
Global Catalogue Server failing in Windows 2000 AD

Posted on 2004-11-15
Last Modified: 2010-04-12
Hi all,

Have got a Windows 2000 Domain with two DC's, two app servers, two database servers and a bunch of work stations.  I also have a test domain that sits as a child domain of the production network and a two-way trust exists between the two domains.

I have configured one of the DC's to act as PDC/Operations Master and to run the Infrastructure Master service.  I have configured the other DC to act as a Global Catalogue Server.

Recently I've noticed a couple of issues with various directory functions (such as Security Events not being recorded in the event log and changes to Group Policy not propagating across the network).  Have run dcdiag.exe on the PDC/Ops Master and got the following error:

   Running enterprise tests on : dealers.coopbank
      Starting test: Intersite
         ......................... dealers.coopbank passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... dealers.coopbank failed test FsmoCheck

I've double-checked the configuration to make sure it's as I intended, and rebooted both DC's, but the error still persists.  I'm not overly familiar with GC, but have a suspicion that all of the problems I'm encountering are related.

Any advice gratefully received
0
Question by:tobesteruk
18 Comments
 
LVL 4

Expert Comment

by:tengage
ID: 12583757
This article may help.  It doesn't sound like your specific symptom (do you have a happy netlogon directory?), but the error from DCDIAG is a match.  You may want to attempt the resolution.  It says that there may be some invalid FRS replication partners.

http://support.microsoft.com/default.aspx?scid=kb;en-us;316790
0
 
LVL 4

Expert Comment

by:tengage
ID: 12583774
I would also like to see what your directory service event log says.  Are there any GC errors in there?  It wouldn't hurt to add the GC to your first domain controller to see if that helps anything.  It is not recommended however that your Infrastructure master and GC reside on the same server.  Your site doesn't sound like it would have any replication problems with running two.
0
 
LVL 4

Expert Comment

by:tengage
ID: 12583794
If you want to become a GC expert (I haven't read any of them yet)

257203 Common Default Attributes Set for Active Directory and Global Catalog
http://support.microsoft.com/kb/257203/EN-US/
232517 Global Catalog Attributes and Replication Properties
http://support.microsoft.com/kb/232517/EN-US/
229662 How to Control What Data Is Stored in the Global Catalog
http://support.microsoft.com/kb/229662/EN-US/
248717 How to Modify Attributes That Replicate to the Global Catalog
http://support.microsoft.com/kb/248717/EN-US/
199174 Directory Replication Basics for Windows 2000
http://support.microsoft.com/kb/199174/EN-US/
0
 
LVL 4

Expert Comment

by:tengage
ID: 12583812
What happens if you run this at a command line

dcdiag.exe /test:fsmocheck

Have you had any DC promo or demo problems?  Have any DCs been demoted?  Have any died?
0
 
LVL 4

Expert Comment

by:tengage
ID: 12583880
Try running a dcdiag.exe /v on your "failing" dc

What does the "advertising" section say?

Starting test: Advertising
   The DC ADBitch1 is advertising itself as a DC and having a DS.
   The DC ADBitch1 is advertising as an LDAP server
   The DC ADBitch1 is advertising as having a writeable directory
   The DC ADBitch1 is advertising as a Key Distribution Center
   The DC ADBitch1 is advertising as a time server
   The DS ADBitch1 is advertising as a GC.
0
 

Author Comment

by:tobesteruk
ID: 12591259
Whoa!!!  Thanks for quick responses.  Have worked through the suggestions so far and:

Sysvol and Netlogon Shares are fine.

dcdiag.exe /test:fsmocheck produces the following results:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine dealsrv2, is a DC.
   * Connecting to directory service on server dealsrv2.
   * Collecting site info.
   * Identifying all servers.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DEALSRV2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DEALSRV2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DEALSRV2
      Test omitted by user request: Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: Advertising
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: RidManager
      Test omitted by user request: MachineAccount
      Test omitted by user request: Services
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: frssysvol
      Test omitted by user request: kccevent
      Test omitted by user request: systemlog

   Running enterprise tests on : dealers.coopbank
      Test omitted by user request: Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         PDC Name: \\dealsrv1.dealers.coopbank
         Locator Flags: 0xe00001f9
         Time Server Name: \\dealsrv2.dealers.coopbank
         Locator Flags: 0xe00001f8
         Preferred Time Server Name: \\dealsrv2.dealers.coopbank
         Locator Flags: 0xe00001f8
         KDC Name: \\dealsrv2.dealers.coopbank
         Locator Flags: 0xe00001f8
         ......................... dealers.coopbank failed test FsmoCheck


dcdiag.exe /v on failing GC Server produces the following results for the advertising section:
     
Starting test: Advertising
         The DC DEALSRV2 is advertising itself as a DC and having a DS.
         The DC DEALSRV2 is advertising as an LDAP server
         The DC DEALSRV2 is advertising as having a writeable directory
         The DC DEALSRV2 is advertising as a Key Distribution Center
         The DC DEALSRV2 is advertising as a time server
         Warning: DEALSRV2 has not finished promoting to be a GC.
         Check the event log for domains that cannot be replicated.
         Warning: DEALSRV2 is not advertising as a global catalog.
         Check that server finished GC promotion.
         Check the event log on server that enough source replicas for the GC are available.
         ......................... DEALSRV2 failed test Advertising

Had no DC Promo/Demo issues at all
0
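An added illustration, not part of the original thread: the "Locator Flags" values in the FsmoCheck output above are DsGetDcName bit masks, and decoding them shows that no locator answer carries the GC bit (0x4), which matches the Advertising warning. The bit values are the DS_*_FLAG constants from the Windows SDK header dsgetdc.h; the function names and the parsing regex are this example's own.

```python
import re

# Locator flag bits (DS_*_FLAG constants from the Windows SDK header dsgetdc.h).
DS_FLAGS = {
    0x00000001: "PDC", 0x00000004: "GC", 0x00000008: "LDAP",
    0x00000010: "DS", 0x00000020: "KDC", 0x00000040: "TIMESERV",
    0x00000080: "CLOSEST", 0x00000100: "WRITABLE", 0x00000200: "GOOD_TIMESERV",
    0x00000400: "NDNC", 0x20000000: "DNS_CONTROLLER",
    0x40000000: "DNS_DOMAIN", 0x80000000: "DNS_FOREST",
}

# Excerpt of the FsmoCheck section from the dcdiag output posted above.
SAMPLE = r"""
         PDC Name: \\dealsrv1.dealers.coopbank
         Locator Flags: 0xe00001f9
         Time Server Name: \\dealsrv2.dealers.coopbank
         Locator Flags: 0xe00001f8
         KDC Name: \\dealsrv2.dealers.coopbank
         Locator Flags: 0xe00001f8
"""

# A "<role> Name: \\server" line followed by its "Locator Flags: 0x..." line.
PAIR = re.compile(
    r"^\s*(.+?) Name: \\\\(\S+)\s*\n\s*Locator Flags: (0x[0-9a-fA-F]+)", re.M)

def decode(flags):
    """Return the names of the locator bits set in flags, lowest bit first."""
    return [name for bit, name in sorted(DS_FLAGS.items()) if flags & bit]

def parse_fsmocheck(text):
    """Return (role, server, decoded flag names) for each locator answer."""
    return [(role, server.lower(), decode(int(flags, 16)))
            for role, server, flags in PAIR.findall(text)]

def gc_servers(text):
    """Servers whose locator answer carries the GC bit (0x4)."""
    return sorted({srv for _, srv, names in parse_fsmocheck(text) if "GC" in names})

if __name__ == "__main__":
    for role, server, names in parse_fsmocheck(SAMPLE):
        print(f"{role:12} {server:28} {' '.join(names)}")
    print("GC-advertising servers:", gc_servers(SAMPLE) or "none")
```

Once GC promotion completes, the same locator answer would be expected to include the 0x4 bit alongside the existing flags.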
 

Author Comment

by:tobesteruk
ID: 12592029
Have now worked through the list of articles you sent and have found the answer; promotion of the "BDC" to GC Server was being prevented because of a requirement to hold a copy of a partition for a defunct test domain that died some time ago:

Event 1559

A request has been made to promote this DSA to a Global Catalog (GC). A precondition to becoming a GC is that this server host a read-only copy of all partitions in the enterprise.  This server should hold a copy of partition DC=dealers-test,DC=coopbank but it does not. This system will not be promoted to a GC until this condition is met.

Any idea how I can purge all records of this domain from my AD?
0
 
LVL 4

Expert Comment

by:tengage
ID: 12594380
I could summarize, but you should read this entirely.  I think it could help.

http://support.microsoft.com/kb/230306
0
 
LVL 4

Accepted Solution

by:
tengage earned 1400 total points
ID: 12594399
1. Determine the domain controller that holds the Domain Naming Master Flexible Single Master Operations (FSMO) role. To identify the server holding this role:
a.  Start the Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in from the Administrative Tools menu.
b.  Right-click the root node in the left pane titled Active Directory Domains and Trusts, and then click Operations Master.
c.  The domain controller that currently holds this role is identified in the Current Operations Master frame.
NOTE: If this changed recently, not all computers may have received this change yet due to replication.

For additional information about FSMO roles, click the article number below to view the article in the Microsoft Knowledge Base:
197132 Windows 2000 Active Directory FSMO Roles  
 
2. Verify that all servers for the domain have been demoted.
3. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
4. At the command prompt, type: ntdsutil.
5. Type: metadata cleanup, and then press ENTER.  
6. Type: connections, and then press ENTER. This menu is used to connect to the specific server on which the changes will occur. If the currently logged-on user is not a member of the Enterprise Admins group, alternate credentials can be supplied by specifying the credentials to use before making the connection. To do so, type: set creds domainname username password , and then press ENTER. For a null password, type: null for the password parameter.
7. Type: connect to server servername (where servername is the name of the domain controller holding the Domain Naming Master FSMO Role), and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and that the credentials you supplied have administrative permissions on the server.
8. Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
9. Type: select operation target, and then press ENTER.
10. Type: list domains, and then press ENTER. A list of domains in the forest is displayed, each with an associated number.
11. Type: select domain number, and then press ENTER, where number is the number associated with the domain to be removed.
12. Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
13. Type: remove selected domain, and then press ENTER. You should receive confirmation that the removal was successful. If an error occurs, please refer to the Microsoft Knowledge Base for articles on specific error messages.
14. Type: quit at each menu to quit the NTDSUTIL tool. You should receive confirmation that the connection disconnected successfully.
0
 

Author Comment

by:tobesteruk
ID: 12594688
OK, nearly there...

Got rid of the orphaned Domain and the "BDC" is now running and advertising itself as a GC.  Only problem left to iron out is a replication issue between the two DC's.  Have run up AD Replication Monitor and it shows the following error between the PDC and BDC:

<PDC>
   CN=Schema,CN=Configuration,DC=dealers,DC=coopbank
       Default-First-Site-Name\<BDC>

                 >> Direct Replication Partner Data <<
                  Server is current through Property Update USN: 772791
                  Replication Failure: Changes have not been successfully replicated from <BDC> for 2 attempt(s)
                  Replication Failure: The reason is: The DSA operation is unable to proceed because of a DNS lookup failure.
                  Replication Failure: The last replication attempt was: mm/dd/yyyy hh:mm:ss (local)

Have checked DNS of both DCs through nslookup and both resolve OK.  Any more ideas...?

I realise this evolved a bit since my original query so I'm increasing the points....

Cheers

0
 
LVL 4

Expert Comment

by:tengage
ID: 12595066
Does active directory sites and services look happy?  You may just need to wait, but I would go to sites and services and look at NTDS.  It sounds like you have a single site.  Do you have <automatically generated> connections between the domain controllers?  Kick off the KCC by right clicking one of the NTDS settings branches and clicking "check topology"

Run REPLMON.EXE and add both of the domain controllers to the monitored servers list.  Do you see the same errors?
0
 
LVL 4

Expert Comment

by:tengage
ID: 12595082
If you try to manually sync with the repl partner, do you get the same errors?  Are there any other IDs in the event viewer for either DC?
0
 
LVL 4

Expert Comment

by:tengage
ID: 12595150
when you ran NSLOOKUP, did you try the server both qualified and unqualified?  Is WIN2000 the only DNS server in your site?
0
 
LVL 4

Expert Comment

by:tengage
ID: 12595181
try running NETDIAG.EXE from both of the DCs, do they both pass?
0
 
LVL 4

Expert Comment

by:tengage
ID: 12595215
Somewhere down the list of NETDIAG.EXE test results is a "DNS Test".  I have a feeling that your DNS is happy and the error you're getting is somewhat generic.  To rule out DNS altogether, you might try adding entries to the host file on each DC (qualified) to point to the other DC.  This would at least eliminate DNS as our issue.
0
 
LVL 4

Expert Comment

by:tengage
ID: 12595233
Here is a great article on DCDIAG and NETDIAG.  If you do really have DNS related replication issues, these tools will show them to you.
http://support.microsoft.com/kb/265706/EN-US/
0
 
LVL 4

Expert Comment

by:tengage
ID: 12595280
one more thing and I'll shut up.  Can you perform an NSLOOKUP on your domain DEALERS.COOPBANK?
0
 

Author Comment

by:tobesteruk
ID: 12601766
Patience was the key.  Left the DCs overnight and when I checked them this morning all replication pairs were working fine.

Thanks for all your help
0
