The error was Access Denied... My colleague has found a workaround for
the replication issue by adding the accounts of the DCs that were trying
to pull to the Builtin\Administrators group. After that the replication
started to flow. More investigation showed that the DC was rejecting any
connection of accounts that are not members of the Administrators group as a
result of local security settings corruption.

It looks like WMI db corruption was not alone there.
Restoring the local security settings solved the issue.


Guy
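
An added example, not part of the original message or thread: assuming the corrupted setting was the "Access this computer from the network" user right (SeNetworkLogonRight), which the thread does not state, this audits a `secedit /export` file for the principals a DC needs there. The SID baseline, the sample export and the function names are assumptions made for illustration.

```python
import configparser

# Assumed baseline (adjust to your policy): well-known SIDs a DC normally
# grants "Access this computer from the network" so partners can pull from it.
EXPECTED_NETWORK_LOGON = {
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

# Constructed sample of `secedit /export /areas USER_RIGHTS` output (not from
# the thread): only Administrators hold the right, matching the symptom above.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of right names
    parser.read_string(text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for name, value in parser.items("Privilege Rights"):
            # SIDs are exported with a leading '*'; plain account names have none.
            rights[name] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights

def audit_network_logon(rights):
    """List expected principals that are missing from, or denied, network logon."""
    findings = []
    granted = rights.get("SeNetworkLogonRight", set())
    denied = rights.get("SeDenyNetworkLogonRight", set())
    for sid, name in EXPECTED_NETWORK_LOGON.items():
        if sid not in granted:
            findings.append(f"missing from SeNetworkLogonRight: {name} ({sid})")
        if sid in denied:
            findings.append(f"listed in SeDenyNetworkLogonRight: {name} ({sid})")
    return findings

if __name__ == "__main__":
    for finding in audit_network_logon(parse_privilege_rights(SAMPLE_EXPORT)):
        print(finding)
```

A real export is normally UTF-16 encoded, so decode it with that encoding before passing the text to `parse_privilege_rights`.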

On Fri, 2004-05-28 at 01:53, joe wrote:
> I doubt the GPO is it, could be wrong, but doubt it. However what did you
> change in the GPO?
> 
> What does repadmin /showreps say on the DC trying to pull?
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, May 26, 2004 11:40 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DC not replicating out
> 
> Both come up clean, despite the fact that the A record for the DC initially
> didn't have the BAD_DC$ account in the ACL and the owner was SYSTEM instead
> of BAD_DC$. I adjusted that manually and the change replicated to all DCs.
> Still the netdiag and dcdiag do not show any DNS related problems - only FRS
> and AD outbound replication is failing. All other tests are fine.
> 
> Other DCs that participate in the replication with bad DC come up with KCC
> errors (eventid 1311: there is insufficient site connectivity,
> blabla...) - it's the only DC at site.  
> 
> It looks almost like island DNS, but it's W2K3 and that should not happen.
> 
> Guy
> 
> On Wed, 2004-05-26 at 17:50, Mulnick, Al wrote:
> > Would be relatively easy to check DNS.  DCDIAG and NETDIAG would be 
> > two tools to use to check to see that all is well from the bad dc and 
> > good dc perspectives. I'd say go the easy part first.
> > 
> > Invalid Checksum?  Hmmm...  Anything in the security logs that gives 
> > an indication?
> > 
> > Al
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Tuesday, May 25, 2004 6:02 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] DC not replicating out
> > 
> > 
> > I am banging my head against the wall the whole day.
> > 
> > In pilot environment we applied a GPO to replace the Default DC GPO.
> > Apparently one of the DCs had some issues when the GPO was applied.
> > The result was: the inbound replication on the DC works, but no other 
> > DC can pull from the sick one.
> > Closer examination showed total WMI repository corruption. I have 
> > rebuilt it and it looks like WMI is back (not sure it's related, but 
> > worth mentioning)
> > 
> > Since then, the new GPO has been unlinked and replaced with default 
> > (and as the inbound replication on the DC in question is working, it 
> > has replicated to it). But that has not resolved the issue.
> > 
> > From faulty DC issued:
> > repadmin /replicate good_dc bad_dc cn=configuration,dc=compay,dc=com 
> > /force
> > 
> > Traced the session with network monitor from the good DC...
> > What I see is:
> > - LDAP bind
> > - some searches performed and answered correctly
> > - MSRPC session initiated
> > - RPC request from good DC, RPC response from bad DC
> > - RPC bind request from good DC and RPC Bind Ack from bad DC
> > - again RPC request from good DC, RPC response from bad DC
> > - again RPC bind request from good DC and RPC Bind Nack from bad DC 
> > with Provider Reject Reason: "Invalid checksum"
> > 
> > I was about to blame the DNS till I got this "Invalid checksum" in the 
> > trace...
> > 
> > Now the question is: am I complicating the whole thing and should look 
> > closer into DNS or this is something else ?
> > 
> > Thanks,
> > Guy
> > 
> > 
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
