Replication Problems

  • Thread starter Thread starter Bartosz Wegrzyn
  • Start date Start date
B

Bartosz Wegrzyn

Hi there,

I am having problems with AD and replication.
I have one PDC and one secondary domain controller.
After I added the secondary DC I am having problems.
On the PDC I do see those error messages in the event viewer.

Event ID 1411
The Directory Service failed to construct a mutual authentication
Service Principal Name (SPN) for server
a7127243-37d4-45e6-bf54-7a796809af1e._msdcs.saintferdinand.org. The
call is denied. The error was:
The DSA object could not be found.

The record data is the status code.



When I try to ping a7127243-37d4-45e6-bf54-7a796809af1e._msdcs.saintferdinand.org
everything is ok, I get the reply.
Both servers can talk to each other very easiliy.



On the backup domain controller:



EventID-13508

The File Replication Service is having trouble enabling replication
from SATURN to MOON for c:\winnt\sysvol\domain using the DNS name
saturn.saintferdinand.org. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name
saturn.saintferdinand.org from this computer.
[2] FRS is not running on saturn.saintferdinand.org.
[3] The topology information in the Active Directory for this replica
has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the
problem is fixed you will see another event log message indicating
that the connection has been established.

When I ping saturn.saintferdinand.org I receive reply so looks like
the conectivity is ok.
I run netdiag on the Backup domain controler I rewceive this:


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : gateway

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : moon
IP Address . . . . . . . . : 192.168.40.254
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.40.99
Dns Servers. . . . . . . . : 192.168.40.1


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.

Adapter : local

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : moon
IP Address . . . . . . . . : 192.168.40.4
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : 192.168.40.1


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to
the local
machine. This machine is not working properly as a DC.


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{B47D9731-45E9-47C0-8619-9973B3B67785}
NetBT_Tcpip_{B54C0BCC-9B82-4A7E-9875-16FBEA359373}
2 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'192.168.40.1
' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{B47D9731-45E9-47C0-8619-9973B3B67785}
NetBT_Tcpip_{B54C0BCC-9B82-4A7E-9875-16FBEA359373}
The redir is bound to 2 NetBt transports.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{B54C0BCC-9B82-4A7E-9875-16FBEA359373}
NetBT_Tcpip_{B47D9731-45E9-47C0-8619-9973B3B67785}
The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'SAINTFERDINAND' is broken.
[ERROR_ACCESS_D
ENIED]


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.


The command completed successfully



So it looks like that there is something wrong with the relationship.
If I run the netdiag on PDC i receive:

Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Team #0 - Adaptive Load Balancing Mode

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : saturn
IP Address . . . . . . . . : 192.168.40.1
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.40.99
Dns Servers. . . . . . . . : 127.0.0.1


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{F2A5CFF7-9D38-448A-AB5B-D32759083607}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'127.0.0.1' a
nd other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{F2A5CFF7-9D38-448A-AB5B-D32759083607}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{F2A5CFF7-9D38-448A-AB5B-D32759083607}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC
'moon.saintferdinand.org'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.




Please help.
I tried to read all the articels from eventid.net, but looks like I
dont understand what is going on.

Thanks
 
In
Bartosz Wegrzyn said:
Hi there,

I am having problems with AD and replication.
I have one PDC and one secondary domain controller.
After I added the secondary DC I am having problems.
On the PDC I do see those error messages in the event viewer.

Event ID 1411
The Directory Service failed to construct a mutual authentication
Service Principal Name (SPN) for server
a7127243-37d4-45e6-bf54-7a796809af1e._msdcs.saintferdinand.org. The
call is denied. The error was:
The DSA object could not be found.

The record data is the status code.



When I try to ping
a7127243-37d4-45e6-bf54-7a796809af1e._msdcs.saintferdinand.org
everything is ok, I get the reply.
Both servers can talk to each other very easiliy.



