AD schema not replicating


aviens

I recently made changes to the AD schema. These included
changing the FSMO roles to a new server so I could retire
the old server. While the changes were replicated to some
of the DCs on the network, one DC did not receive or
implement the changes. There are a number of errors being
logged but I do not know if they are related to this
issue. Some are Kerberos errors, as well as DNS errors.
The DNS errors seem to deal with the "Active Directory
integrated" zone, but the new zone information is not
replicating to the DC so the DNS is generating errors. Any
ideas to help? Should I demote the DC to a member server
and then re-promote it to a DC?
 

Cary Shultz [A.D. MVP]

Aviens,

Is this a one Site AD environment or do you have multiple Sites in your AD
environment?

In any case, let's start by looking at either of these two sets of MSKB
Articles:

http://support.microsoft.com/?id=249256 ( for Intra-Site Replication
issues )

- or -
http://support.microsoft.com/?id=224815 ( for Inter-Site Replication
Issues )
http://support.microsoft.com/?id=271997


The first 'set' is simply basic troubleshooting of Intra-Site Replication
issues if you have one Site.

The second set includes information on the KCC and Bridgehead Servers. For
each Site that you have you would need to use the first Article ( 249256 )
for the 'internal' Troubleshooting as well as take a look at the second set
( 224815 and 271997 ).

It might also help to let us know what the event ids are so that we can
possibly help there ( take a look at http://www.eventid.net ) as well as
doing a DCDIAG /c /v on each Domain Controller. DCDIAG is a utility that is
available from the Support Tools. The Support Tools can be found in a
couple of places: on the WIN2000 Server CD and on the WIN2000 Service Pack
CD in the Support | Tools folder as well as on the Microsoft web site. You
would need to install the Support Tools on each DC ( I would suggest on each
and every Server that you have! ). Running DCDIAG with the /c switch
( which results in a comprehensive examination - aka performs more tests ) and
with the /v switch ( which puts it in verbose mode ) will give you good results.
You might also want to redirect the output to a text file. You can either
use the /f: switch to do this ( example, /f:c:\dcdiagdc1.log on your 'DC1'
and /f:c:\dcdiagdc2.log on your 'DC2' ) or use the redirector ( > ) so that
you can more easily go through this. You can simply do a search for error,
fail and warn in Notepad as this might bring you to the problem more
quickly.

You might also want to do an ipconfig /all on each DC to make sure that
there is nothing out of the ordinary there. Make sure that all of your DCs
( well, all machines for that matter ) are pointing ONLY to your Internal
DNS Server(s) and that the domain name is spelled correctly ( if you added
it to the 'DNS Suffix for this connection' in your TCP/IP configuration
settings ).

Kerberos errors can result if the time difference between the machines
exceeds five minutes ( the default ). You might want to run a netdiag /v on
each DC as well ( this is also from the Support Tools ).

HTH,

Cary
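
The log search described in the reply above (looking for error, fail and warn in the saved DCDIAG output), as an added example that is not part of the original post. The function name `Find-DcdiagProblems`, the sample log text and the `example.local` domain are constructed for illustration; the sample stands in for a file such as c:\dcdiagdc2.log.

```powershell
# Constructed sample standing in for c:\dcdiagdc2.log (not output from this thread).
$sampleLog = @'
Doing primary tests

   Testing server: Default-First-Site-Name\DC2
      Starting test: Replications
         [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: CN=Schema,CN=Configuration,DC=example,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
         ......................... DC2 failed test Replications
      Starting test: NetLogons
         ......................... DC2 passed test NetLogons
      Starting test: Services
         Warning: w32time service is stopped on [DC2]
         ......................... DC2 failed test Services
'@

# Hypothetical helper: tags every error/fail/warn line with the DCDIAG test
# it appeared under, so hits can be grouped by test instead of read one by one.
function Find-DcdiagProblems {
    param([string[]]$Lines)
    $test = '(none)'
    $n = 0
    foreach ($line in $Lines) {
        $n++
        # Remember which test section we are in.
        if ($line -match 'Starting test:\s*(\S+)') { $test = $Matches[1]; continue }
        # -match is case-insensitive, so this also catches "Warning" and "FAILED".
        if ($line -match 'error|fail|warn') {
            [pscustomobject]@{ Line = $n; Test = $test; Text = $line.Trim() }
        }
    }
}

# On a DC, collect the log first:  dcdiag /c /v /f:c:\dcdiagdc2.log
# then scan it with:               Find-DcdiagProblems (Get-Content c:\dcdiagdc2.log)
$hits = Find-DcdiagProblems ($sampleLog -split "`r?`n")
$hits | Format-Table -AutoSize

# Per-test count of hits: a quick view of which tests need attention on this DC.
$hits | Group-Object Test | Select-Object Name, Count
```

Running the same scan over the log from each DC makes it easy to see whether the non-replicating DC fails tests that the others pass.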
 
