Troubleshooting NETLOGON Domain Sync messages.

(Last modified: 08Oct2002)

This document (10062713) is provided subject to the disclaimer at the end of this document.

goal

Troubleshooting NETLOGON Domain Sync messages.

fact

Novell Account Management 2.1

symptom

5716 The partial synchronization replication of the SAM database from the primary domain controller \\PDCname failed with the following error: <no error> 0000: c0000134

5717 The full synchronization replication of the SAM database from the primary domain controller \\PDCname completed successfully.

5713 The full synchronization request from the server BDCname completed successfully. 258 object(s) has(have) been returned to the caller.

5712 The partial synchronization request from the server BDCname failed with the following error:
<no error> 0000: c0000134 (STATUS_SYNCHRONIZATION_REQUIRED)

5712 The partial synchronization request from the server BDCname failed with the following error: group already exists.

5730 - Replication of the SAM Global group (RID:0x200) from primary domain controller <Domain name> failed with the following error: cannot perform this operation on built-in accounts.

fix

Verify that the SAMSRV.DLL on each of the Domain Controllers is the same version and that none of the Domain Controllers are using an older version of the SAMSRV.DLL.

Verify the RIDs for the built-in accounts Guest and Administrator exist. Verify the built-in Domain and Local Groups have not been deleted and have the correct RIDs. These steps can be done with the NDS for NT Toolbox 1.3a NDS4NTTB.EXE available from Novell Support.

Verify the Domain Object in DS has supervisor rights to all the objects in the tree that are members of the domain. If the domain object cannot read all the attributes when syncing to one of the BDCs, the sync will fail and retry over and over.

Check this using the NDS4NT Tool Box with the following steps:

SELECT <NDS TOOLS>
Type the FDN of the domain object, press USERS, and then press RIGHTS. This will check the effective rights of the Domain Object to each member of the Domain. If there are any errors, please add the Domain as a trustee of the User with Supervisor rights.

Obtain the latest SAMSRV.DLL patch from Novell Support. Partial sync errors with "group already exists" errors are fixed in a SAMSRV patch.

Using the NDS for NT Toolbox 1.3a NDS4NTTB.EXE, check for incomplete users or workstations. If any are found, delete the accounts from the domain and then re-add the account. Check for incomplete users again before proceeding. Incomplete accounts can cause NETLOGON Domain Sync errors and can prevent adding a new domain controller to the domain.

As a last resort, the NT servers use a file called NETLOGON.CHG to see if they need to perform a sync. If this file becomes corrupt, the Domain Controller will request a sync from the PDC. The Novell version of SAMSRV.DLL does not update this change log, so if the domain was in a healthy state when everything was installed, these files should be the same on all servers.

The only way to get that file back in sync is to replace Novell's version of Samsrv.dll with the Microsoft Samsrv.dll, let the sync occur, and then put Novell's version of Samsrv.dll back in place. IMPORTANT NOTE: The Administrator user's password will be whatever it was before NDS for NT or Account Management was installed. For the duration of this procedure, the NT SAM database will basically be whatever it was before the database was redirected to NDS. The current NT accounts and passwords remain in NDS and are not affected by this procedure.

To do this please follow these steps starting with the PDC:

1.  Stop the Novell Service Pack Sentry service, and set the service to Disabled.
2.  Rename \WINNT\SYSTEM32\SAMSRV.DLL to SAMSRV.NOV
3.  Copy \WINNT\SYSTEM32\MSSAMSRV.DLL to SAMSRV.DLL
4.  Rename \WINNT\SYSTEM32\SPSENTRY.EXE to SPSENTRY.NOV

Repeat these four steps on each of the BDCs, and then shut down the PDC and all the BDCs. Start the PDC alone, and once it is finished, load one BDC and watch for a NETLOGON event indicating that a full sync of the domain succeeded. Then load another BDC and watch for the full sync to happen again. Repeat until all BDCs have been loaded and the domain has fully synched. This will allow the NETLOGON.CHG file to be updated and recreated if needed.

At this point reverse the steps above to put the correct files back and restart the Novell Service Pack Sentry service as follows:

1. Rename \WINNT\SYSTEM32\SPSENTRY.NOV to SPSENTRY.EXE
2. Rename \WINNT\SYSTEM32\SAMSRV.DLL to MSSAMSRV.DLL
3. Rename \WINNT\SYSTEM32\SAMSRV.NOV to SAMSRV.DLL
4. Set the Novell Service Pack Sentry service to autostart.

Reboot each of the servers, PDC first. The databases should be redirected again.
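
The step above that loads one BDC at a time and waits for a full-sync NETLOGON event can be checked from exported event records. The following Python is an added example, not part of the Novell document: the `computer|event id|message` export format and the names PDC1, BDC1, BDC2 and BDC3 are assumptions, while the event IDs, message wording and status code come from the symptom list.

```python
import re

# Event IDs and wording are taken from the symptom list on this page.
FULL_SYNC_OK = {5713, 5717}        # full synchronization completed successfully
SYNC_FAILED = {5712, 5716, 5730}   # partial sync or group replication failed
STATUS_NAMES = {"c0000134": "STATUS_SYNCHRONIZATION_REQUIRED"}

# 5712/5713 are logged on the PDC and name the requesting BDC in the text;
# 5716/5717/5730 are logged by the BDC itself.
REQUESTER = re.compile(r"request from the server (\S+)", re.I)
STATUS = re.compile(r"0000:\s*([0-9a-f]{8})", re.I)

def parse_line(line):
    """Split one 'computer|event id|message' record (assumed export format)."""
    computer, event_id, message = line.split("|", 2)
    event_id = int(event_id)
    m = REQUESTER.search(message) if event_id in (5712, 5713) else None
    bdc = (m.group(1) if m else computer).strip("\\").upper()
    s = STATUS.search(message)
    code = s.group(1).lower() if s else None
    return bdc, event_id, STATUS_NAMES.get(code, code)

def sync_status(lines, bdcs):
    """Replay events in order; return {bdc: (state, failures, last_status)}."""
    result = {b.upper(): ("pending", 0, None) for b in bdcs}
    for line in lines:
        bdc, event_id, status = parse_line(line)
        if bdc not in result:
            continue
        _, failures, last = result[bdc]
        if event_id in FULL_SYNC_OK:
            result[bdc] = ("synced", failures, last)
        elif event_id in SYNC_FAILED:
            # A failure after a success puts the BDC back in the failing state.
            result[bdc] = ("failing", failures + 1, status or last)
    return result

# Constructed sample records; PDC1, BDC1 and BDC2 are placeholder names.
SAMPLE = [
    r"PDC1|5712|The partial synchronization request from the server BDC1 failed with the following error: <no error> 0000: c0000134",
    r"BDC1|5716|The partial synchronization replication of the SAM database from the primary domain controller \\PDC1 failed with the following error: <no error> 0000: c0000134",
    r"BDC1|5717|The full synchronization replication of the SAM database from the primary domain controller \\PDC1 completed successfully.",
    r"PDC1|5712|The partial synchronization request from the server BDC2 failed with the following error: group already exists.",
]

if __name__ == "__main__":
    for name, info in sync_status(SAMPLE, ["BDC1", "BDC2", "BDC3"]).items():
        print(name, *info)
```

A BDC reported as "pending" or "failing" has not yet logged a successful full sync, so the next BDC should not be loaded and the original files should not be restored yet.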

document

Document Title: Troubleshooting NETLOGON Domain Sync messages.
Document ID: 10062713
Solution ID: NOVL49263
Creation Date: 29May2001
Modified Date: 08Oct2002
Novell Product Class: NetWare
Novell eDirectory

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.