Need help determining where the problem is in my AD replicas
Jason Hand
corruption in it's AD database and what to do to fix it. Any ideas would be
very helpful. Here is what errors are being reported in Directory Services
and DNS:
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1084
Date: 12/11/2008
Time: 8:12:55 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: EDUCATION
Description:
Internal event: Active Directory could not update the following object with
changes received from the following source domain controller. This is because
an error occurred during the application of the changes to Active Directory
on the domain controller.
Object:
DC=academic,DC=bridgeway.net,CN=MicrosoftDNS,CN=System,DC=bridgeway,DC=net
Object GUID:
43ed567a-e147-4cb9-9074-dd1635301c55
Source domain controller:
d8f79f5a-4b14-4c07-a35f-15b8e93dc0c7._msdcs.bridgeway.net
Synchronization of the local domain controller with the source domain
controller is blocked until this update problem is corrected.
This operation will be tried again at the next scheduled replication.
User Action
Restart the local domain controller if this condition appears to be related
to low system resources (for example, low physical or virtual memory).
Additional Data
Error value:
8451 The replication operation encountered a database error.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2108
Date: 12/11/2008
Time: 8:12:55 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: EDUCATION
Description:
This event contains REPAIR PROCEDURES for the 1084 event which has
previously been logged. This message indicates a specific issue with the
consistency of the Active Directory database on this replication destination.
A database error occurred while applying replicated changes to the following
object. The database had unexpected contents, preventing the change from
being made.
Object:
DC=academic,DC=bridgeway.net,CN=MicrosoftDNS,CN=System,DC=bridgeway,DC=net
Object GUID:
43ed567a-e147-4cb9-9074-dd1635301c55
Source domain controller:
d8f79f5a-4b14-4c07-a35f-15b8e93dc0c7._msdcs.bridgeway.net
User Action
Please consult KB article 837932, http://support.microsoft.com/?id=837932.
A subset of its repair procedures are listed here.
1. Confirm that sufficient free disk space resides on the volumes hosting
the Active Directory database then retry the operation. Confirm that the
physical drives hosting the NTDS.DIT and log files do not reside on drives
where NTFS compression is enabled. Also check for anti-virus software
accessing these volumes.
2. It may be of benefit to force the Security Descriptor Propagator to
rebuild the object container ancestry in the database. This may be done by
following the instructions in KB article 251343,
http://support.microsoft.com/?id=251343.
3. The problem may be related to the object's parent on this domain
controller. On the source domain controller, move the object to have a
different parent.
4. If this machine is a global catalog and the error occurs in one of the
read-only partitions, you should demote the machine as a global catalog using
the Global Catalog checkbox in the Sites & Services user interface. If the
error is occurring in an application partition, you can stop the application
partition from being hosted on this replica. This may be changed using the
ntdsutil.exe command.
5. Obtain the most recent ntdsutil.exe by installing the latest service
pack for your operating system. Prior to booting into Directory Services
Restore Mode (DSRM), verify that the DSRM password is known. Otherwise reset
it prior to restarting the system.
6. In DSRM, run the NT CMD prompt, run "ntdsutil files integrity". If
corruption is found and other replicas exist, then demote replica and check
your hardware. If no replicas are present, restore a system state backup and
repeat this verification.
7. Perform an offline defragmentation using the "ntdsutil files compact"
function.
8. The "ntdsutil semantic database analysis" should also be performed. If
errors are found, they may be corrected using the "go fixup" function. Note
that this should not be confused with the database maintenance function
called "ESE repair", which should not be used, since it causes data loss for
Active Directory Databases.
If none of these actions succeed and the replication error continues, you
should demote this domain controller and promote it again.
Additional Data
Primary Error value:
8451 The replication operation encountered a database error.
Secondary Error value:
-1414 JET_errSecondaryIndexCorrupted, Secondary index is corrupt. The
database must be defragmented
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4015
Date: 12/11/2008
Time: 8:28:44 PM
User: N/A
Computer: EDUCATION
Description:
The DNS server has encountered a critical error from the Active Directory.
Check that the Active Directory is functioning properly. The extended error
debug information (which may be empty) is "000020EF: SvcErr: DSID-02080490,
problem 5012 (DIR_ERROR), data -1414". The event data contains the error.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 01 00 00 00 ....
