I am inclined to agree with Laura: the initial sync in DCPROMO should be
forcing a time sync with the partner it is sourcing from, and unless the time
server setting is incorrect or the hardware was extremely bad and the clock
was losing its time on power off or something similar, I can't really
visualize where this would blow after the reboot and first "normal"
replication.
 
Did you happen to get info on the errors that replication was throwing prior
to the time sync (repadmin /showreps or event log errors for instance)? Any
replication queue monitoring to verify that items were being queued and
processed?
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
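The evidence asked for above (time source, clock offset, replication state per partner) can be collected for every DC in one pass. The script below is an added example, not code from the thread or from any of the posters; it assumes the RSAT ActiveDirectory module and DCs running Windows Server 2008 or later (the 2003-era w32tm discussed in the thread has no /query switch, and Get-ADReplicationPartnerMetadata reads what repadmin /showrepl reports). The 300-second threshold is the Kerberos MaxClockSkew default.

```powershell
# Added example (not from the thread): per-DC time source, clock skew against
# the PDC emulator, and inbound replication failures.
# Assumes: RSAT ActiveDirectory module; w32tm and ADWS reachable on each DC.
Import-Module ActiveDirectory

$MaxSkewSeconds = 300   # Kerberos MaxClockSkew default: 5 minutes

# Offset between this machine's clock and $Target, taken from the last sample
# of "w32tm /stripchart", whose data lines look like "17:06:04, +00.0012430s".
function Get-ClockOffsetSeconds {
    param([string]$Target)
    $lines = & w32tm /stripchart /computer:$Target /samples:3 /dataonly 2>&1
    $last  = $lines | Where-Object { "$_" -match '([+-]\d+\.\d+)s\s*$' } | Select-Object -Last 1
    if (-not $last) { return $null }          # unreachable, or NTP (UDP 123) blocked
    $null = "$last" -match '([+-]\d+\.\d+)s\s*$'
    return [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
}

$pdc       = (Get-ADDomain).PDCEmulator
$pdcOffset = Get-ClockOffsetSeconds -Target $pdc

foreach ($dc in Get-ADDomainController -Filter *) {
    $dcHost = [string]$dc.HostName
    $source = (& w32tm /query /source /computer:$dcHost 2>&1) -join ' '
    $offset = Get-ClockOffsetSeconds -Target $dcHost
    # Both offsets are relative to this machine, so their difference is DC minus PDC.
    $skew   = if ($null -ne $offset -and $null -ne $pdcOffset) { $offset - $pdcOffset } else { $null }

    $notes = @()
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $notes += 'not syncing from the domain hierarchy'
    }
    if ($null -eq $skew) { $notes += 'could not measure offset' }
    elseif ([math]::Abs($skew) -gt $MaxSkewSeconds) { $notes += 'outside Kerberos MaxClockSkew' }

    # Inbound replication state per partner, as repadmin /showrepl would list it
    $failing = Get-ADReplicationPartnerMetadata -Target $dcHost -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 }
    foreach ($p in $failing) {
        $notes += "inbound from $($p.Partner) failing: result $($p.LastReplicationResult), last success $($p.LastReplicationSuccess)"
    }

    [pscustomobject]@{
        DC         = $dcHost
        TimeSource = $source
        SkewVsPDC  = if ($null -ne $skew) { [math]::Round($skew, 3) } else { 'n/a' }
        Issues     = if ($notes) { $notes -join '; ' } else { 'ok' }
    }
}
```

Run it from a domain-joined admin workstation; a DC whose TimeSource is "Local CMOS Clock" or whose SkewVsPDC exceeds the threshold is the one to look at before touching machine account passwords, since Kerberos rejects tickets outside MaxClockSkew with errors that look like the authentication failures quoted lower in the thread.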
 
 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 16, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DC behavior and error


I'm inclined to attribute that to luck as opposed to some magic that's
happening under the covers. The process of making the machine a DC is going
to ensure that there's time sync, and there's a whole bunch of stuff going
on at that first boot after promotion. Just because you don't "see"
replication happening doesn't mean it isn't happening. For that matter, it
already *has* happened by then- during dcpromo.
 
I can pretty well guarantee that your issuing the w32tm command is having
absolutely zero effect on the process.
 
Laura


  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott, Anthony
Sent: Thursday, November 16, 2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DC behavior and error



I’ve installed new DCs that don’t replicate at first. As soon as I issue the
w32tm command I listed below replication kicks off. Not in all cases, but a
few. 

 

 

Thanks,

Anthony Scott

Microsoft Consultant

Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]

  <http://www.berbee.com/> Berbee

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, November 16, 2006 1:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DC behavior and error

 

Windows machines get time based on their config... if they aren't set to use
a specific server and just follow the Windows architecture, they use the DC
that authenticated the secure channel. This usually means members go to a
local DC, the local DC goes to the PDC of the domain they are in and the
Domain PDCs go to the forest root PDC. 

 

The NET TIME command (except for /querysntp) does not accurately reflect
what DC is being used for the time service. Search on posts from Bob Free in
the archives, he has laid this out in painful detail at least 4 or 5 times
on exactly how it all works. 

 

What specifically have you seen not working as advertised?

 

   joe

 

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

 

 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott, Anthony
Sent: Thursday, November 16, 2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DC behavior and error

Windows is supposed to get its time from the PDC role holder, though sometimes
this does not work as advertised. So I usually issue this command on
any new DCs I bring up:

w32tm /config /syncfromflags:DOMHIER /update

Then:

Net stop w32time & net start w32time

 

 

Thanks,

Anthony Scott

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange DC behaviour and error

 

The same issue started happening last night at about 10:35. This was
after I plugged in my DR link to the AD box out at my disaster recovery
site.

I came in this morning only to find that when I ran a NET TIME from my DCs
it was resolving to this DR domain controller.

I disconnected the link, reset the local machine passwords, rebooted, and all
is up now.

What gives? Anyone have any ideas?

On 11/15/06, hboogz <[EMAIL PROTECTED]> wrote:

Hey Guys,

Thanks for responses.

I've been stuck in the data center for the past few hours.

Here goes:

It all started with this error in the event log:

Event Type:    Error
Event Source:    Kerberos
Event Category:    None
Event ID:    4
Date:        11/15/2006
Time:        03:17:45 PM 
User:        N/A 
Computer:    PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was cifs/PHMAINDC1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named  machine accounts in the target realm ( PHIPPSNY.ORG), and
the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Then it became all of these:

Event Type:    Warning
Event Source:    LSASRV
Event Category:    SPNEGO (Negotiator) 
Event ID:    40960
Date:        11/15/2006
Time:        03:13:19 PM
User:        N/A
Computer:    PHMAINDC1
Description: 
The Security System detected an authentication error for the server
cifs/PHMAINDC1.phippsny.org.  The failure code from authentication protocol
Kerberos was "The attempted logon is invalid. This is either due to a bad
username or authentication information. 
 (0xc000006d)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp .
Data:
0000: 6d 00 00 c0               m..À    


Event Type:    Error
Event Source:    Userenv 
Event Category:    None
Event ID:    1030
Date:        11/15/2006
Time:        02:58:23 PM
User:        PHIPPSNY\Administrator
Computer:    PHMAINDC1
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this. 

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type:    Error
Event Source:    Userenv
Event Category:    None
Event ID:    1053
Date:        11/15/2006
Time:        03:03:19 PM
User:        NT AUTHORITY\SYSTEM
Computer:    PHMAINDC1
Description:
Windows cannot determine the user or computer name. (Access is denied. ).
Group Policy processing aborted. 

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Strangely, the main DC, phmaindc1, lost its forward lookup zone (AD-int) and
its reverse lookup zone (AD-int), but my second DC maintained them. I
tried adding the zones back into phmaindc1, only to get an error indicating
"invalid data".

So, what I did was make all working zones on the working DC primary
(non-AD) and added secondary zones into phmaindc1.

I tried dcdiag /fix and netdiag /fix, but nothing.

Tried restarting the Netlogon service: nothing.

I came across the forums that indicated the PTR and A record entries --
didn't find any duplicates or wrong entries, everything is a one-to-one
mapping.

I then looked inside wins, and didn't see any conflicts. Because I've had
issues with wins in the  past, i deleted both wins databases and created new
ones from scratch. 

That didn't work.

I then attempted a net time from the DC in question and got another DC in
our DR site. This DR server is not holding any roles and isn't accessible to
all of our workstations. I tried to force this server as the authoritative
time server by setting AnnounceFlags to A, but it didn't take.

I disabled the link to the DR site, but the problems persisted.

Every time I would attempt a net time from a client workstation, I would get
an "Access Denied".

grr

I then came across the recommendation to reset the local machine account
password of the DCs.

Using the NetBIOS name of phmaindc1 didn't work; I needed to use the IP.

netdom resetpwd /s:192.168.1.1 /ud:domain\username /pd:*

Rebooted (ran the above while the KDC service was running).

That didn't work.

I then needed to reset the local machine account for the other DC that was
working fine.

Once I reset that using netdom and rebooted, everything came back up.


whew!

Now that I've created non-AD-int DNS zones, I saw somewhere someone
recommended deleting my previously created DNS partitions and recreating
them and making the zones AD-int again.

I've tried DNSCMD /DELETEDIRECTORYPARTITION

but I need the FQDN of the partition, which I don't know?

Any ideas on what to do to clean up what's going on?

Or any insight as to why this happened and what design/implementation change
I could do to prevent it?

Thanks for the responses,

On 11/15/06, Scott, Anthony <[EMAIL PROTECTED]> wrote:

Verify DNS is working properly and that DCs are syncing time. These are two
things that can cause Kerberos/logon problems. Also, make sure there is
not another computer object in AD, DNS record, or WINS record named phmaindc1.

 LMK if you need help in doing these tasks. 

 

 

Thanks,

Anthony Scott

Microsoft Consultant

Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]

  <http://www.berbee.com/> Berbee 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Wednesday, November 15, 2006 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange DC behaviour and error

 

Hey Guys,

 

I receive this error on my DC and my newly created Citrix Server.

 

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date:  11/15/2006
Time:  12:30:17 PM
User:  N/A
Computer: PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was
DNS/phmaindc1.phippsny.org. This indicates that the password used to encrypt
the kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named  machine accounts in the target
realm ( PHIPPSNY.ORG), and the client realm.   Please contact your system
administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

 

The Citrix server can't connect to the terminal server licensing component
on here, and every time a user logs in, they receive an access denied
indicating that they could retrieve their TS profile information.

 

Every time I try to run dsa.msc on the Citrix box, I get an error.

 

I'm running Windows 2003 Standard R2 on AD and Standard w/ SP1 on the Citrix
box.

 

I also get this error/message when I run dcdiag on the DC:

 

 

         The account PHMAINDC1 is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of PHMAINDC1 is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
         This may be affecting replication?

 

Any ideas? I'm stuck with all my Citrix users being denied logon!

 

 

 

 



-- 
HBooGz:\> 
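The dcdiag warning in the original post (a DC whose computer account carries UF_WORKSTATION_TRUST_ACCOUNT instead of UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION) and Anthony's advice to look for a second object named phmaindc1 can both be checked across the forest with the script below. It is an added example, not code from the thread or its posters; the flag values are the documented ADS_USER_FLAG constants that dcdiag prints, and it assumes the RSAT ActiveDirectory module and a reachable global catalog. The duplicate-account and duplicate-SPN checks are this example's own way of testing for the "identically named machine accounts" condition the Kerberos event 4 text describes.

```powershell
# Added example (not from the thread): audit each DC's computer account for the
# userAccountControl flags dcdiag expects, and look for a second account or SPN
# with the same name anywhere in the forest.
# Assumes: RSAT ActiveDirectory module; a global catalog reachable on port 3268.
Import-Module ActiveDirectory

$UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
$UF_SERVER_TRUST_ACCOUNT      = 0x2000
$UF_TRUSTED_FOR_DELEGATION    = 0x80000

# Decode the bits this check cares about into the names dcdiag prints
function Get-UacFlagNames {
    param([int]$Uac)
    $map = @{ 0x1000 = 'UF_WORKSTATION_TRUST_ACCOUNT'
              0x2000 = 'UF_SERVER_TRUST_ACCOUNT'
              0x80000 = 'UF_TRUSTED_FOR_DELEGATION' }
    return @($map.Keys | Where-Object { ($Uac -band $_) -ne 0 } | Sort-Object | ForEach-Object { $map[$_] })
}

$gc     = Get-ADDomainController -Discover -Service GlobalCatalog
$gcHost = "$($gc.HostName | Select-Object -First 1):3268"   # forest-wide search

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $acct = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties userAccountControl
    $uac  = [int]$acct.userAccountControl
    $issues = @()
    if (($uac -band $UF_SERVER_TRUST_ACCOUNT) -eq 0)      { $issues += 'missing UF_SERVER_TRUST_ACCOUNT' }
    if (($uac -band $UF_WORKSTATION_TRUST_ACCOUNT) -ne 0) { $issues += 'has UF_WORKSTATION_TRUST_ACCOUNT (member-server flags)' }
    if (($uac -band $UF_TRUSTED_FOR_DELEGATION) -eq 0)    { $issues += 'missing UF_TRUSTED_FOR_DELEGATION' }

    # Same sAMAccountName (e.g. PHMAINDC1$) on another object anywhere in the forest
    $sam  = $acct.SamAccountName
    $dups = @(Get-ADObject -Server $gcHost -LDAPFilter "(sAMAccountName=$sam)" |
              Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName })
    if ($dups.Count -gt 0) { $issues += "duplicate account: $($dups.DistinguishedName -join ', ')" }

    # The host SPN that KRB_AP_ERR_MODIFIED names, registered on more than one object
    $spn    = "host/$($dc.HostName)"
    $owners = @(Get-ADObject -Server $gcHost -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) { $issues += "SPN $spn on $($owners.Count) objects" }

    [pscustomobject]@{
        DC     = [string]$dc.HostName
        UAC    = ('0x{0:X}' -f $uac) + ' = (' + ((Get-UacFlagNames $uac) -join ' | ') + ')'
        Issues = if ($issues) { $issues -join '; ' } else { 'ok' }
    }
}
$report | Format-Table -AutoSize
```

A healthy DC row reads 0x82000 = (UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION) with Issues ok; the 0x1000 value dcdiag reported would show up as two issues on the same row. The script only reports, so it can be run before deciding between a machine-account password reset and a demote/re-promote.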