Rock996
asked on
primary domain controller (PDC) emulator cannot be contacted
When I attempt to check my trusts by right clicking on my AD Domain, I get the error: "you cannot modify domain or trust information because a primary domain controller (PDC) emulator cannot be contacted. Please verify that the PDC emulator and the network are both online and functioning properly."
I am not sure what is causing this. I don't know if this is the same issue or not, but I also don't know if I have a global catalog server or not, or how to make my DC a GC. Thanks for any help.
ASKER
Thanks Chris, that helped a lot. I have gotten the info from the ntdsutil. It looks like I have the correct name loaded for the PDC: "PDC - CN=NTDS Settings\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97,CN=CCI_DC".
The server name is CCI_DC but I still get the error I mentioned earlier. Is it possible to reregister CCI_DC as the PDC? If I haven't given enough info, please let me know, and thank you for the help so far.
Eric
This bit:
\0ADEL:8daa7e71-2851-4a59-
Doesn't look too helpful - did you have a domain controller fail at some point? Are any of the other FSMO roles displaying like that?
To make sure your CCI_DC is the PDC do:
Start
Run
ntdsutil
Roles
Connections
Connect to Server CCI_DC
Quit
Then first try:
Transfer PDC
If that fails try:
Seize PDC
We're pretty safe doing this with the PDC without making absolutely sure that the server that holds it is never coming back. But for most of the other roles, seizing is a pretty serious step.
ASKER
Okay, I seized the PDC and it is now listing it correctly in the ntdsutil: "PDC - CN=NTDS Settings,CN=CCI_DC". But the problem still exists when I try and check the properties of the AD. Am I missing something still?
Do this little lot from the command line and try again:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
It's possible it just isn't registered in DNS, those commands should make it check everything has been registered properly.
Also run dcdiag and netdiag on your DCs from the command line... these are two tests that check whether your domain is set up correctly. If you don't have these tools installed you can install them from MS's website for free.
ASKER
I am still getting the same error. I have the correct machine listed in NTDSUTIL, but I am unable to check Trusts because it says the PDC does not exist. I also get this error when I attempt to check Group Policies: "Domain controller not Found. The Domain Controller for Group Policy operations is not available"
Can you drop in the full output from ntdsutil above for where it thinks the roles are assigned. And dcdiag / netdiag as Mike suggests would be good.
ASKER
I get a lot of test failures when I run DCDIAG. When I run DCDIAG it also seems to still be holding that \0ADEL:8daa7e71-2851-4a59-ab91-706930738b97 as the domain controller instead of the name. That no longer shows up during a check of the PDC in the NTdiagUtil. Here are some of the errors:
Warning: CCI_DC is not advertising as a time server.
......................... CCI_DC failed test Advertising
Starting test: KnowsOfRoleHolders
Warning: CN=NTDS Settings\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97,CN
=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=us,DC
=ccius,DC=com is the Rid Owner, but is deleted.
......................... CCI_DC failed test KnowsOfRoleHolders
Starting test: RidManager
Warning: FSMO Role Owner is deleted.
Warning: attribute rIdSetReferences missing from CN=CCI_DC,OU=Domain Co
ntrollers,DC=us,DC=ccius,DC=com
The last one says: Warning: DcGetDcName(PDC_Required) call failed, error 1355 A Primary Domain Controller Could not be located. The server holding the PDC role is down
ASKER
Okay, this is a lot of text, but here is the full txt from both tests:
NTDSUTIL:
fsmo maintenance: transfer PDC
Server "CCI_DC" knows about 5 roles
Schema - CN=NTDS Settings,CN=JEDI,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=us,DC=ccius,DC=com
Domain - CN=NTDS Settings,CN=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sit
es,CN=Configuration,DC=us,DC=ccius,DC=com
PDC - CN=NTDS Settings,CN=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
CN=Configuration,DC=us,DC=ccius,DC=com
RID - CN=NTDS Settings\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97,CN=CCI_DC,CN=S
ervers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=us,DC=ccius,DC=co
m
Infrastructure - CN=NTDS Settings,CN=JEDI,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=us,DC=ccius,DC=com
fsmo maintenance: quit
ntdsutil: quit
DCDIAG:
C:\Documents and Settings\Administrator.CCIUS>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\CCI_DC
Starting test: Connectivity
......................... CCI_DC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\CCI_DC
Starting test: Replications
......................... CCI_DC passed test Replications
Starting test: NCSecDesc
......................... CCI_DC passed test NCSecDesc
Starting test: NetLogons
......................... CCI_DC passed test NetLogons
Starting test: Advertising
Warning: CCI_DC is not advertising as a time server.
......................... CCI_DC failed test Advertising
Starting test: KnowsOfRoleHolders
Warning: CN=NTDS Settings\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97,C
=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=us,D
=ccius,DC=com is the Rid Owner, but is deleted.
......................... CCI_DC failed test KnowsOfRoleHolders
Starting test: RidManager
Warning: FSMO Role Owner is deleted.
Warning: attribute rIdSetReferences missing from CN=CCI_DC,OU=Domain C
ntrollers,DC=us,DC=ccius,DC=com
Could not get Rid set Reference :failed with 8481: The search failed t
retrieve attributes from the database.
......................... CCI_DC failed test RidManager
Starting test: MachineAccount
......................... CCI_DC passed test MachineAccount
Starting test: Services
......................... CCI_DC passed test Services
Starting test: ObjectsReplicated
......................... CCI_DC passed test ObjectsReplicated
Starting test: frssysvol
......................... CCI_DC passed test frssysvol
Starting test: frsevent
Error 5 opening FRS eventlog \\CCI_DC:File Replication Service:
Access is denied.
......................... CCI_DC failed test frsevent
Starting test: kccevent
Error 5 opening FRS eventlog \\CCI_DC:Directory Service:
Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... CCI_DC failed test kccevent
Starting test: systemlog
Error 5 opening FRS eventlog \\CCI_DC:System:
Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... CCI_DC failed test systemlog
Starting test: VerifyReferences
......................... CCI_DC passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidatio
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidatio
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : us
Starting test: CrossRefValidation
......................... us passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... us passed test CheckSDRefDom
Running enterprise tests on : us.ccius.com
Starting test: Intersite
......................... us.ccius.com passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 13
5
A Good Time Server could not be located.
......................... us.ccius.com failed test FsmoCheck
C:\Documents and Settings\Administrator.CCIUS>PDC - CN=NTDS Settings,CN=CCI_DC
You have more than 1 DC, right? I would transfer all the roles to one, wait 20 min or so and then run the tests again.
The RID Master role needs to be moved to a server that is alive... this will do it:
Start
Run
ntdsutil
Roles
Connections
Connect to Server CCI_DC
Quit
Seize RID Master
Seize for this role is acceptable since the DC it is hosted on has been deleted.
Give it 20 minutes, then rerun dcdiag again...
ASKER
I waited about a half hour after seizing the PDC and RID roles for the server called CCI_DC. I still got the same error. I then took my backup controller and transferred the roles to it. I still get the same error. I cannot get a PDC recognized by either DC.
Silly one first, can you check the Windows Time service is started on CCI_DC.
Fun stuff... it doesn't look like they are registering ownership of the services in DNS correctly. Now this isn't too surprising actually because by default DNS does not support names with underscores in.
So head to your DNS Server and follow the instructions in here:
http://www.petri.co.il/naming_convention_in_windows_2000_2003_dns.htm
Once done try:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
Then see if the errors are still in DCDiag.
ASKER
I wish I could offer more help, but this problem still exists. I have made all of the changes suggested and the problem persists. I think they have had a machine that did not get demoted properly set up as the same name in the past (cci_dc). I think that may be where the \0ADEL:8daa7e71-2851-4a59-ab91-706930738b97 characters are coming from. I can't understand why handing all of this off to the Backup DC hasn't resolved it either though. The time server is running. I checked that after reading the dcdiag. Still shows as not running in the diag though.
It might be worth Transferring the PDC Role to Jedi, just to see if it still reports the same problem.
The steps for that one are:
Start
Run
ntdsutil
Roles
Connections
Connect to Server Jedi
Quit
Transfer PDC
Chris
ASKER
Sorry, I wasn't more clear. I did transfer it to Jedi and I still have the same problem. The result of this problem is the Trust to our remote site is down. That is why the urgency to resolve this.
Well it's possible that it's a problem with DNS, happy to go ahead and re-create the DNS zones to see if that has any effect?
I'll go and find out where I left the steps to do it.
Okay... this is the article we need to use, let me know if you have any questions about it:
http://support.microsoft.com/?kbid=305967
This completely deletes any information stored in DNS, and should not be performed without preparation if you have a lot of static records in DNS.
If the records are all dynamically registered you should have no problem.
Chris
ASKER
I went through that article and followed the instructions to clear bad data. I am going to give it some time to repopulate and I will recheck the PDC status; an immediate check still failed.
ASKER
I appreciate all of the help you have given so far, but I am still at a loss here. I still am not able to get past the No PDC message. DCDiag still reports:
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Okay in theory DNS is advertising the correct server now, but it would be a good idea to make absolutely sure...
Open DNS Manager, expand the _msdcs folder then the _pdc folder and the _tcp folder under that one.
There should be an _ldap record in there and the name of a server which will hopefully match the name of your normal server?
Chris
ASKER
You are correct, it is advertising the correct name in the _ldap record.
It is also still giving me the error that says no PDC emulator found.
ASKER
If I have to go into every machine and manually set the PDC and every instance that MS looks, I will. Do you have any other suggestions on forcing the correct machine to be the PDC? I have already done the seize with no change in error messages. Are there any other settings I can manually change or clear?
Sorry for the lack of response... holiday yesterday and stuff.
Okay, if DNS is reporting it correctly then it points more towards something in the AD database being incorrect. You may want to consider following the steps in this article - I'm not sure how far you'll get since the status of the dead server was a bit ambiguous:
http://www.petri.co.il/fix_unsuccessful_demotion.htm
See how that goes to start with if you could.
Chris
ASKER
No problem Chris, I understand the holiday, I appreciate the help you've given so far. I read the document yesterday and it reported the correct DC and all of the correct machines; nothing seems wrong using that article, but from it I decided to do a few things. I transferred the PDC role to Jedi (the BDC) last week. I verified that DcDiag saw Jedi as the PDC. I then demoted CCI_DC (the current DC) to a standalone server and then shut it down. I reran the commands in the document you suggested and it still reported correctly, CCI_DC was now gone from the list and just Jedi showed up, authentication was fine, DCDiag still reported no PDC:
(Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.)
I brought up a new server (also Server 2003) and promoted it to a DC and then transferred PDC roles to it. The above document and Dcdiag verified the successful transfer but still reported that the server holding the PDC role is down. So my question is this: if it is being seen as the PDC by DNS, Ntdsutil, and most of the tests in DCdiag, where is it looking when it does the FsmoCheck? If I know where that is, maybe I can change that. It seems to have the PDC role correct in most of the locations it should, but whatever the Trust uses and the FsmoCheck uses, it is still advertising an incorrect setting.
thanks again,
Eric
ASKER
The "dcdiag /e /c /v /f:logfile.txt" gave me enough info to figure it out. It always ends up being something simple and dumb. An old NT server on the network was advertising itself as the PDC. The extended DCDIAG reported that it was advertising. I shut the NT server down and everything started working. Chris, thank you very much for all the help over the last weeks.
Eric
Pleasure Eric... glad it's all working now.
Chris
***ERROR: There is an inconsistency in the DS, suggest you run dcdiag in a
few moments, perhaps on a different DC.
To check if you have a PDC Emulator do this lot:
Start
Run
ntdsutil
This brings up a lovely black screen with the ntdsutil prompt. Typing the following will tell you where all the FSMO roles are (including the PDC emulator):
Roles
Connections
Connect to Server <Then the name of any of your Domain Controllers>
Quit
Select Operation Target
List Roles for Connected Server
And you get a screen full of data telling where each of the roles are, the line you want looks something like this:
PDC - CN=NTDS Settings,CN=<The Name of the Server That is PDC Goes here>
Followed by the rest of the ADS path (which you don't need to worry about too much). Make sure that server exists though - the PDC Emulator is quite important.
If the server is the right one then just type Quit until NTDSUtil exits. If not post again and it can be fixed.
To check something is a Global Catalog open Active Directory Sites and Services and find your server in the tree. Underneath it you should see NTDS Settings, right click on there and select properties and there will be a little tick box for Global Catalog. That's all you have to do to make something a GC.
Hope this helps so far.
Chris
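Added example, not part of the original thread and not code from any poster or from Microsoft: a Python check over a saved "List roles for connected server" listing that rejoins the console-wrapped DNs, names the server holding each FSMO role, and flags any role whose NTDS Settings object carries the \0ADEL: deleted-object marker seen for the RID role above. The sample text is constructed from the listing quoted in this thread, the function names are this example's own, and the no-whitespace rule for continuation lines is a heuristic assumption.

```python
import re

ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")
ROLE_LINE = re.compile(r"^(%s) - (CN=.*)$" % "|".join(ROLES))
# ntdsutil prints a tombstoned object as <name>\0ADEL:<objectGUID>
DELETED = re.compile(r"\\0ADEL:([0-9a-fA-F-]{36})")

# Constructed sample, modelled on the listing quoted in this thread.
SAMPLE = """\
Server "CCI_DC" knows about 5 roles
Schema - CN=NTDS Settings,CN=JEDI,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=us,DC=ccius,DC=com
Domain - CN=NTDS Settings,CN=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sit
es,CN=Configuration,DC=us,DC=ccius,DC=com
PDC - CN=NTDS Settings,CN=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
CN=Configuration,DC=us,DC=ccius,DC=com
RID - CN=NTDS Settings\\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97,CN=CCI_DC,CN=S
ervers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=us,DC=ccius,DC=co
m
Infrastructure - CN=NTDS Settings,CN=JEDI,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=us,DC=ccius,DC=com
fsmo maintenance: quit
"""


def parse_roles(text):
    """Return {role: DN}, undoing the console's line wrapping of each DN."""
    roles, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = ROLE_LINE.match(line)
        if m:
            current = m.group(1)
            roles[current] = m.group(2)
        elif current and line and not re.search(r"\s", line):
            # Heuristic: a wrapped DN fragment contains no whitespace,
            # while prompts such as "fsmo maintenance: quit" do.
            roles[current] += line
        else:
            current = None
    return roles


def audit(text):
    """Return (roles, findings); findings are (role, server, problem) tuples."""
    roles = parse_roles(text)
    findings = []
    for role in ROLES:
        dn = roles.get(role)
        if dn is None:
            findings.append((role, None, "missing"))
            continue
        rdns = re.split(r"(?<!\\),", dn)      # split on unescaped commas
        server = rdns[1].partition("=")[2] if len(rdns) > 1 else None
        m = DELETED.search(rdns[0])           # marker sits on NTDS Settings
        if m:
            findings.append((role, server, "deleted:" + m.group(1)))
    return roles, findings


if __name__ == "__main__":
    for role, server, problem in audit(SAMPLE)[1]:
        print("%-15s %-10s %s" % (role, server, problem))
```

A clean result only says the role owner objects exist in the directory; it says nothing about which host answers the PDC locator query, which is what the FsmoCheck test exercises.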