tobesteruk
asked on
Global Catalogue Server failing in Windows 2000 AD
Hi all,
Have got a Windows 2000 Domain with two DC's, two app servers, two database servers and a bunch of work stations. I also have a test domain that sits as a child domain of the production network and a two way trust exists between the two domains.
I have configured one of the DC's to act as PDC/Operations Master and to run the Infrastructure Master service. I have configured the other DC to act as a Global Catalogue Server.
Recently I've noticed a couple of issues with various directory functions (such as Security Events not being recorded in the event log and changes to Group Policy not propagating across the network). Have run dcdiag.exe on the PDC/Ops Master and got the following error:
Running enterprise tests on : dealers.coopbank
Starting test: Intersite
......................... dealers.coopbank passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
......................... dealers.coopbank failed test FsmoCheck
I've double-checked the configuration to make sure it's as I intended, and rebooted both DC's, but the error still persists. I'm not overly familiar with GC, but have a suspicion that all of the problems I'm encountering are related.
Any advice gratefully received
I would also like to see what your directory service event log says. Are there any GC errors in there? It wouldn't hurt to add the GC to your first domain controller to see if that helps anything. It is not recommended however that your Infrastructure master and GC reside on the same server. Your site doesn't sound like it would have any replication problems with running two.
If you want to become a GC expert (I haven't read any of them yet)
257203 Common Default Attributes Set for Active Directory and Global Catalog
http://support.microsoft.com/kb/257203/EN-US/
232517 Global Catalog Attributes and Replication Properties
http://support.microsoft.com/kb/232517/EN-US/
229662 How to Control What Data Is Stored in the Global Catalog
http://support.microsoft.com/kb/229662/EN-US/
248717 How to Modify Attributes That Replicate to the Global Catalog
http://support.microsoft.com/kb/248717/EN-US/
199174 Directory Replication Basics for Windows 2000
http://support.microsoft.com/kb/199174/EN-US/
What happens if you run this at a command line?
dcdiag.exe /test:fsmocheck
Have you had any DC promo or demo problems? Have any DCs been demoted? Have any died?
Try running a dcdiag.exe /v on your "failing" dc
What does the "advertising" section say?
Starting test: Advertising
The DC ADBitch1 is advertising itself as a DC and having a DS.
The DC ADBitch1 is advertising as an LDAP server
The DC ADBitch1 is advertising as having a writeable directory
The DC ADBitch1 is advertising as a Key Distribution Center
The DC ADBitch1 is advertising as a time server
The DS ADBitch1 is advertising as a GC.
ASKER
Whoa!!! Thanks for quick responses. Have worked through the suggestions so far and:
Sysvol and Netlogon Shares are fine.
dcdiag.exe /test:fsmocheck produces the following results:
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine dealsrv2, is a DC.
* Connecting to directory service on server dealsrv2.
* Collecting site info.
* Identifying all servers.
* Found 3 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DEALSRV2
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DEALSRV2 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DEALSRV2
Test omitted by user request: Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: Advertising
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: RidManager
Test omitted by user request: MachineAccount
Test omitted by user request: Services
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: ObjectsReplicated
Test omitted by user request: frssysvol
Test omitted by user request: kccevent
Test omitted by user request: systemlog
Running enterprise tests on : dealers.coopbank
Test omitted by user request: Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
PDC Name: \\dealsrv1.dealers.coopbank
Locator Flags: 0xe00001f9
Time Server Name: \\dealsrv2.dealers.coopbank
Locator Flags: 0xe00001f8
Preferred Time Server Name: \\dealsrv2.dealers.coopbank
Locator Flags: 0xe00001f8
KDC Name: \\dealsrv2.dealers.coopbank
Locator Flags: 0xe00001f8
......................... dealers.coopbank failed test FsmoCheck
dcdiag.exe /v on failing GC Server produces the following results for the advertising section:
Starting test: Advertising
The DC DEALSRV2 is advertising itself as a DC and having a DS.
The DC DEALSRV2 is advertising as an LDAP server
The DC DEALSRV2 is advertising as having a writeable directory
The DC DEALSRV2 is advertising as a Key Distribution Center
The DC DEALSRV2 is advertising as a time server
Warning: DEALSRV2 has not finished promoting to be a GC.
Check the event log for domains that cannot be replicated.
Warning: DEALSRV2 is not advertising as a global catalog.
Check that server finished GC promotion.
Check the event log on server that enough source replicas for the GC are available.
......................... DEALSRV2 failed test Advertising
Had no DC Promo/Demo issues at all
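Added example, not part of any post in this thread: the "Locator Flags" values in the FsmoCheck output above are DsGetDcName reply flags, and decoding them with the constants from the Windows SDK header dsgetdc.h shows that neither 0xe00001f9 nor 0xe00001f8 carries the GC bit (0x4), which matches the Advertising warning. The function names are hypothetical and the sample input is the output quoted above with spacing normalised.

```python
import re

# DsGetDcName reply flags as defined in the Windows SDK header dsgetdc.h.
DS_FLAGS = {
    0x00000001: "PDC", 0x00000004: "GC",
    0x00000008: "LDAP", 0x00000010: "DS",
    0x00000020: "KDC", 0x00000040: "TIMESERV",
    0x00000080: "CLOSEST", 0x00000100: "WRITABLE",
    0x00000200: "GOOD_TIMESERV", 0x00000400: "NDNC",
    0x20000000: "DNS_CONTROLLER", 0x40000000: "DNS_DOMAIN",
    0x80000000: "DNS_FOREST",
}

# Sample input: FsmoCheck lines from the post above, spacing normalised.
SAMPLE = r"""
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
PDC Name: \\dealsrv1.dealers.coopbank
Locator Flags: 0xe00001f9
Time Server Name: \\dealsrv2.dealers.coopbank
Locator Flags: 0xe00001f8
Preferred Time Server Name: \\dealsrv2.dealers.coopbank
Locator Flags: 0xe00001f8
KDC Name: \\dealsrv2.dealers.coopbank
Locator Flags: 0xe00001f8
"""

# A "<role> Name: \\host" line followed by its "Locator Flags: 0x..." line.
PAIR = re.compile(
    r"^\s*(.+?) Name:\s*\\\\(\S+)\s*\n\s*Locator Flags:\s*(0x[0-9a-fA-F]+)", re.M)

def decode(value):
    """Return the set of flag names set in a Locator Flags value."""
    return {name for bit, name in DS_FLAGS.items() if value & bit}

def parse_fsmocheck(text):
    """Map each server named in FsmoCheck output to its decoded flags."""
    servers = {}
    for _role, host, flags in PAIR.findall(text):
        servers.setdefault(host.lower(), set()).update(decode(int(flags, 16)))
    return servers

def gc_advertisers(text):
    """Servers whose locator reply carries the GC bit (0x4)."""
    return sorted(h for h, f in parse_fsmocheck(text).items() if "GC" in f)

if __name__ == "__main__":
    for host, flags in sorted(parse_fsmocheck(SAMPLE).items()):
        print(host, sorted(flags))
    print("GC advertisers:", gc_advertisers(SAMPLE) or "none")
```

A healthy global catalog would show the 0x4 bit set in its flags, for example 0xe00001fc instead of 0xe00001f8.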
ASKER
Have now worked through the list of articles you sent and have found the answer; promotion of the "BDC" to GC Server was being prevented because of a requirement to hold a copy of a partition for a defunct test domain that died some time ago:
Event 1559
A request has been made to promote this DSA to a Global Catalog (GC). A precondition to becoming a GC is that this server host a read-only copy of all partitions in the enterprise. This server should hold a copy of partition DC=dealers-test,DC=coopbank but it does not. This system will not be promoted to a GC until this condition is met.
Any idea how I can purge all records of this domain from my AD?
I could summarize, but you should read this entirely. I think it could help.
http://support.microsoft.com/kb/230306
ASKER
OK, nearly there...
Got rid of the orphaned Domain and the "BDC" is now running and advertising itself as a GC. Only problem left to iron out is a replication issue between the two DC's. Have run up AD Replication Monitor and it shows the following error between the PDC and BDC:
<PDC>
CN=Schema,CN=Configuration,DC=dealers,DC=coopbank
Default-First-Site-Name\<BDC>
>> Direct Replication Partner Data <<
Server is current through Property Update USN: 772791
Replication Failure: Changes have not been successfully replicated from <BDC> for 2 attempt(s)
Replication Failure: The reason is: The DSA operation is unable to proceed because of a DNS lookup failure.
Replication Failure: The last replication attempt was: mm/dd/yyyy hh:mm:ss (local)
Have checked DNS of both DCs through nslookup and both resolve OK. Any more ideas...?
I realise this evolved a bit since my original query so I'm increasing the points....
Cheers
Does active directory sites and services look happy? You may just need to wait, but I would go to sites and services and look at NTDS. It sounds like you have a single site. Do you have <automatically generated> connections between the domain controllers? Kick off the KCC by right clicking one of the NTDS settings branches and clicking "check topology"
Run REPLMON.EXE and add both of the domain controllers to the monitored servers list. Do you see the same errors?
If you try to manually sync with the repl partner, do you get the same errors? Are there any other IDs in the event viewer for either DC?
When you ran NSLOOKUP, did you try the server both qualified and unqualified? Is WIN2000 the only DNS server in your site?
Try running NETDIAG.EXE from both of the DCs, do they both pass?
Somewhere down the list of NETDIAG.EXE test results is a "DNS Test". I have a feeling that your DNS is happy and the error you're getting is somewhat generic. To rule out DNS altogether, you might try adding entries to the hosts file on each DC (qualified) to point to the other DC. This would at least eliminate DNS as our issue.
Here is a great article on DCDIAG and NETDIAG. If you do really have DNS related replication issues, these tools will show them to you.
http://support.microsoft.com/kb/265706/EN-US/
One more thing and I'll shut up. Can you perform an NSLOOKUP on your domain DEALERS.COOPBANK?
ASKER
Patience was the key. Left the DCs over night and when I checked them this morning all replication pairs were working fine.
Thanks for all your help
http://support.microsoft.com/default.aspx?scid=kb;en-us;316790