Replication error on new DC after demoting old DC (Event 1411 Source:NTDS Replication)
Zaur Bahramov
with the name/ip of the old server. I believe replication didn't complete by
that moment on all other DCs in other sites....
Now I experience the replication issue as follows:
############################################################
Type: Error
Date: 29/05/2008
Time: 7.01.45
Event: 1411
Source: NTDS Replication
Category: Client DS RPC
User: NT AUTHORITY\ACCESSO ANONIMO
Computer: TRADEDC01
Description:
Impossibile costruire un nome principale di servizio (SPN) di autenticazione
reciproca per il seguente controller di dominio.
Controller di dominio:
6d7a8986-2e9e-4e05-90fc-6da6908b2d9e._msdcs.mondial.local
La chiamata e stata rifiutata. Questo puo influire sulla comunicazione con
il controller di dominio.
Dati aggiuntivi
Valore di errore:
8589 Il servizio directory (DS) non riesce a ottenere un nome principale di
servizio (SPN) da utilizzare per l'autenticazione reciproca del server di
destinazione. L'oggetto server corrispondente nel database DS locale ? privo
di attributo serverReference.
############################################################
ADSIEDIT shows fRSMemberReference as TRADEDC02, which is the old name. I
tried to replace it but I receive an invalid object error.
Report from FRSDiag is as follows:
------------------------------------------------------------
FRSDiag v1.7 on 29/05/2008 11.06.17
.\TRADEDC01 on 2008-05-29 at 11.06.17
------------------------------------------------------------
Checking for errors/warnings in FRS Event Log ....
NtFrs 29/05/2008 2.02.27 Warning 13508 Il servizio Replica file non riesce
ad abilitare la replica da MONDIALDC01 a TRADEDC01 per
c:\windows\sysvol\domain tramite il nome DNS mondialdc01.mondial.local.
Continuerà a tentare. Seguono alcune cause possibili di questo avviso.
[1] Il servizio Replica file non riesce a risolvere correttamente il nome
DNS mondialdc01.mondial.local dal computer. [2] Il servizio Replica file
non è in esecuzione in mondialdc01.mondial.local. [3] Le informazioni
topologiche in Active Directory per questa replica non sono ancora state
replicate su tutti i controller di dominio. Questo messaggio del
registro eventi viene visualizzato una sola volta per connessione. Alla
risoluzione del problema appare un altro messaggio del registro eventi che
indica che è stata stabilita la nuova connessione.
NtFrs 28/05/2008 23.02.13 Warning 13508 Il servizio Replica file non riesce
ad abilitare la replica da MONDIALDC01 a TRADEDC01 per
c:\windows\sysvol\domain tramite il nome DNS mondialdc01.mondial.local.
Continuerà a tentare. Seguono alcune cause possibili di questo avviso.
[1] Il servizio Replica file non riesce a risolvere correttamente il nome
DNS mondialdc01.mondial.local dal computer. [2] Il servizio Replica file
non è in esecuzione in mondialdc01.mondial.local. [3] Le informazioni
topologiche in Active Directory per questa replica non sono ancora state
replicate su tutti i controller di dominio. Questo messaggio del
registro eventi viene visualizzato una sola volta per connessione. Alla
risoluzione del problema appare un altro messaggio del registro eventi che
indica che è stata stabilita la nuova connessione.
NtFrs 28/05/2008 20.02.32 Warning 13508 Il servizio Replica file non riesce
ad abilitare la replica da MONDIALDC01 a TRADEDC02 per
c:\windows\sysvol\domain tramite il nome DNS mondialdc01.mondial.local.
Continuerà a tentare. Seguono alcune cause possibili di questo avviso.
[1] Il servizio Replica file non riesce a risolvere correttamente il nome
DNS mondialdc01.mondial.local dal computer. [2] Il servizio Replica file
non è in esecuzione in mondialdc01.mondial.local. [3] Le informazioni
topologiche in Active Directory per questa replica non sono ancora state
replicate su tutti i controller di dominio. Questo messaggio del
registro eventi viene visualizzato una sola volta per connessione. Alla
risoluzione del problema appare un altro messaggio del registro eventi che
indica che è stata stabilita la nuova connessione.
WARNING: Found Event ID 13508 errors without trailing 13509 ... see above
for (up to) the 3 latest entries!
