Active Directory Replication failed
Hi all,
I'm deploying Lync Server 2010 on a virtual server.
My domain controller is a physical server.
A Windows Update restart happened when almost 90% of the deployment was completed.
During enabling users in the Lync Server Control Panel
I got an issue after the server restart: Active Directory replication failed.
Regards,
Arun.
The problem is more related to the domain controller.
Please check the event log on the domain controller.
You can also refer to the following link to troubleshoot Active Directory replication problems:
http://technet.microsoft.com/en-us/library/cc738415(v=ws.10).aspx
Lisa Zheng
TechNet Community Support
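As an added example (not part of Lisa's answer or the original thread), this is the first-pass replication health check a practitioner would run before touching the Lync deployment again. It needs the ActiveDirectory RSAT module and rights to read the Directory Service event log on each DC; no other names are assumed.

```powershell
# Added example, not from the thread: a first-pass replication health check to run before
# touching the Lync deployment again. Requires the ActiveDirectory RSAT module and rights to
# read the Directory Service event log on each DC.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([int]$EventHours = 24)   # how far back to read DC event logs

    $forest = Get-ADForest
    # Every DC in every domain of the forest (Get-ADDomainController -Filter * is per domain).
    $dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }

    # 1. Failures the replication engine has recorded anywhere in the forest.
    $failures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

    # 2. Per-partner metadata. LastReplicationResult is a Win32 error code when non-zero
    #    (1722 = RPC server unavailable, 8453 = replication access denied, 8614 = too long
    #    since last replication, i.e. the partner is past tombstone lifetime).
    $partners = foreach ($dc in $dcs) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both |
            Select-Object Server, Partner, Partition, LastReplicationResult,
                          LastReplicationSuccess, ConsecutiveReplicationFailures
    }
    $stale = $partners | Where-Object {
        $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0
    }

    # 3. Critical/error/warning events in the Directory Service log of each DC. Event 1311
    #    (KCC: topology incomplete) and 2042 (partner past tombstone lifetime) explain most
    #    "replication failed" symptoms.
    $events = foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName = 'Directory Service'; Level = 1, 2, 3
            StartTime = (Get-Date).AddHours(-$EventHours)
        } -ErrorAction SilentlyContinue |
            Select-Object MachineName, TimeCreated, Id, Message
    }

    [pscustomobject]@{
        Failures      = @($failures)
        StalePartners = @($stale)
        DCEvents      = @($events)
        Healthy       = (@($failures).Count -eq 0 -and @($stale).Count -eq 0)
    }
}

$health = Get-ReplicationHealth
$health.Failures      | Format-Table -AutoSize
$health.StalePartners | Format-Table -AutoSize
$health.DCEvents      | Format-Table -Wrap
"Replication healthy: $($health.Healthy)"
# The same summary without the module, from any DC:  repadmin /replsummary
```

A DC that was rebooted mid-deployment will usually show either a transient RPC error (1722) that clears within one replication interval, or a DNS problem that keeps the partner from being found; the Directory Service events tell you which.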
Similar Messages
-
Migration SBS2003 to SBS2008 Active Directory Replication
I am migrating from SBS2003 server to SBS2008. I fired up the 2008 server on the network with the 2003 server and started the migration. I got about 25% progress on the “Expanding and Installing Files” window when I got an error message of “Active Directory Replication is taking longer than expected. You can choose whether to continue waiting. If you choose not to wait the migration may fail. Unless you are sure that replication is working correctly, it is recommended that you continue to wait”. After waiting three times of 20 minutes each I don’t think it is working. What are my options? What can I check for?
Hi,
As this is an SBS-related issue, you may wish to post to the SBS newsgroup. This will give you access to others who read the public newsgroups regularly and who will share their knowledge.
Connect Windows Small Business Server 2008
http://connect.microsoft.com/SBS08
Thank you for your understanding and cooperation.
Miles -
BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups
Dear all
In our environment, there are 2 domains (domain A and B); it has worked well all the time. Today, all the users belonging to domain A cannot log in; for users in domain B, all of them can log in but the BO server responds very slowly, and there is an error message popup when opening a Webi report for a domain B user. Below is the error message:
"Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
Anyone has encountered similar issue?
BO version: BO XI 3.1 SP5
Authenticate: Windows AD
Thanks and Regards
Please get in touch with your AD team and verify whether there are any changes applied to the domain controller and that there are no network issues.
Also, since this is multi-domain, make sure you have a 2-way transitive forest trust as mentioned in SAP Note 1323391, and that the FQDNs of the directory servers are maintained in the registry as per SAP Note 1199995.
http://service.sap.com/sap/support/notes/1323391
http://service.sap.com/sap/support/notes/1199995
-Ambarish- -
Active Directory domain failed
Hello Team,
When I join our Active Directory, every time the BUI gives the same error messages:
The attempt to join the Active Directory domain failed either because the clocks of the appliance and the domain controller are skewed or the administrative user does not have the appropriate permissions to create a computer account in Active Directory.
It is recommended that NTP be used to keep clocks synchronized when using Active Directory.
Storage appliance: 7310, one controller. There is no firewall for the NTP server either, which connects directly to the NTP domain server. Actually, my belief is that there is no time sync issue.
Firmware version is latest patch.
What is your idea about this issue?
I did this action plan many times, but the result is the same:
Active Directory Tasks
B) Joining a Domain
1. Configure an Active Directory site in the CIFS context. (optional)
2. Configure a preferred domain controller in the CIFS context. (optional)
3. Enable NTP, or ensure that the clocks of the appliance and domain controller are synchronized to within five minutes.
4. Ensure that your DNS infrastructure correctly delegates to the Active Directory domain, or add your domain controller's IP address as an additional name server in the DNS context.
5. Configure the Active Directory domain, administrative user, and administrative password.
6. Apply/commit the configuration.
A) Joining a Workgroup
Configure the workgroup name.
Apply/commit the configuration.
1. First of all, LAN Compatibility Mode 4 works fine with Win 2003 (AD server).
2. While trying to join the AD, using a non-admin username and password will not help.
Try using a username/password which has administrative privileges (specifically having the rights for account creation in the AD server) on the AD server.
(I was trying with a different username/password but it was not joining the storage to AD. It joined when I tried a user having the privileges to create machine accounts in AD.)
3. For clock sync, the tolerance limit is up to 5 minutes, so you can take care that the difference does not go beyond 5 minutes.
Thanks
Can
Gantek Tech.
Your first post to these OTN forums.
You posted your inquiry to a HARDWARE forum.
Your issue seems to be a Microsoft OS issue and you just happen to have your OS volumes on a model 7310 appliance.
I suggest you go find a forum somewhere that is hosted for Microsoft AD issues.
If you happen to need the documentation for that piece of storage hardware, there are currently three PDF's available:
http://docs.oracle.com/cd/E19935-01/index.html
They are the Installation Guide, the hardware Administration Guide, and the Service Manual.
There are no current Oracle-published documents for that box as related to Active Directory. -
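The appliance's error names two possible causes and cannot tell you which one it hit. As an added example (not from the thread, and not something the 7310 itself can run), the following checks both from a Windows host with RSAT before the next join attempt: the clock offset against the DC, and whether the join account effectively holds "Create Computer objects" on the target container. The DC name, the join account and the container DN are assumptions.

```powershell
# Added example, not from the thread: check the two conditions the appliance's error names,
# clock skew and the right to create a computer object, from a Windows host with RSAT.
Import-Module ActiveDirectory

$DomainController = 'dc01.example.local'               # assumption: your DC's FQDN
$JoinAccount      = 'storagejoin'                       # assumption: sAMAccountName used for the join
$TargetContainer  = 'CN=Computers,DC=example,DC=local'  # assumption: where the computer object is created

function Get-ClockOffsetSeconds {
    param([string]$Server)
    # w32tm /stripchart /dataonly prints one line per sample, e.g. "12:00:01, +00.0123456s".
    $lines = w32tm /stripchart /computer:$Server /samples:3 /dataonly
    $last  = $lines | Where-Object { $_ -match ',\s*[+-]\d+\.\d+s' } | Select-Object -Last 1
    if (-not $last) { throw "No time samples from $Server (UDP 123 blocked, or the name does not resolve)" }
    [double]([regex]::Match($last, '([+-]\d+\.\d+)s').Groups[1].Value)
}

function Test-CreateComputerRight {
    param([string]$SamAccountName, [string]$ContainerDN)
    $computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
    $user = Get-ADUser -Identity $SamAccountName

    # Effective SIDs: the user, every group in the nested chain (LDAP_MATCHING_RULE_IN_CHAIN),
    # the primary group (RID 513, never listed in 'member') and Authenticated Users.
    $sids  = @($user.SID.Value)
    $sids += @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
                   ForEach-Object { $_.SID.Value })
    $sids += "$($user.SID.AccountDomainSid.Value)-513"
    $sids += 'S-1-5-11'

    $acl = Get-Acl -Path "AD:\$ContainerDN"
    $relevant = foreach ($ace in $acl.Access) {
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                   # unresolvable (orphaned) SID, skip
        if ($sids -notcontains $sid) { continue }
        $createChild = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0
        $scopeOk     = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $computerClass)
        if ($createChild -and $scopeOk) { $ace }
    }
    $allowed = @($relevant | Where-Object { $_.AccessControlType -eq 'Allow' })
    $denied  = @($relevant | Where-Object { $_.AccessControlType -eq 'Deny' })
    [pscustomobject]@{
        Allowed = ($allowed.Count -gt 0 -and $denied.Count -eq 0)
        Allow   = $allowed
        Deny    = $denied
    }
}

$offset = Get-ClockOffsetSeconds -Server $DomainController
if ([math]::Abs($offset) -gt 300) {
    Write-Warning ('Clock skew {0:N1}s exceeds the 5-minute Kerberos tolerance; fix NTP on the appliance first.' -f $offset)
} else {
    'Clock skew {0:N1}s: within tolerance.' -f $offset
}

$right = Test-CreateComputerRight -SamAccountName $JoinAccount -ContainerDN $TargetContainer
"Create computer objects in $TargetContainer allowed for ${JoinAccount}: $($right.Allowed)"
$right.Deny | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize
```

One caveat when interpreting the result: Authenticated Users can also create computer accounts through ms-DS-MachineAccountQuota (10 per user by default) without any ACE on the container, so a join that works for one account and fails for another does not by itself prove a delegation difference.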
Active Directory Replication 2008 R2
Hi
We are getting an error as "The following server could not be reached (topology incomplete)"
Domain Controllers: 2008 R2
How can we resolve this issue.
Aravind
The error message mentions that the server is not reachable.
You might want to start with checking the basics:
Check that the faulty DC has its A, CNAME and SRV records properly registered in your DNS system (you can use nslookup for checking: http://social.technet.microsoft.com/wiki/contents/articles/29184.nslookup-for-beginners.aspx). If this is not the case, then follow the IP settings recommendation I mentioned here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx.
Once the IP settings are corrected, you can run the ipconfig /registerdns command.
Check that required ports for AD replication are opened between your DCs and are not filtered: http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
If none of that helped, you can temporarily disable the security software you use on the DCs and check again.
The last resort could be to demote the DC and promote it again.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
-
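The "check the basics" steps above, as an added example that is not part of the answer: it verifies each DC's A record, the DSA-GUID CNAME under _msdcs that replication partners resolve, and the DC-locator SRV entry, then probes the fixed TCP ports replication and authentication use. DNS lookups use Resolve-DnsName (Windows 8 / 2012 and later); the port probe uses plain .NET sockets so it needs no extra module. No host names are assumed; everything is discovered from the domain.

```powershell
# Added example, not part of the answer above: DNS registration and fixed-port reachability
# for every DC in the current domain.
Import-Module ActiveDirectory

function Test-DCDnsRegistration {
    param([string[]]$DCHostNames = (Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }))
    $domain = (Get-ADDomain).DNSRoot
    $forest = (Get-ADForest).Name
    # Targets advertised in the DC-locator SRV record for the domain.
    $ldapSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget.TrimEnd('.') }
    foreach ($name in $DCHostNames) {
        $dc  = Get-ADDomainController -Identity $name
        # DSA GUID = objectGUID of the NTDS Settings object; partners replicate with <guid>._msdcs.<forest>.
        $dsa = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
        $a   = Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' }
        $cn  = Resolve-DnsName -Name "$dsa._msdcs.$forest" -Type CNAME -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'CNAME' }
        [pscustomobject]@{
            DC       = $dc.HostName
            ARecord  = [bool]$a
            DsaCname = [bool]$cn
            LdapSrv  = ($ldapSrv -icontains $dc.HostName)
        }
    }
}

function Test-DCPorts {
    param(
        [string[]]$DCHostNames = (Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }),
        # Fixed ports only. The endpoint mapper (135) hands replication RPC off to a port in the
        # dynamic range (49152-65535 on 2008 and later), which a fixed list cannot cover.
        [int[]]$Ports = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269),
        [int]$TimeoutMs = 2000
    )
    foreach ($name in $DCHostNames) {
        $row = [ordered]@{ DC = $name }
        foreach ($port in $Ports) {
            $client = New-Object System.Net.Sockets.TcpClient
            $open = $false
            try {
                $ar = $client.BeginConnect($name, $port, $null, $null)
                if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                    $client.EndConnect($ar)          # throws if the connect failed
                    $open = $client.Connected
                }
            } catch { $open = $false } finally { $client.Close() }
            $row["TCP$port"] = $open
        }
        [pscustomobject]$row
    }
}

Test-DCDnsRegistration | Format-Table -AutoSize
Test-DCPorts           | Format-Table -AutoSize
```

A DC whose DsaCname is false will show exactly the "could not be reached" symptom even when its A record is fine, because replication partners look up the GUID name, not the host name. Run the port probe from the DC that reports the failure, not from a workstation, since DC-to-DC filtering is what matters.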
I'm trying to give a mailbox user Send As right for a distribution group. But the cmdlet comes back with this:
Get-DistributionGroup MyGroup | Add-ADPermission -user albert -ExtendedRights Send-As
Active Directory operation failed on <DC fqdn>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : FE24751F,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
What could be the problem, considering the items below :
- inheritance is not broken to the level of the distribution group object
- the account used to run the cmdlet is a member of the Organization Management group
- creating a new distribution group in the same OU and running the command works as expected; checking the permission for this group against MyGroup (using Get-DistributionGroup testgroup | Get-ADPermission | Sort-Object User,AccessRights | ft user,accessrights,extendedrights,properties)
shows no differences.
- adding the permission using ADUC results in the user being able to Send As the group, however I'm trying to find out the root cause of the Powershell cmdlet execution problem
- there is no Deny permission on the group's ACL
- the group didn't have the "Hide Membership" feature of Exchange 2003 applied, so there shouldn't be any non-canonical ACL issues.
Anyone ever come up with a solution to this? I get something similar when ActiveSync tries to create objects in user containers.
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Test User,OU=Domain Users,DC=domain,DC=com" container under Active Directory user "Active Directory operation failed on DELL7S09.domain.com. This error is not retriable.
Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
Details:%3
So... I get this after I introduced an MS Exchange 2010 SP3 RU8 server into my environment. You can find LOTS of people suggesting the same fix but I've not found anything that deviates from those fixes: check the "inherit permissions", and give full permissions on msExchActiveSyncDevices to the Exchange Servers security group, blah blah.
I got to this point by following a "Migrate to Exchange 2010" paper by MS. I have no Win2k servers; my old Exchange server is Win2003 R2 SP2 with Exch2003 SP2 fully patched. The Exchange server is also a DC. I installed a new 2012 R2 server and then patched it. Installed Exch2010 SP3 RU8 and all seems well.
The old Exch2003 server is still in production. My iPhone army connects remotely for mail, and all works great. I created a new Test User in AD, gave it a mailbox on the 2003 server, and waited a bit. It eventually shows up in the Server Manager on the new 2010 Exchange server. I send it a bunch of emails, connect to it with an Outlook client on a Win7 machine, all works. I go to the SM on the 2010 box and migrate the mailbox to the new server. It works. I can connect with Outlook, send/receive mail to other users in the org. I then try to connect with my iPhone and I get the message in Event Viewer over and over.
Went so far as to promote the new 2012 server to a DC. Seems to be fine. Now I am wondering if I demote the old Exch2003 server, will it help... or cause a new crop of issues.... -
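The first poster checked inheritance, Deny ACEs and an ACE-by-ACE comparison against a working group by hand. As an added example that is not part of the thread, this pulls the same things out of the group object's DACL in one pass and adds the one check that is easy to miss: who actually holds WriteDacl on the object, which is what Add-ADPermission needs in order to add an ACE. 'MyGroup' and 'testgroup' are the names from the thread; nothing else is assumed.

```powershell
# Added example, not part of the thread: report the DACL facts that explain an
# INSUFF_ACCESS_RIGHTS on Add-ADPermission, and diff the ACE set against a working group.
Import-Module ActiveDirectory

$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # extended right "Send As"

function Get-GroupAclReport {
    param([string]$GroupName)
    $group     = Get-ADGroup -Identity $GroupName
    $acl       = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    $writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

    [pscustomobject]@{
        Group              = $group.DistinguishedName
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected
        DenyAces           = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        # GenericAll includes WriteDacl, so the bit test catches Full Control grants too.
        WriteDaclHolders   = @($acl.Access |
                                Where-Object { $_.AccessControlType -eq 'Allow' -and
                                               ($_.ActiveDirectoryRights -band $writeDacl) -ne 0 } |
                                ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        SendAsGrants       = @($acl.Access | Where-Object { $_.ObjectType -eq $SendAsGuid } |
                                ForEach-Object { '{0} {1}' -f $_.AccessControlType, $_.IdentityReference.Value })
        # One comparable string per ACE: the fields Get-ADPermission shows, plus inheritance scope.
        AceStrings         = @($acl.Access | ForEach-Object {
                                '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.IdentityReference.Value, $_.AccessControlType,
                                    $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType, $_.InheritanceType })
    }
}

$broken = Get-GroupAclReport -GroupName 'MyGroup'
$works  = Get-GroupAclReport -GroupName 'testgroup'

$broken | Select-Object Group, Owner, InheritanceBlocked, WriteDaclHolders, SendAsGrants | Format-List
$broken.DenyAces | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize

# ACEs present on one group only: '<=' only on MyGroup, '=>' only on testgroup.
Compare-Object -ReferenceObject $broken.AceStrings -DifferenceObject $works.AceStrings |
    Format-Table InputObject, SideIndicator -AutoSize -Wrap
```

Two things to keep in mind when reading the output. Exchange 2010 cmdlets run through RBAC: the remote PowerShell session makes the directory change as the Exchange server itself (Exchange Trusted Subsystem, a member of Exchange Windows Permissions), not as the logged-on admin, so Organization Management membership decides whether you may run Add-ADPermission, but the WriteDacl entry that matters on the group is the one granted to those Exchange groups. And if both reports are identical and the cmdlet still fails, point it at the DC named in the error with -DomainController to rule out a replica that has not yet received the ACL you see elsewhere.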
see:
(2014-02-01) Testing Active Directory Replication Latency/Convergence Through PowerShell (Update 2)
Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
That link might have been broken. Here is the link:
http://jorgequestforknowledge.wordpress.com/2014/02/01/testing-active-directory-replication-latencyconvergence-through-powershell-update-2/
Nice Jorge. Thanks for sharing.
Regards,
Biswajit
-
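The kind of latency/convergence test Jorge's post describes, as an added example: this is not his script and not part of the thread. It writes a fresh GUID into the description of a canary object on one DC of the domain, then polls every other DC of that domain until each returns the same value, and reports how many seconds each took. The canary DN is an assumption; the function creates the container on first use, so it does make one small, intended change to the directory.

```powershell
# Added example, not Jorge's script and not from the thread: measure replication convergence
# by stamping a canary object on one DC and polling the others until they all agree.
Import-Module ActiveDirectory

function Get-CanaryStamp {
    # Read the canary's description from one DC; $null if the object has not arrived there yet.
    param([string]$DN, [string]$Server)
    try   { (Get-ADObject -Identity $DN -Server $Server -Properties description -ErrorAction Stop).description }
    catch { $null }
}

function Test-ADReplicationConvergence {
    param(
        [string]$CanaryDN = "CN=ReplCanary,CN=System,$((Get-ADDomain).DistinguishedName)",  # assumption
        [int]$TimeoutSeconds = 900,   # should exceed the longest inter-site schedule interval
        [int]$PollSeconds = 5
    )
    $dcs    = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })
    $source = $dcs[0]

    if ($null -eq (Get-CanaryStamp -DN $CanaryDN -Server $source)) {
        # Object missing on the source (first run): create it there.
        $rdn    = ($CanaryDN -split ',', 2)[0] -replace '^CN=', ''
        $parent = ($CanaryDN -split ',', 2)[1]
        New-ADObject -Name $rdn -Type container -Path $parent -Server $source
    }

    $stamp = [guid]::NewGuid().ToString()
    $start = Get-Date
    Set-ADObject -Identity $CanaryDN -Server $source -Replace @{ description = $stamp }

    $results = @([pscustomobject]@{ DC = $source; Seconds = 0; Converged = $true })
    $pending = @($dcs | Where-Object { $_ -ne $source })
    while ($pending.Count -gt 0 -and ((Get-Date) - $start).TotalSeconds -lt $TimeoutSeconds) {
        foreach ($dc in $pending) {
            if ((Get-CanaryStamp -DN $CanaryDN -Server $dc) -eq $stamp) {
                $results += [pscustomobject]@{
                    DC = $dc; Seconds = [int]((Get-Date) - $start).TotalSeconds; Converged = $true
                }
            }
        }
        $pending = @($pending | Where-Object { $_ -notin $results.DC })
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollSeconds }
    }
    foreach ($dc in $pending) {
        $results += [pscustomobject]@{ DC = $dc; Seconds = $null; Converged = $false }
    }
    $results
}

Test-ADReplicationConvergence | Format-Table -AutoSize
```

Intra-site partners receive change notification within roughly 15 seconds, so anything in the same site that takes longer than a minute is worth a look; inter-site DCs follow the site-link schedule, which is why the default timeout is 15 minutes. A DC that still shows Converged = False at the timeout is the one to run repadmin /showrepl against.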
Verification of prerequisites for Active Directory preparation failed
We currently have a Windows Server 2003 SBS SP2 domain controller. I would like to add Windows Server 2012 Standard, 64-bit, as a backup domain controller.
"Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain sxxxx.local.
Exception: The RPC server is unavailable.
Adprep could not retrieve data from the server name.xxxxx.local through Windows Management Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20130417103902-test directory for possible cause of failure."
What the log says is really:
"Adprep encountered a Win32 error. Error code: 0x6ba Error message: The RPC server is unavailable."
Can anyone who has had a similar experience shed some light on how to troubleshoot this? I have reviewed other links that have similar problems, but that doesn't help.
Many Thanks!
Of course I CANNOT remove Symantec as Meinolf suggests. That would be out of my mind!! I tried to stop all their services though, which doesn't help. I know this has nothing to do with Symantec. Here comes another test, the final one:
Test 8
This article is really good as it concludes very thoroughly about the problems of "800706BA - RPC Server Is Unavailable" and other WMI query issues:
http://goo dot gl/l2iha
I started looking at the ISA 2004 on our SBS 2003.
Tried to disable the RPC Filter:
a. Open Microsoft Internet Security and Acceleration Server 2004
b. Go to Configuration > Add-ins and locate RPC Filter on the right side, right-click on it and select Properties, uncheck 'Enable this filter'
c. Hit Apply....
d. Now I go back to Windows 7 and test the WMI query.
The result: it WORKS!
e. Next, I tried that on the Windows Server 2012 like so:
c:>wmic /node:sbs2003servername computersystem list brief /format:list
It also works!
f. Next, also on Windows Server 2012, I continued with what was left over. I did the "Rerun prerequisites check" and, no surprise: "All prerequisite checks passed successfully. Click 'Install' to begin installation"!
Well, that concludes the problem of installing Windows Server 2012 (Standard) as a backup domain controller to a Windows SBS 2003 domain controller, and the troubleshooting process that finally led to a solution that solves my problem. Thanks for all the discussions over the web. Every bit counts!
Well, if this helps you in some way, give me some points to buy beer! I am going to have a drink with Bill, Cheers! -
Windows Server 2008 R2 - Active Directory Replication over DynDNS
Hello,
I have one server that runs Windows Server 2008 R2 with Active Directory / DNS.
Now some users have shifted to a new office with the server.
Some users are still in the original place, which now doesn't have AD DS/DNS.
I want to install one replication server in the original place to retrieve AD/DNS from the new office via DynDNS.
Is that possible or not?
Best regards,
Badr, I don't think you want AD replication occurring over the internet - even if that was possible, the server would need access to all the SRV records, A records, and all the ports required for communication - see here for an exhaustive list:
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx - I don't think I have to tell you how bad opening all these ports to the internet would be.
You may want to look at setting up a VPN or DirectAccess from the original site to the new site. This will give you more security and generally won't cost too much.
http://technet.microsoft.com/en-us/network/dd420463.aspx
Another thing that may work for you would be to set up Remote Desktop Services in the new location and have the original location remote in via a gateway server -
http://blogs.technet.com/b/windowsserver/archive/2012/05/09/windows-server-2012-remote-desktop-services-rds.aspx as a starting point. With RDS your users would be able to access the new location from anywhere, although there would be upfront costs associated, licensing and a server being part of them - I don't recommend turning your domain controller into an RDS server.
These are just some ideas to help you with your issue -
Active Directory Replication Servers (wont replicate SYSVOL and NETLOGON Not showing)
I have my first DC server (DC1), DC1.DOMAIN.LOCAL. I decided to add another domain controller, made it a secondary DNS server and also a GC. Everything seems to replicate, but it's missing NETLOGON and SYSVOL won't replicate.
Windows 2008 R2
Error 5706
The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\INFGRP.LOCAL\SCRIPTS. The following error occurred:
The system cannot find the file specified.
Event 7009
A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
Event 1058
The processing of Group Policy failed. Windows attempted to read the file \\INFGRP.LOCAL\SysVol\INFGRP.LOCAL\Policies\{55DE4000-0D51-44CD-92A1-30F286B2BC86}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until
this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
All Critical
This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS
Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
Test replication
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine dc, is a DC.
* Connecting to directory service on server dc.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\dc
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... dc passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\dc
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=GRP,DC=LOCAL
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=GRP,DC=LOCAL
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=GRP,DC=LOCAL
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=GRP,DC=LOCAL
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=GRP,DC=LOCAL
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... dc passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: Advertising
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: RidManager
Test omitted by user request: MachineAccount
Test omitted by user request: Services
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: ObjectsReplicated
Test omitted by user request: frssysvol
Test omitted by user request: frsevent
Test omitted by user request: kccevent
Test omitted by user request: systemlog
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : DomainDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : Schema
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : Configuration
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : GRP
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running enterprise tests on : GRP.LOCAL
Test omitted by user request: Intersite
Test omitted by user request: FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
On the second DC (DCR), I see SYSVOL, but no files replicated; also there's no NETLOGON. -
Can't fix Active Directory replication
Hi,
I am not sure when the replication issue started, but it has been going on for months now. We have two ADs, and actually we have one working fine (probably). Users are replicated fine (at least they show in the second AD tree) and also the group policies replicate (they show in the group policy tree).
But in the \\dc02\SYSVOL\domainname.com\Policies directory, nothing is shared. It's completely out of date. Also the Group Policy Management console gives a warning: 1 domain controller(s) with replication in progress.
Anyway, I and other members of the IT staff looked into it, but it looks like the problem goes deep.
So my question is, what is the best way to solve this? Start to post some errors here, or maybe we should completely re-install the second DC? Or both? Or is that a bad idea?
Thanks for any help!
Thanks for the responses!
Problem is, Event Viewer keeps giving different errors. I just restarted my secondary DC and it gives this error:
This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
Before the restart, I ran dcdiag again and it gave problems with NCSecDesc, so a permission problem. I fixed that, and after that I ran dcdiag again and no errors were showing. But the SYSVOL directory was still not in sync.
After that, I restarted, and the top error is shown in Event Viewer, and dcdiag gives me another, new error:
Starting test: SystemLog
A warning event occurred. EventID: 0x000727A5
Time Generated: 04/16/2014 18:02:36
Event String: The WinRM service is not listening for WS-Management requests.
A warning event occurred. EventID: 0x80040020
Time Generated: 04/16/2014 18:03:13
Event String:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 04/16/2014 18:03:13
Event String:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
A warning event occurred. EventID: 0x80040020
Time Generated: 04/16/2014 18:03:13
Event String:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
An error event occurred. EventID: 0xC0001B61
Time Generated: 04/16/2014 18:03:40
Event String:
A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
An error event occurred. EventID: 0xC0001B6F
Time Generated: 04/16/2014 18:03:41
Event String: The Diagnostic System Host service terminated with the following error:
An error event occurred. EventID: 0xC0001B6F
Time Generated: 04/16/2014 18:03:41
Event String: The Diagnostic Service Host service terminated with the following error:
......................... DC02 failed test SystemLog
After restarting the secondary DC, the primary DC gives an error on DFSREvent, but I think that's OK because it lost the secondary DC for a minute. No further errors there.
After restarting the primary DC, it also gives a SystemLog error, but different from the other DC's dcdiag:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
A warning event occurred. EventID: 0x00000090
Time Generated: 04/16/2014 18:31:25
Event String: The time service has stopped advertising as a good time source.
......................... DC01 failed test SystemLog
Now this is the current status. I am pretty desperate. Maybe you have some suggestions? Otherwise, I will try pbbergs' suggestion.
Other errors in Event Viewer (not sure if they are related, but just posting to be sure):
This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.
Certificate name: dc01.domainname.com
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
Thanks for the help! -
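Both SYSVOL threads above (the one with no NETLOGON share on the new DC, and this one with a stale Policies folder) show the same event: one DC says it has migrated SYSVOL to DFS Replication and has stopped FRS, while the other DC still behaves as an FRS replica. SYSVOL cannot converge while the two engines disagree. As an added example that is not part of either thread, the following lists, per DC, which engine is running, whether SYSVOL and NETLOGON are shared, the SysvolReady flag, and the domain-wide migration state recorded in AD, so the mismatch is visible in one table. Run it on a DC as a domain admin; the remote registry read needs the Remote Registry service. No names are assumed.

```powershell
# Added example, not from either thread: compare the SYSVOL replication engine each DC is
# actually using with the domain-wide DFSR migration state stored in AD.
Import-Module ActiveDirectory

function Get-SysvolEngineState {
    $domainDN = (Get-ADDomain).DistinguishedName

    # Domain-wide DFSR migration state: msDFSR-Flags on CN=dfsr-GlobalSettings,CN=System.
    $names = @{ 0 = 'Start (FRS)'; 16 = 'Prepared'; 32 = 'Redirected'; 48 = 'Eliminated (DFSR only)' }
    $gs = Get-ADObject -Identity "CN=dfsr-GlobalSettings,CN=System,$domainDN" `
              -Properties 'msDFSR-Flags' -ErrorAction SilentlyContinue
    if ($null -eq $gs) {
        $globalState = 'no dfsr-GlobalSettings object: migration never started, SYSVOL should be on FRS'
    } else {
        $flags = [int]$gs.'msDFSR-Flags'
        $globalState = "$flags ($($names[$flags]))"
    }

    $perDC = foreach ($dc in Get-ADDomainController -Filter *) {
        $name   = $dc.HostName
        $frs    = (Get-Service -ComputerName $name -Name NtFrs -ErrorAction SilentlyContinue).Status
        $dfsr   = (Get-Service -ComputerName $name -Name DFSR  -ErrorAction SilentlyContinue).Status
        $shares = Get-WmiObject -Class Win32_Share -ComputerName $name -ErrorAction SilentlyContinue |
                      ForEach-Object { $_.Name }
        $ready  = $null
        try {
            $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $name)
            $ready = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').GetValue('SysvolReady')
        } catch { }
        [pscustomobject]@{
            DC             = $name
            NtFrs          = $frs
            DFSR           = $dfsr
            SysvolShared   = ($shares -icontains 'SYSVOL')
            NetlogonShared = ($shares -icontains 'NETLOGON')
            SysvolReady    = $ready        # 1 = Netlogon publishes SYSVOL and NETLOGON
        }
    }

    [pscustomobject]@{
        GlobalState       = $globalState
        DomainControllers = @($perDC)
        DfsrmigReport     = (dfsrmig /getmigrationstate | Out-String)   # per-DC state as dfsrmig sees it
    }
}

$state = Get-SysvolEngineState
"Domain-wide migration state: $($state.GlobalState)"
$state.DomainControllers | Format-Table -AutoSize
$state.DfsrmigReport
```

The rows should agree with each other and with the global state: all DCs on NtFrs with no dfsr-GlobalSettings object, or all on DFSR with the global state at Eliminated. A DC running DFSR with NtFrs stopped next to one still on FRS is the situation both posters describe, and no amount of restarting will sync SYSVOL until the migration is driven to the same state on every DC with dfsrmig /setglobalstate (1, then 2, then 3, waiting for dfsrmig /getmigrationstate to report all DCs at each step) from the PDC emulator.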
Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest
Hello everyone,
I'm managing a multi-domain forest (with 7 sub-domains). All are working fine except for one. Through repadmin (repadmin /replsum /bysrc /bydest /sort:delta), I noticed that both domain controllers of a subdomain (there are only 2 DCs in that subdomain) hadn't replicated with the rest of the forest for more than 60 days.
According to my research, it's usually recommended to demote and re-promote the problematic DC to avoid the issue of lingering objects. In this case, it's both DCs of a sub-domain. Of course, on the other DCs in the forest, I get event ID 2012 "it has been too long since this machine last replicated with the named source machine....".
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
to a value of 1.
As I understand it, this may cause lingering objects to appear (they can be removed with the repadmin /removelingeringobjects command with the DSA GUID, naming context, etc.). So far, I haven't used that registry key because of the associated risks.
I didn't notice any other issue so far. Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the other DCs in the forest (at least, I'm not getting any error in AD Sites and Services).
I added two new DCs for the affected sub-domain, so the number of DCs for that domain went from 2 to 4. The two old DCs that hadn't replicated for 60 days are Windows Server 2003 and the two new DCs are Server 2008 R2.
Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain. By that, I mean that I cannot add an Active Directory Domain Services connection in the Sites & Services console (from a DC in another domain of the forest, or even the root domain). I see all the DCs, including the two old DCs that are Server 2003, but not the new ones.
I believe it's because the other DCs don't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
I was wondering what the best course of action is. Is it worthwhile to use the registry key to force replication with the old DCs? (And hopefully, the new DCs will get their AD Services connection/replication vector created, so I can demote the old DCs.)
Since the old DCs from the problematic sub-domain seem to be able to pull replication from the rest of the forest, is the risk of lingering objects not that great?
Or is it too risky, and must I create a new sub-domain and migrate the users one way or another? (Which would be time-consuming.)
Thanks in advance,
Adam
Thanks for the reply. One of the links had another link to a good article about the use of repadmin:
So, I ran the command "repadmin /removelingeringobjects" on one of the problematic DCs ().
For clarity purposes, let's say I used the domains:
domain = main domain
subdomain = the domain whose DCs are problematic (all of them).
AnotherSubDomain = just another subdomain I used as a "reference" DC to clean up the appropriate partition.
Command (the DSA GUID is from a "clean" DC in another domain):
repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
I got the following message in the event viewer :
Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
Source domain controller:
c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
Number of objects examined and verified:
0
Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
advisory mode option.
How should I interpret the message "number of objects examined and verified: 0"? Does it mean it just didn't find any object to compare? (Which would be odd IMHO.) Or is there another problem?
Thanks in advance,
Adam -
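The advisory-mode sweep Adam ran by hand, as an added example that is not part of the thread: it runs repadmin /removelingeringobjects for one partition against each DC that holds it, using the DSA GUID of a DC whose replica you trust as the reference, and then collects the events the scan writes on the target so the per-DC count is in one table instead of scattered across event logs. The reference DC must hold a current copy of the partition being scanned, and the scan only covers objects in that partition as held on the target DC. Host names and partition names below are assumptions modelled on the thread.

```powershell
# Added example, not from the thread: advisory-mode lingering-object scan per partition and
# per DC, with the resulting Directory Service events collected from each target.
Import-Module ActiveDirectory

function Get-DsaGuid {
    # The DSA GUID is the objectGUID of the DC's NTDS Settings object (repadmin /showrepl prints it too).
    param([string]$DCName)
    $dc = Get-ADDomainController -Identity $DCName
    (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID.Guid
}

function Invoke-LingeringObjectScan {
    param(
        [string]$ReferenceDC,      # DC with a trusted, up-to-date replica of $NamingContext
        [string]$NamingContext,    # e.g. 'CN=Configuration,DC=domain,DC=ca'
        [string[]]$TargetDCs,      # DCs to check; each must hold $NamingContext
        [switch]$Remove            # without it, /advisory_mode only reports
    )
    $refGuid = Get-DsaGuid -DCName $ReferenceDC
    $mode    = if ($Remove) { 'remove' } else { 'advisory' }
    foreach ($dc in ($TargetDCs | Where-Object { $_ -ine $ReferenceDC })) {
        $started = Get-Date
        $cmdArgs = @('/removelingeringobjects', $dc, $refGuid, $NamingContext)
        if (-not $Remove) { $cmdArgs += '/advisory_mode' }
        $output = & repadmin @cmdArgs 2>&1 | Out-String

        # Directory Service events on the target: 1942 = advisory scan completed (it carries the
        # "Number of objects examined and verified" line quoted above); 1946 = one event per
        # lingering object found in advisory mode.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Directory Service'; Id = 1942, 1946; StartTime = $started
        } -ErrorAction SilentlyContinue

        [pscustomobject]@{
            TargetDC       = $dc
            ReferenceDSA   = "$ReferenceDC ($refGuid)"
            NamingContext  = $NamingContext
            Mode           = $mode
            Completed      = [bool]($events | Where-Object { $_.Id -eq 1942 })
            LingeringCount = @($events | Where-Object { $_.Id -eq 1946 }).Count
            RepadminOutput = $output.Trim()
        }
    }
}

# Assumed names, modelled on the thread. Scan each partition the stale DCs hold, one call per NC.
$staleDCs   = 'adrec01.mysubdomain.domain.ca', 'adrec02.mysubdomain.domain.ca'
$partitions = 'CN=Configuration,DC=domain,DC=ca', 'CN=Schema,CN=Configuration,DC=domain,DC=ca'
$partitions | ForEach-Object {
    Invoke-LingeringObjectScan -ReferenceDC 'dc01.domain.ca' -NamingContext $_ -TargetDCs $staleDCs
} | Format-List
```

Run it in advisory mode first and only add -Remove once every target reports Completed with a LingeringCount you have reviewed. Keep Strict Replication Consistency on the healthy DCs; the Allow Replication With Divergent and Corrupt Partner value mentioned in the question is a temporary override to set to 1 only after the scan is clean, and to set back to 0 as soon as the partner has replicated again.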
Monitoring active directory replication.
Hello! How do I configure step-by-step monitoring of replication between 2 domains?
Hi,
Have you downloaded “Guide for System Center Management Pack for Active Directory for Operations Manager 2012”? It includes detailed information.
http://www.microsoft.com/en-us/download/details.aspx?id=21357
Niki Han
TechNet Community Support -
Active Directory Discovery fails to bind to OU
I am continuously receiving the following error:
Active Directory System Discovery Agent failed to bind to container
LDAP://OU=DOMAIN CONTROLLERS,DC=MYDOMAIN,DC=COM. Error: The specified directory service attribute or value does not exist.
Not sure what to check at this point. I have checked permissions on the OU; the server has read permissions. Here is a screenshot of the properties:
Have you tried discovery of the entire forest, not just a single OU? If that works then it has to be permissions to that OU. If it fails, then it would be no permissions to the forest.
I'd also consider using a user account (just as a test). Personally I've always used the site server computer account, but you could also try a user account for this to ensure that it's not something else.
Wally Mead -
Active Directory replication and login errors (Plz HELP !!)
Hi All,
We have one forest domain (XXXX.LOCAL) and lots of child domains (XXX.XXXX.LOCAL).
We are facing an issue where child domains are not able to log in with the forest administrator account, and there are also lots of replication errors.
Exchange OWA gives an error about not being able to find a particular XXX.XXX.local child domain.
dcdiag output from the child domain is:
C:\Windows\system32>
C:\Windows\system32>nltest.exe /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
C:\Windows\system32>nltest.exe /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
C:\Windows\system32>
C:\Windows\system32>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = PMA-DC01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: HEC-CITY\PMA-DC01
Starting test: Connectivity
......................... PMA-DC01 passed test Connectivity
Doing primary tests
Testing server: HEC-CITY\PMA-DC01
Starting test: Advertising
Warning: PMA-DC01 is not advertising as a time server.
......................... PMA-DC01 failed test Advertising
Starting test: FrsEvent
......................... PMA-DC01 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... PMA-DC01 failed test DFSREvent
Starting test: SysVolCheck
......................... PMA-DC01 passed test SysVolCheck
Starting test: KccEvent
......................... PMA-DC01 passed test KccEvent
Starting test: KnowsOfRoleHolders
[PMA-DC02] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: PMA-DC02 is the PDC Owner, but is not responding to DS RPC
Bind.
[PMA-DC02] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: PMA-DC02 is the PDC Owner, but is not responding to LDAP
Bind.
Warning: PMA-DC02 is the Rid Owner, but is not responding to DS RPC
Bind.
Warning: PMA-DC02 is the Rid Owner, but is not responding to LDAP
Bind.
Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... PMA-DC01 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... PMA-DC01 passed test MachineAccount
Starting test: NCSecDesc
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
......................... PMA-DC01 failed test NCSecDesc
Starting test: NetLogons
......................... PMA-DC01 passed test NetLogons
Starting test: ObjectsReplicated
......................... PMA-DC01 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,Replications Check] Inbound replication is
disabled.
To correct, run "repadmin /options PMA-DC01 -DISABLE_INBOUND_REPL"
[Replications Check,PMA-DC01] Outbound replication is disabled.
To correct, run "repadmin /options PMA-DC01 -DISABLE_OUTBOUND_REPL"
......................... PMA-DC01 failed test Replications
Starting test: RidManager
......................... PMA-DC01 failed test RidManager
Starting test: Services
w32time Service is stopped on [PMA-DC01]
......................... PMA-DC01 failed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x00000010
Time Generated: 04/21/2014 19:16:04
Event String:
Unable to Connect: Windows is unable to connect to the automatic upd
ates service and therefore cannot download and install updates according to the
set schedule. Windows will continue to try to establish a connection.
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:42
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.dc._msdcs
.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the fol
lowing DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.PMA.XXXX.
LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHOR
E._sites.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on
the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._udp.PMA.XXXX.
LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kpasswd._tcp.PMA.XXXX.L
OCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kpasswd._udp.PMA.XXXX.L
OCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHOR
E._sites.dc._msdcs.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.'
failed on the following DNS server:
An error event occurred. EventID: 0x00000C8A
Time Generated: 04/21/2014 19:44:51
Event String:
This computer could not authenticate with \\LHR-DC01.XXXX.LOCAL, a W
indows domain controller for domain XXXX, and therefore this computer might deny
logon requests. This inability to authenticate might be caused by another compu
ter on the same network using the same name or the password for this computer ac
count is not recognized. If this message appears again, contact your system admi
nistrator.
An error event occurred. EventID: 0xC00A0038
Time Generated: 04/21/2014 19:46:02
Event String:
The Terminal Server security layer detected an error in the protocol
stream and has disconnected the client. Client IP: 10.87.193.37.
An error event occurred. EventID: 0x40000004
Time Generated: 04/21/2014 19:52:41
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was PMA\PMA-DC02$. This indicates that the
target server failed to decrypt the ticket provided by the client. This can occu
r when the target server principal name (SPN) is registered on an account other
than the account the target service is using. Please ensure that the target SPN
is registered on, and only registered on, the account used by the server. This e
rror can also happen when the target service is using a different password for t
he target service account than what the Kerberos Key Distribution Center (KDC) h
as for the target service account. Please ensure that the service on the server
and the KDC are both updated to use the current password. If the server name is
not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from th
e client domain (PMA.XXXX.LOCAL), check if there are identically named server ac
counts in these two domains, or use the fully-qualified name to identify the ser
ver.
A warning event occurred. EventID: 0x8000001C
Time Generated: 04/21/2014 19:53:42
Event String:
When generating a cross realm referal from domain XXXX.LOCAL the KDC
was not able to find the suitable key to verify the ticket. The ticket key vers
ion in the request was 25 and the available key version was 22. This most common
reason for this error is a delay in replicating the keys. In order to remove th
is problem try forcing replication or wait for the replication of keys to occur.
An error event occurred. EventID: 0x40000004
Time Generated: 04/21/2014 20:13:25
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was LDAP/4a166db9-c39c-4069-99e7-8a233ce2c0
be._msdcs.XXXX.LOCAL. This indicates that the target server failed to decrypt th
e ticket provided by the client. This can occur when the target server principal
name (SPN) is registered on an account other than the account the target servic
e is using. Please ensure that the target SPN is registered on, and only registe
red on, the account used by the server. This error can also happen when the targ
et service is using a different password for the target service account than wha
t the Kerberos Key Distribution Center (KDC) has for the target service account.
Please ensure that the service on the server and the KDC are both updated to us
e the current password. If the server name is not fully qualified, and the targe
t domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL),
check if there are identically named server accounts in these two domains, or us
e the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 04/21/2014 20:13:25
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was ldap/pma-dc02.pma.XXXX.LOCAL. This indi
cates that the target server failed to decrypt the ticket provided by the client
. This can occur when the target server principal name (SPN) is registered on an
account other than the account the target service is using. Please ensure that
the target SPN is registered on, and only registered on, the account used by the
server. This error can also happen when the target service is using a different
password for the target service account than what the Kerberos Key Distribution
Center (KDC) has for the target service account. Please ensure that the service
on the server and the KDC are both updated to use the current password. If the
server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is di
fferent from the client domain (PMA.XXXX.LOCAL), check if there are identically
named server accounts in these two domains, or use the fully-qualified name to i
dentify the server.
......................... PMA-DC01 failed test SystemLog
Starting test: VerifyReferences
......................... PMA-DC01 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : PMA
Starting test: CheckSDRefDom
......................... PMA passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... PMA passed test CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running enterprise tests on : XXXX.LOCAL
Starting test: LocatorCheck
......................... XXXX.LOCAL passed test LocatorCheck
Starting test: Intersite
......................... XXXX.LOCAL passed test Intersite
C:\Windows\system32>
There are a number of things that can cause this, such as:
DNS is misconfigured to support a parent-child-additional tree forest.
Incorrect DNS zone replication scope for the design, which points back to the point #1.
AD Sites are misconfigured for the physical environment. For example if you have a hub and spoke physical environment, you can't use the default settings that bridge all sites (BASL) and must individually configure them.
Incorrect DNS settings on the DCs.
Multi-homed DCs.
Time service is not configured properly and/or syncing from the VM host, which should be configured otherwise (Microsoft, VMware and Citrix have KBs explaining this).
Default security settings at either the parent, child or both domains have been altered.
Firewalls between DCs, such as perimeter firewalls, or installed antivirus protection features if not excluded on DCs properly, will cause this, too.
That's the short list. If you can describe some of the points above, it may help us pinpoint where the issue may be.
Some links that may help understand some of the bullet points:
AD Site Design, DNS & the DC Locator Process, and Auto Site Link Bridging, or Bridge All Site Links (BASL)
http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx
Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
Published by Ace Fekay, MCT, MVP DS on Sep 18, 2009 at 8:14 PM
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
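A small triage helper for a dcdiag transcript like the one in this thread, added here as an example and not code from the thread or from Microsoft. The embedded transcript is a constructed excerpt modelled on the post above; the parser pulls out each test's verdict, the repadmin /options hints dcdiag printed (which show replication was switched off by the DISABLE_*_REPL flag on the DC rather than failing on the wire), stopped services, and a count of the System log event IDs, so the administrative flag gets cleared or explained before the DNS and Kerberos errors are chased.

```python
import re
from collections import Counter
# Constructed excerpt modelled on the dcdiag transcript in the post above.
SAMPLE_DCDIAG = """\
Testing server: HEC-CITY\\PMA-DC01
   Starting test: Connectivity
      ......................... PMA-DC01 passed test Connectivity
   Starting test: Advertising
      Warning: PMA-DC01 is not advertising as a time server.
      ......................... PMA-DC01 failed test Advertising
   Starting test: Replications
      [Replications Check,Replications Check] Inbound replication is disabled.
      To correct, run "repadmin /options PMA-DC01 -DISABLE_INBOUND_REPL"
      [Replications Check,PMA-DC01] Outbound replication is disabled.
      To correct, run "repadmin /options PMA-DC01 -DISABLE_OUTBOUND_REPL"
      ......................... PMA-DC01 failed test Replications
   Starting test: Services
      w32time Service is stopped on [PMA-DC01]
      ......................... PMA-DC01 failed test Services
   Starting test: SystemLog
      An error event occurred.  EventID: 0x0000168E
      An error event occurred.  EventID: 0x0000168E
      An error event occurred.  EventID: 0x40000004
      ......................... PMA-DC01 failed test SystemLog
   Starting test: CrossRefValidation
      ......................... DomainDnsZones passed test
      CrossRefValidation
"""

RESULT_RE = re.compile(r"\.{5,} (\S+) (passed|failed) test ?(\S*)")
FIX_RE = re.compile(r'To correct, run "([^"]+)"')
SERVICE_RE = re.compile(r"(\S+) Service is stopped on \[([^\]]+)\]")
EVENT_RE = re.compile(r"EventID: 0x([0-9A-Fa-f]{8})")

def parse_dcdiag(text):
    """Per-test verdicts, repadmin hints, stopped services and System log event IDs."""
    report = {"passed": [], "failed": [], "fixes": [], "stopped": [],
              "events": Counter()}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if m := RESULT_RE.search(line):
            target, verdict, test = m.groups()
            # dcdiag wraps at 80 columns, so a long test name can land on the next line
            test = test or (lines[i + 1].strip() if i + 1 < len(lines) else "?")
            report[verdict].append(f"{target}:{test}")
        if m := FIX_RE.search(line):
            report["fixes"].append(m.group(1))
        if m := SERVICE_RE.search(line):
            report["stopped"].append(f"{m.group(1)}@{m.group(2)}")
        if m := EVENT_RE.search(line):
            # dcdiag prints NTSTATUS-style codes; the low 16 bits are the decimal
            # event ID Event Viewer shows (0x0000168E -> 5774, 0x40000004 -> 4).
            report["events"][int(m.group(1), 16) & 0xFFFF] += 1
    return report

def replication_disabled(report):
    """True when dcdiag's own hint shows DISABLE_INBOUND_REPL or DISABLE_OUTBOUND_REPL
    set on the DC: an administrative flag, not a transport fault, so clear it first."""
    return any("DISABLE_INBOUND_REPL" in f or "DISABLE_OUTBOUND_REPL" in f for f in report["fixes"])
```

Feed it the saved output of `dcdiag /v` to get the same summary for a real DC; it needs Python 3.8 or later.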