Interesting. When you say that the Linux (Samba) servers can't talk to 
DC20, what are you seeing? Authentication failures? How is Samba 
configured? NTLM, or Kerberos? 

Any thoughts of upgrading the 2008 DCs to 2008 R2? See if the issue 
persists? 

Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
[email protected] 




The Guardian Life Insurance Company of America

www.guardianlife.com 







From:   Elijah Buck <[email protected]>
To:     "NT System Admin Issues" <[email protected]>
Date:   01/29/2013 10:30 AM
Subject:        Re: DC eventid 1168, bizarre behavior



A reboot does fix the issue. We've rebooted three times this month to fix 
the issue. Oddly, the errors do go back to 12/20/12, but we apparently 
didn't notice the problem in December.

It has never happened on DC20 (our only 2008R2 DC). The Linux servers are 
in the CAL site and can talk to the RODC in the CAL site, all four DCs in 
CORP, but cannot talk to DC20.

We aren't running a daily DCDIAG, but running DCDIAG on DC11 and DC20 both 
report all tests passed.

Here is the frequency of error 1168 on DC11. The error seems to occur 
every time an ADSI edit read fails.

      1   12/20/2012
      1   12/21/2012
      1   12/22/2012
      1   12/23/2012
      1   12/24/2012
      1   12/25/2012
      1   12/26/2012
      1   12/27/2012
      5   12/28/2012
     28   12/29/2012
      5   12/30/2012
     17   12/31/2012
      1   1/1/2013
     13   1/2/2013
      9   1/3/2013
     12   1/4/2013
     13   1/5/2013
      1   1/6/2013
      4   1/7/2013
      2   1/8/2013
     17   1/9/2013
     65   1/10/2013
     26   1/11/2013
      1   1/12/2013
      1   1/13/2013
      1   1/14/2013
     17   1/16/2013
     10   1/17/2013
      8   1/19/2013
      1   1/20/2013
      1   1/21/2013
      2   1/23/2013
      1   1/24/2013
     13   1/25/2013
      1   1/26/2013
      1   1/27/2013
      3   1/28/2013
      1   1/29/2013

Replication seems OK:
C:\>repadmin /showrepl |findstr Last
        Last attempt @ 2013-01-29 10:26:08 was successful.
        Last attempt @ 2013-01-29 10:26:18 was successful.
        Last attempt @ 2013-01-29 10:26:39 was successful.
        Last attempt @ 2013-01-29 09:52:31 was successful.
        Last attempt @ 2013-01-29 09:52:31 was successful.
        Last attempt @ 2013-01-29 10:22:31 was successful.
        Last attempt @ 2013-01-29 09:52:31 was successful.
        Last attempt @ 2013-01-29 09:52:31 was successful.
        Last attempt @ 2013-01-29 10:22:31 was successful.
        Last attempt @ 2013-01-29 09:52:31 was successful.
        Last attempt @ 2013-01-29 09:52:32 was successful.
        Last attempt @ 2013-01-29 10:22:31 was successful.
        Last attempt @ 2013-01-29 09:52:32 was successful.
        Last attempt @ 2013-01-29 09:52:32 was successful.
        Last attempt @ 2013-01-29 10:22:31 was successful.

On Tue, Jan 29, 2013 at 9:23 AM, Christopher Bodnar <[email protected]> wrote:
Never happened on DC20? When this happens, does a reboot resolve the 
issue? 

What has been the frequency? Any chance you run a daily DCDIAG report? 
What does your replication health look like on a daily basis? 










From:        Elijah Buck <[email protected]> 
To:        "NT System Admin Issues" <[email protected]> 
Date:        01/28/2013 05:05 PM 
Subject:        DC eventid 1168, bizarre behavior 



Hello,

I've been battling an odd issue with our domain controllers, and am
completely stumped. This seems to have been precipitated by adding a
Read Only Domain Controller and adding a number of Linux Samba
servers. The symptoms of the issue follow:

On DC11 (2008 sp2 ReadWrite DC, 2GB ram, virtual machine on ESXi 5.0u2):

0.) cpu usage is low, typically under 5%. Memory is 800M cached. 118M 
free.

1.) In the Directory Service event log the following two errors are 
logged:
*Event ID 1168 - Internal error: An Active Directory Domain Services
error has occured.
Additional data: Error value (decimal): 1450, Error Value (hex): 5aa,
Internal ID: 124048b
*Event ID 1168 - Internal error: An Active Directory Domain Services
error has occured.
Additional data: Error value (decimal): 1450, Error Value (hex): 5aa,
Internal ID: 1240627

2.) This has happened three times on DC11, and once on DC10 (also 2008
sp2). The time that it affected both DC11 and DC10, manually pushing
passwords-to-be-cached to the RODC failed.

3.) Trying to read the properties of an object with ADSI edit
(connected to DC11) returns:
Windows could not load the values for all the attributes. Operation
failed. Error Code:
0x2121. The search failed to retrieve attributes from the database.
00002121: SvcErr: DSID-0312048E, problem 5012 (DIR_ERROR), data 1450.

4.) Attempting to run Windows Update gives Error 0x800705AA, which I
believe is ERROR_NO_SYSTEM_RESOURCE.

5.) Running 'runas /user:me cmd' fails with "5: Access is denied"

6.) The server appears to continue to service auth requests, and LDAP
binds still work. However, we seem to encounter intermittent issues
with the samba servers during this time.

Site topology:
 CORP:
 DC4, DC5 (server 2003, auto-site coverage disabled by registry)
 DC10, DC11 (server 2008 sp2)

 CAL: connected to CORP
 RODC1 (server 2008 R2, read only domain controller)

 NY: connected to CORP and DRSITE
 NYDC4 (server 2003)

 DRSITE: connected to CORP and NY
 DC3 (server 2003)
 DC20 (server 2008 R2)

DC4 is the Schema Master. All other roles are on DC5.

repadmin /showrepl and dcdiag don't show any errors.

Two additional bits of information. (1) For some reason, IIS is
installed on the DC10 and DC11 domain controllers. (2) A similar thing
recently happened with our Exchange 2010 server (2008 R2). The same
error with 'runas' failing occurred, IIS app pools couldn't restart,
and the Windows Process Activation Service couldn't be restarted (also
with error 5 access denied).

I am planning on setting up a new RWDC, physically in CORP but in the
CAL AD site, and seeing if the issue follows the new server or stays
with DC11.

Any help would be appreciated.

Thanks,
Elijah


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/

or send an email to [email protected]
with the body: unsubscribe ntsysadmin

----------------------------------------- This message, and any 
attachments to it, may contain information that is privileged, 
confidential, and exempt from disclosure under applicable law. If the 
reader of this message is not the intended recipient, you are notified 
that any use, dissemination, distribution, copying, or communication of 
this message is strictly prohibited. If you have received this message in 
error, please notify the sender immediately by return e-mail and delete 
the message and any attachments. Thank you. 
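
Added example, not part of the thread or written by any of its participants: a short Python script that pulls the Win32 error code out of each symptom string quoted in the original post (event 1168, the ADSI Edit error, the Windows Update HRESULT, the runas failure) and groups the symptoms by code. The dictionary keys naming each symptom are labels chosen for this example.

```python
import re

# Win32 codes seen in the thread (values from winerror.h).
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 1450: "ERROR_NO_SYSTEM_RESOURCES"}
FACILITY_WIN32 = 7

def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    return bool((value >> 31) & 1), (value >> 16) & 0x7FF, value & 0xFFFF

def win32_codes(line):
    """Return the set of Win32 error codes referenced by one symptom line."""
    codes = set()
    # Event 1168: "Error value (decimal): 1450, Error Value (hex): 5aa"
    codes.update(int(m) for m in re.findall(r"\(decimal\):\s*(\d+)", line))
    codes.update(int(m, 16) for m in re.findall(r"\(hex\):\s*([0-9a-fA-F]+)", line))
    # Directory service extended error: "problem 5012 (DIR_ERROR), data 1450"
    codes.update(int(m) for m in re.findall(r"\bdata\s+(\d+)", line))
    # A failing HRESULT with facility 7 carries a Win32 code in its low 16 bits
    for m in re.findall(r"0x([0-9a-fA-F]{8})\b", line):
        failed, facility, code = decode_hresult(int(m, 16))
        if failed and facility == FACILITY_WIN32:
            codes.add(code)
    # runas output: "5: Access is denied"
    codes.update(int(m) for m in re.findall(r'"(\d+):', line))
    return codes

# Symptom strings copied from the original post; keys are labels for this example.
SYMPTOMS = {
    "event_1168": "Additional data: Error value (decimal): 1450, "
                  "Error Value (hex): 5aa, Internal ID: 124048b",
    "adsi_edit": "00002121: SvcErr: DSID-0312048E, problem 5012 (DIR_ERROR), data 1450.",
    "windows_update": "Windows Update gives Error 0x800705AA",
    "runas": 'runas /user:me cmd fails with "5: Access is denied"',
}

def correlate(symptoms):
    """Map each Win32 code to the sorted list of symptoms that report it."""
    by_code = {}
    for label, line in symptoms.items():
        for code in win32_codes(line):
            by_code.setdefault(code, []).append(label)
    return {code: sorted(labels) for code, labels in by_code.items()}

if __name__ == "__main__":
    for code, labels in sorted(correlate(SYMPTOMS).items()):
        print(code, WIN32_NAMES.get(code, "unknown"), labels)
```

Three of the four symptoms decode to the same code, 1450, while the runas failure reports code 5.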