Windows 2008 (Not R2) Domain controller has stopped replicating to the other 2 Domain controllers
We had something (unknown) happen last week that stopped successful SYSVOL replication.
I've been going through loads of articles looking for clues after running dcdiag on the 3 servers.
This is the master domain controller:
https://support.microsoft.com/en-us/kb/840674/
domain controller diagnosis
performing initial setup:
* verifying local machine ch-dc1-2k8, dc.
* connecting directory service on server ch-dc1-2k8.
* collecting site info.
* identifying servers.
* identifying nc cross-refs.
* found 3 dc(s). testing 1 of them.
done gathering initial info.
doing initial required tests
testing server: cardiff\ch-dc1-2k8
starting test: connectivity
* active directory ldap services check
* active directory rpc services check
......................... ch-dc1-2k8 passed test connectivity
doing primary tests
testing server: cardiff\ch-dc1-2k8
starting test: replications
* replications check
* replication latency check
cn=schema,cn=configuration,dc=companyname,dc=local
latency information 4 entries in vector ignored.
4 retired invocations. 0 either: read-only replicas , not verifiably latent, or dc's no longer replicating nc. 0 had no latency information (win2k dc).
cn=configuration,dc=companyname,dc=local
latency information 4 entries in vector ignored.
4 retired invocations. 0 either: read-only replicas , not verifiably latent, or dc's no longer replicating nc. 0 had no latency information (win2k dc).
dc=companyname,dc=local
latency information 4 entries in vector ignored.
4 retired invocations. 0 either: read-only replicas , not verifiably latent, or dc's no longer replicating nc. 0 had no latency information (win2k dc).
* replication site latency check
site
cn=ntds site settings,cn=edinburgh,cn=sites,cn=configuration,dc=companyname,dc=local
skipped because never had istg running in it.
site
cn=ntds site settings,cn=london,cn=sites,cn=configuration,dc=companyname,dc=local
skipped because never had istg running in it.
site
cn=ntds site settings,cn=belfast,cn=sites,cn=configuration,dc=companyname,dc=local
skipped because never had istg running in it.
......................... ch-dc1-2k8 passed test replications
test omitted user request: topology
test omitted user request: cutoffservers
starting test: ncsecdesc
* security permissions check nc's on dc ch-dc1-2k8.
* security permissions check for
cn=schema,cn=configuration,dc=companyname,dc=local
(schema,version 2)
* security permissions check for
cn=configuration,dc=companyname,dc=local
(configuration,version 2)
* security permissions check for
dc=companyname,dc=local
(domain,version 2)
......................... ch-dc1-2k8 passed test ncsecdesc
starting test: netlogons
* network logons privileges check
unable connect netlogon share! (\\ch-dc1-2k8\netlogon)
[ch-dc1-2k8] net use or lsapolicy operation failed error 67, win32 error 67.
......................... ch-dc1-2k8 failed test netlogons
starting test: advertising
dc ch-dc1-2k8 advertising dc , having ds.
dc ch-dc1-2k8 advertising ldap server
dc ch-dc1-2k8 advertising having writeable directory
dc ch-dc1-2k8 advertising key distribution center
warning: ch-dc1-2k8 not advertising time server.
ds ch-dc1-2k8 advertising gc.
......................... ch-dc1-2k8 failed test advertising
starting test: knowsofroleholders
role schema owner = cn=ntds settings,cn=ch-dc1-2k8,cn=servers,cn=cardiff,cn=sites,cn=configuration,dc=companyname,dc=local
role domain owner = cn=ntds settings,cn=ch-dc1-2k8,cn=servers,cn=cardiff,cn=sites,cn=configuration,dc=companyname,dc=local
role pdc owner = cn=ntds settings,cn=ch-dc1-2k8,cn=servers,cn=cardiff,cn=sites,cn=configuration,dc=companyname,dc=local
role rid owner = cn=ntds settings,cn=ch-dc1-2k8,cn=servers,cn=cardiff,cn=sites,cn=configuration,dc=companyname,dc=local
role infrastructure update owner = cn=ntds settings,cn=ch-dc1-2k8,cn=servers,cn=cardiff,cn=sites,cn=configuration,dc=companyname,dc=local
......................... ch-dc1-2k8 passed test knowsofroleholders
starting test: ridmanager
* available rid pool domain 12100 1073741823
* ch-dc1-2k8.companyname.local rid master
* dsbind rid master successful
* ridallocationpool 10600 11099
* ridpreviousallocationpool 10600 11099
* ridnextrid: 10613
......................... ch-dc1-2k8 passed test ridmanager
starting test: machineaccount
checking machine account dc ch-dc1-2k8 on dc ch-dc1-2k8.
* spn found :ldap/ch-dc1-2k8.companyname.local/companyname.local
* spn found :ldap/ch-dc1-2k8.companyname.local
* spn found :ldap/ch-dc1-2k8
* spn found :ldap/ch-dc1-2k8.companyname.local/companyname
* spn found :ldap/bfe39346-13d8-455a-a97a-2a33f9e779f5._msdcs.companyname.local
* spn found :e3514235-4b06-11d1-ab04-00c04fc2dcd2/bfe39346-13d8-455a-a97a-2a33f9e779f5/companyname.local
* spn found :host/ch-dc1-2k8.companyname.local/companyname.local
* spn found :host/ch-dc1-2k8.companyname.local
* spn found :host/ch-dc1-2k8
* spn found :host/ch-dc1-2k8.companyname.local/companyname
* spn found :gc/ch-dc1-2k8.companyname.local/companyname.local
......................... ch-dc1-2k8 passed test machineaccount
starting test: services
* checking service: dnscache
* checking service: ntfrs
* checking service: ismserv
* checking service: kdc
* checking service: samss
* checking service: lanmanserver
* checking service: lanmanworkstation
* checking service: rpcss
* checking service: w32time
* checking service: netlogon
......................... ch-dc1-2k8 passed test services
test omitted user request: outboundsecurechannels
starting test: objectsreplicated
ch-dc1-2k8 in domain dc=companyname,dc=local
checking cn=ch-dc1-2k8,ou=domain controllers,dc=companyname,dc=local in domain dc=companyname,dc=local on 1 servers
object up-to-date on servers.
checking cn=ntds settings,cn=ch-dc1-2k8,cn=servers,cn=cardiff,cn=sites,cn=configuration,dc=companyname,dc=local in domain cn=configuration,dc=companyname,dc=local on 1 servers
object up-to-date on servers.
......................... ch-dc1-2k8 passed test objectsreplicated
starting test: frssysvol
* file replication service sysvol ready test
file replication service's sysvol ready
......................... ch-dc1-2k8 passed test frssysvol
starting test: frsevent
* file replication service event log test
there warning or error events within last 24 hours after the
sysvol has been shared. failing sysvol replication problems may cause
group policy problems.
warning event occured. eventid: 0x800034c4
time generated: 04/21/2015 21:42:20
event string: file replication service having trouble
enabling replication na-dc1-2k8 to
ch-dc1-2k8 c:\windows\sysvol\domain using the
dns name na-dc1-2k8.companyname.local. frs
keep retrying.
following of reasons see
warning.
[1] frs can not correctly resolve dns name
na-dc1-2k8.companyname.local this
computer.
[2] frs not running on
na-dc1-2k8.companyname.local.
[3] topology information in active
directory domain services replica has
not yet replicated domain controllers.
this event log message appear once per
connection, after problem fixed will
see event log message indicating the
connection has been established.
warning event occured. eventid: 0x800034c4
time generated: 04/22/2015 01:54:49
event string: file replication service having trouble
enabling replication ch-dc2-2k8 to
ch-dc1-2k8 c:\windows\sysvol\domain using the
dns name ch-dc2-2k8.companyname.local. frs
keep retrying.
following of reasons see
warning.
[1] frs can not correctly resolve dns name
ch-dc2-2k8.companyname.local this
computer.
[2] frs not running on
ch-dc2-2k8.companyname.local.
[3] topology information in active
directory domain services replica has
not yet replicated domain controllers.
this event log message appear once per
connection, after problem fixed will
see event log message indicating the
connection has been established.
......................... ch-dc1-2k8 failed test frsevent
starting test: kccevent
* kcc event log test
found no kcc errors in directory service event log in last 15 minutes.
......................... ch-dc1-2k8 passed test kccevent
starting test: systemlog
* system event log test
error event occured. eventid: 0x40000004
time generated: 04/22/2015 07:16:20
event string: kerberos client received a
krb_ap_err_modified error server
administrator. target name used was
companyname\ch-dc2-2k8$. indicates that
target server failed decrypt ticket
provided client. can occur when the
target server principal name (spn) registered
on account other account target
service using. please ensure target
spn registered on, , registered on, the
account used server. error can also
happen when target service using a
different password target service account
kerberos key distribution center
(kdc) has target service account. please
ensure service on server , kdc
both updated use current password. if
server name not qualified, , the
target domain (companyname.local) different
client domain (companyname.local),
check if there identically named server
accounts in these 2 domains, or use the
fully-qualified name identify server.
error event occured. eventid: 0x40000004
time generated: 04/22/2015 07:16:20
event string: kerberos client received a
krb_ap_err_modified error server
administrator. target name used was
companyname\na-dc1-2k8$. indicates that
target server failed decrypt ticket
provided client. can occur when the
target server principal name (spn) registered
on account other account target
service using. please ensure target
spn registered on, , registered on, the
account used server. error can also
happen when target service using a
different password target service account
kerberos key distribution center
(kdc) has target service account. please
ensure service on server , kdc
both updated use current password. if
server name not qualified, , the
target domain (companyname.local) different
client domain (companyname.local),
check if there identically named server
accounts in these 2 domains, or use the
fully-qualified name identify server.
......................... ch-dc1-2k8 failed test systemlog
test omitted user request: verifyreplicas
starting test: verifyreferences
system object reference (serverreference)
cn=ch-dc1-2k8,ou=domain controllers,dc=companyname,dc=local and
backlink on
cn=ch-dc1-2k8,cn=servers,cn=cardiff,cn=sites,cn=configuration,dc=companyname,dc=local
correct.
system object reference (frscomputerreferencebl)
cn=ch-dc1-2k8,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=companyname,dc=local
, backlink on
cn=ch-dc1-2k8,ou=domain controllers,dc=companyname,dc=local are
correct.
system object reference (serverreferencebl)
cn=ch-dc1-2k8,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=companyname,dc=local
, backlink on
cn=ntds settings,cn=ch-dc1-2k8,cn=servers,cn=cardiff,cn=sites,cn=configuration,dc=companyname,dc=local
correct.
......................... ch-dc1-2k8 passed test verifyreferences
test omitted user request: verifyenterprisereferences
test omitted user request: checksecurityerror
running partition tests on : schema
starting test: crossrefvalidation
......................... schema passed test crossrefvalidation
starting test: checksdrefdom
......................... schema passed test checksdrefdom
running partition tests on : configuration
starting test: crossrefvalidation
......................... configuration passed test crossrefvalidation
starting test: checksdrefdom
......................... configuration passed test checksdrefdom
running partition tests on : companyname
starting test: crossrefvalidation
......................... companyname passed test crossrefvalidation
starting test: checksdrefdom
......................... companyname passed test checksdrefdom
running enterprise tests on : companyname.local
starting test: intersite
skipping site cardiff, site outside scope provided the
command line arguments provided.
skipping site edinburgh, site outside scope provided by
command line arguments provided.
skipping site london, site outside scope provided the
command line arguments provided.
skipping site belfast, site outside scope provided the
command line arguments provided.
......................... companyname.local passed test intersite
starting test: fsmocheck
gc name: \\ch-dc1-2k8.companyname.local
locator flags: 0xe00011bd
pdc name: \\ch-dc1-2k8.companyname.local
locator flags: 0xe00011bd
warning: dcgetdcname(time_server) call failed, error 1355
time server not located.
server holding pdc role down.
warning: dcgetdcname(good_time_server_preferred) call failed, error 1355
time server not located.
kdc name: \\ch-dc1-2k8.companyname.local
locator flags: 0xe00011bd
......................... companyname.local failed test fsmocheck
test omitted user request: dns
test omitted user request: dns
My post is similar to the previous one:
You are missing the NETLOGON share.
Make sure you have the folder
%systemroot%\sysvol\sysvol\{domain}\
Then:
http://support.microsoft.com/default.aspx?scid=kb;en-us;947022
- Stop File Replication Services
  - Open services.msc
  - Locate File Replication Services
  - Stop service
- Change the SysvolReady flag
  - Click Start, click Run, type regedit, and click OK.
  - Locate the following subkey in Registry Editor:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  - In the details pane, right-click the SysvolReady flag, and click Modify.
  - In the Value data box, type 0, and click OK.
  - Again in the details pane, right-click the SysvolReady flag, and click Modify.
  - In the Value data box, type 1, and click OK.
  Note: This will cause Netlogon to share out SYSVOL, and the scripts folder.
- Start File Replication Services
  - Open services.msc
  - Locate File Replication Services
  - Stop service
- Check that NETLOGON / SYSVOL comes back
  - Open a command prompt
  - Run net share and confirm the folders are there
  Note: If the folders do not come back, check that the folder structure within the SYSVOL folder is correct.
This post is provided with no warranties or guarantees, and confers no rights.
~~~
This post provides no warranties and confers no rights.
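
The reset procedure above as a PowerShell script, added here as an example and not part of the original post or the KB article; it checks the folder structure first, toggles SysvolReady with FRS stopped, starts the service again (following the "Start File Replication Services" step heading), and then confirms the shares. Assumptions: PowerShell 2.0 or later in an elevated session on the affected DC, the default SYSVOL path the post gives, the NtFrs service name shown in the dcdiag output, and an arbitrary 15-second wait before the final check.

```powershell
# Added example: SysvolReady reset from the steps above, run elevated on the affected DC.
# Assumes the SYSVOL location given in the post (%systemroot%\sysvol\sysvol\{domain}).
$ErrorActionPreference = 'Stop'
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$root   = Join-Path $env:SystemRoot "sysvol\sysvol\$domain"

# Pre-check: toggling the flag cannot share out folders that do not exist.
foreach ($p in $root, (Join-Path $root 'scripts')) {
    if (-not (Test-Path $p)) { throw "Missing folder: $p (fix the SYSVOL tree first)" }
}

function Get-DcShares {
    # Win32_Share is used because it is available through WMI on Server 2008.
    Get-WmiObject Win32_Share |
        Where-Object { $_.Name -eq 'SYSVOL' -or $_.Name -eq 'NETLOGON' } |
        Select-Object Name, Path
}

"Before: SysvolReady = $((Get-ItemProperty $key).SysvolReady)"
Get-DcShares | Format-Table -AutoSize

Stop-Service NtFrs
try {
    # Toggle 0 -> 1, the same two edits the regedit steps make by hand.
    Set-ItemProperty $key -Name SysvolReady -Value 0
    Set-ItemProperty $key -Name SysvolReady -Value 1
}
finally {
    Start-Service NtFrs   # bring FRS back even if a registry write failed
}

Start-Sleep -Seconds 15   # arbitrary wait before checking (assumption)
$names = @(Get-DcShares | ForEach-Object { $_.Name })
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($names -contains $s) { "OK: $s is shared" }
    else { Write-Warning "$s is still not shared; recheck the folder structure" }
}
```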