No replication between DCs - Netlogon 5774 error observed
I have encountered a strange situation between 2 DCs. One could be considered the good DC, and appears to be working well. It is also the DHCP and DNS server. There is a second DC which was promoted today, and also has WSUS installed.
The problem is that the second DC just cannot register its service records on the first DC, which is specified as the DNS server in the NIC properties on both DCs. There is no external DNS server IP specified in either NIC.
The above problem has been registered on the bad DC, for each one of its service records, with the "DNS Operation Refused" message appearing at the bottom of the event. Restarting Netlogon on the server reproduces the errors. It is possible to ping each server from the other, and both DCs have their firewalls disabled. There is no firewall between the DCs.
In Sites and Services on the good DC, it is not possible to replicate to the other DC; it just produces "The naming context is in the process of being removed or is not replicated from the specified server."
In the DNS diagnostic logging, there are repeated entries saying "0580 refused."
The forward lookup zone for the domain and all other ones are AD integrated, and allow secure updates only.
Both DCs are Windows Server 2003, one with SP1 and the other with SP2 (I can't remember which is which).
The bad DC also registers KCC 1308 and Userenv 1053 errors.
It is possible to access the Netlogon share on the good DC from the bad DC.
I'd be greatly obliged if anyone can help me with this, because in the meantime there is no replication and no redundancy in AD.
Hopefully I can give you more information about the current status, etc.
The "good" server, A, has the IP address 10.184.108.20, subnet mask 255.255.255.0, default gateway 10.184.108.22 (ISA 2004). It has WINS installed and points to itself for DNS and WINS, and is set to register itself in DNS.
The "bad" server, WSUS, has IP address 10.184.108.25, subnet mask 255.255.255.0, default gateway 10.184.108.22, DNS 10.184.108.20, WINS 10.184.108.20. Also registering itself in DNS.
Today I ran netdiag /fix on the bad server, which seemed to sort out half the problem. Now in Replmon, under the node for the good server, replication is working. However, under the "bad" server, I see "Replication failure. The reason is: Access is denied."
I strongly feel the problem is with the good server, as 2 otherwise working servers have both had issues when promoted to being DCs.
As an observation, for some reason the client has unlinked the Default Domain Policy from the domain, and it has been heavily modified.
When I use AD Sites and Services using the site links under the WSUS node, I receive an "Access is denied" when synchronizing the naming partition from the good DC, A, to the bad one, WSUS.
I also observed the "Naming context is in the process of being moved or is not replicated from the specified server" message in the second site link under the WSUS DC.
On starting up, the bad DC displays DnsApi 11163 errors, a failure to update host A resource records (RRs).
Also, the good DC displays Security Logon/Logoff errors, event ID 529, from WSUS and various other computers.
After running netdiag /fix on the WSUS DC, I received a few errors, including the following:
Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
Unable to connect to the NETLOGON share! (\\xxxxx-WSUS\netlogon)
[xxxxx-WSUS] An net use or LsaPolicy operation failed with error 1203,
No network provider accepted the given network path..
From xxxxxxA to xxxxx-WSUS
Naming Context: CN=Schema,CN=Configuration,DC=domainname,DC=com
The replication generated an error (5):
Access is denied.
Thanks a lot for any pointers you may be able to give. My current thoughts are to use the two commands to restore the DC and domain GPOs to their defaults and add in again any specified and justifiable personalizations, if they seem reasonable.
I decided to remove the other DC, and have now replaced the default domain and DC policies.
However, the clients keep reporting Userenv 1053 errors every time I run gpupdate /force. There are hardly any errors in the DC Event Viewer. On the clients I run rsop.msc and there are errors under Computer Configuration: access denied. I can contact the SYSVOL share and open the policies with the corresponding GUIs from the client.
I will have to add another DC in the future and I am worried it will not be installed correctly, as there are now 2 DCs that have been unable to replicate with the primary DC.
On the DC I cannot run Group Policy Results modelling from the GPMC console, as it says I do not have the required permission... the plot thickens.
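The symptoms above (Netlogon 5774 "DNS Operation Refused" on the new DC, KCC 1308 and Userenv 1053 on the same box, and Security 529 logon failures on the good DC for the new DC's computer account) are what a secure-only dynamic-update zone looks like when the registering DC cannot authenticate. The triage script below is an added example, not from the original thread: it correlates constructed event-log export lines (tab-separated Computer, Source, EventID, Message; the sample text and computer names are made up here) so that a DC whose registrations are refused AND whose machine account shows 529 failures on the DNS server is flagged as an authentication problem rather than a DNS configuration problem.

```python
import re
from collections import defaultdict

# Constructed sample export (not from the post): Computer, Source, EventID, Message.
SAMPLE_EVENTS = """\
XXXXX-WSUS\tNETLOGON\t5774\tRegistration of the DNS record '_ldap._tcp.dc._msdcs.domainname.com. 600 IN SRV 0 100 389 xxxxx-wsus.domainname.com.' failed. DNS server 10.184.108.20. Returned response code (RCODE): 5. DNS Operation Refused.
XXXXX-WSUS\tNTDS KCC\t1308\tThe KCC has detected that successive attempts to replicate with the directory service failed.
XXXXX-WSUS\tUserenv\t1053\tWindows cannot determine the user or computer name. (Access is denied.)
XXXXXXA\tSecurity\t529\tLogon Failure: Reason: Unknown user name or bad password. User Name: XXXXX-WSUS$ Domain: DOMAINNAME Workstation Name: XXXXX-WSUS
XXXXXXA\tSecurity\t529\tLogon Failure: Reason: Unknown user name or bad password. User Name: PC07$ Domain: DOMAINNAME Workstation Name: PC07
"""

DNS_SERVER_RE = re.compile(r"DNS server (\d+\.\d+\.\d+\.\d+)")
MACHINE_ACCOUNT_RE = re.compile(r"User Name: (\S+)\$")   # computer accounts end in $


def parse_events(text):
    """Split tab-separated export lines into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            computer, source, event_id, message = line.split("\t", 3)
            events.append({"computer": computer.upper(), "source": source,
                           "id": int(event_id), "message": message})
    return events


def triage(text):
    """Correlate refused DNS registrations with machine-account logon failures."""
    refused = defaultdict(set)          # DC -> DNS servers that refused its updates
    failed_accounts = defaultdict(set)  # machine account (no $) -> hosts logging 529
    related = defaultdict(set)          # DC -> other replication/GP event IDs seen
    for e in parse_events(text):
        if e["id"] == 5774 and e["source"].upper() == "NETLOGON":
            m = DNS_SERVER_RE.search(e["message"])
            if m and "Refused" in e["message"]:
                refused[e["computer"]].add(m.group(1))
        elif e["id"] == 529:
            m = MACHINE_ACCOUNT_RE.search(e["message"])
            if m:
                failed_accounts[m.group(1).upper()].add(e["computer"])
        elif (e["source"], e["id"]) in {("NTDS KCC", 1308), ("Userenv", 1053)}:
            related[e["computer"]].add(e["id"])
    findings = {}
    for dc, servers in refused.items():
        auth_failing = dc in failed_accounts
        findings[dc] = {
            "dns_servers": sorted(servers),
            "logon_failures_on": sorted(failed_accounts.get(dc, ())),
            "related_events": sorted(related.get(dc, ())),
            "verdict": ("computer account authentication failing; secure update refused"
                        if auth_failing else "dynamic update refused without logon failures"),
        }
    return findings
```

Run `triage(SAMPLE_EVENTS)` to get one finding per DC with refused registrations; a DC that appears only with 5774 and no 529 for its account points at the zone's update settings or the DNS server it targets instead.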
Re: No replication between DCs - Netlogon 5774 error observed
I've seen similar issues from DCs that were cloned... apparently talk of the demise of the SID is premature.