Replication errors

A

Andrew Wagg

I am seeing some interesting AD replication related
errors on two of my servers.

I recently added a DC to this domain and AD replication
seems to be working reasonable well (I can make changes
to users in the new dc, and they show up in the other two
older ones.) However I am seeing the following two
errors repeating on the original two DCs,
**********************************************************
************************************
--------------------------------------------------
Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1061
Date: 14/11/2003
Time: 11:37:20 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: EUROPA
Description:
Internal error: The directory replication agent (DRA)
call returned error 5.

-------------------------------------------
Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1265
Date: 14/11/2003
Time: 10:52:20 AM
User: N/A
Computer: EUROPA
Description:
The attempt to establish a replication link with
parameters

Partition: CN=Schema,CN=Configuration,DC=ourdomain,DC=com
Source DSA DN: CN=NTDS
Settings,CN=CALLISTO,CN=Servers,CN=Burloak,CN=Sites,CN=Con
figuration,DC=ourdomain,DC=com
Source DSA Address: 5673215d-87e2-4c3b-8204-
4ffeafe0c2f2._msdcs.ourdomain.com
Inter-site Transport (if any):

failed with the following status:

Access is denied.

The record data is the status code. This operation will
be retried.
Data:
0000: 05 00 00 00 ....

**********************************************************
**************

I have also noticed in Replmon that the original DC's
only show connections to each other in the main screen.
However when I open the properties for the old servers
the inbound connections list the new server (Callisto) as
Auto Created, but the reasons pane shows the following
info:

**********************************************************
**************
-----------------------------------
Connection Name: cb927d75-622b-4f5f-8132-19833a8515ac

Replication Partner: Burloak\COCKATRICE
Administrator Generated?: AUTO

Reasons for this connection:
----------------------------
Directory Partition
(CN=Configuration,DC=ourdomain,DC=com)
Replicated because the replication partner is a
ring neighbor.
Directory Partition (DC=ourdomain,DC=com)
Replicated because the replication partner is a
ring neighbor.
Directory Partition
(CN=Schema,CN=Configuration,DC=ourdomain,DC=com)
Replicated because the replication partner is a
ring neighbor.

Connection Name: e3e7f12a-17e2-4f39-8f87-8fc2e297d47d

Replication Partner: Burloak\CALLISTO
Administrator Generated?: AUTO

Reasons for this connection:
----------------------------
Directory Partition
(CN=Configuration,DC=ourdomain,DC=com)
This replication connection is created because
another replication partner has surpassed the allowed
failure limit.
Directory Partition (DC=ourdomain,DC=com)
This replication connection is created because
another replication partner has surpassed the allowed
failure limit.
Directory Partition
(CN=Schema,CN=Configuration,DC=ourdomain,DC=com)
This replication connection is created because
another replication partner has surpassed the allowed
failure limit.


**********************************************************
**************

I have been trying to find out what might be wrong, or
how to troubleshoot this, and have not had much luck.

I have already looked at and discarded the information in
these Q-Docs:
http://support.microsoft.com/default.aspx?scid=KB;en-
us;328701&
http://support.microsoft.com/default.aspx?scid=kb;en-
us;306091&Product=win2000
http://support.microsoft.com/default.aspx?scid=kb;en-
us;329860

Any ideas would be greatly appreciated.

Thanks
 
C

Chriss3

Hm, look like broken relationtrusts between DC´s

i think the fastest way to get raid of it is to DCPROMO demote one of them,
and DCPROMO it back.

//chrisse
 
A

Andrew Wagg

Thanks for the response Chriss,

I just tried a DCpromo, on the new one and get :

The operation failed because: The Directory Service
failed to replicate off changes made locally. "Access is
denied. "
 
D

David Pharr [MSFT]

Check that dns is configured properly - check out the following kb article:

263624 Cannot Remove Active Directory from a Replica Domain Controller
http://support.microsoft.com/?id=263624

To see if your DCs are configured properly, look at the following kb
articles:
298143 How to Verify an Active Directory Installation
http://support.microsoft.com/?id=298143

