DCPROMO ok, but replication immediately not working via VPN

David N. Spink

Hello,

I'm having a confusing time trying to work out why I'm having an issue getting Domain Controllers to replicate - I think it might be something to do with the VPN connection between the two sites, but I'm unclear why.

The setup is as follows:

PDC PIA001 (Server 2016 Standard), and DC MAIL (Server 2008 R2 Standard) are located at the main site.

DC PIA003 (Server 2016 Standard), and member server PIASVR2 (Server 2008 R2 Standard) are at a remote site connected by a VPN.

I originally had a server called PIA002 at the remote site (Server 2016 Standard) which was a DC - however when I noticed it wasn't replicating I demoted it and then tried to promote it again, but couldn't, so I've installed PIA003 from scratch today.

PIA003 joined the domain just fine, and the DCPROMO also worked but took about an hour. However, I'm immediately getting lots of odd errors from DCDIAG.

I should mention that these are all virtual machines - the 2016 machines are running on Hyper-V (Server 2016 Standard), and the 2008 R2s are running on VMware hosts.


DCDIAG run from PIA003 produces this:

===================================================================


Directory Server Diagnosis


Performing initial setup:

Trying to find home server...

Home Server = PIA003

* Identified AD Forest.
Done gathering initial info.


Doing initial required tests


Testing server: Glasgow\PIA003

Starting test: Connectivity

......................... PIA003 passed test Connectivity



Doing primary tests


Testing server: Glasgow\PIA003

Starting test: Advertising

Warning: PIA003 is not advertising as a time server.

......................... PIA003 failed test Advertising

Starting test: FrsEvent

......................... PIA003 passed test FrsEvent

Starting test: DFSREvent

There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may cause

Group Policy problems.
......................... PIA003 passed test DFSREvent

Starting test: SysVolCheck

......................... PIA003 passed test SysVolCheck

Starting test: KccEvent

......................... PIA003 passed test KccEvent

Starting test: KnowsOfRoleHolders

[PIA001] LDAP bind failed with error 1053,

The service did not respond to the start or control request in a timely fashion..
Warning: PIA001 is the Schema Owner, but is not responding to LDAP

Bind.

Warning: PIA001 is the Domain Owner, but is not responding to LDAP

Bind.

Warning: PIA001 is the PDC Owner, but is not responding to LDAP Bind.

Warning: PIA001 is the Rid Owner, but is not responding to LDAP Bind.

Warning: PIA001 is the Infrastructure Update Owner, but is not

responding to LDAP Bind.

......................... PIA003 failed test KnowsOfRoleHolders

Starting test: MachineAccount

......................... PIA003 passed test MachineAccount

Starting test: NCSecDesc

......................... PIA003 passed test NCSecDesc

Starting test: NetLogons

......................... PIA003 passed test NetLogons

Starting test: ObjectsReplicated

......................... PIA003 passed test ObjectsReplicated

Starting test: Replications

......................... PIA003 passed test Replications

Starting test: RidManager

......................... PIA003 passed test RidManager

Starting test: Services

......................... PIA003 passed test Services

Starting test: SystemLog

An error event occurred. EventID: 0x00002720

Time Generated: 05/09/2018 17:52:13

Event String:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID


An error event occurred. EventID: 0xC0000007

Time Generated: 05/09/2018 17:56:20

Event String:

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was LDAP/f663d11b-f1b4-4577-8e8c-5d34e643b596._msdcs.not-actual-domain.org.uk and lookup type 0x48.

An error event occurred. EventID: 0xC0000007

Time Generated: 05/09/2018 18:10:14

Event String:

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was and lookup type 0x108.

An error event occurred. EventID: 0xC0000007

Time Generated: 05/09/2018 18:11:14

Event String:

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was ESSENTIALS_PWD_SYNC/PIA001.not-actual-domain.org.uk and lookup type 0x48.

An error event occurred. EventID: 0xC0000007

Time Generated: 05/09/2018 18:25:09

Event String:

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was DNS/pia001.not-actual-domain.org.uk and lookup type 0x48.

An error event occurred. EventID: 0xC0000007

Time Generated: 05/09/2018 18:31:37

Event String:

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was ldap/PIA001.not-actual-domain.org.uk and lookup type 0x48.

......................... PIA003 failed test SystemLog

Starting test: VerifyReferences

......................... PIA003 passed test VerifyReferences



Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test

CrossRefValidation


Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation


Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test CrossRefValidation


Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test CrossRefValidation


Running partition tests on : not-actual-domain

Starting test: CheckSDRefDom

......................... not-actual-domain passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... not-actual-domain passed test

CrossRefValidation


Running enterprise tests on : not-actual-domain.org.uk

Starting test: LocatorCheck

......................... not-actual-domain.org.uk passed test

LocatorCheck

Starting test: Intersite

......................... not-actual-domain.org.uk passed test

Intersite


===================================================================



DCDIAG /s:pIA001 run from server MAIL at the main site produces this:

===================================================================


Directory Server Diagnosis


Performing initial setup:

* Identified AD Forest.
Done gathering initial info.


Doing initial required tests


Testing server: Edinburgh\PIA001

Starting test: Connectivity

......................... PIA001 passed test Connectivity



Doing primary tests


Testing server: Edinburgh\PIA001

Starting test: Advertising

......................... PIA001 passed test Advertising

Starting test: FrsEvent

......................... PIA001 passed test FrsEvent

Starting test: DFSREvent

......................... PIA001 passed test DFSREvent

Starting test: SysVolCheck

......................... PIA001 passed test SysVolCheck

Starting test: KccEvent

......................... PIA001 passed test KccEvent

Starting test: KnowsOfRoleHolders

......................... PIA001 passed test KnowsOfRoleHolders

Starting test: MachineAccount

......................... PIA001 passed test MachineAccount

Starting test: NCSecDesc

......................... PIA001 passed test NCSecDesc

Starting test: NetLogons

......................... PIA001 passed test NetLogons

Starting test: ObjectsReplicated

......................... PIA001 passed test ObjectsReplicated

Starting test: Replications

REPLICATION LATENCY WARNING

PIA001: This replication path was preempted by higher priority work.

from PIA003 to PIA001

Reason: The operation completed successfully.

The last success occurred at (never).

Replication of new changes along this path will be delayed.

REPLICATION LATENCY WARNING

PIA001: This replication path was preempted by higher priority work.

from PIA003 to PIA001

Reason: The operation completed successfully.

The last success occurred at (never).

Replication of new changes along this path will be delayed.

REPLICATION LATENCY WARNING

PIA001: This replication path was preempted by higher priority work.

from PIA003 to PIA001

Reason: The operation completed successfully.

The last success occurred at (never).

Replication of new changes along this path will be delayed.

......................... PIA001 passed test Replications

Starting test: RidManager

......................... PIA001 passed test RidManager

Starting test: Services

......................... PIA001 passed test Services

Starting test: SystemLog

......................... PIA001 passed test SystemLog

Starting test: VerifyReferences

......................... PIA001 passed test VerifyReferences



Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation


Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test

CrossRefValidation


Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test CrossRefValidation


Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test CrossRefValidation


Running partition tests on : not-actual-domain

Starting test: CheckSDRefDom

......................... not-actual-domain passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... not-actual-domain passed test

CrossRefValidation


Running enterprise tests on : not-actual-domain.org.uk

Starting test: LocatorCheck

......................... not-actual-domain.org.uk passed test

LocatorCheck

Starting test: Intersite

......................... not-actual-domain.org.uk passed test

Intersite

===================================================

I'm not really understanding where or what the problem is. Can anyone give me any ideas where I should be looking?


Thanks
