The DNS server was unable to connect to the domain naming FSMO

Right Experts, here is one for you;

New Windows 2003 DC in a previously Win 2000 domain with the following error in DNS

Event ID: 4510
Source: DNS

The DNS server was unable to connect to the domain naming FSMO "". No modifications to Directory Partitions are possible until the FSMO server is available for LDAP connections. The event data contains the error code.

Using NTDSUTIL we have forced the roles on to the Win 2K3 server and still having the same result.

Any help would be appreciated.

ColinRoyds Asked:

Sembee Commented:
Is this domain still in mixed mode?
Any Windows 2000 DCs still in use? Any DCs not removed properly?

Simon.
ColinRoyds (Author) Commented:
Hi Simon

I think the domain is still in mixed mode, but I need to check; I will be going onsite in a minute or two. And yes, again, the client removed a 2K DC but never took it off the domain before flattening the server and rebuilding it (dcpromo was not run).
The bizarre thing is that I removed AD from the 2003 box, as well as DNS and WINS, re-installed AD, and everything worked fine.
However, when I put DNS back on, everything stopped working correctly; even the time service was not able to contact the 2000 DC, stating no authentication protocol was available.
I am wondering if there is some sort of IPSEC or similar policy being enforced for DC-to-DC traffic which is causing this issue.
Otherwise DNS seems to be working fine on both servers, which is the bizarre thing!


Your help will be appreciated.

Best Wishes

Colin
ColinRoyds (Author) Commented:
Hmm, sorted out the time issue by re-registering it!! But I still have the original problem.
ColinRoyds (Author) Commented:
Domain is now in 2k native mode, but still no help!

Other errors

Event ID: 40960

The Security System detected an authentication error for the server cifs/servername. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
Sembee Commented:
This is screaming DNS errors to me. Kerberos relies on DNS, so if one or other of the servers isn't registered properly, or the DNS still has residue of the older server in its system, then it could cause problems.
I would go through the entire DNS and flush out anything that points at the old server. Also attempt to re-register the DCs with DNS. Do you have them configured correctly: pointing at themselves for primary and each other for secondary?

Simon.
ColinRoyds (Author) Commented:
Hi Simon

I tend to agree with you. I was thinking along two lines of thought, but I am steering towards a DNS issue.
The first is that in the beginning I was getting IPSEC errors, and simple services such as Time, which was working, started to fail stating no authentication protocol was available, along with numerous others giving me the same idea.
However, after removing AD, DNS and WINS, and re-installing only AD, everything was working fine using the 2K DNS server. Once I added DNS onto the 2K3 box it all went horribly wrong again.
Once again: remove DNS, fine; add it, problems. After analyzing all of this I found that the first error was a Net Logon one, stating no DC could be found; obviously after that all the event logs started filling up.
At the moment I have checked and removed every last bit of the old DC that I could find in DNS, WINS and AD, but thinking about it, there is a trust relationship with an office in NY where WINS may have been replicated to, and it may very well still have a reference to the old DC.
Other than that, yes, DNS is configured properly and will resolve absolutely everything, both local, over the trust and on the net, with each server's DNS pointing at itself.

I will have to carry on tomorrow, but thanks for your assistance so far, it's much appreciated.

Best Wishes

Colin
Sebo2000 Commented:
Point the DNS to itself only.
Delete the _zones, restart the Net Logon service and KDC, refresh DNS and see if the _zones got recreated. Flip the forward lookup zone to Primary and do not store it in AD.
Open AD Users and Computers in advanced view and go to System -> MicrosoftDNS and see if there is a zone there; if there is, delete it.
Flip the Primary DNS to AD integrated, restart the box and see if you still have an error.
Make sure that you have all the FSMO roles on the network.
ColinRoyds (Author) Commented:
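Simon's advice (flush stale references to the old DC, re-register the DCs in DNS) and Sebo2000's checklist (DNS pointing at itself, _msdcs records recreated, all FSMO roles present) can be verified in one pass before any zone is deleted. The script below is an added example, not code from anyone in this thread; it wraps the Windows Server 2003 Support Tools (netdom, dcdiag) and the built-in dnscmd, nslookup and nltest commands. The domain name and old DC hostname are placeholders that you must replace.

```powershell
# Added example: read-only checks for the symptoms in this thread (Event 4510
# with an empty domain naming master, Kerberos 0xc000005e "no logon servers"),
# followed by the non-destructive re-registration step Simon suggested.
# Run in an elevated PowerShell session on the Windows Server 2003 DC.
# Assumes the Support Tools (netdom.exe, dcdiag.exe) are installed.
param(
    [string]$Domain = "example.local",   # placeholder: the AD DNS domain name
    [string]$OldDc  = "OLD-DC-NAME"      # placeholder: hostname of the DC that was flattened
)

# 1. Who holds each FSMO role right now? Event 4510 names the domain naming
#    master as "", so confirm the role is actually owned by a live DC.
Write-Host "== FSMO role holders =="
netdom query fsmo
dcdiag /test:FsmoCheck

# 2. Is this server's resolver pointing at itself, as Sebo2000 recommends?
Write-Host "== Resolver settings on this DC =="
ipconfig /all | Select-String "DNS Servers" -Context 0,2

# 3. Can DNS locate a DC and a KDC? These SRV lookups are exactly what Kerberos
#    and Net Logon perform; if they come back empty you get 0xc000005e.
Write-Host "== DC locator SRV records =="
foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    $out = nslookup -type=SRV $rec 2>&1 | Out-String
    if ($out -match "svr hostname") {
        Write-Host "OK      $rec"
        $out -split "`n" | Select-String "svr hostname"
    } else {
        Write-Warning "MISSING $rec -- DC locator records are not registered in DNS"
    }
}

# 4. Residue of the removed DC: dump the domain zone (and the _msdcs zone, if it
#    is a separate zone rather than a subdomain) and grep for the old hostname.
Write-Host "== References to $OldDc still in DNS =="
$hits = @()
foreach ($zone in $Domain, "_msdcs.$Domain") {
    $hits += dnscmd /zoneprint $zone 2>$null | Select-String $OldDc
}
if ($hits) { $hits | ForEach-Object { Write-Warning $_.Line } }
else       { Write-Host "none found in $Domain or _msdcs.$Domain" }

# 5. Re-register this DC (Simon's suggestion): host records via the DNS client,
#    SRV records by restarting Net Logon, then force a fresh DC locator query.
Write-Host "== Re-registering this DC in DNS =="
ipconfig /registerdns
net stop netlogon
net start netlogon
nltest /dsgetdc:$Domain /force

# 6. Final sanity check that the DC is advertising itself as a DC/KDC.
dcdiag /test:Advertising
```

Run steps 1 to 4 first and read the output before touching anything; step 5 only re-registers records this server already owns, so it is safe to repeat. If step 3 still reports the SRV records missing after step 5, the zone itself is not accepting dynamic updates, which is the point at which Sebo2000's zone-type flip becomes relevant.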
Sorry, I meant to add that there is not only a WINS server in the NY office but a DNS server with a copy of the zone.
ColinRoyds (Author) Commented:
I am going to close this Q as it "seems" like the problem has been resolved. I must say that I am still not too certain exactly what was causing it; after forcing the domain naming role onto the 2K3 server again using ntdsutil, it seems to have worked. Besides that, nothing else was changed.

The only change made from the previous attempt was changing the domain from mixed mode to native. How this made a difference I am not certain, but that is all I can put it down to.

Thanks to you both for your assistance.

Regards

Colin

Simon, your question on the mixed mode I think solved this one for me, thanks!