Domain Replication issue

Hi,
I am using Windows Server 2008 R2 as PDC and ADC. My ADC was offline for more than 7 months. Now when it came online I am facing an issue with replication...
Problem: "Trust relation between this computer and the primary domain failed"
The Event Viewer log is:
It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two DCs may contain lingering objects. Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects". If the local destination DC was allowed to replicate with the source DC, these potential lingering object would be recreated in the local Active Directory Domain Services database.
Time of last successful replication:
2014-08-01 08:52:53 
Invocation ID of source directory server:......................................
I have tried repadmin /removelingeringobjects ..., tried rejoining the system to the domain, the netdom trust command, etc. The issue is still not getting resolved. Need help on this.
Regards

It is normal that, when a DC has not replicated for a long time, it gets tombstoned.
Please proceed as follows:
1. On the faulty DC, run dcpromo /forceremoval to force its demotion.
2. Check if the faulty DC holds any FSMO roles using netdom query fsmo. In case it holds some, seize them on the other DC: https://support.microsoft.com/en-us/kb/255504?wa=wsignin1.0
3. Do a metadata cleanup to remove the faulty DC references: https://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx
4. Once done, use the dcdiag command to make sure that your remaining DC is in a healthy state.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile

Similar Messages

  • Domain Replication Issue. Is there Any Process can be monitored in task Manager which is responsible for REPLICATION?

    Hi,
    There is an issue with secondary domain controller replication. I am interested in the "Windows process" which is responsible for replication.
    We have a 3rd-party tool in our project which generates an alarm when a (configured) Windows process is not running.
    I believe Remote Procedure Call (RPC) is used to replicate data and is always used for intrasite replication. But how do I find out which RPC is responsible, or whether any other Windows process is responsible?
    Is it possible to find out a "replication problem" by just monitoring the "responsible Windows process" (whether the process is running or not)?

    Hello,
    Have you already seen
    http://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx#w2k3tr_repup_how_dgvt
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Replication issues: Operations Master shows ERROR and attempting to connect to server shares gets "the target account name is incorrect"

    I think this should be easily resolved, but I need some guidance.
    I have a client with 2 Server 2003 R2 x64 DCs: BORIS & NATASHA. Last year I upgraded both of them from x86 to x64 one at a time, allowing replication to occur between the upgrades. BORIS is the FSMO roles holder as it is currently the production server,
    while NATASHA is a backup DC. One thing that puzzles me though is that if I look at the NS record in DNS on the SOA tab, it says NATASHA is the Primary server.
    While doing some routine maintenance I noticed an error in the File Replication Service events about a 'Tombstone' situation (Event ID 2042). I looked at article cc757610 in the Technet Library and opted for remedy #3 as I did not want to demote NATASHA
    and I got confused looking at the help about using "repadmin /removelingeringobjects". I have no idea how to determine which DC has the good copy of the directory.
    Now, in running "repadmin /showrepl" I get
    "DC=CPA,DC=local
        Default-First-Site-Name\BORIS via RPC
            DC object GUID: 0267a090-1890-40e2-9a15-ea928cabd425
            Last attempt @ 2012-12-27 08:28:55 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            1179 consecutive failure(s).        Last success @ 2012-12-21 23:30:15." <-- THIS IS WEIRD SINCE THIS IS THE DATE THAT I DISCOVERED THE TOMBSTONE EVENT AND MADE THE REGISTRY CHANGE
    (I THINK).
    When I try to look at the FSMO roles on NATASHA, it shows ERROR for RID, PDC & Infrastructure and says "The current Operations Master is offline. The role cannot be transferred." The other issue I'm having is that client PCs are intermittently having
    trouble reconnecting to necessary server shares.
    TIA
    Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP
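The showrepl fragment in the post above can be checked mechanically for the two conditions this thread and the original question turn on: a partner that keeps failing, and a last success older than the tombstone lifetime (the event 2042 case). The Python below is an added example, not code from any post; its sample input is constructed from Wayne's fragment plus a made-up healthy Configuration partner, and the 60/180-day tombstone lifetime defaults are assumed from the usual forest settings rather than taken from this page.

```python
"""Parse `repadmin /showrepl` output and flag inbound partners that are failing or
whose last success is older than the tombstone lifetime (the event 2042 condition).
Added example, not part of the original posts."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Union

# Constructed sample: the DC=CPA partner is copied from the showrepl fragment in
# Wayne's post; the Configuration-partition partner is made up as a healthy neighbour.
SAMPLE_SHOWREPL = r"""
DC=CPA,DC=local
    Default-First-Site-Name\BORIS via RPC
        DC object GUID: 0267a090-1890-40e2-9a15-ea928cabd425
        Last attempt @ 2012-12-27 08:28:55 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1179 consecutive failure(s).        Last success @ 2012-12-21 23:30:15.

CN=Configuration,DC=CPA,DC=local
    Default-First-Site-Name\BORIS via RPC
        DC object GUID: 0267a090-1890-40e2-9a15-ea928cabd425
        Last attempt @ 2012-12-27 08:30:12 was successful.
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
PARTITION_RE = re.compile(r"^(?:DC|CN)=\S+")
PARTNER_RE = re.compile(r"^\s+(?P<site>[^\\\s]+)\\(?P<dc>\S+) via (?P<transport>\S+)")
ATTEMPT_RE = re.compile(r"Last attempt @ " + TS +
                        r" (was successful|failed, result -?\d+ \((0x[0-9A-Fa-f]+)\))")
FAILURES_RE = re.compile(r"(\d+) consecutive failure\(s\)")
SUCCESS_RE = re.compile(r"Last success @ (?:" + TS + r"|(\(never\)))")


@dataclass
class Partner:
    partition: str
    site: str
    dc: str
    transport: str
    last_attempt_ok: Optional[bool] = None
    result_hex: str = ""
    error_text: str = ""
    consecutive_failures: int = 0
    last_success: Optional[datetime] = None  # None means "(never)"


def parse_showrepl(text: str) -> List[Partner]:
    """Unindented DC=/CN= lines scope the indented partner blocks that follow them."""
    partners: List[Partner] = []
    partition: Optional[str] = None
    cur: Optional[Partner] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if PARTITION_RE.match(line):
            partition, cur = line.strip(), None
            continue
        if (m := PARTNER_RE.match(line)) and partition:
            cur = Partner(partition, m["site"], m["dc"], m["transport"])
            partners.append(cur)
            continue
        if cur is None:
            continue  # DSA header and banner lines before the first naming context
        if m := ATTEMPT_RE.search(line):
            cur.last_attempt_ok = m[2] == "was successful"
            if cur.last_attempt_ok:
                cur.last_success = datetime.fromisoformat(m[1])  # no separate success line
            else:
                cur.result_hex = m[3]
        elif cur.last_attempt_ok is False and not cur.error_text and line.startswith(" " * 12):
            cur.error_text = line.strip()  # the error description follows the failed attempt
        if m := FAILURES_RE.search(line):
            cur.consecutive_failures = int(m[1])
        if m := SUCCESS_RE.search(line):
            cur.last_success = None if m[2] else datetime.fromisoformat(m[1])
    return partners


def assess(partners: List[Partner], now: Union[datetime, str], tombstone_lifetime_days: int = 60):
    """Return (partner, issues) for partners needing attention. Pass the forest's real
    tombstoneLifetime (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...):
    60 days when the attribute is unset, 180 on forests created with 2003 SP1 or later."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    limit = timedelta(days=tombstone_lifetime_days)
    findings = []
    for p in partners:
        issues = []
        if p.last_success is None:
            issues.append("never replicated successfully from this partner")
        elif now - p.last_success > limit:
            issues.append(f"last success {(now - p.last_success).days} days ago exceeds the "
                          f"{tombstone_lifetime_days}-day tombstone lifetime (event 2042); "
                          f"check for lingering objects before letting replication resume")
        if p.last_attempt_ok is False:
            issues.append(f"last attempt failed {p.result_hex} '{p.error_text}' "
                          f"({p.consecutive_failures} consecutive failures)")
        if issues:
            findings.append((p, issues))
    return findings
```

Feed it the saved output of `repadmin /showrepl` from each DC and the forest's actual tombstoneLifetime; a partner flagged for age is the one that needs the lingering-object check before replication is re-enabled.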

    Hello Sandesh,
    I spent a lot of time trying to understand using NETDOM to reset machine account passwords (don't understand it yet), but I see that you're saying that won't work anyway.
    I'm not really sure how to tell which DC is the broken one, but I'm assuming it's BORIS since that's the one users are unable to connect to. Since it is the FSMO role holder and GC I want to make sure I understand the steps correctly:
    1.Use dcpromo to forcefully demote BORIS
    2.Do metadata cleanup on NATASHA (using ntdsutil?)
    3.Promote BORIS again to DC
    Should I leave NATASHA as the FSMO role holder and GC? BORIS is the better (more resources/faster processor) machine and it's the file server. Or should the better machine be the FSMO role holder and GC as well as the file server? NATASHA is meant to be a backup in case BORIS dies.
    Thanks,
    Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP www.InfoTek831.com
    Hi,
    The steps you are performing are correct, but you also need to seize the FSMO roles on the other DC if BORIS is the FSMO role holder, and configure the authoritative time server role. You can later move the FSMO roles to the BORIS server; the choice is yours. However, if you are moving the roles then you need to configure the authoritative time server on the BORIS server.
    Configuring the time service on the PDC Emulator FSMO role holder
    http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
    Domain Replication has exceeded the tombstone lifetime
    http://pmeijden.wordpress.com/2011/01/12/domain-replication-has-exceeded-the-tombstone-lifetime/
    Forceful removal of a DC:
    http://support.microsoft.com/kb/332199
    How to transfer or seize FSMO roles
    http://sandeshdubey.wordpress.com/2011/10/07/how-to-transfer-or-seize-fsmo-roles/
    Metadata Cleanup of a Domain controller
    http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/
    Once both servers are online, check the health of the DCs by running dcdiag /q and repadmin /replsum. Ensure that the DNS/GC role is configured on both DCs.
    Hope this helps
    Best Regards,
    Sandesh Dubey.
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator |
    My Blog
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Active directory SYSVOL replication issues

    Hello.
    I have 2 domain controllers, both of them on the same site: DC1 & DC2. I have added a new site with a DC3. When I added DC3 to the domain, I realized SYSVOL was not initialized correctly. I went back to DC1 and found the following error in the event viewer:
    Error: 4012 on DC1
    The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
    Error: 2213 on DC2
    The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
    This indicates a DFS replication issue between DC1 & DC2, and probably this is the reason why the SYSVOL was not properly initialized on DC3.
    How can I restore correct DFS replication between DC1 & DC2? I've read this article, but it's not clear to me which of the 2 domain controllers has a good version of SYSVOL, and I cannot find a decent step-by-step article for reconnecting a Windows 2012 domain controller.
    Any idea how I can proceed further here?

    Here's complete documentation with the resolution of my issue. I created this documentation for my own purposes in our wiki, so I will paste it here (I hope it will help somebody else in the future):
    The Problem
    We have bought a new server for our domain. This server (NEWDC01) was promoted to be a domain controller in the DOMAIN. After the promotion, I added a single computer to the domain. When I logged the client on to the domain, I realized this computer was not using the new domain controller (NEWDC01) for authentication, but the DC02 domain controller instead. This is not intended. Local clients should use local domain controllers for authentication (assuming the Active Directory Sites & Services are configured properly). Further investigation revealed there are some replication errors on the OLDDC01 & OLDDC02 servers. First I need to solve these replication errors. Then I can add the NEWDC01 server to the domain properly.
    Analysis
    There are several errors related to DFSR replication on both domain controllers:
    Error: 4012 on OLDDC01
    The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
    Error: 2213 on OLDDC02
    The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
    In order to have Active Directory in a healthy condition, one must ensure there is successful replication between the existing domain controllers up and running. If the replication does not work correctly, you can expect a bunch of issues:
    • group policies and logon scripts are not applied correctly, or as intended
    • when you want to add a new domain controller to the domain, it will not work as expected (although you will not see any specific errors after the server is promoted to be a domain controller)
    Active Directory backup
    I have scheduled an AD backup on the OLDDC01 server using the ‘Windows Backup’ solution to make sure I can restore the AD / SYSVOL in case something goes wrong. The backup is scheduled to be executed every day.
    Active Directory restore
    In this particular case, I will talk only about SYSVOL restore. As indicated above, we must get rid of the DFSR errors which you can find in the event viewer. One of them indicates that the JET database was not shut down cleanly and auto recovery was disabled. The other error indicates the SYSVOL volume is no longer replicated. I am not sure what the reason is why the ADs in the domain stopped replicating. Probably it was an unclean server shutdown. The DFSR service stopped replicating the SYSVOL share and I was not aware of that. When the replication did not run for more than ~99 days, the SYSVOL share was excluded from the DFSR replications.
    Find out the most accurate SYSVOL share in the domain
    I have compared the content of the SYSVOL directories on both the OLDDC01 and OLDDC02 servers: C:\Windows\SYSVOL\domain\Policies. Both directories have 37 subdirectories. Each subdirectory corresponds to one group policy. This means that the content is approximately the same, thus I can’t tell which version is most recent. I do most of the GPO changes on OLDDC01, so I concluded that this server contains the most recent version of the SYSVOL share.
    There are 2 types of SYSVOL restores you can do:
    • Authoritative restore
    • Non-authoritative restore
    Non-authoritative restore
    This is the simpler kind of restore. You can perform this kind of restore when you are sure that one of the domain controllers is authoritative (e.g. you presume the SYSVOL share is intact and working properly). If you can identify such a working server, you can perform a non-authoritative restore of Active Directory on a broken domain controller.
    Authoritative restore
    In this case, you can designate a specific domain controller to be authoritative. You set a special flag on this server, which will prohibit overwriting its state from other domain controllers when replication is enabled on the server again. After you designate one server to be authoritative, you need to update all the other domain controllers using the non-authoritative procedure.
    In this article, you can find how to perform an authoritative vs. non-authoritative AD restore:
    http://support.microsoft.com/kb/2218556.
    In my case, I was not sure which of the domain controllers had a more recent copy of AD, so I decided to make OLDDC01 authoritative (check the link above). Once this had been done, I made a non-authoritative update on the OLDDC02 server.
    Everything was almost ready. The last step I needed to execute was to fix the ‘JET’ event viewer error on SRVBK1. In the event log entry at the bottom, you can find the following:
    Recovery Steps
    1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
    2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
    wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="D37A9FC3-8B1D-11E2-93E8-806E6F6E6963" call ResumeReplication
    For more information, see http://support.microsoft.com/kb/2663685.
    Final words
    After I executed this command, replication was started again between the OLDDC01 and OLDDC02 servers. After I started up the NEWDC01 server, I realized it had automatically replicated the contents of the SYSVOL share - almost immediately after the server was started up. I again tried to log in with the local client into the DOMAIN domain and now I see that the local client is using the local domain controller for authentication.
    Everything seems to be OK now.

  • AD replication issue. had 1722 error after running repadmin

    Hi,
    I got a 1722 error (The RPC server is unavailable) when I ran repadmin /replsummary. The result indicates that one source DSA is having the 1722 error, and the problem DC is the DC I ran the repadmin command from.
    Does that make sense? Why can the DC itself not RPC to itself?
    Thanks
    Qing

    I would start with what is mentioned in this Wiki article: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
    That should be a good start for troubleshooting.
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • DC Replication issue

    Hello Team,
    We have built a new Domain Controller in our environment with OS 2003 Server.
    While checking for replication from an existing server (using the command repadmin /replsummary) I get an error as below:
    1753 - NLHAAAHDC002
    (NLHAAAHDC002 is the DC name that is newly built)
    Also if I run the same command on the new server (NLHAAAHDC002) I get the error as below:
    "'repadmin' is not recognized as an internal or external command,
    operable program or batch file".
    An urgent response is appreciated.
    Regards,
    Suman Rout

    Hi Suman,
    Please refer to the Microsoft KB article linked below for troubleshooting steps for the DC replication issue:
    http://support.microsoft.com/kb/2089874/en-us
    Regards,
    Gopi
    JiJi Technologies

  • 10.9: Server Replication Issue

    Hi there guys,
    I have seen several posts about this replication issue since 2012. I have 2 fresh-install systems, 10.9 with Server app 3.0.2 on both boxes. DNS shows as correctly set up, but I'm totally lost on where to continue.
    Is there anyone out there that has already resolved this?
    domaintest2:~ admin$ sudo slapconfig -createreplica 192.168.2.17 diradmin
    Password:
    2014-01-08 01:05:11 +0000 slapconfig -createreplica
    diradmin's Password:
    2014-01-08 01:05:22 +0000 1 Creating computer record for replica
    2014-01-08 01:05:26 +0000 command: /usr/sbin/slapconfig -delkeychain /LDAPv3/127.0.0.1 domaintest2.int$
    2014-01-08 01:05:26 +0000 Added computer password to keychain
    2014-01-08 01:05:26 +0000 Adding ldap and host service principals
    Unable to obtain kerberos princ, using CRAM-MD5: -2
    Unable to obtain kerberos princ, using CRAM-MD5: -2
    2014-01-08 01:05:26 +0000 2 Creating ldap replicator user
    2014-01-08 01:05:26 +0000 _ldap_replicator exists from previous replica - migrating
    2014-01-08 01:05:26 +0000 NSString *_getReplicatorPasswordWithNode(ODNode *): no syncrepl attribute found in results
    2014-01-08 01:05:26 +0000 Unable to get replicator password, recreating replicator
    2014-01-08 01:05:27 +0000 GetLastServerID: Error creating DSLDAPContainer: 77014 Can't contact LDAP server (-1)
    2014-01-08 01:05:27 +0000 ServerID for this replica 1
    2014-01-08 01:05:27 +0000 SetLastServerID: Unable to create DSLDAPContainer: 77014 Can't contact LDAP server (-1)
    2014-01-08 01:05:27 +0000 Error setting last server id
    2014-01-08 01:05:28 +0000 command: /usr/bin/sntp -s time.apple.com.
    2014-01-08 01:05:29 +0000 3 Updating local replica configuration
    2014-01-08 01:05:29 +0000 4 Gathering replication data from the master
    2014-01-08 01:05:29 +0000 5 Copying master database to new replica
    2014-01-08 01:05:29 +0000 Removed directory at path /var/db/openldap/openldap-data.
    2014-01-08 01:05:29 +0000 Starting LDAP server (slapd)
    2014-01-08 01:05:30 +0000 slapd started
    2014-01-08 01:05:30 +0000 Stopping LDAP server (slapd)
    2014-01-08 01:05:31 +0000 command: /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    2014-01-08 01:05:31 +0000 command: /usr/sbin/slapadd -c -w -l /var/db/openldap/openldap-data/backup.ldif
    2014-01-08 01:05:31 +0000 command: /usr/sbin/slapadd -c -w -b cn=authdata -l /var/db/openldap/authdata/authdata.ldif
    2014-01-08 01:05:31 +0000
    2014-01-08 01:05:31 +0000 52cca45b slapd is running in import mode - only use if importing large data
              52cca45b bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    2014-01-08 01:05:31 +0000 6 Starting new replica
    2014-01-08 01:05:31 +0000 Starting LDAP server (slapd)
    2014-01-08 01:05:31 +0000 slapd started
    2014-01-08 01:05:31 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2014-01-08 01:05:31 +0000 command: /usr/bin/ldapsearch -x -LLL -H ldapi://%2Fvar%2Frun%2Fldapi -b cn=config -s base olcServerID
    2014-01-08 01:05:31 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2014-01-08 01:05:31 +0000 Starting password server
    2014-01-08 01:05:37 +0000 CFStringRef CopyHostGUID(DSLDAPContainerRef, CFStringRef): Could not get query results
    2014-01-08 01:05:37 +0000 FATAL : Could not retrieve HOST GUID for parent
    2014-01-08 01:05:37 +0000 FATAL : Could not retrieve HOST GUID for parent (error = 78)
    2014-01-08 01:05:37 +0000 Deleting Cert Authority related data
    2014-01-08 01:05:37 +0000 No intCAIdentity, not removing int CA from keychain
    2014-01-08 01:05:37 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
    2014-01-08 01:05:37 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
    2014-01-08 01:05:37 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
    2014-01-08 01:05:37 +0000 Updating ldapreplicas on primary master
    2014-01-08 01:05:37 +0000 Unable to create ODNode for domaintest1.int: 2100 Connection failed to the directory server.
    2014-01-08 01:05:37 +0000 Primary master node is nil!
    2014-01-08 01:05:37 +0000 Unable to locate ldapreplicas record: 0 (null)
    2014-01-08 01:05:37 +0000 Error setting read ldap replicas array: 0 (null)
    2014-01-08 01:05:37 +0000 Error setting write ldap replicas array: 0 (null)
    2014-01-08 01:05:37 +0000 ODRecord *_getODRecord(ODNode *, NSString *, NSString *, NSArray *): ODNodeRef parameter error
    2014-01-08 01:05:37 +0000 int _removeReplicaFromConfigRecord(ODNode *, NSString *): ODRecord not found
    2014-01-08 01:05:37 +0000 Error synchronizing ldapreplicas: 0 (null)
    2014-01-08 01:05:37 +0000 Removing self from the database
    2014-01-08 01:05:37 +0000 Warning: An error occurred while re-enabling GSSAPI.
    2014-01-08 01:05:38 +0000 Stopping LDAP server (slapd)
    2014-01-08 01:05:39 +0000 Stopping password server
    2014-01-08 01:05:39 +0000 Removed all service principals from keytab for realm DOMAINTEST1.INT
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/alock.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/authdata.ldif.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
    2014-01-08 01:05:39 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
    2014-01-08 01:05:39 +0000 Removed directory at path /var/db/openldap/authdata.
    2014-01-08 01:05:39 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
    2014-01-08 01:05:39 +0000 Removed file at path /etc/openldap/slapd.conf.
    2014-01-08 01:05:39 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
    2014-01-08 01:05:39 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
    2014-01-08 01:05:39 +0000 Removed directory at path /etc/openldap/slapd.d.
    2014-01-08 01:05:39 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
    2014-01-08 01:05:39 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
    2014-01-08 01:05:39 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
    2014-01-08 01:05:39 +0000 Stopping password server
    2014-01-08 01:05:39 +0000 Removed file at path /etc/ntp_opendirectory.conf.
    2014-01-08 01:05:39 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

    We're having the exact same issue, also between two 10.9 servers - any luck finding a resolution?

  • Replication issue between lync 2010 FE and lync 2013 FE

    Hello
    I am facing an issue with my Lync servers.
    I was in the last steps of the migration process from Lync 2010 to 2013 Enterprise Edition,
    where the CMS was moved already to 2013, and later on I checked the replication many times and it was fine. Then I deleted the CMS DB from the 2010 FE and I checked the replication and it was fine.
    Later on I proceeded to delete the archiving server and monitoring server and it was fine.
    Later on I proceeded to:
    Reset call admission control
    Prevent sessions for services
    Stop Lync Server 2010 services
    Remove a Front End Server from a pool
    I just faced this replication issue after I started the process to delete the Lync 2010 pool, which I'm stuck on now.
    One more thing: while I was trying to delete the 2010 front end pool, I got the error:
    Error: An error occurred: "System.InvalidOperationException" "Cannot publish topology changes. Conference directories still exist on a pool that would be deleted. Remove the conference directories before continuing."
    So I moved the conference directories from the 2010 pool to the 2013 pool successfully.
    But later on when I checked the replication I noticed the replication issue:
    Get-CsManagementStoreReplicationStatus
    UpToDate           : False         """""""""""""""""""it is already shutdown
    ReplicaFqdn        : HQ-EDGE01.mydom
    LastStatusReport   :
    LastUpdateCreation : 3/23/2015 11:22:17 AM
    ProductVersion     :
    UpToDate           : True
    ReplicaFqdn        : HQ-LYNC2013-FE.mydom
    LastStatusReport   : 3/19/2015 5:21:27 PM
    LastUpdateCreation : 3/19/2015 5:21:25 PM
    ProductVersion     : 5.0.8308.556
    UpToDate           : False
    ReplicaFqdn        : HQ-LYNC-FE-01.mydom
    LastStatusReport   : 3/19/2015 11:38:25 AM
    LastUpdateCreation : 3/23/2015 11:52:17 AM
    ProductVersion     : 4.0.7577.0
    Then I ran Invoke-CsManagementStoreReplication, followed by:
    Get-CsManagementStoreReplicationStatus
    UpToDate           : False     """""""""""""""""""it is already shutdown """"""""""""""""""
    ReplicaFqdn        : HQ-EDGE01.mydomain
    LastStatusReport   :
    LastUpdateCreation : 3/23/2015 10:18:22 PM
    ProductVersion     :
    UpToDate           : True
    ReplicaFqdn        : HQ-LYNC2013-FE.mydomain
    LastStatusReport   : 3/23/2015 10:18:26 PM
    LastUpdateCreation : 3/23/2015 10:18:22 PM
    ProductVersion     : 5.0.8308.556
    UpToDate           : False
    ReplicaFqdn        : HQ-LYNC-FE-01.mydomain
    LastStatusReport   : 3/19/2015 11:38:25 AM
    LastUpdateCreation : 3/23/2015 10:18:22 PM
    ProductVersion     : 4.0.7577.0
    ====================
    Get-CsManagementStoreReplicationStatus
    UpToDate           : False  """"""""""""""" it is already down """""""""""""""""""""
    ReplicaFqdn        : HQ-EDGE01.mydomain
    LastStatusReport   :
    LastUpdateCreation : 3/23/2015 10:53:23 PM
    ProductVersion     :
    UpToDate           : True
    ReplicaFqdn        : HQ-LYNC2013-FE.mydomain
    LastStatusReport   : 3/23/2015 10:18:26 PM
    LastUpdateCreation : 3/23/2015 10:18:22 PM
    ProductVersion     : 5.0.8308.556
    UpToDate           : False
    ReplicaFqdn        : HQ-LYNC-FE-01.mydomain
    LastStatusReport   : 3/19/2015 11:38:25 AM
    LastUpdateCreation : 3/23/2015 10:53:23 PM
    ProductVersion     : 4.0.7577.0
    Why is LastUpdateCreation : 3/23/2015 10:53:23 PM from the Lync 2010 pool????
    I'm not doing any change on the 2010 pool now (I just try to delete it); all the changes are on the 2013 pool.
    For the Edge Server 2013 I shut down the server since there is another configuration issue there (so replication to the Edge Server is not the issue now since it is down).
    My question is: will this affect my Lync 2013 since it is the production now? Will these uncompleted steps for removing the 2010 pool affect my production?
    Does the replication issue affect my 2013 pool?
    Kind Regards
    MK

    Hi,
    From your description above, did you mean that before deleting the Lync Server 2010 pool from the topology, you found the replication of the Lync 2010 FE Server was not up to date?
    If that is the case, based on my knowledge, there is no effect on the Lync Server 2013 pool. Please double-check that the Lync Server 2013 pool works normally and that Lync users in the Lync 2013 pool can use all Lync functions without issues. Then you can delete the Lync 2010 pool
    from the topology and publish it. After finishing that, please re-run step 2 on the Lync Server 2013 FE Servers.
    Best Regards,
    Eason Huang  
    Eason Huang
    TechNet Community Support
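
    The check Eason asks for (confirm the 2013 pool is healthy before removing the 2010 pool) can be scripted. The following is an added example, not code from the thread or from Microsoft: it triggers a CMS replication run and then classifies every replica returned by Get-CsManagementStoreReplicationStatus. It relies on the distinction visible in the output above: Invoke-CsManagementStoreReplication makes the Master Replicator build a new package, which refreshes LastUpdateCreation for every replica (including ones that are powered off), whereas LastStatusReport only moves when the replica itself applies the package and reports back. The $KnownOffline list (seeded with HQ-EDGE01 from the thread), the wait time and the staleness threshold are assumptions to adjust; the script assumes the Lync Server Management Shell (module "Lync") on a Front End server.

```powershell
# Added example, not code from the original thread. Assumes the Lync Server 2013
# Management Shell (module "Lync") is available on a Front End server.
param(
    # Replicas known to be deliberately down; HQ-EDGE01 is taken from the thread.
    [string[]] $KnownOffline = @('HQ-EDGE01.mydomain'),
    [int]      $WaitSeconds  = 120,   # assumed time to let replicas report back
    [int]      $StaleHours   = 24     # assumed threshold for a missing status report
)

Import-Module Lync -ErrorAction Stop

# Ask the Master Replicator to build and push a fresh package to every replica.
# This refreshes LastUpdateCreation on all replicas, including ones that are
# down; only LastStatusReport tells you the replica actually applied it.
Invoke-CsManagementStoreReplication
Start-Sleep -Seconds $WaitSeconds

$now = Get-Date
$report = foreach ($r in Get-CsManagementStoreReplicationStatus) {
    $offline = $KnownOffline -contains $r.ReplicaFqdn
    $stale   = (-not $r.LastStatusReport) -or
               (($now - $r.LastStatusReport).TotalHours -gt $StaleHours)

    if     ($r.UpToDate) { $state = 'OK' }
    elseif ($offline)    { $state = 'KnownOffline' }
    elseif ($stale)      { $state = 'NoRecentStatus' }
    else                 { $state = 'Pending' }

    New-Object PSObject -Property @{
        Replica          = $r.ReplicaFqdn
        State            = $state
        UpToDate         = $r.UpToDate
        LastStatusReport = $r.LastStatusReport
        LastUpdate       = $r.LastUpdateCreation
        Version          = $r.ProductVersion
    }
}

$report | Sort-Object State |
    Format-Table Replica, State, UpToDate, LastStatusReport, LastUpdate, Version -AutoSize

# Anything still Pending or NoRecentStatus that is not deliberately offline is
# what actually needs investigating (Replica service, file share, firewall).
$problems = $report | Where-Object { 'Pending', 'NoRecentStatus' -contains $_.State }
if ($problems) {
    $names = ($problems | ForEach-Object { $_.Replica }) -join ', '
    Write-Warning "Replicas not up to date: $names"
}
```

    Run it from the Lync Server Management Shell on HQ-LYNC2013-FE. A replica that stays in Pending after the wait, while its LastUpdateCreation keeps advancing, is exactly the pattern in the output above for HQ-LYNC-FE-01: the master keeps producing packages, the replica never acknowledges them.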

  • Data Domain - Replication Acceleration vs Application Acceleration?

    http://www.datadomain.com/pdf/DataDomain-Cisco-SolutionBrief.pdf
    I recently read an article by Cisco detailing the WAAS appliances' capability to add additional deduplication to Data Domain replication traffic being forwarded across the WAN. After reading the article and speaking with my SE, he recommended a 674 in Application Acceleration mode vs. the WAE 7341 in Replication Acceleration mode. The article also states Application Acceleration mode was used.
    Why is Application Acceleration mode recommended over Replication Acceleration mode for this traffic?
    I have a project requiring 15 - 20 GB / day of incremental backups to be replicated between 3 sites.  The sites are 90 ~ 110ms apart and the links are around 20mbps at each site.  Would a 674 in Application Acceleration mode really make a difference for the Data Domain replications?

    Is there any possibility you could dig up the configuration that was used on the WAAS Application Accelerator during the Data Domain testing? I see the Data Domain replication service runs over port TCP 4126. My SE recommends disabling the WAE 674s' DRE functions for the Data Domain traffic and simply relying on LZ & TFO. How do you disable DRE but still use LZ and TFO?
    I see 3 common settings:
    action optimize full                      LZ+TFO+DRE
    action optimize DRE no compression none   TFO only
    action pass-through                       bypass
    Can you do LZ+TFO only? None of the applications in the link below show this type of action setting. This leads me to believe my SE was really suggesting turning off DRE completely for the WAAS.
    This WAAS needs to optimize traffic for:
    Lotus Notes, HTTP, CIFS, Directory Services, RDP, and Data Domain
    Can all the applications above plus Data Domain be optimized from a pair of WAE 674s in AA mode?
    http://cisco.biz/en/US/docs/app_ntwk_services/waas/waas/v407/configuration/guide/apx_apps.html
    policy-engine application
       name Data-Domain
       classifier Data-Domain
          match dst port eq 4126
       exit
       map basic
          name Data-Domain classifier Data-Domain action optimize DRE no compression LZ
    exit

  • Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest

    Hello everyone,
    I'm managing a multi-domain forest (with 7 sub-domains). All are working fine except for one. Through repadmin (repadmin /replsum /bysrc /bydest /sort:delta), I noticed that both domain controllers of a subdomain (there are only 2 DCs in that
    subdomain) hadn't replicated with the rest of the forest for more than 60 days.
    According to my research, it's usually recommended to demote and re-promote the problematic DC to avoid the issue of lingering objects. In this case, it's both DCs of a sub-domain. Of course, on the other DCs in the forest, I get event
    ID 2012 "It has been too long since this machine last replicated with the named source machine....".
     HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
    to a value of 1. 
    As I understand it, this may cause lingering objects to appear (they can be removed with the repadmin /removelingeringobjects command with the DSA GUID, naming context, etc.). So far, I haven't used that registry key because of the associated risks.
    I haven't noticed any other issue so far. Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the other DCs in the forest (at least, I'm not getting any error in AD Sites
    and Services).
    I added two new DCs to the affected sub-domain, so the number of DCs for that domain went from 2 to 4. The two old DCs that hadn't replicated for 60 days are Windows Server 2003 and the two new DCs are Server 2008 R2.
    Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain. By that, I mean that I
    cannot add an Active Directory Domain Services Connection in the Sites & Services console (from a DC in another domain of the forest, or even the root domain). I see all the DCs, including the two old DCs that are Server 2003, but not the new ones.
    I believe it's because the other DCs don't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
    I was wondering what the best course of action is. Is it worthwhile to use the registry key to force replication with the old DCs? (And hopefully the new DCs will get their AD Services connection/replication vector created, so I can demote
    the old DCs.)
    Since the old DCs from the problematic sub-domain seem to be able to pull replication from the rest of the forest, is the risk of lingering objects not that great?
    Or is it too risky, so that I must create a new sub-domain and migrate the users one way or another? (Which would be time-consuming.)
    Thanks in advance,
    Adam

    Thanks for the reply. One of the links had another link to a good article about the use of repadmin:
    So, I ran the command "repadmin /removelingeringobjects" on one of the problematic DCs ().
    For clarity purposes, let's say I used the domains:
    domain = main domain
    subdomain = the domain whose DCs are problematic (all of them).
    AnotherSubDomain = just another subdomain I used as a "reference" DC to clean up the appropriate partition.
    Command (the DSA GUID is from a "clean" DC in another domain):
    repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
    I got the following message in the event viewer :
    Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
    Source domain controller:
    c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
    Number of objects examined and verified:
    0
    Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
    advisory mode option.
    How should I interpret the message "number of objects examined and verified: 0"? Does it mean it just didn't find any objects to compare? (Which would be odd, IMHO.) Or is there another problem?
    Thanks in advance,
    Adam
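
    The advisory-mode run Adam describes can be driven for a whole sub-domain from one script. The following is an added example, not code from the thread or from Microsoft. It takes a trusted reference DC, derives the source DSA GUID from that DC's NTDS Settings object (the same GUID that appears as the _msdcs CNAME in the event above), and runs repadmin /removelingeringobjects against every DC in the target domain, but only for naming contexts that both the target and the reference DC actually host. That filter matters for a result of "0 objects examined": a target that is not a global catalog holds no replica of another domain's partition, so there is nothing for repadmin to compare. The parameter names are mine; the script assumes the RSAT ActiveDirectory module, repadmin.exe, Enterprise Admin rights and at least one ADWS-capable (2008 R2) DC in the target domain, and the Directory Service event IDs it collects afterwards are taken from the Windows Server 2003/2008 R2 documentation and should be confirmed for your build.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module and repadmin.exe are installed, and the caller is an Enterprise Admin
# (needed to remove lingering objects from Configuration/GC partitions).
param(
    [Parameter(Mandatory=$true)] [string] $ReferenceDC,  # healthy DC whose copy is trusted, e.g. in AnotherSubDomain
    [Parameter(Mandatory=$true)] [string] $TargetDomain, # FQDN of the sub-domain whose DCs fell behind
    [switch] $Commit                                      # without this, stays in /advisory_mode
)
Import-Module ActiveDirectory -ErrorAction Stop

# repadmin wants the SOURCE DSA GUID: the objectGUID of the reference DC's
# NTDS Settings object (the CNAME under _msdcs), not its invocationId.
$refDC   = Get-ADDomainController -Identity $ReferenceDC
$dsaGuid = (Get-ADObject -Identity $refDC.NTDSSettingsObjectDN -Server $ReferenceDC).ObjectGUID.ToString()
$refNCs  = @($refDC.Partitions)

# -Server with a domain name lets AD Web Services pick a DC in that domain;
# this needs at least one 2008 R2 (ADWS-capable) DC there.
$targets = Get-ADDomainController -Filter * -Server $TargetDomain

foreach ($dc in $targets) {
    # Only verify partitions both sides hold. A non-GC target has no replica of
    # another domain's partition, so repadmin would report 0 objects examined.
    $common = @($dc.Partitions) | Where-Object { $refNCs -contains $_ }
    foreach ($nc in $common) {
        $cmdArgs = @('/removelingeringobjects', $dc.HostName, $dsaGuid, $nc)
        if (-not $Commit) { $cmdArgs += '/advisory_mode' }
        Write-Host ("repadmin " + ($cmdArgs -join ' '))
        & repadmin.exe @cmdArgs | Out-Host
    }
}

# Findings are written to the Directory Service log on each target. Event IDs
# (assumed from Windows Server 2003/2008 R2 documentation; verify on your build):
# 1937 = advisory scan started, 1946 = one lingering object found, 1942 = done.
# Get-EventLog uses the legacy API, so it also works against the 2003 DCs.
foreach ($dc in $targets) {
    Get-EventLog -ComputerName $dc.HostName -LogName 'Directory Service' -After (Get-Date).AddHours(-1) |
        Where-Object { 1937, 1942, 1946 -contains $_.EventID } |
        Select-Object MachineName, TimeGenerated, EventID, Message |
        Format-List
}
```

    Run it first without -Commit and read the per-object events before removing anything; a reference DC that is itself missing objects would make repadmin delete live objects on the targets, so choose one that has replicated cleanly with the rest of the forest. Because the reference DC in the thread sits in another domain, its writable partitions are the forest-wide ones plus its own domain, so the target domain's own partition can only be verified against a GC or against a DC of the same domain that is known to be clean.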

  • AD Replication issues, SYSVOL / NETLOGON not replicating

    Hello Experts!
    We have a client that recently called us for some assistance. The IT department had a new virtual environment stood up. They created 3 new VMs and promoted them all to domain controllers. The current domain and forest functional levels are (and were) Server
    2003. There were two existing domain controllers, both Server 2003. The new domain controllers are Server 2012 R2. After promoting the 3 new servers to DCs, they demoted one of the old DCs. Then they transferred FSMO roles to a new 2012 R2 DC. When they
    went to demote the last Server 2003 DC, it gave them the error that it is the last DC in the domain. That's when we were called to assist. I have since demoted 2 of the 3 new 2012 R2 DCs and transferred all FSMO roles back to the Server 2003 DC.
    I have been running some tools to try and gather data. Here is the DCDIAG from the last Server 2003 DC:
    C:\Documents and Settings\user>dcdiag /fix
    Domain Controller Diagnosis
    Performing initial setup:
       Done gathering initial info.
    Doing initial required tests
       Testing server: domainname\server2003server
          Starting test: Connectivity
             ......................... server2003server passed test Connectivity
    Doing primary tests
       Testing server: domainname\server2003server
          Starting test: Replications
             ......................... server2003server passed test Replications
          Starting test: NCSecDesc
             ......................... server2003server passed test NCSecDesc
          Starting test: NetLogons
             ......................... server2003server passed test NetLogons
          Starting test: Advertising
             ......................... server2003server passed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... server2003server passed test KnowsOfRoleHolders
          Starting test: RidManager
             ......................... server2003server passed test RidManager
          Starting test: MachineAccount
             ......................... server2003server passed test MachineAccount
          Starting test: Services
             ......................... server2003server passed test Services
          Starting test: ObjectsReplicated
             ......................... server2003server passed test ObjectsReplicated
          Starting test: frssysvol
             ......................... server2003server passed test frssysvol
          Starting test: frsevent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... server2003server failed test frsevent
          Starting test: kccevent
             ......................... server2003server passed test kccevent
          Starting test: systemlog
             An Error Event occured.  EventID: 0x0000410B
                Time Generated: 02/18/2015   19:27:04
                Event String: The request for a new account-identifier pool
             An Error Event occured.  EventID: 0xC4350607
                Time Generated: 02/18/2015   19:28:22
                Event String: Component: System Information Agent
             An Error Event occured.  EventID: 0xC00110CD
                Time Generated: 02/18/2015   19:28:22
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00072787
                Time Generated: 02/18/2015   19:28:22
                Event String: The WinRM service is unable to start because of a
             An Error Event occured.  EventID: 0xC0060024
                Time Generated: 02/18/2015   19:28:34
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0xC0002720
                Time Generated: 02/18/2015   19:32:26
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0xC25A001D
                Time Generated: 02/18/2015   14:33:27
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x825A0011
                Time Generated: 02/18/2015   14:33:28
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x825A0011
                Time Generated: 02/18/2015   14:33:31
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x0000410B
                Time Generated: 02/18/2015   14:36:18
                Event String: The request for a new account-identifier pool
             An Error Event occured.  EventID: 0xC4350607
                Time Generated: 02/18/2015   14:38:48
                Event String: Component: System Information Agent
             An Error Event occured.  EventID: 0x00072787
                Time Generated: 02/18/2015   14:38:48
                Event String: The WinRM service is unable to start because of a
             An Error Event occured.  EventID: 0xC4350505
                Time Generated: 02/18/2015   14:38:54
                Event String: NIC Agent: Connectivity has been lost for the NIC
             An Error Event occured.  EventID: 0x825A0011
                Time Generated: 02/18/2015   14:39:00
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x825A0011
                Time Generated: 02/18/2015   14:39:14
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168E
                Time Generated: 02/18/2015   14:39:54
                Event String: The dynamic registration of the DNS record
             An Error Event occured.  EventID: 0x0000168F
                Time Generated: 02/18/2015   14:42:09
                Event String: The dynamic deletion of the DNS record
             An Error Event occured.  EventID: 0x0000168F
                Time Generated: 02/18/2015   14:42:09
                Event String: The dynamic deletion of the DNS record
             An Error Event occured.  EventID: 0x0000168F
                Time Generated: 02/18/2015   14:42:09
                Event String: The dynamic deletion of the DNS record
             An Error Event occured.  EventID: 0x0000168F
                Time Generated: 02/18/2015   14:42:09
                Event String: The dynamic deletion of the DNS record
             An Error Event occured.  EventID: 0xC25A001D
                Time Generated: 02/18/2015   14:42:10
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x825A0011
                Time Generated: 02/18/2015   14:42:22
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x825A0011
                Time Generated: 02/18/2015   14:42:37
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0xC4350607
                Time Generated: 02/18/2015   14:48:03
                Event String: Component: System Information Agent
             An Error Event occured.  EventID: 0x00072787
                Time Generated: 02/18/2015   14:48:03
                Event String: The WinRM service is unable to start because of a
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   14:50:06
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   14:50:06
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   14:50:06
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   14:50:07
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   14:50:07
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   14:50:07
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   14:50:07
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   14:50:07
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   14:50:07
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   14:50:07
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x40000004
                Time Generated: 02/18/2015   14:55:30
                Event String: The kerberos client received a
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:11:36
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:11:37
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:11:37
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:11:38
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:11:38
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:11:38
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:11:38
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:11:38
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:11:38
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:11:39
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:16:07
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:16:08
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:16:08
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:16:09
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:16:09
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:16:09
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:16:10
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:16:10
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:16:10
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 02/18/2015   15:16:10
                (Event String could not be retrieved)
             ......................... server2003server failed test systemlog
          Starting test: VerifyReferences
             Some objects relating to the DC server2003server have problems:
                [1] Problem: Missing Expected Value
                 Base Object:
                CN= server2003server,OU=Domain Controllers,DC=domainname,DC=com
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: frsComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=NTDS Settings,CN= server2003server,CN=Servers,CN=domainname,CN=Sites,CN=Configuration,DC=domainname,DC=com
                 Base Object Description: "DSA Object"
                 Value Object Attribute Name: serverReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862
             ......................... server2003server failed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
       Running partition tests on : domainname
          Starting test: CrossRefValidation
             ......................... domainname passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... domainname passed test CheckSDRefDom
       Running enterprise tests on : domainname.com
          Starting test: Intersite
             ......................... domainname.com passed test Intersite
          Starting test: FsmoCheck
             ......................... domainname.com passed test FsmoCheck
    C:\Documents and Settings\user>
    Now the DCDIAG for the Server 2012 R2 DC.
    2012R2DC
    PS C:\Users\user > dcdiag /fix
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = 2012R2DC
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: domainname\2012R2DC
          Starting test: Connectivity
             ......................... 2012R2DC passed test Connectivity
    Doing primary tests
       Testing server: domainname\2012R2DC
          Starting test: Advertising
             Warning: DsGetDcName returned information for \\server2003server.domainname.com, when we were trying to reach 2012R2DC.
             SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
             ......................... 2012R2DC failed test Advertising
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
             replication problems may cause Group Policy problems.
             ......................... 2012R2DC passed test FrsEvent
          Starting test: DFSREvent
             ......................... 2012R2DC passed test DFSREvent
          Starting test: SysVolCheck
             ......................... 2012R2DC passed test SysVolCheck
          Starting test: KccEvent
             ......................... 2012R2DC passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... 2012R2DC passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... 2012R2DC passed test MachineAccount
          Starting test: NCSecDesc
             ......................... 2012R2DC passed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\2012R2DC \netlogon)
             [2012R2DC] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
             ......................... 2012R2DC failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... 2012R2DC passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check, 2012R2DC] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
             "Replication access was denied."
             ......................... 2012R2DC failed test Replications
          Starting test: RidManager
             ......................... 2012R2DC passed test RidManager
          Starting test: Services
                Could not open NTDS Service on 2012R2DC, error 0x5 "Access is denied."
             ......................... 2012R2DC failed test Services
          Starting test: SystemLog
             An error event occurred.  EventID: 0x0000041E
                Time Generated: 02/18/2015   14:39:32
                Event String:
                The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
             An error event occurred.  EventID: 0x0000041E
                Time Generated: 02/18/2015   14:44:34
                Event String:
                The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 02/18/2015   14:47:09
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cr-dc3$. The target name used was C
    RDC02$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when t
    he target server principal name (SPN) is registered on an account other than the account the target service is using. En
    sure that the target SPN is only registered on the account used by the server. This error can also happen if the target
    service account password is different than what is configured on the Kerberos Key Distribution Center for that target se
    rvice. Ensure that the service on the server and the KDC are both configured to use the same password. If the server nam
    e is not fully qualified, and the target domain (domainname.COM) is different from the client domain (domainname.COM),
     check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify
    the server.
             ......................... 2012R2DC failed test SystemLog
          Starting test: VerifyReferences
             ......................... 2012R2DC passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : domainname
          Starting test: CheckSDRefDom
             ......................... domainname passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... domainname passed test CrossRefValidation
       Running enterprise tests on : domainname.com
          Starting test: LocatorCheck
             ......................... domainname.com passed test LocatorCheck
          Starting test: Intersite
             ......................... domainname.com passed test Intersite
    PS C:\Users\user>
    From here I can see SYSVOL and NETLOGON are not replicating from server2003server. When I log on to server2003server and run ‘net share’ the SYSVOL and NETLOGON shares are shared. But, when I do the same on 2012R2DC there are no NETLOGON or SYSVOL shares.
    I see ntfrs issues. So I ran ntfrsutl ds on server2003server and the results are here:
    C:\Documents and Settings\user>ntfrsutl ds
    NTFRS CONFIGURATION IN THE DS
    SUBSTITUTE DCINFO FOR DC
       FRS  DomainControllerName: (null)
       Computer Name            : SERVER2003SERVER
       Computer DNS Name        : SERVER2003SERVER.domainname.com
    BINDING TO THE DS:
       ldap_connect     : SERVER2003SERVER.domainname.com
       DsBind     : SERVER2003SERVER.domainname.com
    NAMING CONTEXTS:
       SitesDn    : CN=Sites,cn=configuration,dc= domainname,dc=com
       ServicesDn : CN=Services,cn=configuration,dc= domainname,dc=com
       DefaultNcDn: DC= domainname,DC=com
       ComputersDn: CN=Computers,DC= domainname,DC=com
       DomainCtlDn: OU=Domain Controllers,DC= domainname,DC=com
       Fqdn       : CN= SERVER2003SERVER,OU=Domain Controllers,DC= domainname,DC=com
       Searching  : Fqdn
    COMPUTER: SERVER2003SERVER
       DN   : cn= SERVER2003SERVER,ou=domain controllers,dc= domainname,dc=com
       Guid : d3cfdf56-a013-40ab-a2e9ffc3d88896bd
       UAC  : 0x00082000
       Server BL : CN= SERVER2003SERVER,CN=Servers,CN=domainname,CN=Sites,CN=Configuration,DC= SERVER2003SERVER,DC=com
       Settings  : cn=ntds settings,cn= SERVER2003SERVER,cn=servers,cn= domainname,cn=sites,cn=configuration,dc= domainname,dc=com
       DNS Name  : SERVER2003SERVER. domainname.com
       WhenCreated  : 5/29/2007 10:36:30 Eastern Standard Time Eastern Daylight Time [300]
       WhenChanged  : 2/17/2015 11:21:58 Eastern Standard Time Eastern Daylight Time [300]
       SUBSCRIPTION: NTFRS SUBSCRIPTIONS
          DN   : cn=ntfrs subscriptions,cn= SERVER2003SERVER,ou=domain controllers,dc= domainname,dc=com
          Guid : 5d0ca299-209d-4814-ae6d7acd9209e10a
          Working       : c:\windows\ntfrs
          Actual Working: c:\windows\ntfrs
          WhenCreated  : 5/29/2007 10:50:26 Eastern Standard Time Eastern Daylight Time [300]
          WhenChanged  : 5/29/2007 10:50:26 Eastern Standard Time Eastern Daylight Time [300]
          SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
             DN   : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn= SERVER2003SERVER,ou=domain controllers,dc= domainname,dc=com
             Guid : fb56d707-3c40-429f-bd7c63d227b9fb5d
             Member Ref: (null)
             Root      : c:\windows\sysvol\domain
             Stage     : c:\windows\sysvol\staging\domain
             WhenCreated  : 5/29/2007 10:50:26 Eastern Standard Time Eastern Daylight Time [300]
             WhenChanged  : 5/29/2007 10:50:26 Eastern Standard Time Eastern Daylight Time [300]
       SERVER2003SERVER IS NOT A MEMBER OF ANY SET!
    C:\Documents and Settings\user>
    Also worth noting that when we power down SERVER2003SERVER no computer can contact a logon server. 
    The last line of this worries me as well. I am going to continue to work on this but I wanted to get these logs to some other eyes in case you have some ideas off the bat. Thanks in advance!

    I would first recommend making sure that the new DCs are also global catalogs, and referring to the IP setting recommendations I shared here: http://www.ahmedmalek.com/web/fr/home.asp
    It is possible to do a non-authoritative restore of SYSVOL to make it appear on the other DCs: https://support.microsoft.com/kb/290762?wa=wsignin1.0
    However, you would need to upgrade to DFSR.
    Ahmed MALEK
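    The following is an added example, not code from the original thread or from Ahmed's answer. It walks the three points the answer raises against the setup visible in the dcdiag and ntfrsutl output: whether every DC is a global catalog, whether the new DC publishes SYSVOL and NETLOGON, and, because the ntfrsutl output shows SYSVOL still on FRS, the non-authoritative (D2) restore that KB 290762 describes. The names 2012R2DC and SERVER2003SERVER come from the thread; everything else (the replica-set DN layout, the event IDs, the registry key) is standard FRS. Run it from an elevated PowerShell on 2012R2DC.

```powershell
# Added example: GC check, share check and FRS non-authoritative restore.
# Assumes 2012R2DC lacks SYSVOL/NETLOGON and SERVER2003SERVER still has them.
Import-Module ActiveDirectory

$badDc  = '2012R2DC'            # DC without the shares (from the thread)
$goodDc = 'SERVER2003SERVER'    # DC that still shares SYSVOL and NETLOGON

# 1. Global catalog flag on every DC in the forest.
Get-ADDomainController -Filter * |
    Select-Object Name, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

# 2. Share check. NETLOGON is only published after FRS (or DFSR) reports
#    SYSVOL ready, so a missing NETLOGON usually means SYSVOL never initialised.
foreach ($dc in $badDc, $goodDc) {
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $state = if (Test-Path "\\$dc\$share") { 'shared' } else { 'MISSING' }
        '{0,-17} {1,-9} {2}' -f $dc, $share, $state
    }
}

# 3. A D2 restore can only join a DC that has an nTFRSMember object in the
#    SYSVOL replica set. "IS NOT A MEMBER OF ANY SET" in the ntfrsutl output
#    is the 2003 side's own report of a broken membership, so check both DCs.
$domainDn = (Get-ADDomain).DistinguishedName
$setDn    = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"
$members  = Get-ADObject -LDAPFilter '(objectClass=nTFRSMember)' -SearchBase $setDn |
            Select-Object -ExpandProperty Name
"SYSVOL replica set members: $($members -join ', ')"
foreach ($dc in $badDc, $goodDc) {
    if ($members -notcontains $dc) { Write-Warning "$dc has no nTFRSMember object in the SYSVOL replica set" }
}
if ($members -notcontains $badDc) {
    throw "D2 will not join $badDc to the set until its membership object exists; fix that first."
}

# 4. Non-authoritative restore (KB 290762): BurFlags = 0xD2 on the DC that is
#    missing SYSVOL. At the next FRS start it discards its copy and re-pulls
#    the tree from a partner. Never set D2 on the last DC with a good SYSVOL.
#    The key name contains "/", which the PowerShell registry provider treats
#    as a path separator, so the .NET registry API is used instead of
#    Set-ItemProperty.
Stop-Service NtFrs
$subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
$key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()
Start-Service NtFrs

# 5. Confirm. FRS event 13565 = non-authoritative restore started,
#    13516 = SYSVOL initialised and Netlogon told it may share it.
Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13565, 13516 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

Re-run `dcdiag /test:NetLogons` once 13516 has been logged; if 13565 appears but 13516 never follows, FRS could not reach a partner holding a good SYSVOL, which is the case to investigate before considering the DFSR migration the answer mentions.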

  • Active Directory Ghost Object replication issue

    I have a Windows 2003, Single Forest with nearly 50 Domains. This is a constantly changing, deployable system where not all Domains are connected and online at all times.
    Some months ago 2 of these domains were held up in transit and tombstoned. Before they were connected to the Forest again they went to our Hardware support department to be "cleaned", meaning remove dust etc.; instead they wiped the arrays on all servers.
    Our Level 4 Support team reanimated these nodes after restoring them from a really old backup.
    This backup did not reflect the AD as it was when it was deleted, therefore we have several orphaned objects from those domains. The Domains are functioning correctly and replicating; however, the GC in the forest is inconsistent and the orphaned/ghost objects are still being replicated.
    We have rehosted the directory partitions from the problem nodes to online domains, which works fine, but as soon as another domain comes online the orphaned objects are again replicated into the Global Catalog. The nature of our system means that we cannot control when the other domains are coming back online to rehost them before replicating the object items back into the GC.
    I have made several LDAP queries and can see that the items no longer exist on the problem domain, the only reference to the objects is in the GC directory partitions of those domains.
    The biggest issue I have is that these objects were mail enabled users and when the GAL queries the GC it is repopulating them. 
    I've hit a bit of a wall now and do not know how we can remove these ghost objects without having all domains online at the same time and rehosting the problem domains' partitions forest wide. I'd appreciate any assistance.
    I have asked this question before but with less detail so I'm having another go!

    An AD backup is as good as the Tombstone lifetime. By default the TSL of a 2003 forest functional level is 60. So if you haven't done this already you should probably configure a higher value for the TSL. By default Strict Replication Consistency is also enabled to prevent DCs that have been disconnected for a long time from propagating lingering objects into the AD topology; check to see if you have this enabled. You should use "repadmin" to remove the lingering objects.
    "When a domain controller in your Active Directory environment is disconnected from the replication topology for an extended period of time, all objects that are deleted from AD DS on all other domain controllers might remain on the disconnected domain controller. Such objects are called lingering objects. When this domain controller is reconnected to the replication topology, it acts as a source replication partner that has one or more objects that its destination replication partners no longer have.
    Problems occur when these lingering objects on the source domain controller are updated and these updates are sent by replication to the destination domain controllers. A destination domain controller can respond in one of two ways:
    If the destination domain controller has strict replication consistency enabled, it recognizes that it cannot update the object (because the object does not exist), and it locally halts inbound replication of the directory partition from that source domain controller.
    If the destination domain controller does not have strict replication consistency enabled, it requests the full replica of the updated object, which introduces a lingering object into the directory."
    Also keep in mind that the Infrastructure Master role handles the cross-domain references and phantoms from the global catalog in its domain. Make sure that you either have all DCs as Global Catalogs or do not place the GC on the DC with the IM role.
    Here are some useful links:
    Determine the tombstone lifetime for the forest
    Event ID 1388 or 1988: A lingering object is detected
    Use Repadmin to remove lingering objects
    Enable strict replication consistency
    FSMO placement and optimization on Active Directory domain controllers
    Phantoms, tombstones and the infrastructure master
    http://mariusene.wordpress.com/
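    The following is an added example, not code from the original thread or from the answer above. It performs the three checks the answer lists against a Windows Server 2003 forest: read the forest tombstone lifetime, read the Strict Replication Consistency value on every DC, and run `repadmin /removelingeringobjects` in advisory mode, which only reports what would be removed. It uses `[adsi]` rather than the ActiveDirectory module so that it runs under PowerShell 2.0 on 2003; `repadmin` comes from the 2003 Support Tools, and the remote registry read needs the Remote Registry service on each DC. The naming context and the clean source DC name are placeholders.

```powershell
# Added example: TSL, strict replication consistency and an advisory-mode
# lingering-object scan. Placeholders: $nc and the clean source DC name.
$rootDse  = [adsi]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value

# 1. Tombstone lifetime. An unset attribute means the forest default applies.
$dsObj = [adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tsl   = $dsObj.tombstoneLifetime.Value
if ($tsl) { "tombstoneLifetime = $tsl days" } else { 'tombstoneLifetime not set; forest default applies' }

# 2. Enumerate DCs with their DSA object GUIDs (the GUID repadmin wants as the
#    source), then read Strict Replication Consistency from each DC's registry.
#    "repadmin /regkey * +strict" sets the value on every DC; here it is only read.
$searcher = [adsisearcher]'(objectClass=nTDSDSA)'
$searcher.SearchRoot = [adsi]"LDAP://CN=Sites,$configNc"
$dcs = @()
foreach ($r in $searcher.FindAll()) {
    $serverDn = $r.Properties['distinguishedname'][0] -replace '^CN=NTDS Settings,', ''
    $server   = [adsi]"LDAP://$serverDn"
    $guid     = New-Object System.Guid -ArgumentList (,[byte[]]$r.Properties['objectguid'][0])
    $dcs += New-Object PSObject -Property @{
        Name    = $server.dNSHostName.Value
        DsaGuid = $guid.ToString()
    }
}
foreach ($dc in $dcs) {
    $strict = $null
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.Name)
        $key  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        $strict = $key.GetValue('Strict Replication Consistency')
    } catch { $strict = "unreadable: $($_.Exception.Message)" }
    '{0,-35} DSA GUID {1}  strict={2}' -f $dc.Name, $dc.DsaGuid, $strict
}

# 3. Advisory-mode scan of one naming context. The source must be a writable,
#    known-clean DC of that domain; the targets are every other DC, which for a
#    foreign domain's NC means the GCs holding a read-only copy (DCs that do not
#    host the NC simply return an error and can be ignored).
$nc          = 'DC=child,DC=example,DC=com'                    # placeholder NC of the tombstoned domain
$cleanSource = $dcs | Where-Object { $_.Name -eq 'dc1.child.example.com' }   # placeholder clean DC
if (-not $cleanSource) { throw 'Clean source DC not found; set the placeholder name.' }
foreach ($t in $dcs | Where-Object { $_.Name -ne $cleanSource.Name }) {
    "--- advisory scan of $nc on $($t.Name) against $($cleanSource.Name)"
    & repadmin /removelingeringobjects $t.Name $cleanSource.DsaGuid $nc /advisory_mode
}
# Directory Service event 1942 on each target summarises the run and 1946 is
# logged once per lingering object found. Review those, then repeat the
# repadmin command without /advisory_mode to delete them.
```

The advisory run is the safety check: it identifies objects on the target that the clean source no longer has, without deleting anything, so a wrong choice of source (one that itself carries ghost objects) shows up as an implausibly short or empty report rather than as data loss.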

  • Windows Server 2003 Active Directory Replication Issue

    Dear Friends,
    A few days ago my Primary Domain Controller crashed, so I restored a 1 month old full server image.
    But the issue is that after restoration, replication between the domain controllers is not working.
    Error message on DC2: Target Principal Name is incorrect
    Event Log on Restored DC1:
    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 4
    Date:  3/18/2014
    Time:  10:50:00 AM
    User:  N/A
    Computer: ***
    Description:
    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/**.domain.com.  The target name used was cifs/dc2. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (domain.COM), and the client realm.   Please contact your system administrator.

    Have  a look:
    https://msmvps.com/blogs/vandooren/archive/2009/04/02/the-kerberos-client-received-a-krb-ap-err-modified-error.aspx
    Regards,
    Rafic
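    The following is an added example, not code from the original post or from the linked article. It is the triage a practitioner would run on a 2003 DC restored from an old image before trusting Kerberos again: first look for the USN-rollback markers that an image restore can leave (if present, the DC must be demoted and re-promoted and no password reset will help), then look for duplicate SPNs across the forest (the other cause the event text names), then reset the restored DC's machine-account password against the healthy DC, which is the KB 325850 remedy for the "password used to encrypt the ticket is different" case. `netdom` comes from the 2003 Support Tools and `Get-EventLog` works under PowerShell 2.0. "DC2" comes from the event text; `domain\admin` is a placeholder.

```powershell
# Added example: USN-rollback check, duplicate-SPN scan and machine-account
# password reset. Run ON the restored DC (DC1). Placeholder: domain\admin.

# 1. Image restores older than the last machine-account password change
#    (30 days by default) are also older than the DC's last replication
#    state; if the markers below are present the fix is demote/re-promote.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if ($ntds.'DSA Not Writable' -eq 4) {
    Write-Warning 'DSA Not Writable = 4: USN rollback detected, replication is quarantined'
}
Get-EventLog -LogName 'Directory Service' -Newest 500 |
    Where-Object { 2095, 2103 -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Message   # 2095/2103 = unsupported restore detected

# 2. Duplicate SPNs anywhere in the forest, via the global catalog
#    (servicePrincipalName is part of the GC partial attribute set).
$forestNc = ([adsi]'LDAP://RootDSE').rootDomainNamingContext.Value
$gc = [adsisearcher]'(servicePrincipalName=*)'
$gc.SearchRoot = [adsi]"GC://$forestNc"
$gc.PageSize   = 1000
$gc.PropertiesToLoad.AddRange([string[]]@('servicePrincipalName', 'distinguishedName'))
$owners = @{}
foreach ($r in $gc.FindAll()) {
    $dn = $r.Properties['distinguishedname'][0]
    foreach ($spn in $r.Properties['serviceprincipalname']) {
        $k = $spn.ToString().ToLower()
        if (-not $owners.ContainsKey($k)) { $owners[$k] = @() }
        $owners[$k] += $dn
    }
}
$dupes = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
foreach ($d in $dupes) { 'DUPLICATE SPN {0}: {1}' -f $d.Key, ($d.Value -join '; ') }
'Owner of the name the client used: ' + ($owners['cifs/dc2'] -join '; ')

# 3. Only when step 1 is clean: reset this DC's machine-account password
#    against the healthy DC (KB 325850). The KDC is stopped first so this DC
#    stops issuing tickets under the stale key; /passwordd:* prompts for the
#    admin password.
Stop-Service kdc
Set-Service kdc -StartupType Manual
& netdom resetpwd /server:DC2 /userd:domain\admin /passwordd:*
# Reboot, then: Set-Service kdc -StartupType Automatic; Start-Service kdc
# and verify with: repadmin /showrepl
```

If step 1 reports rollback, skip step 3 entirely: `dcpromo /forceremoval`, metadata cleanup and a fresh promotion is the only supported path, and a password reset on a quarantined DC merely hides the Kerberos symptom while replication stays disabled.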

  • ACS Replication Issue

    Yesterday we had two ACS 4.0 servers installed on Windows 2000 Domain Controllers that were working great. ACS1 was the primary server and replication was configured to send to ACS2. ACS2 replication was configured to receive from ACS1.
    We lost ACS2 yesterday so I installed ACS 4 on a 2003 Domain Controller (ACS3). I installed ACS3, went into network configuration and added ACS1 as an AAA server.
    I then logged onto ACS1 and added ACS3 as an AAA server and configured ACS3 as a replication partner.
    It is not replicating - if I look at the log I get
    ERROR, ACS 'ACS3' has denied replication request
    I do not have the primary as a replication on the secondary.
    I have some screen shots of the configuration from ACS2 and I've duplicated everything I've could (except for name and IP).
    Any ideas on what I can try next?

    I had what seems to be the same issue.
    In my case I have two ACS SE 1113 appliances, but the issue could still be the same with your Windows servers.
    The appliance has two NICs - I had both of the NICs connected. Although the appliance only allows you to use the Primary NIC (the bottom one), ACS still detected the Secondary NIC and creates an additional "AAA Server" entry under the "Network Configuration" tab called "self". You should only have one "self" entry in your AAA Server list, not two.
    Unfortunately I couldn't find a way to undo this. So I disconnected the Secondary NIC (the top one) and used the recovery CD to reload both of my ACS devices. Now everything works just fine.
    - Nate

  • Upgraded Domain, DHCP Issues

    Hey
    I have recently upgraded our domain controllers to Windows Server 2012 R2, which was, seemingly, a success. Running dcdiag and forcing a replication between the two domain controllers proceeded with no errors reported, and DHCP and DNS were functioning correctly.
    This was monitored over the weekend; all services (AD, DHCP, DNS) were running and no events were recorded to point towards faults. However, this morning, the DHCP Server role did not exist on the two domain controllers, and Active Directory had many, many issues, which have now been fixed.
    I have looked in the Microsoft-Windows-DHCP-Server-Service event logs and cannot find events that point either to the scope being removed or the role removed from the server, and the security audit log does not yield any results. In this circumstance, what should I be looking for to find out the cause of the fault?
    -- Matt

    Hi Matt,
    According to your description, do you mean that after you upgraded Domain Controllers, DHCP service was running correctly, but after a couple of days, DHCP role was removed?
    Sounds like someone removed it manually to me.
    Have you enabled DHCP audit logging? If you have, you can view the logs under %windir%\System32\Dhcp.
    More information for you:
    More About DHCP Audit and Event Logging
    http://technet.microsoft.com/en-us/library/dd759178.aspx
    DHCP Audit Logging
    http://technet.microsoft.com/en-us/library/cc774854(v=ws.10).aspx
    Best Regards,
    Amy Wang
