2003 DC not replicating

G

Guest

We have an issue with 1 of our DC's at the moment that is giving alot of NTDS
Replication errors..
Can anybody she any light on this DCDIAG log????:


Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine site-mitch, is a DC.
* Connecting to directory service on server site-mitch.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 10 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Mitchelstown\SITE-MITCH
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SITE-MITCH passed test Connectivity

Doing primary tests

Testing server: Mitchelstown\SITE-MITCH
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=domain,DC=ad
Latency information for 3 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=domain,DC=ad
Latency information for 3 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=domain,DC=ad
Latency information for 5 entries in the vector were ignored.
1 were retired Invocations. 4 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=uk,DC=domain,DC=ad
Latency information for 8 entries in the vector were ignored.
2 were retired Invocations. 6 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=irl,DC=domain,DC=ad
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... SITE-MITCH passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
DC=irl,DC=domain,DC=ad
(Domain,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=domain,DC=ad
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=domain,DC=ad
(Configuration,Version 2)
* Security Permissions Check for
DC=uk,DC=domain,DC=ad
(Domain,Version 2)
* Security Permissions Check for
DC=domain,DC=ad
(Domain,Version 2)
......................... SITE-MITCH passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... SITE-MITCH passed test NetLogons
Starting test: Advertising
The DC SITE-MITCH is advertising itself as a DC and having a DS.
The DC SITE-MITCH is advertising as an LDAP server
The DC SITE-MITCH is advertising as having a writeable directory
The DC SITE-MITCH is advertising as a Key Distribution Center
The DC SITE-MITCH is advertising as a time server
The DS SITE-MITCH is advertising as a GC.
......................... SITE-MITCH passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=ADROOT1,CN=Servers,CN=Cork,CN=Sites,CN=Configuration,DC=domain,DC=ad
Role Domain Owner = CN=NTDS
Settings,CN=ADROOT1,CN=Servers,CN=Cork,CN=Sites,CN=Configuration,DC=domain,DC=ad
Role PDC Owner = CN=NTDS
Settings,CN=IRLAD1,CN=Servers,CN=Cork,CN=Sites,CN=Configuration,DC=domain,DC=ad
Role Rid Owner = CN=NTDS
Settings,CN=IRLAD1,CN=Servers,CN=Cork,CN=Sites,CN=Configuration,DC=domain,DC=ad
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=IRLAD1,CN=Servers,CN=Cork,CN=Sites,CN=Configuration,DC=domain,DC=ad
......................... SITE-MITCH passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 11103 to 1073741823
* irlad1.irl.domain.ad is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 10603 to 11102
* rIDPreviousAllocationPool is 10603 to 11102
* rIDNextRID: 10634
......................... SITE-MITCH passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/site-mitch.irl.domain.ad/irl.domain.ad
* SPN found :LDAP/site-mitch.irl.domain.ad
* SPN found :LDAP/SITE-MITCH
* SPN found :LDAP/site-mitch.irl.domain.ad/IRLdomain
* SPN found
:LDAP/f1ebda0b-2f44-4515-ba8a-03e152c75e95._msdcs.domain.ad
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/f1ebda0b-2f44-4515-ba8a-03e152c75e95/irl.domain.ad
* SPN found :HOST/site-mitch.irl.domain.ad/irl.domain.ad
* SPN found :HOST/site-mitch.irl.domain.ad
* SPN found :HOST/SITE-MITCH
* SPN found :HOST/site-mitch.irl.domain.ad/IRLdomain
* SPN found :GC/site-mitch.irl.domain.ad/domain.ad
......................... SITE-MITCH passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... SITE-MITCH passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
SITE-MITCH is in domain DC=irl,DC=domain,DC=ad
Checking for CN=SITE-MITCH,OU=Domain
Controllers,DC=irl,DC=domain,DC=ad in domain DC=irl,DC=domain,DC=ad on 1
servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=SITE-MITCH,CN=Servers,CN=Mitchelstown,CN=Sites,CN=Configuration,DC=domain,DC=ad in domain CN=Configuration,DC=domain,DC=ad on 1 servers
Object is up-to-date on all servers.
......................... SITE-MITCH passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... SITE-MITCH passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... SITE-MITCH passed test frsevent
Starting test: kccevent
* The KCC Event log test
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/27/2005 15:42:33
Event String: Active Directory did not perform an authenticated

remote procedure call (RPC) to another domain

controller because the desired service principal

name (SPN) for the destination domain controller

is not registered on the Key Distribution Center

(KDC) domain controller that resolves the SPN.



Destination domain controller:

f8dbe4a8-e5de-4855-a10e-4279c21a6a90._msdcs.domain.ad



SPN:

E3514235-4B06-11D1-AB04-00C04FC2DCD2/f8dbe4a8-e5de-4855-a10e-4279c21a6a90/[email protected]





User Action

Verify that the names of the destination domain

controller and domain are correct. Also, verify

that the SPN is registered on the KDC domain

controller. If the destination domain controller

has been recently promoted, it will be necessary

for the local domain controller's computer

account data to replicate to the KDC before this

computer can be authenticated.
An Warning Event occured. EventID: 0x80000786
Time Generated: 07/27/2005 15:42:33
Event String: The attempt to establish a replication link to a

read-only directory partition with the following

parameters failed.



