How do I fix errors related to replication between 2 domain controllers?
There are 2 domain controllers that replicate each other. Recently a problem appeared: when a user changes their password, it changes on the controller but is not replicated to the other domain controller. How can I find and fix the problem? I can show whatever logs are needed. Thanks!
ldv: A domain named PrimaryDC could not be located.
The error is
The specified domain either does not exist or could not be contacted.
Check syntax and validity of specified name.
The specified naming context is incorrect and will be ignored.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine PrimaryDC, is a Directory Server.
Home Server = PrimaryDC
* Connecting to directory service on server PrimaryDC.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=SDCORE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
Ldap search capability attribute search failed on server SDCORE, return
value = 81
Got error while checking if the DC is using FRS or DFSR. Error:
Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
because of this error.
* Found 3 DC(s). Testing 3 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SDCORE
Starting test: Connectivity
* Active Directory LDAP Services Check
The host ed08c8f0-574f-4fa7-88bf-a813fe6b6154._msdcs.micros.ucd.uz
could not be resolved to an IP address. Check the DNS server, DHCP,
server name, etc.
Neither the the server name (SDCORE.micros.ucd.uz) nor the Guid DNS
name (ed08c8f0-574f-4fa7-88bf-a813fe6b6154._msdcs.micros.ucd.uz) could
be resolved by DNS. Check that the server is up and is registered
correctly with the DNS server.
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... SDCORE failed test Connectivity
Testing server: Default-First-Site-Name\PRIMARYDC
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... PRIMARYDC passed test Connectivity
Testing server: Default-First-Site-Name\DC2
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SDCORE
Skipping all tests, because server SDCORE is not responding to directory
service requests.
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Testing server: Default-First-Site-Name\PRIMARYDC
Starting test: Advertising
The DC PRIMARYDC is advertising itself as a DC and having a DS.
The DC PRIMARYDC is advertising as an LDAP server
The DC PRIMARYDC is advertising as having a writeable directory
The DC PRIMARYDC is advertising as a Key Distribution Center
The DC PRIMARYDC is advertising as a time server
The DS PRIMARYDC is advertising as a GC.
......................... PRIMARYDC passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... PRIMARYDC passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... PRIMARYDC passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PRIMARYDC passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
A warning event occurred. EventID: 0x8000082C
Time Generated: 08/05/2016 18:19:36
Event String:
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: DC=micros,DC=ucd,DC=uz
User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on support.microsoft.com.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
A warning event occurred. EventID: 0x80000785
Time Generated: 08/05/2016 18:26:59
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
This directory service will be unable to replicate with the source directory service until this problem is corrected.
User Action
Verify if the source directory service is accessible or network connectivity is available.
Additional Data
Error value:
8524 The DSA operation is unable to proceed because of a DNS lookup failure.
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... PRIMARYDC passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
Role Domain Owner = CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
Role PDC Owner = CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
Role Rid Owner = CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
Role Infrastructure Update Owner = CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
......................... PRIMARYDC passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC PRIMARYDC on DC PRIMARYDC.
* SPN found :LDAP/PrimaryDC.micros.ucd.uz/micros.ucd.uz
* SPN found :LDAP/PrimaryDC.micros.ucd.uz
* SPN found :LDAP/PRIMARYDC
* SPN found :LDAP/PrimaryDC.micros.ucd.uz/MICROS
* SPN found :LDAP/355f3073-aa9f-42e4-b5a7-a52e47b1fd75._msdcs.micros.ucd.uz
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/355f3073-aa9f-42e4-b5a7-a52e47b1fd75/micros.ucd.uz
* SPN found :HOST/PrimaryDC.micros.ucd.uz/micros.ucd.uz
* SPN found :HOST/PrimaryDC.micros.ucd.uz
* SPN found :HOST/PRIMARYDC
* SPN found :HOST/PrimaryDC.micros.ucd.uz/MICROS
* SPN found :GC/PrimaryDC.micros.ucd.uz/micros.ucd.uz
......................... PRIMARYDC passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PRIMARYDC.
* Security Permissions Check for
DC=ForestDnsZones,DC=micros,DC=ucd,DC=uz
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=micros,DC=ucd,DC=uz
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=micros,DC=ucd,DC=uz
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=micros,DC=ucd,DC=uz
(Configuration,Version 3)
* Security Permissions Check for
DC=micros,DC=ucd,DC=uz
(Domain,Version 3)
......................... PRIMARYDC passed test NCSecDesc
PRIMARYDC is in domain DC=micros,DC=ucd,DC=uz
Checking for CN=PRIMARYDC,OU=Domain Controllers,DC=micros,DC=ucd,DC=uz in domain DC=micros,DC=ucd,DC=uz on 2 servers
Authoritative attribute userAccountControl on DC2 (writeable)
usnLocalChange = 5297504
LastOriginatingDsa = DC2
usnOriginatingChange = 5297504
timeLastOriginatingChange = 2016-06-07 17:32:05
VersionLastOriginatingChange = 6
Out-of-date attribute userAccountControl on PRIMARYDC (writeable)
usnLocalChange = 5511937
LastOriginatingDsa = PRIMARYDC
usnOriginatingChange = 5511936
timeLastOriginatingChange = 2016-06-01 11:48:35
VersionLastOriginatingChange = 6
Checking for CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz in domain CN=Configuration,DC=micros,DC=ucd,DC=uz on 2 servers
Object is up-to-date on all servers.
