Monitoring Active Directory replication

Hello! How do I configure, step by step, monitoring of replication between 2 domains?

Hi,
Have you downloaded “Guide for System Center Management Pack for Active Directory for Operations Manager 2012”? It includes detailed information.
http://www.microsoft.com/en-us/download/details.aspx?id=21357
Niki Han
TechNet Community Support
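The Management Pack guide above covers monitoring through Operations Manager. As an added example that is not part of the thread or the guide, the following script does the same basic check from PowerShell: it walks every domain in the forest, pulls the inbound replication metadata of each DC with the ActiveDirectory module, and flags any partner/partition pair that has consecutive failures or whose last success is older than a threshold. The 60-minute threshold, the CSV path and the assumption that you can bind to every DC are mine, not the page's.

```powershell
# Added example, not from the thread or the Management Pack guide: a forest-wide
# inbound replication health check built on the ActiveDirectory module (RSAT).
# Assumptions: you can bind to every DC, and 60 minutes is an acceptable staleness
# threshold for your topology (tune it to your longest intersite schedule).
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([int]$MaxAgeMinutes = 60)

    $forest = Get-ADForest
    # Enumerate every DC of every domain so a cross-domain partner is never skipped
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    foreach ($dc in $dcs) {
        try {
            # One row per (inbound partner, naming context) for this DC
            $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName `
                            -Scope Server -Partition * -ErrorAction Stop
            foreach ($p in $partners) {
                $age    = (Get-Date) - $p.LastReplicationSuccess
                $stale  = $age.TotalMinutes -gt $MaxAgeMinutes
                $status = if ($p.ConsecutiveReplicationFailures -gt 0 -or $stale) { 'ALERT' } else { 'OK' }
                [pscustomobject]@{
                    DC        = $dc.HostName
                    Domain    = $dc.Domain
                    Partition = $p.Partition
                    Partner   = $p.Partner
                    LastOK    = $p.LastReplicationSuccess
                    AgeMin    = [int]$age.TotalMinutes
                    Failures  = $p.ConsecutiveReplicationFailures
                    LastError = $p.LastReplicationResult   # 0 = success
                    Status    = $status
                }
            }
        }
        catch {
            # A DC that cannot be bound at all is itself a finding, not a gap in the report
            [pscustomobject]@{
                DC = $dc.HostName; Domain = $dc.Domain; Partition = '-'; Partner = '-'
                LastOK = $null; AgeMin = -1; Failures = -1
                LastError = $_.Exception.Message; Status = 'UNREACHABLE'
            }
        }
    }

    # Failures recorded by the DCs themselves, with first-failure time and error code
    Get-ADReplicationFailure -Target $forest.Name -Scope Forest -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                DC = $_.Server; Domain = '-'; Partition = '-'; Partner = $_.Partner
                LastOK = $null; AgeMin = -1; Failures = $_.FailureCount
                LastError = "$($_.FailureType) $($_.LastError) since $($_.FirstFailureTime)"
                Status = 'ALERT'
            }
        }
}

$report = Get-ReplicationHealth -MaxAgeMinutes 60
$report | Sort-Object Status, AgeMin -Descending | Format-Table -AutoSize
# Feed only the findings to whatever alerting you use (the path is an assumption)
$report | Where-Object { $_.Status -ne 'OK' } | Export-Csv -NoTypeInformation -Path .\ad-repl-findings.csv
```

Scheduling this on one management host and alerting on the `ALERT` and `UNREACHABLE` rows gives you the cross-domain view the question asks for; the `Get-ADReplicationFailure` rows add the error code and first-failure time that the metadata alone does not show.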

Similar Messages

  • Active Directory Replication 2008 R2

    Hi
    We are getting the error "The following server could not be reached (topology incomplete)".
    Domain Controllers: 2008 R2
    How can we resolve this issue?
    Aravind

    The error message says that the server is not reachable.
    You might want to start with checking the basics:
    Check that the faulty DC has its A, CNAME and SRV records properly registered in your DNS system (you can use nslookup for checking: http://social.technet.microsoft.com/wiki/contents/articles/29184.nslookup-for-beginners.aspx). If this is not the case, follow the IP settings recommendations I mentioned here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
    Once the IP settings are corrected, you can run the ipconfig /registerdns command.
    Check that the required ports for AD replication are open between your DCs and are not filtered: http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
    If none of that helped, you can temporarily disable the security software you use on the DCs and check again.
    The last resort could be to demote the DC and promote it again.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

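The three basics in the answer above (DNS records, IP settings, open ports) can be checked from a partner DC's point of view in one pass. The script below is an added example, not Ahmed's code: it resolves the DC's A record, its DSA GUID CNAME under `_msdcs`, and the `_ldap`/`_kerberos` SRV records against a given DNS server, then probes the fixed TCP ports that replication and authentication use. Host, domain and DNS server names are placeholders; it assumes the ActiveDirectory module plus `Resolve-DnsName` and `Test-NetConnection` (Windows 8 / Server 2012 RSAT or later).

```powershell
# Added example, not Ahmed's code: a preflight check for one DC from a partner's point of
# view, covering the three items above (DNS records, IP settings, ports). Host, domain and
# DNS server names are placeholders. Needs the ActiveDirectory module, Resolve-DnsName and
# Test-NetConnection (Windows 8 / Server 2012 or later RSAT).
Import-Module ActiveDirectory

function Test-DcReachability {
    param(
        [Parameter(Mandatory)][string]$DcHostName,   # e.g. dc01.corp.example (placeholder)
        [Parameter(Mandatory)][string]$DnsServer     # the DNS server the partner DC queries
    )
    $dc     = Get-ADDomainController -Identity $DcHostName
    $forest = (Get-ADForest).RootDomain
    $domain = $dc.Domain
    # The DSA GUID CNAME under _msdcs.<forest root> is what replication partners look up;
    # the GUID is the objectGUID of the DC's NTDS Settings object
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID

    $checks = @(
        @{ Name = 'A';            Query = $DcHostName;                     Type = 'A' }
        @{ Name = 'DSA CNAME';    Query = "$dsaGuid._msdcs.$forest";       Type = 'CNAME' }
        @{ Name = 'SRV ldap';     Query = "_ldap._tcp.dc._msdcs.$domain";  Type = 'SRV' }
        @{ Name = 'SRV kerberos'; Query = "_kerberos._tcp.$domain";        Type = 'SRV' }
    )
    foreach ($c in $checks) {
        $answers = Resolve-DnsName -Name $c.Query -Type $c.Type -Server $DnsServer -ErrorAction SilentlyContinue
        # For SRV records this DC must be among the targets; for A/CNAME any answer counts
        $ok = if ($c.Type -eq 'SRV') { $answers | Where-Object { $_.NameTarget -ieq $DcHostName } }
              else { $answers }
        [pscustomobject]@{
            Check  = "DNS $($c.Name)"
            Target = $c.Query
            Result = if ($ok) { 'OK' } else { 'MISSING' }
        }
    }

    # Fixed ports replication and authentication depend on. 3268/3269 only answer on a
    # global catalog. The dynamic RPC range (49152-65535 on 2008 and later) cannot be
    # probed this way; verify the firewall rule for it separately.
    $ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
                445 = 'SMB / SYSVOL'; 464 = 'Kerberos password change'; 636 = 'LDAPS'
                3268 = 'Global Catalog'; 3269 = 'Global Catalog over SSL' }
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $open = Test-NetConnection -ComputerName $DcHostName -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check  = "TCP $port"
            Target = $ports[$port]
            Result = if ($open) { 'OPEN' } else { 'FILTERED' }
        }
    }
}

Test-DcReachability -DcHostName 'dc01.corp.example' -DnsServer '10.0.0.10' | Format-Table -AutoSize
```

Run it from the DC that reports the partner as unreachable, pointing `-DnsServer` at the DNS server that DC actually uses; a `MISSING` SRV or CNAME row points at registration (the `ipconfig /registerdns` step above), a `FILTERED` row at the firewall between the sites.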
  • Migration SBS2003 to SBS2008 Active Directory Replication

    I am migrating from SBS2003 server to SBS2008.  I fired up the 2008 server on the network with the 2003 server and started the migration.  I got about 25% progress on the “Expanding and Installing Files” window when I got an error message of “Active Directory Replication is taking longer than expected.  You can choose whether to continue waiting.  If you choose not to wait the migration may fail.  Unless you are sure that replication is working correctly, it is recommended that you continue to wait”.  After waiting three times of 20 minutes each I don’t think it is working.  What are my options?  What can I check for?

    Hi,
    As it is an SBS-related issue, you may wish to post to the SBS newsgroup. This will provide access to others who read the public newsgroups regularly and will share their knowledge.
    Connect Windows Small Business Server 2008
    http://connect.microsoft.com/SBS08
    Thank you for your understanding and cooperation.
    Miles

  • FYI: Testing Active Directory Replication Latency/Convergence Through PowerShell (Update 2)

    see:
    (2014-02-01) Testing Active Directory Replication Latency/Convergence Through PowerShell (Update 2)
    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

    That link might have been broken. Here is the link:
    http://jorgequestforknowledge.wordpress.com/2014/02/01/testing-active-directory-replication-latencyconvergence-through-powershell-update-2/
    Nice Jorge. Thanks for sharing.
    Regards~Biswajit
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Active Directory Replication failed

    Hi all,
    I'm deploying Lync Server 2010 on a virtual server.
    My domain controller is a physical server.
    A Windows Update restart happened when almost 90% of the deployment was completed,
    during enabling of users in the Lync Server Control Panel.
    After the server restart I got the issue that Active Directory replication failed.
    Regards,
    Arun.

    The problem is more related to the Domain Controller.
    Please check the event log on Domain Controller.
    You can also refer to the following link to troubleshoot Active Directory Replication Problems:
    http://technet.microsoft.com/en-us/library/cc738415(v=ws.10).aspx
    Lisa Zheng
    TechNet Community Support

  • Windows Server 2008 R2 - Active Directory Replication over DynDNS

    Hello,
    I have one server running Windows Server 2008 R2 - Active Directory / DNS.
    Now some users have shifted to a new office together with the server.
    Some users are still in the original place, which now doesn't have AD DS/DNS.
    I want to install one replication server in the original place to retrieve AD/DNS from the new office via DynDNS.
    Is that possible or not?
    Best regards,

    Badr, I don't think you want AD replication occurring over the internet - even if that was possible, the server would need access to all the SRV records, A records, and all the ports required for communication - see here for an exhaustive list:
    http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx - I don't think I have to tell you how bad opening all these ports to the internet would be.
    You may want to look at setting up a VPN or DirectAccess from the original site to the new site. This will give you more security and generally won't cost too much.
    http://technet.microsoft.com/en-us/network/dd420463.aspx
    Another thing that may work for you would be to set up Remote Desktop Services in the new location and have the original location remote in via a gateway server -
    http://blogs.technet.com/b/windowsserver/archive/2012/05/09/windows-server-2012-remote-desktop-services-rds.aspx as a starting point. With RDS your users would be able to access the new location from anywhere, although there would be upfront costs associated, licensing and a server being part of them - I don't recommend turning your domain controller into an RDS server. These are just some ideas to help you with your issue.

  • Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest

    Hello everyone,
    I'm managing a multi-domain forest (with 7 sub-domains). All are working fine except for one. Through repadmin (repadmin /replsum /bysrc /bydest /sort:delta), I noticed that both domain controllers of a subdomain (there are only 2 DCs in that subdomain) hadn't replicated with the rest of the forest for more than 60 days.
    According to my research, it's usually recommended to demote and repromote the problematic DC to avoid the issue of lingering objects. In this case, it's both DCs of a sub-domain. Of course, on the other DCs in the forest, I got the event ID 2012 "it has been too long since this machine last replicated with the named source machine....".
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
    to a value of 1.
    As I understand it, this may cause lingering objects to appear (they can be removed with the repadmin /removelingeringobjects command with the DSA GUID, naming context, etc.). So far, I haven't used that registry key yet because of the associated risks.
    I didn't notice any other issue so far. Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the other DCs in the forest (at least, I'm not getting any error in the A.D. Sites and Services).
    I added two new DCs for the affected sub-domain, so the number of DCs for that domain went from 2 to 4. The two old DCs that hadn't replicated for 60 days are Windows Server 2003 and the two new DCs are Server 2008 R2.
    Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain. By that, I mean that I cannot add an Active Directory Domain Services Connection in the Sites & Services console (from a DC in another domain of the forest or even the root domain). I see all the DCs, including the two old DCs that are Server 2003, but not the new ones.
    I believe it's because the other DCs don't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
    I was wondering what is the best course of action. Is it worthwhile to use the registry key to force replication with the old DCs? (And hopefully the new DCs will get their AD Services connection/replication vector created, so I can demote the old DCs.)
    Since the old DCs from the problematic sub-domain seem to be able to pull the replication from the rest of the forest, isn't the risk of lingering objects that great?
    Or is it too risky and must I create a new sub-domain and migrate the users one way or another? (which would be time-consuming)
    Thanks in advance,
    Adam

    Thanks for the reply. One of the links had another link to a good article about the use of repadmin:
    So, I ran the command "repadmin /removelingeringobjects" on one of the problematic DCs ().
    For clarity's sake, let's say I used the domains:
    domain = main domain
    subdomain = the domain whose DCs are problematic (all of them).
    AnotherSubDomain = just another subdomain I used as a "reference" DC to clean up the appropriate partition.
    Command (the DSA GUID is from a "clean" DC in another domain):
    repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
    I got the following message in the event viewer :
    Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
    Source domain controller:
    c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
    Number of objects examined and verified:
    0
    Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
    advisory mode option.
    How should I interpret the message "number of objects examined and verified 0"? Does it mean it just didn't find any object to compare? (which would be odd IMHO) Or is there another problem?
    Thanks in advance,
    Adam
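Adam ran the advisory-mode check by hand for one DC and one partition. The script below is an added example, not from his post: it automates the same `repadmin /removelingeringobjects ... /advisory_mode` run against every DC in the forest for every partition the chosen reference DC holds (advisory mode only reports, it deletes nothing), then collects what each DC logged. It assumes the ActiveDirectory module, a reference DC you know replicates cleanly, and that event 1942 is the advisory-mode completion he quoted while 1946 is written once per lingering object found; check those IDs against your own Directory Service log. Host names are placeholders.

```powershell
# Added example, not from Adam's post: run the advisory-mode lingering object check he
# describes against every DC for each partition the reference DC holds, then summarise the
# Directory Service events the run produced. Names are placeholders.
# Assumption: event 1942 = advisory-mode completion (the text Adam quoted), 1946 = one
# event per lingering object found; verify the IDs against your DCs' logs.
Import-Module ActiveDirectory

function Invoke-LingeringObjectAudit {
    param(
        [Parameter(Mandatory)][string]$ReferenceDc,   # a DC known to replicate cleanly
        [string[]]$Partitions = @()                    # default: every NC the reference DC holds
    )
    # repadmin wants the reference DC's DSA object GUID (objectGUID of its NTDS Settings
    # object), the same GUID that appears in its _msdcs CNAME
    $ref     = Get-ADDomainController -Identity $ReferenceDc
    $dsaGuid = (Get-ADObject -Identity $ref.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    if (-not $Partitions) { $Partitions = (Get-ADRootDSE -Server $ReferenceDc).namingContexts }

    $forest  = Get-ADForest
    $dcs     = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
    $started = Get-Date

    foreach ($dc in ($dcs | Where-Object { $_.HostName -ine $ReferenceDc })) {
        # Only compare partitions this DC holds as a full replica (listed in its rootDSE)
        $held = (Get-ADRootDSE -Server $dc.HostName -ErrorAction SilentlyContinue).namingContexts
        foreach ($nc in ($Partitions | Where-Object { $held -contains $_ })) {
            # /advisory_mode reports candidates only; nothing is deleted
            $out = & repadmin.exe /removelingeringobjects $dc.HostName $dsaGuid $nc /advisory_mode 2>&1
            [pscustomobject]@{
                DC        = $dc.HostName
                Partition = $nc
                Result    = if ($LASTEXITCODE -eq 0) { 'ran' } else { "exit $LASTEXITCODE" }
                Detail    = ($out | Out-String).Trim()
            }
        }
    }

    # What each DC logged for this run: completions (1942) and objects found (1946)
    foreach ($dc in $dcs) {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
                      LogName = 'Directory Service'; Id = 1942, 1946; StartTime = $started }
        $runs  = @($events | Where-Object { $_.Id -eq 1942 }).Count
        $found = @($events | Where-Object { $_.Id -eq 1946 }).Count
        [pscustomobject]@{
            DC        = $dc.HostName
            Partition = '(events)'
            Result    = if ($found -gt 0) { 'LINGERING OBJECTS' } else { 'clean' }
            Detail    = "$runs advisory run(s) completed, $found lingering object(s) reported"
        }
    }
}

Invoke-LingeringObjectAudit -ReferenceDc 'dc01.domain.example' | Format-Table -AutoSize -Wrap
```

Reading the per-DC event rows rather than the console output matters here: the repadmin call returns success whether or not the DC found anything, and the per-object 1946 events are where the DN of each candidate lingering object is recorded for review before anyone reruns the command without `/advisory_mode`.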

  • Active Directory Replication Servers (wont replicate SYSVOL and NETLOGON Not showing)

    I have my first DC server (DC1), DC1.DOMAIN.LOCAL. I decided to add another domain controller, made it a secondary DNS server and also a GC. Everything seems to replicate, but it's missing NETLOGON and SYSVOL won't replicate.
    Windows 2008 R2

    Error 5706
    The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\INFGRP.LOCAL\SCRIPTS.  The following error occurred: 
    The system cannot find the file specified.
    Event 7009
    A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
    Event 1058
    The processing of Group Policy failed. Windows attempted to read the file \\INFGRP.LOCAL\SysVol\INFGRP.LOCAL\Policies\{55DE4000-0D51-44CD-92A1-30F286B2BC86}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until
    this event is resolved. This issue may be transient and could be caused by one or more of the following: 
    a) Name Resolution/Network Connectivity to the current domain controller. 
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
    c) The Distributed File System (DFS) client has been disabled.
    All Critical
    This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS
    Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
    Test replication
    Domain Controller Diagnosis
    Performing initial setup:
       * Verifying that the local machine dc, is a DC. 
       * Connecting to directory service on server dc.
       * Collecting site info.
       * Identifying all servers.
       * Identifying all NC cross-refs.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\dc
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             * Active Directory RPC Services Check
             ......................... dc passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\dc
          Starting test: Replications
             * Replications Check
             * Replication Latency Check
                DC=ForestDnsZones,DC=GRP,DC=LOCAL
                   Latency information for 7 entries in the vector were ignored.
                      7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                DC=DomainDnsZones,DC=GRP,DC=LOCAL
                   Latency information for 7 entries in the vector were ignored.
                      7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                CN=Schema,CN=Configuration,DC=GRP,DC=LOCAL
                   Latency information for 8 entries in the vector were ignored.
                      8 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                CN=Configuration,DC=GRP,DC=LOCAL
                   Latency information for 9 entries in the vector were ignored.
                      9 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                DC=GRP,DC=LOCAL
                   Latency information for 9 entries in the vector were ignored.
                      9 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
             ......................... dc passed test Replications
          Test omitted by user request: Topology
          Test omitted by user request: CutoffServers
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: Advertising
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: RidManager
          Test omitted by user request: MachineAccount
          Test omitted by user request: Services
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: frssysvol
          Test omitted by user request: frsevent
          Test omitted by user request: kccevent
          Test omitted by user request: systemlog
          Test omitted by user request: VerifyReplicas
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: CheckSecurityError
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : Schema
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : Configuration
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running partition tests on : GRP
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       Running enterprise tests on : GRP.LOCAL
          Test omitted by user request: Intersite
          Test omitted by user request: FsmoCheck
          Test omitted by user request: DNS
          Test omitted by user request: DNS
    On the second DC (DCR) I see SYSVOL, but no files replicated, and also there's no NETLOGON.

  • Can't fix Active Directory replication

    Hi,
    I am not sure when the replication issue started, but it has been going on for months now. We have two ADs and actually one is working fine (probably). Users are replicated fine (at least they show in the second AD tree) and also the group policies replicate (they show in the group policy tree).
    But in the \\dc02\SYSVOL\domainname.com\Policies directory, nothing is shared. It's completely out of date. Also the Group Policy manager gives a warning: 1 Domain controller(s) with replication in progress.
    Anyway, I and other members of the IT staff looked into it, but it looks like the problem goes deep.
    So my question is, what is the best way to solve this? Start to post some errors here, or maybe we should completely re-install the second DC? Or both? Or is that a bad idea?
    Thanks for any help!

    Thanks for the responses!
    Problem is, Event viewer keeps giving different errors. I just restarted my secondary DC and it gives this error:
    This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
    Before the restart, I ran dcdiag again and it reported problems with NCSecDesc, so a permissions problem. I fixed that and after that I ran dcdiag again and no errors were showing. But the SYSVOL directory was still not in sync.
    After that, I restarted, and the top error is shown in Event Viewer and dcdiag gives me another, new error:
    Starting test: SystemLog
    A warning event occurred. EventID: 0x000727A5
    Time Generated: 04/16/2014 18:02:36
    Event String: The WinRM service is not listening for WS-Management requests.
    A warning event occurred. EventID: 0x80040020
    Time Generated: 04/16/2014 18:03:13
    Event String:
    The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may o
    ccur.
    A warning event occurred. EventID: 0x80040020
    Time Generated: 04/16/2014 18:03:13
    Event String:
    The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may o
    ccur.
    A warning event occurred. EventID: 0x80040020
    Time Generated: 04/16/2014 18:03:13
    Event String:
    The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may o
    ccur.
    An error event occurred. EventID: 0xC0001B61
    Time Generated: 04/16/2014 18:03:40
    Event String:
    A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
    An error event occurred. EventID: 0xC0001B6F
    Time Generated: 04/16/2014 18:03:41
    Event String: The Diagnostic System Host service terminated with the following error:
    An error event occurred. EventID: 0xC0001B6F
    Time Generated: 04/16/2014 18:03:41
    Event String: The Diagnostic Service Host service terminated with the following error:
    ......................... DC02 failed test SystemLog
    After restarting the secondary DC, the primary DC gives an error on DFSREvent, but I think that's OK because it lost the secondary DC for a minute. No further errors there.
    After restarting the primary DC, it also gives a SystemLog error in dcdiag, but a different one from the other DC:
    Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source
    , but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain
    hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domai
    n, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function a
    s the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this c
    omputer, you may choose to disable the NtpClient.
    A warning event occurred. EventID: 0x00000090
    Time Generated: 04/16/2014 18:31:25
    Event String: The time service has stopped advertising as a good time source.
    ......................... DC01 failed test SystemLog
    Now this is the current status. I am pretty desperate. Maybe you have some suggestions? Otherwise, I will try pbbergs' suggestion.
    Other errors in the event viewer (not sure if they are related but just posting to be sure):
    This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
    Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.
    Certificate name: dc01.domainname.com
    The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
    Thanks for the help!
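Both of the last two threads show the same SYSVOL symptoms: NETLOGON or SYSVOL not shared on one DC, a Policies folder that is out of date, and events 5706, 7009 and 1058. The script below is an added example, not from either poster: it reports the FRS-to-DFSR migration state of SYSVOL, checks that every DC exposes both shares, reads the `Version=` stamp of each GPO's `gpt.ini` on every DC to find GPOs that differ between DCs, and counts the three quoted event IDs. It must run on a DC as a domain admin and assumes the ActiveDirectory module; the 24-hour event window is an assumption. It sticks to `Get-WmiObject` and script-block filters so it also runs on 2008 R2.

```powershell
# Added example, not from either poster: a SYSVOL consistency check for the symptoms in
# the two threads above (NETLOGON/SYSVOL not shared, Policies folder out of date, events
# 5706 / 7009 / 1058). Run it on a DC as a domain admin; the ActiveDirectory module is
# required and the 24-hour event window is an assumption.
Import-Module ActiveDirectory

function Test-SysvolHealth {
    param([int]$LookbackHours = 24)
    $domain = (Get-ADDomain).DNSRoot
    $dcs    = @((Get-ADDomainController -Filter *).HostName)

    # FRS-to-DFSR migration state of SYSVOL; dfsrmig.exe exists on 2008 and later DCs
    $state = ((& dfsrmig.exe /getglobalstate 2>&1) -join ' ').Trim()
    [pscustomobject]@{ DC = '(domain)'; Check = 'dfsrmig /getglobalstate'; Result = $state }

    $gpoVersions = @{}
    foreach ($dc in $dcs) {
        # Win32_Share works on 2008 R2 as well; a missing NETLOGON is the posters' symptom
        $shares = Get-WmiObject -Class Win32_Share -ComputerName $dc -ErrorAction SilentlyContinue |
                  Where-Object { $_.Name -match '^(SYSVOL|NETLOGON)$' } | ForEach-Object { $_.Name }
        foreach ($s in 'SYSVOL', 'NETLOGON') {
            [pscustomobject]@{ DC = $dc; Check = "share $s"; Result = if ($shares -contains $s) { 'present' } else { 'MISSING' } }
        }

        # Version stamp of every GPO's gpt.ini as this DC serves it
        $policies = "\\$dc\SYSVOL\$domain\Policies"
        if (Test-Path $policies) {
            foreach ($gpo in (Get-ChildItem $policies | Where-Object { $_.PSIsContainer })) {
                $ini = Join-Path $gpo.FullName 'gpt.ini'
                $m   = if (Test-Path $ini) { Select-String -Path $ini -Pattern '^Version=(\d+)' | Select-Object -First 1 }
                $ver = if ($m) { $m.Matches[0].Groups[1].Value } else { 'no gpt.ini' }
                if (-not $gpoVersions.ContainsKey($gpo.Name)) { $gpoVersions[$gpo.Name] = @{} }
                $gpoVersions[$gpo.Name][$dc] = $ver
            }
        } else {
            [pscustomobject]@{ DC = $dc; Check = 'Policies folder'; Result = "UNREACHABLE $policies" }
        }

        # The System log events both posters quoted, counted per ID
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
                      LogName = 'System'; Id = 5706, 7009, 1058; StartTime = (Get-Date).AddHours(-$LookbackHours) }
        $ids = ($events | Group-Object Id | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
        [pscustomobject]@{ DC = $dc; Check = "events last ${LookbackHours}h"; Result = if ($ids) { $ids } else { 'none' } }
    }

    # A GPO is divergent when its gpt.ini version differs between DCs or is absent on one
    foreach ($gpo in $gpoVersions.Keys) {
        $seen     = $gpoVersions[$gpo]
        $distinct = @($seen.Values | Sort-Object -Unique)
        if ($distinct.Count -gt 1 -or $seen.Count -lt $dcs.Count) {
            $detail = ($seen.Keys | ForEach-Object { "$_=$($seen[$_])" }) -join '; '
            [pscustomobject]@{ DC = '(all)'; Check = "GPO $gpo"; Result = "DIVERGENT $detail" }
        }
    }
}

Test-SysvolHealth | Format-Table -AutoSize -Wrap
```

The `DIVERGENT` rows are the objective version of "Policies is completely out of date": the `gpt.ini` version on the stale DC stops moving while the others keep incrementing, and a GPO folder that exists on only some DCs shows up with fewer entries than there are DCs. Together with the share and migration-state rows, that tells you whether the problem is FRS/DFSR not replicating at all or one DC that never finished the migration.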

  • Active Directory replication and login errors (Plz HELP !!)

    Hi All,
    We have one forest domain (XXXX.LOCAL) and lots of child domains (XXX.XXXX.LOCAL).
    We are facing the issue that child domains are not able to log in with the forest administrator account, and there are also lots of replication errors.
    Exchange OWA gives an error of not being able to find a particular XXX.XXX.local child domain.
    dcdiag from the child domain is:
    C:\Windows\system32>
    C:\Windows\system32>nltest.exe /dsregdns
    Flags: 0
    Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
    The command completed successfully
    C:\Windows\system32>nltest.exe /dsregdns
    Flags: 0
    Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
    The command completed successfully
    C:\Windows\system32>
    C:\Windows\system32>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = PMA-DC01
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: HEC-CITY\PMA-DC01
          Starting test: Connectivity
             ......................... PMA-DC01 passed test Connectivity
    Doing primary tests
       Testing server: HEC-CITY\PMA-DC01
          Starting test: Advertising
             Warning: PMA-DC01 is not advertising as a time server.
             ......................... PMA-DC01 failed test Advertising
          Starting test: FrsEvent
             ......................... PMA-DC01 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... PMA-DC01 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... PMA-DC01 passed test SysVolCheck
          Starting test: KccEvent
             ......................... PMA-DC01 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             [PMA-DC02] DsBindWithSpnEx() failed with error -2146893022,
             The target principal name is incorrect..
             Warning: PMA-DC02 is the PDC Owner, but is not responding to DS RPC
             Bind.
             [PMA-DC02] LDAP bind failed with error 8341,
             A directory service error has occurred..
             Warning: PMA-DC02 is the PDC Owner, but is not responding to LDAP
             Bind.
             Warning: PMA-DC02 is the Rid Owner, but is not responding to DS RPC
             Bind.
             Warning: PMA-DC02 is the Rid Owner, but is not responding to LDAP
             Bind.
             Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
             responding to DS RPC Bind.
             Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
             responding to LDAP Bind.
             ......................... PMA-DC01 failed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... PMA-DC01 passed test MachineAccount
          Starting test: NCSecDesc
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             Fatal Error: Cannot retrieve SID
             ......................... PMA-DC01 failed test NCSecDesc
          Starting test: NetLogons
             ......................... PMA-DC01 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... PMA-DC01 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,Replications Check] Inbound replication is
             disabled.
             To correct, run "repadmin /options PMA-DC01 -DISABLE_INBOUND_REPL"
             [Replications Check,PMA-DC01] Outbound replication is disabled.
             To correct, run "repadmin /options PMA-DC01 -DISABLE_OUTBOUND_REPL"
             ......................... PMA-DC01 failed test Replications
          Starting test: RidManager
             ......................... PMA-DC01 failed test RidManager
          Starting test: Services
                w32time Service is stopped on [PMA-DC01]
             ......................... PMA-DC01 failed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x00000010
                Time Generated: 04/21/2014   19:16:04
                Event String:
                Unable to Connect: Windows is unable to connect to the automatic upd
    ates service and therefore cannot download and install updates according to the
    set schedule. Windows will continue to try to establish a connection.
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:42
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.dc._msdcs.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHORE._sites.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._udp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kpasswd._tcp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kpasswd._udp.PMA.XXXX.LOCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 04/21/2014   19:44:43
                Event String:
                The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHORE._sites.dc._msdcs.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS server:
             An error event occurred.  EventID: 0x00000C8A
                Time Generated: 04/21/2014   19:44:51
                Event String:
                This computer could not authenticate with \\LHR-DC01.XXXX.LOCAL, a Windows domain controller for domain XXXX, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
             An error event occurred.  EventID: 0xC00A0038
                Time Generated: 04/21/2014   19:46:02
                Event String:
                The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 10.87.193.37.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/21/2014   19:52:41
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server pma-dc02$. The target name used was PMA\PMA-DC02$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             A warning event occurred.  EventID: 0x8000001C
                Time Generated: 04/21/2014   19:53:42
                Event String:
                When generating a cross realm referal from domain XXXX.LOCAL the KDC was not able to find the suitable key to verify the ticket. The ticket key version in the request was 25 and the available key version was 22. This most common reason for this error is a delay in replicating the keys. In order to remove this problem try forcing replication or wait for the replication of keys to occur.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/21/2014   20:13:25
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server pma-dc02$. The target name used was LDAP/4a166db9-c39c-4069-99e7-8a233ce2c0be._msdcs.XXXX.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/21/2014   20:13:25
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server pma-dc02$. The target name used was ldap/pma-dc02.pma.XXXX.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             ......................... PMA-DC01 failed test SystemLog
          Starting test: VerifyReferences
             ......................... PMA-DC01 passed test VerifyReferences
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : PMA
          Starting test: CheckSDRefDom
             ......................... PMA passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... PMA passed test CrossRefValidation
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running enterprise tests on : XXXX.LOCAL
          Starting test: LocatorCheck
             ......................... XXXX.LOCAL passed test LocatorCheck
          Starting test: Intersite
             ......................... XXXX.LOCAL passed test Intersite
    C:\Windows\system32>

    There are a number of things that can cause this, such as:
    DNS is misconfigured to support a parent-child-additional tree forest.
    Incorrect DNS zone replication scope for the design, which points back to the point #1.
    AD Sites are misconfigured for the physical environment. For example if you have a hub and spoke physical environment, you can't use the default settings that bridge all sites (BASL) and must individually configure them.
    Incorrect DNS settings on the DCs.
    Multi-homed DCs.
    Time service is not configured properly and/or syncing from the VM host, which should be configured otherwise (Microsoft, VMware and Citrix have KBs explaining this).
    Default security settings at either the parent, child or both domains, have been altered.
    Firewalls between DCs, such as perimeter firewalls, or installed antivirus protection features if not excluded on DCs properly, will cause this, too.
    That's the short list. If you can describe some of the points above, it may help us pinpoint where the issue may be.
    Some links that may help understand some of the bullet points:
    AD Site Design, DNS & the DC Locator Process, and Auto Site Link Bridging, or Bridge All Site Links (BASL)
    http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx
    Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
    Published by Ace Fekay, MCT, MVP DS on Sep 18, 2009 at 8:14 PM
    http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
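    The checklist in the answer above (locator records, DNS settings on the DCs, multi-homed DCs, time service) can be verified from a DC in a few lines. The following script is an added example for this thread, not code from the post or from Microsoft. It assumes an elevated PowerShell 3.0 or later session on Windows Server 2012 or newer with the ActiveDirectory RSAT module; $Domain and $PartnerDc are placeholders to replace with your own values.

```powershell
# Added example (not from the thread): checks three of the causes listed above
# from a DC: locator SRV registration, multi-homing / DNS client settings, and
# clock offset against a partner DC. Assumes RSAT ActiveDirectory module,
# Windows Server 2012+, and placeholder values for $Domain and $PartnerDc.
param(
    [string]$Domain    = $env:USERDNSDOMAIN,     # e.g. PMA.XXXX.LOCAL (placeholder)
    [string]$PartnerDc = 'LHR-DC01.XXXX.LOCAL'   # placeholder replication partner
)
Import-Module ActiveDirectory
$findings = New-Object System.Collections.Generic.List[string]

# 1. Every DC of the domain must be present in the domain-wide locator SRV records
#    (the records dcdiag reported as failing to register in the SystemLog test).
$dcHosts = (Get-ADDomainController -Filter * -Server $Domain).HostName |
           ForEach-Object { $_.ToLower() }
$srvNames = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain",
            "_ldap._tcp.$Domain", "_kerberos._tcp.$Domain", "_kpasswd._tcp.$Domain"
foreach ($name in $srvNames) {
    try {
        $targets = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.QueryType -eq 'SRV' } |
                   ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
    } catch {
        $findings.Add("SRV lookup failed for $name : $($_.Exception.Message)")
        continue
    }
    foreach ($dc in $dcHosts) {
        if ($targets -notcontains $dc) { $findings.Add("$dc is missing from $name") }
    }
}

# 2. Multi-homed DC, or a DNS client pointing at something that is not a DC.
$dcAddrs = foreach ($h in $dcHosts) {
    (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue).IPAddress
}
$upIfs = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
if ($upIfs.Count -gt 1) {
    $findings.Add("Multi-homed: $($upIfs.Count) adapters up ($($upIfs.Name -join ', '))")
}
foreach ($if in $upIfs) {
    $servers = (Get-DnsClientServerAddress -InterfaceIndex $if.ifIndex -AddressFamily IPv4).ServerAddresses
    foreach ($s in $servers) {
        if ($s -ne '127.0.0.1' -and $dcAddrs -notcontains $s) {
            $findings.Add("Adapter '$($if.Name)' uses non-DC DNS server $s")
        }
    }
}

# 3. Kerberos tolerates 5 minutes of skew by default; measure the offset to the
#    partner and report a DC that takes time from its own CMOS clock or the hypervisor.
$skew = w32tm /stripchart /computer:$PartnerDc /samples:3 /dataonly 2>&1 |
        ForEach-Object { if ("$_" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } }
if (-not $skew) {
    $findings.Add("Could not measure time offset to $PartnerDc")
} elseif ([math]::Abs(($skew | Measure-Object -Average).Average) -gt 300) {
    $findings.Add("Clock offset to $PartnerDc exceeds the 5 minute Kerberos tolerance")
}
$source = (w32tm /query /source 2>&1) -join ''
if ($source -match 'Local CMOS Clock|VM IC Time Synchronization Provider') {
    $findings.Add("Time source is '$source'; configure the domain hierarchy or an external NTP source instead")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

    Run it on the DC that failed the SystemLog test and again on its partner; a DC that is missing from its own domain's _kerberos or _kpasswd SRV records, or that shows a non-DC DNS server on any adapter, matches the first four items on the list above.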

  • Active Directory Replication, have not been performed for a long time

    Good afternoon,
    Situation: in an organization with many domain controllers, contact with one of the sites was lost. From 18.07.2014 until now, replication between the two domain controllers has not taken place. The connection has now been re-established, and replication errors have appeared in the logs. Replication is performed using DFS.
    Errors:
    DFS Replication log:
    The DFS Replication service has detected an error in the connection to the partner for replication group Domain System Volume.
    Additional information:
    Error: 1825 (A security package specific error occurred.)
    Connection ID: F29C3738-AF90-4CE8-BFC0-48C1B36A5819
    Replication Group ID: 72D953C6-FD0A-4DA0-8D91-2C0B144E45A1
    In the system log:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server SERVERNAME$. The target name used was DNS\SERVERNAME$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain is different from the client domain, check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
    This error occurs when trying to access any network resource on the problem servers.
    The retention of deleted AD objects (tombstone lifetime) is set to the default of 180 days.
    Has anyone faced a similar situation and found a solution? I would not want to demote the domain controllers on the problem servers and deploy them again, since all objects created during this period would be lost; across the whole domain there are not many of them, but they exist.
    The result of repadmin /showrepl is this error on all servers:
       SITE\SERVER via RPC
            DSA object GUID: 5f01bea8-b74b-4876-b475-be712a191431
            Last attempt @ 15/10/2014 13:00:35 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            7579 consecutive failure(s).
            Last success @ 07/28/2014 14:15:41.
       SITE\SERVER via RPC
            DSA object GUID: 436c1016-4363-47b5-a34d-2e5b3e2b0038
            Last attempt @ 15/10/2014 13:00:35 failed, result 5 (0x5):
                Access is denied.
            7579 consecutive failure(s).
            Last success @ 07/28/2014 14:15:42.
       SITE\SERVER via RPC
            DSA object GUID: b677e990-f7cb-4daf-8f87-16602bc119e0
            Last attempt @ 15/10/2014 13:00:35 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            7579 consecutive failure(s).
            Last success @ 07/28/2014 14:15:43.
       SITE\SERVER via RPC
            DSA object GUID: 5afbb9b1-7558-4f97-b941-84e1845b48ce
            Last attempt @ 15/10/2014 13:00:35 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            7579 consecutive failure(s).
            Last success @ 07/28/2014 14:15:43.
    netdom resetpwd /s:NameWorkDC /ud:domain\administrator_domen /pd:password
    Failed to reset the password for the local computer account.
    Logon failure: The target account name is incorrect.
    The command failed to complete successfully.
    If I run the command specifying as the server the second server in the same site (which also has not replicated), the command succeeds.
    If I specify as /server the IP address of a working DC (a server running the KDC), the command succeeds.
    In general, the problem with this controller is that I cannot access any of the listed servers by name; it produces the error "You might not have permission to use this network resource."
    BUT if I connect by IP, it works without even needing to enter a username and password.
    Please help; what are Microsoft's recommendations in this regard? Thanks in advance.

    To get a better idea of the DCs' config, let's see an unedited ipconfig /all from the DCs, please.
    Is there any third-party AV on the DCs?
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Windows Server 2003 Active Directory Replication Issue

    Dear Friends,
    A few days ago my primary domain controller crashed, so I restored a one-month-old full server image.
    The issue is that after the restore, replication between the domain controllers is not working.
    Error message on DC2: Target Principal Name is incorrect
    Event Log on Restored DC1:
    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 4
    Date:  3/18/2014
    Time:  10:50:00 AM
    User:  N/A
    Computer: ***
    Description:
    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/**.domain.com.  The target name used was cifs/dc2. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly,
    this is due to identically named  machine accounts in the target realm (domain.COM), and the client realm.   Please contact your system administrator.
     

    Have  a look:
    https://msmvps.com/blogs/vandooren/archive/2009/04/02/the-kerberos-client-received-a-krb-ap-err-modified-error.aspx
    Regards,
    Rafic
    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

  • Server 2012 Active Directory replication problems

    Hi.
    I've got a forest with 2 sites.
    forest - domain.local
    site a: - everything appears to work fine
    srv-adc1 10.100.100.11 - domain controller - replicating with srv-adc2
    srv-adc2 10.100.100.12 - domain controller - replicating with srv-adc1
    site b: - was offline for more than 180 days
    srv-bdc1 10.200.100.11 - domain controller - not replicating with srv-adc1
    srv-bdc2 10.200.100.12 - demoted domain controller
    Each domain controller is also a DNS server.
    All the servers are Microsoft 2012.
    Site B was offline for more than 180 days, so it exceeded the tombstone lifetime.
    I demoted srv-bdc2 and did a metadata cleanup on the rest of the servers.
    I took srv-bdc2 out of the domain and brought it back in.
    When I try to promote it again I get an access denied error.
    When I try to browse to \\domain.local\ from any server in site B I get a network name error.
    The same thing happens if I try \\srv-adc1\.
    With the IP it works just fine.
    I looked everywhere in the DNS but found nothing.
    Anyone has an idea?

    Thanks for replying.
    Both of them were down for about a year.
    Should I remove them from the domain, or will just demoting them be good enough?
    Will it affect something on site B?
    srv-adc1 - repadmin /showreps /v
    SITEA\SRV-ADC1
    DSA Options: IS_GC 
    Site Options: (none)
    DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
    DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
    ==== INBOUND NEIGHBORS ======================================
    DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC2 via RPC
            DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
            Address: 89c75ba3-3796-4151-aa63-51916a24130c._msdcs.DOMAIN.LOCAL
            DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 1423024/OU, 1423024/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
        SITEB\SRV-BDC1 via RPC
            DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
            Address: 465bca1d-a4e5-4925-9e11-0dc98cf8f176._msdcs.DOMAIN.LOCAL
            DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
            USNs: 689527/OU, 689527/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
    CN=Configuration,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC2 via RPC
            DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
            Address: 89c75ba3-3796-4151-aa63-51916a24130c._msdcs.DOMAIN.LOCAL
            DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 1422941/OU, 1422941/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
        SITEB\SRV-BDC1 via RPC
            DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
            Address: 465bca1d-a4e5-4925-9e11-0dc98cf8f176._msdcs.DOMAIN.LOCAL
            DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
            USNs: 689527/OU, 689527/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
    CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC2 via RPC
            DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
            Address: 89c75ba3-3796-4151-aa63-51916a24130c._msdcs.DOMAIN.LOCAL
            DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 1422941/OU, 1422941/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
        SITEB\SRV-BDC1 via RPC
            DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
            Address: 465bca1d-a4e5-4925-9e11-0dc98cf8f176._msdcs.DOMAIN.LOCAL
            DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
            USNs: 689527/OU, 689527/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
    DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC2 via RPC
            DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
            Address: 89c75ba3-3796-4151-aa63-51916a24130c._msdcs.DOMAIN.LOCAL
            DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 1422941/OU, 1422941/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
        SITEB\SRV-BDC1 via RPC
            DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
            Address: 465bca1d-a4e5-4925-9e11-0dc98cf8f176._msdcs.DOMAIN.LOCAL
            DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
            USNs: 689527/OU, 689527/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
    DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC2 via RPC
            DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
            Address: 89c75ba3-3796-4151-aa63-51916a24130c._msdcs.DOMAIN.LOCAL
            DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 1422941/OU, 1422941/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
        SITEB\SRV-BDC1 via RPC
            DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
            Address: 465bca1d-a4e5-4925-9e11-0dc98cf8f176._msdcs.DOMAIN.LOCAL
            DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
            USNs: 689527/OU, 689527/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
    srv-adc2 - repadmin /showreps /v
    SITEA\SRV-ADC2
    DSA Options: IS_GC 
    Site Options: (none)
    DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
    DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
    ==== INBOUND NEIGHBORS ======================================
    DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC1 via RPC
            DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            Address: 6cc683ff-09ac-4aec-9e57-727141ed2c18._msdcs.DOMAIN.LOCAL
            DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 4872366/OU, 4872366/PU
            Last attempt @ 2014-06-27 09:30:12 was successful.
    CN=Configuration,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC1 via RPC
            DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            Address: 6cc683ff-09ac-4aec-9e57-727141ed2c18._msdcs.DOMAIN.LOCAL
            DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 4872349/OU, 4872349/PU
            Last attempt @ 2014-06-27 09:23:18 was successful.
    CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC1 via RPC
            DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            Address: 6cc683ff-09ac-4aec-9e57-727141ed2c18._msdcs.DOMAIN.LOCAL
            DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 4872278/OU, 4872278/PU
            Last attempt @ 2014-06-27 09:22:40 was successful.
    DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC1 via RPC
            DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            Address: 6cc683ff-09ac-4aec-9e57-727141ed2c18._msdcs.DOMAIN.LOCAL
            DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 4872278/OU, 4872278/PU
            Last attempt @ 2014-06-27 09:22:40 was successful.
    DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC1 via RPC
            DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            Address: 6cc683ff-09ac-4aec-9e57-727141ed2c18._msdcs.DOMAIN.LOCAL
            DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 4872278/OU, 4872278/PU
            Last attempt @ 2014-06-27 09:22:40 was successful.
    srv-bdc1 - repadmin /showreps /v
    SITEB\SRV-BDC1
    DSA Options: IS_GC 
    Site Options: (none)
    DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
    DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
    Source: SITEA\SRV-ADC1
    ******* 102 CONSECUTIVE FAILURES since 2014-06-26 08:42:30
    Last error: -2146893022 (0x80090322):
                The target principal name is incorrect.
    Naming Context: DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: CN=Configuration,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Source: SITEA\SRV-ADC2
    ******* 73 CONSECUTIVE FAILURES since 2014-06-26 15:24:28
    Last error: -2146893022 (0x80090322):
                The target principal name is incorrect.
    Naming Context: DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: CN=Configuration,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
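    The three threads above share one question: has the broken partner link been failing for longer than the forest's tombstone lifetime, and is the DC still a candidate for a password reset, or only for demotion and metadata cleanup? The following script is an added example for those posts (the site that lost contact on 18.07.2014, the DC restored from a month-old image, and site B offline for more than 180 days); it is not code from the posts or from Microsoft. It assumes PowerShell on a DC with the ActiveDirectory module and repadmin's data exposed through Get-ADReplicationPartnerMetadata; $Dc is a placeholder for the DC to inspect, and the registry check is local to the machine that runs the script.

```powershell
# Added example (not from the thread): classify each inbound replication link of a DC
# as OK, FAILING, or PAST TOMBSTONE LIFETIME, and flag a USN rollback left behind by
# an image/snapshot restore. Assumes the ActiveDirectory module; $Dc is a placeholder.
param([string]$Dc = $env:COMPUTERNAME)
Import-Module ActiveDirectory

# Forest tombstone lifetime. The attribute is unset on forests created before
# Windows Server 2003 SP1, in which case AD uses 60 days; newer forests default to 180.
$cfgNc = (Get-ADRootDSE -Server $Dc).configurationNamingContext
$dsObj = Get-ADObject -Server $Dc -Properties tombstoneLifetime `
             -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
$tslDays = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tslDays days"

# A DC restored from an unsupported image sets "Dsa Not Writable" = 4 (USN rollback,
# Directory Service event 2095) and quarantines itself; a password reset will not fix that.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if ($ntds.'Dsa Not Writable' -eq 4) {
    'WARNING: USN rollback detected on the local DC; it must be demoted and re-promoted.'
}

# Well-known result codes seen in these threads (repadmin "Last error" values).
$known = @{
    0            = 'success'
    5            = 'access denied'
    8614         = 'time since last replication exceeds the tombstone lifetime'
    -2146893022  = 'target principal name is incorrect (Kerberos / machine password mismatch)'
}

$now = Get-Date
Get-ADReplicationPartnerMetadata -Target $Dc -Scope Server -PartnerType Inbound |
    ForEach-Object {
        $age   = $now - $_.LastReplicationSuccess
        $state = if ($_.ConsecutiveReplicationFailures -eq 0) { 'OK' }
                 elseif ($age.TotalDays -gt $tslDays)        { 'PAST TOMBSTONE LIFETIME' }
                 else                                          { 'FAILING' }
        $code  = $_.LastReplicationResult
        [pscustomobject]@{
            Partition   = $_.Partition
            # Partner is the DN "CN=NTDS Settings,CN=<DC>,CN=Servers,..."; take the DC name.
            Partner     = ($_.Partner -split ',')[1] -replace '^CN='
            Failures    = $_.ConsecutiveReplicationFailures
            LastSuccess = $_.LastReplicationSuccess
            DaysSince   = [int]$age.TotalDays
            LastResult  = if ($known.ContainsKey($code)) { "$code ($($known[$code]))" } else { $code }
            State       = $state
        }
    } | Sort-Object State, Partition | Format-Table -AutoSize
```

    A link in state FAILING with -2146893022 and a LastSuccess inside the tombstone lifetime is the case where resetting the broken DC's machine-account password against a healthy DC (KDC stopped on the broken DC, netdom resetpwd, klist purge, KDC restarted, then repadmin /syncall) is still an option. A link marked PAST TOMBSTONE LIFETIME, or a DC carrying the USN-rollback marker, is no longer safely repairable in place: the supported path is a (forced, if necessary) demotion, ntdsutil metadata cleanup on the remaining DCs, and re-promotion, which is what the site B poster did. Objects created only on the isolated side during the outage are lost in that path, exactly as the first poster feared.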

  • Replication Active Directory, ports issues in firewall

    Hi,
    I am facing an issue with Active Directory replication between my Active Directory user databases located in two different locations.
    I am not doing any port-based ACL in the firewall, and there is no static / dynamic NATing used between the server IP ranges (nat 0).
    1) What could be the possible issue here?
    2) Do I need to issue any command in the FWSM module to make use of / open the dynamic ports?
    3) How can I make sure that these ports are not blocked on the firewall?
    Below are some of the ports used for this, based on the information from the Microsoft team.
    tcp 5389
    tcp 5722
    tcp 5729
    tcp 3268
    tcp 3269
    tcp 445
    udp 445
    udp 88
    udp 2535
    udp 389
    tcp 1025 - 5000
    tcp 44152 - 65535
    Appreciate your valuable support.
    regards
    Sunny

    Hi Bro
    If you're not doing any port-based ACL in your FWSM, I can only assume you're permitting the rules between both ADs by IP, e.g. access-list inside permit ip host 1.1.1.1 host 2.2.2.2, am I right? I hope you can ping between both ADs, otherwise this could be a routing issue.
    Listed below are some commands that you could type to investigate this issue further:
    a)   show np block (hardware buffer counters) - if they are non-zero and increasing it's bad. You're most likely running into a hardware limitation of the FWSM.
    b)   show np all stats | i RTL and show np all stats | i RL will show you if the packets are dropped because of software rate-limiting mechanisms built into the network processors.
    Perhaps what you need is to enable the "xlate-bypass" command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:
    hostname(config)#xlate-bypass
    If xlate-bypass doesn't resolve your issue, please do ensure you have a static NAT or dedicated nat/global in place.
    The last resort is to enable sysopt np completion-unit; this option invokes special processing created to address scenarios in which the FWSM was known to introduce out-of-order packets for TCP streams.
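    Question 3 in the post above (how to confirm the ports are actually open between the two DCs) can be answered from one of the DCs rather than from the firewall. The following script is an added example, not code from the post or from Cisco or Microsoft: it probes the TCP ports Microsoft documents for AD DS replication and then checks whether the partner has pinned its NTDS RPC port or still uses the dynamic range. It assumes Windows Server 2012 or later (Test-NetConnection does not exist on 2008 R2; use portqry.exe there), WinRM to the partner for the registry read, and $PartnerDc as a placeholder.

```powershell
# Added example (not from the thread): TCP reachability from this DC to a partner on
# the documented AD DS ports, plus a check of the partner's NTDS RPC port.
# Assumes Server 2012+, WinRM to the partner, and a placeholder $PartnerDc.
param([string]$PartnerDc = 'dc2.example.local')

# Documented AD DS / replication ports (TCP side). UDP 53/88/123/389/464 cannot be
# probed with Test-NetConnection, which only opens TCP connections.
$tcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (DS replication, DFSR, Netlogon)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, Netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global catalog'
    3269 = 'Global catalog over SSL'
}
$results = foreach ($p in $tcpPorts.Keys) {
    $ok = Test-NetConnection -ComputerName $PartnerDc -Port $p `
              -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Service = $tcpPorts[$p]; Open = $ok }
}
$results | Format-Table -AutoSize

# Replication itself runs over an RPC port handed out by the endpoint mapper from the
# dynamic range (TCP 49152-65535 on Server 2008+, 1025-5000 on Server 2003). A partner
# that pins NTDS to a fixed port (DWORD "TCP/IP Port" under
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters) can be probed directly;
# otherwise the whole range has to be allowed between the DCs.
$pinned = Invoke-Command -ComputerName $PartnerDc -ErrorAction SilentlyContinue -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
         -ErrorAction SilentlyContinue).'TCP/IP Port'
}
if ($pinned) {
    $ok = Test-NetConnection -ComputerName $PartnerDc -Port $pinned `
              -InformationLevel Quiet -WarningAction SilentlyContinue
    "NTDS RPC is pinned to TCP $pinned on $PartnerDc : $(if ($ok) { 'open' } else { 'BLOCKED' })"
} else {
    "NTDS RPC on $PartnerDc uses the dynamic range; allow it end to end, or pin NTDS with " +
    "the TCP/IP Port value and DFSR with 'dfsrdiag StaticRPC /port:<n> /member:<dc>'"
}
```

    Run the script in both directions (from each DC toward the other), since a stateful firewall that allows the session one way may still drop the partner's RPC callbacks. Anything reported BLOCKED on 135 or on the pinned port is a firewall or ACL problem regardless of what the FWSM counters show.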

  • Again - Active Directory Management Pack - AD MP - SCOM 2012R2 - AD 2012R2 - Action / RunAs Account permissions

    Hi,
    after reading many posts and blogs I have come to the conclusion that it is still unclear to me what is needed to monitor Active Directory successfully and what the most secure way of configuring the RunAs or Action Account is. I hope the experts here can make a clear statement to answer the question once and for all ;-)
    1. Action Account:
    Here it is described what permissions and rights are needed to use a low-privileged account:
    https://technet.microsoft.com/en-us/library/hh212808.aspx
    Now you might say: that was asked and answered so many times. You are right, but the answers ranged from "run as Local System" to "you need local admin". The AD MP documentation also still says you need a local admin account.
    Here are other references which say you need local admin rights:
    http://micloud.azurewebsites.net//2014/02/26/scom-agent-grayed-out-when-trying-to-monitor-domain-controllers/
    Even Kevin Holman says here
    https://social.technet.microsoft.com/Forums/systemcenter/en-US/2a0e5a2b-a3d9-42d4-8474-9f690007caa0/opsmgrlatency-cn-gets-auto-created-in-domain-not-configuration:
    "Basically - if your domain controllers are running as local system default agent action account, in most cases you will not need to ever set up any replication monitoring run-as accounts.... as local system on a DC has all the rights necessary. (in most cases)."
    Simple questions: Is this really enough to monitor every aspect of an Active Directory domain and domain controller using a low-privilege account with the permissions in the article? Or is using Local System better? Is there a difference when using SCOM 2012 R2 with the new agent? Most documentation refers to SCOM 2007 (except the replication monitoring, where it is clear that other permissions are needed:
    http://blogs.technet.com/b/jimmyharper/archive/2009/05/20/configuring-or-disabling-replication-monitoring-in-the-active-directory-management-pack.aspx )

    The MP guide is not really clear about it. The only thing they are clear about is when you want to use client monitoring. In those situations low-privileged will not work:
    "For each of the client-side monitoring scripts to run successfully, the Action Account must be a member of the Administrators group on both the computer on which the client management pack is running and the domain controller that is being monitored. The Action Account must also be a member of the Operations Manager Administrators group, which is configured through the Operations console, so that all the scripts that are configured on the Root Management Server can run properly."
    Both Local System and a domain admin are a risk. If someone loads a malicious management pack that makes changes to the AD services you are screwed. Local System has unrestricted access to local resources, including domain services.
    The only reason I don't want a domain admin account in SCOM is that you have an additional layer where the password could potentially be retrieved. That's not the case with a Local System account. But the risks are the same.
    See: https://msdn.microsoft.com/en-us/library/ms677973%28v=vs.85%29.aspx
    But this is not an answer to your question. :-)
