
AD Replication issues - HELP!


  • AD Replication issues - HELP!

    We are having some serious replication issues. I have a Windows 2008 domain and 3 Server 2008 Std 64-bit DCs.
    We had a time issue this morning that might be related. We were getting Kerberos ticket errors and logon issues during the time issue. Most (if not all) servers were off by 12 hours ahead. I changed all my DCs' time back 12 hours to the correct time, pretty much rebooted everything, and set them to use NTP so this doesn't happen again. Time seems to have stabilized.
    Now when I try to replicate DCs I get an "RPC too busy" error.
    I ran DCDIAG and have put the output below. PLEASE HELP!
    C:\Windows\system32>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
    Trying to find home server...
    Home Server = MASPDC03
    * Identified AD Forest.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\MASPDC03
    Starting test: Connectivity
    ......................... MASPDC03 passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\MASPDC03
    Starting test: Advertising
    ......................... MASPDC03 passed test Advertising
    Starting test: FrsEvent
    ......................... MASPDC03 passed test FrsEvent
    Starting test: DFSREvent
    There are warning or error events within the last 24 hours after the SYSVOL has been
    shared. Failing SYSVOL replication problems may cause Group Policy problems.
    ......................... MASPDC03 failed test DFSREvent
    Starting test: SysVolCheck
    ......................... MASPDC03 passed test SysVolCheck
    Starting test: KccEvent
    ......................... MASPDC03 passed test KccEvent
    Starting test: KnowsOfRoleHolders
    [MAVSPDC01] DsBindWithSpnEx() failed with error 1723,
    The RPC server is too busy to complete this operation..
    Warning: MAVSPDC01 is the Schema Owner, but is not responding to DS RPC Bind.
    [MAVSPDC01] LDAP bind failed with error 8341,
    A directory service error has occurred..
    Warning: MAVSPDC01 is the Schema Owner, but is not responding to LDAP Bind.
    Warning: MAVSPDC01 is the Domain Owner, but is not responding to DS RPC Bind.
    Warning: MAVSPDC01 is the Domain Owner, but is not responding to LDAP Bind.
    Warning: MAVSPDC01 is the PDC Owner, but is not responding to DS RPC Bind.
    Warning: MAVSPDC01 is the PDC Owner, but is not responding to LDAP Bind.
    Warning: MAVSPDC01 is the Rid Owner, but is not responding to DS RPC Bind.
    Warning: MAVSPDC01 is the Rid Owner, but is not responding to LDAP Bind.
    [MAVSPDC02] DsBindWithSpnEx() failed with error 1723,
    The RPC server is too busy to complete this operation..
    Warning: MAVSPDC02 is the Infrastructure Update Owner, but is not responding to DS RPC
    Bind.
    [MAVSPDC02] LDAP bind failed with error 8341,
    A directory service error has occurred..
    Warning: MAVSPDC02 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
    ......................... MASPDC03 failed test KnowsOfRoleHolders
    Starting test: MachineAccount
    ......................... MASPDC03 passed test MachineAccount
    Starting test: NCSecDesc
    ......................... MASPDC03 passed test NCSecDesc
    Starting test: NetLogons
    ......................... MASPDC03 passed test NetLogons
    Starting test: ObjectsReplicated
    ......................... MASPDC03 passed test ObjectsReplicated
    Starting test: Replications
    [Replications Check,MASPDC03] A recent replication attempt failed:
    From MAVSPDC01 to MASPDC03
    Naming Context: DC=ForestDnsZones,DC=ma,DC=corp
    The replication generated an error (-2146893022):
    The target principal name is incorrect.
    The failure occurred at 2008-08-19 14:52:53.
    The last success occurred at 2008-08-19 14:46:58.
    1 failures have occurred since the last success.
    ......................... MASPDC03 failed test Replications
    Starting test: RidManager
    ......................... MASPDC03 failed test RidManager
    Starting test: Services
    ......................... MASPDC03 passed test Services
    Starting test: SystemLog
    An Warning Event occurred. EventID: 0x80000008
    Time Generated: 08/19/2008 14:28:47
    Event String:
    The jobs in the print queue for printer Microsoft XPS Document Writer (redirected 2) wer
    e deleted. No user action is required.
    An Warning Event occurred. EventID: 0x80000004
    Time Generated: 08/19/2008 14:28:47
    Event String:
    Printer Microsoft XPS Document Writer (redirected 2) will be deleted. No user action is
    required.
    An Warning Event occurred. EventID: 0x80000003
    Time Generated: 08/19/2008 14:28:48
    Event String:
    Printer Microsoft XPS Document Writer (redirected 2) was deleted, and users will no long
    er be able to print to this printer. No user action is required.
    An Warning Event occurred. EventID: 0x80000008
    Time Generated: 08/19/2008 14:28:48
    Event String:
    The jobs in the print queue for printer Fax (redirected 2) were deleted. No user action
    is required.
    An Warning Event occurred. EventID: 0x80000004
    Time Generated: 08/19/2008 14:28:48
    Event String: Printer Fax (redirected 2) will be deleted. No user action is required.
    An Warning Event occurred. EventID: 0x80000003
    Time Generated: 08/19/2008 14:28:48
    Event String:
    Printer Fax (redirected 2) was deleted, and users will no longer be able to print to thi
    s printer. No user action is required.
    An Error Event occurred. EventID: 0xC0001B72
    Time Generated: 08/19/2008 14:32:42
    Event String: The following boot-start or system-start driver(s) failed to load:
    An Warning Event occurred. EventID: 0x00001696
    Time Generated: 08/19/2008 14:32:45
    Event String:
    Dynamic registration or deregistration of one or more DNS records failed with the follow
    ing error:
    An Error Event occurred. EventID: 0x40000004
    Time Generated: 08/19/2008 14:33:54
    Event String:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server mavspdc01$. The
    target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/c78a4aa0-4f14-4d56-b323-b705802250d3/ma.c
    [email protected]. This indicates that the target server failed to decrypt the ticket provided by the clie
    nt. This can occur when the target server principal name (SPN) is registered on an account other tha
    n the account the target service is using. Please ensure that the target SPN is registered on, and o
    nly registered on, the account used by the server. This error can also happen when the target servic
    e is using a different password for the target service account than what the Kerberos Key Distributi
    on Center (KDC) has for the target service account. Please ensure that the service on the server and
    the KDC are both updated to use the current password. If the server name is not fully qualified, an
    d the target domain (MA.CORP) is different from the client domain (MA.CORP), check if there are iden
    tically named server accounts in these two domains, or use the fully-qualified name to identify the
    server.
    An Error Event occurred. EventID: 0x40000004
    Time Generated: 08/19/2008 14:35:01
    Event String:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server mavspfp01$. The
    target name used was cifs/MAVSPFP01.ma.corp. This indicates that the target server failed to decryp
    t the ticket provided by the client. This can occur when the target server principal name (SPN) is r
    egistered on an account other than the account the target service is using. Please ensure that the t
    arget SPN is registered on, and only registered on, the account used by the server. This error can a
    lso happen when the target service is using a different password for the target service account than
    what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure t
    hat the service on the server and the KDC are both updated to use the current password. If the serve
    r name is not fully qualified, and the target domain (MA.CORP) is different from the client domain (
    MA.CORP), check if there are identically named server accounts in these two domains, or use the full
    y-qualified name to identify the server.
    An Error Event occurred. EventID: 0x00000457
    Time Generated: 08/19/2008 14:35:04
    Event String:
    Driver HP LaserJet 8000 Series PCL required for printer !!phlvirtusfs01!HP8000 is unknow
    n. Contact the administrator to install the driver before you log in again.
    An Error Event occurred. EventID: 0x00000457
    Time Generated: 08/19/2008 14:35:05
    Event String:
    Driver HP LaserJet M1319f MFP required for printer !!mawgschrems!HP LaserJet M1319f MFP
    is unknown. Contact the administrator to install the driver before you log in again.
    An Error Event occurred. EventID: 0x00000457
    Time Generated: 08/19/2008 14:35:07
    Event String:
    Driver Send To Microsoft OneNote Driver required for printer Send To OneNote 2007 is unk
    nown. Contact the administrator to install the driver before you log in again.
    An Error Event occurred. EventID: 0x40000004
    Time Generated: 08/19/2008 14:35:18

  • #2
    Re: AD Replication issues - HELP!

    Event String:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server mavspdc02$. The
    target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/69ec5e22-c36e-4e93-9898-c9cd0ff6a040/ma.c
    [email protected]. This indicates that the target server failed to decrypt the ticket provided by the clie
    nt. This can occur when the target server principal name (SPN) is registered on an account other tha
    n the account the target service is using. Please ensure that the target SPN is registered on, and o
    nly registered on, the account used by the server. This error can also happen when the target servic
    e is using a different password for the target service account than what the Kerberos Key Distributi
    on Center (KDC) has for the target service account. Please ensure that the service on the server and
    the KDC are both updated to use the current password. If the server name is not fully qualified, an
    d the target domain (MA.CORP) is different from the client domain (MA.CORP), check if there are iden
    tically named server accounts in these two domains, or use the fully-qualified name to identify the
    server.
    An Error Event occurred. EventID: 0x40000004
    Time Generated: 08/19/2008 14:35:54
    Event String:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server mavspdc01$. The
    target name used was ldap/MAVSPDC01.ma.corp. This indicates that the target server failed to decryp
    t the ticket provided by the client. This can occur when the target server principal name (SPN) is r
    egistered on an account other than the account the target service is using. Please ensure that the t
    arget SPN is registered on, and only registered on, the account used by the server. This error can a
    lso happen when the target service is using a different password for the target service account than
    what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure t
    hat the service on the server and the KDC are both updated to use the current password. If the serve
    r name is not fully qualified, and the target domain (MA.CORP) is different from the client domain (
    MA.CORP), check if there are identically named server accounts in these two domains, or use the full
    y-qualified name to identify the server.
    An Error Event occurred. EventID: 0x0000168E
    Time Generated: 08/19/2008 14:37:47
    Event String:
    The dynamic registration of the DNS record '_ldap._tcp.gc._msdcs.ma.corp. 600 IN SRV 0 1
    00 3268 MASPDC03.ma.corp.' failed on the following DNS server:
    An Error Event occurred. EventID: 0x0000168E
    Time Generated: 08/19/2008 14:37:48
    Event String:
    The dynamic registration of the DNS record '_gc._tcp.ma.corp. 600 IN SRV 0 100 3268 MASP
    DC03.ma.corp.' failed on the following DNS server:
    An Warning Event occurred. EventID: 0x80000008
    Time Generated: 08/19/2008 14:48:11
    Event String:
    The jobs in the print queue for printer Microsoft XPS Document Writer (redirected 2) wer
    e deleted. No user action is required.
    An Warning Event occurred. EventID: 0x80000004
    Time Generated: 08/19/2008 14:48:11
    Event String:
    Printer Microsoft XPS Document Writer (redirected 2) will be deleted. No user action is
    required.
    An Warning Event occurred. EventID: 0x80000003
    Time Generated: 08/19/2008 14:48:11
    Event String:
    Printer Microsoft XPS Document Writer (redirected 2) was deleted, and users will no long
    er be able to print to this printer. No user action is required.
    An Warning Event occurred. EventID: 0x80000008
    Time Generated: 08/19/2008 14:48:11
    Event String:
    The jobs in the print queue for printer Fax (redirected 2) were deleted. No user action
    is required.
    An Warning Event occurred. EventID: 0x80000004
    Time Generated: 08/19/2008 14:48:11
    Event String: Printer Fax (redirected 2) will be deleted. No user action is required.
    An Warning Event occurred. EventID: 0x80000003
    Time Generated: 08/19/2008 14:48:11
    Event String:
    Printer Fax (redirected 2) was deleted, and users will no longer be able to print to thi
    s printer. No user action is required.
    An Error Event occurred. EventID: 0x00000457
    Time Generated: 08/19/2008 14:48:31
    Event String:
    Driver HP LaserJet 8000 Series PCL required for printer !!phlvirtusfs01!HP8000 is unknow
    n. Contact the administrator to install the driver before you log in again.
    An Error Event occurred. EventID: 0x00000457
    Time Generated: 08/19/2008 14:48:32
    Event String:
    Driver HP LaserJet M1319f MFP required for printer !!mawgschrems!HP LaserJet M1319f MFP
    is unknown. Contact the administrator to install the driver before you log in again.
    An Error Event occurred. EventID: 0x00000457
    Time Generated: 08/19/2008 14:48:35
    Event String:
    Driver Send To Microsoft OneNote Driver required for printer Send To OneNote 2007 is unk
    nown. Contact the administrator to install the driver before you log in again.
    An Error Event occurred. EventID: 0x40000004
    Time Generated: 08/19/2008 14:58:00
    Event String:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server mavspdc01$. The
    target name used was ldap/mavspdc01.ma.corp. This indicates that the target server failed to decryp
    t the ticket provided by the client. This can occur when the target server principal name (SPN) is r
    egistered on an account other than the account the target service is using. Please ensure that the t
    arget SPN is registered on, and only registered on, the account used by the server. This error can a
    lso happen when the target service is using a different password for the target service account than
    what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure t
    hat the service on the server and the KDC are both updated to use the current password. If the serve
    r name is not fully qualified, and the target domain (MA.CORP) is different from the client domain (
    MA.CORP), check if there are identically named server accounts in these two domains, or use the full
    y-qualified name to identify the server.
    An Error Event occurred. EventID: 0x40000004
    Time Generated: 08/19/2008 14:58:01
    Event String:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server mavspdc02$. The
    target name used was ldap/mavspdc02.ma.corp. This indicates that the target server failed to decryp
    t the ticket provided by the client. This can occur when the target server principal name (SPN) is r
    egistered on an account other than the account the target service is using. Please ensure that the t
    arget SPN is registered on, and only registered on, the account used by the server. This error can a
    lso happen when the target service is using a different password for the target service account than
    what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure t
    hat the service on the server and the KDC are both updated to use the current password. If the serve
    r name is not fully qualified, and the target domain (MA.CORP) is different from the client domain (
    MA.CORP), check if there are identically named server accounts in these two domains, or use the full
    y-qualified name to identify the server.
    ......................... MASPDC03 failed test SystemLog
    Starting test: VerifyReferences
    ......................... MASPDC03 passed test VerifyReferences


    Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation

    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation

    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation

    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation

    Running partition tests on : ma
    Starting test: CheckSDRefDom
    ......................... ma passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... ma passed test CrossRefValidation

    Running enterprise tests on : ma.corp
    Starting test: LocatorCheck
    ......................... ma.corp passed test LocatorCheck
    Starting test: Intersite
    ......................... ma.corp passed test Intersite

    C:\Windows\system32>



    • #3
      Re: AD Replication issues - HELP!

      Looks like a mess!
      Are these servers all in the same site? Make sure the time zones as well as current times are all correct. Personally I would be tempted to make sure the main role holder is looking at itself for DNS and then restart netlogon. Then change the other 2 so they look at the "main" server and restart their netlogons. I would be tempted to stop the firewalls on all 3 too.
      cheers
      Andy

      Please read this before you post:


      Quis custodiet ipsos custodes?



      • #4
        Re: AD Replication issues - HELP!

        I don't like DCDIAG at all; the simplest DNS errors (I'll bet this is your problem) can make it look like your AD is just a disaster.

        Try Andy's advice.



        • #5
          Re: AD Replication issues - HELP!

          Yes, the servers are in the same site. I just double-checked time and time zones on all the servers and they were correct. DNS is also pointing to itself (loopback) for our first DC, DC01, which pretty much holds all the roles, and all the other DCs have DNS pointed to it with their loopback as a secondary address. I restarted the netlogon service and still receive the same errors. They also don't have any firewalls enabled.



          • #6
            Re: AD Replication issues - HELP!

            OK, it looks like my errors are coming from DC03 and replicating to it. The other DCs seem to replicate fine. I did a DCDIAG on DC01 and it looks a lot better than DC03's. See below.


            C:\Users\admrshilling>dcdiag

            Directory Server Diagnosis

            Performing initial setup:
            Trying to find home server...
            Home Server = MAVSPDC01
            * Identified AD Forest.
            Done gathering initial info.

            Doing initial required tests

            Testing server: Default-First-Site-Name\MAVSPDC01
            Starting test: Connectivity
            ......................... MAVSPDC01 passed test Connectivity

            Doing primary tests

            Testing server: Default-First-Site-Name\MAVSPDC01
            Starting test: Advertising
            ......................... MAVSPDC01 passed test Advertising
            Starting test: FrsEvent
            ......................... MAVSPDC01 passed test FrsEvent
            Starting test: DFSREvent
            There are warning or error events within the last 24 hours after the
            SYSVOL has been shared. Failing SYSVOL replication problems may cause
            Group Policy problems.
            ......................... MAVSPDC01 failed test DFSREvent
            Starting test: SysVolCheck
            ......................... MAVSPDC01 passed test SysVolCheck
            Starting test: KccEvent
            ......................... MAVSPDC01 passed test KccEvent
            Starting test: KnowsOfRoleHolders
            ......................... MAVSPDC01 passed test KnowsOfRoleHolders
            Starting test: MachineAccount
            ......................... MAVSPDC01 passed test MachineAccount
            Starting test: NCSecDesc
            ......................... MAVSPDC01 passed test NCSecDesc
            Starting test: NetLogons
            ......................... MAVSPDC01 passed test NetLogons
            Starting test: ObjectsReplicated
            ......................... MAVSPDC01 passed test ObjectsReplicated
            Starting test: Replications
            [Replications Check,MAVSPDC01] A recent replication attempt failed:
            From MASPDC03 to MAVSPDC01
            Naming Context: DC=ForestDnsZones,DC=ma,DC=corp
            The replication generated an error (1825):
            A security package specific error occurred.
            The failure occurred at 2008-08-19 17:09:37.
            The last success occurred at 2008-08-19 14:26:15.
            13 failures have occurred since the last success.
            [Replications Check,MAVSPDC01] A recent replication attempt failed:
            From MASPDC03 to MAVSPDC01
            Naming Context: DC=DomainDnsZones,DC=ma,DC=corp
            The replication generated an error (1825):
            A security package specific error occurred.
            The failure occurred at 2008-08-19 16:49:17.
            The last success occurred at 2008-08-19 14:26:15.
            3 failures have occurred since the last success.
            [Replications Check,MAVSPDC01] A recent replication attempt failed:
            From MASPDC03 to MAVSPDC01
            Naming Context: CN=Schema,CN=Configuration,DC=ma,DC=corp
            The replication generated an error (1825):
            A security package specific error occurred.
            The failure occurred at 2008-08-19 16:49:16.
            The last success occurred at 2008-08-19 14:26:15.
            3 failures have occurred since the last success.
            [Replications Check,MAVSPDC01] A recent replication attempt failed:
            From MASPDC03 to MAVSPDC01
            Naming Context: CN=Configuration,DC=ma,DC=corp
            The replication generated an error (1825):
            A security package specific error occurred.
            The failure occurred at 2008-08-19 17:05:41.
            The last success occurred at 2008-08-19 14:26:15.
            5 failures have occurred since the last success.
            [Replications Check,MAVSPDC01] A recent replication attempt failed:
            From MASPDC03 to MAVSPDC01
            Naming Context: DC=ma,DC=corp
            The replication generated an error (1825):
            A security package specific error occurred.
            The failure occurred at 2008-08-19 17:14:00.
            The last success occurred at 2008-08-19 14:26:15.
            75 failures have occurred since the last success.
            ......................... MAVSPDC01 failed test Replications
            Starting test: RidManager
            ......................... MAVSPDC01 passed test RidManager
            Starting test: Services
            ......................... MAVSPDC01 passed test Services
            Starting test: SystemLog
            An Error Event occurred. EventID: 0xC00A0038
            Time Generated: 08/19/2008 16:19:17
            Event String:
            The Terminal Server security layer detected an error in the protocol
            stream and has disconnected the client.
            An Error Event occurred. EventID: 0x00000457
            Time Generated: 08/19/2008 16:19:43
            Event String:
            Driver Send To Microsoft OneNote Driver required for printer Send To
            OneNote 2007 is unknown. Contact the administrator to install the driver before
            you log in again.
            An Error Event occurred. EventID: 0x00000457
            Time Generated: 08/19/2008 16:19:47
            Event String:
            Driver HP LaserJet M1319f MFP required for printer !!mawgschrems!HP
            LaserJet M1319f MFP is unknown. Contact the administrator to install the driver
            before you log in again.
            An Error Event occurred. EventID: 0x00000457
            Time Generated: 08/19/2008 16:19:48
            Event String:
            Driver HP LaserJet 8000 Series PCL required for printer !!phlvirtusf
            s01!HP8000 is unknown. Contact the administrator to install the driver before yo
            u log in again.
            ......................... MAVSPDC01 failed test SystemLog
            Starting test: VerifyReferences
            ......................... MAVSPDC01 passed test VerifyReferences


            Running partition tests on : ForestDnsZones
            Starting test: CheckSDRefDom
            ......................... ForestDnsZones passed test CheckSDRefDom
            Starting test: CrossRefValidation
            ......................... ForestDnsZones passed test
            CrossRefValidation

            Running partition tests on : DomainDnsZones
            Starting test: CheckSDRefDom
            ......................... DomainDnsZones passed test CheckSDRefDom
            Starting test: CrossRefValidation
            ......................... DomainDnsZones passed test
            CrossRefValidation

            Running partition tests on : Schema
            Starting test: CheckSDRefDom
            ......................... Schema passed test CheckSDRefDom
            Starting test: CrossRefValidation
            ......................... Schema passed test CrossRefValidation

            Running partition tests on : Configuration
            Starting test: CheckSDRefDom
            ......................... Configuration passed test CheckSDRefDom
            Starting test: CrossRefValidation
            ......................... Configuration passed test CrossRefValidation

            Running partition tests on : ma
            Starting test: CheckSDRefDom
            ......................... ma passed test CheckSDRefDom
            Starting test: CrossRefValidation
            ......................... ma passed test CrossRefValidation

            Running enterprise tests on : ma.corp
            Starting test: LocatorCheck
            ......................... ma.corp passed test LocatorCheck
            Starting test: Intersite
            ......................... ma.corp passed test Intersite

            C:\Users\admrshilling>

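A way to triage dcdiag output like the two dumps posted in this thread, as an added Python example that is not part of any post: it lists the failed tests, decodes the replication error codes, and counts KRB_AP_ERR_MODIFIED events per server and SPN service class. The function names and the `SAMPLE` text (trimmed from the thread's output, with one SPN hard-wrapped on purpose) are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Numeric codes seen in the thread's output, with their winerror.h names.
KNOWN = {0x80090322: "SEC_E_WRONG_PRINCIPAL", 1825: "RPC_S_SEC_PKG_ERROR",
         1723: "RPC_S_SERVER_TOO_BUSY", 8341: "ERROR_DS_GENERIC_ERROR"}
FMT = "%Y-%m-%d %H:%M:%S"

FAILED = re.compile(r"^\s*\.+ (\S+) failed test (\S+)", re.M)
REPL = re.compile(
    r"From (\S+) to (\S+)\s+Naming Context: (\S+)\s+"
    r"The replication generated an error \((-?\d+)\):\s+.+?"
    r"The failure occurred at ([\d: -]+)\.\s+"
    r"The last success occurred at ([\d: -]+)\.\s+"
    r"(\d+) failures", re.S)
KRB = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (\S+?)\.\s+The\s+"
    r"target name used was (.+?)\.\s+This\s+indicates", re.S)

def hresult(code: int) -> str:
    """dcdiag prints SSPI errors as signed 32-bit decimals; return unsigned hex."""
    return f"0x{code & 0xFFFFFFFF:08X}"

def triage(text: str) -> dict:
    repl = []
    for src, dst, nc, code, failed, ok, count in REPL.findall(text):
        code = int(code)
        gap = datetime.strptime(failed, FMT) - datetime.strptime(ok, FMT)
        repl.append({"source": src, "dest": dst, "nc": nc,
                     "hex": hresult(code),
                     "name": KNOWN.get(code & 0xFFFFFFFF, "unknown"),
                     "failures": int(count),
                     "stale_seconds": int(gap.total_seconds())})
    krb = Counter()
    for server, target in KRB.findall(text):
        spn = re.sub(r"\s+", "", target)  # undo console hard-wraps inside the SPN
        # Key: (host without the trailing $ of the machine account, SPN service class)
        krb[(server.rstrip("$").upper(), spn.split("/")[0].lower())] += 1
    return {
        "failed_tests": FAILED.findall(text),
        "replication": repl,
        "kerberos": dict(krb),
        # Replication sources that also rejected this DC's Kerberos tickets.
        "partners_with_both": sorted(
            {r["source"].upper() for r in repl} & {host for host, _ in krb}),
    }

# Constructed sample: lines in the format of the thread's dcdiag output.
SAMPLE = """\
Starting test: Replications
[Replications Check,MASPDC03] A recent replication attempt failed:
From MAVSPDC01 to MASPDC03
Naming Context: DC=ForestDnsZones,DC=ma,DC=corp
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2008-08-19 14:52:53.
The last success occurred at 2008-08-19 14:46:58.
1 failures have occurred since the last success.
......................... MASPDC03 failed test Replications
Starting test: SystemLog
An Error Event occurred. EventID: 0x40000004
Time Generated: 08/19/2008 14:35:54
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server mavspdc01$. The
target name used was ldap/MAVSPDC01.ma.corp. This indicates that the target server failed to decryp
t the ticket provided by the client.
An Error Event occurred. EventID: 0x40000004
Time Generated: 08/19/2008 14:35:01
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server mavspfp01$. The
target name used was cifs/MAVSPFP01.ma.c
orp. This indicates that the target server failed to decrypt the ticket provided by the client.
......................... MASPDC03 failed test SystemLog
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Save the real output with `dcdiag > dcdiag.txt` on each DC and pass the file contents to `triage()` to compare the DCs side by side.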


            • #7
              Re: AD Replication issues - HELP!

              Try ip versus loopback
