DC Apparently lost authentication to domain

Ken Eisman

We have a W2K/2K3 domain. It's been working fine up until this weekend. Now
one DC (in a remote site) will not authenticate with the other DCs.
Consequently, clients that authenticate with the bad DC cannot access
network resources in the home site. They seem to be able to access resources
in the remote site without problem.

Some examples are:
If I try to connect to the event viewer of a good DC from the bad DC, I get
an 'access denied' error.
If I try to connect to any computer in the good site from any computer in
the bad site using the computer browser or 'net use ...', I get 'The target
account name is incorrect'
If I try to connect using 'net view...', I get 'Error 5 Access is denied.'
In ADSS, replication appears to work from the good DC to the bad DC but not
from the bad DC to the good DC.
DNS on the bad DC gives an error 4015 '....critical error from the Active
Director' in the event log.
Running netdiag on the bad DC yields very few errors except for this:
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC
'adserver.co.matagorda.tx.us'.
[WARNING] Failed to query SPN registration on DC
'ptr-svr.co.matagorda.tx.us'.
[WARNING] Failed to query SPN registration on DC
'ANTIVIRUS.co.matagorda.tx.us'.
(These are all the DCs in the home site.)

Based on my search of the MS KB, I've tried using netdom to reset the
password and I've checked for duplicate account names, but nothing has
helped, so far.

I'm not sure what kind of information you may need to help me out. Just ask
for it and I will do my best to provide it.

Thank You

Ken
 
Paul Bergson

First thought that comes to mind is a firewall issue. Just because the
servers haven't changed doesn't mean someone didn't block some ports on you.
Check with your firewall folks and see if they made any changes over the
weekend.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Ken Eisman

We own the connection to the remote site, so there is no firewall between
the home and remote sites. There is just a routing switch which doesn't have
the capability to block ports.

Good thought. I wish it were that easy.

Speaking of routing... Could it be a WINS/NetBIOS thing since we are
routing? We're not using WINS because every MS class I ever went to
suggested not using it with AD integrated DNS but I've recently heard that
some things just won't work right without WINS. Any thoughts?

Ken

Paul Bergson

Try running netdiag, repadmin and dcdiag. Look for fail, error and warning
errors.

If you don't have the tools installed, load them from your install disk.

d:\i386\adminpak.msi (Server tools for remote management of servers)
d:\support\tools\setup.exe (Server Utilities)

Copy the following to a cmd file and run it, then look for error, fail and warn
within the reports. Post any errors you can't figure out. Make sure you
modify DC_Name to the name of a DC in your domain.

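@echo off
rem Run from the Support Tools folder so dcdiag, netdiag and repadmin are found.
c:
cd \
cd "program files\support tools"

rem Domain controller diagnostics: comprehensive, verbose, all DCs in the enterprise.
if exist c:\dcdiag.log del c:\dcdiag.log
dcdiag /e /c /v /s:DC_Name /f:c:\dcdiag.log
start c:\dcdiag.log

rem Network diagnostics for the local machine.
netdiag.exe /v > c:\netdiag.log
start c:\netdiag.log

rem Replication status for every DC whose name matches dc*.
repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
start c:\repl.txt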


See for more details

http://www.microsoft.com/technet/pr...Ref/1d4ce93c-54f2-4069-a708-251509c38837.mspx

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


Ken Eisman

There were quite a few errors so I'll just post a few this time. Hopefully
this will give you enough information. I'll post more as needed.

I'm running the tests from SOSERVER (the DC with problems). The PDC Emulator
is ADSERVER.

***************************************************
From dcdiag:

Doing initial required tests

Testing server: Courthouse\ADSERVER
Starting test: Connectivity
* Active Directory LDAP Services Check
[ADSERVER] LDAP bind failed with error 8341,
A directory service error has occurred..
......................... ADSERVER failed test Connectivity

Testing server: SO\TLETS
Starting test: Connectivity
* Active Directory LDAP Services Check
The host
e66261ed-1506-47c2-b5a8-18054c8b88a9._msdcs.co.matagorda.tx.us could not be
resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name

(e66261ed-1506-47c2-b5a8-18054c8b88a9._msdcs.co.matagorda.tx.us)

couldn't be resolved, the server name (tlets.co.matagorda.tx.us)

resolved to the IP address (192.168.18.102) and was pingable.
Check

that the IP address is registered correctly with the DNS server.
......................... TLETS failed test Connectivity

Testing server: Courthouse\PTR-SVR
Starting test: Connectivity
* Active Directory LDAP Services Check
[PTR-SVR] LDAP bind failed with error 8341,
A directory service error has occurred..
......................... PTR-SVR failed test Connectivity

Testing server: Courthouse\ANTIVIRUS
Starting test: Connectivity
* Active Directory LDAP Services Check
[ANTIVIRUS] LDAP bind failed with error 8341,
A directory service error has occurred..
......................... ANTIVIRUS failed test Connectivity

Testing server: SO\SOSERVER
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SOSERVER passed test Connectivity
Doing primary tests

Testing server: Courthouse\ADSERVER
Skipping all tests, because server ADSERVER is
not responding to directory service requests

Testing server: SO\TLETS
Skipping all tests, because server TLETS is
not responding to directory service requests

Testing server: Courthouse\PTR-SVR
Skipping all tests, because server PTR-SVR is
not responding to directory service requests

Testing server: Courthouse\ANTIVIRUS
Skipping all tests, because server ANTIVIRUS is
not responding to directory service requests

Testing server: SO\SOSERVER
Starting test: Replications
* Replications Check
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
SOSERVER: Current time is 2005-10-19 13:48:17.
CN=Schema,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Last replication recieved from PTR-SVR at 2005-08-18
09:48:24.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ADSERVER at 2005-08-18
09:49:56.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ANTIVIRUS at 2005-08-18
09:48:43.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Latency information for 4 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 1 had no latency information (Win2K DC).
CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Last replication recieved from PTR-SVR at 2005-08-18
09:49:34.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ADSERVER at 2005-08-18
09:49:56.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ANTIVIRUS at 2005-08-18
09:48:43.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Latency information for 4 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 1 had no latency information (Win2K DC).
DC=co,DC=matagorda,DC=tx,DC=us
Last replication recieved from PTR-SVR at 2005-08-18
09:51:24.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ADSERVER at 2005-08-18
09:53:49.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ANTIVIRUS at 2005-08-18
09:54:02.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Latency information for 4 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 1 had no latency information (Win2K DC).
* Replication Site Latency Check
REPLICATION-RECEIVED LATENCY WARNING

Source site:

CN=NTDS Site
Settings,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us

Current time: 2005-10-19 13:48:17

Last update time: 2005-08-18 09:26:19

Check if source site has an elected ISTG running.

Check replication from source site to this server.
......................... SOSERVER passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us.
These servers can't get changes from home server SOSERVER:
Courthouse/ADSERVER
Courthouse/PTR-SVR
Courthouse/ANTIVIRUS
* Analyzing the connection topology for
CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us.
These servers can't get changes from home server SOSERVER:
Courthouse/ADSERVER
Courthouse/PTR-SVR
Courthouse/ANTIVIRUS
* Analyzing the connection topology for
DC=co,DC=matagorda,DC=tx,DC=us.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=co,DC=matagorda,DC=tx,DC=us.
These servers can't get changes from home server SOSERVER:
Courthouse/ADSERVER
Courthouse/PTR-SVR
Courthouse/ANTIVIRUS
......................... SOSERVER failed test Topology
---8><------------------------------
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=ADSERVER,CN=Servers,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
[ADSERVER] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: ADSERVER is the Schema Owner, but is not responding to DS
RPC Bind.
Warning: ADSERVER is the Schema Owner, but is not responding to
LDAP Bind.
Role Domain Owner = CN=NTDS
Settings,CN=ADSERVER,CN=Servers,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Warning: ADSERVER is the Domain Owner, but is not responding to DS
RPC Bind.
Warning: ADSERVER is the Domain Owner, but is not responding to
LDAP Bind.
Role PDC Owner = CN=NTDS
Settings,CN=ADSERVER,CN=Servers,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Warning: ADSERVER is the PDC Owner, but is not responding to DS RPC
Bind.
Warning: ADSERVER is the PDC Owner, but is not responding to LDAP
Bind.
Role Rid Owner = CN=NTDS
Settings,CN=ADSERVER,CN=Servers,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Warning: ADSERVER is the Rid Owner, but is not responding to DS RPC
Bind.
Warning: ADSERVER is the Rid Owner, but is not responding to LDAP
Bind.
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=ADSERVER,CN=Servers,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Warning: ADSERVER is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: ADSERVER is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... SOSERVER failed test KnowsOfRoleHolders

-8><------------------------
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8000061E
Time Generated: 10/19/2005 13:47:22
Event String: All domain controllers in the following site that
can replicate the directory partition over this
transport are currently unavailable.

Site:
CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us

Directory partition:
DC=co,DC=matagorda,DC=tx,DC=us

Transport:
CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us

An Error Event occured. EventID: 0xC000051F
Time Generated: 10/19/2005 13:47:22
Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory
partition.

Directory partition:

DC=co,DC=matagorda,DC=tx,DC=us

There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
*****************************************************************************

From repl:

SO\SOSERVER
DC Options: IS_GC
Site Options: (none)
DC object GUID: 089439f1-02f1-461d-bec5-0315ce44ae8d
DC invocationID: 582897d5-1cd0-4d51-8e63-6f7f5751d5a7

==== KCC CONNECTION OBJECTS ============================================

Connection --
Connection name : 3f1a9949-e259-4e23-8f51-f46f876cc15f
Server DNS name : soserver.co.matagorda.tx.us
Server DN name : CN=NTDS
Settings,CN=SOSERVER,CN=Servers,CN=SO,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Source: Courthouse\ADSERVER

******* 90 CONSECUTIVE FAILURES since 2005-10-18 15:49:32
Last error: -2146893022 (0x80090322):
The target principal name is incorrect.
TransportType: IP
options: isGenerated overrideNotifyDefault
ReplicatesNC: CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Reason: IntersiteTopology
******* WARNING: KCC could not add this REPLICA LINK due to error.
ReplicatesNC: DC=co,DC=matagorda,DC=tx,DC=us
Reason: IntersiteTopology
******* WARNING: KCC could not add this REPLICA LINK due to error.
enabledConnection: whenChanged: 20051018214717.0Z
whenCreated: 20051018214717.0Z
Schedule:
day: 0123456789ab0123456789ab
Sun: ffffffffffffffffffffffff
Mon: ffffffffffffffffffffffff
Tue: ffffffffffffffffffffffff
Wed: ffffffffffffffffffffffff
Thu: ffffffffffffffffffffffff
Fri: ffffffffffffffffffffffff
Sat: ffffffffffffffffffffffff

***************************************************************************************
From netdiag:

Testing DNS
PASS - All the DNS entries for DC are registered on DNS server
'192.168.18.100' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server '192.168.1.100'. Please wait for 30 minutes for DNS server
replication.
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server '192.168.1.107'. Please wait for 30 minutes for DNS server
replication.

***************************************************************************

Thanks for your help.

Ken
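
Added example (not part of the original posts): a Python triage of dcdiag and repadmin text like the output above, computing how long ago each partner last replicated and listing links with consecutive failures. The sample text is assembled from lines posted in this thread plus one constructed partner, DC-EXAMPLE; the function names are assumptions, and the 60-day default is taken from the dcdiag warning text.

```python
"""Triage dcdiag / repadmin text: stale replication partners and failing links."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

TS = r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}"
NOW_RE = re.compile(r"Current time is\s+(" + TS + r")")
# Either a naming-context line (a DN alone on its line) or a "Last replication"
# entry. dcdiag spells it "recieved"; \s+ also absorbs the mail client's wraps.
ENTRY_RE = re.compile(
    r"^\s*(?P<nc>(?:CN|DC)=\S+)\s*$"
    r"|Last replication rec(?:ie|ei)ved from\s+(?P<src>\S+)\s+at\s+(?P<ts>" + TS + r")",
    re.M,
)
# One repadmin connection: Source, failure count, then the last error. The
# (?!Source:) guard stops a healthy link from absorbing the next link's failure.
LINK_RE = re.compile(
    r"Source:\s*(?P<src>\S+)(?:(?!Source:).)*?"
    r"(?P<n>\d+)\s+CONSECUTIVE FAILURES since\s+(?P<since>" + TS + r")"
    r"(?:(?!Source:).)*?Last error:\s*(?P<dec>-?\d+)\s*\(0x[0-9a-fA-F]+\):\s*"
    r"(?P<msg>[^\n]+)",
    re.S,
)
# SSPI status names; only the code seen in this thread is listed.
STATUS_NAMES = {0x80090322: "SEC_E_WRONG_PRINCIPAL"}

Latency = namedtuple("Latency", "nc source last_received age_days stale")
FailingLink = namedtuple("FailingLink", "source failures since code name message")

# Sample input: lines posted in the thread (mail-client wrapping kept) plus one
# constructed partner, DC-EXAMPLE, that is still inside the tombstone lifetime.
SAMPLE_DCDIAG = r"""
Testing server: SO\SOSERVER
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
SOSERVER: Current time is 2005-10-19 13:48:17.
DC=co,DC=matagorda,DC=tx,DC=us
Last replication recieved from PTR-SVR at 2005-08-18
09:51:24.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ADSERVER at 2005-08-18
09:53:49.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from DC-EXAMPLE at 2005-10-19
09:00:00.
"""
SAMPLE_REPADMIN = r"""
Source: Courthouse\DC-EXAMPLE
Source: Courthouse\ADSERVER
******* 90 CONSECUTIVE FAILURES since 2005-10-18 15:49:32
Last error: -2146893022 (0x80090322):
The target principal name is incorrect.
"""


def _ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' even when a line wrap split date and time."""
    return datetime.strptime(" ".join(text.split()), "%Y-%m-%d %H:%M:%S")


def replication_latency(report, tombstone_days=60):
    """Return one Latency row per 'Last replication' entry in dcdiag text."""
    now_match = NOW_RE.search(report)
    if now_match is None:
        raise ValueError("report has no 'Current time is' line")
    now, limit = _ts(now_match.group(1)), timedelta(days=tombstone_days)
    rows, nc = [], None
    for m in ENTRY_RE.finditer(report):
        if m.group("nc"):
            nc = m.group("nc").rstrip(".")  # remember the current naming context
            continue
        last = _ts(m.group("ts"))
        age = now - last
        rows.append(Latency(nc, m.group("src"), last, age.days, age > limit))
    return rows


def failing_links(report):
    """Return one FailingLink per repadmin connection with consecutive failures."""
    links = []
    for m in LINK_RE.finditer(report):
        code = int(m.group("dec")) & 0xFFFFFFFF  # signed decimal -> unsigned status
        links.append(FailingLink(m.group("src"), int(m.group("n")),
                                 _ts(m.group("since")), code,
                                 STATUS_NAMES.get(code, "unknown"),
                                 m.group("msg").strip()))
    return links


if __name__ == "__main__":
    for row in replication_latency(SAMPLE_DCDIAG):
        flag = "OVER TOMBSTONE LIFETIME" if row.stale else "ok"
        print(f"{row.source:<12} {row.age_days:>3} days  {flag}  [{row.nc}]")
    for link in failing_links(SAMPLE_REPADMIN):
        print(f"{link.source}: {link.failures} failures since {link.since}, "
              f"0x{link.code:08X} {link.name}: {link.message}")
```

Both functions take plain text, so they can be fed the contents of c:\dcdiag.log and c:\repl.txt produced by the batch file earlier in the thread.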
 
Jorge_de_Almeida_Pinto

have you seen:
http://www.eventid.net/display.asp?eventid=4015&eventno=333&source=DNS&phase=1

any more errors in the event log?
 
Ken Eisman

Jorge_de_Almeida_Pinto said:
have you seen:
http://www.eventid.net/display.asp?eventid=4015&eventno=333&source=DNS&phase=1

I have now, thanks. But it doesn't seem to help me much, though.

Jorge_de_Almeida_Pinto said:
any more errors in the event log?

Yes, in remote site DNS log there is also 4510, 4513 and 4514. It all seems
like it is due to the remote site DC not being able to authenticate with the
PDC Emulator so replication doesn't take place.

Thanks
Ken
 
Paul Bergson

From what I can see it appears that the DNS replication is not working
correctly, and the length of time this DC has gone without talking to the
other DCs has made it unable to get back in service. I'm not sure what is
causing the DNS issue but the machines are not all the same definition. You
will have to demote this DC (dcpromo /forceremoval if need be) and repromote
it. You need to find the DNS issue before you promote it again though.

What happens if you run a netdiag /fix?

How is DNS set up between the different DNS servers? Are you using AD
integrated or primary and secondaries?



--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


whenCreated: 20051018214717.0Z
Schedule:
day: 0123456789ab0123456789ab
Sun: ffffffffffffffffffffffff
Mon: ffffffffffffffffffffffff
Tue: ffffffffffffffffffffffff
Wed: ffffffffffffffffffffffff
Thu: ffffffffffffffffffffffff
Fri: ffffffffffffffffffffffff
Sat: ffffffffffffffffffffffff

***************************************************************************************
From netdiag:

Testing DNS
PASS - All the DNS entries for DC are registered on DNS server
'192.168.18.100' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server '192.168.1.100'. Please wait for 30 minutes for DNS server
replication.
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server '192.168.1.107'. Please wait for 30 minutes for DNS server
replication.

***************************************************************************

Thanks for your help.

Ken


Paul Bergson said:
Try running netdiag, repadmin and dcdiag. Look for fail, error and
warning errors.

If you don't have the tools installed load them from your install disk.

d:\i386\adminpak.msi (Server tools for remote management of servers)
d:\support\tools\setup.exe (Server Utilities)

Copy the following to a cmd file and run it, then look for error, fail and
warn within the reports. Post any errors you can't figure out. Make sure you
modify DC_Name to the name of a dc in your domain.

@echo off

c:
cd \
cd "program files\support tools"

del c:\dcdiag.log
dcdiag /e /c /v /s:DC_Name /f:c:\dcdiag.log
start c:\dcdiag.log

netdiag.exe /v > c:\netdiag.log
start c:\netdiag.log

repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
start c:\repl.txt


See for more details

http://www.microsoft.com/technet/pr...Ref/1d4ce93c-54f2-4069-a708-251509c38837.mspx

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no
rights.
 
Ken Eisman

Paul Bergson said:
From what I can see it appears that the dns replication is not working
correctly and with the length of time you have had without this dc talking
to the other dc's has made it unable to get back in service. I'm not sure
what is causing the dns issue but the machines are not all the same
definition. You will have to demote this dc (dcpromo /forceremoval if need
be) and repromote it. You need to find the dns issue before you promote it
again though.

We will demote and promote the DC, then. Are there any 'gotchas' we need to
look out for other than the DNS issues?

Thanks for all your help.

Ken

What happens if you run a netdiag /fix?

Nothing seems to change when I run netdiag /fix

How is dns setup between the different dns servers? Are you using AD
integrated or primary and secondary's?

We are using AD integrated for DNS
--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no
rights.


Ken Eisman said:
There were quite a few errors so I'll just post a few this time.
Hopefully this will give you enough information. I'll post more as
needed.

I'm running the tests from SOSERVER (the DC with problems). The PDC
Emulator is ADSERVER.

***************************************************
From dcdiag:

Doing initial required tests

Testing server: Courthouse\ADSERVER
Starting test: Connectivity
* Active Directory LDAP Services Check
[ADSERVER] LDAP bind failed with error 8341,
A directory service error has occurred..
......................... ADSERVER failed test Connectivity

Testing server: SO\TLETS
Starting test: Connectivity
* Active Directory LDAP Services Check
The host
e66261ed-1506-47c2-b5a8-18054c8b88a9._msdcs.co.matagorda.tx.us could not
be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name

(e66261ed-1506-47c2-b5a8-18054c8b88a9._msdcs.co.matagorda.tx.us)

couldn't be resolved, the server name (tlets.co.matagorda.tx.us)

resolved to the IP address (192.168.18.102) and was pingable.
Check

that the IP address is registered correctly with the DNS server.
......................... TLETS failed test Connectivity

Testing server: Courthouse\PTR-SVR
Starting test: Connectivity
* Active Directory LDAP Services Check
[PTR-SVR] LDAP bind failed with error 8341,
A directory service error has occurred..
......................... PTR-SVR failed test Connectivity

Testing server: Courthouse\ANTIVIRUS
Starting test: Connectivity
* Active Directory LDAP Services Check
[ANTIVIRUS] LDAP bind failed with error 8341,
A directory service error has occurred..
......................... ANTIVIRUS failed test Connectivity

Testing server: SO\SOSERVER
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SOSERVER passed test Connectivity
Doing primary tests

Testing server: Courthouse\ADSERVER
Skipping all tests, because server ADSERVER is
not responding to directory service requests

Testing server: SO\TLETS
Skipping all tests, because server TLETS is
not responding to directory service requests

Testing server: Courthouse\PTR-SVR
Skipping all tests, because server PTR-SVR is
not responding to directory service requests

Testing server: Courthouse\ANTIVIRUS
Skipping all tests, because server ANTIVIRUS is
not responding to directory service requests

Testing server: SO\SOSERVER
Starting test: Replications
* Replications Check
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
SOSERVER: Current time is 2005-10-19 13:48:17.
CN=Schema,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Last replication recieved from PTR-SVR at 2005-08-18
09:48:24.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ADSERVER at 2005-08-18
09:49:56.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ANTIVIRUS at 2005-08-18
09:48:43.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Latency information for 4 entries in the vector were
ignored.
3 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 1 had no latency information (Win2K DC).
CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Last replication recieved from PTR-SVR at 2005-08-18
09:49:34.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ADSERVER at 2005-08-18
09:49:56.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ANTIVIRUS at 2005-08-18
09:48:43.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Latency information for 4 entries in the vector were
ignored.
3 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 1 had no latency information (Win2K DC).
DC=co,DC=matagorda,DC=tx,DC=us
Last replication recieved from PTR-SVR at 2005-08-18
09:51:24.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ADSERVER at 2005-08-18
09:53:49.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ANTIVIRUS at 2005-08-18
09:54:02.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Latency information for 4 entries in the vector were
ignored.
3 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 1 had no latency information (Win2K DC).
* Replication Site Latency Check
REPLICATION-RECEIVED LATENCY WARNING

Source site:

CN=NTDS Site
Settings,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us

Current time: 2005-10-19 13:48:17

Last update time: 2005-08-18 09:26:19

Check if source site has an elected ISTG running.

Check replication from source site to this server.
......................... SOSERVER passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us.
These servers can't get changes from home server SOSERVER:
Courthouse/ADSERVER
Courthouse/PTR-SVR
Courthouse/ANTIVIRUS
* Analyzing the connection topology for
CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us.
These servers can't get changes from home server SOSERVER:
Courthouse/ADSERVER
Courthouse/PTR-SVR
Courthouse/ANTIVIRUS
* Analyzing the connection topology for
DC=co,DC=matagorda,DC=tx,DC=us.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
DC=co,DC=matagorda,DC=tx,DC=us.
These servers can't get changes from home server SOSERVER:
Courthouse/ADSERVER
Courthouse/PTR-SVR
Courthouse/ANTIVIRUS
......................... SOSERVER failed test Topology
---8><------------------------------
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=ADSERVER,CN=Servers,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
[ADSERVER] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: ADSERVER is the Schema Owner, but is not responding to
DS RPC Bind.
Warning: ADSERVER is the Schema Owner, but is not responding to
LDAP Bind.
Role Domain Owner = CN=NTDS
Settings,CN=ADSERVER,CN=Servers,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Warning: ADSERVER is the Domain Owner, but is not responding to
DS RPC Bind.
Warning: ADSERVER is the Domain Owner, but is not responding to
LDAP Bind.
Role PDC Owner = CN=NTDS
Settings,CN=ADSERVER,CN=Servers,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Warning: ADSERVER is the PDC Owner, but is not responding to DS
RPC Bind.
Warning: ADSERVER is the PDC Owner, but is not responding to LDAP
Bind.
Role Rid Owner = CN=NTDS
Settings,CN=ADSERVER,CN=Servers,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Warning: ADSERVER is the Rid Owner, but is not responding to DS
RPC Bind.
Warning: ADSERVER is the Rid Owner, but is not responding to LDAP
Bind.
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=ADSERVER,CN=Servers,CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Warning: ADSERVER is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: ADSERVER is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... SOSERVER failed test KnowsOfRoleHolders

-8><------------------------
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8000061E
Time Generated: 10/19/2005 13:47:22
Event String: All domain controllers in the following site
that
can replicate the directory partition over this
transport are currently unavailable.

Site:
CN=Courthouse,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us

Directory partition:
DC=co,DC=matagorda,DC=tx,DC=us

Transport:
CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us

An Error Event occured. EventID: 0xC000051F
Time Generated: 10/19/2005 13:47:22
Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory
partition.

Directory partition:

DC=co,DC=matagorda,DC=tx,DC=us

There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
*****************************************************************************

From repl:

SO\SOSERVER
DC Options: IS_GC
Site Options: (none)
DC object GUID: 089439f1-02f1-461d-bec5-0315ce44ae8d
DC invocationID: 582897d5-1cd0-4d51-8e63-6f7f5751d5a7

==== KCC CONNECTION OBJECTS ============================================

Connection --
Connection name : 3f1a9949-e259-4e23-8f51-f46f876cc15f
Server DNS name : soserver.co.matagorda.tx.us
Server DN name : CN=NTDS
Settings,CN=SOSERVER,CN=Servers,CN=SO,CN=Sites,CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Source: Courthouse\ADSERVER

******* 90 CONSECUTIVE FAILURES since 2005-10-18 15:49:32
Last error: -2146893022 (0x80090322):
The target principal name is incorrect.
TransportType: IP
options: isGenerated overrideNotifyDefault
ReplicatesNC: CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Reason: IntersiteTopology
******* WARNING: KCC could not add this REPLICA LINK due to error.
ReplicatesNC: DC=co,DC=matagorda,DC=tx,DC=us
Reason: IntersiteTopology
******* WARNING: KCC could not add this REPLICA LINK due to error.
enabledConnection: whenChanged: 20051018214717.0Z
whenCreated: 20051018214717.0Z
Schedule:
day: 0123456789ab0123456789ab
Sun: ffffffffffffffffffffffff
Mon: ffffffffffffffffffffffff
Tue: ffffffffffffffffffffffff
Wed: ffffffffffffffffffffffff
Thu: ffffffffffffffffffffffff
Fri: ffffffffffffffffffffffff
Sat: ffffffffffffffffffffffff

***************************************************************************************
From netdiag:

Testing DNS
PASS - All the DNS entries for DC are registered on DNS server
'192.168.18.100' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server '192.168.1.100'. Please wait for 30 minutes for DNS server
replication.
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server '192.168.1.107'. Please wait for 30 minutes for DNS server
replication.

***************************************************************************

Thanks for your help.

Ken


Paul Bergson said:
Try running netdiag, repadmin and dcdiag. Look for fail, error and
warning errors.

If you don't have the tools installed load them from your install disk.

d:\i386\adminpak.msi (Server tools for remote management of servers)
d:\support\tools\setup.exe (Server Utilities)

Copy the following to a cmd file and run it, then look for error, fail and
warn within the reports. Post any errors you can't figure out. Make sure you
modify DC_Name to the name of a dc in your domain.

@echo off

c:
cd \
cd "program files\support tools"

del c:\dcdiag.log
dcdiag /e /c /v /s:DC_Name /f:c:\dcdiag.log
start c:\dcdiag.log

netdiag.exe /v > c:\netdiag.log
start c:\netdiag.log

repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
start c:\repl.txt


See for more details

http://www.microsoft.com/technet/pr...Ref/1d4ce93c-54f2-4069-a708-251509c38837.mspx

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no
rights.
 
Paul Bergson

Shouldn't be, but before you repromote I would do another run of the
diagnostics I gave you and make sure you get rid of any or all errors.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
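
Added example (not part of the thread and not from the Support Tools): Python that reads the dcdiag and repadmin reports written by the batch file quoted in this thread and lists failed tests, partners whose last inbound replication is older than the tombstone lifetime, and failing connections with the error shown as an HRESULT. The sample text is constructed from output quoted in the thread; all function names are this example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed samples, trimmed from the dcdiag and repadmin output quoted in
# this thread. The hard line wraps of the forum paste are kept on purpose.
SAMPLE_DCDIAG = """\
Starting test: Replications
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
SOSERVER: Current time is 2005-10-19 13:48:17.
CN=Configuration,DC=co,DC=matagorda,DC=tx,DC=us
Last replication recieved from PTR-SVR at 2005-08-18
09:49:34.
WARNING: This latency is over the Tombstone Lifetime of 60
days!
Last replication recieved from ADSERVER at 2005-08-18
09:49:56.
DC=co,DC=matagorda,DC=tx,DC=us
Last replication recieved from ANTIVIRUS at 2005-08-18
09:54:02.
......................... SOSERVER passed test Replications
......................... SOSERVER failed test Topology
......................... SOSERVER failed test
KnowsOfRoleHolders
"""

SAMPLE_REPL = r"""
Source: Courthouse\ADSERVER

******* 90 CONSECUTIVE FAILURES since 2005-10-18 15:49:32
Last error: -2146893022 (0x80090322):
The target principal name is incorrect.
"""

TS = "%Y-%m-%d %H:%M:%S"
# Either a naming-context DN or a "last replication" line (dcdiag's own
# spelling "recieved" is accepted as well as the correct one).
_TOKEN = re.compile(
    r"(?P<nc>(?:CN=\w+,)*DC=[\w=,]+)"
    r"|Last replication recie?ved from (?P<dc>\S+) at "
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
)


def _flat(text):
    """Undo mail/forum line wrapping so multi-line records match one regex."""
    return re.sub(r"\s+", " ", text)


def to_hresult(code):
    """Signed 32-bit decimal, as the tools print it, to a 0x-prefixed HRESULT."""
    return f"0x{code & 0xFFFFFFFF:08X}"


def failed_tests(dcdiag_text):
    """Return (server, test) for every '..... X failed test Y' summary line."""
    return re.findall(r"\.{5,} (\S+) failed test (\S+)", _flat(dcdiag_text))


def stale_partners(dcdiag_text, default_tombstone_days=60):
    """Return (naming_context, partner, age_days, over_tombstone) per partner."""
    flat = _flat(dcdiag_text)
    section = re.search(r"Starting test: Replications(.*?)test Replications", flat)
    body = section.group(1) if section else flat
    now_m = re.search(r"Current time is (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", body)
    if not now_m:
        return []
    now = datetime.strptime(now_m.group(1), TS)
    # Prefer the lifetime dcdiag reports; fall back to the caller's default.
    tsl = re.search(r"Tombstone Lifetime of (\d+) days", body)
    limit = timedelta(days=int(tsl.group(1)) if tsl else default_tombstone_days)
    rows, nc = [], None
    for m in _TOKEN.finditer(body):
        if m.group("nc"):
            nc = m.group("nc")
        else:
            age = now - datetime.strptime(m.group("ts"), TS)
            rows.append((nc, m.group("dc"), age.days, age > limit))
    return rows


def repl_failures(repl_text):
    """Return failing inbound connections from 'repadmin /showrepl' output."""
    pat = re.compile(
        r"Source: (?P<source>\S+) \*+ (?P<count>\d+) CONSECUTIVE FAILURES "
        r"since (?P<since>\S+ \S+) Last error: (?P<code>-?\d+)"
    )
    return [
        {"source": m["source"], "failures": int(m["count"]),
         "since": m["since"], "hresult": to_hresult(int(m["code"]))}
        for m in pat.finditer(_flat(repl_text))
    ]


if __name__ == "__main__":
    for server, test in failed_tests(SAMPLE_DCDIAG):
        print(f"FAILED  {server}: {test}")
    for nc, dc, days, over in stale_partners(SAMPLE_DCDIAG):
        flag = "OVER TOMBSTONE LIFETIME" if over else "ok"
        print(f"{dc:<10} {days:>3} days  {flag}  {nc}")
    for f in repl_failures(SAMPLE_REPL):
        # 0x80090322 is SEC_E_WRONG_PRINCIPAL, the SSPI code behind
        # "The target principal name is incorrect."
        print(f"{f['source']}: {f['failures']} failures since {f['since']} "
              f"({f['hresult']})")
```

Run it against c:\dcdiag.log and c:\repl.txt after each diagnostic pass; an empty result from all three functions is the "no errors left" state to reach before repromoting.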


 
