
Replication Issues


xsquid

IS-IT--Management
Oct 14, 2003
21
US
We have recently implemented Server 2003 at our location. We have two servers running 2003, and one running NT4 that we have set up with an external trust. We get the following errors on both 2003 machines, pointing at each other, with the server names reversed. I have removed the actual domain and machine names:


Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 7/12/2004
Time: 3:04:18 PM
User: N/A
Computer: SERVER1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server2.subdomain.domain.com. The target name used was \SERVER2$. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (SUBDOMAIN.DOMAIN.COM), and the client realm. Please contact your system administrator.


Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date: 7/11/2004
Time: 7:15:14 PM
User: N/A
Computer: SERVER1
Description:
The File Replication Service is having trouble enabling replication from SERVER2 to SERVER1 for c:\windows\sysvol\domain using the DNS name server2.SUBDOMAIN.DOMAIN.com. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name nt99.madtel.madisontelco.com from this computer.
[2] FRS is not running on nt99.madtel.madisontelco.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

Some more info:
We can ping the FQDN from either server's command prompt.
FRS is running as a service on both domain controllers.
These servers are both configured as domain controllers.
I can open the event log from server1 console on server2 and vice versa. I have also tried most of the fixes around replication found on this site or the Microsoft KB.

Any help would be greatly appreciated.
 
You say that you can ping fully qualified domain names. This is good...this means that DNS is set up properly. (Although, you should use NSLOOKUP to query DNS directly for further testing of DNS.)

Because you have multiple domains, it is important that your servers and clients use the proper DOMAIN SUFFIXES.

For example, if your domain names were: company1.com, test.company.com, and testing.com -- and it was important for each node on the network to resolve through DNS using just HOST name (no FQDN required), you should add these DNS suffixes to each client.

Where are DNS suffixes listed? In the TCP/IP properties of each Windows system. On the DNS tab, there is an APPEND THESE DNS SUFFIXES box. You can list each domain name here... Once you do this, you will no longer be required to place the fully qualified domain name when pinging. You can just use the host name and the suffixes will automatically be appended.

-maybe this will help in your situation?

-later



Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out (Sales@njcomputernetworks.com)
 
We have checked that the DNS suffixes are properly noted, at least when we go to Computer Name under System Properties and look at More, we see the DNS suffix listed as subdomain.domain.com.
We can also ping either server from the cmd prompt on both servers using just server1 or server2.

We had both servers set up as DNS servers for redundancy and have removed that role from server2 with no effect.

We have two domains. One is the w2k3 domain, and the other is the NT4 domain. They are both set up as subdomain.domain.com, with only the subdomain being different. In fact there are no clients authenticating into the NT domain, but we have left it up until we are sure this conversion is complete.
 
Sounds also like a kerberos issue. I would check to see if you have a secure channel between these 2 servers by using either nltest or the netdom utilities.
 
Yeah, it looks like the secure channel may be broken on both machines. It's a little unusual though, since there are only two DCs in the domain.
 
OK, I have more info on this.

Using nltest I see the following:

nltest /server:server1 /sc-query:subdomain.domain.com
I_NetLogonControl failed status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

If however I change server 1 to 2, I get the following:

nltest /server:server2 /sc_query:subdomain.domain.com
Flags: 30 HAS_IP HAS_TMESERV
Trusted DC Name \\server1.subdomain.domain.com
Trusted DC Connection Status Status = 0 0x0 NERR_Sucess
The command completed successfully

This is true whether these commands are entered from server1 or server2's command line.

I can also run nltest against desktops and member servers. They respond with either server1 or server2 as success, and I would imagine the reason for responding with one server or the other would be which DC they auth'd against.

The only consistent symptom is if I use:
nltest /server:server1 /sc-query:subdomain.domain.com
I_NetLogonControl failed status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

I haven't worked with netdom yet.

Thanks for everyone's help so far....
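The nltest secure-channel query and the two event-log symptoms discussed in this thread, pulled together as an added PowerShell diagnostic. This is not code from the thread; the domain name, server names and the 7-day window are placeholders to replace with your own.

```powershell
# Added diagnostic for the symptoms in this thread (not code from the thread).
# Assumes Windows PowerShell with nltest.exe on a domain member or DC.
# $Domain and $DCs are placeholders: replace with your own values.
param(
    [string]$Domain = 'subdomain.domain.com',
    [string[]]$DCs  = @('server1', 'server2')
)
$since = (Get-Date).AddDays(-7)

# 1. Name resolution of each DC's FQDN (reason [1] in the FRS 13508 event text).
foreach ($dc in $DCs) {
    $fqdn = "$dc.$Domain"
    try   { $ips = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString } }
    catch { $ips = @('UNRESOLVED') }
    "{0,-40} -> {1}" -f $fqdn, ($ips -join ', ')
}

# 2. Secure channel as reported when each DC is asked about the domain (nltest /sc_query),
#    the same call made in the thread. NERR_Success marks a healthy channel.
foreach ($dc in $DCs) {
    $out = (& nltest.exe "/server:$dc" "/sc_query:$Domain" 2>&1) -join "`n"
    New-Object PSObject -Property @{
        DC        = $dc
        Healthy   = [bool]($out -match 'NERR_Success')
        TrustedDC = $(if ($out -match 'Trusted DC Name\s+(\S+)') { $Matches[1] } else { '(none)' })
        Status    = $(if ($out -match 'Status = (\S+)') { $Matches[1] } else { ($out -split "`n")[0] })
    }
}

# 3. Recent events matching the thread: Kerberos event 4 (KRB_AP_ERR_MODIFIED, System log)
#    and NtFrs 13508 (File Replication Service log). Get-EventLog reads the classic logs,
#    so it works on Server 2003 as well as later versions.
$kerb = Get-EventLog -LogName System -Source Kerberos -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 4 }
$frs  = Get-EventLog -LogName 'File Replication Service' -Source NtFrs -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 13508 }

"Kerberos event 4 in window : {0}" -f @($kerb).Count
"NtFrs 13508 in window      : {0}" -f @($frs).Count

# The server name in each Kerberos 4 event is the host whose ticket failed to decrypt.
# If it resolves to a different address than step 1 showed, suspect stale DNS records
# or a duplicate machine account, the causes the event text itself names.
$kerb | Select-Object -First 5 | ForEach-Object {
    if ($_.Message -match 'from the server (\S+)\.') { "  failing target: $($Matches[1])" }
}
```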
 
Try this on server one:

Stop the KDC service and set it to disabled.

Run 'netdom resetpwd /server:server1 /userd:domain\administrator /passwordd:*'

It will prompt you for the password and you should get a command completed successfully. Then reboot the server.
 
I have tried the fix suggested above on server1 with no result.
nltest /server:server1 /sc-query:subdomain.domain.com
I_NetLogonControl failed status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

remains the same.

In fact, when it did not work on server1, I tried the same command on server2 about an hour later with the same results. The Kerberos errors and the FRS warnings continue to appear as well.


 
Maybe this patch will help?
Windows 2000 Patch:GetEffectiveRightsFromAcl Function Causes ERROR_NO_SUCH_DOMAIN


Probably not though...

How bout this? 2088 » I get an error using nltest.exe, when querying the Global Catalog?


Testing Domain Connection:
How can I quickly determine whether a domain controller (DC) is available for a specific domain?



Joseph L. Poandl
MCSE 2003

 
I am a little afraid to try the 1st patch, since we are on w2k3, and it is for 2000. Or am I wrong?

nltest /dsgetdc:subdomain.domain.com /GC returns:

DC: \\server2.subdomain.domain.com
Address: \\192.168.0.4
Dom Guid: Lots of numbers
Dom Name: subdomain.domain.com
Forest Name: subdomain.domain.com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE

nltest /dsgetdc:subdomain.domain.com returns:

DC: \\server1.subdomain.domain.com
Address: \\192.168.0.11
Dom Guid: Lots of numbers
Dom Name: subdomain.domain.com
Forest Name: subdomain.domain.com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC DS LDAP KDC TIMESERV GTIMESERV WRITEABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE

 
You are correct...don't apply the patch.

Here is an article that talks about tools used to test AD. (Although this applies to w2K, I think the tools work the same in W2K3)



(I think your results are good...)

Joseph L. Poandl
MCSE 2003

 