DS replication error

[Andrea]

Hi,
I've promote 2008 server in a 2003 domain, after promote when i run repadmin
/showreps it shows me this error at DFS replication:

==== INBOUND NEIGHBORS ======================================

DC=sincosald,DC=lan
Nome-predefinito-primo-sito\SINCOSRV via RPC
DSA object GUID: 1b8c7cb8-cd17-4cd4-bbb6-adac85033d4b
Last attempt @ 2008-11-21 23:20:03 was successful.

CN=Configuration,DC=sinco,DC=lan
Nome-predefinito-primo-sito\SINCOSRV via RPC
DSA object GUID: 1b8c7cb8-cd17-4cd4-bbb6-adac85033d4b
Last attempt @ 2008-11-21 23:08:59 was successful.

CN=Schema,CN=Configuration,DC=sinco,DC=lan
Nome-predefinito-primo-sito\SINCOSRV via RPC
DSA object GUID: 1b8c7cb8-cd17-4cd4-bbb6-adac85033d4b
Last attempt @ 2008-11-21 22:48:28 was successful.

DC=DomainDnsZones,DC=sinco,DC=lan
Nome-predefinito-primo-sito\SINCOSRV via RPC
DSA object GUID: 1b8c7cb8-cd17-4cd4-bbb6-adac85033d4b
Last attempt @ 2008-11-21 22:48:28 was successful.

DC=ForestDnsZones,DC=sinco,DC=lan
Nome-predefinito-primo-sito\SINCOSRV via RPC
DSA object GUID: 1b8c7cb8-cd17-4cd4-bbb6-adac85033d4b
Last attempt @ 2008-11-21 22:48:28 was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied.


two domain controllers have DNS integrated.
Someone can help me how i find out problem?

Thanks very much for support

Andrew

[Meinolf Weber]

Hello Andrea,

Is the server in the same site?

Any additional errors in the event viewer?

Do you use AD integrated zones and are all DC's registered correctly?

Did you run dcdiag /v and netdiag /v on the 2003 DC's and dcdiag /v on the
2008 to check for errors?

Best regards

[Andrea]

Meinolf Weber ha scritto:
> Hello Andrea,
> Is the server in the same site?

yes

> Any additional errors in the event viewer?

few alerts:

DNS log:
Event ID 4013
"The DNS server is waiting for Active Directory Domain Services (AD DS) to
signal that the initial synchronization of the directory has been completed.
The DNS server service cannot start until the initial synchronization is
complete because critical DNS data might not yet be replicated onto this
domain controller. "

> Do you use AD integrated zones and are all DC's registered correctly?

yes , DNS AD integrated and DC are registered as domain controller.

> Did you run dcdiag /v and netdiag /v on the 2003 DC's and dcdiag /v on
> the 2008 to check for errors?

Strange is that repadmin check from 2003 does not return any error and
dcdiag only :
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 11/22/2008 01:20:29
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 11/22/2008 01:20:47
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 11/22/2008 01:20:48
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 11/22/2008 01:20:48
(Event String could not be retrieved)
......................... SINCOSRV failed test systemlog



Instead of DCDIAG on server 2008 where there are a lot of errors:

......................... BG01 passed test MachineAccount

Starting test: NCSecDesc

* Security Permissions check for all NC's on DC BG01.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=sinco,DC=lan
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:

DC=ForestDnsZones,DC=sinco,DC=lan
* Security Permissions Check for
DC=DomainDnsZones,DC=sinco,DC=lan
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:

DC=DomainDnsZones,DC=sinco,DC=lan
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sinco,DC=lan
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=sinco,DC=lan
(Configuration,Version 3)
* Security Permissions Check for
DC=sincosald,DC=lan
(Domain,Version 3)
......................... BG01 failed test NCSecDesc

Starting test: NetLogons

* Network Logons Privileges Check
Verified share \\BG01\netlogon
Verified share \\BG01\sysvol
[BG01] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.

