Channel: Directory Services forum

Active Directory replication and login errors (Plz HELP !!)


Hi All,

We have one forest domain (XXXX.LOCAL) and lots of child domains (XXX.XXXX.LOCAL).

We are facing an issue where child domains are not able to log in with the forest administrator account, and there are also lots of replication errors.

Exchange OWA gives an error that it is not able to find a particular XXX.XXX.local child domain.

dcdiag from the child domain is:

--------------------------------------------------------------------------------------------------------------------
C:\Windows\system32>
C:\Windows\system32>nltest.exe /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

C:\Windows\system32>nltest.exe /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

C:\Windows\system32>
C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = PMA-DC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: HEC-CITY\PMA-DC01
      Starting test: Connectivity
         ......................... PMA-DC01 passed test Connectivity

Doing primary tests

   Testing server: HEC-CITY\PMA-DC01
      Starting test: Advertising
         Warning: PMA-DC01 is not advertising as a time server.
         ......................... PMA-DC01 failed test Advertising
      Starting test: FrsEvent
         ......................... PMA-DC01 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... PMA-DC01 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... PMA-DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... PMA-DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         [PMA-DC02] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         Warning: PMA-DC02 is the PDC Owner, but is not responding to DS RPC
         Bind.
         [PMA-DC02] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: PMA-DC02 is the PDC Owner, but is not responding to LDAP
         Bind.
         Warning: PMA-DC02 is the Rid Owner, but is not responding to DS RPC
         Bind.
         Warning: PMA-DC02 is the Rid Owner, but is not responding to LDAP
         Bind.
         Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
         responding to DS RPC Bind.
         Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
         responding to LDAP Bind.
         ......................... PMA-DC01 failed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... PMA-DC01 passed test MachineAccount
      Starting test: NCSecDesc
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         Fatal Error: Cannot retrieve SID
         ......................... PMA-DC01 failed test NCSecDesc
      Starting test: NetLogons
         ......................... PMA-DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... PMA-DC01 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,Replications Check] Inbound replication is
         disabled.
         To correct, run "repadmin /options PMA-DC01 -DISABLE_INBOUND_REPL"
         [Replications Check,PMA-DC01] Outbound replication is disabled.
         To correct, run "repadmin /options PMA-DC01 -DISABLE_OUTBOUND_REPL"
         ......................... PMA-DC01 failed test Replications
      Starting test: RidManager
         ......................... PMA-DC01 failed test RidManager
      Starting test: Services
            w32time Service is stopped on [PMA-DC01]
         ......................... PMA-DC01 failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000010
            Time Generated: 04/21/2014   19:16:04
            Event String:
            Unable to Connect: Windows is unable to connect to the automatic upd
ates service and therefore cannot download and install updates according to the
set schedule. Windows will continue to try to establish a connection.
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:42
            Event String:
            The dynamic registration of the DNS record '_kerberos._tcp.dc._msdcs
.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the fol
lowing DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kerberos._tcp.PMA.XXXX.
LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
 server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHOR
E._sites.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on
 the following DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kerberos._udp.PMA.XXXX.
LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
 server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kpasswd._tcp.PMA.XXXX.L
OCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
 server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kpasswd._udp.PMA.XXXX.L
OCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
 server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 04/21/2014   19:44:43
            Event String:
            The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHOR
E._sites.dc._msdcs.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.'
 failed on the following DNS server:
         An error event occurred.  EventID: 0x00000C8A
            Time Generated: 04/21/2014   19:44:51
            Event String:
            This computer could not authenticate with \\LHR-DC01.XXXX.LOCAL, a W
indows domain controller for domain XXXX, and therefore this computer might deny
 logon requests. This inability to authenticate might be caused by another compu
ter on the same network using the same name or the password for this computer ac
count is not recognized. If this message appears again, contact your system admi
nistrator.
         An error event occurred.  EventID: 0xC00A0038
            Time Generated: 04/21/2014   19:46:02
            Event String:
            The Terminal Server security layer detected an error in the protocol
 stream and has disconnected the client. Client IP: 10.87.193.37.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 04/21/2014   19:52:41
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was PMA\PMA-DC02$. This indicates that the
target server failed to decrypt the ticket provided by the client. This can occu
r when the target server principal name (SPN) is registered on an account other
than the account the target service is using. Please ensure that the target SPN
is registered on, and only registered on, the account used by the server. This e
rror can also happen when the target service is using a different password for t
he target service account than what the Kerberos Key Distribution Center (KDC) h
as for the target service account. Please ensure that the service on the server
and the KDC are both updated to use the current password. If the server name is
not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from th
e client domain (PMA.XXXX.LOCAL), check if there are identically named server ac
counts in these two domains, or use the fully-qualified name to identify the ser
ver.
         A warning event occurred.  EventID: 0x8000001C
            Time Generated: 04/21/2014   19:53:42
            Event String:
            When generating a cross realm referal from domain XXXX.LOCAL the KDC
 was not able to find the suitable key to verify the ticket. The ticket key vers
ion in the request was 25 and the available key version was 22. This most common
 reason for this error is a delay in replicating the keys. In order to remove th
is problem try forcing replication or wait for the replication of keys to occur.

         An error event occurred.  EventID: 0x40000004
            Time Generated: 04/21/2014   20:13:25
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was LDAP/4a166db9-c39c-4069-99e7-8a233ce2c0
be._msdcs.XXXX.LOCAL. This indicates that the target server failed to decrypt th
e ticket provided by the client. This can occur when the target server principal
 name (SPN) is registered on an account other than the account the target servic
e is using. Please ensure that the target SPN is registered on, and only registe
red on, the account used by the server. This error can also happen when the targ
et service is using a different password for the target service account than wha
t the Kerberos Key Distribution Center (KDC) has for the target service account.
 Please ensure that the service on the server and the KDC are both updated to us
e the current password. If the server name is not fully qualified, and the targe
t domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL),
check if there are identically named server accounts in these two domains, or us
e the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 04/21/2014   20:13:25
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was ldap/pma-dc02.pma.XXXX.LOCAL. This indi
cates that the target server failed to decrypt the ticket provided by the client
. This can occur when the target server principal name (SPN) is registered on an
 account other than the account the target service is using. Please ensure that
the target SPN is registered on, and only registered on, the account used by the
 server. This error can also happen when the target service is using a different
 password for the target service account than what the Kerberos Key Distribution
 Center (KDC) has for the target service account. Please ensure that the service
 on the server and the KDC are both updated to use the current password. If the
server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is di
fferent from the client domain (PMA.XXXX.LOCAL), check if there are identically
named server accounts in these two domains, or use the fully-qualified name to i
dentify the server.
         ......................... PMA-DC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... PMA-DC01 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : PMA
      Starting test: CheckSDRefDom
         ......................... PMA passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... PMA passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running enterprise tests on : XXXX.LOCAL
      Starting test: LocatorCheck
         ......................... XXXX.LOCAL passed test LocatorCheck
      Starting test: Intersite
         ......................... XXXX.LOCAL passed test Intersite

C:\Windows\system32>






