Microsoft KB Archive/938702

= Windows Server 2003-based domain controllers in a parent-and-child domain environment may be unable to replicate changes =

Article ID: 938702

Article Last Modified on 7/25/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

-



SYMPTOMS
When Microsoft Windows Server 2003-based domain controllers are in a parent-and-child domain environment, the domain controllers in the parent domain and in the child domain may be unable to replicate changes. Additionally, you may notice the following symptoms:

 * The net view /domain: command returns an error. You expect this command to list the domain controllers from the child domain.
 * When you run the repadmin /showrepl command on the root domain controller of the parent domain, the command returns output that resembles the following:

   DomainName\ServerName via RPC objectGuid: Server_GUID Last attempt @ 2004-08-19 09:05.02 failed, result 5: Access is denied.

   You expect this command to list the replication partners.
 * An event that resembles the following may appear in the Directory Service logs of the domain controllers in the parent domain:

Event ID: 1925 Event Type: Warning

Event Source: NTDS KCC

Event Category: Knowledge Consistency Checker

Event ID: 1925

Date:

Time:

User: NT AUTHORITY\ANONYMOUS LOGON

Computer:

Description:

The attempt to establish a replication link for the following writable directory partition failed.

Directory partition:

CN=Configuration,DC=contoso,DC=com

Source domain controller:

CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com

Source domain controller address: ._msdcs.

Intersite transport (if any):

This domain controller will be unable to replicate with the source domain controller until this problem is corrected.

User Action

Verify if the source domain controller is accessible or network connectivity is available.

Additional Data

Error value: 5

Access is denied.

The following events may appear in the System log of the root domain controller in the parent domain:

Event ID: 40960 Event Type: Warning

Event Source: LSASRV

Event Category: SPNEGO (Negotiator)

Event ID: 40960

Date:

Time:

User: N/A

Computer:

Description:

The Security System detected an authentication error for the server ldap/ ._msdcs. . The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)".

Event ID: 40961 Event Type: Warning

Event Source: LSASRV

Event Category: SPNEGO (Negotiator)

Event ID: 40961

Date:

Time:

User: N/A

Computer:

Description:

The Security System could not establish a secured connection with the server ldap/ .com. No authentication protocol was available.

The following Kerberos events may appear in the System log of the domain controllers in the parent domain and in the child domain:

Event ID: 3 Event Type: Error

Event Source: Kerberos

Event ID: 3

Description:

A Kerberos Error Message was received: on logon session InitializeSecurityContext

Client Time:

Server Time:

Error Code: 0x29 KRB_AP_ERR_MODIFIED

Client Realm:

Client Name:

Server Realm:

Server Name: krbtgt/

Target Name: ldap/ _msdcs. @

Error Text:

File: 9

Line: ab8

Error Data is in record data.

Event ID: 594 Event Type: Error

Event Source: Kerberos

Event ID: 594

Description:

A Kerberos Error Message was received: on logon session InitializeSecurityContext

Client Time:

Server Time:

Error Code: 0x29 KRB_AP_ERR_MODIFIED

Client Realm:

Client Name:

Server Realm:

Server Name: krbtgt/

Target Name: host/server. @

Error Text:

File:

Line: 



RESOLUTION
To resolve this problem, follow these steps:

 1) Run the following command on the root domain controllers of the parent domain and of the child domain. This command resets the trust relationship between the parent and child domain.

    Netdom trust  /Domain:  /UserD:  /PasswordD:* /UserO:  /PasswordO:* /reset

    Notes
     * The  placeholder represents the name of the trusting domain.
     * The  placeholder represents the name of the trusted domain.
     * The  placeholder in the /UserD:  parameter represents the user account that connects to the trusted domain.
     * The  placeholder in the /UserO:  parameter represents the user account that connects to the trusting domain.

 2) Let the parent and child domain controllers replicate the changes.

 3) Restart the root domain controllers of the parent domain and of the child domain. Restarting these domain controllers removes the Kerberos tickets.

Note You can also use the Kerbtray tool to remove the Kerberos tickets. The Kerbtray tool is included in the Windows Server 2003 Resource Kit Tools package.
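As an added example that is not part of the Microsoft article, the following Python script turns the Symptoms section into a check: it parses repadmin /showrepl output in the one-line-per-partner shape quoted above (real repadmin prints each partner across several lines, so the regex is an assumption about how the output was flattened) together with event records exported from the Directory Service and System logs, and flags the combination the article describes, namely inbound partners whose last attempt failed with result 5 (Access is denied) alongside LSASRV SPNEGO warnings (40960/40961) or Kerberos KRB_AP_ERR_MODIFIED errors (events 3/594) on domain controllers in both domains. The sample output, event records and names (CORP, ROOTDC1, CHILDDC1, child.contoso.com) are constructed, and the dict field names are assumptions about what a log collector would export. The replication_healthy check is the one to rerun after step 2 of the Resolution section to confirm that every partner now reports a successful last attempt.

```python
# Added example (not Microsoft's code): detect the parent/child replication
# failure signature from repadmin /showrepl output and event-log records.
# Assumes the one-line repadmin shape quoted in the article and event records
# exported as dicts with computer/domain/source/id/text fields.
import re
from dataclasses import dataclass
from typing import List, Optional

# One inbound partner per line, e.g.
# "DomainName\ServerName via RPC objectGuid: <GUID> Last attempt @ <date> <time>
#  failed, result 5: Access is denied."  or  "... was successful."
SHOWREPL_LINE = re.compile(
    r"^(?P<domain>[^\\]+)\\(?P<server>\S+) via (?P<transport>\S+) "
    r"objectGuid: (?P<guid>\S+) Last attempt @ (?P<when>\S+ \S+) "
    r"(?:failed, result (?P<code>\d+): (?P<msg>.+)|was successful\.)$"
)

ACCESS_DENIED = 5                    # the "result 5" shown in the article
SPNEGO_EVENT_IDS = {40960, 40961}    # LSASRV, SPNEGO (Negotiator) warnings
KRB_ERROR_EVENT_IDS = {3, 594}       # Kerberos "A Kerberos Error Message was received"


@dataclass
class ReplPartner:
    domain: str
    server: str
    transport: str
    guid: str
    last_attempt: str
    result_code: Optional[int]       # None when the last attempt succeeded
    message: str


def parse_showrepl(text: str) -> List[ReplPartner]:
    """Parse the one-line-per-partner form; lines in any other shape are skipped."""
    partners = []
    for raw in text.splitlines():
        m = SHOWREPL_LINE.match(raw.strip())
        if not m:
            continue
        code = int(m["code"]) if m["code"] else None
        msg = m["msg"] if code is not None else "was successful"
        partners.append(ReplPartner(m["domain"], m["server"], m["transport"],
                                    m["guid"], m["when"], code, msg))
    return partners


def replication_healthy(text: str) -> bool:
    """True when at least one partner parsed and every last attempt succeeded
    (the check to rerun after the netdom reset and restart)."""
    partners = parse_showrepl(text)
    return bool(partners) and all(p.result_code is None for p in partners)


def kerberos_indicators(events: List[dict]) -> dict:
    """Pick out the three event families the article lists."""
    return {
        "kcc_denied": [e for e in events if e["source"] == "NTDS KCC"
                       and e["id"] == 1925 and "Error value: 5" in e["text"]],
        "spnego": [e for e in events if e["source"] == "LSASRV"
                   and e["id"] in SPNEGO_EVENT_IDS],
        "krb_modified": [e for e in events if e["source"] == "Kerberos"
                         and e["id"] in KRB_ERROR_EVENT_IDS
                         and "KRB_AP_ERR_MODIFIED" in e["text"]],
    }


def assess(showrepl_text: str, events: List[dict]) -> dict:
    """Article pattern: partners failing with result 5, plus either SPNEGO
    failures on the parent root DC or KRB_AP_ERR_MODIFIED on DCs in both domains."""
    denied = [p for p in parse_showrepl(showrepl_text) if p.result_code == ACCESS_DENIED]
    ind = kerberos_indicators(events)
    modified_domains = sorted({e["domain"] for e in ind["krb_modified"]})
    likely = bool(denied) and (bool(ind["spnego"]) or len(modified_domains) >= 2)
    return {
        "failing_partners": [f"{p.domain}\\{p.server}" for p in denied],
        "kcc_access_denied_events": len(ind["kcc_denied"]),
        "spnego_events": len(ind["spnego"]),
        "krb_modified_domains": modified_domains,
        "likely_trust_kerberos_failure": likely,
    }


# --- constructed sample data (not captured from a real forest) ---------------
FAILING_SHOWREPL = """\
CORP\\ROOTDC1 via RPC objectGuid: 0f5c3d62-0a1b-4c2d-9e3f-000000000001 Last attempt @ 2004-08-19 09:05.02 failed, result 5: Access is denied.
CORP\\ROOTDC2 via RPC objectGuid: 0f5c3d62-0a1b-4c2d-9e3f-000000000002 Last attempt @ 2004-08-19 09:04.55 was successful.
"""
HEALTHY_SHOWREPL = """\
CORP\\ROOTDC1 via RPC objectGuid: 0f5c3d62-0a1b-4c2d-9e3f-000000000001 Last attempt @ 2004-08-19 10:12.30 was successful.
CORP\\ROOTDC2 via RPC objectGuid: 0f5c3d62-0a1b-4c2d-9e3f-000000000002 Last attempt @ 2004-08-19 10:12.31 was successful.
"""
SAMPLE_EVENTS = [
    {"computer": "ROOTDC1", "domain": "contoso.com", "source": "NTDS KCC", "id": 1925,
     "text": "The attempt to establish a replication link ... Error value: 5 Access is denied."},
    {"computer": "ROOTDC1", "domain": "contoso.com", "source": "LSASRV", "id": 40960,
     "text": "The Security System detected an authentication error ... (0xc000006d)"},
    {"computer": "ROOTDC1", "domain": "contoso.com", "source": "Kerberos", "id": 3,
     "text": "A Kerberos Error Message was received ... Error Code: 0x29 KRB_AP_ERR_MODIFIED"},
    {"computer": "CHILDDC1", "domain": "child.contoso.com", "source": "Kerberos", "id": 594,
     "text": "A Kerberos Error Message was received ... Error Code: 0x29 KRB_AP_ERR_MODIFIED"},
]

if __name__ == "__main__":
    print(assess(FAILING_SHOWREPL, SAMPLE_EVENTS))
    print("healthy after fix:", replication_healthy(HEALTHY_SHOWREPL))
```

The assessment deliberately requires the result-5 replication failure and the Kerberos evidence together: a lone Access is denied from repadmin has other causes (permissions, time skew, a stale secure channel on one DC), and KRB_AP_ERR_MODIFIED (0x29) by itself means the target could not decrypt the service ticket it was handed, which is what you see when the secret shared across the trust no longer matches on both sides and is why the article's fix is a trust reset followed by purging cached tickets.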



MORE INFORMATION
For more information about how to use the Kerbtray tool, click the following article number to view the article in the Microsoft Knowledge Base:

319723 How to use Kerberos authentication in SQL Server

For more information about how to download the Windows Server 2003 Resource Kit Tools package, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Keywords: kbtshoot kbexpertiseadvanced kbprb KB938702

-


© Microsoft Corporation. All rights reserved.