authoritative restore system state

  • Question

  • Scenario:

    One forest
    DC=srv1.stany.com
    OU=sales (plus several child OUs)
    DNS integrated=192.168.1.1
    Backup system state=ok
    FSMO=Schema master
             Domain role owner
             PDC
             RID
             Infrastructure

    DC=srv2.stany.com
    Backup system state=ok
    DNS integrated=192.168.1.2
    Backup system state=ok
    FSMO=none

    On srv1 I delete the contents of OU sales, reboot as dsrepair, run dsutil and the following attached message appears; what could it be, or what am I doing wrong?

    Friday, May 4, 2012 11:05

Answers

  • Under no circumstances do you run that command on a domain controller in a production environment :)

    http://blogs.technet.com/b/janelewis/archive/2009/10/21/interesting-issue-with-major-implications.aspx

    If you had to run this command and reset security, you have probably modified some security setting of the domain controller; that is why I mentioned in the other post not to modify anything security-related unless you are completely sure of the change to be made.

    Speaking of the types of restore ...

    In the case of a NON-AUTHORITATIVE restore, it is used for example if you have a problem with a domain controller, you install it again and recover the information from a backup; after that this domain controller will be operational and will be able to receive all the changes since the time of the backup from another domain controller.
    THE REALITY IS THAT TODAY, IF YOU HAVE MULTIPLE DOMAIN CONTROLLERS AND ONE IN THE SAME SITE FAILS, RATHER THAN RESTORING A BACKUP AND WAITING FOR REPLICATION, IT IS SIMPLER TO INSTALL A NEW DC AND PROMOTE IT. In cases where you have a remote domain controller, perhaps restoring a system state backup and then waiting for replication may be more effective, with the aim of reducing the time of the initial replication.

    In the case of an AUTHORITATIVE restore, it is used for example in cases where some object was modified and you want to return the object, with its modifications, to the time of the backup; in that case you do an authoritative restore, where the process takes care of adding a larger number to the saved USN (USN + 100,000) so that when replicated it is always the one that wins.


    Here you have more information about it
    http://www.windowsnetworking.com/kbase/windowstips/windows2003/admintips/activedirectory/Authoritativevs.Non-AuthoritativeRestorationofActiveDirectory.html



    Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" without warranties of any kind, and confers no rights. You assume the risks

    Sunday, May 6, 2012 17:09
    Moderator

All replies

  • Operating system? If it is W2008-R2, the first thing when you enter NTDSUTIL is ACTIVATE INSTANCE NTDS

    Because it can also be LDS

     


    Guillermo Delprato - Buenos Aires, Argentina
    Visit Notas Windows Server
    MVP - MCT - MCSE - MCSA
    MCITP: Enterprise Administrator / Server Administrator
    MCTS: Active Directory/Network Configuration/Applications Configuration/Server Virtualization/Windows 7 Configuration/Windows 7 & Office 2010 Deployment/Vista Configuration
    This message is provided "as is" without warranties of any kind. You assume all risks.

    Friday, May 4, 2012 11:09
    Moderator
  • Sorry, it is 2003 Enterprise Edition SP2.
    Friday, May 4, 2012 11:14
  • Because you are trying to recover something that has not been deleted :)

    You say that *the contents* of Sales have been deleted, yet you are trying to recover *the OU* Sales

    If what has been deleted is the contents, then each of the items must be recovered individually

    If you do not remember all the names: Viewing deleted objects in Active Directory:
    http://support.microsoft.com/kb/258310

    And before you ask ;)
    How to restore deleted user accounts and their group memberships in Active Directory:
    http://support.microsoft.com/kb/840001/en-us

     


    Guillermo Delprato - Buenos Aires, Argentina
    Visit Notas Windows Server
    MVP - MCT - MCSE - MCSA
    MCITP: Enterprise Administrator / Server Administrator
    MCTS: Active Directory/Network Configuration/Applications Configuration/Server Virtualization/Windows 7 Configuration/Windows 7 & Office 2010 Deployment/Vista Configuration
    This message is provided "as is" without warranties of any kind. You assume all risks.

    Friday, May 4, 2012 12:40
    Moderator
  • Actually I did delete some OUs and users from SALES, and I want to use authoritative restore to recover the contents instead of using a normal restore; I don't know if I am doing it right.
    Friday, May 4, 2012 13:35
  • Good morning Ignaba,

    Yes, you are doing it right; the restore of the OU sales will bring back all its contents, although it will not recover the users' membership unless you do the additional procedure to import the ldf files with ldifde http://support.microsoft.com/kb/840001/en-us

    When you restore an OU, any changes that are made up to the time that a backup is restored are rolled back to their values at the time of the backup. For any user accounts, computer accounts, and security groups in the restored OU that were not among the deletions being restored, this rollback might mean the loss of the most recent changes to passwords, home directory, profile path, location and container information, group membership, and any security descriptors that are defined on those objects and attributes.

    More information about it: http://technet.microsoft.com/en-us/library/cc779573(v=ws.10).aspx

    An authoritative restoration on an OU subtree restores all the attributes and objects that reside in the container. Any changes that were made up to the time that a system state backup is restored are rolled back to their values at the time of the backup. With user accounts, computer accounts, and security groups, this rollback may mean the loss of the most recent changes to passwords, to the home directory, to the profile path, to location and to contact info, to group membership, and to any security descriptors that are defined on those objects and attributes.

    http://support.microsoft.com/kb/840001


    Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" without warranties of any kind, and confers no rights. You assume the risks


    Friday, May 4, 2012 13:50
    Moderator
  • I understand; the thing is that I don't know why the popup appears when I run ntdsutil (image above)
    Friday, May 4, 2012 14:04
  • Note that the error says the DN "OU=Sales" cannot be located; put the whole distinguished name in quotes

    Restore subtree "ou=sales,DC=stany,dc=com"


    Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" without warranties of any kind, and confers no rights. You assume the risks



    Friday, May 4, 2012 14:37
    Moderator
  • I enter:

    authoritative restore: res sub "ou=sales,dc=stany,dc=com"

    and then:

    Friday, May 4, 2012 15:56
  • Are you following these steps described in http://support.microsoft.com/kb/241594?

    • Restart the domain controller.
    • When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
    • Restore the data from backup media for an authoritative restore. To do this, follow these steps:
      1. In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.
      2. Click Restore Wizard, and then click Next.
      3. Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
      4. Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
      5. In the Restore Files to list, click Original Location.
      6. Click OK, and then complete the restore process. A visual progress indicator is displayed.
      7. When you are prompted to restart the computer, do not restart.
    • At a command prompt, type ntdsutil, and then press ENTER.
    • Type authoritative restore, and then press ENTER.
    • Type the following command, and then press ENTER:
      restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx

    Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" without warranties of any kind, and confers no rights. You assume the risks


    Friday, May 4, 2012 16:09
    Moderator
  • Friday, May 4, 2012 17:21
  • I see in the message "Records found: 0000000000", which obviously indicates that it does not find the object to mark as "authoritative"

    So I start asking:

    - Are you sure the DN is written correctly, and could it be that "sales" was hanging under another OU?

    - Is it certain that the backup was made first and then "Sales" was deleted?

    - Is it certain that Sales was deleted and not just its contents?

    - What might ignaba be doing? Ah! No, not this one :D

    Let's do a test: check whether the object was really deleted, and review its DN
    How to search for deleted objects in Active Directory:
    http://support.microsoft.com/kb/284928

    I understand you are doing a test, is that right? If so, I would try to repeat the procedure because there is "something that doesn't add up" :)

     


    Guillermo Delprato - Buenos Aires, Argentina
    Visit Notas Windows Server
    MVP - MCT - MCSE - MCSA
    MCITP: Enterprise Administrator / Server Administrator
    MCTS: Active Directory/Network Configuration/Applications Configuration/Server Virtualization/Windows 7 Configuration/Windows 7 & Office 2010 Deployment/Vista Configuration
    This message is provided "as is" without warranties of any kind. You assume all risks.

    Friday, May 4, 2012 18:17
    Moderator
  • Follow the steps exactly as I left them in the previous post; it is not clear whether you were performing the restore before using ntdsutil ...

    • Restart the domain controller.
    • When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
    • Restore the data from backup media for an authoritative restore. To do this, follow these steps:
      1. In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.
      2. Click Restore Wizard, and then click Next.
      3. Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
      4. Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
      5. In the Restore Files to list, click Original Location.
      6. Click OK, and then complete the restore process. A visual progress indicator is displayed.
      7. When you are prompted to restart the computer, do not restart.
    • At a command prompt, type ntdsutil, and then press ENTER.
    • Type authoritative restore, and then press ENTER.
    • Type the following command, and then press ENTER:
      restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx

    Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" without warranties of any kind, and confers no rights. You assume the risks

    Friday, May 4, 2012 20:23
    Moderator
  • Sebastian, I did all the steps but it did not work
    Guillermo, I answer you:
    The DN is written correctly
    A backup was made and then it was deleted

    "Apparently the bkp was damaged" I restarted the DC in normal mode, created the OUs again, made a bkp, deleted the contents of SALES, reboot in DR mode, run ntdsutil (image attached), it does it fine, reboot in normal mode but I notice that the contents of SALES are not there, and when I try to create a group a popup appears (image)

    Friday, May 4, 2012 22:51
  • The recovery being done looks normal, since the screenshot shows "Found 1 record to update". I think I know what is happening, although first I would like you to do a test

    1. Create the following OU structure using these names or any others different from the ones you have used

    Test OU

    ---- ChildOU1

    -----ChildOU2

    And create users in the three OUs.

    2. Take a backup of the System State
    3. Delete the OU TEST OU

    Then follow these steps exactly; when you reach the restore subtree step your command would be

    restore subtree "OU=Test OU,DC=stany,DC=com" 

    • Restart the domain controller.
    • When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
    • Restore the data from backup media for an authoritative restore. To do this, follow these steps:
      1. In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.
      2. Click Restore Wizard, and then click Next.
      3. Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
      4. Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
      5. In the Restore Files to list, click Original Location.
      6. Click OK, and then complete the restore process. A visual progress indicator is displayed.
      7. When you are prompted to restart the computer, do not restart.
    • At a command prompt, type ntdsutil, and then press ENTER.
    • Type authoritative restore, and then press ENTER.
    • Type the following command, and then press ENTER:
      restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx

    And tell me what happens.


    Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" without warranties of any kind, and confers no rights. You assume the risks


    Saturday, May 5, 2012 14:56
    Moderator
  • I was able to do all the steps without problems, reboot in normal mode (images attached), I cannot create objects in "test ou".


    Saturday, May 5, 2012 16:42
  • Good, so the restore worked, it brought back the OU structure, only that creating users gives the error mentioned; that is a second problem, it seems

    Can you create users in another OU?

    Run dcdiag /v on the server and post the content here, please.


    Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" without warranties of any kind, and confers no rights. You assume the risks


    Saturday, May 5, 2012 18:17
    Moderator
  • The issue with the Sales OU seems to me to come from a versioning matter. Objects replicate according to the USN (Update Sequence Number). What happens is: let's suppose that at the time of the backup your object has a USN of 10; you take the backup and the object is saved with this USN (10); then you make changes to the object and each of those changes increases the USN by 1, so now, if there were 100 changes, the USN would become 110. Then the object is deleted due to some problem and you use the last available backup, where the USN, remember, was 10.

    When doing an authoritative backup, so that the object can replicate to the other domain controllers, the auth restore process adds 100,000 to the USN number, so after the backup the USN will be 100,010, which will cause any other DC that receives the change to see that the received change is more up to date than the one it holds for the object (unless there have been more than 100,000 changes between the backup and the restore :) ). Then let's say the object keeps being changed, so it now has a USN of 100,200, and you use the same backup to recover it again because it has been deleted again; in that case the DCs know the USN of this object as 100,200, but your backup, remember, had a saved USN of 10; adding 100,000 to it per the authoritative restore, 100,010 will be lower than the USN stored on the DCs, which is 100,200, so in that case the object will not replicate and, on the contrary, will be deleted from another domain controller =).

    To solve this kind of problem, an additional parameter can be used in the restore process, "Restore <object | subtree> "<object DN>" verinc 200000", which would add 200,000 or whatever number we want to the existing USN.

    This problem often occurs when the same backup is used to do different restores, so after a restore it is advisable to take a new backup and keep them up to date and always tested.

    See the following note:
    http://technet.microsoft.com/en-us/library/cc757068(v=ws.10).aspx

    I hope the explanation was understood, and since I wrote so much I hope I didn't make a mistake :)


    Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" without warranties of any kind, and confers no rights. You assume the risks

    Saturday, May 5, 2012 18:49
    Moderator
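
The version comparison described in the post above, replayed as an added example (not part of the thread and not Microsoft's code). It simplifies each object to a single stamp and uses the flat +100,000 increment as the post states it; the `Replica` class, the DC names, the timestamps and the `min_safe_verinc` helper are constructed for illustration.

```python
from dataclasses import dataclass

DEFAULT_VERINC = 100_000  # flat increment, as the post describes it (assumption)


@dataclass(frozen=True)
class Replica:
    """One DC's copy of an object, simplified to a single stamp per object."""
    dc: str          # stands in for the originating DSA GUID
    version: int
    timestamp: int   # constructed value, in seconds
    deleted: bool

    def stamp(self):
        # Conflict resolution compares version first, then timestamp,
        # then the originating DC as the final tie-break.
        return (self.version, self.timestamp, self.dc)


def authoritative_restore(backup_version, dc, now, verinc=DEFAULT_VERINC):
    """Copy restored from backup and marked authoritative: live, version bumped."""
    return Replica(dc=dc, version=backup_version + verinc, timestamp=now, deleted=False)


def converge(replicas):
    """State every DC ends up with once replication settles: highest stamp wins."""
    return max(replicas, key=Replica.stamp)


def min_safe_verinc(backup_version, partner_versions):
    """Smallest increment that makes the restored copy outrank every partner copy."""
    return max(partner_versions) - backup_version + 1


def scenario():
    """Replay the numbers from the post; return the winning copy after each restore."""
    backup_version = 10
    results = {}

    # First deletion: the partner holds version 110 (10 + 100 changes), deleted.
    partner = Replica("srv2", 110, 1_000, deleted=True)
    restored = authoritative_restore(backup_version, "srv1", 2_000)
    results["first_restore"] = converge([partner, restored])

    # The object keeps changing, reaches 100,200 and is deleted again.
    partner = Replica("srv2", 100_200, 3_000, deleted=True)
    restored = authoritative_restore(backup_version, "srv1", 4_000)
    results["second_restore_same_backup"] = converge([partner, restored])

    # Same stale backup, but restored with verinc 200,000.
    restored = authoritative_restore(backup_version, "srv1", 4_000, verinc=200_000)
    results["second_restore_verinc"] = converge([partner, restored])
    return results


if __name__ == "__main__":
    for name, winner in scenario().items():
        state = "deleted again" if winner.deleted else "restored"
        print(f"{name}: version {winner.version} from {winner.dc} wins -> {state}")
    print("minimum verinc for the stale backup:", min_safe_verinc(10, [100_200]))
```
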
  • It lets me create OUs elsewhere in the domain; it even gives an event (image attached). I am copying the dcdiag /v response.

    part 1:

    Domain Controller Diagnosis

    Performing initial setup:
       * Verifying that the local machine srv1, is a DC.
       * Connecting to directory service on server srv1.
       * Collecting site info.
       * Identifying all servers.
       * Identifying all NC cross-refs.
       * Found 4 DC(s). Testing 1 of them.
       Done gathering initial info.

    Doing initial required tests
      
       Testing server: site1\SRV1
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             * Active Directory RPC Services Check
             ......................... SRV1 passed test Connectivity

    Doing primary tests
      
       Testing server: site1\SRV1
          Starting test: Replications
             * Replications Check
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV2 to SRV1
                Naming Context: DC=ForestDnsZones,DC=stany,DC=com
                The replication generated an error (1256):
                Win32 Error 1256
                The failure occurred at 2012-05-05 21:57:38.
                The last success occurred at 2012-04-27 13:30:56.
                18 failures have occurred since the last success.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV4 to SRV1
                Naming Context: DC=ForestDnsZones,DC=stany,DC=com
                The replication generated an error (1256):
                Win32 Error 1256
                The failure occurred at 2012-05-05 21:58:30.
                The last success occurred at 2012-04-27 12:48:25.
                11 failures have occurred since the last success.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV3 to SRV1
                Naming Context: DC=ForestDnsZones,DC=stany,DC=com
                The replication generated an error (1256):
                Win32 Error 1256
                The failure occurred at 2012-05-05 22:27:49.
                The last success occurred at 2012-05-01 12:59:40.
                50 failures have occurred since the last success.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV2 to SRV1
                Naming Context: DC=DomainDnsZones,DC=stany,DC=com
                The replication generated an error (1256):
                Win32 Error 1256
                The failure occurred at 2012-05-05 21:57:38.
                The last success occurred at 2012-04-27 13:30:56.
                18 failures have occurred since the last success.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV3 to SRV1
                Naming Context: DC=DomainDnsZones,DC=stany,DC=com
                The replication generated an error (1256):
                Win32 Error 1256
                The failure occurred at 2012-05-05 22:27:49.
                The last success occurred at 2012-05-01 12:59:40.
                50 failures have occurred since the last success.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV4 to SRV1
                Naming Context: CN=Schema,CN=Configuration,DC=stany,DC=com
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2012-05-05 22:00:03.
                The last success occurred at 2012-04-27 12:47:42.
                10 failures have occurred since the last success.
                [SRV4] DsBindWithSpnEx() failed with error 1722,
                Win32 Error 1722.
                Printing RPC Extended Error Info:
                Error Record 1, ProcessID is 3768 (DcDiag)           
                   System Time is: 5/6/2012 1:37:47:597
                   Generating component is 8 (winsock)
                   Status is 1722: The RPC server is unavailable.

                   Detection location is 322
                Error Record 2, ProcessID is 3768 (DcDiag)           
                   System Time is: 5/6/2012 1:37:47:597
                   Generating component is 8 (winsock)
                   Status is 11001: No such host is known.

                   Detection location is 320
                   NumberOfParameters is 1
                   Unicode string: 2c9ba0bf-81df-4aca-8738-6cf3be2cc8eb._msdcs.stany.com
                The source remains down. Please check the machine.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV2 to SRV1
                Naming Context: CN=Schema,CN=Configuration,DC=stany,DC=com
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2012-05-05 22:00:24.
                The last success occurred at 2012-04-27 13:30:56.
                17 failures have occurred since the last success.
                [SRV2] DsBindWithSpnEx() failed with error 1722,
                Win32 Error 1722.
                Printing RPC Extended Error Info:
                Error Record 1, ProcessID is 3768 (DcDiag)           
                   System Time is: 5/6/2012 1:38:8:557
                   Generating component is 8 (winsock)
                   Status is 1722: The RPC server is unavailable.

                   Detection location is 323
                Error Record 2, ProcessID is 3768 (DcDiag)           
                   System Time is: 5/6/2012 1:38:8:557
                   Generating component is 8 (winsock)
                   Status is 1237: The operation could not be completed. A retry should be performed.

                   Detection location is 313
                Error Record 3, ProcessID is 3768 (DcDiag)           
                   System Time is: 5/6/2012 1:38:8:557
                   Generating component is 8 (winsock)
                   Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

                   Detection location is 311
                   NumberOfParameters is 3
                   Long val: 135
                   Pointer val: 0
                   Pointer val: 0
                Error Record 4, ProcessID is 3768 (DcDiag)           
                   System Time is: 5/6/2012 1:38:8:557
                   Generating component is 8 (winsock)
                   Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

                   Detection location is 318
                The source remains down. Please check the machine.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV3 to SRV1
                Naming Context: CN=Schema,CN=Configuration,DC=stany,DC=com
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2012-05-05 22:28:31.
                The last success occurred at 2012-05-01 12:59:19.
                49 failures have occurred since the last success.
                [SRV3] DsBindWithSpnEx() failed with error 1722,
                Win32 Error 1722.
                Printing RPC Extended Error Info:
                Error Record 1, ProcessID is 3768 (DcDiag)           
                   System Time is: 5/6/2012 1:38:29:487
                   Generating component is 8 (winsock)
                   Status is 1722: The RPC server is unavailable.

                   Detection location is 323
                Error Record 2, ProcessID is 3768 (DcDiag)           
                   System Time is: 5/6/2012 1:38:29:487
                   Generating component is 8 (winsock)
                   Status is 1237: The operation could not be completed. A retry should be performed.

                   Detection location is 313
                Error Record 3, ProcessID is 3768 (DcDiag)           
                   System Time is: 5/6/2012 1:38:29:487
                   Generating component is 8 (winsock)
                   Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

                   Detection location is 311
                   NumberOfParameters is 3
                   Long val: 135
                   Pointer val: 0
                   Pointer val: 0
                Error Record 4, ProcessID is 3768 (DcDiag)           
                   System Time is: 5/6/2012 1:38:29:487
                   Generating component is 8 (winsock)
                   Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

                   Detection location is 318
                The source remains down. Please check the machine.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV4 to SRV1
                Naming Context: CN=Configuration,DC=stany,DC=com
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2012-05-05 21:58:30.
                The last success occurred at 2012-04-27 12:47:21.
                11 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV2 to SRV1
                Naming Context: CN=Configuration,DC=stany,DC=com
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2012-05-05 21:58:51.
                The last success occurred at 2012-04-27 13:30:56.
                18 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV3 to SRV1
                Naming Context: CN=Configuration,DC=stany,DC=com
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2012-05-05 22:28:10.
                The last success occurred at 2012-05-01 12:58:07.
                50 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV2 to SRV1
                Naming Context: DC=stany,DC=com
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2012-05-05 21:57:38.
                The last success occurred at 2012-04-27 13:30:56.
                17 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV3 to SRV1
                Naming Context: DC=stany,DC=com
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2012-05-05 22:27:49.
                The last success occurred at 2012-05-01 12:59:40.
                49 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV2 to SRV1
                Naming Context: DC=child,DC=stany,DC=com
                The replication generated an error (1256):
                Win32 Error 1256
                The failure occurred at 2012-05-05 21:57:38.
                The last success occurred at 2012-04-27 13:30:56.
                15 failures have occurred since the last success.
             [Replications Check,SRV1] A recent replication attempt failed:
                From SRV4 to SRV1
                Naming Context: DC=child,DC=stany,DC=com
                The replication generated an error (1256):
                Win32 Error 1256
                The failure occurred at 2012-05-05 21:58:30.
                The last success occurred at 2012-04-27 12:48:25.
                8 failures have occurred since the last success.
             * Replication Latency Check
             REPLICATION-RECEIVED LATENCY WARNING
             SRV1:  Current time is 2012-05-05 22:37:43.
                DC=ForestDnsZones,DC=stany,DC=com
                   Last replication recieved from SRV2 at 2012-04-27 13:31:03.
                   Last replication recieved from SRV3 at 2012-05-01 12:59:46.
                   Last replication recieved from SRV4 at 2012-04-27 12:48:29.
                   Latency information for 6 entries in the vector were ignored.
                      6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                DC=DomainDnsZones,DC=stany,DC=com
                   Last replication recieved from SRV2 at 2012-04-27 13:31:03.
                   Last replication recieved from SRV3 at 2012-05-01 12:59:46.
                   Latency information for 6 entries in the vector were ignored.
                      6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                CN=Schema,CN=Configuration,DC=stany,DC=com
                   Last replication recieved from SRV2 at 2012-04-27 13:31:03.
                   Last replication recieved from SRV3 at 2012-05-01 12:59:25.
                   Last replication recieved from SRV4 at 2012-04-27 12:47:47.
                   Latency information for 5 entries in the vector were ignored.
                      5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                CN=Configuration,DC=stany,DC=com
                   Last replication recieved from SRV2 at 2012-04-27 13:31:03.
                   Last replication recieved from SRV3 at 2012-05-01 12:58:13.
                   Last replication recieved from SRV4 at 2012-04-27 12:47:26.
                   Latency information for 6 entries in the vector were ignored.
                      6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                DC=stany,DC=com
                   Last replication recieved from SRV2 at 2012-04-27 13:31:03.
                   Last replication recieved from SRV3 at 2012-05-01 12:59:46.
                   Latency information for 6 entries in the vector were ignored.
                      6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                DC=child,DC=stany,DC=com
                   Last replication recieved from SRV4 at 2012-04-27 12:48:29.
                   Latency information for 3 entries in the vector were ignored.
                      2 were retired Invocations.  1 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
             * Replication Site Latency Check
             REPLICATION-RECEIVED LATENCY WARNING

              Source site:

             CN=NTDS Site Settings,CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com

              Current time: 2012-05-05 22:38:29

              Last update time: 2012-04-27 13:04:09

              Check if source site has an elected ISTG running.

              Check replication from source site to this server.
             REPLICATION-RECEIVED LATENCY WARNING

              Source site:

             CN=NTDS Site Settings,CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com

              Current time: 2012-05-05 22:38:29

              Last update time: 2012-05-01 12:39:10

              Check if source site has an elected ISTG running.

              Check replication from source site to this server.
             ......................... SRV1 passed test Replications
          Test omitted by user request: Topology
          Test omitted by user request: CutoffServers
          Starting test: NCSecDesc
             * Security Permissions check for all NC's on DC SRV1.
             * Security Permissions Check for
               DC=ForestDnsZones,DC=stany,DC=com
                (NDNC,Version 2)
             * Security Permissions Check for
               DC=DomainDnsZones,DC=stany,DC=com
                (NDNC,Version 2)
             * Security Permissions Check for
               CN=Schema,CN=Configuration,DC=stany,DC=com
                (Schema,Version 2)
             * Security Permissions Check for
               CN=Configuration,DC=stany,DC=com
                (Configuration,Version 2)
             * Security Permissions Check for
               DC=stany,DC=com
                (Domain,Version 2)
             * Security Permissions Check for
               DC=child,DC=stany,DC=com
                (Domain,Version 2)
             ......................... SRV1 passed test NCSecDesc
          Starting test: NetLogons
             * Network Logons Privileges Check
             Unable to connect to the NETLOGON share! (\\SRV1\netlogon)
             [SRV1] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
             ......................... SRV1 failed test NetLogons
          Starting test: Advertising
             Fatal Error:DsGetDcName (SRV1) call failed, error 1355
             The Locator could not find the server.
             ......................... SRV1 failed test Advertising
          Starting test: KnowsOfRoleHolders
             Role Schema Owner = CN=NTDS Settings,CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com
             Role Domain Owner = CN=NTDS Settings,CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com
             Role PDC Owner = CN=NTDS Settings,CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com
             Role Rid Owner = CN=NTDS Settings,CN=SRV2,CN=Servers,CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
             Warning: SRV2 is the Rid Owner, but is not responding to DS RPC Bind.
             RPC Extended Error Info not available. Use group policy on the local machine at "Computer Configuration/Administrative Templates/System/Remote Procedure Call" to enable it.
             [SRV2] LDAP search failed with error 58,
             Win32 Error 58.
             Warning: SRV2 is the Rid Owner, but is not responding to LDAP Bind.
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=SRV2,CN=Servers,CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
             Warning: SRV2 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
             RPC Extended Error Info not available. Use group policy on the local machine at "Computer Configuration/Administrative Templates/System/Remote Procedure Call" to enable it.
             Warning: SRV2 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
             ......................... SRV1 failed test KnowsOfRoleHolders
          Starting test: RidManager
             * Available RID Pool for the Domain is 4603 to 1073741823
             * srv2.stany.com is the RID Master
             ......................... SRV1 failed test RidManager
          Starting test: MachineAccount
             Checking machine account for DC SRV1 on DC SRV1.
             * SPN found :LDAP/srv1.stany.com/stany.com
             * SPN found :LDAP/srv1.stany.com
             * SPN found :LDAP/SRV1
             * SPN found :LDAP/srv1.stany.com/STANY
             * SPN found :LDAP/24a99e62-056a-43f4-b177-102a34dd6e34._msdcs.stany.com
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/24a99e62-056a-43f4-b177-102a34dd6e34/stany.com
             * SPN found :HOST/srv1.stany.com/stany.com
             * SPN found :HOST/srv1.stany.com
             * SPN found :HOST/SRV1
             * SPN found :HOST/srv1.stany.com/STANY
             * SPN found :GC/srv1.stany.com/stany.com
             ......................... SRV1 passed test MachineAccount

    Sunday, May 6, 2012 1:55
  • Part 2:

     

          Starting test: Services
             * Checking Service: Dnscache
             * Checking Service: NtFrs
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: RpcSs
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... SRV1 passed test Services
          Test omitted by user request: OutboundSecureChannels
          Starting test: ObjectsReplicated
             SRV1 is in domain DC=stany,DC=com
             Checking for CN=SRV1,OU=Domain Controllers,DC=stany,DC=com in domain DC=stany,DC=com on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com in domain CN=Configuration,DC=stany,DC=com on 1 servers
                Object is up-to-date on all servers.
             ......................... SRV1 passed test ObjectsReplicated
          Starting test: frssysvol
             * The File Replication Service SYSVOL ready test
             The registry lookup failed to determine the state of the SYSVOL.  The

             error returned  was 0 (Win32 Error 0).  Check the FRS event log to see

             if the SYSVOL has successfully been shared.
             ......................... SRV1 passed test frssysvol
          Starting test: frsevent
             * The File Replication Service Event log test
             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems.
             An Warning Event occured.  EventID: 0x800034FE
                Time Generated: 05/05/2012   12:58:05
                (Event String could not be retrieved)
             An Warning Event occured.  EventID: 0x800034FD
                Time Generated: 05/05/2012   13:15:59
                (Event String could not be retrieved)
             An Warning Event occured.  EventID: 0x800034C4
                Time Generated: 05/05/2012   13:18:41
                (Event String could not be retrieved)
             An Warning Event occured.  EventID: 0x800034C4
                Time Generated: 05/05/2012   13:18:42
                (Event String could not be retrieved)
             An Warning Event occured.  EventID: 0x800034C4
                Time Generated: 05/05/2012   13:33:41
                (Event String could not be retrieved)
             An Warning Event occured.  EventID: 0x800034C4
                Time Generated: 05/05/2012   14:03:20
                (Event String could not be retrieved)
             ......................... SRV1 failed test frsevent
          Starting test: kccevent
             * The KCC Event log test
             An Warning Event occured.  EventID: 0x8000061E
                Time Generated: 05/05/2012   22:32:29
                Event String: All domain controllers in the following site that

    can replicate the directory partition over this

    transport are currently unavailable.

     

    Site:

    CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    Directory partition:

    DC=stany,DC=com

    Transport:

    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com

     
             An Warning Event occured.  EventID: 0x8000061E
                Time Generated: 05/05/2012   22:32:29
                Event String: All domain controllers in the following site that

    can replicate the directory partition over this

    transport are currently unavailable.

     

    Site:

    CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    Directory partition:

    DC=stany,DC=com

    Transport:

    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com

     
             An Error Event occured.  EventID: 0xC000051F
                Time Generated: 05/05/2012   22:32:29
                Event String: The Knowledge Consistency Checker (KCC) has

    detected problems with the following directory

    partition.

     

    Directory partition:

    DC=stany,DC=com

     

    There is insufficient site connectivity

    information in Active Directory Sites and

    Services for the KCC to create a spanning tree

    replication topology. Or, one or more domain

    controllers with this directory partition are

    unable to replicate the directory partition

    information. This is probably due to inaccessible

    domain controllers.

     

    User Action

    Use Active Directory Sites and Services to

    perform one of the following actions:

    - Publish sufficient site connectivity

    information so that the KCC can determine a route

    by which this directory partition can reach this

    site. This is the preferred option.

    - Add a Connection object to a domain controller

    that contains the directory partition in this

    site from a domain controller that contains the

    same directory partition in another site.

     

    If neither of the Active Directory Sites and

    Services tasks correct this condition, see

    previous events logged by the KCC that identify

    the inaccessible domain controllers.
             An Warning Event occured.  EventID: 0x80000749
                Time Generated: 05/05/2012   22:32:29
                Event String: The Knowledge Consistency Checker (KCC) was

    unable to form a complete spanning tree network

    topology. As a result, the following list of

    sites cannot be reached from the local site.

     

    Sites:

    CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com

     

     

     

     

     

     

     
             An Warning Event occured.  EventID: 0x8000061E
                Time Generated: 05/05/2012   22:32:29
                Event String: All domain controllers in the following site that

    can replicate the directory partition over this

    transport are currently unavailable.

     

    Site:

    CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    Directory partition:

    DC=DomainDnsZones,DC=stany,DC=com

    Transport:

    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com

     
             An Warning Event occured.  EventID: 0x8000061E
                Time Generated: 05/05/2012   22:32:29
                Event String: All domain controllers in the following site that

    can replicate the directory partition over this

    transport are currently unavailable.

     

    Site:

    CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    Directory partition:

    DC=DomainDnsZones,DC=stany,DC=com

    Transport:

    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com

     
             An Error Event occured.  EventID: 0xC000051F
                Time Generated: 05/05/2012   22:32:29
                Event String: The Knowledge Consistency Checker (KCC) has

    detected problems with the following directory

    partition.

     

    Directory partition:

    DC=DomainDnsZones,DC=stany,DC=com

     

    There is insufficient site connectivity

    information in Active Directory Sites and

    Services for the KCC to create a spanning tree

    replication topology. Or, one or more domain

    controllers with this directory partition are

    unable to replicate the directory partition

    information. This is probably due to inaccessible

    domain controllers.

     

    User Action

    Use Active Directory Sites and Services to

    perform one of the following actions:

    - Publish sufficient site connectivity

    information so that the KCC can determine a route

    by which this directory partition can reach this

    site. This is the preferred option.

    - Add a Connection object to a domain controller

    that contains the directory partition in this

    site from a domain controller that contains the

    same directory partition in another site.

     

    If neither of the Active Directory Sites and

    Services tasks correct this condition, see

    previous events logged by the KCC that identify

    the inaccessible domain controllers.
             An Warning Event occured.  EventID: 0x80000749
                Time Generated: 05/05/2012   22:32:29
                Event String: The Knowledge Consistency Checker (KCC) was

    unable to form a complete spanning tree network

    topology. As a result, the following list of

    sites cannot be reached from the local site.

     

    Sites:

    CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com

     

     

     

     

     

     

     
             An Warning Event occured.  EventID: 0x8000061E
                Time Generated: 05/05/2012   22:32:29
                Event String: All domain controllers in the following site that

    can replicate the directory partition over this

    transport are currently unavailable.

     

    Site:

    CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    Directory partition:

    DC=ForestDnsZones,DC=stany,DC=com

    Transport:

    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com

     
             An Warning Event occured.  EventID: 0x8000061E
                Time Generated: 05/05/2012   22:32:29
                Event String: All domain controllers in the following site that

    can replicate the directory partition over this

    transport are currently unavailable.

     

    Site:

    CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    Directory partition:

    DC=ForestDnsZones,DC=stany,DC=com

    Transport:

    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com

     
             An Error Event occured.  EventID: 0xC000051F
                Time Generated: 05/05/2012   22:32:29
                Event String: The Knowledge Consistency Checker (KCC) has

    detected problems with the following directory

    partition.

     

    Directory partition:

    DC=ForestDnsZones,DC=stany,DC=com

     

    There is insufficient site connectivity

    information in Active Directory Sites and

    Services for the KCC to create a spanning tree

    replication topology. Or, one or more domain

    controllers with this directory partition are

    unable to replicate the directory partition

    information. This is probably due to inaccessible

    domain controllers.

     

    User Action

    Use Active Directory Sites and Services to

    perform one of the following actions:

    - Publish sufficient site connectivity

    information so that the KCC can determine a route

    by which this directory partition can reach this

    site. This is the preferred option.

    - Add a Connection object to a domain controller

    that contains the directory partition in this

    site from a domain controller that contains the

    same directory partition in another site.

     

    If neither of the Active Directory Sites and

    Services tasks correct this condition, see

    previous events logged by the KCC that identify

    the inaccessible domain controllers.
             An Warning Event occured.  EventID: 0x80000749
                Time Generated: 05/05/2012   22:32:29
                Event String: The Knowledge Consistency Checker (KCC) was

    unable to form a complete spanning tree network

    topology. As a result, the following list of

    sites cannot be reached from the local site.

     

    Sites:

    CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com

     

     

     

     

     

     

     
             An Warning Event occured.  EventID: 0x8000061E
                Time Generated: 05/05/2012   22:32:29
                Event String: All domain controllers in the following site that

    can replicate the directory partition over this

    transport are currently unavailable.

     

    Site:

    CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    Directory partition:

    DC=child,DC=stany,DC=com

    Transport:

    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com

     
             An Warning Event occured.  EventID: 0x8000061E
                Time Generated: 05/05/2012   22:32:29
                Event String: All domain controllers in the following site that

    can replicate the directory partition over this

    transport are currently unavailable.

     

    Site:

    CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    Directory partition:

    DC=child,DC=stany,DC=com

    Transport:

    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com

     
             An Error Event occured.  EventID: 0xC000051F
                Time Generated: 05/05/2012   22:32:29
                Event String: The Knowledge Consistency Checker (KCC) has

    detected problems with the following directory

    partition.

     

    Directory partition:

    DC=child,DC=stany,DC=com

     

    There is insufficient site connectivity

    information in Active Directory Sites and

    Services for the KCC to create a spanning tree

    replication topology. Or, one or more domain

    controllers with this directory partition are

    unable to replicate the directory partition

    information. This is probably due to inaccessible

    domain controllers.

     

    User Action

    Use Active Directory Sites and Services to

    perform one of the following actions:

    - Publish sufficient site connectivity

    information so that the KCC can determine a route

    by which this directory partition can reach this

    site. This is the preferred option.

    - Add a Connection object to a domain controller

    that contains the directory partition in this

    site from a domain controller that contains the

    same directory partition in another site.

     

    If neither of the Active Directory Sites and

    Services tasks correct this condition, see

    previous events logged by the KCC that identify

    the inaccessible domain controllers.
             An Warning Event occured.  EventID: 0x80000749
                Time Generated: 05/05/2012   22:32:29
                Event String: The Knowledge Consistency Checker (KCC) was

    unable to form a complete spanning tree network

    topology. As a result, the following list of

    sites cannot be reached from the local site.

     

    Sites:

    CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com

     

     

     

     

     

     

     
             An Warning Event occured.  EventID: 0x8000061E
                Time Generated: 05/05/2012   22:32:29
                Event String: All domain controllers in the following site that

    can replicate the directory partition over this

    transport are currently unavailable.

     

    Site:

    CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    Directory partition:

    CN=Configuration,DC=stany,DC=com

    Transport:

    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com

     
             An Warning Event occured.  EventID: 0x8000061E
                Time Generated: 05/05/2012   22:32:29
                Event String: All domain controllers in the following site that

    can replicate the directory partition over this

    transport are currently unavailable.

     

    Site:

    CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    Directory partition:

    CN=Configuration,DC=stany,DC=com

    Transport:

    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com

     
             An Error Event occured.  EventID: 0xC000051F
                Time Generated: 05/05/2012   22:32:29
                Event String: The Knowledge Consistency Checker (KCC) has

    detected problems with the following directory

    partition.

     

    Directory partition:

    CN=Configuration,DC=stany,DC=com

     

    There is insufficient site connectivity

    information in Active Directory Sites and

    Services for the KCC to create a spanning tree

    replication topology. Or, one or more domain

    controllers with this directory partition are

    unable to replicate the directory partition

    information. This is probably due to inaccessible

    domain controllers.

     

    User Action

    Use Active Directory Sites and Services to

    perform one of the following actions:

    - Publish sufficient site connectivity

    information so that the KCC can determine a route

    by which this directory partition can reach this

    site. This is the preferred option.

    - Add a Connection object to a domain controller

    that contains the directory partition in this

    site from a domain controller that contains the

    same directory partition in another site.

     

    If neither of the Active Directory Sites and

    Services tasks correct this condition, see

    previous events logged by the KCC that identify

    the inaccessible domain controllers.
             An Warning Event occured.  EventID: 0x80000749
                Time Generated: 05/05/2012   22:32:29
                Event String: The Knowledge Consistency Checker (KCC) was

    unable to form a complete spanning tree network

    topology. As a result, the following list of

    sites cannot be reached from the local site.

     

    Sites:

    CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com

     

    CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com

     

     

     

     

     

     

     
             ......................... SRV1 failed test kccevent
          Starting test: systemlog
             * The System Event log test
             Found no errors in System Event log in the last 60 minutes.
             ......................... SRV1 passed test systemlog
          Test omitted by user request: VerifyReplicas
          Starting test: VerifyReferences
             The system object reference (serverReference)

             CN=SRV1,OU=Domain Controllers,DC=stany,DC=com and backlink on

             CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com

             are correct.
             The system object reference (frsComputerReferenceBL)

             CN={5495c546-af16-497f-b121-0f7123b4afee},CN=root2,CN=root2,CN=DFS Volumes,CN=File Replication Service,CN=System,DC=stany,DC=com

             and backlink on CN=SRV1,OU=Domain Controllers,DC=stany,DC=com are

             correct.
             The system object reference (serverReferenceBL)

             CN=SRV1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=stany,DC=com

             and backlink on

             CN=NTDS Settings,CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com

             are correct.
             ......................... SRV1 passed test VerifyReferences
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: CheckSecurityError
      
       Running partition tests on : ForestDnsZones
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
      
       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
      
       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
      
       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
      
       Running partition tests on : stany
          Starting test: CrossRefValidation
             ......................... stany passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... stany passed test CheckSDRefDom
      
       Running enterprise tests on : stany.com
          Starting test: Intersite
             Skipping site site1, this site is outside the scope provided by the

             command line arguments provided.
             Skipping site site2, this site is outside the scope provided by the

             command line arguments provided.
             Skipping site site3, this site is outside the scope provided by the

             command line arguments provided.
             ......................... stany.com passed test Intersite
          Starting test: FsmoCheck
             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
             A Global Catalog Server could not be located - All GC's are down.
             PDC Name: \\srv1.stany.com
             Locator Flags: 0xe00003fd
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
             A Good Time Server could not be located.
             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
             A KDC could not be located - All the KDCs are down.
             ......................... stany.com failed test FsmoCheck
          Test omitted by user request: DNS
          Test omitted by user request: DNS

    Sunday, May 6, 2012 1:56
  • Ignaba,

    You need to work on that domain; there are too many errors, which makes it hard to diagnose anything in that state :)
    The error you get when creating the user is related to not being able to contact the RID master

        Role Rid Owner = CN=NTDS Settings,CN=SRV2,CN=Servers,CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
             Warning: SRV2 is the Rid Owner, but is not responding to DS RPC Bind.

    "Domain controllers running AD DS have a shared RID pool. The RID operations master is responsible for maintaining a pool of RIDs to be used by the domain controllers in its domain and for providing groups of RIDs to each domain controller when necessary. When a new AD DS domain controller is added to the domain, the RID master allocates a batch of approximately 500 RIDs from the domain RID pool to that domain controller. Each time a new security principal is created on a domain controller, the domain controller draws from its local pool of RIDs and assigns one to the new object. When the number of RIDs in a domain controller’s RID pool falls below approximately 100, that domain controller submits background requests (by means of RPC) for additional RIDs from the domain’s RID master. The RID master allocates a block of approximately 500 RIDs from the domain’s RID pool to the pool of the requesting domain controller."

    If you try to add an object such as a computer, group or user anywhere in the domain, it will probably fail, because when the RID master is not available and the domain controller's RID pool has already been consumed, any object that needs a SID created cannot be created; additionally, you will probably see errors 16445 or 16650.

    You need to work through the DCDIAG errors before continuing to work on any other problem in that domain.

    The restore issue is clear: when you restored the new OU you created, everything was restored, although, since users cannot be created for lack of RIDs in the pool (Available Pools), the OU structure was restored (because the OU object does not have a SID) but not the users (which do have a SID), since they cannot be created.

    For the additional issues, I would ask you to open a new thread, so that we do not handle more than one topic per thread and keep the forum tidy.


    Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina Este mensaje se proporciona "como está" sin garantías de ninguna clase, y no otorga ningún derecho. Ud. asume los riesgos


    domingo, 6 de mayo de 2012 14:00
    Moderador
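The RID allocation described in the reply above, as a simplified model (an added example, not part of the thread and not Microsoft code). The class names, the starting RID and the domain SID are constructed; the block size and low-water mark are the approximate figures from the quoted text.

```python
# Simplified model of the RID pool behaviour quoted above (not Microsoft code).
BLOCK = 500      # approximate RIDs per allocation, per the quoted text
LOW_WATER = 100  # approximate pool level that triggers a refill request

class RidMaster:
    def __init__(self, next_rid=1000):  # starting RID is a constructed value
        self.next_rid = next_rid
        self.reachable = True

    def allocate_block(self):
        if not self.reachable:
            raise ConnectionError("RID master unreachable")
        start = self.next_rid
        self.next_rid += BLOCK
        return list(range(start, start + BLOCK))

class DomainController:
    def __init__(self, master, domain_sid="S-1-5-21-1-2-3"):  # constructed SID
        self.master, self.domain_sid, self.pool = master, domain_sid, []
        self._request_rids()  # initial batch when the DC joins the domain

    def _request_rids(self):
        try:
            self.pool.extend(self.master.allocate_block())
        except ConnectionError:
            pass  # request failed; the DC keeps drawing on what is left

    def create(self, kind, name):
        if kind == "ou":
            return (name, None)  # an OU is not a security principal: no SID
        if len(self.pool) < LOW_WATER:
            self._request_rids()
        if not self.pool:
            raise RuntimeError(f"cannot create {name}: local RID pool is empty")
        return (name, f"{self.domain_sid}-{self.pool.pop(0)}")

def create_batch(dc, objects):
    """Try to create each (kind, name); return (created, failed_names)."""
    created, failed = [], []
    for kind, name in objects:
        try:
            created.append(dc.create(kind, name))
        except RuntimeError:
            failed.append(name)
    return created, failed

if __name__ == "__main__":
    master = RidMaster()
    dc = DomainController(master)
    master.reachable = False
    create_batch(dc, [("user", f"u{i}") for i in range(BLOCK)])  # drain pool
    print(create_batch(dc, [("ou", "sales"), ("user", "alice")]))
```

With the RID master unreachable and the local pool drained, the OU is still created while the user is rejected; once the master is reachable again, the next create call refills the pool and succeeds.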
  • I understand. Looking for support on the internet, I applied the following:

    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

    After rebooting, I ran:

    seize rid master
    seize infrastructure master

    (Image attached) Now I can create objects inside the OU "test OU", but my big question is:
    what is the difference between doing an authoritative restore and a non-authoritative restore?

    Sunday, May 6, 2012 16:46
  • Under no circumstances should you run that command on a domain controller in a production environment :)

    http://blogs.technet.com/b/janelewis/archive/2009/10/21/interesting-issue-with-major-implications.aspx

    If you had to run this command and reset security, you have probably modified some security setting on the domain controller; that is why I mentioned in the other post not to modify anything related to security unless you are completely sure of the change being made.

    Speaking of the types of restore ...

    A NON-AUTHORITATIVE restore is used, for example, when you have a problem with a domain controller: you reinstall it and recover the information from a backup; after that, the domain controller will be operational and able to receive from another domain controller all the changes made since the time of the backup.
    THE REALITY IS THAT TODAY, IF YOU HAVE MULTIPLE DOMAIN CONTROLLERS AND ONE IN THE SAME SITE IS DAMAGED, RATHER THAN RESTORING A BACKUP AND WAITING FOR REPLICATION, IT IS SIMPLER TO INSTALL A NEW DC AND PROMOTE IT. In cases where you have a remote domain controller, restoring a system state backup and then waiting for replication may be more effective, with the aim of reducing initial replication times.

    An AUTHORITATIVE restore is used, for example, when some object was modified and you want to return the object to its state at the time of the backup; in that case you do an authoritative restore, where the process takes care of adding a larger number to the stored USN (USN + 100,000) so that when it replicates it is always the one that wins.


    Here is more information on the subject:
    http://www.windowsnetworking.com/kbase/windowstips/windows2003/admintips/activedirectory/Authoritativevs.Non-AuthoritativeRestorationofActiveDirectory.html



    Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" with no warranties of any kind, and confers no rights. You assume the risks

    Sunday, May 6, 2012 17:09
    Moderator