  • NTDS Issues

    Hi Guys,

    I posted this in the W2k3 forum, probably the wrong place, so am posting this again into a suitable forum.

    I have seen this come up in the forums but cannot find the actual resolution. It would be very handy if someone could point me to the correct thread or even offer a solution. Can this be fixed? It happens on the DC that has always been up and running and holds all FSMO roles. It came about after the following situation:

    - Second DC failed
    - Restored it from a ghost image 2 days old
    - Started getting AD errors on this DC after the restore
    - Demoted the DC (the ghosted image)
    - Cleaned metadata with NTDSUTIL run from the other DC (the original one that's always been up)
    - Rejoined the machine back as a DC (same name, same IP)
    - Started receiving these NTDS Replication problems every 2 minutes

    Not sure what to do now, or what state my AD and replication is in...

    The error message in full is as below:

    5/4/2007 8:56:26 AM NTDS Replication Error DS RPC Client 1411 NT AUTHORITY\ANONYMOUS LOGON HELIX "Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller.

    Domain controller:
    5a4fb31d-6041-4c0a-9c54-743ee87e9e04._msdcs.enterprise.local

    The call was denied. Communication with this domain controller might be affected.

    Additional Data
    Error value:
    8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute."
    5/4/2007 8:56:23 AM NTDS Replication Error DS RPC Client 1411 NT AUTHORITY\ANONYMOUS LOGON HELIX "Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller.

    Domain controller:
    ec4fdc35-026c-470d-b6b9-11c6ab5ae51d._msdcs.enterprise.local

    The call was denied. Communication with this domain controller might be affected.

    Thanks
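Error 8589 in the event above says the server object for the DC named by its NTDS Settings GUID (the `<guid>._msdcs.<forest>` name) has no serverReference attribute. The read-only diagnostic below is an added example, not something posted in this thread; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine, and it lists every server object in the Configuration partition, flags a missing or wrong serverReference, and marks which one matches the GUID quoted in the event.

```powershell
Import-Module ActiveDirectory

function Test-DcServerReference {
    param(
        # GUID quoted in the NTDS Replication 1411 event (<guid>._msdcs.<forest>)
        [string]$ReportedGuid
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # Every DC has a server object under CN=Sites in the Configuration partition
    $servers = Get-ADObject -LDAPFilter '(objectClass=server)' `
                            -SearchBase "CN=Sites,$configNC" `
                            -Properties serverReference, dNSHostName

    foreach ($srv in $servers) {
        # The child NTDS Settings object's objectGUID is the name used in the _msdcs zone
        $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' `
                             -SearchBase $srv.DistinguishedName -SearchScope OneLevel
        $guid = if ($ntds) { $ntds.ObjectGUID.ToString() } else { $null }

        # serverReference should hold the DN of the DC's computer account (same name)
        $computer = Get-ADComputer -LDAPFilter "(cn=$($srv.Name))" -ErrorAction SilentlyContinue

        $status = 'OK'
        if (-not $srv.serverReference) {
            $status = 'MISSING serverReference (error 8589)'
        } elseif ($computer -and $srv.serverReference -ne $computer.DistinguishedName) {
            $status = 'serverReference does not point at the computer account'
        }

        [pscustomobject]@{
            Server          = $srv.Name
            NtdsGuid        = $guid
            MatchesEvent    = [bool]($ReportedGuid -and $guid -eq $ReportedGuid)
            ServerReference = $srv.serverReference
            ExpectedRef     = $computer.DistinguishedName
            Status          = $status
        }
    }
}

# GUID taken from the first event quoted in the thread
Test-DcServerReference -ReportedGuid '5a4fb31d-6041-4c0a-9c54-743ee87e9e04' | Format-Table -AutoSize
```

The script only reports; the ExpectedRef column shows the DN that a missing serverReference would normally be populated with once the metadata cleanup and rejoin are confirmed to have left a single, correct server object for that DC.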

  • #2
    Re: NTDS Issues

    Global Catalog & Infrastructure Master on the same DC? How many GC servers do you have in your local site?

    2 possible solutions

    - Make all DC's global catalog
    - Keep Global Catalog & Infrastructure Master on different DC's.

    Restoring a DC via Ghost is not a good solution. Use the default Windows backup scheme to back up the "system state backup".


    [P.S.: Are you sure that replication has completed? After restoring, how long did you keep that DC idle for replication? Many times, network traffic or loops in a switch delay replication.]
    Last edited by sco1984; 14th May 2007, 11:21.
    All in 1
    Solaris,Linux & Windows admin + networking.



    • #3
      Re: NTDS Issues

      Check out Petri's how-to on removing a failed DC from "AD" and "DNS":

      http://www.petri.com/delete_failed_dcs_from_ad.htm

      http://support.microsoft.com/Default.aspx?id=216498



      • #4
        Re: NTDS Issues

        Had a semi-similar issue.

        The links posted by virgel and written by Daniel cleared out a failed DC from AD and allowed us to bring it back online and replication is happy.

        One thing I might suggest is to grab the Windows Server install CD and rebuild the server from scratch, clean the AD database with ntdsutil, and then bring the server back up to DC status.

        Hope this helps.

        Nate

        My advice is provided AS IS, without warranty of any kind, express or implied. Follow at your own risk.



        • #5
          Re: NTDS Issues

          Originally posted by sco1984:
          - Keep Global Catalog & Infrastructure Master on different DC's.
          This is only required in multi-domain forests. In a single-domain forest the Infrastructure Master FSMO is not really doing anything.

          Originally posted by sco1984:
          Restoring a DC via Ghost is not a good solution. Use the default Windows backup scheme to back up the "system state backup".
          This is not only "not good". This is unsupported if you have more than one DC and it does break things. Do not do it.
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"



          • #6
            Re: NTDS Issues

            Hi, I'm using the same method (imaging) for my DCs' DRP (using Acronis True Image software - online backup) but have not yet had a chance to test it (I don't have additional hardware the same as the running servers, but plan to purchase Acronis Universal Restore to eliminate the issue). I found an interesting discussion about DC recovery (the same as this topic) in Acronis's forum: http://www.wilderssecurity.com/showt...ain+controller

            As mentioned by Guy, it's not recommended and not good, but in that thread they explain how to resolve the issue.
            I create a system image of my DCs (weekly) and stop the ntfrs and netlogon services before the imaging process, as recommended in that thread.
            I just want to make sure that my system is able to be restored in case of failure (and will test it soon). Has anyone here tested the method already? Please advise.

            Regards,

            Acung
