Here's the situation:
I created a new domain in an existing forest using Windows Server 2003. I did not configure DNS (I selected that I would set it up later).
DCPROMO ran fine, and the new domain was up and running. I went to set up the DNS server, and it won't let me create a partition to store the DNS on. I get this error when I click "Create Default Application Directory Partitions...":
"The partition to replicate zone data to all DNS servers in the Active Directory domain was not created. The application directory partition operation failed. The domain controller holding the domain naming master role is down or unable to service the request or is not running Windows Server 2003".
The DN master role is held by another 2003 server in our main domain, and it is pingable by NetBIOS name and FQDN, etc... I have tried restarting Netlogon on both machines to no avail. DNS on the new server is pointing to itself and is running fine, but the new domain's DNS information is not replicating to our other DNS servers. The new DNS server is reading all of the other domains' DNS information just fine, and all of the other domains' forward & reverse lookup zones show up on the new DNS server.
I can't seem to find the root cause; I keep running in circles. DCDIAG gives me this as the only semi-error:
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source SERVER-IN-OTHER-DOMAIN
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
Of course, they are not replicating at all despite what it says. I can pull replication through Sites & Services, but when I try to replicate with the new domain from any other domain controller I get this:
"The following error occurred during the attempt to synchronize naming context Configuration from domain controller NEWDOMAINCTRL to domain controller PRIMARYDOMAINCTRL:
The naming context is in the process of being removed or is not replicated from the specified server.
This operation will not continue."
What else...
When I try to add the new domain's Administrator to the Enterprise Admins universal security group, I get stopped due to the primary domain knowing almost nothing about the new domain (no DNS info on it due to lack of replication...):
"The following error prevented the display of any items:
The server is not operational."
I added the new domain controller to HOSTS & LMHOSTS on one of the primary domain's controllers and got this when trying to browse the ADUC contents of the new domain:
"The following error prevented the display of any items:
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."
Somehow I had gotten past that before and was able to browse the contents of the new domain's ADUC, but was stopped when clicking OK after adding NEWDOMAIN\Administrator to the group. It gave me an error about the user not actually existing, and waiting 15 minutes for the GC to replicate (which would never happen).
And the worst part:
I can't just DCPROMO and remove the domain to start over. I get this error when trying to uninstall AD:
"The operation failed because:
Active Directory could not transfer the remaining data in directory partition CN=Schema,CN=Configuration,DC=PRIMARYDOMAIN,DC=COM to the domain controller PRIMARYDC.PRIMARYDOMAIN.COM.
'The DSA operation is unable to proceed because of a DNS lookup failure.'"
I've almost given up on this, but I really, really don't want to be cleaning up metadata for the next week or so. Any ideas?
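The following PowerShell script is an added diagnostic example; it is not part of the original post and not the poster's code. Every error quoted above ends in some form of "cannot reach the domain naming master" or "DNS lookup failure", and what the DSA actually resolves is not just the host name but the `<dsa-guid>._msdcs.<forest root>` CNAME and the `_ldap._tcp.dc._msdcs` SRV record, from whichever DNS server each DC points at. The script checks those lookups in both directions (new DC resolving the naming master, naming master resolving the new DC). It assumes `Resolve-DnsName` (DnsClient module, Windows 8 / Server 2012 and later, so run it from a modern admin workstation) and `repadmin` on the path; all host names and the forest root name are placeholders you must replace.

```powershell
# Added example, not code from the original post. Verifies the DNS lookups that AD
# replication and DCPROMO depend on, against the DNS server each side actually uses.
# Assumes Resolve-DnsName (DnsClient module) and repadmin are available.
param(
    [string]$ForestRoot      = 'primarydomain.com',                      # assumption: forest root DNS name
    [string]$NamingMaster    = 'primarydc.primarydomain.com',            # assumption: DC holding domain naming master
    [string]$NewDc           = 'newdomainctrl.newdomain.primarydomain.com', # assumption: the new child-domain DC
    [string]$NewDcDns        = 'newdomainctrl.newdomain.primarydomain.com', # DNS server the new DC points at (itself)
    [string]$NamingMasterDns = 'primarydc.primarydomain.com'             # DNS server the naming master points at
)

function Get-DsaGuid {
    # "repadmin /showrepl <dc>" prints a header line "DSA object GUID: <guid>"; extract it.
    # Returns $null if repadmin cannot reach the DC, so the caller can still test A/SRV.
    param([string]$Dc)
    $out = & repadmin /showrepl $Dc 2>&1
    $m = $out | Select-String -Pattern 'DSA object GUID:\s*([0-9a-fA-F-]{36})' | Select-Object -First 1
    if (-not $m) { Write-Warning "repadmin could not read the DSA GUID of $Dc"; return $null }
    return $m.Matches[0].Groups[1].Value
}

function Test-DcResolution {
    # For one DC, resolve from a given DNS server the names replication needs:
    # the host A record, the <dsa-guid>._msdcs.<forest> CNAME (what the DSA looks up
    # when it reports "DNS lookup failure"), and the forest-wide DC SRV record.
    param([string]$Dc, [string]$DnsServer, [string]$Forest)
    $queries = @(
        @{ Name = $Dc;                             Type = 'A'   },
        @{ Name = "_ldap._tcp.dc._msdcs.$Forest";  Type = 'SRV' }
    )
    $guid = Get-DsaGuid -Dc $Dc
    if ($guid) { $queries += @{ Name = "$guid._msdcs.$Forest"; Type = 'CNAME' } }

    foreach ($q in $queries) {
        try {
            $r = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $DnsServer -DnsOnly -ErrorAction Stop
            # CNAME answers carry NameHost, SRV answers NameTarget, A answers IPAddress.
            $answer = ($r | ForEach-Object {
                if ($_.NameHost) { $_.NameHost } elseif ($_.NameTarget) { $_.NameTarget } else { $_.IPAddress }
            }) -join ', '
            [pscustomobject]@{ DnsServer = $DnsServer; Query = $q.Name; Type = $q.Type; Result = 'OK';   Answer = $answer }
        } catch {
            [pscustomobject]@{ DnsServer = $DnsServer; Query = $q.Name; Type = $q.Type; Result = 'FAIL'; Answer = $_.Exception.Message }
        }
    }
}

# Direction 1: the new DC resolving the naming master (needed to create the
# DomainDnsZones/ForestDnsZones partitions and to run dcpromo /uninstall).
# Direction 2: the naming master resolving the new DC (needed for the pull that
# fails with "naming context is in the process of being removed").
$results = @()
$results += Test-DcResolution -Dc $NamingMaster -DnsServer $NewDcDns        -Forest $ForestRoot
$results += Test-DcResolution -Dc $NewDc        -DnsServer $NamingMasterDns -Forest $ForestRoot
$results | Format-Table -AutoSize

if ($results.Result -contains 'FAIL') {
    Write-Warning 'At least one lookup failed. Until every row is OK (especially the _msdcs CNAME), replication and dcpromo will keep reporting DNS failures; fix the zone/forwarding path, re-register with "ipconfig /registerdns" and a Netlogon restart, then re-run.'
}
```

A failing CNAME row on either side is the first thing to chase: the host may ping by name while the GUID record that the DSA really uses is missing from, or not reachable through, the DNS server that side is configured with.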