Replication Issues

[rotomme]

I am having a hard time Replicating a site in AD. It gives me an "Access Denied" error when I run Replmon. I also did a DCDIAG test and got these results. The site is called Woburn. Any insight would be huge.

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:

Done gathering initial info.

Doing initial required tests

Testing server: Horsham\HQDC01

Starting test: Connectivity

......................... HQDC01 passed test Connectivity

Doing primary tests

Testing server: Horsham\HQDC01

Starting test: Replications

[Replications Check,HQDC01] A recent replication attempt failed:

From AURORA to HQDC01

Naming Context: DC=ForestDnsZones,DC=CORPORATE,DC=LOCAL

The replication generated an error (1256):

The remote system is not available. For information about network tr

oubleshooting, see Windows Help.

The failure occurred at 2005-10-03 12:45:58.

The last success occurred at 2005-09-23 04:45:48.

496 failures have occurred since the last success.

[Replications Check,HQDC01] A recent replication attempt failed:

From AURORA to HQDC01

Naming Context: DC=DomainDnsZones,DC=CORPORATE,DC=LOCAL

The replication generated an error (1256):

The remote system is not available. For information about network tr

oubleshooting, see Windows Help.

The failure occurred at 2005-10-03 12:45:58.

The last success occurred at 2005-09-23 04:45:48.

496 failures have occurred since the last success.

[Replications Check,HQDC01] A recent replication attempt failed:

From AURORA to HQDC01

Naming Context: CN=Schema,CN=Configuration,DC=CORPORATE,DC=LOCAL

The replication generated an error (1722):

The RPC server is unavailable.

The failure occurred at 2005-10-03 12:46:47.

The last success occurred at 2005-09-23 04:45:46.

496 failures have occurred since the last success.

^C

C:\Program Files\Support Tools>dcdiag /test:securityerror

Test not found. Please re-enter a valid test name.

C:\Program Files\Support Tools>dcdiag /test:checksecurityerror

Domain Controller Diagnosis

Performing initial setup:

Done gathering initial info.

Doing initial required tests

Testing server: Horsham\HQDC01

Starting test: Connectivity

......................... HQDC01 passed test Connectivity

Doing primary tests

Testing server: Horsham\HQDC01

Starting test: CheckSecurityError

Source DC AURORA has possible security error (1722). Diagnosing...

No KDC found for domain CORPORATE.LOCAL in site AURORA (1355, NUL

L)

[AURORA] Unable to contact this DC. Cannot continue diagnosing e

rrors with this DC.

[LINDENWOLD] DsBindWithSpnEx() failed with error 1722,

The RPC server is unavailable..

Ignoring DC LINDENWOLD in the convergence test of object CN=HQDC01,OU=D

omain Controllers,DC=CORPORATE,DC=LOCAL, because we cannot connect!

[AURORA] DsBindWithSpnEx() failed with error 1722,

The RPC server is unavailable..

Ignoring DC AURORA in the convergence test of object CN=HQDC01,OU=Domai

n Controllers,DC=CORPORATE,DC=LOCAL, because we cannot connect!

Authoritative attribute dBCSPwd on HQDC02 (writeable)

usnLocalChange = 14581070

LastOriginatingDsa = HQDC01

usnOriginatingChange = 51810650

timeLastOriginatingChange = 2005-09-28 23:32:51

VersionLastOriginatingChange = 15

Out-of-date attribute dBCSPwd on WOBURN (writeable)

usnLocalChange = 11154431

LastOriginatingDsa = HQDC01

usnOriginatingChange = 49944195

timeLastOriginatingChange = 2005-08-29 16:32:50

VersionLastOriginatingChange = 14

Authoritative attribute lmPwdHistory on MAITLAND (writeable)

usnLocalChange = 7682906

LastOriginatingDsa = HQDC01

usnOriginatingChange = 51810650

timeLastOriginatingChange = 2005-09-28 23:32:51

VersionLastOriginatingChange = 15

Out-of-date attribute lmPwdHistory on WOBURN (writeable)

usnLocalChange = 11154431

LastOriginatingDsa = HQDC01

usnOriginatingChange = 49944195

timeLastOriginatingChange = 2005-08-29 16:32:50

VersionLastOriginatingChange = 14

Authoritative attribute ntPwdHistory on HAVERHILL (writeable)

