Replication failing between 2 DC 2008 R2

    Question

  • Hello everybody,

    I need some help to get rid of a critical error on my DCs.

    I've got two DCs (SRV & SRV-APPLIS) on the same site, and one of them (SRV-APPLIS) is handling the RID, CDP and Infrastructure operations master roles. They are both Global Catalogs.

    I found there was an error because I was trying to push a GPO to some of my computers, but it had no effect on them. That's how I found that replication was not running properly on both DCs.

    Here is what I found in the log viewer:

    Nom du journal :Directory Service
    Source :       Microsoft-Windows-ActiveDirectory_DomainService
    Date :         13/08/2013 03:06:12
    ID de l’événement :2887
    Catégorie de la tâche :Interface LDAP
    Niveau :       Avertissement
    Mots clés :    Classique
    Utilisateur :  ANONYMOUS LOGON
    Ordinateur :   SRV-APPLIS.domaine.local

    Nom du journal :Directory Service
    Source :       Microsoft-Windows-ActiveDirectory_DomainService
    Date :         13/08/2013 04:06:12
    ID de l’événement :1863
    Catégorie de la tâche :Réplication
    Niveau :       Erreur
    Mots clés :    Classique
    Utilisateur :  ANONYMOUS LOGON
    Ordinateur :   SRV-APPLIS.domaine.local



    Nom du journal :Directory Service
    Source :       Microsoft-Windows-ActiveDirectory_DomainService
    Date :         13/08/2013 04:06:12
    ID de l’événement :2093
    Catégorie de la tâche :Réplication
    Niveau :       Avertissement
    Mots clés :    Classique
    Utilisateur :  ANONYMOUS LOGON
    Ordinateur :   SRV-APPLIS.domaine.local

    It seems like INBOUND and OUTBOUND replication are disabled...
    When I try to do a repadmin/options - DISABLE_OUTBOUND_REPL and repadmin/options - DISABLE_INBOUND_REPL, I get an LDAP error 81: Server down

    I need your help on this because I'm a bit lost...

    Thanks for your help

    Best

    Nic


    • Edited by nvlop Tuesday, August 20, 2013 7:08 AM
    Tuesday, August 13, 2013 2:30 PM

Answers

  • Ace,

    For financial reasons, I can't have a second server doing DC only; that's why we have SRV-APPLIS, which is acting as DC, DNS and applications server... This server is really important and I can't afford to lose it.

    Correct me if I'm wrong, but here is what I want to try:

    - Shut down SRV-APPLIS
    - Seize the FSMO roles from SRV-APPLIS to SRV (I can only do this if SRV-APPLIS is shut down, right?)
    - Boot SRV-APPLIS and run dcpromo /forceremoval
    - Clean up the metadata of SRV
    From here, I should have SRV working properly as the main and only DC with the FSMO roles.
    Then I can try to:
    - Run dcpromo on SRV-APPLIS to make it a second DC
    - Try replication, which should work

    What do you think of this action plan? Are there any recommendations to follow before doing it?


    Do not simply shut down SRV-APPLIS. AD must still be removed from it. As I said before, JUST DEMOTE IT!!

    To be specific so there are no questions or assumptions, here are my recommendations, and this will work AS LONG AS (and I said this before) Exchange or SQL Server is not on the machine, and it's not a certificate server. Note: if Exchange, SQL or Certificate services are on it, this procedure will not work. Third party apps, WINS or DHCP will NOT be affected.

    1. On SRV, make sure the first DNS is pointing to itself, and the second DNS entry is the Loopback (127.0.0.1).
    2. On SRV, uninstall any antivirus and disable the Windows firewall.
    3. On SRV-APPLIS, uninstall any antivirus and disable the Windows firewall.
    4. On SRV-APPLIS, make sure the ONLY DNS in the NIC is set to SRV. That's it.
    5. On SRV-APPLIS, uninstall DNS. Do NOT delete the zone. Simply UNINSTALL DNS. That's it. You can leave WINS or DHCP on it, if you like.
    6. On SRV-APPLIS, run dcpromo /forcedemote to force demote it. This will remove all of the AD binaries off the machine and turn it into a member server. This will also preserve your third party applications and other services running on it.
    7. On SRV-APPLIS, run PortQRY from SRV-APPLIS to SRV. Make sure no ports are being blocked. If any ports are blocked, make sure antivirus and the firewalls were uninstalled.
    8. On SRV, run a metadata cleanup, and clean all other areas. I already posted my blog on how to do this in this thread, but for your convenience, for a complete step-by-step that shows how to seize roles, clean out DNS, Sites, etc., see: Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, cleanup DNS (Nameserver tab), AD Sites (old DC references), transfer or fix time settings, WINS settings, etc.)
    9. Set time service on SRV:
       W32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
       W32tm /resync /rediscover
    10. After all the above has been completed, then on SRV-APPLIS, run dcpromo to re-promote it to a DC. Choose the Option to install DNS as part of the process.
    11. If you receive a message or error that a DNS delegation can't be found, IGNORE IT. Continue with the promotion.
    12. Open DNS. Check the zones if they populated. If they didn't, JUST WAIT. DO NOT manually create any zones. They will appear automatically. Go have lunch or dinner or something. Check later. They will automatically populate. If you manually create the zone, it will cause NUMEROUS problems.
    13. Check the Event logs to make sure no errors appear.
    14. Wait a day or two, then on SRV-APPLIS, set the first DNS to SRV, and the second as the Loopback address.
    15. Check the Event logs to make sure no errors appear.

    -

    After completed, post back with your results.

    -


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by nvlop Monday, August 26, 2013 12:15 PM
    Friday, August 23, 2013 4:44 PM

All replies

  • One thing: the replication has been failing since 2013/08/06, so I guess the situation can be fixed without doing dcpromo /forceremoval...

    I hope someone can help me with this

    Thanks

    Tuesday, August 13, 2013 3:26 PM
  • Hello,

    to completely understand the setup, please upload the following files:

    ipconfig /all >c:\ipconfig.log [all DCs]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
    ADREPLSTATUS: http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.

    As the output will become large, DON'T post it into the thread; please use Windows SkyDrive (with open access!) https://skydrive.live.com and add the link from it here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, August 14, 2013 8:37 AM
  • Does anyone have time to help me with this, please?

    Wednesday, August 14, 2013 9:33 AM
  • Hi Nic,

    I understand your situation, let’s try to work it out together.

    Could you please run ipconfig/all and DCDiag on both the problematic DCs, then post out the results?

    That would be very helpful to analyze the problem.

    Here are some links below that could be helpful to you:

    Dcdiag

    http://technet.microsoft.com/en-us/library/cc731968.aspx

    Event ID: 2887

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/99df486c-bb43-4d0c-b507-52856be7b1c6/event-id-2887

    Repadmin for Experts

    http://technet.microsoft.com/en-us/library/cc811549(v=WS.10).aspx

    LDAP Error 81

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/78039544-3b12-4533-8f82-5b6b1fb7dfd7/ldap-error-81

    Please keep us updated, so we can help you effectively.

    Best Regards,

    Amy Wang
    Wednesday, August 14, 2013 9:44 AM
    Moderator
  • Does anyone have time to help me with this, please?

    Hello,

    sure but please understand that the description is NOT enough to help you. Please upload the requested files.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, August 14, 2013 10:46 AM
  • Hello,

    Sorry for the delay, my alert on this topic was not on... so I didn't see your message earlier.
    Thanks for taking time to help me out with this problem, so here are the logs required:


    From SRV:

    IPCONFIG /ALL

    Configuration IP de Windows

       Nom de l'hôte . . . . . . . . . . : SRV
       Suffixe DNS principal . . . . . . : domaine.local
       Type de noeud. . . . . . . . . .  : Hybride
       Routage IP activé . . . . . . . . : Non
       Proxy WINS activé . . . . . . . . : Non
       Liste de recherche du suffixe DNS.: domaine.local

    Carte Ethernet Connexion au réseau local :

       Suffixe DNS propre à la connexion. . . :
       Description. . . . . . . . . . . . . . : HP NC326i PCIe Dual Port Gigabit Server Adapter
       Adresse physique . . . . . . . . . . . : 9C-8E-99-1A-26-B4
       DHCP activé. . . . . . . . . . . . . . : Non
       Configuration automatique activée. . . : Oui
       Adresse IPv4. . . . . . . . . . . . . .: 192.168.110.250(préféré)
       Masque de sous-réseau. . . . . . . . . : 255.255.255.0
       Passerelle par défaut. . . . . . . . . : 192.168.110.254
       Serveurs DNS. . .  . . . . . . . . . . : 127.0.0.1
                                  192.168.110.254
       NetBIOS sur Tcpip. . . . . . . . . . . : Activé


    DCDIAG:

    Diagnostic du serveur d'annuaire

    Exécution de l'installation initiale :

       Tentative de recherche de serveur associé...

       Serveur associé : SRV

       * Forêt AD identifiée.
       Collecte des informations initiales terminée.

    Exécution des tests initiaux nécessaires


       Test du serveur : Default-First-Site-Name\SRV

          Démarrage du test : Connectivity

             ......................... Le test Connectivity

              de SRV a réussi

    Exécution des tests principaux


       Test du serveur : Default-First-Site-Name\SRV

          Démarrage du test : Advertising

             Avertissement : SRV n'effectue pas de publications en tant que serveur

             de temps.

             ......................... Le test Advertising

              de SRV a échoué
          Démarrage du test : FrsEvent

             ......................... Le test FrsEvent

              de SRV a réussi
          Démarrage du test : DFSREvent

             ......................... Le test DFSREvent

              de SRV a réussi
          Démarrage du test : SysVolCheck

             ......................... Le test SysVolCheck

              de SRV a réussi
          Démarrage du test : KccEvent

             ......................... Le test KccEvent

              de SRV a réussi
          Démarrage du test : KnowsOfRoleHolders

             ......................... Le test KnowsOfRoleHolders

              de SRV a réussi
          Démarrage du test : MachineAccount

             ......................... Le test MachineAccount

              de SRV a réussi
          Démarrage du test : NCSecDesc

             ......................... Le test NCSecDesc

              de SRV a réussi
          Démarrage du test : NetLogons

             ......................... Le test NetLogons

              de SRV a réussi
          Démarrage du test : ObjectsReplicated

             ......................... Le test ObjectsReplicated

              de SRV a réussi
          Démarrage du test : Replications

             [Replications Check,SRV] Une tentative de réplication récente a

             échoué :

                De SRV-APPLIS vers SRV

                Contexte de nommage : DC=ForestDnsZones,DC=domaine,DC=local

                La réplication a généré une erreur (8456) :

                Le serveur source rejette actuellement les demandes de réplication.

                L'échec s'est produit à 2013-08-20 08:18:33.

                La dernière réussite s'est produite à 2013-08-06 16:59:08.

                532 échecs se sont produits depuis la dernière réussite.

                La réplication a été explicitement désactivée via les options de

                serveur.

             [Replications Check,SRV] Une tentative de réplication récente a

             échoué :

                De SRV-APPLIS vers SRV

                Contexte de nommage : DC=DomainDnsZones,DC=domaine,DC=local

                La réplication a généré une erreur (8456) :

                Le serveur source rejette actuellement les demandes de réplication.

                L'échec s'est produit à 2013-08-20 08:18:30.

                La dernière réussite s'est produite à 2013-08-06 16:59:08.

                586 échecs se sont produits depuis la dernière réussite.

                La réplication a été explicitement désactivée via les options de

                serveur.

             [Replications Check,SRV] Une tentative de réplication récente a

             échoué :

                De SRV-APPLIS vers SRV

                Contexte de nommage : CN=Schema,CN=Configuration,DC=domaine,DC=local

                La réplication a généré une erreur (8456) :

                Le serveur source rejette actuellement les demandes de réplication.

                L'échec s'est produit à 2013-08-20 07:59:10.

                La dernière réussite s'est produite à 2013-08-06 16:59:08.

                327 échecs se sont produits depuis la dernière réussite.

                La réplication a été explicitement désactivée via les options de

                serveur.

             [Replications Check,SRV] Une tentative de réplication récente a

             échoué :

                De SRV-APPLIS vers SRV

                Contexte de nommage : CN=Configuration,DC=domaine,DC=local

                La réplication a généré une erreur (8456) :

                Le serveur source rejette actuellement les demandes de réplication.

                L'échec s'est produit à 2013-08-20 07:59:10.

                La dernière réussite s'est produite à 2013-08-06 16:59:08.

                331 échecs se sont produits depuis la dernière réussite.

                La réplication a été explicitement désactivée via les options de

                serveur.

             [Replications Check,SRV] Une tentative de réplication récente a

             échoué :

                De SRV-APPLIS vers SRV

                Contexte de nommage : DC=domaine,DC=local

                La réplication a généré une erreur (8456) :

                Le serveur source rejette actuellement les demandes de réplication.

                L'échec s'est produit à 2013-08-20 08:41:26.

                La dernière réussite s'est produite à 2013-08-06 17:47:00.

                3224 échecs se sont produits depuis la dernière réussite.

                La réplication a été explicitement désactivée via les options de

                serveur.

             ......................... Le test Replications

              de SRV a échoué
          Démarrage du test : RidManager

             ......................... Le test RidManager

              de SRV a réussi
          Démarrage du test : Services

             ......................... Le test Services

              de SRV a réussi
          Démarrage du test : SystemLog

             ......................... Le test SystemLog

              de SRV a réussi
          Démarrage du test : VerifyReferences

             ......................... Le test VerifyReferences

              de SRV a réussi


       Exécution de tests de partitions sur ForestDnsZones

          Démarrage du test : CheckSDRefDom

             ......................... Le test CheckSDRefDom

              de ForestDnsZones a réussi
          Démarrage du test : CrossRefValidation

             ......................... Le test CrossRefValidation

              de ForestDnsZones a réussi

       Exécution de tests de partitions sur DomainDnsZones

          Démarrage du test : CheckSDRefDom

             ......................... Le test CheckSDRefDom

              de DomainDnsZones a réussi
          Démarrage du test : CrossRefValidation

             ......................... Le test CrossRefValidation

              de DomainDnsZones a réussi

       Exécution de tests de partitions sur Schema

          Démarrage du test : CheckSDRefDom

             ......................... Le test CheckSDRefDom

              de Schema a réussi
          Démarrage du test : CrossRefValidation

             ......................... Le test CrossRefValidation

              de Schema a réussi

       Exécution de tests de partitions sur Configuration

          Démarrage du test : CheckSDRefDom

             ......................... Le test CheckSDRefDom

              de Configuration a réussi
          Démarrage du test : CrossRefValidation

             ......................... Le test CrossRefValidation

              de Configuration a réussi

       Exécution de tests de partitions sur domaine

          Démarrage du test : CheckSDRefDom

             ......................... Le test CheckSDRefDom

              de domaine a réussi
          Démarrage du test : CrossRefValidation

             ......................... Le test CrossRefValidation

              de domaine a réussi

       Exécution de tests d'entreprise sur domaine.local

          Démarrage du test : LocatorCheck

             Avertissement : l'appel DcGetDcName(TIME_SERVER) a échoué ; erreur

             1355

             Serveur de temps introuvable.

             Le serveur contenant le rôle PDC ne fonctionne pas.

             Avertissement : l'appel DcGetDcName(GOOD_TIME_SERVER_PREFERRED) a

             échoué ; erreur 1355

             Serveur de temps introuvable.

             ......................... Le test LocatorCheck

              de domaine.local a échoué
          Démarrage du test : Intersite

             ......................... Le test Intersite

              de domaine.local a réussi


    From SRV-APPLIS:

    IPCONFIG /ALL

    Configuration IP de Windows

       Nom de l'hôte . . . . . . . . . . : SRV-APPLIS
       Suffixe DNS principal . . . . . . : domaine.local
       Type de noeud. . . . . . . . . .  : Hybride
       Routage IP activé . . . . . . . . : Non
       Proxy WINS activé . . . . . . . . : Non
       Liste de recherche du suffixe DNS.: domaine.local

    Carte Ethernet Connexion au réseau local :

       Suffixe DNS propre à la connexion. . . :
       Description. . . . . . . . . . . . . . : Connexion réseau Intel(R) PRO/1000 MT
       Adresse physique . . . . . . . . . . . : 00-0C-29-C4-9E-17
       DHCP activé. . . . . . . . . . . . . . : Non
       Configuration automatique activée. . . : Oui
       Adresse IPv4. . . . . . . . . . . . . .: 192.168.110.5(préféré)
       Masque de sous-réseau. . . . . . . . . : 255.255.255.0
       Passerelle par défaut. . . . . . . . . : 192.168.110.254
       Serveurs DNS. . .  . . . . . . . . . . : 127.0.0.1
                                  192.168.110.254
       NetBIOS sur Tcpip. . . . . . . . . . . : Activé


    DCDIAG


    Diagnostic du serveur d'annuaire


    Exécution de l'installation initiale :

       Tentative de recherche de serveur associé...

       Serveur associé : SRV-APPLIS

       * Forêt AD identifiée.
       Collecte des informations initiales terminée.


    Exécution des tests initiaux nécessaires


       Test du serveur : Default-First-Site-Name\SRV-APPLIS

          Démarrage du test : Connectivity

             ......................... Le test Connectivity

              de SRV-APPLIS a réussi


    Exécution des tests principaux


       Test du serveur : Default-First-Site-Name\SRV-APPLIS

          Démarrage du test : Advertising

             Avertissement : DsGetDcName a retourné des informations pour

             \\SRV.domaine.local lors de la tentative d'accès à SRV-APPLIS.

             Le serveur ne répond pas ou n'est pas approprié.

             ......................... Le test Advertising

              de SRV-APPLIS a échoué
          Démarrage du test : FrsEvent

             ......................... Le test FrsEvent

              de SRV-APPLIS a réussi
          Démarrage du test : DFSREvent

             ......................... Le test DFSREvent

              de SRV-APPLIS a réussi
          Démarrage du test : SysVolCheck

             ......................... Le test SysVolCheck

              de SRV-APPLIS a réussi
          Démarrage du test : KccEvent

             ......................... Le test KccEvent

              de SRV-APPLIS a réussi
          Démarrage du test : KnowsOfRoleHolders

             ......................... Le test KnowsOfRoleHolders

              de SRV-APPLIS a réussi
          Démarrage du test : MachineAccount

             ......................... Le test MachineAccount

              de SRV-APPLIS a réussi
          Démarrage du test : NCSecDesc

             ......................... Le test NCSecDesc

              de SRV-APPLIS a réussi
          Démarrage du test : NetLogons

             ......................... Le test NetLogons

              de SRV-APPLIS a réussi
          Démarrage du test : ObjectsReplicated

             ......................... Le test ObjectsReplicated

              de SRV-APPLIS a réussi
          Démarrage du test : Replications

             [Vérification des réplications, Replications Check] Réplication

             entrante désactivée.

             Pour corriger ce problème, exécutez « repadmin /options SRV-APPLIS

             -DISABLE_INBOUND_REPL »

             [Vérification des réplications, SRV-APPLIS] Réplication sortante

             désactivée.

             Pour corriger ce problème, exécutez « repadmin /options SRV-APPLIS

             -DISABLE_OUTBOUND_REPL »

             ......................... Le test Replications

              de SRV-APPLIS a échoué
          Démarrage du test : RidManager

             ......................... Le test RidManager

              de SRV-APPLIS a réussi
          Démarrage du test : Services

                Le service w32time est arrêté sur [SRV-APPLIS]

                Le service NETLOGON est interrompu sur [SRV-APPLIS]

             ......................... Le test Services

              de SRV-APPLIS a échoué
          Démarrage du test : SystemLog

             Un événement d'erreur s'est produit. ID de l'événement : 0x00000457

                Temps généré : 08/20/2013   08:41:18

                Chaîne d'événement :

                Le pilote Samsung SCX-3400 Series requis pour l'imprimante Samsung SCX-3400 Series est inconnu. Contactez l'administrateur pour installer le pilote avant de vous reconnecter.

             Un événement d'erreur s'est produit. ID de l'événement : 0x00000457

                Temps généré : 08/20/2013   08:41:20

                Chaîne d'événement :

                Le pilote Brother PCL5e Driver requis pour l'imprimante !!srv-applis!Brother RDC est inconnu. Contactez l'administrateur pour installer le pilote avant de vous reconnecter.

             Un événement d'erreur s'est produit. ID de l'événement : 0x00000457

                Temps généré : 08/20/2013   08:41:21

                Chaîne d'événement :

                Le pilote Canon iR C2380/2550 UFR II requis pour l'imprimante Canon iR C2380/2550 UFR II est inconnu. Contactez l'administrateur pour installer le pilote avant de vous reconnecter.

             Un événement d'erreur s'est produit. ID de l'événement : 0x00000457

                Temps généré : 08/20/2013   08:41:22

                Chaîne d'événement :

                Le pilote WebEx Document Loader requis pour l'imprimante WebEx Document Loader est inconnu. Contactez l'administrateur pour installer le pilote avant de vous reconnecter.

             Un événement d'erreur s'est produit. ID de l'événement : 0x00000457

                Temps généré : 08/20/2013   08:41:22

                Chaîne d'événement :

                Le pilote Samsung SCX-3400 Series requis pour l'imprimante SCX-3400 est inconnu. Contactez l'administrateur pour installer le pilote avant de vous reconnecter.

             Un événement d'erreur s'est produit. ID de l'événement : 0x00000457

                Temps généré : 08/20/2013   08:41:25

                Chaîne d'événement :

                Le pilote PDFCreator requis pour l'imprimante PDFCreator est inconnu. Contactez l'administrateur pour installer le pilote avant de vous reconnecter.

             Un événement d'erreur s'est produit. ID de l'événement : 0x00000457

                Temps généré : 08/20/2013   08:41:25

                Chaîne d'événement :

                Le pilote Canon MG3100 series Printer requis pour l'imprimante Canon MG3100 series Printer est inconnu. Contactez l'administrateur pour installer le pilote avant de vous reconnecter.

             ......................... Le test SystemLog

              de SRV-APPLIS a échoué
          Démarrage du test : VerifyReferences

             ......................... Le test VerifyReferences

              de SRV-APPLIS a réussi


       Exécution de tests de partitions sur ForestDnsZones

          Démarrage du test : CheckSDRefDom

             ......................... Le test CheckSDRefDom

              de ForestDnsZones a réussi
          Démarrage du test : CrossRefValidation

             ......................... Le test CrossRefValidation

              de ForestDnsZones a réussi

       Exécution de tests de partitions sur DomainDnsZones

          Démarrage du test : CheckSDRefDom

             ......................... Le test CheckSDRefDom

              de DomainDnsZones a réussi
          Démarrage du test : CrossRefValidation

             ......................... Le test CrossRefValidation

              de DomainDnsZones a réussi

       Exécution de tests de partitions sur Schema

          Démarrage du test : CheckSDRefDom

             ......................... Le test CheckSDRefDom

              de Schema a réussi
          Démarrage du test : CrossRefValidation

             ......................... Le test CrossRefValidation

              de Schema a réussi

       Exécution de tests de partitions sur Configuration

          Démarrage du test : CheckSDRefDom

             ......................... Le test CheckSDRefDom

              de Configuration a réussi
          Démarrage du test : CrossRefValidation

             ......................... Le test CrossRefValidation

              de Configuration a réussi

       Exécution de tests de partitions sur domaine

          Démarrage du test : CheckSDRefDom

             ......................... Le test CheckSDRefDom

              de domaine a réussi
          Démarrage du test : CrossRefValidation

             ......................... Le test CrossRefValidation

              de domaine a réussi

       Exécution de tests d'entreprise sur domaine.local

          Démarrage du test : LocatorCheck

             Avertissement : l'appel DcGetDcName(TIME_SERVER) a échoué ; erreur

             1355

             Serveur de temps introuvable.

             Le serveur contenant le rôle PDC ne fonctionne pas.

             Avertissement : l'appel DcGetDcName(GOOD_TIME_SERVER_PREFERRED) a

             échoué ; erreur 1355

             Serveur de temps introuvable.

             ......................... Le test LocatorCheck

              de domaine.local a échoué
          Démarrage du test : Intersite

             ......................... Le test Intersite

              de domaine.local a réussi

    The logs are in French since it's a French OS... I hope you will understand it all and can help me with it.

    Thanks anyway for the help


                                                       
    • Edited by nvlop Tuesday, August 20, 2013 7:08 AM
    Tuesday, August 20, 2013 7:05 AM
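
Added example, not part of any post in this thread: a Python sketch that reads the `Replications` section of a French-locale dcdiag report like the one pasted above and returns, per naming context, the error code, failure count and days since the last success, plus the `repadmin /options <DC> -<FLAG>` command in the form dcdiag itself prints. The sample text is constructed from values in the thread, the function and class names are hypothetical, and the 8457 mapping is an assumption taken from the Win32 error table rather than from the logs.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the layout dcdiag prints on a French-locale DC, with
# values from the thread. The second record keeps the code-page damage that
# console pastes often carry ("‚" for "é", "…" for "à").
SAMPLE = """\
      Démarrage du test : Replications
            De SRV-APPLIS vers SRV
            Contexte de nommage : DC=ForestDnsZones,DC=domaine,DC=local
            La réplication a généré une erreur (8456) :
            L'échec s'est produit à 2013-08-20 08:18:33.
            La dernière réussite s'est produite à 2013-08-06 16:59:08.
            532 échecs se sont produits depuis la dernière réussite.
            La réplication a été explicitement désactivée via les options de
            serveur.
            De SRV-APPLIS vers SRV
            Contexte de nommageÿ: DC=domaine,DC=local
            La r‚plication a g‚n‚r‚ une erreur (8456)ÿ:
            L'‚chec s'est produit … 2013-08-20 08:41:26.
            La derniŠre r‚ussite s'est produite … 2013-08-06 17:47:00.
            3224 ‚checs se sont produits depuis la derniŠre r‚ussite.
            La r‚plication a ‚t‚ explicitement d‚sactiv‚e via les options de
            serveur.
         ......................... Le test Replications
          de SRV a échoué
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
RE_PAIR = re.compile(r"^De (\S+) vers (\S+)$")


def to_dt(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


# (attribute, pattern, converter). Accented letters are matched with "." so
# clean and damaged text both parse; bool() turns the last match into True.
FIELDS = [
    ("naming_context", re.compile(r"^Contexte de nommage.{0,2}:\s*(.+)$"), str),
    ("error", re.compile(r"une erreur \((\d+)\)"), int),
    ("last_failure", re.compile(r"chec s'est produit . " + TS), to_dt),
    ("last_success", re.compile(r"ussite s'est produite . " + TS), to_dt),
    ("failures", re.compile(r"^(\d+) .checs se sont produits"), int),
    ("disabled_by_options", re.compile(r"(sactiv.e via les options)"), bool),
]

# 8456: the source DC rejects replication requests (in the dcdiag output).
# 8457 (assumption, not in the logs): the destination DC rejects them.
OPTION_FOR_ERROR = {8456: ("source", "DISABLE_OUTBOUND_REPL"),
                    8457: ("dest", "DISABLE_INBOUND_REPL")}


@dataclass
class ReplFailure:  # hypothetical record type for this example
    source: str
    dest: str
    naming_context: str = ""
    error: int = 0
    last_failure: datetime = None
    last_success: datetime = None
    failures: int = 0
    disabled_by_options: bool = False

    def outage_days(self):
        """Whole days between last success and latest failure, or None."""
        if self.last_failure and self.last_success:
            return (self.last_failure - self.last_success).days


def parse_dcdiag_replications(text):
    """Return one ReplFailure per 'De <source> vers <dest>' block."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if "Le test Replications" in line:  # summary line ends the section
            break
        pair = RE_PAIR.match(line)
        if pair:  # a new failure record starts here
            records.append(ReplFailure(pair.group(1), pair.group(2)))
            continue
        if not records:
            continue
        for attr, pattern, convert in FIELDS:
            m = pattern.search(line)
            if m:
                setattr(records[-1], attr, convert(m.group(1)))
                break
    return records


def suggested_commands(records):
    """Build the 'repadmin /options <DC> -<FLAG>' lines dcdiag recommends."""
    cmds = []
    for r in records:
        if r.disabled_by_options and r.error in OPTION_FOR_ERROR:
            role, flag = OPTION_FOR_ERROR[r.error]
            cmds.append(f"repadmin /options {getattr(r, role)} -{flag}")
    return list(dict.fromkeys(cmds))  # de-duplicate, keep first-seen order
```

Calling `parse_dcdiag_replications()` on a saved `dcdiag.log` and comparing `outage_days()` across naming contexts shows at a glance whether every partition stopped replicating at the same time, as it did here.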
  • Hello,

    you rely on the default gateway as DNS server, which is WRONG "Passerelle par défaut. . . . . . . . . : 192.168.110.254"!!!

    In a domain, DNS is the most important part and must be configured correctly. The domain internal DNS servers should be, if possible, the DCs with AD-integrated DNS zones.

    192.168.110.5 and 192.168.110.250 should be the domain internal DNS servers.

    Or you work with another non-Microsoft DNS server, BUT it must have the correct records for a domain to work.

    I assume the DCs are also DNS servers, at least the first installed one, so please change ALL domain machines to the internal DNS servers on the NIC and NONE else. After that run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon service on DCs and reboot all other machines.

    Then check again with the support tools for errors.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, August 20, 2013 7:35 AM
  • Hello,

    We set up the default gateway as second DNS because our gateway (Kerio Control) is set up to forward DNS to 192.168.110.250 & 192.168.110.5 (the 2 internal DNS servers), so it must be correct as far as I know. Am I wrong?

    Moreover, this setup on both DCs didn't change between the time it worked and now, when it does not work anymore, so the problem should be elsewhere, no?


    Tuesday, August 20, 2013 7:45 AM
  • Hello,

    then you were lucky that it worked until now.

    The DG is NOT a DNS server that AD relies on, and this results in multiple problems. So please remove it and configure the real IP addresses of the internal DNS servers as preferred and the other one as secondary DNS server, and the loopback IP address 127.0.0.1 as third on the NIC (recommended by the DNS BPA).

    As FORWARDER configure the internal DNS servers on the DNS server properties in the DNS management console instead.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, August 20, 2013 8:04 AM
  • Hello Meinolf,

    So to summarize, here is what I should set up:

    On SRV,

    setting up the NIC like this:

    First DNS  192.168.110.5 
    Second DNS 192.168.110.250
    Third DNS 127.0.0.1

    In DNS server Management console, change forwarders in properties as 192.168.110.250

    Do a ipconfig /flushdns & /registerdns, plus doing a reboot of netlogon services

    On SRV-APPLIS,

    setting up the NIC like this:

    First DNS  192.168.110.250 
    Second DNS 192.168.110.5
    Third DNS 127.0.0.1

    In DNS server Management console, change forwarders in properties as 192.168.110.5

    Do an ipconfig /flushdns & /registerdns, plus a restart of the netlogon service

    Is this it?


    • Edited by nvlop Tuesday, August 20, 2013 8:44 AM
    Tuesday, August 20, 2013 8:43 AM
  • The recommended steps have been done on both DCs.

    The replication is still failing with the error "The destination server is currently rejecting replication requests" when I try to force it manually by replicating now.

    And I still get the LDAP error 81: Server down when I enter the commands repadmin/options - DISABLE_OUTBOUND_REPL and repadmin/options - DISABLE_INBOUND_REPL.

     Any idea?

    Tuesday, August 20, 2013 11:56 AM
  • In addition, here is the REPADMIN log from both DCs:

    From SRV:

    repadmin /showrepl  /verbose /all /intersite

    Repadmin : exécution de la commande /showrepl sur le contrôleur de domaine complet localhost
    Default-First-Site-Name\SRV
    Options DSA : IS_GC
    Options de site : (none)
    GUID de l'objet DSA : 97bae7f5-e644-4311-906a-0ceeb321f1e5
    ID de l'invocation DSA : 97bae7f5-e644-4311-906a-0ceeb321f1e5

    === INSTANCES VOISINES ENTRANTES ==================================

    = INSTANCES VOISINES SORTANTES POUR NOTIFICATIONS DE MODIFICATION =

    DC=domaine,DC=local
        Default-First-Site-Name\SRV-APPLIS via RPC
            GUID de l'objet DSA : 00bd7556-be24-4c71-ace4-64d98b737403
            Adresse : 00bd7556-be24-4c71-ace4-64d98b737403._msdcs.domaine.local
            WRITEABLE
            La dernière tentative, le 2013-08-20 15:18:05, a réussi.

    CN=Configuration,DC=domaine,DC=local
        Default-First-Site-Name\SRV-APPLIS via RPC
            GUID de l'objet DSA : 00bd7556-be24-4c71-ace4-64d98b737403
            Adresse : 00bd7556-be24-4c71-ace4-64d98b737403._msdcs.domaine.local
            WRITEABLE
            La dernière tentative, le 2013-08-13 14:33:52, a réussi.

    CN=Schema,CN=Configuration,DC=domaine,DC=local
        Default-First-Site-Name\SRV-APPLIS via RPC
            GUID de l'objet DSA : 00bd7556-be24-4c71-ace4-64d98b737403
            Adresse : 00bd7556-be24-4c71-ace4-64d98b737403._msdcs.domaine.local
            WRITEABLE
            La dernière tentative, le 2013-08-06 09:59:26, a réussi.

    DC=DomainDnsZones,DC=domaine,DC=local
        Default-First-Site-Name\SRV-APPLIS via RPC
            GUID de l'objet DSA : 00bd7556-be24-4c71-ace4-64d98b737403
            Adresse : 00bd7556-be24-4c71-ace4-64d98b737403._msdcs.domaine.local
            WRITEABLE
            La dernière tentative, le 2013-08-20 10:36:48, a réussi.

    DC=ForestDnsZones,DC=domaine,DC=local
        Default-First-Site-Name\SRV-APPLIS via RPC
            GUID de l'objet DSA : 00bd7556-be24-4c71-ace4-64d98b737403
            Adresse : 00bd7556-be24-4c71-ace4-64d98b737403._msdcs.domaine.local
            WRITEABLE
            La dernière tentative, le 2013-08-20 10:40:20, a réussi.

    ==== OBJETS DE CONNEXION DU VÉRIFICATEUR DE COHÉRENCE DES DONNÉES ======
    Connexion --
        Nom de la connexion.. : 1962db1a-2d56-4918-9fc5-bcedef4c259a
        Nom du serveur DNS... : SRV.domaine.local
        Nom unique du serveur : CN=NTDS Settings,CN=SRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domaine,DC=local
            Source : Default-First-Site-Name\SRV-APPLIS
    ******* 3294 échecs consécutifs depuis 2013-08-06 17:47:00
    Dernière erreur : 8456 (0x2108):
                Le serveur source rejette actuellement les demandes de réplication.
            Type de transport : appel de procédure distante intrasite
            Options :  isGenerated
            Contexte de nom des réplicas : DC=domaine,DC=local
            Raison :  StaleServersTopology
                    Le lien du réplica a été ajouté.
            Contexte de nom des réplicas : DC=DomainDnsZones,DC=domaine,DC=local
            Raison :  StaleServersTopology
                    Le lien du réplica a été ajouté.
            Contexte de nom des réplicas : CN=Configuration,DC=domaine,DC=local
            Raison :  StaleServersTopology
                    Le lien du réplica a été ajouté.
            Contexte de nom des réplicas : DC=ForestDnsZones,DC=domaine,DC=local
            Raison :  StaleServersTopology
                    Le lien du réplica a été ajouté.
            Contexte de nom des réplicas : CN=Schema,CN=Configuration,DC=domaine,DC=local
            Raison :  StaleServersTopology
                    Le lien du réplica a été ajouté.
            Connexion activée : TRUE
            Date de modification : 20130806174936.0Z
            Date de création : 20130522133655.0Z
            Planification :
            jour : 0123456789ab0123456789ab
            Dim: 111111111111111111111111
            Lun: 111111111111111111111111
            Mar: 111111111111111111111111
            Mer: 111111111111111111111111
            Jeu: 111111111111111111111111
            Ven: 111111111111111111111111
            Sam: 111111111111111111111111
    1 connexions trouvées.
    Chargement de la planification de la répartition des partitions :




    From SRV-APPLIS:


    Repadmin : exécution de la commande /showrepl sur le contrôleur de domaine complet localhost
    Default-First-Site-Name\SRV-APPLIS
    Options DSA : IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
    Options de site : (none)
    GUID de l'objet DSA : 00bd7556-be24-4c71-ace4-64d98b737403
    ID de l'invocation DSA : cc19ba4a-7a79-4ee4-a24a-11b868b2167b

    === INSTANCES VOISINES ENTRANTES ==================================

    = INSTANCES VOISINES SORTANTES POUR NOTIFICATIONS DE MODIFICATION =

    DC=domaine,DC=local
        Default-First-Site-Name\SRV via RPC
            GUID de l'objet DSA : 97bae7f5-e644-4311-906a-0ceeb321f1e5
            Adresse : 97bae7f5-e644-4311-906a-0ceeb321f1e5._msdcs.domaine.local
            WRITEABLE
            La dernière tentative, le 2013-08-20 15:16:46, a réussi.

    CN=Configuration,DC=domaine,DC=local
        Default-First-Site-Name\SRV via RPC
            GUID de l'objet DSA : 97bae7f5-e644-4311-906a-0ceeb321f1e5
            Adresse : 97bae7f5-e644-4311-906a-0ceeb321f1e5._msdcs.domaine.local
            WRITEABLE
            La dernière tentative, le 2013-08-13 14:34:55, a réussi.

    CN=Schema,CN=Configuration,DC=domaine,DC=local
        Default-First-Site-Name\SRV via RPC
            GUID de l'objet DSA : 97bae7f5-e644-4311-906a-0ceeb321f1e5
            Adresse : 97bae7f5-e644-4311-906a-0ceeb321f1e5._msdcs.domaine.local
            WRITEABLE
            La dernière tentative, le 2013-08-06 00:47:11, a réussi.

    DC=DomainDnsZones,DC=domaine,DC=local
        Default-First-Site-Name\SRV via RPC
            GUID de l'objet DSA : 97bae7f5-e644-4311-906a-0ceeb321f1e5
            Adresse : 97bae7f5-e644-4311-906a-0ceeb321f1e5._msdcs.domaine.local
            WRITEABLE
            La dernière tentative, le 2013-08-20 13:23:09, a réussi.

    DC=ForestDnsZones,DC=domaine,DC=local
        Default-First-Site-Name\SRV via RPC
            GUID de l'objet DSA : 97bae7f5-e644-4311-906a-0ceeb321f1e5
            Adresse : 97bae7f5-e644-4311-906a-0ceeb321f1e5._msdcs.domaine.local
            WRITEABLE
            La dernière tentative, le 2013-08-20 13:21:15, a réussi.

    ==== OBJETS DE CONNEXION DU VÉRIFICATEUR DE COHÉRENCE DES DONNÉES ======
    Connexion --
        Nom de la connexion.. : 34386628-e595-4108-b072-bbad2ee5439c
        Nom du serveur DNS... : SRV-APPLIS.domaine.local
        Nom unique du serveur : CN=NTDS Settings,CN=SRV-APPLIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domaine,DC=local
            Source : Default-First-Site-Name\SRV
    ******* 19973 échecs consécutifs depuis 2013-08-06 17:39:15
    Dernière erreur : 8457 (0x2109):
                Le serveur de destination rejette actuellement les demandes de réplication.
            Type de transport : appel de procédure distante intrasite
            Options :  isGenerated
            Contexte de nom des réplicas : DC=domaine,DC=local
            Raison :  StaleServersTopology
                    Le lien du réplica a été ajouté.
            Contexte de nom des réplicas : DC=DomainDnsZones,DC=domaine,DC=local
            Raison :  StaleServersTopology
                    Le lien du réplica a été ajouté.
            Contexte de nom des réplicas : CN=Configuration,DC=domaine,DC=local
            Raison :  StaleServersTopology
                    Le lien du réplica a été ajouté.
            Contexte de nom des réplicas : DC=ForestDnsZones,DC=domaine,DC=local
            Raison :  StaleServersTopology
                    Le lien du réplica a été ajouté.
            Contexte de nom des réplicas : CN=Schema,CN=Configuration,DC=domaine,DC=local
            Raison :  StaleServersTopology
                    Le lien du réplica a été ajouté.
            Connexion activée : TRUE
            Date de modification : 20130806174655.0Z
            Date de création : 20130522133536.0Z
            Planification :
            jour : 0123456789ab0123456789ab
            Dim: 111111111111111111111111
            Lun: 111111111111111111111111
            Mar: 111111111111111111111111
            Mer: 111111111111111111111111
            Jeu: 111111111111111111111111
            Ven: 111111111111111111111111
            Sam: 111111111111111111111111
    1 connexions trouvées.
    Chargement de la planification de la répartition des partitions :

         



              
    • Edited by nvlop Tuesday, August 20, 2013 2:06 PM
    Tuesday, August 20, 2013 2:01 PM
  • Does anyone got time to help me with this please?

    I agree with Meinolf. The event IDs are generic replication issues. We need the information he requested to provide specifics.

    Also, on the posted Event ID 2093, you did not post the whole event. We need to see the additional info about the partitions that didn't replicate and the part that says, "Elapsed time since last successful replication (hours): xxxx." This part is important due to knowing whether it's beyond the tombstone or not.

    -

    If you cannot post the requested info, what I can say in general terms is:

    1. Make sure that any installed AV has been properly excluded for DC operations. If not sure how, consult the AV vendor website. If they don't offer any info, uninstall it. AV is one of the MAIN factors for replication errors.
    2. Multihomed DCs. If it has more than one unteamed NIC, IP address, RRAS installed or an iSCSI interface, that will cause additional DNS registration data causing replication issues.
    3. Disable the Windows Firewall or any other third party firewall.
    4. Run PortQry to check for firewalled ports - info below.
    5. Do not install applications on a DC other than just DHCP, DNS and WINS.
    6. Duplicate DNS zones can cause this. Read this for more info - "Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones"
    7. Check your AD Tombstone. If it's 60, change it to 180. Watch this for more info - "AD Tombstone Value = What it is and How to Change it"
    8. Make sure that the first DNS entry in the NIC is to a partner DC, and the second one is to itself or the Loopback address (127.0.0.1).
    9. Do NOT use an ISP's or some other outside or any other DNS server that does not have any info about your AD zone. All DNS server entries on the NIC must have equivalent data. You can't mix internal and external DNS entries.
    10. AD zone is a single-label name. The zone called "DOMAIN" does not work with AD. It must be minimally two level, such as "domain.local," "domain.com," "domain.nvol," etc.

    -

    Run PortQry GUI choosing the "Domains & Trusts" option between each other (DCs). Run the test from a DC to a DC from both sides to each other. Post only errors with "NOTLISTENING," 0x00000001, and 0x00000002.
           PortQryUI - GUI - Version 2.0 8/2/2004
           http://www.microsoft.com/download/en/details.aspx?id=24009

    -


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, August 20, 2013 2:20 PM
  • Hello Ace,

    Thanks for trying to help me too.

    I understand I need to provide as much information as possible to you in order to resolve this situation.
    So here is the complete log about event ID 2093:

    Nom du journal :Directory Service
    Source :       Microsoft-Windows-ActiveDirectory_DomainService
    Date :         19/08/2013 10:01:29
    ID de l’événement :2093
    Catégorie de la tâche :Réplication
    Niveau :       Avertissement
    Mots clés :    Classique
    Utilisateur :  ANONYMOUS LOGON
    Ordinateur :   SRV-APPLIS.domaine.local
    Description :

    Le serveur distant qui est le propriétaire d’un rôle FSMO ne répond pas. Ce serveur n’a pas effectué récemment de réplication avec le propriétaire du rôle FSMO. 
     
    Les opérations nécessitant de contacter un maître d’opérations FSMO échoueront tant que cette condition n’est pas corrigée. 
     
    Rôle FSMO : CN=Schema,CN=Configuration,DC=domaine,DC=local 
    Nom de domaine du serveur FSMO : CN=NTDS Settings,CN=SRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domaine,DC=local 
    Seuil de latence (heures) : 24 
    Temps écoulé depuis la dernière réplication réussie (heures) : 305 
     
    Action utilisateur : 
     
    Ce serveur n’a pas effectué de réplication réussie avec le serveur détenteur du rôle FSMO. 
    1. Le serveur détenteur du rôle FSMO est peut-être arrêté ou ne répond pas. Résolvez le problème de ce serveur. 
    2. Déterminez si le rôle est défini correctement sur le serveur détenteur du rôle FSMO. Si le rôle doit être ajusté, utilisez NTDSUTIL.EXE pour transférer ou vous approprier le rôle. Ceci peut être effectué selon les étapes décrites dans les articles 255504 et 324801 de la Base de connaissances à l’adresse : http://support.microsoft.com. 
    3. Si le serveur détenteur du rôle FSMO était un contrôleur de domaine mais qu’il a été rétrogradé correctement, les objets représentant ce serveur se trouvent encore dans la forêt. Ceci peut se produire si le système d’exploitation a été réinstallé sur un contrôleur de domaine ou si une suppression forcée a été effectuée. Ces objets d’état résiduels doivent être supprimés avec la fonction de nettoyage des métadonnées de NTDSUTIL.EXE. 
    4. Le détenteur du rôle FSMO peut ne pas être un partenaire de réplication directe. S’il s’agit d’un partenaire indirect ou de transition, il existe alors un ou plusieurs partenaires de réplication intermédiaire à travers lesquels les données de la réplication circulent. Le temps de latence total de la réplication doit être inférieur au seuil de latence de réplication, sinon cet avertissement peut être émis de façon prématurée. 
    5. La réplication est bloquée quelque part le long de la chaîne de serveurs entre le serveur détenteur du rôle FSMO et ce serveur. Consultez le plan de la topologie de votre forêt pour déterminer la route probable de la réplication entre ces serveurs. Vérifiez l’état de la réplication à l’aide de repadmin /showrepl pour chacun de ces serveurs. 
     
    Les opérations suivantes peuvent être affectées : 
    Schéma : vous ne pourrez plus modifier le schéma pour cette forêt. 
    Attribution de noms de domaine : vous ne pourrez plus ajouter ou supprimer des domaines pour cette forêt. 
    Contrôleur de domaine principal : vous ne pourrez plus effectuer des opérations de contrôleur de domaine principal, telles que des mises à jour de la stratégie de groupe et des réinitialisations de mot de passe pour des comptes qui ne font pas partie des services de domaine Active Directory. 
    ID relatif (RID) : vous ne pourrez pas allouer de nouveaux identifiants de sécurité pour de nouveaux comptes d’utilisateurs ou d’ordinateurs, ni à des groupes de sécurité. 
    Infrastructure : les références de noms entre domaines, telles que les appartenances de groupes universels, ne seront pas mises à jour correctement si leur objet cible est déplacé ou renommé.
    XML de l’événement :
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
        <EventID Qualifiers="32768">2093</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>5</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2013-08-19T08:01:29.809567700Z" />
        <EventRecordID>1685</EventRecordID>
        <Correlation />
        <Execution ProcessID="524" ThreadID="652" />
        <Channel>Directory Service</Channel>
        <Computer>SRV-APPLIS.domaine.local</Computer>
        <Security UserID="S-1-5-7" />
      </System>
      <EventData>
        <Data>CN=Schema,CN=Configuration,DC=domaine,DC=local</Data>
        <Data>CN=NTDS Settings,CN=SRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domaine,DC=local</Data>
        <Data>24</Data>
        <Data>305</Data>
      </EventData>
    </Event>

    Hope it will help...

    Tuesday, August 20, 2013 2:28 PM
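
Added example (not written by any poster in this thread): Ace asks for the elapsed-time field of event 2093 so it can be judged against the tombstone lifetime. The Python below reads those fields from the event XML posted above; the embedded XML is trimmed from that post, and the 60 and 180 day lifetimes are the two values named in the thread, not values read from this domain.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trimmed copy of the event XML posted above (only the fields used here).
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="32768">2093</EventID>
    <TimeCreated SystemTime="2013-08-19T08:01:29.809567700Z" />
    <Computer>SRV-APPLIS.domaine.local</Computer>
  </System>
  <EventData>
    <Data>CN=Schema,CN=Configuration,DC=domaine,DC=local</Data>
    <Data>CN=NTDS Settings,CN=SRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domaine,DC=local</Data>
    <Data>24</Data>
    <Data>305</Data>
  </EventData>
</Event>"""


def parse_event_2093(xml_text):
    """Extract reporter, FSMO role partition, role holder and hour counters."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id != 2093:
        raise ValueError(f"expected event 2093, got {event_id}")
    data = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < 4:
        raise ValueError("event 2093 should carry four Data fields")
    role_nc, holder_dn, threshold, elapsed = data[:4]
    # The holder is named by its NTDS Settings object; the server is the next RDN.
    rdns = [part.split("=", 1)[1] for part in holder_dn.split(",") if "=" in part]
    holder = rdns[1] if len(rdns) > 1 and rdns[0] == "NTDS Settings" else holder_dn
    return {
        "reporter": root.findtext("e:System/e:Computer", namespaces=NS),
        "role_nc": role_nc,
        "holder": holder,
        "threshold_hours": int(threshold),
        "elapsed_hours": int(elapsed),
    }


def assess(event, tombstone_days):
    """Return (status, hours left before the tombstone lifetime is exceeded)."""
    left = tombstone_days * 24 - event["elapsed_hours"]
    if left <= 0:
        return "BEYOND_TOMBSTONE", left
    if event["elapsed_hours"] > event["threshold_hours"]:
        return "STALE_WITHIN_TOMBSTONE", left
    return "OK", left


if __name__ == "__main__":
    ev = parse_event_2093(EVENT_XML)
    for days in (60, 180):  # the two tombstone lifetimes mentioned in the thread
        status, left = assess(ev, days)
        print(f"{ev['reporter']} -> {ev['holder']} [{ev['role_nc']}]: "
              f"{ev['elapsed_hours']} h since last success, tombstone {days} d: "
              f"{status}, {left} h ({left / 24:.1f} d) left")
```
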
  • I don't read or write French, so it's a bit difficult to understand. And it would have been better as originally suggested by Meinolf, to post this info to Skydrive or some other sharing site due to the large amount of data that will make this thread grow very large and difficult to navigate.

    From what I see, replication is disabled on this DC, based on the error "The destination server is currently rejecting requests."

    The causes for this are:

    • A USN rollback occurred (NTDS General Event 2103).
    • The hard disk is full (NTDS General Event 1393). 
    • A corrupt UTD vector is present (Event 2881).

    More info:

    Troubleshooting AD Replication error 8456 or 8457: "The source | destination server is currently rejecting replication requests"
    http://support.microsoft.com/kb/2023007

    -

    Are the DCs virtual or physical? If virtual, did you ever perform a snapshot restore? If yes, then that will cause a USN rollback, which can be the cause of the whole problem, and the DC would be better off force-demoted, run a metadata cleanup, then re-promote.

    Were the DCs created by an image that was not Sysprepped?

    -

    Glad you got the DNS settings corrected with Meinolf's help.

    -

    And why are you Forwarding to 192.168.110.5? That is one of the DCs. Forwarding between each other can cause a forwarding loop, which is problematic and nothing will get resolved. I recommend removing the forwarders or forward to your ISP.

    -


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    • Edited by Ace Fekay [MCT]MVP Tuesday, August 20, 2013 3:53 PM added link to "...rejecting requests."
    Tuesday, August 20, 2013 3:52 PM
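
Added example (not written by any poster in this thread): the diagnosis above can be read off `repadmin /showrepl` output regardless of display language, because the DSA option flags, the failure counter and the error code are locale-independent. The Python below parses two samples trimmed from the outputs posted earlier and cross-checks which DC is refusing replication; the follow-up event IDs are the three named in the post above.

```python
import re
from dataclasses import dataclass, field

# Error codes and follow-up events as named in the thread above.
REJECTING = {8456: "source server rejects replication requests",
             8457: "destination server rejects replication requests"}
FOLLOW_UP_EVENTS = {2103: "USN rollback", 1393: "hard disk full",
                    2881: "corrupt UTD vector"}

# Samples trimmed from the two /showrepl outputs posted above (French locale).
SHOWREPL_SRV = r"""
Default-First-Site-Name\SRV
Options DSA : IS_GC
=== INSTANCES VOISINES ENTRANTES ==================================
        Source : Default-First-Site-Name\SRV-APPLIS
******* 3294 échecs consécutifs depuis 2013-08-06 17:47:00
Dernière erreur : 8456 (0x2108):
"""
SHOWREPL_SRV_APPLIS = r"""
Default-First-Site-Name\SRV-APPLIS
Options DSA : IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
=== INSTANCES VOISINES ENTRANTES ==================================
        Source : Default-First-Site-Name\SRV
******* 19973 échecs consécutifs depuis 2013-08-06 17:39:15
Dernière erreur : 8457 (0x2109):
"""


@dataclass
class ShowRepl:
    dc: str = ""
    options: set = field(default_factory=set)
    failures: list = field(default_factory=list)  # (source, count, since, error)


def parse_showrepl(text):
    """Parse /showrepl text using only tokens that do not depend on the locale."""
    rep = ShowRepl()
    source, pending, in_header = None, None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):          # first section banner ends the header
            in_header = False
            continue
        if in_header:
            if not rep.dc and re.fullmatch(r"[^\\\s:]+\\[^\\\s:]+", line):
                rep.dc = line.split("\\", 1)[1]          # Site\Server
            rep.options.update(re.findall(r"\b[A-Z]+(?:_[A-Z]+)+\b", line))
            continue
        m = re.match(r"Source[^:]*:\s*\S+\\(\S+)", line)
        if m:
            source = m.group(1)
            continue
        m = re.match(r"\*+\s*(\d+)\D.*?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = re.search(r"\b(\d+) \(0x[0-9a-fA-F]+\)", line)
        if m and pending:
            rep.failures.append((source, pending[0], pending[1], int(m.group(1))))
            pending = None
    return rep


def triage(reports):
    """Map each DC that is refusing replication to the evidence against it."""
    evidence = {}
    for rep in reports:
        disabled = sorted(o for o in rep.options if o.startswith("DISABLE_"))
        if disabled:
            evidence.setdefault(rep.dc, []).append(
                f"{rep.dc} reports DSA options {' '.join(disabled)}")
        for source, count, since, err in rep.failures:
            if err not in REJECTING:
                continue
            # 8456 blames the source partner; 8457 blames the reporting DC itself.
            blamed = source if err == 8456 else rep.dc
            evidence.setdefault(blamed, []).append(
                f"{rep.dc} <- {source}: {count} consecutive failures since {since}, "
                f"error {err} ({REJECTING[err]})")
    return evidence


if __name__ == "__main__":
    reports = [parse_showrepl(SHOWREPL_SRV), parse_showrepl(SHOWREPL_SRV_APPLIS)]
    for dc, items in triage(reports).items():
        print(f"{dc} is refusing replication:")
        for item in items:
            print("  -", item)
        wanted = ", ".join(f"{i} ({why})" for i, why in sorted(FOLLOW_UP_EVENTS.items()))
        print(f"  check the Directory Service log on {dc} for events: {wanted}")
```
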
  • Hello Ace,

    SRV is a physical DC and SRV-APPLIS is a virtual DC which was made from a non-Sysprepped image. We never performed a rollback snapshot on this DC.

    The problem is that SRV-APPLIS (the virtual one) was the FSMO master, so I guess I can't force-demote and re-promote it to the domain? I can't transfer the FSMO roles to SRV (the physical one) because the current FSMO master (SRV-APPLIS) can't be contacted anymore by SRV...

    So what can I do to have one of my 2 DCs working properly and repair the second one to have good replication again?

    Thanks to Meinolf, I corrected my DNS settings following his instructions, so now I should be good on that. I also put my internal DNS servers in forwarding because Meinolf told me to (as I understood). Do I have to pull the two internal DNS servers out of forwarding and put my gateway (Kerio Control firewall) in instead?

    Thanks for your time on this.

    PS: I put all my logs on Skydrive but as I am not a verified member, I can't post links in my post :(

    Wednesday, August 21, 2013 6:49 AM
  • Was the image used to build SRV-APPLIS also used elsewhere on another server? If it was, that could be the basis for all the problems, due to the identical SID numbers. Sysprep rips out the SIDs of an image so anytime you use it for a new installation, it builds new SIDs while it goes through a mini-setup, such as the same thing when you buy a new computer from Dell, HP, Lenovo, etc. The mini-setup portion when you put your name and computer name, etc, in, is when it does that.

    At this time, my suggestion is to shut down and delete SRV-APPLIS, then seize (not transfer) the FSMO roles to SRV, then perform a metadata cleanup on SRV to remove all references of SRV-APPLIS. I have a step-by-step showing how to do all that and all the places you have to make sure it's cleaned out of:

    Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, cleanup DNS (Nameservertab), AD Sites (old DC references), transfer or fix time settings, WINS settings, etc.
     Published by Ace Fekay, MCT, MVP DS on Oct 5, 2010 at 12:14 AM
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

    -

    Forwarders:

    As for forwarders, you may have misunderstood Meinolf. We cannot forward between DCs, because as I said above, it will cause a resolution loop, which causes major problems. The only time we can forward between DCs is with a parent-child domain DNS delegation, but you do not have such a design. I also do NOT recommend forwarding to your router. The router is not a DNS server. Forward directly to your ISP's DNS servers. Contact your ISP for their DNS addresses. You can also use 4.2.2.3 & 4.2.2.2, but I would rather you find your ISP's DNS server addresses for your locale.

    -

    Reinstall and Build SRV-APPLIS from scratch!!!

    Once you've removed SRV-APPLIS, cleaned up the metadata, and fixed your forwarders, then you want to build a DC from scratch. Please do not use an un-Sysprepped image. Build it from scratch. Believe me, if you don't have a sysprepped image, you really, really want to build it from scratch using the DVD. You can use the same name, if you like.

    -

    As for verification, I'm not sure what's involved. I believe that verification is required to prevent spammers, which was a problem in the past. Just keep posting! :-)

    And between all of us here, we'll help you get this fixed up. Just take the steps one at a time, but definitely closely follow directions for a smooth resolution.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, August 21, 2013 2:24 PM
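
Added example (not written by any poster in this thread): the DNS rules given in the replies above (NIC entries only to DNS servers that hold the AD zone, partner DC first then the DC itself or loopback, no forwarding between the DCs or to the router) expressed as a check over each DC's settings. Assumptions for illustration only: SRV is 192.168.110.5, SRV-APPLIS is 192.168.110.250 and the gateway is 192.168.110.1; the thread does not state which address belongs to which server or what the gateway address is.

```python
from dataclasses import dataclass

LOOPBACK = "127.0.0.1"
GATEWAY = "192.168.110.1"   # assumed address, not given in the thread


@dataclass
class DnsServer:
    name: str
    ip: str
    nic_dns: list      # DNS client entries on the NIC, in order
    forwarders: list   # forwarders set in the DNS server properties


def nic_issues(server, all_servers):
    """Check one DC's NIC DNS list against the rules given in the thread."""
    dc_ips = {s.ip for s in all_servers}
    partners = dc_ips - {server.ip}
    issues = []
    for addr in server.nic_dns:
        if addr != LOOPBACK and addr not in dc_ips:
            issues.append(f"{server.name}: NIC entry {addr} is not a DNS server "
                          "holding the AD zone")
    if partners and (not server.nic_dns or server.nic_dns[0] not in partners):
        issues.append(f"{server.name}: first NIC entry is not a partner DC")
    if not {server.ip, LOOPBACK} & set(server.nic_dns):
        issues.append(f"{server.name}: NIC list does not include the DC itself")
    return issues


def forwarder_loops(all_servers):
    """Return each cycle in the forwarder graph between the listed DNS servers."""
    by_ip = {s.ip: s for s in all_servers}
    cycles = set()

    def walk(server, path):
        for fwd in server.forwarders:
            nxt = by_ip.get(fwd)
            if nxt is None:              # external forwarder: leaves the graph
                continue
            if nxt.name in path:
                cyc = path[path.index(nxt.name):]
                start = cyc.index(min(cyc))          # rotate to a canonical form
                cycles.add(tuple(cyc[start:] + cyc[:start]))
            else:
                walk(nxt, path + [nxt.name])

    for s in all_servers:
        walk(s, [s.name])
    return sorted(cycles)


def forwarder_issues(all_servers, gateway=GATEWAY):
    issues = [f"{s.name}: forwards to the router {f}"
              for s in all_servers for f in s.forwarders if f == gateway]
    issues += ["forwarding loop: " + " -> ".join(c + (c[0],))
               for c in forwarder_loops(all_servers)]
    return issues


# Constructed inputs. ORIGINAL: gateway as second DNS, as first described.
ORIGINAL = [DnsServer("SRV", "192.168.110.5", ["192.168.110.5", GATEWAY], [])]
# SUMMARISED: the settings listed in the "So to summarize" post, with the assumed mapping.
SUMMARISED = [
    DnsServer("SRV", "192.168.110.5",
              ["192.168.110.5", "192.168.110.250", LOOPBACK], ["192.168.110.250"]),
    DnsServer("SRV-APPLIS", "192.168.110.250",
              ["192.168.110.250", "192.168.110.5", LOOPBACK], ["192.168.110.5"]),
]
# CORRECTED: partner first, then self and loopback; public forwarders named above.
CORRECTED = [
    DnsServer("SRV", "192.168.110.5",
              ["192.168.110.250", "192.168.110.5", LOOPBACK], ["4.2.2.3", "4.2.2.2"]),
    DnsServer("SRV-APPLIS", "192.168.110.250",
              ["192.168.110.5", "192.168.110.250", LOOPBACK], ["4.2.2.3", "4.2.2.2"]),
]

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("summarised", SUMMARISED),
                       ("corrected", CORRECTED)):
        found = [i for s in cfg for i in nic_issues(s, cfg)] + forwarder_issues(cfg)
        print(label, "->", found or "no issues")
```
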
  • Thanks Ace for your recommendations and explanations.

    I didn't express myself well in my last post.
    SRV-APPLIS was built from scratch with the Microsoft ISO. I assume that the SID is unique but I could check to be sure.

    Another thing I didn't say is the fact that I can't delete SRV-APPLIS because (I know this is not recommended) it has other roles as application server and file server with shares in production... So I can't follow your action plan to resolve the situation.

    Thanks for the clarifications on FORWARDERS, I understand better how it works now, so I will fix these parameters too in order to be sure it doesn't come with more parallel problems.

    Any other idea to fix SRV-APPLIS?
    Can I try to backup the system state from a backup at a time it was working well (probably 8th August image)? Do you think it is a good idea? Any risk?

    I really don't know how I can fix all this without disturbing my production... :/

    Wednesday, August 21, 2013 2:38 PM
  • You could try a system state, but you also have to restore the C: drive when you do that (there are numerous folders that Windows relies on that's on C:), but it may affect your applications. This is one of the *main* reasons we do NOT recommend installing applications on a DC.

    Can you move the stuff off the DC to a member server (Non-DC)?


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, August 21, 2013 3:22 PM
  • I forgot to say  ----> Or just demote it.

    If you don't have any Microsoft applications on it, such as Exchange, SQL, then you can do it. Just demote it.

    Then leave it a member server.

    Then build another Windows installation and promote that, but do NOT install anything else other than DNS, WINS, and possibly DHCP (if needed).


    Wednesday, August 21, 2013 3:24 PM
  • Ace,

    For financial reasons, I can't have a second server doing DC only, that's why we have SRV-APPLIS which is acting as DC, DNS and applications server... This server is really important and I can't afford to lose it.

    Correct me if I'm wrong but here is what I want to try:

    - Shut down SRV-APPLIS
    - Seize the FSMO roles from SRV-APPLIS to SRV (I can only do this if SRV-APPLIS is shut down, right?)
    - Boot SRV-APPLIS and make a dcpromo /forceremoval
    - Clean up the metadata of SRV
    From here, I should have SRV working properly as the main and only DC with FSMO roles.
    Then I can try to:
    - Make a dcpromo on SRV-APPLIS to make it a second DC
    - Try replication which should work

    What do you think of this action plan? Are there any recommendations to take before doing it?


    Friday, August 23, 2013 7:05 AM
  • Do not simply shutdown SRV-APPLIS. AD must still be removed off it. As I said before, JUST DEMOTE IT!!

    To be specific so there are no questions or assumptions, here are my recommendations, and this will work AS LONG AS (and I said this before) Exchange or SQL server is not on the machine, and it's not a certificate server. Note: if Exchange, SQL or Certificate services are on it, this procedure will not work. Third party apps, WINS or DHCP will NOT be affected.

    1. On SRV, make sure the first DNS is pointing to itself, and the second DNS entry is the Loopback (127.0.0.1).
    2. On SRV, uninstall any antivirus and disable the Windows firewall.
    3. On SRV-APPLIS, uninstall any antivirus and disable the Windows firewall.
    4. On SRV-APPLIS, make sure the ONLY DNS in the NIC is set to SRV. That's it.
    5. On SRV-APPLIS, uninstall DNS. Do NOT delete the zone. Simply UNINSTALL DNS. That's it. You can leave WINS or DHCP on it, if you like.
    6. On SRV-APPLIS, run dcpromo /forcedemote to force demote it. This will remove all of the AD binaries off the machine and turn it into a member server. This will also preserve your third party applications and other services running on it.
    7. On SRV-APPLIS, run PortQRY from SRV-APPLIS to SRV. Make sure no ports are being blocked. If any ports are blocked, make sure antivirus and the firewalls were uninstalled.
    8. On SRV, run a metadata cleanup, and clean all other areas. I already posted my blog on how to do this in this thread, but for your convenience, for a complete step-by-step, please click this - and it shows how to seize roles, clean out DNS, Sites, etc: Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, cleanup DNS (Name Servers tab), AD Sites (old DC references), transfer or fix time settings, WINS settings, etc.)
    9. Set time service on SRV:
       W32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
       W32tm /resync /rediscover
    10. After all the above has been completed, then on SRV-APPLIS, run dcpromo to re-promote it to a DC. Choose the Option to install DNS as part of the process.
    11. If you receive a message or error that a DNS delegation can't be found, IGNORE IT. Continue with the promotion.
    12. Open DNS. Check the zones if they populated. If they didn't, JUST WAIT. DO NOT manually create any zones. They will appear automatically. Go have lunch or dinner or something. Check later. They will automatically populate. If you manually create the zone, it will cause NUMEROUS problems.
    13. Check the Event logs to make sure no errors appear.
    14. Wait a day or two, then on SRV-APPLIS, set the first DNS to SRV, and the second as the Loopback address.
    15. Check the Event logs to make sure no errors appear.

    After completed, post back with your results.


    • Marked as answer by nvlop Monday, August 26, 2013 12:15 PM
    Friday, August 23, 2013 4:44 PM
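
A read-only check script covering steps 4, 7, 13 and 15 of the plan above, added here as an example and not part of the original thread or of Ace's guide. It assumes PowerShell 2.0 on Windows Server 2008 R2, the server name SRV from the thread, and a TCP-only port list chosen for illustration (PortQry also tests UDP); it also reports the firewall state that steps 2 and 3 changed so it can be restored once the work is finished.

```powershell
# Added example, not from the thread. Read-only; run elevated on SRV-APPLIS.
$Partner = 'SRV'   # partner DC name as used in the thread

# Assumed TCP port list for DC-to-DC traffic (UDP and dynamic RPC ports are not tested)
$AdPorts = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'
              389 = 'LDAP'; 445 = 'SMB'; 3268 = 'Global Catalog' }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a filtered port fails after the timeout instead of hanging
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

"== TCP reachability from $env:COMPUTERNAME to $Partner (step 7) =="
foreach ($p in ($AdPorts.Keys | Sort-Object)) {
    $state = if (Test-TcpPort $Partner $p) { 'open' } else { 'BLOCKED or closed' }
    '{0,5}  {1,-20} {2}' -f $p, $AdPorts[$p], $state
}

"== DNS servers configured on each NIC (steps 4 and 14) =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    ForEach-Object { '{0}: {1}' -f $_.Description, ($_.DNSServerSearchOrder -join ', ') }

"== Windows Firewall profile state (disabled in steps 2 and 3) =="
netsh advfirewall show allprofiles state

"== Directory Service errors and warnings, last 24 hours (steps 13 and 15) =="
# The log only exists on a DC; after the demotion this section reports nothing.
$filter = @{ LogName = 'Directory Service'; Level = 2, 3; StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    $events | Group-Object Id | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
} else { 'no errors or warnings found (or log not present)' }

# Replication and role checks only make sense once the machine is a DC again (step 10)
if (Get-Service NTDS -ErrorAction SilentlyContinue) {
    "== Replication status and FSMO role holders =="
    repadmin /showrepl
    netdom query fsmo
}
```

Event IDs 1863 and 2093 in the grouped output are the replication events from the original question, so their absence after the re-promotion is the result to look for.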
  • Thanks Ace for your action plan.

    I actually did step 1 to 9 and everything is fine again.
    I will either try to do step 10 to 15 to repromote it as a DC or try to add a second server with only the DC, DNS roles to secure the whole thing as recommended.

    Thanks again for your help and time on this. It was really appreciated.

    I will come back with an update as soon as I have made the repromote to give feedback and close the ticket.

    Best

    Monday, August 26, 2013 9:08 AM
  • It would be better to promote it if you want the server to be a DNS server, otherwise you have to play around with Secondary zones. If it's a DC, just install DNS and replication will *automatically* populate the zone without any further action on your part.

    Looking forward to your update.


    Monday, August 26, 2013 5:38 PM