Global Catalogue Server failing in Windows 2000 AD

Hi all,

Have got a Windows 2000 Domain with two DC's, two app servers, two database servers and a bunch of work stations.  I also have a test domain that sits as a child domain of the production network and a two-way trust exists between the two domains.

I have configured one of the DC's to act as PDC/Operations Master and to run the Infrastructure Master service.  I have configured the other DC to act as a Global Catalogue Server.

Recently I've noticed a couple of issues with various directory functions (such as Security Events not being recorded in the event log and changes to Group Policy not propagating across the network).  Have run dcdiag.exe on the PDC/Ops Master and got the following error:

   Running enterprise tests on : dealers.coopbank
      Starting test: Intersite
         ......................... dealers.coopbank passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... dealers.coopbank failed test FsmoCheck

I've double-checked the configuration to make sure it's as I intended, and rebooted both DC's, but the error still persists.  I'm not overly familiar with GC, but have a suspicion that all of the problems I'm encountering are related.

Any advice gratefully received

This article may help.  It doesn't sound like your specific symptom (do you have a happy netlogon directory?), but the error from DCDIAG is a match.  You may want to attempt the resolution.  It says that there may be some invalid FRS replication partners.;en-us;316790
I would also like to see what your directory service event log says.  Are there any GC errors in there?  It wouldn't hurt to add the GC to your first domain controller to see if that helps anything.  It is not recommended however that your Infrastructure master and GC reside on the same server.  Your site doesn't sound like it would have any replication problems with running two.
If you want to become a GC expert (I haven't read any of them yet)

257203 Common Default Attributes Set for Active Directory and Global Catalog
232517 Global Catalog Attributes and Replication Properties
229662 How to Control What Data Is Stored in the Global Catalog
248717 How to Modify Attributes That Replicate to the Global Catalog
199174 Directory Replication Basics for Windows 2000

What happens if you run this at a command line

dcdiag.exe /test:fsmocheck

Have you had any DC promo or demo problems?  Have any DCs been demoted?  Have any died?
Try running a dcdiag.exe /v on your "failing" dc

What does the "advertising" section say?

Starting test: Advertising
   The DC ADBitch1 is advertising itself as a DC and having a DS.
   The DC ADBitch1 is advertising as an LDAP server
   The DC ADBitch1 is advertising as having a writeable directory
   The DC ADBitch1 is advertising as a Key Distribution Center
   The DC ADBitch1 is advertising as a time server
   The DS ADBitch1 is advertising as a GC.
tobesteruk (Author) commented:
Whoa!!!  Thanks for quick responses.  Have worked through the suggestions so far and:

Sysvol and Netlogon Shares are fine.

dcdiag.exe /test:fsmocheck produces the following results:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine dealsrv2, is a DC.
   * Connecting to directory service on server dealsrv2.
   * Collecting site info.
   * Identifying all servers.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DEALSRV2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DEALSRV2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DEALSRV2
      Test omitted by user request: Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: Advertising
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: RidManager
      Test omitted by user request: MachineAccount
      Test omitted by user request: Services
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: frssysvol
      Test omitted by user request: kccevent
      Test omitted by user request: systemlog

   Running enterprise tests on : dealers.coopbank
      Test omitted by user request: Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         PDC Name: \\dealsrv1.dealers.coopbank
         Locator Flags: 0xe00001f9
         Time Server Name: \\dealsrv2.dealers.coopbank
         Locator Flags: 0xe00001f8
         Preferred Time Server Name: \\dealsrv2.dealers.coopbank
         Locator Flags: 0xe00001f8
         KDC Name: \\dealsrv2.dealers.coopbank
         Locator Flags: 0xe00001f8
         ......................... dealers.coopbank failed test FsmoCheck

dcdiag.exe /v on failing GC Server produces the following results for the advertising section:
Starting test: Advertising
         The DC DEALSRV2 is advertising itself as a DC and having a DS.
         The DC DEALSRV2 is advertising as an LDAP server
         The DC DEALSRV2 is advertising as having a writeable directory
         The DC DEALSRV2 is advertising as a Key Distribution Center
         The DC DEALSRV2 is advertising as a time server
         Warning: DEALSRV2 has not finished promoting to be a GC.
         Check the event log for domains that cannot be replicated.
         Warning: DEALSRV2 is not advertising as a global catalog.
         Check that server finished GC promotion.
         Check the event log on server that enough source replicas for the GC are available.
         ......................... DEALSRV2 failed test Advertising

Had no DC Promo/Demo issues at all
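
Added example (not part of the original post, and not dcdiag's own code): the "Locator Flags" values in the FsmoCheck output above are the DsGetDcName flag bits, and decoding them shows directly that neither DC has the GC bit set. Bit names follow the DS_*_FLAG constants in dsgetdc.h; the function names and the SAMPLE excerpt layout are this example's own.

```python
import re

# DOMAIN_CONTROLLER_INFO.Flags bits returned by DsGetDcName (dsgetdc.h).
DS_FLAGS = {
    0x00000001: "PDC", 0x00000004: "GC", 0x00000008: "LDAP",
    0x00000010: "DS", 0x00000020: "KDC", 0x00000040: "TIMESERV",
    0x00000080: "CLOSEST", 0x00000100: "WRITABLE",
    0x00000200: "GOOD_TIMESERV", 0x00000400: "NDNC",
    0x20000000: "DNS_CONTROLLER", 0x40000000: "DNS_DOMAIN",
    0x80000000: "DNS_FOREST",
}
DS_GC_FLAG = 0x00000004

# FsmoCheck lines copied from the dcdiag output quoted in the thread.
SAMPLE = r"""
         PDC Name: \\dealsrv1.dealers.coopbank
         Locator Flags: 0xe00001f9
         Time Server Name: \\dealsrv2.dealers.coopbank
         Locator Flags: 0xe00001f8
         KDC Name: \\dealsrv2.dealers.coopbank
         Locator Flags: 0xe00001f8
"""

ROLE_RE = re.compile(r"^\s*(.+?) Name: \\\\(\S+)\s*$")
FLAGS_RE = re.compile(r"^\s*Locator Flags: (0x[0-9a-fA-F]+)\s*$")

def decode_flags(value):
    """Return (names of known bits set, leftover unknown bits)."""
    names = [name for bit, name in sorted(DS_FLAGS.items()) if value & bit]
    return names, value & ~sum(DS_FLAGS)

def parse_fsmocheck(text):
    """Pair each '<role> Name:' line with the 'Locator Flags:' line after it."""
    results, pending = [], None
    for line in text.splitlines():
        m = ROLE_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2).lower())
        elif pending and (m := FLAGS_RE.match(line)):
            results.append(pending + (int(m.group(1), 16),))
            pending = None
    return results

def gc_advertisers(text):
    """Hosts whose locator flags include the GC bit."""
    return sorted({h for _, h, f in parse_fsmocheck(text) if f & DS_GC_FLAG})

if __name__ == "__main__":
    for role, host, flags in parse_fsmocheck(SAMPLE):
        print(f"{role:12} {host:28} {'|'.join(decode_flags(flags)[0])}")
    print("GC advertisers:", gc_advertisers(SAMPLE) or "none")
```
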
tobesteruk (Author) commented:
Have now worked through the list of articles you sent and have found the answer; promotion of the "BDC" to GC Server was being prevented because of a requirement to hold a copy of a partition for a defunct test domain that died some time ago:

Event 1559

A request has been made to promote this DSA to a Global Catalog (GC). A precondition to becoming a GC is that this server host a read-only copy of all partitions in the enterprise.  This server should hold a copy of partition DC=dealers-test,DC=coopbank but it does not. This system will not be promoted to a GC until this condition is met.

Any idea how I can purge all records of this domain from my AD?
I could summarize, but you should read this entirely.  I think it could help.
1. Determine the domain controller that holds the Domain Naming Master Flexible Single Master Operations (FSMO) role. To identify the server holding this role:
   a. Start the Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in from the Administrative Tools menu.
   b. Right-click the root node in the left pane titled Active Directory Domains and Trusts, and then click Operations Master.
   c. The domain controller that currently holds this role is identified in the Current Operations Master frame.
   NOTE: If this changed recently, not all computers may have received this change yet due to replication.

For additional information about FSMO roles, click the article number below to view the article in the Microsoft Knowledge Base:
197132 Windows 2000 Active Directory FSMO Roles  
2. Verify that all servers for the domain have been demoted.
3. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
4. At the command prompt, type: ntdsutil.
5. Type: metadata cleanup, and then press ENTER.  
6. Type: connections, and then press ENTER. This menu is used to connect to the specific server on which the changes will occur. If the currently logged-on user is not a member of the Enterprise Admins group, alternate credentials can be supplied by specifying the credentials to use before making the connection. To do so, type: set creds domainname username password , and then press ENTER. For a null password, type: null for the password parameter.
7. Type: connect to server servername (where servername is the name of the domain controller holding the Domain Naming Master FSMO Role), and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and that the credentials you supplied have administrative permissions on the server.
8. Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
9. Type: select operation target, and then press ENTER.
10. Type: list domains, and then press ENTER. A list of domains in the forest is displayed, each with an associated number.
11. Type: select domain number, and then press ENTER, where number is the number associated with the domain to be removed.
12. Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
13. Type: remove selected domain, and then press ENTER. You should receive confirmation that the removal was successful. If an error occurs, please refer to the Microsoft Knowledge Base for articles on specific error messages.
14. Type: quit at each menu to quit the NTDSUTIL tool. You should receive confirmation that the connection disconnected successfully.

tobesteruk (Author) commented:
OK, nearly there...

Got rid of the orphaned Domain and the "BDC" is now running and advertising itself as a GC.  Only problem left to iron out is a replication issue between the two DC's.  Have run up AD Replication Monitor and it shows the following error between the PDC and BDC:


                 >> Direct Replication Partner Data <<
                  Server is current through Property Update USN: 772791
                  Replication Failure: Changes have not been successfully replicated from <BDC> for 2 attempt(s)
                  Replication Failure: The reason is: The DSA operation is unable to proceed because of a DNS lookup failure.
                  Replication Failure: The last replication attempt was: mm/dd/yyyy hh:mm:ss (local)

Have checked DNS of both DCs through nslookup and both resolve OK.  Any more ideas...?

I realise this evolved a bit since my original query so I'm increasing the points....


Does active directory sites and services look happy?  You may just need to wait, but I would go to sites and services and look at NTDS.  It sounds like you have a single site.  Do you have <automatically generated> connections between the domain controllers?  Kick off the KCC by right clicking one of the NTDS settings branches and clicking "check topology"

Run REPLMON.EXE and add both of the domain controllers to the monitored servers list.  Do you see the same errors?
If you try to manually sync with the repl partner, do you get the same errors?  Are there any other IDs in the event viewer for either DC?
When you ran NSLOOKUP, did you try the server both qualified and unqualified?  Is WIN2000 the only DNS server in your site?
Try running NETDIAG.EXE from both of the DCs, do they both pass?
Somewhere down the list of NETDIAG.EXE test results is a "DNS Test".  I have a feeling that your DNS is happy and the error you're getting is somewhat generic.  To rule out DNS altogether, you might try adding entries to the host file on each DC (qualified) to point to the other DC.  This would at least eliminate DNS as our issue.
Here is a great article on DCDIAG and NETDIAG.  If you do really have DNS related replication issues, these tools will show them to you.
One more thing and I'll shut up.  Can you perform an NSLOOKUP on your domain DEALERS.COOPBANK?
tobesteruk (Author) commented:
Patience was the key.  Left the DCs overnight and when I checked them this morning all replication pairs were working fine.

Thanks for all your help