AD/replmon Issues - Win 2003

Thread starter: Herb Martin

Herb Martin

I got lost - what's your real question?

(Also thought you were handling the issue yourself <grin>)
 
When I have tried to run replmon against remote DCs, it has always been
with an Enterprise Administrator account. With Enterprise Admin rights you
should be able to use replmon successfully. If you connect to the remote DC
with an account that does not have the proper rights, then you cannot read
the directory information regarding USNs and objects replicated to and
from which DC...

Yes, you should see the Kerberos and LDAP SRV RRs for both DCs in the
_msdcs.whatever.com zone. The _sites subdomain has subcontainers that contain
site-specific DC SRV RRs and GC records, I believe.

The only extra info I have on replmon is from using it from time to time. I
use repadmin quite a bit also. It is quick to view replication summaries
and force synchronization.

Ryan
 
That seems to be the equivalent of what I have. Do you have an
Alias (CNAME) record in the _msdcs zone with the GUID for each DC?
 
You should try to set your date and things would work for you. If one server
has the wrong time then it could cause such a problem.
 
Scenario:

One Forest, two domains (one local/one remote across a WAN).
Two AD DCs at each end.
Connecting through two routers either end. (Firewalls temporarily removed -
don't worry, it's not yet a net connected scenario).

i.e.
                                  WAN
W2K3S AD DC ---------> Router ---------> Router ---------> W2K3S AD DC
Local AD Int DNS Zone                                      Local AD Int DNS Zone
Sec Copy Of Remote DNS Zone                                Sec Copy Of Remote DNS Zone

Replication seems Ok.
However, when using replmon (at either end) to try and view AD partition
details for the remote machine, the
following error pops up.
"The server (whatever) could not be contacted or you had insufficient
permissions to read
the status of the server".
I can get the partition info displayed if I enter the remote domain in the
wizard (to obtain site info from) and connect via remote domain admin
credentials, explicitly specifying the FQDN of the remote server.
Q1: Is this default behaviour for replmon? This is the first time I've done a
remote AD scenario setup and I've got nothing to base whether or not this is
default/expected behaviour on.
Q2: Are there supposed to be SRV RRs in _tcp._sites.dc._msdcs.whatever.com
(forest-wide zone) for both DCs? According to the W2K Resource Kit this seems
to be the case. Only the SRV for the forest root domain is in there at
present..

Anybody done a similar setup in the past and want to share their thoughts ?

G
 
Darn.

"Local AD Int DNS Zone" & "Sec Copy Of Remote DNS Zone" below are for the
local & remote domains respectively. Apols for the word-wrap.

G
 
Me too. I'll need to get out of the habit of talking to myself. Will you,
Gary? Err... yes I will.
Aw darn, done it again! ;)
I'll try to clarify.

                          WAN
W2K3S ----->Router ----->Router ----->W2K3S
AD DC                                 AD DC
          <---------- VPN ---------->

Domain 1                              Domain 2
Local AD Int DNS                      Local AD Int DNS
Sec DNS Zone For Remote Domain        Sec DNS Zone For Remote Domain

The main question is the issue surrounding the use of replmon when trying to
read AD partition details for the remote server (at either end).

i.e.
Load replmon
Select "Add Monitored Server"
Select "Search the directory for the server to add"
Local domain is found.
Hit "Next>"
The "Add Server To Monitor" dialog is displayed.
Replmon displays local and remote Site info (guess this is being picked up
from the Configuration partition).
Expand the local site and select the local AD DC.
Replmon displays AD partition info as expected.

Next-try to get the same info for the remote server.

Select "Add Monitored Server"
Select "Search the directory for the server to add"
Local domain is found.
Hit "Next>"
The "Add Server To Monitor" dialog is displayed.
Replmon displays local and remote Site info
Expand the remote site and select the remote AD DC.
Replmon displays "The server (whatever) could not be contacted or you had
insufficient permissions to read the status of
the server".

The only way I can get replmon to display remote site AD partition details
is by doing the following:
Select "Add Monitored Server"
Select "Search the directory for the server to add"
Local domain is found.
Overwrite the local domain with the name of the remote domain
Select "Use Alternate Credentials to get Site List"
Enter remote admin credentials\password (in form Remote Domain\Admin
User).
Hit "Next>".
The "Add Server To Monitor" dialog is displayed (but no site/remote domain
info is displayed).
Select "Enter the name of the server to monitor explicitly"
Enter the FQDN of the remote DC.
Select "Use Alternate Credentials" and again enter the name of the remote
DC Admin user.

I'm just wondering if this is normal replmon behaviour for trying to display
AD partition info from a remote domain?

Also, according to the Win2K Res Kit, if I've read it correctly (haven't yet
checked the Win2K3 Res Kit), there should be _kerberos & _ldap SRV RRs for
both local and remote DCs in _tcp._sites.dc._msdcs.whatever.com (the forest
wide DNS zone).
Just want to know if anyone else can confirm/deny that?

Finally, anyone know of a source of good info re replmon. Info is a bit thin
on the ground.

If that's as clear as mud let me know

TIA

G
 
Many thanks to both of you.
An Enterprise Admin a/c was being used at both ends and the result is the same.
Ryan, based on your experience, could you possibly look over the following
DNS details & let me have your feedback?
I think the DNS setup here may be slightly screwy (I've not yet got a
template to base that on).
The scenario is still the same two sites, local & remote.
Ideally, I'd like to build a sort of basic AD DNS template which will make
future troubleshooting easier.
I think I know where the problems lie, but I'd *really* appreciate a
second/third/fourth opinion.
Current DNS Setup:

_msdcs.whatever.com (The Forest Wide Zone)
    dc
        _sites
            ADRepFirstSite
                _tcp
                    _kerberos  dc.domain1.com
                    _ldap      dc.domain1.com
            ADRepSecondSite
                _tcp
                    _kerberos  dc.domain1.com
                    _ldap      dc.domain1.com
        _tcp
            _kerberos  dc.domain1.com
            _ldap      dc.domain1.com
    domains
        Domain1 Guid
            _tcp
                _ldap  dc.domain1.com
        Domain2 Guid
            _tcp
                _ldap  dc.domain2.com
    gc
        _sites
            ADRepFirstSite
                _tcp
                    _ldap  dc.domain1.com
            ADRepSecondSite
                _tcp
                    _ldap  dc.domain2.com
        _tcp
            _ldap  dc.domain1.com
            _ldap  dc.domain2.com
        Host RR For domain1 DC
        Host RR For domain2 DC
    pdc
        _tcp
            _ldap  dc.domain1.com

Many many TIA.

Cheers. G
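A small audit of what should be in a zone like the one posted above, added here as an example and not written by any of the posters. It models the Netlogon registration layout on the assumption that dc._msdcs and pdc._msdcs records are registered per domain (in each domain's own _msdcs subtree), that gc._msdcs and <guid>.domains._msdcs records are forest-wide, and that a DC also registers site-specific records for sites that have no DC of its own domain (automatic site coverage); check that against %SystemRoot%\system32\config\netlogon.dns on each DC before relying on it. All names, the two GUIDs and the "observed" record set are constructed from the tree in the post, with the forest root taken as domain1.com, so the thread's _msdcs.whatever.com is _msdcs.domain1.com here.

```python
"""Audit the records Netlogon registers under _msdcs for each DC.

Added example for this thread (not the posters' own work). Assumed layout,
to be checked against %SystemRoot%\\system32\\config\\netlogon.dns:
  dc._msdcs.<domain>       per domain: _ldap/_kerberos SRV, plus copies under
                           <site>._sites for the DC's site and covered sites
  gc._msdcs.<forest>       forest-wide: _ldap SRV and an A record per GC,
                           plus <site>._sites copies for the GC's site
  <guid>.domains._msdcs.<forest>  forest-wide: _ldap SRV per DC of that domain
  pdc._msdcs.<domain>      per domain: _ldap SRV for the PDC emulator only
Names, GUIDs and the observed record set below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    fqdn: str
    domain: str                    # DNS name of the DC's own domain
    site: str                      # AD site the DC belongs to
    domain_guid: str               # GUID of the DC's domain
    is_gc: bool = False
    is_pdc: bool = False
    covered_sites: tuple = ()      # sites with no DC of this domain that it covers
    gc_covered_sites: tuple = ()   # sites with no GC that this GC covers


def expected_records(dcs, forest):
    """Records (type, owner name, target host) the given DCs should register."""
    expected = set()
    for dc in dcs:
        dc_base = f"dc._msdcs.{dc.domain}"
        for svc in ("_ldap", "_kerberos"):
            expected.add(("SRV", f"{svc}._tcp.{dc_base}", dc.fqdn))
            for site in (dc.site,) + tuple(dc.covered_sites):
                expected.add(("SRV", f"{svc}._tcp.{site}._sites.{dc_base}", dc.fqdn))
        expected.add(("SRV", f"_ldap._tcp.{dc.domain_guid}.domains._msdcs.{forest}", dc.fqdn))
        if dc.is_gc:
            expected.add(("SRV", f"_ldap._tcp.gc._msdcs.{forest}", dc.fqdn))
            expected.add(("A", f"gc._msdcs.{forest}", dc.fqdn))
            for site in (dc.site,) + tuple(dc.gc_covered_sites):
                expected.add(("SRV", f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}", dc.fqdn))
        if dc.is_pdc:
            expected.add(("SRV", f"_ldap._tcp.pdc._msdcs.{dc.domain}", dc.fqdn))
    return expected


def audit(observed, expected, zone):
    """Diff observed against expected, looking only at owner names inside `zone`."""
    def in_zone(rec):
        return rec[1] == zone or rec[1].endswith("." + zone)
    exp = {r for r in expected if in_zone(r)}
    obs = {r for r in observed if in_zone(r)}
    return {"missing": sorted(exp - obs), "unexpected": sorted(obs - exp)}


# Constructed topology: forest root domain1.com (forest zone _msdcs.domain1.com)
# plus a second domain domain2.com; one GC / PDC-emulator DC per domain, one site each.
FOREST = "domain1.com"
ZONE = "_msdcs." + FOREST
GUID1 = "11111111-1111-1111-1111-111111111111"   # constructed
GUID2 = "22222222-2222-2222-2222-222222222222"   # constructed
DCS = (
    DomainController("dc.domain1.com", "domain1.com", "ADRepFirstSite", GUID1,
                     is_gc=True, is_pdc=True, covered_sites=("ADRepSecondSite",)),
    DomainController("dc.domain2.com", "domain2.com", "ADRepSecondSite", GUID2,
                     is_gc=True, is_pdc=True, covered_sites=("ADRepFirstSite",)),
)

# Constructed "observed" set: the forest-wide zone as listed in the thread.
OBSERVED = {
    ("SRV", f"_kerberos._tcp.ADRepFirstSite._sites.dc.{ZONE}", "dc.domain1.com"),
    ("SRV", f"_ldap._tcp.ADRepFirstSite._sites.dc.{ZONE}", "dc.domain1.com"),
    ("SRV", f"_kerberos._tcp.ADRepSecondSite._sites.dc.{ZONE}", "dc.domain1.com"),
    ("SRV", f"_ldap._tcp.ADRepSecondSite._sites.dc.{ZONE}", "dc.domain1.com"),
    ("SRV", f"_kerberos._tcp.dc.{ZONE}", "dc.domain1.com"),
    ("SRV", f"_ldap._tcp.dc.{ZONE}", "dc.domain1.com"),
    ("SRV", f"_ldap._tcp.{GUID1}.domains.{ZONE}", "dc.domain1.com"),
    ("SRV", f"_ldap._tcp.{GUID2}.domains.{ZONE}", "dc.domain2.com"),
    ("SRV", f"_ldap._tcp.ADRepFirstSite._sites.gc.{ZONE}", "dc.domain1.com"),
    ("SRV", f"_ldap._tcp.ADRepSecondSite._sites.gc.{ZONE}", "dc.domain2.com"),
    ("SRV", f"_ldap._tcp.gc.{ZONE}", "dc.domain1.com"),
    ("SRV", f"_ldap._tcp.gc.{ZONE}", "dc.domain2.com"),
    ("A", f"gc.{ZONE}", "dc.domain1.com"),
    ("A", f"gc.{ZONE}", "dc.domain2.com"),
    ("SRV", f"_ldap._tcp.pdc.{ZONE}", "dc.domain1.com"),
}


def audit_posted_zone():
    """The zone as posted, checked against the model."""
    return audit(OBSERVED, expected_records(DCS, FOREST), ZONE)


def audit_with_missing_gc_record():
    """Same zone with dc.domain2.com's site-specific GC record dropped."""
    gone = ("SRV", f"_ldap._tcp.ADRepSecondSite._sites.gc.{ZONE}", "dc.domain2.com")
    return audit(OBSERVED - {gone}, expected_records(DCS, FOREST), ZONE)


if __name__ == "__main__":
    print("as posted:       ", audit_posted_zone())
    print("gc record removed:", audit_with_missing_gc_record())
```

Under this model the posted zone comes out with nothing missing and nothing unexpected: only the forest-root DC appears under dc._msdcs of the forest zone, and it shows up under ADRepSecondSite because it is the only domain1 DC and so covers that site. The second function drops one record to show what a real gap looks like in the output; in practice the observed set would be filled from a zone dump or a scripted nslookup rather than typed in.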
 
Ryan,

Hmm... Seems like I've got another issue then if it ain't DNS. Many thanks.
Yes, two CNAMEs for both DCs in either site, along with the (usual) SOA & 2
NS RRs.
Sorry for omitting that in the previous post.

In the:
_msdcs.whatever.com (The Forest Wide Zone)
    dc
        _sites
            ADRepFirstSite
                _tcp
            ADRepSecondSite
                _tcp

I was a bit surprised to see _kerberos & _ldap RRs for dc1 in the
ADRepSecondSite subzone.
I would have expected to see RRs for dc2 instead of dc1.
However, seeing as this is the forest-wide zone, I'm assuming these RRs just
designate the sites the forest-root DC is applied to.
Just created another site and that seems to be the case: only RRs for the
forest-root DC are being added.

Oh well, looks like I'll have to do some more digging to find the root
cause.
Thanks for your input. Send you a beer by email. ;)

G
 