- Remove From My Forums
AD Replication Failure Between Server 2008 R2 and Server 2003 — LDAP bind failed with error 8341
-
Question
-
Hello,
I adopted a rather messy network from a previous engineer. We have a 2008 r2 domain controller that cannot replicate from a 2003 domain controller. The 2003 is PDCe, holding all FSMO roles. Both servers are DNS servers.
As you can see from the below, replication has not occurred in almost 3 months. This has become a large issue for workstations on the network, as well as the Exchange server.
Please note that I believe I have done a good job of making sure there are not duplicate DNS entries for either DC2003 or DC2008R2 on
either server.Thank you for any help you can give.
Issues encountered while running commands from DC2008R2:
— When I browse \DC2003 from DC2008R2 I receive the error: Logon Failure: The account name is incorrect.
— When I run dcdiag /test:dns
I receive the following initial error:
- Performing initial setup:
Trying to find home server…
Home Server = DC2008R2
* Identified AD Forest.
[DC2003] LDAP bind failed with error 8341,
A directory service error has occurred..
Got error while checking if the DC is using FRS or DFSR. Error:
A directory service error has occurred.The VerifyReferences, FrsEvent and
DfsrEvent tests might fail because of this error.
Done gathering initial info.
— The following event shows up in the System event viewer:
- Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 8/7/2012 5:02:48 PM
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DC2008R2.contoso.com
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/DC2003.contoso.com. The target name used was LDAP/3d3f03ae-eadc-4080-888f-4b765fd5e0ea._msdcs.contoso.com. This indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server.
This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC
are both updated to use the current password. If the server name is not fully qualified, and the target domain (contoso.COM) is different from the client domain (contoso.COM), check if there are identically named server accounts in these two domains, or use
the fully-qualified name to identify the server.
Event Xml:
<Event xmlns=»http://schemas.microsoft.com/win/2004/08/events/event»>
<System>
<Provider Name=»Microsoft-Windows-Security-Kerberos» Guid=»{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}» EventSourceName=»Kerberos» />
<EventID Qualifiers=»16384″>4</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime=»2012-08-08T00:02:48.000000000Z» />
<EventRecordID>182676</EventRecordID>
<Correlation />
<Execution ProcessID=»0″ ThreadID=»0″ />
<Channel>System</Channel>
<Computer>DC2008R2.contoso.com</Computer>
<Security />
</System>
<EventData>
<Data Name=»Server»>host/DC2003.contoso.com</Data>
<Data Name=»TargetRealm»>contoso.COM</Data>
<Data Name=»Targetname»>LDAP/3d3f03ae-eadc-4080-888f-4b765fd5e0ea._msdcs.contoso.com</Data>
<Data Name=»ClientRealm»>contoso.COM</Data>
<Binary>
</Binary>
</EventData>
</Event>
— When I run repadmin /showreps I receive the following:
- Default-First-Site-NameDC2008R2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9653ed10-c0b2-4a8d-be12-051ba20d71ba
DSA invocationID: 529bd905-ccfb-43f6-bec9-888e7449c173==== INBOUND NEIGHBORS ======================================
DC=contoso,DC=com
Default-First-Site-NameDC2003 via RPC
DSA object GUID: 3d3f03ae-eadc-4080-888f-4b765fd5e0ea
Last attempt @ 2012-08-07 18:58:43 failed, result -2146893022 (0x80090322):
The target principal name is incorrect.
2673 consecutive failure(s).
Last success @ 2012-05-13 04:27:38.CN=Configuration,DC=contoso,DC=com
Default-First-Site-NameDC2003 via RPC
DSA object GUID: 3d3f03ae-eadc-4080-888f-4b765fd5e0ea
Last attempt @ 2012-08-07 18:58:43 failed, result -2146893022 (0x80090322):
The target principal name is incorrect.
3426 consecutive failure(s).
Last success @ 2012-05-13 03:54:46.CN=Schema,CN=Configuration,DC=contoso,DC=com
Default-First-Site-NameDC2003 via RPC
DSA object GUID: 3d3f03ae-eadc-4080-888f-4b765fd5e0ea
Last attempt @ 2012-08-07 18:58:43 failed, result -2146893022 (0x80090322):
The target principal name is incorrect.
