Does ANYONE's 2003 DC Intrasite replicate under 15 mins!!??!

K Berrien

After weeks of work, a lot of discussions on a different thread, I
must ask the following question...

Does anyone have freshly installed 2003 DC's with proper INTRA-site
(1-2 minute) replication??? Our install doesn't work SO PERFECTLY I
have to wonder if this is a bug.
 
K Berrien

Been a couple of days now... and no replies. Do I take it that
no-one's working? <grin>
 
Trond Hindenes

According to the 2003 Server Resource Kit, intrasite replication is now
every 5 minutes (if I remember correctly). AD Replication is much better
compressed with 2003 than in 2000, so this shouldn't have a negative effect
on bandwidth.

Also, if this is an upgraded 2000 domain where the default replication
interval was changed, upgrading to 2003 won't automatically set replication
to the new 5-minute interval (obviously), so you'll have to do this
manually.

best regards,
Trond Hindenes
Consultant
Norway
 
K Berrien

If it's now 5 minutes it surely doesn't work! My repadmin /showreps
shows consistent 15 minute timing.

These are brand new servers with virgin 2003 installs. In terms of
setting manually... how does one do this? Everything I've tried does
not work.
 
Joe Richards [MVP]

5 minutes is the timing between dsa's for Windows 2000 within a site.

K. I will spin up a couple of W2K3 domain controllers and play around today/tomorrow.
 
Laura A. Robinson

circa Wed, 22 Oct 2003 20:25:47 GMT, in
microsoft.public.win2000.active_directory, K Berrien
([email protected]) said,
> After weeks of work, a lot of discussions on a different thread, I
> must ask the following question...
>
> Does anyone have freshly installed 2003 DC's with proper INTRA-site
> (1-2 minute) replication???

Yes. In fact, I have yet to have an install that *didn't* work
correctly.

> Our install doesn't work SO PERFECTLY I
> have to wonder if this is a bug.

I would wonder if it's a misconfiguration.

Laura
 
Laura A. Robinson

circa Sat, 25 Oct 2003 03:12:45 +0200, in
microsoft.public.win2000.active_directory, Trond Hindenes
([email protected]) said,
> According to the 2003 Server Resource Kit, intrasite replication is now
> every 5 minutes (if I remember correctly).

No, it was five minutes in Windows 2000. Now it is nearly
instantaneous.

> AD Replication is much better
> compressed with 2003 than in 2000,

Compression isn't used on intrasite replication.

> so this shouldn't have a negative effect
> on bandwidth.
>
> Also, if this is an upgraded 2000 domain where the default replication
> interval was changed, upgrading to 2003 won't automatically set replication
> to the new 5-minute interval (obviously), so you'll have to do this
> manually.

Actually, it depends on the operating system of the DC, not the
domain.

Laura
 
Laura A. Robinson

circa Sat, 25 Oct 2003 15:12:24 -0400, in
microsoft.public.win2000.active_directory, Joe Richards [MVP]
([email protected]) said,
> 5 minutes is the timing between dsa's for Windows 2000 within a site.
>
> K. I will spin up a couple of W2K3 domain controllers and play around today/tomorrow.

In Win2K3, it is 3 seconds post-commit with a 15 second delay between
notifications. In all of my deployments (post-beta), replication has
behaved just as it was supposed to.

More info for OP:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_ADreplication_intrasite.asp

or

http://tinyurl.com/sduw

Laura
 
K Berrien

> Yes. In fact, I have yet to have an install that *didn't* work
> correctly.

Excellent, then there is light at the end of the tunnel.

> I would wonder if it's a misconfiguration.

Well, on the surface everything appears ok. Both DC's are within the
same site, which I've confirmed with nltest /dsgetsite. Same site.

My original site had 3 subnets, so I moved the DC's to a hypothetical
site DATACENTER and only attached one subnet (which the machines are
on), still doesn't work...

So I tried set nc replicate notification delay DC=mydomain,DC=org
30 60 and played with that. still doesn't work...

I set (in sites and services) replication to 1 hour (intersite) for ha
ha's, still replicates in 15 min intervals.

I tried the Win2k registry entries for ha ha's. Still doesn't work.

I pinned a picture of Ballmer to the patch cables... still doesn't
work.

Now, the boxes DO replicate just fine, no notable errors in the event
viewer at solid 15 min intervals, changes made, or not made. It would
appear that change notification just doesn't work, period. I've
entered 30 users within a 15 minute period and it's not enough to
trigger. We live off Sites & Services replicate now feature to get
by.

Now I'm a 10 year NT 3/4/Citrix vet. Server configuration with these
2003 boxes was no big deal. Just the AD area that was new for me.
But given the stacks of printed materials, 2K resource kit books,
which I generally actually read I configured these machines just fine.

Kevin <stumped, and sick of the 2 macintosh fanatics in my office
heckling me>
 
Joe Richards [MVP]

Sorry, I changed this to Rich Text so I can highlight things.



Howdy, I spun up a couple of W2K3 DC's in a new Domain and Forest. They are vpc dc's running on a P3-950 w/ 512MB of RAM so they are a little slow. They both have 64MB assigned to them. I have access to some fun tools that no one else has access to since I wrote them, one of them lets me chase changes in a domain so I know exactly when they occur. I will put it on my joeware site someday but not yet. That is what I used to check the latency of the change replications.

Here is a quick summary of the changes I made (I kept changing the description on a user id)

13910 mastered on VW2K3a.vtest.local
[12:49:42 PM] VW2K3a.vtest.local
[12:50:02 PM] VW2K3b.vtest.local

13914 mastered on VW2K3a.vtest.local
[12:50:20 PM] VW2K3a.vtest.local
[12:50:35 PM] VW2K3b.vtest.local

13932 mastered on VW2K3a.vtest.local
[12:53:36 PM] VW2K3a.vtest.local
[12:53:51 PM] VW2K3b.vtest.local


So we have the following deltas in seconds
13910 20 seconds
13914 15 seconds
13932 15 seconds

That is pretty consistent and all within tolerances as described in the documentation and by Laura. (Hi Laura!).


Here are all the details.

Here is the script I used to make the changes, I ran it on the PDCE machine.

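' Arguments: <object DN> <attribute name> <new value>
adsuser = wscript.arguments.item(0)
attribute = wscript.arguments.item(1)
value = wscript.arguments.item(2)
' Bind to the object over LDAP, stage the attribute change, then commit it
set o = getobject("LDAP://" & adsuser)
o.put attribute, value
o.setinfo()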

Here is the output from my change tracking program...



C:\Temp>ripplecon

Ripple V01.00.00cpp Joe Richards ([email protected]) July 2001

Base DC: \\VW2K3a.vtest.local


Here I select the domain to watch


Domain Puddle Selected, which domain:
1. vtest.local {EFE7E628-BA2C-432D-ABA4-8F8B7D701004}
0 entries returned!


Here I select the user dn to watch


Enter specific DN you wish to use (max 255 characters)
Object category must be (objectCategory=person)
Ex1: cn=__rippleUser,cn=users,dc=test,dc=com
CN=TestUser,CN=Users,DC=vtest,DC=local

Search Filter = (&(objectCategory=person)(distinguishedName=CN=TestUser,CN=Users,DC=vtest,DC=local))
1 entry returned!



Here I verify what I am watching


Select Object:
1. TestUser [user] (CN=TestUser,CN=Users,DC=vtest,DC=local)
2. Enter specific DN/displayName


Selected Rock: CN=TestUser,CN=Users,DC=vtest,DC=local
Current Description Attribute: (null)


Will spawn 2 Threads to monitor the domain controllers for changes in
distiguishedName = CN=TestUser,CN=Users,DC=vtest,DC=local


I will try to report what attributes changed. To report all
information, "Manage Replication Topology" access must be
given on the root of the container that the information is being
pulled from which would be the domain NC for domain objects.

Once threads are spawned and have reported as processing changes
toss the Rock into the pond. i.e. Change the object being watched.

Please note that I have special watches on description so that
if you want to try this with a normal user id, you can change the
description with an admin ID and watch that change replicate around
running this program as a normal user.


For lines that show which attributes changed, the format will be:
[hostname] [time] (localUSN) attribute (change master - USN)
hostname - hostname of machine where change detected
time - time that change was detected
localUSN - USN Number for change on hostname
attribute - attribute that changed
change master - hostname of machine that mastered change
USN - USN of change at change master


PRESS 0 AND RETURN OR CTRL^C TO END MONITORING



Here the threads spawn up and start watching the domain controllers


Spawning thread for VW2K3a.vtest.local
Spawning thread for VW2K3b.vtest.local
[VW2K3a.vtest.local] [12:47:22 PM] Processing...
[VW2K3b.vtest.local] [12:47:22 PM] Processing...


Here is the first change to description

[VW2K3a.vtest.local] [12:49:42 PM] (13910) description (*SELF* - 13910)
[VW2K3b.vtest.local] [12:50:02 PM] (12362) description (VW2K3a.vtest.local - 13910)


Here is the second change to description

[VW2K3a.vtest.local] [12:50:20 PM] (13914) description (*SELF* - 13914)
[VW2K3b.vtest.local] [12:50:35 PM] (12366) description (VW2K3a.vtest.local - 13914)


Here is the third change to description

[VW2K3a.vtest.local] [12:53:36 PM] (13932) description (*SELF* - 13932)
[VW2K3b.vtest.local] [12:53:51 PM] (12384) description (VW2K3a.vtest.local - 13932)


Exiting program now

0
Terminating VW2K3a.vtest.local
Terminating VW2K3b.vtest.local
Waiting for threads to wake up and terminate normally...

(1856)RIPPLE: Exiting thread due to normal termination - VW2K3b.vtest.local
(1012)RIPPLE: Exiting thread due to normal termination - VW2K3a.vtest.local




This is the summary of what the program saw changed on the user object for the session, it is the summary at the top...

Outputting changes log
-----------------------------------------------------------------
13910 mastered on VW2K3a.vtest.local
[12:49:42 PM] VW2K3a.vtest.local
[12:50:02 PM] VW2K3b.vtest.local

13914 mastered on VW2K3a.vtest.local
[12:50:20 PM] VW2K3a.vtest.local
[12:50:35 PM] VW2K3b.vtest.local

13932 mastered on VW2K3a.vtest.local
[12:53:36 PM] VW2K3a.vtest.local
[12:53:51 PM] VW2K3b.vtest.local



Program terminated normally.


C:\Temp>


Obviously from this, the functionality is working as designed but this isn't surprising to me. There is one of two things that I can think of going on in your environment. Things aren't happening as you think they are or something is way misconfigured and the machines think they are in different sites.


joe
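
The change lines in the Ripple output above follow the stated format `[hostname] [time] (localUSN) attribute (change master - USN)`. As an added example (not part of the original post and not Joe's tool), the Python below parses those lines, pairs each originating write with its arrival on the other DC by change master and USN, and lists replicas that were late or never saw the change. The sample lines are copied from the output above; the function names and the 30-second default threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the Ripple session above (one status line, six change lines).
SAMPLE = """\
[VW2K3a.vtest.local] [12:47:22 PM] Processing...
[VW2K3a.vtest.local] [12:49:42 PM] (13910) description (*SELF* - 13910)
[VW2K3b.vtest.local] [12:50:02 PM] (12362) description (VW2K3a.vtest.local - 13910)
[VW2K3a.vtest.local] [12:50:20 PM] (13914) description (*SELF* - 13914)
[VW2K3b.vtest.local] [12:50:35 PM] (12366) description (VW2K3a.vtest.local - 13914)
[VW2K3a.vtest.local] [12:53:36 PM] (13932) description (*SELF* - 13932)
[VW2K3b.vtest.local] [12:53:51 PM] (12384) description (VW2K3a.vtest.local - 13932)
"""

# [hostname] [time] (localUSN) attribute (change master - USN)
LINE_RE = re.compile(
    r"^\[(?P<host>[^\]]+)\]\s+\[(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\]\s+"
    r"\((?P<local_usn>\d+)\)\s+(?P<attr>\S+)\s+"
    r"\((?P<master>\S+) - (?P<usn>\d+)\)\s*$"
)


def parse_changes(text):
    """Yield one dict per change line; status lines ('Processing...') are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        host = m["host"]
        # *SELF* means the change was mastered on the DC that reported it.
        master = host if m["master"] == "*SELF*" else m["master"]
        yield {
            "host": host,
            "time": datetime.strptime(m["time"], "%I:%M:%S %p"),
            "attr": m["attr"],
            "master": master,
            "usn": int(m["usn"]),
        }


def replication_latency(text):
    """Map (master, originating USN, attribute) -> {replica host: seconds to arrive}."""
    origin = {}    # key -> time the write was seen on the originating DC
    arrivals = {}  # key -> {replica host: time the change was seen there}
    for c in parse_changes(text):
        key = (c["master"], c["usn"], c["attr"])
        if c["host"] == c["master"]:
            origin.setdefault(key, c["time"])
        else:
            arrivals.setdefault(key, {}).setdefault(c["host"], c["time"])

    result = {}
    for key, written in origin.items():
        per_replica = {}
        for host, seen in arrivals.get(key, {}).items():
            delta = seen - written
            if delta < timedelta(0):
                # The log carries clock times only, so a negative delta is
                # treated as a change that crossed midnight.
                delta += timedelta(days=1)
            per_replica[host] = int(delta.total_seconds())
        result[key] = per_replica
    return result


def slow_or_missing(latency, replicas, max_seconds=30):
    """List (key, host, seconds or None) for replicas that were late or never saw a change."""
    findings = []
    for key, per_replica in latency.items():
        for host in replicas:
            if host == key[0]:      # the originating DC is not a replica of its own write
                continue
            secs = per_replica.get(host)
            if secs is None or secs > max_seconds:
                findings.append((key, host, secs))
    return findings


if __name__ == "__main__":
    dcs = ["VW2K3a.vtest.local", "VW2K3b.vtest.local"]
    latency = replication_latency(SAMPLE)
    for (master, usn, attr), per_replica in latency.items():
        print(usn, attr, "mastered on", master, "->", per_replica)
    print("late or missing:", slow_or_missing(latency, dcs))
```
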
 
K Berrien

> Things aren't happening as you think they are

Changes made on one domain don't register on other domain until after
15 mins (if change is entered right after last replication). I add
user here, it doesn't show up there until I come back somewhere within
the time of 15 minutes. Things are not working, as I know they are
not.

> or something is way misconfigured and the machines think they are in different sites.

Well, since others DO have correctly working Win2k3 intra-site
replication then this would certainly be the case.

In my opinion it's still a bug.

Can anyone tell me how to specifically try to configure 2 DC's to
exhibit this behaviour intentionally? - And I'll tell you I did not do
that. That's the only way I would consider this not a bug. If any
portion of the install/configuration ALLOWS this situation to happen
(other than just plain data corruption) it's a bug.

I created one DC. I created a 2nd DC. Both were placed within the
same site using Sites & Services. As far as I know intra-site
replication should now take place (with change notifications) between
these two boxes unless I missed some fine print somewhere.

Sites and Services show them within the same site. nltest /dsgetsite
shows them within the same site. If two utilities report the boxes
within the same site, and true intrasite replication still can't work
= bug, or the code doesn't actually look at sites, but uses some other
method of identifying locations.

Now, let's take data corruption or something. Is there any way I can
"rebuild" all this without disrupting anything? Where, besides using
nltest or S&S's can I confirm both sites are within the same site?
 
Joe Richards [MVP]

Do you have replication errors in the event log?

What do you get when you do dcdiag?

Do you know if you are having any DNS issues?

If you have an extra piece of hardware spin up another DC and make sure it is in the subnet defined for the DC's that
you currently have and see what it does. You could also demote and repromote and see if that helps.

I can't think of any corruption that could cause this. If the DC's report they are in the same site, that is a couple of
very simple AD entries.

Maybe do the following:
o Modify a users description.
o Watch for the change to hit your other DC.
o Get a ldap dump of the user object on both DC's
o Get a repadmin /showmeta dump of the user object on both DC's
o Post the info.
 
K Berrien

This is what dcdiag gives me on both boxes.

------------------
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: ComputerCenter\WESTNET
Starting test: Connectivity
......................... WESTNET passed test Connectivity
Doing primary tests
Testing server: ComputerCenter\WESTNET
Starting test: Replications
......................... WESTNET passed test Replications
Starting test: NCSecDesc
......................... WESTNET passed test NCSecDesc
Starting test: NetLogons
......................... WESTNET passed test NetLogons
Starting test: Advertising
......................... WESTNET passed test Advertising
Starting test: KnowsOfRoleHolders
......................... WESTNET passed test
KnowsOfRoleHolders
Starting test: RidManager
......................... WESTNET passed test RidManager
Starting test: MachineAccount
......................... WESTNET passed test MachineAccount
Starting test: Services
......................... WESTNET passed test Services
Starting test: ObjectsReplicated
......................... WESTNET passed test
ObjectsReplicated
Starting test: frssysvol
......................... WESTNET passed test frssysvol
Starting test: frsevent
......................... WESTNET passed test frsevent
Starting test: kccevent
......................... WESTNET passed test kccevent
Starting test: systemlog
......................... WESTNET passed test systemlog
Starting test: VerifyReferences
......................... WESTNET passed test
VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test
CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test
CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test
CheckSDRefDom
Running partition tests on : cityofX.org
Starting test: CrossRefValidation
......................... cityofX.org passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... cityofX.org passed test
CheckSDRefDom
Running enterprise tests on : cityofX.org.org
Starting test: Intersite
......................... cityofX.org.org passed test
Intersite
Starting test: FsmoCheck
......................... cityofX.org.org passed test
FsmoCheck

----------------------
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: ComputerCenter\WESTFILE
Starting test: Connectivity
......................... WESTFILE passed test Connectivity
Doing primary tests
Testing server: ComputerCenter\WESTFILE
Starting test: Replications
......................... WESTFILE passed test Replications
Starting test: NCSecDesc
......................... WESTFILE passed test NCSecDesc
Starting test: NetLogons
......................... WESTFILE passed test NetLogons
Starting test: Advertising
......................... WESTFILE passed test Advertising
Starting test: KnowsOfRoleHolders
......................... WESTFILE passed test
KnowsOfRoleHolders
Starting test: RidManager
......................... WESTFILE passed test RidManager
Starting test: MachineAccount
......................... WESTFILE passed test MachineAccount
Starting test: Services
......................... WESTFILE passed test Services
Starting test: ObjectsReplicated
......................... WESTFILE passed test
ObjectsReplicated
Starting test: frssysvol
......................... WESTFILE passed test frssysvol
Starting test: frsevent
......................... WESTFILE passed test frsevent
Starting test: kccevent
......................... WESTFILE passed test kccevent
Starting test: systemlog
......................... WESTFILE passed test systemlog
Starting test: VerifyReferences
......................... WESTFILE passed test
VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test
CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test
CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test
CheckSDRefDom
Running partition tests on : cityofX.org
Starting test: CrossRefValidation
......................... cityofX.org passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... cityofX.org passed test
CheckSDRefDom
Running enterprise tests on : cityofX.org.org
Starting test: Intersite
......................... cityofX.org.org passed test
Intersite
Starting test: FsmoCheck
......................... cityofX.org.org passed test
FsmoCheck

------------------------- end

All appears ok there.

The only thing that would appear pertinent is the following. These
are older log entries from the PDC. I've had to reboot one or more of
the servers within this period for security updates, installations,
etc, so it might be while one server was down.

Over the weekend, no log entries with issues. Today, while making
changes (and double checking them - yup, 15 mins exactly) no errors in
the logs.

10-16-03
The File Replication Service is having trouble enabling replication
from WESTFILE to WESTNET for d:\sysvol\domain using the DNS name
westfile.cityofX.org. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name westfile.cityofX.org
from this computer.
[2] FRS is not running on westfile.cityofX.org.
[3] The topology information in the Active Directory for this replica
has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the
problem is fixed you will see another event log message indicating
that the connection has been established.

10-11-03 3:42pm
The File Replication Service is no longer preventing the computer
WESTNET from becoming a domain controller. The system volume has been
successfully initialized and the Netlogon service has been notified
that the system volume is now ready to be shared as SYSVOL.

Type "net share" to check for the SYSVOL share.

10-11-03 3:35pm
Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller
westnet.cityofX.org for FRS replica set configuration information.

Could not find computer object for this computer. Will try again at
next polling cycle.

10-11-03 10:37am
The File Replication Service has enabled replication from WESTFILE to
WESTNET for d:\sysvol\domain after repeated retries.

10-11-03 10:29am
The File Replication Service is having trouble enabling replication
from WESTFILE to WESTNET for d:\sysvol\domain using the DNS name
westfile.cityofX.org. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name westfile.cityofX.org
from this computer.
[2] FRS is not running on westfile.cityofX.org.
[3] The topology information in the Active Directory for this replica
has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the
problem is fixed you will see another event log message indicating
that the connection has been established.

I get these in PDC in Application log, very regularly

Windows cannot access the file gpt.ini for GPO
CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=cityofX,DC=org.
The file must be present at the location
<\\cityofX.org\sysvol\cityofX.org\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.

Onto repadmin /showmeta. This requires distinct names which I can't
seem to get the syntax down correctly. Could you give me more
specific details on what to enter on the command line? ie

repadmin /showmeta westfile CN=x x x x x x x x

Thanks, Kevin
 
Laura A. Robinson

circa Mon, 27 Oct 2003 01:01:56 GMT, in
microsoft.public.win2000.active_directory, K Berrien
([email protected]) said,
> Changes made on one domain don't register on other domain

Wait a second. These are DCs in different *domains*? I'm assuming
that this is a typo; is it?

> until after
> 15 mins (if change is entered right after last replication). I add
> user here, it doesn't show up there until I come back somewhere within
> the time of 15 minutes. Things are not working, as I know they are
> not.

Correct, but it's not because it's a bug.
I would say that this is likely the case.

> and the machines think they are in different sites.
>
> Well, since others DO have correctly working Win2k3 intra-site
> replication then this would certainly be the case.
>
> In my opinion it's still a bug.

Sorry, but if it were a bug, it would be reproducible in
configurations that weren't misconfigured. ;-)

> Can anyone tell me how to specifically try to configure 2 DC's to
> exhibit this behaviour intentionally?

Sure. Goof in setting up DNS.

> - And I'll tell you I did not do
> that.

What is your DNS setup?

> That's the only way I would consider this not a bug.

See above.

> If any
> portion of the install/configuration ALLOWS this situation to happen
> (other than just plain data corruption) it's a bug.

Not if it's misconfiguration.

> I created one DC. I created a 2nd DC. Both were placed within the
> same site using Sites & Services. As far as I know intra-site
> replication should now take place (with change notifications) between
> these two boxes unless I missed some fine print somewhere.

DNS?

> Sites and Services show them within the same site. nltest /dsgetsite
> shows them within the same site. If two utilities report the boxes
> within the same site, and true intrasite replication still can't work
> = bug, or the code doesn't actually look at sites, but uses some other
> method of identifying locations.

This is not the case. I promise you, something is misconfigured on
your end.

> Now, let's take data corruption or something. Is there any way I can
> "rebuild" all this without disrupting anything? Where, besides using
> nltest or S&S's can I confirm both sites are within the same site?

Before we go there, let's talk DNS.

Laura
 
K Berrien

> Wait a second. These are DCs in different *domains*? I'm assuming
> that this is a typo; is it?

Quite right, one domain, two domain controllers. oops.

> Sorry, but if it were a bug, it would be reproducible in
> configurations that weren't misconfigured. ;-)

Misconfigurations or configurations can aggravate bugs, however. We
may misconfigure or configure differently. 1 variable can expose a
bug. My point was of a more basic nature however. A properly
designed system should not allow you to misconfigure and just run in a
non-correct fashion. I can see misconfiguring and getting errors, but
I don't see that, or at least it's below my radar screen. Win2k/2k3
loves to tell me all sorts of useless stuff in the logs, but doesn't
notice change notification isn't working????

Ok, but less of software development theory....

> Sure. Goof in setting up DNS.

Install wizards took care of my DNS/AD configuration. Can the wizards
goof? I can certainly see how a goofed DNS would stop me from
replicating period, but this is not the case.

> What is your DNS setup?

Box 1, PDC is primary DNS, box 2, secondary dns. Both DC's are within
the same zone, and appear to have the correct AD entries (as generated
by the wizard) as I do replicate at intersite intervals and everything
else appears ok. Certainly I could be wrong....

> Not if it's misconfiguration.

Like I said, I'm no AD/2k/2k3 genius (my experience lies w/NT4) so I
relied on the wizards as was recommended to me. Wizards =
misconfigurators?

> This is not the case. I promise you, something is misconfigured on
> your end.

How does one determine where possible misconfigurations could be? If
nltest /dsgetsite reported two different sites, I could see a
misconfiguration there - oops, I didn't notice my DC's are in
different sites. But they don't, so that's not the problem. I'm at a
loss of where else to look.
 
K Berrien

> Before we go there, let's talk DNS.

What kind of DNS info would be helpful? I checked my DNS
configurations today, and I have what appear to be proper records.
Didn't have time to dig out any documentation and compare...

but.. for instance, my site info seems correct. Both servers in terms
of DNS, are within the same site - if they were not, perhaps why I'm
having my problems.

cityofx.org
  _sites
    Mysitename
      _tcp
        _gc        Service Location (SRV)  [0][100][3268]  westfile.cityofX.org.
        _gc        Service Location (SRV)  [0][100][3268]  westnet.cityofX.org.
        _kerberos  Service Location (SRV)  [0][100][88]    westfile.cityofX.org.
        _kerberos  Service Location (SRV)  [0][100][88]    westnet.cityofX.org.
        _ldap      Service Location (SRV)  [0][100][389]   westfile.cityofX.org.
        _ldap      Service Location (SRV)  [0][100][389]   westnet.cityofX.org.
 
K Berrien

Any thoughts anyone? Got another jab from the Macintosh fanatics
yesterday - this is for vindication!

This is what dcdiag gives me on both boxes.

------------------
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: ComputerCenter\WESTNET
Starting test: Connectivity
......................... WESTNET passed test Connectivity
Doing primary tests
Testing server: ComputerCenter\WESTNET
Starting test: Replications
......................... WESTNET passed test Replications
Starting test: NCSecDesc
......................... WESTNET passed test NCSecDesc
Starting test: NetLogons
......................... WESTNET passed test NetLogons
Starting test: Advertising
......................... WESTNET passed test Advertising
Starting test: KnowsOfRoleHolders
......................... WESTNET passed test
KnowsOfRoleHolders
Starting test: RidManager
......................... WESTNET passed test RidManager
Starting test: MachineAccount
......................... WESTNET passed test MachineAccount
Starting test: Services
......................... WESTNET passed test Services
Starting test: ObjectsReplicated
......................... WESTNET passed test
ObjectsReplicated
Starting test: frssysvol
......................... WESTNET passed test frssysvol
Starting test: frsevent
......................... WESTNET passed test frsevent
Starting test: kccevent
......................... WESTNET passed test kccevent
Starting test: systemlog
......................... WESTNET passed test systemlog
Starting test: VerifyReferences
......................... WESTNET passed test
VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test
CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test
CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test
CheckSDRefDom
Running partition tests on : cityofX.org
Starting test: CrossRefValidation
......................... cityofX.org passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... cityofX.org passed test
CheckSDRefDom
Running enterprise tests on : cityofX.org.org
Starting test: Intersite
......................... cityofX.org.org passed test
Intersite
Starting test: FsmoCheck
......................... cityofX.org.org passed test
FsmoCheck

----------------------
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: ComputerCenter\WESTFILE
Starting test: Connectivity
......................... WESTFILE passed test Connectivity
Doing primary tests
Testing server: ComputerCenter\WESTFILE
Starting test: Replications
......................... WESTFILE passed test Replications
Starting test: NCSecDesc
......................... WESTFILE passed test NCSecDesc
Starting test: NetLogons
......................... WESTFILE passed test NetLogons
Starting test: Advertising
......................... WESTFILE passed test Advertising
Starting test: KnowsOfRoleHolders
......................... WESTFILE passed test
KnowsOfRoleHolders
Starting test: RidManager
......................... WESTFILE passed test RidManager
Starting test: MachineAccount
......................... WESTFILE passed test MachineAccount
Starting test: Services
......................... WESTFILE passed test Services
Starting test: ObjectsReplicated
......................... WESTFILE passed test
ObjectsReplicated
Starting test: frssysvol
......................... WESTFILE passed test frssysvol
Starting test: frsevent
......................... WESTFILE passed test frsevent
Starting test: kccevent
......................... WESTFILE passed test kccevent
Starting test: systemlog
......................... WESTFILE passed test systemlog
Starting test: VerifyReferences
......................... WESTFILE passed test
VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test
CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test
CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test
CheckSDRefDom
Running partition tests on : cityofX.org
Starting test: CrossRefValidation
......................... cityofX.org passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... cityofX.org passed test
CheckSDRefDom
Running enterprise tests on : cityofX.org.org
Starting test: Intersite
......................... cityofX.org.org passed test
Intersite
Starting test: FsmoCheck
......................... cityofX.org.org passed test
FsmoCheck

------------------------- end

All appears ok there.

The only thing that would appear pertinent is the following. These
are older log entries from the PDC. I've had to reboot one or more of
the servers within this period for security updates, installations,
etc, so it might be while one server was down.

Over the weekend, no log entries with issues. Today, while making
changes (and double checking them - yup, 15 mins exactly) no errors in
the logs.

10-16-03
The File Replication Service is having trouble enabling replication
from WESTFILE to WESTNET for d:\sysvol\domain using the DNS name
westfile.cityofX.org. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name westfile.cityofX.org
from this computer.
[2] FRS is not running on westfile.cityofX.org.
[3] The topology information in the Active Directory for this replica
has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the
problem is fixed you will see another event log message indicating
that the connection has been established.

10-11-03 3:42pm
The File Replication Service is no longer preventing the computer
WESTNET from becoming a domain controller. The system volume has been
successfully initialized and the Netlogon service has been notified
that the system volume is now ready to be shared as SYSVOL.

Type "net share" to check for the SYSVOL share.

10-11-03 3:35pm
Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller
westnet.cityofX.org for FRS replica set configuration information.

Could not find computer object for this computer. Will try again at
next polling cycle.

10-11-03 10:37am
The File Replication Service has enabled replication from WESTFILE to
WESTNET for d:\sysvol\domain after repeated retries.

10-11-03 10:29am
The File Replication Service is having trouble enabling replication
from WESTFILE to WESTNET for d:\sysvol\domain using the DNS name
westfile.cityofX.org. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name westfile.cityofX.org
from this computer.
[2] FRS is not running on westfile.cityofX.org.
[3] The topology information in the Active Directory for this replica
has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the
problem is fixed you will see another event log message indicating
that the connection has been established.

I get these in PDC in Application log, very regularly

Windows cannot access the file gpt.ini for GPO
CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=cityofX,DC=org.
The file must be present at the location
<\\cityofX.org\sysvol\cityofX.org\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.

Onto repadmin /showmeta. This requires distinct names which I can't
seem to get the syntax down correctly. Could you give me more
specific details on what to enter on the command line? i.e.

repadmin /showmeta westfile CN=x x x x x x x x

Thanks, Kevin


Do you have replication errors in the event log?

What do you get when you do dcdiag?

Do you know if you are having any DNS issues?

If you have an extra piece of hardware, spin up another DC and make sure it is in the subnet defined for the DC's that
you currently have and see what it does. You could also demote and repromote and see if that helps.

I can't think of any corruption that could cause this. If the DC's report they are in the same site, that is a couple of
very simple AD entries.

Maybe do the following:
o Modify a user's description.
o Watch for the change to hit your other DC.
o Get an LDAP dump of the user object on both DC's
o Get a repadmin /showmeta dump of the user object on both DC's
o Post the info.
 
J

Joe Richards [MVP]

repadmin /showmeta cn=objectname,ou=whereat,dc=domain,dc=com domaincontroller

Also you want LDAP dumps of the object from both DC's. You can use ldp from MS or my adfind (www.joeware.net on the free
win32 c++ tools page). Using adfind it would look like

adfind -h domaincontroller -b cn=objectname,ou=whereat,dc=domain,dc=com -s base


Also another suggestion that I thought I made somewhere else but can't find it is to spin up a third domain controller
and see what it replicates like.

Also yet another suggestion would be to blow away the connection objects between the DC's and let the machines reconnect
themselves. Maybe there is a bad value in the connection objects?



--
Joe Richards
www.joeware.net
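
Once the two repadmin /showmeta dumps from the steps above are saved, they can be compared mechanically to see which attributes have not yet arrived on the second DC. This is an added example, not code from the thread: the column layout is an assumption about repadmin's output, the sample rows are constructed, and parse_showmeta and pending_attributes are hypothetical helper names.

```python
import re

# One data row of `repadmin /showmeta` output, assumed layout:
#   Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
# The seconds separator is accepted as ':' or '.'.
ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>\S.*?)\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}[:.]\d{2})\s+"
    r"(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)

def parse_showmeta(text):
    """Map attribute -> (originating DSA, originating USN, time, version)."""
    meta = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and "N entries." lines do not match
            meta[m["attr"]] = (m["dsa"], int(m["org_usn"]), m["when"], int(m["ver"]))
    return meta

def pending_attributes(changed_dc_dump, other_dc_dump):
    """Attributes whose originating stamp differs between the two dumps.

    Loc.USN is per-DC and is ignored; the originating DSA, USN, time and
    version travel with the change, so they match once it has replicated.
    """
    src, dst = parse_showmeta(changed_dc_dump), parse_showmeta(other_dc_dump)
    return {a: (s, dst.get(a)) for a, s in src.items() if dst.get(a) != s}

# Constructed sample dumps (not from the thread): description edited on WESTFILE.
WESTFILE_DUMP = r"""
3 entries.
Loc.USN  Originating DSA           Org.USN  Org.Time/Date        Ver Attribute
=======  ===============          ========= =============        === =========
  20481  ComputerCenter\WESTNET      18211 2003-10-11 15:50:12    1 objectClass
  20481  ComputerCenter\WESTNET      18211 2003-10-11 15:50:12    1 cn
  31877  ComputerCenter\WESTFILE     31877 2003-10-27 10:02:41    3 description
"""
WESTNET_BEFORE = r"""
3 entries.
  18211  ComputerCenter\WESTNET      18211 2003-10-11 15:50:12    1 objectClass
  18211  ComputerCenter\WESTNET      18211 2003-10-11 15:50:12    1 cn
  29930  ComputerCenter\WESTFILE     29114 2003-10-20 09:15:03    2 description
"""
WESTNET_AFTER = r"""
3 entries.
  18211  ComputerCenter\WESTNET      18211 2003-10-11 15:50:12    1 objectClass
  18211  ComputerCenter\WESTNET      18211 2003-10-11 15:50:12    1 cn
  30412  ComputerCenter\WESTFILE     31877 2003-10-27 10:02:41    3 description
"""

if __name__ == "__main__":
    print(pending_attributes(WESTFILE_DUMP, WESTNET_BEFORE))  # description pending
    print(pending_attributes(WESTFILE_DUMP, WESTNET_AFTER))   # nothing pending
```

Taking the second DC's dump repeatedly and noting when the result becomes empty gives the observed replication delay for that one change.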

