Thursday, December 4, 2008

Target account name is incorrect errors

Determine whether replication is failing between domain controllers in different domains or in the same domain. Review the Directory Service event logs closely to identify the source of the error, such as a conflicting object.

I. If replication is failing between domain controllers in different domains:

  1. Add the registry value below to the upstream replication partner.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
    Value name:  Replicator Allow SPN Fallback
    Value type:  REG_DWORD
    Value data:  1
  2. Run the following command from the upstream partner: 
    repadmin /add CN=Configuration,DC=<Contoso>,DC=<com> <root DC name> <fully qualified name of child DC>
  3. Remove the Replicator Allow SPN Fallback registry value after testing replication.

II. Search for duplicate computer or user accounts in the domain of the failing domain controller and its upstream replication partner. For more information see KB article 310340.

III. Review the server objects of the problematic domain controllers in Active Directory Sites and Services to make sure there are no duplicates or conflicting objects present.

IV. Verify that multiple server names with the same IP address are not registered in DNS, which can happen if a domain controller is renamed and old DNS records are not scavenged. Use Adsiedit or Ldp (both are included in the Windows 2000 Support Tools) to verify that the dNSHostName attribute on each domain controller is populated with the correct value. To do this, perform the following steps.

  1. Type adsiedit.msc from Start, Run.
  2. Expand the Domain NC container.
  3. Expand the domain object beneath it, for example DC=Contoso,DC=COM.
  4. Expand OU=Domain Controllers.
  5. Right-click CN=<domain_controller>, and select Properties.
  6. Under Select a property to view, select dNSHostName and verify that the value contains the fully qualified name of the server, for example dc1.contoso.com.
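A scripted form of the same check, added here and not part of the original post: it reads dNSHostName for every computer in OU=Domain Controllers through the [ADSI] provider (no Active Directory PowerShell module required), resolves each name, and warns about names that do not resolve, addresses whose reverse lookup returns a different name, and any address shared by more than one domain controller name. Warning messages and the search scope are assumptions.

```powershell
# Added example: verify dNSHostName on each DC and find DC names that share an IP address.
# Uses System.DirectoryServices only, so it runs on older management hosts.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = "$($rootDse.defaultNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://OU=Domain Controllers,$domainDn"
$searcher.Filter     = '(objectClass=computer)'
$searcher.PropertiesToLoad.AddRange(@('name', 'dNSHostName'))

$byIp = @{}   # IP address -> DC names that resolved to it
foreach ($result in $searcher.FindAll()) {
    $name = "$($result.Properties['name'][0])"
    if ($result.Properties['dnshostname'].Count -eq 0) {
        Write-Warning "$name has no dNSHostName value; populate it before continuing."
        continue
    }
    $fqdn = "$($result.Properties['dnshostname'][0])"
    # Expected form is <computer name>.<DNS domain>; anything else deserves a second look.
    if ($fqdn -notlike "$($name).*") {
        Write-Warning "$name has dNSHostName '$fqdn', which does not start with the host name."
    }
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($fqdn)
    } catch {
        Write-Warning "$fqdn does not resolve in DNS: $($_.Exception.Message)"
        continue
    }
    foreach ($ip in $addresses) {
        $key = $ip.ToString()
        if (-not $byIp.ContainsKey($key)) { $byIp[$key] = @() }
        $byIp[$key] += $fqdn
        # Reverse lookup: a stale record left by a renamed DC shows up as a different name here.
        try {
            $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
            if ($ptr -ne $fqdn) { Write-Warning "$key reverse-resolves to $ptr, not $fqdn" }
        } catch {
            Write-Warning "No PTR record for $key ($fqdn)"
        }
    }
}
foreach ($entry in $byIp.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        Write-Warning ("{0} is registered for more than one DC name: {1}" -f $entry.Key, ($entry.Value -join ', '))
    }
}
```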

V. If the problem domain controllers exist in only one domain with more than two domain controllers, then force all computer accounts to be replicated throughout the enterprise. That means all domain controllers must be synchronized with all other copies of their domain. For each computer that is reporting a replication error, use the following command to force that computer to become synchronized. The domain to synchronize must be specified. For more information see KB article 296993.

repadmin /syncall /d /e <problem domain controller> <DN of domain>

Note
For large environments, remove the /e switch to replicate only with domain controllers in the same site, or use /sync to target specific domain controllers in remote sites.

VI. If the failing domain controllers reside in different domains, then specify the configuration partition. For more information see KB article 296993.

repadmin /syncall /d /e <problem domain controller> <DN of config>

Note
For large environments, remove the /e switch to replicate only with domain controllers in the same site, or use /sync to target specific domain controllers in remote sites.

VII. If the problem exists between domain controllers from different domains, check the trust relationship by doing the following:

  1. Open Active Directory Domains and Trusts.
  2. Right-click the desired domain and select Properties.
  3. Click the Trusts tab.
  4. Highlight the domain to verify and click Edit.
  5. Click Verify.

The Netdom tool, included in the Windows 2000 Support Tools, can also be used to verify the trust.

netdom trust <trusting_domain_name> /domain:<trusted_domain_name> /userd:<administrator> /password:<password> /verify /kerberos

VIII. If the error happens when attempting replication between two domain controllers in different domains that have a parent/child or tree-root trust relationship, it may be the result of a missing object that represents the trust relationship between the two domains. This object is known as a trustedDomain object and is found in the System container in the Active Directory Users and Computers tool. This type of object directly corresponds to the trust relationships displayed in Active Directory Domains and Trusts. If this object is not present in Active Directory, cross-domain authentication will fail. If you discover that the trustedDomain object is missing, refer to the "Missing trustedDomain object" section of the troubleshooter.

IX. Make sure the Service Principal Name (SPN) is registered for each domain controller object on each partner domain controller. For more information see KB article 308111.

Review the Registered Service Principal Names section of the Netdiag output on partner domain controllers to ensure that the test passes. Export the SPNs of each domain controller object involved in the replication failure from each partner using the following command:

ldifde -f spndump.txt -p base -l servicePrincipalName -d <DN of DC>

Either visually compare the SPNs or use the Windiff tool from the Windows 2000 Support Tools to compare the files for differences. Under the Options menu in Windiff, uncheck everything except Show different files, Show left-only lines, and Show right-only lines. Once you have identified the missing SPNs, edit the good SPN file with the following steps:

  1. Change the line "changetype: add" to "changetype: modify".
  2. Add a line "replace: servicePrincipalName" after the changetype line.
  3. Add a line containing only "-" at the end of the file.

Import the correctly registered SPNs on the partner domain controllers that do not have the proper SPNs registered for their replication partner domain controllers.

ldifde -i -f goodSPNs.txt
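The comparison and the three editing steps above, as an added example that is not part of the original post: the script parses the two ldifde exports, reports the SPNs present on one partner but not the other (the same left-only/right-only view Windiff gives), and writes the good export back out as a "changetype: modify" / "replace: servicePrincipalName" record ending in "-", ready for ldifde -i. The file names and the Get-LdifSpn helper are assumptions.

```powershell
# Added example: diff two ldifde SPN exports and build the modify-style LDIF for import.
# File names are assumptions; point them at the exports taken from each replication partner.
$GoodFile = 'spndump-good.txt'   # export from the partner holding the complete SPN set
$BadFile  = 'spndump-bad.txt'    # export from the partner that is missing SPNs
$OutFile  = 'goodSPNs.txt'

function Get-LdifSpn {
    param([string]$Path)
    $dn = $null; $spns = @(); $lines = @()
    # Unfold LDIF continuation lines: a leading space continues the previous line.
    foreach ($raw in Get-Content -Path $Path) {
        if ($raw -match '^ ' -and $lines.Count -gt 0) { $lines[-1] += $raw.Substring(1) }
        else { $lines += $raw }
    }
    # SPNs are plain ASCII, so base64 ("::") values are not expected and are not handled.
    foreach ($line in $lines) {
        if ($line -match '^dn:\s*(.+)$') { $dn = $Matches[1].Trim() }
        elseif ($line -match '^servicePrincipalName:\s*(.+)$') { $spns += $Matches[1].Trim() }
    }
    return New-Object PSObject -Property @{ DN = $dn; SPNs = $spns }
}

$good = Get-LdifSpn -Path $GoodFile
$bad  = Get-LdifSpn -Path $BadFile
if (-not $good.DN) { throw "No dn: line found in $GoodFile" }
if ($good.DN -ne $bad.DN) { throw "Exports describe different objects: '$($good.DN)' vs '$($bad.DN)'" }

# Equivalent of Windiff with only left-only and right-only lines shown.
$missing = @($good.SPNs | Where-Object { $bad.SPNs  -notcontains $_ })
$extra   = @($bad.SPNs  | Where-Object { $good.SPNs -notcontains $_ })
$missing | ForEach-Object { "missing on partner: $_" }
$extra   | ForEach-Object { "only on partner:    $_" }
if ($missing.Count -eq 0) { 'No missing SPNs; nothing to import.'; return }

# Steps 1-3 from the post. "replace" overwrites the whole attribute on import,
# so every SPN from the good export is listed, not just the missing ones.
$ldif  = @("dn: $($good.DN)", 'changetype: modify', 'replace: servicePrincipalName')
$ldif += @($good.SPNs | ForEach-Object { "servicePrincipalName: $_" })
$ldif += '-'
Set-Content -Path $OutFile -Value $ldif -Encoding ASCII
"Wrote $OutFile; import it on the partner with: ldifde -i -f $OutFile"
```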