Active Directory Replication Monitor can't open domain controller

Joris Kemperman

Hi everyone,

Hope someone knows what's going on...

Our setup:
1 root domain with 2 DCs incl. Global Catalog
4 subdomains, each with one single DC+Global Catalog.
Forest level: 2003 native
Domain level: 2003 native

The thing is, once I open the Replication Monitor Tool and open one of my
root domain controllers, everything looks okay. Once I open a
domain controller in one of my subdomains, I receive an error message
indicating that "the server could not be found or you have insufficient
rights to read the status of that server".

I do have transitive trusts between the root domain and the subdomains, for
example: I can log in with my root domain administrator account on all
subdomain servers.

Anyone here that can tell me what my problem is?

Many Regards,
Joris Kemperman
 
Paul Bergson [MVP-DS]

Do you have any errors in the event logs of any of your child domain
controllers?

Are there any firewalls between the domains?

DNS issues?
From child and root dc's, from a command prompt try running
dnslint /ad /s "ip address of your dc"

Description and download of DNSLint
http://support.microsoft.com/kb/321045


Run diagnostics against your Active Directory domains.

If you don't have the tools installed, install them from your server install
disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located in the download section on my website at
http://www.pbbergs.com

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.



--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
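
The last step above, searching the logs for fail and error entries, can be scripted. The following is an added example, not part of the original posts: it pulls the failing tests and Win32 error codes out of DCDIAG text, using an excerpt of the output posted later in this thread as sample input. The function name `triage` and the `CONNECTIVITY_CODES` grouping are assumptions of the example.

```python
import re

# Excerpt of the DCDIAG output posted later in this thread. The
# "[Error details" entries are wrapped across two lines here, as mail and
# news clients often leave them, so the parser has to cope with that.
SAMPLE_LOG = """\
DC: fserver.za.domain.local

TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
[Error details: 1203 (Type: Win32 - Description: No
network provider accepted the given network path.) - Add connection failed]

TEST: Basic (Basc)
Error: Open Service Control Manager failed
[Error details: 1722 (Type: Win32 - Description: The RPC
server is unavailable.) - Could not open Service Control Manager]

......................... domain.local failed test DNS
"""

# Assumption of this example: these two Win32 codes from the thread mean the
# remote service was never reached, as opposed to credentials being refused.
CONNECTIVITY_CODES = {1203, 1722}

TEST_RE = re.compile(r"^[ \t]*TEST:[ \t]*(.+?)[ \t]*$", re.M)
DC_RE = re.compile(r"^[ \t]*DC:[ \t]*(\S+)", re.M)
DETAIL_RE = re.compile(r"\[Error details:\s*(\d+)\s*\(Type:\s*\w+\s*-\s*"
                       r"Description:\s*(.*?)\)\s*-", re.S)
FAILED_RE = re.compile(r"^\.{3,}\s*(\S+) failed test (\S+)", re.M)

def triage(log_text):
    """Return (per-test error findings, [(target, failed test name), ...])."""
    findings = []
    # split() with one capture group yields [preamble, name1, body1, ...].
    parts = TEST_RE.split(log_text)
    dc = m.group(1) if (m := DC_RE.search(parts[0])) else None
    for name, body in zip(parts[1::2], parts[2::2]):
        for code, desc in DETAIL_RE.findall(body):
            findings.append({
                "dc": dc, "test": name, "code": int(code),
                "description": " ".join(desc.split()),  # undo line wrapping
                "connectivity": int(code) in CONNECTIVITY_CODES,
            })
        # With /E the next DC's header sits at the end of this test's body.
        dc = m.group(1) if (m := DC_RE.search(body)) else dc
    return findings, FAILED_RE.findall(log_text)

if __name__ == "__main__":
    errors, failed = triage(SAMPLE_LOG)
    print(*errors, *failed, sep="\n")
```

To use it on a real run, pass the contents of `c:\dcdiag.log` to `triage` instead of `SAMPLE_LOG`.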
 
Joris Kemperman

Hi Paul,

First of all thanks for your help.

I looked at the Event Log in the child domains and no errors/warnings are
found in the Directory Service and System logs!

I have to say:

All the child domains are in different subnets. When I place the
domain controllers in the subnet where the root domain controllers operate
(192.168.8.0/24), I receive no errors! Once I set up sites for these
child domains and place them in the proper subnets where they should belong
(192.168.9.x/29) I run into these problems. (Proper subnets have been
assigned to each site in AD Sites and Services.)

Regards,
Joris
 
Paul Bergson [MVP-DS]

If everything works fine as long as they are in the same subnet and then
you change the subnets, it points to routing issues, which has nothing to do
with AD.

Joris Kemperman

Paul, about the dnslint command:

We've set up two Active Directory integrated DNS servers in the root domain,
running domain.local.

The subdomain controllers have no DNS installed; all the subdomain DNS
records can be found when opening the DNS snap-in, opening the domain.local
domain and opening the subdomain folder. Is this setup a problem?

Joris
 
Joris Kemperman

Hi Paul,

Pretty strange... gateways are okay, subnet masks are okay as well. Hosts can
ping each other, no ports are closed on the firewall.

I've tried your DCDIAG command on my domain controller; this is only the last
part of it (summary):
Test results for domain controllers:

DC: fserver.za.domain.local
Domain: za.domain.local

TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
[Error details: 1203 (Type: Win32 - Description: No network provider accepted the given network path.) - Add connection failed]

TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 1.0) is supported
Error: Open Service Control Manager failed
[Error details: 1722 (Type: Win32 - Description: The RPC server is unavailable.) - Could not open Service Control Manager]
Total query time:0 min. 0 sec.. Total RPC connection time:0 min. 0 sec.
Total WMI connection time:0 min. 1 sec. Total Netuse connection time:0 min. 0 sec.

Summary of DNS test results:

                Auth Basc Forw Del  Dyn  RReg Ext
________________________________________________________________
Domain: za.domain.local
    fserver     FAIL FAIL n/a  n/a  n/a  n/a  n/a

Total Time taken to test all the DCs:0 min. 1 sec.
......................... domain.local failed test DNS

As far as I can see it seems to be an authentication problem?

Thanks for your help, I really appreciate it!

Joris
 
Paul Bergson [MVP-DS]

Move this dc back to the subnet where you aren't getting errors and re-run
the tests. The local configuration you have has nothing to do with your
router definitions. Check with your network person.

If you do a route print on the failing machine it will tell you its defined
route paths, but this may make no difference if it is your router that is
causing the problem.

Paul Bergson [MVP-DS]

As long as the child dc's point to the dns server at the root this is fine.
Just make sure that all clients point to AD dns and the dns server forwards
external requests to your ISP's dns server.
