Discussion:
NTDS Replication event 2023 error 8589
Mr Major Thorburn
2006-01-24 15:16:04 UTC
Text from event log entry is:
The local domain controller was unable to replicate changes to the following
remote domain controller for the following directory partition.

Remote domain controller:
881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
Directory partition:
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk

The local domain controller cannot complete demotion.

User Action
Investigate why replication between these two domain controllers cannot be
performed. Then, try to demote this domain controller again.

Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to
mutually authenticate the target server because the corresponding server
object in the local DS database has no serverReference attribute.

It mentions demotion but the source and target servers have never been
demoted.
The problem is with all the servers in this sub-domain.

My question is:
Which server object is it talking about that does not have a serverReference
attribute?

Any help you can give me will move me onto a solution and the next problem.
Paul Williams [MVP]
2006-01-25 06:17:50 UTC
Type:

nslookup -type=cname
881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk


At a command prompt to resolve the GUID CNAME to an A record.

If it doesn't resolve, that is your problem.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
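The nslookup above checks one DC. The script below is an added example, not part of the thread: it does the same check for every DC in the forest, pulling each DSA GUID from its NTDS Settings object and confirming that GUID._msdcs.<forest root> resolves to a CNAME and on to an A record. It assumes a domain-joined Windows host with Resolve-DnsName (Windows 8 / Server 2012 or later), read access to the Configuration partition, and that the forest root's DNS name matches its distinguished name.

```powershell
# Added example (not from the thread): resolve the <DSA-GUID>._msdcs CNAME for
# every NTDS Settings object in the forest and report failures. Assumes a
# domain-joined host, Resolve-DnsName, and read access to the Configuration NC.

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.configurationNamingContext.Value
# Forest root DN -> DNS name (DC=xports,DC=nhs,DC=uk -> xports.nhs.uk); assumes they match.
$forestDns = (($rootDse.rootDomainNamingContext.Value -split ',') -replace '^DC=', '') -join '.'

# Every DC owns exactly one nTDSDSA ("NTDS Settings") object. Its objectGUID is the
# DSA GUID that replication partners look up as <GUID>._msdcs.<forest root>.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter     = '(objectClass=nTDSDSA)'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectGUID', 'distinguishedName'))

foreach ($result in $searcher.FindAll()) {
    $dsaGuid   = [guid]$result.Properties['objectguid'][0]
    $dsaDn     = $result.Properties['distinguishedname'][0]
    # The server object is the parent of NTDS Settings; its CN is the DC's name.
    $serverCn  = ($dsaDn -split ',')[1] -replace '^CN=', ''
    $cnameFqdn = "$dsaGuid._msdcs.$forestDns"

    try {
        # Step 1: the GUID CNAME must exist and point at a host name.
        $cname = Resolve-DnsName -Name $cnameFqdn -Type CNAME -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $cname) { throw "no CNAME record returned for $cnameFqdn" }
        # Step 2: that host name must itself resolve to an A record.
        $a = Resolve-DnsName -Name $cname.NameHost -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        if (-not $a) { throw "CNAME target $($cname.NameHost) has no A record" }
        [pscustomobject]@{
            DC     = $serverCn
            Cname  = $cnameFqdn
            Target = $cname.NameHost
            A      = ($a.IPAddress -join ', ')
            Status = 'OK'
        }
    } catch {
        [pscustomobject]@{
            DC = $serverCn; Cname = $cnameFqdn; Target = $null; A = $null
            Status = "FAIL: $($_.Exception.Message)"
        }
    }
}
```

Any row whose Status is not OK is a DC that partners cannot locate by GUID, which is exactly the case Paul's nslookup is meant to surface; a row that resolves (as Major's did) rules DNS out for that DC and points the investigation back at the directory objects.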
Mr Major Thorburn
2006-01-25 16:32:04 UTC
Paul, it resolved to the server name, i.e.

881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk canonical
name =
sjhdc01.xports.nhs.uk

Regards, Major.
Paul Williams [MVP]
2006-01-26 07:47:23 UTC
Post by Mr Major Thorburn
Which server object is it talking about that does not have a
serverReference attribute?
Sorry, misread your question. The corresponding server object is the object
that you see in DSSITE.MSC for the DC.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-01-26 08:01:02 UTC
OK. If I open sites and services and locate the DC that is getting these
events is it that object that does not have a serverreference attribute or
one of its connected servers?

Is it possible to fix this by using for example adsiedit?

Regards, Major.
Paul Williams [MVP]
2006-01-26 08:31:26 UTC
Post by Mr Major Thorburn
Is it possible to fix this by using for example adsiedit?
Yes, it sure is:
-- http://support.microsoft.com/?id=312862
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-01-26 12:59:02 UTC
Paul, you are a star.
Thank you very much for your help.
Your guidance and following the KB article helped me fix the problem.
Regards, Major.
Mr Major Thorburn
2006-01-26 13:21:02 UTC
Paul, sorry spoke too soon. Too eager to get this fixed I guess.
The event error came back.
I did use adsiedit to clean up the SYSVOL replication partners.
There were some old DC entries in there.

How do I use adsiedit to select the specific DC that the event error is
talking about, i.e. SJHDC01?
It is not a SYSVOL replica partner of the DC where the event error is
occurring as it is in the parent domain.

Regards, Major.
Paul Williams [MVP]
2006-01-27 12:24:56 UTC
SYSVOL doesn't replicate forest wide. It is a [special] domain-based DFS
root. Can you please clarify what changes have you made, and what errors
are you now getting? Sorry if you've stated some of this, I just want to be
sure where we're at.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-01-27 13:19:02 UTC
The changes I made were in System, File Replication. That was what the KB
article was about.
The error I am getting is the same as before: event 2003 error 8589.

The local domain controller was unable to replicate changes to the following
remote domain controller for the following directory partition.

Remote domain controller:
881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
Directory partition:
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk

The local domain controller cannot complete demotion.

User Action
Investigate why replication between these two domain controllers cannot be
performed. Then, try to demote this domain controller again.

Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to
mutually authenticate the target server because the corresponding server
object in the local DS database has no serverReference attribute.

Regards, Major.
Paul Williams [MVP]
2006-01-31 20:44:27 UTC
Sorry for the delay - I wanted to verify this in one of my customer
environments - they have several domains in a forest. I haven't been able
to yet, as I've been out of the office.

Try adding the necessary NTDS Settings object DN into the serverReference
attribute, regardless of domain. This is like so:

CN=NTDS Settings, CN=<Computer name>, CN=Servers, CN=<Site name>, CN=Sites,
CN=Configuration, DC=<forest root>,DC=com


e.g.

CN=NTDS Settings, CN=LON-MIIS, CN=Servers, CN=Default-First-Site-Name,
CN=Sites, CN=Configuration, DC=fabrikam,DC=com


Note. There appears to be a typo in the DN listed in the KB. The above is
correct - pasted from a VM.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-02-01 07:20:30 UTC
Paul, thanks for getting back to me. OK about the delays. I understand how busy
you must be. One of you and lots of us with questions.

The KB article talks about FRS SYSVOL share. The DC referenced in the event
is in a parent domain. I thought that the SYSVOL share was domain specific.
Should there be a CN entry for the server in the event on this DC in
ADSIEDIT under System, File Replication Service, Domain System Volume (SYSVOL
share)?
If not which CN would contain the ServerReference?
Regards, Major.
Paul Williams [MVP]
2006-02-01 17:04:14 UTC
Post by Mr Major Thorburn
The KB article talks about FRS SYSVOL share. The DC referenced in the
event is in a parent domain. I thought that the SYSVOL share was domain
specific.
It is. That's why the KB threw me. Although I've had a re-think and I
think I know what's going on... (famous last words before hiding away in
shame)
Post by Mr Major Thorburn
Should there be a CN entry for the server in the event on this DC in
ADSIEDIT under System, File Replication Service, Domain System Volume
(SYSVOL share)?
No.
Post by Mr Major Thorburn
If not which CN would contain the ServerReference?
The serverReference attribute should point to the NTDS Settings object for
this DC. Basically, the nTFRSMember object defines what servers are part of
a given FRS replica set. There are several important attributes of these
objects, two of which are fRSComputerReference and serverReference. The
former holds the DN of the FRS member that this object represents. The
latter holds the DN of the connection object for the FRS member that this
object represents. The reason being that SYSVOL uses the same connection
objects as DS replication.

So, you need to verify that both servers point to themselves, or rather,
their own connection object. The parent DCs member object should have its
own NTDS Settings object as its serverReference attribute, and the other DC
in question should have its own.

As an example, you have four DCs - two per domain. We'll focus on one from
each domain. In this example there are two nTFRSMember objects that we're
concerned with (one in each domain):

CN=PDC01, CN=Domain System Volume (SYSVOL), CN=File Replication Service,
CN=System, DC=forest-root, DC=com

CN=CDC01, CN=Domain System Volume (SYSVOL), CN=File Replication Service,
CN=System, DC=child-domain, DC=forest-root, DC=com


These should have a serverReference attribute that points to something like
this:

CN=NTDS Settings, CN=PDC01, CN=Servers, CN=ParentDomainSite, CN=Sites,
CN=Configuration, DC=forest-root, DC=com

CN=NTDS Settings, CN=CDC01, CN=Servers, CN=ChildDomainSite, CN=Sites,
CN=Configuration, DC=child-domain, DC=forest-root, DC=com


Hope that makes sense.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
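The two posts above (the DN to put in serverReference, and the check that every nTFRSMember points at its own DC's NTDS Settings object) can be done for the whole forest at once. The script below is an added example, not code from the thread or from the KB article. It assumes an account that can read every domain partition and the Configuration partition, and it relies on two facts: the Configuration partition is forest-wide, so the expected DN is always built under the forest root's configuration naming context (not under the child domain's DN), and the SYSVOL replica set container in each domain is named "Domain System Volume (SYSVOL share)". With -Fix, run as an administrator of the affected domain, it writes the expected DN where the attribute is missing or wrong.

```powershell
# Added example (not from the thread): audit, and optionally repair, the
# serverReference attribute of every SYSVOL nTFRSMember object in the forest.
# Expected value: the DN of that DC's own NTDS Settings object, which lives in the
# forest-wide Configuration partition. Assumes read access to every domain NC.
param([switch]$Fix)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value

# Server CN (DC name) -> NTDS Settings DN, for every DC in the forest.
$dsaByServer = @{}
$s = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$configNc", '(objectClass=nTDSDSA)')
$s.PageSize = 500
foreach ($r in $s.FindAll()) {
    $dn       = $r.Properties['distinguishedname'][0]
    $serverCn = (($dn -split ',')[1] -replace '^CN=', '').ToUpper()
    $dsaByServer[$serverCn] = $dn
}

# Every domain in the forest: crossRef objects under CN=Partitions whose
# systemFlags has the FLAG_CR_NTDS_DOMAIN bit (0x2) set.
$parts = New-Object System.DirectoryServices.DirectorySearcher(
            [ADSI]"LDAP://CN=Partitions,$configNc",
            '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))')

$findings = foreach ($p in $parts.FindAll()) {
    $domainNc = $p.Properties['ncname'][0]
    $setDn = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNc"
    try {
        $setRoot = [ADSI]"LDAP://$setDn"
        [void]$setRoot.distinguishedName   # forces the bind; throws if absent/unreadable
    } catch {
        [pscustomobject]@{ Domain = $domainNc; Member = $null; ServerReference = $null
                           Expected = $null; Status = "CANNOT READ REPLICA SET: $($_.Exception.Message)" }
        continue
    }
    $m = New-Object System.DirectoryServices.DirectorySearcher($setRoot, '(objectClass=nTFRSMember)')
    foreach ($r in $m.FindAll()) {
        $memberCn = ([string]$r.Properties['cn'][0]).ToUpper()
        $actual   = if ($r.Properties.Contains('serverreference')) { $r.Properties['serverreference'][0] } else { $null }
        $expected = $dsaByServer[$memberCn]
        # -ne on strings is case-insensitive in PowerShell, which is what we want for DNs.
        $status = if (-not $expected)          { 'NO NTDS SETTINGS OBJECT (stale member?)' }
                  elseif (-not $actual)        { 'MISSING serverReference' }
                  elseif ($actual -ne $expected) { 'WRONG serverReference' }
                  else                         { 'OK' }
        if ($Fix -and $expected -and $status -ne 'OK') {
            $obj = $r.GetDirectoryEntry()
            $obj.Put('serverReference', $expected)
            $obj.SetInfo()
            $status += ' -> FIXED'
        }
        [pscustomobject]@{ Domain = $domainNc; Member = $memberCn; ServerReference = $actual
                           Expected = $expected; Status = $status }
    }
}
$findings | Format-Table -AutoSize
```

A member that has no NTDS Settings object at all is a different problem from a missing attribute: it usually means the DC was removed without metadata cleanup, and the fix is to remove the stale member rather than to point it at anything.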
Mr Major Thorburn
2006-02-02 08:10:26 UTC
Paul, thanks for the excellent explanation which I followed with no problem.
I checked the serverReference and the field is correct for all the DCs in
all the domains.
The confusion for me is that the event log entry is referring to a server
that is not in this domain. On this particular DC it is for a DC from the
parent domain. If I look on the parent domain it has the same event but for
this DC.
It looks like there is a link missing.

I should have pointed out earlier that this ActiveDirectory setup has been
established via an Active Directory disaster recovery exercise, following all
the good guidelines from MS, and is all running on virtual systems.
It was established because we do not have a test facility.
I have carried out things like installation of SP1, promotions, demotions,
move of DCs, rename of DCs and raising the forest to run in native mode and
all has been successful.
What I am now trying to achieve now is a domain rename and this event error
is what is stopping me do that.

We have an opportunity here to do what we like.
If we want to experiment with something I will take a backup of all the images
and we can do anything we like as we would have a full recovery available.

Regards, Major.
Paul Williams [MVP]
2006-02-03 10:55:23 UTC
This is looking more and more like the only issue is with replicating that
app partition rather than an issue with FRS.

Delete all the connection objects for each server object in DSSITE.MSC and
go and get yourself a cup of coffee. After you've drunk it, fire up REPLMON
and force replication between DCs in the same domain and across domains (the
enterprise and app partitions).

Rescan the event logs.

Also, run DCDIAG /V /C /E and post any errors or warnings.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
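The procedure above (let the KCC rebuild the connection objects, force replication of every partition across the forest, then read the event logs and dcdiag output) can be scripted. The following is an added example, not part of the thread; it uses repadmin.exe in place of the REPLMON GUI because repadmin exposes the same forcing and reporting operations from the command line, and it assumes repadmin.exe and dcdiag.exe are on the path (Support Tools or RSAT) and that the caller has replication rights in every domain. The DC list is discovered from the Configuration partition unless one is supplied.

```powershell
# Added example (not from the thread): re-run the KCC on every DC, push every
# partition to every partner, then summarise failing replication links from
# repadmin's CSV output and failed dcdiag tests. Assumes repadmin.exe and
# dcdiag.exe are available and the caller can replicate in every domain.
param([string[]]$DomainControllers = @())

if (-not $DomainControllers) {
    # All DCs in the forest: the dNSHostName of each NTDS Settings object's parent server object.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $s = New-Object System.DirectoryServices.DirectorySearcher(
            [ADSI]"LDAP://$configNc", '(objectClass=nTDSDSA)')
    $DomainControllers = @(foreach ($r in $s.FindAll()) {
        $serverDn = ($r.Properties['distinguishedname'][0] -split ',', 2)[1]
        ([ADSI]"LDAP://$serverDn").dNSHostName.Value
    })
}

foreach ($dc in $DomainControllers) {
    # Rebuild this DC's inbound connection objects now rather than waiting for the
    # KCC's 15-minute interval.
    & repadmin.exe /kcc $dc | Out-Null
    # /A = all partitions held by the DC, /e = cross-site too, /P = push from $dc.
    & repadmin.exe /syncall $dc /AeP | Out-Null
}

# One CSV row per inbound link per partition on every DC.
$links   = (& repadmin.exe /showrepl * /csv) | ConvertFrom-Csv
$failing = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }

"Failing inbound links: $(@($failing).Count)"
$failing |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Status', 'Last Failure Time' |
    Format-Table -AutoSize

# dcdiag /v /c /e runs every test on every DC in the enterprise; keep only the
# verdict lines and the warnings so the output fits in a post.
$dcdiagOut = & dcdiag.exe /v /c /e
$dcdiagOut | Select-String -Pattern 'failed test|Warning:' | ForEach-Object { $_.Line.Trim() }
```

"Last Failure Status" in the repadmin CSV is the same numeric error the NTDS event carries (8589 in this thread), so the table shows directly which partner and which partition are still refusing to replicate after the connection objects have been rebuilt.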
Mr Major Thorburn
2006-02-07 14:08:28 UTC
Paul, further to my previous response I have removed two DCs that I had added
(I was trying to force the regeneration of the links). Now back to the
original 8 (2 per domain: 1 parent, 3 children).
The dcdiag still shows errors but most of them seem to be for access denied.
The id I am using to run the command is a domain admin in the sub domain and
the server it is concerned about is in the parent domain.
I tried to 'manage' the server in the parent domain and when I tried to open
the services I got access denied. When I tried the same on the live
production system it worked fine.
What access rights are required for a domain administrator of a child domain
to open services on a DC in a parent domain?
Regards, Major.
Paul Williams [MVP]
2006-02-10 08:32:51 UTC
You'll need to be administrator in that domain. Which means you need to be
a member of the built-in\administrators group (or EA).
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-03-21 20:52:56 UTC
This is strange. All of those errors are access denied. Are these DCs
still members of the Domain Controllers group?
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-03-22 07:50:31 UTC
Paul, thanks for getting back to me. I have been working on other things
since the last post so any delay has not been a problem. I'm just glad of
your response.

All the DCs are in the appropriate Domain Controllers group and the domains
are intact because I can promote a new server as a DC in each of them without
any problems.
I am able to do some more diagnosis now as my other work is complete.
Regards, Major.
Mr Major Thorburn
2006-02-11 11:15:26 UTC
Paul, I have just noticed that dcdiag failed to complete.
The text in the event log was

Faulting application dcdiag.exe, version 5.2.3790.1830, faulting module
dcdiag.exe, version 5.2.3790.1830, fault address 0x0004a66c.

Any suggestions for that?

Regards, Major.
Paul Williams [MVP]
2006-03-21 20:47:39 UTC
Sorry for the delay. This post is a long way down...

I would try the newest version. The support tools ship newer versions with
the SPs, but don't install as part of the SP. You can also download the
latest versions.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-03-22 07:59:02 UTC
Paul, don't worry about the delay, I was doing other things.
Did you want me to start a new thread?
The version of dcdiag I was using is 5.2.3790.1830. Is that the latest?

The DS errors have changed a bit.
On the root domain DCs I am getting
Active Directory failed to construct a mutual authentication service
principal name (SPN) for the following domain controller.

Domain controller:
1201a128-9b81-4adf-b2cf-2fab2180c3b0._msdcs.xports.nhs.uk

The call was denied. Communication with this domain controller might be
affected.

Additional Data
Error value:
8419 The DSA object could not be found.

And on the sub domain DCs
The local domain controller was unable to replicate changes to the following
remote domain controller for the following directory partition.

Remote domain controller:
84741a6c-b847-42bc-9c0f-a9fe7b6de218._msdcs.xports.nhs.uk
Directory partition:
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk

The local domain controller cannot complete demotion.

User Action
Investigate why replication between these two domain controllers cannot be
performed. Then, try to demote this domain controller again.

Additional Data
Error value:
8419 The DSA object could not be found.

Regards, Major.
Paul Williams [MVP]
2006-05-25 16:48:22 UTC
That looks like there are still DCs in AD that aren't there. Or, there are
stale CNAME records in DNS. Delete _msdcs and restart NETLOGON on the DCs
(this is a test lab if I remember correctly).

Follow kb216498 to be sure you've not left anything in there that shouldn't
be.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
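Before deleting the whole _msdcs zone, it is worth knowing which records are actually stale. The script below is an added example, not from the thread: it lists every GUID-named CNAME in the _msdcs zone and flags those whose GUID no longer matches any NTDS Settings object, which is the DNS-side symptom of a DC that was removed without metadata cleanup (the situation kb216498 addresses). It assumes the DnsServer PowerShell module (RSAT on Windows 8 / Server 2012 or later), that _msdcs is its own delegated zone named _msdcs.<forest root> (pass -ZoneName otherwise), and that the DC the session bound to is also a DNS server (pass -DnsServer otherwise).

```powershell
# Added example (not from the thread): flag <GUID>._msdcs CNAMEs that have no
# matching NTDS Settings object in the Configuration partition. Assumes the
# DnsServer module and a delegated _msdcs.<forest root> zone.
param([string]$DnsServer = $null, [string]$ZoneName = $null)

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.configurationNamingContext.Value
$forestDns = (($rootDse.rootDomainNamingContext.Value -split ',') -replace '^DC=', '') -join '.'
if (-not $ZoneName)  { $ZoneName  = "_msdcs.$forestDns" }
if (-not $DnsServer) { $DnsServer = $rootDse.dnsHostName.Value }   # the DC we bound to

# Live DSA GUIDs: one per NTDS Settings object in the Configuration partition.
$live = @{}
$s = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$configNc", '(objectClass=nTDSDSA)')
$s.PageSize = 500
[void]$s.PropertiesToLoad.AddRange([string[]]@('objectGUID', 'distinguishedName'))
foreach ($r in $s.FindAll()) {
    $guid = ([guid]$r.Properties['objectguid'][0]).ToString()   # lower-case hex
    $live[$guid] = $r.Properties['distinguishedname'][0]
}

# Only GUID-named CNAMEs; the zone also holds gc._msdcs, dc._msdcs etc.
$guidRe = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'

Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType CName |
    Where-Object { $_.HostName -match $guidRe } |
    ForEach-Object {
        $guid = $_.HostName.ToLower()
        [pscustomobject]@{
            Cname        = "$guid.$ZoneName"
            Target       = $_.RecordData.HostNameAlias
            NtdsSettings = $live[$guid]
            Status       = if ($live.ContainsKey($guid)) { 'OK' }
                           else { 'STALE: no NTDS Settings object with this GUID' }
        }
    } | Format-Table -AutoSize
```

The reverse case, a live NTDS Settings object with no CNAME, is the one the nslookup check earlier in the thread catches; restarting NETLOGON on that DC re-registers its records. A record reported STALE here should be removed together with the rest of the dead DC's metadata, since partners that still find it will keep trying to authenticate to a DSA that no longer exists.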
Mr Major Thorburn
2006-02-15 14:51:29 UTC
Paul, I have subsequently run dcdiag /v /c on each DC.
Some of them, particularly in the sub domains, have "downstream topology is
disconnected" messages.
Any hints for this?
Regards, Major.
Paul Williams [MVP]
2006-05-25 16:45:12 UTC
Clutching at straws here, as it gets tricky without being there:
-- http://support.microsoft.com/?id=320063


This still looks like its DNS related.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-05-26 09:07:02 UTC
Paul, I have created a new post for the same setup.
I did a DC demotion/promotion and that seemed to resolve this particular issue.

I would appreciate your help with the new problem in the new post if that is
ok with you.

I may get back to this sort of problem when I attempt another domain rename.

At the moment I am trying to do an exchange 2003 installation and the AD
replication problems are stopping that which is in the new post.

Thanks for your help on this one.

Regards, Major.
Mr Major Thorburn
2006-01-31 08:16:27 UTC
Anyone any other thoughts on this?
I realise you are all very busy looking after your own systems and helping
other users but if you could give me a hint on where to look I will go and
look there.
Any help you can give will help me loads.
Thanks.
Regards, Major.