2079 consecutive failure(s).
Last success @ 2012-05-13 03:54:46.DC=DomainDnsZones,DC=contoso,DC=com
Default-First-Site-NameDC2003 via RPC
DSA object GUID: 3d3f03ae-eadc-4080-888f-4b765fd5e0ea
Last attempt @ 2012-08-07 18:58:43 failed, result 1256 (0x4e8):
The remote system is not available. For information about network troubleshooting, see Windows Help.
2081 consecutive failure(s).
Last success @ 2012-05-13 03:54:46.DC=ForestDnsZones,DC=contoso,DC=com
Default-First-Site-NameDC2003 via RPC
DSA object GUID: 3d3f03ae-eadc-4080-888f-4b765fd5e0ea
Last attempt @ 2012-08-07 18:58:43 failed, result 1256 (0x4e8):
The remote system is not available. For information about network troubleshooting, see Windows Help.
2079 consecutive failure(s).
Last success @ 2012-05-13 03:54:46.Source: Default-First-Site-NameDC2003
******* 3425 CONSECUTIVE FAILURES since 2012-05-13 04:27:38
Last error: -2146893022 (0x80090322):
The target principal name is incorrect.
-
Edited by
Wednesday, August 8, 2012 3:22 AM
- Performing initial setup:
Answers
-
I agree with Awinish. The easiest course of action is to simply run dcpromo /forceremoval, clean out AD with a metadata cleanup process, then re-promote it.
Complete Step by Step to Remove an Orphaned Domain Controller
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx.
However, if you are up to it and have plenty of time on your hands, look at the following link, scroll down to «To reinitialize replication due to lingering objects, which is due to replication failing far beyond the Tombstone AD limit,» and follow the lengthy
suggestions to reinitialize the DC.Active Directory Lingering Objects, Journal Wraps, USN Rollbacks, Tombstone
Lifetime, and Event IDs 13568, 13508, 1388, 1988, 2042, 2023, 2095, 1113, 1115,
2103, and more …
http://msmvps.com/blogs/acefekay/archive/2011/12/27/active-directory-lingering-objects-journal-wraps-tombstone-lifetime-and-event-ids-13568-13508-1388-1988-2042-2023.aspx.
I also suggest to find out the root cause, such as if firewall ports are blocking DC to DC communications.
Active Directory Firewall Ports — Let’s Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx.
We haven’t seen any ipconfigs, but just in case, I suggest that if any of the DCs are multihomed (more than one NIC, IP RRAS, iSCSI interface, etc), to single home them. Multihomed DCs are problematic.
.
Another suggestion is to change the AD tombstone time to 180 from 60 days. Apparently the very first DC installed was based on a Windows 2000 or Windows 2003 pre-SP1 installation, whiich is why the tombstone is 60 days.
Changing the Tombstone Lifetime Attribute in Active Directory
http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm.
And glad to hear so far you’re doing your best to clean up an inherited mess from a previous admin.
.
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP — Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.phpThis post is provided AS-IS with no warranties or guarantees and confers no rights.
-
Proposed as answer by
Sandesh Dubey
Wednesday, August 8, 2012 5:10 PM -
Marked as answer by
MikeHSB
Tuesday, August 14, 2012 5:29 AM
-
Proposed as answer by
Есть домен domainOne.ru. Есть два контроллера домена:
dc1.domainOne.ru — в питере AD+DNS+DHCP
dc3.tver.domainOne.ru — в твери. AD+DNS+DHCP
Работало всё хорошо после установки всей системы уже месяца 4, и тут в пятницу ещё ухожу домой — всё ОК. в субботу утром, то бишь 1 ноября получаю:
пользователи с тверского домена не авторизуються на питерском терминальном сервере. Смотрю дальше. по логам не идёт репликация dc1 c dc3.
с dc1 не могу попасть на dc3 через AD Users and Computers — нет доступа, не прошёл аутентификацию.
