authoritative restore system state

Question
-
Scenario:
One forest
DC=srv1.stany.com
OU=sales (plus several child OUs)
DNS integrated=192.168.1.1
Backup system state=ok
FSMO=Schema master
Domain role owner
PDC
RID
Infrastructure
DC=srv2.stany.com
Backup system state=ok
DNS integrated=192.168.1.2
Backup system state=ok
FSMO=none
On srv1 I delete the contents of OU sales, reboot into dsrepair, run dsutil, and the following attached message appears. What could it be, or what am I doing wrong?
Answers
-
Under no circumstances should you run that command on a domain controller in a production environment :)
http://blogs.technet.com/b/janelewis/archive/2009/10/21/interesting-issue-with-major-implications.aspx
If you had to run this command and reset security, you have probably modified some security setting on the domain controller. That is why I mentioned in the other post not to modify anything security-related unless you are completely sure of the change being made.
Speaking of restore types ...
A NON-AUTHORITATIVE restore is used, for example, when you have a problem with a domain controller: you reinstall it and recover the information from a backup. After that, the domain controller will be operational and will be able to receive, from another domain controller, all the changes made since the time of the backup.
THE REALITY IS THAT TODAY, IF YOU HAVE MULTIPLE DOMAIN CONTROLLERS AND ONE IN THE SAME SITE GETS DAMAGED, RATHER THAN RESTORING A BACKUP AND WAITING FOR REPLICATION, IT IS SIMPLER TO INSTALL A NEW DC AND PROMOTE IT. In cases where you have a remote domain controller, restoring a system state backup and then waiting for replication may be more effective, with the goal of reducing the initial replication time.
An AUTHORITATIVE restore is used, for example, in cases where some object was modified and you want to return the object to the way it was at the time of the backup. In that case you do an authoritative restore, where the process takes care of adding a larger number to the stored USN (USN + 100,000) so that when it replicates it is always the one that wins.
Here is more information on the subject
http://www.windowsnetworking.com/kbase/windowstips/windows2003/admintips/activedirectory/Authoritativevs.Non-AuthoritativeRestorationofActiveDirectory.html
Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" without warranties of any kind, and confers no rights. You assume the risks
- Marked as answer by Ignacio Barrios Sunday, May 6, 2012 21:47
All replies
-
Operating system? If it is W2008-R2, the first thing to do when you enter NTDSUTIL is ACTIVATE INSTANCE NTDS
Because it could also be LDS
Guillermo Delprato - Buenos Aires, Argentina
Visit Notas Windows Server
MVP - MCT - MCSE - MCSA
MCITP: Enterprise Administrator / Server Administrator
MCTS: Active Directory/Network Configuration/Applications Configuration/Server Virtualization/Windows 7 Configuration/Windows 7 & Office 2010 Deployment/Vista Configuration
This message is provided "as is" without warranties of any kind. You assume all risks.
-
Because you are trying to recover something that has not been deleted :)
You say that *the contents* of Sales were deleted, yet you are trying to recover *the OU* Sales
If what was deleted is the contents, then each of the items has to be recovered individually
If you do not remember all the names: Viewing deleted objects in Active Directory:
http://support.microsoft.com/kb/258310
And before you ask ;)
How to restore deleted user accounts and their group memberships in Active Directory:
http://support.microsoft.com/kb/840001/en-us
Guillermo Delprato - Buenos Aires, Argentina
-
Good morning Ignaba,
If you are doing it right, the restore of the OU sales will bring back all of its contents, although it will not recover user membership unless you perform the additional procedure to import the ldf files with ldifde http://support.microsoft.com/kb/840001/en-us
When you restore an OU, any changes that are made up to the time that a backup is restored are rolled back to their values at the time of the backup. For any user accounts, computer accounts, and security groups in the restored OU that were not among the deletions being restored, this rollback might mean the loss of the most recent changes to passwords, home directory, profile path, location and container information, group membership, and any security descriptors that are defined on those objects and attributes.
More information on this: http://technet.microsoft.com/en-us/library/cc779573(v=ws.10).aspx
An authoritative restoration on an OU subtree restores all the attributes and objects that reside in the container. Any changes that were made up to the time that a system state backup is restored are rolled back to their values at the time of the backup. With user accounts, computer accounts, and security groups, this rollback may mean the loss of the most recent changes to passwords, to the home directory, to the profile path, to location and to contact info, to group membership, and to any security descriptors that are defined on those objects and attributes.
http://support.microsoft.com/kb/840001
Sebastian del Rio
- Edited by Sebastian del Rio (Microsoft employee, Moderator) Friday, May 4, 2012 13:53
-
-
Notice that the error says it cannot locate the DN "OU=Sales". Put the whole distinguished name in quotes
Restore subtree "ou=sales,DC=stany,dc=com"
Sebastian del Rio
- Edited by Sebastian del Rio (Microsoft employee, Moderator) Friday, May 4, 2012 16:04
-
-
Are you following these steps described in http://support.microsoft.com/kb/241594?
- Restart the domain controller.
- When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
- Restore the data from backup media for an authoritative restore. To do this, follow these steps:
  - In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.
  - Click Restore Wizard, and then click Next.
  - Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
  - Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
  - In the Restore Files to list, click Original Location.
  - Click OK, and then complete the restore process. A visual progress indicator is displayed.
  - When you are prompted to restart the computer, do not restart.
- At a command prompt, type ntdsutil, and then press ENTER.
- Type authoritative restore, and then press ENTER.
- Type the following command, and then press ENTER:
  restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
Sebastian del Rio
- Edited by Sebastian del Rio (Microsoft employee, Moderator) Friday, May 4, 2012 16:10
-
No, I am following the steps in the article http://technet.microsoft.com/en-us/library/cc757068(v=ws.10).aspx
- Edited by Ignacio Barrios Friday, May 4, 2012 17:23
-
I see "Records found: 0000000000" in the message, which obviously indicates that it does not find the object to mark as "authoritative"
So I start asking:
- Are you sure the DN is written correctly, and that "sales" was not hanging off another OU?
- Is it certain that the backup was taken first and "Sales" was deleted afterwards?
- Is it certain that Sales was deleted and not just its contents?
- What might ignaba be doing? Ah! No, not this one :D
Let's do a test: check whether the object was really deleted, and review its DN
How to search for deleted objects in Active Directory:
http://support.microsoft.com/kb/284928
I understand that you are doing a test, is that right? If so, I would try repeating the procedure because there is "something that doesn't add up" :)
Guillermo Delprato - Buenos Aires, Argentina
Follow the steps exactly as I left them in the previous post. It is not clear whether you were performing the restore before using ntdsutil ...
- Restart the domain controller.
- When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
- Restore the data from backup media for an authoritative restore. To do this, follow these steps:
  - In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.
  - Click Restore Wizard, and then click Next.
  - Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
  - Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
  - In the Restore Files to list, click Original Location.
  - Click OK, and then complete the restore process. A visual progress indicator is displayed.
  - When you are prompted to restart the computer, do not restart.
- At a command prompt, type ntdsutil, and then press ENTER.
- Type authoritative restore, and then press ENTER.
- Type the following command, and then press ENTER:
  restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
Sebastian del Rio
-
Sebastian, I did all the steps but it did not work
Guillermo, my answers to you:
The DN is written correctly
A backup was taken and then it was deleted. "Apparently the backup was damaged". I restarted the DC in normal mode, created the OUs again, took a backup, deleted the contents of SALES, rebooted into DR mode, ran ntdsutil (image attached), it runs fine, I rebooted into normal mode but I notice that the contents of SALES are not there, and when I try to create a group a popup appears (image)
-
The recovery being performed looks normal, since the screenshot shows "Found 1 record to update". I think I know what is happening, although first I would like you to run a test
1. Create the following OU structure using these names or any others different from the ones you have used
Test OU
---- ChildOU1
-----ChildOU2
And create users in the three OUs.
2. Take a backup of the System State
3. Delete the OU TEST OU
Then follow these steps exactly; when you reach the restore subtree step, your command would be
restore subtree "OU=Test OU,DC=stany,DC=com"
- Restart the domain controller.
- When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
- Restore the data from backup media for an authoritative restore. To do this, follow these steps:
  - In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.
  - Click Restore Wizard, and then click Next.
  - Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
  - Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
  - In the Restore Files to list, click Original Location.
  - Click OK, and then complete the restore process. A visual progress indicator is displayed.
  - When you are prompted to restart the computer, do not restart.
- At a command prompt, type ntdsutil, and then press ENTER.
- Type authoritative restore, and then press ENTER.
- Type the following command, and then press ENTER:
  restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
And tell me what happens.
Sebastian del Rio
- Edited by Sebastian del Rio (Microsoft employee, Moderator) Saturday, May 5, 2012 14:57
- Proposed as answer by Sebastian del Rio (Microsoft employee, Moderator) Sunday, May 6, 2012 17:10
-
I was able to perform all the steps without problems, I reboot into normal mode (images attached), and I cannot create objects in "test ou".
- Edited by Ignacio Barrios Saturday, May 5, 2012 16:47
-
Good, so the restore worked and brought back the OU structure; it is just that creating users gives the error mentioned, which appears to be a second problem
Can you create users in another OU?
Run dcdiag /v on the server and post the output here, please.
Sebastian del Rio
- Edited by Sebastian del Rio (Microsoft employee, Moderator) Saturday, May 5, 2012 18:23
-
The issue with the Sales OU seems to me to come from versioning. Objects replicate according to the USN (Update Sequence Number). What happens is this: let's suppose that at the time of the backup your object has a USN of 10. You take the backup and the object is saved with this USN (10). Then you make changes to the object and each of those changes increases the USN by 1, so if there were 100 changes the USN would now be 110. Then the object is deleted because of some problem and you use the last available backup, where the USN, remember, was 10.
When doing an authoritative backup, so that the object can replicate to the other domain controllers, the auth restore process adds 100,000 to the USN number, so after the backup the USN will be 100,010, which will cause any other DC that receives the change to see that the received change is more up to date than the one it holds for the object (unless there have been more than 100,000 changes between the backup and the restore :) ). Now let's say the object keeps being changed, so it now has a USN of 100,200, and you use the same backup to recover it again because it has been deleted again. In that case the DCs know the USN of this object as 100,200, but your backup, remember, had a stored USN of 10. Adding 100,000 as the authoritative restore does, 100,010 will be lower than the USN stored on the DCs, which is 100,200, so in that case the object will not replicate and, on the contrary, will be deleted from another domain controller =).
To solve this type of problem you can use an additional parameter in the restore process,
Restore <object | subtree> "<object DN>" verinc 200000
which would add 200,000 or whatever number we want to the existing USN.
This problem often occurs when the same backup is used for different restores, so after a restore it is advisable to take a new backup and to keep backups up to date and always tested.
See the following note:
http://technet.microsoft.com/en-us/library/cc757068(v=ws.10).aspx
I hope the explanation was understandable, and since I wrote so much I hope I did not make a mistake :)
Sebastian del Rio
- Proposed as answer by Sebastian del Rio (Microsoft employee, Moderator) Sunday, May 6, 2012 17:10
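The version arithmetic described in the post above, as an added example that is not part of the original thread: a toy two-DC model in which the higher version stamp wins on replication. The class and function names are hypothetical, the +100,000 default is the figure given in the post, and tie-breaking between equal versions is left out.

```python
from dataclasses import dataclass

DEFAULT_VERINC = 100_000  # increment quoted in the post for an authoritative restore


@dataclass(frozen=True)
class Stamp:
    version: int   # what the post calls the object's USN
    deleted: bool  # True when the latest write is a deletion


class DC:
    """Hypothetical stand-in for one domain controller's copy of the directory."""

    def __init__(self, name):
        self.name = name
        self.objects = {}  # DN -> Stamp

    def write(self, dn, deleted=False):
        # Every originating change (including a delete) bumps the version by 1.
        current = self.objects.get(dn)
        self.objects[dn] = Stamp((current.version if current else 0) + 1, deleted)

    def authoritative_restore(self, dn, backup_version, verinc=DEFAULT_VERINC):
        # The restored copy is live again, stamped backup version + verinc.
        self.objects[dn] = Stamp(backup_version + verinc, False)


def replicate(dcs, dn):
    """Converge all DCs on the copy with the highest version (ties not modelled)."""
    winner = max((dc.objects[dn] for dc in dcs if dn in dc.objects),
                 key=lambda s: s.version)
    for dc in dcs:
        dc.objects[dn] = winner
    return winner


def min_verinc(backup_version, current_version):
    """Smallest increment that makes the restored copy beat the current one."""
    return current_version - backup_version + 1


def run_scenario(second_verinc):
    """Replay the post's story; return the state after the 1st and 2nd restore."""
    dn = "OU=Sales,DC=stany,DC=com"  # constructed sample DN
    srv1, srv2 = DC("srv1"), DC("srv2")
    dcs = [srv1, srv2]

    for _ in range(10):              # object reaches version 10
        srv1.write(dn)
    replicate(dcs, dn)
    backup_version = srv1.objects[dn].version  # backup taken here (10)

    for _ in range(100):             # 100 later changes -> 110
        srv2.write(dn)
    srv2.write(dn, deleted=True)     # accidental deletion -> 111
    replicate(dcs, dn)

    srv1.authoritative_restore(dn, backup_version)   # 10 + 100,000
    first = replicate(dcs, dn)       # restored copy wins

    for _ in range(190):             # object keeps changing -> 100,200
        srv2.write(dn)
    srv2.write(dn, deleted=True)     # deleted again -> 100,201
    replicate(dcs, dn)

    # Second restore from the SAME backup, with the chosen increment.
    srv1.authoritative_restore(dn, backup_version, second_verinc)
    second = replicate(dcs, dn)
    return first, second


if __name__ == "__main__":
    for inc in (100_000, 200_000):
        first, second = run_scenario(inc)
        outcome = "deleted again" if second.deleted else "restored"
        print(f"verinc={inc}: first={first.version}, "
              f"second={second.version} ({outcome})")
    print("minimum verinc for the second restore:", min_verinc(10, 100_201))
```

With the default increment the second restore loses to the deletion held by the other DC, which is the case the post warns about when one backup is reused.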
-
It lets me create OUs elsewhere in the domain, and it even produces an event (image attached). I am copying the output of dcdiag /v.
part 1:
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine srv1, is a DC.
* Connecting to directory service on server srv1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 4 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: site1\SRV1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SRV1 passed test Connectivity
Doing primary tests
Testing server: site1\SRV1
Starting test: Replications
* Replications Check
[Replications Check,SRV1] A recent replication attempt failed:
From SRV2 to SRV1
Naming Context: DC=ForestDnsZones,DC=stany,DC=com
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2012-05-05 21:57:38.
The last success occurred at 2012-04-27 13:30:56.
18 failures have occurred since the last success.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV4 to SRV1
Naming Context: DC=ForestDnsZones,DC=stany,DC=com
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2012-05-05 21:58:30.
The last success occurred at 2012-04-27 12:48:25.
11 failures have occurred since the last success.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV3 to SRV1
Naming Context: DC=ForestDnsZones,DC=stany,DC=com
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2012-05-05 22:27:49.
The last success occurred at 2012-05-01 12:59:40.
50 failures have occurred since the last success.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV2 to SRV1
Naming Context: DC=DomainDnsZones,DC=stany,DC=com
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2012-05-05 21:57:38.
The last success occurred at 2012-04-27 13:30:56.
18 failures have occurred since the last success.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV3 to SRV1
Naming Context: DC=DomainDnsZones,DC=stany,DC=com
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2012-05-05 22:27:49.
The last success occurred at 2012-05-01 12:59:40.
50 failures have occurred since the last success.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV4 to SRV1
Naming Context: CN=Schema,CN=Configuration,DC=stany,DC=com
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2012-05-05 22:00:03.
The last success occurred at 2012-04-27 12:47:42.
10 failures have occurred since the last success.
[SRV4] DsBindWithSpnEx() failed with error 1722,
Win32 Error 1722.
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 3768 (DcDiag)
System Time is: 5/6/2012 1:37:47:597
Generating component is 8 (winsock)
Status is 1722: The RPC server is unavailable.Detection location is 322
Error Record 2, ProcessID is 3768 (DcDiag)
System Time is: 5/6/2012 1:37:47:597
Generating component is 8 (winsock)
Status is 11001: No such host is known.Detection location is 320
NumberOfParameters is 1
Unicode string: 2c9ba0bf-81df-4aca-8738-6cf3be2cc8eb._msdcs.stany.com
The source remains down. Please check the machine.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV2 to SRV1
Naming Context: CN=Schema,CN=Configuration,DC=stany,DC=com
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2012-05-05 22:00:24.
The last success occurred at 2012-04-27 13:30:56.
17 failures have occurred since the last success.
[SRV2] DsBindWithSpnEx() failed with error 1722,
Win32 Error 1722.
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 3768 (DcDiag)
System Time is: 5/6/2012 1:38:8:557
Generating component is 8 (winsock)
Status is 1722: The RPC server is unavailable.Detection location is 323
Error Record 2, ProcessID is 3768 (DcDiag)
System Time is: 5/6/2012 1:38:8:557
Generating component is 8 (winsock)
Status is 1237: The operation could not be completed. A retry should be performed.Detection location is 313
Error Record 3, ProcessID is 3768 (DcDiag)
System Time is: 5/6/2012 1:38:8:557
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.Detection location is 311
NumberOfParameters is 3
Long val: 135
Pointer val: 0
Pointer val: 0
Error Record 4, ProcessID is 3768 (DcDiag)
System Time is: 5/6/2012 1:38:8:557
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.Detection location is 318
The source remains down. Please check the machine.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV3 to SRV1
Naming Context: CN=Schema,CN=Configuration,DC=stany,DC=com
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2012-05-05 22:28:31.
The last success occurred at 2012-05-01 12:59:19.
49 failures have occurred since the last success.
[SRV3] DsBindWithSpnEx() failed with error 1722,
Win32 Error 1722.
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 3768 (DcDiag)
System Time is: 5/6/2012 1:38:29:487
Generating component is 8 (winsock)
Status is 1722: The RPC server is unavailable.Detection location is 323
Error Record 2, ProcessID is 3768 (DcDiag)
System Time is: 5/6/2012 1:38:29:487
Generating component is 8 (winsock)
Status is 1237: The operation could not be completed. A retry should be performed.Detection location is 313
Error Record 3, ProcessID is 3768 (DcDiag)
System Time is: 5/6/2012 1:38:29:487
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.Detection location is 311
NumberOfParameters is 3
Long val: 135
Pointer val: 0
Pointer val: 0
Error Record 4, ProcessID is 3768 (DcDiag)
System Time is: 5/6/2012 1:38:29:487
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.Detection location is 318
The source remains down. Please check the machine.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV4 to SRV1
Naming Context: CN=Configuration,DC=stany,DC=com
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2012-05-05 21:58:30.
The last success occurred at 2012-04-27 12:47:21.
11 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV2 to SRV1
Naming Context: CN=Configuration,DC=stany,DC=com
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2012-05-05 21:58:51.
The last success occurred at 2012-04-27 13:30:56.
18 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV3 to SRV1
Naming Context: CN=Configuration,DC=stany,DC=com
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2012-05-05 22:28:10.
The last success occurred at 2012-05-01 12:58:07.
50 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV2 to SRV1
Naming Context: DC=stany,DC=com
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2012-05-05 21:57:38.
The last success occurred at 2012-04-27 13:30:56.
17 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV3 to SRV1
Naming Context: DC=stany,DC=com
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2012-05-05 22:27:49.
The last success occurred at 2012-05-01 12:59:40.
49 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV2 to SRV1
Naming Context: DC=child,DC=stany,DC=com
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2012-05-05 21:57:38.
The last success occurred at 2012-04-27 13:30:56.
15 failures have occurred since the last success.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV4 to SRV1
Naming Context: DC=child,DC=stany,DC=com
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2012-05-05 21:58:30.
The last success occurred at 2012-04-27 12:48:25.
8 failures have occurred since the last success.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
SRV1: Current time is 2012-05-05 22:37:43.
DC=ForestDnsZones,DC=stany,DC=com
Last replication recieved from SRV2 at 2012-04-27 13:31:03.
Last replication recieved from SRV3 at 2012-05-01 12:59:46.
Last replication recieved from SRV4 at 2012-04-27 12:48:29.
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=stany,DC=com
Last replication recieved from SRV2 at 2012-04-27 13:31:03.
Last replication recieved from SRV3 at 2012-05-01 12:59:46.
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=stany,DC=com
Last replication recieved from SRV2 at 2012-04-27 13:31:03.
Last replication recieved from SRV3 at 2012-05-01 12:59:25.
Last replication recieved from SRV4 at 2012-04-27 12:47:47.
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=stany,DC=com
Last replication recieved from SRV2 at 2012-04-27 13:31:03.
Last replication recieved from SRV3 at 2012-05-01 12:58:13.
Last replication recieved from SRV4 at 2012-04-27 12:47:26.
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=stany,DC=com
Last replication recieved from SRV2 at 2012-04-27 13:31:03.
Last replication recieved from SRV3 at 2012-05-01 12:59:46.
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=child,DC=stany,DC=com
Last replication recieved from SRV4 at 2012-04-27 12:48:29.
Latency information for 3 entries in the vector were ignored.
2 were retired Invocations. 1 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
REPLICATION-RECEIVED LATENCY WARNING
Source site:
CN=NTDS Site Settings,CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
Current time: 2012-05-05 22:38:29
Last update time: 2012-04-27 13:04:09
Check if source site has an elected ISTG running.
Check replication from source site to this server.
REPLICATION-RECEIVED LATENCY WARNING
Source site:
CN=NTDS Site Settings,CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com
Current time: 2012-05-05 22:38:29
Last update time: 2012-05-01 12:39:10
Check if source site has an elected ISTG running.
Check replication from source site to this server.
......................... SRV1 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC SRV1.
* Security Permissions Check for
DC=ForestDnsZones,DC=stany,DC=com
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=stany,DC=com
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=stany,DC=com
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=stany,DC=com
(Configuration,Version 2)
* Security Permissions Check for
DC=stany,DC=com
(Domain,Version 2)
* Security Permissions Check for
DC=child,DC=stany,DC=com
(Domain,Version 2)
......................... SRV1 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\SRV1\netlogon)
[SRV1] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
......................... SRV1 failed test NetLogons
Starting test: Advertising
Fatal Error:DsGetDcName (SRV1) call failed, error 1355
The Locator could not find the server.
......................... SRV1 failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com
Role Domain Owner = CN=NTDS Settings,CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com
Role PDC Owner = CN=NTDS Settings,CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com
Role Rid Owner = CN=NTDS Settings,CN=SRV2,CN=Servers,CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
Warning: SRV2 is the Rid Owner, but is not responding to DS RPC Bind.
RPC Extended Error Info not available. Use group policy on the local machine at "Computer Configuration/Administrative Templates/System/Remote Procedure Call" to enable it.
[SRV2] LDAP search failed with error 58,
Win32 Error 58.
Warning: SRV2 is the Rid Owner, but is not responding to LDAP Bind.
Role Infrastructure Update Owner = CN=NTDS Settings,CN=SRV2,CN=Servers,CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
Warning: SRV2 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
RPC Extended Error Info not available. Use group policy on the local machine at "Computer Configuration/Administrative Templates/System/Remote Procedure Call" to enable it.
Warning: SRV2 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
......................... SRV1 failed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4603 to 1073741823
* srv2.stany.com is the RID Master
......................... SRV1 failed test RidManager
Starting test: MachineAccount
Checking machine account for DC SRV1 on DC SRV1.
* SPN found :LDAP/srv1.stany.com/stany.com
* SPN found :LDAP/srv1.stany.com
* SPN found :LDAP/SRV1
* SPN found :LDAP/srv1.stany.com/STANY
* SPN found :LDAP/24a99e62-056a-43f4-b177-102a34dd6e34._msdcs.stany.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/24a99e62-056a-43f4-b177-102a34dd6e34/stany.com
* SPN found :HOST/srv1.stany.com/stany.com
* SPN found :HOST/srv1.stany.com
* SPN found :HOST/SRV1
* SPN found :HOST/srv1.stany.com/STANY
* SPN found :GC/srv1.stany.com/stany.com
......................... SRV1 passed test MachineAccount
-
Part 2:
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... SRV1 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
SRV1 is in domain DC=stany,DC=com
Checking for CN=SRV1,OU=Domain Controllers,DC=stany,DC=com in domain DC=stany,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com in domain CN=Configuration,DC=stany,DC=com on 1 servers
Object is up-to-date on all servers.
......................... SRV1 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
The registry lookup failed to determine the state of the SYSVOL. The error returned was 0 (Win32 Error 0). Check the FRS event log to see
if the SYSVOL has successfully been shared.
......................... SRV1 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034FE
Time Generated: 05/05/2012 12:58:05
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034FD
Time Generated: 05/05/2012 13:15:59
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 05/05/2012 13:18:41
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 05/05/2012 13:18:42
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 05/05/2012 13:33:41
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 05/05/2012 14:03:20
(Event String could not be retrieved)
......................... SRV1 failed test frsevent
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/05/2012 22:32:29
Event String: All domain controllers in the following site that can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
Directory partition:
DC=stany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/05/2012 22:32:29
Event String: All domain controllers in the following site that can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com
Directory partition:
DC=stany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/05/2012 22:32:29
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory
partition.
Directory partition:
DC=stany,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/05/2012 22:32:29
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/05/2012 22:32:29
Event String: All domain controllers in the following site that can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
Directory partition:
DC=DomainDnsZones,DC=stany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/05/2012 22:32:29
Event String: All domain controllers in the following site that can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com
Directory partition:
DC=DomainDnsZones,DC=stany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/05/2012 22:32:29
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory
partition.
Directory partition:
DC=DomainDnsZones,DC=stany,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/05/2012 22:32:29
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/05/2012 22:32:29
Event String: All domain controllers in the following site that can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
Directory partition:
DC=ForestDnsZones,DC=stany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/05/2012 22:32:29
Event String: All domain controllers in the following site that can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com
Directory partition:
DC=ForestDnsZones,DC=stany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/05/2012 22:32:29
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory
partition.
Directory partition:
DC=ForestDnsZones,DC=stany,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/05/2012 22:32:29
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/05/2012 22:32:29
Event String: All domain controllers in the following site that can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
Directory partition:
DC=child,DC=stany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/05/2012 22:32:29
Event String: All domain controllers in the following site that can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com
Directory partition:
DC=child,DC=stany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/05/2012 22:32:29
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory
partition.
Directory partition:
DC=child,DC=stany,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/05/2012 22:32:29
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/05/2012 22:32:29
Event String: All domain controllers in the following site that can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
Directory partition:
CN=Configuration,DC=stany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/05/2012 22:32:29
Event String: All domain controllers in the following site that can replicate the directory partition over this
transport are currently unavailable.
Site:
CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com
Directory partition:
CN=Configuration,DC=stany,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=stany,DC=com
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/05/2012 22:32:29
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory
partition.
Directory partition:
CN=Configuration,DC=stany,DC=com
There is insufficient site connectivity
information in Active Directory Sites and
Services for the KCC to create a spanning tree
replication topology. Or, one or more domain
controllers with this directory partition are
unable to replicate the directory partition
information. This is probably due to inaccessible
domain controllers.
User Action
Use Active Directory Sites and Services to
perform one of the following actions:
- Publish sufficient site connectivity
information so that the KCC can determine a route
by which this directory partition can reach this
site. This is the preferred option.
- Add a Connection object to a domain controller
that contains the directory partition in this
site from a domain controller that contains the
same directory partition in another site.
If neither of the Active Directory Sites and
Services tasks correct this condition, see
previous events logged by the KCC that identify
the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/05/2012 22:32:29
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network
topology. As a result, the following list of
sites cannot be reached from the local site.
Sites:
CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
CN=site3,CN=Sites,CN=Configuration,DC=stany,DC=com
......................... SRV1 failed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... SRV1 passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference) CN=SRV1,OU=Domain Controllers,DC=stany,DC=com and backlink on
CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com
are correct.
The system object reference (frsComputerReferenceBL) CN={5495c546-af16-497f-b121-0f7123b4afee},CN=root2,CN=root2,CN=DFS Volumes,CN=File Replication Service,CN=System,DC=stany,DC=com
and backlink on CN=SRV1,OU=Domain Controllers,DC=stany,DC=com are
correct.
The system object reference (serverReferenceBL) CN=SRV1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=stany,DC=com
and backlink on
CN=NTDS Settings,CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com
are correct.
......................... SRV1 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : stany
Starting test: CrossRefValidation
......................... stany passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... stany passed test CheckSDRefDom
Running enterprise tests on : stany.com
Starting test: Intersite
Skipping site site1, this site is outside the scope provided by the command line arguments provided.
Skipping site site2, this site is outside the scope provided by the command line arguments provided.
Skipping site site3, this site is outside the scope provided by the command line arguments provided.
......................... stany.com passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
PDC Name: \\srv1.stany.com
Locator Flags: 0xe00003fd
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... stany.com failed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS -
Ignaba,
You have to work on that domain; there are too many errors, which makes it difficult to diagnose anything in that state :)
The error you get when creating the user is related to not being able to contact the RID master:
Role Rid Owner = CN=NTDS Settings,CN=SRV2,CN=Servers,CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
Warning: SRV2 is the Rid Owner, but is not responding to DS RPC Bind.
"Domain controllers running AD DS have a shared RID pool. The RID operations master is responsible for maintaining a pool of RIDs to be used by the domain controllers in its domain and for providing groups of RIDs to each domain controller when necessary. When a new AD DS domain controller is added to the domain, the RID master allocates a batch of approximately 500 RIDs from the domain RID pool to that domain controller. Each time a new security principal is created on a domain controller, the domain controller draws from its local pool of RIDs and assigns one to the new object. When the number of RIDs in a domain controller’s RID pool falls below approximately 100, that domain controller submits background requests (by means of RPC) for additional RIDs from the domain’s RID master. The RID master allocates a block of approximately 500 RIDs from the domain’s RID pool to the pool of the requesting domain controller."
Probably, if you try to add an object such as a computer, group or user anywhere in the domain, it will fail, because when the RID master is not available and the domain controller's RID pool has already been consumed, any object that needs a SID created cannot be created; additionally, you will probably see errors 16445 or 16650.
You need to work on the DCDIAG errors before continuing to work on any other problem in that domain.
The restore matter is clear: when you restored the new OU you created, everything was restored, but since users cannot be created for lack of RIDs in the pool of Available Pools, the OU structure was restored (since the OU object does not have a SID) but not the users (which do have a SID), since they cannot be created.
For the additional topics, I would ask you to open a new thread so as not to deal with more than one topic per thread and to keep the forum tidy.
Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" without warranties of any kind, and confers no rights. You assume the risks
- Edited by Sebastian del Rio (Microsoft employee, Moderator), Sunday, May 6, 2012 14:00
- Proposed as answer by Sebastian del Rio (Microsoft employee, Moderator), Sunday, May 6, 2012 17:09
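The reading of the dcdiag output that the answer above does by eye (failed tests, who holds each FSMO role, which role holders do not answer) can be scripted over a saved report. This is an added example, not part of the original thread; the function name `triage` and its result keys are assumptions, and the sample is a constructed excerpt of the output posted above.

```python
import re

# Constructed sample: lines excerpted from the dcdiag output posted in this thread.
SAMPLE = """\
Starting test: KnowsOfRoleHolders
Role PDC Owner = CN=NTDS Settings,CN=SRV1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=stany,DC=com
Role Rid Owner = CN=NTDS Settings,CN=SRV2,CN=Servers,CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
Warning: SRV2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: SRV2 is the Rid Owner, but is not responding to LDAP Bind.
Role Infrastructure Update Owner = CN=NTDS Settings,CN=SRV2,CN=Servers,CN=site2,CN=Sites,CN=Configuration,DC=stany,DC=com
Warning: SRV2 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
......................... SRV1 failed test KnowsOfRoleHolders
Starting test: RidManager
......................... SRV1 failed test RidManager
Starting test: MachineAccount
......................... SRV1 passed test MachineAccount
"""

RESULT = re.compile(r"^\.{5,}\s+(\S+) (passed|failed) test (\S+)")
ROLE = re.compile(r"^Role (.+?) = CN=NTDS Settings,CN=([^,]+),")
DOWN = re.compile(r"^Warning: (\S+) is the (.+?), but is not responding to (.+?)\.$")


def triage(text):
    """Summarise a dcdiag report: failed tests, role holders, silent role holders."""
    failed, roles, silent = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RESULT.match(line):
            if m.group(2) == "failed":
                failed.append(m.group(3))
        elif m := ROLE.match(line):
            roles[m.group(1)] = m.group(2)          # role name -> server holding it
        elif m := DOWN.match(line):
            silent.setdefault(m.group(2), set()).add(m.group(3))
    unreachable = {role: (roles.get(role), sorted(protocols))
                   for role, protocols in silent.items()}
    return {
        "failed": failed,
        "roles": roles,
        "unreachable": unreachable,
        # The condition the answer ties to the failing user creation:
        # no new RID block can be requested while this is true.
        "rid_master_unreachable": "Rid Owner" in unreachable,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("Failed tests:", ", ".join(report["failed"]))
    for role, (server, protocols) in report["unreachable"].items():
        print(f"{role} on {server} not responding to: {', '.join(protocols)}")
    if report["rid_master_unreachable"]:
        print("RID master unreachable: SID-bearing objects fail once the local RID pool is used up")
```
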
-
I understand. Look, searching for support on the internet, I applied the following:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
After rebooting, I did:
seize rid master
seize infrastructure master
(Image attached.) Now I can create objects inside the OU "test OU", but my big question is:
what is the difference between doing an authoritative restore and a non-authoritative restore?
-
Under no circumstances do you run that command on a domain controller in a production environment :)
http://blogs.technet.com/b/janelewis/archive/2009/10/21/interesting-issue-with-major-implications.aspx
If you had to run this command and reset security, you have probably modified some security setting of the domain controller; that is why I mentioned in the other post not to modify anything regarding security unless you are completely sure of the change to be made.
Speaking of the types of restore...
A NON-AUTHORITATIVE restore is used, for example, if you have a problem with a domain controller: you install it again and recover the information from a backup; after that, this domain controller will be operational and will be able to receive all the changes since the time of the backup from another domain controller.
THE REALITY IS THAT TODAY, IF YOU HAVE MULTIPLE DOMAIN CONTROLLERS AND ONE IN THE SAME SITE IS DAMAGED, RATHER THAN RESTORING A BACKUP AND WAITING FOR REPLICATION, IT IS SIMPLER TO INSTALL A NEW DC AND PROMOTE IT. In cases where you have a remote domain controller, restoring a system state backup and then waiting for replication may be more effective, with the aim of reducing the initial replication time.
An AUTHORITATIVE restore is used, for example, in cases where some object was modified and you want to return the object, with its modifications, to the time of the backup; in that case you do an authoritative restore, where the process takes care of adding a larger number to the stored USN (USN + 100,000) so that when it replicates it is always the one that wins.
Here you have more information on the subject:
http://www.windowsnetworking.com/kbase/windowstips/windows2003/admintips/activedirectory/Authoritativevs.Non-AuthoritativeRestorationofActiveDirectory.html
Sebastian del Rio - MCP - MCSA +S - MCSE +S - MCITP:Enterprise Administrator Buenos Aires - Argentina This message is provided "as is" without warranties of any kind, and confers no rights. You assume the risks
- Marked as answer by Ignacio Barrios, Sunday, May 6, 2012 21:47
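The difference described in the answer above, worked through for this thread's scenario (an object deleted on srv1 after the backup, the deletion already replicated to srv2). This is an added example, not part of the original thread: the +100,000 figure is the one quoted in the answer, while the (version, timestamp, originating DC) stamp, the attribute names and the helper functions are a simplified model assumed for illustration.

```python
from dataclasses import dataclass

VERSION_BUMP = 100_000  # figure quoted in the answer above


@dataclass(frozen=True, order=True)
class Stamp:
    """Replication stamp; compared field by field in this order (assumed model)."""
    version: int
    timestamp: int
    dsa: str  # originating domain controller, last tie-breaker


@dataclass(frozen=True)
class Attr:
    value: object
    stamp: Stamp


def replicate(source, dest):
    """Return dest after pulling from source: per attribute, the higher stamp wins."""
    merged = dict(dest)
    for name, attr in source.items():
        if name not in merged or attr.stamp > merged[name].stamp:
            merged[name] = attr
    return merged


def backup_copy():
    """Constructed object state as captured in the system state backup."""
    return {
        "isDeleted": Attr(False, Stamp(1, 100, "srv1")),
        "description": Attr("sales user", Stamp(1, 100, "srv1")),
    }


def partner_copy():
    """State on srv2: the deletion made after the backup has already arrived."""
    copy = backup_copy()
    copy["isDeleted"] = Attr(True, Stamp(2, 200, "srv1"))
    return copy


def mark_authoritative(replica, now, dsa):
    """Raise every stamp so the restored values win the next replication."""
    return {name: Attr(a.value, Stamp(a.stamp.version + VERSION_BUMP, now, dsa))
            for name, a in replica.items()}


def simulate(authoritative):
    """Restore srv1 from backup, replicate both ways, report isDeleted on each DC."""
    srv1, srv2 = backup_copy(), partner_copy()
    if authoritative:
        srv1 = mark_authoritative(srv1, now=300, dsa="srv1")
    srv1 = replicate(srv2, srv1)  # srv1 pulls changes made since the backup
    srv2 = replicate(srv1, srv2)  # srv2 pulls from the restored srv1
    return srv1["isDeleted"].value, srv2["isDeleted"].value


if __name__ == "__main__":
    print("non-authoritative:", simulate(False))  # deletion comes back from srv2
    print("authoritative:    ", simulate(True))   # restored object survives on both
```
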