Directory partition:

DC=uk,DC=domain,DC=ad

Source domain controller:

CN=NTDS
Settings,CN=DGDC2,CN=Servers,CN=Wales,CN=Sites,CN=Configuration,DC=domain,DC=ad



Source domain controller address:

f8dbe4a8-e5de-4855-a10e-4279c21a6a90._msdcs.domain.ad



Intersite transport (if any):

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=ad





Additional Data

Error value:

1396

Logon Failure: The target account name is incorrect.


An Error Event occured. EventID: 0xC000066D
Time Generated: 07/27/2005 15:42:34
Event String: Active Directory did not perform an authenticated

remote procedure call (RPC) to another domain

controller because the desired service principal

name (SPN) for the destination domain controller

is not registered on the Key Distribution Center

(KDC) domain controller that resolves the SPN.



Destination domain controller:

f8dbe4a8-e5de-4855-a10e-4279c21a6a90._msdcs.domain.ad



SPN:

E3514235-4B06-11D1-AB04-00C04FC2DCD2/f8dbe4a8-e5de-4855-a10e-4279c21a6a90/[email protected]





User Action

Verify that the names of the destination domain

controller and domain are correct. Also, verify

that the SPN is registered on the KDC domain

controller. If the destination domain controller

has been recently promoted, it will be necessary

for the local domain controller's computer

account data to replicate to the KDC before this

computer can be authenticated.
An Warning Event occured. EventID: 0x80000786
Time Generated: 07/27/2005 15:42:34
Event String: The attempt to establish a replication link to a

read-only directory partition with the following

parameters failed.



Directory partition:

DC=domain,DC=ad

Source domain controller:

CN=NTDS
Settings,CN=DGDC2,CN=Servers,CN=Wales,CN=Sites,CN=Configuration,DC=domain,DC=ad



Source domain controller address:

f8dbe4a8-e5de-4855-a10e-4279c21a6a90._msdcs.domain.ad



Intersite transport (if any):

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=ad





Additional Data

Error value:

1396

Logon Failure: The target account name is incorrect.


An Error Event occured. EventID: 0xC000066D
Time Generated: 07/27/2005 15:42:34
Event String: Active Directory did not perform an authenticated

remote procedure call (RPC) to another domain

controller because the desired service principal

name (SPN) for the destination domain controller

is not registered on the Key Distribution Center

(KDC) domain controller that resolves the SPN.



Destination domain controller:

f8dbe4a8-e5de-4855-a10e-4279c21a6a90._msdcs.domain.ad



SPN:

E3514235-4B06-11D1-AB04-00C04FC2DCD2/f8dbe4a8-e5de-4855-a10e-4279c21a6a90/[email protected]





User Action

Verify that the names of the destination domain

controller and domain are correct. Also, verify

that the SPN is registered on the KDC domain

controller. If the destination domain controller

has been recently promoted, it will be necessary

for the local domain controller's computer

account data to replicate to the KDC before this

computer can be authenticated.
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/27/2005 15:42:34
Event String: The attempt to establish a replication link for

the following writable directory partition

failed.



Directory partition:

CN=Schema,CN=Configuration,DC=domain,DC=ad

Source domain controller:

CN=NTDS
Settings,CN=DGDC2,CN=Servers,CN=Wales,CN=Sites,CN=Configuration,DC=domain,DC=ad



Source domain controller address:

f8dbe4a8-e5de-4855-a10e-4279c21a6a90._msdcs.domain.ad



Intersite transport (if any):

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=ad





This domain controller will be unable to

replicate with the source domain controller until

this problem is corrected.



User Action

Verify if the source domain controller is

accessible or network connectivity is available.



Additional Data

Error value:

1396

Logon Failure: The target account name is incorrect.


An Error Event occured. EventID: 0xC000066D
Time Generated: 07/27/2005 15:42:34
Event String: Active Directory did not perform an authenticated

remote procedure call (RPC) to another domain

controller because the desired service principal

name (SPN) for the destination domain controller

is not registered on the Key Distribution Center

(KDC) domain controller that resolves the SPN.



Destination domain controller:

f8dbe4a8-e5de-4855-a10e-4279c21a6a90._msdcs.domain.ad



SPN:

E3514235-4B06-11D1-AB04-00C04FC2DCD2/f8dbe4a8-e5de-4855-a10e-4279c21a6a90/[email protected]





User Action

Verify that the names of the destination domain

controller and domain are correct. Also, verify

that the SPN is registered on the KDC domain

controller. If the destination domain controller

has been recently promoted, it will be necessary

for the local domain controller's computer

account data to replicate to the KDC before this

computer can be authenticated.
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/27/2005 15:42:34
Event String: The attempt to establish a replication link for

the following writable directory partition

failed.



