Channel: Directory Services forum

Active Directory Replication Errors - help and advice please...


Hi All,

We seem to have developed quite a major fault in our Active Directory Services.  

Picking on one server for starters, which was recently re-installed, we have the following errors:

EVENT ID 1645


Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN. 

Destination directory server:
1b2c197f-d976-4e02-b830-99afd75c7bbc._msdcs.mydomain.local 
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/1b2c197f-d976-4e02-b830-99afd75c7bbc/mydomain.local@mydomain.local 

User Action 
Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server’s account data to replicate to the KDC before this directory server can be authenticated.

EVENT ID 2042


It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.

 The reason that replication is not allowed to continue is that the two DCs may contain lingering objects.  Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".  If the local destination DC was allowed to replicate with the source DC, these potential lingering object would be recreated in the local Active Directory Domain Services database.

Time of last successful replication:
2012-06-25 13:42:17 
Invocation ID of source directory server:
83290b33-3a96-423c-8c8e-166d62bb813d 
Name of source directory server:
5ee25484-8248-493b-8316-a2b560193ad5._msdcs.mydomain.local 
Tombstone lifetime (days):
60 

The replication operation has failed.


User Action:
  The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282.

 If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>".

 If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.

 If you need Active Directory Domain Services replication to function immediately at all costs and don't have time to remove lingering objects, enable replication by setting the following registry key to a non-zero value:

Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner

 Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.  Additionally, replication may continue to be blocked after this registry key is set, depending on whether lingering objects are located immediately.


Alternate User Action:

Force demote or reinstall the DC(s) that were disconnected.

***Note, we have added this registry key in order to get replication working, but still have the other problems, and really need to clean up these "lingering objects" but not sure how.

EVENT ID 1925


The attempt to establish a replication link for the following writable directory partition failed. 

Directory partition: 
CN=Configuration,DC=mydomain,DC=local 
Source directory service: 
CN=NTDS Settings,CN=SERVER01,CN=Servers,CN=SITE01,CN=Sites,CN=Configuration,DC=mydomain,DC=local 
Source directory service address: 
8fdb483b-339b-45bf-9c1e-5be1b37e7ccc._msdcs.mydomain.local 
Intersite transport (if any): 
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mydomain,DC=local 

This directory service will be unable to replicate with the source directory service until this problem is corrected. 

User Action 
Verify if the source directory service is accessible or network connectivity is available. 

Additional Data 
Error value: 
8614 The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

EVENT ID 1865


The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. 

Sites: 
CN=RemoteSite01,CN=Sites,CN=Configuration,DC=mydomain,DC=local 


EVENT ID 1311

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. 
 
Directory partition:
CN=Configuration,DC=mydomain,DC=local 
 
There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers. 
 
User Action 
Perform one of the following actions: 
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. 
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site. 
 
If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.

And last of all for now is the error in bold below:

C:\Users\Administrator.mydomain>repadmin /showreps
REMOTESITE\SERVER02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: aa0d5e4d-4070-410c-9fc7-330f034cbbf4
DSA invocationID: b4b60e77-9910-493d-800e-d5945c96b02d

==== INBOUND NEIGHBORS ======================================

DC=mydomain,DC=local
    MAINSITE\SERVER03 via RPC
        DSA object GUID: 8fdb483b-339b-45bf-9c1e-5be1b37e7ccc
        Last attempt @ 2012-10-23 20:51:57 was successful.
    MAINSITE\SERVER01 via RPC
        DSA object GUID: 1b2c197f-d976-4e02-b830-99afd75c7bbc
        Last attempt @ 2012-10-23 21:20:50 failed, result 1396 (0x574):
            Logon Failure: The target account name is incorrect.
        10121 consecutive failure(s).


...erm I think that's enough for now!  Can anybody help? Or should I just raise a paid support ticket for resolution from Microsoft?

Any directions would be most appreciated.

Thanks,

J.
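The two numbers that matter most in the post are the time of last successful replication (2012-06-25) and the tombstone lifetime (60 days): once a partner's last success is older than the tombstone lifetime, the destination DC refuses inbound replication from it (event 2042 / error 8614) because any objects deleted in between may come back as lingering objects. The following Python script is an added example, not part of the post or of any Microsoft tooling. It parses the `repadmin /showreps` text format shown in the post, computes the age of each inbound partner's last success against the tombstone lifetime, and flags the partner that would trip the 2042 condition. The sample output is constructed to mirror the post; the trailing `Last success @` line is assumed to be present as it is in standard repadmin output (the post's excerpt stops just before it), and the "now" used for the age calculation is assumed to be the time of the last attempt. The `advisory_command` helper only formats the documented `repadmin /removelingeringobjects ... /ADVISORY_MODE` invocation, in which the first argument is the DC to inspect and the second is the DSA GUID of the DC you trust as a clean reference; it never runs anything.

```python
import re
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
TOMBSTONE_DAYS = 60  # tombstone lifetime reported in the post's event 2042

# Constructed sample in the shape of `repadmin /showreps` output from the post.
# The final "Last success @" line is assumed (standard repadmin output).
SAMPLE = """REMOTESITE\\SERVER02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: aa0d5e4d-4070-410c-9fc7-330f034cbbf4
DSA invocationID: b4b60e77-9910-493d-800e-d5945c96b02d

==== INBOUND NEIGHBORS ======================================

DC=mydomain,DC=local
    MAINSITE\\SERVER03 via RPC
        DSA object GUID: 8fdb483b-339b-45bf-9c1e-5be1b37e7ccc
        Last attempt @ 2012-10-23 20:51:57 was successful.
    MAINSITE\\SERVER01 via RPC
        DSA object GUID: 1b2c197f-d976-4e02-b830-99afd75c7bbc
        Last attempt @ 2012-10-23 21:20:50 failed, result 1396 (0x574):
            Logon Failure: The target account name is incorrect.
        10121 consecutive failure(s).
        Last success @ 2012-06-25 13:42:17.
"""

# Error codes that appear in the post, with the event each one corresponds to.
KNOWN_RESULTS = {
    1396: "target account name incorrect (SPN / secure channel, see event 1645)",
    8614: "tombstone lifetime exceeded, lingering-object risk (see event 2042)",
}

NC_RE = re.compile(r"^(?:DC|CN)=")
NEIGHBOR_RE = re.compile(r"^\s{4}(\S+) via (\S+)$")
GUID_RE = re.compile(r"^\s+DSA object GUID: ([0-9a-f-]{36})$")
ATTEMPT_RE = re.compile(
    r"^\s+Last attempt @ (\S+ \S+) (was successful\.|failed, result (\d+) \((0x[0-9a-f]+)\):)$")
FAILURES_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^\s+Last success @ (\S+ \S+)\.$")


def parse_showreps(text):
    """Return one dict per inbound neighbor found in repadmin /showreps text."""
    neighbors, nc, cur, inbound = [], None, None, False
    for line in text.splitlines():
        if line.startswith("==== "):          # section header, e.g. INBOUND NEIGHBORS
            inbound = "INBOUND" in line
            continue
        if not inbound:
            continue
        if NC_RE.match(line):                 # naming context (partition) line
            nc = line.strip()
            continue
        m = NEIGHBOR_RE.match(line)
        if m:                                 # start of a new source DSA entry
            cur = {"nc": nc, "source": m.group(1), "transport": m.group(2),
                   "guid": None, "last_attempt": None, "ok": None, "result": None,
                   "message": None, "failures": 0, "last_success": None}
            neighbors.append(cur)
            continue
        if cur is None:
            continue
        m = GUID_RE.match(line)
        if m:
            cur["guid"] = m.group(1)
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            cur["last_attempt"] = datetime.strptime(m.group(1), TS_FORMAT)
            cur["ok"] = m.group(3) is None
            if cur["ok"]:
                cur["last_success"] = cur["last_attempt"]
            else:
                cur["result"] = int(m.group(3))
            continue
        m = FAILURES_RE.match(line)
        if m:
            cur["failures"] = int(m.group(1))
            continue
        m = SUCCESS_RE.match(line)
        if m:
            cur["last_success"] = datetime.strptime(m.group(1), TS_FORMAT)
            continue
        # First free-text line after a failed attempt is the error message.
        if cur["result"] is not None and cur["message"] is None and line.strip():
            cur["message"] = line.strip()
    return neighbors


def assess(neighbors, now, tombstone_days=TOMBSTONE_DAYS):
    """Classify each neighbor: OK, FAILING, or LINGERING_RISK (past tombstone lifetime)."""
    findings = []
    for n in neighbors:
        age = None if n["last_success"] is None else (now - n["last_success"]).days
        if age is None or age > tombstone_days:
            status = "LINGERING_RISK"   # the condition behind event 2042 / error 8614
        elif not n["ok"]:
            status = "FAILING"
        else:
            status = "OK"
        findings.append({"source": n["source"], "nc": n["nc"], "status": status,
                         "days_since_success": age, "failures": n["failures"],
                         "result": n["result"],
                         "hint": KNOWN_RESULTS.get(n["result"], n["message"])})
    return findings


def advisory_command(dc_to_check, reference_dsa_guid, nc):
    """Format (do not run) the documented advisory-mode lingering-object check."""
    return (f"repadmin /removelingeringobjects {dc_to_check} "
            f"{reference_dsa_guid} {nc} /ADVISORY_MODE")


if __name__ == "__main__":
    parsed = parse_showreps(SAMPLE)
    for f in assess(parsed, now=datetime(2012, 10, 23, 21, 20, 50)):
        print(f)
```

Run against the post's figures, SERVER01 comes out at 120 days since its last success, double the 60-day tombstone lifetime, which is exactly why the destination stops replicating from it; SERVER03 is current and reports OK. Running advisory mode first and reading the resulting events on the checked DC tells you what would be deleted before anything is removed, and the divergent-partner registry value mentioned in the event text only reopens replication, it does not clean up lingering objects.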

