Hi guys,
Would anyone be able to help with the below? I'm having trouble updating the schema, and it seems there are replication issues with it and I can't figure out why.
I've got two DC's, Windows Server 2012, and the other is 2012 r2 which is the primary.
I've confirmed the IP setup is correct, time and date is correct, and both the firewalls are off. They can contact each other fine (i.e. pinging and accessing other services, even active directory objects are replicating between the two fine, it just seems to be the schema which isn't working).
I'm getting the following error within event logs for the Directory Services:
repadmin /showrepl:
Netdom /query fsmo:
Because of the above I can't update the schema.
Any suggestions or pointers?
Would anyone be able to help with the below? I'm having trouble updating the schema, and it seems there are replication issues with it and I can't figure out why.
I've got two DC's, Windows Server 2012, and the other is 2012 r2 which is the primary.
I've confirmed the IP setup is correct, time and date is correct, and both the firewalls are off. They can contact each other fine (i.e. pinging and accessing other services, even active directory objects are replicating between the two fine, it just seems to be the schema which isn't working).
I'm getting the following error within event logs for the Directory Services:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 09/03/2015 14:28:06
Event ID: 2092
Task Category: Replication
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: Server01.theden.uk
Description:
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: DC=theden,DC=uk
User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="32768">2092</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2015-03-09T14:28:06.396545300Z" />
<EventRecordID>5111</EventRecordID>
<Correlation />
<Execution ProcessID="560" ThreadID="656" />
<Channel>Directory Service</Channel>
<Computer>Server01.theden.uk</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>DC=theden,DC=uk</Data>
</EventData>
</Event>
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 09/03/2015 14:28:06
Event ID: 2092
Task Category: Replication
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: Server01.theden.uk
Description:
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: DC=theden,DC=uk
User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="32768">2092</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2015-03-09T14:28:06.396545300Z" />
<EventRecordID>5111</EventRecordID>
<Correlation />
<Execution ProcessID="560" ThreadID="656" />
<Channel>Directory Service</Channel>
<Computer>Server01.theden.uk</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>DC=theden,DC=uk</Data>
</EventData>
</Event>
repadmin /showrepl:
PS C:\Users\Administrator> repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\SERVER01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: d02408b5-0f61-4288-bcd2-658ec5f78c5e
DSA invocationID: d02408b5-0f61-4288-bcd2-658ec5f78c5e
==== INBOUND NEIGHBORS ======================================
DC=theden,DC=uk
Default-First-Site-Name\DC02 via RPC
DSA object GUID: e2072760-7a68-4094-8b16-fd16c5956071
Last attempt @ 2015-03-09 14:30:25 was successful.
CN=Configuration,DC=theden,DC=uk
Default-First-Site-Name\DC02 via RPC
DSA object GUID: e2072760-7a68-4094-8b16-fd16c5956071
Last attempt @ 2015-03-09 14:32:09 was successful.
CN=Schema,CN=Configuration,DC=theden,DC=uk
Default-First-Site-Name\DC02 via RPC
DSA object GUID: e2072760-7a68-4094-8b16-fd16c5956071
Last attempt @ 2015-03-09 14:29:16 failed, result 1908 (0x774):
Could not find the domain controller for this domain.
55 consecutive failure(s).
Last success @ 2015-01-29 00:05:12.
DC=DomainDnsZones,DC=theden,DC=uk
Default-First-Site-Name\DC02 via RPC
DSA object GUID: e2072760-7a68-4094-8b16-fd16c5956071
Last attempt @ 2015-03-09 14:30:08 was successful.
DC=ForestDnsZones,DC=theden,DC=uk
Default-First-Site-Name\DC02 via RPC
DSA object GUID: e2072760-7a68-4094-8b16-fd16c5956071
Last attempt @ 2015-03-09 14:33:39 was successful.
Source: Default-First-Site-Name\DC02
******* 55 CONSECUTIVE FAILURES since 2015-01-29 00:05:12
Last error: 1908 (0x774):
Could not find the domain controller for this domain.
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\SERVER01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: d02408b5-0f61-4288-bcd2-658ec5f78c5e
DSA invocationID: d02408b5-0f61-4288-bcd2-658ec5f78c5e
==== INBOUND NEIGHBORS ======================================
DC=theden,DC=uk
Default-First-Site-Name\DC02 via RPC
DSA object GUID: e2072760-7a68-4094-8b16-fd16c5956071
Last attempt @ 2015-03-09 14:30:25 was successful.
CN=Configuration,DC=theden,DC=uk
Default-First-Site-Name\DC02 via RPC
DSA object GUID: e2072760-7a68-4094-8b16-fd16c5956071
Last attempt @ 2015-03-09 14:32:09 was successful.
CN=Schema,CN=Configuration,DC=theden,DC=uk
Default-First-Site-Name\DC02 via RPC
DSA object GUID: e2072760-7a68-4094-8b16-fd16c5956071
Last attempt @ 2015-03-09 14:29:16 failed, result 1908 (0x774):
Could not find the domain controller for this domain.
55 consecutive failure(s).
Last success @ 2015-01-29 00:05:12.
DC=DomainDnsZones,DC=theden,DC=uk
Default-First-Site-Name\DC02 via RPC
DSA object GUID: e2072760-7a68-4094-8b16-fd16c5956071
Last attempt @ 2015-03-09 14:30:08 was successful.
DC=ForestDnsZones,DC=theden,DC=uk
Default-First-Site-Name\DC02 via RPC
DSA object GUID: e2072760-7a68-4094-8b16-fd16c5956071
Last attempt @ 2015-03-09 14:33:39 was successful.
Source: Default-First-Site-Name\DC02
******* 55 CONSECUTIVE FAILURES since 2015-01-29 00:05:12
Last error: 1908 (0x774):
Could not find the domain controller for this domain.
Netdom /query fsmo:
PS C:\Users\Administrator> netdom /query fsmo
Schema master Server01.theden.uk
Domain naming master Server01.theden.uk
PDC Server01.theden.uk
RID pool manager Server01.theden.uk
Infrastructure master Server01.theden.uk
The command completed successfully.
Schema master Server01.theden.uk
Domain naming master Server01.theden.uk
PDC Server01.theden.uk
RID pool manager Server01.theden.uk
Infrastructure master Server01.theden.uk
The command completed successfully.
Because of the above I can't update the schema.
Any suggestions or pointers?