Directory partition:

CN=Configuration,DC=domain,DC=ad

Source domain controller:

CN=NTDS
Settings,CN=DGDC2,CN=Servers,CN=Wales,CN=Sites,CN=Configuration,DC=domain,DC=ad



Source domain controller address:

f8dbe4a8-e5de-4855-a10e-4279c21a6a90._msdcs.domain.ad



Intersite transport (if any):

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=ad





This domain controller will be unable to

replicate with the source domain controller until

this problem is corrected.



User Action

Verify if the source domain controller is

accessible or network connectivity is available.



Additional Data

Error value:

1396

Logon Failure: The target account name is incorrect.


......................... SITE-MITCH failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x0000165B
Time Generated: 07/27/2005 15:14:23
Event String: The session setup from computer '4WCCD1J' failed

because the security database does not contain a

trust account '4WCCD1J$' referenced by the

specified computer.



USER ACTION

If this is the first occurrence of this event for

the specified computer and account, this may be a

transient issue that doesn't require any action

at this time. Otherwise, the following steps may

be taken to resolve this problem:



If '4WCCD1J$' is a legitimate machine account for

the computer '4WCCD1J', then '4WCCD1J' should be

rejoined to the domain.



If '4WCCD1J$' is a legitimate interdomain trust

account, then the trust should be recreated.



Otherwise, assuming that '4WCCD1J$' is not a

legitimate account, the following action should

be taken on '4WCCD1J':



If '4WCCD1J' is a Domain Controller, then the

trust associated with '4WCCD1J$' should be

deleted.



If '4WCCD1J' is not a Domain Controller, it

should be disjoined from the domain.
An Error Event occured. EventID: 0x000016AD
Time Generated: 07/27/2005 15:16:41
Event String: The session setup from the computer 4WCCD1J

failed to authenticate. The following error

occurred:

%%5
......................... SITE-MITCH failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=SITE-MITCH,OU=Domain Controllers,DC=irl,DC=domain,DC=ad and

backlink on


CN=SITE-MITCH,CN=Servers,CN=Mitchelstown,CN=Sites,CN=Configuration,DC=domain,DC=ad

are correct.
The system object reference (frsComputerReferenceBL)

CN=SITE-MITCH,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=irl,DC=domain,DC=ad

and backlink on

CN=SITE-MITCH,OU=Domain Controllers,DC=irl,DC=domain,DC=ad are

correct.
The system object reference (serverReferenceBL)

CN=SITE-MITCH,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=irl,DC=domain,DC=ad

and backlink on

CN=NTDS
Settings,CN=SITE-MITCH,CN=Servers,CN=Mitchelstown,CN=Sites,CN=Configuration,DC=domain,DC=ad

are correct.
......................... SITE-MITCH passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences

Running partition tests on : irl
Starting test: CrossRefValidation
......................... irl passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... irl passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running enterprise tests on : domain.ad
Starting test: Intersite
Skipping site Mitchelstown, this site is outside the scope provided
by

the command line arguments provided.
Skipping site Crewe, this site is outside the scope provided by the

command line arguments provided.
Skipping site Wales, this site is outside the scope provided by the

command line arguments provided.
Skipping site Dublin, this site is outside the scope provided by the

command line arguments provided.
Skipping site Mallow, this site is outside the scope provided by the

command line arguments provided.
Skipping site Cork, this site is outside the scope provided by the

command line arguments provided.
......................... domain.ad passed test Intersite
Starting test: FsmoCheck
GC Name: \\site-mitch.irl.domain.ad
Locator Flags: 0xe00001fc
PDC Name: \\irlad1.irl.domain.ad
Locator Flags: 0xe000017d
Time Server Name: \\site-mitch.irl.domain.ad
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\site-mitch.irl.domain.ad
Locator Flags: 0xe00001fc
KDC Name: \\site-mitch.irl.domain.ad
Locator Flags: 0xe00001fc
......................... domain.ad passed test FsmoCheck
 
M

Mike Shepperd

Take a look at these articles:

http://support.microsoft.com/default.aspx?scid=kb;en-us;310340

http://support.microsoft.com/default.aspx?scid=kb;en-us;296993

http://support.microsoft.com/default.aspx?scid=kb;en-us;257844

Those are the more common issues I've seen like this, but you can get a more
comprehensive list from Microsoft by searching the Knowledge Base:
http://support.microsoft.com/search/default.aspx?qu="target+account+name+is+incorrect"

It also looks like you may have one or more missing SPN's. Look here for
that:
http://support.microsoft.com/default.aspx?scid=kb;en-us;308111
The article is specific to a Windows 2000 hotfix, but the workaround section
shows how to check the SPN registration in DNS and AD and how to update it
if needed.
 
G

GreenTwig

Check your WINS, if you run it.
Had the wrong NIC putting it's details into the WINS databes causing me
grief.

nbtstat -c

Lists the current cached Name Table info.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top