ACS replication and NAT
Hi all,
I have the following question: is it possible to set up replication between 2 servers running the same version of ACS, but with 1 server behind a PIX running static NAT (the private IP address of one server is statically mapped to a public address)?
I was able to get the replication working when the two servers were on the same LAN, but when I move the second server to the private LAN I get the error "shared secret mismatch".
Any idea?
Thanks
Regards
Roberto
ACS versions 3.1 and greater will not work with replication and NAT'ing. The security of the replication process was increased in these versions, and the originating server hashes its own IP address (the non-NAT'd version of it) into the data to be used as part of the verification process.
If the receiving server sees this from a different IP address due to the NAT'ing then it will fail and produce the "shared secret mismatch" error you're seeing.
Sorry, no way around it unfortunately.
Similar Messages
-
ACS replication and IP pools server
Hi, I have 2 ACS 3.3.2 with replication active and IP pools server function active.
I know that the IP pools definitions are not replicated but the group associations with pools are.
What's the best way to manage the IP pools on the 2 ACSs ?
60% of the pool on the first and 40% on the second ?
Or is there a way to inform the second ACS of the single IP assigned by the first ACS to avoid overlapping, in case of failure of the first ACS?
Thank you in advance
greetings
Renato
IP pools are purposely not replicated automatically, no way around it. This is to avoid the situation where users authenticating to two different ACS servers get allocated the same IP address.
Basically there's nothing in ACS where the primary and backups talk to each other about what IP addresses they've allocated (this would be a huge task and require some new sort of communication mechanism between servers). If the same IP pool is configured on all 3 servers, they'll just blindly allocate the next available IP address to users, and you'll run into scenarios where two (or more) users get given the same address.
The pool is therefore purposely not replicated, which means you have to go in manually and configure it, making sure you configure a UNIQUE pool across the 3 servers. This only has to be done once and is then there forever. -
ACS replication issue on VMware ESX 3.5
I have just installed ACS 4.2 on two VMware hosts. I've configured database replication but it won't work. The error message is "shared secret mismatch". This error message occurs if a NAT device is in the path (which it isn't in this case) or if the tcp header is otherwise changed during transmission. I'm wondering if VMware is adding something to the TCP header. Has anyone come across this problem before or has anyone successfully implemented ACS replication when both hosts are on VMware?
Thanks.
Hi,
I see that you are getting "shared secret mismatch error" under database replication logs. Just wanted to inform you that this is not because of nat'ed device. This happens when we have different keys for AAA servers on primary and secondary ACS.
The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's own key. The shared secret key should be the same on both ACSs.
I am sending you one link for Setting Up Replication for Cisco Secure ACS; I am sure this example with screenshots gives you a better understanding.
Please visit the suggested URL below:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00800e518a.shtml
If that doesn't resolve the issue, please let me know if you see any server with this ip address 127.0.0.1.
HTH
JK
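The two explanations given for "shared secret mismatch" (the first reply: the originating server hashes its own, un-NAT'd IP address into the verification data; the reply above: the key for the primary differs on the secondary) can be modelled together. This is an added illustration, not ACS code: the HMAC-SHA256 construction, the "|" separator, the addresses and the secrets are assumptions chosen only to show why a NAT'd source address and a differing key surface as the same error on the receiving side.

```python
import hashlib
import hmac

# Assumed model of the verification the replies describe: the sender binds
# the address it believes it has into the MAC; the receiver recomputes the
# MAC with the address it actually observed the packet arriving from.


def build_replication_message(secret: bytes, origin_ip: str, payload: bytes) -> dict:
    """Originating server: MAC over (its own, pre-NAT address | payload)."""
    mac = hmac.new(secret, origin_ip.encode() + b"|" + payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_replication_message(secret: bytes, observed_src_ip: str, msg: dict) -> bool:
    """Receiving server: recompute with the source address it saw on the wire."""
    expected = hmac.new(
        secret, observed_src_ip.encode() + b"|" + msg["payload"], hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so a verifier does not leak MAC bytes via timing.
    return hmac.compare_digest(expected, msg["mac"])


def replication_outcome(
    sender_secret: bytes,
    receiver_secret: bytes,
    origin_ip: str,
    observed_ip: str,
    payload: bytes,
) -> str:
    """Return the receiver's verdict; the receiver cannot tell the causes apart."""
    msg = build_replication_message(sender_secret, origin_ip, payload)
    if verify_replication_message(receiver_secret, observed_ip, msg):
        return "ok"
    return "shared secret mismatch"


def run_scenarios() -> dict:
    """Three constructed cases: same LAN, static NAT on the path, wrong key."""
    payload = b"constructed user/group database fragment"
    primary_lan_ip = "192.168.1.10"      # assumed private address of the primary
    primary_public_ip = "203.0.113.10"   # assumed static-NAT mapping seen by the secondary
    key = b"constructed-shared-secret"
    return {
        "same LAN, same key": replication_outcome(key, key, primary_lan_ip, primary_lan_ip, payload),
        "static NAT on path": replication_outcome(key, key, primary_lan_ip, primary_public_ip, payload),
        "key differs on secondary": replication_outcome(
            key, b"constructed-other-secret", primary_lan_ip, primary_lan_ip, payload
        ),
    }


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:28s} -> {verdict}")
```

Only the first case verifies; the other two produce an identical failure, which is why a wrong key and a NAT device in the path cannot be distinguished from the receiver's log alone.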
-
We have 2 ACS appliances that are separated by a WAN.
Both appliances are at the same software version and I have replication set up per Cisco's (as well as others') directions.
When I run replication, I get the error "Cannot replicate to 'ciscoacs2' - server not responding".
If I try replication in the other direction, I get the same error.
I can ping both appliances and access the web interface from both subnets.
There is a firewall between them, but I have port 2000 open and I do not see any other deny messages relating to the ACS replication in the firewall logging.
I ran a sniffer on the receiving appliance's port and got the following:
10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [SYN] Seq=0 Win=65535 Len=0 MSS=1380
10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [ACK] Seq=1 Ack=1 Win=65535 Len=0
10.127.80.63 10.127.101.5 TCP cisco-sccp > evb-elm [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [RST] Seq=25 Win=0 Len=0
10.127.80.63 10.127.101.5 TCP [TCP Dup ACK 1515#1] cisco-sccp > evb-elm [ACK] Seq=1 Ack=1 Win=65535 Len=0
Logging on the devices themselves is terrible, so I really have no idea what would be causing replication to fail.
Thanks.
Jason
One update if it will help. I've been doing some research and I found that ACS replication doesn't like NAT and replication will fail if the IP address is changed through NAT.
While NAT is running on the firewall that our ACS appliance is behind, there is a static mapping to basically keep the NAT address the same. So NAT is being applied, but NAT is just giving it the same address.
I don't know if the NAT process is what's causing the problem? Based on the sniff I posted earlier, the source address of 101.5 is the IP of the ACS appliance.
Taking the device out from behind the firewall could be an option, but it would be a last resort because we would then need to reconfigure all of our equipment to point to the new address, and we have a lot of equipment.
Thanks.
Jason -
ACS Replication does not replicate all users
Hello,
We have two ACS 4.0 Solution Engines. Both are configured correctly for ACS replication. After starting the replication, not all users from the primary ACS are replicated to the slave ACS. All users are in different groups, and the non-replicated users are not in the local or unknown user group.
Does anybody have a hint to resolve this problem?
regards
Torsten
I have deleted a user which was dynamically discovered and afterwards added to a user group. After adding the user manually again, the replication was successful.
Thank you. -
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with the IPSEC VPN so that hosts at 10.1.0.0/16 communicate with hosts at 192.168.1.0/24 using translated addresses.
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 using destination, let's say, 10.23.1.5, not 192.168.1.5 (notice the last octet should be the same, in this case .5).
The same translation for the rest of the communication (host N2 pings host N3 at destination IP 10.23.1.6, not 192.168.1.6; again the last octet is the same).
It sounds a bit confusing to me, but I have seen this type of setup before when I worked for a managed service provider where we had connections to our clients (Site to Site IPsec VPN with NAT; not sure how it was set up).
Basically we were communicating with client hosts over the site to site VPN, but their real addresses were hidden and we were using translated addresses as mentioned above, 10.23.1.0/24 instead of the (real) 192.168.1.0/24, with the last octet the same.
Appreciate it if someone can shed some light on it.
Hi,
OK, so we're going with the older NAT configuration format.
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
ASA5505 SOHO public ip range and nat head ache
Hello
Can anyone shed some light on a problem I'm having? We have set up an ASA 5505 with an ISP called Zen that allocates you a subnet of public IP addresses. I have successfully set up the ASA to access the internet using NAT on the outside interface. We would like to use the other IP addresses in the range for other services, but I cannot think how I can do/configure this.
LAN > ASA5505 > VDSL Modem > ISP
the range they have given us is
Number of IP addresses: 8
IP addresses: XX.XX.XXX.40 - XX.XX.XXX.47
Subnet mask: 255.255.255.248
Subnet in slash notation: XX.XX.XXX.40 /29
Network address: XX.XX.XXX.40
XX.XX.XXX.41
XX.XX.XXX.42
XX.XX.XXX.43
XX.XX.XXX.44
XX.XX.XXX.45
XX.XX.XXX.46 Router
Broadcast address: XX.XX.XXX.47
Router address: XX.XX.XXX.46
I have set up XX.XX.XXX.46 on the outside interface, and hosts inside can access the net, and NAT from the internet to internal devices all works.
We have a VDSL modem connected to the outside interface, and using PPPoE we dynamically get the XX.XX.XXX.46/32 address.
Is there any way I can use the other spare addresses? I do see how I can use them. I have done a lot of browsing, and the only way I see that other people have been able to do this is using a layer 3 device and using ip unnumbered on the external interface pointing to a loopback.
any info or advice would be gratefully received.
regards
C.
Hello
The version is Cisco Adaptive Security Appliance Software Version 9.2(2)4.
Debugging ICMP, I see pings to the .46 address; however, I see no pings/traffic received on the ASA for the other addresses. How does Zen know to route the xx.xx.xx.41 to .45 IP addresses to the firewall using the .46 address?
the nat rules i have are
nat (Vlan200_Int,Outside_Dirty_Int) dynamic interface < this works for lan access to the internet
nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp www 65100
nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp https 65101
access-list Outside_Dirty_Network_access_in extended permit tcp object Click_PC object ESXi object-group DM_INLINE_TCP_7
object-group service DM_INLINE_TCP_7 tcp
port-object eq 902
port-object eq www
port-object eq https
thanks for the help -
Internal DNS server and NAT routing issue.
Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
We have a Cisco router configured with one-to-one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and NAT on that subnet under a different public IP provided by our ISP.
Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
Thanks
Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying. -
Questions on replication and h/w load balancer
Why does h/w load balancer have to support passive cookies and inspect them to
dispatch the request to the primary server first? If we have in-memory replication
and if h/w loadbalancer just dispatches the http request from the client to any
of the weblogic servers in the cluster wouldn't this work?
Is it to pin the session to the creator server to minimize the chance of replication
misses due to n/w issues, member server slow speed, buffer overwrite etc.
-Shiraz
Yes, and previous to 6.1 (?) if the request showed up at the wrong server it
would fail.
Peace,
Cameron Purdy
Tangosol Inc.
Tangosol Coherence: Clustered Coherent Cache for J2EE
Information at http://www.tangosol.com/
"Shiraz Zaidi" <[email protected]> wrote in message
news:3c15aa10$[email protected]..
>
> Why does h/w load balancer have to support passive cookies and inspect them to
> dispatch the request to the primary server first? If we have in-memory replication
> and if h/w loadbalancer just dispatches the http request from the client to any
> of the weblogic servers in the cluster wouldn't this work?
>
> Is it to pin the session to the creator server to minimize the chance of replication
> misses due to n/w issues, member server slow speed, buffer overwrite etc.
>
> -Shiraz
-
Apple Airport Extreme Base Station for PPPoE, DHCP and NAT with ActionTec DSL modem
I just spent several hours trying to track down proper instructions for setting up my Apple AEBS to do the PPPoE, DHCP and NAT while connected to an ActionTec M1000 (no wireless module). It turns out my initial setups on both devices were correct, but that the order for rebooting and reconnecting the two devices is critical. All of the threads I found on this forum and on many others suggested this was not possible, but it is. What I don't yet know is whether it is the best method for running my home network DSL connection to my ISP (CenturyLink).
The instructions I found that worked come courtesy of Brandon Konkle's blog and are both simple and clear: http://brandon.konkle.us/post/19637529637/centurylink-actiontec-q1000-airport-extreme-bridge
The proper settings for the ActionTec DSL modem can be found under Advanced Setup/IP Addressing/WAN IP Address.
Click RFC 1483 Transparent Bridging then click on Apply.
(see also http://qwest.centurylink.com/internethelp/modems/m1000/pdf/M1000_BRIDGE.pdf )
To reduce time, do this BEFORE you reset your AEBS then set the AEBS so that you don't have to wait for the AEBS to reboot.
In contrast to what Brandon described for the Q1000 modem, my AEBS never reconnected to the modem (he describes his as getting an IP from his ISP, then dropping it then getting another over and over - mine never got an IP). Once you have reset both devices as described, the critical steps I have not found described elsewhere were:
1. Disconnect the power from both the modem and the Airport Extreme.
2. Disconnect the Ethernet cable between the two devices
3. Restore power to the 2 devices and allow them to fully reboot. For the ActionTec M1000, this is indicated when the lights stop blinking. (Note that the Internet light will NOT be lit in this instance since the modem is acting only as a bridge. You will NOT have an Internet connection until the AEBS is reconnected.) The AEBS will be blinking yellow.
4. Reconnect the Ethernet cable between the devices (make sure on the M1000 that you are using the connector with the circle icon over it, not the arrow icon).
Within about 60 seconds, the AEBS light went to steady green and the connection to the Internet was restored.
Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything.
Does anyone think or know if it will make a difference?
Message was edited by: Bud Shaw
Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything.
Does anyone think or know if it will make a difference?
No one can accurately predict in advance what the actual results might be. I've tried both ways with different products and cannot say that one method is better than the other. What works is best.
In theory, it is preferable to have the modem provide the PPPoE connection service since it is the device connected directly to the Internet.
In practice, results vary depending on the service provider, products used, phase of the moon, alignment of the planets, etc. -
How to set up DHCP and NAT for QNAP NAS MyCloud service?
I have an Apple AirPort Extreme Base Station (AEBS) attached to my DSL modem (no router in the modem). My QNAP NAS is attached via ethernet to the QNAP NAS. My iMac (running AirPort Utility 6.x) is connected to the AEBS via wifi.
I've found several folks who've tried this (and apparently succeeded), but I'm a networking novice and am having trouble making this work. What I did was to go into the AirPort utility and in the networking section configure "DHCP and NAT" and then called out the static IP and MAC address of the QNAP NAS (as well as the ports I'd like to remain open). However, when I did this and applied the changes, my iMac (connected to the AEBS via wifi) could no longer see the AEBS, which then required me to reset the AEBS, re-configure it back to the previous known good configuration and start over. After about 5 cycles of this I gave up.
So, what am I doing wrong here? Do I need to go in and configure every device that is going to access the AEBS as static and call out each device's IP and MAC address? (Hopefully not; that'd be a major PITA.)
Help. Anyone?
When I run diagnostics with the QNAP, here is the reply I get (IPs redacted):
------ NAT PMP Diagnostics ------
initnatpmp() returned 0 (SUCCESS)
using gateway : xx.x.x.x
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned 0 (OK)
Public IP address : 192.168.xxx.xxx
epoch = 2621
closenatpmp() returned 0 (SUCCESS)
------ UPnP Diagnostics ------
upnpc : miniupnpc library test client. (c) 2006-2011 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://xx.x.x.x:60606/8CC1212D0C6D/Server0/ddd
st: upnp:rootdevice
desc: http://xx.x.x.x:9000/TMSDeviceDescription.xml
st: upnp:rootdevice
desc: http://xx.x.x.xx:55000/nrc/ddd.xml
st: upnp:rootdevice
desc: http://xx.x.x.xx:55000/dmr/ddd.xml
st: upnp:rootdevice
desc: http://xx.x.x.xx:49152/4/description.xml
st: upnp:rootdevice
desc: http://xx.x.x.xx:49152/2/description.xml
st: upnp:rootdevice
desc: http://xx.x.x.xx:49152/0/description.xml
st: upnp:rootdevice
desc: http://xx.x.x.xxx:8200/rootDesc.xml
st: upnp:rootdevice
desc: http://xx.x.x.xxx:49152/gatedesc.xml
st: upnp:rootdevice
desc: http://xx.x.x.xxx:49153/gatedesc.xml
st: upnp:rootdevice
desc: http://xx.x.x.xxx:49155/gatedesc.xml
st: upnp:rootdevice
desc: http://xx.x.x.xxx:9000/TMSDeviceDescription.xml
st: upnp:rootdevice
UPnP device found. Is it an IGD ? : http://xx.x.x.x:60606/
Trying to continue anyway
Local LAN ip address : xx.x.x.xxx
GetConnectionTypeInfo failed.
Status : , uptime=3217870016s, LastConnectionError :
Time started : Wed Mar 13 17:04:03 1912
MaxBitRateDown : 7 bps MaxBitRateUp 0 bps
GetExternalIPAddress() returned -3
GetExternalIPAddress failed.
GetGenericPortMappingEntry() returned -3 ((null)) -
Comparison between Multimaster replication and Data Guard
Hi,
I have some questions regarding Multimaster Replication and Data Guard, like:
1.) I have a web site with its database in Oracle 10.2.0 and multimaster replication configured on it. But whenever I need to change the structure of the tables I
need to stop replication. So my web site is unavailable, but my first priority is availability. So will it be useful for me to configure Data Guard?
2.) I have configured Data Guard for testing. My database is named Gard and the physical standby database is stan.
It is working fine.
Suppose my main database server gets corrupted and I have no option to start the main database server. Now I am left with only the standby server; how can I start the standby server
as the main database server?
3.) Is there any way, if the main database stops working, for the standby database to start working as main without DBA intervention?
Thanks
Umesh
Edited by: Umesh Sharma on Jan 14, 2009 4:17 AM
Hi Umesh,
first of all you should be aware that Dataguard and Replication are two completely different things.
While the database where you replicate to is always up and open in read write mode, a physical standby can either be recovering or open in read only mode.
1.) I think from what you are telling you probably should consider using dataguard with a logical standby database, but be aware that there will be some limitations regarding datatypes.
2.) you can do a failover or a switchover, depending on your database version switchback may not be possible
3.) have a look at dataguard broker, you can use it to automate the failover
Best regards,
PP -
Windows 2012 - SYSVOL replication and NETLOGON share
After reading 100 tons of articles and links i decided to open this thread.
I know today is 1st of april, but unfortunately for me this is not a joke.
given:
two 2003 DC's - physical servers
two 2008 DC's - VM's on ESX 5.1 hosts
two 2012 DC's - VM's on ESX 5.5 hosts
domain functional level 2003
situation:
we plan to decom the 2003's.
The 2008 DC's are in place since a while and working ok.
We plan to upgrade to 2012 and here it is where the trouble starts.
Firstly, I couldn't, by any means, promote the 2012s as DCs until I moved all the FSMO roles from the 2003 DCs to the 2008 DCs.
After lots of work with the network team we made all the right connections, opened the firewalls, ran the DCDIAG and DNS tests, and the only problems reported are the SYSVOL replication and NETLOGON share.
I tried all the tools out there to check the replication, and the last one is Microsoft's AdRplstatus tool, which made me think that either Microsoft is making fun of me or I'm the dumbest Windows admin on this planet.
This tool reports that there are NO ERRORS in replicating SYSVOL, but when I run the command 'net share' the 'domain.com\sysvol\scripts' share is not there. Furthermore, when I try to access '\\domain.com\sysvol', the directory under which I must find the 'policies'
and 'scripts' folders, Sysvol is empty. Obviously these are present when I do this check from the 2008 DCs or 2003 DCs.
Is there a known issue for these problems regarding 2012 and ESX 5.5? Still, I doubt it.
DCDIAG /TEST:DNS
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = dc-p01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: dc-p01
Starting test: Connectivity
......................... dc-p01 passed test Connectivity
Doing primary tests
Testing server: dc-p01
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... dc-p01 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : domain
Running enterprise tests on : domain.com
Starting test: DNS
Test results for domain controllers:
DC: dc-p01.domain.com
Domain: domain.com
TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record dcdiag-test-record in zone domain.com
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 184.134.0.97 (<name unavailable>)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 184.134.0.97
dc-p01 PASS
PASS PASS PASS WARN PASS n/a
......................... domain.com passed test DNS
The PTR record query for 1.0.0.127 is still there, but I will change it manually; my DNS is set as primary to point to the server itself by its IP and not 127.0.0.1.
Still, that DNS server with that error is a Linux DNS, but all my DCs have the DNS role on and are fully replicating and working, including the 2012s.
DCDIAG:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = dc-p01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: dc-p01
Starting test: Connectivity
......................... dc-p01 passed test Connectivity
Doing primary tests
Testing server: dc-p01
Starting test: Advertising
......................... dc-p01 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... dc-p01 passed test FrsEvent
Starting test: DFSREvent
......................... dc-p01 passed test DFSREvent
Starting test: SysVolCheck
......................... dc-p01 passed test SysVolCheck
Starting test: KccEvent
......................... dc-p01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... dc-p01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... dc-p01 passed test MachineAccount
Starting test: NCSecDesc
......................... dc-p01 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\dc-p01\netlogon)
[dc-p01] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... dc-p01 failed test NetLogons
Starting test: ObjectsReplicated
......................... dc-p01 passed test ObjectsReplicated
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
dc-p01: Current time is 2014-04-01 10:25:09.
DC=ForestDnsZones,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
DC=DomainDnsZones,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
CN=Schema,CN=Configuration,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
CN=Configuration,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:25:50
DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
......................... dc-p01 passed test Replications
Starting test: RidManager
......................... dc-p01 passed test RidManager
Starting test: Services
......................... dc-p01 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 09:26:35
EvtFormatMessage failed, error 15027 the message resource is present
but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error
0x3ab3)
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:27:52
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID fdc (C:\Windows\s
ystem32\taskhost.exe).
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 09:31:14
EvtFormatMessage failed, error 15027 the message resource is present
but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error
0x3ab3)
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 09:32:13
EvtFormatMessage failed, error 15027 the message resource is present
but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error
0x3ab3)
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:32:53
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID c18 (C:\Windows\s
ystem32\taskhost.exe).
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 09:35:33
EvtFormatMessage failed, error 15027 the message resource is present
but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error 0x3ab3)
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:37:54
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.comn using any of the configured protocols; requested by PID 950 (C:\Windows\system32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:42:54
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.comn using any of the configured protocols; requested by PID 5c4 (C:\Windows\system32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:47:55
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.comn using any of the configured protocols; requested by PID ee0 (C:\Windows\system32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:52:56
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.comn using any of the configured protocols; requested by PID e48 (C:\Windows\system32\taskhost.exe).
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 09:53:30
EvtFormatMessage failed, error 15027 the message resource is present but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error 0x3ab3)
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:57:57
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.comn using any of the configured protocols; requested by PID a20 (C:\Windows\system32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 10:02:58
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.comn using any of the configured protocols; requested by PID 1bc (C:\Windows\system32\taskhost.exe).
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 10:06:04
EvtFormatMessage failed, error 15027 the message resource is present but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error 0x3ab3)
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 10:07:58
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.comn using any of the configured protocols; requested by PID 14c (C:\Windows\system32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 10:12:59
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.comn using any of the configured protocols; requested by PID 90c (C:\Windows\system32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 10:18:00
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.comn using any of the configured protocols; requested by PID 558 (C:\Windows\system32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 10:23:01
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.comn using any of the configured protocols; requested by PID f00 (C:\Windows\system32\taskhost.exe).
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 10:23:56
EvtFormatMessage failed, error 15027 the message resource is present but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error 0x3ab3)
......................... dc-p01 failed test SystemLog
Starting test: VerifyReferences
......................... dc-p01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : mydomain
Starting test: CheckSDRefDom
......................... mydomain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... mydomain passed test CrossRefValidation
Running enterprise tests on : domain.comn
Starting test: LocatorCheck
......................... domain.comn passed test LocatorCheck
Starting test: Intersite
......................... domain.comn passed test Intersite
In Active Directory Sites and Services, when I try to replicate FROM a valid SYSVOL Domain Controller towards my 2012 DC I get this:
The following error occurred during the attempt to contact the domain controller dc-p01:
Directory object not found
I cannot upload a picture yet because MS ... didn't verify me.
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\dc-p01\netlogon)
[dc-p01] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... dc-p01 failed test NetLogons
Starting test: ObjectsReplicated
......................... dc-p01 passed test ObjectsReplicated
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
dc-p01: Current time is 2014-04-01 10:25:09.
DC=ForestDnsZones,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
DC=DomainDnsZones,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
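The transcript above is long, and the two failed tests and the day-old replication are easy to miss among the repeated DCOM events. As an added example (not part of the original post), the PowerShell below parses a saved dcdiag transcript into failed tests, a count of each event ID converted to the decimal form Event Viewer shows, and how far behind each replication partner is. The function name is this example's own; the sample input is constructed from the lines posted above.

```powershell
# Added example, not from the original post: summarise a saved dcdiag
# transcript (e.g. dcdiag /v /c /e > dcdiag.txt) so the failures stand out.
# Function name is this example's own; sample input is constructed from
# the lines posted in the thread.

function ConvertFrom-DcdiagOutput {
    param([Parameter(Mandatory)][string]$Text)

    $tests    = [System.Collections.Generic.List[object]]::new()
    $latency  = [System.Collections.Generic.List[object]]::new()
    $eventIds = @{}
    $now      = $null

    $lines = $Text -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i].Trim()

        # "......................... dc-p01 failed test NetLogons"
        # dcdiag wraps long test names onto the next line, so allow an empty name here.
        if ($line -match '^\.+\s+(?<target>\S+)\s+(?<result>passed|failed) test\s*(?<test>\S*)$') {
            $name = $Matches.test
            if (-not $name -and ($i + 1) -lt $lines.Count) { $i++; $name = $lines[$i].Trim() }
            $tests.Add([pscustomobject]@{
                Target = $Matches.target; Test = $name; Passed = ($Matches.result -eq 'passed')
            })
            continue
        }

        # "An error event occurred. EventID: 0x0000272C" -> 10028 (DCOM).
        # UInt32, because warning IDs such as 0xA004001B have the top bit set.
        if ($line -match 'EventID:\s+0x(?<hex>[0-9A-Fa-f]+)') {
            $id = [Convert]::ToUInt32($Matches.hex, 16)
            $eventIds[$id] = 1 + [int]$eventIds[$id]
            continue
        }

        # "dc-p01: Current time is 2014-04-01 10:25:09." gives the reference clock.
        if ($line -match 'Current time is (?<now>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)') {
            $now = [datetime]::ParseExact($Matches.now, 'yyyy-MM-dd HH:mm:ss', $null)
            continue
        }

        # "Last replication received from DC-P02 at" with the timestamp on the next line.
        if ($line -match '^Last replication received from (?<partner>\S+) at' -and ($i + 1) -lt $lines.Count) {
            $last  = [datetime]::ParseExact($lines[$i + 1].Trim(), 'yyyy-MM-dd HH:mm:ss', $null)
            $hours = if ($now) { [math]::Round(($now - $last).TotalHours, 1) } else { $null }
            $latency.Add([pscustomobject]@{ Partner = $Matches.partner; Last = $last; HoursBehind = $hours })
            $i++
        }
    }

    [pscustomobject]@{
        Failed   = @($tests | Where-Object { -not $_.Passed })
        Passed   = @($tests | Where-Object { $_.Passed })
        EventIds = $eventIds
        Latency  = $latency
    }
}

# Constructed sample, trimmed from the transcript posted in the thread.
$sample = @'
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 10:23:01
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.comn using any of the configured protocols; requested by PID f00 (C:\Windows\system32\taskhost.exe).
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 10:23:56
EvtFormatMessage failed, error 15027 the message resource is present but the message is not found in the string/message table.
......................... dc-p01 failed test SystemLog
Starting test: VerifyReferences
......................... dc-p01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\dc-p01\netlogon)
......................... dc-p01 failed test NetLogons
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
dc-p01: Current time is 2014-04-01 10:25:09.
DC=ForestDnsZones,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
'@

$report = ConvertFrom-DcdiagOutput -Text $sample
$report.Failed  | Format-Table Target, Test                 # SystemLog, NetLogons
$report.Latency | Format-Table Partner, Last, HoursBehind   # DC-P02, about 19 hours behind
$report.EventIds.GetEnumerator() | Sort-Object Key | Format-Table Key, Value
```

The hex conversion is worth sanity-checking against the transcript itself: 0x272C is 10028, the DCOM "unable to communicate with the computer" event, and 0x3ab3 is 15027, the same EvtFormatMessage error number the transcript prints in decimal a line earlier. Converting through UInt32 rather than Int32 matters for IDs like 0xA004001B, which Int32 parsing would turn negative.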
To perform a non-authoritative restore of SYSVOL, you set the BurFlags value and the system will automatically try to sync the contents of SYSVOL with its replicating partner DC. It's not mandatory to select any particular DC for SYSVOL replication because, in the same domain, all DCs share the same SYSVOL content.
Sometimes, if initialization of FRS doesn't start, you have to follow the article below. It's also applicable to Windows 2008 as long as you're using FRS for replication.
http://support.microsoft.com/kb/290762/en-us
To force the replication of SYSVOL using the command line, refer to the link below.
http://blogs.technet.com/b/justinturner/archive/2007/04/27/quick-tip-force-frs-replication.aspx
It's better to find out what went wrong with the overall AD domain infrastructure such that SYSVOL has not been able to contact its partner for SYSVOL replication, using an in-depth assessment of the domain. It can be network, firewall, antivirus or built-in firewall port issues which might have broken SYSVOL replication.
http://msmvps.com/blogs/ad/archive/2008/06/03/active-directory-health-checks-for-domain-controllers.aspx
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights. -
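The answer above describes the BurFlags non-authoritative restore in one sentence. As an added example (not the answer's own code, nor Microsoft's), the PowerShell below wraps that procedure in the checks an operator would want first: confirm the NETLOGON and SYSVOL shares are really missing, refuse to run if the FRS key is absent (which usually means SYSVOL has already moved to DFS-R, where BurFlags does nothing), make the authoritative D4 value an explicit opt-in, and wait for the FRS event that says SYSVOL is shared again. It assumes SYSVOL is still replicated by FRS (NtFrs), as the answer says, and is meant to run in an elevated session on the stale DC (dc-p01 in the thread); the function names are this example's own.

```powershell
# Added example, not part of the original answer: the BurFlags non-authoritative
# SYSVOL reset that KB 290762 describes, with guard rails. Run elevated on the
# DC whose SYSVOL is stale. Assumes FRS (NtFrs) still replicates SYSVOL, as the
# answer states. Function names are this example's own.

$BurFlagsSubKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Get-SysvolShareState {
    # Same check dcdiag /test:NetLogons performs: both shares must be reachable.
    param([Parameter(Mandatory)][string]$DomainController)
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $path = "\\$DomainController\$share"
        [pscustomobject]@{ Path = $path; Reachable = (Test-Path -LiteralPath $path) }
    }
}

function Reset-SysvolFrs {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([switch]$Authoritative)

    # D2 (0xD2) = non-authoritative: this DC re-pulls SYSVOL from a partner.
    # D4 (0xD4) = authoritative: this DC's copy overwrites every other DC's.
    # D4 belongs on exactly one DC per domain, hence the explicit switch.
    $flag = if ($Authoritative) { 0xD4 } else { 0xD2 }

    # The key name contains a '/', which the HKLM: drive provider treats as a
    # path separator, so open it through the .NET registry API instead.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($BurFlagsSubKey, $true)
    if (-not $key) {
        throw "BurFlags key missing on $env:COMPUTERNAME. SYSVOL is probably on DFS-R (check 'dfsrmig /getglobalstate'); BurFlags only applies to FRS."
    }

    $action = 'set BurFlags=0x{0:X} and restart NtFrs' -f $flag
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        Stop-Service -Name NtFrs -Force
        $key.SetValue('BurFlags', $flag, [Microsoft.Win32.RegistryValueKind]::DWord)
        Start-Service -Name NtFrs
    }
    $key.Close()
}

function Wait-SysvolInitialised {
    # FRS logs 13565 when it starts re-initialising SYSVOL from a partner and
    # 13516 once SYSVOL is shared again; 13508 means it still cannot reach one.
    param([int]$TimeoutMinutes = 30)
    $since    = Get-Date
    $deadline = $since.AddMinutes($TimeoutMinutes)
    do {
        $done = Get-WinEvent -FilterHashtable @{
            LogName = 'File Replication Service'; Id = 13516; StartTime = $since
        } -ErrorAction SilentlyContinue
        if ($done) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Typical run on dc-p01 (drop -WhatIf to apply the change):
Get-SysvolShareState -DomainController dc-p01
Reset-SysvolFrs -WhatIf
# After a real reset:
# if (Wait-SysvolInitialised) { Get-SysvolShareState -DomainController dc-p01 } else { 'still waiting; check for FRS event 13508' }
```

If Wait-SysvolInitialised times out, the answer's last point applies: a 13508 in the File Replication Service log means the DC still cannot reach a partner, and the cause is in the network path (firewall, RPC, name resolution) rather than in FRS itself, which is also what the DCOM 10028 events in the transcript suggest.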
Data replication and synchronization in Oracle 10g XE.
We are trying to do a data replication and synchronization sort of thing for all our servers. We are using Oracle 10g XE. I guess there are some features in Oracle already for replication but I am not very sure about them.
To explain it more clearly: we will have individual database servers in our sub-divisions, then divisions and centers, and then the main server. We need to synchronize at various levels. So if anybody is aware of any techniques, please let me know.
Hi,
Could you tell me what exactly the synchronisation you're talking about is?
>> we will have individual database servers in our sub-divisions and then divisions and centers and then main server
If you have multiple DB servers then you can connect them by DB links. Also, if you are talking about DB synchronisation, then you can have triggers and materialized views.
We also have two independent servers which are synchronised (at least at schema level).
Regards! -
Advanced Replication and Oracle Label Security
Has anyone been able to configure both Advanced Replication and Oracle Label Security to work together?
This is currently not supported in Streams. I have an enhancement request in with Oracle for this functionality. This won't be seen in 11g R2 either.
Has anyone done Label Security with Advanced Replication?