......... failed 1
Checking for errors in Directory Service Event Log ....
NTDS Replication 29/05/2008 7.01.45 Error 1411 Impossibile costruire un nome
principale di servizio (SPN) di autenticazione reciproca per il seguente
controller di dominio. Controller di dominio:
6d7a8986-2e9e-4e05-90fc-6da6908b2d9e._msdcs.mondial.local La chiamata
è stata rifiutata. Questo può influire sulla comunicazione con il controller
di dominio. Dati aggiuntivi Valore di errore: 8589 Il servizio
directory (DS) non riesce a ottenere un nome principale di servizio (SPN) da
utilizzare per l'autenticazione reciproca del server di destinazione.
L'oggetto server corrispondente nel database DS locale è privo di attributo
serverReference.
NTDS Replication 29/05/2008 0.05.04 Error 1411 Impossibile costruire un nome
principale di servizio (SPN) di autenticazione reciproca per il seguente
controller di dominio. Controller di dominio:
6d7a8986-2e9e-4e05-90fc-6da6908b2d9e._msdcs.mondial.local La chiamata
è stata rifiutata. Questo può influire sulla comunicazione con il controller
di dominio. Dati aggiuntivi Valore di errore: 8589 Il servizio
directory (DS) non riesce a ottenere un nome principale di servizio (SPN) da
utilizzare per l'autenticazione reciproca del server di destinazione.
L'oggetto server corrispondente nel database DS locale è privo di attributo
serverReference.
NTDS Replication 28/05/2008 21.41.43 Error 1411 Impossibile costruire un
nome principale di servizio (SPN) di autenticazione reciproca per il
seguente controller di dominio. Controller di dominio:
6d7a8986-2e9e-4e05-90fc-6da6908b2d9e._msdcs.mondial.local La chiamata
è stata rifiutata. Questo può influire sulla comunicazione con il controller
di dominio. Dati aggiuntivi Valore di errore: 8589 Il servizio
directory (DS) non riesce a ottenere un nome principale di servizio (SPN) da
utilizzare per l'autenticazione reciproca del server di destinazione.
L'oggetto server corrispondente nel database DS locale è privo di attributo
serverReference.
NTDS Replication 28/05/2008 21.29.49 Error 1411 Impossibile costruire un
nome principale di servizio (SPN) di autenticazione reciproca per il
seguente controller di dominio. Controller di dominio:
6d7a8986-2e9e-4e05-90fc-6da6908b2d9e._msdcs.mondial.local La chiamata
è stata rifiutata. Questo può influire sulla comunicazione con il controller
di dominio. Dati aggiuntivi Valore di errore: 8589 Il servizio
directory (DS) non riesce a ottenere un nome principale di servizio (SPN) da
utilizzare per l'autenticazione reciproca del server di destinazione.
L'oggetto server corrispondente nel database DS locale è privo di attributo
serverReference.
NTDS Replication 28/05/2008 21.10.45 Error 1411 Impossibile costruire un
nome principale di servizio (SPN) di autenticazione reciproca per il
seguente controller di dominio. Controller di dominio:
6d7a8986-2e9e-4e05-90fc-6da6908b2d9e._msdcs.mondial.local La chiamata
è stata rifiutata. Questo può influire sulla comunicazione con il controller
di dominio. Dati aggiuntivi Valore di errore: 8589 Il servizio
directory (DS) non riesce a ottenere un nome principale di servizio (SPN) da
utilizzare per l'autenticazione reciproca del server di destinazione.
L'oggetto server corrispondente nel database DS locale è privo di attributo
serverReference.
WARNING: Found Directory Service Errors in the past 15 days! FRS Depends on
AD so Check AD Replication!
......... failed 5
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ...
ERROR: This server's "Member Ref" property for the SYSVOL volume does NOT
seem to be correct !!!
To fix this, use ADSIEdit and edit the "fRSMemberReference" Property of
the nTFRSSubscriber object named "CN=Domain System Volume (SYSVOL share)"
located under this Server's Computer Object.