вот логи с netdiag и dcdiag с обоих контроллер домена + перекрёстый опрос (вывел только ошибки, что бы не заграмождать):
На DC3:
Netdiag
Computer Name: DC3
DNS Host Name: dc3.tver.domainOne.ru
Host Name. . . . . . . . . : dc3
IP Address . . . . . . . . : 10.2.0.31
Subnet Mask. . . . . . . . : 255.255.0.0
Default Gateway. . . . . . : 10.2.0.1
Dns Servers. . . . . . . . : 10.2.0.31
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS — All the DNS entries for DC are registered on DNS server ‘10.2.0.31’ a
nd other DCs also have some of the names registered.
Redir and Browser test . . . . . . : Failed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{FBC5505E-9A1E-459F-A6E7-92E000FB66B6}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{FBC5505E-9A1E-459F-A6E7-92E000FB66B6}
The browser is bound to 1 NetBt transport.
[FATAL] Cannot send mailslot message to ‘\DOMAINONE*MAILSLOTNETNETLO
GON’ via redir. [ERROR_BAD_NETPATH]
DC list test . . . . . . . . . . . : Failed
Failed to enumerate DCs by using the browser. [ERROR_NO_BROWSER_SERVERS_
FOUND]
Dcdiag
Starting test: NCSecDesc
[DC3] LDAP bind failed with error 8341,
Win32 Error 8341.
……………………. DC3 failed test NCSecDesc
Starting test: KnowsOfRoleHolders
[DC1] DsBindWithSpnEx() failed with error -2146892976,
Win32 Error -2146892976.
Warning: DC1 is the Schema Owner, but is not responding to DS RPC Bind.
[DC1] LDAP bind failed with error 8341,
Win32 Error 8341.
Warning: DC1 is the Schema Owner, but is not responding to LDAP Bind.
[DC2] DsBindWithSpnEx() failed with error -2146892976,
Win32 Error -2146892976.
Warning: DC2 is the Domain Owner, but is not responding to DS RPC Bind.
[DC2] LDAP bind failed with error 8341,
Win32 Error 8341.
Warning: DC2 is the Domain Owner, but is not responding to LDAP Bind.
……………………. DC3 failed test KnowsOfRoleHolders
На DC1
netdiag
Computer Name: DC1
DNS Host Name: dc1.domainOne.ru
Host Name. . . . . . . . . : dc1
IP Address . . . . . . . . : 10.1.0.31
Subnet Mask. . . . . . . . : 255.255.0.0
Default Gateway. . . . . . : 10.1.0.1
Dns Servers. . . . . . . . : 10.1.0.31
10.1.0.32
Прошёл без ошибок
Dcdiag
Прошёл без ошибок
Хотя ранее выдавал:
Testing server: Spb-SiteDC1
Starting test: Replications
что тут ошибка, не может сделать репликацию с dc3
Далее перекрестную провёрку решил попробовать:
На DC3:
dcdiag /sc1
Testing server: Spb-SiteDC1
Starting test: Replications
[DC2] DsBindWithSpnEx() failed with error -2146892976,
Win32 Error -2146892976.
……………………. DC1 passed test Replications
Starting test: NCSecDesc
[DC1] LDAP bind failed with error 8341,
Win32 Error 8341.
……………………. DC1 failed test NCSecDesc
Starting test: NetLogons
……………………. DC1 passed test NetLogons
Starting test: Advertising
……………………. DC1 passed test Advertising
Starting test: KnowsOfRoleHolders
Warning: DC2 is the Domain Owner, but is not responding to DS RPC Bind.
[DC2] LDAP bind failed with error 8341,
Win32 Error 8341.
Warning: DC2 is the Domain Owner, but is not responding to LDAP Bind.
Warning: DC2 is the Infrastructure Update Owner, but is not responding
to DS RPC Bind.
Warning: DC2 is the Infrastructure Update Owner, but is not responding
to LDAP Bind.
