DC guid on leaf domain does not match root DC's actual guid

Guest

I have a problem where replication has broken between a domain
controller that controls a leaf domain and the domain controller that
controls the root domain.

The guid that the leaf node attempts to replicate with is different from
the guid of the actual root DC.

On the leaf DC:
I get event log errors like:
Event ID: 1265
The attempt to establish a replication link with parameters
Partition: CN=Schema,CN=Configuration,DC=root,DC=domain,DC=com
Source DSA DN: CN=NTDS
Settings,CN=ROOTDCSERVER,CN=Servers,CN=West-Site,CN=Sites,CN=Configuration,DC=root,DC=domain,DC=com
Source DSA Address:
1111111-1111-1111-1111-111111111111._msdcs.root.domain.com
Inter-site Transport (if any): CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=root,DC=domain,DC=com

failed with the following status:

The DSA operation is unable to proceed because of a DNS lookup failure.

When the root DC attempts to initiate replication the event log error is:
Event ID: 1411
The Directory Service failed to construct a mutual authentication
Service Principal Name (SPN) for server
22222222-2222-2222-2222-222222222222._msdcs.root.domain.com. The call
is denied. The error was:
The DSA object could not be found.

The leaf DC thinks that the guid of the root server is:
1111111-1111-1111-1111-111111111111
The root server actually has the guid of:
22222222-2222-2222-2222-222222222222

Is it possible to change this guid on the leaf DC to enable the
replication to take place? I tried changing the DNS to include what the
leaf DC is looking for, but this just means that when that server
attempts to log in to do the replication it gets a logon failure
because it is using the wrong guid credentials.

I have tried to reset the trust passwords with the command
netdom trust dom1 /domain:dom2 /reset
This does not help.
I have attempted to poke around with adsiedit to find where these guids
are stored, but it's not possible to search for this value using this
tool (from what I can see).

Basically I believe that if I can just change the saved guid value for
the root DC on that leaf DC to match the correct value, I can get the
replication going again.

If anyone has any insight on where to look for the stored version of
this guid value in the active directory on the leaf DC or other ideas to
solve this I would be grateful.