This value should match the FQDN of this Server. Current Values are:
Current Value = "CN=TRADEDC02,CN=Domain System Volume (SYSVOL
share),CN=File Replication Service,CN=System,DC=mondial,DC=local"
Suggested Value = "CN=TRADEDC01,CN=Domain System Volume (SYSVOL
share),CN=File Replication Service,CN=System,DC=mondial,DC=local"
Please note there is a small chance the above Suggested Value may
not be correct - See below for more info on what the Proper Value should be!
For more Info See KB Article : 312862 Recovering Missing FRS Objects and
FRS Attributes in Active Directory - Search for the step about Updating the
"fRSMemberReference" object (Step 8 on the "Recovering from Deleted FRS
Objects" section
......... failed with 1 error(s)
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not
checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ... passed
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed
############################################################
Zaur Bahramov, MCP
Meinolf Weber
Check if this helps you:
http://support.microsoft.com/kb/938704
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Zaur Bahramov
I will try this method, but could you pls, tell me the following:
1) what is "root" domain controller?
2) the error I get... how dangerous it is for my network?
3) Can the method described in the http://support.microsoft.com/kb/938704
cause any other negative issues, or it's solely to resolve this actual
problem?
"Meinolf Weber" <meiweb(nospam)@gmx.de> ha scritto nel messaggio
news:ff16fb669de878...@msnews.microsoft.com...
Meinolf Weber
see inline
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> Hi!
>
> I will try this method, but could you pls, tell me the following:
>
> 1) what is "root" domain controller?
The first installed DC, which also holds the FSMO roles by default. Check
with netdom from the support tools, located on the install disk if not installed,
from a command line "netdom query /domain:domainname fsmo" without the quotes.
> 2) the error I get... how dangerous it is for my network?
If replication in a domain does not work correctly, you get a lot of problems,
user can maybe not login, because account information are not replicated,
passwords etc.
> 3) Can the method described in the
> http://support.microsoft.com/kb/938704
> cause any other negative issues, or it's solely to resolve this actual
> problem?
See the part WARNING under RESOLUTION in the document.
Paul Bergson [MVP-DS]
demotion, before you promoted the new dc. I can't read the language this is
posted in
Run diagnostics against your Active Directory domain.
If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe
Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"
**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.
If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.
The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm
Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)
When complete search for fail, error and warning messages.
Description and download for dnslint
http://support.microsoft.com/kb/321045
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Zaur Bahramov" <zbakh...@msn.com> wrote in message
news:e39HyGXw...@TK2MSFTNGP04.phx.gbl...
Zaur Bahramov
1) Installed new SERVER2 and dcpromoted it to DC and GC
2) SERVER1 - "dcdemote", reboot, change IP to some other free ip, rename to
SERVER1BKP, add to WORKGROUP, reboot
3) SERVER2 - change IP to old SERVER1 ip, rename to SERVER1, reboot
When I renamed SERVER2 to SERVER1 I wasn't able to do that since the object
existed in AD so I did a mistake here, I force deleted the old domain
controller (SERVER1) and then renamed SERVER2 to SERVER1.
When now I run repadmin /showreps I get a positive result that replication
is OK through all sites. But adsiedit.msc still shows the SERVER2 under
nTFRSSubscriber -> fRSMemberReference.
I was planning to follow the procedure described here to resolve this issue:
http://support.microsoft.com/kb/938704
"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> ha scritto nel
messaggio news:eF%23p$qYwIH...@TK2MSFTNGP03.phx.gbl...
Paul Bergson [MVP-DS]
and do a metadata cleanup and repromote.
http://support.microsoft.com/Default.aspx?id=216498
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Zaur Bahramov" <zbakh...@msn.com> wrote in message
news:%2395tynl...@TK2MSFTNGP04.phx.gbl...
Zaur
After runnig the procedure explained in KB938704 seems that the
<automatically created> replication link was recreated with the root domain
controller. Replication works (hopefully well!)
This is result from the server where I have had problems. Please, let me
know if it looks OK now, or I need to check something else to make sure
everything is OK.
Occimiano\TRADEDC01
DC Options: IS_GC
Site Options: (none)
DC object GUID: d2aca0b2-8722-490e-a55a-9219c8160802
DC invocationID: b7dbf545-9d62-411b-a72c-ce770252bc39
==== INBOUND NEIGHBORS ======================================
DC=mondial,DC=local
SanGiorgio\MONDIALDC01 via RPC
DC object GUID: 4edaa474-eebf-4d20-95bb-2faf5eb9a8ba
Last attempt @ 2008-05-30 20:45:36 was successful.
