# Issue with PDC checkpoint and general replication *Help*



## Awizarddidit (Aug 26, 2008)

Hey guys,

I've been dealing with a problem for a while now and I haven't really been making much leeway, so this is a bit of a shot in the dark. I've inherited the job of supporting a Windows Server AD domain that's been around for quite some time. Here are the specifics.

Environment
Two domain controllers and 24 computers, all at one location. It is a single domain/forest running in Windows Server 2000 native mode. The first DC is srv1.domain.lan and the second DC is srv2.domain.lan.

srv1
Windows Server 2000 - fully patched, GC server, DNS/DC and holds the schema FSMO role
IP: 192.168.10.99
SN: 255.255.255.0
GW: 192.168.10.254
DNS: 192.168.10.100

srv2
Windows Server 2003 R2 - fully patched, NOT a GC server, DNS/DC and holds the PDC, domain naming, infrastructure & RID FSMO roles
IP: 192.168.10.100
SN: 255.255.255.0
GW: 192.168.10.254
DNS: 192.168.10.100

DHCP is handled by the router, which serves as the gateway as well (192.168.10.254).

There is only one site, all the systems are behind the same firewall and both DCs are using Trend Micro Client/Server.

The servers are only separated by a 48-port switch. I can ping each server from the other with less than a millisecond of latency, and nslookup from either server for the other server resolves successfully.

I have checked all the SRV records and they appear to be correct. The only things to note are that:
Host, PTR and NS records for both DCs are shown and correct.
The SOA record is for srv1.domain.lan.
Under ForwardLookupZones/DomainDNSZones/_sites & ForwardLookupZones/DomainDNSZones/_tcp there is a _ldap SRV record that points to srv2.domain.lan only.
The _gc SRV record correctly points to srv1.domain.lan only.
The PDC _ldap SRV record correctly points to srv2.domain.lan.

Problem
Every 4 hours I am getting an Event ID 1586 on srv1: 'checkpoint with the PDC was unsuccessful...The error was [].' When I check the role on srv2, PDC displays the correct information under Operations Master and no errors show on srv2 pertaining to the PDC role. I do have the following two errors on srv2, though....

In the event log under Application I have an Event 1058 error that says 'Windows cannot access the file gpt.ini for GPO ...access is denied. Group Policy processing aborted.' I checked the file and it is there, and I don't see any outstanding denies on the folder, either directly or through inheritance. But I think this is minor compared to the second error below....

In the event log on srv2 under DS I have Event ID 2042. When I follow the solution from MS here: http://technet.microsoft.com/en-us/library/cc757610(WS.10).aspx
repadmin lists six objects replicating via RPC (obviously, as this is all local) that are out of sync with srv1.
I updated the time on both servers with the net time cmd and set them to the same NTP servers, then started and stopped the w32time service on both machines, and now both computers show the exact same time and the event log shows a successful time update (they were out by 4 minutes).
I have not removed the 'lingering objects' as I don't have either of the event IDs showing in the logs that MS lists. Should I remove those objects, or should I just update HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to allow for replication with divergent and corrupted partner? It seems these servers have been out of sync since mid-April.....

I also wanted to include that I ran netdiag on srv2 and it passed every test. DCdiag on srv2, on the other hand, had issues with the replication (obviously), systemlog and kccevent checks *see bottom*

Two other minor questions....

Shouldn't the Start of Authority record point to srv2, as it has the only _ldap SRV record in DomainDnsZones and srv1 does not?

I am sure the original reason for not having srv2 as a GC server was the infrastructure FSMO role it owns, but seeing as there is only one domain (and there will never be an additional domain), would it be wise to set srv2 up as a GC server as well?

Any help would be greatly appreciated. I am aware this is a major problem; these issues are not my responsibility (currently they're no one's), but I am committed to fixing this if at all possible. Any help is GREATLY appreciated; let me know if I missed anything or need to provide any extra information.

/R

*****************************************************************************************************************************

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SRV2
Starting test: Connectivity
......................... SRV2 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SRV2
Starting test: Replications
[Replications Check,SRV2] A recent replication attempt failed:
From SRV1 to SRV2
Naming Context: CN=Schema,CN=Configuration,DC=domain,DC=lan
The replication generated an error (8614):
The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
The failure occurred at 2010-10-12 13:46:24.
The last success occurred at 2009-04-03 06:50:29.
13410 failures have occurred since the last success.
[Replications Check,SRV2] A recent replication attempt failed:
From SRV1 to SRV2
Naming Context: CN=Configuration,DC=domain,DC=lan
The replication generated an error (8614):
The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
The failure occurred at 2010-10-12 14:02:07.
The last success occurred at 2009-04-03 07:11:38.
20341 failures have occurred since the last success.
[Replications Check,SRV2] A recent replication attempt failed:
From SRV1 to SRV2
Naming Context: DC=domain,DC=lan
The replication generated an error (8614):
The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
The failure occurred at 2010-10-12 14:12:19.
The last success occurred at 2009-04-03 07:09:09.
16202 failures have occurred since the last success.
REPLICATION-RECEIVED LATENCY WARNING
SRV2: Current time is 2010-10-12 14:13:50.
CN=Schema,CN=Configuration,DC=domain,DC=lan
Last replication recieved from SRV1 at 2009-04-03 06:50:29.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
CN=Configuration,DC=domain,DC=lan
Last replication recieved from SRV1 at 2009-04-03 07:11:38.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
DC=domain,DC=lan
Last replication recieved from SRV1 at 2009-04-03 07:09:09.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
......................... SRV2 passed test Replications
Starting test: NCSecDesc
......................... SRV2 passed test NCSecDesc
Starting test: NetLogons
......................... SRV2 passed test NetLogons
Starting test: Advertising
......................... SRV2 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SRV2 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SRV2 passed test RidManager
Starting test: MachineAccount
......................... SRV2 passed test MachineAccount
Starting test: Services
......................... SRV2 passed test Services
Starting test: ObjectsReplicated
......................... SRV2 passed test ObjectsReplicated
Starting test: frssysvol
......................... SRV2 passed test frssysvol
Starting test: frsevent
......................... SRV2 passed test frsevent
Starting test: kccevent
An Error Event occured. EventID: 0xC00007FA
Time Generated: 10/12/2010 14:02:07
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00007FA
Time Generated: 10/12/2010 14:06:17
(Event String could not be retrieved)
......................... SRV2 failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 10/12/2010 13:22:51
Event String: The kerberos client received a

......................... SRV2 failed test systemlog
Starting test: VerifyReferences
......................... SRV2 passed test VerifyReferences

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : domain
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom

Running enterprise tests on : domain.lan
Starting test: Intersite
......................... domain.lan passed test Intersite
Starting test: FsmoCheck
......................... domain.lan passed test FsmoCheck

Any place where the actual domain was listed I did replace with 'domain'....just FYI (it's just for privacy's sake). Thanks again.
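The replication failures in the dcdiag output above can be triaged mechanically before deciding between lingering-object cleanup and the registry override the post asks about. The Python script below is an added example, not part of the original post and not a Microsoft tool: it parses the `Replications` section of dcdiag output (an abbreviated copy of the posted output is embedded as constructed sample input), works out how long each naming context has gone without a successful inbound replication from each partner, and flags any source DC past the 60-day tombstone lifetime that dcdiag reports. The 60-day value and error code 8614 come from the output above; the function names and the regular expressions are my own assumptions about the line layout dcdiag printed in this post.

```python
"""Triage helper for dcdiag 'Replications' output: find replication links whose
last success is older than the tombstone lifetime (the error 8614 situation)."""
import re
from datetime import datetime

# Tombstone lifetime dcdiag reports for this forest (60 days, the older default).
TOMBSTONE_LIFETIME_DAYS = 60
# Win32 error 8614 = ERROR_DS_REPL_LIFETIME_EXCEEDED, the code shown in the output above.
ERR_REPL_LIFETIME_EXCEEDED = 8614
TS = "%Y-%m-%d %H:%M:%S"  # timestamp format dcdiag uses in these lines

# Constructed sample input: an abbreviated copy of the dcdiag output in the post
# (two of the three failing naming contexts, plus the current-time line).
SAMPLE_DCDIAG = """\
Starting test: Replications
[Replications Check,SRV2] A recent replication attempt failed:
From SRV1 to SRV2
Naming Context: CN=Schema,CN=Configuration,DC=domain,DC=lan
The replication generated an error (8614):
The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
The failure occurred at 2010-10-12 13:46:24.
The last success occurred at 2009-04-03 06:50:29.
13410 failures have occurred since the last success.
[Replications Check,SRV2] A recent replication attempt failed:
From SRV1 to SRV2
Naming Context: DC=domain,DC=lan
The replication generated an error (8614):
The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
The failure occurred at 2010-10-12 14:12:19.
The last success occurred at 2009-04-03 07:09:09.
16202 failures have occurred since the last success.
REPLICATION-RECEIVED LATENCY WARNING
SRV2: Current time is 2010-10-12 14:13:50.
"""

# One failed link = the seven-line block dcdiag prints per naming context
# (layout assumed from the post; adjust if your dcdiag build wraps lines differently).
FAILURE_RE = re.compile(
    r"A recent replication attempt failed:[ \t]*\n"
    r"From (?P<source>\S+) to (?P<dest>\S+)[ \t]*\n"
    r"Naming Context: (?P<nc>.+?)[ \t]*\n"
    r"The replication generated an error \((?P<code>\d+)\):[ \t]*\n"
    r".*\n"  # the human-readable error text, one line
    r"The failure occurred at (?P<failed>[\d-]+ [\d:]+)\.[ \t]*\n"
    r"The last success occurred at (?P<last_ok>[\d-]+ [\d:]+)\.[ \t]*\n"
    r"(?P<count>\d+) failures have occurred since the last success\."
)
CURRENT_TIME_RE = re.compile(r"Current time is ([\d-]+ [\d:]+)\.")


def parse_replication_failures(text):
    """Return one dict per failed replication link found in the dcdiag text."""
    failures = []
    for m in FAILURE_RE.finditer(text):
        failures.append({
            "source": m.group("source"),
            "dest": m.group("dest"),
            "nc": m.group("nc"),
            "error": int(m.group("code")),
            "failed_at": datetime.strptime(m.group("failed"), TS),
            "last_success": datetime.strptime(m.group("last_ok"), TS),
            "failure_count": int(m.group("count")),
        })
    return failures


def parse_current_time(text):
    """Clock of the DC that ran dcdiag, taken from the latency-warning section."""
    m = CURRENT_TIME_RE.search(text)
    return datetime.strptime(m.group(1), TS) if m else None


def assess(failures, now, tombstone_days=TOMBSTONE_LIFETIME_DAYS):
    """Add days-since-last-success and a past-tombstone flag to each link.

    A link counts as past tombstone lifetime either by elapsed time or because
    the DC itself already refused with error 8614."""
    assessed = []
    for f in failures:
        days = (now - f["last_success"]).days
        past = days > tombstone_days or f["error"] == ERR_REPL_LIFETIME_EXCEEDED
        assessed.append(dict(f, days_since_success=days, past_tombstone=past))
    return assessed


def triage(text):
    """Parse and assess a whole dcdiag run; fail loudly if the clock line is missing."""
    now = parse_current_time(text)
    if now is None:
        raise ValueError("no 'Current time is' line found in dcdiag output")
    return assess(parse_replication_failures(text), now)


def divergent_partners(results):
    """Source DCs past tombstone lifetime on any NC. These are the partners whose
    data may hold lingering objects and so need review before replication is
    re-enabled, which is the question the post raises."""
    return sorted({r["source"] for r in results if r["past_tombstone"]})


if __name__ == "__main__":
    rows = triage(SAMPLE_DCDIAG)
    for r in rows:
        print(f"{r['source']}->{r['dest']} {r['nc']}: {r['days_since_success']} days "
              f"since last success, error {r['error']}, "
              f"past tombstone lifetime: {r['past_tombstone']}")
    print("Partners needing lingering-object review:", divergent_partners(rows))
```

Run it against a full dcdiag capture by reading the file into `triage()` instead of `SAMPLE_DCDIAG`. On the posted output every naming context comes back at 557 days since the last success, more than nine times the 60-day lifetime, which is why srv2 reports error 8614 and Event ID 2042 rather than an ordinary transient failure, and why the partner (srv1) should be checked for lingering objects before anything is done to force replication.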


----------