......................... PRIMARYDC failed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
[Replications Check,PRIMARYDC] A recent replication attempt failed:
From DC2 to PRIMARYDC
Naming Context: DC=micros,DC=ucd,DC=uz
The replication generated an error (8453):
Replication access was denied.
The failure occurred at 2016-08-05 17:48:33.
The last success occurred at 2016-06-01 11:48:36.
1582 failures have occurred since the last success.
The machine account for the destination PRIMARYDC.
is not configured properly.
Check the userAccountControl field.
Kerberos Error.
The machine account is not present, or does not match on the.
destination, source or KDC servers.
Verify domain partition of KDC is in sync with rest of enterprise.
The tool repadmin/syncall can be used for this purpose.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source DC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
......................... PRIMARYDC failed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 31100 to 1073741823
* PrimaryDC.micros.ucd.uz is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 30600 to 31099
* rIDPreviousAllocationPool is 29100 to 29599
* rIDNextRID: 29393
......................... PRIMARYDC passed test RidManager
* The System Event log test
An error event occurred. EventID: 0xC00010E1
Time Generated: 08/05/2016 17:51:02
Event String:
The name "MICROS :1b" could not be registered on the interface with IP address 192.168.1.88. The computer with the IP address 192.168.1.8 did not allow the name to be claimed by this computer.
An error event occurred. EventID: 0xC00010E1
Time Generated: 08/05/2016 17:51:23
Event String:
The name "MICROS :1b" could not be registered on the interface with IP address 192.168.1.88. The computer with the IP address 192.168.1.8 did not allow the name to be claimed by this computer.
......................... PRIMARYDC failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=PRIMARYDC,OU=Domain Controllers,DC=micros,DC=ucd,DC=uz and backlink
are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=PRIMARYDC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=micros,DC=ucd,DC=uz
and backlink on
CN=PRIMARYDC,OU=Domain Controllers,DC=micros,DC=ucd,DC=uz are correct.
......................... PRIMARYDC passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Testing server: Default-First-Site-Name\DC2
Starting test: Advertising
The DC DC2 is advertising itself as a DC and having a DS.
The DC DC2 is advertising as an LDAP server
The DC DC2 is advertising as having a writeable directory
The DC DC2 is advertising as a Key Distribution Center
The DC DC2 is advertising as a time server
The DS DC2 is advertising as a GC.
......................... DC2 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... DC2 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
The event log DFS Replication on server DC2.micros.ucd.uz could not be
queried, error 0x6ba "The RPC server is unavailable."
......................... DC2 failed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC2 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
The event log Directory Service on server DC2.micros.ucd.uz could not
be queried, error 0x6ba "The RPC server is unavailable."
......................... DC2 failed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
Role Domain Owner = CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
Role PDC Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
Role Rid Owner = CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micros,DC=ucd,DC=uz
......................... DC2 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC DC2 on DC DC2.
* SPN found :LDAP/DC2.micros.ucd.uz/micros.ucd.uz
* SPN found :LDAP/DC2.micros.ucd.uz
* SPN found :LDAP/DC2
* SPN found :LDAP/DC2.micros.ucd.uz/MICROS
* SPN found :LDAP/2d31823c-1519-440a-8aa0-04ae367602dc._msdcs.micros.ucd.uz
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/2d31823c-1519-440a-8aa0-04ae367602dc/micros.ucd.uz
* SPN found :HOST/DC2.micros.ucd.uz/micros.ucd.uz
* SPN found :HOST/DC2.micros.ucd.uz
* SPN found :HOST/DC2
* SPN found :HOST/DC2.micros.ucd.uz/MICROS
* SPN found :GC/DC2.micros.ucd.uz/micros.ucd.uz
......................... DC2 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC2.
* Security Permissions Check for
DC=ForestDnsZones,DC=micros,DC=ucd,DC=uz
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=micros,DC=ucd,DC=uz
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=micros,DC=ucd,DC=uz
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=micros,DC=ucd,DC=uz
(Configuration,Version 3)
* Security Permissions Check for
DC=micros,DC=ucd,DC=uz
(Domain,Version 3)
......................... DC2 passed test NCSecDesc
DC=ForestDnsZones,DC=micros,DC=ucd,DC=uz
Last replication received from SDCORE at
2014-04-04 09:54:54
WARNING: This latency is over the Tombstone Lifetime of 180
days!
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=micros,DC=ucd,DC=uz
Last replication received from SDCORE at
2014-04-04 09:54:54
WARNING: This latency is over the Tombstone Lifetime of 180
days!
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=micros,DC=ucd,DC=uz
Last replication received from SDCORE at
2014-04-04 09:54:54
WARNING: This latency is over the Tombstone Lifetime of 180
days!
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=micros,DC=ucd,DC=uz
Last replication received from SDCORE at
2014-04-04 09:54:54
WARNING: This latency is over the Tombstone Lifetime of 180
days!
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=micros,DC=ucd,DC=uz
Last replication received from SDCORE at
2014-04-04 10:00:33
WARNING: This latency is over the Tombstone Lifetime of 180
days!
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... DC2 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 31100 to 1073741823
* PrimaryDC.micros.ucd.uz is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 30100 to 30599
* rIDPreviousAllocationPool is 30100 to 30599
* rIDNextRID: 30244
......................... DC2 passed test RidManager