
Thread: NTDS Replication event 2023 error 8589

  1. #16
    Paul Williams [MVP] Guest

    Re: NTDS Replication event 2023 error 8589

    This is looking more and more like the only issue is with replicating that
    app partition rather than an issue with FRS.

    Delete all the connection objects for each server object in DSSITE.MSC and
    go and get yourself a cup of coffee. After you've drunk it, fire up REPLMON
    and force replication between DCs in the same domain and across domains (the
    enterprise and app partitions).

    Rescan the event logs.

    Also, run DCDIAG /V /C /E and post any errors or warnings.

    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net



  2. #17
    Mr Major Thorburn Guest

    Re: NTDS Replication event 2023 error 8589

    Paul, thanks for your help so far.
    The links were all regenerated automatically, eventually. Sorry for the delay.
    I am still getting the event error but for a different server same domain.
    I have checked replmon for this link and it completed successfully last time.
    I ran DCDIAG on one of the servers that is getting the event error and the
    output is posted below:
    Regards, Major.

    Domain Controller Diagnosis

    Performing initial setup:
    * Verifying that the local machine phcntsjhdc01, is a DC.
    * Connecting to directory service on server phcntsjhdc01.
    * Collecting site info.
    * Identifying all servers.
    * Identifying all NC cross-refs.
    * Found 8 DC(s). Testing 8 of them.
    Done gathering initial info.

    Doing initial required tests

    Testing server: virtual\SJHDC01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... SJHDC01 passed test Connectivity

    Testing server: virtual\SMHDC01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... SMHDC01 passed test Connectivity

    Testing server: virtual\PHCNTSJHDC01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... PHCNTSJHDC01 passed test Connectivity

    Testing server: virtual\PHTSMHDC01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... PHTSMHDC01 passed test Connectivity

    Testing server: virtual\PHTQAHDC01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... PHTQAHDC01 passed test Connectivity

    Testing server: virtual\VIRTDC04
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... VIRTDC04 passed test Connectivity

    Testing server: virtual\QAHDC01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... QAHDC01 passed test Connectivity

    Testing server: virtual\PHTQAHDC04
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... PHTQAHDC04 passed test Connectivity

    Doing primary tests

    Testing server: virtual\SJHDC01
    Starting test: Replications
    * Replications Check
    [Replications Check,SJHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
    with error 8453,
    Replication access was denied..
    ......................... SJHDC01 failed test Replications
    Starting test: Topology
    * Configuration Topology Integrity Check
    * Analyzing the connection topology for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ......................... SJHDC01 passed test Topology
    Starting test: CutoffServers
    * Configuration Topology Aliveness Check
    * Analyzing the alive system replication topology for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ......................... SJHDC01 passed test CutoffServers
    Starting test: NCSecDesc
    * Security Permissions check for all NC's on DC SJHDC01.
    * Security Permissions Check for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk
    (NDNC,Version 2)
    * Security Permissions Check for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk
    (NDNC,Version 2)
    * Security Permissions Check for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk
    (Schema,Version 2)
    * Security Permissions Check for
    CN=Configuration,DC=xports,DC=nhs,DC=uk
    (Configuration,Version 2)
    * Security Permissions Check for
    DC=xports,DC=nhs,DC=uk
    (Domain,Version 2)
    ......................... SJHDC01 passed test NCSecDesc
    Starting test: NetLogons
    * Network Logons Privileges Check
    Verified share \\SJHDC01\netlogon
    Verified share \\SJHDC01\sysvol
    [SJHDC01] User credentials does not have permission to perform this
    operation.
    The account used for this test must have network logon privileges
    for this machine's domain.
    ......................... SJHDC01 failed test NetLogons
    Starting test: Advertising
    The DC SJHDC01 is advertising itself as a DC and having a DS.
    The DC SJHDC01 is advertising as an LDAP server
    The DC SJHDC01 is advertising as having a writeable directory
    The DC SJHDC01 is advertising as a Key Distribution Center
    Warning: SJHDC01 is not advertising as a time server.
    ......................... SJHDC01 failed test Advertising
    Starting test: KnowsOfRoleHolders
    Role Schema Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Domain Owner = CN=NTDS
    Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role PDC Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Rid Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Infrastructure Update Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    ......................... SJHDC01 passed test KnowsOfRoleHolders
    Starting test: RidManager
    * Available RID Pool for the Domain is 5603 to 1073741823
    * sjhdc01.xports.nhs.uk is the RID Master
    * DsBind with RID Master was successful
    * rIDAllocationPool is 4603 to 5102
    * rIDPreviousAllocationPool is 4603 to 5102
    * rIDNextRID: 4604
    ......................... SJHDC01 passed test RidManager
    Starting test: MachineAccount
    Checking machine account for DC SJHDC01 on DC SJHDC01.
    * SPN found :LDAP/sjhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :LDAP/sjhdc01.xports.nhs.uk
    * SPN found :LDAP/SJHDC01
    * SPN found :LDAP/sjhdc01.xports.nhs.uk/PORTS
    * SPN found
    :LDAP/881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
    * SPN found
    :E3514235-4B06-11D1-AB04-00C04FC2DCD2/881ebe49-647f-46f2-8017-b0a14f94b25a/xports.nhs.uk
    * SPN found :HOST/sjhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :HOST/sjhdc01.xports.nhs.uk
    * SPN found :HOST/SJHDC01
    * SPN found :HOST/sjhdc01.xports.nhs.uk/PORTS
    * SPN found :GC/sjhdc01.xports.nhs.uk/xports.nhs.uk
    ......................... SJHDC01 passed test MachineAccount
    Starting test: Services
    Could not open Service Control Manager on [SJHDC01]:failed with 5:
    Access is denied.
    ......................... SJHDC01 failed test Services
    Starting test: OutboundSecureChannels
    * The Outbound Secure Channels test
    ** Did not run Outbound Secure Channels test
    because /testdomain: was not entered
    ......................... SJHDC01 passed test OutboundSecureChannels
    Starting test: ObjectsReplicated
    SJHDC01 is in domain DC=xports,DC=nhs,DC=uk
    Checking for CN=SJHDC01,OU=Domain
    Controllers,DC=xports,DC=nhs,DC=uk in domain DC=xports,DC=nhs,DC=uk on 6
    servers
    Object is up-to-date on all servers.
    Checking for CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk in domain CN=Configuration,DC=xports,DC=nhs,DC=uk on 8 servers
    Object is up-to-date on all servers.
    ......................... SJHDC01 passed test ObjectsReplicated
    Starting test: frssysvol
    * The File Replication Service SYSVOL ready test
    File Replication Service's SYSVOL is ready
    ......................... SJHDC01 passed test frssysvol
    Starting test: frsevent
    * The File Replication Service Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    ......................... SJHDC01 failed test frsevent
    Starting test: kccevent
    * The KCC Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    Failed to enumerate event log records, error Access is denied.
    ......................... SJHDC01 failed test kccevent
    Starting test: systemlog
    * The System Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    Failed to enumerate event log records, error Access is denied.
    ......................... SJHDC01 failed test systemlog
    Starting test: VerifyReplicas
    ......................... SJHDC01 passed test VerifyReplicas
    Starting test: VerifyReferences
    The system object reference (serverReference)
    CN=SJHDC01,OU=Domain Controllers,DC=xports,DC=nhs,DC=uk and backlink
    on

    CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    are correct.
    The system object reference (frsComputerReferenceBL)
    CN=SJHDC01,CN=Domain System Volume (SYSVOL share),CN=File
    Replication Service,CN=System,DC=xports,DC=nhs,DC=uk
    and backlink on
    CN=SJHDC01,OU=Domain Controllers,DC=xports,DC=nhs,DC=uk are correct.
    The system object reference (serverReferenceBL)
    CN=SJHDC01,CN=Domain System Volume (SYSVOL share),CN=File
    Replication Service,CN=System,DC=xports,DC=nhs,DC=uk
    and backlink on
    CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    are correct.
    ......................... SJHDC01 passed test VerifyReferences
    Starting test: VerifyEnterpriseReferences
    ......................... SJHDC01 passed test
    VerifyEnterpriseReferences
    Starting test: CheckSecurityError
    * Dr Auth: Beginning security errors check!
    Found KDC QAHDC01 for domain xports.nhs.uk in site virtual
    Checking machine account for DC SJHDC01 on DC QAHDC01.
    * SPN found :LDAP/sjhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :LDAP/sjhdc01.xports.nhs.uk
    * SPN found :LDAP/SJHDC01
    * SPN found :LDAP/sjhdc01.xports.nhs.uk/PORTS
    * SPN found
    :LDAP/881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
    * SPN found
    :E3514235-4B06-11D1-AB04-00C04FC2DCD2/881ebe49-647f-46f2-8017-b0a14f94b25a/xports.nhs.uk
    * SPN found :HOST/sjhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :HOST/sjhdc01.xports.nhs.uk
    * SPN found :HOST/SJHDC01
    * SPN found :HOST/sjhdc01.xports.nhs.uk/PORTS
    * SPN found :GC/sjhdc01.xports.nhs.uk/xports.nhs.uk
    Checking for CN=SJHDC01,OU=Domain
    Controllers,DC=xports,DC=nhs,DC=uk in domain DC=xports,DC=nhs,DC=uk on 2
    servers
    Object is up-to-date on all servers.
    [SJHDC01] DsReplicaGetInfo(KCC_DS_CONNECT_FAILURES) failed with
    error 8453,
    Replication access was denied..
    [SJHDC01] Unable to query the list of KCC connection failures.
    Continuing...
    [SJHDC01] No security related replication errors were found on this
    DC! To target the connection to a specific source DC use /ReplSource:<DC>.
    ......................... SJHDC01 passed test CheckSecurityError

    Testing server: virtual\SMHDC01
    Starting test: Replications
    * Replications Check
    REPLICATION LATENCY WARNING
    SMHDC01: This replication path was preempted by higher priority work.
    from PHTSMHDC01 to SMHDC01
    Reason: Synchronization attempt failed because the destination
    DC is currently waiting to synchronize new partial attributes from source.
    This condition is normal if a recent schema change modified the partial
    attribute set. The destination partial attribute set is not a subset of
    source partial attribute set.
    The last success occurred at 2006-02-06 07:22:10.
    Replication of new changes along this path will be delayed.
    REPLICATION LATENCY WARNING
    SMHDC01: This replication path was preempted by higher priority work.
    from PHTSMHDC01 to SMHDC01
    Reason: Synchronization attempt failed because the destination
    DC is currently waiting to synchronize new partial attributes from source.
    This condition is normal if a recent schema change modified the partial
    attribute set. The destination partial attribute set is not a subset of
    source partial attribute set.
    The last success occurred at 2006-02-06 05:57:24.
    Replication of new changes along this path will be delayed.
    [Replications Check,SMHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
    with error 8453,
    Replication access was denied..
    ......................... SMHDC01 failed test Replications
    Starting test: Topology
    * Configuration Topology Integrity Check
    * Analyzing the connection topology for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    DC=pht-master,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    DC=pha,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    DC=phcnt,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ......................... SMHDC01 passed test Topology
    Starting test: CutoffServers
    * Configuration Topology Aliveness Check
    * Analyzing the alive system replication topology for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=pht-master,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=pha,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=phcnt,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ......................... SMHDC01 passed test CutoffServers
    Starting test: NCSecDesc
    * Security Permissions check for all NC's on DC SMHDC01.
    * Security Permissions Check for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk
    (NDNC,Version 2)
    * Security Permissions Check for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk
    (NDNC,Version 2)
    * Security Permissions Check for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk
    (Schema,Version 2)
    * Security Permissions Check for
    CN=Configuration,DC=xports,DC=nhs,DC=uk
    (Configuration,Version 2)
    * Security Permissions Check for
    DC=xports,DC=nhs,DC=uk
    (Domain,Version 2)
    * Security Permissions Check for
    DC=pht-master,DC=xports,DC=nhs,DC=uk
    (Domain,Version 2)
    * Security Permissions Check for
    DC=pha,DC=xports,DC=nhs,DC=uk
    (Domain,Version 2)
    * Security Permissions Check for
    DC=phcnt,DC=xports,DC=nhs,DC=uk
    (Domain,Version 2)
    ......................... SMHDC01 passed test NCSecDesc
    Starting test: NetLogons
    * Network Logons Privileges Check
    Verified share \\SMHDC01\netlogon
    Verified share \\SMHDC01\sysvol
    [SMHDC01] User credentials does not have permission to perform this
    operation.
    The account used for this test must have network logon privileges
    for this machine's domain.
    ......................... SMHDC01 failed test NetLogons
    Starting test: Advertising
    The DC SMHDC01 is advertising itself as a DC and having a DS.
    The DC SMHDC01 is advertising as an LDAP server
    The DC SMHDC01 is advertising as having a writeable directory
    The DC SMHDC01 is advertising as a Key Distribution Center
    Warning: SMHDC01 is not advertising as a time server.
    The DS SMHDC01 is advertising as a GC.
    ......................... SMHDC01 failed test Advertising
    Starting test: KnowsOfRoleHolders
    Role Schema Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Domain Owner = CN=NTDS
    Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role PDC Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Rid Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Infrastructure Update Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    ......................... SMHDC01 passed test KnowsOfRoleHolders
    Starting test: RidManager
    * Available RID Pool for the Domain is 5603 to 1073741823
    * sjhdc01.xports.nhs.uk is the RID Master
    * DsBind with RID Master was successful
    * rIDAllocationPool is 4103 to 4602
    * rIDPreviousAllocationPool is 4103 to 4602
    * rIDNextRID: 4103
    ......................... SMHDC01 passed test RidManager
    Starting test: MachineAccount
    Checking machine account for DC SMHDC01 on DC SMHDC01.
    * SPN found :LDAP/smhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :LDAP/smhdc01.xports.nhs.uk
    * SPN found :LDAP/SMHDC01
    * SPN found :LDAP/smhdc01.xports.nhs.uk/PORTS
    * SPN found
    :LDAP/1dc26881-4ba8-42f7-bbc7-ed9f1ed16e0b._msdcs.xports.nhs.uk
    * SPN found
    :E3514235-4B06-11D1-AB04-00C04FC2DCD2/1dc26881-4ba8-42f7-bbc7-ed9f1ed16e0b/xports.nhs.uk
    * SPN found :HOST/smhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :HOST/smhdc01.xports.nhs.uk
    * SPN found :HOST/SMHDC01
    * SPN found :HOST/smhdc01.xports.nhs.uk/PORTS
    * SPN found :GC/smhdc01.xports.nhs.uk/xports.nhs.uk
    ......................... SMHDC01 passed test MachineAccount
    Starting test: Services
    Could not open Service Control Manager on [SMHDC01]:failed with 5:
    Access is denied.
    ......................... SMHDC01 failed test Services
    Starting test: OutboundSecureChannels
    * The Outbound Secure Channels test
    ** Did not run Outbound Secure Channels test
    because /testdomain: was not entered
    ......................... SMHDC01 passed test OutboundSecureChannels
    Starting test: ObjectsReplicated
    SMHDC01 is in domain DC=xports,DC=nhs,DC=uk
    Checking for CN=SMHDC01,OU=Domain
    Controllers,DC=xports,DC=nhs,DC=uk in domain DC=xports,DC=nhs,DC=uk on 6
    servers
    Object is up-to-date on all servers.
    Checking for CN=NTDS
    Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk in domain CN=Configuration,DC=xports,DC=nhs,DC=uk on 8 servers
    Object is up-to-date on all servers.
    ......................... SMHDC01 passed test ObjectsReplicated
    Starting test: frssysvol
    * The File Replication Service SYSVOL ready test
    File Replication Service's SYSVOL is ready
    ......................... SMHDC01 passed test frssysvol
    Starting test: frsevent
    * The File Replication Service Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    ......................... SMHDC01 failed test frsevent
    Starting test: kccevent
    * The KCC Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    Failed to enumerate event log records, error Access is denied.
    ......................... SMHDC01 failed test kccevent
    Starting test: systemlog
    * The System Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    Failed to enumerate event log records, error Access is denied.
    ......................... SMHDC01 failed test systemlog
    Starting test: VerifyReplicas





  3. #18
    Mr Major Thorburn Guest

    Re: NTDS Replication event 2023 error 8589

    Paul, further to my previous response I have removed two DCs that I had added
    (was trying to force the regeneration of the links). Now back to the
    original 8 (2 per domain, 1 parent 3 children)
    The dcdiag still shows errors but most of them seem to be for access denied.
    The id I am using to run the command is a domain admin in the sub domain and
    the server it is concerned about is in the parent domain.
    I tried to 'manage' the server in the parent domain and when I tried to open
    the services I got access denied. When I tried the same on the live
    production system it worked fine.
    What access rights are required for a domain administrator of a child domain
    to open services on a DC in a parent domain?
    Regards, Major.




  4. #19
    Paul Williams [MVP] Guest

    Re: NTDS Replication event 2023 error 8589

    You'll need to be administrator in that domain. Which means you need to be
    a member of the built-in\administrators group (or EA).

    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net
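
Added example, not part of the thread and not code from any poster: a small Python triage script that separates DCDIAG test failures caused by the privileges of the account running the tool (error 5, error 8453, missing logon rights) from failures that report something about the DC itself. The function names `parse_dcdiag` and `triage` are this example's own, and `SAMPLE` is a trimmed excerpt assembled from the DCDIAG output posted above.

```python
import re
from collections import defaultdict

# Trimmed excerpt assembled from the DCDIAG /V output posted in this thread.
SAMPLE = r"""
Testing server: virtual\SJHDC01
Starting test: Replications
* Replications Check
[Replications Check,SJHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
with error 8453,
Replication access was denied..
......................... SJHDC01 failed test Replications
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\SJHDC01\netlogon
[SJHDC01] User credentials does not have permission to perform this
operation.
......................... SJHDC01 failed test NetLogons
Starting test: Advertising
The DC SJHDC01 is advertising as a Key Distribution Center
Warning: SJHDC01 is not advertising as a time server.
......................... SJHDC01 failed test Advertising
Starting test: Services
Could not open Service Control Manager on [SJHDC01]:failed with 5:
Access is denied.
......................... SJHDC01 failed test Services
Starting test: frssysvol
File Replication Service's SYSVOL is ready
......................... SJHDC01 passed test frssysvol
Starting test: VerifyEnterpriseReferences
......................... SJHDC01 passed test
VerifyEnterpriseReferences
Testing server: virtual\SMHDC01
Starting test: Replications
REPLICATION LATENCY WARNING
SMHDC01: This replication path was preempted by higher priority work.
[Replications Check,SMHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
with error 8453,
Replication access was denied..
......................... SMHDC01 failed test Replications
Starting test: Advertising
Warning: SMHDC01 is not advertising as a time server.
......................... SMHDC01 failed test Advertising
"""

START_RE = re.compile(r"^Starting test:\s*(\S+)")
# The test name can wrap onto the next line, so it is not captured here;
# the name from the preceding "Starting test:" line is used instead.
RESULT_RE = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test\b")
# Messages that mean the caller lacked rights, not that the DC is unhealthy.
ACCESS_RE = re.compile(
    r"access (?:is|was) denied|\berror 8453\b|failed with 5:"
    r"|does not have permission",
    re.IGNORECASE,
)


def parse_dcdiag(text):
    """Return a list of (server, test, outcome, body_lines) tuples."""
    results, test, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        started = START_RE.match(line)
        if started:
            test, body = started.group(1), []
            continue
        finished = RESULT_RE.match(line)
        if finished and test is not None:
            results.append((finished.group(1), test, finished.group(2), body))
            test, body = None, []
            continue
        if test is not None and line:
            body.append(line)
    return results


def triage(text):
    """Group failed tests per server into 'access' and 'other'."""
    report = defaultdict(lambda: {"access": [], "other": []})
    for server, test, outcome, body in parse_dcdiag(text):
        if outcome != "failed":
            continue
        # DCDIAG wraps long messages, so match against the joined body.
        kind = "access" if ACCESS_RE.search(" ".join(body)) else "other"
        report[server][kind].append(test)
    return {server: buckets for server, buckets in report.items()}


if __name__ == "__main__":
    for server, buckets in triage(SAMPLE).items():
        print(server)
        print("  could not run under this account:", ", ".join(buckets["access"]))
        print("  reported by the DC itself:       ", ", ".join(buckets["other"]))
```

A test in the `access` bucket did not complete, so it says nothing about the DC's health until it is rerun under an account with rights on that DC; only the `other` bucket reflects findings about the DC itself.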



  5. #20
    Mr Major Thorburn Guest

    Re: NTDS Replication event 2023 error 8589

    Paul, thanks for staying with me on this.
    I have put the domain admins group of each sub domain into the enterprise
    admins group.
    I reran the dcdiag and I am still getting access denied errors.
    Regards, Major.

    Domain Controller Diagnosis

    Performing initial setup:
    * Verifying that the local machine phcntsjhdc01, is a DC.
    * Connecting to directory service on server phcntsjhdc01.
    * Collecting site info.
    * Identifying all servers.
    * Identifying all NC cross-refs.
    * Found 6 DC(s). Testing 6 of them.
    Done gathering initial info.

    Doing initial required tests

    Testing server: virtual\SJHDC01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... SJHDC01 passed test Connectivity

    Testing server: virtual\SMHDC01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... SMHDC01 passed test Connectivity

    Testing server: virtual\PHCNTSJHDC01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... PHCNTSJHDC01 passed test Connectivity

    Testing server: virtual\PHTSMHDC01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... PHTSMHDC01 passed test Connectivity

    Testing server: virtual\PHTQAHDC01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... PHTQAHDC01 passed test Connectivity

    Testing server: virtual\VIRTDC04
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ......................... VIRTDC04 passed test Connectivity

    Doing primary tests

    Testing server: virtual\SJHDC01
    Starting test: Replications
    * Replications Check
    [Replications Check,SJHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
    with error 8453,
    Replication access was denied..
    ......................... SJHDC01 failed test Replications
    Starting test: Topology
    * Configuration Topology Integrity Check
    * Analyzing the connection topology for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ......................... SJHDC01 passed test Topology
    Starting test: CutoffServers
    * Configuration Topology Aliveness Check
    * Analyzing the alive system replication topology for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ......................... SJHDC01 passed test CutoffServers
    Starting test: NCSecDesc
    * Security Permissions check for all NC's on DC SJHDC01.
    * Security Permissions Check for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk
    (NDNC,Version 2)
    * Security Permissions Check for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk
    (NDNC,Version 2)
    * Security Permissions Check for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk
    (Schema,Version 2)
    * Security Permissions Check for
    CN=Configuration,DC=xports,DC=nhs,DC=uk
    (Configuration,Version 2)
    * Security Permissions Check for
    DC=xports,DC=nhs,DC=uk
    (Domain,Version 2)
    ......................... SJHDC01 passed test NCSecDesc
    Starting test: NetLogons
    * Network Logons Privileges Check
    Verified share \\SJHDC01\netlogon
    Verified share \\SJHDC01\sysvol
    [SJHDC01] User credentials does not have permission to perform this
    operation.
    The account used for this test must have network logon privileges
    for this machine's domain.
    ......................... SJHDC01 failed test NetLogons
    Starting test: Advertising
    The DC SJHDC01 is advertising itself as a DC and having a DS.
    The DC SJHDC01 is advertising as an LDAP server
    The DC SJHDC01 is advertising as having a writeable directory
    The DC SJHDC01 is advertising as a Key Distribution Center
    Warning: SJHDC01 is not advertising as a time server.
    ......................... SJHDC01 failed test Advertising
    Starting test: KnowsOfRoleHolders
    Role Schema Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Domain Owner = CN=NTDS
    Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role PDC Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Rid Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Infrastructure Update Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    ......................... SJHDC01 passed test KnowsOfRoleHolders
    Starting test: RidManager
    * Available RID Pool for the Domain is 5603 to 1073741823
    * sjhdc01.xports.nhs.uk is the RID Master
    * DsBind with RID Master was successful
    * rIDAllocationPool is 4603 to 5102
    * rIDPreviousAllocationPool is 4603 to 5102
    * rIDNextRID: 4604
    ......................... SJHDC01 passed test RidManager
    Starting test: MachineAccount
    Checking machine account for DC SJHDC01 on DC SJHDC01.
    * SPN found :LDAP/sjhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :LDAP/sjhdc01.xports.nhs.uk
    * SPN found :LDAP/SJHDC01
    * SPN found :LDAP/sjhdc01.xports.nhs.uk/PORTS
    * SPN found
    :LDAP/881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
    * SPN found
    :E3514235-4B06-11D1-AB04-00C04FC2DCD2/881ebe49-647f-46f2-8017-b0a14f94b25a/xports.nhs.uk
    * SPN found :HOST/sjhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :HOST/sjhdc01.xports.nhs.uk
    * SPN found :HOST/SJHDC01
    * SPN found :HOST/sjhdc01.xports.nhs.uk/PORTS
    * SPN found :GC/sjhdc01.xports.nhs.uk/xports.nhs.uk
    ......................... SJHDC01 passed test MachineAccount
    Starting test: Services
    Could not open Service Control Manager on [SJHDC01]:failed with 5:
    Access is denied.
    ......................... SJHDC01 failed test Services
    Starting test: OutboundSecureChannels
    * The Outbound Secure Channels test
    ** Did not run Outbound Secure Channels test
    because /testdomain: was not entered
    ......................... SJHDC01 passed test OutboundSecureChannels
    Starting test: ObjectsReplicated
    SJHDC01 is in domain DC=xports,DC=nhs,DC=uk
    Checking for CN=SJHDC01,OU=Domain
    Controllers,DC=xports,DC=nhs,DC=uk in domain DC=xports,DC=nhs,DC=uk on 5
    servers
    Object is up-to-date on all servers.
    Checking for CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk in domain CN=Configuration,DC=xports,DC=nhs,DC=uk on 6 servers
    Object is up-to-date on all servers.
    ......................... SJHDC01 passed test ObjectsReplicated
    Starting test: frssysvol
    * The File Replication Service SYSVOL ready test
    File Replication Service's SYSVOL is ready
    ......................... SJHDC01 passed test frssysvol
    Starting test: frsevent
    * The File Replication Service Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    ......................... SJHDC01 failed test frsevent
    Starting test: kccevent
    * The KCC Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    Failed to enumerate event log records, error Access is denied.
    ......................... SJHDC01 failed test kccevent
    Starting test: systemlog
    * The System Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    Failed to enumerate event log records, error Access is denied.
    ......................... SJHDC01 failed test systemlog
    Starting test: VerifyReplicas
    ......................... SJHDC01 passed test VerifyReplicas
    Starting test: VerifyReferences
    The system object reference (serverReference)
    CN=SJHDC01,OU=Domain Controllers,DC=xports,DC=nhs,DC=uk and backlink
    on

    CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    are correct.
    The system object reference (frsComputerReferenceBL)
    CN=SJHDC01,CN=Domain System Volume (SYSVOL share),CN=File
    Replication Service,CN=System,DC=xports,DC=nhs,DC=uk
    and backlink on
    CN=SJHDC01,OU=Domain Controllers,DC=xports,DC=nhs,DC=uk are correct.
    The system object reference (serverReferenceBL)
    CN=SJHDC01,CN=Domain System Volume (SYSVOL share),CN=File
    Replication Service,CN=System,DC=xports,DC=nhs,DC=uk
    and backlink on
    CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    are correct.
    ......................... SJHDC01 passed test VerifyReferences
    Starting test: VerifyEnterpriseReferences
    ......................... SJHDC01 passed test
    VerifyEnterpriseReferences
    Starting test: CheckSecurityError
    * Dr Auth: Beginning security errors check!
    Found KDC SJHDC01 for domain xports.nhs.uk in site virtual
    Checking machine account for DC SJHDC01 on DC SJHDC01.
    * SPN found :LDAP/sjhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :LDAP/sjhdc01.xports.nhs.uk
    * SPN found :LDAP/SJHDC01
    * SPN found :LDAP/sjhdc01.xports.nhs.uk/PORTS
    * SPN found
    :LDAP/881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
    * SPN found
    :E3514235-4B06-11D1-AB04-00C04FC2DCD2/881ebe49-647f-46f2-8017-b0a14f94b25a/xports.nhs.uk
    * SPN found :HOST/sjhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :HOST/sjhdc01.xports.nhs.uk
    * SPN found :HOST/SJHDC01
    * SPN found :HOST/sjhdc01.xports.nhs.uk/PORTS
    * SPN found :GC/sjhdc01.xports.nhs.uk/xports.nhs.uk
    [SJHDC01] DsReplicaGetInfo(KCC_DS_CONNECT_FAILURES) failed with
    error 8453,
    Replication access was denied..
    [SJHDC01] Unable to query the list of KCC connection failures.
    Continuing...
    [SJHDC01] No security related replication errors were found on this
    DC! To target the connection to a specific source DC use /ReplSource:<DC>.
    ......................... SJHDC01 passed test CheckSecurityError

    Testing server: virtual\SMHDC01
    Starting test: Replications
    * Replications Check
    REPLICATION LATENCY WARNING
    SMHDC01: This replication path was preempted by higher priority work.
    from PHTSMHDC01 to SMHDC01
    Reason: Synchronization attempt failed because the destination
    DC is currently waiting to synchronize new partial attributes from source.
    This condition is normal if a recent schema change modified the partial
    attribute set. The destination partial attribute set is not a subset of
    source partial attribute set.
    The last success occurred at 2006-02-10 11:58:28.
    Replication of new changes along this path will be delayed.
    REPLICATION LATENCY WARNING
    SMHDC01: This replication path was preempted by higher priority work.
    from PHTSMHDC01 to SMHDC01
    Reason: Synchronization attempt failed because the destination
    DC is currently waiting to synchronize new partial attributes from source.
    This condition is normal if a recent schema change modified the partial
    attribute set. The destination partial attribute set is not a subset of
    source partial attribute set.
    The last success occurred at 2006-02-10 11:58:28.
    Replication of new changes along this path will be delayed.
    [Replications Check,SMHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
    with error 8453,
    Replication access was denied..
    ......................... SMHDC01 failed test Replications
    Starting test: Topology
    * Configuration Topology Integrity Check
    * Analyzing the connection topology for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    DC=pht-master,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    DC=pha,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for
    DC=phcnt,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ......................... SMHDC01 passed test Topology
    Starting test: CutoffServers
    * Configuration Topology Aliveness Check
    * Analyzing the alive system replication topology for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    CN=Configuration,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=pht-master,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=pha,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for
    DC=phcnt,DC=xports,DC=nhs,DC=uk.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ......................... SMHDC01 passed test CutoffServers
    Starting test: NCSecDesc
    * Security Permissions check for all NC's on DC SMHDC01.
    * Security Permissions Check for
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk
    (NDNC,Version 2)
    * Security Permissions Check for
    DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk
    (NDNC,Version 2)
    * Security Permissions Check for
    CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk
    (Schema,Version 2)
    * Security Permissions Check for
    CN=Configuration,DC=xports,DC=nhs,DC=uk
    (Configuration,Version 2)
    * Security Permissions Check for
    DC=xports,DC=nhs,DC=uk
    (Domain,Version 2)
    * Security Permissions Check for
    DC=pht-master,DC=xports,DC=nhs,DC=uk
    (Domain,Version 2)
    * Security Permissions Check for
    DC=pha,DC=xports,DC=nhs,DC=uk
    (Domain,Version 2)
    * Security Permissions Check for
    DC=phcnt,DC=xports,DC=nhs,DC=uk
    (Domain,Version 2)
    ......................... SMHDC01 passed test NCSecDesc
    Starting test: NetLogons
    * Network Logons Privileges Check
    Verified share \\SMHDC01\netlogon
    Verified share \\SMHDC01\sysvol
    [SMHDC01] User credentials does not have permission to perform this
    operation.
    The account used for this test must have network logon privileges
    for this machine's domain.
    ......................... SMHDC01 failed test NetLogons
    Starting test: Advertising
    The DC SMHDC01 is advertising itself as a DC and having a DS.
    The DC SMHDC01 is advertising as an LDAP server
    The DC SMHDC01 is advertising as having a writeable directory
    The DC SMHDC01 is advertising as a Key Distribution Center
    Warning: SMHDC01 is not advertising as a time server.
    The DS SMHDC01 is advertising as a GC.
    ......................... SMHDC01 failed test Advertising
    Starting test: KnowsOfRoleHolders
    Role Schema Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Domain Owner = CN=NTDS
    Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role PDC Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Rid Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    Role Infrastructure Update Owner = CN=NTDS
    Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
    ......................... SMHDC01 passed test KnowsOfRoleHolders
    Starting test: RidManager
    * Available RID Pool for the Domain is 5603 to 1073741823
    * sjhdc01.xports.nhs.uk is the RID Master
    * DsBind with RID Master was successful
    * rIDAllocationPool is 4103 to 4602
    * rIDPreviousAllocationPool is 4103 to 4602
    * rIDNextRID: 4103
    ......................... SMHDC01 passed test RidManager
    Starting test: MachineAccount
    Checking machine account for DC SMHDC01 on DC SMHDC01.
    * SPN found :LDAP/smhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :LDAP/smhdc01.xports.nhs.uk
    * SPN found :LDAP/SMHDC01
    * SPN found :LDAP/smhdc01.xports.nhs.uk/PORTS
    * SPN found
    :LDAP/1dc26881-4ba8-42f7-bbc7-ed9f1ed16e0b._msdcs.xports.nhs.uk
    * SPN found
    :E3514235-4B06-11D1-AB04-00C04FC2DCD2/1dc26881-4ba8-42f7-bbc7-ed9f1ed16e0b/xports.nhs.uk
    * SPN found :HOST/smhdc01.xports.nhs.uk/xports.nhs.uk
    * SPN found :HOST/smhdc01.xports.nhs.uk
    * SPN found :HOST/SMHDC01
    * SPN found :HOST/smhdc01.xports.nhs.uk/PORTS
    * SPN found :GC/smhdc01.xports.nhs.uk/xports.nhs.uk
    ......................... SMHDC01 passed test MachineAccount
    Starting test: Services
    Could not open Service Control Manager on [SMHDC01]:failed with 5:
    Access is denied.
    ......................... SMHDC01 failed test Services
    Starting test: OutboundSecureChannels
    * The Outbound Secure Channels test
    ** Did not run Outbound Secure Channels test
    because /testdomain: was not entered
    ......................... SMHDC01 passed test OutboundSecureChannels
    Starting test: ObjectsReplicated
    SMHDC01 is in domain DC=xports,DC=nhs,DC=uk
    Checking for CN=SMHDC01,OU=Domain
    Controllers,DC=xports,DC=nhs,DC=uk in domain DC=xports,DC=nhs,DC=uk on 5
    servers
    Object is up-to-date on all servers.
    Checking for CN=NTDS
    Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk in domain CN=Configuration,DC=xports,DC=nhs,DC=uk on 6 servers
    Object is up-to-date on all servers.
    ......................... SMHDC01 passed test ObjectsReplicated
    Starting test: frssysvol
    * The File Replication Service SYSVOL ready test
    File Replication Service's SYSVOL is ready
    ......................... SMHDC01 passed test frssysvol
    Starting test: frsevent
    * The File Replication Service Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    ......................... SMHDC01 failed test frsevent
    Starting test: kccevent
    * The KCC Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    Failed to enumerate event log records, error Access is denied.
    ......................... SMHDC01 failed test kccevent
    Starting test: systemlog
    * The System Event log test
    Error 5 accessing FRS eventlog: Access is denied.
    Failed to enumerate event log records, error Access is denied.
    ......................... SMHDC01 failed test systemlog
    Starting test: VerifyReplicas


    "Paul Williams [MVP]" wrote:

    > You'll need to be administrator in that domain. Which means you need to be
    > a member of the built-in\administrators group (or EA).
    >
    > --
    > Paul Williams
    > Microsoft MVP - Windows Server - Directory Services
    > http://www.msresource.net | http://forums.msresource.net
    >
    >
    >


  6. #21
    Mr Major Thorburn Guest

    Re: NTDS Replication event 2023 error 8589

    Paul, I have just noticed that dcdiag failed to complete.
    The text in the event log was

    Faulting application dcdiag.exe, version 5.2.3790.1830, faulting module
    dcdiag.exe, version 5.2.3790.1830, fault address 0x0004a66c.

    Any suggestions for that?

    Regards, Major.


    "Paul Williams [MVP]" wrote:

    > You'll need to be administrator in that domain. Which means you need to be
    > a member of the built-in\administrators group (or EA).
    >
    > --
    > Paul Williams
    > Microsoft MVP - Windows Server - Directory Services
    > http://www.msresource.net | http://forums.msresource.net
    >
    >
    >


  7. #22
    Mr Major Thorburn Guest

    Re: NTDS Replication event 2023 error 8589

    Paul, I have subsequently run dcdiag /v /c on each DC.
    Some of them, particularly in the sub domains, have downstream topology is
    disconnected messages.
    Any hints for this?
    Regards, Major.

    "Paul Williams [MVP]" wrote:

    > You'll need to be administrator in that domain. Which means you need to be
    > a member of the built-in\administrators group (or EA).
    >
    > --
    > Paul Williams
    > Microsoft MVP - Windows Server - Directory Services
    > http://www.msresource.net | http://forums.msresource.net
    >
    >
    >


  8. #23
    Paul Williams [MVP] Guest

    Re: NTDS Replication event 2023 error 8589

    Sorry for the delay. This post is a long way down...

    I would try the newest version. The support tools ship newer versions with
    the SPs, but don't install as part of the SP. You can also download the
    latest versions.

    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net



  9. #24
    Paul Williams [MVP] Guest

    Re: NTDS Replication event 2023 error 8589

    This is strange. All of those errors are access denied. Are these DCs
    still members of the Domain Controllers group?

    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net
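
The observation in the reply above (the failures are access-denied results, not replication faults) can be checked mechanically. The following is an added example, not part of the original thread or of DCDIAG itself: the function names and the four result groups are assumptions, and the sample is an abridged excerpt of the output posted earlier in the thread.

```python
import re

# Abridged excerpt of the DCDIAG output posted in this thread (wraps preserved).
SAMPLE = """\
Testing server: virtual\\SJHDC01
Starting test: NetLogons
[SJHDC01] User credentials does not have permission to perform this
operation.
......................... SJHDC01 failed test NetLogons
Starting test: Advertising
Warning: SJHDC01 is not advertising as a time server.
......................... SJHDC01 failed test Advertising
Starting test: Services
Could not open Service Control Manager on [SJHDC01]:failed with 5:
Access is denied.
......................... SJHDC01 failed test Services
Starting test: VerifyEnterpriseReferences
......................... SJHDC01 passed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
[SJHDC01] DsReplicaGetInfo(KCC_DS_CONNECT_FAILURES) failed with
error 8453,
Replication access was denied..
......................... SJHDC01 passed test CheckSecurityError
Testing server: virtual\\SMHDC01
Starting test: Replications
[Replications Check,SMHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
with error 8453,
Replication access was denied..
......................... SMHDC01 failed test Replications
Starting test: VerifyReplicas
"""

HEADER_RE = re.compile(r"(Testing server|Starting test):\s*(\S+)")
RESULT_RE = re.compile(r"\.{5,}\s*(\S+) (passed|failed) test")
CODE_RE = re.compile(r"(?:failed with(?: error)?|[Ee]rror) (\d+)")
DENIED_CODES = {5, 8453}  # ERROR_ACCESS_DENIED, ERROR_DS_DRA_ACCESS_DENIED
DENIED_TEXT = re.compile(r"access (?:is|was) denied|does not have permission", re.I)


def parse_dcdiag(text):
    """Return one record per test: server, test, status, codes, denied."""
    records, server, test, body = [], None, None, []
    def close(status, name):
        joined = " ".join(body)  # rejoin wrapped lines before matching
        codes = sorted({int(c) for c in CODE_RE.findall(joined)})
        denied = bool(DENIED_CODES & set(codes) or DENIED_TEXT.search(joined))
        records.append({"server": name, "test": test, "status": status,
                        "codes": codes, "denied": denied})

    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            if test:  # previous test never printed a result line
                close("incomplete", server)
            if m.group(1) == "Testing server":
                server, test = m.group(2).split("\\")[-1], None
            else:
                test = m.group(2)
            body = []
        elif (m := RESULT_RE.match(line)) and test:
            close(m.group(2), m.group(1))
            test, body = None, []
        elif test:
            body.append(line)
    if test:  # output stopped mid-test, e.g. the tool faulted
        close("incomplete", server)
    return records


def triage(records):
    """Group 'server:test' labels by what the result tells the operator."""
    out = {k: [] for k in ("denied_failures", "other_failures",
                           "passed_but_denied", "incomplete")}
    for r in records:
        if r["status"] == "incomplete":
            key = "incomplete"
        elif r["status"] == "failed":
            key = "denied_failures" if r["denied"] else "other_failures"
        else:
            key = "passed_but_denied" if r["denied"] else None
        if key:
            out[key].append(f"{r['server']}:{r['test']}")
    return out
```

A test in `passed_but_denied` printed a pass although one of its queries was refused, so its result says little until the run is repeated with sufficient rights.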



  10. #25
    Mr Major Thorburn Guest

    Re: NTDS Replication event 2023 error 8589

    Paul, thanks for getting back to me. I have been working on other things
    since the last post so any delay has not been a problem. I'm just glad of
    your response.

    All the DCs are in the appropriate domain controllers group and the domains
    are intact because I can promote a new server as a DC in each of them without
    any problems.
    I am able to do some more diagnosis now as my other work is complete.
    Regards, Major.


    "Paul Williams [MVP]" wrote:

    > This is strange. All of those errors are access denied. Are these DCs
    > still members of the Domain Controllers group?
    >
    > --
    > Paul Williams
    > Microsoft MVP - Windows Server - Directory Services
    > http://www.msresource.net | http://forums.msresource.net
    >
    >
    >


  11. #26
    Mr Major Thorburn Guest

    Re: NTDS Replication event 2023 error 8589

    Paul, don't worry about the delay, I was doing other things.
    Did you want me to start a new thread?
    The version of dcdiag I was using is 5.2.3790.1830. Is that the latest?

    The DS errors have changed a bit.
    On the root domain DCs I am getting
    Active Directory failed to construct a mutual authentication service
    principal name (SPN) for the following domain controller.

    Domain controller:
    1201a128-9b81-4adf-b2cf-2fab2180c3b0._msdcs.xports.nhs.uk

    The call was denied. Communication with this domain controller might be
    affected.

    Additional Data
    Error value:
    8419 The DSA object could not be found.

    And on the sub domain DCs
    The local domain controller was unable to replicate changes to the following
    remote domain controller for the following directory partition.

    Remote domain controller:
    84741a6c-b847-42bc-9c0f-a9fe7b6de218._msdcs.xports.nhs.uk
    Directory partition:
    DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk

    The local domain controller cannot complete demotion.

    User Action
    Investigate why replication between these two domain controllers cannot be
    performed. Then, try to demote this domain controller again.

    Additonal Data
    Error value:
    8419 The DSA object could not be found.

    Regards, Major.

    "Paul Williams [MVP]" wrote:

    > Sorry for the delay. This post is a long way down...
    >
    > I would try the newest version. The support tools ship newer versions with
    > the SPs, but don't install as part of the SP. You can also download the
    > latest versions.
    >
    > --
    > Paul Williams
    > Microsoft MVP - Windows Server - Directory Services
    > http://www.msresource.net | http://forums.msresource.net
    >
    >
    >


  12. #27
    Paul Williams [MVP] Guest

    Re: NTDS Replication event 2023 error 8589

    Clutching at straws here, as it gets tricky without being there:
    -- http://support.microsoft.com/?id=320063


    This still looks like it's DNS related.

    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net



  13. #28
    Paul Williams [MVP] Guest

    Re: NTDS Replication event 2023 error 8589

    That looks like there are still DCs in AD that aren't there. Or, there are
    stale CNAME records in DNS. Delete _msdcs and restart NETLOGON on the DCs
    (this is a test lab if I remember correctly).

    Follow kb216498 to be sure you've not left anything in there that shouldn't
    be.

    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net



  14. #29
    Mr Major Thorburn Guest

    Re: NTDS Replication event 2023 error 8589

    Paul, I have created a new post for the same setup.
    I did a DC demotion/promotion and that seemed to resolve this particular issue.

    I would appreciate your help with the new problem in the new post if that is
    ok with you.

    I may get back to this sort of problem when I attempt another domain rename.

    At the moment I am trying to do an Exchange 2003 installation and the AD
    replication problems are stopping that which is in the new post.

    Thanks for your help on this one.

    Regards, Major.

    "Paul Williams [MVP]" wrote:

    > Clutching at straws here, as it gets tricky without being there:
    > -- http://support.microsoft.com/?id=320063
    >
    >
    > This still looks like it's DNS related.
    >
    > --
    > Paul Williams
    > Microsoft MVP - Windows Server - Directory Services
    > http://www.msresource.net | http://forums.msresource.net
    >
    >
    >

