
machine account password replication not working

Anonymous
April 29, 2005 5:09:20 AM

Archived from groups: microsoft.public.win2000.active_directory

Hello,

I have 2 domains with 4 servers each. 2 servers are DCs and 2 servers
are designated file/print servers. All 8 servers are using windows
server 2003. For the last few weeks off and on the servers have all
been reporting file replication errors but seemingly overnight they go
away. The file/print servers were reporting that they couldn't find
their computer object in AD even though I looked and saw them plain as
day in the same OU they had always been in. That error showed up a
couple days before errors about not being able to bind to AD started
showing up. I found out that resetting the machine account password on
the file/print servers wasn't a good idea as now they can't connect to
AD at all, even to let a domain user authenticate to them thru Remote
Desktop although file share access is still possible (thank goodness).

It sounds like that somewhere along the line when the machine account
password is due for a reset that the member server and the domain
controllers get out of sync. The member servers reported access denied
errors indicating that their machine password is no longer in sync with
AD and AD won't let anything happen between the DCs and the member
servers. Can anyone tell me how this might happen?

We were also having replication issues even between 2 domain controllers
in the same domain (the domains involved are not in a trust
relationship) and it is working today between those 2 machines and I
didn't find out until after everyone left so I don't know if it fixed
itself or if someone ran the netdom command to reset their machine
passwords. The last time I did that it fixed replication because the
secure channel could be established again between the DCs but doing that
for the member servers today totally broke them off from the domain and
they will need to be rejoined from what I've read about the issue on MS
technet.

thanks for any input
Anonymous
April 29, 2005 12:56:11 PM


Brandon,

Not really familiar with WIN2003 ( well, not enough to be giving out any
reasonable advice ) so this may or may not apply.

Install the Support Tools on each Domain Controller and on each Member
Server. Or, on the workstation on which you do your Admin-type work. Run
dcdiag /v on each Domain Controller. Run netdiag /v on all servers. I
would even redirect the output of each to a text file so that you can search
for 'fail', 'warn' and 'error'. You do this by entering dcdiag /v
>c:\dcdiagdc01.txt ( you can name the file whatever you like ).

Not sure if repadmin is available on WIN2003. Also not sure if replmon is
available on WIN2003. If they are take a look at them. They can be of
great assistance ( well, in WIN2000!!! ).

I am confused by the 'sometimes it works and sometimes it doesn't'. Are
there any event ids in the appropriate logs? If so, what are they? You can
use those log ids to find some possible solutions by going to
http://www.eventid.net. This is a very helpful web site.

Is everything okay with DNS?

Is the time correct? Meaning, if you look at the clock on DC01 is the time
the same as on DC02 and as on MEMSRVR01 and MEMSRVR02? And on the
workstations? Or, if not, how much difference in time is there? 5 minutes
is the maximum - by default - before things start getting nasty.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Brandon McCombs" <bmccombs@ma.rr.com> wrote in message
news:42718995.E25A6B2@ma.rr.com...
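A script for the redirect-and-search step Cary describes (dcdiag /v >c:\dcdiagdc01.txt, then look for 'fail', 'warn' and 'error'), added here as an example; it is not part of Cary's reply and not a Microsoft tool. It groups the hits by the dcdiag test that produced them, so a test's verdict line and the diagnostic lines behind it stay together; the sample log is constructed to resemble dcdiag /v output, with made-up server and domain names.

```python
"""Summarise a redirected `dcdiag /v` (or `netdiag /v`) log by test."""
import re
import sys

# Constructed sample resembling dcdiag /v output (not captured from the
# poster's servers); the server and domain names are made up.
SAMPLE_DCDIAG = """\
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
            Naming Context: DC=example,DC=local
            The replication generated an error (5):
            Access is denied.
         ......................... DC01 failed test Replications
      Starting test: frssysvol
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.
         ......................... DC01 passed test frssysvol
"""

TEST_START = re.compile(r"^\s*Starting test:\s+(\S+)")
VERDICT = re.compile(r"^\s*\.+\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
# Cary's search terms, plus 'denied' for the access-denied errors in the thread.
SUSPICIOUS = re.compile(r"fail|warn|error|denied", re.IGNORECASE)


def summarize(log_text):
    """Return {test: {"server": str, "verdict": passed/failed/unknown, "hits": [lines]}}."""
    results = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = TEST_START.match(line)
        if m:
            current = m.group(1)
            results.setdefault(current, {"server": None, "verdict": "unknown", "hits": []})
            continue
        m = VERDICT.match(line)
        if m:
            server, verdict, test = m.groups()
            entry = results.setdefault(test, {"server": None, "verdict": "unknown", "hits": []})
            entry["server"], entry["verdict"] = server, verdict
            current = None  # the verdict line closes the test block
            continue
        if current and SUSPICIOUS.search(line):
            results[current]["hits"].append(line.strip())
    return results


def needs_attention(results):
    """Tests that failed, or passed but still logged fail/warn/error/denied lines."""
    return sorted(t for t, r in results.items() if r["verdict"] != "passed" or r["hits"])


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DCDIAG
    summary = summarize(text)
    for test in needs_attention(summary):
        r = summary[test]
        print(f"{r['server']}: {test} {r['verdict']}")
        for hit in r["hits"]:
            print("    " + hit)
```

Run it with the redirected log file as the only argument; a test that passed but still carries warning lines (frssysvol in the sample) is listed too, since that is the case a plain 'fail' search would miss.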
Anonymous
April 29, 2005 1:10:49 PM


Sorry,

Forgot a few things.

Let's do the most basic of troubleshooting. Checking for replication
issues.

Do the following on one Domain Controller. Open up the sysvol shared folder
( by default it is located at c:\winnt\SYSVOL\sysvol ) and place a simple
.txt file in there. You can do this in NotePad. Simply call it
DC0120050429.txt and in the body simply put something like...."This is
created on DC01 on April 29, 2005 at around 9:08 EDT". Then, go look at the
other Domain Controllers in that Domain and see when ( if ) that .txt file
shows up in the sysvol folder. This is checking FRS replication.

To check AD replication simply create a non-mail enabled user account
object. Does it show up within five minutes if you open up the ADUC MMC on
the other Domain Controllers in that Domain?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:o qXRYrLTFHA.544@TK2MSFTNGP15.phx.gbl...
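The canary-file FRS check above as a script, added here as an example and not code from Cary's reply; it drops the dated text file into the local SYSVOL folder and then polls the other DCs' SYSVOL shares, reporting how long each took to receive it or that it never arrived. The DC names, the domain example.local and the Server 2003 SYSVOL paths are assumptions.

```python
"""Canary-file check for FRS (SYSVOL) replication, as described in the thread."""
import os
import time
from datetime import datetime


def canary_name(dc_name, when=None):
    """File name in the thread's style: DC name + YYYYMMDD + .txt."""
    when = when or datetime.now()
    return f"{dc_name}{when:%Y%m%d}.txt"


def drop_canary(local_sysvol, dc_name, when=None):
    """Create the canary text file under local_sysvol; return its file name."""
    when = when or datetime.now()
    name = canary_name(dc_name, when)
    with open(os.path.join(local_sysvol, name), "w") as fh:
        fh.write(f"This is created on {dc_name} on {when:%B %d, %Y} at {when:%H:%M}\n")
    return name


def wait_for_replication(name, remote_sysvols, timeout_s=900, poll_s=15):
    """Poll each remote SYSVOL path until the canary appears or the deadline passes.

    Returns {path: seconds_until_seen}; the value is None where the file never
    showed up in time, which is the 'if' in Cary's 'see when ( if )'.
    """
    pending = set(remote_sysvols)
    seen = {p: None for p in remote_sysvols}
    start = time.monotonic()
    while pending and time.monotonic() - start < timeout_s:
        for path in list(pending):
            if os.path.exists(os.path.join(path, name)):
                seen[path] = round(time.monotonic() - start, 1)
                pending.discard(path)
        if pending:
            time.sleep(poll_s)
    return seen


if __name__ == "__main__":
    # Assumed names and paths: DC01 is the DC this runs on, DC02 and DC03 are
    # its replication partners, example.local is the domain.
    local = r"C:\WINDOWS\SYSVOL\sysvol\example.local"
    partners = [r"\\DC02\SYSVOL\example.local", r"\\DC03\SYSVOL\example.local"]
    name = drop_canary(local, "DC01")
    for path, delay in wait_for_replication(name, partners).items():
        print(path, "arrived after %s s" % delay if delay is not None else "NOT replicated")
```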
Anonymous
April 29, 2005 5:58:26 PM


"Cary Shultz [A.D. MVP]" wrote:

> Sorry,
>
> Forgot a few things.
>
> Let's do the most basic of troubleshooting. Checking for replication
> issues.
>
> Do the following on one Domain Controller. Open up the sysvol shared folder
> ( by default it is located at c:\winnt\SYSVOL\sysvol ) and place a simple
> .txt file in there. You can do this in NotePad. Simply call it
> DC0120050429.txt and in the body simply put something like...."This is
> created on DC01 on April 29, 2005 at around 9:08 EDT". Then, go look at the
> other Domain Controllers in that Domain and see when ( if ) that .txt file
> shows up in the sysvol folder. This is checking FRS replication.
>
> To check AD replication simply create a non-mail enabled user account
> object. Does it show up within five minutes if you open up the ADUC MMC on
> the other Domain Controllers in that Domain?

The tools you mentioned in your first email are all available for win2003 and
I've already used them before during the first time I had replication problems.
That's how the first time I was able to see that the secure channel between the
2 DCs couldn't be established so I used netdom to reset the DCs' passwords. This
time though, at least yesterday afternoon, all the tests from netdiag and dcdiag
passed but I might have run them after another administrator already used
netdom on the domain controllers. I'm just not sure about that since I haven't
talked to any of the other administrators yet. But based on the logs there was
a time period of at least a few weeks where no changes would occur but yet the
file replication service would report problems. In fact, for a certain
time/date the FRS would report everything being okay and then 2 min later in the
same log it would say that it was having trouble replicating data which didn't
make sense to me. As of right now the 2 DCs are able to replicate both
directions as I tested using AD Sites and Services last night.

But all that has mainly been between 2 DCs, now as I stated in the original
post, I'm seeing the file/print servers have replication issues and I think it's
due to the machine passwords getting out of sync but I can't figure out how that
ends up happening. Could it be a setting within the group policy security
settings that prevent the password from replicating? I am not refusing machine
password changes and they are set to reset every 7 days. When I forced a
password change I lost the file/print servers and will have to rejoin them to
the domain.

thanks
Anonymous
April 29, 2005 5:58:27 PM


Brandon,

It used to be seven days ( in the old WINNT days ). In WIN2000 and WIN2003
it is actually 30 days. But, the actual value is not that important. You
have the concept down pat and that is what is important.

What event ids are you seeing on the files/print servers?

And I think that you mean synch errors, right? And not replication
errors....What replication errors do you mean?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Brandon McCombs" <bmccombs@ma.rr.com> wrote in message
news:42723DDE.691DC4B1@ma.rr.com...
Anonymous
April 30, 2005 5:25:56 AM


"Cary Shultz [A.D. MVP]" wrote:

> Brandon,
>
> It used to be seven days ( in the old WINNT days ). In WIN2000 and WIN2003
> it is actually 30 days. But, the actual value is not that important. You
> have the concept down pat and that is what is important.
>
> What event ids are you seeing on the files/print servers?

I didn't write them down and I can't view them remotely so I can't tell you.

>
>
> And I think that you mean synch errors, right? And not replication
> errors....What replication errors do you mean?

There were replication errors between the domain controllers and the file/print
servers were complaining of not having any licenses so it looked like the file
servers weren't getting any licensing information replicated but I mention that
because I think that somehow the replication is related to the machine password
synchronization but maybe not. We rejoined the file servers to the domain today
and they are working now but I have to wonder that in 7 days whether or not
we're going to see some errors again somewhere.
