One of my domain controllers has encountered a problem that caused replication errors on the other DCs. In the event viewer of my other two controllers I got the following error every few minutes:

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1699
User: CORP \ DC01 $
Computer: DC02
Description:
The local domain controller failed to retrieve the changes requested for the following directory partition. Consequently, it could not send change requests to the domain controller at the following network address.

Directory partition:
DC = corp, DC = local, DC = com
Network Address:
0c03a47c-75e2-4745-b632-6a0671731f28._msdcs.corp.local.com
Extended request code:
0

Additional data
Error value:
The 8453 Replication access was denied.

System Center Operations Manager 2007 I also recovered errors, indicating that replication was slow or not working on some domain controllers.

When I tried to force replication from DC01 in Active Directory Sites and Services I got an error "The replication operation failed due to incorrect matching patterns between the servers involved." From DC02 or DC03 I got a success message "Active Directory has replicated the connections".
Continue reading "Replication error 1699 on Windows 2003"

In a field it is important that the clocks of all machines are synchronized. Indeed the Kerberos authentication protocol default requires a maximum difference of 5 minutes ENTERED clocks to prevent attacks.

If authentication was based solely on a username and a password it would be theoretically possible for an attacker to record network traffic, extract data and replay them to the server. The Kerberos session keys are unique and based on the client's time, which avoids these attacks if the maximum permissible difference is relatively small.

To be certain that all clocks are synchronized with each other it is necessary to define an authoritative time source. It is possible to configure the domain controller PDC operation master so that it becomes a source of stratum 2 time source synchronizing to a Stratum 1 time (usually a time server based on an atomic clock) .

Continue reading "Setting up an authoritative time server in Windows 2003"

I recently installed two new domain controllers in Windows 2003 R2 to replace an old Domain Controller in Windows 2000 which showed some signs of weakness. Problem, after the usual phase of dcpromo the SYSVOL and NETLOGON shares have not created automatically on two new CDs. FSMO role transfers them have gone smoothly and Active Directory (users, computers) and the DNS replicate perfectly.

This problem is really critical because if the domain controller in Windows 2000 should die it would not be possible to authenticate to the field or on the SQL Server using Windows authentication. A very regular backup system state with ntbackup of DC is critical as the situation is not stabilized. Second group policies are not replicated and servers are not fully considered as domain controllers SYSVOL and NETLOGON shares have not been created.

Continue reading "Problem replication of SYSVOL and NETLOGON shares"