260371 Troubleshooting Common Active Directory Setup Issues in Windows 2000
http://support.microsoft.com/?id=260371
--------------------
| Content-Class: urn:content-classes:message
| From: "Andrew Wagg" <[email protected]>
| Sender: "Andrew Wagg" <[email protected]>
| References: <[email protected]>
<[email protected]>
| Subject: Re: Replication errors
| Date: Tue, 18 Nov 2003 13:26:50 -0800
| Lines: 168
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: quoted-printable
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| thread-index: AcOuGq4Gg4qk5gB9SKCL5DDAtgEr1A==
| Newsgroups: microsoft.public.win2000.active_directory
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.active_directory:56685
| NNTP-Posting-Host: TK2MSFTNGXA14 10.40.1.166
| X-Tomcat-NG: microsoft.public.win2000.active_directory
|
| Thanks for the response Chriss,
| I just tried a DCpromo, on the new one and get :
| The operation failed because: The Directory Service
| failed to replicate off changes made locally. "Access is
| denied. "
| >-----Original Message-----
| >Hm, look like broken relationtrusts between DC´s
| >
| >i think the fastest way to get raid of it is to DCPROMO
| demote one of them,
| >and DCPROMO it back.
| >
| >//chrisse
| >
| >"Andrew Wagg" <[email protected]> skrev i
| meddelandet
| >| >> I am seeing some interesting AD replication related
| >> errors on two of my servers.
| >>
| >> I recently added a DC to this domain and AD replication
| >> seems to be working reasonable well (I can make changes
| >> to users in the new dc, and they show up in the other
| two
| >> older ones.) However I am seeing the following two
| >> errors repeating on the original two DCs,
| >>
| **********************************************************
| >> ************************************
| >> --------------------------------------------------
| >> Event Type: Warning
| >> Event Source: NTDS Replication
| >> Event Category: Replication
| >> Event ID: 1061
| >> Date: 14/11/2003
| >> Time: 11:37:20 AM
| >> User: NT AUTHORITY\ANONYMOUS LOGON
| >> Computer: EUROPA
| >> Description:
| >> Internal error: The directory replication agent (DRA)
| >> call returned error 5.
| >>
| >> -------------------------------------------
| >> Event Type: Warning
| >> Event Source: NTDS KCC
| >> Event Category: Knowledge Consistency Checker
| >> Event ID: 1265
| >> Date: 14/11/2003
| >> Time: 10:52:20 AM
| >> User: N/A
| >> Computer: EUROPA
| >> Description:
| >> The attempt to establish a replication link with
| >> parameters
| >>
| >> Partition:
| CN=Schema,CN=Configuration,DC=ourdomain,DC=com
| >> Source DSA DN: CN=NTDS
| >>
| Settings,CN=CALLISTO,CN=Servers,CN=Burloak,CN=Sites,CN=Con
| >> figuration,DC=ourdomain,DC=com
| >> Source DSA Address: 5673215d-87e2-4c3b-8204-
| >> 4ffeafe0c2f2._msdcs.ourdomain.com
| >> Inter-site Transport (if any):
| >>
| >> failed with the following status:
| >>
| >> Access is denied.
| >>
| >> The record data is the status code. This operation
| will
| >> be retried.
| >> Data:
| >> 0000: 05 00 00 00 ....
| >>
| >>
| **********************************************************
| >> **************
| >>
| >> I have also noticed in Replmon that the original DC's
| >> only show connections to each other in the main screen.
| >> However when I open the properties for the old servers
| >> the inbound connections list the new server (Callisto)
| as
| >> Auto Created, but the reasons pane shows the following
| >> info:
| >>
| >>
| **********************************************************
| >> **************
| >> -----------------------------------
| >> Connection Name: cb927d75-622b-4f5f-8132-19833a8515ac
| >>
| >> Replication Partner: Burloak\COCKATRICE
| >> Administrator Generated?: AUTO
| >>
| >> Reasons for this connection:
| >> ----------------------------
| >> Directory Partition
| >> (CN=Configuration,DC=ourdomain,DC=com)
| >> Replicated because the replication partner
| is a
| >> ring neighbor.
| >> Directory Partition (DC=ourdomain,DC=com)
| >> Replicated because the replication partner
| is a
| >> ring neighbor.
| >> Directory Partition
| >> (CN=Schema,CN=Configuration,DC=ourdomain,DC=com)
| >> Replicated because the replication partner
| is a
| >> ring neighbor.
| >>
| >> Connection Name: e3e7f12a-17e2-4f39-8f87-8fc2e297d47d
| >>
| >> Replication Partner: Burloak\CALLISTO
| >> Administrator Generated?: AUTO
| >>
| >> Reasons for this connection:
| >> ----------------------------
| >> Directory Partition
| >> (CN=Configuration,DC=ourdomain,DC=com)
| >> This replication connection is created
| because
| >> another replication partner has surpassed the allowed
| >> failure limit.
| >> Directory Partition (DC=ourdomain,DC=com)
| >> This replication connection is created
| because
| >> another replication partner has surpassed the allowed
| >> failure limit.
| >> Directory Partition
| >> (CN=Schema,CN=Configuration,DC=ourdomain,DC=com)
| >> This replication connection is created
| because
| >> another replication partner has surpassed the allowed
| >> failure limit.
| >>
| >>
| >>
| **********************************************************
| >> **************
| >>
| >> I have been trying to find out what might be wrong, or
| >> how to troubleshoot this, and have not had much luck.
| >>
| >> I have already looked at and discarded the information
| in
| >> these Q-Docs:
| >> http://support.microsoft.com/default.aspx?scid=KB;en-
| >> us;328701&
| >> http://support.microsoft.com/default.aspx?scid=kb;en-
| >> us;306091&Product=win2000
| >> http://support.microsoft.com/default.aspx?scid=kb;en-
| >> us;329860
| >>
| >> Any ideas would be greatly appreciated.
| >>
| >> Thanks
| >>
| >
| >
| >.
| >
|

