|Subject:||NTDS Replication 1083 & 1955, and SAM 12294 after 2003 upgrade|
|Posted by:||Alex (newsgrou…@news.microsoftnews.com)|
|Date:||Mon, 18 Dec 2006|
Hi. We have recently added a 2003 DC to a single 2000 DC domain. The
addition of the new DC went smoothly, dcdiag /v, repadmin /showrepl and
netdiag tests were all clear and everything appeared to be working
correctly. Unfortunately we have now started to get the errors below for
the Domain Administrator account. I have followed a number of articles to
connect to the DCs using ldp.exe and query for duplication entries. If I
connect to dc1.domain.net, Bind with the Domain Administrator account and
search for Base Dn: DC=MODERNISE,DC=NET and filter on (CN=Administrator) I
get the result Matched DNs: Getting 1 entries. I have enabled NTDS
Debugging until tomorrow to see if the SAM error re-appears, the NTDS errors
are occurring too often to be busy DCs, the DCs are significantly
over-spec'd with only a small number of users.. The SAM entries below
started occurring on Saturday at 01:00 in the morning, we added a new server
to the network which may have been incorrectly configured to use the
Administrator account, therefore with the wrong password as well. I have
taken this server off the network to see if this resolves the SAM errors but
am currently not sure. If the SAM errors are resolved with this I'm
presuming the SAM error is because AD was attempting to lock the
Administrator account which cannot be done therefore causing the error.
If anyone has any advice on how I can investigate further the NTDS
Replication it would really be appreciated. I was hoping to complete the
replacement of the 2000 DC with 2003 but don't want to procede until this
issue is resolved. If these errors had been occurring on any other account
I would just have deleted the account and recreated it, but unfortunately it
is the default Domain Admin account. If I make any changes to this account
e.g. set a First Name this change is replicated to both DCs.
Thanks again for everyone's help,
DC1 - Windows 2000 SP4
SAM Category: None ID - 12294 [This has only been occuring since the
addition of a new server on Friday]
SAM Database was unable to lockout the account of [strange symbol - looks
like a 'w' with a vertical line coming down at the right end] due to a
Error Data contains: 0000: a5 02 00 c0
NTDS Replication Category - (5) ID - 1083 [This is occuring once per
day] for the last 4 days.
Replication warning: The directory is busy. It couldn't update object
CN=Administrator,DC=Domain,DC=Net with changes made by directory
6b09247..........._msdcs.DOMAIN.NET. Will try again later.
DC2 - Windows 2003 SP1 R2
NTDS Replication Category: Replication ID - 1083 [This has only started
occuring today, after the domain admin account password was reset]
Active Directory could not update the following object with changes received
from the domain controller at the following network address because Active
Directory was busy processing information.
This operation will be tried again later.