Active Directory Replication Issue and Logon Failure

Guest

Had an issue with AD replication between 5 Domain Controllers and getting
"Access Denied" in event logs under Directory Service Source: NTDS KCC with
event ID: 1265. Performed KB 288167 and accidentally applied this to the PDC
Emulator Domain Controller as well. Rebooted the 5 Servers and re-enabled KDC.
These Servers are all on separate WAN subnets. On the Server at the Main
Office, which is the PDC Emulator, I can access all the other Servers and their
shares, but I cannot access the Main Server from any of the Branch Servers.
When I click on the Main Server object in Windows Explorer from any of the
Branch Servers I get "Logon Failure: The target account name is incorrect".
I also get this same error clicking on any PC object that is located at the
Main Office from Windows Explorer on the Branch Servers. I do not get this
error when clicking on any other Server or PC object that belongs to the
Branch Offices within Windows Explorer from the Branch Servers. Any idea on how
to fix this would be appreciated.
Galaxy Tech
 
Guest

Here is some additional info that I received from running dcdiag from a
command prompt on a Branch Domain Controller:

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Amherst\AMHERST
Starting test: Connectivity
......................... AMHERST passed test Connectivity

Doing primary tests

Testing server: Amherst\AMHERST
Starting test: Replications
......................... AMHERST passed test Replications
Starting test: NCSecDesc
......................... AMHERST passed test NCSecDesc
Starting test: NetLogons
......................... AMHERST passed test NetLogons
Starting test: Advertising
......................... AMHERST passed test Advertising
Starting test: KnowsOfRoleHolders
[MAIN] DsBind() failed with error -2146893022,
The target principal name is incorrect..
Warning: MAIN is the Schema Owner, but is not responding to DS RPC
Bind.
[MAIN] LDAP bind failed with error 31,
A device attached to the system is not functioning..
Warning: MAIN is the Schema Owner, but is not responding to LDAP
Bind.
Warning: MAIN is the Domain Owner, but is not responding to DS RPC
Bind.
Warning: MAIN is the Domain Owner, but is not responding to LDAP
Bind.
Warning: MAIN is the PDC Owner, but is not responding to DS RPC Bind.
Warning: MAIN is the PDC Owner, but is not responding to LDAP Bind.
Warning: MAIN is the Rid Owner, but is not responding to DS RPC Bind.
Warning: MAIN is the Rid Owner, but is not responding to LDAP Bind.
......................... AMHERST failed test KnowsOfRoleHolders
Starting test: RidManager
[AMHERST] DsBindWithCred() failed with error -2146893022. The
target principal name is incorrect.
......................... AMHERST failed test RidManager
Starting test: MachineAccount
......................... AMHERST passed test MachineAccount
Starting test: Services
......................... AMHERST passed test Services
Starting test: ObjectsReplicated
......................... AMHERST passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... AMHERST passed test frssysvol
Starting test: kccevent
An Warning Event occured. EventID: 0x800004F1
Time Generated: 10/21/2005 12:58:53
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800004F1
Time Generated: 10/21/2005 12:58:53
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800004F1
Time Generated: 10/21/2005 12:58:53
(Event String could not be retrieved)
......................... AMHERST failed test kccevent
Starting test: systemlog
......................... AMHERST passed test systemlog

Running enterprise tests on : lormet.fcu
Starting test: Intersite
......................... lormet.fcu passed test Intersite
Starting test: FsmoCheck
......................... lormet.fcu passed test FsmoCheck
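The dcdiag output above can be triaged mechanically, and doing so makes the numbers line up. What follows is an added example, not code from the thread: it parses a constructed excerpt in the shape of the posted output, converts the signed error -2146893022 to its HRESULT form 0x80090322 (SEC_E_WRONG_PRINCIPAL, "The target principal name is incorrect"), unpacks the kccevent ID 0x800004F1 to the Event Viewer ID 1265 that the first post mentions, and lists which FSMO role holders the branch DC could not bind to. The function names (parse_dcdiag, triage) and the sample text are the example's own.

```python
"""Triage helper for dcdiag output of the kind posted in this thread (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample input: a trimmed excerpt in the shape of the dcdiag output
# posted above, including its wrapped lines. Not a live capture.
SAMPLE_DCDIAG = """\
Starting test: KnowsOfRoleHolders
[MAIN] DsBind() failed with error -2146893022,
The target principal name is incorrect..
Warning: MAIN is the Schema Owner, but is not responding to DS RPC
Bind.
[MAIN] LDAP bind failed with error 31,
A device attached to the system is not functioning..
Warning: MAIN is the Schema Owner, but is not responding to LDAP
Bind.
Warning: MAIN is the PDC Owner, but is not responding to DS RPC Bind.
Warning: MAIN is the Rid Owner, but is not responding to LDAP Bind.
......................... AMHERST failed test KnowsOfRoleHolders
Starting test: RidManager
[AMHERST] DsBindWithCred() failed with error -2146893022. The
target principal name is incorrect.
......................... AMHERST failed test RidManager
Starting test: MachineAccount
......................... AMHERST passed test MachineAccount
Starting test: kccevent
An Warning Event occured. EventID: 0x800004F1
Time Generated: 10/21/2005 12:58:53
......................... AMHERST failed test kccevent
"""

# Only the codes that appear in the thread; names as in winerror.h.
HRESULT_NAMES = {0x80090322: "SEC_E_WRONG_PRINCIPAL"}
WIN32_NAMES = {31: "ERROR_GEN_FAILURE"}

BIND_RE = re.compile(r"^\[(?P<dc>[^\]]+)\]\s+(?P<api>.+?)\s+failed with error\s+(?P<code>-?\d+)")
ROLE_RE = re.compile(r"^Warning:\s+(?P<dc>\S+)\s+is the\s+(?P<role>.+?)\s+Owner,\s+but is not responding")
TEST_RE = re.compile(r"^\.+\s+(?P<dc>\S+)\s+(?P<result>passed|failed)\s+test\s+(?P<test>\w+)$")
EVENT_RE = re.compile(r"EventID:\s*(?P<id>0x[0-9A-Fa-f]+)")


def to_hresult(signed: int) -> int:
    """dcdiag prints HRESULTs as signed 32-bit ints (-2146893022); recover 0x80090322."""
    return signed & 0xFFFFFFFF


def event_id(packed: int) -> int:
    """kccevent prints IDs as 0x8000xxxx; the low 16 bits are the Event Viewer ID (0x800004F1 -> 1265)."""
    return packed & 0xFFFF


def describe_code(code: int) -> str:
    """Render a dcdiag error number as hex HRESULT or Win32 code plus its symbolic name."""
    if code < 0:  # negative means an HRESULT printed as a signed int
        h = to_hresult(code)
        return f"0x{h:08X} {HRESULT_NAMES.get(h, 'unknown HRESULT')}"
    return f"Win32 {code} {WIN32_NAMES.get(code, 'unknown')}"


@dataclass
class Report:
    bind_failures: List[Tuple[str, str, int]] = field(default_factory=list)  # (dc, api, code)
    unreachable_roles: Dict[str, Set[str]] = field(default_factory=dict)     # dc -> FSMO roles
    failed_tests: List[str] = field(default_factory=list)
    event_ids: List[int] = field(default_factory=list)


def parse_dcdiag(text: str) -> Report:
    """Extract bind failures, unreachable role holders, failed tests and event IDs."""
    r = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if m := BIND_RE.match(line):
            r.bind_failures.append((m["dc"], m["api"].rstrip("()"), int(m["code"])))
        elif m := ROLE_RE.match(line):
            r.unreachable_roles.setdefault(m["dc"], set()).add(m["role"])
        elif m := TEST_RE.match(line):
            if m["result"] == "failed":
                r.failed_tests.append(m["test"])
        elif m := EVENT_RE.search(line):
            r.event_ids.append(event_id(int(m["id"], 16)))
    return r


def triage(r: Report) -> List[str]:
    """Turn the parsed facts into the one-screen summary a DS admin wants."""
    notes = []
    for dc, api, code in r.bind_failures:
        if to_hresult(code) == 0x80090322:
            # Kerberos: the service ticket presented for dc was rejected; commonly a
            # machine-account password or SPN mismatch for that target, not name resolution.
            notes.append(f"{api} to {dc}: SEC_E_WRONG_PRINCIPAL, ticket for {dc} rejected "
                         "(commonly machine-account password or SPN mismatch)")
        else:
            notes.append(f"{api} to {dc}: {describe_code(code)}")
    for dc, roles in sorted(r.unreachable_roles.items()):
        notes.append(f"{dc} holds FSMO role(s) {', '.join(sorted(roles))} but cannot be bound")
    if 1265 in r.event_ids:
        notes.append("NTDS KCC event 1265 present (0x800004F1 in the kccevent test)")
    notes.append(f"failed tests: {', '.join(r.failed_tests) or 'none'}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_dcdiag(SAMPLE_DCDIAG)):
        print(note)
```

Read this way, the posted output says something specific: every Kerberos-authenticated bind from the branch DC to MAIN fails with SEC_E_WRONG_PRINCIPAL while MachineAccount passes locally, so the problem sits in the secure-channel state between the DCs rather than in DNS or connectivity, which is exactly what a machine-account password reset that did not replicate cleanly would produce. The checks a practitioner would want next are `nltest /sc_query:<domain>` and `nltest /sc_verify:<domain>` on each DC (with `<domain>` as your domain name), before deciding whether another `netdom resetpwd` against a known-good partner is warranted.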
 
Ace Fekay [MVP]

Galaxy Tech said:
Here is some additional info that I received from running dcdiag from
a command prompt on a Branch Domain Controller:

Domain Controller Diagnosis
<snip>

Is Amherst a single label name (as in amherst instead of amherst.com, or
amherst.net)?

This is an interesting scenario. If you attempted to reset the computer
account on the PDC emulator, did you attempt to reset the others again after
you did that?

Did you perform the resets based on the original Event ID 1265 error? There
may have been other issues that could have caused replication problems, then
needing a netdom reset.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
 
Guest

Yes, I tried resetting the computer account on another branch server again
after I accidentally reset the account on the PDC Emulator. This did not,
however, resolve the issue of getting the error trying to access the Server
called Main at the Main Office or resolve the replication issue. The name
Amherst is the name of one of the Branch Servers and not a domain name. I
appreciate you responding to my issue.

We decided to bite the bullet and then tried to seize the primary roles to
another branch server; that did not go well, or we were impatient in allowing
the other Servers to replicate to the new PDC Emulator. The circuits were
256K circuits to the 4 Branch Servers, so we felt it should not take too long.
We decided to seize the roles back to the Main Server and then remove Active
Directory from the branch servers and remove them from the Domain. We then
joined them back to the Domain and ran dcpromo to make them Active Directory
Domain Controllers again. It was time consuming but took care of the
problems and the ongoing replication issues as well. We did have to rejoin
all the workstations to the Domain, however, which made it a little more
painful. Another tech asked if we had tried to just delete the computer account
in Active Directory to see if the users could log back in to register the
computer name in Active Directory again without rejoining them to the
Domain. Would this have worked? This would have saved us some time. Thanks
for your help.

Galaxy Tech
 
Ace Fekay [MVP]

Galaxy Tech said:
Yes, I tried resetting the computer account on another branch
server again after I accidentally reset the account on the PDC
Emulator.
<snip>

Sorry to hear you had to go through all that, but it seemed the most
straightforward method. Deleting the computer account and then relying on users
logging in wouldn't have worked. But I don't see why you had to disjoin and
rejoin, since it is the same domain name, unless I have mistaken what you are
saying and you demoted ALL the DCs. If that was the case, yes, disjoin and
rejoin would have been the answer. You may have been able to script that
task as well on each machine.

Well, that was one way of fixing this issue!

Ace
 