-------------------------------------------
These are the results of doing a repadmin /showconn from Education:
repadmin running command /showconn against server localhost
Base DN:
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bridgeway,DC=net
==== KCC CONNECTION OBJECTS ============================================
Connection --
Connection name : f3692596-d123-4be7-a5eb-6c667ee5cbe3
Server DNS name : education.bridgeway.net
Server DN name : CN=NTDS
Settings,CN=EDUCATION,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bridgeway,DC=net
Source: Default-First-Site-Name\ACADEMIC
******* 10445 CONSECUTIVE FAILURES since 2008-11-13 14:29:45
Last error: 8451 (0x2103):
The replication operation encountered a database error.
TransportType: intrasite RPC
options: isGenerated
ReplicatesNC: CN=Configuration,DC=bridgeway,DC=net
Reason: StaleServersTopology
Replica link has been added.
ReplicatesNC: DC=ForestDnsZones,DC=bridgeway,DC=net
Reason: StaleServersTopology
Replica link has been added.
ReplicatesNC: DC=bridgeway,DC=net
Reason: StaleServersTopology
Replica link has been added.
ReplicatesNC: CN=Schema,CN=Configuration,DC=bridgeway,DC=net
Reason: StaleServersTopology
Replica link has been added.
ReplicatesNC: DC=DomainDnsZones,DC=bridgeway,DC=net
Reason: StaleServersTopology
Replica link has been added.
Connection --
Connection name : c9215653-cf0b-42f1-8edc-797bf225dfbc
Server DNS name : academic.bridgeway.net
Server DN name : CN=NTDS
Settings,CN=ACADEMIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bridgeway,DC=net
Source: Default-First-Site-Name\EDUCATION
No Failures.
TransportType: intrasite RPC
options: isGenerated
ReplicatesNC: CN=Configuration,DC=bridgeway,DC=net
Reason: RingTopology
Replica link has been added.
ReplicatesNC: DC=ForestDnsZones,DC=bridgeway,DC=net
Reason: RingTopology
Replica link has been added.
ReplicatesNC: DC=bridgeway,DC=net
Reason: RingTopology
Replica link has been added.
ReplicatesNC: CN=Schema,CN=Configuration,DC=bridgeway,DC=net
Reason: RingTopology
Replica link has been added.
ReplicatesNC: DC=DomainDnsZones,DC=bridgeway,DC=net
Reason: RingTopology
Replica link has been added.
2 connections found.
These are the results of doing a repadmin /showreps from Education:
Default-First-Site-Name\EDUCATION
DC Options: IS_GC
Site Options: (none)
DC object GUID: 24e32f35-f094-4996-8b8b-66db169710ac
DC invocationID: f856f718-94b2-48cb-86eb-4639c992f389
==== INBOUND NEIGHBORS ======================================
DC=bridgeway,DC=net
Default-First-Site-Name\ACADEMIC via RPC
DC object GUID: d8f79f5a-4b14-4c07-a35f-15b8e93dc0c7
Last attempt @ 2008-12-11 19:30:23 failed, result 8451 (0x2103):
The replication operation encountered a database error.
10450 consecutive failure(s).
Last success @ 2008-11-13 14:29:45.
CN=Configuration,DC=bridgeway,DC=net
Default-First-Site-Name\ACADEMIC via RPC
DC object GUID: d8f79f5a-4b14-4c07-a35f-15b8e93dc0c7
Last attempt @ 2008-12-11 19:27:45 was successful.
CN=Schema,CN=Configuration,DC=bridgeway,DC=net
Default-First-Site-Name\ACADEMIC via RPC
DC object GUID: d8f79f5a-4b14-4c07-a35f-15b8e93dc0c7
Last attempt @ 2008-12-11 18:46:48 was successful.
DC=DomainDnsZones,DC=bridgeway,DC=net
Default-First-Site-Name\ACADEMIC via RPC
DC object GUID: d8f79f5a-4b14-4c07-a35f-15b8e93dc0c7
Last attempt @ 2008-12-11 18:46:48 was successful.
DC=ForestDnsZones,DC=bridgeway,DC=net
Default-First-Site-Name\ACADEMIC via RPC
DC object GUID: d8f79f5a-4b14-4c07-a35f-15b8e93dc0c7
Last attempt @ 2008-12-11 18:46:48 was successful.
