Thread: Domain replication problem

  1. #1
    Join Date
    Dec 2011
    Posts
    2

    Domain replication problem

    Hello,

    I have a replication problem with my 2 domain controllers. Here is the dcdiag result:

    C:\Program Files\Support Tools>dcdiag

    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\PDC
    Starting test: Connectivity
    ......................... PDC passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\PDC
    Starting test: Replications
    [Replications Check,PDC] A recent replication attempt failed:
    From FILESERVER to PDC
    Naming Context: CN=Schema,CN=Configuration,DC=fiu,DC=local
    The replication generated an error (-2146893022):
    The target principal name is incorrect.
    The failure occurred at 2011-12-07 08:48:53.
    The last success occurred at 2010-11-18 11:18:34.
    147 failures have occurred since the last success.
    [FILESERVER] DsBindWithSpnEx() failed with error -2146893022,
    The target principal name is incorrect..
    [Replications Check,PDC] A recent replication attempt failed:
    From FILESERVER to PDC
    Naming Context: CN=Configuration,DC=fiu,DC=local
    The replication generated an error (-2146893022):
    The target principal name is incorrect.
    The failure occurred at 2011-12-07 08:48:53.
    The last success occurred at 2010-11-18 12:45:43.
    144 failures have occurred since the last success.
    [Replications Check,PDC] A recent replication attempt failed:
    From FILESERVER to PDC
    Naming Context: DC=fiu,DC=local
    The replication generated an error (-2146893022):
    The target principal name is incorrect.
    The failure occurred at 2011-12-07 08:48:53.
    The last success occurred at 2010-11-18 12:45:16.
    144 failures have occurred since the last success.
    REPLICATION-RECEIVED LATENCY WARNING
    PDC: Current time is 2011-12-07 09:09:08.
    CN=Schema,CN=Configuration,DC=fiu,DC=local
    Last replication recieved from FILESERVER at 2010-11-18 11:18:34.

    WARNING: This latency is over the Tombstone Lifetime of 60 days!

    CN=Configuration,DC=fiu,DC=local
    Last replication recieved from FILESERVER at 2010-11-18 12:38:52.

    WARNING: This latency is over the Tombstone Lifetime of 60 days!

    DC=fiu,DC=local
    Last replication recieved from FILESERVER at 2010-11-18 12:38:25.

    WARNING: This latency is over the Tombstone Lifetime of 60 days!

    ......................... PDC passed test Replications
    Starting test: NCSecDesc
    ......................... PDC passed test NCSecDesc
    Starting test: NetLogons
    ......................... PDC passed test NetLogons
    Starting test: Advertising
    ......................... PDC passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... PDC passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... PDC passed test RidManager
    Starting test: MachineAccount
    ......................... PDC passed test MachineAccount
    Starting test: Services
    ......................... PDC passed test Services
    Starting test: ObjectsReplicated
    ......................... PDC passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... PDC passed test frssysvol
    Starting test: frsevent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... PDC failed test frsevent
    Starting test: kccevent
    ......................... PDC passed test kccevent
    Starting test: systemlog
    An Error Event occured. EventID: 0x00000457
    Time Generated: 12/07/2011 08:09:19
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x40000004
    Time Generated: 12/07/2011 08:48:11
    Event String: The kerberos client received a
    An Error Event occured. EventID: 0x40000004
    Time Generated: 12/07/2011 08:48:53
    Event String: The kerberos client received a
    An Error Event occured. EventID: 0x825A0030
    Time Generated: 12/07/2011 08:50:00
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x40000004
    Time Generated: 12/07/2011 08:50:31
    Event String: The kerberos client received a
    An Error Event occured. EventID: 0x0000165B
    Time Generated: 12/07/2011 08:55:23
    Event String: The session setup from computer 'DRD' failed
    An Error Event occured. EventID: 0x40000004
    Time Generated: 12/07/2011 09:00:10
    Event String: The kerberos client received a
    An Error Event occured. EventID: 0x000016AD
    Time Generated: 12/07/2011 09:04:14
    Event String: The session setup from the computer DRD failed to
    ......................... PDC failed test systemlog
    Starting test: VerifyReferences
    ......................... PDC passed test VerifyReferences

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : fiu
    Starting test: CrossRefValidation
    ......................... fiu passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... fiu passed test CheckSDRefDom

    Running enterprise tests on : fiu.local
    Starting test: Intersite
    ......................... fiu.local passed test Intersite
    Starting test: FsmoCheck
    ......................... fiu.local passed test FsmoCheck

    C:\Program Files\Support Tools>



    The repadmin /showreps result is below:

    C:\Program Files\Support Tools>repadmin /showreps
    Default-First-Site-Name\PDC
    DC Options: IS_GC
    Site Options: (none)
    DC object GUID: 0ea3a9ab-3388-4d1c-a844-8f4b05f0b041
    DC invocationID: 0ea3a9ab-3388-4d1c-a844-8f4b05f0b041

    ==== INBOUND NEIGHBORS ======================================

    DC=fiu,DC=local
    Default-First-Site-Name\FILESERVER via RPC
    DC object GUID: fc7f64a9-6972-407a-b599-ddcf6dcb831f
    Last attempt @ 2011-12-07 08:48:53 failed, result -2146893022 (0x80090322):
    The target principal name is incorrect.
    144 consecutive failure(s).
    Last success @ 2010-11-18 12:45:16.

    CN=Configuration,DC=fiu,DC=local
    Default-First-Site-Name\FILESERVER via RPC
    DC object GUID: fc7f64a9-6972-407a-b599-ddcf6dcb831f
    Last attempt @ 2011-12-07 08:48:53 failed, result -2146893022 (0x80090322):
    The target principal name is incorrect.
    144 consecutive failure(s).
    Last success @ 2010-11-18 12:45:43.

    CN=Schema,CN=Configuration,DC=fiu,DC=local
    Default-First-Site-Name\FILESERVER via RPC
    DC object GUID: fc7f64a9-6972-407a-b599-ddcf6dcb831f
    Last attempt @ 2011-12-07 08:48:53 failed, result -2146893022 (0x80090322):
    The target principal name is incorrect.
    147 consecutive failure(s).
    Last success @ 2010-11-18 11:18:34.

    Source: Default-First-Site-Name\FILESERVER
    ******* 147 CONSECUTIVE FAILURES since 2010-11-18 12:45:43
    Last error: -2146893022 (0x80090322):
    The target principal name is incorrect.

    C:\Program Files\Support Tools>epadmin /showrepl
    'epadmin' is not recognized as an internal or external command,
    operable program or batch file.

    C:\Program Files\Support Tools>



    Also, the following errors are present in the Primary Domain Controller Event Viewer:

    Event Type: Error
    Event Source: NTDS Replication
    Event Category: Replication
    Event ID: 1864
    Date: 12/6/2011
    Time: 6:03:53 PM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: PDC
    Description:
    This is the replication status for the following directory partition on the local domain controller.

    Directory partition:
    CN=Schema,CN=Configuration,DC=fiu,DC=local

    The local domain controller has not recently received replication information from a number of domain controllers. The count of domain controllers is shown, divided into the following intervals.

    More than 24 hours:
    1
    More than a week:
    1
    More than one month:
    1
    More than two months:
    1
    More than a tombstone lifetime:
    1
    Tombstone lifetime (days):
    60
    Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.

    To identify the domain controllers by name, install the support tools included on the installation CD and run dcdiag.exe.
    You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest. The command is "repadmin /showvector /latency <partition-dn>".

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



    Event Type: Warning
    Event Source: NTDS Replication
    Event Category: Replication
    Event ID: 2092
    Date: 12/6/2011
    Time: 6:03:53 PM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: PDC
    Description:

    This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

    Operations which require contacting a FSMO operation master will fail until this condition is corrected.

    FSMO Role: CN=Schema,CN=Configuration,DC=fiu,DC=local

    User Action:

    1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
    2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
    3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

    The following operations may be impacted:
    Schema: You will no longer be able to modify the schema for this forest.
    Domain Naming: You will no longer be able to add or remove domains from this forest.
    PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
    RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
    Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



    Event Type: Warning
    Event Source: NTDS KCC
    Event Category: Knowledge Consistency Checker
    Event ID: 1308
    Date: 12/6/2011
    Time: 5:08:53 PM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: PDC
    Description:
    The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following domain controller has consistently failed.

    Attempts:
    131
    Domain controller:
    CN=NTDS Settings,CN=FILESERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fiu,DC=local
    Period of time (minutes):
    551783

    The Connection object for this domain controller will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this domain controller resumes, the temporary connection will be removed.

    Additional Data
    Error value:
    1908 Could not find the domain controller for this domain.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



    Event Type: Error
    Event Source: NTDS Replication
    Event Category: DS RPC Client
    Event ID: 2087
    Date: 12/6/2011
    Time: 5:05:25 PM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: PDC
    Description:
    Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.

    Source domain controller:
    FILEServer
    Failing DNS host name:
    fc7f64a9-6972-407a-b599-ddcf6dcb831f._msdcs.fiu.local

    NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

    Registry Path:
    HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

    User Action:

    1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

    2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".

    3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns

    dcdiag /test:dns

    4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

    dcdiag /test:dns

    5) For further analysis of DNS error failures see KB 824449:
    http://support.microsoft.com/?kbid=824449

    Additional Data
    Error value:
    11004 The requested name is valid, but no data of the requested type was found.


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



    What can I do to resolve these problems?

    Thanks,
    Flori

  2. #2
    Join Date
    Dec 2007
    Posts
    2,291

    Re: Domain replication problem

    I think that you need to grant "NT Authority\System" full control of the sysvol share on DC2 (BDC)? Can you confirm the permissions on the SBS sysvol folder match those on the BDC? I believe they should match identically, so I would mirror them on the BDC if they are not the same.

  3. #3
    Join Date
    Dec 2011
    Posts
    2

    Re: Domain replication problem

    Hi,
    Yes, they match and are full rights. I noticed now that every hour in the primary domain controller event viewer there is only 1 error repeating:

    Event Type: Error
    Event Source: NTDS Replication
    Event Category: Replication
    Event ID: 2042
    Date: 12/7/2011
    Time: 9:55:34 PM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: PDC
    Description:
    It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
    The reason that replication is not allowed to continue is that the two machine's views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted.
    Time of last successful replication:
    2010-11-18 12:38:25
    Invocation ID of source:
    043df6c8-f6b8-043d-0100-000000000000
    Name of source:
    fc7f64a9-6972-407a-b599-ddcf6dcb831f._msdcs.fiu.local
    Tombstone lifetime (days):
    60

    The replication operation has failed.

    User Action:

    Determine which of the two machines was disconnected from the forest and is now out of date. You have three options:

    1. Demote or reinstall the machine(s) that were disconnected.
    2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent deleted objects and then resume replication.
    3. Resume replication. Inconsistent deleted objects may be introduced. You can continue replication by using the following registry key. Once the systems replicate once, it is recommended that you remove the key to reinstate the protection.
    Registry Key:
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
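
Added example, not part of the thread and not a Microsoft tool: a Python parser for the `repadmin /showreps` inbound-neighbor text shown in post #1. It converts the signed result code to its unsigned HRESULT form and flags partners whose last successful replication is older than the 60-day tombstone lifetime, the condition event 2042 reports. The function names are hypothetical, and the sample is abridged from the thread's own output, with the console line wrap kept.

```python
import re
from datetime import datetime

TOMBSTONE_DAYS = 60  # tombstone lifetime reported by events 1864 and 2042 in this thread
FMT = "%Y-%m-%d %H:%M:%S"
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
ATTEMPT = re.compile(r"Last attempt @ " + TS + r" (?:failed, result (-?\d+)|was successful)")
SUCCESS = re.compile(r"Last success @ " + TS)
PARTNER = re.compile(r"^(\S+\\\S+) via RPC$")
FAILS = re.compile(r"^(\d+) consecutive failure")

# Two inbound-neighbor entries abridged from post #1 (console wrap "2):" kept).
SAMPLE = r"""
DC=fiu,DC=local
Default-First-Site-Name\FILESERVER via RPC
Last attempt @ 2011-12-07 08:48:53 failed, result -2146893022 (0x8009032
2):
144 consecutive failure(s).
Last success @ 2010-11-18 12:45:16.

CN=Schema,CN=Configuration,DC=fiu,DC=local
Default-First-Site-Name\FILESERVER via RPC
Last attempt @ 2011-12-07 08:48:53 failed, result -2146893022 (0x8009032
2):
147 consecutive failure(s).
Last success @ 2010-11-18 11:18:34.
"""

def parse_showreps(text):
    """Return one record per inbound naming context / source partner."""
    rows, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"^(?:DC|CN)=", line):  # a naming-context DN starts a new entry
            cur = {"nc": line, "partner": None, "result": 0, "failures": 0,
                   "last_attempt": None, "last_success": None}
            rows.append(cur)
        elif cur is None:
            continue  # header lines before the first naming context
        elif m := PARTNER.match(line):
            cur["partner"] = m.group(1)
        elif m := ATTEMPT.search(line):
            cur["last_attempt"] = datetime.strptime(m.group(1), FMT)
            cur["result"] = int(m.group(2) or 0)  # 0 when the attempt succeeded
        elif m := FAILS.match(line):
            cur["failures"] = int(m.group(1))
        elif m := SUCCESS.search(line):
            cur["last_success"] = datetime.strptime(m.group(1), FMT)
    return rows

def assess(rows, tombstone_days=TOMBSTONE_DAYS):
    """Add the unsigned HRESULT and the gap since the last good replication."""
    for r in rows:
        r["hresult"] = f"0x{r['result'] & 0xFFFFFFFF:08X}"  # signed -> unsigned
        ok, tried = r["last_success"], r["last_attempt"]
        gap = (tried - ok).days if ok and tried else None
        r["days_since_success"] = gap
        r["beyond_tombstone"] = gap is None or gap > tombstone_days  # no success on record also flags
    return rows
```

The decimal result is parsed instead of the hex value because the console wraps the hex across two lines in the pasted output.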
