File Replication Gone wrong

  • Question

  • I was in the process of troubleshooting a failed replication between the GC and a DC. Then I began receiving error messages saying the domain is unavailable.

    All of my Active Directory windows stopped working, displaying a message that includes "The specified Domain either does not exist or cannot be contacted".

    DCDiag output

    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

    C:\Users\Administrator.LLRAMDHANNY>dcdiag /q
             Fatal Error:DsGetDcName (HADES) call failed, error 1355
    The Locator could not find the server.
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=DomainDnsZones,DC=LLRAMDHANNY,DC=LOCAL
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=LLRAMDHANNY,DC=LOCAL
             ......................... HADES failed test NCSecDesc
             Unable to connect to the NETLOGON share! ("\\HADES\netlogon")
             [HADES] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... HADES failed test NetLogons
             An Error Event occurred.  EventID: 0x00000406
                Time Generated: 10/31/2012   04:50:07
                Event String:
                The processing of Group Policy failed. Windows attempted to retrieve
     new Group Policy settings for this user or computer. Look in the details tab fo
    r error code and description. Windows will automatically retry this operation at
     the next refresh cycle. Computers joined to the domain must have proper name re
    solution and network connectivity to a domain controller for discovery of new Gr
    oup Policy objects and settings. An event will be logged when Group Policy is su
    ccessful.
             An Error Event occurred.  EventID: 0x00000406
                Time Generated: 10/31/2012   04:55:09
                Event String:
                The processing of Group Policy failed. Windows attempted to retrieve
     new Group Policy settings for this user or computer. Look in the details tab fo
    r error code and description. Windows will automatically retry this operation at
     the next refresh cycle. Computers joined to the domain must have proper name re
    solution and network connectivity to a domain controller for discovery of new Gr
    oup Policy objects and settings. An event will be logged when Group Policy is su
    ccessful.
             An Error Event occurred.  EventID: 0x00000406
                Time Generated: 10/31/2012   05:00:12
                Event String:
                The processing of Group Policy failed. Windows attempted to retrieve
     new Group Policy settings for this user or computer. Look in the details tab fo
    r error code and description. Windows will automatically retry this operation at
     the next refresh cycle. Computers joined to the domain must have proper name re
    solution and network connectivity to a domain controller for discovery of new Gr
    oup Policy objects and settings. An event will be logged when Group Policy is su
    ccessful.
             An Error Event occurred.  EventID: 0x00000406
                Time Generated: 10/31/2012   05:05:15
                Event String:
                The processing of Group Policy failed. Windows attempted to retrieve
     new Group Policy settings for this user or computer. Look in the details tab fo
    r error code and description. Windows will automatically retry this operation at
     the next refresh cycle. Computers joined to the domain must have proper name re
    solution and network connectivity to a domain controller for discovery of new Gr
    oup Policy objects and settings. An event will be logged when Group Policy is su
    ccessful.
             An Error Event occurred.  EventID: 0x00000406
                Time Generated: 10/31/2012   05:10:17
                Event String:
                The processing of Group Policy failed. Windows attempted to retrieve
     new Group Policy settings for this user or computer. Look in the details tab fo
    r error code and description. Windows will automatically retry this operation at
     the next refresh cycle. Computers joined to the domain must have proper name re
    solution and network connectivity to a domain controller for discovery of new Gr
    oup Policy objects and settings. An event will be logged when Group Policy is su
    ccessful.
             An Error Event occurred.  EventID: 0x00000406
                Time Generated: 10/31/2012   05:15:20
                Event String:
                The processing of Group Policy failed. Windows attempted to retrieve
     new Group Policy settings for this user or computer. Look in the details tab fo
    r error code and description. Windows will automatically retry this operation at
     the next refresh cycle. Computers joined to the domain must have proper name re
    solution and network connectivity to a domain controller for discovery of new Gr
    oup Policy objects and settings. An event will be logged when Group Policy is su
    ccessful.
             An Error Event occurred.  EventID: 0x00000406
                Time Generated: 10/31/2012   05:20:23
                Event String:
                The processing of Group Policy failed. Windows attempted to retrieve
     new Group Policy settings for this user or computer. Look in the details tab fo
    r error code and description. Windows will automatically retry this operation at
     the next refresh cycle. Computers joined to the domain must have proper name re
    solution and network connectivity to a domain controller for discovery of new Gr
    oup Policy objects and settings. An event will be logged when Group Policy is su
    ccessful.
             An Error Event occurred.  EventID: 0x00000406
                Time Generated: 10/31/2012   05:25:25
                Event String:
                The processing of Group Policy failed. Windows attempted to retrieve
     new Group Policy settings for this user or computer. Look in the details tab fo
    r error code and description. Windows will automatically retry this operation at
     the next refresh cycle. Computers joined to the domain must have proper name re
    solution and network connectivity to a domain controller for discovery of new Gr
    oup Policy objects and settings. An event will be logged when Group Policy is su
    ccessful.
             An Error Event occurred.  EventID: 0x00000406
                Time Generated: 10/31/2012   05:30:28
                Event String:
                The processing of Group Policy failed. Windows attempted to retrieve
     new Group Policy settings for this user or computer. Look in the details tab fo
    r error code and description. Windows will automatically retry this operation at
     the next refresh cycle. Computers joined to the domain must have proper name re
    solution and network connectivity to a domain controller for discovery of new Gr
    oup Policy objects and settings. An event will be logged when Group Policy is su
    ccessful.
             An Error Event occurred.  EventID: 0x00000406
                Time Generated: 10/31/2012   05:35:30
                Event String:
                The processing of Group Policy failed. Windows attempted to retrieve
     new Group Policy settings for this user or computer. Look in the details tab fo
    r error code and description. Windows will automatically retry this operation at
     the next refresh cycle. Computers joined to the domain must have proper name re
    solution and network connectivity to a domain controller for discovery of new Gr
    oup Policy objects and settings. An event will be logged when Group Policy is su
    ccessful.
             An Error Event occurred.  EventID: 0x00000406
                Time Generated: 10/31/2012   05:40:33
                Event String:
                The processing of Group Policy failed. Windows attempted to retrieve
     new Group Policy settings for this user or computer. Look in the details tab fo
    r error code and description. Windows will automatically retry this operation at
     the next refresh cycle. Computers joined to the domain must have proper name re
    solution and network connectivity to a domain controller for discovery of new Gr
    oup Policy objects and settings. An event will be logged when Group Policy is su
    ccessful.
             ......................... HADES failed test SystemLog
             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
             A Global Catalog Server could not be located - All GC's are down.
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
             1355
             A Good Time Server could not be located.
             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
             A KDC could not be located - All the KDCs are down.
             ......................... LLRAMDHANNY.LOCAL failed test LocatorCheck

    C:\Users\Administrator.LLRAMDHANNY>

    Does anyone have any ideas?

    • Moved by Boo_MonstersInc Friday, November 2, 2012 1:27 AM (From:Management)
    Wednesday, October 31, 2012 10:27 AM

Answers

  • Hi,

    After checking the log you provided in the thread, the issue could be related to a DNS name resolution issue. At this time, we should do the following things first:

    1. Make sure that each DC/DNS server points to itself as primary DNS server and to other internal DNS servers as secondary ones
    2. Make sure that each DC without DNS points to the correct internal DNS servers as DNS servers
    3. Restart Netlogon service on DCs
    4. Make sure that the DC to promote points to the correct internal DNS server as primary one

    Also we should make sure that there is no firewall blocking the traffic. All needed ports are mentioned in this Microsoft article:

    http://technet.microsoft.com/en-us/library/bb727063.aspx

    Regarding how to troubleshoot DNS-related issues, please refer to the following article.

    Troubleshooting Active Directory—Related DNS Problems

    http://technet.microsoft.com/en-us/library/bb727055.aspx

    In addition, here is a thread as reference, it may be useful to us.

    Unable to connect to Netlogon share in Windows 2008 R2

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/19afe599-d403-4d25-a804-de99d5b1bb4b/

    Best Regards,

    Andy Qi

    TechNet Subscriber Support

    • Marked as answer by Andy Qi Thursday, November 8, 2012 11:17 AM
    Friday, November 2, 2012 9:30 AM
  • Did you perform any changes on the firewall or router or in the domain? It appears that the DC with the PDC role can't be contacted. Can you verify that the time service on the DC is running & it is in sync with the PDC?

    Windows Time Server Role in AD Forest/Domain  http://awinish.wordpress.com/2011/10/07/time-server-role-in-forestdomain/

    You can also use the newly released ADREPLStatus tool from MS to troubleshoot replication issues.

    http://awinish.wordpress.com/2012/06/15/active-directory-replication-status-tool/

    http://social.technet.microsoft.com/wiki/contents/articles/2285.active-directory-domain-services-ad-ds-troubleshooting-survival-guide-and-content-map.aspx

    To troubleshoot missing sysvol/netlogon shares, refer to the article below.

    http://support.microsoft.com/kb/257338


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by Andy Qi Thursday, November 8, 2012 11:17 AM
    Friday, November 2, 2012 10:42 AM
  • Please make sure that the Sysvol and Netlogon shares are available on the DC. You can check this by using the Netshare command. If they are not available then you can refer to MS KB article http://support.microsoft.com/kb/290762

    If this is not the case, please elaborate more about the environment and the error or warning events from Directory Service & File Replication Service in Event Viewer.

    • Marked as answer by Andy Qi Thursday, November 8, 2012 11:18 AM
    Friday, November 2, 2012 11:54 AM
  • ......................... HADES failed test NCSecDesc
             Unable to connect to the NETLOGON share! ("\\HADES\netlogon")
             [HADES] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... HADES failed test NetLogons

    From the log it is clear that the netlogon share is not available. It seems that sysvol is not replicating and hence group policy failed to apply. Run the net share command to verify both the netlogon and sysvol shares are available. Also verify the sysvol folder; both the policies and script folders should be available. If this is not the case then you need to perform an authoritative and non-authoritative restore of sysvol. http://support.microsoft.com/kb/290762

    Kindly take a backup of the sysvol folder of all DCs, that is, copy and paste the content of sysvol to a temp location, and perform the authoritative and non-authoritative restore of sysvol. I have seen many cases where, when a 2008 DC is introduced in a 2000/2003 network, the sysvol and netlogon shares are not available on the Win2008 DC and the policies and script folders do not replicate, i.e. the sysvol folder is empty. To fix this you need to perform an auth and non-auth restore of sysvol.

    Also ensure that the DNS settings are set correctly on the DC as below.
    Best practices for DNS client settings on DC and domain members.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Marked as answer by Andy Qi Thursday, November 8, 2012 11:18 AM
    Saturday, November 3, 2012 8:05 PM
  • And just to point out, don't worry about the following error in the dcdiag:

     Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:

    That just means you haven't run adprep/rodcprep because you didn't intend to install an RODC, which is explained here:

    Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers
    http://support.microsoft.com/kb/967482

    However, I agree with everyone's assessment that it's a DNS resolution issue that is causing what you're seeing. As everyone's asked, let's hear about your environment.

    Let's also see an unedited ipconfig /all from all of your DCs.

    If you have multiple domains (parent & child and/or root and additional Tree), then can you describe your DNS design between the domains, please? Here's an idea of DNS design options in such a scenario:

    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest 
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

    I do want to point out one more thing:

    ... I was in the process troubleshooting a failed replication between the GC and a DC. ...

    It's actually recommended to make all DCs a GC.

    Phantoms, tombstones and the infrastructure master.
    The GC role will conflict with a global catalog in a multi-domain forest. To overcome this conflict, all DCs are recommended to be GCs.
    http://support.microsoft.com/kb/248047


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Andy Qi Thursday, November 8, 2012 11:18 AM
    Sunday, November 4, 2012 12:21 AM
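
The checks suggested in the answers above (DNS client settings, DC locator, SYSVOL/NETLOGON shares, Netlogon and time services) can be collected in one read-only pass. This is an added example, not code from any poster in the thread; it assumes it is run locally on the DC in an elevated PowerShell session, that the domain name is the LLRAMDHANNY.LOCAL shown in the dcdiag output, and that SYSVOL is replicated by FRS (service NtFrs).

```powershell
# Added example: read-only checks, run locally on the DC in an elevated PowerShell session.
# Assumption: the domain name is LLRAMDHANNY.LOCAL, as shown in the dcdiag output.
param([string]$Domain = 'LLRAMDHANNY.LOCAL')

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. DNS client settings: a DC that runs DNS should list itself as primary DNS server.
$hasDns   = [bool](Get-Service -Name DNS -ErrorAction SilentlyContinue)
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$localIPs = @('127.0.0.1', '::1')
foreach ($a in $adapters) { $localIPs += $a.IPAddress }
foreach ($a in $adapters) {
    $dns = @()
    if ($a.DNSServerSearchOrder) { $dns = @($a.DNSServerSearchOrder) }
    if ($dns.Count -eq 0) {
        Add-Result "DNS servers ($($a.Description))" $false 'no DNS server configured'
    } elseif ($hasDns) {
        Add-Result "DNS servers ($($a.Description))" ($localIPs -contains $dns[0]) ($dns -join ', ')
    } else {
        # Without the DNS role only a human can say whether these are the internal DNS servers.
        Add-Result "DNS servers ($($a.Description))" $true ('verify manually: ' + ($dns -join ', '))
    }
}

# 2. DC locator: the same lookup that dcdiag reports as failing with error 1355.
$out       = & nltest "/dsgetdc:$Domain" 2>&1
$locatorOk = ($LASTEXITCODE -eq 0)
Add-Result 'DC locator (nltest /dsgetdc)' $locatorOk ("$($out | Select-Object -First 1)".Trim())

# 3. SRV records the locator depends on.
$srv = @(& nslookup '-type=SRV' "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Select-String 'svr hostname')
Add-Result 'SRV _ldap._tcp.dc._msdcs' ($srv.Count -gt 0) "$($srv.Count) DC record(s) returned"

# 4. SYSVOL and NETLOGON shares (what "net share" would list).
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $share  = Get-WmiObject Win32_Share -Filter "Name='$name'"
    $detail = 'not shared'
    if ($share) { $detail = $share.Path }
    Add-Result "Share $name" ([bool]$share) $detail
}

# 5. Services the thread mentions. NtFrs is an assumption: it applies when SYSVOL uses FRS.
foreach ($svc in 'Netlogon', 'W32Time', 'NtFrs') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        Add-Result "Service $svc" ($s.Status -eq 'Running') "$($s.Status)"
    } else {
        Add-Result "Service $svc" $false 'service not found'
    }
}

# 6. Time source currently in use by the Windows Time service.
$time   = & w32tm /query /status 2>&1
$timeOk = ($LASTEXITCODE -eq 0)
$source = $time | Select-String '^Source' | Select-Object -First 1
Add-Result 'Time service (w32tm /query /status)' $timeOk "$source"

$results | Select-Object Check, Ok, Detail | Format-Table -AutoSize -Wrap
```

The script changes nothing on the DC; restarting Netlogon, as suggested in the first answer, remains a separate manual step.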

All replies

  • Can you start by describing your environment? How many domains do you have in your AD forests? How many domain controllers are in each domain?
    If you have a single domain forest - then every domain controller should be designated as a Global Catalog. Similarly, you might want to consider ensuring that two or more are configured as DNS servers - and that every domain computer (including domain controllers) is pointing to these as their primary/secondary DNS servers.
    I'd agree with Andy that the first troubleshooting step in this case is ensuring that DNS settings on domain controllers are configured properly - follow his suggestions and let us know about the outcome.
    hth
    Marcin
    Friday, November 2, 2012 11:26 AM