......................... BG01 failed test NetLogons

Starting test: ObjectsReplicated

BG01 is in domain DC=sincosald,DC=lan
Checking for CN=BG01,OU=Domain Controllers,DC=sinco,DC=lan in
domain DC=sinco,DC=lan on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=BG01,CN=Servers,CN=Nome-predefinito-primo-sito,CN=Sites,CN=Configuration,DC=sinco,DC=lan
in domain CN=Configuration,DC=sinco,DC=lan on 1 servers
Object is up-to-date on all servers.
......................... BG01 passed test ObjectsReplicated

Test omitted by user request: OutboundSecureChannels
Starting test: Replications

* Replications Check
[Replications Check,BG01] DsReplicaGetInfo(PENDING_OPS, NULL) failed,

error 0x2105 "Win32 Error 8453"

......................... BG01 failed test Replications

Starting test: RidManager

* Available RID Pool for the Domain is 2609 to 1073741823
* sincosrv.sincosald.lan is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2109 to 2608
* rIDPreviousAllocationPool is 2109 to 2608
* rIDNextRID: 2120
......................... BG01 passed test RidManager

Starting test: Services

* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on BG01, error 0x5 "Win32 Error 5"

* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... BG01 failed test Services

Starting test: SystemLog

* The System Event log test
An Error Event occurred. EventID: 0x00000457

Time Generated: 11/22/2008 01:01:29

EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)

An Error Event occurred. EventID: 0x00000457

Time Generated: 11/22/2008 01:01:30

EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)

......................... BG01 failed test SystemLog



thanks!
andrew

[Meinolf Weber]

