Active Directory Replication Problems Solved with Preparation Wizard


For those of you who are new to these tools, we’ve talked about the Preparation and Planning Wizards before on our blog. We also have a dedicated page for them here. In addition, the team over at TechNet Edge did an article on the tools.


These tools are not just for customers with Essential Business Server or those who are planning to deploy this solution in their environments. These tools are for anyone with Active Directory in their network who would like to verify the health of their environment.


Today I would like to focus on a special category of issues that these tools help resolve: Active Directory replication problems.


As a member of the EBS team, I see a lot of mid-sized networks (25-300 PCs) where Active Directory replication errors are very common. These issues are also very hard to troubleshoot, mostly because there are quite a few potential causes. To name just a few, AD replication may fail due to DNS issues, connectivity problems, security issues, or time synchronization problems. TechNet has a great description of some of these potential causes.

How do the tools help find and resolve AD replication issues?

Preparation Wizard is a great tool that helps troubleshoot Active Directory replication issues. The tool scans the existing network, identifies the source of AD replication errors, and provides links to Knowledge Base articles that explain how to correct these issues. In order to identify the source of Active Directory replication errors, Preparation Wizard uses LDAP queries, DNS queries, and WMI to contact each server in the network and run a set of checks that verify AD replication is functioning correctly. In addition, the tool specifically looks for events that indicate Active Directory replication problems. Note that Preparation Wizard does not change the environment, so the tool is completely safe to run at any time!

How is it different from other tools?

Unlike many other known tools, which simply dump large amounts of networking data collected from a single source (such as event logs), Preparation Wizard is able to gather data from many different areas (Active Directory, DNS, SYSVOL, event logs, etc.), cross-reference that data, and draw conclusions about the overall health of the network. Preparation Wizard has over 100 different checks, which are based on the most common issues resolved by Microsoft Customer Support Services over the past 10 years!

What specifically does the tool verify?

There are several tests that Preparation Wizard runs to ensure AD replication functions correctly. Among others, the tool verifies that:

  • Network connectivity is available and network settings are properly configured
  • Name resolution for all domain controllers is functioning properly
  • Inbound AD replication is enabled for all domain controllers
  • Outbound AD replication is enabled for all domain controllers
  • AD replication with corrupt partners is disabled
  • Each domain controller replicates changes within a certain threshold (AD replication is fast enough)
  • Domain, Schema, and Configuration naming contexts are defined on all domain controllers in the Active Directory sites
  • All naming contexts can replicate successfully
  • The Knowledge Consistency Checker's automatic generation of intra-site and inter-site replication topology is enabled
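To make the checks in this list concrete, here is an added, read-only PowerShell script (it is not part of Preparation Wizard and not the EBS team's code) that reproduces four of them: DNS resolution of every domain controller, the inbound/outbound replication flags on each NTDS Settings object, the KCC automatic topology flags on each site, and replication latency and last-result per inbound partner. It assumes the ActiveDirectory RSAT module is installed, that the machine is domain-joined with read access to the Configuration partition, and that a one-hour latency threshold is acceptable; the bit values come from the documented nTDSDSA and nTDSSiteSettings `options` attributes.

```powershell
# Added example, not Preparation Wizard code. Read-only: it never writes to AD.
# Assumes: ActiveDirectory module (RSAT), domain-joined host, read access to the
# Configuration NC. $LatencyThresholdMinutes is an assumed threshold; adjust to taste.

Import-Module ActiveDirectory

$LatencyThresholdMinutes = 60

# nTDSDSA 'options' bits: 0x1 IS_GC, 0x2 DISABLE_INBOUND_REPL, 0x4 DISABLE_OUTBOUND_REPL
$DISABLE_INBOUND  = 0x2
$DISABLE_OUTBOUND = 0x4
# nTDSSiteSettings 'options' bits: 0x1 intra-site auto topology disabled,
# 0x10 inter-site auto topology disabled
$INTRASITE_KCC_DISABLED = 0x1
$INTERSITE_KCC_DISABLED = 0x10

$findings = New-Object System.Collections.Generic.List[string]

# 1. Name resolution for every domain controller
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    try {
        $null = Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction Stop
    } catch {
        $findings.Add("DNS: cannot resolve $($dc.HostName)")
    }
}

# 2. Inbound/outbound replication disabled on any DC (NTDS Settings object)
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=nTDSDSA)' -Properties options |
    ForEach-Object {
        $opts = [int]($_.options)   # an unset attribute casts to 0
        if ($opts -band $DISABLE_INBOUND)  { $findings.Add("REPL: inbound replication disabled on $($_.DistinguishedName)") }
        if ($opts -band $DISABLE_OUTBOUND) { $findings.Add("REPL: outbound replication disabled on $($_.DistinguishedName)") }
    }

# 3. KCC automatic topology generation disabled in any site
Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties options |
    ForEach-Object {
        $opts = [int]($_.options)
        if ($opts -band $INTRASITE_KCC_DISABLED) { $findings.Add("KCC: intra-site topology generation disabled in $($_.DistinguishedName)") }
        if ($opts -band $INTERSITE_KCC_DISABLED) { $findings.Add("KCC: inter-site topology generation disabled in $($_.DistinguishedName)") }
    }

# 4. Replication failures and latency per inbound partner and naming context
foreach ($dc in $dcs) {
    try {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction Stop
    } catch {
        $findings.Add("REPL: could not read replication metadata from $($dc.HostName): $($_.Exception.Message)")
        continue
    }
    foreach ($m in $meta) {
        if ($m.LastReplicationResult -ne 0) {
            $findings.Add("REPL: $($dc.HostName) <- $($m.Partner) [$($m.Partition)] last result $($m.LastReplicationResult)")
        } elseif (((Get-Date) - $m.LastReplicationSuccess).TotalMinutes -gt $LatencyThresholdMinutes) {
            $findings.Add("REPL: $($dc.HostName) <- $($m.Partner) [$($m.Partition)] last success $($m.LastReplicationSuccess)")
        }
    }
}

if ($findings.Count -eq 0) { 'No replication findings.' } else { $findings }
```

Run it from any domain-joined machine with RSAT; a non-zero `LastReplicationResult` is the Win32 error code you would also see in `repadmin /showrepl`, and a disabled-replication or KCC flag points at a deliberate change (`repadmin /options`) that someone forgot to undo, which is exactly the kind of finding the wizard links to a Knowledge Base article for.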

Go get it – it’s FREE!

http://www.microsoft.com/ebs/en/us/preparation.aspx

Link to supporting documents and other resources on troubleshooting Active Directory replication:

http://www.windowsnetworking.com/articles_tutorials/Active-Directory-Troubleshooting-Part1.html

http://searchwindowsserver.techtarget.com/generic/0,295582,sid68_gci1263312,00.html#


Thanks!

Julia Kuzminova
EBS Community Program Manager

Comments

  • I'm running the EBS Server prep tool and can't get it to run successfully, nor does it give me any ideas of the problem beyond "Connectivity did not occur during the prerequisite validation phase. Refer to sections of the analysis report for details." and then: Server can be queried using DNS “DNS query access for DNS server sbs1.zebra.com” is the error message. Not sure where to even start troubleshooting. Is this because it is not a .local domain? Any help would be greatly appreciated.

  • Please make sure that:

    1) Remote WMI access is enabled (since the tool uses WMI to contact all DCs, DNS and Exchange servers in the network). See http://support.microsoft.com/kb/875605 for details.

    2) You are running the tool in the root domain.

    3) If you continue getting collection errors, take a look at the AD (specifically, machine accounts under Active Directory Users and Computers) and make sure it reflects your current infrastructure.

    Finally, details about each error are recorded in \Windows Essential Business Server\Wizards\Logs\WEBS.BPA.Console.log file.

    Let us know if you are still having problems!

  • OK, everything works now; there were two issues it turns out.

    1) Firewall address is .254 but gateway is .1 because of VLAN after changing to .1 the EBS wizard ran complete but with a DNS query failure.

    2) DNS query failure was a result of an old DNS machine still referenced in the current machine. After running DNScleanup.vbs and removing this reference, everything ran fine. Only warning was MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries, corrected via the reference in the tool, and everything was good.

    Now my question would be since the EBS wizard ran without error, is the domain a candidate for upgrade correct? Given that this domain is a .com instead of .local what would you do? The .com domain isn't the same as their public facing site nor do they even have it registered or access it. There is no significance / relationship between the internal domain name and the corresponding public name. I appreciate your help and hope you can provide some insight here too.

    Paul

  • OK, it's working now, I think it was a combination of two problems.

    1) EBSW wouldn't scan with the FW address .254 but using the gateway of .1 it would but fail. I think this is related to the VLAN setup.

    2) Once the gateway was corrected, the failure indicating a left over DNS server from SBS2K to SBS2k3 upgrade (inherited network, I know better, lol) Once I cleaned up DNS, it worked like a charm.

    So now that it's running, I've got a few questions with regards to upgrading.

    Do I need to have any concern with regards to it being a DC with .Com instead of .Local? A little background, it's not the same internal as external DN. Also the DN they are using internally doesn't have anything to do with them externally, although it is a valid DN, they don't have any need to access it.

    Migrating Exchange, they have 8 mailboxes over 2GB each, is that a concern?

    Do you know if I can run Blackberry Pro and Active-Sync on EBS 2008?

    Thanks for the help.

    Paul

  • You should be ready to upgrade :). To answer your questions:

    .Com or .Local does not matter -- you should be ok with this configuration.

    Exchange 2007 does allow you to have over 2GB per mailbox, so you will be able to migrate those mailboxes just fine.

    EBS has the Active-Sync feature with Exchange 2007 as well, so you can use it (our default firewall rules allow Active Sync communication with Exchange). As far as Blackberry, you will need to check with your vendor about its compatibility with Exchange 2007 (but most likely it will work).

  • Have you tried troubleshooting WMI as suggested in this article:

    http://support.microsoft.com/kb/875605

    (Preparation Wizard should be pointing to this article) ?

    Also, how did you disable the firewall on the Security Server?  net stop "microsoft firewall"?

  • Thank you for the reply.

    I have tried all the stuff listed here:

    http://social.microsoft.com/Forums/ru-RU/netfxbcl/thread/4207c95f-bfbc-4b04-8d99-27abd5c0d96b

    getting exactly the same feedback. No luck.

    In addition I have tried to stop the Microsoft Firewall with the Services mmc GUI snapin, and check again. No difference.

  • Try stopping firewall by running:

    net stop fwsrv

    from the command line.  Also, it would be helpful to know exactly which steps you tried from the blog you are pointing to:

    1) Did you try to run WBEMTEST?

    2) Which ports did you open? The blog talks about port 135. TCP ports used by RPC and DCOM include port 135, port 445 as well as dynamically-assigned ports (usually in the range of 1024 to 1034).

    3) Did you enable

    Windows Firewall: Allow remote administration exception

    ?
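The reply above asks the poster to confirm three things by hand: that WBEMTEST can reach the remote server, that the RPC/DCOM ports are open, and that the remote administration firewall exception is enabled. The following PowerShell script is an added example (not from the thread, not an EBS tool) that performs the same three checks read-only, so the result can be pasted into a reply instead of described from memory. It assumes a Windows 8.1 / Server 2012 R2 or later host for `Test-NetConnection` and `Get-NetFirewallRule`, and `$Target` is a placeholder host name.

```powershell
# Added example, not from the thread. Read-only diagnostics for remote WMI access.
# Assumes: Windows 8.1/Server 2012 R2+ (Test-NetConnection, Get-NetFirewallRule).
# $Target is a placeholder; replace with the server the wizard cannot reach.
param([string]$Target = 'securityserver.my.domain')

$report = [ordered]@{}

# RPC endpoint mapper (135) and SMB (445). The dynamic RPC port is negotiated
# only after 135 answers, so a failure here blocks WMI before it starts.
foreach ($port in 135, 445) {
    $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $report["TCP $port"] = $r.TcpTestSucceeded
}

# The same DCOM query WBEMTEST issues against \\<target>\root\cimv2
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -Namespace 'root\cimv2' -ErrorAction Stop
    $report['WMI root\cimv2'] = "OK ($($os.Caption))"
} catch {
    $report['WMI root\cimv2'] = "FAILED: $($_.Exception.Message)"
}

# Local Windows Firewall: is the 'Remote Administration' rule group enabled?
# Run this part on the target server itself; it is the PowerShell view of the
# 'Allow remote administration exception' policy the reply refers to.
$ra = Get-NetFirewallRule -DisplayGroup 'Remote Administration' -ErrorAction SilentlyContinue
if ($ra) {
    $enabled = @($ra | Where-Object { $_.Enabled -eq 'True' })
    $report['Local Remote Administration rules enabled'] = $enabled.Count -gt 0
} else {
    $report['Local Remote Administration rules enabled'] = 'rule group not found'
}

[pscustomobject]$report | Format-List
```

Reading the output: if TCP 135 fails, the problem is network or firewall and no WMI setting will help; if 135 succeeds but the WMI query fails with an RPC server unavailable error, the dynamic port range or DCOM permissions are the next thing to look at; if the WMI query succeeds while the wizard still reports a connectivity failure, the wizard is not being blocked at the WMI layer and the analysis report's other sections are the better lead.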

  • >>net stop fwsrv

    done; also, I have surely

    shut down the "Windows Firewall with Advanced Security" on both the Management and Security servers

    Wbemtest (from the Management Server): still can't connect to \\security.mango.local\root\cimv2

    ???

  • If WBEMTEST is not working, the issue is not with the tool.  The issue is that WMI is still being blocked. We would like to open a support case for you to figure out what is going on, but we do need your contact information (name and phone number)  to do that.  Can you please reply with your contact information (when you reply to this post, we will not post your information publicly, so only EssentialBloggers will be able to see it)?

  • next attempt

    tried installing update rollup, no luck

    also I have reinstalled a brand new Security Server

    The freshly updated Preparation Wizard fails running from different computers

    Remote WMI access is enabled on servers

    Error: The <securityserver.my.domain> server could not be accessed using WMI. Actions that you can perform to resolve this issue might include stopping the firewall before you run the wizard, ensuring that the server is available, installing WMI provider on a Windows 2000 server, enabling WMI access on the server, or removing the server object from Active Directory Sites and Services if the server has been decommissioned.

    See also: KB 875605, KB 216364, KB 682138

  • Lev,

    We opened a support case for you, but need additional contact info details from you. I sent you an email with all the details.

    Julia

  • Follow-up with Lev:

    If you are running the Planning and Preparation wizards in an EBS Environment (or any environment with TMG/ISA, really), we have to be able to query WMI on the TMG server from the workstation or server you are running the wizards on.  If you can sacrifice taking the entire network offline while the wizards run (this obviously won't work if you have remote sites), running "net stop fweng /y" from the TMG server will allow the wizards to run.

    The more complete way to do this is to temporarily open up TMG to allow the wizards to run:

    1.  Create a bi-directional allow-all access rule between the two machines:

    Name:  Allow all

    Protocols:  All outbound traffic

    From:  local host; machine running wizards

    To:  local host; machine running wizards

    Users:  All users

    Right-click on the rule, choose "Configure RPC Protocol", and de-select "Enforce strict RPC compliance"

    2.  Edit the 'RPC (all interfaces)' protocol in toolbox and deselect the RPC filter.

    3.  Right-click on Firewall Policy, Choose 'edit system policy ...', and choose 'Active Directory'.   De-select "Enforce strict RPC compliance"

    Click apply and ok to save the settings, and refresh Monitoring\Configuration until it shows 'Server configuration matches the Configuration Storage server configuration'

  • I am getting the same error:

    "Connectivity did not occur during the prerequisite validation phase"

    The majority of the tests are skipped because of this.  

    The Windows Firewall is not enabled and we are not running ISA.  WBEMTest appears to connect and display objects using Enum Objects/Recursive.
