• Status: Solved
  • Priority: Medium
  • Security: Public

Loss of Global Catalog

I've read through previous answers and tried lots of things, but no luck. Any help VERY gratefully received:

Network

server01 - w2k SP4 - running Exchange 2000 - this was the original sole server in the network
server04 - w2k SP4
server06 - w2k3 - running Exchange 2003

I want to get rid of server01 so bought a new machine (server06) and installed Exchange 2003, transferred mailboxes, set up DNS etc etc. Everything working great.

I started to run dcpromo on server01 to demote it and get the message about Global Catalogs.  So abort demotion and tick the "global catalog" boxes on server04 and server06 and leave the whole thing for a day or so.

Then untick "global catalog" on server01 in preparation for demoting the server - and that's where the problems start - logon problems, exchange services not starting etc etc.

Having looked through all I can, I realise that ldp shows isGlobalCatalogReady as FALSE and presume that this is the root of all my problems.

Go back and try and reset everything as it was - no joy.

Try following:-

http://techrepublic.com.com/5100-6268_11-1048225-3.html as there is no gc entry in _msdcs but can't see how you can add a "subfolder" GC - if I add an SRV record it goes in as a subfolder _tcp

As I say - any suggestions most gratefully received

Thanks - Tom Smith
Asked by: taksmith

6 Solutions

WeHe commented:
Can you set the GC flag for server06 in AD Sites and Services?

taksmith (Author) commented:
Yes - seemingly no problem - I've set it now but have previously had it in both states (when trying to get back to server01 being the only GC).

map000 commented:
Check if you have configured the DNS server as dynamic DNS.
If it's OK, then run ipconfig /registerdns on server4 and server6 and the GC entries should appear.

taksmith (Author) commented:
DNS was, but had been changed to secure only; pro tem I've set it back to secure and non-secure and run ipconfig. Will wait 15 minutes to see what happens.

Many thanks

taksmith (Author) commented:
Not appeared, and isGlobalCatalogReady is still FALSE.

Tom

map000 commented:
Have you replicated the servers?

taksmith (Author) commented:
I think so - how do I tell? I've gone into AD Sites & Services -> Sites -> Default-First-Site -> Servers... then NTDS Settings and "Replicate Now" on them all and get the "Active Directory has replicated the connections" message - or do you mean replicate DNS (if so, how)? The domain is AD integrated and appears on all the servers OK.

Sorry for the ignorance.

map000 commented:
No, it's about replicating the AD; if there are Active Directory Integrated DNS servers, DNS is replicated using Active Directory.
Can you tell me again whether there are AD integrated zones (in DNS)?

taksmith (Author) commented:
All the zones in DNS are AD integrated.

map000 commented:
Maybe it will work after a restart.
If you have AD integrated zones, the servers should record their DNS names in the DNS server zone.

map000 commented:
Have you moved the other roles (PDC, Infrastructure Master, ...) to the new server?

taksmith (Author) commented:
These are all moved to server06 but I have read

http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_adGcInfFSMO.htm

which says

"Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so will never replicate any changes to the other domain controllers in the domain.
If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role."

So I thought as long as I moved them off server01, and ticked all the "global catalog" boxes on server04 and server06, I'd be alright??

Thanks so far - not solved, but certainly getting there I hope

Tom
map000 commented:
Yes, indeed; if they are the only 2 DCs in your domain it's recommended that one keeps the IM role and the other the GC role.

taksmith (Author) commented:
OK, IM is on server06 and PDC is on server04 (had to think about that one because I couldn't do it from server06 because I couldn't connect to server04 - permission denied - presumably because the global catalog was down - chicken and egg problem!)

Would you suggest now rebooting the servers in order - presumably server04 then server06??

Thanks

crissand commented:
Run

dcdiag /test:fsmocheck /s:domain-controller-name

or, if you run it on a domain controller, the /s switch can be omitted.

taksmith (Author) commented:
OK get the following when run on server06

...  server04 passed test Connectivity

...

Running enterprise tests on : office.davas.co.uk
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 5
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 5
A Primary Domain Controller could not be located
The server holding the PDC role is down

Same for

TIME_SERVER
GOOD_TIME_SERVER_PREFERRED
KDC_REQUIRED

all error 5

so not surprisingly..... failed test FsmoCheck

WeHe commented:
Do you have the gc._msdcs.DnsForestName A record(s)?
If not, why don't you create them?
You have to create an A record, not an SRV record.

taksmith (Author) commented:
Created this A record and, being an AD integrated domain, I can see it on all the machines, but if I run dcdiag I still get the same response as above. Do I have to leave it for a while to allow AD replication???

taksmith (Author) commented:
Can happily ping gc._msdcs.office.davas.co.uk from a workstation and it resolves. Is this record what

http://techrepublic.com.com/5100-6268_11-1048225-3.html

is alluding to? They seem to suggest it is a folder, not an A record, and that it contains an SRV record.

WeHe commented:
Do you have a _msdcs.office.davas.co.uk AD-integrated zone?
Can you check whether all records listed in %systemroot%\System32\Config\Netlogon.dns are registered in DNS?

taksmith (Author) commented:
WeHe

There is a _msdcs.office.davas.co.uk AD-integrated zone.

I think all those records are in DNS.

Looking at the recent event logs on server04 I have an NTDS information event, NTDS Replication, saying that promotion of the server will be delayed for 30 minutes so that the required partitions can be made ready etc.... It also suggests a registry change to HKLM\System\CCS\Services\NTDS\Parameters\Global Catalog Delay Advertisement (sec) to 0 to force promotion on the next attempt - but I have at least 3 sets of these errors 30 minutes apart, so something is failing somewhere.

WeHe commented:
So it knows it should be a GC, but did not replicate all partitions from another GC.
Which servers are actually set to be GCs at the moment?

The MS standard configuration is to have its own zone for _msdcs.office.davas.co.uk.
In your office.davas.co.uk zone you delegate this zone to your own (the same) DNS server (right click on zone -> add delegation).
In this delegated zone, you have to create the server SRV records (this should be done by "ipconfig /registerdns").

But I believe your problem is that no new GC can replicate from your old GC.
Can you post the result of "nltest /dsgetdc:office.davas.co.uk /server:server04" and the same for server06?
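
Added example, not a post from this thread: WeHe's replies above ask for three things (the isGlobalCatalogReady flag that ldp showed, the SRV records clients use to locate a GC, and a separate AD-integrated _msdcs zone delegated from the parent zone with Netlogon re-registering its records). The PowerShell below performs those checks and, with -Repair, the zone-and-delegation step. It is the editor's code, not Microsoft's or a poster's; it assumes the thread's names (office.davas.co.uk, server04, server06), PowerShell 3+ with the DnsClient module, and for -Repair the DnsServer RSAT module run as a Domain Admin on a DC. The 2003-era posters would have used ldp, nslookup and the DNS MMC for the same steps.

```powershell
# Added example (editor's code, not from the thread). Verifies GC readiness and
# the DNS locator records, and optionally builds the _msdcs zone + delegation.
# Assumed names: forest office.davas.co.uk, DNS/DC server04, second DC server06.
param(
    [string]$Forest = 'office.davas.co.uk',
    [string[]]$DomainControllers = @('server04', 'server06'),
    [string]$DnsServer = 'server04',
    [switch]$Repair    # create the _msdcs zone and delegation if missing
)

function Get-GcStatus {
    param([string]$Dc)
    # Same attribute the thread read with ldp, fetched from RootDSE over LDAP/389.
    $rootDse = [ADSI]"LDAP://$Dc/RootDSE"
    $ready = "$($rootDse.isGlobalCatalogReady)"
    # TRUE alone is not enough: a usable GC must also answer on TCP 3268.
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($Dc, 3268); $listening = $true }
    catch   { $listening = $false }
    finally { $client.Close() }
    [pscustomobject]@{ DC = $Dc; IsGlobalCatalogReady = $ready; Port3268 = $listening }
}

function Get-GcLocatorRecords {
    param([string]$ForestName, [string]$Server)
    # Clients find a GC through these SRV names (both live under _msdcs or the
    # forest zone); dcdiag's "All GC's are down" usually means one is absent.
    foreach ($name in "_gc._tcp.$ForestName", "_ldap._tcp.gc._msdcs.$ForestName") {
        $rr = Resolve-DnsName -Name $name -Type SRV -Server $Server -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Record  = $name
            Targets = if ($rr) { ($rr | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ' }
                      else     { '<missing>' }
        }
    }
}

function Repair-MsdcsZone {
    param([string]$ForestName, [string]$Server)
    Import-Module DnsServer -ErrorAction Stop
    $zone = "_msdcs.$ForestName"
    if (-not (Get-DnsServerZone -Name $zone -ComputerName $Server -ErrorAction SilentlyContinue)) {
        # Forest-wide AD-integrated zone with secure updates only, the layout
        # dcpromo creates by default. Allowing nonsecure updates would let any
        # host on the LAN rewrite the records clients use to find a DC.
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest -DynamicUpdate Secure -ComputerName $Server
        $nsFqdn = "$Server.$ForestName"
        $nsIp   = (Resolve-DnsName -Name $nsFqdn -Type A -Server $Server | Where-Object { $_.Type -eq 'A' }).IPAddress
        Add-DnsServerZoneDelegation -Name $ForestName -ChildZoneName '_msdcs' -NameServer $nsFqdn -IPAddress $nsIp -ComputerName $Server
    }
    # Let Netlogon register the SRV/A records from netlogon.dns itself rather
    # than hand-typing them (WeHe's advice); run this part on every DC.
    Restart-Service -Name Netlogon
    nltest /dsregdns | Out-Null
}

$DomainControllers | ForEach-Object { Get-GcStatus -Dc $_ } | Format-Table -AutoSize
Get-GcLocatorRecords -ForestName $Forest -Server $DnsServer | Format-Table -AutoSize
if ($Repair) { Repair-MsdcsZone -ForestName $Forest -Server $DnsServer }
```

Two caveats worth keeping in mind when using this. The workaround used earlier in the thread, flipping the zone to "secure and non-secure" updates, lets any machine on the network overwrite the DC locator records (a straightforward way to redirect logons to a rogue host), so once the records are registered put the zone back to secure-only. And a DC that reports isGlobalCatalogReady TRUE but does not listen on 3268 has not finished replicating the read-only partitions; the 30-minute "promotion will be delayed" event quoted above is that wait.
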
 
taksmith (Author) commented:
Thanks

Each server (server01, server04 and server06) has "global catalog" checked - should this only be 01 and 04?

I've delegated the zone and run ipconfig /registerdns

************

OK - for server04

 DC: \\server04.office.davas.co.uk
      Address: \\192.168.20.134
     Dom Guid: b8ea4209-cd5f-4bb9-a5e4-7cd4a416b6e7
     Dom Name: office.davas.co.uk
  Forest Name: office.davas.co.uk
 Dc Site Name: Default-First-Site
Our Site Name: Default-First-Site
        Flags: PDC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully

**********

For server06

      DC: \\SERVER06.office.davas.co.uk
      Address: \\192.168.20.136
     Dom Guid: b8ea4209-cd5f-4bb9-a5e4-7cd4a416b6e7
     Dom Name: office.davas.co.uk
  Forest Name: office.davas.co.uk
 Dc Site Name: Default-First-Site
Our Site Name: Default-First-Site
        Flags: DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully


******

For completeness Server01 is

DC: \\server01.office.davas.co.uk
      Address: \\192.168.20.121
     Dom Guid: b8ea4209-cd5f-4bb9-a5e4-7cd4a416b6e7
     Dom Name: office.davas.co.uk
  Forest Name: office.davas.co.uk
 Dc Site Name: Default-First-Site
Our Site Name: Default-First-Site
        Flags: DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully


Thanks

Tom
taksmith (Author) commented:
Another look at the event log having set the delay to 0 gives

The KCC will retry adding the replica

So maybe getting somewhere? OK - really ignorant - what is KCC?

Thanks

taksmith (Author) commented:
And now - miracle of miracles - I get in ldp

 isGlobalCatalogReady: TRUE;

I'll leave it overnight to replicate etc. and see what it does in the morning! Off to bed!

WeHe commented:
KCC is the Knowledge Consistency Checker.
The KCC calculates connections between DCs for replication and deletes/creates NCs and such things.
None of your servers is showing a GC flag; that's bad.
Can you give more details of the event log entries? ID, source, data, ...
What are repadmin and dcdiag showing?

Is it possible to restore the full server01 as an authoritative restore? You lose any changes in AD you made since then.
But if you have no GC, it is not possible to make a new one, as any new one wants to replicate from an active GC.
Maybe unchecking all GCs and rechecking on server01 will help, but it's dangerous.
Maybe demoting server01 and promoting it again (after a few hours of replication) will help, but that's dangerous too.

taksmith (Author) commented:
OK running nltest on server04 now gives

  DC: \\server04.office.davas.co.uk
      Address: \\192.168.20.134
     Dom Guid: b8ea4209-cd5f-4bb9-a5e4-7cd4a416b6e7
     Dom Name: office.davas.co.uk
  Forest Name: office.davas.co.uk
 Dc Site Name: Default-First-Site
Our Site Name: Default-First-Site
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully

so I guess that's a positive move.  However on server06 and server01 there is no GC showing
map000 commented:
Now the users can log in, Exchange works...?
If you have GC on server04, it's enough.

WeHe commented:
You can now give them GC if you want, but you do not need to.
Take care not to set the Infrastructure Master role on a GC, unless all DCs are GCs.
I would make a 2nd GC for redundancy.

map000 commented:
WeHe, he wants to keep only 2 DCs, so his only solution is to put the GC on server04 and IM on server06.
I would keep the other roles on server04 (PDC, ...).

WeHe commented:
But why not make all DCs a GC?
If one dies, the other is still available.

taksmith (Author) commented:
Yes

users can log in
Exchange works

Hair less grey and not being pulled out......

IM is on server06
GC is on server04

So - thanks to all for various help and final questions

I unticked "global catalog" on every machine except server04 - it sounds to me as though when I've scrapped server01 I ought to have another server on the network and make it also a GC - is this sensible or if I make server04 and server06 GCs then can IM reside on server06  (or is this just a bad thing to do anyway?)

Thanks again for all your help

map000 commented:
WeHe, it can't, because it shouldn't have IM and GC on the same server.

WeHe commented:
It's OK to make a GC the IM, if ALL DCs are GCs.
Read the documentation about this, map000.

taksmith (Author) commented:
Sorry guys - is there a definitive MS answer to this on MS's site that you can point me to? (or is that asking too much)

All I'm wary of is making server06 a GC and then having the whole thing crashing round my ears again.

map000 commented:
OK WeHe, you're right.
Didn't do my homework :)

WeHe commented:
No problem. Look here: http://support.microsoft.com/default.aspx?scid=kb;en-us;223346 (it's for 2000 but it applies to 2003 too).
But I know it's no problem if all DCs are GCs, because in this case the IM has no work, as all DCs have all infrastructure data.

in ms words:
As a general rule, the infrastructure master should be located on a nonglobal catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.

Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:

• Single domain forest:
In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain.

• Multidomain forest where every domain controller holds the global catalog:
If every domain controller in the domain also hosts the global catalog, then there are no phantoms or work for the infrastructure master to do. The infrastructure master may be placed on any domain controller in the domain.
map000 commented:
I just read in the Designing Active Directory 2003 book; they say you can use an IM as a GC (if all DCs are GCs).
Actually, there are problems in a multi-domain network; in your single domain net you can use it (but probably it's not absolutely necessary).

crissand commented:
Have you checked the FSMO roles now?
Run
netdom query fsmo

I think you've already installed the netdom utility. The initial problem was the missing PDC emulator too, not only the GC. Now that you have a PDC emulator, you can force replication and see what error messages you get.

WeHe commented:
The initial problem was a missing _msdcs delegation in his domain DNS zone.

taksmith (Author) commented:
DC Diagnosis

results of test on server04

****************

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Default-First-Site\SERVER04
      Starting test: Connectivity
         An error that is usually temporary occured during DNS host loo
         Please try again later.
         Although the Guid DNS name
         (9c67315f-defa-4fd9-aca8-69705c65983d._msdcs.office.davas.co.u
         couldn't be resolved, the server name (server04.office.davas.c
         resolved to the IP address (192.168.20.134) and was pingable.
         that the IP address is registered correctly with the DNS serve
         ......................... SERVER04 failed test Connectivity


Doing primary tests

   Testing server: Default-First-Site\SERVER04

   Running enterprise tests on : office.davas.co.uk
      Starting test: FsmoCheck
         ......................... office.davas.co.uk passed test FsmoCheck

**********

server06

DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Default-First-Site\SERVER06
      Starting test: Connectivity
         An error that is usually temporary occured during DNS host lookup,
         Please try again later.
         Although the Guid DNS name
         (0d72f4dc-fdc5-430b-a433-1007f3b5852a._msdcs.office.davas.co.uk)
         couldn't be resolved, the server name (SERVER06.office.davas.co.uk)
         resolved to the IP address (192.168.20.136) and was pingable.  Check
         that the IP address is registered correctly with the DNS server.
         ......................... SERVER06 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\SERVER06

   Running enterprise tests on : office.davas.co.uk
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... office.davas.co.uk failed test FsmoCheck

*******

So...

Do I manually make a DNS record?

Thanks
WeHe commented:
Not a good idea to make them manually.
Try:
"ipconfig /registerdns"
or
restart the Netlogon service
or
reboot the servers.

Any of the above should re-register these records, if your DNS server allows dynamic updates.

taksmith (Author) commented:
netdom query fsmo gives

Schema owner                server01.office.davas.co.uk
Domain role owner           server01.office.davas.co.uk
PDC role                    server04.office.davas.co.uk
RID pool manager            server04.office.davas.co.uk
Infrastructure owner        SERVER06.office.davas.co.uk
The command completed successfully.


so I presume I need to somehow (?) move the schema owner and the domain role owner to server04?
taksmith (Author) commented:
Wehe

From your comments above I delegated the zone to server04

"the ms standard configuration is to have a own zone for _msdcs.office.davas.co.uk
in your office.davas.co.uk zone you delegate this zone to your own (the same) dns server (right click on zone ->add delegation).
in this delegated zone, you have to create the server srv records (this should be done by "ipconfig /registerdns")."

and now in DNS of course the _msdcs zone is delegated and contains no entries - however things are working!

map000 commented:
Active Directory Domains and Trusts:
right click, Operations Master, and transfer the role to server04 (do this from server04).
For moving the schema you should run the Schema Master console (mmc, add the Schema snap-in).
If you do not find it, you should register it first (ask if problems).
You don't yet have updated records in DNS?
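
Added example, not a post from this thread: the netdom output above shows the Schema Master and Domain Naming Master still on server01, and the KB 223346 quote earlier in the thread gives the rule for where the Infrastructure Master may sit. The PowerShell below lists the role holders, evaluates that rule, and transfers the two forest roles to a target DC, which is the scripted form of the Domains and Trusts / Schema snap-in steps map000 describes. It is the editor's code, not a poster's; it assumes the RSAT ActiveDirectory module (a 2008 R2 or later management host, not the 2003-era tools in the thread), the thread's names, and function and parameter names of my own choosing.

```powershell
# Added example (editor's code, not from the thread). Lists FSMO holders,
# checks the KB 223346 Infrastructure Master rule, and transfers the forest
# roles netdom showed on server01 to a target DC.
# Schema Master transfer needs Schema Admins; Domain Naming Master needs
# Enterprise Admins. Assumed target name from the thread: server04.
param(
    [string]$Target = 'server04.office.davas.co.uk',
    [switch]$Transfer,
    [switch]$Seize   # only when the current holder is gone for good
)
Import-Module ActiveDirectory -ErrorAction Stop

function Get-FsmoHolders {
    # Same information as "netdom query fsmo", as an object instead of text.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$ImHolder)
    $dcs     = @(Get-ADDomainController -Filter *)
    $gcs     = @($dcs | Where-Object { $_.IsGlobalCatalog })
    $imIsGc  = $gcs.HostName -contains $ImHolder
    $domains = @((Get-ADForest).Domains).Count
    # KB 223346: IM on a GC is harmless in a single-domain forest, or when every
    # DC is a GC, because then there are no phantoms for the IM to update.
    $ok = (-not $imIsGc) -or ($domains -eq 1) -or ($gcs.Count -eq $dcs.Count)
    [pscustomobject]@{
        InfrastructureMaster = $ImHolder
        ImIsGc               = $imIsGc
        DomainsInForest      = $domains
        GlobalCatalogs       = "$($gcs.Count) of $($dcs.Count) DCs"
        PlacementOk          = $ok
    }
}

function Move-ForestRoles {
    param([string]$To, [switch]$Force)
    # A transfer opens an RPC session to the current holder; "The current
    # operations master is offline" means that call failed. -Force seizes the
    # role instead, which is only safe if the old holder never comes back online.
    Move-ADDirectoryServerOperationMasterRole -Identity $To `
        -OperationMasterRole SchemaMaster, DomainNamingMaster -Force:$Force -Confirm:$false
}

$holders = Get-FsmoHolders
$holders | Format-List
Test-InfrastructureMasterPlacement -ImHolder $holders.InfrastructureMaster | Format-List
if ($Transfer) {
    Move-ForestRoles -To $Target -Force:$Seize
    Get-FsmoHolders | Format-List   # confirm the move replicated
}
```

Transfer rather than seize while server01 is still on the network: the "current operations master is offline" and "RPC server is unavailable" errors reported later in the thread are the transfer's RPC call to server01 failing, so name resolution, time synchronisation and TCP 135 plus dynamic RPC reachability between server04 and server01 need fixing first. Seizing (-Seize here, -Force on the cmdlet) while the old holder is alive leaves two DCs claiming the role. Add the account to Schema Admins only for the transfer and remove it afterwards; that group has no day-to-day use.
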
 
crissand commented:
Lots of the problems generated in Active Directory, from my experience, are from the FSMO machines. Don't forget that the PDC is the primary clock for the domain as well.

taksmith (Author) commented:
trying to transfer the operations master (from server04) I get

The current operations master is offline.  The role cannot be transferred

Trying on server01 to connect to server04 to do the transfer there I get

The domain controller server04.office.davas.co.uk was not validated because: The RPC server is unavailable

And I couldn't log on to server01 using my normal credentials - had to log on as Administrator - I presume the two are related.

crissand commented:
The servers are not synchronized:

http://support.microsoft.com/?kbid=305476

map000 commented:
Where do you want to transfer... from server04?
You should transfer TO server04.

taksmith (Author) commented:
To server04 - but I can't do it either when logged on to server01 or server04

Thanks for all your help - hope it helps others in the future too

Tom