Troubleshooting Replication Failure 2003 Domain
In Single Domain, Windows Server 2003 environment with Main DC and Second DC, I continue to experience replication errors.

"dcdiag /test:dns" run from MainDC or SecondDC fails "Delegations" test with "Failure: Missing Glue A Record", specifically:

   TEST: Delegations (Del)
      Warning: DNS server: MainDC.server.domain. IP: <Unavailable>
      Failure: Missing glue A record

How do I resolve this?

P.S. DSLINT showed NO missing Glue A record.

--------------------------------------------------------------------------------------

I know this will be asked, so the following was run on SecondDC as well:

dcdiag /test:CheckSecurityError /ReplSource:MainDC

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SecondDC
      Starting test: Connectivity
         ......................... SecondDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SecondDC
      Starting test: CheckSecurityError
         * Missing SPN :LDAP/SecondDC.mydomain.com/mydomain.com
         * Missing SPN :LDAP/SecondDC.mydomain.com
         * Missing SPN :LDAP/SecondDC
         * Missing SPN :LDAP/SecondDC.mydomain.com/mydomain
         * Missing SPN :LDAP/b8f0dc98-c7b6-4be6-80d9-09c2adc6162f._msdcs.mydomain.com
         * Missing SPN :HOST/SecondDC.mydomain.com/mydomain.com
         * Missing SPN :HOST/SecondDC.mydomain.com/mydomain
         * Missing SPN :GC/SecondDC.mydomain.com/mydomain.com
         Unable to verify the machine account (CN=SecondDC,OU=Domain Controllers,DC=mydomain,DC=com) for SecondDC on MainDC.
         Source DC MainDC has possible security error (8453). Diagnosing...
         Error mydomain\Domain Controllers doesn't have Replicating Directory Changes All access rights for the naming context: DC=mydomain,DC=com
         Authoritative attribute dBCSPwd on SecondDC (writeable)
            usnLocalChange = 136177
            LastOriginatingDsa = SecondDC
            usnOriginatingChange = 136177
            timeLastOriginatingChange = 2010-02-22 14:18:53
            VersionLastOriginatingChange = 8
         Out-of-date attribute dBCSPwd on MainDC (writeable)
            usnLocalChange = 1353856
            LastOriginatingDsa = MainDC
            usnOriginatingChange = 1353856
            timeLastOriginatingChange = 2010-02-08 22:42:53
            VersionLastOriginatingChange = 3
         Authoritative attribute lmPwdHistory on SecondDC (writeable)
            usnLocalChange = 136177
            LastOriginatingDsa = SecondDC
            usnOriginatingChange = 136177
            timeLastOriginatingChange = 2010-02-22 14:18:53
            VersionLastOriginatingChange = 8
         Out-of-date attribute lmPwdHistory on MainDC (writeable)
            usnLocalChange = 1353856
            LastOriginatingDsa = MainDC
            usnOriginatingChange = 1353856
            timeLastOriginatingChange = 2010-02-08 22:42:53
            VersionLastOriginatingChange = 3
         Authoritative attribute ntPwdHistory on SecondDC (writeable)
            usnLocalChange = 136177
            LastOriginatingDsa = SecondDC
            usnOriginatingChange = 136177
            timeLastOriginatingChange = 2010-02-22 14:18:53
            VersionLastOriginatingChange = 8
         Out-of-date attribute ntPwdHistory on MainDC (writeable)
            usnLocalChange = 1353856
            LastOriginatingDsa = MainDC
            usnOriginatingChange = 1353856
            timeLastOriginatingChange = 2010-02-08 22:42:53
            VersionLastOriginatingChange = 3
         Authoritative attribute nTSecurityDescriptor on MainDC (writeable)
            usnLocalChange = 1356727
            LastOriginatingDsa = MainDC
            usnOriginatingChange = 1356727
            timeLastOriginatingChange = 2010-02-11 02:33:56
            VersionLastOriginatingChange = 2
         Out-of-date attribute nTSecurityDescriptor on SecondDC (writeable)
            usnLocalChange = 12290
            LastOriginatingDsa = SecondDC
            usnOriginatingChange = 12290
            timeLastOriginatingChange = 2010-02-07 18:17:57
            VersionLastOriginatingChange = 2
         Authoritative attribute pwdLastSet on SecondDC (writeable)
            usnLocalChange = 136175
            LastOriginatingDsa = SecondDC
            usnOriginatingChange = 136175
            timeLastOriginatingChange = 2010-02-22 14:18:53
            VersionLastOriginatingChange = 7
         Out-of-date attribute pwdLastSet on MainDC (writeable)
            usnLocalChange = 1353856
            LastOriginatingDsa = MainDC
            usnOriginatingChange = 1353856
            timeLastOriginatingChange = 2010-02-08 22:42:53
            VersionLastOriginatingChange = 3
         Authoritative attribute servicePrincipalName on SecondDC (writeable)
            usnLocalChange = 12597
            LastOriginatingDsa = SecondDC
            usnOriginatingChange = 12597
            timeLastOriginatingChange = 2010-02-07 18:47:01
            VersionLastOriginatingChange = 7
         Out-of-date attribute servicePrincipalName on MainDC (writeable)
            usnLocalChange = 1351843
            LastOriginatingDsa = MainDC
            usnOriginatingChange = 1351843
            timeLastOriginatingChange = 2010-02-07 18:14:57
            VersionLastOriginatingChange = 3
         Authoritative attribute supplementalCredentials on SecondDC (writeable)
            usnLocalChange = 136178
            LastOriginatingDsa = SecondDC
            usnOriginatingChange = 136178
            timeLastOriginatingChange = 2010-02-22 14:18:53
            VersionLastOriginatingChange = 7
         Out-of-date attribute supplementalCredentials on MainDC (writeable)
            usnLocalChange = 1353857
            LastOriginatingDsa = MainDC
            usnOriginatingChange = 1353857
            timeLastOriginatingChange = 2010-02-08 22:42:53
            VersionLastOriginatingChange = 2
         Authoritative attribute unicodePwd on SecondDC (writeable)
            usnLocalChange = 136177
            LastOriginatingDsa = SecondDC
            usnOriginatingChange = 136177
            timeLastOriginatingChange = 2010-02-22 14:18:53
            VersionLastOriginatingChange = 8
         Out-of-date attribute unicodePwd on MainDC (writeable)
            usnLocalChange = 1353856
            LastOriginatingDsa = MainDC
            usnOriginatingChange = 1353856
            timeLastOriginatingChange = 2010-02-08 22:42:53
            VersionLastOriginatingChange = 3
         Unable to verify the convergence of this machine account (CN=SecondDC,OU=Domain Controllers,DC=mydomain,DC=com) on this domain (DC=mydomain,DC=com).
         Does the machine account password need reseting?
         ......................... SecondDC failed test CheckSecurityError

   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : mydomain
   Running enterprise tests on : mydomain.com

-------------------------------------------------------------------

Thanks for any help.
Dave
February 22nd, 2010 10:13pm

Hello,

please post an unedited ipconfig /all from both DCs so we can exclude DNS as a major problem.

Are all DCs listed with their A record in Forward/Reverse lookup zones and, if DNS server, also with their Nameserver record?

Are any firewalls enabled between the DCs?

Also post an unedited repadmin /showrepl from each DC.

Always a starting point is here for AD replication problems:
http://technet.microsoft.com/en-us/library/cc738415(WS.10).aspx

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
February 23rd, 2010 11:05am

Thanks for the reply Meinolf.

Results as follows:

From MainDC: ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : MAINDC
   Primary Dns Suffix  . . . . . . . : MYDOMAIN.COM
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MYDOMAIN.COM

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 00-E0-81-40-34-33
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.226.28
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-E0-81-40-34-32
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.150.201
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.150.200
   DNS Servers . . . . . . . . . . . : 192.168.150.201
                                       192.168.150.202

************************************************

From SecondDC: ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SecondDC
   Primary Dns Suffix  . . . . . . . : MYDOMAIN.COM
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MYDOMAIN.COM

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #4
   Physical Address. . . . . . . . . : 00-25-64-F8-AA-56
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.150.202
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.150.200
   DNS Servers . . . . . . . . . . . : 192.168.150.201
                                       192.168.150.202

************************************************

From MainDC: repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\MAINDC
DC Options: IS_GC
Site Options: (none)
DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
DC invocationID: de66c2d3-eda2-4ab2-a393-fdea108ad439

==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\SECONDDC via RPC
        DC object GUID: b8f0dc98-c7b6-4be6-80d9-09c2adc6162f
        Last attempt @ 2010-02-23 10:57:41 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        54 consecutive failure(s).
        Last success @ 2010-02-22 13:51:10.

CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\SECONDDC via RPC
        DC object GUID: b8f0dc98-c7b6-4be6-80d9-09c2adc6162f
        Last attempt @ 2010-02-23 10:51:10 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        21 consecutive failure(s).
        Last success @ 2010-02-22 13:51:10.

DC=DomainDnsZones,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\SECONDDC via RPC
        DC object GUID: b8f0dc98-c7b6-4be6-80d9-09c2adc6162f
        Last attempt @ 2010-02-23 10:58:17 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        32 consecutive failure(s).
        Last success @ 2010-02-22 14:17:51.

DC=ForestDnsZones,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\SECONDDC via RPC
        DC object GUID: b8f0dc98-c7b6-4be6-80d9-09c2adc6162f
        Last attempt @ 2010-02-23 10:51:10 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        25 consecutive failure(s).
        Last success @ 2010-02-22 14:17:48.

Source: Default-First-Site-Name\SECONDDC
******* 676 CONSECUTIVE FAILURES since 2010-02-16 10:40:19
Last error: 8453 (0x2105):
            Replication access was denied.

Naming Context: DC=MYDOMAIN,DC=COM
Source: Default-First-Site-Name\SECONDDC
******* WARNING: KCC could not add this REPLICA LINK due to error.

************************************************

From SecondDC: repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\SECONDDC
DC Options: IS_GC
Site Options: (none)
DC object GUID: b8f0dc98-c7b6-4be6-80d9-09c2adc6162f
DC invocationID: db7d8879-39f4-46bc-a7b5-abde1460e419

==== INBOUND NEIGHBORS ======================================

DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\MAINDC via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-02-23 10:52:24 failed, result 8453 (0x2105):
            Replication access was denied.
        6561 consecutive failure(s).
        Last success @ 2010-02-07 18:15:32.

CN=Configuration,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\MAINDC via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-02-23 10:52:24 was successful.

CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\MAINDC via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-02-23 10:52:24 was successful.

DC=DomainDnsZones,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\MAINDC via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-02-23 10:52:24 was successful.

DC=ForestDnsZones,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\MAINDC via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-02-23 10:52:24 was successful.

Source: Default-First-Site-Name\MAINDC
******* 6561 CONSECUTIVE FAILURES since 2010-02-07 18:15:32
Last error: 8453 (0x2105):
            Replication access was denied.

************************************************

Thanks for the help.
Dave
February 23rd, 2010 10:19pm
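
A small parser for the `repadmin /showrepl` output posted above, added here as an example (it is not code from the thread's participants or from Microsoft). It groups failing inbound links by error code and normalizes signed and unsigned values, so repadmin's -2146893022 lines up with the 2148074274 that the event log reports later in the thread; the sample text is a constructed excerpt built from values in the posts, and all function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed excerpt in the layout `repadmin /showrepl` prints, built from values
# in the two outputs posted above (GUID lines left out to keep it short).
SAMPLE = r"""==== INBOUND NEIGHBORS ======================================
CN=Configuration,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\SECONDDC via RPC
        Last attempt @ 2010-02-23 10:57:41 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        54 consecutive failure(s).
        Last success @ 2010-02-22 13:51:10.
DC=ForestDnsZones,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\SECONDDC via RPC
        Last attempt @ 2010-02-23 10:51:10 failed, result 1256 (0x4e8):
            The remote system is not available.
        25 consecutive failure(s).
        Last success @ 2010-02-22 14:17:48.
DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\MAINDC via RPC
        Last attempt @ 2010-02-23 10:52:24 failed, result 8453 (0x2105):
            Replication access was denied.
        6561 consecutive failure(s).
        Last success @ 2010-02-07 18:15:32.
CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\MAINDC via RPC
        Last attempt @ 2010-02-23 10:52:24 was successful.
"""

NC = re.compile(r"^(?:CN|DC)=\S+$")            # naming context, starts in column 0
SRC = re.compile(r"^\s+\S+\\(\S+) via RPC")    # indented "Site\DC via RPC"
TRY = re.compile(r"Last attempt @ .{19} (?:failed, result (-?\d+)|was successful)")
RUN = re.compile(r"(\d+) consecutive failure")

def win32_hex(code):
    # Unsigned 32-bit hex, so signed (repadmin) and unsigned (event log) forms match.
    return "0x%08x" % (int(code) & 0xFFFFFFFF)

def parse_showrepl(text):
    links, nc, cur = [], None, None
    for line in map(str.rstrip, text.splitlines()):
        if NC.match(line):
            nc, cur = line, None
        elif (m := SRC.match(line)) and nc:
            cur = {"nc": nc, "source": m.group(1), "code": None, "failures": 0}
            links.append(cur)
        elif cur and (m := TRY.search(line)):
            cur["code"] = win32_hex(m.group(1)) if m.group(1) else None
        elif cur and (m := RUN.search(line)):
            cur["failures"] = int(m.group(1))
    return links

def failures_by_code(links):
    """Group failing links by normalized error code, longest failure streak first."""
    groups = defaultdict(list)
    for link in sorted(links, key=lambda x: -x["failures"]):
        if link["code"]:
            groups[link["code"]].append((link["source"], link["nc"], link["failures"]))
    return dict(groups)
```

Calling `failures_by_code(parse_showrepl(SAMPLE))` puts the 8453 access-denied link from MAINDC first, ahead of the 0x80090322 and 0x4e8 failures pulling from SECONDDC.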

Hello,

the ipconfig output of both DCs looks ok, just on the MAINDC disable the unused NIC and make sure it isn't listed in the DNS forward/reverse lookup zones. If it is listed, delete it and run ipconfig /flushdns and ipconfig /registerdns on MAINDC and run repadmin /syncall to make sure the DNS changes are replicated to the other DNS server if AD integrated zones are used, otherwise update the DNS servers manually.

What about the other questions?

Are all DCs listed with their A record in Forward/Reverse lookup zones and, if DNS server, also with their Nameserver record?

Are any firewalls enabled between the DCs?

Did you check this one:
http://technet.microsoft.com/en-us/library/cc738415(WS.10).aspx

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
February 24th, 2010 3:25pm

Hello Meinolf and all,

Thanks for reviewing this issue. I disabled the unused NIC on MAINDC, and note that it is NOT listed in forward/reverse lookup zones.

Ran the following anyway: "ipconfig /flushdns", "ipconfig /registerdns", "repadmin /syncall". Sync successful.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

DC's are listed in Forward Lookup Zones on BOTH DC's the same:
   (NS) MAINDC w/ Host (A) 192.168.150.201
   (NS) SECONDDC w/ Host (A) 192.168.150.202

Only (NS) for both in Reverse Lookup [No Host (A)]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

There are NO firewalls enabled between controllers.

I did go through the TechNet article you referenced in your post. Going down through that, there are no hardware failures, upgrades, other disconnections. Beyond that, I am plugging through various troubleshooting steps and following the many, many branches off those pages, as well as others I have found or been referred to.

The problem I am running into is that every time I follow a link to another page of troubleshooting steps, I am instructed to review additional pages which link to additional pages which link to additional pages. I'm sure it's a good thing that there is so much information and that there are so many tests, I just think it is a bit overwhelming to a newcomer.

I know it will all make sense eventually as I am able to visualize the process as a whole, but it seems somewhat like an endless maze at this point.

I will keep plugging through all of the info and running tests, but sure would appreciate some very specific, targeted direction in what step(s) will produce the most useful results next.

I've compiled some additional log info and test results that I think may be helpful in troubleshooting. Event Log [dir] warnings/errors from each DC are below, as well as partial results from each for "dcdiag /test:CheckSecurityError"

Please advise.
*********************************************************************************

FROM MAINDC:

Event ID: 1925 [warning] - The attempt to establish a replication link for the following writable directory partition failed. (Partition is the domain name, source is the SECONDDC, controller address is correct GUID for SECONDDC)
   Additional Data: Error value: 2148074274 - The target principal name is incorrect.

Event ID: 1977 [error] - The requesting domain controller does not have access to a writable copy of this directory partition. (Requesting DC is the correct GUID for SECONDDC)

Event ID: 1699 [error] - same basic idea as above
   Additional Data: Error value: 8453 - REPLICATION ACCESS WAS DENIED.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

FROM SECONDDC:

Event ID: 2093 [NTDS Replication warning] The remote server which is the owner of a FSMO role is not responding. This server has not replicated with the FSMO role owner recently. Shows correctly MYDOMAIN and MAINDC as FSMO role holder.

Event ID: 1586 [warning] The Windows NT 4.0 or earlier replication checkpoint with the PDC emulator master was unsuccessful.
   Additional Data: Error value: 8453 - REPLICATION ACCESS WAS DENIED.

Event ID: 1308 [NTDS KCC Warning] "...successive attempts to replicate... failed..." (shows FQDN of MAINDC)

Event ID: 1864 [error] - "...has not received replication info..."

Event ID: 1699 [error] - "...failed to retrieve changes requested for partition (MYDOMAIN)...." (Requesting DC is the correct GUID for MAINDC)
   Additional Data: Error value: 8453 - REPLICATION ACCESS WAS DENIED.

Event ID: 1977 [error] - The requesting domain controller does not have access to a writable copy of this directory partition. (Requesting DC is the correct GUID for MAINDC)

**********************************************************************************

There is a lot to grasp for someone just getting his feet wet, so I really appreciate insights that will help me to jump ahead of this.

So far, I have followed many suggestions, as they seemed related, branching off the TechNet article:

- Reset Secure Channel Password, Restarted Netlogons, Ran Netdom Metadata Cleanup
- Test: ping IP_address -f -l 1472 passed without any adjustment needed
- dcdiag /test:CheckSecurityError on MAINDC generates several lines starting with "Missing SPN :LDAP" then ends with "Unable to verify the machine account.... SECONDDC.... on... MAINDC) "Source DC MAINDC has possible security error (8453)"
- dcdiag /test:CheckSecurityError on SECONDDC generates several lines starting with "Missing SPN :LDAP"
     Unable to verify the machine account (CN=SECONDDC,OU=Domain Controllers,DC=MYDOMAIN,DC=COM) for SECONDDC on MAINDC.
     Error MYDOMAIN\Domain Controllers doesn't have Replicating Directory Changes All access rights for the naming context: DC=MYDOMAIN,DC=COM
     ........................ MAINDC failed test CheckSecurityError
     "Source DC SECONDDC has possible security error (1722)"

**********************************************************************************

Thanks!
Dave
February 24th, 2010 11:42pm

Hello,

does this posting belong to:
http://social.technet.microsoft.com/Forums/en/winservergen/thread/da438e14-8fa3-4ce3-ae7f-e681b62b2747

Did you follow all steps mentioned there?

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
February 25th, 2010 1:42am

Sorry for those trying to follow this thread. This is the third one leading to a dead end. I will post once I am able to resolve the issue.
February 25th, 2010 3:42am

Hi, were you able to resolve the problem? If you need further assistance, do let us know.
March 17th, 2010 1:32pm

This topic is archived. No further replies will be accepted.