Source: Default-First-Site-Name\ACADEMIC
******* 10445 CONSECUTIVE FAILURES since 2008-11-13 14:29:45
Last error: 8451 (0x2103):
The replication operation encountered a database error.
Lastly-Here is the result of doing a repadmin /showmeta using the GUID for
Academic from Education:
10 entries.
Loc.USN Originating DC Org.USN Org.Time/Date
Ver Attribute
======= =============== ========= =============
=== =========
77878 Default-First-Site-Name\EDUCATION 77878 2008-01-30
22:53:47 1 objectClass
77878 Default-First-Site-Name\EDUCATION 77878 2008-01-30
22:53:47 1 instanceType
77878 Default-First-Site-Name\EDUCATION 77878 2008-01-30
22:53:47 1 whenCreated
77878 Default-First-Site-Name\EDUCATION 77878 2008-01-30
22:53:47 1 showInAdvancedViewOnly
77878 Default-First-Site-Name\EDUCATION 77878 2008-01-30
22:53:47 1 nTSecurityDescriptor
77878 Default-First-Site-Name\EDUCATION 77878 2008-01-30
22:53:47 1 name
1133205 Default-First-Site-Name\ACADEMIC 1335751 2008-11-12
14:47:57 600 dnsRecord
77878 Default-First-Site-Name\EDUCATION 77878 2008-01-30
22:53:47 1 objectCategory
82031 Default-First-Site-Name\EDUCATION 82031 2008-01-30
23:28:59 1 dNSTombstoned
77878 Default-First-Site-Name\EDUCATION 77878 2008-01-30
22:53:47 1 dc
0 entries.
Type Attribute Last Mod Time Originating
DC Loc.USN Org.USN Ver
======= ============ =============
================= ======= ======= ===
Distinguished Name
=============================
Thanks for any help you can offer. We are a non-profit school and need all
the help we can get!
Thanks,
Jason
Meinolf Weber [MVP-DS]
Did you follow the provided articles and desribed steps on Educatio where
the errors occur?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Paul Bergson
Do you have free space available on your system drive?
Go through the troubleshooting tips 1 by 1 and if this all fails then I
would report back, but you have plenty of details to press forward. Make
sure you get a backup (System state and all) before proceeding.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
"Jason Hand" <Jaso...@discussions.microsoft.com> wrote in message
news:6CC4376E-E092-4BDA...@microsoft.com...
Jason Hand
server(s) and put them into AD restore mode.
My point of asking for advice was that I can't even tell which of the two
has the corrupted data. I am afraid of doing too much changing and probing
in case it makes the situation worse.
Can you tell from what I posted whether the problem is on the Education
server or the Academic server? What is the best way to tell? I am very good
at researching and following procedures but when it comes to AD and these are
the only 2 DC's and I honestly have no idea where the corruption resides I am
unwilling at this point to assume anything and don't want to make it worse.
Thanks,
Jason
Jason Hand
the AD restore mode. The reason why is that I don't know where the problem
is; Education or Academic and if I restore the good one but the bad one
doesn't get fixed then I am worse off.
I have tried a few other tips like trying to take the GC off of the one you
suspect is bad(which I lean toward Academic but the errors are all coming
from Education--Academic just reports occasional Directory errors but no DNS
errors) and also tried changing the primary dns setting on each one to point
to the other and then try a repladmin /sync as well as the dcdiag /fix and
netdiag /fix and a few other little suggestions. I have tried many things
but it still very much eludes me as to which of these 2 machines truly has
the corruption in it and how to find that out.
Thanks,
Jason
Jason Hand
Thanks,
Jason
Meinolf Weber [MVP-DS]
Check the machine which has the error, so Education.
Best regards
>>> =n et
>>>
>>> ==== KCC CONNECTION OBJECTS
>>> ============================================
>>> Connection --
>>>
>>> Connection name : f3692596-d123-4be7-a5eb-6c667ee5cbe3
>>>
>>> Server DNS name : education.bridgeway.net
>>>
>>> Server DN name : CN=NTDS
>>> Settings,CN=EDUCATION,CN=Servers,CN=Default-First-Site-Name,CN=Sites
>>> ,C N=Configuration,DC=bridgeway,DC=net
>>> CN =Configuration,DC=bridgeway,DC=net
Paul Bergson
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
"Jason Hand" <Jaso...@discussions.microsoft.com> wrote in message
news:2A317ED6-2C4E-431D...@microsoft.com...