Can't read replication status from secondary domain controller

By mkoskenk

I have been troubleshooting an account lockout problem. I previously had a GPO in place that locks the user account after five wrong password login attempts. This caused some issues with our travellers, who would occasionally have to update the password over VPN or OWA. I removed the account lockout setting from the GPO, but the accounts still got locked out. I edited the GPO again and set the number of incorrect logins (account lockout threshold) to zero (which is the same as disabling the setting). Accounts still get locked out.

I started looking into this more deeply and checked replication between the two domain controllers we have. The AL lockout status tool is not able to connect to the secondary DC; it will only read the lockout status from the primary DC. However, in most cases it will show that the lockout has originated from the secondary DC.

I also ran the AD replication status tool. It checks two things from each DC: an LDAP query (objectClass=nTDSConnection) and the DC replication status. The LDAP query returns success from both servers, but the replication status cannot be read from the secondary DC. The error is:

Domain controller "FQDN.of.the.server" does not exist or it cannot be connected.

Also these two details are given about the error message:




I have read some references that SYSVOL or NETLOGON not being accessible could cause this but I checked it on both servers and I can access them. Security settings for shares are as MS suggests.

Running dcdiag on the secondary DC gives these two fails:

failed test frsevent
failed test systemlog

Other tests pass fine. All tests pass fine on the primary DC.

I'm running out of ideas about what to check next or how to proceed with fixing this... Any help is appreciated.
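An added diagnostic script (not from the original post) that checks the three things described above from one admin workstation: the effective domain lockout threshold, which computer the lockouts are coming from (event 4740 on the PDC emulator), and whether replication metadata can be read from each DC. It assumes the RSAT ActiveDirectory module and rights to read the Security log on the DCs; the user name is a placeholder.

```powershell
# Added example, not the poster's own tooling. Assumes RSAT ActiveDirectory module
# and permission to read the Security event log on the domain controllers.
Import-Module ActiveDirectory

$user = 'locked.user'          # placeholder: the account that keeps locking out
$domain = Get-ADDomain
$pdc = $domain.PDCEmulator     # lockouts are forwarded to the PDC emulator, so query it

# 0. Is the lockout threshold really 0 at the domain level? If the GPO edit did not
#    apply, this still shows the old value (e.g. 5).
$policy = Get-ADDefaultDomainPasswordPolicy
"Effective LockoutThreshold on {0}: {1}" -f $domain.DNSRoot, $policy.LockoutThreshold

# 1. Which computer sent the bad passwords? Event 4740 on the PDC emulator records the
#    caller computer name in its TargetDomainName field.
$events = Get-WinEvent -ComputerName $pdc `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -eq $user) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            User           = $d.TargetUserName
            CallerComputer = $d.TargetDomainName
            LoggedOnDC     = $e.MachineName
        }
    }
}

# 2. Can replication metadata be read from each DC? A DC that fails here is the one to
#    look at next with dcdiag /test:replications and repadmin /showrepl on that host.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop |
            Select-Object Server, Partner, LastReplicationSuccess,
                          LastReplicationResult, ConsecutiveReplicationFailures
    } catch {
        Write-Warning "Cannot read replication metadata from $($dc.HostName): $($_.Exception.Message)"
    }
}
```

Run it from a workstation that can reach both DCs; a warning from step 2 for one DC only reproduces the failure the question describes and points at that DC rather than at the account policy.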

