Ouch.. what a mess.. Check through your event logs... the symptoms you are describing suggest an underlying problem, e.g. DNS... the enviable situation you're in, I suspect, is a byproduct of that (machine account/kerberos/security problems etc), together with some new ones you may have introduced trying to fix the problem.
This little chestnut was interesting...

   Error NT-AUTORITÄT\DOMÄNENCONTROLLER DER ORGANISATION doesn't have
      Replicating Directory Changes
      Replication Syncronization
      Manage Replication Topology

Have you changed any AD/OU security or turned off AD inheritance within your domain tree? Click on Advanced in ADUC, go to the root of your domain and click on the Security tab.. what do you see?

Enterprise Domain Controllers (built-in group) should have Manage Replication Topology, Replicating Directory Changes and Replication Synchronization Allow permissions. Exchange Enterprise Servers (built-in) should have Manage Replication Topology.

How are you applying group policy within your organisation? If you're using some of the Microsoft GPO Templates (e.g. SECUREDC.INF) and applying those on your Exchange Server, you may experience *ahem* some loss of functionality, killing Exchange in the process.

For problems with machine accounts, have a look at Technet Q260575.. this deals with machine account 'Access Denied' errors. Also, if you've moved the machine accounts for your DCs out of the built-in domain controllers OU and not re-linked the default domain controllers group policy back to the new OU, you'll get lots of SceCli messages in the event log (although your event ID does not suggest this).

Leave SYSVOL alone... the SYSVOL\SYSVOL path/junction is normal... don't touch! Use GPOTOOL on the Reskit and NTFRSUTL to troubleshoot general GPO/SYSVOL/FRS issues.

In short, don't go making big changes to things which are unlikely to be the cause of the problem. Make sure DNS is working.. and check out that security problem mentioned earlier. Seeing as it's rather hard to see what chain of events has occurred to get you into this situation, if you're still in the mire, get out your wallet and give Microsoft PSS a call.

Regards

Mylo

-----Original Message-----
From: Elmer Stöwer [mailto:[EMAIL PROTECTED]]
Sent: 04 June 2002 20:14
To: Exchange Discussions
Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)

Single local domain, single site, two servers (einstein DC fileserver, platon DC exchangeserver). No event log failures, but the server seems to stand for almost a minute at the same time as SceCli applies security policy on the exchange server (event 1704).

netdiag is not very helpful. DCdiag was a good hint. I put the output of both servers here, cause I don't know what to do anymore (maybe 12h work is too much for one day)

output of DCdiag on einstein:
------------------------------
Doing primary tests
   Testing server: Alt-Moabit\EINSTEIN
      Starting test: Replications
         [Replications Check,EINSTEIN] A recent replication attempt failed:
            From PLATON to EINSTEIN
            Naming Context: DC=cyberconsult,DC=lan
            The replication generated an error (8453):
            Der Replikationszugriff wurde verweigert.
            The failure occurred at 2002-06-04 19:48.21.
            The last success occurred at 2002-05-23 17:02.11.
            3115 failures have occurred since the last success.
            The machine account for the destination EINSTEIN.
            is not configured properly.
            Check the userAccountControl field.
            Kerberos Error.
            The machine account is not present, or does not match on the.
            destination, source or KDC servers.
            Verify domain partition of KDC is in sync with rest of enterprise.
            The tool repadmin/syncall can be used for this purpose.
         ......................... EINSTEIN passed test Replications
      Starting test: NCSecDesc
---------------------

output of DCdiag on platon:
Doing primary tests
   Testing server: Alt-Moabit\PLATON
      Starting test: Replications
         ......................... PLATON passed test Replications
      Starting test: NCSecDesc
         Error NT-AUTORITÄT\DOMÄNENCONTROLLER DER ORGANISATION doesn't have
            Replicating Directory Changes
            Replication Syncronization
            Manage Replication Topology
         access rights for the naming context:
         DC=cyberconsult,DC=lan
         ......................... PLATON failed test NCSecDesc
---------------------

Using replmon.exe to determine the status of replication I get the following:
---------------------
Directory Partition: DC=cyberconsult,DC=lan
Partner Name: Alt-Moabit\PLATON
Partner GUID: FFF5003A-7832-48CD-A5E0-9D8227C95EC0
Last Attempted Replication: 6/4/2002 4:31:46 PM (local)
Last Successful Replication: 5/23/2002 5:02:11 PM (local)
Number of Failures: 3077
Failure Reason Error Code: 8453
Failure Description: Der Replikationszugriff wurde verweigert.
Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
USN of Last Property Updated: 337656
USN of Last Object Updated: 337656
Transport: Intra-Site RPC

Change Notifications for this Directory Partition
-------------------------------------------------
Server Name: Alt-Moabit\PLATON
Object GUID: DBE24D70-EE08-479C-9129-D048C1A6CD91
Time Added: 12.02.2002 15:20:29
Flags: DRS_WRIT_REP
Transport: RPC
---------------------

"Der Replikationszugriff wurde verweigert" means "replication access was denied". There are no errors for other partitions or into the other direction.

What is also strange to me: under .\sysvol I have the shared directory .\sysvol\sysvol including the .\sysvol\sysvol\'domain_name' directory in it (last change 5/23/2002). But I also have a .\sysvol\domain directory with the same content as .\sysvol\sysvol\'domain_name'. I found a registry key from frs which is pointing there.

So if someone has the hint to fix that replication issue it would be just great... I know that I can not expect people from a mailing list to go through a lot of text and log-files. But maybe one is interested in that issue...

regards
elmer

> -----Original Message-----
> From: Kevin Miller [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 04, 2002 6:51 PM
> To: Exchange Discussions
> Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
>
> Event log entries.. DCdiag report, Netdiag report. Get some information before you do something.
>
> --Kevinm KMAP-SR, M, WLKMMAS, UCC+WCA, And Beyond
> http://www.daughtry.ca/ For Graphics and WebDesign, GO here!
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elmer Stöwer
> Sent: Tuesday, June 04, 2002 9:41 AM
> To: Exchange Discussions
> Subject: RE: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
>
> Exchange hangs every ten minutes because the AD replication doesn't work (single domain, two DCs with exchange on one of them).
>
> Now I wonder if it is a very bad idea to use dcpromo to change the server from DC to a member server.
>
> regards
>
> Elmer
>
> > -----Original Message-----
> > From: Elmer Stöwer
> > Sent: Wednesday, May 29, 2002 3:22 PM
> > To: Exchange Discussions
> > Subject: slightly OT: ExchangeServer stops every 10 minutes (Active Directory issue?)
> >
> > I already posted this one to W2K discussion group. Nobody replied. I think it is an AD issue but it affects mainly our E2K-Server. So maybe someone here has an idea. This really drives me crazy...
> >
> > Situation:
> > ----------
> > Two 2K-AD-Servers (one of them Exchange and global catalogue server). Both upgraded from NT half a year ago,
> > One Site, one Domain.
> > 15 W2K and one XP clients.
> >
> > Problem:
> > --------
> > The Exchange/global catalogue server stands about every 10 minutes for about 45 seconds. No response on any click, nor is it possible to work with outlook 'on' that server for the 45 seconds.
> >
> > According to the event log I had a couple of issues with user rights in local security (power user etc.) (SceCli every 8 minutes). I followed the Microsoft guides and removed the group entries from local security policy.
> >
> > Now I don't have any event log entries anymore, but the problem persists.
> >
> > speculation of Cause/Solution?
> > ------------------------------
> > I guess that there is still a problem with AD. On the second server I can see issues in the AD replication monitor for the first server. Objects could not be replicated due to access failure.
> >
> > On the Exchange/global catalogue server in the registry in
> > HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtFrs\Parameters\Replica Sets\d5c32359-0ee1-42a9-8bac72a28682a096
> > I found a wrong path for ...\sysvol\domain. It points to a non-existing directory. So it seems that active directory is not able to find active directory.
> >
> > I did not want to correct it via the registry. There must be a better way to correct wrong path settings for the active directory container.
> >
> > Here is the main question
> > -------------------------
> > I appreciate any hint how to fix the ntfrs/AD settings on that machine. Where are path settings stored? Is it necessary to use DC promo to remove and add the server from/to the domain or is there an easier way to fix it?
> >
> > Best Regards
> >
> > Elmer [glad that the machines are still running under these circumstances]
> > --
> > Elmer Stöwer
> > System and Network Administration
> > CyberConsult GmbH
> > mailto:[EMAIL PROTECTED]
> > www.cyberconsult.de

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
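
Added example, not part of the thread or of any Microsoft tool: in the DCdiag output quoted above, EINSTEIN's Replications test is reported as "passed" although error 8453 and 3115 failures are logged under it, so this Python parser reports on the logged errors and on the missing NCSecDesc rights, not only on the pass/fail verdict. The function name `findings` and the one-item-per-line layout of the sample are assumptions.

```python
import re

# DCdiag output quoted in the thread, abridged and reflowed one item per line (line breaks assumed).
SAMPLE = """\
Testing server: Alt-Moabit\\EINSTEIN
Starting test: Replications
[Replications Check,EINSTEIN] A recent replication attempt failed:
From PLATON to EINSTEIN
Naming Context: DC=cyberconsult,DC=lan
The replication generated an error (8453):
3115 failures have occurred since the last success.
......................... EINSTEIN passed test Replications
Testing server: Alt-Moabit\\PLATON
Starting test: Replications
......................... PLATON passed test Replications
Starting test: NCSecDesc
Error NT-AUTORITÄT\\DOMÄNENCONTROLLER DER ORGANISATION doesn't have
Replicating Directory Changes
Replication Syncronization
Manage Replication Topology
access rights for the naming context:
DC=cyberconsult,DC=lan
......................... PLATON failed test NCSecDesc
"""

def findings(text):
    """Return (server, test, verdict, problems) for each test that shows a problem."""
    out, problems, acl = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"Starting test: \S+", line):
            problems, acl = [], None
            continue
        m = re.search(r"(\S+) (passed|failed) test (\S+)$", line)
        if m:
            # Judge on evidence, not only the verdict: a "passed" test can carry errors.
            if problems or m.group(2) == "failed":
                out.append((m.group(1), m.group(3), m.group(2), problems))
        elif (m := re.search(r"generated an error \((\d+)\)", line)):
            problems.append(f"replication error {m.group(1)}")
        elif (m := re.match(r"(\d+) failures have occurred", line)):
            problems.append(f"{m.group(1)} failures since last success")
        elif (m := re.match(r"Error (.+) doesn't have$", line)):
            acl = m.group(1)  # principal whose missing rights follow on the next lines
        elif acl and line.startswith("access rights for"):
            acl = None
        elif acl:
            problems.append(f"{acl} lacks right: {line}")
    return out
```

Calling `findings(SAMPLE)` yields two entries: EINSTEIN's "passed" Replications test with its logged errors, and PLATON's failed NCSecDesc test with the three rights listed as missing.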