain controller listed below."

"Invalid DNS configuration may be affecting"

"You should immediately resolve this DNS configuration error so that this
domain controller can resolve the IP address of the source domain controller
using DNS."

Does this record exist?
2ac8455a-97e5-499c-bc0e-47dc19ad58a0._msdcs.TOSTI.US

Did you create a reverse zone (will eliminate SPN errors)?
Are the DCs pointing to themselves for DNS?
Do all the records and SRV folders show up in the zone?
Any DNS errors?

Ace
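Ace's question above ("Does this record exist? 2ac8455a-..._msdcs.TOSTI.US") comes down to one check: the CNAME record named after each DC's NTDS Settings objectGUID in the _msdcs zone of the forest root must resolve to that DC's host name. Event 2088 fires when it does not. The script below is an added example, not code from the thread or from Microsoft; it reads every nTDSDSA object from the Configuration partition with plain ADSI/.NET (no ActiveDirectory module, which did not exist in 2005), builds the expected record name, resolves it, and compares the result with the server object's dNSHostName. It assumes a domain-joined Windows host with read access to the Configuration partition and relies on System.Net.Dns.GetHostEntry returning the canonical name after following the CNAME; the optional -Server parameter and the function name are mine.

```powershell
# Added example (not from the thread): verify that each DC's replication
# CNAME record  <NTDS-Settings-objectGUID>._msdcs.<forest root>  resolves
# to that DC. Uses only ADSI and .NET so it runs without the AD module.

function Get-DsaGuidRecordStatus {
    param(
        [string]$Server   # optional DC to bind to, e.g. 'dc-02'; default = locator
    )

    $prefix = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    $rootDse      = [ADSI]"${prefix}RootDSE"
    $configNc     = $rootDse.configurationNamingContext.Value
    $rootDomainNc = $rootDse.rootDomainNamingContext.Value
    # Forest root DNS name from its DN: DC=TOSTI,DC=US -> TOSTI.US
    $forestDns = (($rootDomainNc -split ',') | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'

    # Every NTDS Settings (nTDSDSA) object lives under CN=Sites in the Configuration NC.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"${prefix}CN=Sites,$configNc"
    $searcher.Filter     = '(objectClass=nTDSDSA)'
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.Add('objectGUID')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        $dsaDn = [string]$result.Properties['distinguishedname'][0]
        $guid  = [guid]$result.Properties['objectguid'][0]   # byte[] -> Guid

        # The parent of "CN=NTDS Settings,..." is the server object; it carries dNSHostName.
        $serverDn     = $dsaDn -replace '^CN=NTDS Settings,', ''
        $serverObj    = [ADSI]"${prefix}$serverDn"
        $expectedHost = [string]$serverObj.dNSHostName.Value

        $record       = "$guid._msdcs.$forestDns"
        $resolvedHost = $null
        $addresses    = @()
        try {
            $entry        = [System.Net.Dns]::GetHostEntry($record)
            $resolvedHost = $entry.HostName          # canonical name after the CNAME chase
            $addresses    = $entry.AddressList | ForEach-Object { $_.IPAddressToString }
        } catch {
            $resolvedHost = "<unresolved: $($_.Exception.Message)>"
        }

        [pscustomobject]@{
            Server     = $expectedHost
            DsaGuid    = $guid
            Record     = $record
            ResolvesTo = $resolvedHost
            Addresses  = ($addresses -join ',')
            Ok         = [bool]($resolvedHost -and ($resolvedHost -ieq $expectedHost))
        }
    }
}

# Run from either DC; a row with Ok = False is the record event 2088 is complaining about.
Get-DsaGuidRecordStatus | Format-Table Server, DsaGuid, ResolvesTo, Addresses, Ok -AutoSize
```

A GUID that appears in the directory but not in the output of this script against your DNS server (or one in the event log that appears in neither) is the metadata of a DC that no longer exists, which is exactly what the 2088 event's step 1 (ntdsutil metadata cleanup) is for; a GUID that resolves but to the wrong host points at a stale CNAME left behind after the rebuild.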
stosti
2005-11-07 23:09:04 UTC
DCdiag /DNS passes on both machines.

I think DNS is working... I do not know how to tell if this record is valid
or not.
2ac8455a-97e5-499c-bc0e-47dc19ad58a0._msdcs.TOSTI.US

I have reverse DNS setup and working.

DC's are pointing to each other first and then to themselves.

Yes to records and no there are not any DNS errors. Just replication issues.

Regards,
Scott
Ace Fekay [MVP]
2005-11-08 05:29:55 UTC
Also, since DNS doesn't seem to be responding, and not sure if the GUID is
correct, let's try this:

1. Change the zone on one of the DCs to Standard Primary. This will get it
out of the AD database and into a text file.
2. Change the zone on the other DC to a secondary pulling from the first DC.
3. Point both DCs to the Primary zone for DNS (IP properties). This will
make both DCs use the one DNS server.
4. Then delete the system32\config\netlogon.dns and netlogon.dnb files.
5. CMD prompt:
ipconfig /registerdns
net stop netlogon
net start netlogon
6. Rerun dcdiag /v /fix

See if that clears it up.

Some reading material...
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21609377.html
How to use DNSLint to troubleshoot Active Directory replication issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;321046

Ace
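Ace's step 6 is to rerun dcdiag /v /fix and see whether the replication errors clear. A quicker way to watch the same thing over the following days is repadmin /showrepl /csv, which emits one row per inbound partner and naming context with the failure count, last failure status and last success time. The function below is an added example, not code from the thread; it buckets those rows the way the Event 1864 text does (more than a day, beyond the tombstone lifetime) so that a partner heading for quarantine stands out. The sample CSV is constructed from the dcdiag figures posted earlier in the thread, not real repadmin output from the poster's DCs; the column names are those of repadmin /showrepl /csv from the Windows Server 2003 SP1 Support Tools, which is an assumption if your build differs.

```powershell
# Added example (not from the thread): summarise inbound replication health
# from "repadmin /showrepl /csv" output using Event 1864's own thresholds.

function Get-ReplicationPartnerStatus {
    param(
        [string[]]$CsvLines,                 # lines of repadmin /showrepl /csv output
        [int]$TombstoneLifetimeDays = 60,    # the posted Event 1864 reports 60 days
        [datetime]$Now = (Get-Date)
    )
    $inv = [System.Globalization.CultureInfo]::InvariantCulture

    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        # repadmin prints 0 for "never succeeded"
        $lastSuccess = $null
        if ($row.'Last Success Time' -and $row.'Last Success Time' -ne '0') {
            $lastSuccess = [datetime]::Parse($row.'Last Success Time', $inv)
        }
        $ageDays = $null
        if ($lastSuccess) { $ageDays = [math]::Round(($Now - $lastSuccess).TotalDays, 1) }
        $failures = [int]$row.'Number of Failures'

        # Buckets in the order a responder cares about: a partner that has not
        # replicated within the tombstone lifetime is the one AD will block.
        $state = 'OK'
        if ($null -eq $ageDays)                          { $state = 'NEVER' }
        elseif ($ageDays -ge $TombstoneLifetimeDays)     { $state = 'BEYOND-TOMBSTONE' }
        elseif ($failures -gt 0)                         { $state = 'FAILING' }
        elseif ($ageDays -ge 1)                          { $state = 'STALE' }

        [pscustomobject]@{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Failures      = $failures
            LastStatus    = $row.'Last Failure Status'   # 8606 = lingering/garbage-collected object
            LastSuccess   = $lastSuccess
            AgeDays       = $ageDays
            State         = $state
        }
    }
}

# Constructed sample modelled on the dcdiag output posted above. Live use:
#   $lines = repadmin /showrepl dc-02 /csv
$sample = @'
"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"
"showrepl_INFO","Default-First-Site-Name","DC-02","DC=DomainDnsZones,DC=TOSTI,DC=US","Default-First-Site-Name","DC-01","RPC","1487","2005-10-27 05:53:30","2005-09-03 01:52:42","8606"
"showrepl_INFO","Default-First-Site-Name","DC-02","DC=ForestDnsZones,DC=TOSTI,DC=US","Default-First-Site-Name","DC-01","RPC","1266","2005-10-27 05:53:30","2005-09-03 01:52:42","8606"
"showrepl_INFO","Default-First-Site-Name","DC-02","DC=TOSTI,DC=US","Default-First-Site-Name","DC-01","RPC","0","0","2005-10-27 06:30:00","0"
'@ -split "`r?`n"

# With the clock set to the time of the posted dcdiag run, the two DNS
# partitions come out FAILING (54 days since last success, status 8606)
# and the domain partition OK.
Get-ReplicationPartnerStatus -CsvLines $sample -Now ([datetime]'2005-10-27 06:33:03') |
    Format-Table Source, NamingContext, Failures, LastStatus, AgeDays, State -AutoSize
```

Run it against both DCs after the zone change and netlogon restart from the steps above; if the 8606 rows persist while the new DC-01 is clearly reachable, the destination still holds objects the source has already garbage-collected, and that is a lingering-object problem rather than a DNS one.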
