AD Problems with one DC

Guest

Hello, I have 5 DCs on my Windows 2000 AD domain. Everything was working
fine till I noticed some errors on one of the DCs, and only one of them.
Please see the error below:

The attempt to establish a replication link with parameters
Partition: CN=Schema,CN=Configuration,DC=mydomain,DC=com
Source DSA DN: CN=NTDS Settings,CN=DC2,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Source DSA Address: 155ec0d0-681f-4cb8-b0a7-5b046f3fe6c4._msdcs.mydomain.com
Inter-site Transport (if any): CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mydomain,DC=com
failed with the following status:
Access is denied.
The record data is the status code. This operation will be retried.

Then I get this error,

The Directory Service consistency checker has determined that either (a) there is not enough physical connectivity published via the Active Directory Sites and Services Manager to create a spanning tree connecting all the sites containing the Partition CN=Configuration,DC=mydomain,DC=com, or (b) replication cannot be performed with one or more critical servers in order for changes to propagate across all sites (most often due to the servers being unreachable).
For (a), please use the Active Directory Sites and Services Manager to do one of the following:
1. Publish sufficient site connectivity information such that the system can infer a route by which this Partition can reach this site. This option is preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the Partition CN=Configuration,DC=mydomain,DC=com in this site from a Domain Controller that contains the same Partition in another site.
For (b), please see previous events logged by the NTDS KCC source that identify the servers that could not be contacted.

I don't understand where this is getting denied?? Can someone help me with
the ACCESS IS DENIED error? Everything was working fine and I didn't change
anything???
 
Ryan Hanisco

Jessem,

It looks as though you are having connectivity problems between the sites.
This can happen for a number of reasons and we'd need more information to
troubleshoot this.

Here are some things to try:
1. Make sure that you have a stable connection that is not oversubscribed
between these sites.
2. Install the support tools and run replmon to force replication, then
have it give you a diagnostic:
Select: Action | Server | Generate Status Report
3. Use DCDIAG to give a general status of the server:
DCDIAG /s:<ServerName> /v /c <enter>
4. Use NETDIAG /v to get your network statistics.

These should give you enough information to continue troubleshooting... and
remember that there is a /fix switch on these that can resolve minor
problems.

From there, post again and we can help with more specific problems.
 
Guest

ok, I've got a lot of info but am not sure what I should be looking for or
what to post?
 
Ryan Hanisco

Well... start with any of the tests that the DCs failed and anything that
didn't come back as expected. It will take some time and you'll have to
read those carefully.

Did you try those with the /fix switch?
 
Guest

I did run those fix switches but they did not help. Here is part of the dcdiag:
Testing server: site2\server2
Starting test: Replications
[Replications Check,server2] A recent replication attempt failed:
From server3 to server2
Naming Context: CN=Schema,CN=Configuration,DC=mydomain,DC=com
The replication generated an error (5):
Access is denied.
The failure occurred at 2005-02-07 13:26.20.
The last success occurred at 2005-01-27 01:27.44.
368 failures have occurred since the last success.

and it keeps getting the same error with the other servers.
 
Guest

I also received this error in the dcdiag:

......................... SERVER2 failed test KnowsOfRoleHolders
Starting test: RidManager
......................... SERVER2 passed test RidManager
Starting test: MachineAccount
......................... SERVER2 passed test MachineAccount
Starting test: Services
Could not open IISADMIN Service on [SERVER2]:failed with 1060:
The specified service does not exist as an installed service.
Could not open SMTPSVC Service on [SERVER2]:failed with 1060:
The specified service does not exist as an installed service.
......................... SERVER2 failed test Services
Starting test: ObjectsReplicated
......................... SERVER2 passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... SERVER2 passed test frssysvol
Starting test: kccevent


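The reply above says to start with the tests the DC failed and to read the output carefully. The following is an added example, not code from the thread: it parses saved `dcdiag /v` output and pulls out exactly those items (failed tests and failed replication attempts), and it also works out how long the naming context has gone without a successful replication, because a DC that has been silent longer than the tombstone lifetime (60 days by default on a Windows 2000 forest) should not simply be forced to replicate again. The sample text is constructed from the lines posted in this thread; the `failed test Replications` summary line is an assumption, since the post was cut off before it.

```powershell
# Added example (not from the thread): extract failed tests and failed replication
# attempts from saved "dcdiag /v" output. Sample text is constructed from the posts
# above; the "failed test Replications" line is assumed (the post was cut off).

$sampleDcdiag = @'
Testing server: site2\server2
   Starting test: Replications
      [Replications Check,server2] A recent replication attempt failed:
         From server3 to server2
         Naming Context: CN=Schema,CN=Configuration,DC=mydomain,DC=com
         The replication generated an error (5):
         Access is denied.
         The failure occurred at 2005-02-07 13:26.20.
         The last success occurred at 2005-01-27 01:27.44.
         368 failures have occurred since the last success.
      ......................... SERVER2 failed test Replications
   Starting test: KnowsOfRoleHolders
      ......................... SERVER2 failed test KnowsOfRoleHolders
   Starting test: RidManager
      ......................... SERVER2 passed test RidManager
   Starting test: Services
      Could not open IISADMIN Service on [SERVER2]:failed with 1060:
      ......................... SERVER2 failed test Services
'@

function Get-DcdiagFailures {
    param(
        [Parameter(Mandatory)][string]$Text,
        # Windows 2000 default tombstone lifetime. A partner silent longer than this
        # risks lingering objects and needs cleanup, not a forced replication.
        [int]$TombstoneLifetimeDays = 60
    )

    $failedTests     = [System.Collections.Generic.List[object]]::new()
    $replFailures    = [System.Collections.Generic.List[object]]::new()
    $current         = $null    # replication-failure block being assembled
    $expectErrorText = $false   # the line after "generated an error (N):" is the message
    $tsFormat        = 'yyyy-MM-dd HH:mm\.ss'   # dcdiag writes 13:26.20, not 13:26:20
    $culture         = [cultureinfo]::InvariantCulture

    foreach ($line in ($Text -split "`r?`n")) {
        if ($expectErrorText -and $null -ne $current) {
            $current.ErrorText = $line.Trim()
            $expectErrorText = $false
            continue
        }
        switch -Regex ($line) {
            '^\s*\.+\s+(?<dc>\S+)\s+failed test\s+(?<test>\S+)' {
                $failedTests.Add([pscustomobject]@{ DC = $Matches.dc; Test = $Matches.test })
            }
            'A recent replication attempt failed:' {
                $current = [ordered]@{
                    Source = $null; Target = $null; NamingContext = $null
                    ErrorCode = $null; ErrorText = $null
                    LastSuccess = $null; LastFailure = $null; FailureCount = $null
                    DaysWithoutReplication = $null; ExceedsTombstoneLifetime = $false
                }
            }
            '^\s*From (?<src>\S+) to (?<dst>\S+)' {
                if ($null -ne $current) { $current.Source = $Matches.src; $current.Target = $Matches.dst }
            }
            '^\s*Naming Context:\s*(?<nc>\S+)' {
                if ($null -ne $current) { $current.NamingContext = $Matches.nc }
            }
            'generated an error \((?<code>\d+)\)' {
                if ($null -ne $current) { $current.ErrorCode = [int]$Matches.code; $expectErrorText = $true }
            }
            'The failure occurred at (?<ts>\d{4}-\d\d-\d\d \d\d:\d\d\.\d\d)' {
                if ($null -ne $current) { $current.LastFailure = [datetime]::ParseExact($Matches.ts, $tsFormat, $culture) }
            }
            'The last success occurred at (?<ts>\d{4}-\d\d-\d\d \d\d:\d\d\.\d\d)' {
                if ($null -ne $current) { $current.LastSuccess = [datetime]::ParseExact($Matches.ts, $tsFormat, $culture) }
            }
            '^\s*(?<n>\d+) failures have occurred since the last success' {
                if ($null -ne $current) {
                    $current.FailureCount = [int]$Matches.n
                    if ($current.LastSuccess -and $current.LastFailure) {
                        $days = ($current.LastFailure - $current.LastSuccess).TotalDays
                        $current.DaysWithoutReplication   = [math]::Round($days, 1)
                        $current.ExceedsTombstoneLifetime = $days -gt $TombstoneLifetimeDays
                    }
                    $replFailures.Add([pscustomobject]$current)
                    $current = $null
                }
            }
        }
    }

    [pscustomobject]@{ FailedTests = $failedTests; ReplicationFailures = $replFailures }
}

$report = Get-DcdiagFailures -Text $sampleDcdiag
"Failed tests:"
$report.FailedTests | Format-Table -AutoSize
"Replication failures:"
$report.ReplicationFailures | Format-List
```

On the sample above this lists three failed tests (Replications, KnowsOfRoleHolders, Services) and one replication failure from server3 to server2 with error code 5, 368 attempts and about 11.5 days since the last success, well inside the 60-day limit. To use it on a real server, save the output with `dcdiag /v /c > dcdiag.txt` and pass `(Get-Content dcdiag.txt -Raw)` as `-Text`.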
 
Ryan Hanisco

Jessem,

The errors that you are seeing tell me that your DC is not able to contact
the holders of the FSMO roles. This can happen in one of two ways. The
easiest to resolve is a physical problem contacting all of them. Even if by
hand, do a quick network drawing of your forest and domains labeling all of
the FSMO role holders. Then do PINGs and check the link subscription to
ensure that you can communicate with all of them.

If this is not the case, this is probably a DNS problem. In 90% of these
kinds of problems, this is the case. Make sure that every site has an AD
integrated DNS -- and it's not a bad idea to make every DC a DNS server.
Make sure that every DC points to itself as its DNS source and the core then
externally as its forwarders.

From there, you will want to make sure that the server is looking to its
local DNS zone as its first resolution. Once that is solid, restart the
netlogon services to ensure that you have the correct DNS registrations.

From there, you should be able to see everything and replicate in REPLMON.

If that doesn't work....
1. Look at time services and time zones to make sure your DCs are within the
5min Kerberos threshold.
2. Make sure your other DCs can see the Masters because you probably have a
system-wide problem
3. Consider a real problem with the FSMOs and consider NTDSUtil to clean
them up (careful)
4. Call PSS support to open a case -- we all do it.
--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

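The reply above is a procedure: find the FSMO role holders, confirm each is reachable, check that the DC's DNS client points at a DC-hosted zone, and verify the clocks are within the 5-minute Kerberos tolerance before touching Netlogon. The script below is an added example, not code from the thread or from Flagship Integration Services, and it scripts those checks for a current Windows DC rather than the Windows 2000 tools (replmon, netdiag) named in the thread. It assumes the ActiveDirectory RSAT module is installed and that `Resolve-DnsName`, `Get-DnsClientServerAddress`, `Get-NetIPAddress` and `Test-ComputerSecureChannel` are available (Windows 8 / Server 2012 and later); it reads the clock offset from `w32tm.exe` and changes nothing on the server. It adds one check the thread does not name, the DC's own secure channel, because that is another source of error 5 on replication.

```powershell
# Added example (not from the thread): read-only checks following the reply above.
# Assumes RSAT ActiveDirectory module, DnsClient/NetTCPIP cmdlets and w32tm.exe.
param([int]$MaxSkewSeconds = 300)   # the 5-minute Kerberos tolerance mentioned above

Import-Module ActiveDirectory -ErrorAction Stop

# Step 1: who holds the FSMO roles (forest-wide roles from Get-ADForest, domain roles
# from Get-ADDomain), so each holder can be checked individually.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Clock offset between this host and $Target from a one-sample w32tm strip chart;
# in data-only mode each sample line ends with an offset like "+00.0123456s".
# Returns $null when the target does not answer NTP.
function Get-ClockOffsetSeconds {
    param([Parameter(Mandatory)][string]$Target)
    $out = & w32tm.exe /stripchart /computer:$Target /samples:1 /dataonly 2>&1
    foreach ($l in $out) {
        if ("$l" -match '([+-]\d+\.\d+)s\s*$') { return [double]$Matches[1] }
    }
    return $null
}

# Step 1, continued: does the holder resolve, answer a ping, and agree on the time?
function Test-FsmoHolder {
    param([string]$Role, [string]$Holder, [int]$MaxSkew)
    $resolves = $null -ne (Resolve-DnsName -Name $Holder -Type A -ErrorAction SilentlyContinue)
    $pings    = [bool](Test-Connection -ComputerName $Holder -Count 1 -Quiet -ErrorAction SilentlyContinue)
    $offset   = Get-ClockOffsetSeconds -Target $Holder
    [pscustomobject]@{
        Role        = $Role
        Holder      = $Holder
        DnsResolves = $resolves
        Pings       = $pings      # ICMP may be filtered; False is a hint, not proof of a link problem
        ClockOffset = $offset
        SkewOk      = ($null -ne $offset) -and ([math]::Abs($offset) -le $MaxSkew)
    }
}

# Step 2: the reply says each DC should point to itself for DNS. (Current Microsoft
# guidance is another DC first and itself second; this check only verifies that the
# DC's own address or loopback appears in its DNS server list at all.)
function Test-DnsClientPointsToSelf {
    $selfIps = (Get-NetIPAddress -AddressFamily IPv4 |
                Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
    $servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses }).ServerAddresses
    [pscustomobject]@{
        ConfiguredDnsServers = $servers -join ', '
        ListsSelf            = [bool]($servers | Where-Object { $_ -eq '127.0.0.1' -or $_ -in $selfIps })
    }
}

$holders = Get-FsmoHolders
"FSMO role holders as seen from $($env:COMPUTERNAME):"
$holders.GetEnumerator() |
    ForEach-Object { Test-FsmoHolder -Role $_.Key -Holder $_.Value -MaxSkew $MaxSkewSeconds } |
    Format-Table -AutoSize

"DNS client configuration on this DC:"
Test-DnsClientPointsToSelf | Format-List

# Added check: a broken secure channel on this DC also yields "Access is denied"
# (error 5) on replication. This only tests it; repair is a separate, deliberate step.
"Secure channel to the domain intact: $(Test-ComputerSecureChannel)"

# Step 3 in the reply: once DNS is right, restart Netlogon so the SRV records
# re-register. Left as a comment because it briefly interrupts logon service:
#   Restart-Service Netlogon
```

Run it in an elevated PowerShell on the DC that logs the error. A holder that fails `DnsResolves` points at the DNS problem the reply expects; one that resolves and pings but fails `SkewOk` points at the time service item in the reply's "if that doesn't work" list.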
 
