Forum.Brain-Cluster.com: Brain Cluster Technical Forum
AD replication issues on vmware [message #345747] Wed, 16 December 2009 09:36
jcalisi (United States)
Little bit of history. I have two physical 2003 AD servers (dc01, dc02)
and two ESX VM 2008 R2 AD servers (dc04, dc05). I'm planning on
decommissioning the 2003 servers. After going through the steps of
dcpromo and moving the roles over to the new VMs, everything seemed to be
OK. Then one day the time was off and caused some problems. However, it
was caught in time and resynced, and everything was fine. Two months
forward, NTP was not set up on the ESX servers and one of the VMs, which
has all of the roles, lost time again, and for what looks like two
months... Now replication doesn't work. I have not done any type of
clone or restore. tbrdc04 is the VM with the problems.

Also, everything is on the same subnet with no firewalls in between.


I now have NTP running on all of my ESX hosts and everything is in sync,
but I think I will have to take more steps than this to fix it. Any help
would be greatly appreciated.


Filename: dcdiag.txt
Download: http://forums.techarena.in/attachment.php?attachmentid=10509

--
jcalisi
------------------------------------------------------------------------
jcalisi's Profile: http://forums.techarena.in/members/164535.htm
View this thread: http://forums.techarena.in/active-directory/1283042.htm

http://forums.techarena.in
Re: AD replication issues on vmware [message #345759 is a reply to message #345747] Wed, 16 December 2009 10:41
florian (Germany)
Howdie!

jcalisi wrote:
> Little bit of history. I have two physical 2003 AD servers (dc01, dc02)
> and two ESX VM 2008 R2 AD servers (dc04, dc05). I'm planning on
> decommissioning the 2003 servers. After going through the steps of
> dcpromo and moving the roles over to the new VMs, everything seemed to be
> OK. Then one day the time was off and caused some problems. However, it
> was caught in time and resynced, and everything was fine. Two months
> forward, NTP was not set up on the ESX servers and one of the VMs, which
> has all of the roles, lost time again, and for what looks like two
> months... Now replication doesn't work. I have not done any type of
> clone or restore. tbrdc04 is the VM with the problems.
>
> Also, everything is on the same subnet with no firewalls in between.

Yeah, time is one of the biggest challenges when having DCs virtualized.
That's why most people run at least one DC as a physical host and leave
it at that.

So -- did you get the time sync working? Are those machines in time
again? I would recommend switching off VMware time services so that the VMs'
times won't be overwritten by the VM host.

Is that dcdiag output before or after you fixed the time issue? I would
assume after it. I'd be interested in event log messages that come up
and an output of repadmin /showrepl to see whether replication takes
place now. Other than that, a newer dcdiag would be useful.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.
Re: AD replication issues on vmware [message #345798 is a reply to message #345747] Wed, 16 December 2009 10:49
PledgeTechnologies (United States)
As per the DCDIAG report, looks like DC is in USN Rollback state.


Check this article to confirm more:
http://support.microsoft.com/kb/875495

If there is a registry key on the TBRDC04 DC, then it's a USN Rollback for
sure.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameter\
Key: DSANotWritable
Value: 4

Follow the KB 875495 for resolution.


Please feel free to reply back if you have any queries.

Regards,
Pledge Technologies.


--
PledgeTechnologies
------------------------------------------------------------------------
PledgeTechnologies's Profile: http://forums.techarena.in/members/161606.htm
View this thread: http://forums.techarena.in/active-directory/1283042.htm

http://forums.techarena.in
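
The check suggested in the post above, as an added PowerShell example that is not part of the original thread. It assumes PowerShell 3.0 or later in an elevated session on the suspect DC, and it uses the key path `NTDS\Parameters`, the value name `Dsa Not Writable`, and event IDs 2095 and 2103 as KB 875495 documents them.

```powershell
# Added example (not from the thread): read-only check for the USN rollback
# quarantine indicators described in KB 875495. Nothing is modified.
$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Dsa Not Writable'   # value name as spelled in KB 875495

# 1. Registry marker written when the directory service quarantines itself.
$params = Get-ItemProperty -Path $ntdsKey -ErrorAction Stop
$prop   = $params.PSObject.Properties[$valueName]
$marker = if ($prop) { $prop.Value } else { $null }

# 2. Netlogon is paused on a quarantined DC, so clients stop locating it.
$netlogon = (Get-Service -Name Netlogon).Status

# 3. Directory Service events the KB associates with rollback:
#    2095 (rollback detected) and 2103 (database restored in an unsupported way).
$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'
        Id      = 2095, 2103
    } -MaxEvents 10 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    DsaNotWritable = $marker
    NetlogonStatus = $netlogon
    RollbackEvents = $events.Count
    NewestEvent    = if ($events.Count) { $events[0].TimeCreated } else { $null }
    Quarantined    = ($marker -eq 4) -or ($events.Count -gt 0)
}
```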
Re: AD replication issues on vmware [message #345882 is a reply to message #345798] Wed, 16 December 2009 12:54
jcalisi (United States)
thanks for the help so far.

Yes, that dcdiag is from after NTP was correctly set up and the VMs have the
correct time.

Also, that article is for 2003; would that be the same for 2008 as well?
dc04 is a 2008 R2 box.

thanks again for the help.


Re: AD replication issues on vmware [message #345930 is a reply to message #345747] Wed, 16 December 2009 13:56
PledgeTechnologies (United States)
As far as I know, every setting is the same. However, you can check the link
below for any other specific setting.

http://www.articlesbase.com/operating-systems-articles/how-to-configure-an-authoritative-time-server-in-windows-server-2008-461336.html

Regards,
Pledge Technologies.


Re: AD replication issues on vmware [message #346446 is a reply to message #345882] Thu, 17 December 2009 06:29
pbbergs (United States)
Are you saying you have resolved the time issue before dcdiag was run?
According to the dcdiag you are off by 304 minutes. You will never get
replication to work (Kerberos) without dc's having consistent and correct
time. DON'T allow the virtual host to control the time of the DC's.


Have you followed the KB article below?
http://support.microsoft.com/kb/888794


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

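
One way to measure the clock offset discussed in the post above, as an added PowerShell example that is not part of the original thread. It parses `w32tm /stripchart ... /dataonly` output; the sample lines, the IP addresses and the sign of the tbrdc04 offset are constructed (18240 seconds is the 304 minutes mentioned above), and `Get-ClockOffset` is a hypothetical helper name.

```powershell
# Added example (not from the thread): flag DCs whose clock offset exceeds
# the Kerberos default maximum skew of 5 minutes. Requires PowerShell 3.0+.
$MaxSkewSeconds = 300

function Get-ClockOffset {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string[]]$StripchartOutput
    )
    $inv = [Globalization.CultureInfo]::InvariantCulture
    foreach ($line in $StripchartOutput) {
        # /dataonly sample lines end in a signed offset, e.g. "10:41:00, +00.0123456s"
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            $offset = [double]::Parse($Matches[1], $inv)
            return [pscustomobject]@{
                Computer       = $Computer
                OffsetSeconds  = $offset
                OffsetMinutes  = [math]::Round($offset / 60, 1)
                BreaksKerberos = ([math]::Abs($offset) -gt $MaxSkewSeconds)
            }
        }
    }
    # No sample line could be parsed (w32tm printed an error or timed out).
    [pscustomobject]@{
        Computer = $Computer; OffsetSeconds = $null
        OffsetMinutes = $null; BreaksKerberos = $null
    }
}

# Constructed sample output, one capture per DC.
$samples = @{
    'dc01'    = @('Tracking dc01 [192.0.2.11:123].', 'Collecting 1 samples.',
                  '10:41:00, +00.0123456s')
    'tbrdc04' = @('Tracking tbrdc04 [192.0.2.14:123].', 'Collecting 1 samples.',
                  '10:41:02, -18240.5000000s')
}

$samples.GetEnumerator() |
    ForEach-Object { Get-ClockOffset -Computer $_.Key -StripchartOutput $_.Value } |
    Sort-Object Computer | Format-Table -AutoSize

# Live use against a real DC:
#   Get-ClockOffset -Computer dc05 -StripchartOutput `
#       (w32tm /stripchart /computer:dc05 /samples:1 /dataonly)
```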
Re: AD replication issues on vmware [message #346541 is a reply to message #346446] Thu, 17 December 2009 08:00
jcalisi (United States)
So here are the steps I've done so far. After your help I figured out
that dc04 was in rollback. Not sure why, but I will look at that after
I get everything back in order.

So I forcefully demoted dc04 and it is now a workgroup server.
Seized all of the roles to dc01 (2k3).
I have the article on running the metadata cleanup. My question is,
should I run this on dc01, and if so, is it a safe procedure?

thanks again for all of your help.


Re: AD replication issues on vmware [message #346606 is a reply to message #346541] Thu, 17 December 2009 08:27
PledgeTechnologies (United States)
You can run Metadata Cleanup on any Domain Controller. Make sure that once
you do the metadata cleanup, Active Directory replication is working
fine. Once confirmed, promote the server back as a DC if required.
Use the Ntdsutil command to do so: http://support.microsoft.com/kb/216498

Feel free to reply back if you have any queries.

Regards,
Pledge Technologies.


Re: AD replication issues on vmware [message #347069 is a reply to message #346541] Thu, 17 December 2009 16:04
pbbergs (United States)
You can perform the metadata cleanup on any operating DC.

Once this is complete, run diagnostics against your Active Directory domain.

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> ntfrsutl ds your_dc_name > c:\sysvol.log
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take into
account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests without
having to learn all the switch options. The details will be output in
notepad text files that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

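
A way to do the "search for fail, error and warning" step on the replication data, as an added PowerShell example that is not part of the original thread. It uses repadmin's `/csv` output rather than the `/verbose` text form shown in the post; the CSV rows, the `DC=example,DC=com` naming context and the helper name `Get-ReplicationFailure` are constructed for illustration.

```powershell
# Added example (not from the thread): list replication links with failures.
# Constructed sample; for live data use:  $csv = repadmin /showrepl * /csv
$csv = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status'
    'showrepl_INFO,Default-First-Site-Name,DC01,"DC=example,DC=com",Default-First-Site-Name,DC02,RPC,0,0,2009-12-17 15:50:12,0'
    'showrepl_INFO,Default-First-Site-Name,DC01,"DC=example,DC=com",Default-First-Site-Name,TBRDC04,RPC,41,2009-12-17 15:48:03,2009-10-14 02:11:40,8456'
)

# Win32 status codes returned when a DC has replication disabled.
$meaning = @{
    '8456' = 'source DC is rejecting replication requests'
    '8457' = 'destination DC is rejecting replication requests'
}

function Get-ReplicationFailure {
    param([Parameter(Mandatory)][string[]]$Csv)
    $Csv | ConvertFrom-Csv |
        # Keep data rows only (repadmin also emits showrepl_ERROR rows).
        Where-Object {
            $_.showrepl_COLUMNS -eq 'showrepl_INFO' -and
            [int]$_.'Number of Failures' -gt 0
        } |
        ForEach-Object {
            $status = $_.'Last Failure Status'
            [pscustomobject]@{
                Destination   = $_.'Destination DSA'
                Source        = $_.'Source DSA'
                NamingContext = $_.'Naming Context'
                Failures      = [int]$_.'Number of Failures'
                LastSuccess   = $_.'Last Success Time'
                Status        = $status
                Meaning       = if ($meaning.ContainsKey($status)) { $meaning[$status] }
                                else { 'look up the Win32 error code' }
            }
        }
}

Get-ReplicationFailure -Csv $csv | Format-List
```

An empty result after the metadata cleanup means every link repadmin reported has a failure count of zero.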