DC will not replicate, does not know FSMO and will not bind to LDAP (LDAP bind failed with error 8341)

-
Problem Noticed: 
OS : Windows server 2008 R2

 I noticed that DNS did not have entries for this DC so I created them manually... That got the machine to talk somewhat, but still not replicating.
2.  DCDIAG /test:fsmocheck shows: [good-server] LDAP bind failed with error 8341, a directory service error has occurred
3.  The time on the machine is good with network time.
4.  I have McAfee 8.0, but I turned off the policy that stops updates to the windows folders and that did not help.
5.  The application log shows a 1030 (can not query group policy objects) and 1058 error (can not access file gpt.ini for GPO (... ) (Login failure: the target account name is incorrect)...
6.  The directory service log shows 1925 (attempt to establish link to writeable replication link failed) and 1945 (AD did not perform an authenticated RPC to another DC because desired SPN for destination DC is not registered on the KDC...) errors.
7.  The FRS log shows 13508 errors to this DC and the desired replication partners
8.  The system log shows errors event 4 (bad kerberos password used to encrypt the services) and 5774 (Dynamic registration of the DNS record......returned a response code of 5 and a status code of 9017) - I'm guessing these errors are because I entered the DNS records manually...

 Solution:
Here is how I fixed my problem:
run w32tm /rysync /rediscover (run this command 2-3 times on DC and reboot the machine)\

  Here is the solution which worked for some other persons having same issue :
1.  Disable KDC and restart bad DC
2.  Access CMD and reset the secure channel PSWD: using netdom
     netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
  
Where server_name is the name of the server that is the PDC Emulator operations master role holder. 
3.  Restart bad DC, WAIT 15 MINUTES for the bad AD to synchronize with the PDC (make sure you made a connection from the bad DC to the PDC in the sites/services)
4.  Check your replication, you should be groovy :)
5.  Re-enable KDC and reboot DC

Comments

Post a Comment

Popular posts from this blog

Changes in Windows 2008 Active Directory

-
Active Directory Domain Services Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location. Auditing.  Changes made to Active Directory objects can be recorded so that you know what was changed on the object, as well as the previous and current values for the changed attributes. Fine-Grained Passwords.  Password policies can be configured for distinct groups within the domain. No longer does every account have to use the same password policy within the domain. Read-Only Domain Controller.  A domain controller with a read-only version of the Active Directory database can be deployed in environments where the security of
Read more

Windows Server Support Interview Questions and Answers (L1)

-
IIS • Fault-tolerant process architecture----- The IIS 6.0 fault-tolerant process architecture isolates Web sites and applications into self-contained units called application pools • Health Monitoring---- IIS 6.0 periodically checks the status of an application pool with automatic restart on failure of the Web sites and applications within that application pool, increasing application availability. IIS 6.0 protects the server, and other applications, by automatically disabling Web sites and applications that fail too often within a short amount of time • Automatic Process Recycling--- IIS 6.0 automatically stops and restarts faulty Web sites and applications based on a flexible set of criteria, including CPU utilization and memory consumption, while queuing requests • Rapid-fail Protection---- If an application fails too often within a short amount of time, IIS 6.0 will automatically disable it and return a "503 Service Unavailable" error message to any new or queued re
Read more

How to Write a Letter Requesting Sponsorship

-
Write the letter in proper format. Start with the title of the person you are addressing, the address, and date. Begin with a description of the company (if it's a corporate letter) or state who you are (if it's for personal sponsorship) For example, So and So firm is a nonprofit organization committed to rehabilitation... whatever. State the event and the purpose in lucid terms. "We are holding a ---- event on ----- for raising money/making a video/whatever the reason." Request sponsorship by saying "We would be grateful if you helped in sponsoring our event...". Try to give a plan, for example do you want a banner? An announcement? If it's a banner or the sort you could quote sizes and prices. This makes it easier for companies to select a sponsorship plan instead of trying to figure out what exactly you want and how much. Give details. For example, how many people are attending? Who will be the Chief Guest/guests, whether your event will be
Read more