Windows Server 2003 Event 1864 and 1311

  • Thursday, April 19, 2012 8:05 AM
     
     

    Dear All,

    I have recently shifted my PDC to a new server machine. I am a child domain of the worldwide company forest. I am continuously facing these errors in the event log: 1864 and 1311, and also the warning 1865.

    And the same server is also the Exchange server of my domain, so due to replication problems the users I create are not reflected in the GAL as well.

    I have also set the ISTG using the ADSI wizard; previously my ISTG was the old server name.

    Please help me to resolve the issue. 

    Also, please help me: is there any way, either in ADSI or another MMC, that I can view the whole tree of our forest and check whether my DC is replicating to the co-location server or not?

    Kind Regards,

    Rashid Ali

All Replies

  • Thursday, April 19, 2012 8:15 AM
    Moderator
     
     

    How many domains and forests do you have? How is DNS configured? How has your AD topology been configured? Are you saying your domain controller is also an Exchange server? You need to provide more detailed information.

    Troubleshooting KCC Event Log Errors  http://blogs.technet.com/b/askds/archive/2008/10/31/troubleshooting-kcc-event-log-errors.aspx



    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Thursday, April 19, 2012 8:28 AM
     
     

    Please provide more inputs on this problem.

    Refer below link which might help you to narrow down the problem.

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/ccae98d9-75cb-4988-8a1a-535b3e1bfeac

    http://social.technet.microsoft.com/Forums/fi-FI/winserverDS/thread/567922cd-9c0b-44db-bdbb-803fec000163

    http://technet.microsoft.com/en-us/library/cc740252(v=ws.10).aspx

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights. Email-giteepag@yahoo.co.in

  • Thursday, April 19, 2012 8:33 AM
     
     

    Few questions-

    Did you properly move your PDC to new DC?

    Is this the only DC in your child domain?

    What errors do you see in dcdiag /q on this DC?

    Did you run repadmin /kcc ?

    Do you see the connection object created for this DC under your site (use dssite.msc)?

    What directory partition is failing to replicate in event 1311?

    Are site links configured properly for all the sites? Open the AD Sites and Services (dssite.msc) snap-in to check.

    How did you set the ISTG? Did you use adsiedit.msc?

    Also please help me that is there any way possible either in ADSI or other mmc that i can View all the tree of our forest and can check either my DC is replicating to the co location server or not?

    = Use the dssite.msc snap-in.

    Also refer to this article for -

    Troubleshooting replication

    http://technet.microsoft.com/en-us/library/cc755349(WS.10).aspx


     Sachin Gadhave (MCP, MCTS)



  • Thursday, April 19, 2012 8:36 AM
     
     Proposed

    It seems to be a DNS name resolution issue, or the necessary ports are not fully opened between locations, or a network connectivity issue. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open or not.

    Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
    Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    Active Directory and Active Directory Domain Services Port Requirements.
    http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

    Ensure the following DNS settings on the DC:
    1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
    2. Each DC has just one IP address and a single network adapter enabled.
    3. Contact your ISP, get valid DNS IPs from them and add them to the forwarders. Do not set public DNS servers in the TCP/IP settings of the DC.
    4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS and NETLOGON services on each DC.
    Do not put private DNS IP addresses in the forwarder list.
    5. Assign a static IP address to the DC if its IP address is assigned by a DHCP server; a DHCP-assigned address on a DC is strongly not recommended.

    Troubleshooting Event ID 1311: Knowledge Consistency Checker:

    http://support.microsoft.com/kb/214745

    Event ID 1566 — Network Name Resource Availability:

    http://technet.microsoft.com/en-us/library/dd353930(WS.10).aspx

    Event ID 1865 — KCC Replication Path Computation:

    http://technet.microsoft.com/en-us/library/cc756648(WS.10).aspx

    Can you post the following to further help us diagnose this?

    • Unedited ipconfig /all from each DC
    • A PortQry result (just post any "FILTERED" or "NOT LISTENING" in the results)
    • Dcdiag /q and repadmin /replsum output

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Proposed As Answer by VenkatSP Friday, April 27, 2012 7:46 PM
  • Thursday, April 19, 2012 8:51 AM
     
     

    Hello,

    IIRC this belongs to another thread you had already started? If yes, please add the link here so we can have a look at the previous answers, as this hardly belongs to those problems.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Thursday, April 19, 2012 9:16 AM
     
     

    Hello,

    You have to provide us with additional information about your AD domain (See Awinish reply).

    I would recommend starting with basic troubleshooting steps to solve your AD replication issue:

    Check that all needed ports for AD replication are opened in both directions between all DCs: http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx

    Use PortQryUI or PortQry V2 for checking.

    For the DNS resolution, I would recommend proceeding like that:

    • Choose a healthy DC / DNS server in the main office
    • Make all DCs point to this DC as primary DNS server
    • Make sure that each DC has one IP address in use and one single NIC card enabled
    • Make sure that public DNS servers are set as forwarders and not in the IP settings of DCs

    Once done, run ipconfig /registerdns and restart netlogon on each DC you have. This will let all DCs update their DNS records on the chosen DC and start with it for DNS resolution. With that, I would assume that DNS resolution will be okay.

    Once done, run repadmin /syncall and check results. Note that if your DNS zones are AD-Integrated, they will be replicated via AD replication.

    Once all is okay, you can make 2008 / 2008 R2 DCs point to their private IP address as primary DNS server and other DNS servers as secondary ones. For 2003 DCs, I would recommend not making them point to their private IP address as primary DNS server, to avoid slow logons when restarting them.

    Note also that this can be due to security software running on the DCs. For that, you may try disabling it on the DCs temporarily.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer
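    A script that checks a DC against the DNS checklist given in the two replies above (Sandesh's numbered points, with the primary-DNS expectation adjustable for the interim setup Ahmed describes). It is added here as an example and was not posted by anyone in the thread. It assumes an elevated Windows PowerShell session (2.0 or later) on the DC itself, the DNS Server role installed locally, and WMI reachable; by default it expects the DC's own address as primary DNS (checklist point 1), and the hypothetical `-ExpectedPrimaryDns` parameter lets you name the healthy main-office DC instead. Function and parameter names are my own.

```powershell
# Added example, not from the thread. Audits this DC's TCP/IP DNS settings and
# DNS Server forwarders against the checklist in the replies above.
# Assumptions: elevated Windows PowerShell (2.0 or later) on the DC itself,
# DNS Server role installed locally, WMI namespaces root\cimv2 and
# root\MicrosoftDNS reachable. Function/parameter names are hypothetical.

function Test-PrivateIPv4 {
    # True for RFC 1918 ranges, which is what the checklist means by "private".
    param([string]$Address)
    $octets = $Address -split '\.'
    if ($octets.Count -ne 4) { return $false }
    $a = [int]$octets[0]; $b = [int]$octets[1]
    return (($a -eq 10) -or
            ($a -eq 172 -and $b -ge 16 -and $b -le 31) -or
            ($a -eq 192 -and $b -eq 168))
}

function Get-DcDnsFindings {
    param(
        # Address the primary DNS entry is expected to be. Default: this DC's own IP
        # (checklist point 1). Pass the healthy main-office DC for the interim setup.
        [string]$ExpectedPrimaryDns
    )
    $findings = @()

    # Point 2: exactly one IP-enabled adapter with exactly one IPv4 address.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
    if ($nics.Count -ne 1) {
        $findings += "Expected one IP-enabled adapter, found $($nics.Count)."
    }
    foreach ($nic in $nics) {
        $ipv4 = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
        if ($ipv4.Count -ne 1) {
            $findings += "Adapter '$($nic.Description)' has $($ipv4.Count) IPv4 addresses; a DC should have one."
        }
        # Point 5: a DC must not take its address from DHCP.
        if ($nic.DHCPEnabled) {
            $findings += "Adapter '$($nic.Description)' is DHCP-assigned; give the DC a static address."
        }
        $dns = @($nic.DNSServerSearchOrder)
        if ($dns.Count -eq 0) {
            $findings += "Adapter '$($nic.Description)' has no DNS servers configured."
            continue
        }
        # Point 1: primary DNS should be the expected DC (itself unless overridden).
        $expected = if ($ExpectedPrimaryDns) { $ExpectedPrimaryDns } elseif ($ipv4.Count -eq 1) { $ipv4[0] } else { $null }
        if ($expected -and $dns[0] -ne $expected) {
            $findings += "Primary DNS is $($dns[0]); expected $expected."
        }
        # Point 3: no public resolvers in TCP/IP settings (they belong in forwarders).
        foreach ($server in $dns) {
            if (-not (Test-PrivateIPv4 $server)) {
                $findings += "Public DNS server $server is in TCP/IP settings; move it to the forwarders list."
            }
        }
    }

    # Point 4: forwarders hold the ISP resolvers and never a private address.
    $dnsServer = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server -ErrorAction SilentlyContinue
    if ($null -eq $dnsServer) {
        $findings += "Could not query the local DNS Server service (DNS role not installed here?)."
    } else {
        foreach ($fwd in @($dnsServer.Forwarders)) {
            if ($fwd -and (Test-PrivateIPv4 $fwd)) {
                $findings += "Private address $fwd is in the forwarders list; forwarders should be the ISP's resolvers."
            }
        }
    }
    return $findings
}

$results = @(Get-DcDnsFindings)
if ($results.Count -eq 0) {
    Write-Output "DNS settings on $env:COMPUTERNAME match the checklist."
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

    Run it on each DC in turn; an empty result means the machine matches the checklist, otherwise each line names the point that fails. The script only reads configuration and changes nothing, so it is safe to run before and after the ipconfig /registerdns and service restarts the replies ask for.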

  • Thursday, April 19, 2012 10:12 AM
     
     

    Dear All,

    Thanks for your inputs.

    I will answer you all one by one.

    Awinish:

    As I have told you, I am a child domain of the forest and there are multiple DCs in the forest, but in my domain I have only 2 DCs. I have set up DNS on both of these 2 DCs. Additionally, to link with the forest, I have 4 other DNS servers that I have added to the forwarders of my internal DNS servers. And yes, I am running the Exchange server on the same DC.

    Sachin:

    1. I have properly moved the PDC to the other DC.
    2. This is the main DC in the child domain; the domain has 2 DCs.
    3. I ran showreps/kcc.
    4. Connection objects are created for the site.
    5. The replication failure because of 1311: I don't know why.
    6. I set DC3 as ISTG using ADSI; in the CN of the site I edited the server name.

    Sandesh,

    1. Sorry, but I cannot post ipconfig /all here.
    2. Dcdiag /q is posted above.
    3. And repadmin /replsum is taking too much time to produce output.

    Weber,

    Previously I had an ISTG setting question and that has been done, and some other post about re-adding a DC without decommissioning, but I have got through that.

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/d00bd1b5-7f78-4202-a3f5-29f5b97c59c1

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/b8dc14b5-b3c1-4e12-8a9b-9a5e0d403273

    Awaiting your valuable feedback.

    Regards,

    Rashid

  • Thursday, April 19, 2012 10:22 AM
    Moderator
     
     

    Exchange on the DC is a bad design, and neither is it supported. The first disadvantage of Exchange on the DC is that you can't demote the DC without removing the Exchange role; second, it will not look at any other GC in the domain apart from the DC it is installed on. Did you refer to the earlier posted article, and did it provide any help?

    http://technet.microsoft.com/en-us/library/aa997060%28v=exchg.80%29.aspx

    The Sysvol/Netlogon share is not accessible, and that can be due to a network issue or high latency. First verify the connectivity and then the health of the DCs using the dcdiag tool.

    I guess there is some change either at the network or firewall level; just verify it. Make sure DNS is configured according to the below article.

    http://awinish.wordpress.com/2011/04/09/configuring-dns-in-child-domain/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Thursday, April 19, 2012 10:37 AM
     
     

    From the dcdiag log the netlogon share is not available. Can you verify whether the sysvol folder contains the Policies and scripts folders? If they are missing you need to perform an authoritative and non-authoritative restore of sysvol.

    1) Normally for an Authoritative Restore you stop the NTFRS service on all DCs.
    2) Set burflags to D4 on a known good sysvol (or at this time restore sysvol data from backup, then set burflags to D4), then start NTFRS on this server. You may want to rename the old folders with .old extensions prior to restoring good data.
    3) Clean up the folders on all the remaining servers (Policies, Scripts, etc.) by renaming them with .old extensions.
    4) Set burflags to D2 on all remaining servers and start NTFRS.
    5) Wait for FRS to replicate.
    6) Clean up the .old stuff if things look good.

    This is probably what you need to do to get it back. Essentially the http://support.microsoft.com/kb/290762/ article.

    Note: Kindly take a backup of the sysvol folder of the Windows 2000/2003 DC, that is, copy and paste the content of sysvol to a temp location, and then perform the authoritative and non-authoritative restore of sysvol as mentioned.

    Also ensure that the DNS settings are configured on the DC and the required ports are open for AD replication before you proceed.

    It is not a good idea to have the Exchange role on a DC; it is not recommended and it should be on a member server. However, if you have budget issues you have no choice.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
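    The six-step BurFlags procedure above, written out as a script. This is an added example, not code from the thread or from the KB article it cites. It assumes an elevated Windows PowerShell session (2.0 or later) on a Windows 2003, FRS-based DC, SYSVOL in its default location under %SystemRoot%, and that the hypothetical `-Authoritative` switch (D4) is used on exactly one known-good DC while every other DC runs it in the default non-authoritative (D2) mode. The function names are my own.

```powershell
# Added example, not from the thread: the BurFlags procedure described above,
# applied to the local DC. Assumptions: elevated Windows PowerShell (2.0 or later)
# on a Windows 2003 (FRS-based) DC; SYSVOL in its default place under %SystemRoot%;
# -Authoritative (D4) is used on one known-good DC only and every other DC runs
# the default non-authoritative (D2) mode. Function names are hypothetical.
param(
    [switch]$Authoritative,
    [string]$SysvolDomainPath = (Join-Path $env:SystemRoot 'SYSVOL\domain')
)

# The key name contains a forward slash, so the .NET registry API is used rather
# than the HKLM: provider, which would read the slash as a path separator.
$keyPath  = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$burFlags = if ($Authoritative) { 0xD4 } else { 0xD2 }   # D4 = this copy wins, D2 = re-pull from a partner
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

function Backup-SysvolContent {
    # The note in the reply above: copy SYSVOL aside before touching anything.
    param([string]$Path, [string]$Stamp)
    $backup = Join-Path $env:TEMP "sysvol-backup-$Stamp"
    Copy-Item -Path $Path -Destination $backup -Recurse -Force
    return $backup
}

function Set-BurFlags {
    param([string]$SubKey, [int]$Value)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
    if ($null -eq $key) { throw "Registry key HKLM\$SubKey not found; is NTFRS installed?" }
    try {
        $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        return [int]$key.GetValue('BurFlags')
    } finally {
        $key.Close()
    }
}

# Step 1: stop FRS so nothing is written while folders are renamed.
Stop-Service -Name NtFrs -Force

$backupLocation = Backup-SysvolContent -Path $SysvolDomainPath -Stamp $stamp
Write-Output "SYSVOL copied to $backupLocation"

# Step 3: non-authoritative members set Policies and scripts aside as .old so the
# replica is rebuilt from the D4 partner; the authoritative copy keeps its data.
if (-not $Authoritative) {
    foreach ($name in 'Policies', 'scripts') {
        $folder = Join-Path $SysvolDomainPath $name
        if (Test-Path $folder) { Rename-Item -Path $folder -NewName "$name.old.$stamp" }
    }
}

# Steps 2 and 4: write the flag and start FRS, which reads and clears BurFlags on startup.
$written = Set-BurFlags -SubKey $keyPath -Value $burFlags
Write-Output ('BurFlags set to 0x{0:X} on {1}' -f $written, $env:COMPUTERNAME)
Start-Service -Name NtFrs

# Steps 5 and 6: replication takes a while; confirm the shares are back before removing .old folders.
Write-Output "When 'net share' again lists SYSVOL and NETLOGON, replication has completed; the .old folders can then be removed."
```

    Order matters exactly as the reply says: run it with `-Authoritative` on the one DC whose SYSVOL you trust and let NTFRS start there first, then run it without the switch on the remaining DCs. Because the D2 path renames Policies and scripts before FRS starts, the backup copy in %TEMP% is the only local copy of that data until replication from the D4 partner completes.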



  • Thursday, April 19, 2012 11:16 AM
     
     

    Hi

    This issue normally occurs when there is a replication problem.

    Please run the following command to check the replication status.

    Repadmin /showrepl

    Repadmin /test: replication 

    Please also refer to the link given below to resolve the issue.

    http://blog.joeware.net/2009/10/04/1721/

    Hope this will help.

    Ajay sharma.
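    Reading the output of the command recommended above by eye is tedious when many partners are listed; the script below, added here as an example and not posted by anyone in the thread, summarizes `repadmin /showrepl * /csv` so the naming context that event 1311 names stands out. It assumes repadmin.exe with the /csv switch is on the PATH (Windows 2003 SP1 Support Tools or later); when it is not, a constructed sample is parsed instead so the logic runs offline. The function names and sample data are my own.

```powershell
# Added example, not from the thread: summarize "repadmin /showrepl * /csv"
# so the naming context that event 1311 names stands out. Assumption: repadmin.exe
# with the /csv switch is on the PATH (Windows 2003 SP1 Support Tools or later);
# when it is not, the constructed sample below is parsed instead so the logic runs offline.
# Function names and the sample data are hypothetical.

# Constructed sample in the /csv layout: one healthy domain partition and two
# forest-wide partitions that have not replicated since 10 April (status 1722 is
# the Win32 code for "RPC server unavailable").
$sampleCsv = @(
    '"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"',
    '"showrepl_INFO","ChildSite","SERVER1","DC=child,DC=example,DC=com","ChildSite","SERVER2","RPC","0","0","2012-04-19 08:00:02","0"',
    '"showrepl_INFO","ChildSite","SERVER1","CN=Configuration,DC=example,DC=com","HQ","HQDC01","RPC","12","2012-04-19 07:55:10","2012-04-10 02:13:41","1722"',
    '"showrepl_INFO","ChildSite","SERVER1","CN=Schema,CN=Configuration,DC=example,DC=com","HQ","HQDC01","RPC","12","2012-04-19 07:55:10","2012-04-10 02:13:41","1722"'
)

function Get-ShowReplRows {
    # Runs repadmin when available, otherwise returns the constructed sample.
    $exe = Get-Command repadmin.exe -ErrorAction SilentlyContinue
    if ($exe) { return (& repadmin /showrepl * /csv) }
    Write-Warning "repadmin.exe not found; using the constructed sample."
    return $sampleCsv
}

function Get-ReplicationFailures {
    # Keeps only partner rows with at least one failure, as plain objects.
    param([string[]]$CsvLines)
    $rows = $CsvLines | ConvertFrom-Csv
    foreach ($row in $rows) {
        if ([int]$row.'Number of Failures' -gt 0) {
            New-Object PSObject -Property @{
                Destination = $row.'Destination DSA'
                Source      = $row.'Source DSA'
                Context     = $row.'Naming Context'
                Failures    = [int]$row.'Number of Failures'
                LastSuccess = $row.'Last Success Time'
                Status      = $row.'Last Failure Status'
            }
        }
    }
}

$failures = @(Get-ReplicationFailures -CsvLines (Get-ShowReplRows))
if ($failures.Count -eq 0) {
    Write-Output "No inbound replication failures reported."
} else {
    # Group by naming context: the partition(s) listed here should match event 1311.
    foreach ($group in ($failures | Group-Object Context)) {
        Write-Output "Naming context $($group.Name):"
        foreach ($f in $group.Group) {
            Write-Output ("  {0} <- {1}: {2} failures, status {3}, last success {4}" -f $f.Destination, $f.Source, $f.Failures, $f.Status, $f.LastSuccess)
        }
    }
}
```

    On the sample data the domain partition is silent and both forest-wide partitions are reported against HQDC01 with status 1722, which is the pattern to expect when a child-domain DC can reach its local partner but not the parent site: the failing naming context and the partner, not the DC's own domain, are what to take to the port and DNS checks the other replies describe.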

  • Thursday, April 19, 2012 12:20 PM
     
     

    Hi,

    The results for repadmin /showrepl and repadmin /test are both successful.

    Could you please help me with which command I can automatically generate the sites for replication?

    Regards,

    Rashid

  • Thursday, April 19, 2012 12:26 PM
    Moderator
     
     

    You need to make sure sites/subnets/site links are properly defined, and you can run repadmin /kcc * to generate the connection objects automatically. You have to run this cmd on each DC.

    http://blogs.technet.com/b/markmoro/archive/2011/08/05/you-are-not-smarter-than-the-kcc.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Thursday, April 19, 2012 12:36 PM
     
     

    If repadmin /replsum does not report any error and the required topology is already created, then you can perform a non-authoritative restore (D2) to fix the issue; unless and until the sysvol and netlogon shares are available, the server will not act as a DC.
    http://support.microsoft.com/kb/290762/


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.



  • Thursday, April 19, 2012 1:58 PM
     
     

    hi all,

    I am trying to fix the sysvol and netlogon share errors.

    I will contact you with feedback after that.

    Regards,

    Rashid

  • Friday, April 27, 2012 7:35 AM
     
     

    Dear All,

    Hope you are all doing well.

    I have worked a lot to solve the issues on my PDC, as mentioned.

    Well, I came to know that my PDC's secure channel is broken and it couldn't create the trust with the domain, and netlogon is not working properly, as I am continuously facing Event 5719.

    As I have investigated, when I run nltest /sc_verify:mydomain.com on my PDC (Server1) it shows the error I_Netlogoncontrol failed : status = 1355 0x54b ERROR_NO_SUCH_DOMAIN.

    And if I run the same on the BDC (Server2, an additional DC) the result is Successful.

    The same is the case if I try to run nltest /sc_reset:mydomain.com on the PDC (Server1): it shows the same error I_Netlogoncontrol failed : status = 1355 0x54b ERROR_NO_SUCH_DOMAIN.

    Please help me to sort out the issue; your help is appreciated.

    Regards, Rashid


  • Friday, April 27, 2012 8:26 AM
     
     

    Rashid,

    Did you sort out your sysvol and netlogon share issue? If not, please have this resolved first. http://support.microsoft.com/kb/290762/

    Also,

    please check the below link, which helps you to understand the necessary ports required for replication over a firewall.

    http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx

    http://blogs.technet.com/b/janelewis/archive/2006/11/13/ports-used-in-active-directory-replication.aspx

    Additionally, you can use the PortQry tool to check the firewall ports. You can download it from the below link.

    http://www.microsoft.com/download/en/details.aspx?id=17148

    Using PortQry for Troubleshooting.

    http://blogs.technet.com/b/askds/archive/2009/01/22/using-portqry-for-troubleshooting.aspx

    Also, is your DNS in place? Check for DNS misconfiguration.

    Refer below article to understand this.

    http://support.microsoft.com/kb/321046

    About your nltest result, refer to http://serverfault.com/questions/204765/active-directory-1355-0x54b-error-no-such-domain

    Also, I am curious here:

    You have posted only part of the dcdiag /q results in an earlier post, which indicates there is an issue with the sysvol and netlogon shares. Are you getting any other error message besides this?

    I would request you to run dcdiag /q and post unedited results here.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Friday, April 27, 2012 8:45 AM
     
     

    As mentioned in the previous post, if the netlogon and sysvol shares are not available then the server will not act as a DC. You won't be able to open AD Sites and Services, AD Users and Computers, etc., and the netlogon share will not be available. You need to take care of this first. http://support.microsoft.com/kb/290762

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Friday, April 27, 2012 9:30 AM
     
     

    Bruce-Liu,

    Please unmark my answer, as the issue is still under discussion and is not resolved.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Friday, April 27, 2012 2:50 PM
     
     

    Thanks Sandesh and Prashant,

    Well, I have read through the articles you have provided and understood how to resolve the sysvol and netlogon issue, but in the same KB article for fixing burflags there are some considerations, as follows:

    • Verify that Active Directory replication is successful. Resolve Active Directory replication issues before you perform additional FRS troubleshooting. Use the Repadmin /showreps command to verify that Active Directory replication is occurring successfully. The Repadmin.exe tool is located in the Support\Tools folder on the Windows 2000 CD-ROM.
    • Verify that inbound and outbound Active Directory replication occurs between all domain controllers that host SYSVOL replica sets and between all domain controllers that host computer accounts for servers that participate in DFS replica sets.
    • Verify that FRS member objects, subscriber objects and connection objects exist in the Active Directory for all the computers that participate in FRS replication.
    • Verify that inbound and outbound connection objects exist for all domain controllers in the domain for SYSVOL replica sets.
    • Verify that all the members of DFS replica sets have at least inbound connection objects in a topology to avoid islands of replication.
    • Review the FRS and SYSTEM event logs on direct replication partners that are having difficulty.
    • Review the FRS debug logs in the %SYSTEMROOT%\DEBUG\NTFRS_*.LOG between the direct replication partners that are having replication problems.

    And I already have replication issues. I cannot take the risk of changing the registry key before fixing these considerations, and SERVER1 is the main DC of my domain and also has the Exchange server on it :-(

    So, after more research, I came to know that there could be a DNS problem as well, and I am facing Warning 409 whenever I restart DNS.

    Secondly, there is a continuous warning 32772: "The interdomain trust account for the domain mydomain.com could not be created. The return code is the data."

    Can this trust and DNS problem be the main reason? I want to solve it step by step and start from DNS.

    I have activated DNS on both Server1 and Server2 in my domain.

    Please suggest.

    Regards,

    Rashid