Second DC fails Netlogons and Advertising Tests
I'm running a single Windows Server 2003 with AD, DNS, File & Print Serving. Added a second DC into the same domain (also Server 2003) which I'd like to have ready to take over as main DC with a change of DNS at some point. However, at this point, I'd just like to have the new DC be a replica of the old DC - and run backups to it.

AD seems to have replicated fine and updates replicate quickly. I can log in using AD on the new DC from a workstation. The 2 DCs respond correctly w/ pings to each other by IP, Server Name, and FQDN. DC1 has no significant errors, but the new one (DC2) does. Having a lot of trouble with FRS, and backups quit after partial.

DCDIAG (on DC2) - everything passes except:
-- Netlogons: "Unable to connect to the NETLOGONS share! (DC2\netlogon) An net use or LsaPolicy operation failed with error 1203. No network provider accepted the given network path"
-- Advertising test fails with "Warning: DsGetDcName returned information for DC1 when trying to reach DC2. Server is not responding or is not considered suitable."

NETDIAG (on DC2) - "Domain membership test.. failed. Warning: this system volume has not been completely replicated to the local machine. This machine is not working properly as a DC."

NETDIAG /FIX (on DC2): everything passed, with exception: DNS test passed followed with "Warning: Cannot find a primary authoritative DNS server for the name DS2... DS2 may not be registered in DNS"

EVENT LOG ERRORS (Warnings) ON DC2 include:
13508 - NtFrs - FRS having trouble enabling replication from DC1 to DC2 for c:\windows\sysvol\domain
13509 - NtFrs - FRS has enabled replication from DC1 to DC2 for c:\windows\sysvol\domain after repeated retries.
1054 - Userenv - Windows cannot obtain the domain controller name for your computer network.
53258 - MSDTC - MS DTC could not correctly process a DC Promotion/Demotion event.
1003 - SceSrv - Notification of policy change from LSA/SAM has been retried and failed. Error 4312 to save policy change for account xxxxx in the default GPOs.
40960 - LSASRV - SPNEGO negotiator - authentication error for server LDAP/DC2

Sure would appreciate some help if anyone can spot any common thread in this grouping of errors.
January 25th, 2010 8:21am

Hello,

It seems your new DC has not been completely initialized. Also, make sure the new DC has the same fixed DNS entry as the Primary DC. Please post a complete ipconfig /all from both DCs.

Isaac Oben MCITP:EA, MCSE
January 25th, 2010 5:08pm

Thanks for the reply.

-------------------------------------------------------------
IPCONFIG /ALL for DC1 (main DC)
Note: only Ethernet Adapter LAC 1 (of 2) is in use.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DomainServer
   Primary Dns Suffix  . . . . . . . : MYDOMAIN.COM
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MYDOMAIN.COM

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 00-E0-81-40-34-33
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.226.28
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-E0-81-40-34-32
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.150.201
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.150.200
   DNS Servers . . . . . . . . . . . : 192.168.150.201
                                       192.168.150.202

-------------------------------------------------------------
IPCONFIG /ALL for DC2 (second DC)
Note: only Ethernet Adapter LAC 1 (of 4) is in use.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DOMAINSERVER2
   Primary Dns Suffix  . . . . . . . : MYDOMAIN.COM
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MYDOMAIN.COM

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 00-25-64-F8-AA-56
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.150.202
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.150.200
   DNS Servers . . . . . . . . . . . : 192.168.150.201
                                       192.168.150.202
-------------------------------------------------------------

Dave
January 26th, 2010 11:53pm

Hello Dave,

IP config looks good. How long ago did you complete the promotion of the server as an additional domain controller? Please send a complete dcdiag /v from DC2 as well.

Isaac Oben MCITP:EA, MCSE
January 27th, 2010 5:58pm

OK Isaac. Here is "dcdiag /v" from DC2
---------------------------------------------
Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine DOMAINSERVER2, is a DC.
   * Connecting to directory service on server DOMAINSERVER2.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOMAINSERVER2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DOMAINSERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOMAINSERVER2
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=MYDOMAIN,DC=COM
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
            DC=DomainDnsZones,DC=MYDOMAIN,DC=COM
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
            CN=Configuration,DC=MYDOMAIN,DC=COM
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
            DC=MYDOMAIN,DC=COM
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         * Replication Site Latency Check
         ......................... DOMAINSERVER2 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DOMAINSERVER2.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=MYDOMAIN,DC=COM
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=MYDOMAIN,DC=COM
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=MYDOMAIN,DC=COM
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=MYDOMAIN,DC=COM
            (Domain,Version 2)
         ......................... DOMAINSERVER2 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\DOMAINSERVER2\netlogon)
         [DOMAINSERVER2] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... DOMAINSERVER2 failed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\DomainServer.MYDOMAIN.COM, when we were trying to reach DOMAINSERVER2.
         Server is not responding or is not considered suitable.
         The DC DOMAINSERVER2 is advertising itself as a DC and having a DS.
         The DC DOMAINSERVER2 is advertising as an LDAP server
         The DC DOMAINSERVER2 is advertising as having a writeable directory
         The DC DOMAINSERVER2 is advertising as a Key Distribution Center
         The DC DOMAINSERVER2 is advertising as a time server
         The DS DOMAINSERVER2 is advertising as a GC.
         ......................... DOMAINSERVER2 failed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
         Role Domain Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
         Role PDC Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
         Role Rid Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
         ......................... DOMAINSERVER2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 3104 to 1073741823
         * DomainServer.MYDOMAIN.COM is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 2604 to 3103
         * rIDPreviousAllocationPool is 2604 to 3103
         * rIDNextRID: 2609
         ......................... DOMAINSERVER2 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC DOMAINSERVER2 on DC DOMAINSERVER2.
         * SPN found :LDAP/DOMAINSERVER2.MYDOMAIN.COM/MYDOMAIN.COM
         * SPN found :LDAP/DOMAINSERVER2.MYDOMAIN.COM
         * SPN found :LDAP/DOMAINSERVER2
         * SPN found :LDAP/DOMAINSERVER2.MYDOMAIN.COM/MYDOMAIN
         * SPN found :LDAP/7676b8fb-965f-4fa1-8b41-f48c50df120f._msdcs.MYDOMAIN.COM
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/7676b8fb-965f-4fa1-8b41-f48c50df120f/MYDOMAIN.COM
         * SPN found :HOST/DOMAINSERVER2.MYDOMAIN.COM/MYDOMAIN.COM
         * SPN found :HOST/DOMAINSERVER2.MYDOMAIN.COM
         * SPN found :HOST/DOMAINSERVER2
         * SPN found :HOST/DOMAINSERVER2.MYDOMAIN.COM/MYDOMAIN
         * SPN found :GC/DOMAINSERVER2.MYDOMAIN.COM/MYDOMAIN.COM
         ......................... DOMAINSERVER2 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DOMAINSERVER2 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         DOMAINSERVER2 is in domain DC=MYDOMAIN,DC=COM
         Checking for CN=DOMAINSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM in domain DC=MYDOMAIN,DC=COM on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DOMAINSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM in domain CN=Configuration,DC=MYDOMAIN,DC=COM on 1 servers
            Object is up-to-date on all servers.
         ......................... DOMAINSERVER2 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL. The error returned was 0 (The operation completed successfully.). Check the FRS event log to see if the SYSVOL has successfully been shared.
         ......................... DOMAINSERVER2 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... DOMAINSERVER2 passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... DOMAINSERVER2 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... DOMAINSERVER2 passed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=DOMAINSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM and backlink on CN=DOMAINSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM are correct.
         The system object reference (frsComputerReferenceBL) CN=DOMAINSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=COM and backlink on CN=DOMAINSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM are correct.
         The system object reference (serverReferenceBL) CN=DOMAINSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=COM and backlink on CN=NTDS Settings,CN=DOMAINSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM are correct.
         ......................... DOMAINSERVER2 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : MYDOMAIN
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom

   Running enterprise tests on : MYDOMAIN.COM
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
         ......................... MYDOMAIN.COM passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\DomainServer.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         PDC Name: \\DomainServer.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         Time Server Name: \\DomainServer.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\DomainServer.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         KDC Name: \\DomainServer.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         ......................... MYDOMAIN.COM passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
--------------------------------------------------
Thanks again.
Dave
January 27th, 2010 11:02pm
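
An added example, not part of the original thread: a Python sketch that pulls per-test verdicts out of pasted dcdiag /v output (line-wrapped or flattened onto one line by a forum) and groups the SYSVOL-related symptoms that appear in the output posted above. The sample transcript is constructed from that output, and the names parse_dcdiag and sysvol_findings are illustrative.

```python
import re
from dataclasses import dataclass

# Constructed sample: a shortened dcdiag /v transcript modelled on the output
# posted in this thread (same test names and messages, most tests left out).
SAMPLE = r"""
   Testing server: Default-First-Site-Name\DOMAINSERVER2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         ......................... DOMAINSERVER2 passed test Connectivity
      Starting test: NetLogons
         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\DOMAINSERVER2\netlogon)
         [DOMAINSERVER2] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... DOMAINSERVER2 failed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\DomainServer.MYDOMAIN.COM, when we were trying to reach DOMAINSERVER2.
         Server is not responding or is not considered suitable.
         ......................... DOMAINSERVER2 failed test Advertising
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL. The
         error returned was 0 (The operation completed successfully.). Check
         the FRS event log to see if the SYSVOL has successfully been shared.
         ......................... DOMAINSERVER2 passed test frssysvol
"""

# One test = "Starting test: X", free text, then the dotted verdict line for X.
# Matching on the whole text (not per line) also works on flattened pastes.
TEST_RE = re.compile(
    r"Starting test: (?P<name>\w+)(?P<body>.*?)"
    r"\.{5,}\s+(?P<target>\S+) (?P<verdict>passed|failed) test (?P=name)\b",
    re.DOTALL,
)
# The DC that the locator returned instead of the one under test.
ANSWERED_BY_RE = re.compile(r"DsGetDcName returned information for \\\\([^\s,]+)")


@dataclass
class DcdiagResult:
    name: str      # test name, e.g. "NetLogons"
    target: str    # server, partition or domain the verdict applies to
    passed: bool
    notes: str     # text printed between "Starting test" and the verdict


def parse_dcdiag(text):
    """Return one DcdiagResult per test found in dcdiag /v output."""
    results = []
    for m in TEST_RE.finditer(text):
        notes = " ".join(m.group("body").split())  # normalise whitespace
        results.append(DcdiagResult(m.group("name"), m.group("target"),
                                    m.group("verdict") == "passed", notes))
    return results


def sysvol_findings(results):
    """Collect the symptoms that point at SYSVOL/NETLOGON not being shared.

    Heuristic grouping based on the messages in this thread, not an
    official dcdiag interpretation.
    """
    by_name = {r.name: r for r in results}
    findings = []

    netlogons = by_name.get("NetLogons")
    if netlogons and not netlogons.passed and "NETLOGON share" in netlogons.notes:
        findings.append(f"NETLOGON share unreachable on {netlogons.target}")

    adv = by_name.get("Advertising")
    if adv and not adv.passed:
        m = ANSWERED_BY_RE.search(adv.notes)
        other = m.group(1) if m else "another DC"
        findings.append(f"locator returned {other} instead of {adv.target}")

    # frssysvol can print a warning and still report "passed"; the verdict
    # line alone hides that the SYSVOL state was never determined.
    frs = by_name.get("frssysvol")
    if frs and "registry lookup failed" in frs.notes:
        verdict = "passed" if frs.passed else "failed"
        findings.append(f"frssysvol {verdict} but SYSVOL state was not determined")

    return findings


if __name__ == "__main__":
    for r in parse_dcdiag(SAMPLE):
        print(f"{'PASS' if r.passed else 'FAIL'}  {r.target:15} {r.name}")
    for line in sysvol_findings(SAMPLE and parse_dcdiag(SAMPLE)):
        print("finding:", line)
```
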

Hello Dave,

I am thinking you are having a DNS-related issue. Try this:

On DomainServer2, stop and restart the netlogon service (net stop netlogon & net start netlogon).
Run dcdiag /test:dns
If it fails, run netdiag /fix
Also, on DomainServer2 DNS, check and make sure DomainServer1 is properly registered.

Post both results.

Isaac Oben MCITP:EA, MCSE
January 28th, 2010 1:10am

Hi Isaac,

Restarted NETLOGONS

dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOMAINSERVER2
      Starting test: Connectivity
         ......................... DOMAINSERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOMAINSERVER2

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : MYDOMAIN

   Running enterprise tests on : MYDOMAIN.GOV
      Starting test: DNS
         Test results for domain controllers:

            DC: DOMAINSERVER2.MYDOMAIN.GOV
            Domain: MYDOMAIN.GOV

               TEST: Delegations (Del)
                  Warning: DNS server: domainserver.server.MYDOMAIN. IP: <Unavailable> Failure:Missing glue A record

         Summary of DNS test results:

                                Auth Basc Forw Del  Dyn  RReg Ext
            ________________________________________________________________
            Domain: MYDOMAIN.GOV
               DOMAINSERVER2    PASS PASS PASS FAIL PASS PASS n/a

         ......................... MYDOMAIN.GOV failed test DNS

--------------------------------------------------------
NETDIAG /FIX results

    Computer Name: DOMAINSERVER2
    DNS Host Name: DOMAINSERVER2.MYDOMAIN.GOV
    System info : Microsoft Windows Server 2003 R2 (Build 3790)
    Processor : x86 Family 6 Model 26 Stepping 5, GenuineIntel
    List of installed hotfixes :
        KB918005-v3 KB923561 KB924667-v2 KB925398_WMP64 KB925902 KB926122 KB927891 KB929123
        KB930178 KB932168 KB933360 KB933854 KB935839 KB935840 KB936357 KB936594
        KB938127 KB938127-IE7 KB938464 KB941569 KB941693 KB941716 KB941838 KB942615
        KB942830 KB942831 KB943055 KB943460 KB943545 KB944338 KB944653 KB945553
        KB946026 KB948496 KB948590 KB950224-v3 KB950762 KB950974 KB951066 KB951072
        KB951698 KB951748 KB952004 KB952069 KB952954 KB953298 KB954155 KB954434
        KB954550-v5 KB955069 KB955759 KB956572 KB956802 KB956803 KB956844 KB957097
        KB958469 KB958644 KB958687 KB958690 KB958869 KB959426 KB960225 KB960803
        KB960859 KB961063 KB961118 KB961371-v2 KB961501 KB963027 KB967715 KB967723
        KB968389 KB968816 KB969059 KB969947 KB970238 KB970267 KB970430 KB970483
        KB971032 KB971486 KB971557 KB971633 KB971657 KB971737 KB971961 KB972270
        KB973037 KB973354 KB973507 KB973525 KB973540 KB973687 KB973815 KB973825
        KB973869 KB973904 KB973917 KB974112 KB974318 KB974392 KB974571 KB975025
        KB975467 KB976098-v2 KB976325 KB976325-IE7 KB978207-IE7 Q147222

Netcard queries test . . . . . . . : Passed

Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : DOMAINSERVER2
        IP Address . . . . . . . . : 192.168.150.202
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.150.200
        Dns Servers. . . . . . . . : 192.168.150.201
                                     192.168.150.202

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

Global results:

Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{6BD89EF2-4602-4905-B21F-64D6D49672E6}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.150.201' and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{6BD89EF2-4602-4905-B21F-64D6D49672E6}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{6BD89EF2-4602-4905-B21F-64D6D49672E6}
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Passed
    Secure channel for domain 'MYDOMAIN' is to '\\DomainServer.MYDOMAIN.GOV'.

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped
    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully
------------------------------------------------------
Thanks again.
Dave
January 28th, 2010 1:23am

You seem to be missing the glue A record, which is the A record that resolves the domain controller's name to an IP address.

TEST: Delegations (Del)
   Warning: DNS server: domainserver.server.MYDOMAIN. IP: <Unavailable> Failure:Missing glue A record

To fix this, try this. Run at a command prompt:

ipconfig /flushdns
ipconfig /registerdns

Or you can do it manually: open the zone for the AD domain name, right-click, select New Host, name it the Domain Controller's host name and give it the IP address of the domain controller. (Do this on the 192.168.150.201 DNS server. First check and make sure that server DOMAINSERVER2 is the and may have a wrong IP) vice versa

Isaac Oben MCITP:EA, MCSE
January 28th, 2010 1:37am

Hello Isaac,

I had tried 'flushdns / registerdns' previously 2 or 3 times, but ran it again as suggested. On both DC1 and DC2, the zone shows both DCs with their corresponding IPs correctly listed. The results of "dcdiag /test:dns" and "netdiag /fix" remain the same as in the previous post.

Thanks.
Dave

P.S. (re: previous post): I added this server and promoted it to DC about 3 weeks ago.
January 28th, 2010 3:55am

Dave,

Your netdiag /fix shows that it passed the DNS test. But I think your issue is DNS related. After the netdiag /fix, now let's try this:

1- Do another dcdiag /v and see if the error

      Starting test: NetLogons
         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\DOMAINSERVER2\netlogon)
         [DOMAINSERVER2] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... DOMAINSERVER2 failed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\DomainServer.MYDOMAIN.COM, when we were trying to reach DOMAINSERVER2.
         Server is not responding or is not considered suitable.
         The DC DOMAINSERVER2 is advertising itself as a DC and having a DS.
         The DC DOMAINSERVER2 is advertising as an LDAP server
         The DC DOMAINSERVER2 is advertising as having a writeable directory
         The DC DOMAINSERVER2 is advertising as a Key Distribution Center
         The DC DOMAINSERVER2 is advertising as a time server
         The DS DOMAINSERVER2 is advertising as a GC.
         ......................... DOMAINSERVER2 failed test Advertising

2- Still on DC2, at a command prompt, type nslookup DOMAINSERVER1 and post the result.

3- Still on DC2, see if you can successfully browse to DOMAINSERVER1 using both the UNC name and the IP, such as \\DOMAINSERVER1 and \\192.168.150.201. If this is successful, you should see the sysvol share, netlogon share, etc.

4- On DC2, browse to c:\windows\system32\sysvol and browse into the folders and see if they contain any data. You can reference DC1 because DC1 should have data.

Isaac Oben MCITP:EA, MCSE
January 28th, 2010 4:55pm

Hello Isaac, Here is the latest "dcdiag /v" from DC2----------------------------------------------------------dcdiag /vDomain Controller Diagnosis Performing initial setup: * Verifying that the local machine DOMAINSERVER2, is a DC. * Connecting to directory service on server DOMAINSERVER2. * Collecting site info. * Identifying all servers. * Identifying all NC cross-refs. * Found 2 DC(s). Testing 1 of them. Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\DOMAINSERVER2 Starting test: Connectivity * Active Directory LDAP Services Check * Active Directory RPC Services Check ......................... DOMAINSERVER2 passed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\DOMAINSERVER2 Starting test: Replications * Replications Check * Replication Latency Check DC=ForestDnsZones,DC=MYDOMAIN,DC=COM Latency information for 1 entries in the vector were ignored. 1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=DomainDnsZones,DC=MYDOMAIN,DC=COM Latency information for 1 entries in the vector were ignored. 1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Configuration,DC=MYDOMAIN,DC=COM Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). 
DC=MYDOMAIN,DC=COM Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). * Replication Site Latency Check ......................... DOMAINSERVER2 passed test Replications Test omitted by user request: Topology Test omitted by user request: CutoffServers Starting test: NCSecDesc * Security Permissions check for all NC's on DC DOMAINSERVER2. * Security Permissions Check for DC=ForestDnsZones,DC=MYDOMAIN,DC=COM (NDNC,Version 2) * Security Permissions Check for DC=DomainDnsZones,DC=MYDOMAIN,DC=COM (NDNC,Version 2) * Security Permissions Check for CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM (Schema,Version 2) * Security Permissions Check for CN=Configuration,DC=MYDOMAIN,DC=COM (Configuration,Version 2) * Security Permissions Check for DC=MYDOMAIN,DC=COM (Domain,Version 2) ......................... DOMAINSERVER2 passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check Unable to connect to the NETLOGON share! (\\DOMAINSERVER2\netlogon) [DOMAINSERVER2] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path.. ......................... DOMAINSERVER2 failed test NetLogons Starting test: Advertising Warning: DsGetDcName returned information for \\DomainServer.MYDOMAIN-ME.COM, when we were trying to reach DOMAINSERVER2. Server is not responding or is not considered suitable. The DC DOMAINSERVER2 is advertising itself as a DC and having a DS. The DC DOMAINSERVER2 is advertising as an LDAP server The DC DOMAINSERVER2 is advertising as having a writeable directory The DC DOMAINSERVER2 is advertising as a Key Distribution Center The DC DOMAINSERVER2 is advertising as a time server The DS DOMAINSERVER2 is advertising as a GC. ......................... 
DOMAINSERVER2 failed test Advertising Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM Role Domain Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM Role PDC Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM Role Rid Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM Role Infrastructure Update Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM ......................... DOMAINSERVER2 passed test KnowsOfRoleHolders Starting test: RidManager * Available RID Pool for the Domain is 3104 to 1073741823 * DomainServer.MYDOMAIN.COM is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 2604 to 3103 * rIDPreviousAllocationPool is 2604 to 3103 * rIDNextRID: 2609 ......................... DOMAINSERVER2 passed test RidManager Starting test: MachineAccount Checking machine account for DC DOMAINSERVER2 on DC DOMAINSERVER2. * SPN found :LDAP/DOMAINSERVER2.MYDOMAIN.COM/MYDOMAIN.COM * SPN found :LDAP/DOMAINSERVER2.MYDOMAIN.COM * SPN found :LDAP/DOMAINSERVER2 * SPN found :LDAP/DOMAINSERVER2.MYDOMAIN.COM/MYDOMAIN * SPN found :LDAP/7676b8fb-965f-4fa1-8b41-f48c50df120f._msdcs.MYDOMAIN-ME.COM * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/7676b8fb-965f-4fa1-8b41-f48c50df120f/MYDOMAIN.COM * SPN found :HOST/DOMAINSERVER2.MYDOMAIN.COM/MYDOMAIN.COM * SPN found :HOST/DOMAINSERVER2.MYDOMAIN.COM * SPN found :HOST/DOMAINSERVER2 * SPN found :HOST/DOMAINSERVER2.MYDOMAIN.COM/MYDOMAIN * SPN found :GC/DOMAINSERVER2.MYDOMAIN.COM/MYDOMAIN.COM ......................... 
DOMAINSERVER2 passed test MachineAccount Starting test: Services * Checking Service: Dnscache * Checking Service: NtFrs * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: RpcSs * Checking Service: w32time * Checking Service: NETLOGON ......................... DOMAINSERVER2 passed test Services Test omitted by user request: OutboundSecureChannels Starting test: ObjectsReplicated DOMAINSERVER2 is in domain DC=MYDOMAIN,DC=COM Checking for CN=DOMAINSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM in domain DC=MYDOMAIN,DC=COM on 1 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=DOMAINSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM in domain CN=Configuration,DC=MYDOMAIN,DC=COM on 1 servers Object is up-to-date on all servers. ......................... DOMAINSERVER2 passed test ObjectsReplicated Starting test: frssysvol * The File Replication Service SYSVOL ready test The registry lookup failed to determine the state of the SYSVOL. The error returned was 0 (The operation completed successfully.). Check the FRS event log to see if the SYSVOL has successfully been shared. ......................... DOMAINSERVER2 passed test frssysvol Starting test: frsevent * The File Replication Service Event log test ......................... DOMAINSERVER2 passed test frsevent Starting test: kccevent * The KCC Event log test Found no KCC errors in Directory Service Event log in the last 15 minutes. ......................... DOMAINSERVER2 passed test kccevent Starting test: systemlog * The System Event log test Found no errors in System Event log in the last 60 minutes. ......................... 
DOMAINSERVER2 passed test systemlog Test omitted by user request: VerifyReplicas Starting test: VerifyReferences The system object reference (serverReference) CN=DOMAINSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM and backlink on CN=DOMAINSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM are correct. The system object reference (frsComputerReferenceBL) CN=DOMAINSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=COM and backlink on CN=DOMAINSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM are correct. The system object reference (serverReferenceBL) CN=DOMAINSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=COM and backlink on CN=NTDS Settings,CN=DOMAINSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM are correct. ......................... DOMAINSERVER2 passed test VerifyReferences Test omitted by user request: VerifyEnterpriseReferences Test omitted by user request: CheckSecurityError Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... 
Configuration passed test CheckSDRefDom
Running partition tests on : MYDOMAIN
Starting test: CrossRefValidation
......................... MYDOMAIN passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... MYDOMAIN passed test CheckSDRefDom
Running enterprise tests on : MYDOMAIN.COM
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
......................... MYDOMAIN.COM passed test Intersite
Starting test: FsmoCheck
GC Name: \\DomainServer.MYDOMAIN.COM
Locator Flags: 0xe00003fd
PDC Name: \\DomainServer.MYDOMAIN.COM
Locator Flags: 0xe00003fd
Time Server Name: \\DomainServer.MYDOMAIN.COM
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\DomainServer.MYDOMAIN.COM
Locator Flags: 0xe00003fd
KDC Name: \\DomainServer.MYDOMAIN.COM
Locator Flags: 0xe00003fd
......................... MYDOMAIN.COM passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
----------------------------------------------------------
And the "nslookup domainserver" result:
> nslookup domainserver
Server: domainserver.MYDOMAIN.COM
Address: 192.168.150.201
----------------------------------------------------------
Re: "sysvol" folders are not replicated completely.
DC2 has a single policy folder which has replicated TO DC1, however, DC1 had 3 to start and none of those have replicated to DC2.
----------------------------------------------------------
Re: Browsing to "DC1/sysvol" - not happening.
Nothing under Network Places.
----------------------------------------------------------
Thanks again.
Dave
January 28th, 2010 8:45pm

Dave,
Are these DCs on separate sites? Possibly a firewall in place preventing replication or blocking a port?
If you do a repadmin /showreps, what results do you get?
Isaac Oben MCITP:EA, MCSE
January 28th, 2010 9:06pm

Isaac,
Thank you for persisting with me on this.
DCs in same location with only a basic switch between. Firewall between internet only.
Results below for both DC1 & DC2 with "repadmin /showreps"
No issues on DC1, but yes a couple replication errors on DC2.
----------------------------------------------------------
DC1 - repadmin /showreps
Default-First-Site-Name\DOMAINSERVER
DC Options: IS_GC
Site Options: (none)
DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
DC invocationID: de66c2d3-eda2-4ab2-a393-fdea108ad439
==== INBOUND NEIGHBORS ======================================
DC=MYDOMAIN,DC=COM
Default-First-Site-Name\DOMAINSERVER2 via RPC
DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f
Last attempt @ 2010-01-28 18:59:35 was successful.
CN=Configuration,DC=MYDOMAIN,DC=COM
Default-First-Site-Name\DOMAINSERVER2 via RPC
DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f
Last attempt @ 2010-01-28 18:57:47 was successful.
CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
Default-First-Site-Name\DOMAINSERVER2 via RPC
DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f
Last attempt @ 2010-01-28 18:57:48 was successful.
DC=DomainDnsZones,DC=MYDOMAIN,DC=COM
Default-First-Site-Name\DOMAINSERVER2 via RPC
DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f
Last attempt @ 2010-01-28 18:57:48 was successful.
DC=ForestDnsZones,DC=MYDOMAIN,DC=COM
Default-First-Site-Name\DOMAINSERVER2 via RPC
DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f
Last attempt @ 2010-01-28 18:57:48 was successful.
----------------------------------------------------------
DC2 - repadmin /showreps
Default-First-Site-Name\DOMAINSERVER2
DC Options: IS_GC
Site Options: (none)
DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f
DC invocationID: 189a7988-7cab-448c-a825-33861995bfcd
==== INBOUND NEIGHBORS ======================================
DC=MYDOMAIN,DC=GOV
Default-First-Site-Name\DOMAINSERVER via RPC
DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
Last attempt @ 2010-01-28 18:53:24 failed, result 8453 (0x2105):
Replication access was denied.
193 consecutive failure(s).
Last success @ 2010-01-28 11:11:43.
CN=Configuration,DC=MYDOMAIN,DC=GOV
Default-First-Site-Name\DOMAINSERVER via RPC
DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
Last attempt @ 2010-01-28 18:51:59 was successful.
CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=GOV
Default-First-Site-Name\DOMAINSERVER via RPC
DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
Last attempt @ 2010-01-28 18:51:59 was successful.
DC=DomainDnsZones,DC=MYDOMAIN,DC=GOV
Default-First-Site-Name\DOMAINSERVER via RPC
DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
Last attempt @ 2010-01-28 18:51:59 was successful.
DC=ForestDnsZones,DC=MYDOMAIN,DC=GOV
Default-First-Site-Name\DOMAINSERVER via RPC
DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
Last attempt @ 2010-01-28 18:51:59 was successful.
Source: Default-First-Site-Name\DOMAINSERVER
******* 193 CONSECUTIVE FAILURES since 2010-01-28 11:11:43
Last error: 8453 (0x2105):
Replication access was denied.
----------------------------------------------------------
Thanks.
Dave
January 29th, 2010 3:15am
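The `repadmin /showreps` output in the post above can be triaged mechanically. The following is an added example, not part of the original thread and not a Microsoft tool: a small Python parser that reads saved `repadmin /showreps` text, lists each inbound neighbor, and flags failures. The function names, the `nc-specific`/`source-wide` labels and the sample text (constructed, modelled on the DC2 output above) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, trimmed and modelled on the DC2 output posted in the thread.
SAMPLE = r"""
Default-First-Site-Name\DOMAINSERVER2
DC Options: IS_GC
Site Options: (none)
==== INBOUND NEIGHBORS ======================================
DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\DOMAINSERVER via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-01-28 18:53:24 failed, result 8453 (0x2105):
            Replication access was denied.
        193 consecutive failure(s).
        Last success @ 2010-01-28 11:11:43.
CN=Configuration,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\DOMAINSERVER via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-01-28 18:51:59 was successful.
CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\DOMAINSERVER via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-01-28 18:51:59 was successful.
Source: Default-First-Site-Name\DOMAINSERVER
******* 193 CONSECUTIVE FAILURES since 2010-01-28 11:11:43
"""

@dataclass
class Neighbor:
    naming_context: str
    source: str
    last_attempt: str
    ok: bool
    error_code: Optional[int] = None
    error_text: str = ""
    consecutive_failures: int = 0
    last_success: Optional[str] = None

NC_RE = re.compile(r"^(?:DC|CN)=[^,]+(?:,(?:DC|CN)=[^,]+)*$")
SRC_RE = re.compile(r"^(?P<site>[^\\]+)\\(?P<dc>\S+) via RPC$")
ATTEMPT_RE = re.compile(
    r"^Last attempt @ (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?:was successful\.|failed, result (?P<code>\d+) "
    r"\(0x[0-9a-fA-F]+\):\s*(?P<msg>.*))$")
FAILS_RE = re.compile(r"^(\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^Last success @ (.+?)\.?$")

# Next step per result code. Only 8453 is covered, using the check run in this thread.
HINTS: Dict[int, str] = {
    8453: "run dcdiag /test:CheckSecurityError /ReplSource:<source> on the destination DC",
}

def parse_showreps(text: str) -> List[Neighbor]:
    """Return one Neighbor per (naming context, source) in the INBOUND section."""
    out: List[Neighbor] = []
    nc = source = None
    current: Optional[Neighbor] = None
    inbound = want_msg = False
    for raw in text.splitlines():
        line = raw.strip()          # indentation is often lost in pasted output
        if not line:
            continue
        if line.startswith("===="):
            inbound = "INBOUND NEIGHBORS" in line
            continue
        if not inbound:
            continue
        if want_msg:                # error text wrapped onto the following line
            current.error_text, want_msg = line, False
            continue
        if NC_RE.match(line):
            nc = line
            continue
        m = SRC_RE.match(line)
        if m:
            source = m.group("dc")
            continue
        m = ATTEMPT_RE.match(line)
        if m and nc and source:
            code = m.group("code")
            current = Neighbor(nc, source, m.group("ts"), ok=code is None,
                               error_code=int(code) if code else None,
                               error_text=(m.group("msg") or "").strip())
            want_msg = code is not None and not current.error_text
            out.append(current)
            continue
        if current and not current.ok:
            m = FAILS_RE.match(line)
            if m:
                current.consecutive_failures = int(m.group(1))
                continue
            m = SUCCESS_RE.match(line)
            if m:
                current.last_success = m.group(1)
    return out

def triage(neighbors: List[Neighbor]) -> List[dict]:
    """Summarise failures. Heuristic (an assumption of this example): if the same
    source replicates other naming contexts fine, the problem is specific to the
    failing naming context rather than to reaching the source at all."""
    healthy_sources = {n.source for n in neighbors if n.ok}
    findings = []
    for n in neighbors:
        if n.ok:
            continue
        findings.append({
            "naming_context": n.naming_context,
            "source": n.source,
            "error_code": n.error_code,
            "failures": n.consecutive_failures,
            "scope": "nc-specific" if n.source in healthy_sources else "source-wide",
            "next_step": HINTS.get(n.error_code, "no hint recorded for this result code"),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(parse_showreps(SAMPLE)):
        print(finding)
```

Run against the sample, the only finding is the domain naming context failing with 8453 while Configuration and Schema replicate from the same source, which is why the example labels it `nc-specific`.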

Dave,
On your AD Sites and Services, do you have a connection by default between DC1 and DC2? From either way?
Let's test if there is a security error. On DC2 run this (it seems DC2 is not getting inbound repl from DC1, so let's check):
Dcdiag /test:CheckSecurityError /ReplSource:DOMAINSERVER (this should be DC1)
Please post results.
Isaac Oben MCITP:EA, MCSE
January 29th, 2010 5:44pm

Good day Isaac,
(Run on DC2)
dcdiag /test:CheckSecurityError /ReplSource:DOMAINSERVER
----------------------------------------------------------
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DOMAINSERVER2
Starting test: Connectivity
......................... DOMAINSERVER2 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DOMAINSERVER2
Starting test: CheckSecurityError
Source DC DOMAINSERVER has possible security error (8453). Diagnosing...
Error MYDOMAIN\Domain Controllers doesn't have Replicating Directory Changes All access rights for the naming context: DC=MYDOMAIN,DC=COM
......................... DOMAINSERVER2 failed test CheckSecurityError
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : MYDOMAIN
Running enterprise tests on : MYDOMAIN.COM
----------------------------------------------------------
Looks like you're onto something.
Thanks again.
Dave
January 29th, 2010 9:55pm

Hello Dave,
It seems DC1 can receive replication with no error from DC2 but DC2 can't receive replication from DC1. So, you may need to reset the machine password and secure channels between the two DCs. We will do this for DC1 and reboot; if that doesn't work, then reset the machine password on DC2 as well.
Follow the steps in this Microsoft KB: http://support.microsoft.com/kb/325850/en-us
If you do not already have the support tools on your DC, then you can download them from here: http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
Please let me know how it works out.
One note: before you start, check to see if the two DCs have the same time; sometimes this is what might cause the replication and security failure.
Isaac Oben MCITP:EA, MCSE
January 29th, 2010 10:38pm

Hello Isaac,
Password reset failed on DC1 with this note:
"Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again."
----------------------------------------------------------
Also ran netdiag on DC1 with these 2 errors in results:
DNS test . . . . . . . . . . . . . : Passed
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.150.201'. Please wait for 30 minutes for DNS server replication.
PASS - All the DNS entries for DC are registered on DNS server '192.168.150.202' and other DCs also have some of the names registered.
LDAP test. . . . . . . . . . . . . : Passed
[FATAL] Cannot do Negotiate authenticated ldap_bind to 'DomainServer.MYDOMAIN.COM': Local Error.
[WARNING] Failed to query SPN registration on DC 'DOMAINSERVER2.MYDOMAIN.COM'.
----------------------------------------------------------
dcdiag /fix on DC1 generated a bunch of replication errors and these:
Testing server: Default-First-Site-Name\DOMAINSERVER
Starting test: Connectivity
*** Warning: could not confirm the identity of this server in the directory versus the names returned by DNS servers. If there are problems accessing this directory server then you may need to check that this server is correctly registered with DNS
......................... DOMAINSERVER passed test Connectivity
Starting test: NCSecDesc
Error MYDOMAIN-ME\Domain Controllers doesn't have Replicating Directory Changes All access rights for the naming context: DC=MYDOMAIN-ME,DC=COM
......................... DOMAINSERVER failed test NCSecDesc
----------------------------------------------------------
It looks like resetting the password via netdom can resolve a lot of issues, so I'll wait to see what you think about the failed resetpwd result.
----------------------------------------------------------
Also ran on DC1 "dcdiag /test:CheckSecurityError/ReplSource:domainserver"
Testing server: Default-First-Site-Name\DOMAINSERVER
Starting test: Connectivity
......................... DOMAINSERVER passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DOMAINSERVER
Starting test: CheckSecurityError
Source DC DOMAINSERVER2 has possible security error (1722). Diagnosing...
Error 53 querying time on DC DOMAINSERVER2. Ignoring this DC and continuing...
Time skew error between client and 1 DCs! ERROR_ACCESS_DENIED or down machine recieved by: DOMAINSERVER2
Source DC DOMAINSERVER was requested for a manual security error check.
Diagnosing...
Error MYDOMAIN-ME\Domain Controllers doesn't have Replicating Directory Changes All access rights for the naming context: DC=MYDOMAIN-ME,DC=COM
......................... DOMAINSERVER failed test CheckSecurityError
----------------------------------------------------------
P.S. Not sure why the "Time Skew" error. DC1 runs Atomic Time and every other system syncs off DC1 when they log in - including DC2. Clocks are identical.
----------------------------------------------------------
Edited P.S. again: (I guess that would be a "P.S. P.S.")
DC1 is the gift that keeps on giving today. Just ran "nslookup" and also received error:
nslookup
*** Can't find server name for address 192.168.150.201: Non-existent domain
Default Server: UnKnown
Address: 192.168.150.201
----------------------------------------------------------
Thanks again.
Dave
January 31st, 2010 1:33am

Hello Dave,
We will need to fix this error first: "Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again."
It seems either the file sharing service was making connections to some network resource, or that some other network service was accessing the server, and thus disabling the hostname change via DNS.
Try this at the command prompt: net use * /delete
If that doesn't work, also try to stop all "server" and "workstation" services on your server and try again.
Isaac Oben MCITP:EA, MCSE
February 1st, 2010 5:23pm

Hello Isaac,
That did clear it up for the password reset for DC1. Password reset successfully.
Reboot server, restart Kerberos: (followed instructions per MS kb article 325850)
Re-ran "dcdiag /test:CheckSecurityError /ReplSource:domainserver" (DC1) which was the post prior to password reset
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DOMAINSERVER
Starting test: Connectivity
......................... DOMAINSERVER passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DOMAINSERVER
Starting test: CheckSecurityError
Source DC DOMAINSERVER was requested for a manual security error check.
Diagnosing...
Error MYDOMAIN\Domain Controllers doesn't have Replicating Directory Changes All access rights for the naming context: DC=MYDOMAIN,DC=COM
Authoritative attribute dBCSPwd on DOMAINSERVER (writeable)
usnLocalChange = 1339415
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1339415
timeLastOriginatingChange = 2010-02-02 21:01:08
VersionLastOriginatingChange = 56
Out-of-date attribute dBCSPwd on DOMAINSERVER2 (writeable)
usnLocalChange = 50616
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1297414
timeLastOriginatingChange = 2010-01-09 20:36:58
VersionLastOriginatingChange = 50
Authoritative attribute lmPwdHistory on DOMAINSERVER (writeable)
usnLocalChange = 1339415
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1339415
timeLastOriginatingChange = 2010-02-02 21:01:08
VersionLastOriginatingChange = 56
Out-of-date attribute lmPwdHistory on DOMAINSERVER2 (writeable)
usnLocalChange = 50616
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1297414
timeLastOriginatingChange = 2010-01-09 20:36:58
VersionLastOriginatingChange = 50
Authoritative attribute ntPwdHistory on DOMAINSERVER (writeable)
usnLocalChange = 1339415
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1339415
timeLastOriginatingChange = 2010-02-02 21:01:08
VersionLastOriginatingChange = 56
Out-of-date attribute ntPwdHistory on DOMAINSERVER2 (writeable)
usnLocalChange = 50616
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1297414
timeLastOriginatingChange = 2010-01-09 20:36:58
VersionLastOriginatingChange = 50
Authoritative attribute pwdLastSet on DOMAINSERVER (writeable)
usnLocalChange = 1339415
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1339415
timeLastOriginatingChange = 2010-02-02 21:01:08
VersionLastOriginatingChange = 56
Out-of-date attribute pwdLastSet on DOMAINSERVER2 (writeable)
usnLocalChange = 50616
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1297414
timeLastOriginatingChange = 2010-01-09 20:36:58
VersionLastOriginatingChange = 50
Authoritative attribute supplementalCredentials on DOMAINSERVER (writeable)
usnLocalChange = 1339416
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1339416
timeLastOriginatingChange = 2010-02-02 21:01:08
VersionLastOriginatingChange = 55
Out-of-date attribute supplementalCredentials on DOMAINSERVER2 (writeable)
usnLocalChange = 50616
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1297415
timeLastOriginatingChange = 2010-01-09 20:36:58
VersionLastOriginatingChange = 49
Authoritative attribute unicodePwd on DOMAINSERVER (writeable)
usnLocalChange = 1339415
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1339415
timeLastOriginatingChange = 2010-02-02 21:01:08
VersionLastOriginatingChange = 56
Out-of-date attribute unicodePwd on DOMAINSERVER2 (writeable)
usnLocalChange = 50616
LastOriginatingDsa = DOMAINSERVER
usnOriginatingChange = 1297414
timeLastOriginatingChange = 2010-01-09 20:36:58
VersionLastOriginatingChange = 50
Unable to verify the convergence of this machine account (CN=DOMAINSERVER,OU=Domain Controllers,DC=MYDOMAIN,DC=COM) on this domain (DC=MYDOMAIN,DC=COM). Does the machine account password need reseting?
......................... DOMAINSERVER failed test CheckSecurityError
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : MYDOMAIN
Running enterprise tests on : MYDOMAIN.COM
Thanks again.
Dave
February 2nd, 2010 11:52pm

Dave,
Let's try a complete dcdiag /v and also repadmin /showreps and look for any errors...
Isaac Oben MCITP:EA, MCSE
February 3rd, 2010 4:50pm

Hi Isaac,Complete results of "dcdiag /v" on DC1 posted below, followed by results of "repadmin /showreps" on DC1.------------------------------------------------------------------------------------ dcdiag /v Domain Controller Diagnosis (DC1) Performing initial setup: * Verifying that the local machine DomainServer, is a DC. * Connecting to directory service on server DomainServer. * Collecting site info. * Identifying all servers. * Identifying all NC cross-refs. * Found 2 DC(s). Testing 1 of them. Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\DOMAINSERVER Starting test: Connectivity * Active Directory LDAP Services Check * Active Directory RPC Services Check ......................... DOMAINSERVER passed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\DOMAINSERVER Starting test: Replications * Replications Check * Replication Latency Check DC=ForestDnsZones,DC=MYDOMAIN,DC=COM Latency information for 1 entries in the vector were ignored. 1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=DomainDnsZones,DC=MYDOMAIN,DC=COM Latency information for 1 entries in the vector were ignored. 1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Configuration,DC=MYDOMAIN,DC=COM Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 
0 had no latency information (Win2K DC). DC=MYDOMAIN,DC=COM Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). * Replication Site Latency Check ......................... DOMAINSERVER passed test Replications Test omitted by user request: Topology Test omitted by user request: CutoffServers Starting test: NCSecDesc * Security Permissions check for all NC's on DC DOMAINSERVER. * Security Permissions Check for DC=ForestDnsZones,DC=MYDOMAIN,DC=COM (NDNC,Version 2) * Security Permissions Check for DC=DomainDnsZones,DC=MYDOMAIN,DC=COM (NDNC,Version 2) * Security Permissions Check for CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM (Schema,Version 2) * Security Permissions Check for CN=Configuration,DC=MYDOMAIN,DC=COM (Configuration,Version 2) * Security Permissions Check for DC=MYDOMAIN,DC=COM (Domain,Version 2) Error MYDOMAIN\Domain Controllers doesn't have Replicating Directory Changes All access rights for the naming context: DC=MYDOMAIN,DC=COM ......................... DOMAINSERVER failed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check Verified share \\DOMAINSERVER\netlogon Verified share \\DOMAINSERVER\sysvol ......................... DOMAINSERVER passed test NetLogons Starting test: Advertising The DC DOMAINSERVER is advertising itself as a DC and having a DS. The DC DOMAINSERVER is advertising as an LDAP server The DC DOMAINSERVER is advertising as having a writeable directory The DC DOMAINSERVER is advertising as a Key Distribution Center The DC DOMAINSERVER is advertising as a time server The DS DOMAINSERVER is advertising as a GC. ......................... 
DOMAINSERVER passed test Advertising Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Defa ult-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM Role Domain Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Defa ult-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM Role PDC Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default -First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM Role Rid Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default -First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM Role Infrastructure Update Owner = CN=NTDS Settings,CN=DOMAINSERVER,CN= Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC= COM ......................... DOMAINSERVER passed test KnowsOfRoleHolders Starting test: RidManager * Available RID Pool for the Domain is 3104 to 1073741823 * DomainServer.MYDOMAIN.COM is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 1104 to 1603 * rIDPreviousAllocationPool is 1104 to 1603 * rIDNextRID: 1250 ......................... DOMAINSERVER passed test RidManager Starting test: MachineAccount Checking machine account for DC DOMAINSERVER on DC DOMAINSERVER. * SPN found :LDAP/DomainServer.MYDOMAIN.COM/MYDOMAIN.COM * SPN found :LDAP/DomainServer.MYDOMAIN.COM * SPN found :LDAP/DOMAINSERVER * SPN found :LDAP/DomainServer.MYDOMAIN.COM/MYDOMAIN * SPN found :LDAP/de66c2d3-eda2-4ab2-a393-fdea108ad439._msdcs.MYDOMAIN -ME.COM * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/de66c2d3-eda2-4ab2-a3 93-fdea108ad439/MYDOMAIN.COM * SPN found :HOST/DomainServer.MYDOMAIN.COM/MYDOMAIN.COM * SPN found :HOST/DomainServer.MYDOMAIN.COM * SPN found :HOST/DOMAINSERVER * SPN found :HOST/DomainServer.MYDOMAIN.COM/MYDOMAIN * SPN found :GC/DomainServer.MYDOMAIN.COM/MYDOMAIN.COM ......................... 
DOMAINSERVER passed test MachineAccount Starting test: Services * Checking Service: Dnscache * Checking Service: NtFrs * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: RpcSs * Checking Service: w32time * Checking Service: NETLOGON ......................... DOMAINSERVER passed test Services Test omitted by user request: OutboundSecureChannels Starting test: ObjectsReplicated DOMAINSERVER is in domain DC=MYDOMAIN,DC=COM Checking for CN=DOMAINSERVER,OU=Domain Controllers,DC=MYDOMAIN,DC=G OV in domain DC=MYDOMAIN,DC=COM on 1 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-Fir st-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM in domain CN=Confi guration,DC=MYDOMAIN,DC=COM on 1 servers Object is up-to-date on all servers. ......................... DOMAINSERVER passed test ObjectsReplicated Starting test: frssysvol * The File Replication Service SYSVOL ready test File Replication Service's SYSVOL is ready ......................... DOMAINSERVER passed test frssysvol Starting test: frsevent * The File Replication Service Event log test There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems. An Warning Event occured. EventID: 0x800034C4 Time Generated: 02/02/2010 21:23:28 (Event String could not be retrieved) ......................... DOMAINSERVER failed test frsevent Starting test: kccevent * The KCC Event log test Found no KCC errors in Directory Service Event log in the last 15 minut es. ......................... DOMAINSERVER passed test kccevent Starting test: systemlog * The System Event log test Found no errors in System Event log in the last 60 minutes. ......................... 
DOMAINSERVER passed test systemlog Test omitted by user request: VerifyReplicas Starting test: VerifyReferences The system object reference (serverReference) CN=DOMAINSERVER,OU=Domain Controllers,DC=MYDOMAIN,DC=COM and backlink on CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi guration,DC=MYDOMAIN,DC=COM are correct. The system object reference (frsComputerReferenceBL) CN=DOMAINSERVER,CN=Domain System Volume (SYSVOL share),CN=File Replicat ion Service,CN=System,DC=MYDOMAIN,DC=COM and backlink on CN=DOMAINSERVER,OU=Domain Controllers,DC=MYDOMAIN,DC=COM are correct. The system object reference (serverReferenceBL) CN=DOMAINSERVER,CN=Domain System Volume (SYSVOL share),CN=File Replicat ion Service,CN=System,DC=MYDOMAIN,DC=COM and backlink on CN=NTDS Settings,CN=DOMAINSERVER,CN=Servers,CN=Default-First-Site-Name, CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM are correct. ......................... DOMAINSERVER passed test VerifyReferences Test omitted by user request: VerifyEnterpriseReferences Test omitted by user request: CheckSecurityError Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... 
Configuration passed test CheckSDRefDom Running partition tests on : MYDOMAIN Starting test: CrossRefValidation ......................... MYDOMAIN passed test CrossRefValidation Starting test: CheckSDRefDom ......................... MYDOMAIN passed test CheckSDRefDom Running enterprise tests on : MYDOMAIN.COM Starting test: Intersite Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided. ......................... MYDOMAIN.COM passed test Intersite Starting test: FsmoCheck GC Name: \\DomainServer.MYDOMAIN.COM Locator Flags: 0xe00003fd PDC Name: \\DomainServer.MYDOMAIN.COM Locator Flags: 0xe00003fd Time Server Name: \\DomainServer.MYDOMAIN.COM Locator Flags: 0xe00003fd Preferred Time Server Name: \\DomainServer.MYDOMAIN.COM Locator Flags: 0xe00003fd KDC Name: \\DomainServer.MYDOMAIN.COM Locator Flags: 0xe00003fd ......................... MYDOMAIN.COM passed test FsmoCheck Test omitted by user request: DNS Test omitted by user request: DNS -------------------------------------------------------------------------------------------------------------------------------------- Now for "repadmin /showreps" (DC1) Default-First-Site-Name\DOMAINSERVER DC Options: IS_GC Site Options: (none) DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439 DC invocationID: de66c2d3-eda2-4ab2-a393-fdea108ad439 ==== INBOUND NEIGHBORS ====================================== DC=MYDOMAIN,DC=COM Default-First-Site-Name\DOMAINSERVER2 via RPC DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f Last attempt @ 2010-02-03 09:49:22 was successful. CN=Configuration,DC=MYDOMAIN,DC=COM Default-First-Site-Name\DOMAINSERVER2 via RPC DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f Last attempt @ 2010-02-03 09:49:22 was successful. CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM Default-First-Site-Name\DOMAINSERVER2 via RPC DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f Last attempt @ 2010-02-03 09:49:22 was successful. 
DC=DomainDnsZones,DC=MYDOMAIN,DC=COM Default-First-Site-Name\DOMAINSERVER2 via RPC DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f Last attempt @ 2010-02-03 09:49:22 was successful. DC=ForestDnsZones,DC=MYDOMAIN,DC=COM Default-First-Site-Name\DOMAINSERVER2 via RPC DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f Last attempt @ 2010-02-03 09:49:22 was successful. C:\>repadmin /showreps Default-First-Site-Name\DOMAINSERVER DC Options: IS_GC Site Options: (none) DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439 DC invocationID: de66c2d3-eda2-4ab2-a393-fdea108ad439 ==== INBOUND NEIGHBORS ====================================== DC=MYDOMAIN,DC=COM Default-First-Site-Name\DOMAINSERVER2 via RPC DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f Last attempt @ 2010-02-03 09:49:22 was successful. CN=Configuration,DC=MYDOMAIN,DC=COM Default-First-Site-Name\DOMAINSERVER2 via RPC DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f Last attempt @ 2010-02-03 09:49:22 was successful. CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM Default-First-Site-Name\DOMAINSERVER2 via RPC DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f Last attempt @ 2010-02-03 09:49:22 was successful. DC=DomainDnsZones,DC=MYDOMAIN,DC=COM Default-First-Site-Name\DOMAINSERVER2 via RPC DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f Last attempt @ 2010-02-03 09:49:22 was successful. DC=ForestDnsZones,DC=MYDOMAIN,DC=COM Default-First-Site-Name\DOMAINSERVER2 via RPC DC object GUID: 7676b8fb-965f-4fa1-8b41-f48c50df120f Last attempt @ 2010-02-03 09:49:22 was successful. Thanks again.Dave
February 3rd, 2010 6:48pm

Hello Dave,
It seems everything has been resolved and your DC is working as it should. If you agree with me on that, please mark the thread as answered so it can be closed.
Isaac
Isaac Oben MCITP:EA, MCSE
February 3rd, 2010 6:55pm

Isaac,
Thank you so much for your assistance.
For these purposes, I'd say this thread would be considered resolved.
I've got some issues with DC2 replication, but different than it started with.
I'll see if I can work through those issues. I appreciate your direction. Thanks much.
Dave
February 3rd, 2010 7:37pm