……………………. DC1 failed test KnowsOfRoleHolders
На DC1:
dcdiag /sc3
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Tver-SiteDC3
Starting test: Connectivity
……………………. DC3 passed test Connectivity
Doing primary tests
Testing server: Tver-SiteDC3
Starting test: Replications
……………………. DC3 passed test Replications
Starting test: NCSecDesc
……………………. DC3 passed test NCSecDesc
Starting test: NetLogons
……………………. DC3 passed test NetLogons
Starting test: Advertising
……………………. DC3 passed test Advertising
Starting test: KnowsOfRoleHolders
……………………. DC3 passed test KnowsOfRoleHolders
Starting test: RidManager
……………………. DC3 passed test RidManager
Starting test: MachineAccount
……………………. DC3 passed test MachineAccount
Starting test: Services
……………………. DC3 passed test Services
Starting test: ObjectsReplicated
……………………. DC3 passed test ObjectsReplicated
Starting test: frssysvol
……………………. DC3 passed test frssysvol
Starting test: frsevent
……………………. DC3 passed test frsevent
Starting test: kccevent
……………………. DC3 passed test kccevent
Starting test: systemlog
……………………. DC3 passed test systemlog
Starting test: VerifyReferences
……………………. DC3 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
……………………. DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
……………………. DomainDnsZones passed test CheckSDRefDom
Running partition tests on : tver
Starting test: CrossRefValidation
……………………. tver passed test CrossRefValidation
Starting test: CheckSDRefDom
……………………. tver passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
……………………. ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
……………………. ForestDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
……………………. Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
……………………. Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
……………………. Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
……………………. Configuration passed test CheckSDRefDom
Running enterprise tests on : domainOne.ru
Starting test: Intersite
……………………. domainOne.ru passed test Intersite
Starting test: FsmoCheck
……………………. domainOne.ru passed test FsmoCheck
Получается проблемный контроллер DC3, но не могу понять в чём проблема
Что смотрел:
часовые зоны, время проверил — совпадают.
ДНС и там и там вроде работает, ошибок в логах ДНС нету.
попробовал dcdiag /fix and netdiag /fix на обоих серверах, результата никакого не дала.
Подскажите советом, где искать…
Есть домен domainOne.ru. Есть два контроллера домена:
dc1.domainOne.ru — в питере AD+DNS+DHCP
dc3.tver.domainOne.ru — в твери. AD+DNS+DHCP
Работало всё хорошо после установки всей системы уже месяца 4, и тут в пятницу ещё ухожу домой — всё ОК. в субботу утром, то бишь 1 ноября получаю:
пользователи с тверского домена не авторизуються на питерском терминальном сервере. Смотрю дальше. по логам не идёт репликация dc1 c dc3.
с dc1 не могу попасть на dc3 через AD Users and Computers — нет доступа, не прошёл аутентификацию.
вот логи с netdiag и dcdiag с обоих контроллер домена + перекрёстый опрос (вывел только ошибки, что бы не заграмождать):
На DC3:
Netdiag
Computer Name: DC3
DNS Host Name: dc3.tver.domainOne.ru
Host Name. . . . . . . . . : dc3
IP Address . . . . . . . . : 10.2.0.31
Subnet Mask. . . . . . . . : 255.255.0.0
Default Gateway. . . . . . : 10.2.0.1
Dns Servers. . . . . . . . : 10.2.0.31
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS — All the DNS entries for DC are registered on DNS server ‘10.2.0.31’ a
nd other DCs also have some of the names registered.
Redir and Browser test . . . . . . : Failed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{FBC5505E-9A1E-459F-A6E7-92E000FB66B6}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{FBC5505E-9A1E-459F-A6E7-92E000FB66B6}
The browser is bound to 1 NetBt transport.
[FATAL] Cannot send mailslot message to ‘DOMAINONE*MAILSLOTNETNETLO
GON’ via redir. [ERROR_BAD_NETPATH]
DC list test . . . . . . . . . . . : Failed
Failed to enumerate DCs by using the browser. [ERROR_NO_BROWSER_SERVERS_
FOUND]
Dcdiag
Starting test: NCSecDesc
[DC3] LDAP bind failed with error 8341,
Win32 Error 8341.
……………………. DC3 failed test NCSecDesc
Starting test: KnowsOfRoleHolders
[DC1] DsBindWithSpnEx() failed with error -2146892976,
Win32 Error -2146892976.
Warning: DC1 is the Schema Owner, but is not responding to DS RPC Bind.
[DC1] LDAP bind failed with error 8341,
Win32 Error 8341.
Warning: DC1 is the Schema Owner, but is not responding to LDAP Bind.
[DC2] DsBindWithSpnEx() failed with error -2146892976,
Win32 Error -2146892976.
