
I recently discovered that Active Directory replication started failing about a month ago. If I attempt to Replicate Now from the failing domain controller, I receive "The following error occurred during the attempt to synchronize the domain controllers: Access is denied."

The Directory Service log tells basically the same story, repeating two events:

  • 1061: Internal error: The directory replication agent (DRA) call returned error 5.
  • 1085: Replication warning: The directory replication agent (DRA) couldn't synchronize partition DC=OUR_DOMAIN with partition on directory server big-long-guid._msdcs.OUR_DOMAIN. The error was: Access is denied

It is between two servers at a remote site. One is Windows 2003 and the other is Windows 2000; the Windows 2000 machine is experiencing the errors. The domain is the older OUR_DOMAIN style.

Attempts so far:

  • I disabled Kerberos service on the Windows 2000 server and restarted
  • RPC and RPC Locator services have expected settings
  • HKEY_Local_Machine\Software\Microsoft\Rpc\ClientProtocols missing ncacn_nb_tcp on Windows 2003 server (added)
  • Portqry reports okay
  • Firewall disabled
  • netdom resetpwd (and reboot) on Windows 2000 server.
  • ENTERPRISE DOMAIN ADMINS has read access to site on both servers
  • dcdiag /c on 2003: Pass all except DNS Forward; several errors related to root hint servers, which don't seem relevant
  • dcdiag /c on 2000: says replication failed (duh) (3 reports) and then passes the test(?). Reports IISADMIN and SMTPSVC missing (don't see why they would be needed). Lists some error events for kccevent (where are those in event viewer?) and some printer errors from the system log.
Justin Love

2 Answers


I would also like to share my experience. I will say right away that resetting the secure channel on the failed domain controller helped me, and I also rebooted the PDC. I did all the actions according to the detailed instructions; by the way, in parallel I still need to solve problems with DNS so that all the records in it are correct for the servers.


Are there any relevant errors in the System, Authentication or Directory Service Event logs to accompany this? Do dcdiag and/or netdiag on the servers give any clues? Does ENTERPRISE DOMAIN CONTROLLERS have read access to the sites in AD Sites and Services? Just some basic things to check and ask, because this could be caused by any number of things. At the very least, I would expect some sort of error or authentication failure to be logged when you force the replication. You may want to increase your auditing for the purposes of troubleshooting.

sinping
  • There are some messages in the Directory Service log (added to main question text), but they tell the same story (Access is denied) – Justin Love Apr 19 '10 at 21:31
  • dcdiag on 2003 said it skipped `CheckSecurityErrors` because it needed a server name (this option is sadly missing on 2000 dcdiag). Running it said there was 340 sec. time skew, enough to break the Kerberos 5-minute window. **Changing the clocks did it** (Now off to find out how to keep them in sync.) – Justin Love Apr 21 '10 at 15:04
  • The servers should really sync themselves assuming the PDC Emulator has a valid time source. Good reference for setting this up: http://support.microsoft.com/kb/816042 – sinping Apr 21 '10 at 17:18
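The root cause in the comments above was clock skew beyond the Kerberos tolerance. As an added example (not part of the question or answers), this Python script parses the per-sample lines that `w32tm /stripchart /computer:<dc> /dataonly` prints (the `HH:MM:SS, +SS.SSSSSSSs` line shape is an assumption here) and flags any domain controller whose offset exceeds the default 5-minute Kerberos window; the sample output is constructed to model the 340 s skew from the comments.

```python
import re
from datetime import timedelta

# Kerberos rejects tickets when client and KDC clocks differ by more than this
# (the default MaxClockSkew, the "5-minute window" named in the comments).
MAX_CLOCK_SKEW = timedelta(minutes=5)

# Assumed per-sample line shape from `w32tm /stripchart /dataonly`:
# "HH:MM:SS, +SS.SSSSSSSs" = signed offset of the local clock vs the target DC.
OFFSET_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\s*([+-]\d+(?:\.\d+)?)s\s*$")


def parse_offsets(stripchart_text):
    """Return all signed offsets (seconds) found in stripchart output.
    Header lines and per-sample error lines do not match and are skipped."""
    offsets = []
    for line in stripchart_text.splitlines():
        m = OFFSET_RE.match(line.strip())
        if m:
            offsets.append(float(m.group(1)))
    return offsets


def check_skew(stripchart_text, max_skew=MAX_CLOCK_SKEW):
    """Compare the worst observed offset against the Kerberos tolerance.
    Returns (worst_offset_seconds, within_tolerance)."""
    offsets = parse_offsets(stripchart_text)
    if not offsets:
        raise ValueError("no offset samples found in stripchart output")
    worst = max(offsets, key=abs)
    return worst, abs(worst) <= max_skew.total_seconds()


# Constructed sample (not real w32tm output): the 2000 DC is ~340 s off the 2003 DC.
SAMPLE_2000_VS_2003 = """\
Tracking dc2003.OUR_DOMAIN [192.0.2.10:123].
The current time is 4/21/2010 3:04:00 PM.
15:04:00, +340.0123456s
15:04:02, +340.0120011s
15:04:04, error: 0x800705B4
15:04:06, +339.9987654s
"""

if __name__ == "__main__":
    worst, ok = check_skew(SAMPLE_2000_VS_2003)
    print(f"worst offset {worst:+.3f}s; within Kerberos window: {ok}")
```

Run it against real stripchart output from the failing DC to confirm skew before touching anything else; once the PDC Emulator has a valid time source, re-run to verify the offset has collapsed to well under the window.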