Found this, under Troubleshooting Active Directory: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/d87e1c8f-2e6b-4ce3-b72b-7108acc6aecb.mspx
More to the point, there are some special security checks in DCDIAG for 2003 SP1 that may be able to help. From the link above:
An "Access denied" or other security error has caused replication problems

Replication problems that have security causes can be tested and diagnosed by using the version of Dcdiag.exe that is included with Windows Support Tools in Windows Server 2003 Service Pack 1 (SP1).

Cause
A replication destination domain controller cannot contact its source replication partner to get Active Directory updates as a result of one or more security errors occurring on the connection between the two domain controllers.

Solution
Run the replication security error diagnostic test that is available in the version of Dcdiag in Windows Support Tools that is included in Windows Server 2003 SP1.

Test a Domain Controller for Replication Security Errors

You can test any or all domain controllers in your forest for security errors.

Requirements
- Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group to test a domain controller in your domain or a member of the Enterprise Admins group to test a domain controller in another domain.
- Tool: Dcdiag.exe (Windows Support Tools) in Windows Server 2003 SP1
- Operating system:

To test a domain controller for replication security errors

1. At a command prompt, type the following command, and then press ENTER:

       dcdiag /test:CheckSecurityError /s:DomainControllerName

   DomainControllerName is the Domain Name System (DNS) name, network basic input/output system (NetBIOS) name, or distinguished name of the domain controller on which you want to test. If you do not use the /s: switch, the test is run against the local domain controller. You can also test all domain controllers in the forest by using /e: instead of /s:.
2. Copy the report into Notepad or an equivalent text editor.
3. Scroll to the Summary table near the bottom of the Dcdiag log file.
4. Note the names of all domain controllers that reported Warn or Fail status in the Summary table.
5. Find the detailed breakout section for the problem domain controller by searching on the string DC: DomainControllerName.
6. Make the required configuration changes on the domain controllers. Rerun Dcdiag /test:CheckSecurityError with the /e: or /s: switch to validate the configuration changes.
Test the Connection Between Two Domain Controllers for Replication Security Errors

You can test the connection between two domain controllers in your forest for replication security errors. The domain controller that represents the source of the inbound connection does not have to be an existing source to run this test; that is, a connection object from that domain controller does not have to exist on the destination domain controller. The test is useful in the following scenarios:
- A connection exists between a source and a destination, and you receive a security error.
- A connection should be created automatically by the Knowledge Consistency Checker (KCC) and you want to test why the connection does not exist.
- You are trying to create a connection between two domain controllers and you receive a security error.
- You want to determine whether a connection could be created if you wanted to add one on this destination from the specified source.

Requirements
- Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group to test the connection between domain controllers in your domain or a member of the Enterprise Admins group to test the connection between domain controllers in different domains.
- Tool: Dcdiag.exe (Windows Support Tools) included in Windows Server 2003 SP1
- Operating system:

To test the connection between two domain controllers for replication security errors

1. At a command prompt, type the following command, and then press ENTER:

       dcdiag /test:CheckSecurityError /ReplSource:SourceDomainControllerName

   SourceDomainControllerName is the DNS name, NetBIOS name, or distinguished name of the real or potential "from" server that is represented by a real or potential connection object that you want to test. This command tests the connection between the domain controller on which you run the command and the source domain controller.
2. Copy the report into Notepad or an equivalent text editor.
3. Scroll to the Summary table near the bottom of the Dcdiag log file.
4. Note the names of all domain controllers that reported Warn or Fail status in the Summary table.
5. Find the detailed breakout section for the problem domain controller by searching on the string DC: DomainControllerName.
6. Make the required configuration changes on the domain controllers.
7. Rerun Dcdiag /test:CheckSecurityError /ReplSource:SourceDomainControllerName to validate configuration changes.
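Steps 3 through 5 of both procedures above (find the Summary table, note the Warn/Fail domain controllers, locate each one's "DC: name" breakout) are manual log triage. As an added example, not from the TechNet page or from anyone on this list, here is a small Python helper that does that triage over a saved report. The report layout it parses is a constructed approximation of what the text describes (a Summary table with Warn/Fail rows and "DC: <name>" detail sections), not the exact Dcdiag.exe output format, so adjust the two markers if your log differs.

```python
import re

# Constructed sample report in the shape the TechNet text describes: one
# "DC: <name>" detail section per domain controller and a Summary table near
# the bottom. The layout is an assumption, not the exact Dcdiag.exe format.
SAMPLE_REPORT = """\
DC: DC1
      ......................... DC1 passed test CheckSecurityError
DC: DC2
   Starting test: CheckSecurityError
      Access denied when binding to replication source DC1.
      Time skew between DC2 and DC1 exceeds the Kerberos limit.
      ......................... DC2 failed test CheckSecurityError
DC: DC3
   Starting test: CheckSecurityError
      SPN for DC3 could not be verified on DC1.
      ......................... DC3 warned on test CheckSecurityError

Summary
   DC1    Pass
   DC2    Fail
   DC3    Warn
"""

def summary_problems(report):
    """Step 4: name -> status for every DC marked Warn or Fail in the Summary table."""
    lines = report.splitlines()
    starts = [i for i, ln in enumerate(lines) if ln.strip().lower().startswith("summary")]
    if not starts:
        return {}
    problems = {}
    for line in lines[starts[-1] + 1:]:  # the Summary table is near the bottom
        m = re.match(r"\s*(\S+)\s+(Warn|Fail)\b", line)
        if m:
            problems[m.group(1)] = m.group(2)
    return problems

def detail_section(report, dc_name):
    """Step 5: the breakout for one DC, from its 'DC: name' line to the next DC or the Summary."""
    out, capturing = [], False
    for line in report.splitlines():
        if line.startswith("DC:"):
            if capturing:
                break  # reached the next domain controller's section
            capturing = line[3:].strip() == dc_name
        elif capturing and line.strip().lower().startswith("summary"):
            break
        if capturing:
            out.append(line)
    return "\n".join(out).rstrip()
```

Run it on the text you copied out in step 2: `summary_problems()` gives the list of DCs to chase, and `detail_section()` pulls out the breakout you would otherwise scroll to by hand.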
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: Friday, July 29, 2005 1:40 PM
To: [email protected]
Subject: RE: [ActiveDir] Urgh... troubleshooting....
What happens when you run DCDIAG from the broken DC ?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Friday, July 29, 2005 1:32 PM
To: [email protected]
Subject: RE: [ActiveDir] Urgh... troubleshooting....
Michel-
Care to elaborate? We have 8.0i in the lab and I haven't noticed any ill effects on the DC's but this certainly caught my eye as we are scheduled to move it over to production soon.
Thanks
Bob
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruyere, Michel
Sent: Friday, July 29, 2005 1:22 PM
To: [email protected]
Subject: RE: [ActiveDir] Urgh... troubleshooting....
May look strange but are you running McAfee 8.0i??
Got someone that had something similar and the TDI driver of VS8 was the culprit...
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of vex
> Sent: Friday, July 29, 2005 4:15 PM
> To: [email protected]
> Subject: [ActiveDir] Urgh... troubleshooting....
>
> Greetings,
> I've been a lurker here for quite some time and have had a
> relatively quiet AD until recently.
>
> We have a small network with 2K servers and a mix of 2K and XP2
> workstations.
> Until recently, everything was fine.
>
> Then Something Happened.
>
> I'm not sure what started the ball rolling, but it's certainly rolling
> now.
>
> I have one server that is listed in the AD and DNS as a DC, but it
> won't replicate AD either direction. I've spent a couple of hours
> doing some web surfing and initial troubleshooting, but I've had less
> than stellar success. (at one point in time it was working fine, since
> I have a lot of older AD information on the problem server)
>
> I've run DnsLint and all the DNS entries look good.
>
> When I do a 'net view \\servername' from the DC that does not have up
> to date AD information, I get a message back, "access denied", and a
> corresponding entry in the security log about a failure audit of the
> server I'm attempting to view. But when I do the same thing and use an
> IP address instead of a server name, the net view information
> displays.
>
> Another symptom is printer connections and drive mapping. If I'm at
> the server with the out of date AD information, I'm getting an 'access
> denied' message when attempting to connect to a network printer or map
> a network drive.
>
> All of the steps outlined above work fine when initiated from any of
> the other servers. It's almost like the server with the out of date AD
> information is allowing access, but the rest of the servers in the
> organization won't let *that* particular server have access to any
> domain related "stuff", such as printers and network shares.
>
> I can't even run dcpromo and remove AD from the affected server
> because it asks for some sort of authorization from other DC's located
> in the organization, but the other DC's won't allow it to access
> information. I'm assuming it's trying to tell the other DC's to remove
> any pertinent entries from the AD in regards to the server that's
> attempting to have its AD removed....
>
> Does anyone have any links to places I can continue to search for
> troubleshooting information?
>
>
>
> --Brett
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
