AD Replication issue, DNS, Kerberos
I have a problem between two onsite DNS servers. The Primary FSMO DC "server" seems to be OK, but I will post its DCDiag in a minute. The second DC, "DC2", has problems reaching one particular new server via DNS name, the file server called "Server2".
If DC2 tries \\server2\ an error box appears: "Logon Failure: The target account name is incorrect". However, accessing via Server2's IP address is fine. No other systems on the network are having issues with Server2 or each other. This problem is isolated between DC2 and Server2.
Over the weekend the Server2 file server, which was Windows 2003 x32, was removed. The Server2 computer name was deleted in AD. A new file server with Windows 2008 Standard x64 was created - ITS NAME IS ALSO SERVER2 and with the same IP. I think this is what caused the problem.
Searching on the net I found a lot of info but not very specific to my issue. This could be a combo of DNS, AD replication and Kerberos, but it is beyond my abilities to decipher. I believe it is the Kerberos cache on DC2, as maybe it never got notification that Server2 was deleted and removed from AD via the FSMO server DC.
*Both DC's are in a virtual environment.
DC2 - DCDIAG (Contains errors where the other DC does not)
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC2
Starting test: Connectivity
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC2
Starting test: Replications
[Replications Check,DC2] Inbound replication is disabled.
To correct, run "repadmin /options DC2 -DISABLE_INBOUND_REPL"
[Replications Check,DC2] Outbound replication is disabled.
To correct, run "repadmin /options DC2 -DISABLE_OUTBOUND_REPL"
......................... DC2 failed test Replications
Starting test: NCSecDesc
......................... DC2 passed test NCSecDesc
Starting test: NetLogons
......................... DC2 passed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\SERVER.urbanco.local, w
hen we were trying to reach DC2.
Server is not responding or is not considered suitable.
......................... DC2 failed test Advertising
Starting test: KnowsOfRoleHolders
......................... DC2 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DC2 passed test RidManager
Starting test: MachineAccount
......................... DC2 passed test MachineAccount
Starting test: Services
NETLOGON Service is paused on [DC2]
......................... DC2 failed test Services
Starting test: ObjectsReplicated
......................... DC2 passed test ObjectsReplicated
Starting test: frssysvol
......................... DC2 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC2 failed test frsevent
Starting test: kccevent
......................... DC2 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 08/23/2010 09:44:20
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 08/23/2010 10:03:02
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 08/23/2010 10:03:07
Event String: The kerberos client received a
......................... DC2 failed test systemlog
Starting test: VerifyReferences
......................... DC2 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : urbanco
Starting test: CrossRefValidation
......................... urbanco passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... urbanco passed test CheckSDRefDom
Running enterprise tests on : urbanco.local
Starting test: Intersite
......................... urbanco.local passed test Intersite
Starting test: FsmoCheck
......................... urbanco.local passed test FsmoCheck
*Netdiag on DC2 shows no errors, same with Server
"Server" DCDIAG:
Netcard queries test . . . . . . . : Passed
[WARNING] The net card 'VMware Virtual Ethernet Adapter for VMnet1' may not
be working because it has not received any packets.
Per interface results:
Adapter : Local Area Connection 2
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : SERVER
IP Address . . . . . . . . : 10.10.10.5
Subnet Mask. . . . . . . . : 255.0.0.0
Default Gateway. . . . . . : 10.10.10.254
Dns Servers. . . . . . . . : 10.10.10.5
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Adapter : VMware Network Adapter VMnet1
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : SERVER
IP Address . . . . . . . . : 192.168.149.1
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . :
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.
No remote names have been found.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Adapter : VMware Network Adapter VMnet8
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : SERVER
IP Address . . . . . . . . : 192.168.244.1
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . :
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.
No remote names have been found.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{DE0887FD-FD0D-4375-8C2D-42FACD7932D5}
NetBT_Tcpip_{1319E633-80A0-4BCC-905E-7D163A36AE08}
NetBT_Tcpip_{A67C99EF-8178-4961-B160-84BCDB413DFF}
3 NetBt transports currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '10.10.10.5'
and other DCs also have some of the names registered.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{DE0887FD-FD0D-4375-8C2D-42FACD7932D5}
NetBT_Tcpip_{1319E633-80A0-4BCC-905E-7D163A36AE08}
NetBT_Tcpip_{A67C99EF-8178-4961-B160-84BCDB413DFF}
The redir is bound to 3 NetBt transports.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{A67C99EF-8178-4961-B160-84BCDB413DFF}
NetBT_Tcpip_{1319E633-80A0-4BCC-905E-7D163A36AE08}
NetBT_Tcpip_{DE0887FD-FD0D-4375-8C2D-42FACD7932D5}
The browser is bound to 3 NetBt transports.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
Hope I provided enough info.
August 23rd, 2010 8:22pm
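The post above describes the classic symptom of a machine being rebuilt under the same name: the client ("target account name is incorrect") and the Kerberos client event on DC2 both point at a name resolution or service principal name (SPN) problem, or at a cached service ticket issued for the old Server2 account. The checks below are an added example for this thread, not something the original poster or the replies ran; they assume DC2 has the Windows Server 2008 era setspn and klist tools, use the server and domain names from the thread, and are read-only except for the final klist purge, which only discards DC2's own cached tickets.

```powershell
# Added diagnostic example (not from the thread). Run on DC2 in an elevated prompt.
# Assumes the setspn/klist tools shipped with Windows Server 2008 and later.
$target = 'server2'          # host name from the thread
$domain = 'urbanco.local'    # domain name from the thread's DCDiag output

# 1. What does DC2 resolve the name to? Compare with the IP that works by address.
Write-Host "--- DNS answer seen by DC2 ---"
nslookup "$target.$domain"

# 2. Which AD account currently owns the HOST SPNs for that name?
#    If a stale or duplicate account holds them, the KDC issues a ticket the new
#    server cannot decrypt, which the client reports as "target account name is incorrect".
Write-Host "--- Accounts registering HOST/$target ---"
setspn -Q "HOST/$target"
setspn -Q "HOST/$target.$domain"

# 3. Forest-wide duplicate SPN report (read-only).
Write-Host "--- Duplicate SPNs in the forest ---"
setspn -X

# 4. Does DC2 still hold a cached service ticket for the old machine?
Write-Host "--- Cached Kerberos tickets mentioning $target ---"
klist tickets | Select-String -Pattern $target

# 5. Discard DC2's cached tickets so the next \\server2 access requests a fresh one
#    from the KDC. This only affects the current logon session on DC2.
klist purge
```

If step 2 shows the HOST SPNs registered on an object other than the new Server2 computer account, or step 3 lists a duplicate, that object is the stale entry to remove; if everything looks clean after step 4, a fresh ticket from step 5 is usually enough for the access by name to start working again.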
Testing server: Default-First-Site-Name\DC2
Starting test: Replications
[Replications Check,DC2] Inbound replication is disabled.
To correct, run "repadmin /options DC2 -DISABLE_INBOUND_REPL"
[Replications Check,DC2] Outbound replication is disabled.
To correct, run "repadmin /options DC2 -DISABLE_OUTBOUND_REPL"
......................... DC2 failed test Replications
Like it is mentioned running the following commands should solve this problem.
repadmin /options DC2 -DISABLE_INBOUND_REPL
repadmin /options DC2 -DISABLE_OUTBOUND_REPL
August 23rd, 2010 9:48pm
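A point the reply above leaves implicit, and which the original poster asks about later in the thread: with repadmin /options, a flag prefixed with "+" is set and a flag prefixed with "-" is cleared, so "-DISABLE_INBOUND_REPL" and "-DISABLE_OUTBOUND_REPL" re-enable replication rather than disabling it. The script below is an added example for this thread, not code from the replies; it assumes repadmin prints its flags on a line beginning "Current DC Options:" (the format on Windows Server 2003/2008) and uses the DC name from the thread.

```powershell
# Added example (not from the thread): show DC2's replication flags, clear only the
# two DISABLE flags if they are set, and confirm replication resumes.
# Assumption: repadmin /options reports flags on a "Current DC Options:" line.
param([string]$Dc = 'DC2')   # DC name from the thread

function Get-ReplFlags {
    param([string]$Dc)
    $out = repadmin /options $Dc 2>&1
    $line = $out | Where-Object { $_ -match 'Current DC Options:' }
    if (-not $line) { return @() }
    # Flags follow the label as whitespace-separated tokens, e.g. "IS_GC DISABLE_INBOUND_REPL"
    ($line -replace '.*Current DC Options:\s*', '') -split '\s+' | Where-Object { $_ }
}

$before = Get-ReplFlags -Dc $Dc
Write-Host "Flags before: $($before -join ' ')"

# "-FLAG" clears the flag; "+FLAG" would set it. Only touch the flags DCDiag complained about.
if ($before -contains 'DISABLE_INBOUND_REPL')  { repadmin /options $Dc -DISABLE_INBOUND_REPL }
if ($before -contains 'DISABLE_OUTBOUND_REPL') { repadmin /options $Dc -DISABLE_OUTBOUND_REPL }

$after = Get-ReplFlags -Dc $Dc
Write-Host "Flags after:  $($after -join ' ')"

# Verify that inbound links now succeed instead of trusting the flag change alone.
repadmin /showrepl $Dc
repadmin /replsummary
```

Running the script a second time prints the same flags before and after and issues no repadmin /options calls, which makes it safe to use as a check rather than only as a fix.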
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC2 failed test frsevent
Starting test: kccevent
......................... DC2 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 08/23/2010 09:44:20
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 08/23/2010 10:03:02
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 08/23/2010 10:03:07
Event String: The kerberos client received a
......................... DC2 failed test systemlog
As you see there is an error with the eventID 0x40000004.
I searched on the net for a possible resolution for this problem but did not find anything interesting.
I found someone who had the same error, and as a resolution an expert recommended simply demoting the failed DC and re-promoting it.
Have a look to this link:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24469030.html
Best regards.
August 23rd, 2010 9:52pm
Thanks for the reply but what makes me worried is that if I disable the REPLICATION how would I enable it again? This message may be incorrect for me and cause even more problems.
August 23rd, 2010 11:06pm
I am tempted as well to demote and promote as this is mainly just a secondary DC, VPN and a Kaspersky AV Admin unit.
All other tests show communication is fine so this is probably my only option though I would like to hear from someone more versed in AD replication before doing so. As is, we are still functional and working fine with the primary DC.
August 23rd, 2010 11:07pm
Thanks for the reply but what makes me worried is that if I disable the REPLICATION how would I enable it again? This message may be incorrect for me and cause even more problems.
If you demote the failed DC and re-promote it you will not have a replication problem. By doing that, it will be in the same site (default site) as your first DC and replication will start automatically. So, you don't have to worry.
August 23rd, 2010 11:14pm
Ok, I will try that after hours. What about other programs that might rely on AD, such as backups, my AntiVirus Admin, VPN? Do you think that demoting, rebooting, promoting, rebooting will cause a problem, or is it a total unknown? It's worth a shot for sure and I will probably run the risk.
Thanks.
August 23rd, 2010 11:46pm
Mike, I would like to tell you that I am a MCP, MCSA Security and MCSE Security. So, I know what I am writing and I referred to an article to give a solution for this problem.
As I said, I found an article on internet about this kind of error which is the following:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24469030.html
So, please work as a professional and stop saying such things.
If you have another solution, you are welcome.
Best regards.
August 24th, 2010 1:07am
Venom66,
based on a search on the internet, I found the following on the use of the dcpromo /forceremoval command:
If the domain controller hosts any operations master (also known as flexible single master operations or FSMO) roles or if it is a Domain Name System (DNS) server or a global catalog server, warnings appear that explain how the forced removal will affect the rest of the environment. After you read each warning, click Yes. To suppress the warnings in advance of the removal operation, type /demotefsmo:yes at the command prompt. If you forcefully remove AD DS from a server that hosts an operations master role, you must seize the role after the Dcpromo operation.
I found it in this Microsoft article:
http://technet.microsoft.com/en-us/library/cc816826%28WS.10%29.aspx
I found also that if your domain controller is also an exchange server, the demote may affect your exchange environment.
This is a link to the article speaking about a such thing:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_22939677.html
As a conclusion, the demote operation should not affect your environment if your server is not an Exchange server and you correctly follow the mentioned procedure.
Best regards.
August 24th, 2010 1:16am
Thanks. This is a secondary peer DC, holding no FSMO roles. The other has the Exchange and that DC seems to be fine with no problems affecting the other systems. I will give this a shot tonight and post my results, but I may hold off as I have a vacation coming at the end of the week, and since we are functioning fine I could be opening a can of worms.
August 24th, 2010 1:38am
Okay, so proceed like I mentioned because I have not found another possible resolution on the internet. Don't forget to read the warnings. They will allow you to detect the problems that you may have (so just trust Microsoft and its warning system).
Have a good vacation.
Best regards.
August 24th, 2010 1:44am