
What happens when Active Directory fails?


12 replies to this topic

#1 northbayteky


Posted 22 September 2015 - 12:40 PM

A little background first:
 
One of our library departments is in a building that used to be used by the county. Since they (our county IT overlords) had already routed all the network traffic to their personal liking, once technical services (it's not what you think) moved in, they didn't change the routing.
 
I have a DC in that building and it is now having difficulty replicating. When I force replication from it, I get the standard message "one or more connections are in different sites and AD DS will attempt to replicate across these connections."
 
However, when I try to replicate from any other site or DC to this DC, I get the following message:
 
The following error occurred during the attempt to synchronize naming context my.domain.com from DC Krypton to DC Freon: The naming context is in the process of being moved or is not replicated from the specified server. This operation will not continue.
 
I have told my boss that there are significant errors on multiple DCs in regard to replicating from Krypton, and I believe it's the firewall between that DC and everyone else. He asked the county IT guys to open up that firewall and gave them the IP addresses of all the other DCs, but nothing has changed, even though it is "wide open." I have my doubts.
 
So, I think DNS is failing, because all the servers stopped reporting to the WSUS server at (roughly) the same time; 5/31-6/1 is the last time any of them reported. It could be something completely different, but AD is completely dependent on DNS functioning correctly. With one DC basically out of the loop entirely, I expect things to start failing little by little.
 
I have researched some of the errors I've found on other DCs and the first thing in the list of things to check is usually make sure there is no firewall between DCs. 
 
So, since I can't get the firewall out of this equation, what kind of workaround options do I have? Or do I have any options?
 
What other failures can I expect to see, as I don't see any resolution?
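The firewall question in the post above is the one to settle first, and "wide open" is something you can measure rather than take on trust. The script below is an added example, not from the original thread: it probes, from one DC, the TCP ports a replication partner must expose. The port list follows Microsoft's KB 179442 ("How to configure a firewall for Active Directory domains and trusts"); the hostname, site names and the simulated firewall are constructed so the example runs offline. The point it demonstrates is the one that usually trips up a rule written as "allow DC-to-DC": directory replication itself runs over RPC on a dynamically assigned port, so the whole dynamic range must pass, and a connection that is refused still proves the firewall let the packet through, while a timeout is what a silent drop looks like.

```python
"""Probe the TCP ports a domain controller must reach on a replication partner.

Added example, not code from the original thread. Port list per Microsoft
KB 179442. The host name and the simulated firewall below are constructed.
"""
import socket

# Fixed TCP ports used between DCs (UDP 53/88/123/389 also matter; not probed here).
DC_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (SYSVOL replication)",
    464: "Kerberos password change",
    636: "LDAP over TLS",
    3268: "Global Catalog",
    3269: "Global Catalog over TLS",
}

# AD replication runs over RPC on a dynamically assigned port, so the *whole*
# range must pass. Which range applies depends on the OS of the DC being probed.
RPC_DYNAMIC_RANGE = {
    "2003": (1025, 5000),
    "2008+": (49152, 65535),
}


def probe(host, port, timeout=2.0, connector=socket.create_connection):
    """Classify one TCP port. A refused connection still proves the firewall
    passed the packet; only a timeout suggests it is being dropped."""
    try:
        connector((host, port), timeout=timeout).close()
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def check_dc_ports(host, target_os="2003", connector=socket.create_connection):
    """Probe the fixed ports plus the ends and midpoint of the RPC dynamic range."""
    results = {}
    for port, service in DC_TCP_PORTS.items():
        results[port] = (service, probe(host, port, connector=connector))
    lo, hi = RPC_DYNAMIC_RANGE[target_os]
    for port in (lo, (lo + hi) // 2, hi):
        results[port] = (f"RPC dynamic {lo}-{hi}", probe(host, port, connector=connector))
    return results


def filtered_ports(results):
    """Ports that timed out: the list to take back to whoever owns the firewall."""
    return sorted(port for port, (_, state) in results.items() if state == "filtered")


# Constructed simulation of a "wide open" rule that in fact passes only the
# well-known ports and the first dynamic port, and silently drops the rest.
class _Closable:
    def close(self):
        pass


def simulated_connector(address, timeout=None):
    _, port = address
    if port in DC_TCP_PORTS:
        return _Closable()
    if port == 1025:          # passes the firewall, but no RPC server is bound there
        raise ConnectionRefusedError
    raise socket.timeout()    # dropped by the firewall


if __name__ == "__main__":
    # Replace simulated_connector with socket.create_connection to probe a real DC.
    res = check_dc_ports("krypton.my.domain.com", "2003", connector=simulated_connector)
    for port, (service, state) in sorted(res.items()):
        print(f"{port:>5}  {state:<11} {service}")
    print("filtered:", filtered_ports(res))
```

Run it from each DC that fails to pull from the isolated one, with the target OS set to that DC's version; anything reported as filtered in the dynamic range is evidence the rule is not what was described, independent of what AD itself reports.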




#2 packetanalyzer


Posted 22 September 2015 - 01:35 PM

By chance are one of those DCs running Windows 2000?

 

Microsoft admits that Windows 2000 DCs may have this error if a DCPROMO was run. The error can be caused by any of the following:

 

  • Changes to your DC replication schema
  • Modifications that have not yet completed in the forest
  • Use of REPADMIN.EXE /SYNCALL when the list of DCs is out of date on one of the DCs
  • Demotion of catalog servers

Do you know if any of those have taken place around the time you began having the error?



#3 northbayteky


Posted 22 September 2015 - 01:48 PM

Oh, gosh, sorry, I didn't give any of the OS versions at all. :-( 

 

The only change that likely took place was the demotion of a catalog server, though not at the site that is affected. As we replace our old 2003 servers with 2012 servers, we demote and remove the servers being replaced.  And to be honest, I don't really remember when (or if) forced replication from Krypton was successful.

 

Krypton is Server 2003 and has been in service for years (obviously I guess.) We are kind of mixed with 2003 and 2012 R2 DCs. 



#4 packetanalyzer


Posted 22 September 2015 - 02:00 PM

northbayteky wrote: "The only change that likely took place was the demotion of a catalog server, though not at the site that is affected."

 

That is good to know! Okay, so around the same time a catalog server was demoted at another site you began seeing replication failures. If you run "dcdiag" on one of the DCs, what errors do you have?

 

Specifically, the two commands you may want to run are:

dsquery server -isgc

and

dcdiag /v /c /d /e

Those commands will give you detailed information about if the current global catalog is detected and the health status of replication of your DCs.


Edited by packetanalyzer, 22 September 2015 - 02:03 PM.


#5 northbayteky


Posted 22 September 2015 - 02:03 PM

 

packetanalyzer wrote: "The only change that likely took place was the demotion of a catalog server, though not at the site that is affected.

That is good to know! Okay, so around the same time a catalog server was demoted at another site you began seeing replication failures. If you run "dcdiag" on one of the DCs, what errors do you have?"

Hmm, I will have to try that and see what I get. Thank you :-)



#6 packetanalyzer


Posted 22 September 2015 - 02:05 PM

I updated my post with more specific commands. Please let me know if you find more errors when you run them.



#7 Wand3r3r


Posted 23 September 2015 - 10:01 AM

Is Krypton's subnet listed in AD Sites and Services?



#8 northbayteky


Posted 23 September 2015 - 01:51 PM

Wand3r3r wrote: "Is Krypton's subnet listed in AD Sites and Services?"

Oh yes. 

 

I'm running those dcdiag commands now. Looks like it may take awhile. 

 

I guess I should have had this spit the output to a file. 


Edited by northbayteky, 23 September 2015 - 02:02 PM.


#9 packetanalyzer


Posted 23 September 2015 - 02:14 PM

northbayteky wrote: "I guess I should have had this spit the output to a file."


I'm sorry I should have suggested that. Commands to send the output to a file would be:

dsquery server -isgc > %userprofile%\Desktop\dsquery.txt
DCdiag /v /c /d /e > %userprofile%\Desktop\dcdiag.txt


#10 northbayteky


Posted 23 September 2015 - 02:33 PM

I'm thinking I should probably run this test again, against one DC at a time. Some seem to be testing OK, some have a lot of errors. It's making my head hurt :-(



#11 JohnnyJammer


Posted 23 September 2015 - 05:23 PM

First I would check to make sure no one has set static routes, using the command

route print

Then obviously check your DNS settings in ncpa.cpl. I would then reset the server's account in AD using the command

netdom resetpwd /s:ReachableGlobalCatServer /ud:domainname\DomainAdminAccount /pd:DomainAdminPassword

I would proceed to AD Sites and Services (dssite.msc) and check the Subnets to ensure you have the next hop/hops, then make sure that the server is set to the correct subnet and location.

Now I would use the repadmin command to try and replicate the whole catalogue (or right-click the server in the NTDS subtree and try to replicate that way).

Also, while in AD Sites and Services, make sure you are communicating through IP or SMTP on all servers.

These might show the last error or sync times. (Make sure the server is set to the NTP time server using the command net time \\someservername /set /y.)

Rep summary (check for failures):

repadmin /replsum *

Check for failures from the AD catalogue:

repadmin /showrepl * | more

Let me know how that goes, mate.


Edited by JohnnyJammer, 23 September 2015 - 05:26 PM.


#12 northbayteky


Posted 22 October 2015 - 02:10 PM

JohnnyJammer wrote: "...I would then reset the server's account in AD using the command..."

 

Why would you reset the server account? And more to the point, which server account? 

 

I have determined there are some tombstone issues, probably because the one DC was not able to replicate. 



#13 JohnnyJammer


Posted 22 October 2015 - 06:10 PM

It appears you have a replication issue, and along with the tombstone period (this could be a Kerberos ticket not being updated) you would need to reset the server's machine SID in Active Directory, mate, and then manually force replication of the whole domain catalogue using the command:

repadmin /replicate NotWorkingServer WorkingServer DC=yourDomainName,DC=com /force

 

Try it mate as i have had the exact same issue!
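
Before running the /force above, it is worth reading the whole replication topology once, because the "tombstone issues" mentioned in #12 change what the right fix is. The script below is an added example, not code from anyone in this thread: it triages `repadmin /showrepl * /csv` output offline, covering both the failure summary JohnnyJammer asks for in #11 and the tombstone question in #12 and #13. The column names follow the header repadmin writes in /csv mode (an assumption to verify against your own export); FREON and KRYPTON are the DC names from the thread, while ARGON, the site names, timestamps, failure counts and status codes are constructed. A link whose last successful sync is older than the tombstone lifetime is reported as STALE rather than merely FAILING, because a source that has been out of the loop that long may hold lingering objects, and the partner typically refuses it with status 8614 ("time since the last replication ... has exceeded the tombstone lifetime"); Microsoft's guidance there is to remove lingering objects or demote the DC and clean up its metadata, not to force the sync through. The default lifetime is 60 days for forests created before Windows Server 2003 SP1 and 180 days afterwards, so the example tries both; a forest that has had 2003 DCs "for years" may well be on the 60-day value.

```python
"""Triage `repadmin /showrepl * /csv` output offline.

Added example, not code from the original thread. Column names follow the
header repadmin writes in /csv mode (assumption: compare with your own export).
FREON and KRYPTON are the DC names used in the thread; ARGON, the site names,
timestamps, failure counts and status codes are constructed sample data.
"""
import csv
import io
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Default tombstone lifetime: 60 days for forests created before Windows Server
# 2003 SP1, 180 days for forests created on 2003 SP1 or later. Read the real value
# from the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,
# CN=Services,CN=Configuration,<forest root DN>.
TOMBSTONE_DAYS_LEGACY = 60
TOMBSTONE_DAYS_CURRENT = 180

# Constructed sample in the layout of `repadmin /showrepl * /csv`.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Main-Office,FREON,"DC=my,DC=domain,DC=com",Technical-Services,KRYPTON,RPC,1831,2015-09-23 13:50:02,2015-05-31 22:10:47,8614
showrepl_INFO,Technical-Services,KRYPTON,"DC=my,DC=domain,DC=com",Main-Office,FREON,RPC,0,0,2015-09-23 13:45:11,0
showrepl_INFO,Main-Office,FREON,"CN=Configuration,DC=my,DC=domain,DC=com",Main-Office,ARGON,RPC,0,0,2015-09-23 13:52:30,0
"""
AS_OF = datetime(2015, 9, 23, 14, 0, 0)  # constructed "now" (the thread's date)


def parse_showrepl_csv(text):
    """One dict per inbound replication link, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, now, tombstone_days):
    """Classify every link as OK, FAILING, or STALE (no success within the
    tombstone lifetime, so the source may hold lingering objects)."""
    findings = []
    for r in rows:
        failures = int(r["Number of Failures"])
        status = int(r["Last Failure Status"])
        last_ok = r["Last Success Time"]
        days = None
        if last_ok not in ("", "0"):
            days = (now - datetime.strptime(last_ok, TIME_FMT)).days
        if days is None or days > tombstone_days:
            level = "STALE"      # do not /force; clean up lingering objects or demote
        elif failures or status:
            level = "FAILING"
        else:
            level = "OK"
        findings.append({
            "dest": r["Destination DSA"],
            "source": r["Source DSA"],
            "nc": r["Naming Context"],
            "failures": failures,
            "status": status,
            "days_since_success": days,
            "level": level,
        })
    return findings


def failing_sources(findings):
    """Source DCs that at least one partner cannot pull from cleanly."""
    return {f["source"] for f in findings if f["level"] != "OK"}


if __name__ == "__main__":
    rows = parse_showrepl_csv(SAMPLE_CSV)
    for lifetime in (TOMBSTONE_DAYS_LEGACY, TOMBSTONE_DAYS_CURRENT):
        print(f"--- tombstone lifetime {lifetime} days ---")
        for f in triage(rows, AS_OF, lifetime):
            print(f"{f['level']:<8} {f['dest']} <- {f['source']} {f['nc']} "
                  f"failures={f['failures']} status={f['status']} "
                  f"days_since_success={f['days_since_success']}")
    print("sources with problems:", failing_sources(triage(rows, AS_OF, TOMBSTONE_DAYS_LEGACY)))
```

To use it on a real forest, run `repadmin /showrepl * /csv > showrepl.csv` from any DC, pass the file contents to parse_showrepl_csv, and set the lifetime to the value actually configured in the forest. Rows that come out STALE identify the DC that has to be cleaned up (or demoted and removed with metadata cleanup) before anything else will replicate with it again; rows that are only FAILING with a recent success are the ones where a firewall or DNS fix can still bring the link back.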