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
G

george

Hi,

you have to give the other servers login locally permissions to writ to the
sysvol directory. You do this in one of the security templates, I had the
same issue a year ago. Che the knowlege base to get the correct proceedure.
 
C

Cary Shultz [A.D. MVP]

Andrew,

While it sounds like you have a good idea of what is going one, let's try to
accumulate a little bit more information. Have you run dcdiag /v and
netdiag /v on all of your DCs? You might find it easier to redirect the
output to a folder, so simply add the '> c:\dc01dcdiag.log' and '>
c:\dc01netdiag.log'. Then open each up using Notepad and search for 'error'
and 'fail'.

I am betting that there is something DNS-related to find. Have you run
'netdiag /fix' on your DCs? Have you opened the DNS MMC and verified that
all is present and correct ( you should have the four '_folder' sub-folders?
Are all DCs there? Do you have a RLZ?

There might be a few other things that could be going on but let's take a
look at these things first.

HTH,

Cary
"David Pharr [MSFT]" said:
Check that dns is configured properly - check out the following kb article:

263624 Cannot Remove Active Directory from a Replica Domain Controller
http://support.microsoft.com/?id=263624

To see if your DCs are configured properly, look at the following kb
articles:
298143 How to Verify an Active Directory Installation
http://support.microsoft.com/?id=298143

