Active Directory replication not working

Guest

Windows 2000 Active Directory replication is not working.

When I do Replicate Now in the Sites and Services console, it logs the following
in the system events.

Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1265
Date: 7/21/2006
Time: 11:13:11 AM
User: N/A
Computer: KSPDC
Description:
The attempt to establish a replication link with parameters

Partition: CN=Configuration,DC=wnc,DC=com,DC=tw
Source DSA DN: CN=NTDS Settings,CN=AD-SERVER01,CN=Servers,CN=Kunshan,CN=Sites,CN=Configuration,DC=wnc,DC=com,DC=tw
Source DSA Address: 4d224a95-ae6a-4093-a8be-5ce3e30d0341._msdcs.wnc.com.tw
Inter-site Transport (if any):

failed with the following status:

Access is denied.

The record data is the status code. This operation will be retried.
Data:
0000: 05 00 00 00 ....

Why was the replication denied? I have no idea.

any reply would be app...
 
Jeffery Chen said:
Windows 2000 Active Directory replication is not working.

Assuming basic IP connectivity, practically all replication
(and authentication) problems in AD are REALLY DNS
problems.

Start with this, DNS for AD

1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
 
Hello, Martin,

The server is Windows 2000 Server, and the IP connectivity is OK.
There are three DCs in the domain. Replication between the other DCs
works fine, but it does not work with this one.
And the DNS service is integrated with AD.

And I have checked the DNS service. There is not any issue.

Using repadmin.exe to manually add the replication link between the bad DC
and the working DC, the system reports access denied.

Thanks.

Any other ideas? I would check DNS once again.

Thanks again.

Jeffery

 
jeffery said:
Hello, Martin,

The server is Windows 2000 Server, and the IP connectivity is OK.
There are three DCs in the domain. Replication between the other DCs
works fine, but it does not work with this one.
And the DNS service is integrated with AD.

And I have checked the DNS service. There is not any issue.

How did you check? Did you follow my guidelines?

Merely saying "not any issue" is unconvincing since we
see so many people who have set up their DNS incorrectly
and don't know to use DCDiag etc. to check it.

Using repadmin.exe to manually add the replication link between the bad DC
and the working DC, the system reports access denied.

You almost certainly have a DNS issue. You almost
certainly should not be using RepAdmin to set up replication,
and in fact, you probably should use ONLY "AD Sites and Services"
for that, and only if you have more than one site.

Post your output from DCDiag from each DC and the "IPConfig /all"
from each affected DC and from one which is working.

Make sure you mark each item so we can tell whether it is a
working or broken one.

You might have some other, weirder problem, but the odds
are with DNS until proven otherwise. About 95% of the
time.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
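
An added example, not part of any post in this thread: a Python version of the DCDiag triage suggested above (save each DC's output to a text file, search it for FAIL, ERROR, WARN, and mark each DC as working or broken), plus a decoder for the event's "Data:" line. The DCDiag text is a constructed sample, and the function names are hypothetical.

```python
import re

# Constructed sample (not output posted in the thread): abridged DCDiag text
# saved from two DCs, each labelled working or broken.
REPORTS = {
    "KSPDC (broken)": """\
      Starting test: Connectivity
         ......................... KSPDC passed test Connectivity
      Starting test: Replications
         [Replications Check,KSPDC] A recent replication attempt failed:
            From AD-SERVER01 to KSPDC
            The replication generated an error (5):
            Access is denied.
         ......................... KSPDC failed test Replications
""",
    "AD-SERVER01 (working)": """\
      Starting test: Connectivity
         ......................... AD-SERVER01 passed test Connectivity
      Starting test: Replications
         ......................... AD-SERVER01 passed test Replications
""",
}

HIT = re.compile(r"fail|error|warn", re.IGNORECASE)   # the three search terms
TEST = re.compile(r"Starting test:\s*(\S+)")          # DCDiag test section header

def scan_dcdiag(text):
    """Return (test name, line number, line) for every FAIL/ERROR/WARN line."""
    hits, current = [], "(before first test)"
    for n, line in enumerate(text.splitlines(), 1):
        m = TEST.search(line)
        if m:
            current = m.group(1)          # remember which test the lines belong to
        elif HIT.search(line):
            hits.append((current, n, line.strip()))
    return hits

def status_from_record_data(dump_line):
    """Decode the little-endian DWORD in an event 'Data:' line such as '0000: 05 00 00 00 ....'."""
    hex_bytes = re.findall(r"\b[0-9a-fA-F]{2}\b", dump_line.split(":", 1)[1])[:4]
    return int.from_bytes(bytes(int(b, 16) for b in hex_bytes), "little")

if __name__ == "__main__":
    for dc, text in REPORTS.items():
        for test, n, line in scan_dcdiag(text):
            print(f"{dc}: [{test}] line {n}: {line}")
    print("event 1265 status:", status_from_record_data("0000: 05 00 00 00 ...."))
```

The record data `05 00 00 00` from the event decodes to Win32 status 5, the numeric form of the "Access is denied" text in the description.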
 
Hi, Martin,

The problem is resolved.

The cause was that the time between the DCs was not synced.


Jeffery
