Active Directory Replication Problems Solved with Preparation Wizard


For those of you who are new to these tools, we’ve talked about the Preparation and Planning


Wizards before on our blog.  We also have a dedicated page for it here.  As well, the team over at


TechNet Edge did an article on the tools.


 


These tools are not just for customers with Essential Business Server or those who are planning to


deploy this solution in their environments. These tools are for anyone with Active Directory in


their network who would like to verify the health of their environment.


 


Today I would like to focus on a special category of issues that these tools help resolve around


Active Directory replication.  


 


As a member of the EBS team, I see a lot of mid-sized networks (25-300 PCs) where


Active Directory replication errors are very common. These issues are also very hard to troubleshoot, mostly because there are quite a few potential causes of these problems.  To name just a few, AD replication may fail due to DNS issues, connectivity problems, security issues, time synchronization problems, etc. etc. TechNet has a great description of some of these potential causes.


How do the tools help find and resolve AD replication issues?


Preparation Wizard is a great tool that helps troubleshoot Active Directory replication issues.  The tool scans the existing network, identifies the source of AD replication errors and provides links to knowledge based articles that explain how to correct these issues. In order to identify the source of Active Directory replication errors, Preparation Wizard uses LDAP, DNS queries and WMI to contact each server in the network and run a set of checks to verify that AD replication is functioning correctly.  In addition, the tool specifically looks for events that indicate Active Directory replication problems. Note that Preparation Wizard does not change the environment, so the tool is completely safe to run at any time!


How is it different from other tools?


Unlike many other known tools which simply dump large amounts of networking data collected from a single source (such as event logs, for instance), Preparation Wizard is able to gather data from many different areas( Active Directory, DNS, SYSVOL, event logs, etc.), cross reference that data, and make conclusions about the overall health of the network. Preparation Wizard has over 100 different checks which are based on most common issues resolved by Microsoft Customer Support Services over the past 10 years!


Specifics tool verifies?


There are several tests that Preparation Wizard runs to ensure AD replication functions correctly.  Among others, the tool verifies that:


·         Network connectivity is available and network settings are properly configured


·         Name resolution for all domain controllers is functioning properly


·         Inbound AD replication is enabled for all domain controller


·         Outbound AD replication is enabled for all domain controllers


·         AD replication with corrupt partners is disabled


·         Each domain controller replicates changes within a certain threshold (AD replication is fast enough)


·         Domain, Schema, and Configuration naming contexts are defined on all domain controllers in the Active Directory sites


·         All naming contexts can replicate successfully


·         Knowledge Consistency Checker’s automatic generation of intra-site or inter-site topology management is enabled


Go get it – it’s FREE!


http://www.microsoft.com/ebs/en/us/preparation.aspx


Link to supporting documents and other resources on troubleshooting Active Directory replication:


http://www.windowsnetworking.com/articles_tutorials/Active-Directory-Troubleshooting-Part1.html


http://searchwindowsserver.techtarget.com/generic/0,295582,sid68_gci1263312,00.html#


 


Thanks!


Julia Kuzminova
EBS Community Program Manager

Comments (17)

  1. s.sullivan1 says:

    Have you tried troubleshooting WMI as suggested in this article:

    http://support.microsoft.com/kb/875605

    (Preparation Wizard should be pointing to this article) ?

    Also, how did you disable the firewall on the Security Server?  net stop "microsoft firewall"?

  2. s.sullivan1 says:

    Try stopping firewall by running:

    net stop fwsrv

    from the command line.  Also, it would be helpful to know exactly which steps you tried from the blog you are pointing to:

    1) Did you try to run WBEMTEST?

    2) Which ports did you open? The blog talks about port 135. TCP ports used by RPC and DCOM include port 135, port 445 as well as dynamically-assigned ports (usually in the range of 1024 to 1034).

    3) Did you enable

    Windows Firewall: Allow remote administration exception

    ?

  3. s.sullivan1 says:

    You should be ready to upgrade :). To answer you questions:

    .Com or .Local does not matter — you should be ok with this configuration.

    Exchange 2007 does allow you to have over 2GB per mailbox, so you will be able to migrate those mailoxes just fine.

    EBS has the Active-Sync feature with Exchange 2007 as well, so you can use it (our default firewall rules allow Active Sync communication with Exchange). As far as Blackberry, you will need to check with your vendor about its compatibility with Exchange 2007 (but most likely it will work).

  4. s.sullivan1 says:

    Lev,

    We opened a support case for you, but need additional contact info details from you. I sent you an email with all the details.

    Julia

  5. s.sullivan1 says:

    Please make sure that:

    1) Remote WMI access is enabled (since the tool uses WMI to contact all DCs, DNS and Exchange servers in the network). See http://support.microsoft.com/kb/875605 for details.

    2) You are running the tool in the root domain.

    3) If you continue getting collection errors, take a look at the AD (specifically, machine accounts under Active Directory Users and Computers) and make sure it reflects your current infrastructure.

    Finally, details about each error are recorded in Windows Essential Business ServerWizardsLogsWEBS.BPA.Console.log file.

    Let us know if you are still having problems!

  6. s.sullivan1 says:

    If WBEMTEST is not working, the issue is not with the tool.  The issue is that WMI is still being blocked. We would like to open a support case for you to figure out what is going on, but we do need your contact information (name and phone number)  to do that.  Can you please reply with your contact information (when you reply to this post, we will not post your information publicly, so only EssentialBloggers will be able to see it)?

