There aren't any events on the workstations, but it seems we have a serious issue with replication between two RODC servers we are in the process of setting up for two branch offices. Right now the two machines are all set up and sitting on the network in our main office. They are in AD in our main office Site and have IP addresses on the main office subnet. They have actually been sitting here for weeks while we wait for some construction to finish at the branch sites.

Apparently something happened about a week ago that started triggering replication errors. Also it seems that for at least one user, only on Windows 7, authentication is always against one of the RODCs instead of one of the writable DCs. Shutting down the RODCs eliminates the logon problem the user was having (no computer account for this workstation trust relationship), but that obviously doesn't solve the problem.

The writable DCs are both flooded with: Directory Service error Event ID 1168, where the user listed is Domain\RODC1$ and the computer is the writeable DC with the error. The description, helpfully, is "An Active Directory Domain Services error has occurred."

I turned on Kerberos logging on one of the writeable DCs and am seeing this event every few minutes:

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 6/27/2011 9:43:49 AM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: writeableDC.domain.int
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 13:43:49.0000 6/27/2011 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: DOMAIN.INT
Server Name: [email protected]
Target Name: writeableDC$@[email protected]
Error Text:
File: 9
Line: e2d
Error Data is in record data.

On the RODCs there are numerous errors showing:

Event ID: 1084
Task Category: Replication
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: RODC1.domain.int
Description:
Internal event: Active Directory Domain Services could not update the following object with changes received from the following source directory service. This is because an error occurred during the application of the changes to Active Directory Domain Services on the directory service.

Object: CN=krbtgt_34223\0ADEL:3a86013f-f788-48e2-91a5-5b1c769446a8,CN=Deleted Objects,DC=domain,DC=int
Object GUID: 3a86013f-f788-48e2-91a5-5b1c769446a8
Source directory service: a15205a0-a8d5-4b28-96a8-a052877d4066._msdcs.domain.int

Synchronization of the directory service with the source directory service is blocked until this update problem is corrected. This operation will be tried again at the next scheduled replication.

User Action
Restart the local computer if this condition appears to be related to low system resources (for example, low physical or virtual memory).

Additional Data
Error value: 8633 The replication operation failed because the required attributes of the local krbtgt object are missing.

I'm searching for information on these errors, but if anyone has a clue (which I obviously don't) I'd be grateful for any help.

Thanks,
Ralph

-----Original Message-----
From: Michael B. Smith [mailto:[email protected]]
Sent: Friday, June 24, 2011 11:37 AM
To: NT System Admin Issues
Subject: RE: Win 7 login problem with trust relationship error

Account corruptions are very rare. This should be generating event log errors on both the client machine and on the authenticating domain controller indicating, in more detail, what the issues are. Have you checked those out?

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: John Aldrich [mailto:[email protected]]
Sent: Friday, June 24, 2011 11:33 AM
To: NT System Admin Issues
Subject: RE: Win 7 login problem with trust relationship error

Well, I'm no expert by any stretch of anyone's imagination, but it sounds to me like her account has gotten corrupted somehow. Have you checked her A/D account?
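The three event types Ralph quotes at the top of this thread (Kerberos event 3 with KDC_ERR_BADOPTION and Directory Service event 1168 on the writable DC, replication event 1084 with error 8633 on the RODC naming a tombstoned krbtgt_34223 object) can be pulled out of an Event Viewer text export with a small triage script, which makes it obvious which host reports what and whether the 8633 events point at the RODC's own secondary krbtgt account. This is an added example, not code from the thread or from any Microsoft tool; the records below are constructed from the fields in Ralph's post (values the list archive stripped are replaced with constructed placeholders), and the one-field-per-line layout assumes Event Viewer's "Copy details as text" output.

```python
import re
# Constructed sample records modelled on the events quoted in Ralph's post (not a real
# export); one "Key: value" per line, the layout Event Viewer's "Copy details as text" gives.
SAMPLE_EVENTS = [
    """Source: Microsoft-Windows-Security-Kerberos
Event ID: 3
Computer: writeableDC.domain.int
Error Code: 0xd KDC_ERR_BADOPTION""",
    """Log Name: Directory Service
Event ID: 1084
Computer: RODC1.domain.int
Object: CN=krbtgt_34223\\0ADEL:3a86013f-f788-48e2-91a5-5b1c769446a8,CN=Deleted Objects,DC=domain,DC=int
Error value: 8633""",
    """Log Name: Directory Service
Event ID: 1168
User: DOMAIN\\RODC1$
Computer: writeableDC.domain.int""",
]
# Each RODC has its own secondary krbtgt account named krbtgt_<number>.
KRBTGT_RODC = re.compile(r"^CN=krbtgt_(\d+)", re.IGNORECASE)

def parse_event(text):
    """Split a 'Key: value' record into a dict; only the first colon separates, so DNs keep theirs."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(ev):
    """Map one record to a triage label; 'other' for anything outside the patterns in the thread."""
    eid = ev.get("Event ID")
    if eid == "1084" and ev.get("Error value") == "8633":
        m = KRBTGT_RODC.match(ev.get("Object", ""))
        if m and "CN=Deleted Objects" in ev["Object"]:
            return "rodc-krbtgt-tombstoned:" + m.group(1)  # the RODC's own krbtgt_* is a tombstone
        return "replication-8633"
    if eid == "3" and "KDC_ERR_BADOPTION" in ev.get("Error Code", ""):
        return "kerberos-badoption"
    if eid == "1168":
        return "ds-internal-error:" + ev.get("User", "")
    return "other"

def triage(records):
    """Group reporting computers under each label so the RODC / writable-DC pairing stands out."""
    summary = {}
    for ev in map(parse_event, records):
        summary.setdefault(classify(ev), []).append(ev.get("Computer", "?"))
    return summary
```

Running `triage(SAMPLE_EVENTS)` on the constructed records returns one entry per label with the reporting host list, so the RODC-side krbtgt tombstone and the writable-DC-side Kerberos and 1168 errors line up against each other.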
-----Original Message-----
From: Ralph Smith [mailto:[email protected]]
Sent: Friday, June 24, 2011 11:22 AM
To: NT System Admin Issues
Subject: RE: Win 7 login problem with trust relationship error

I could do that, but it's a bit of a hassle between migrating her profile on each of the computers she uses as well as her Exchange mailbox and BlackBerry account. It might resolve the immediate problem, but I wouldn't be any closer to knowing what is wrong. The thing is, I really want to understand the root cause of the issue so that if there is something in my environment that is causing the problem it can be fixed before we roll out Windows 7 to all of our users and find out this isn't an isolated incident.

-----Original Message-----
From: John Aldrich [mailto:[email protected]]
Sent: Friday, June 24, 2011 10:11 AM
To: NT System Admin Issues
Subject: RE: Win 7 login problem with trust relationship error

Have you tried deleting the user and recreating her? Since, as you stated, other people can log on without problems, it would appear to be primarily the user's A/D account.

From: Ralph Smith [mailto:[email protected]]
Sent: Friday, June 24, 2011 10:00 AM
To: NT System Admin Issues
Subject: RE: Win 7 login problem with trust relationship error

I thought of that, but this seems to be affecting a specific user account on multiple computers, some of which are new and I know don't have duplicate names. It doesn't seem reasonable to have to change the name on every Win 7 computer in the domain.

From: Tom Miller [mailto:[email protected]]
Sent: Friday, June 24, 2011 9:55 AM
To: NT System Admin Issues
Subject: Re: Win 7 login problem with trust relationship error

This sounds familiar. I had an issue with a PC and it was something like this. Turned out it was a duplicate name. Try changing the name and see what happens. We just changed the problem PC from something like 4097 to 4097A and that did it.
>>> "Ralph Smith" <[email protected]> 6/24/2011 9:34 AM >>>

Has anyone seen a problem like this and found an explanation / solution?

Windows 2008 domain and all Windows XP clients except for five Windows 7 machines. Single forest, single domain - no trusts or child domains.

One machine is a laptop we just upgraded to Win 7, and when we went to have the user log on to it she got this error: "The security database on the server does not have a computer account for this workstation trust relationship."

The odd thing is that the IT staff and one test account can all log in to the machine with no errors, so it doesn't seem like it's the computer. She has no trouble logging on to any Windows XP clients or 2003 terminal servers, so it doesn't seem as though her user account is bad. She gets the same error logging on to all of the other four Win 7 machines, so it seems to be a combination of something with her user account and something about Windows 7.

On the laptop we found that if we take it off the domain, reboot, join it to the domain, reboot, the user can log on for a limited time and then the error comes back. Also, per some advice we got from Google Tech Support, on another computer we used Adsiedit to change the dnshost attribute from "win7pc" to "win7pc.domain.com", and added "win7pc.domain.com" to servicePrincipalName. This also was a temporary resolution. We also found that sometimes she can successfully log in if we use the "[email protected]" format, but sometimes that also results in the same error.

All the information I have been able to find seems to be related to issues involving trusts between computers in different domains or errors when joining a computer to a domain. But these issues all seem to affect all users logging in to a computer, and don't seem to apply here.

Any ideas? I greatly appreciate any insight someone may have.

Thanks,
Ralph

Confidentiality Notice:
-----------------------
This communication, including any attachments, may contain confidential information and is intended only for the individual or entity to whom it is addressed. Any review, dissemination, or copying of this communication by anyone other than the intended recipient is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email, delete and destroy all copies of the original message.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
