AD and DNS Replication Problem

  • Question

  • Good afternoon. We have a problem in our infrastructure: our 2 AD and DNS servers are not replicating with each other.

    The scenario:

    Servidor 1: Windows Server 2012. It holds the RID, PDC and Infrastructure roles. It is also the secondary DNS.

    Servidor 2: Windows Server 2008. It is the BDC. It is also the primary DNS.

    Neither AD replication nor DNS replication is working. Everything indicates that the problem is on Servidor 1.

    Below are the errors we found:

    The replication errors in AD, using Replmon.

    One observation: in Replmon, Servidor 2 gets a result entering either xxx.yyy.zzz or just xxx. Servidor 1, however, only gets a result with xxx; entering xxx.yyy.zzz, it does not find it.

    Replication Error generated on Servidor 1:

    Active Directory Replication Domain Controller Replication Failure Output
    Printed at    4/18/2017 12:18:24 PM

    Below are the replication failures detected on Domain Controllers for this domain:

    Domain Controller Name:                   Servidor 2
                  Directory Partition:        DC=DomainDnsZones,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:        Default-First-Site-Name\Servidor 1
                  Failure Code:                1256
                  Failure Reason:             The remote system is not available. For information about network troubleshooting, see Windows Help.

    Domain Controller Name:                   Servidor 2
                  Directory Partition:        DC=ForestDnsZones,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:        Default-First-Site-Name\Servidor 1
                  Failure Code:                1256
                  Failure Reason:             The remote system is not available. For information about network troubleshooting, see Windows Help.

    Domain Controller Name:                   Servidor 1
                  Directory Partition:        DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:        Default-First-Site-Name\Servidor 2
                  Failure Code:                8457
                  Failure Reason:             The destination server is currently rejecting replication requests.

    Domain Controller Name:                   Servidor 1
                  Directory Partition:        CN=Configuration,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:        Default-First-Site-Name\Servidor 2
                  Failure Code:                8457
                  Failure Reason:             The destination server is currently rejecting replication requests.

    Domain Controller Name:                   Servidor 1
                  Directory Partition:        CN=Schema,CN=Configuration,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:        Default-First-Site-Name\Servidor 2
                  Failure Code:                8457
                  Failure Reason:             The destination server is currently rejecting replication requests.

    Domain Controller Name:                   Servidor 1
                  Directory Partition:        DC=DomainDnsZones,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:        Default-First-Site-Name\Servidor 2
                  Failure Code:                8457
                  Failure Reason:             The destination server is currently rejecting replication requests.

    Domain Controller Name:                   Servidor 1
                  Directory Partition:        DC=ForestDnsZones,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:        Default-First-Site-Name\Servidor 2
                  Failure Code:                8457
                  Failure Reason:             The destination server is currently rejecting replication requests.

    Replication Error generated on Servidor 2:

    Active Directory Replication Domain Controller Replication Failure Output
    Printed at    4/18/2017 12:23:33 PM

    Below are the replication failures detected on Domain Controllers for this domain:

    Domain Controller Name:                   Servidor 2
                  Directory Partition:        DC=DomainDnsZones,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:        Default-First-Site-Name\Servidor 1
                  Failure Code:                1256
                  Failure Reason:             The remote system is not available. For information about network troubleshooting, see Windows Help.

    Domain Controller Name:                   Servidor 2
                  Directory Partition:        DC=ForestDnsZones,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:        Default-First-Site-Name\Servidor 1
                  Failure Code:                1256
                  Failure Reason:             The remote system is not available. For information about network troubleshooting, see Windows Help.

    Domain Controller Name:                   Servidor 1
                  Directory Partition:        ERROR reading partition: DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:       
                  Failure Code:              
                  Failure Reason:            

    Domain Controller Name:                   Servidor 1
                  Directory Partition:        ERROR reading partition: CN=Configuration,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:       
                  Failure Code:              
                  Failure Reason:            

    Domain Controller Name:                   Servidor 1
                  Directory Partition:        ERROR reading partition: CN=Schema,CN=Configuration,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:       
                  Failure Code:              
                  Failure Reason:            

    Domain Controller Name:                   Servidor 1
                  Directory Partition:        ERROR reading partition: DC=DomainDnsZones,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:       
                  Failure Code:              
                  Failure Reason:            

    Domain Controller Name:                   Servidor 1
                  Directory Partition:        ERROR reading partition: DC=ForestDnsZones,DC=xxx,DC=yyy,DC=zzz
                  Replication Partner:       
                  Failure Code:              
                  Failure Reason:            

    Some observations:

    From inside Servidor 1, entering \\Servidor 2, we get access.

    From inside Servidor 2, entering \\Servidor 1, we do not get access; it gives the error "Logon Failure. The target account name is incorrect."

    From inside Servidor 1, we can open Active Directory Domains and Trusts normally.

    From inside Servidor 2, we cannot open Active Directory Domains and Trusts; it gives the error "The configuration information describing this enterprise is not available. The target principal name is incorrect."

    From inside Servidor 1, running the command

    C:\Program Files (x86)\Support Tools>netdom query fsmo
    Schema owner                Servidor 1.xxx.yyy.zzz

    Domain role owner          Servidor 1.xxx.yyy.zzz

    PDC role                         Servidor 1.xxx.yyy.zzz

    RID pool manager           Servidor 1.xxx.yyy.zzz

    Infrastructure owner        Servidor 1.xxx.yyy.zzz

    The command completed successfully.

    From inside Servidor 2 we cannot run the command above.

    We cannot change the domain Operations Masters from inside Servidor 2. When we try to change the RID, PDC or Infrastructure role, besides the Operations Master field on each of the tabs mentioned above showing ERROR instead of Servidor 1.xxx.yyy.zzz, clicking Change gives the error "The transfer of the operations master role cannot be performed because: The requested FSMO operation failed. The current FSMO holder could not be contacted."

    Errors in the Event Viewer on Servidor 1:

    Log Name:      Application
    Source:        Microsoft-Windows-CertificateServicesClient-AutoEnrollment
    Date:          4/19/2017 9:55:35 AM
    Event ID:      6
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Servidor 1.xxx.yyy.zzz
    Description:
    Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

    Log Name:      Application
    Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
    Date:          4/19/2017 9:55:35 AM
    Event ID:      82
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      Servidor 1.xxx.yyy.zzz
    Description:
    Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {55A451A9-FCCC-49F2-815D-6C92766867A2} (The RPC server is unavailable. 0x800706ba (WIN32: 1722)). Failed to enroll for template: DomainController

    Log Name:      Active Directory Web Services
    Source:        ADWS
    Date:          3/2/2017 12:00:55 PM
    Event ID:      1202
    Task Category: ADWS Instance Events
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Servidor 1.xxx.yyy.zzz
    Description:
    This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
     
     Directory instance: NTDS
     Directory instance LDAP port: 389
     Directory instance SSL port: 636

    Log Name:      DFS Replication
    Source:        DFSR
    Date:          4/12/2017 5:41:31 PM
    Event ID:      1202
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Servidor 1.xxx.yyy.zzz
    Description:
    The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
     
    Additional Information:
    Error: 160 (One or more arguments are not correct.)

    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          4/18/2017 6:55:06 PM
    Event ID:      1864
    Task Category: Replication
    Level:         Error
    Keywords:      Classic
    User:          ANONYMOUS LOGON
    Computer:      Servidor 1.xxx.yyy.zzz
    Description:
    This is the replication status for the following directory partition on this directory server.
     
    Directory partition:
    DC=ForestDnsZones,DC=xxx,DC=yyy,DC=zzz
     
    This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals.
     
    More than 24 hours:
    1
    More than a week:
    1
    More than one month:
    1
    More than two months:
    0
    More than a tombstone lifetime:
    0
    Tombstone lifetime (days):
    60
     
    Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
     
    To identify the directory servers by name, use the dcdiag.exe tool.
    You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

    NOTE: The same error occurs for the following directory partitions:

    DC=DomainDnsZones,DC=xxx,DC=yyy,DC=zzz
    CN=Schema,CN=Configuration,DC=xxx,DC=yyy,DC=zzz
    DC=xxx,DC=yyy,DC=zzz
    CN=Configuration,DC=xxx,DC=yyy,DC=zzz

    Result of the command repadmin /showvector /latency <partition-dn>:

    Caching GUIDs.
    ..
    b0929a9d-4c7e-4009-9a5d-d26bce904629 @ USN    999873 @ Time (unknown)
    f698b7d6-9e67-43a3-8b14-a6e87d190feb @ USN      4356 @ Time (unknown)
    41e46130-d9b0-4fda-8c4e-8311d719ca4b @ USN   4263172 @ Time (unknown)
    db19eb39-4b42-4fbc-8851-cb8cc1fc4048 @ USN      8528 @ Time (unknown)
    d9d3b145-2999-4277-8e46-849569a74d86 @ USN    640091 @ Time (unknown)
    d4b91058-f34f-4ae5-9789-4bac0b3d7e77 @ USN   7860684 @ Time (unknown)
    fff95b4d-68b0-4eb2-a2da-211d54e88bb7 @ USN    837923 @ Time (unknown)
    c4480c71-5aa5-4b13-845e-278f9a75c959 @ USN   4287567 @ Time (unknown)
    93d8a70f-1f70-4f49-ac7e-3e6a2efd4628 @ USN  17773933 @ Time 2013-01-02 16:50:59
    6c5c4739-d554-49e6-8803-caa1a264c444 @ USN  14009081 @ Time 2013-01-17 11:32:49
    3f1af169-998c-43fd-9736-4f0df23ea05f @ USN  17903992 @ Time 2013-01-17 16:39:47
    Default-First-Site-Name\Servidor 2       @ USN  66994388 @ Time 2017-02-24 07:31:08
    Default-First-Site-Name\Servidor 1       @ USN 100896950 @ Time 2017-04-18 11:18:19

    Log Name:      DNS Server
    Source:        Microsoft-Windows-DNS-Server-Service
    Date:          4/12/2017 5:43:56 PM
    Event ID:      4000
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Servidor 1.xxx.yyy.zzz
    Description:
    The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

    Log Name:      File Replication Service
    Source:        NtFrs
    Date:          4/12/2017 5:56:11 PM
    Event ID:      13568
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Servidor 1.xxx.yyy.zzz
    Description:
    The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
     
     Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
     Replica root path is   : "c:\windows\sysvol\domain"
     Replica root volume is : "\\.\C:"
     A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
     
     [1] Volume "\\.\C:" has been formatted.
     [2] The NTFS USN journal on volume "\\.\C:" has been deleted.
     [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
     [4] File Replication Service was not running on this computer for a long time.
     [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
     Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
     [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
     [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
     
    WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.
     
    To change this registry parameter, run regedit.
     
    Click on Start, Run and type regedit.
     
    Expand HKEY_LOCAL_MACHINE.
    Click down the key path:
       "System\CurrentControlSet\Services\NtFrs\Parameters"
    Double click on the value name
       "Enable Journal Wrap Automatic Restore"
    and update the value.
     
    If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

    Errors in the Event Viewer on Servidor 2:

    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          4/19/2017 3:30:43 PM
    Event ID:      1058
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      Servidor 2.xxx.yyy.zzz
    Description:
    The processing of Group Policy failed. Windows attempted to read the file \\xxx.yyy.zzz\sysvol\xxx.yyy.zzz\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.

    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          4/19/2017 3:13:33 PM
    Event ID:      4
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Servidor 2.xxx.yyy.zzz
    Description:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Servidor 1$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/e0b1a345-f271-4609-a01f-6a941b974581/xxx.yyy.zzz@xxx.yyy.zzz. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XXX.YYY.ZZZ) is different from the client domain (XXX.YYY.ZZZ), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    Log Name:      DFS Replication
    Source:        DFSR
    Date:          4/12/2017 5:50:22 PM
    Event ID:      1202
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Servidor 2.xxx.yyy.zzz
    Description:
    The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
     
    Additional Information:
    Error: 160 (One or more arguments are not correct.)

    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          4/19/2017 1:23:27 PM
    Event ID:      1864
    Task Category: Replication
    Level:         Error
    Keywords:      Classic
    User:          ANONYMOUS LOGON
    Computer:      Servidor 2.xxx.yyy.zzz
    Description:
    This is the replication status for the following directory partition on this directory server.
     
    Directory partition:
    DC=ForestDnsZones,DC=xxx,DC=yyy,DC=zzz
     
    This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals.
     
    More than 24 hours:
    1
    More than a week:
    1
    More than one month:
    1
    More than two months:
    0
    More than a tombstone lifetime:
    0
    Tombstone lifetime (days):
    60
     
    Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
     
    To identify the directory servers by name, use the dcdiag.exe tool.
    You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

    NOTE: The same error occurs for the following directory partitions:

    DC=DomainDnsZones,DC=xxx,DC=yyy,DC=zzz
    CN=Schema,CN=Configuration,DC=xxx,DC=yyy,DC=zzz
    DC=xxx,DC=yyy,DC=zzz
    CN=Configuration,DC=xxx,DC=yyy,DC=zzz

    Result of the command repadmin /showvector /latency <partition-dn>:

    Caching GUIDs.
    ..
    b0929a9d-4c7e-4009-9a5d-d26bce904629 @ USN    999873 @ Time (unknown)
    f698b7d6-9e67-43a3-8b14-a6e87d190feb @ USN      4356 @ Time (unknown)
    41e46130-d9b0-4fda-8c4e-8311d719ca4b @ USN   4263172 @ Time (unknown)
    db19eb39-4b42-4fbc-8851-cb8cc1fc4048 @ USN      8528 @ Time (unknown)
    d9d3b145-2999-4277-8e46-849569a74d86 @ USN    640091 @ Time (unknown)
    d4b91058-f34f-4ae5-9789-4bac0b3d7e77 @ USN   7860684 @ Time (unknown)
    fff95b4d-68b0-4eb2-a2da-211d54e88bb7 @ USN    837923 @ Time (unknown)
    c4480c71-5aa5-4b13-845e-278f9a75c959 @ USN   4287567 @ Time (unknown)
    93d8a70f-1f70-4f49-ac7e-3e6a2efd4628 @ USN  17773933 @ Time 2013-01-02 16:50:59
    6c5c4739-d554-49e6-8803-caa1a264c444 @ USN  14009081 @ Time 2013-01-17 11:32:49
    3f1af169-998c-43fd-9736-4f0df23ea05f @ USN  17903992 @ Time 2013-01-17 16:39:47
    Default-First-Site-Name\Servidor 1       @ USN  94037939 @ Time 2017-02-24 07:37:16
    Default-First-Site-Name\Servidor 2       @ USN  74128448 @ Time 2017-04-18 11:16:39

    Log Name:      DNS Server
    Source:        Microsoft-Windows-DNS-Server-Service
    Date:          4/12/2017 5:51:26 PM
    Event ID:      4000
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Servidor 2.xxx.yyy.zzz
    Description:
    The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

    Log Name:      File Replication Service
    Source:        NtFrs
    Date:          4/17/2017 12:25:18 PM
    Event ID:      13568
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Servidor 2.xxx.yyy.zzz
    Description:
    The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
     
     Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
     Replica root path is   : "c:\windows\sysvol\domain"
     Replica root volume is : "\\.\C:"
     A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
     
     [1] Volume "\\.\C:" has been formatted.
     [2] The NTFS USN journal on volume "\\.\C:" has been deleted.
     [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
     [4] File Replication Service was not running on this computer for a long time.
     [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
     Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
     [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
     [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
     
    WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.
     
    To change this registry parameter, run regedit.
     
    Click on Start, Run and type regedit.
     
    Expand HKEY_LOCAL_MACHINE.
    Click down the key path:
       "System\CurrentControlSet\Services\NtFrs\Parameters"
    Double click on the value name
       "Enable Journal Wrap Automatic Restore"
    and update the value.
     
    If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

    Command run on Servidor 2:

    C:\Windows\system32>dcdiag /test:replications

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = Servidor 2
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\Servidor 2
          Starting test: Connectivity
             ......................... Servidor 2 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\Servidor 2
          Starting test: Replications
             [Replications Check,Servidor 2] A recent replication attempt failed:
                From Servidor 1 to Servidor 2
                Naming Context: DC=ForestDnsZones,DC=xxx,DC=yyy,DC=zzz
                The replication generated an error (1256):
                Win32 Error 1256
                The failure occurred at 2017-04-18 10:54:27.
                The last success occurred at 2017-02-24 06:53:42.
                1281 failures have occurred since the last success.
             [Servidor 1] DsBindWithSpnEx() failed with error -2146893022,
             Win32 Error -2146893022.
             [Replications Check,Servidor 2] A recent replication attempt failed:
                From Servidor 1 to Servidor 2
                Naming Context: DC=DomainDnsZones,DC=xxx,DC=yyy,DC=zzz
                The replication generated an error (1256):
                Win32 Error 1256
                The failure occurred at 2017-04-18 10:54:27.
                The last success occurred at 2017-02-24 06:53:42.
                1281 failures have occurred since the last success.
             [Replications Check,Servidor 2] A recent replication attempt failed:
                From Servidor 1 to Servidor 2
                Naming Context:
                CN=Schema,CN=Configuration,DC=xxx,DC=yyy,DC=zzz
                The replication generated an error (-2146893022):
                Win32 Error -2146893022
                The failure occurred at 2017-04-18 10:54:27.
                The last success occurred at 2017-02-24 06:53:42.
                1281 failures have occurred since the last success.
             [Replications Check,Servidor 2] A recent replication attempt failed:
                From Servidor 1 to Servidor 2
                Naming Context: CN=Configuration,DC=xxx,DC=yyy,DC=zzz
                The replication generated an error (-2146893022):
                Win32 Error -2146893022
                The failure occurred at 2017-04-18 10:54:27.
                The last success occurred at 2017-02-24 06:53:42.
                1284 failures have occurred since the last success.
             [Replications Check,Servidor 2] A recent replication attempt failed:
                From Servidor 1 to Servidor 2
                Naming Context: DC=xxx,DC=yyy,DC=zzz
                The replication generated an error (-2146893022):
                Win32 Error -2146893022
                The failure occurred at 2017-04-18 10:59:00.
                The last success occurred at 2017-02-24 07:37:16.
                144067 failures have occurred since the last success.
             ......................... Servidor 2 failed test Replications


       Running partition tests on : ForestDnsZones

       Running partition tests on : DomainDnsZones

       Running partition tests on : Schema

       Running partition tests on : Configuration

       Running partition tests on : xxx

       Running enterprise tests on : xxx.yyy.zzz

    C:\Windows\system32>repadmin /showrepl

    Repadmin: running command /showrepl against full DC localhost
    Default-First-Site-Name\Servidor 2
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 9777be35-e2f3-478d-997b-969c0fa38287
    DSA invocationID: 40094999-e432-4425-9c82-4476d75b4843

    ==== INBOUND NEIGHBORS ======================================

    DC=xxx,DC=yyy,DC=zzz
        Default-First-Site-Name\Servidor 1 via RPC
            DSA object GUID: e0b1a345-f271-4609-a01f-6a941b974581
            Last attempt @ 2017-04-19 16:25:18 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            150364 consecutive failure(s).
            Last success @ 2017-02-24 07:37:16.

    CN=Configuration,DC=xxx,DC=yyy,DC=zzz
        Default-First-Site-Name\Servidor 1 via RPC
            DSA object GUID: e0b1a345-f271-4609-a01f-6a941b974581
            Last attempt @ 2017-04-19 15:53:27 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            1315 consecutive failure(s).
            Last success @ 2017-02-24 06:53:42.

    CN=Schema,CN=Configuration,DC=xxx,DC=yyy,DC=zzz
        Default-First-Site-Name\Servidor 1 via RPC
            DSA object GUID: e0b1a345-f271-4609-a01f-6a941b974581
            Last attempt @ 2017-04-19 15:53:27 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            1310 consecutive failure(s).
            Last success @ 2017-02-24 06:53:42.

    DC=DomainDnsZones,DC=xxx,DC=yyy,DC=zzz
        Default-First-Site-Name\Servidor 1 via RPC
            DSA object GUID: e0b1a345-f271-4609-a01f-6a941b974581
            Last attempt @ 2017-04-19 15:53:27 failed, result 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
            1310 consecutive failure(s).
            Last success @ 2017-02-24 06:53:42.

    DC=ForestDnsZones,DC=xxx,DC=yyy,DC=zzz
        Default-First-Site-Name\Servidor 1 via RPC
            DSA object GUID: e0b1a345-f271-4609-a01f-6a941b974581
            Last attempt @ 2017-04-19 15:53:27 failed, result 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
            1310 consecutive failure(s).
            Last success @ 2017-02-24 06:53:42.

    Source: Default-First-Site-Name\Servidor 1
    ******* 150326 CONSECUTIVE FAILURES since 2017-02-24 07:37:16
    Last error: -2146893022 (0x80090322):
                The target principal name is incorrect.

    Command run on Servidor 1:

    C:\Windows\system32>REPADMIN /SHOWREPL

    Repadmin: running command /SHOWREPL against full DC localhost
    Default-First-Site-Name\Servidor 1
    DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
    Site Options: (none)
    DSA object GUID: e0b1a345-f271-4609-a01f-6a941b974581
    DSA invocationID: 5ad699b6-ab71-4646-b241-862e9c7f2743

    ==== INBOUND NEIGHBORS ======================================

    DC=xxx,DC=yyy,DC=zzz
        Default-First-Site-Name\Servidor 2 via RPC
            DSA object GUID: 9777be35-e2f3-478d-997b-969c0fa38287
            Last attempt @ 2017-04-19 15:54:06 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            1163 consecutive failure(s).
            Last success @ 2017-02-24 07:31:08.

    CN=Configuration,DC=xxx,DC=yyy,DC=zzz
        Default-First-Site-Name\Servidor 2 via RPC
            DSA object GUID: 9777be35-e2f3-478d-997b-969c0fa38287
            Last attempt @ 2017-04-19 15:54:06 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            30 consecutive failure(s).
            Last success @ 2017-04-18 10:34:49.

    CN=Schema,CN=Configuration,DC=xxx,DC=yyy,DC=zzz
        Default-First-Site-Name\Servidor 2 via RPC
            DSA object GUID: 9777be35-e2f3-478d-997b-969c0fa38287
            Last attempt @ 2017-04-19 15:54:06 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            1163 consecutive failure(s).
            Last success @ 2017-02-24 06:47:53.

    DC=DomainDnsZones,DC=xxx,DC=yyy,DC=zzz
        Default-First-Site-Name\Servidor 2 via RPC
            DSA object GUID: 9777be35-e2f3-478d-997b-969c0fa38287
            Last attempt @ 2017-04-19 15:54:06 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            1163 consecutive failure(s).
            Last success @ 2017-02-24 06:47:53.

    DC=ForestDnsZones,DC=xxx,DC=yyy,DC=zzz
        Default-First-Site-Name\Servidor 2 via RPC
            DSA object GUID: 9777be35-e2f3-478d-997b-969c0fa38287
            Last attempt @ 2017-04-19 15:54:06 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            1163 consecutive failure(s).
            Last success @ 2017-02-24 06:47:53.

    Source: Default-First-Site-Name\Servidor 2
    ******* 1163 CONSECUTIVE FAILURES since 2017-04-18 10:34:49
    Last error: 8457 (0x2109):
                The destination server is currently rejecting replication requests.

    We searched the internet but could not find anything that would solve the problem. There is one solution we did not try, because it would have to be done on the PDC, and since we are unable to make the BDC become the PDC, we considered it too risky. The procedure we did not carry out would be the one below:

    "It seems the easiest way is indeed to remove Active Directory and reinstall it, and it can be done without wiping out the entire server. This leaves anything else on the server untouched. However, since you can't remove Active Directory properly, you have to force it to be removed from the server and then clean up manually on a good domain controller.

    • Disconnect the problem server from the network to prevent any of this from potentially breaking active directory on the good servers.
    • On the problem server, run dcpromo /forceremoval. This allows you to remove Active Directory on the system without removing all its records on the other domain controllers.
    • Use ntdsutil from a good domain controller to remove the problem server from active directory. Instructions are in the help link when you run dcpromo /forceremoval, or here: http://technet.microsoft.com/en-us/library/cc736378%28WS.10%29.aspx
    • Delete the server object in AD Sites and Services
    • Delete the server in AD Users and Computers if it still exists
    • Delete the server from DNS:
      • Remove the NS entry in reverse lookup zones
      • Remove the A entry in forward lookup zones
      • Remove the CNAME entry in forward lookup\domain_msdcs
      • Remove the numerous SRV records under _msdcs, _sites, _tcp and _udp referring to the problem server

    Repromote the problem server and configure site settings like you would a brand new DC."

    We appreciate any kind of help.

    Thanks!


    • Edited by Cstutz Wednesday, April 19, 2017 19:28
    Wednesday, April 19, 2017 19:02
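    As an added example (not code from this thread), the following PowerShell turns the plain-text output of repadmin /showrepl, as posted above, into objects so that the failure pattern per partner and error code is visible at a glance, and flags the DSA option bits. The $text sample is constructed from the Servidor 1 output in the question; on a real DC replace it with the output of repadmin /showrepl itself. Everything else (function names, the summary columns) is this example's own choice.

```powershell
# Added example, not code from the original thread. Parses "repadmin /showrepl"
# text output into objects and summarises failures per partner and error code.
# $text is constructed from the output posted in the question; on a real DC use:
#   $text = (repadmin /showrepl) -join "`n"
$text = @'
Default-First-Site-Name\Servidor 1
DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
Site Options: (none)
DSA object GUID: e0b1a345-f271-4609-a01f-6a941b974581
DSA invocationID: 5ad699b6-ab71-4646-b241-862e9c7f2743

==== INBOUND NEIGHBORS ======================================

DC=xxx,DC=yyy,DC=zzz
    Default-First-Site-Name\Servidor 2 via RPC
        DSA object GUID: 9777be35-e2f3-478d-997b-969c0fa38287
        Last attempt @ 2017-04-19 15:54:06 failed, result 8457 (0x2109):
            The destination server is currently rejecting replication requests.
        1163 consecutive failure(s).
        Last success @ 2017-02-24 07:31:08.

CN=Configuration,DC=xxx,DC=yyy,DC=zzz
    Default-First-Site-Name\Servidor 2 via RPC
        DSA object GUID: 9777be35-e2f3-478d-997b-969c0fa38287
        Last attempt @ 2017-04-19 15:54:06 failed, result 8457 (0x2109):
            The destination server is currently rejecting replication requests.
        30 consecutive failure(s).
        Last success @ 2017-04-18 10:34:49.
'@

function ConvertFrom-ShowRepl {
    param([Parameter(Mandatory)][string]$Text)
    $options = ''; $localGuid = $null; $partition = $null
    $current = $null; $expectMessage = $false
    $rows = New-Object System.Collections.Generic.List[object]
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^DSA Options:\s*(.*)$') { $options = $Matches[1]; continue }
        if ($line -match '^DSA object GUID:\s*(\S+)') {
            # The first GUID is the local DSA; later ones belong to the neighbour just opened.
            if ($current) { $current.PartnerGuid = $Matches[1] } else { $localGuid = $Matches[1] }
            continue
        }
        if ($line -match '^(DC=|CN=)') { $partition = $line; continue }
        if ($line -match '^(?<partner>.+\\.+) via (?<transport>\S+)$') {
            $current = [pscustomobject]@{
                Partition = $partition; Partner = $Matches['partner']; Transport = $Matches['transport']
                PartnerGuid = $null; LastAttempt = $null; ResultCode = $null
                Message = $null; Failures = 0; LastSuccess = $null
            }
            $rows.Add($current); continue
        }
        if (-not $current) { continue }
        if ($line -match '^Last attempt @ (?<when>\S+ \S+) failed, result -?\d+ \((?<hex>0x[0-9a-fA-F]+)\):$') {
            $current.LastAttempt = $Matches['when']; $current.ResultCode = $Matches['hex']
            $expectMessage = $true; continue       # repadmin prints the error text on the next line
        }
        if ($line -match '^Last attempt @ (?<when>\S+ \S+) was successful\.$') {
            $current.LastAttempt = $Matches['when']; $current.ResultCode = '0x0'; continue
        }
        if ($expectMessage) { $current.Message = $line; $expectMessage = $false; continue }
        if ($line -match '^(\d+) consecutive failure\(s\)\.$') { $current.Failures = [int]$Matches[1]; continue }
        if ($line -match '^Last success @ (.+)\.$') { $current.LastSuccess = $Matches[1] }
    }
    [pscustomobject]@{ DsaOptions = $options; LocalGuid = $localGuid; Neighbors = $rows }
}

function Get-ReplFailureSummary {
    param([Parameter(Mandatory)]$Parsed)
    $Parsed.Neighbors | Where-Object { $_.ResultCode -ne '0x0' } |
        Group-Object Partner, ResultCode | ForEach-Object {
            $g = $_.Group
            [pscustomobject]@{
                Partner       = $g[0].Partner
                PartnerGuid   = $g[0].PartnerGuid
                ResultCode    = $g[0].ResultCode
                Message       = $g[0].Message
                Partitions    = $_.Count
                MaxFailures   = ($g | Measure-Object Failures -Maximum).Maximum
                OldestSuccess = ($g | Sort-Object LastSuccess | Select-Object -First 1).LastSuccess
            }
        }
}

$parsed = ConvertFrom-ShowRepl -Text $text
# DISABLE_INBOUND_REPL on the local DSA is what produces 8457 for every inbound
# neighbour listed here: the local DC is the "destination" that is rejecting.
# A DC sets these bits on itself when it detects a USN rollback (Directory
# Service event 2095), so read that log before clearing them with repadmin /options.
if ($parsed.DsaOptions -match 'DISABLE_(IN|OUT)BOUND_REPL') {
    Write-Warning "Replication disabled by DSA options: $($parsed.DsaOptions)"
}
Get-ReplFailureSummary -Parsed $parsed | Format-Table -AutoSize
```

    Run on each DC in turn: the output of the question already shows the asymmetry this makes obvious, with Servidor 1 refusing inbound replication (8457, matching its DSA options line) while Servidor 2 cannot authenticate to Servidor 1 at all (0x80090322, a Kerberos principal mismatch rather than a network failure).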

Answers

  • Resolved.

    I had to demote the problematic DC, do the Metadata Cleanup, etc. After that, just uninstall DNS and AD, restart the server, install everything again and do all the configuration as if it were a new DC.

    "- No, for seizing FSMO roles you must connect to the server which you want to be the FSMO role holder; for seizing you do not need the current FSMO role holder to be up and accessible.

    Try to connect to the server you want to be the FSMO role holder in future and simply seize the roles, then remove the ex FSMO role holder; make sure you disconnect the current FSMO role holder while you do the whole process.
     
    Marked as answer by Amy Wang_Microsoft contingent staff, Moderator Friday, October 10, 2014 2:23 AM


    - seize roles :           http://www.petri.com/seizing_fsmo_roles.htm

    delete failed DC :   http://www.petri.com/delete_failed_dcs_from_ad.htm
     
    Proposed as answer by Dalili Cyrus Monday, September 08, 2014 10:11 AM
    Marked as answer by ShahzadHaider87 Tuesday, September 09, 2014 3:45 AM


    - Hello,

    it seems that ADDH3 has some problems or was restored from a non-AD-aware backup, or whatever was done with the other 2 DCs.

    So which machines are the correct working DCs?

    But in a single-forest domain like yours there can ONLY be ONE FSMO role holder, and as some are also listed on ADDH3, this is problematic.

    If the DC ADDH3 had problems and was not working correctly or was restored, then remove that DC, run metadata cleanup on one of the other DCs and wait for replication between the healthy DCs.

    Now you can install a new machine and promote it as 3rd DC if required.

    For metadata cleanup: http://blogs.msmvps.com/mweber/2010/05/16/active-directory-metadata-cleanup/ Also check that the problem DC is removed from AD Sites and Services, DNS zones and DNS zone properties, Name Servers tab.

    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

     
    Edited by Meinolf Weber Monday, September 08, 2014 11:04 AM
    Marked as answer by ShahzadHaider87 Tuesday, September 09, 2014 3:45 AM


    - Thank you guys it worked perfectly fine.

    I seized the roles to FU-ADDH1 and removed the faulty DC. Afterwards did the meta cleanup. Now the problem is resolved.


    Tuesday, September 09, 2014 3:47 AM

    • Marked as answer by Cstutz Wednesday, April 26, 2017 22:32
    Wednesday, April 26, 2017 22:32
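    The recovery path the accepted answer describes (seize the roles on the surviving DC, metadata cleanup, DNS cleanup, verify, then repromote), scripted in PowerShell as an added example; this is not code from the thread, from the linked articles or from Microsoft. It assumes the ActiveDirectory and DnsServer modules are present where it runs (Server 2008 R2/2012 or RSAT; plain Server 2008 has neither, so on a 2008 box the ntdsutil and dnscmd equivalents in the linked petri articles apply), that the surviving DC is reachable as Servidor2 and the failed one was Servidor1 (the thread's "Servidor 1/2" are placeholders), and that the domain is xxx.yyy.zzz in site Default-First-Site-Name as in the question. The failed DC's own forced demotion (dcpromo /forceremoval on 2008, Uninstall-ADDSDomainController -ForceRemoval on 2012) is done on that machine and is not part of this script; keep it off the network from the moment the roles are seized. Run with -WhatIf first; it then only reports what it would change.

```powershell
# Added example, not code from the original thread. Surviving-DC side of the
# accepted answer: seize roles, metadata cleanup, DNS cleanup, verify.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GoodDc    = 'Servidor2',      # assumed host names: the thread's
    [string]$FailedDc  = 'Servidor1',      # "Servidor 1/2" are placeholders
    [string]$FailedIp  = '',               # optional: also match A/PTR by address
    [string]$DomainDns = 'xxx.yyy.zzz',    # domain from the question
    [string]$Site      = 'Default-First-Site-Name'
)
Import-Module ActiveDirectory
Import-Module DnsServer
$domainDn = 'DC=' + (($DomainDns -split '\.') -join ',DC=')

# 1. Seize the roles the failed DC held (PDC, RID, Infrastructure per the
#    question). -Force seizes instead of transferring, so the old holder must
#    never come back online as a DC: it would still believe it owns the roles.
$roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
if ($PSCmdlet.ShouldProcess($GoodDc, "seize $($roles -join ', ')")) {
    Move-ADDirectoryServerOperationMasterRole -Identity $GoodDc -OperationMasterRole $roles `
        -Force -Confirm:$false
}
Get-ADDomain -Server $GoodDc | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Metadata cleanup. "remove selected server <DN>" takes the server object DN
#    directly (no "connections" step is needed since Server 2008) and, after a
#    confirmation dialog, deletes the NTDS Settings and server objects together
#    with the matching computer account and FRS/DFSR member objects.
$serverDn = "CN=$FailedDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$domainDn"
if ($PSCmdlet.ShouldProcess($serverDn, 'ntdsutil metadata cleanup')) {
    ntdsutil 'metadata cleanup' "remove selected server $serverDn" quit quit
}

# 3. DNS cleanup: every record that still names the failed DC (A, PTR, NS,
#    the GUID CNAME under _msdcs, and the SRV records under _msdcs/_sites/
#    _tcp/_udp). The payload property differs per record type.
$hostFqdn = "$FailedDc.$DomainDns".ToLower()
$pointsAtFailed = {
    $d = $_.RecordData
    ($_.RecordType -eq 'A'     -and ($_.HostName -eq $FailedDc -or
                                     ($FailedIp -and "$($d.IPv4Address)" -eq $FailedIp))) -or
    ($_.RecordType -eq 'PTR'   -and $d.PtrDomainName.TrimEnd('.') -eq $hostFqdn) -or
    ($_.RecordType -eq 'NS'    -and $d.NameServer.TrimEnd('.')    -eq $hostFqdn) -or
    ($_.RecordType -eq 'CNAME' -and $d.HostNameAlias.TrimEnd('.') -eq $hostFqdn) -or
    ($_.RecordType -eq 'SRV'   -and $d.DomainName.TrimEnd('.')    -eq $hostFqdn)
}
$zones = Get-DnsServerZone -ComputerName $GoodDc | Where-Object { -not $_.IsAutoCreated }
foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $GoodDc -ZoneName $zone.ZoneName |
        Where-Object $pointsAtFailed | ForEach-Object {
            $label = "$($zone.ZoneName): $($_.HostName) $($_.RecordType) -> $hostFqdn"
            if ($PSCmdlet.ShouldProcess($label, 'Remove-DnsServerResourceRecord')) {
                Remove-DnsServerResourceRecord -ComputerName $GoodDc -ZoneName $zone.ZoneName `
                    -InputObject $_ -Force
            }
        }
}

# 4. Verify before repromoting: only the surviving DC should be listed, it
#    should hold all roles, and showrepl must no longer mention the old DSA GUID.
Get-ADDomainController -Filter * -Server $GoodDc | Select-Object HostName, OperationMasterRoles
repadmin /showrepl $GoodDc
```

    On Server 2008 and later, deleting the failed server's NTDS Settings object in AD Sites and Services triggers the same metadata cleanup as step 2, which is why the accepted answer's manual list works; the scripted form is simply auditable (every change goes through ShouldProcess) and does not forget the SRV records, which is the usual leftover that makes the repromoted DC register against stale entries.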

All Replies

  • Thursday, April 20, 2017 02:04
  • Good morning Maykon. Thank you for the help.

    However, the content of the first link does not match the problems occurring in our environment. As for the second link, we could not force it, precisely because the PDC cannot be reached from the BDC.

    In the case of the second link, it gives the error message "DsBindWithSpnExW error 0x80090322(The target principal name is incorrect.)"

    Do you have any other tips?

    Thanks!

    Monday, April 24, 2017 13:33
  • I followed the steps below, but it did not work either

    "Follow these steps to reset the KDC password:

    1. Stop the Key Distribution Center (KDC) service on all domain controllers except the PDC role holder server. To do so, open a Command Prompt, type net stop KDC, and press Enter.

    2. Load Kerbtray.exe on the problem DC, in your case it is Server07. You can do so by clicking Start, clicking Run, and then typing c:\program files\resource kit\kerbtray.exe and pressing Enter. You should see a little green ticket icon in your system tray in the lower right corner of your desktop.

    3. Purge the ticket cache on Server7: right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.

    4. Reset the Server domain controller account password on Server (the PDC emulator).

    To do so, open a command prompt and type: netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.

    5. Synchronize the domain. To do so, open a command prompt, type repadmin /syncall, and then press Enter.

    6. Start the KDC service on Server7 and all other DCs. To do so, open a command prompt, type net start KDC, and press Enter. This completes the process."

    It gave an error at step 5 and we could not proceed.

    It gives the error below at that step

    "C:\Windows\System32>repadmin /syncall
    CALLBACK MESSAGE: Error contacting server 9777be35-e2f3-478d-997b-969c0fa38287._msdcs.cps.sei.rj.gov.br (network error): -2146892976 (0x80090350):
        The system cannot contact a domain controller to service the authentication request. Please try again later.
    CALLBACK MESSAGE: Error contacting server e0b1a345-f271-4609-a01f-6a941b974581._msdcs.cps.sei.rj.gov.br (network error): -2146892976 (0x80090350):
        The system cannot contact a domain controller to service the authentication request. Please try again later.

    SyncAll exited with fatal Win32 error: 8440 (0x20f8):
        The naming context specified for this replication operation is invalid."



    • Edited by Cstutz Tuesday, April 25, 2017 17:32
    • Marked as answer by Cstutz Wednesday, April 26, 2017 22:31
    • Unmarked as answer by Cstutz Wednesday, April 26, 2017 22:31
    Tuesday, April 25, 2017 15:55
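    An added example (not code from the thread) of the check a practitioner would run before repeating the KDC/netdom reset and repadmin /syncall above. Replication binds to "<DSA object GUID>._msdcs.<forest>", a CNAME to the partner's host name, and then needs Kerberos (88), the RPC endpoint mapper (135) and LDAP (389) on that host; those GUID names are exactly what the /syncall callback errors say they could not contact. The two GUIDs are the DSA object GUIDs from the question, cps.sei.rj.gov.br is the _msdcs zone from the syncall output and is assumed here to also be the domain name, and Servidor2 is an assumed real host name. Resolve-DnsName needs the DnsClient module (Server 2012 / Windows 8 or later), so this runs on Servidor 1, not on the 2008 box; the function names and columns are this example's own.

```powershell
# Added example, not code from the original thread: resolve each partner's
# "<DSA GUID>._msdcs.<forest>" CNAME the way the replication engine does,
# then probe the ports Kerberos/RPC/LDAP binding needs on the resolved host.
$forest = 'cps.sei.rj.gov.br'          # _msdcs zone from the syncall output
$dsas = [ordered]@{                    # DSA object GUIDs from the question
    'Servidor 1' = 'e0b1a345-f271-4609-a01f-6a941b974581'
    'Servidor 2' = '9777be35-e2f3-478d-997b-969c0fa38287'
}

function Test-DcReplicationPath {
    param([string]$Name, [string]$DsaGuid, [string]$Forest, [int[]]$Ports = @(88, 135, 389))
    $r = [ordered]@{ DC = $Name; Cname = "$DsaGuid._msdcs.$Forest"; Host = $null
                     Address = $null; Error = $null }
    try {
        # -DnsOnly bypasses the hosts file and the cache: the answer must come
        # from the DNS server this DC is actually configured to use.
        $c = Resolve-DnsName -Name $r.Cname -Type CNAME -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $c) { throw "no CNAME answer for $($r.Cname)" }
        $r.Host = $c.NameHost
        $a = Resolve-DnsName -Name $c.NameHost -Type A -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if (-not $a) { throw "no A record for $($c.NameHost)" }
        $r.Address = $a.IPAddress
    } catch {
        $r.Error = $_.Exception.Message
    }
    foreach ($port in $Ports) {
        $ok = $false
        if ($r.Address) {
            $client = New-Object System.Net.Sockets.TcpClient
            try   { $ok = $client.ConnectAsync([string]$r.Address, $port).Wait(3000) -and $client.Connected }
            catch { $ok = $false }
            finally { $client.Close() }
        }
        $r["Tcp$port"] = $ok
    }
    [pscustomobject]$r
}

$dsas.GetEnumerator() | ForEach-Object {
    Test-DcReplicationPath -Name $_.Key -DsaGuid $_.Value -Forest $forest
} | Format-Table -AutoSize

# When the names resolve and the ports answer, 0x80090322 ("target principal
# name is incorrect") is an identity problem, not a network one: check this
# machine's secure channel and the SPNs registered for the partner.
$partnerHost = 'Servidor2'   # assumption: the real host name behind "Servidor 2"
nltest "/sc_verify:$forest"
setspn -L $partnerHost
```

    A failed CNAME lookup for one GUID while the other resolves would match the observation in the question that Servidor 1 only finds its partner by short name: the repadmin /syncall run used the GUID names, which is why it reported 0x80090350 for both servers even though plain pings succeed.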