
DC not working properly


gl3n2k3

MIS
Dec 10, 2003
10
US
Recently installed a W2K3 DC in a branch office connected with a T1 internet connection, using a Cisco PIX LAN-to-LAN VPN tunnel back to the home office. This will be a DC for the site with DNS. After running dcpromo, no issues seemed to occur. It found AD, DNS, etc. and copied AD from the home office. Post-installation tests indicated the following:

>NetDiag: (only 1 failed)
Domain membership test . . . . . . : Failed
[WARNING] The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.

>net share
On the new DC there isn't a SYSVOL share.

>successful ping from each DC

>clients in the branch office are not authenticating to the DC at that site but are authenticated by the server in the home office

>FSMO operations role is an upgraded W2K3 server from NT4 PDC and is the PDC emulator. I read that this can cause problems, with the only fix being to move the role to the new DC so the entire sysvol is replicated. Is this true?

Any ideas? I have tried demoting it back to a standalone, removing DNS, adding DNS, but netdiag still fails with the same error (indicated above). I did read that IPSec can cause problems with NT trusts but this doesn't appear to be a trust issue. Also, there is >G of disk space on DCs.

My understanding is the DC won't assume the role of being a DC until the entire SYSVOL is replicated.

Any input is greatly appreciated.


 
Have you tried to monitor AD using the ReplAdmin or the GUI interface?

Try DCDiag, what are the results there?
 
See Logs and information below. Thanks for your response.


Starting test: Advertising
Warning: DsGetDcName returned information for \\server1.domainname.local,
when we were trying to reach server2.
Server is not responding or is not considered suitable.
......................... server1 failed test Advertising


Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DALDSIDC1 failed test frsevent


*****************
FRS event:

File Replication Service is initializing the system volume with data from another domain controller. Computer DALDSIDC1 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

To check for the SYSVOL share, at the command prompt, type:
net share

When File Replication Service completes the initialization process, the SYSVOL share will appear.

The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.


****************
NtFrs Debug:

++ ERROR - NtCreateFile failed : NTStatus: STATUS_OBJECT_NAME_NOT_FOUND

<FrsHashCalcString:


**************
<from server1 frs debug log>

ERROR - NtCreateFile failed : NTStatus: STATUS_OPLOCK_NOT_GRANTED



The first server is an upgraded NT-w2k3 server and it is a mixed-mode environment. I understand that the DC will not assume the DC role until all the sysvol has replicated. I am able to open AD users/computers from any DC. nslookups ok. ping ok. trusts ok. I used a sniffer and noticed the oplock errors. Any ideas what would be causing this? The same issue is in multiple branch offices, which leads me to believe the problem is the first AD controller. I did verify permissions on all DCs and they appeared correct. Any input would be appreciated. I have used many of the MS docs on troubleshooting replication but none have corrected the issue.
 
Did you manage to resolve this problem? I am struggling with what appears to be the exact same issue.
 
I believe your problem is DNS related. Make sure your DNS is set up correctly to allow secure and non-secure updates. Also look in sites and servers to check communication.
I hope this helps.

dowsley
 
Yes, I was finally able to resolve the issue. It wasn't a DNS issue. I was having two issues that caused FRS to fail. I wasn't having problems with DS because AD was replicating w/o issue. The RPC endpoint mapper had a port occupied, which was cleared by stopping the service, setting it to manual, rebooting, then restarting it after reboot. The other issue was an issue with the Kerberos secure channel. To fix that, reset the password on one DC using the netdom resetpwd command, then stop the kdc service on all DCs. I changed the PDC emulator's kdc service to manual then rebooted. Login took ~7 minutes because it was attempting to use the kdc service. After login, I restarted the service. FRS replication then resumed as normal. I then went to each DC and restarted the kdc service. I made sure replication was working by creating a fromSERVERname.txt file on each DC in the scripts folder and verified each DC received each of them.

If you are able to open AD Sites and Services and <right-click> and replicate NOW, then most likely if no errors occur it is not a DNS issue. If you are having an FRS issue I suggest using the FRSdiag tool.


Hope that helps. Let me know. It was a major pain for me.
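
The marker-file check described in the post above, written out as an added example (it is not the poster's own script). The DC names, the domain name and the wait time are placeholders; the script assumes it runs under an account allowed to write to SYSVOL and that the scripts folder is reachable as `\\<DC>\SYSVOL\<domain>\scripts`.

```powershell
# Added example: DC names, domain name and wait time are placeholders (assumptions).
$DomainControllers = @('DC1', 'DC2', 'DC3')
$DomainName        = 'example.local'
$WaitSeconds       = 900   # allow for the replication interval between sites

function Get-ScriptsPath([string]$Dc) {
    # The "scripts" folder inside SYSVOL, which is also published as NETLOGON.
    "\\$Dc\SYSVOL\$DomainName\scripts"
}

# 1. A DC that has not finished SYSVOL initialization shares neither
#    SYSVOL nor NETLOGON (the "net share" symptom from the first post).
foreach ($dc in $DomainControllers) {
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if (-not (Test-Path "\\$dc\$share")) {
            Write-Warning "$dc is not sharing $share"
        }
    }
}

# 2. Write one marker per DC into that DC's own copy of the scripts folder.
foreach ($dc in $DomainControllers) {
    $marker = Join-Path (Get-ScriptsPath $dc) "from$dc.txt"
    Set-Content -Path $marker -Value "FRS marker written $(Get-Date -Format o)" `
        -ErrorAction Continue
}

Start-Sleep -Seconds $WaitSeconds

# 3. Build the full matrix: every DC should now hold every DC's marker.
$results = foreach ($target in $DomainControllers) {
    foreach ($source in $DomainControllers) {
        [pscustomobject]@{
            Target   = $target
            Source   = $source
            Received = Test-Path (Join-Path (Get-ScriptsPath $target) "from$source.txt")
        }
    }
}

# 4. Show only the missing pairs; an empty table means FRS replicated both ways.
$results | Where-Object { -not $_.Received } | Format-Table -AutoSize
```

A missing pair names the direction that is not replicating: `Source` wrote the marker and `Target` never received it. Delete the markers on one DC afterwards and let the deletion replicate.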
 