Windows 2003 AD & Replication Issues

JesusisLord

Distinguished
Aug 17, 2006
Dear AD Experts,

I've got a network migration scheduled in under 2 weeks' time and I'm panicking because I'm having NTDS replication errors in Event Viewer, alongside some LsaSrv "Can't find any logon servers" errors as well as a User... error complaining about not being able to access a GPO when it blatantly can.

Anyway, I ran a netdiag /fix and then ran dcdiag /test:dns and it reports that there are no DNS errors. When I run repadmin /syncall it says replication completed without any errors, so I'm confused and very frustrated. It is a new domain; so far I have two DCs and one mail server which is a member server, and I've got an ISA server to get up and running, and time is running out.

In fact I think everything was working fine until I introduced ISA and installed the ISA F/W client on the DCs, but then I was having some issues, so I uninstalled the ISA F/W client and have turned off the ISA server. I just want to get AD replication working, or the error messages to go away at least.

Any help would be so greatly appreciated.

Thanks in advance.
 

JesusisLord

Distinguished
Aug 17, 2006
More info, I get this error in Event Viewer:

Event Type: Warning
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 2088
Date: 10/19/2006
Time: 9:34:36 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.

You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.

Alternate server name:
dc2
Failing DNS host name:
faf8f717-8b18-472a-9145-1ef7e0293030._msdcs.dottedeyes.local

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".

3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns

dcdiag /test:dns

4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

dcdiag /test:dns

5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449

Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


As well as:

Event Type: Error
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 1960
Date: 10/19/2006
Time: 9:34:36 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Internal event: The following domain controller received an exception from a remote procedure call (RPC) connection. The operation may have failed.

Process ID:
588

Reported error information:
Error value:
Could not find the domain controller for this domain. (1908)
Domain controller:
faf8f717-8b18-472a-9145-1ef7e0293030._msdcs.dottedeyes.local

Extended error information:
Error value:
No authority could be contacted for authentication. (2148074257)
Domain controller:
dc1

Additional Data
Internal ID:
5000bab

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

When I run dcdiag /test:dns I get:

DNS Tests are running and not hung. Please wait a few minutes...

Running partition tests on : ForestDnsZones

Running partition tests on : DomainDnsZones

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : domainname

Running enterprise tests on : domainname.local
Starting test: DNS
......................... domainname.local passed test DNS

I don't understand; when I run repadmin /syncall I get:

C:\Documents and Settings\Administrator>repadmin /syncall
CALLBACK MESSAGE: The following replication is in progress:
From: faf8f717-8b18-472a-9145-1ef7e0293030._msdcs.dottedeyes.local
To : 796a6a00-1252-4585-a246-137de36d40c3._msdcs.dottedeyes.local
CALLBACK MESSAGE: The following replication completed successfully:
From: faf8f717-8b18-472a-9145-1ef7e0293030._msdcs.dottedeyes.local
To : 796a6a00-1252-4585-a246-137de36d40c3._msdcs.dottedeyes.local
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Although I noticed the path for DOS says Administrator (even though I renamed the admin account, but I'm sure that wouldn't be causing these issues).

Please help, someone :)
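Event 2088 above names the record that failed: the CNAME `<NTDS Settings GUID>._msdcs.<forest>`, which every DC registers for itself and which replication partners resolve before falling back to the NetBIOS name. The script below is an added example, not part of the thread, that walks that alias chain for each DC (CNAME present, pointing at the DC's own host name, and that host name has an A record); it assumes the ActiveDirectory and DnsClient PowerShell modules, which did not exist on the 2003-era servers in this thread, where the same lookups were done with nslookup.

```powershell
# Added example (not from the thread): verify the _msdcs alias chain that event 2088 reports.
# Assumes the ActiveDirectory and DnsClient modules (Windows Server 2008 R2 / 2012 or later).
Import-Module ActiveDirectory

function Test-MsdcsAlias {
    param([Parameter(Mandatory)][string]$DcName)

    $dc = Get-ADDomainController -Identity $DcName
    # The alias label is the objectGUID of the DC's NTDS Settings object, not the computer object GUID.
    $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    $alias = "$($ntds.objectGUID)._msdcs.$($dc.Forest)"

    $result = [ordered]@{ DC = $DcName; Alias = $alias; Target = $null; Address = $null; Status = 'OK' }
    try {
        # Step 1: the CNAME itself. Error 11004 in the event means "name exists, no record of that
        # type", so ask for CNAME explicitly and keep only CNAME answers.
        $cname = Resolve-DnsName -Name $alias -Type CNAME -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' }
        if (-not $cname) { $result.Status = 'No CNAME record for alias'; return [pscustomobject]$result }
        $result.Target = $cname.NameHost

        # Step 2: the alias must point at this DC's own host record, which must itself resolve.
        if ($cname.NameHost -ne $dc.HostName) {
            $result.Status = "CNAME points at $($cname.NameHost), expected $($dc.HostName)"
        }
        $a = Resolve-DnsName -Name $cname.NameHost -Type A -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        if (-not $a) { $result.Status = 'Alias target has no A record' }
        else         { $result.Address = ($a.IPAddress -join ',') }
    } catch {
        $result.Status = "Lookup failed: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Check every DC in the domain; any row whose Status is not 'OK' is what NTDS is complaining about.
Get-ADDomainController -Filter * |
    ForEach-Object { Test-MsdcsAlias -DcName $_.HostName } |
    Format-Table -AutoSize
```

The DC registers this alias itself through the Netlogon service, so restarting Netlogon on the DC that owns a missing or stale alias re-creates the record; that is what the "re-registering the DNS for both servers" fix later in the thread amounts to.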
 

riser

Illustrious
It would be worth your time to call in a consultant.

Not sure what the problem would be though, as I have limited experience in the area and it's been 2 years since I was able to dive into troubleshooting those errors.
 

JesusisLord

Distinguished
Aug 17, 2006
That problem has been fixed, thankfully. Not quite sure exactly how I fixed it after doing a number of different things; I think it was updating the DNS that might have helped, i.e. re-registering the DNS for both servers.

If anyone has got any ISA and Exchange experience, give me a shout :)
 

fattony

Distinguished
Oct 16, 2006
I wish I had got to your post earlier. It's possible that ISA had blocked your zone replication; also, for testing, you can disable the RPC port blocking it has in there.

Next time, if you have replication issues, use replmon.exe from the Windows 2003 Support Tools (or was it the Resource Kit?), a very helpful GUI utility for replication.
 

JesusisLord

Distinguished
Aug 17, 2006
Thanks for your post. Yep, I tried repadmin /syncall and it didn't show any replication errors. I also did a number of tests like dcdiag /test:dns, as well as changing the syntax to test each part, like basicdns, dynamicdns and SRV records (although the first command, I believe, tests all of these), and even though the tests all said successful, I was still getting NTDS errors.

I took ISA out of the equation, but now it is back in the equation and I need to work out how to configure it securely for my network, so if anyone would like to help out on ISA :) it would be greatly appreciated (ISA 2006).