Single child domain server will not replicate to parent domain servers
I started a new job and inherited a problem child domain server. It is a Server 2012 domain controller for a child domain. I can't add a domain controller because the child domain server is not replicating with the parent domain, and dcdiag shows "server has not finished promoting GC." It appears there is no global catalog in the child domain available to show the computer account. It doesn't matter whether I add the new server to the domain before starting the AD wizard or not. In both cases the wizard fails with the error, "The operation failed because: A domain controller could not be contacted for the domain xxxx that contained an account for this computer. Make the computer a member of a workgroup then rejoin the domain before trying promotion. Access is denied." I've done this a couple of times and it doesn't make a difference.
I tried an install from media; same error. I can't delete the domain and recreate it because it has lots of client computers.
I'm not sure what started all this; one candidate is that the C: drive was full when I got here. I added a second disk and moved the temp and page files to D:, and cleaned up a bit so there is 5.6GB free.
There are lots of things going on, and I keep going in circles. I need a completed global catalog on this server so I can add a domain controller. That would allow me to demote the server and re-promote it to fix the errors I'm having. Until I can at least get the global catalog working, I'm stumped.
I can't connect to the child domain in AD Users and Computers. The error is:
- The domain child could not be found because: The server is not operational
I checked the firewall and it says the ports are open between the 2 domains. I can telnet between the child and parent domain on the replication ports required, at least the ones that work between the parent controllers, which are replicating (I get no response on ports 138 or 3268 on any of the domain controllers).
dcdiag says:
c:\users\administrator>dcdiag | more
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = childserver
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\childserver
Starting test: Connectivity
......................... childserver passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\childserver
Starting test: Advertising
Warning: childserver has not finished promoting to be a GC.
Check the event log for domains that cannot be replicated.
Warning: childserver is not advertising as a global catalog.
Check that the server finished GC promotion.
Check the event log on the server for whether enough source replicas for the GC are available.
......................... childserver failed test Advertising
Starting test: FrsEvent
......................... childserver passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... childserver failed test DFSREvent
Starting test: SysVolCheck
......................... childserver passed test SysVolCheck
Starting test: KccEvent
(Note: duplicate events are not shown)
* An Error Event occurred. EventID: 0xC000066D
Time Generated: 09/24/2014 13:23:42
Event String:
Active Directory Domain Services could not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
* A Warning Event occurred. EventID: 0x80000677
Time Generated: 09/24/2014 13:23:42
Event String:
Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.
* An Error Event occurred. EventID: 0xC0000466
Time Generated: 09/24/2014 13:23:42
Event String:
Active Directory Domain Services was unable to establish a connection with the global catalog.
* A Warning Event occurred. EventID: 0x80000785
Time Generated: 09/24/2014 13:24:06
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
* A Warning Event occurred. EventID: 0x80000785
Time Generated: 09/24/2014 13:24:06
Event String:
The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
* An Event occurred. EventID: 0x40000617
Time Generated: 09/24/2014 13:32:24
Event String:
The local domain controller has been selected to be a global catalog. However, this domain controller does not host a read-only replica of the following directory partition.
* An Event occurred. EventID: 0x40000617
Time Generated: 09/24/2014 13:32:24
* An Event occurred. EventID: 0x4000062A
Time Generated: 09/24/2014 13:32:24
Event String:
Promotion of the local domain controller to a global catalog has been delayed because the directory partition occupancy requirements have not been met. The occupancy requirement level and the current domain controller level are as follows.
* An Event occurred. EventID: 0x40000456
Time Generated: 09/24/2014 13:32:24
Event String:
Promotion of this domain controller to a global catalog will be delayed for the following interval.
......................... childserver failed test KccEvent
Starting test: KnowsOfRoleHolders
[parent1] DsBindWithSpnEx() failed with error 5,
Access is denied..
Warning: parent1 is the Schema Owner, but is not responding to DS RPC Bind.
[parent1] LDAP bind failed with error 1326,
The user name or password is incorrect..
Warning: parent1 is the Schema Owner, but is not responding to LDAP Bind.
Warning: parent1 is the Domain Owner, but is not responding to DS RPC Bind.
Warning: parent1 is the Domain Owner, but is not responding to LDAP Bind.
......................... childserver failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... childserver passed test MachineAccount
Starting test: NCSecDesc
......................... childserver passed test NCSecDesc
Starting test: NetLogons
......................... childserver passed test NetLogons
Starting test: ObjectsReplicated
......................... childserver passed test ObjectsReplicated
Starting test: Replications
[Replications Check,childserver] A recent replication attempt failed:
From parent2 to childserver
Naming Context: DC=ForestDnsZones,DC=cee-w,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2014-09-24 13:02:23.
The last success occurred at 2014-01-18 20:49:14.
5935 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[parent2] DsBindWithSpnEx() failed with error 5,
Access is denied..
[Replications Check,childserver] A recent replication attempt failed:
From parent2 to childserver
Naming Context: CN=Schema,CN=Configuration,DC=cee-w,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2014-09-24 13:02:23.
The last success occurred at 2014-01-18 20:49:14.
5935 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[Replications Check,childserver] A recent replication attempt failed:
From parent2 to childserver
Naming Context: CN=Configuration,DC=cee-w,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2014-09-24 13:02:23.
The last success occurred at 2014-01-18 20:49:13.
5942 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
......................... childserver failed test Replications
Starting test: RidManager
......................... childserver passed test RidManager
Starting test: Services
......................... childserver passed test Services
Starting test: SystemLog
* An Error Event occurred. EventID: 0xC00038D6
Time Generated: 09/24/2014 12:59:25
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
* A Warning Event occurred. EventID: 0x000727A5
Time Generated: 09/24/2014 13:01:03
Event String:
The WinRM service is not listening for WS-Management requests.
* An Error Event occurred. EventID: 0xC0FF05DC
Time Generated: 09/24/2014 13:02:03
Event String:
The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
* A Warning Event occurred. EventID: 0x00001796
Time Generated: 09/24/2014 13:02:23
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
* An Error Event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:02:28
Event String:
The dynamic registration of the DNS record 'child-domain.domain.net. 600 IN A 192.168.215.15' failed on the following DNS server:
* An Error Event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:02:30
Event String:
The dynamic registration of the DNS record '_ldap._tcp.child-domain.domain.net. 600 IN SRV 0 100 389 childserver.child-domain.domain.net.' failed on the following DNS server:
* An Error Event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:02:32
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.domain.net. 600 IN CNAME childserver.child-domain.domain.net.' failed on the following DNS server:
* An Error Event occurred. EventID: 0x00000457
Time Generated: 09/24/2014 13:04:08
Event String:
Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
* A Warning Event occurred. EventID: 0x000727AA
Time Generated: 09/24/2014 13:04:30
Event String:
The WinRM service failed to create the following SPNs: WSMAN/childserver.child-domain.domain.net; WSMAN/childserver.
* An Error Event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:07:32
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.domain.net. 600 IN CNAME childserver.child-domain.domain.net.' failed on the following DNS server:
* An Error Event occurred. EventID: 0x0000168F
Time Generated: 09/24/2014 13:17:32
Event String:
The dynamic deletion of the DNS record '_gc._tcp.domain.net. 600 IN SRV 0 100 3268 childserver.child-domain.domain.net.' failed on the following DNS server:
* An Error Event occurred. EventID: 0x0000168F
Time Generated: 09/24/2014 13:17:32
Event String:
The dynamic deletion of the DNS record '_gc._tcp.Default-First-Site-Name._sites.domain.net. 600 IN SRV 0 100 3268 childserver.child-domain.domain.net.' failed on the following DNS server:
* An Error Event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:17:34
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.domain.net. 600 IN CNAME childserver.child-domain.domain.net.' failed on the following DNS server:
* An Error Event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:37:36
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.domain.net. 600 IN CNAME childserver.child-domain.domain.net.' failed on the following DNS server:
......................... childserver failed test SystemLog
Starting test: VerifyReferences
......................... childserver passed test VerifyReferences
Running partition tests on : child-domain
Starting test: CheckSDRefDom
......................... child-domain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... child-domain passed test CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running enterprise tests on : domain.net
Starting test: LocatorCheck
......................... domain.net passed test LocatorCheck
Starting test: Intersite
......................... domain.net passed test Intersite
The Directory Service error log shows:
* Event ID: 1126. Active Directory Domain Services was unable to establish a connection with the global catalog. Error value: 1355 The specified domain either does not exist or could not be contacted.
* Event ID: 1126. Active Directory Domain Services was unable to establish a connection with the global catalog. Error value: 8430 The directory service encountered an internal failure.
* Event ID: 1655. Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful. Global catalog: \\parent4.domain.net The operation in progress might be unable to continue. Active Directory Domain Services will use the domain controller locator to try to find an available global catalog server.
* Event ID: 1645. Active Directory Domain Services could not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
* Event ID: 1869. Active Directory Domain Services has located a global catalog in the following site. Global catalog: \\parent4.domain.net
* Event ID: 1645. Active Directory Domain Services could not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination directory server:
\\parent3.domain.net
SPN:
GC/parent3.domain.net/domain.net@domain.net
The Active Directory error log shows:
* Event ID: 1202. This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
The DNS Server error log shows:
* Event ID: 4512. The DNS server was unable to create the built-in directory partition DomainDnsZones.child-domain.domain.net. The error was 9571.
* Event ID: 4013. The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has completed.
The Windows System error log shows:
* Event ID: 5774. The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.domain.net. 600 IN CNAME childserver.child-domain.domain.net.' failed on the following DNS server:
DNS server IP address: 172.20.200.170
Returned Response Code (RCODE): 5
Returned Status Code: 9017
* Event ID: 5775. The dynamic deletion of the DNS record '_gc._tcp.Default-First-Site-Name._sites.domain.net. 600 IN SRV 0 100 3268 childserver.child-domain.domain.net.' failed on the following DNS server:
DNS server IP address: 172.21.24.16
Returned Response Code (RCODE): 5
Returned Status Code: 9017
* Event ID: 5775. The dynamic deletion of the DNS record '_gc._tcp.domain.net. 600 IN SRV 0 100 3268 childserver.child-domain.domain.net.' failed on the following DNS server:
DNS server IP address: 172.21.24.16
Returned Response Code (RCODE): 5
Returned Status Code: 9017
I don't see any DFS Replication error log entries, although I had to reinitialize replication after I freed up disk space.
repadmin /replsummary shows:
c:\users\administrator>repadmin /replsummary
Replication Summary Start Time: 2014-09-24 14:26:44
Beginning data collection for replication summary, this may take awhile:
.........
Source DSA          largest delta    fails/total %%   error
parent2                 >60 days       3 /   3  100  (5) Access is denied.
Destination DSA     largest delta    fails/total %%   error
childserver             >60 days       3 /   3  100  (5) Access is denied.
Experienced the following operational errors trying to retrieve replication information:
1326 - parent1.domain.net
1326 - parent2.domain.net
1326 - parent3.domain.net
1326 - parent4.domain.net
58 - 81cd2013-357e-40ed-a006-e6546fc6735f._msdcs.domain.net
c:\users\administrator>
I looked at the SPNs on each domain controller; there is no mingling of SPNs between the parent and forest domain. I'm not sure if there should be. parent1 through parent2 contain references to each other, but none to childserver, and vice-versa. I tried running setspn -a as the KB article referenced by the error log said, but it fails because the computer accounts cannot be identified across the parent/child domain boundary.
I know it is a permissions or replication issue, but I don't know where to start. Can anyone help?
Thanks, Jack
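The dcdiag output above reports events as 32-bit values (EventID: 0xC000066D) while the Event Viewer shows the same events as 1645, 1655 and 1126, and the Replications test gives a last-success date that repadmin summarizes only as ">60 days". The Python below is an added example, not code from Jack's post: it decodes the dcdiag EventIDs to Event Viewer IDs and parses the failed replication links, working out how long each link has been down against the tombstone lifetime. The sample text is constructed from lines quoted in the post (server names and naming contexts are the post's anonymized ones), and the 180-day tombstone lifetime is an assumption to be replaced with the forest's real value.

```python
"""Decode dcdiag EventIDs and summarize failed replication links.

Added example, not part of the original forum post. SAMPLE is constructed
to resemble the dcdiag output quoted in the post.
"""
import re
from datetime import datetime

# dcdiag prints "EventID: 0xC000066D"; the Event Viewer shows the low 16
# bits (0x066D = 1645). The label in front of "Event occurred" is dcdiag's
# own severity, so it is used rather than the high bits of the number,
# which are only meaningful for some event sources.
EVENT_RE = re.compile(
    r"(?:An?\s+)?(Error|Warning)?\s*Event occurred\.\s*EventID:\s*(0x[0-9A-Fa-f]+)",
    re.IGNORECASE,
)


def decode_event_id(raw_hex):
    """Return the Event Viewer ID for a dcdiag EventID such as '0xC000066D'."""
    return int(raw_hex, 16) & 0xFFFF


def collect_events(text):
    """List (severity, event_id) pairs in dcdiag's order of appearance."""
    events = []
    for match in EVENT_RE.finditer(text):
        severity = (match.group(1) or "information").lower()
        events.append((severity, decode_event_id(match.group(2))))
    return events


# One block per failed link in the Replications test.
BLOCK_START = re.compile(r"\[Replications Check,[^\]]*\] A recent replication attempt failed:")
FIELDS = {
    "source": r"From (\S+) to \S+",
    "dest": r"From \S+ to (\S+)",
    "naming_context": r"Naming Context: (\S+)",
    "error": r"generated an error \((\d+)\)",
    "failed_at": r"failure occurred at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})",
    "last_success": r"last success occurred at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})",
    "failures": r"(\d+) failures have occurred",
}
TS = "%Y-%m-%d %H:%M:%S"


def summarize_replication(text, tombstone_days=180):
    """Parse each failed link and flag those whose last success is older than
    the tombstone lifetime. 180 days is the default for forests created on
    Windows Server 2003 SP1 or later, 60 for older forests; both are
    assumptions here, so read tombstoneLifetime from the Directory Service
    object in the Configuration partition and pass it in.
    """
    links = []
    for block in BLOCK_START.split(text)[1:]:
        link = {}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, block)
            link[name] = m.group(1) if m else None
        link["error"] = int(link["error"]) if link["error"] else None
        link["failures"] = int(link["failures"]) if link["failures"] else None
        link["days_since_success"] = None
        link["exceeds_tombstone"] = False
        if link["failed_at"] and link["last_success"]:
            gap = datetime.strptime(link["failed_at"], TS) - datetime.strptime(link["last_success"], TS)
            link["days_since_success"] = gap.days
            link["exceeds_tombstone"] = gap.days > tombstone_days
        links.append(link)
    return links


# Constructed sample modeled on the dcdiag output in the post.
SAMPLE = """\
   Starting test: KccEvent
      * An Error Event occurred.  EventID: 0xC000066D
      * A Warning Event occurred.  EventID: 0x80000677
      * An Error Event occurred.  EventID: 0xC0000466
      * An Event occurred.  EventID: 0x4000062A
   Starting test: Replications
      [Replications Check,CHILDSERVER] A recent replication attempt failed:
         From PARENT2 to CHILDSERVER
         Naming Context: DC=ForestDnsZones,DC=cee-w,DC=net
         The replication generated an error (1908):
         Could not find the domain controller for this domain.
         The failure occurred at 2014-09-24 13:02:23.
         The last success occurred at 2014-01-18 20:49:14.
         5935 failures have occurred since the last success.
      [PARENT2] DsBindWithSpnEx() failed with error 5,
         Access is denied..
      [Replications Check,CHILDSERVER] A recent replication attempt failed:
         From PARENT2 to CHILDSERVER
         Naming Context: CN=Configuration,DC=cee-w,DC=net
         The replication generated an error (1908):
         The failure occurred at 2014-09-24 13:02:23.
         The last success occurred at 2014-01-18 20:49:13.
         5942 failures have occurred since the last success.
"""

if __name__ == "__main__":
    for sev, eid in collect_events(SAMPLE):
        print(f"{sev:12} event {eid}")
    for link in summarize_replication(SAMPLE):
        print(link)
```

On the post's dates the gap is 248 days, past both the 60- and 180-day defaults, which is what repadmin's ">60 days" column is hinting at. That matters beyond convenience: a partition that has not replicated within the tombstone lifetime can hold lingering objects, so the tombstone lifetime is taken as a parameter rather than hard-coded.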
You're welcome. Looking forward to your report.
I forgot to add, I think it may be prudent to ensure there are no duplicate AD integrated zones. You must check each DC to see if a specific DC *sees* the zone differently than the others; if any do, it would indicate replication issues. This explains it in more detail:
using adsi edit resolve conflicting or duplicate ad integrated dns zones
http://blogs.msmvps.com/acefekay/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones/
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete list of technical blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
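The reply above asks whether every DC sees the AD-integrated zones the same way. The Python below is an added example, not code from the reply or the linked blog: given the dnsZone distinguished names each DC reports (collected separately, for instance with an LDAP search for objectClass=dnsZone against each DC in ADSI Edit, ldifde or Get-ADObject), it finds replication-conflict objects (names mangled with \0ACNF:), the same zone stored in more than one container (DomainDnsZones, ForestDnsZones or the legacy CN=System location), and objects that some DCs hosting a container do not see. The per-DC listings, the GUID in the conflict name and the container choices are constructed to match the domain names in this thread.

```python
"""Compare the dnsZone objects each DC reports to spot duplicate or
conflicting AD-integrated DNS zones.

Added example, not code from the reply above. SAMPLE_VIEWS is constructed;
collect real distinguishedName values per DC before using this.
"""
from collections import defaultdict

# AD mangles the RDN of a replication-conflict object as "DC=zone\0ACNF:<guid>".
CNF_MARKER = "\\0ACNF:"


def split_zone_dn(dn):
    """Return (zone_name, container_dn, is_conflict) for a dnsZone DN.

    The zone object is the first RDN (DC=zone); everything after the first
    comma is the container it lives in, e.g.
    CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=net.
    """
    rdn, _, container = dn.partition(",")
    name = rdn.split("=", 1)[1]
    is_conflict = CNF_MARKER in name
    if is_conflict:
        name = name.split(CNF_MARKER, 1)[0]
    return name, container, is_conflict


def find_zone_conflicts(views):
    """views maps a DC name to the list of dnsZone DNs that DC reports.

    Returns:
      conflicts     - (dc, dn) for every CNF: object still present
      duplicates    - zone name -> containers, for zones stored in more than one
      disagreements - dn -> DCs that host its container but do not report it
    """
    seen_on = defaultdict(set)        # dn -> DCs reporting it
    hosts_of = defaultdict(set)       # container -> DCs reporting anything in it
    containers_for = defaultdict(set) # zone name -> containers holding it
    conflicts = []
    for dc, dns in views.items():
        for dn in dns:
            name, container, is_conflict = split_zone_dn(dn)
            seen_on[dn].add(dc)
            hosts_of[container].add(dc)
            if is_conflict:
                conflicts.append((dc, dn))
            else:
                containers_for[name].add(container)
    duplicates = {n: sorted(c) for n, c in containers_for.items() if len(c) > 1}
    disagreements = {}
    for dn, dcs in seen_on.items():
        missing = hosts_of[split_zone_dn(dn)[1]] - dcs
        if missing:
            disagreements[dn] = sorted(missing)
    return {"conflicts": sorted(conflicts), "duplicates": duplicates,
            "disagreements": disagreements}


# Constructed listings: the parents see the child zone in ForestDnsZones,
# the child DC holds its own copy under CN=System plus a conflict object.
SAMPLE_VIEWS = {
    "parent1": [
        "DC=domain.net,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=net",
        "DC=_msdcs.domain.net,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=net",
        "DC=child-domain.domain.net,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=net",
    ],
    "parent2": [
        "DC=domain.net,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=net",
        "DC=_msdcs.domain.net,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=net",
        "DC=child-domain.domain.net,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=net",
    ],
    "childserver": [
        "DC=_msdcs.domain.net,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=net",
        "DC=child-domain.domain.net,CN=MicrosoftDNS,CN=System,DC=child-domain,DC=domain,DC=net",
        "DC=child-domain.domain.net\\0ACNF:1a2b3c4d-0000-0000-0000-000000000000,"
        "CN=MicrosoftDNS,CN=System,DC=child-domain,DC=domain,DC=net",
    ],
}

if __name__ == "__main__":
    for kind, items in find_zone_conflicts(SAMPLE_VIEWS).items():
        print(kind, items)
```

Disagreements are judged only among DCs that report something in the same container, so a child DC not holding the parent's DomainDnsZones partition is not flagged; a zone missing from one DC that does hold the partition is, which is exactly the "sees the zone differently" case the reply describes.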