machine account password replication not working


Brandon McCombs

Hello,

I have 2 domains with 4 servers each. 2 servers are DCs and 2 servers
are designated file/print servers. All 8 servers are using Windows
Server 2003. For the last few weeks, off and on, the servers have all
been reporting file replication errors, but seemingly overnight they go
away. The file/print servers were reporting that they couldn't find
their computer object in AD even though I looked and saw them plain as
day in the same OU they had always been in. That error showed up a
couple of days before errors about not being able to bind to AD started
showing up. I found out that resetting the machine account password on
the file/print servers wasn't a good idea, as now they can't connect to
AD at all, even to let a domain user authenticate to them through Remote
Desktop, although file share access is still possible (thank goodness).

It sounds like somewhere along the line, when the machine account
password is due for a reset, the member server and the domain
controllers get out of sync. The member servers reported access denied
errors indicating that their machine password is no longer in sync with
AD, and AD won't let anything happen between the DCs and the member
servers. Can anyone tell me how this might happen?

We were also having replication issues even between 2 domain controllers
in the same domain (the domains involved are not in a trust
relationship), and it is working today between those 2 machines. I
didn't find out until after everyone left, so I don't know if it fixed
itself or if someone ran the netdom command to reset their machine
passwords. The last time I did that it fixed replication, because the
secure channel could be established again between the DCs, but doing that
for the member servers today totally broke them off from the domain, and
they will need to be rejoined, from what I've read about the issue on MS
TechNet.

thanks for any input
 

Cary Shultz [A.D. MVP]

Brandon,

Not really familiar with WIN2003 ( well, not enough to be giving out any
reasonable advice ) so this may or may not apply.

Install the Support Tools on each Domain Controller and on each Member
Server. Or, on the workstation on which you do your Admin-type work. Run
dcdiag /v on each Domain Controller. Run netdiag /v on all servers. I
would even redirect the output of each to a text file so that you can search
for 'fail', 'warn' and 'error'. You do this by entering dcdiag /v >
c:\dcdiagdc01.txt ( you can name the file whatever you like ).

Not sure if repadmin is available on WIN2003. Also not sure if replmon is
available on WIN2003. If they are take a look at them. They can be of
great assistance ( well, in WIN2000!!! ).

I am confused by the 'sometimes it works and sometimes it doesn't'. Are
there any event ids in the appropriate logs? If so, what are they? You can
use those log ids to find some possible solutions by going to
http://www.eventid.net. This is a very helpful web site.

Is everything okay with DNS?

Is the time correct? Meaning, if you look at the clock on DC01 is the time
the same as on DC02 and as on MEMSRVR01 and MEMSRVR02? And on the
workstations? Or, if not, how much difference in time is there? 5 minutes
is the maximum - by default - before things start getting nasty.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
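The collection step Cary describes (dcdiag and netdiag output to files, searched for 'fail', 'warn' and 'error', plus a clock comparison across every server) can be scripted. The following is an added example, not code from the thread or from either poster; the DC and member server names and the output folder are assumptions, and it expects the Support Tools (dcdiag, repadmin, netdiag) to be installed where it runs.

```powershell
# Added example (not from the thread). Collects the diagnostics Cary recommends
# into one folder, greps them, and compares clocks. Host names and the output
# folder are assumptions; dcdiag/repadmin come from the Windows Support Tools
# and netdiag exists only on Windows 2000/2003.
$DCs     = @('DC01', 'DC02')              # assumed domain controller names
$Members = @('MEMSRVR01', 'MEMSRVR02')    # assumed member server names
$OutDir  = 'C:\ADDiag'                    # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Verbose dcdiag against every DC, one file per DC (/s: targets a remote DC).
foreach ($dc in $DCs) {
    $log = Join-Path $OutDir "dcdiag_$dc.txt"
    & dcdiag /v "/s:$dc" | Out-File -FilePath $log -Encoding ASCII
}

# 2. repadmin: per-partner replication status and a forest-wide summary.
& repadmin /replsummary | Out-File (Join-Path $OutDir 'repadmin_summary.txt') -Encoding ASCII
& repadmin /showrepl * /verbose | Out-File (Join-Path $OutDir 'repadmin_showrepl.txt') -Encoding ASCII

# 3. netdiag has no remote-target switch; run this line on each server and copy
#    the file into $OutDir:
#      netdiag /v > C:\ADDiag\netdiag_%COMPUTERNAME%.txt

# 4. Search everything collected for the three words Cary suggests.
Get-ChildItem $OutDir -Filter '*.txt' |
    Select-String -Pattern 'fail|warn|error' |
    Select-Object Filename, LineNumber, Line |
    Format-Table -AutoSize

# 5. Clock skew. Kerberos rejects tickets when clocks differ by more than the
#    5-minute default tolerance, and the secure channel setup rides on Kerberos.
$ref     = Get-WmiObject Win32_OperatingSystem -ComputerName $DCs[0]
$refTime = $ref.ConvertToDateTime($ref.LocalDateTime)
foreach ($server in ($DCs + $Members)) {
    $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $server
    $t    = $os.ConvertToDateTime($os.LocalDateTime)
    $skew = [math]::Abs(($t - $refTime).TotalSeconds)
    $flag = if ($skew -gt 300) { 'SKEW > 5 min' } else { 'ok' }
    '{0,-12} {1:yyyy-MM-dd HH:mm:ss} skew={2,6:N0}s {3}' -f $server, $t, $skew, $flag
}
```

The clock check queries each host in turn over WMI, so a second or two of the reported skew is query latency; anything approaching 300 seconds is the real problem. `w32tm /monitor` gives the same comparison from the time service's point of view.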
 

Cary Shultz [A.D. MVP]

Sorry,

Forgot a few things.

Let's do the most basic of troubleshooting. Checking for replication
issues.

Do the following on one Domain Controller. Open up the sysvol shared folder
( by default it is located at c:\winnt\SYSVOL\sysvol ) and place a simple
.txt file in there. You can do this in NotePad. Simply call it
DC0120050429.txt and in the body simply put something like...."This is
created on DC01 on April 29, 2005 at around 9:08 EDT". Then, go look at the
other Domain Controllers in that Domain and see when ( if ) that .txt file
shows up in the sysvol folder. This is checking FRS replication.

To check AD replication simply create a non-mail enabled user account
object. Does it show up within five minutes if you open up the ADUC MMC on
the other Domain Controllers in that Domain?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
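Both of Cary's canaries (a stamped file in SYSVOL for FRS, a plain user object for AD) can be created on one DC and timed as they appear on the others. The script below is an added example, not from the thread; the domain name, DC names, container and canary user name are assumptions, and it expects to run from a domain admin session on any machine that can reach the DCs.

```powershell
# Added example (not from the thread). Creates Cary's two canaries on one DC and
# polls the other DCs until each appears, reporting how long replication took.
# Domain, DC names and the canary name are assumptions.
$Domain   = 'corp.example'                 # assumed DNS domain name
$SrcDC    = 'DC01'                         # DC where each canary is created
$OtherDCs = @('DC02')                      # DCs that should receive it
$Timeout  = New-TimeSpan -Minutes 15

function Wait-Until([scriptblock]$Test, [timespan]$Limit) {
    # Polls $Test every 10 s; returns elapsed time on success, $null on timeout.
    $sw = [Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed -lt $Limit) {
        if (& $Test) { return $sw.Elapsed }
        Start-Sleep -Seconds 10
    }
    return $null
}

# --- FRS canary: the SYSVOL share on each DC exposes <domain>\ as the replicated tree.
$stamp = Get-Date -Format 'yyyyMMddHHmm'
$name  = "$SrcDC$stamp.txt"
$body  = "created on $SrcDC at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz')"
Set-Content -Path "\\$SrcDC\SYSVOL\$Domain\$name" -Value $body
foreach ($dc in $OtherDCs) {
    $path = "\\$dc\SYSVOL\$Domain\$name"
    $took = Wait-Until { Test-Path $path } $Timeout
    if ($null -ne $took) { "FRS: $name reached $dc after $([int]$took.TotalSeconds)s" }
    else                 { "FRS: $name did NOT reach $dc within $($Timeout.TotalMinutes) min" }
}

# --- AD canary: a non-mail-enabled user created on $SrcDC through ADSI.
$dn    = 'DC=' + ($Domain -replace '\.', ',DC=')   # corp.example -> DC=corp,DC=example
$sam   = "canary$stamp"
$users = [ADSI]"LDAP://$SrcDC/CN=Users,$dn"
$u = $users.Create('user', "CN=$sam")
$u.Put('sAMAccountName', $sam)
$u.SetInfo()                                       # created disabled, no password
foreach ($dc in $OtherDCs) {
    $took = Wait-Until {
        $root = New-Object DirectoryServices.DirectoryEntry("LDAP://$dc/$dn")
        $s    = New-Object DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$sam)")
        $null -ne $s.FindOne()
    } $Timeout
    if ($null -ne $took) { "AD : $sam reached $dc after $([int]$took.TotalSeconds)s" }
    else                 { "AD : $sam did NOT reach $dc within $($Timeout.TotalMinutes) min" }
}
# Remove the canary user when done:
#   $users.Delete('user', "CN=$sam")
```

Binding the LDAP path to a specific DC (`LDAP://DC02/...`) is what makes the AD check meaningful: a serverless bind could silently land on the source DC and report success without any replication having happened. The same applies to the SYSVOL path, which is why each DC is addressed by name.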
 

Brandon McCombs

Cary Shultz said:
> Sorry,
>
> Forgot a few things.
>
> Let's do the most basic of troubleshooting. Checking for replication
> issues.
>
> Do the following on one Domain Controller. Open up the sysvol shared folder
> ( by default it is located at c:\winnt\SYSVOL\sysvol ) and place a simple
> .txt file in there. You can do this in NotePad. Simply call it
> DC0120050429.txt and in the body simply put something like...."This is
> created on DC01 on April 29, 2005 at around 9:08 EDT". Then, go look at the
> other Domain Controllers in that Domain and see when ( if ) that .txt file
> shows up in the sysvol folder. This is checking FRS replication.
>
> To check AD replication simply create a non-mail enabled user account
> object. Does it show up within five minutes if you open up the ADUC MMC on
> the other Domain Controllers in that Domain?

The tools you mentioned in your first email are all available for Win2003, and
I've already used them before, during the first time I had replication problems.
That's how, the first time, I was able to see that the secure channel between the
2 DCs couldn't be established, so I used netdom to reset the DCs' passwords. This
time though, at least yesterday afternoon, all the tests from netdiag and dcdiag
passed, but I might have run them after another administrator had already used
netdom on the domain controllers. I'm just not sure about that, since I haven't
talked to any of the other administrators yet. But based on the logs there was
a time period of at least a few weeks where no changes would occur, yet the
File Replication Service would report problems. In fact, for a certain
time/date the FRS would report everything being okay and then 2 min later in the
same log it would say that it was having trouble replicating data, which didn't
make sense to me. As of right now the 2 DCs are able to replicate in both
directions, as I tested using AD Sites and Services last night.

But all that has mainly been between 2 DCs. Now, as I stated in the original
post, I'm seeing the file/print servers have replication issues, and I think it's
due to the machine passwords getting out of sync, but I can't figure out how that
ends up happening. Could it be a setting within the group policy security
settings that prevents the password from replicating? I am not refusing machine
password changes, and they are set to reset every 7 days. When I forced a
password change I lost the file/print servers and will have to rejoin them to
the domain.

thanks
 

Cary Shultz [A.D. MVP]

Brandon,

It used to be seven days ( in the old WINNT days ). In WIN2000 and WIN2003
it is actually 30 days. But, the actual value is not that important. You
have the concept down pat and that is what is important.

What event ids are you seeing on the files/print servers?

And I think that you mean synch errors, right? And not replication
errors....What replication errors do you mean?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
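The discussion above turns on three facts a member server can report about its own machine account: the password-change policy Netlogon is running under (the 30-day default Cary mentions, or the 7 days Brandon configured), when AD last recorded a change to that password, and whether the secure channel can be verified right now. The script below is an added example, not code from the thread; it is meant to run on a member server, the domain name is an assumption, and it uses nltest from the Support Tools (built in from Windows 2008 on).

```powershell
# Added example (not from the thread). Run on a member server to show whether
# its machine-account password is in sync with AD:
#   1. local Netlogon policy (max age, changes disabled?)   -> registry
#   2. when AD last saw the password change (pwdLastSet)    -> LDAP
#   3. whether the secure channel verifies right now         -> nltest
# The domain name is an assumption.
$Domain = 'corp.example'                                       # assumed
$dn     = 'DC=' + ($Domain -replace '\.', ',DC=')

# 1. Netlogon policy. These are the registry values behind the GPO settings
#    "Domain member: Maximum machine account password age" (default 30 days) and
#    "Domain member: Disable machine account password changes".
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge   = if ($nl.MaximumPasswordAge) { [int]$nl.MaximumPasswordAge } else { 30 }
$disabled = [bool]$nl.DisablePasswordChange
"Policy : max age $maxAge days, changes disabled: $disabled"

# 2. pwdLastSet on this host's computer object (sAMAccountName is NAME$). It is a
#    FILETIME (100 ns ticks since 1601 UTC). The DC answering may not yet have
#    replicated a change that was made on another DC.
$root = New-Object DirectoryServices.DirectoryEntry("LDAP://$Domain/$dn")
$s    = New-Object DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$env:COMPUTERNAME`$)")
[void]$s.PropertiesToLoad.Add('pwdLastSet')
$r = $s.FindOne()
if ($null -eq $r) { throw "computer object for $env:COMPUTERNAME not found under $dn" }
$set = [DateTime]::FromFileTimeUtc([int64]$r.Properties['pwdlastset'][0])
$age = (Get-Date).ToUniversalTime() - $set
$note = if ($age.TotalDays -gt $maxAge -and -not $disabled) { ' (CHANGE OVERDUE)' } else { '' }
'AD     : pwdLastSet {0:u}, age {1:N1} days{2}' -f $set, $age.TotalDays, $note

# 3. Secure channel: does Netlogon still hold a password the DC accepts?
$out = & nltest "/sc_verify:$Domain" 2>&1
$ok  = @($out -match 'NERR_Success').Count -gt 0
"Secure channel to $Domain verified: $ok"
if (-not $ok) {
    @'
Repair without leaving the domain (run on the member, as a domain admin):
  nltest /sc_reset:<domain>                 re-establish the channel with the current password
  netdom reset <member> /domain:<domain>    set a new password on BOTH the member and AD
  Test-ComputerSecureChannel -Repair        PowerShell 2.0+ equivalent of netdom reset
A reset done on the AD side only (for example "Reset Account" on the computer
object in ADUC) gives the object a password the member does not know, which is
why that kind of reset leaves the member unable to authenticate until it rejoins.
'@
}
```

The point of reading all three together is that the symptoms in this thread (the object is visible in the OU, yet binds fail with access denied) are consistent only with the two sides holding different passwords, and `nltest /sc_verify` is the direct test of that. A reset that keeps both sides in step (`netdom reset`, or `nltest /sc_reset` when the password itself is still good) is the fix to try before rejoining.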
 

Brandon McCombs

Cary Shultz said:
> Brandon,
>
> It used to be seven days ( in the old WINNT days ). In WIN2000 and WIN2003
> it is actually 30 days. But, the actual value is not that important. You
> have the concept down pat and that is what is important.
>
> What event ids are you seeing on the files/print servers?

I didn't write them down and I can't view them remotely so I can't tell you.

> And I think that you mean synch errors, right? And not replication
> errors....What replication errors do you mean?

There were replication errors between the domain controllers, and the file/print
servers were complaining of not having any licenses, so it looked like the file
servers weren't getting any licensing information replicated. I mention that
because I think that somehow the replication is related to the machine password
synchronization, but maybe not. We rejoined the file servers to the domain today
and they are working now, but I have to wonder whether or not in 7 days
we're going to see some errors again somewhere.
 