Hello Andrea,

If the DC is installed just some short timne ago give it time for replication,
check if the DNS server services is started on the 2008. Even after the reboot
when AD states the promotion is succesful it can take time for becoming complete.
Make sure the new server is still using only the 2003 DC/DNS server on the
NIC as preferred until the domain runs properly and you have no replication
errors. Please post an unedited ipconfig /all from both servers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Meinolf Weber ha scritto:
>
>> Hello Andrea,
>> Is the server in the same site?
> yes
>
>> Any additional errors in the event viewer?
>>
> few alerts:
>
> DNS log:
> Event ID 4013
> "The DNS server is waiting for Active Directory Domain Services (AD
> DS) to
> signal that the initial synchronization of the directory has been
> completed.
> The DNS server service cannot start until the initial synchronization
> is
> complete because critical DNS data might not yet be replicated onto
> this
> domain controller. "
>> Do you use AD integrated zones and are all DC's registered correctly?
>>
> yes , DNS AD integrated and DC are registered as domain controller.
>
>> Did you run dcdiag /v and netdiag /v on the 2003 DC's and dcdiag /v
>> on the 2008 to check for errors?
>>
> Strange is that repadmin check from 2003 does not return any error and
> dcdiag only :
> Starting test: systemlog
> * The System Event log test
> An Error Event occured. EventID: 0x00000457
> Time Generated: 11/22/2008 01:20:29
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 11/22/2008 01:20:47
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 11/22/2008 01:20:48
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 11/22/2008 01:20:48
> (Event String could not be retrieved)
> ......................... SINCOSRV failed test systemlog
> Instead of DCDIAG on server 2008 where there are a lot of errors:
>
> ......................... BG01 passed test MachineAccount
>
> Starting test: NCSecDesc
>
> * Security Permissions check for all NC's on DC BG01.
> The forest is not ready for RODC. Will skip checking ERODC
> ACEs.
> * Security Permissions Check for
> DC=ForestDnsZones,DC=sinco,DC=lan
> (NDNC,Version 3)
> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't
> have
> Replicating Directory Changes In Filtered Set
> access rights for the naming context:
> DC=ForestDnsZones,DC=sinco,DC=lan
> * Security Permissions Check for
> DC=DomainDnsZones,DC=sinco,DC=lan
> (NDNC,Version 3)
> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't
> have
> Replicating Directory Changes In Filtered Set
> access rights for the naming context:
> DC=DomainDnsZones,DC=sinco,DC=lan
> * Security Permissions Check for
> CN=Schema,CN=Configuration,DC=sinco,DC=lan
> (Schema,Version 3)
> * Security Permissions Check for
> CN=Configuration,DC=sinco,DC=lan
> (Configuration,Version 3)
> * Security Permissions Check for
> DC=sincosald,DC=lan
> (Domain,Version 3)
> ......................... BG01 failed test NCSecDesc
> Starting test: NetLogons
>
> * Network Logons Privileges Check
> Verified share \\BG01\netlogon
> Verified share \\BG01\sysvol
> [BG01] User credentials does not have permission to perform
> this
> operation.
> The account used for this test must have network logon
> privileges
> for this machine's domain.
> ......................... BG01 failed test NetLogons
>
> Starting test: ObjectsReplicated
>
> BG01 is in domain DC=sincosald,DC=lan
> Checking for CN=BG01,OU=Domain Controllers,DC=sinco,DC=lan
> in
> domain DC=sinco,DC=lan on 1 servers
> Object is up-to-date on all servers.
> Checking for CN=NTDS
> Settings,CN=BG01,CN=Servers,CN=Nome-predefinito-primo-sito,CN=Sites,CN
> =Configuration,DC=sinco,DC=lan
> in domain CN=Configuration,DC=sinco,DC=lan on 1 servers
> Object is up-to-date on all servers.
> ......................... BG01 passed test ObjectsReplicated
> Test omitted by user request: OutboundSecureChannels
> Starting test: Replications
> * Replications Check
> [Replications Check,BG01] DsReplicaGetInfo(PENDING_OPS,
> NULL) failed,
> error 0x2105 "Win32 Error 8453"
>
> ......................... BG01 failed test Replications
>
> Starting test: RidManager
>
> * Available RID Pool for the Domain is 2609 to 1073741823
> * sincosrv.sincosald.lan is the RID Master
> * DsBind with RID Master was successful
> * rIDAllocationPool is 2109 to 2608
> * rIDPreviousAllocationPool is 2109 to 2608
> * rIDNextRID: 2120
> ......................... BG01 passed test RidManager
> Starting test: Services
>
> * Checking Service: EventSystem
> * Checking Service: RpcSs
> * Checking Service: NTDS
> Could not open NTDS Service on BG01, error 0x5 "Win32
> Error 5"
> * Checking Service: DnsCache
> * Checking Service: NtFrs
> * Checking Service: IsmServ
> * Checking Service: kdc
> * Checking Service: SamSs
> * Checking Service: LanmanServer
> * Checking Service: LanmanWorkstation
> * Checking Service: w32time
> * Checking Service: NETLOGON
> ......................... BG01 failed test Services
> Starting test: SystemLog
>
> * The System Event log test
> An Error Event occurred. EventID: 0x00000457
> Time Generated: 11/22/2008 01:01:29
>
> EvtFormatMessage failed, error 15100 Win32 Error 15100.
> (Event String (event log = System) could not be
> retrieved, error
> 0x3afc)
> An Error Event occurred. EventID: 0x00000457
>
> Time Generated: 11/22/2008 01:01:30
>
> EvtFormatMessage failed, error 15100 Win32 Error 15100.
> (Event String (event log = System) could not be
> retrieved, error
> 0x3afc)
> ......................... BG01 failed test SystemLog
>
> thanks!
> andrew

[Andrea]

Meinolf Weber ha scritto:
> Hello Andrea,
>
> If the DC is installed just some short timne ago give it time for
> replication, check if the DNS server services is started on the 2008.
> Even after the reboot when AD states the promotion is succesful it can
> take time for becoming complete. Make sure the new server is still using
> only the 2003 DC/DNS server on the NIC as preferred until the domain
> runs properly and you have no replication errors. Please post an
> unedited ipconfig /all from both servers.


Hello Weber,
DNS on 2008 work seems fine, all nslookup query is ok.
New 2008 has become DC about 7 days ago.

