replication problem
I have a Windows 2000 AD with all patches.
I have 2 DCs, DC1 and DC2, on 2 different sites.
The PDC role is on DC3, in the same site as DC1.

Replication works from DC2 to DC1 but not from DC1 to DC2.

I have these events on DC2:

event ID 1311 and 1566 (Directory Service part) every 15 min
event ID 13508 (replication part)
event ID 594 (System) every minute
The last event appears after having enabled debug mode for Kerberos.
The error is KRB_AP_ERR_MODIFIED (0x29).

On DC1:
event ID 13508

I have looked at a lot of Microsoft and third-party documents (Q307593,
Q268109, troubleshooting Kerberos errors...).
For 1311 and 1566 I've checked everything.
My DNS is clear, my topology is clear, my sites are well configured.

I tried repadmin /sync DC2 <guid of DC1> to force it, but I get the following:
DsReplicaSync failed with status 5
access denied.
I tried to reset my machine account with no more success.
(netdom resetpwd /server:DC1) from DC2
also (netdom resetpwd /server:DC3) from DC2

Could someone help me with this Kerberos problem?

Thank you in advance


Look for a CrashOnAuditFail on the domain controller that is denying access
to its partner DC.

Click on Start|Run
type regedit and press Enter

Drill down to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

The CrashOnAuditFail key should be a REG_DWORD and have a value of either 0
or 1. If the key is a REG_NONE or has a value of 2, then delete the key and
recreate it. Then reboot the DC and you should not get the access denied
events again.

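The registry check from the reply above, as an added example (not code from the thread): it reads the CrashOnAuditFail value under the Lsa key, reports whether it is a REG_DWORD of 0 or 1, and can delete and recreate it as the reply suggests. It assumes a current Windows build with PowerShell and, for the remote variant, WinRM access to the DCs; the DC names are placeholders taken from the thread. The value semantics it relies on are Microsoft's: 0 is off, 1 halts the machine when an audit cannot be written, and 2 is the state the system sets after such a halt, in which only Administrators may log on, which is what produces "access denied" for every other principal, the partner DC included.

```powershell
# Added example, not part of the original thread.
# Reads and optionally repairs the CrashOnAuditFail value under the Lsa key.
# Assumes: run as an administrator on the DC (or remotely via WinRM, see below).

function Get-CrashOnAuditFailState {
    [CmdletBinding()]
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa')

    $key   = Get-Item -Path $Path
    $kind  = $null
    $value = $null
    if ($key.GetValueNames() -contains 'CrashOnAuditFail') {
        $kind  = $key.GetValueKind('CrashOnAuditFail')   # DWord expected; None means REG_NONE
        $value = $key.GetValue('CrashOnAuditFail')
    }

    # Healthy per the reply: REG_DWORD and value 0 or 1. Value 2 (or a wrong
    # type) is the condition that locks out non-administrators.
    $healthy = ($kind -eq 'DWord') -and ($value -in 0, 1)

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Kind     = if ($null -ne $kind) { $kind.ToString() } else { '<missing>' }
        Value    = $value
        Healthy  = $healthy
    }
}

function Repair-CrashOnAuditFail {
    # Delete the value and recreate it as REG_DWORD 0, then reboot if asked,
    # which is the procedure the reply describes.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        [switch]$Reboot
    )

    if ($PSCmdlet.ShouldProcess("$env:COMPUTERNAME $Path", 'Recreate CrashOnAuditFail as DWORD 0')) {
        Remove-ItemProperty -Path $Path -Name 'CrashOnAuditFail' -ErrorAction SilentlyContinue
        New-ItemProperty -Path $Path -Name 'CrashOnAuditFail' -PropertyType DWord -Value 0 | Out-Null
        if ($Reboot) { Restart-Computer -Force }
    }
}

# Usage: check the local DC.
Get-CrashOnAuditFailState

# Usage: check several DCs at once (names are placeholders from the thread).
# Invoke-Command -ComputerName DC1, DC2, DC3 -ScriptBlock ${function:Get-CrashOnAuditFailState}

# Usage: repair, with -WhatIf first to see what would change.
# Repair-CrashOnAuditFail -WhatIf
# Repair-CrashOnAuditFail -Reboot
```

Run the check on the DC that is refusing the connection, not on the one reporting the Kerberos error; the lockout lives on the side that cannot write its audit log.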

Hi Mack,

I checked this key and everything is normal:
REG_DWORD with a value of 0 on both servers, DC1 and DC2.

Any other idea?


Hi Mack, again,

I've tried again to reset the machine account password between DC1 & DC2 and
it worked. No more Kerberos events on DC2 about DC1.

But now I have the following events on DC2:

event 1265 (failed remote procedure call)

event 594 KRB_AP_ERR_MODIFIED (0x29), but this time with DC3 (PDC emulator).
I reset the machine account password of DC2 with DC3 but nothing changed.

event 3034
I tried to see if I had an IP address problem but I don't see one.
DC3 has 2 IP addresses, but that is not supposed to be a problem, is it?

A dcdiag from DC2 gives these results:
for the test KnowsOfRoleHolders:
DsBind failed, the target principal name is incorrect.
DC3 is the schema holder but is not responding to RPC bind.
DC3 is the schema holder but is not responding to LDAP bind.
The same two messages for all the roles (DC3 has all of them).

dcdiag from DC1 (in the same site as DC3, the PDC)
does not give any error.
Nothing is blocked by the firewall between the 2 sites.

Do you have any idea where the problem could be?

Thank you in advance.

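The two facts the last post puts side by side (DC3 answering with "target principal name is incorrect" and DC3 having two IP addresses) are worth checking together, so here is an added example, not code from the thread or from any of its participants. KRB_AP_ERR_MODIFIED means the host that answered for DC3's name could not decrypt the ticket DC2 presented, i.e. it does not hold the key the KDC used; beyond a stale machine-account password (which the poster already reset), the usual causes are a DNS A record for DC3 that points at an address not bound on DC3, or DC3's HOST service principal name being registered on more than one account. The script resolves the DC name, compares the result with the addresses actually bound on that DC, and counts the computer accounts carrying its HOST SPN. It assumes the RSAT ActiveDirectory module, the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later), CIM access to the DC, and a placeholder FQDN.

```powershell
# Added example, not part of the original thread.
# Checks name resolution and SPN uniqueness for a DC that returns
# KRB_AP_ERR_MODIFIED / "target principal name is incorrect".
# Assumes: ActiveDirectory, DnsClient and NetTCPIP modules; CIM/WinRM access to the DC.

function Test-DcNameResolution {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DcName)

    # 1. Every A record for the DC's name ...
    $dnsAddrs = @(Resolve-DnsName -Name $DcName -Type A -ErrorAction Stop |
                  Where-Object QueryType -eq 'A' |
                  Select-Object -ExpandProperty IPAddress)

    # 2. ... must be an address the DC itself has bound. Two addresses on one
    #    host are fine; an address that belongs to some other host is not,
    #    because that host holds a different machine key.
    $boundAddrs = @(Get-NetIPAddress -AddressFamily IPv4 -CimSession $DcName |
                    Select-Object -ExpandProperty IPAddress)

    $staleAddrs = @($dnsAddrs | Where-Object { $_ -notin $boundAddrs })

    # 3. The HOST SPN for the short name must sit on exactly one computer account.
    $shortName = ($DcName -split '\.')[0]
    $spnOwners = @(Get-ADComputer -Filter "servicePrincipalName -like 'HOST/$shortName*'" |
                   Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        DC             = $DcName
        DnsAddresses   = $dnsAddrs
        BoundAddresses = $boundAddrs
        StaleDnsAddrs  = $staleAddrs     # A records pointing away from this DC
        SpnOwners      = $spnOwners      # should contain only the DC's own account
        Healthy        = ($staleAddrs.Count -eq 0) -and ($spnOwners.Count -eq 1)
    }
}

# Usage: placeholder FQDN; substitute the real name of the PDC emulator.
Test-DcNameResolution -DcName 'DC3.example.local' | Format-List
```

Run it from the DC that logs the error (DC2 in the thread), since what matters is what that machine's resolver returns for DC3's name; a clean result from DC1 in the other site does not prove DC2 sees the same records.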