  • AD Issues / Replication

    Hello,

    We have two Active Directory servers (PATERNO) and (HAPVAL). Both are Windows Server 2003. Yesterday morning we had a problem and realized that Active Directory somehow was corrupt.

    From Paterno to Hapval I can replicate fine. However, when I try to replicate from Hapval to Paterno I get: "Replication Access was denied".

    Does anyone have any pointers on how to proceed? We have a very simple network setup. Two servers, two domain controllers. Paterno had all FSMO roles.

    I have tried doing the "netdom resetpwd /server:hapval /userd:hapval\administrator_id /passwordd:*" with KCC disabled on the server and get:

    C:\Documents and Settings\Administrator.EBJACOBS>netdom resetpwd /server:hapval
    /userd:hapval\administrator_id /passwordd:*
    Type the password associated with the domain user:

    The machine account password for the local machine could not be reset.

    Multiple connections to a server or shared resource by the same user, using more
    than one user name, are not allowed. Disconnect all previous connections to the
    server or shared resource and try again.

    The command failed to complete successfully.

    -------------


    C:\Documents and Settings\Administrator.#>dcdiag /test:CheckSecurityError
    /ReplSource:hapval

    Doing initial required tests

    Testing server: Default-First-Site-Name\PATERNO
    Starting test: Connectivity
    ......................... PATERNO passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\PATERNO
    Starting test: CheckSecurityError
    The account PATERNO is not a DC account. It cannot replicate.
    Warning: Attribute userAccountControl of PATERNO is: 0x81000 = ( UF_WO
    RKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
    Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TR
    USTED_FOR_DELEGATION )
    This may be affecting replication?
    Unable to verify the machine account (CN=PATERNO,OU=Domain Controllers,
    DC=domainsite,DC=com) for PATERNO on PATERNO.
    Source DC HAPVAL has possible security error (8453). Diagnosing...
    Authoritative attribute dBCSPwd on HAPVAL (writeable)
    usnLocalChange = 1057114
    LastOriginatingDsa = HAPVAL
    usnOriginatingChange = 1057114
    timeLastOriginatingChange = 2008-04-30 09:41:23
    VersionLastOriginatingChange = 53
    Out-of-date attribute dBCSPwd on PATERNO (writeable)
    usnLocalChange = 1249346
    LastOriginatingDsa = PATERNO
    usnOriginatingChange = 1249346
    timeLastOriginatingChange = 2008-04-30 09:59:50
    VersionLastOriginatingChange = 52
    Authoritative attribute lmPwdHistory on HAPVAL (writeable)
    usnLocalChange = 1057114
    LastOriginatingDsa = HAPVAL
    usnOriginatingChange = 1057114
    timeLastOriginatingChange = 2008-04-30 09:41:23
    VersionLastOriginatingChange = 53
    Out-of-date attribute lmPwdHistory on PATERNO (writeable)
    usnLocalChange = 1249346
    LastOriginatingDsa = PATERNO
    usnOriginatingChange = 1249346
    timeLastOriginatingChange = 2008-04-30 09:59:50
    VersionLastOriginatingChange = 52
    Authoritative attribute ntPwdHistory on HAPVAL (writeable)
    usnLocalChange = 1057114
    LastOriginatingDsa = HAPVAL
    usnOriginatingChange = 1057114
    timeLastOriginatingChange = 2008-04-30 09:41:23
    VersionLastOriginatingChange = 53
    Out-of-date attribute ntPwdHistory on PATERNO (writeable)
    usnLocalChange = 1249346
    LastOriginatingDsa = PATERNO
    usnOriginatingChange = 1249346
    timeLastOriginatingChange = 2008-04-30 09:59:50
    VersionLastOriginatingChange = 52
    Authoritative attribute supplementalCredentials on HAPVAL (wri
    teable)
    usnLocalChange = 1057115
    LastOriginatingDsa = HAPVAL
    usnOriginatingChange = 1057115
    timeLastOriginatingChange = 2008-04-30 09:41:23
    VersionLastOriginatingChange = 52
    Out-of-date attribute supplementalCredentials on PATERNO (writ
    eable)
    usnLocalChange = 1249347
    LastOriginatingDsa = PATERNO
    usnOriginatingChange = 1249347
    timeLastOriginatingChange = 2008-04-30 09:59:50
    VersionLastOriginatingChange = 51
    Authoritative attribute unicodePwd on HAPVAL (writeable)
    usnLocalChange = 1057114
    LastOriginatingDsa = HAPVAL
    usnOriginatingChange = 1057114
    timeLastOriginatingChange = 2008-04-30 09:41:23
    VersionLastOriginatingChange = 53
    Out-of-date attribute unicodePwd on PATERNO (writeable)
    usnLocalChange = 1249346
    LastOriginatingDsa = PATERNO
    usnOriginatingChange = 1249346
    timeLastOriginatingChange = 2008-04-30 09:59:50
    VersionLastOriginatingChange = 52
    Unable to verify the convergence of this machine account (CN=HAPV
    AL,OU=Domain Controllers,DC=domainsite,DC=com) on these DC's (HAPVAL,PATERNO). Do
    es the machine account password need reseting? Are the SPN's in sync?
    Authoritative attribute dBCSPwd on HAPVAL (writeable)
    usnLocalChange = 1057114
    LastOriginatingDsa = HAPVAL
    usnOriginatingChange = 1057114
    timeLastOriginatingChange = 2008-04-30 09:41:23
    VersionLastOriginatingChange = 53
    Out-of-date attribute dBCSPwd on PATERNO (writeable)
    usnLocalChange = 1249346
    LastOriginatingDsa = PATERNO
    usnOriginatingChange = 1249346
    timeLastOriginatingChange = 2008-04-30 09:59:50
    VersionLastOriginatingChange = 52
    Authoritative attribute lmPwdHistory on HAPVAL (writeable)
    usnLocalChange = 1057114
    LastOriginatingDsa = HAPVAL
    usnOriginatingChange = 1057114
    timeLastOriginatingChange = 2008-04-30 09:41:23
    VersionLastOriginatingChange = 53
    Out-of-date attribute lmPwdHistory on PATERNO (writeable)
    usnLocalChange = 1249346
    LastOriginatingDsa = PATERNO
    usnOriginatingChange = 1249346
    timeLastOriginatingChange = 2008-04-30 09:59:50
    VersionLastOriginatingChange = 52
    Authoritative attribute ntPwdHistory on HAPVAL (writeable)
    usnLocalChange = 1057114
    LastOriginatingDsa = HAPVAL
    usnOriginatingChange = 1057114
    timeLastOriginatingChange = 2008-04-30 09:41:23
    VersionLastOriginatingChange = 53
    Out-of-date attribute ntPwdHistory on PATERNO (writeable)
    usnLocalChange = 1249346
    LastOriginatingDsa = PATERNO
    usnOriginatingChange = 1249346
    timeLastOriginatingChange = 2008-04-30 09:59:50
    VersionLastOriginatingChange = 52
    Authoritative attribute supplementalCredentials on HAPVAL (wri
    teable)
    usnLocalChange = 1057115
    LastOriginatingDsa = HAPVAL
    usnOriginatingChange = 1057115
    timeLastOriginatingChange = 2008-04-30 09:41:23
    VersionLastOriginatingChange = 52
    Out-of-date attribute supplementalCredentials on PATERNO (writ
    eable)
    usnLocalChange = 1249347
    LastOriginatingDsa = PATERNO
    usnOriginatingChange = 1249347
    timeLastOriginatingChange = 2008-04-30 09:59:50
    VersionLastOriginatingChange = 51
    Authoritative attribute unicodePwd on HAPVAL (writeable)
    usnLocalChange = 1057114
    LastOriginatingDsa = HAPVAL
    usnOriginatingChange = 1057114
    timeLastOriginatingChange = 2008-04-30 09:41:23
    VersionLastOriginatingChange = 53
    Out-of-date attribute unicodePwd on PATERNO (writeable)
    usnLocalChange = 1249346
    LastOriginatingDsa = PATERNO
    usnOriginatingChange = 1249346
    timeLastOriginatingChange = 2008-04-30 09:59:50
    VersionLastOriginatingChange = 52
    Unable to verify the convergence of this machine account (CN=HAPV
    AL,OU=Domain Controllers,DC=domainsite,DC=com) on this domain (DC=domainsite,DC=com)
    . Does the machine account password need reseting or are the SPN's in sync?
    [HAPVAL] Unable to diagnose problem for this source. See any err
    ors reported in attempting tests.
    ......................... PATERNO failed test CheckSecurityError
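
An added example, not part of the original post: a short Python script that decodes the `userAccountControl` value dcdiag warns about and extracts the per-DC attribute versions from CheckSecurityError output, to show which DC holds the stale copy of each password attribute. The function names are hypothetical and the sample text is a trimmed excerpt of the output quoted above.

```python
import re

# userAccountControl bits named in the dcdiag warning.
UAC_FLAGS = {0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
             0x2000: "UF_SERVER_TRUST_ACCOUNT",
             0x80000: "UF_TRUSTED_FOR_DELEGATION"}
# One record: status, attribute, DC, then the first version line that follows.
REC_RE = re.compile(r"(Authoritative|Out-of-date) attribute (\w+) on (\w+)"
                    r".*?VersionLastOriginatingChange = (\d+)", re.S)

def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def is_dc_account(value):
    """A DC machine account carries the server-trust bit, not the workstation bit."""
    return bool(value & 0x2000) and not value & 0x1000

def parse_attr_versions(text):
    """Map attribute -> {dc: (status, version)} from CheckSecurityError output."""
    versions = {}
    for status, attr, dc, ver in REC_RE.findall(text):
        versions.setdefault(attr, {})[dc] = (status, int(ver))
    return versions

def stale_copies(versions):
    """Attributes whose version differs between DCs, with the DCs that lag."""
    out = {}
    for attr, per_dc in versions.items():
        newest = max(v for _, v in per_dc.values())
        stale = sorted(dc for dc, (_, v) in per_dc.items() if v < newest)
        if stale:
            out[attr] = stale
    return out

# Trimmed excerpt of the dcdiag output in the post (attribute and version lines only).
SAMPLE = """\
Authoritative attribute supplementalCredentials on HAPVAL (writeable)
VersionLastOriginatingChange = 52
Out-of-date attribute supplementalCredentials on PATERNO (writeable)
VersionLastOriginatingChange = 51
Authoritative attribute unicodePwd on HAPVAL (writeable)
VersionLastOriginatingChange = 53
Out-of-date attribute unicodePwd on PATERNO (writeable)
VersionLastOriginatingChange = 52
"""

if __name__ == "__main__":
    print(hex(0x81000), decode_uac(0x81000), "DC account:", is_dc_account(0x81000))
    print(stale_copies(parse_attr_versions(SAMPLE)))
```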