We had something (unknown) happen last week that stopped successful sysvol replication
I've been going through loads of articles looking for clues after running dcdiag on all 3 servers
This is from the Master Domain controller
https://support.microsoft.com/en-us/kb/840674/
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine ch-dc1-2k8, is a DC.
* Connecting to directory service on server ch-dc1-2k8.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Cardiff\CH-DC1-2K8
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... CH-DC1-2K8 passed test Connectivity
Doing primary tests
Testing server: Cardiff\CH-DC1-2K8
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
* Replication Site Latency Check
Site
CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local
was skipped because it never had an ISTG running in it.
Site
CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local
was skipped because it never had an ISTG running in it.
Site
CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local
was skipped because it never had an ISTG running in it.
......................... CH-DC1-2K8 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CH-DC1-2K8.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=companyname,DC=local
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=companyname,DC=local
(Configuration,Version 2)
* Security Permissions Check for
DC=companyname,DC=local
(Domain,Version 2)
......................... CH-DC1-2K8 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\CH-DC1-2K8\netlogon)
[CH-DC1-2K8] An net use or LsaPolicy operation failed with error 67, Win32 Error 67.
......................... CH-DC1-2K8 failed test NetLogons
Starting test: Advertising
The DC CH-DC1-2K8 is advertising itself as a DC and having a DS.
The DC CH-DC1-2K8 is advertising as an LDAP server
The DC CH-DC1-2K8 is advertising as having a writeable directory
The DC CH-DC1-2K8 is advertising as a Key Distribution Center
Warning: CH-DC1-2K8 is not advertising as a time server.
The DS CH-DC1-2K8 is advertising as a GC.
......................... CH-DC1-2K8 failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
......................... CH-DC1-2K8 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 12100 to 1073741823
* ch-dc1-2k8.companyname.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 10600 to 11099
* rIDPreviousAllocationPool is 10600 to 11099
* rIDNextRID: 10613
......................... CH-DC1-2K8 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC CH-DC1-2K8 on DC CH-DC1-2K8.
* SPN found :LDAP/ch-dc1-2k8.companyname.local/companyname.local
* SPN found :LDAP/ch-dc1-2k8.companyname.local
* SPN found :LDAP/CH-DC1-2K8
* SPN found :LDAP/ch-dc1-2k8.companyname.local/companyname
* SPN found :LDAP/bfe39346-13d8-455a-a97a-2a33f9e779f5._msdcs.companyname.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/bfe39346-13d8-455a-a97a-2a33f9e779f5/companyname.local
* SPN found :HOST/ch-dc1-2k8.companyname.local/companyname.local
* SPN found :HOST/ch-dc1-2k8.companyname.local
* SPN found :HOST/CH-DC1-2K8
* SPN found :HOST/ch-dc1-2k8.companyname.local/companyname
* SPN found :GC/ch-dc1-2k8.companyname.local/companyname.local
......................... CH-DC1-2K8 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CH-DC1-2K8 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
CH-DC1-2K8 is in domain DC=companyname,DC=local
Checking for CN=CH-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local in domain DC=companyname,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local in domain CN=Configuration,DC=companyname,DC=local on 1 servers
Object is up-to-date on all servers.
......................... CH-DC1-2K8 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CH-DC1-2K8 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 04/21/2015 21:42:20
Event String: The File Replication Service is having trouble
enabling replication from NA-DC1-2K8 to
CH-DC1-2K8 for c:\windows\sysvol\domain using the
DNS name na-dc1-2k8.companyname.local. FRS
will keep retrying.
Following are some of the reasons you would see
this warning.
[1] FRS can not correctly resolve the DNS name
na-dc1-2k8.companyname.local from this
computer.
[2] FRS is not running on
na-dc1-2k8.companyname.local.
[3] The topology information in the Active
Directory Domain Services for this replica has
not yet replicated to all the Domain Controllers.
This event log message will appear once per
connection, After the problem is fixed you will
see another event log message indicating that the
connection has been established.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 04/22/2015 01:54:49
Event String: The File Replication Service is having trouble
enabling replication from CH-DC2-2K8 to
CH-DC1-2K8 for c:\windows\sysvol\domain using the
DNS name ch-dc2-2k8.companyname.local. FRS
will keep retrying.
Following are some of the reasons you would see
this warning.
[1] FRS can not correctly resolve the DNS name
ch-dc2-2k8.companyname.local from this
computer.
[2] FRS is not running on
ch-dc2-2k8.companyname.local.
[3] The topology information in the Active
Directory Domain Services for this replica has
not yet replicated to all the Domain Controllers.
This event log message will appear once per
connection, After the problem is fixed you will
see another event log message indicating that the
connection has been established.
......................... CH-DC1-2K8 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... CH-DC1-2K8 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 04/22/2015 07:16:20
Event String: The Kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
Administrator. The target name used was
companyname\CH-DC2-2K8$. This indicates that
the target server failed to decrypt the ticket
provided by the client. This can occur when the
target server principal name (SPN) is registered
on an account other than the account the target
service is using. Please ensure that the target
SPN is registered on, and only registered on, the
account used by the server. This error can also
happen when the target service is using a
different password for the target service account
than what the Kerberos Key Distribution Center
(KDC) has for the target service account. Please
ensure that the service on the server and the KDC
are both updated to use the current password. If
the server name is not fully qualified, and the
target domain (companyname.LOCAL) is different
from the client domain (companyname.LOCAL),
check if there are identically named server
accounts in these two domains, or use the
fully-qualified name to identify the server.
An Error Event occured. EventID: 0x40000004
Time Generated: 04/22/2015 07:16:20
Event String: The Kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
administrator. The target name used was
companyname\NA-DC1-2K8$. This indicates that
the target server failed to decrypt the ticket
provided by the client. This can occur when the
target server principal name (SPN) is registered
on an account other than the account the target
service is using. Please ensure that the target
SPN is registered on, and only registered on, the
account used by the server. This error can also
happen when the target service is using a
different password for the target service account
than what the Kerberos Key Distribution Center
(KDC) has for the target service account. Please
ensure that the service on the server and the KDC
are both updated to use the current password. If
the server name is not fully qualified, and the
target domain (companyname.LOCAL) is different
from the client domain (companyname.LOCAL),
check if there are identically named server
accounts in these two domains, or use the
fully-qualified name to identify the server.
......................... CH-DC1-2K8 failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=CH-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local and
backlink on
CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=CH-DC1-2K8,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=companyname,DC=local
and backlink on
CN=CH-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local are
correct.
The system object reference (serverReferenceBL)
CN=CH-DC1-2K8,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=companyname,DC=local
and backlink on
CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
are correct.
......................... CH-DC1-2K8 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : companyname
Starting test: CrossRefValidation
......................... companyname passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... companyname passed test CheckSDRefDom
Running enterprise tests on : companyname.local
Starting test: Intersite
Skipping site Cardiff, this site is outside the scope provided by the
command line arguments provided.
Skipping site Edinburgh, this site is outside the scope provided by
the command line arguments provided.
Skipping site London, this site is outside the scope provided by the
command line arguments provided.
Skipping site Belfast, this site is outside the scope provided by the
command line arguments provided.
......................... companyname.local passed test Intersite
Starting test: FsmoCheck
GC Name: \\ch-dc1-2k8.companyname.local
Locator Flags: 0xe00011bd
PDC Name: \\ch-dc1-2k8.companyname.local
Locator Flags: 0xe00011bd
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
KDC Name: \\ch-dc1-2k8.companyname.local
Locator Flags: 0xe00011bd
......................... companyname.local failed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
- Edited by aideyuk Wednesday, April 22, 2015 8:56 AM