usnLocalChange = 120475

LastOriginatingDsa = HQDC01

usnOriginatingChange = 51810650

timeLastOriginatingChange = 2005-09-28 23:32:51

VersionLastOriginatingChange = 15

Out-of-date attribute ntPwdHistory on WOBURN (writeable)

usnLocalChange = 11154431

LastOriginatingDsa = HQDC01

usnOriginatingChange = 49944195

timeLastOriginatingChange = 2005-08-29 16:32:50

VersionLastOriginatingChange = 14

Authoritative attribute pwdLastSet on WELLESLEY (writeable)

usnLocalChange = 2486866

LastOriginatingDsa = HQDC01

usnOriginatingChange = 51810650

timeLastOriginatingChange = 2005-09-28 23:32:51

VersionLastOriginatingChange = 15

Out-of-date attribute pwdLastSet on WOBURN (writeable)

usnLocalChange = 11154431

LastOriginatingDsa = HQDC01

usnOriginatingChange = 49944195

timeLastOriginatingChange = 2005-08-29 16:32:50

VersionLastOriginatingChange = 14

Authoritative attribute supplementalCredentials on PORTSMOUTH (write

able)

usnLocalChange = 8326916

LastOriginatingDsa = HQDC01

usnOriginatingChange = 51810651

timeLastOriginatingChange = 2005-09-28 23:32:51

VersionLastOriginatingChange = 14

Out-of-date attribute supplementalCredentials on WOBURN (writeable)

usnLocalChange = 11154431

LastOriginatingDsa = HQDC01

usnOriginatingChange = 49944196

timeLastOriginatingChange = 2005-08-29 16:32:50

VersionLastOriginatingChange = 13

Authoritative attribute unicodePwd on HOWELL (writeable)

usnLocalChange = 487272

LastOriginatingDsa = HQDC01

usnOriginatingChange = 51810650

timeLastOriginatingChange = 2005-09-28 23:32:51

VersionLastOriginatingChange = 15

Out-of-date attribute unicodePwd on WOBURN (writeable)

usnLocalChange = 11154431

LastOriginatingDsa = HQDC01

usnOriginatingChange = 49944195

timeLastOriginatingChange = 2005-08-29 16:32:50

VersionLastOriginatingChange = 14

Unable to verify the convergence of this machine account (CN=HQDC01,OU=

Domain Controllers,DC=CORPORATE,DC=LOCAL) on this domain (DC=CORPORATE,DC=LOCAL)

. Does the machine account password need reseting?

......................... HQDC01 failed test CheckSecurityError

Running partition tests on : ForestDnsZones

Running partition tests on : DomainDnsZones

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : CORPORATE

Running enterprise tests on : CORPORATE.LOCAL

Ty,

Tommy

[BiJiCool]

Try to ping from your "failing" DC to the one that has the "PDC-role" (usually the first DC in your AD has this role). Make sure you can ping it using the DNS name and not just the IP address.

What kind of connectivity do you have between the sites? Make sure no firewalls are blocking traffic that they shouldn't

[rotomme]

Try to ping from your "failing" DC to the one that has the "PDC-role" (usually the first DC in your AD has this role).  Make sure you can ping it using the DNS name and not just the IP address.

What kind of connectivity do you have between the sites?  Make sure no firewalls are blocking traffic that they shouldn't

586616269[/snapback]

I can ping fine and it is a VPN tunnel. I have many sites setup like this but this is the only one giving me trouble. In my post it says Out-of-date passwords. I think this relivant. I ran replmon and got an error from this site saying access denied.

[Mattimeo]

How long ago was it since the last successful replication? I think AD has a limit of like 60 days before something like this happens...

[rotomme]

How long ago was it since the last successful replication? I think AD has a limit of like 60 days before something like this happens...

586616710[/snapback]

It looks like that is about right 60 days. I just dont know how to fix it.

[BiJiCool]

Maybe this is an option:

configure a new DC in your central site, let it replicate and then move it (physically too) to the failing site. Set that server as bridgehead. Then you can safely demote and promote back the failing server.

[cyriliano]

You must reset security channel.

First disable Kerberos KDC and restart DC.Then use

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password

wait 10 mins and check replication.It must be OK.Then enable Kerberos KDC and restart dc.That's all