Warning: DC2 is the Domain Owner, but is not responding to DS RPC Bind.
[DC2] LDAP bind failed with error 8341,
Win32 Error 8341.
Warning: DC2 is the Domain Owner, but is not responding to LDAP Bind.
……………………. DC3 failed test KnowsOfRoleHolders
На DC1
netdiag
Computer Name: DC1
DNS Host Name: dc1.domainOne.ru
Host Name. . . . . . . . . : dc1
IP Address . . . . . . . . : 10.1.0.31
Subnet Mask. . . . . . . . : 255.255.0.0
Default Gateway. . . . . . : 10.1.0.1
Dns Servers. . . . . . . . : 10.1.0.31
10.1.0.32
Прошёл без ошибок
Dcdiag
Прошёл без ошибок
Хотя ранее выдавал:
Testing server: Spb-SiteDC1
Starting test: Replications
что тут ошибка, не может сделать репликацию с dc3
Далее перекрестную провёрку решил попробовать:
На DC3:
dcdiag /sc1
Testing server: Spb-SiteDC1
Starting test: Replications
[DC2] DsBindWithSpnEx() failed with error -2146892976,
Win32 Error -2146892976.
……………………. DC1 passed test Replications
Starting test: NCSecDesc
[DC1] LDAP bind failed with error 8341,
Win32 Error 8341.
……………………. DC1 failed test NCSecDesc
Starting test: NetLogons
……………………. DC1 passed test NetLogons
Starting test: Advertising
……………………. DC1 passed test Advertising
Starting test: KnowsOfRoleHolders
Warning: DC2 is the Domain Owner, but is not responding to DS RPC Bind.
[DC2] LDAP bind failed with error 8341,
Win32 Error 8341.
Warning: DC2 is the Domain Owner, but is not responding to LDAP Bind.
Warning: DC2 is the Infrastructure Update Owner, but is not responding
to DS RPC Bind.
Warning: DC2 is the Infrastructure Update Owner, but is not responding
to LDAP Bind.
……………………. DC1 failed test KnowsOfRoleHolders
На DC1:
dcdiag /sc3
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Tver-SiteDC3
Starting test: Connectivity
……………………. DC3 passed test Connectivity
Doing primary tests
Testing server: Tver-SiteDC3
Starting test: Replications
……………………. DC3 passed test Replications
Starting test: NCSecDesc
……………………. DC3 passed test NCSecDesc
Starting test: NetLogons
……………………. DC3 passed test NetLogons
Starting test: Advertising
……………………. DC3 passed test Advertising
Starting test: KnowsOfRoleHolders
……………………. DC3 passed test KnowsOfRoleHolders
Starting test: RidManager
……………………. DC3 passed test RidManager
Starting test: MachineAccount
……………………. DC3 passed test MachineAccount
Starting test: Services
……………………. DC3 passed test Services
Starting test: ObjectsReplicated
……………………. DC3 passed test ObjectsReplicated
Starting test: frssysvol
……………………. DC3 passed test frssysvol
Starting test: frsevent
……………………. DC3 passed test frsevent
Starting test: kccevent
……………………. DC3 passed test kccevent
Starting test: systemlog
……………………. DC3 passed test systemlog
Starting test: VerifyReferences
……………………. DC3 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
……………………. DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
……………………. DomainDnsZones passed test CheckSDRefDom
Running partition tests on : tver
Starting test: CrossRefValidation
……………………. tver passed test CrossRefValidation
Starting test: CheckSDRefDom
……………………. tver passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
……………………. ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
……………………. ForestDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
……………………. Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
……………………. Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
……………………. Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
……………………. Configuration passed test CheckSDRefDom
Running enterprise tests on : domainOne.ru
Starting test: Intersite
……………………. domainOne.ru passed test Intersite
Starting test: FsmoCheck
……………………. domainOne.ru passed test FsmoCheck
Получается проблемный контроллер DC3, но не могу понять в чём проблема
Что смотрел:
часовые зоны, время проверил — совпадают.
ДНС и там и там вроде работает, ошибок в логах ДНС нету.
попробовал dcdiag /fix and netdiag /fix на обоих серверах, результата никакого не дала.
Подскажите советом, где искать…