2025-04-11 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Common symptoms of replication failure
Common symptoms that indicate an intra-site replication failure include:
Users and computers did not receive the updated policy.
The correct SYSVOL shared content was not copied to all domain controllers (DCs).
Note: An FRS failure can also cause this symptom.
To resolve these issues, use the following utilities:
Domain Controller Diagnostics (Dcdiag.exe) and Network Diagnostics (Netdiag.exe) utilities. You can obtain these tools from the Windows 2000 Support Tools on the Windows 2000 CD-ROM. For additional information about how to obtain and use the Dcdiag.exe and Netdiag.exe diagnostic utilities, click the article number below to view the article in the Microsoft Knowledge Base:
265706 (http://support.microsoft.com/kb/265706/EN-US/) DCDiag and NetDiag in Windows 2000 facilitate domain joining and DC creation
Replication Diagnostics utility (Repadmin.exe). Use this tool to verify that the site links are correct and that inbound and outbound connections are displayed. You can also use it to display replication queues. You can obtain this tool from the Windows 2000 Support Tools on the Windows 2000 CD-ROM. For additional information about how to obtain and use the Repadmin.exe utility, click the article number below to view the article in the Microsoft Knowledge Base:
229896 (http://support.microsoft.com/kb/229896/EN-US/) Using Repadmin.exe to Troubleshoot Active Directory Replication
File Replication Service utility (Ntfrsutl.exe).
Active Directory Replication Monitor (Replmon.exe). You can obtain this tool from the Windows 2000 Support Tools on the Windows 2000 CD-ROM.
The following list describes the basic steps to follow when trying to solve such problems:
Ensure that the Domain Name System (DNS) is configured correctly. Correct directory replication requires a correct DNS configuration.
Make sure that you can use the Ping.exe utility to ping the domain controller by host name and by IP address from its network center partner.
Make sure that the computers in the network branch can resolve the names in the network center. For example, ping server1.domain1.site1.forest.com.
Ensure that you can ping the server by the globally unique identifier (GUID) of the server that is listed in the event log. If you can successfully ping the server by its host name but not by its GUID, there is a DNS configuration problem.
Run the Dcdiag.exe utility. This utility runs a series of tests that either pass or fail. Ensure that all tests pass.
View the directory service log in Event Viewer on the branch of the network where you have a problem. Study and resolve all errors.
Verify that the site links are correct by using the Repadmin.exe utility with the /showreps switch.
Verify the inbound connections by using the Repadmin.exe utility with the /showconn switch.
View all log files in the Winnt\Debug folder.
Specific symptoms and troubleshooting steps
Note: In the following sections, the domain controller that reports the problem is called the "destination server". The domain controller from which the destination server attempts to replicate content is called the "source server".
"Access Denied" error
When you use the Repadmin.exe tool with the /showreps switch, one or more "Access Denied" error messages are listed in the replication status information that is returned. This indicates that the last attempt by the domain controller to contact another domain controller was unsuccessful. Because the domain controller is a member of the Enterprise Domain Controllers group, it has the right to call any function on other domain controllers. If calls between domain controllers cause an "Access_Denied" error, the problem is not a lack of correct credentials, but that one of the domain controllers is not configured correctly.
If the error is "ERROR_ACCESS_DENIED", look for a Kerberos problem.
If the error is "ERROR_DS_DRA_ACCESS_DENIED", check whether the computer accounts of both computers involved are correct in both directories. Ensure that the "userAccountControl" field of the domain controller is correct.
Repadmin.exe or Replmon.exe reports "Access Denied" for a specific directory partition
This problem usually indicates a Kerberos authentication failure, although there are some exceptions. In this case, to resolve the replication failure, resolve the authentication failure before attempting to resolve the replication problem. To resolve this issue, follow these steps:
1. Ensure that the "Access this computer from the network" user right in the security policy of the source server includes the machine account of the destination server. You can grant this through the Everyone group, through the Enterprise Domain Controllers group, or by specifying the accounts individually.
2. Ensure that the Key Distribution Center service is started. You can use Dcdiag.exe to test for service failures on all domain controllers with the dcdiag /test:services command.
Note: In this command, there is a colon between "test" and "services".
3. Ensure that the destination server has connection objects from other source servers. If the Knowledge Consistency Checker (KCC) does not automatically create a connection or is disabled, you may have to create a manual connection when the server does not have connection objects from other source servers.
4. Ensure that the KCC topology is connected. If the KCC has not yet formed a full topology, changes cannot be replicated. To test this, use the dcdiag /test:topology command and specify the domain topology that you want to check.
5. Make sure that the "Trust computer for delegation" check box is selected on the General tab of the domain controller's Properties dialog box in the Active Directory Users and Computers MMC snap-in.
6. If the problem exists between domain controllers in different domains, check the trust relationship. To do this, use the Active Directory Domains and Trusts snap-in or use the netdom trust trusting_domain_name /domain:trusted_domain_name /verify /kerberos command.
7. Ensure that each computer synchronizes the configuration naming context (Config NC). The KCC must know which servers and sites exist. You can use the repadmin /syncall command to force the server to synchronize with the entire enterprise. Specify the Config NC as the naming context that you want to synchronize. Make sure that your site link topology is correct. Force the KCC to run on each server to regenerate the topology, or wait 15 minutes.
8. Ensure that the key bridgehead servers are running properly. You must determine whether your changes can flow across the enterprise. Run the dcdiag /test:intersite command once for each site. This command returns the names of the bridgehead servers and reports whether they have errors.
9. Check the value of the userAccountControl attribute. Ensure that the UF_SERVER_TRUST_ACCOUNT (0x2000) and UF_TRUSTED_FOR_DELEGATION (0x80000) flags are set.
For example, if you convert the decimal attribute value 532480 to hexadecimal, the value becomes 0x82000, where 0x80000 corresponds to UF_TRUSTED_FOR_DELEGATION and 0x2000 corresponds to UF_SERVER_TRUST_ACCOUNT.
10. Use the Replmon.exe utility to determine whether the pwdLastSet and unicodePwd attributes have consistent time/date stamps across multiple computers.
11. Ensure that the service principal name (SPN) is registered on each domain controller. Use the dcdiag /test:outboundsecurechannels command to test this. You can use the leading GUID to identify the SPN that is used for replication: E3514235-4B06-11D1-AB04-00C04FC2DCD2/b2f6f255-4446-45e8-81a3-0649d5d71a66/domain.com
12. Force replication of all computer accounts throughout the enterprise. This means that all domain controllers must be synchronized with all other replicas of their domain. For each computer that is reporting replication errors such as "Access Denied", use the repadmin /syncall command to force the computer to synchronize. Note that you must specify the domain that you want to synchronize.
13. When you run the previous Repadmin.exe command, you may receive the following error message:
The security context could not be established due to a failure in the requested quality of service.
If you do receive this error message, go to Internal Processing and look for "DSID". For information about how to obtain the Dsid.exe tool, contact Microsoft Product Support Services (PSS). For information about how to contact Microsoft PSS, visit the following Microsoft Web site:
http://support.microsoft.com/
14. Make sure that the Enterprise Domain Controllers group has the required permissions on the directory partition ACL:
a. Start the Active Directory Users and Computers snap-in.
b. On the View menu, click Advanced Features, if it is not already selected.
c. Right-click the root domain object, and then click Properties.
d. Click the Security tab, click ENTERPRISE DOMAIN CONTROLLERS in the name list, and then make sure that the following permissions are selected under Allow:
Manage Replication Topology
Replicating Directory Changes
Replication Synchronization
15. Use the Active Directory Sites and Services snap-in to ensure that the server object and its corresponding NTDS Settings child object exist in the correct site.
16. Check whether the tickets that the destination server holds for the source server are stale or invalid. Use the Kerbtray, Krbtest, and Klist utilities from the Windows 2000 Resource Kit to perform these tests. Use the NETDOM RESETPWD command to reset the account password and write the change to the nearest replication partner. This effectively changes the password, sets the old password and the new password to the same password, and then writes the change to the replication partner. This requires you to use one of the following commands or to restart the computer:
krbtest /system /callpackage:purge
-or-
klist purgeall
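The userAccountControl check in step 9 can be scripted once the attribute values have been exported. The following is an added example, not part of the original article: it decodes each value and reports which of the two flags the article requires are missing. The account names and the values other than 532480 are constructed, and the two extra flag constants are standard Active Directory values that the article does not list.

```python
# Added example: audit userAccountControl on domain controller computer accounts.
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000       # required on a DC (step 9)
UF_TRUSTED_FOR_DELEGATION = 0x80000    # required on a DC (step 9)

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "UF_ACCOUNTDISABLE",
    UF_WORKSTATION_TRUST_ACCOUNT: "UF_WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "UF_SERVER_TRUST_ACCOUNT",
    UF_TRUSTED_FOR_DELEGATION: "UF_TRUSTED_FOR_DELEGATION",
}
REQUIRED_ON_DC = (UF_SERVER_TRUST_ACCOUNT, UF_TRUSTED_FOR_DELEGATION)


def parse_uac(value):
    """Accept the attribute as an int, a decimal string or a 0x-prefixed string."""
    return value if isinstance(value, int) else int(str(value).strip(), 0)


def decode(uac):
    """Names of the known flags that are set, plus any bits not in FLAG_NAMES."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]
    known = 0
    for bit in FLAG_NAMES:
        known |= bit
    if uac & ~known:
        names.append(f"other bits {uac & ~known:#x}")
    return names


def audit_dc(name, value):
    """Report what is wrong with a DC account's userAccountControl, if anything."""
    uac = parse_uac(value)
    findings = [f"{FLAG_NAMES[bit]} ({bit:#x}) is not set"
                for bit in REQUIRED_ON_DC if not uac & bit]
    if uac & UF_WORKSTATION_TRUST_ACCOUNT:
        findings.append("account is flagged as a workstation or member server")
    if uac & UF_ACCOUNTDISABLE:
        findings.append("account is disabled")
    return {"name": name, "hex": f"{uac:#x}", "flags": decode(uac), "findings": findings}


# Constructed sample values; 532480 is the value used in the article.
SAMPLE_ACCOUNTS = [("DC1", 532480), ("DC2", "0x2000"), ("DC3", "4096")]

if __name__ == "__main__":
    for account, raw in SAMPLE_ACCOUNTS:
        result = audit_dc(account, raw)
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f'{result["name"]}: {result["hex"]} {result["flags"]} -> {status}')
```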
"The DSA Operation Is Unable to Proceed Because of a DNS Lookup Failure" (DSA operation cannot continue due to DNS lookup failure) error
To troubleshoot this error:
1. Use the nltest /dsgetdc: /pdc /force /avoidself command to determine whether the PDC that is returned is correct.
2. If there is a connection object and the REPLMON or REPADMIN command does not report a replication link, the problem may be related to the KCC.
3. Run the following commands on the PDC, and then submit the output to Microsoft PSS for further troubleshooting:
nltest /DBFLAG:0x2000FFFF
-and-
nltest /DSGETDC: /GC
4. Run the nltest /dsgetdc: /gc /force command to determine whether you can contact a global catalog server (GC).
5. Check the "when the password was last changed" parameter on the PDC and on the server where you have the problem.
The operation is queued or no replication links are displayed
When you run the Repadmin.exe or Replmon.exe utility, no replication links are reported. To resolve this issue, start KCC and see if there are any KCC-related events in the directory service log. This usually indicates that a failure occurred while communicating with the domain controller.
Replication access is denied or naming context is being deleted
When you try to start a replication operation, you receive one of the following messages:
Replication access is denied.
-or-
The naming context is in the process of being deleted.
This problem can occur if a user who uses the Active Directory sites and Services snap-in to start a replication operation on a domain controller does not have the appropriate permissions to start the replication operation. Please check the credentials of the user who performed this operation.
There are duplicate connection objects between sites
To resolve this problem, follow these steps:
Warning: Improper use of Registry Editor can cause serious problems that may require you to reinstall the operating system. Microsoft does not guarantee that you can solve problems caused by improper use of Registry Editor. Use Registry Editor at your own risk.
1. Determine whether explicit bridgeheads between sites were used in the past and have not been deleted, or whether explicit bridgeheads between sites are currently used but are misconfigured. One way to verify this is to use the LDP tool to connect to the Inter-Site Topology Generator (ISTG) in a site that has duplicate connections. If you browse the Config NC to the Inter-Site Transports container, and then to "cn=ip", you can view this object. If it contains the "bridgeheadServerListBL" attribute, there is an explicit bridgehead. For additional information about how to determine the ISTG of the site, click the article number below to view the article in the Microsoft Knowledge Base:
224599 (http://support.microsoft.com/kb/224599/EN-US/) Determining the Inter-Site Topology Generator (ISTG) of a Site in the Active Directory
2. Determine whether duplicate connections appear in all sites or in a specific subset of sites. Look for a pattern, such as duplicate connections between a specific set of servers. In a site with a duplicate connection, view the fromServer attribute on the duplicate connection and consider the site where that server is located. Try to isolate the activity in this site. How many servers are there in this site? Is it possible to reach some servers by using the Ping utility from the ISTG?
3. Ensure that the replication interval is set properly and that the ISTG can complete its replication.
4. To help isolate duplicate connection problems, follow these steps:
a. Select a DC that is generating duplicate inbound inter-site connections, that is, connections with the same source DC and destination DC, not just the same source and destination sites. The selected DC must be the ISTG of its site. You can determine the ISTG of a site by viewing the NTDS Site Settings properties of the site in the Active Directory Sites and Services snap-in.
b. Increase the size of the directory service event log to make it very large, for example, 64 MB.
c. Using Registry Editor (Regedit), change the "1 Knowledge Consistency Checker" value in the following registry subkey to the data value 5, and the "9 Internal Processing" value to the data value 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
d. Run the ldifde -f before.ldf -d "CN=Sites,CN=Configuration,DC=Site1,DC=Forest1,DC=com" command.
e. Let T0 = the current time.
f. Run the repadmin /kcc command and wait for it to finish running.
g. Start Event Viewer and make sure that the directory service event log has recorded informational events (including KCC event 1009: "The consistency checker has started updating the replication topology for this server") since time T0. If it has not, double the event log size and go back to step e (let T0 = the current time).
h. Save the directory service event log.
i. Run the ldifde -f after.ldf -d "CN=Sites,CN=Configuration,DC=Site1,DC=Forest1,DC=com" command.
j. View the Before.ldf and After.ldf files and the directory service event log for further analysis.
Inconsistent group policies applied across multiple domain controllers
You can use the following sample script to ensure that Group Policy is correctly replicated to all domain controllers in your domain.
The programming examples provided by Microsoft are for illustrative purposes only, without any express or implied warranties, including, but not limited to, implied warranties of merchantability and/or fitness for a particular purpose. This article assumes that you are familiar with the programming language being demonstrated and the tools for creating and debugging procedures. Microsoft support professionals can help explain the functionality of a particular procedure, but they will not modify these examples to provide additional functionality or build procedures to meet your specific needs. If you do not have enough programming experience, you may need to contact a Microsoft Certified Partner or call the Microsoft fee-based telephone line at (800) 936-5200. For more information about Microsoft Certified Partners, visit the following Microsoft Web site:
http://www.microsoft.com/partner/referral/
For additional information about the support options provided by Microsoft, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
Run this script by using the chkpolicy domain_name command:
@echo off
REM \logs\chkpolicy domain_name
REM Lists GPTTMPL.INF in SYSVOL on each domain controller of the domain so that
REM the file size and time stamp can be compared across domain controllers.
set dom_name=%1
set filename=sysvol\%dom_name%\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GPTTMPL.INF
nltest /dclist:%dom_name% > dclist.tmp
if exist dclist1.tmp del dclist1.tmp
FOR /F "eol=; tokens=1 delims=," %%i in (dclist.tmp) do (
@echo %%i >> dclist1.tmp
)
FOR /F "eol=. tokens=1 delims=." %%i in (dclist1.tmp) do (
@echo %%i
dir "\\%%i\%filename%"
)
The directory service is too busy to complete the operation
You may receive error 8438 ERROR_DS_DRA_BUSY: "The directory service is too busy to complete the replication operation at this time". This error occurs if the directory service is deleting a naming context (500 objects have been deleted) but has too many objects to complete at one time without holding up the replication queue. If the global catalog cleanup operation prevents replication from succeeding, you can create a batch file to speed up the process. You can then re-promote the computer to act as a global catalog server. The following sample script provides this functionality:
setlocal
set destgc=__setgcnamehere__.site1.forest1.com
:domain1
repadmin /delete DC=domain1,DC=site1,DC=forest1,DC=com %destgc% /nosource
if %errorlevel% == 8438 goto :domain2
:domain2
repadmin /delete DC=domain2,DC=Site1,DC=forest1,DC=com %destgc% /nosource
if %errorlevel% == 8438 goto :domain3
REM ...
endlocal
Advanced troubleshooting techniques
Knowledge Consistency Checker and ISTG
You can create an event log that contains more diagnostic information for the Knowledge Consistency Checker. To do this, perform the following steps on the ISTG of the site where the duplicate connection occurs:
1. Save the contents of the event log and clear the event log.
2. Set the "1 Knowledge Consistency Checker" registry DWORD value to 5 in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
3. Run the Knowledge Consistency Checker by running the repadmin /kcc command.
4. Reset the "1 Knowledge Consistency Checker" registry DWORD value to 0 (zero).
5. Save the new event log.
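The Before.ldf and After.ldf exports from the duplicate-connection procedure can be compared mechanically. The following is an added example, not part of the original article: it parses an ldifde export, groups nTDSConnection objects by source and destination DC, and returns the pairs that have more than one connection and the connections that appeared after the KCC run. The sample LDIF, server names and site names are constructed; bit 0x1 of the options attribute marks a connection that the KCC generated.

```python
import base64
import re
from collections import defaultdict

# Constructed sample data in the layout ldifde writes; all names are placeholders.
BASE = "CN=Sites,CN=Configuration,DC=Site1,DC=Forest1,DC=com"


def _conn(cn, dest, dest_site, src, src_site, options=1):
    """Build one sample nTDSConnection entry with a folded fromServer line."""
    return (
        f"dn: CN={cn},CN=NTDS Settings,CN={dest},CN=Servers,CN={dest_site},{BASE}\n"
        "changetype: add\n"
        "objectClass: top\n"
        "objectClass: nTDSConnection\n"
        f"fromServer: CN=NTDS Settings,CN={src},CN=Servers,\n"
        f" CN={src_site},{BASE}\n"
        f"options: {options}\n\n"
    )


BEFORE_LDF = _conn("c1", "DC1", "Branch1", "HUB1", "Hub")
AFTER_LDF = (BEFORE_LDF
             + _conn("c2", "DC1", "Branch1", "HUB1", "Hub")
             + _conn("c3", "DC1", "Branch1", "HUB2", "Hub", options=0))


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line: unfold
        else:
            lines.append(raw)
    entries, entry = [], defaultdict(list)
    for line in lines + [""]:
        if not line.strip():              # blank line ends the current entry
            if entry:
                entries.append(dict(entry))
                entry = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry[name.strip().lower()].append(value.strip())
    return entries


def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def server_and_site(ntds_settings_dn):
    """CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,... -> ('dc1', 'site1')."""
    parts = split_dn(ntds_settings_dn)
    return tuple(parts[i].split("=", 1)[1].lower() for i in (1, 3))


def connections(ldif_text):
    """Map connection DN -> (source, destination, created by the KCC?)."""
    found = {}
    for entry in parse_ldif(ldif_text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "ntdsconnection" not in classes or "fromserver" not in entry:
            continue
        dn = entry["dn"][0]
        dest = server_and_site(",".join(split_dn(dn)[1:]))
        src = server_and_site(entry["fromserver"][0])
        generated = bool(int(entry.get("options", ["0"])[0]) & 0x1)
        found[dn] = (src, dest, generated)
    return found


def duplicates(ldif_text):
    """Source/destination DC pairs that have more than one connection object."""
    groups = defaultdict(list)
    for dn, (src, dest, generated) in connections(ldif_text).items():
        groups[(src, dest)].append((split_dn(dn)[0], generated))
    return {pair: sorted(conns) for pair, conns in groups.items() if len(conns) > 1}


def added_since(before_ldif, after_ldif):
    """Connection objects present in the second export but not in the first."""
    old = connections(before_ldif)
    return sorted(split_dn(dn)[0] for dn in connections(after_ldif) if dn not in old)


if __name__ == "__main__":
    print(duplicates(AFTER_LDF))
    print(added_since(BEFORE_LDF, AFTER_LDF))
```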
To get a new benchmark metric, follow these steps:
1. Make sure that your computer has a site link to the network center. If such a link does not exist, create it.
2. Delete all inbound connection objects on the computer.
3. Run the Knowledge Consistency Checker by running the repadmin /kcc command.
4. Ensure that the required connections have been created by running the repadmin /showconn command.
5. Look for errors in the directory service event log. You may see an error indicating that a replica cannot be added for naming context X (for example, event ID 1265) with error Y. Determine whether this error is related to a DNS problem or is a connection error, and then try to correct the problem. If the error indicates that a target account name is incorrect, or if it is an SPN error, it may be more difficult to resolve.
6. If the event log reports that a replica was added successfully, check it by running the repadmin /showreps command.
After adjusting the site link replication interval, wait for the configuration changes to replicate to the other network center servers, and then restart each network center server to clear the replication queue. You can use the repadmin /sync command or the Active Directory Sites and Services snap-in to force replication of the configuration naming context so that you can see the updated site links on each network center server before you restart them.
Use the Dcdiag.exe utility to evaluate the health of replication at each site. The tool can be run remotely through scripts, and its output can be checked for the presence of "fail". You can use the following sample script as an example:
REM check replications in site site1
dcdiag /s:dc1 /test:replications /a /n:domain1
dcdiag /s:dc1 /test:replications /a /n:domain2
dcdiag /s:dc1 /test:replications /a /n:domain3
REM check replications in site site2
REM continue Dcdiag statements for domains in site2
File Replication Service (FRS)
1. If you think that directory service replication works but FRS fails, make sure that the post-Service Pack 1 (SP1) FRS fix is installed on all replication partners. This update is included in Windows 2000 Service Pack 2 and Service Pack 3.
2. Run the ntfrsutl ds command to verify that there is only one subscriber object named "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" and that it has a "Member Ref". For example:
SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
Member Ref: CN=TEST1,CN=Domain System Volume (SYSVOL share),CN=File Replication Se...
Locate the member object output ("dump") for this domain controller, and make sure that it has the "Server Ref" and "Computer Ref" attributes. Also make sure that there is at least one connection directly below this member object. This is the inbound connection to the domain controller. For example:
MEMBER: TEST1
Server Ref: CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sit...
Computer Ref: cn=test1,ou=domain controllers,dc=domain1,dc=site1,dc=forest1,dc=com
...
DN: cn=d7874204-c331-4750-82ec-30b96a8ec732
Make sure that at least one other member object has this domain controller as its inbound partner. The "Partner Dn" attribute indicates which partner this connection comes from.
Partner Dn: cn=ntds settings,cn=test1,cn=servers,cn=default-first-site-name,cn=sit...
3. Run the Ntfrsutl command to check that the "ServiceState" value of the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is "ACTIVE". For example:
ServiceState: 3 (ACTIVE)
Ensure that this domain controller has at least one inbound connection and one outbound connection. For example:
Inbound: FALSE
Inbound: TRUE
4. Increase the FRS logging level. To do this, add the following registry values to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters registry subkey:
Value name: Debug Log Severity
Value type: REG_DWORD
Value data: 0x00000004
Value name: Debug Maximum Log Messages
Value type: REG_DWORD
Value data: 50000
Value name: Debug Log Files
Value type: REG_DWORD
Value data: 0x00000032
5. To help with troubleshooting, you can dump the status of FRS on the domain controller to a file. The following sample script can be used as an example of how to do this:
@echo off
REM FRS_CHECK.CMD - Records the state of FRS
SETLOCAL ENABLEEXTENSIONS
SET FRSCK=C:\FRS_CHECK
if NOT EXIST %FRSCK% (md %FRSCK%)
REM run dcdiag
dcdiag > %FRSCK%\dcdiag.txt
REM For FRS
ntfrsutl ds > %FRSCK%\ntfrs_ds.txt
ntfrsutl sets > %FRSCK%\ntfrs_sets.txt
ntfrsutl inlog > %FRSCK%\ntfrs_inlog.txt
ntfrsutl outlog > %FRSCK%\ntfrs_outlog.txt
ntfrsutl version > %FRSCK%\ntfrs_version.txt
regdmp HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters > %FRSCK%\ntfrs_reg.txt
dir \\.\sysvol /s > %FRSCK%\ntfrs_sysvol.txt
REM scan the frs debug logs for errors.
findstr /I ":SO: error invalid fail abort warn" %windir%\debug\ntfrs_*.log | findstr /v "IO_PEND ERROR_SUCCESS FrsErrorSuccess" > %FRSCK%\ntfrs_errscan.txt
REM For DS replication
repadmin /showreps > %FRSCK%\ds_showreps.txt
repadmin /showconn > %FRSCK%\ds_showconn.txt
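FRS_CHECK.CMD saves Dcdiag output to dcdiag.txt, and the article suggests checking Dcdiag output for "fail". The following is an added example, not part of the original article: it reads saved Dcdiag output, returns each failed test with the server it ran against, and maps the error numbers in the detail lines to the sections of this article. The sample output is constructed; error numbers 5 and 8453 are the standard Windows values of ERROR_ACCESS_DENIED and ERROR_DS_DRA_ACCESS_DENIED, which the article names without numbers.

```python
import re

# Constructed sample of Dcdiag output, as saved by "dcdiag > dcdiag.txt".
SAMPLE = r"""
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Site1\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

   Testing server: Site1\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity

Doing primary tests

   Testing server: Site1\DC1
      Starting test: Replications
         [Replications Check,DC1] A recent replication attempt failed:
            From DC2 to DC1
            Naming Context: DC=domain1,DC=site1,DC=forest1,DC=com
            The replication generated an error (5):
            Access is denied.
         ......................... DC1 failed test Replications

   Testing server: Site1\DC2
      Starting test: Replications
         ......................... DC2 passed test Replications
"""

SERVER = re.compile(r"Testing server:\s*(\S+)")
START = re.compile(r"Starting test:\s*(\S+)")
RESULT = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")
ERRNO = re.compile(r"error \((\d+)\)")

# Where this article sends you for each error number.
HINTS = {
    5: "ERROR_ACCESS_DENIED: look for a Kerberos problem",
    8453: "ERROR_DS_DRA_ACCESS_DENIED: check both computer accounts and userAccountControl",
    8438: "ERROR_DS_DRA_BUSY: the directory service is too busy; see the cleanup script",
}


def failed_tests(text):
    """Return one dict per failed test: server, test, detail lines, codes, hints."""
    failures, server, test, detail = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVER.search(line):
            server = m.group(1)
        elif m := START.search(line):
            test, detail = m.group(1), []
        elif m := RESULT.search(line):
            if m.group(2) == "failed":
                codes = sorted({int(c) for c in ERRNO.findall(" ".join(detail))})
                failures.append({
                    "server": server,
                    "test": m.group(3),
                    "detail": detail,
                    "codes": codes,
                    "hints": [HINTS[c] for c in codes if c in HINTS],
                })
            test, detail = None, []
        elif test and line:
            detail.append(line)        # text between "Starting test" and the result
    return failures


if __name__ == "__main__":
    for f in failed_tests(SAMPLE):
        print(f["server"], f["test"], f["codes"], f["hints"])
```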