Here is the ipconfig on new 2008 srv:

Windows IP Configuration
Host Name . . . . . . . . . . . . : BG01
Primary Dns Suffix . . . . . . . : sinco.lan
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sinco.lan

Ethernet adapter LAN Priority:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit
Server Ad
apter #2
Physical Address. . . . . . . . . : 00-1F-29-EC-97-A8
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7ce1:f337:ac58:e0d5%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.7.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.7.2
DNS Servers . . . . . . . . . . . : 192.168.7.5
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . :
isatap.{503CFB87-A338-4F4F-B9CC-E14DEB440
12E}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes




AND THIS IS 2003 POST:

Configurazione IP di Windows
Nome host . . . . . . . . . . . . . . : sincosrv
Suffisso DNS primario . . . . . . . . : sinco.lan
Tipo nodo . . . . . . . . . . . . . . : Ibrido
Routing IP abilitato . . . . . . . . : Sì
Proxy WINS abilitato . . . . . . . . : No
Elenco di ricerca suffissi DNS. . . . : sinco.lan

Scheda Ethernet Rete Sinco:

Suffisso DNS specifico per connessione:
Descrizione . . . . . . . . . . . . . : HP NC7761 Gigabit Server Adapter
Indirizzo fisico. . . . . . . . . . . : 00-17-A4-8B-15-73
DHCP abilitato. . . . . . . . . . . . : No
Indirizzo IP. . . . . . . . . . . . . : 192.168.7.1
Subnet mask . . . . . . . . . . . . . : 255.255.255.0
Gateway predefinito . . . . . . . . . :
Server DNS . . . . . . . . . . . . . : 192.168.7.1
Server WINS primario . . . . . . . . : 192.168.7.1

Scheda Ethernet Internet:

Suffisso DNS specifico per connessione:
Descrizione . . . . . . . . . . . . . : NIC Fast Ethernet PCI Realtek
RTL8139
Family
Indirizzo fisico. . . . . . . . . . . : 00-13-49-A9-C0-38
DHCP abilitato. . . . . . . . . . . . : No
Indirizzo IP. . . . . . . . . . . . . : 192.168.8.253
Subnet mask . . . . . . . . . . . . . : 255.255.255.0
Gateway predefinito . . . . . . . . . : 192.168.8.254
NetBIOS su TCPIP. . . . . . : Disabilitato




Maybe ipv6 on 2008 can give problems?


thanks again

[Andrea]

For update, when i launch repadmin /syncall on new 2008 server it shows me
this err:


CALLBACK MESSAGE: The following replication is in progress:
From: 1b8c7cb8-cd17-4cd4-bbb6-adac85033d4b._msdcs.sinco.lan
To : 6e7052f0-e1f4-48f1-b885-917c03eaf0f2._msdcs.sinco.lan
CALLBACK MESSAGE: Error issuing replication: 8453 (0x2105):
Replication access was denied.
From: 1b8c7cb8-cd17-4cd4-bbb6-adac85033d4b._msdcs.sinco.lan
To : 6e7052f0-e1f4-48f1-b885-917c03eaf0f2._msdcs.sinco.lan
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error issuing replication: 8453 (0x2105):
Replication access was denied.
From: 1b8c7cb8-cd17-4cd4-bbb6-adac85033d4b._msdcs.sinco.lan
To : 6e7052f0-e1f4-48f1-b885-917c03eaf0f2._msdcs.sinco.lan


I hope in your support
Thanks

[Andrea]

ops.. sorry, replication test fails because I launch it with account
without schema admin.
If I try with administrator account all works fine.

thank

[Meinolf Weber]

Hello Andrea,

You can uncheck IPv6 if you not use it.

As i asked before did you point during promoting the 2008 on the NIC only
to the old DC?

Configure on both DC's the other one as secondary DNS.

Your 2003 is multihomed what is for DC's a not good solution. This can create
lot of problems in a domain. Is the 2003 a SBS version of windows? If possible
do not multihome the DC, how is the second NIC connected, to switch or router?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

[Andrea]

secondary IP was connected to router but now I've moved it to another
server, so I just disable second NIC on 2003 SBS.
Tomorrow i relaunch all tests with dcdiag and repadmin.

Thanks
Andrew