260371 Troubleshooting Common Active Directory Setup Issues in Windows 2000
http://support.microsoft.com/?id=260371
--------------------
| Content-Class: urn:content-classes:message
| From: "Andrew Wagg" <[email protected]>
| Sender: "Andrew Wagg" <[email protected]>
| References: <[email protected]>
<[email protected]>
| Subject: Re: Replication errors
| Date: Tue, 18 Nov 2003 13:26:50 -0800
| Lines: 168
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: quoted-printable
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| thread-index: AcOuGq4Gg4qk5gB9SKCL5DDAtgEr1A==
| Newsgroups: microsoft.public.win2000.active_directory
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.active_directory:56685
| NNTP-Posting-Host: TK2MSFTNGXA14 10.40.1.166
| X-Tomcat-NG: microsoft.public.win2000.active_directory
|
| Thanks for the response Chriss,
| I just tried a DCpromo, on the new one and get :
| The operation failed because: The Directory Service
| failed to replicate off changes made locally. "Access is
| denied. "
| >-----Original Message-----
| >Hm, look like broken relationtrusts between DC´s
| >
| >i think the fastest way to get raid of it is to DCPROMO
| demote one of them,
| >and DCPROMO it back.
| >
| >//chrisse
| >
| >"Andrew Wagg" <[email protected]> skrev i
| meddelandet
| >| >> I am seeing some interesting AD replication related
| >> errors on two of my servers.
| >>
| >> I recently added a DC to this domain and AD replication
| >> seems to be working reasonable well (I can make changes
| >> to users in the new dc, and they show up in the other
| two
| >> older ones.) However I am seeing the following two
| >> errors repeating on the original two DCs,
| >>
| **********************************************************
| >> ************************************
| >> --------------------------------------------------
| >> Event Type: Warning
| >> Event Source: NTDS Replication
| >> Event Category: Replication
| >> Event ID: 1061
| >> Date: 14/11/2003
| >> Time: 11:37:20 AM
| >> User: NT AUTHORITY\ANONYMOUS LOGON
| >> Computer: EUROPA
| >> Description:
| >> Internal error: The directory replication agent (DRA)
| >> call returned error 5.
| >>
| >> -------------------------------------------
| >> Event Type: Warning
| >> Event Source: NTDS KCC
| >> Event Category: Knowledge Consistency Checker
| >> Event ID: 1265
| >> Date: 14/11/2003
| >> Time: 10:52:20 AM
| >> User: N/A
| >> Computer: EUROPA
| >> Description:
| >> The attempt to establish a replication link with
| >> parameters
| >>
| >> Partition:
| CN=Schema,CN=Configuration,DC=ourdomain,DC=com
| >> Source DSA DN: CN=NTDS
| >>
| Settings,CN=CALLISTO,CN=Servers,CN=Burloak,CN=Sites,CN=Con
| >> figuration,DC=ourdomain,DC=com
| >> Source DSA Address: 5673215d-87e2-4c3b-8204-
| >> 4ffeafe0c2f2._msdcs.ourdomain.com
| >> Inter-site Transport (if any):
| >>
| >> failed with the following status:
| >>
| >> Access is denied.
| >>
| >> The record data is the status code. This operation
| will
| >> be retried.
| >> Data:
| >> 0000: 05 00 00 00 ....
| >>
| >>
| **********************************************************
| >> **************
| >>
| >> I have also noticed in Replmon that the original DC's
| >> only show connections to each other in the main screen.
| >> However when I open the properties for the old servers
| >> the inbound connections list the new server (Callisto)
| as
| >> Auto Created, but the reasons pane shows the following
| >> info:
| >>
| >>
| **********************************************************
| >> **************
| >> -----------------------------------
| >> Connection Name: cb927d75-622b-4f5f-8132-19833a8515ac
| >>
| >> Replication Partner: Burloak\COCKATRICE
| >> Administrator Generated?: AUTO
| >>
| >> Reasons for this connection:
| >> ----------------------------
| >> Directory Partition
| >> (CN=Configuration,DC=ourdomain,DC=com)
| >> Replicated because the replication partner
| is a
| >> ring neighbor.
| >> Directory Partition (DC=ourdomain,DC=com)
| >> Replicated because the replication partner
| is a
| >> ring neighbor.
| >> Directory Partition
| >> (CN=Schema,CN=Configuration,DC=ourdomain,DC=com)
| >> Replicated because the replication partner
| is a
| >> ring neighbor.
| >>
| >> Connection Name: e3e7f12a-17e2-4f39-8f87-8fc2e297d47d
| >>
| >> Replication Partner: Burloak\CALLISTO
| >> Administrator Generated?: AUTO
| >>
| >> Reasons for this connection:
| >> ----------------------------
| >> Directory Partition
| >> (CN=Configuration,DC=ourdomain,DC=com)
| >> This replication connection is created
| because
| >> another replication partner has surpassed the allowed
| >> failure limit.
| >> Directory Partition (DC=ourdomain,DC=com)
| >> This replication connection is created
| because
| >> another replication partner has surpassed the allowed
| >> failure limit.
| >> Directory Partition
| >> (CN=Schema,CN=Configuration,DC=ourdomain,DC=com)
| >> This replication connection is created
| because
| >> another replication partner has surpassed the allowed
| >> failure limit.
| >>
| >>
| >>
| **********************************************************
| >> **************
| >>
| >> I have been trying to find out what might be wrong, or
| >> how to troubleshoot this, and have not had much luck.
| >>
| >> I have already looked at and discarded the information
| in
| >> these Q-Docs:
| >> http://support.microsoft.com/default.aspx?scid=KB;en-
| >> us;328701&
| >> http://support.microsoft.com/default.aspx?scid=kb;en-
| >> us;306091&Product=win2000
| >> http://support.microsoft.com/default.aspx?scid=kb;en-
| >> us;329860
| >>
| >> Any ideas would be greatly appreciated.
| >>
| >> Thanks
| >>
| >
| >
| >.
| >
|

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Active Directory Replication Problem... 0
active directory replication not worked 4
Slow Logons and Can't open files 0
AD REPLICATION FAILURE. HELP!!! 3
AD Replication Monitor Status Report 5
AD Replication Problem 2
PROBLEM with AD urgent help!!!!!!! 1
error raise domain function from win2000 to win2003 0

Top