On the backup domain controller:



EventID-13508

The File Replication Service is having trouble enabling replication
from SATURN to MOON for c:\winnt\sysvol\domain using the DNS name
saturn.saintferdinand.org. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name
saturn.saintferdinand.org from this computer.
[2] FRS is not running on saturn.saintferdinand.org.
[3] The topology information in the Active Directory for this replica
has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the
problem is fixed you will see another event log message indicating
that the connection has been established.

When I ping saturn.saintferdinand.org I receive reply so looks like
the conectivity is ok.
I run netdiag on the Backup domain controler I rewceive this:


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : gateway

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : moon
IP Address . . . . . . . . : 192.168.40.254
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.40.99
Dns Servers. . . . . . . . : 192.168.40.1


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.

Adapter : local

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : moon
IP Address . . . . . . . . : 192.168.40.4
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : 192.168.40.1


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to
the local
machine. This machine is not working properly as a DC.


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{B47D9731-45E9-47C0-8619-9973B3B67785}
NetBT_Tcpip_{B54C0BCC-9B82-4A7E-9875-16FBEA359373}
2 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'192.168.40.1
' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{B47D9731-45E9-47C0-8619-9973B3B67785}
NetBT_Tcpip_{B54C0BCC-9B82-4A7E-9875-16FBEA359373}
The redir is bound to 2 NetBt transports.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{B54C0BCC-9B82-4A7E-9875-16FBEA359373}
NetBT_Tcpip_{B47D9731-45E9-47C0-8619-9973B3B67785}
The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'SAINTFERDINAND' is broken.
[ERROR_ACCESS_D
ENIED]


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.


The command completed successfully



So it looks like that there is something wrong with the relationship.
If I run the netdiag on PDC i receive:

Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Team #0 - Adaptive Load Balancing Mode

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : saturn
IP Address . . . . . . . . : 192.168.40.1
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.40.99
Dns Servers. . . . . . . . : 127.0.0.1


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{F2A5CFF7-9D38-448A-AB5B-D32759083607}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'127.0.0.1' a
nd other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{F2A5CFF7-9D38-448A-AB5B-D32759083607}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{F2A5CFF7-9D38-448A-AB5B-D32759083607}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC
'moon.saintferdinand.org'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.




Please help.
I tried to read all the articels from eventid.net, but looks like I
dont understand what is going on.

Thanks

Let;s see what we can do here, but for starters, just as an FYI, there is no
such thing as a PDC with AD. One machine in a domain does hold a token Role
for the PDC Emulator, but its just to offer services for legacy clients and
the time service. Otherwise, all DCs are just replica DCs.

Change the DNS address from 127.0.0.1 to 192.168.40.1.
If you disable the NIC teaming, does it work? Or is that enabled? The
netdiag hints at that.
Do the SRV records exist in DNS?
Is Moon on a different subnet than Saturn? It doesn;t appear to be, but if
so, are there any firewalls in place?

Actually, pinging is not helpful to test for replication connectivity. The
SRV records need to exist in the zone for the domain. If there are any
firewalls, (personal or entry point) that may affect LDAP connectivity,
which is what this needs. LDAP, Kerberos or RPC cannot traverse NAT devices
either. If using VPNs between locations, if MTU settings are altered below
1500, that causes LDAP non connectivity as well.

But I think the problem may lie with this dual NIC configuration below...

On this machine with this config that I copied and pasted below from your
output, it shows two NICs, one labeled as 'gateway' (assuming its the
outside NIC) and the other labeled as 'local'. But both IPs are on the same
subnet but yet on two different physical segments??? I'm sorry, I don't
understand this configuration. Can you elaborate on this? Also keep in mind,
multihomed DC/DNS servers are problematic at best and require additional
administrative overhead (incliding registry changes) to make it function
properly. Ususally we suggest to use a 3rd party router to offer NAT, that
is if this is running NAT for you network.
--------------------------------------------------
Adapter : gateway

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : moon
IP Address . . . . . . . . : 192.168.40.254
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.40.99
Dns Servers. . . . . . . . : 192.168.40.1

Adapter : local

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : moon
IP Address . . . . . . . . : 192.168.40.4
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : 192.168.40.1
----------------------------------------------

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Back
Top