Article ID: 892426
For a Microsoft Windows Server 2003 version of this article, see 816577
A Windows 2000-based domain controller cannot replicate the configuration or the schema partitions with replication partners that belong to another domain of the forest. Additionally, if the domain controller is a global catalog server, it cannot replicate the other domain partitions with these replication partners.
In the following example, MYDC1 is a domain controller that belongs to the mydomain.com domain. MYDC2 is a replication partner of MYDC1 that belongs to the subdom.mydomain.com domain.
The following event is logged every 15 minutes in the Directory Services event log:
Event ID 1265:
Event ID: 63
If you run the dcdiag command on MYDC1, you receive the following output:
...
CN=Configuration,DC=mydomain,DC=com
    MySite\MYDC2 via RPC
        objectGuid: a6999e16-99b5-432f-9bc5-3eecf5dc192f
        Last attempt @ 2002-08-26 17:30.54 failed, result 1326:
            Logon failure: unknown user name or bad password.
        Last success @ 2002-08-19 14:42.40.
        1995 consecutive failure(s).
DC Diagnosis
...
   [Replications Check,DC-LV1] A recent replication attempt failed:
      From MYDC2 to MYDC1
      Naming Context: CN=Configuration,DC=mydomain,DC=com
      The replication generated an error (1326):
      Logon failure: unknown user name or bad password.
      The failure occurred at 2002-08-22 14:02.04.
      The last success occurred at 2002-08-20 17:10.52.
      617 failures have occurred since the last success.
      Kerberos Error.
      The machine account is not present, or does not match on the.
      destination, source or KDC servers.
      Verify domain partition of KDC is in sync with rest of enterprise.
      The repadmin /syncall command can be used for this purpose.
This issue occurs if the password of the inter-domain trust account is not synchronized on both sides of the trust relationship.
To resolve this issue, reset the trust relationship. To do this, follow these steps:
You can use either of the following two methods to view the trust relationship between the two domains.
Use the Active Directory Domains and Trusts snap-in.
Use the Netdom.exe command-line utility. At a command prompt, type netdom trust MyDomain /domain:subdom /verify, and then press ENTER. You receive the following output:
Although the tools that you use to examine the trust relationship status say that the trust relationship is okay, you receive an error message during the authentication between the domain controller and its replication partner over the trust.
MYDC1 must authenticate against MYDC2 before MYDC1 replicates from MYDC2. To authenticate, MYDC1 sends a Kerberos KRB_TGS_REQ request to the key distribution center of the subdom domain. The service principal name that MYDC1 uses for this authentication is the same one that it uses for replication. For example, the service principal name is E3514235-4B06-11D1-AB04-00C04FC2DCD2/a6999e16-99b5-432f-9bc5-3ee//mydomain.com.
The key distribution center of the child domain returns the following KRB_ERROR error message to this request:
Message stream modified.
This error message means that the key distribution center cannot decrypt the ticket-granting ticket data that is included in the request. Because the key that is used to decrypt this data comes from the password of the inter-domain trust account, resetting the key resynchronizes the password on both sides and fixes the problem.
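As an added illustration that is not part of this Knowledge Base article, the following Python script parses the replication-status block quoted above, rebuilds the replication SPN from the partner's objectGuid in the form the article gives, and applies the article's diagnosis to a result-1326 failure across a domain boundary. The sample text is copied from the article's output with line breaks restored; the Neighbour record and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass
# Constructed sample: the replication-status block quoted in the article, with its line breaks restored.
SAMPLE = """\
CN=Configuration,DC=mydomain,DC=com
    MySite\\MYDC2 via RPC
        objectGuid: a6999e16-99b5-432f-9bc5-3eecf5dc192f
        Last attempt @ 2002-08-26 17:30.54 failed, result 1326:
            Logon failure: unknown user name or bad password.
        Last success @ 2002-08-19 14:42.40.
        1995 consecutive failure(s).
"""
REPL_SPN_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"  # service class from the article
LOGON_FAILURE = 1326  # "Logon failure: unknown user name or bad password"
@dataclass
class Neighbour:                      # one inbound replication partner per naming context
    naming_context: str
    partner: str
    object_guid: str = ""
    result: int = 0
    consecutive_failures: int = 0
def parse_neighbours(text: str) -> list[Neighbour]:
    """Walk the status text line by line and collect partner records."""
    out, nc = [], ""
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("CN=", "DC=")):            # naming context header
            nc = s
        elif m := re.match(r"(\S+) via \w+$", s):   # "Site\Host via RPC"
            out.append(Neighbour(nc, m.group(1)))
        elif out and (m := re.match(r"objectGuid:\s*([0-9a-f-]{36})", s, re.I)):
            out[-1].object_guid = m.group(1)
        elif out and (m := re.search(r"failed, result (\d+)", s)):
            out[-1].result = int(m.group(1))
        elif out and (m := re.match(r"(\d+) consecutive failure", s)):
            out[-1].consecutive_failures = int(m.group(1))
    return out

def replication_spn(dsa_guid: str, domain_dns_name: str) -> str:
    """SPN form shown in the article: <service class>/<DSA objectGuid>/<domain>."""
    return f"{REPL_SPN_CLASS}/{dsa_guid}/{domain_dns_name}"

def diagnose(n: Neighbour, local_domain: str, partner_domain: str) -> str:
    """Article's rule: 1326 across a domain boundary means the trust password is out of sync."""
    if n.result != LOGON_FAILURE:
        return "other"
    if local_domain.lower() != partner_domain.lower():
        return "trust-password-mismatch"      # verify with netdom trust /verify, then reset the trust
    return "same-domain-logon-failure"        # dcdiag hint: check machine account / KDC sync
```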
Article ID: 892426 - Last Review: October 30, 2006 - Revision: 1.1