Replication error root/child domain
-
Friday, March 30, 2012 19:31
Hi,
We had some replication issues between our root and child domain. Repadmin /showreps shows me: Last error 5 - access denied. DNS and time are fine and there are no additional errors in the event log or in the BPA.
The error started at 11 am in the morning, when users from our child domain could not be verified. One GC is located in our site in Hamburg. As a result it could not be a WAN problem. The domain trust looks fine too. After we restarted all DCs in the child domain, everything came up fine after a few minutes.
What could be the reason for such an issue?
Thanks in advance to some lightning errors!
Best regards
Christian
All replies
-
Friday, March 30, 2012 19:39
It seems to be a DNS misconfiguration or a necessary port not open for AD replication. As you have mentioned that you are getting access denied, it could also be due to a broken secure channel between the DCs.
Ensure the following on DC:
1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
2. Each DC has just one IP address and single network adapter is enabled.
3. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC.
4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns" and restart the DNS and NETLOGON services on each DC.
Do not put private DNS IP addresses in the forwarder list.
5. Assign a static IP address to the DC if the IP address is assigned to the DC by a DHCP server. It is strongly not recommended.
Active Directory Firewall Ports - Let's Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
Refer below link:
Typical Symptoms when secure channel is broken
http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx
Refer below link:
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/
If the issue still persists, post the dcdiag /q and repadmin /replsum output as well as the ipconfig /all details of the DC.
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Edited by Sandesh Dubey (Microsoft Community Contributor) Friday, March 30, 2012 19:41
-
Friday, March 30, 2012 20:05
Hi Sandesh,
Thanks for your very fast response! I was thinking of a broken secure channel but am still reading about it.
The right IP addresses were registered and nslookup works fine in both directions. I did everything: /flushdns, restart of the Netlogon service and so on.
I will check your links!
THANKS
Christian
-
Saturday, March 31, 2012 6:10
Christian,
Replication error 5 "access denied" can be caused by multiple reasons, like:
1. SMB signing mismatch between source and destination domain controllers
2. Antivirus software blocking some communications
3. Port blockage on the firewall, etc.
Refer to the link below, which explains this behaviour, its causes and the resolution for it.
http://technet.microsoft.com/en-us/library/replication-error-5-access-is-denied(v=ws.10).aspx
You can use the PortQry tool to check whether the necessary ports are open or not.
Below is the link which you can refer to:
http://www.microsoft.com/download/en/details.aspx?id=17148
How to use the PortQry tool to troubleshoot Active Directory connectivity problems:
http://support.microsoft.com/kb/310456
Also make sure the account you are using to run the repadmin command line has appropriate administrator permissions.
If none of the above works, as Sandesh suggested, post the dcdiag and repadmin /replsum and ipconfig /all details.
Regards,
_Prashant_
MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Edited by Prashant Girennavar Saturday, March 31, 2012 6:42
- Marked as answer by Elytis Cheng (Moderator) Thursday, April 05, 2012 9:30
-
Saturday, March 31, 2012 7:40 Moderator
If rebooting resolves your issue then it might be that either the server was hung or there is a memory leak issue. Have you checked the event log, and what does it say? Also, I would recommend running a health check of your AD/domain to find out what's going wrong behind the scenes. There can also be a network issue which has triggered it, or antivirus creating issues.
Even though the trust for the parent and child domain automatically gets created during configuration of the child domain, it's a good idea to check the trust between the parent/child domain using the Nltest tool.
http://technet.microsoft.com/en-us/library/cc731935%28v=ws.10%29.aspx
Awinish Vishwakarma - MVP-DS
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Edited by Awinish (MVP, Moderator) Saturday, March 31, 2012 7:52
- Marked as answer by Elytis Cheng (Moderator) Thursday, April 05, 2012 9:30
-
Saturday, March 31, 2012 10:31
Hi,
Access Denied Replication Error indicates the domain controller failed to authenticate against its replication partner. This typically happens when the secure channel is broken, means its computer account password is not synchronized with the computer account password that is stored in the Active Directory of its replication.
Check this for resolution: http://technet.microsoft.com/en-us/library/bb727057.aspx#EEAA
Also check for antivirus applications; some of them come with a 'network protect' feature that causes trouble.
If the issue reoccurs, post the dcdiag /q and repadmin /replsum result.
Best Regards,
Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Marked as answer by Elytis Cheng (Moderator) Thursday, April 05, 2012 9:30
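
Added example, not part of any reply in this thread: a PowerShell triage of `repadmin /showrepl * /csv` output that separates status 5 (access denied, the secure channel and SMB signing causes discussed above) from connectivity and DNS failures. The sample rows, DC names and domain names are constructed, and the hints for codes other than 5 are assumptions added for contrast.

```powershell
# Constructed sample of `repadmin /showrepl * /csv` output; DC and domain names are made up.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Hamburg,ROOTDC1,"CN=Configuration,DC=example,DC=test",Hamburg,CHILDDC1,RPC,14,2012-03-30 18:45:10,2012-03-30 10:52:03,5
showrepl_INFO,Hamburg,ROOTDC1,"CN=Schema,CN=Configuration,DC=example,DC=test",Hamburg,CHILDDC1,RPC,14,2012-03-30 18:45:11,2012-03-30 10:52:04,5
showrepl_INFO,Hamburg,CHILDDC1,"DC=child,DC=example,DC=test",Hamburg,CHILDDC2,RPC,0,0,2012-03-30 18:44:00,0
showrepl_INFO,Hamburg,ROOTDC2,"CN=Configuration,DC=example,DC=test",Hamburg,ROOTDC1,RPC,3,2012-03-30 18:40:00,2012-03-30 17:10:00,1722
'@

# Triage hints per Win32 status code. 5 is the code from the thread;
# 1722 and 8524 are added here (assumption) to contrast with port/DNS causes.
$hints = @{
    5    = 'Access denied: verify secure channel / machine account password, SMB signing, AV network filter'
    1722 = 'RPC server unavailable: check firewall ports (PortQry) and name resolution'
    8524 = 'DNS lookup failure: check DNS client settings and DC records'
}

function Get-ReplFailure {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    $CsvLines | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            $code = [int]$_.'Last Failure Status'
            $hint = $hints[$code]
            if (-not $hint) { $hint = 'Look up this status code' }
            [pscustomobject]@{
                Destination = $_.'Destination DSA'
                Source      = $_.'Source DSA'
                Context     = $_.'Naming Context'
                Failures    = [int]$_.'Number of Failures'
                LastSuccess = $_.'Last Success Time'   # kept as text; repadmin prints 0 if never
                Status      = $code
                Hint        = $hint
            }
        }
}

# Live use on a DC: $lines = repadmin /showrepl * /csv
$lines    = $sample -split '\r?\n'
$failures = Get-ReplFailure -CsvLines $lines

# Oldest "last success" first: shows when each link stopped replicating.
$failures | Sort-Object LastSuccess | Format-Table -AutoSize -Wrap

# Source DCs that reject their partners with status 5: candidates for the secure channel check.
$failures | Where-Object Status -eq 5 | Group-Object Source | Select-Object Name, Count
```

When every status 5 link shares the same source or destination DC, that DC's secure channel is the first thing to verify with Nltest, as suggested in the replies.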

