ColinRoyds asked:
The DNS server was unable to connect to the domain naming FSMO

Right Experts, here is one for you;

New Windows 2003 DC in a previously Win 2000 domain with the following error in DNS

Event ID :4510
source DNS

The DNS server was unable to connect to the domain naming FSMO "". No modifications to Directory Partitions are possible until the FSMO server is available for LDAP connections. The event data contains the error code.

Using NTDSUTIL we have forced the roles on to the Win 2K3 server and still having the same result.

Any help would be appreciated.
ASKER CERTIFIED SOLUTION
Sembee

ColinRoyds (ASKER):
Hi Simon

I think the domain is still in mixed mode, but need to check, will be going onsite in a min or two, and yes again the client removed a 2K DC but never took it off the domain before flattening the server and rebuilding it (dcpromo was run).
Bizarre thing is I removed the AD off the 2003 box, as well as DNS and WINS, re-installed ADS and everything worked fine.
However when I put DNS back on everything stopped working correctly, even the time service was not able to contact the 2000 DC stating no authentication protocol available.
I am wondering if there is some sort of IPSEC or similar policy being enforced for DC to DC traffic which is causing this issue.
Otherwise DNS seems to be working fine on both servers, which is the bizarre thing!


Your help will be appreciated.

Best Wishes

Colin
Hmm, sorted out the time issue by re-registering it!! But still have the original problem.
Domain is now in 2K native mode, but still no help!

Other errors

Event ID 40960

The Security System detected an authentication error for the server cifs/servername. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
This is screaming out to me DNS errors. Kerberos relies on DNS, so if one or other of the servers isn't registered properly, or the DNS still has residue of the older server in its system, then it could cause problems.
I would go through the entire DNS and flush out anything that points at the old server. Also attempt to re-register the DCs with DNS. You have them configured correctly - pointing at themselves for primary and each other for secondary?

Simon.
Hi Simon

I tend to agree with you, however I was thinking along two lines of thought, but I am steering towards a DNS issue.
The first is that in the beginning I was getting IPSEC errors, and simple services such as Time which were working started to fail stating no authentication protocol available, along with numerous others giving me the same idea.
However after removing AD, DNS and WINS, and re-installing only AD, everything was working fine using the 2K DNS server. Once I added DNS onto the 2K3 box it all went horribly wrong again.
Once again, removed DNS: fine; added it: problems. After analyzing all of this I found that the first error was a Net Logon, stating no DC could be found; obviously after that all the event logs started filling up.
At the moment I have checked and removed every last bit of the old DC that I could find in DNS, WINS and AD, but thinking about it, there is a trust relationship with an office in NY where WINS may have been replicated to and it very well might still have a ref to the old DC.
Other than that, yes DNS is configured properly and will resolve absolutely everything both local, over the trust and on the net, with each server's DNS pointing at itself.

I will have to carry on tomorrow, but thanks for your assistance so far, it's much appreciated.

Best Wishes

Colin
Point the DNS to itself only.
Delete the _zones, restart the Net Logon service and KDC, refresh DNS and see if the _zones got recreated. Flip the forward lookup zone to Primary and do not store in AD.
Open AD Users and Computers in advanced view and go to System -> MicrosoftDNS and see if there is a zone there; if there is, delete it.
Flip the Primary DNS to AD integrated, restart the box and see if you still have an error.
Make sure that you have all the FSMO roles on the network.
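The checks Simon and the reply above describe (SRV records free of old-DC residue, each DC pointing DNS at itself, the FSMO role holders reachable for LDAP) can be scripted so they are repeatable after each change. The following is an added example, not code from this thread or from Experts Exchange. It assumes Windows PowerShell with the DnsClient module (Resolve-DnsName, Windows 8/Server 2012 or later) plus the netdom and nltest tools on the path; `corp.example.com` and the DC names are placeholders to replace with the real ones.

```powershell
# Added example: DC-side sanity checks for the DNS / Kerberos / FSMO symptoms in this thread.
# Assumptions: Resolve-DnsName (DnsClient module), netdom.exe and nltest.exe are available.
# Domain and DC names below are placeholders, not values from the thread.
param(
    [string]$Domain = 'corp.example.com',            # placeholder domain
    [string[]]$ExpectedDCs = @('dc2003', 'dc2000'),  # placeholder short names of the live DCs
    [switch]$ReRegister                              # opt in to re-registering this DC's records
)

$problems = @()

# 1. SRV records that Kerberos/LDAP clients use to locate DCs. Any target that is not a
#    known DC is a likely leftover from the demoted/flattened server.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain"
)
foreach ($name in $srvNames) {
    Write-Host "== $name"
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
    } catch {
        $problems += "No SRV records for $name ($($_.Exception.Message))"
        continue
    }
    foreach ($r in $records) {
        $shortName = ($r.NameTarget -split '\.')[0]
        if ($ExpectedDCs -contains $shortName) {
            Write-Host ("  ok     {0} (prio {1}, port {2})" -f $r.NameTarget, $r.Priority, $r.Port)
        } else {
            $problems += "Stale SRV target $($r.NameTarget) in $name"
            Write-Host ("  STALE? {0}" -f $r.NameTarget)
        }
    }
}

# 2. This DC's DNS client should list one of its own addresses first (the advice above).
$ownAddrs = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } | ForEach-Object { $_.IPAddressToString }
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } | ForEach-Object { $_.ServerAddresses } | Select-Object -Unique
Write-Host "== DNS client servers: $($dnsServers -join ', ')"
if (-not $dnsServers -or ($ownAddrs -notcontains $dnsServers[0])) {
    $problems += "Primary DNS server is not this DC (own addresses: $($ownAddrs -join ', '))"
}

# 3. FSMO role holders, and whether the domain naming master answers on the LDAP port.
#    Event 4510 in the thread is literally "unable to connect to the domain naming FSMO".
$namingMaster = $null
foreach ($line in (& netdom query fsmo 2>&1)) {
    Write-Host "  $line"
    if ($line -match '^Domain naming master\s+(\S+)') { $namingMaster = $Matches[1] }
}
if (-not $namingMaster) {
    $problems += 'netdom query fsmo did not report a domain naming master'
} else {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($namingMaster, 389)
        Write-Host "  LDAP port 389 reachable on $namingMaster"
    } catch {
        $problems += "Cannot reach LDAP (389) on domain naming master $namingMaster"
    } finally {
        $tcp.Close()
    }
}

# 4. Optional: re-register this DC's locator records and host record, as the thread suggests.
if ($ReRegister) {
    & nltest /dsregdns
    & ipconfig /registerdns
}

Write-Host "== Summary"
if ($problems.Count -eq 0) { Write-Host 'No problems found' } else { $problems | ForEach-Object { Write-Host "  - $_" } }
```

Run it on each DC after every change; the SRV listing is the quickest way to see whether the zone still carries the flattened server, and the summary stays empty only when all three conditions the thread keeps circling back to hold at once.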
Sorry, I meant to add: not only a WINS server in the NY office but a DNS server with a copy of the zone.
I am going to close this Q? as it "seems" like the problem has been resolved. I must say that I am still not too certain exactly what was causing it, and after forcing the domain naming service on to the 2K3 server again using ntdsutil, it seems to have worked. Besides that nothing else was changed.

The only change made from the previous attempt was changing the domain from mixed mode to native. How this made a difference I am not certain, but that is all I can put it down to.

Thanks to you both for your assistance.

Regards

Colin

Simon your Q? on the mixed mode I think solved this one for me, thanks!