Mirabello\MONDIALDC03 via RPC
DC object GUID: d53c6396-7b75-4f63-9c81-9ebc991711d5
Last attempt @ 2008-05-30 20:45:37 was successful.
CN=Configuration,DC=mondial,DC=local
SanGiorgio\MONDIALDC01 via RPC
DC object GUID: 4edaa474-eebf-4d20-95bb-2faf5eb9a8ba
Last attempt @ 2008-05-30 20:45:36 was successful.
Mirabello\MONDIALDC03 via RPC
DC object GUID: d53c6396-7b75-4f63-9c81-9ebc991711d5
Last attempt @ 2008-05-30 20:45:37 was successful.
CN=Schema,CN=Configuration,DC=mondial,DC=local
SanGiorgio\MONDIALDC01 via RPC
DC object GUID: 4edaa474-eebf-4d20-95bb-2faf5eb9a8ba
Last attempt @ 2008-05-30 20:45:37 was successful.
Mirabello\MONDIALDC03 via RPC
DC object GUID: d53c6396-7b75-4f63-9c81-9ebc991711d5
Last attempt @ 2008-05-30 20:45:37 was successful.
DC=DomainDnsZones,DC=mondial,DC=local
SanGiorgio\MONDIALDC01 via RPC
DC object GUID: 4edaa474-eebf-4d20-95bb-2faf5eb9a8ba
Last attempt @ 2008-05-30 20:45:37 was successful.
Mirabello\MONDIALDC03 via RPC
DC object GUID: d53c6396-7b75-4f63-9c81-9ebc991711d5
Last attempt @ 2008-05-30 20:45:37 was successful.
DC=ForestDnsZones,DC=mondial,DC=local
SanGiorgio\MONDIALDC01 via RPC
DC object GUID: 4edaa474-eebf-4d20-95bb-2faf5eb9a8ba
Last attempt @ 2008-05-30 20:45:37 was successful.
Mirabello\MONDIALDC03 via RPC
DC object GUID: d53c6396-7b75-4f63-9c81-9ebc991711d5
Last attempt @ 2008-05-30 20:45:37 was successful.
"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:%23eg8PQm...@TK2MSFTNGP06.phx.gbl...
Paul Bergson [MVP-DS]
enterprise.
DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
When complete search for fail, error and warning messages.
**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.
You could check your High Water marks on your dc's but I don't think you
need to do this.
Good luck I will be unavailable for a week and a half.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Zaur" <zbakh...@gmail.com> wrote in message
news:eM2ilYow...@TK2MSFTNGP02.phx.gbl...
Herb Martin
> Successful is your friend. I would also run at least a dcdiag against your
> enterprise.
>
> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
> When complete search for fail, error and warning messages.
>
> **Note: Using the /E switch in dcdiag will run diagnostics against ALL
> dc's in the forest. If you have significant numbers of DC's this test
> could
Paul and I disagree (amicably) on using /E switch -- he uses, I never
do but rather prefer running it on each individual DC for a couple of
reasons: output from DCDiag is voluminous for even one DC,
amalgamating them into one file doesn't help make it more clear but
more importantly IF you have problems that DCDiag might
discover then you are also likely to have problems finding and
getting authorized onto every DC.
Zaur
instead of 'TRADEDC01'. Besides, in replmon I see **DELETED SERVER #1 and
**DELETED SERVER #2.
I'm not sure whether this might cause any serious issues though...
I've ran a dcdiag and I got the error on one of the other DCs:
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after
the
SYSVOL has been shared. Failing SYSVOL replication problems may
cause
Group Policy problems.
An Error Event occured. EventID: 0xC0003502
Time Generated: 06/01/2008 06:31:56
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0003502
Time Generated: 06/01/2008 06:32:00
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034FC
Time Generated: 06/01/2008 06:37:11
(Event String could not be retrieved)
......................... MONDIALDC02 failed test frsevent
amd on another dc:
......................... MONDIALDC03 failed test ObjectsReplicated
"Herb Martin" <ne...@learnquick.com> wrote in message
news:%23Iput3q...@TK2MSFTNGP03.phx.gbl...