  7. paul says:

    I’m running the EBS Server prep tool and can’t get it to run sucessfully nor does it give me any ideas of the problem beyond “Connectivity did not occur during the prerequisite validation phase. Refer to sections of the analysis report for details.”  and then: Server can be queried using DNS “DNS query access for DNS server sbs1.zebra.com” is the error message. Not sure where to even start troubleshoot. Is this because it is not a .local domain? Any help would be greatly appreciated.

  8. paul says:

    OK, everything works now; there were two issues it turns out.

    1) Firewall address is .254 but gateway is .1 because of VLAN after changing to .1 the EBS wizard ran complete but with a DNS query failure.

    2) DNS query failure was a result of an old DNS machine still referenced in the current machine. After running DNScleanup.vbs and removing this reference, everything ran fine. Only warning was MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries, correct via reference in tool and everything was good.

    Now my question would be since the EBS wizard ran without error, is the domain a candidate for upgrade correct? Given that this domain is a .com instead of .local what would you do? The .com domain isn’t the same as their public facing site nor do they even have it registered or access it. There is no significance / relationship between the internal domain name and the corresponding public name. I appreciate your help and hope you can provide some insight here too.

    Paul

  9. paul says:

    OK, it’s working now, I think it was a combination of two problems.

    1) EBSW wouldn’t scan with the FW address .254 but using the gateway of .1 it would but fail. I think this is related to the VLAN setup.

    2) Once the gateway was corrected, the failure indicating a left over DNS server from SBS2K to SBS2k3 upgrade (inherited network, I know better, lol) Once I cleaned up DNS, it worked like a charm.

    So now that it’s running, I’ve got a few questions with regards to upgrading.

    Do I need to have any concern with regards to it being a DC with .Com instead of .Local? A little background, it’s not the same internal as external DN. Also the DN they are using internally doesn’t have anything to do with them externally, although it is a valid DN, they don’t have any need to access it.

    Migrating Exchange, they have 8 mailboxes over 2GB each, is that a concern?

    Do you know if I can run Blackberry Pro and Active-Sync on EBS 2008?

    Thanks for the help.

    Paul

  10. LevT says:

    Thank you reply

    I have tried all the stuff listed here:

    http://social.microsoft.com/Forums/ru-RU/netfxbcl/thread/4207c95f-bfbc-4b04-8d99-27abd5c0d96b

    getting exatcly the same feedback. No luck.

    In addition I have tried to stop the Microsoft Firewall with the Services mmc GUI snapin, and check again. No difference.

  11. LevT says:

    >>net stop fwsrv

    done; also, I have surely

    shut down the “Windows Firewall with Advanced Security” on both the Management and Security servers

    Wbemtest (from the Management Server): still can’t connect to \security.mango.localrootcimv2

    ???

  12. LevT says:

    next attempt

    tried installing update rollup, no luck

    also I have reinstalled a brand new Security Server

    The freshly upodated Preparation Wizard fails running from different computers

    Remote WMI access is enabled on servers

    Error: The <securityserver.my.domain> server could not be accessed using WMI. Actions that you can perform to resolve this issue might include stopping the firewall before you run the wizard, ensuring that the server is available, installing WMI provider on a Windows 2000 server, enabling WMI access on the server, or removing the server object from Active Directory Sites and Services if the server has been decommissioned.

    See also: KB 875605, KB 216364, KB 682138

  13. Mark Stanfill says:

    Follow-up with Lev:

    If you are running the Planning and Preparation wizards in an EBS Environment (or any environment with TMG/ISA, really), we have to be able to query WMI on the TMG server from the workstation or server you are running the wizards on.  If you can sacrifice taking the entire network offline while the wizards run (this obviously won’t work if you have remote sites), running "net stop fweng /y" from the TMG server will allow the wizards to run.

    The more complete way to do this is to temporarily open up TMG to allow the wizards to run:

    1.  Create a bi-directional allow-all access rule between the two machines:

    Name:  Allow all

    Protocols:  All outbound traffic

    From:  local host; machine running wizards

    To:  local host; machine running wizards

    Users:  All users

    Right-click on the rule, choose "Configure RPC Protocol", and de-select "Enforce strict RPC compliance"

    2.  Edit the ‘RPC (all interfaces)’ protocol in toolbox and deselect the RPC filter.

    3.  Right-click on Firewall Policy, Choose ‘edit system policy …’, and choose ‘Active Directory’.   De-select "Enforce strict RPC compliance"

    Click apply and ok to save the settings, and refresh MonitoringConfiguration until it shows ‘Server configuration matches the Configuration Storage server configuration’

  14. Tim Jackson says:

    I am getting the same error:

    "Connectivity did not occur during the prerequisite validation phase"

    The majority of the tests are skipped because of this.  

    The Windows Firewall is not enabled and we are not running ISA.  WBEMTest appears to connect and display objects using Enum Objects/Recursive.

  15. Tim Jackson says:

    FIXED my problem!

    I ran DCDIAG with Win2K3 SP2 Support Tools and found that both the Windows Time and Intersite Messaging services were set to Disabled.  I set to Automatic and started them both, and the EBS Preparation Wizard ran correctly.

    Just wanted to share with others.  Thanks.

  16. LevT says:

    Hi

    the Preparation Wizard gave me an impression of its capability to install a fresh servers trinity (i.e. new instance of EBS 2008) in existent EBS domain

    But this impression is false: the Planning wizard denies an attempt installing new Management instance while the first one is connected. It forces the "single server replacement" scenario inadvertenly.

    The Preparation wizard may check this condition in the first screen.