Solved

Difficult ActiveDirectory (on W2K) Question: Many points available ....

Posted on 2005-03-23
836 Views
Last Modified: 2007-12-19
Hi,
Wonder if anyone can help at all.

We had an AD primary domain controller running W2K. This was the dc
for our (internal-only) domain NETWORK, i.e. for network.ourdomain.com.
Call this machine SERVER_A.

This machine recently died.

We have another machine, SERVER_B, also running W2K. On this machine I'd done dcpromo
before SERVER_A died, and I thought I had set it up as another DC for our domain
NETWORK in case SERVER_A died.

I've now rebuilt SERVER_A as another W2K server. And I now want it to be a DC for our
NETWORK domain.

So, on SERVER_A I've run dcpromo - told it to be "Additional domain controller for an existing domain".
On entering network.ourdomain.com, I get:

"The domain network.ourdomain.com is not an Active Directory domain, or an Active Directory domain controller for the domain could be contacted"

Now, the weird thing is: if I get onto SERVER_B, and run "Active Directory Users and Computers", I get the error:
"Naming information cannot be located because: The specified domain either does not exist or could not be contacted.
Contact your system administrator to verify that your domain is properly configured and is currently online".

So - at this point I click OK. Stay with me here. On the "Active Directory Users and Computers" window that then appears,
I right-click on "Active Directory Users and Computers" and choose "Connect to Domain Controller" and enter: SERVER_B.

I get the message: "Domain controller SERVER_B is in domain network.ourdomain.com. You are currently administering domain . Do you want to administer network.ourdomain.com by using domain controller SERVER_B". If I then type Yes, I wait a while ... and
then .... Bingo, all my computers, users etc appear.

So, in summary:
- SERVER_A died.
- SERVER_B had had dcpromo run on it.
- SERVER_A is now rebuilt.
- If I run dcpromo on SERVER_A to try to make it a DC for network.ourdomain.com - I can't.
- On SERVER_B I can get hold of our original domain details.

Question: What do I do to get SERVER_A a dc again for network.ourdomain.com?

Thanks for any help,
Ben.

0
Question by:bcops
78 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 13612610
Sounds like this could be a DNS issue. Have you verified that DNS is setup correctly? Are there any errors in the event logs?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13612739
Hi Ben,

First thing you need to check is where your FSMO roles are. These are vital to your network and are pretty unlikely to be running correctly if your main server failed.

So... Log on with a user account that is a member of Domain Admins and Schema Admins, then:

Open Start and Run
Type ntdsutil and press enter

This will bring up a lovely black box with a command prompt.

Type the following (enter after each):

Roles
Connections
Connect to Server <ServerB>
Quit
Select Operation Target
List Roles for Connected Server

This will dump all 5 of the current roles and which server is in charge of them:

Schema - CN=NTDS Settings,CN=<Server in charge of the Role>

If any of these are ServerA you need to move them. Back to that window and type:

Quit

This puts you back at FSMO maintenance. It's really really really important to know that the next step is not reversible. If you intend on any level to recover ServerA without rebuilding it you cannot do this. Otherwise, each of the roles not already on ServerB needs to be seized:

Seize PDC
Seize RID Master
Seize Schema Master
Seize Domain Naming Master
Seize Infrastructure Master

This has moved all the Roles across to ServerB. For reference, to move the roles with ServerA running on the network normally you would use Transfer <Role Name> instead of Seize.

That's all for NTDSUtil.

Quit
Quit

Will quit the application.

You need to make sure the DNS service is running on ServerB and working correctly (and that ServerB refers to it). Restart the NetLogon Service and ensure no errors appear in the Event Log for DNS.

You also need to ensure ServerB is a Global Catalog, to check that open Active Directory Sites and Services, select your site, then ServerB, and open the properties for NTDS Settings. Global Catalog is just a little tick box there.

Let me know how that goes.

HTH

Chris
0
 

Author Comment

by:bcops
ID: 13613061
Hi Chris-Dent,

I'll give all that a whirl shortly ... however, one thing you should know: the DNS server on SERVER_B is a secondary DNS server, secondary to the DNS on SERVER_A as was.

I'm guessing this makes quite a difference.
Thanks, Ben.

0

 
LVL 71

Expert Comment

by:Chris Dent
ID: 13613122

If both servers used AD Integrated zones then you should be okay. Of course ServerB should be made the first DNS server it checks (since ServerA isn't there).

ServerA will also need to have ServerB as its first DNS because it'll be the only one that knows about Active Directory as a whole.

All records for domain controllers, authentication servers etc etc are stored in DNS.
0
 

Author Comment

by:bcops
ID: 13613198
I made SERVER_B a secondary DNS of SERVER_B : whether that means it uses AD Integrated zones not sure.
I do know that it doesn't allow me to edit/change any DNS entries. I can read, but cannot change.

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13613512

Okay, if it's Read Only it's most likely a Slave (MS call that Secondary) zone. It must be running a Master zone for DNS to work well enough for AD to function.

Open the Properties for the zone (inside DNS Manager) and press the Change button next to type. You should be able to change the zone to Master (and MS call that one Primary) there. Ideally you should also store the zone in Active Directory.

Let me know how that goes.

0
 

Author Comment

by:bcops
ID: 13619447
Hi Chris-Dent,

Many thanks for this - I'm not in now until next Tuesday, so I'll have to try this then.
Thanks, Ben.

0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13620258
Let us know if not solved. Would like to jump to this thread. Interesting one for me :-)
0
 

Author Comment

by:bcops
ID: 13661061
Hi Chris-Dent,

I'm finally back in the office, and I've finally looked at this.
I've followed all your steps above Chris, they all seemed to go fine - thanks - they were fantastic steps.

However, when I now get onto Server_A again, type dcpromo and tell SERVER_A to be "Additional domain controller for an existing domain" I still get:

"The domain network.ourdomain.com is not an Active Directory domain, or an Active Directory domain controller for the domain could be contacted"

Which is most peculiar.
Any ideas?

Thanks, Ben.


0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13661086

Hi Ben,

Can you confirm that Server_A uses Server_B as its preferred DNS Server?

You might also check that Server_B uses itself as preferred DNS.

If they are all set like that restart the NetLogon Service on Server_B and run "ipconfig /registerdns" from the command prompt.  Then check the DNS Logs (Event Viewer) and System Logs for DNS Errors.

Let me know how you get on.
0
 

Author Comment

by:bcops
ID: 13661301
I can confirm that:
--- Server_A uses Server_B as its preferred DNS server.
--- Server_B uses itself as preferred DNS.

Restarted NetLogon service:
- DNS log: no errors
- Directory Service: Error: NTDS General: Unable to establish connection with global catalog.
- Application log: Rather alarming message: Windows cannot determine the user or computer name.

Did notice that the file replication service was running - there was a message in the file replication service log stating that whilst this was running this server could not become a domain controller. So, I stopped this.

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13661570

In Active Directory Sites and Services, if you find Server_B and open the Properties for its NTDS Settings... it's definitely set as a Global Catalog?

Of course, if DNS isn't behaving itself you also wouldn't be able to connect to the Global Catalog... But if you confirm the first bit...
0
 

Author Comment

by:bcops
ID: 13661733
Yup, it is most definitely set as Global catalog.

However, I was just about to email the following: I've just followed the following instructions: http://support.microsoft.com/kb/842208

So, I typed: nltest /dsgetdc:Domain_name /server:Server_Name, and then press ENTER.
And it does advertise itself as a global catalog server i.e.: lists following flags:
 Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE

However - I've just had the most peculiar behaviour.

I've typed that command again, say 10 mins later - and I get:
"DsGetDcName failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN"

Most peculiar. A few moments ago this was definitely returning sensible results.

System log is also reporting:
w32time: EventID: 62: This Machine is a PDC at the root of the forest. Configure to sync from External time source using the net command: 'net time /setsntp:<server name>'. Reason I mention this is because the following URL: http://www.eventid.net/display.asp?eventid=1126&eventno=656&source=NTDS%20General&phase=1 contains a post where the "Unable to Establish Connection with the Global Catalog " error happens because I quote:

"Shawn Westerhoff
This can be caused by clocks on AD controllers being out of sync."

Ben.

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13661790

The external time source is pretty easy to fix. Personally I use one of the stratum 2 servers from this list:

http://ntp.isc.org/bin/view/Servers/StratumTwoTimeServers

However, since you only have one domain controller it's not all that likely to be the cause.

Can you try running the command line tool DCDiag on your server and see what that comes back with?
0
 

Author Comment

by:bcops
ID: 13661900
Hi Chris,
Output attached below:

--------- START OF OUTPUT:------------------------------

DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests
   
   Testing server: Default-First-Site-Name\SERVER_B
      Starting test: Connectivity
         ......................... SERVER_B passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER_B
      Starting test: Replications
         ......................... SERVER_B passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER_B passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER_B passed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (SERVER_B) call failed, error 1355
         The Locator could not find the server.
         ......................... SERVER_B failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER_B passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SERVER_B passed test RidManager
      Starting test: MachineAccount
         ......................... SERVER_B passed test MachineAccount
      Starting test: Services
            NtFrs Service is stopped on [SERVER_B]
            SMTPSVC Service is stopped on [SERVER_B]
         ......................... SERVER_B failed test Services
      Starting test: ObjectsReplicated
         ......................... SERVER_B passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... SERVER_B passed test frssysvol
      Starting test: kccevent
         ......................... SERVER_B passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x8000003E
            Time Generated: 03/30/2005   14:49:06
            (Event String could not be retrieved)
         ......................... SERVER_B failed test systemlog
   
   Running enterprise tests on : network.ourdomain.com
      Starting test: Intersite
         ......................... network.ourdomain.com passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... network.ourdomain.com failed test FsmoCheck

--------- END OF OUTPUT:------------------------------


0
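As an added triage helper (not from this thread and not a Microsoft tool), the following Python parses dcdiag output like the one posted above, lists each failed test with the Win32 error codes it quotes (1355 is ERROR_NO_SUCH_DOMAIN, the code DsGetDcName returns here), and also surfaces tests that dcdiag marks as passed even though they logged Error lines, as frssysvol does above. The sample input is constructed from the output in this post; the WIN32_ERRORS table only covers the code seen on this page.

```python
"""Triage helper for dcdiag output (hypothetical, not part of the thread)."""
import re
from dataclasses import dataclass

# Win32 error codes that appear in the dcdiag output on this page.
WIN32_ERRORS = {
    1355: "ERROR_NO_SUCH_DOMAIN (DC locator found no matching DC/GC/KDC record in DNS)",
}

# Constructed sample, cut down from the dcdiag output posted above.
SAMPLE = """\
DC Diagnosis

Doing primary tests

   Testing server: Default-First-Site-Name\\SERVER_B
      Starting test: Replications
         ......................... SERVER_B passed test Replications
      Starting test: Advertising
         Fatal Error:DsGetDcName (SERVER_B) call failed, error 1355
         The Locator could not find the server.
         ......................... SERVER_B failed test Advertising
      Starting test: Services
            NtFrs Service is stopped on [SERVER_B]
            SMTPSVC Service is stopped on [SERVER_B]
         ......................... SERVER_B failed test Services
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         ......................... SERVER_B passed test frssysvol

   Running enterprise tests on : network.ourdomain.com
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... network.ourdomain.com failed test FsmoCheck
"""

START_RE = re.compile(r"^\s*Starting test:\s*(\S+)")
VERDICT_RE = re.compile(r"^\s*\.+\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
ERROR_RE = re.compile(r"call failed, error (\d+)")
STOPPED_RE = re.compile(r"^(\S+) Service is stopped on \[(\S+)\]")


@dataclass
class TestResult:
    target: str             # server or domain named on the verdict line
    name: str               # dcdiag test name, e.g. Advertising
    passed: bool
    details: list           # stripped lines between "Starting test" and the verdict
    error_codes: list       # Win32 codes quoted in those lines, in order
    stopped_services: list  # services reported stopped, e.g. NtFrs


def parse_dcdiag(text):
    """Turn raw dcdiag text into one TestResult per 'Starting test' block."""
    results, current, buf = [], None, []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            current, buf = m.group(1), []
            continue
        m = VERDICT_RE.match(line)
        if m and current is not None:
            target, verdict, name = m.groups()
            codes = [int(c) for d in buf for c in ERROR_RE.findall(d)]
            stopped = [s.group(1) for s in map(STOPPED_RE.match, buf) if s]
            results.append(TestResult(target, name, verdict == "passed", buf, codes, stopped))
            current = None
            continue
        if current is not None and line.strip():
            buf.append(line.strip())
    return results


def failed_tests(results):
    return [r for r in results if not r.passed]


def noisy_passes(results):
    """Tests dcdiag marked passed that still logged 'Error:' lines (frssysvol above)."""
    return [r for r in results if r.passed and any(d.startswith("Error:") for d in r.details)]


def explain(result):
    """One-line reason for a failed test, decoding the error codes it quoted."""
    reasons = [f"error {c}: {WIN32_ERRORS.get(c, 'unknown Win32 error')}"
               for c in sorted(set(result.error_codes))]
    reasons += [f"service {s} stopped" for s in result.stopped_services]
    why = f" ({'; '.join(reasons)})" if reasons else ""
    return f"{result.target} failed {result.name}{why}"


def triage(text):
    """Map each failed test name to its explanation."""
    return {r.name: explain(r) for r in failed_tests(parse_dcdiag(text))}


if __name__ == "__main__":
    results = parse_dcdiag(SAMPLE)
    for why in triage(SAMPLE).values():
        print(why)
    for r in noisy_passes(results):
        print(f"note: {r.target} passed {r.name} but logged: {r.details[0]}")
```

Run it against a saved `dcdiag /f:DCDiag.log` file by reading the file into `triage` instead of `SAMPLE`.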
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13662266

Can you do this lot again:

Start
Run
ntdsutil
Roles
Connections
Connect to Server Server_B
Quit
Select Operation Target
List Roles for Selected Server

And Confirm that the PDC Role belongs to Server_B?

If it doesn't add the following:

Quit
Seize PDC

Then Re-Run DCDiag.

If it already does have that role I'd like you to try re-creating the DNS Domain details. These may not be behaving correctly which would prevent service advertising from working correctly.

The following steps should be used for this:

http://support.microsoft.com/?kbid=305967

If anything there isn't clear please don't hesitate to ask.

0
 

Author Comment

by:bcops
ID: 13663141
Hi Chris,
Thanks for your continued help.

I re-ran the Seize PDC although the PDC role did belong to Server_B, and re-ran DCDiag - got the same results.

I took a look at:
http://support.microsoft.com/?kbid=305967
Its contents are below: my comments are preceded by BEN:

1. Change the DNS settings to Standard Primary Zone.
BEN: So this means changing the type of the Active Directory-integrated zone into a standard primary zone? Won't that mean losing all the current settings?

2. On each domain controller that had DNS, point to the Standard Primary DNS server for DNS resolution.
BEN: What on earth does this mean?

3. On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
ipconfig /flushdns
ipconfig /registerdns
BEN: Er, OK.

4. On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
net stop netlogon
net start netlogon

5. In the DNS console, delete the DNS zones.
BEN: Right, so delete the zones - remove all entries in the Active Directory-integrated zone?

6. Delete zones in Active Directory Users and Computers. Click Advanced Options, click System, and then click DNS.
BEN: Click Advanced Options - where?

7. After the information has been cleared, recreate the DNS zones.
BEN: Manually?!!!

8. On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
ipconfig /flushdns
ipconfig /registerdns

9. On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
net stop netlogon
net start netlogon

BEN: And what about returning the type of the zone to Active Directory-integrated zone type from Standard zone?

Chris - if you can shed any light on these instructions it'd be most welcome.
Thanks.

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13663359

This entire process is basically designed to remove anything currently stored in DNS and get it all to re-create itself. The hope is that this will fix the problem with services advertising (like the GC).

1. Change the DNS settings to Standard Primary Zone.
BEN: So this means changing the type of the Active Directory-integrated zone into a standard primary zone? Won't that mean losing all the current settings?

Yes to the first bit of the question. Not yet to the second bit... we will be losing them soon!

Don't worry too much about the existing settings ** unless you have a lot of manually created entries in there **

2. On each domain controller that had DNS, point to the Standard Primary DNS server for DNS resolution.
BEN: What on earth does this mean?

Nothing you need to worry about - you only have one server and it already points to itself.

3. On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
ipconfig /flushdns
ipconfig /registerdns
BEN: Er, OK.

Makes sure it has nothing in its local DNS Cache, then attempts to re-register its own records in DNS.

4. On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
net stop netlogon
net start netlogon

This one re-registers all the Service Records in DNS - those _msdcs, _ldap etc entries.

At this point we'll take a backup of the Zone File so there's always something to fall back on. Go to %SystemRoot%\System32 and open the DNS folder, copy the file which will have a name something like yourdomain.com.dns.

5. In the DNS console, delete the DNS zones.
BEN: Right, so delete the zones - remove all entries in the Active Directory-integrated zone?

They aren't AD Integrated anymore, and it's time for them to leave so we can start with a nice clean copy.

6. Delete zones in Active Directory Users and Computers. Click Advanced Options, click System, and then click DNS.
BEN: Click Advanced Options - where?

View - Advanced Options.
Expand System and you should see MicrosoftDNS.
Under there is a list of the zones - this is where they get stored in AD.

7. After the information has been cleared, recreate the DNS zones.
BEN: Manually?!!!

Recreating them is pretty easy if you only have dynamically registered records. You just add the zone (right click in the Forward Lookup Zone) and continue with the steps below. This zone should be created as Active Directory Integrated - which it isn't clear on.

8. On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
ipconfig /flushdns
ipconfig /registerdns

Re-registers the A records for your server in DNS.

9. On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
net stop netlogon
net start netlogon
BEN: And what about returning the type of the zone to Active Directory-integrated zone type from Standard zone?

Re-registers the _msdcs, _ldap, _kerberos, _gc, _kpasswd entries.

Any thoughts on that lot?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13663520

Oh I should have remembered earlier...

Before you do the DNS bit... if you could do this bit:

Run:

DCDiag /fix

Wait for an hour and rerun DCDiag to see if it's reporting the same problems.
0
 

Author Comment

by:bcops
ID: 13670004
Hi Chris-Dent,
Thanks for the continued posts ....

Below are the results from DCDIAG /fix. I've run it twice!

************ START OF DCDIAG /fix ************************

DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests
   
   Testing server: Default-First-Site-Name\SERVER_B
      Starting test: Connectivity
         ......................... SERVER_B passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER_B
      Starting test: Replications
         ......................... SERVER_B passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER_B passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER_B passed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (SERVER_B) call failed, error 1355
         The Locator could not find the server.
         ......................... SERVER_B failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER_B passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SERVER_B passed test RidManager
      Starting test: MachineAccount
         ......................... SERVER_B passed test MachineAccount
      Starting test: Services
            NtFrs Service is stopped on [SERVER_B]
            SMTPSVC Service is stopped on [SERVER_B]
         ......................... SERVER_B failed test Services
      Starting test: ObjectsReplicated
         ......................... SERVER_B passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... SERVER_B passed test frssysvol
      Starting test: kccevent
         ......................... SERVER_B passed test kccevent
      Starting test: systemlog
         ......................... SERVER_B passed test systemlog
   
   Running enterprise tests on : network.ourdomain.com
      Starting test: Intersite
         ......................... network.ourdomain.com passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... network.ourdomain.com failed test FsmoCheck

************ END OF DCDIAG /FIX ************************

Do I really need the NtFrs and SMTP services running for AD to fully work?
Unless you've got any other insights Chris, I'll try the DNS amendments later on today.

Thanks, Ben.

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13670150

Yes you need NTFRS - while you only have one DC it's not going to break anything by being stopped. But it controls replication of things like system policies and logon scripts.

There's an MS Article on it here:

http://support.microsoft.com/kb/296183

Can you also try running DCDiag with these switches:

DCDiag /c /e /v

Which will run comprehensive tests on all DCs and print out extended information. If there's too much on the screen you might want to make that:

DCDiag /c /e /v /f:DCDiag.log

If you can run those before the DNS changes tests that would be useful.

Cheers,

Chris
0
 

Author Comment

by:bcops
ID: 13670277
Hi Chris,
Output from DCDIAG below as requested:

FYI: I've now re-started the File Replication Server
Thanks, Ben.

******** OUTPUT FROM  DCDiag /c /e /v /f:DCDiag.log STARTS ********
DC Diagnosis

Performing initial setup:
   * Verifing that the local machine SERVER_B, is a DC.
   * Connecting to directory service on server SERVER_B.
   * Collecting site info.
   * Identifying all servers.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial non skippeable tests
   
   Testing server: Default-First-Site-Name\SERVER_B
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... SERVER_B passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER_B
      Starting test: Replications
         * Replications Check
         ......................... SERVER_B passed test Replications
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... SERVER_B passed test Topology
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... SERVER_B passed test CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=network,DC=ourdomain,DC=com
         * Security Permissions Check for
           CN=Configuration,DC=network,DC=ourdomain,DC=com
         * Security Permissions Check for
           DC=network,DC=ourdomain,DC=com
         ......................... SERVER_B passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... SERVER_B passed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (SERVER_B) call failed, error 1355
         The Locator could not find the server.
         ......................... SERVER_B failed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com
         ......................... SERVER_B passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 2620 to 1073741823
         * SERVER_B.network.ourdomain.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1608 to 2107
         * rIDNextRID: 1610
         * rIDPreviousAllocationPool is 1608 to 2107
         ......................... SERVER_B passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/SERVER_B.network.ourdomain.com/network.ourdomain.com
         * SPN found :LDAP/SERVER_B.network.ourdomain.com
         * SPN found :LDAP/SERVER_B
         * SPN found :LDAP/SERVER_B.network.ourdomain.com/NETWORK
         * SPN found :LDAP/3bc107fa-88a7-40f9-b870-b7db6389bcec._msdcs.network.ourdomain.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/3bc107fa-88a7-40f9-b870-b7db6389bcec/network.ourdomain.com
         * SPN found :HOST/SERVER_B.network.ourdomain.com/network.ourdomain.com
         * SPN found :HOST/SERVER_B.network.ourdomain.com
         * SPN found :HOST/SERVER_B
         * SPN found :HOST/SERVER_B.network.ourdomain.com/NETWORK
         * SPN found :GC/SERVER_B.network.ourdomain.com/network.ourdomain.com
         ......................... SERVER_B passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: RPCLOCATOR
         * Checking Service: w32time
         * Checking Service: TrkWks
         * Checking Service: TrkSvr
         * Checking Service: NETLOGON
         * Checking Service: Dnscache
         * Checking Service: NtFrs
            SMTPSVC Service is stopped on [SERVER_B]
         ......................... SERVER_B failed test Services
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         ......................... SERVER_B passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         SERVER_B is in domain DC=network,DC=ourdomain,DC=com
         Checking for CN=SERVER_B,OU=Domain Controllers,DC=network,DC=ourdomain,DC=com in domain DC=network,DC=ourdomain,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com in domain CN=Configuration,DC=network,DC=ourdomain,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... SERVER_B passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service Event log test
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         An Warning Event occured.  EventID: 0x800034FE
            Time Generated: 03/31/2005   11:41:19
            Event String: File Replication Service is scanning the data in
the system volume. Computer SERVER_B cannot
become a domain controller until this process is
complete. The system volume will then be shared
as SYSVOL.

To check for the SYSVOL share, at the command
prompt, type:

net share

When File Replication Service completes the
scanning process, the SYSVOL share will appear.

The initialization of the system volume can take
some time. The time is dependent on the amount of
data in the system volume.
         ......................... SERVER_B passed test frssysvol
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... SERVER_B passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x8000003E
            Time Generated: 03/31/2005   11:10:19
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x8000003E
            Time Generated: 03/31/2005   11:12:06
            (Event String could not be retrieved)
         ......................... SERVER_B failed test systemlog
   
   Running enterprise tests on : network.ourdomain.com
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... network.ourdomain.com passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         PDC Name: \\SERVER_B.network.ourdomain.com
         Locator Flags: 0xe00001fd
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... network.ourdomain.com failed test FsmoCheck
******** OUTPUT FROM  DCDiag /c /e /v /f:DCDiag.log ENDS ********


Expert Comment by: Chris Dent (ID: 13670302)

It's looking increasingly like a fault in DNS. It would be worth seeing if the SYSVOL share appears - it shouldn't take all that long (net share from the command line).

I suspect re-running DCDiag after that will produce pretty much the same output.

Let me know how you get on with the DNS changes. I'll see if I can think of any other way to test it in the meantime.

Cheers,

Chris
Author Comment by: bcops (ID: 13670328)

OK Chris - thanks.
I'll wait for the SYSVOL to appear. It is an old slow machine SERVER_B so I'll see if that appears.

Then: I'll have a crack at the DNS alterations ......


Expert Comment by: Chris Dent (ID: 13670395)

No problem, just let me know if you run into anything unexpected.
Author Comment by: bcops (ID: 13671003)

OK, so no sign of SYSVOL. So I'm wondering whether there's something wrong with File Replication.
Any way of finding how far it's got?


Expert Comment by: Chris Dent (ID: 13671081)

You're probably okay ignoring that one - looks like it only fires up if you have more than one DC.
Expert Comment by: Chris Dent (ID: 13671381)

Here's an article with steps on troubleshooting the NTFRS service:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q257338

It would be well worth running through the steps in this. Steps 1 and 2 are Replication specific and should be ignored for the single domain controller.

Be careful when checking the Default Domain Controller Policy as described in Step 4. You'll get to this by opening Active Directory Users and Computers, right clicking on the Domain Controllers OU and selecting Properties then the Group Policy Tab.

Do not delete the Default Domain Controllers Policy. Do not make any changes to the policy except those described in the article.
Author Comment by: bcops (ID: 13671557)

Hi Chris,
Thanks for this. I've some questions on the DNS instructions first. My comments/questions are preceded by *** below:

I've re-written some of these instructions to be more precise. Any chance you could check them and correct where wrong, and answer my queries ......


-------------------- START OF DNS INSTRUCTIONS --------------------
1.      Change the DNS settings to Standard Primary Zone.
Start/Administrative Tools/DNS
Find network.ourdomain.com in the DNS snap-in
Right-click, choose properties - this domain is currently of Active Directory-integrated type
Click Change, choose Standard Primary


2. On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
ipconfig /flushdns
ipconfig /registerdns
Makes sure it has nothing in its local DNS cache, then attempts to re-register its own records in DNS.

3. On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
net stop netlogon
net start netlogon

This one re-registers all the Service Records in DNS - those _msdcs, _ldap etc entries.
*** But I haven't deleted anything yet - so what is it re-registering service records in?

4. Take a backup of the Zone File so there's always something to fall back on:
Go to %SystemRoot%\System32 and open the DNS folder, copy the file which will have a
name something like network.yourdomain.com.dns.

*** There's nothing there that looks like network.yourdomain.com.dns. So, I've exported the information
on the whole zone.

5.     In the DNS console, delete the DNS zones.
They aren't AD Integrated anymore, and it's time for them to leave so we can start with a nice clean copy.
*** So - in the DNS snap-in, what _exactly_ do I delete? network.yourdomain.com? The whole zone?
So - right-click on the whole zone and delete?


6.     Delete zones in Active Directory Users and Computers:
*** Start/Programs/Administrative Tools/Active Directory Users and Computers
*** Expand network.yourdomain.com
*** View/Advanced Options - ensure it is ticked.
*** Expand System
*** Expand MicrosoftDNS
*** Right-click network.yourdomain.com and delete?
***


7.     After the information has been cleared, recreate the DNS zones:
*** In the DNS snap-in? In Active Directory Users and Computers? Where?

Recreating them is pretty easy if you only have dynamically registered records.
You just add the zone (right click in the Forward Lookup Zone) and continue with the steps below.
This zone should be created as Active Directory Integrated - which it isn't clear on.

*** What steps? I right click Forward Lookup Zone - then - what? New Zone?
*** What "New Active Directory-Integrated?" Do I enter the same name as before? e.g. network.yourdomain.com?

8.     On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
ipconfig /flushdns
ipconfig /registerdns

Re-registers the A records for your server in DNS.


9.     On each domain controller, at a command prompt, type the following commands, pressing ENTER after each command:
net stop netlogon
net start netlogon
Re-registers the _msdcs, _ldap, _kerberos, _gc, _kpasswd entries.
------------ END OF DNS INSTRUCTIONS ------------------

Expert Comment by: Chris Dent (ID: 13671815)

Hi Ben,

Before the bits below... one thing did occur to me... Server_A, it wasn't Small Business Server was it?

If not, I hope this covers everything above:

3. ...

*** But I haven't deleted anything yet - so what is it re-registering service records in?

I'm not all that clear on the inclusion of this step either. But it's possible that NetLogon needs to let go of the AD Integrated zone.


4. ...

*** There's nothing there that looks like network.yourdomain.com.dns. So, I've exported the information
on the whole zone.

This won't appear until you've changed the type. I assume you already did that though? It may be worth doing a quick search for all .dns files on the PC and taking a copy of them. Just to have a copy more than anything else. Having a copy of this isn't critical.

5.     ....

*** So - in the DNS snap-in, what _exactly_ do I delete? network.yourdomain.com? The whole zone?
So - right-click on the whole zone and delete?

The Zones are the sections directly underneath Forward (or Reverse) Lookup Zones. Delete the whole zone - but make sure you don't have lots of manually added entries (like www etc etc). I don't want to break it for you.

6.     ...
*** Start/Programs/Administrative Tools/Active Directory Users and Computers
*** Expand network.yourdomain.com
*** View/Advanced Options - ensure it is ticked.
*** Expand System
*** Expand MicrosoftDNS
*** Right-click network.yourdomain.com and delete?

Yes. That removes the old zone that was stored in Active Directory.

7.  ...
*** In the DNS snap-in? In Active Directory Users and Computers? Where?

In the DNS Snap-In.

*** What steps? I right click Forward Lookup Zone - then - what? New Zone?
*** What "New Active Directory-Integrated?" Do I enter the same name as before? e.g. network.yourdomain.com?

Right click forward lookup zones.
Select New Zone
<Next>
Active Directory Integrated <Next>

The name should be the same as before, so if it was network.ourdomain.com then it should be that again. Basically this matches your Active Directory Domain Name.

<Next> and <Finish> will complete creating the zone.

After running "ipconfig /flushdns" and "ipconfig /registerdns" you should see an A (Address) record appear for your server in that zone in DNS Manager.

After restarting the Netlogon service you should see all the service records appear - those will look like subfolders.
Author Comment by: bcops (ID: 13672017)

Hi Chris,

RE: the DNS instructions - got it - seems clear now.
I'll give it a whirl first thing tomorrow AM so I've got a good run at it.

Many *many* thanks for all the help getting this far. Fingers crossed for tomorrow.
Thanks, Ben.

Expert Comment by: Chris Dent (ID: 13672045)

No problem Ben, I'll keep an eye on this thread anyway so I can hopefully respond to anything quite quickly.
Author Comment by: bcops (ID: 13681178)

Hi Chris,

So, I've run the DNS changes, and have now run the "DCDiag /c /e /v /f:DCDiag.log" command. Output below. Looks like the advertising is now working, but we still get the error:

      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.

So some progress ........

--------------- START OF DCDIAG output ----------------------------------

DC Diagnosis

Performing initial setup:
   * Verifing that the local machine SERVER_B, is a DC.
   * Connecting to directory service on server SERVER_B.
   * Collecting site info.
   * Identifying all servers.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial non skippeable tests
   
   Testing server: Default-First-Site-Name\SERVER_B
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... SERVER_B passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER_B
      Starting test: Replications
         * Replications Check
         ......................... SERVER_B passed test Replications
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... SERVER_B passed test Topology
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=network,DC=ourdomain,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... SERVER_B passed test CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=network,DC=ourdomain,DC=com
         * Security Permissions Check for
           CN=Configuration,DC=network,DC=ourdomain,DC=com
         * Security Permissions Check for
           DC=network,DC=ourdomain,DC=com
         ......................... SERVER_B passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... SERVER_B passed test NetLogons
      Starting test: Advertising
         The DC SERVER_B is advertising itself as a DC and having a DS.
         The DC SERVER_B is advertising as an LDAP server
         The DC SERVER_B is advertising as having a writeable directory
         The DC SERVER_B is advertising as a Key Distribution Center
         The DC SERVER_B is advertising as a time server
         The DS SERVER_B is advertising as a GC.
         ......................... SERVER_B passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com
         ......................... SERVER_B passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 2620 to 1073741823
         * SERVER_B.network.ourdomain.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1608 to 2107
         * rIDNextRID: 1610
         * rIDPreviousAllocationPool is 1608 to 2107
         ......................... SERVER_B passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/SERVER_B.network.ourdomain.com/network.ourdomain.com
         * SPN found :LDAP/SERVER_B.network.ourdomain.com
         * SPN found :LDAP/SERVER_B
         * SPN found :LDAP/SERVER_B.network.ourdomain.com/NETWORK
         * SPN found :LDAP/3bc107fa-88a7-40f9-b870-b7db6389bcec._msdcs.network.ourdomain.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/3bc107fa-88a7-40f9-b870-b7db6389bcec/network.ourdomain.com
         * SPN found :HOST/SERVER_B.network.ourdomain.com/network.ourdomain.com
         * SPN found :HOST/SERVER_B.network.ourdomain.com
         * SPN found :HOST/SERVER_B
         * SPN found :HOST/SERVER_B.network.ourdomain.com/NETWORK
         * SPN found :GC/SERVER_B.network.ourdomain.com/network.ourdomain.com
         ......................... SERVER_B passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: RPCLOCATOR
         * Checking Service: w32time
         * Checking Service: TrkWks
         * Checking Service: TrkSvr
         * Checking Service: NETLOGON
         * Checking Service: Dnscache
         * Checking Service: NtFrs
            SMTPSVC Service is stopped on [SERVER_B]
         ......................... SERVER_B failed test Services
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         ......................... SERVER_B passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         SERVER_B is in domain DC=network,DC=ourdomain,DC=com
         Checking for CN=SERVER_B,OU=Domain Controllers,DC=network,DC=ourdomain,DC=com in domain DC=network,DC=ourdomain,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=SERVER_B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com in domain CN=Configuration,DC=network,DC=ourdomain,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... SERVER_B passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service Event log test
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         An Warning Event occured.  EventID: 0x800034FE
            Time Generated: 04/01/2005   15:08:03
            Event String: File Replication Service is scanning the data in
            the system volume. Computer SERVER_B cannot become a domain
            controller until this process is complete. The system volume
            will then be shared as SYSVOL.

            To check for the SYSVOL share, at the command prompt, type:
            net share

            When File Replication Service completes the scanning process,
            the SYSVOL share will appear.

            The initialization of the system volume can take some time.
            The time is dependent on the amount of data in the system volume.
         ......................... SERVER_B passed test frssysvol
      Starting test: kccevent
         * The KCC Event log test
         An Error Event occured.  EventID: 0xC0000466
            Time Generated: 04/01/2005   15:23:04
            (Event String could not be retrieved)
         ......................... SERVER_B failed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x800009CF
            Time Generated: 04/01/2005   15:07:28
            Event String: The server service was unable to recreate the
            share emergency_folder because the directory
            C:\emergency_folder no longer exists.
         ......................... SERVER_B failed test systemlog
   
   Running enterprise tests on : network.ourdomain.com
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... network.ourdomain.com passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         PDC Name: \\SERVER_B.network.ourdomain.com
         Locator Flags: 0xe00001fd
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... network.ourdomain.com failed test FsmoCheck
--------------- END OF DCDIAG output ----------------------------------

0
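The DNS rebuild steps earlier in the thread (change the zone type, delete and recreate it, ipconfig /registerdns, restart Netlogon) exist to get back the SRV records that DsGetDcName resolves, and the FsmoCheck failure in the output just posted is that locator call failing with error 1355 (ERROR_NO_SUCH_DOMAIN, the same "domain either does not exist or could not be contacted" message the poster saw in the AD Users and Computers snap-in) while the server's own Locator Flags value says it is PDC, GC and KDC. The script below is an added example written for this page, not code from the thread or from Microsoft: it decodes the posted Locator Flags value, pulls the failed tests and locator warnings out of the DCDiag text, and lists the SRV owner names a DC advertising those roles should have registered but that are absent from a netlogon.dns-style file. The DCDiag excerpt is copied from the post above; the netlogon.dns content is constructed, deliberately without the GC and KDC _msdcs entries, so the missing-record output illustrates the check rather than describing the poster's server.

```python
"""Added example: read a DCDiag FsmoCheck failure against DNS SRV registration.

Not part of the original thread. The DCDiag excerpt is copied from the posted
output; the netlogon.dns content is constructed for illustration.
"""
import re

# DsGetDcName DCInfo flag bits (Win32 DsGetDcName documentation).
LOCATOR_FLAGS = {
    0x00000001: "PDC", 0x00000004: "GC", 0x00000008: "LDAP", 0x00000010: "DS",
    0x00000020: "KDC", 0x00000040: "TIMESERV", 0x00000080: "CLOSEST",
    0x00000100: "WRITABLE", 0x00000200: "GOOD_TIMESERV", 0x00000400: "NDNC",
    0x20000000: "DNS_CONTROLLER", 0x40000000: "DNS_DOMAIN", 0x80000000: "DNS_FOREST",
}
TEST_RESULT = re.compile(r"^\s*\.+\s+(\S+) (passed|failed) test (\S+)\s*$")
LOCATOR_WARN = re.compile(r"DcGetDcName\((\w+)\) call failed, error (\d+)")
FLAGS_LINE = re.compile(r"Locator Flags: (0x[0-9a-fA-F]+)")
# netlogon.dns line: owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+?)\.?$")


def decode_locator_flags(value):
    """Role names set in a DsGetDcName Flags value, lowest bit first."""
    return [name for bit, name in sorted(LOCATOR_FLAGS.items()) if value & bit]


def parse_dcdiag(text):
    """Failed tests, DcGetDcName warnings and the Locator Flags value from DCDiag text."""
    failed, warnings, flags = [], [], None
    for line in text.splitlines():
        m = TEST_RESULT.match(line)
        if m and m.group(2) == "failed":
            failed.append((m.group(1), m.group(3)))
        m = LOCATOR_WARN.search(line)
        if m:
            warnings.append((m.group(1), int(m.group(2))))
        m = FLAGS_LINE.search(line)
        if m:
            flags = int(m.group(1), 16)
    return {"failed": failed, "locator_warnings": warnings, "flags": flags}


def expected_srv_names(flags, domain, forest=None):
    """SRV owner names Netlogon registers for the roles set in flags."""
    forest = forest or domain                 # single-domain forest: root == domain
    names = set()
    if flags & 0x8:                           # LDAP
        names |= {f"_ldap._tcp.{domain}", f"_ldap._tcp.dc._msdcs.{domain}"}
    if flags & 0x20:                          # KDC
        names |= {f"_kerberos._tcp.{domain}", f"_kerberos._tcp.dc._msdcs.{domain}",
                  f"_kpasswd._tcp.{domain}"}
    if flags & 0x4:                           # GC: forest-wide owner names
        names |= {f"_gc._tcp.{forest}", f"_ldap._tcp.gc._msdcs.{forest}"}
    if flags & 0x1:                           # PDC
        names.add(f"_ldap._tcp.pdc._msdcs.{domain}")
    return names


def registered_srv_names(netlogon_dns):
    """owner name -> (port, target) for every SRV line in netlogon.dns text."""
    found = {}
    for line in netlogon_dns.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            found[m.group(1).lower()] = (int(m.group(2)), m.group(3).lower())
    return found


def missing_srv_records(flags, domain, netlogon_dns, forest=None):
    """Owner names the DC should have registered but that are absent from the file."""
    have = registered_srv_names(netlogon_dns)
    return sorted(n for n in expected_srv_names(flags, domain, forest)
                  if n.lower() not in have)


# Excerpt copied from the DCDiag output posted above.
DCDIAG_EXCERPT = """\
         ......................... SERVER_B passed test Advertising
            SMTPSVC Service is stopped on [SERVER_B]
         ......................... SERVER_B failed test Services
         ......................... SERVER_B failed test kccevent
         ......................... SERVER_B failed test systemlog
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Locator Flags: 0xe00001fd
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         ......................... network.ourdomain.com failed test FsmoCheck
"""
# Constructed netlogon.dns content (hypothetical): the GC and KDC _msdcs
# records are deliberately left out to show what the check reports.
NETLOGON_DNS_SAMPLE = """\
_ldap._tcp.network.ourdomain.com. 600 IN SRV 0 100 389 SERVER_B.network.ourdomain.com.
_ldap._tcp.dc._msdcs.network.ourdomain.com. 600 IN SRV 0 100 389 SERVER_B.network.ourdomain.com.
_ldap._tcp.pdc._msdcs.network.ourdomain.com. 600 IN SRV 0 100 389 SERVER_B.network.ourdomain.com.
_kerberos._tcp.network.ourdomain.com. 600 IN SRV 0 100 88 SERVER_B.network.ourdomain.com.
_kpasswd._tcp.network.ourdomain.com. 600 IN SRV 0 100 464 SERVER_B.network.ourdomain.com.
"""

if __name__ == "__main__":
    info = parse_dcdiag(DCDIAG_EXCERPT)
    print("failed tests:", info["failed"])
    print("locator warnings:", info["locator_warnings"])
    print("DC advertises:", ", ".join(decode_locator_flags(info["flags"])))
    print("SRV records expected but not registered:")
    for name in missing_srv_records(info["flags"], "network.ourdomain.com", NETLOGON_DNS_SAMPLE):
        print("  ", name)
```

Run it with the real %SystemRoot%\System32\config\netlogon.dns and the real DCDiag log in place of the samples. A role that is set in the flags but has no matching SRV record is the first thing to fix, because the locator keeps returning 1355 for that role no matter what the DC believes about itself; that is why the thread's DNS rebuild ends with a Netlogon restart rather than with the zone recreation.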
 
Expert Comment by: Chris Dent (ID: 13681784)

Could you try running DCDiag /fix again?

Just to confirm, Server_A wasn't Small Business Server was it?
Expert Comment by: Chris Dent (ID: 13681797)

Can you also post any errors from the Directory Service Logs?
Expert Comment by: Chris Dent (ID: 13681908)

A few more things.... can you download Sonar from:

http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/sonar-o.asp

And get it to monitor your domain. This should report any problems and the status of the FRS service. It takes a minute or two to get started. Set it to All Columns and Refresh to 1 minute.

We may have to run through the steps in:

http://support.microsoft.com/default.aspx?scid=kb;en-us;315457

Which as you will see is quite a complex procedure.
Author Comment by: bcops (ID: 13682039)

Hi Chris,


1. Output from DCDiag /fix
---- STARTS ----
DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests
   
   Testing server: Default-First-Site-Name\SERVER_B
      Starting test: Connectivity
         ......................... SERVER_B passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER_B
      Starting test: Replications
         ......................... SERVER_B passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER_B passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER_B passed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (SERVER_B) call failed, error 1355
         The Locator could not find the server.
         ......................... SERVER_B failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER_B passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SERVER_B passed test RidManager
      Starting test: MachineAccount
         ......................... SERVER_B passed test MachineAccount
      Starting test: Services
            SMTPSVC Service is stopped on [SERVER_B]
         ......................... SERVER_B failed test Services
      Starting test: ObjectsReplicated
         ......................... SERVER_B passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... SERVER_B passed test frssysvol
      Starting test: kccevent
         ......................... SERVER_B passed test kccevent
      Starting test: systemlog
         ......................... SERVER_B passed test systemlog
   
   Running enterprise tests on : network.ourdomain.com
      Starting test: Intersite
         ......................... network.ourdomain.com passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... network.ourdomain.com failed test FsmoCheck
--- ENDS -----


2. SERVER_A was not SBS - it was W2K Advanced Server


3. Errors from Directory Service logs ....
Type      Date      Time      Source      Category      Event      User      Computer
Error      01/04/2005      16:23:19      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      15:23:04      NTDS General      (18)      1126      Everyone      SERVER_B
Information      01/04/2005      15:23:02      NTDS ISAM      Online Defragmentation       701      N/A      SERVER_B
Information      01/04/2005      15:22:49      NTDS ISAM      Online Defragmentation       700      N/A      SERVER_B
Information      01/04/2005      15:07:28      NTDS General      (12)      1394      Everyone      SERVER_B
Information      01/04/2005      15:07:27      NTDS General      (12)      1000      Everyone      SERVER_B
Information      01/04/2005      15:07:18      NTDS ISAM      General       100      N/A      SERVER_B
Information      01/04/2005      14:59:38      NTDS General      (12)      1004      N/A      SERVER_B
Information      01/04/2005      14:59:37      NTDS ISAM      General       101      N/A      SERVER_B
Error      01/04/2005      14:38:50      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      13:38:35      NTDS General      (18)      1126      Everyone      SERVER_B
Information      01/04/2005      13:26:23      NTDS ISAM      Online Defragmentation       701      N/A      SERVER_B
Information      01/04/2005      13:26:20      NTDS ISAM      Online Defragmentation       700      N/A      SERVER_B
Error      01/04/2005      12:38:20      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      11:38:05      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      10:37:50      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      09:37:35      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      08:37:20      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      07:37:04      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      06:36:49      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      05:36:34      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      04:36:19      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      03:36:04      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      02:35:49      NTDS General      (18)      1126      Everyone      SERVER_B
Error      01/04/2005      01:35:34      NTDS General      (18)      1126      Everyone      SERVER_B
Information      01/04/2005      01:26:23      NTDS ISAM      Online Defragmentation       701      N/A      SERVER_B
Information      01/04/2005      01:26:19      NTDS ISAM      Online Defragmentation       700      N/A      SERVER_B
Error      01/04/2005      00:35:19      NTDS General      (18)      1126      Everyone      SERVER_B
Error      31/03/2005      23:35:04      NTDS General      (18)      1126      Everyone      SERVER_B


The 1126 error reads ......:
Unable to establish connection with global catalog.


4. RE: Sonar: I've installed it. Where do I find the All Columns and Refresh to 1 minute options? Which application?

5. RE: that support URL ..... : I'll take a look next week ....... if you think this is still worthwhile following all the above info.


Thanks - yet - again
Ben.

Expert Comment by: Chris Dent (ID: 13682385)

Start, Run and Sonar should bring that one up if it's registered as a system path.

If not, it normally hides out under %ProgramFiles%\Windows Resource Kits\Tools.
Author Comment by: bcops (ID: 13697302)

Hi Chris,

1. RE: Sonar - it's installed, running as you requested. Have to say I don't notice anything out of the ordinary. It does say under the SYSVOL column: "Not shared"

2. RE: http://support.microsoft.com/default.aspx?scid=kb;en-us;315457. Yes, complicated, and hard to follow.
First few things I've noticed:

a)
\SYSVOL\domain\Policies
\SYSVOL\domain\scripts

These don't exist. What does exist is:
C:\ActiveDirectoryFolder\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

Also - noticed another: "DO_NOT_REMOVE etc " folder in:
C:\ActiveDirectoryFolder\SYSVOL\sysvol\network.ourdomain.com\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

So that's the first glaring difference.

b) Step 6: In the right pane of Active Directory Users and Computers, all the Group Policy objects (GPOs) in Active Directory are listed. There should be a one-to-one mapping between valid GPOs in Active Directory with Group Policy folders in the SYSVOL tree.

This is clearly a bit tricky for us given that there are *no* group policy folders in the SYSVOL tree.


What did occur to me is that perhaps the installation of FRS is a bit screwed - and is there perhaps a way of just re-installing it?
Thanks, Ben.

Author Comment by: bcops (ID: 13697434)

Chris,
I've just noticed the following:

I stopped and restarted FRS.
I took a look at C:\WINNT\Debug\NtFrs_0005.log and found the following (probably best to view this in some editor, the formatting here is terrible).

This *still* contains a reference to SERVER_A.
i.e.

<NtFrsApi_Rpc_BindEx:           1432:  1245: S0: 14:32:29> ++ ERROR - Resolving binding for SERVER_A.network.OURDOMAIN.com;  WStatus: RPC_S_SERVER_UNAVAILABLE

See below:


<DbsDBInitialize:               2104:  3690: S1: 14:32:26> FrsOpenTable (ConfigTable) success
<DbsInitJrnlFilters:            2104:  1731: S0: 14:32:27> ++ DOMAIN SYSTEM VOLUME (SYSVOL SHARE) - New dir filter: NtFrs_PreExisting___See_EventLog,DO_NOT_REMOVE_NtFrs_PreInstall_Directory,
<DbsOpenReplicaSet:             2104:  2032: S0: 14:32:27> ***** JOINED    DOMAIN SYSTEM VOLUME (SYSVOL SHARE)\SERVER_B\<Jrnl Cxtion> <- <Jrnl Cxtion> JrnlCxt
<DbsOpenReplicaSet:             2104:  2049: S1: 14:32:27> :X: The Jrnl Cxtion DOMAIN SYSTEM VOLUME (SYSVOL SHARE)\SERVER_B\<Jrnl Cxtion> <- <Jrnl Cxtion> JrnlCxt
<DBService:                     2104:  3925: S0: 14:32:27> DataBase has started.
<OutLogProcess:                 2172:  2468: S0: 14:32:27> Outbound log processor has started.
<JrnlCommand:                   2164:  5397: S0: 14:32:27> Journal has started.
<ChgOrdAccept:                   688:  1020: S0: 14:32:27> ChangeOrder Thread is starting.
<ChgOrdAccept:                   688:  1116: S0: 14:32:28> ChangeOrder Thread has started.
<RcsMain:                       2148: 10423: S0: 14:32:28> :S: Replica subsystem has started.
<JrnlPrepareService1:           2164:  6116: S1: 14:32:29> :S: WARNING: Setting FrsVsn - Current system Time has moved backwards from value in config record.
<JrnlPrepareService1:           2164:  6120: S1: 14:32:29> :S: WARNING: CurrentTime is          (01c5391a bfc2f2e0)  Mon Apr  4, 2005 14:32:29
<JrnlPrepareService1:           2164:  6124: S1: 14:32:29> :S: WARNING: ConfigRecord->FrsVsn is (01c5391d 05bee740)  Mon Apr  4, 2005 14:48:46
<ChgOrdRetrySubmit:             1432: 14633: S1: 14:32:29> ++ ChgOrdRetryCS: submit for Replica DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
<NtFrsApi_Rpc_BindEx:           1432:  1245: S0: 14:32:29> ++ ERROR - Resolving binding for SERVER_A.network.OURDOMAIN.com;  WStatus: RPC_S_SERVER_UNAVAILABLE
<RcsCreateSeedingCxtion:        1432:  7087: S0: 14:32:30> ERROR - binding  WStatus: RPC_S_SERVER_UNAVAILABLE


Rgds, Ben.



0
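The log lines in the post above show two things worth pulling out mechanically: an RPC bind attempt to SERVER_A, which no longer exists, and an FrsVsn in the config record that is ahead of the current clock. The script below is an added example for this page, not part of the thread or of FRS itself: it parses NtFrs debug log lines, flags bind failures against hosts in a supplied list of decommissioned DCs, and reports the gap between the two hex values, treating them as the high and low words of a FILETIME (100 ns ticks). That interpretation is an assumption, but it yields 976.4 seconds, which matches the 14:32:29 versus 14:48:46 timestamps printed on the same lines. The sample log is copied from the post.

```python
"""Added example: spot a dead replication partner and clock skew in an NtFrs debug log.

Not part of the original thread. The sample lines are copied from the posted
NtFrs_0005.log excerpt; reading the two hex words as a FILETIME is an
assumption that the printed timestamps support.
"""
import re

# <Function:  threadid:  sourceline: Sn: HH:MM:SS> message
FRS_LINE = re.compile(r"^<(\w+):\s+\d+:\s+\d+:\s+S\d:\s+(\d\d:\d\d:\d\d)>\s*(.*)$")
BIND_ERR = re.compile(r"Resolving binding for (\S+?);\s*WStatus:\s*(\w+)")
FILETIME = re.compile(r"\(([0-9a-fA-F]{8}) ([0-9a-fA-F]{8})\)")


def filetime_ticks(high_hex, low_hex):
    """Join the two hex words the log prints into a 64-bit tick count (assumption)."""
    return (int(high_hex, 16) << 32) | int(low_hex, 16)


def analyze_frs_log(text, dead_dcs=()):
    """Partners FRS failed to bind to, and config-record time minus current time."""
    dead = {d.lower() for d in dead_dcs}
    stale, current, config = [], None, None
    for raw in text.splitlines():
        m = FRS_LINE.match(raw.strip())
        if not m:
            continue
        func, when, msg = m.groups()
        b = BIND_ERR.search(msg)
        if b:
            host = b.group(1)
            known = host.lower() in dead or host.lower().split(".")[0] in dead
            stale.append({"time": when, "func": func, "host": host,
                          "status": b.group(2), "known_dead": known})
        ft = FILETIME.search(msg)
        if ft and "CurrentTime is" in msg:
            current = filetime_ticks(*ft.groups())
        elif ft and "FrsVsn is" in msg:
            config = filetime_ticks(*ft.groups())
    # 100 ns ticks -> seconds; positive means the config record is in the future
    skew = None if current is None or config is None else (config - current) / 1e7
    return {"stale_partners": stale, "clock_skew_seconds": skew}


# Lines copied from the NtFrs_0005.log excerpt posted above.
SAMPLE_FRS_LOG = """\
<RcsMain:                       2148: 10423: S0: 14:32:28> :S: Replica subsystem has started.
<JrnlPrepareService1:           2164:  6116: S1: 14:32:29> :S: WARNING: Setting FrsVsn - Current system Time has moved backwards from value in config record.
<JrnlPrepareService1:           2164:  6120: S1: 14:32:29> :S: WARNING: CurrentTime is          (01c5391a bfc2f2e0)  Mon Apr  4, 2005 14:32:29
<JrnlPrepareService1:           2164:  6124: S1: 14:32:29> :S: WARNING: ConfigRecord->FrsVsn is (01c5391d 05bee740)  Mon Apr  4, 2005 14:48:46
<ChgOrdRetrySubmit:             1432: 14633: S1: 14:32:29> ++ ChgOrdRetryCS: submit for Replica DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
<NtFrsApi_Rpc_BindEx:           1432:  1245: S0: 14:32:29> ++ ERROR - Resolving binding for SERVER_A.network.OURDOMAIN.com;  WStatus: RPC_S_SERVER_UNAVAILABLE
<RcsCreateSeedingCxtion:        1432:  7087: S0: 14:32:30> ERROR - binding  WStatus: RPC_S_SERVER_UNAVAILABLE
"""

if __name__ == "__main__":
    result = analyze_frs_log(SAMPLE_FRS_LOG, dead_dcs=["SERVER_A"])
    for p in result["stale_partners"]:
        tag = "DEAD DC" if p["known_dead"] else "unreachable"
        print(f"{p['time']} {p['func']}: cannot bind to {p['host']} ({p['status']}) -> {tag}")
    if result["clock_skew_seconds"] is not None:
        print(f"config record is {result['clock_skew_seconds']:.1f} s ahead of the clock")
```

Point it at %SystemRoot%\Debug\NtFrs_*.log on the surviving DC. A bind failure against a DC that is known dead is the signature of a stale FRS partner, which is what the metadata cleanup later in the thread removes; a positive skew means the FRS config record was written when the clock read a later time than it does now, so check the server's time source before expecting SYSVOL to recover.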
 
Expert Comment by: Chris Dent (ID: 13697958)

Hi Ben,

That looks very much like it's still attempting to replicate the contents of sysvol from Server_A. If that is the case making it believe it has the master copy (instructions in that last MS article) might allow the NTFRS service to start correctly.

The Time error in that log is slightly odd. I take it the server does have the correct time?

A few things to check then. Before these please make sure you have a backup of the server (specifically the System State) - This next lot involves a lot of messing around with AD.

We're going to check for, and remove, any references to Server_A on the domain. Hopefully this might kick Server_B in the right direction.

1. NTDSUtil Steps:

Start
Run
ntdsutil

Then:

Metadata Cleanup
Connections
Connect to Server Server_B
Quit
Select Operation Target
List Domains

This command displays a list of domains and the domain number.

Select Domain <The number from the list>
List Sites

Again this produces a numbered list of sites in the domain. Select the number of your site (probably only one of them anyway)

Select Site <The number from the list>
List Servers in Site

Another numbered list. This will probably display two servers, one for Server_A and one for Server_B. We need to select Server_A here, it's the one we want to remove

Select Server <Number of Server_A>
Quit
Remove Selected Server

If you see the error:

Error 8419 (0x20E3)
The DSA object could not be found

Then the NTDS settings for the server have already been removed from the site.

Type "Quit" until you exit the program.
Open Active Directory Sites and Services:

We've already cleaned up DNS so we don't need to perform that step again. But a few checks need to be made...

2. DNS Manager Steps

Under the Forward Lookup Zone for your Domain Name confirm that there are no entries for Server_A.

Expand the _msdcs folder. Under there you may see a CNAME record pointing to Server_A. If so, delete it (CNAME Record only).

3. ADSIEdit Steps

Before these you may need to install the Support Tools from your Windows 2000 Server CD. They hide under the Support\Tools folder as suptools.msi.

Start
Run
ADSIEdit.msc

Expand Domain NC
Expand DC=<your domain>, DC=<Domain Suffix>
Expand OU=Domain Controllers
Right Click on CN=SERVER_A and select Delete

Go back to DC=<your domain>, DC=<Domain Suffix>
Expand CN=System
Expand CN=File Replication Service
Expand CN=Domain System Volume (SYSVOL share)
Right Click on Server_A and select Delete

4. Open Active Directory Sites and Services

Expand Sites
Expand your Site
Expand Server
If Server_A is present there right click on it and select Delete.

All done...

As always, don't hesitate to ask if you have questions on this lot... there's rather a lot there.

Author Comment

by:bcops
ID: 13698215
Hi Chris,

Thanks.
Followed all the above steps - no mention of Server_A could be found in any of the above.

One thing I did notice - in ntdsutil: after each of Select Domain <The number from the list>, and Select Site <The number from the list> I got:

No current server
No current Naming Context


Ben.


LVL 71

Expert Comment

by:Chris Dent
ID: 13698384

Did you List Servers in Site at that point? It won't fill in the server and context until you select a server, so if Server_A was never there then it doesn't matter too much.

A couple more things then...

First can you open AD Users and Computers, Right Click on the Domain Controllers OU and select Group Policies. Then open the Default Domain Controller Policy - just to make sure it doesn't flag any errors trying to do that.

Then, can you run through the steps in the NTFRS article above (http://support.microsoft.com/default.aspx?scid=kb;en-us;315457)?

Would like to try and make Server_B believe it has the master copy of the Domain volume information.

Author Comment

by:bcops
ID: 13698456
Hi Chris,

RE: listservers - yes I did that.

RE: opening AD Users and Computers, right-click on Domain Controllers OU and select Group Policies - I get a small dialog box saying:

"The domain controller for group policy operations is not available. You may cancel this operation for this session,  or retry using one of the following domain controller choices:

- The one with the Operations Master token for the PDC emulator.
- The one used by Active Directory snap-ins.
- Use any available Domain Controller.

Ben.

LVL 71

Expert Comment

by:Chris Dent
ID: 13698673

I thought it might do that.

I take it Server_B wasn't up long before Server_A crashed? It doesn't look much like it completed replication - although you probably figured that out.

I think you'll have to try running through making Server_B believe it has a complete and accurate copy of everything in SYSVOL.

It's possible to restore the default domain policies if those don't function afterwards; generally you'll see this in the form of lots of access denied type errors, or just a complete inability to access anything at all on the server. The tool to do that is available through:

http://support.microsoft.com/?kbid=830062

Author Comment

by:bcops
ID: 13698757
Hi Chris,

What would happen if rather than running the tool you kindly pointed me to, I chose
"The one used by Active Directory snap-ins." in the dialog box that appeared when I tried to access "select Group Policies" ?

Rgds, Ben.

LVL 71

Expert Comment

by:Chris Dent
ID: 13698806

There's not much point in trying to select the policies until you can actually access them correctly.

The error message you're receiving implies they didn't finish replicating. And the tool provided should only be used if you run into specific errors after everything else is operating correctly.

Basically... NTFRS must be fixed before you do anything with the policies themselves.

Author Comment

by:bcops
ID: 13698949
Hi Chris,

OK. Thanks.
I'm OOF now until Wednesday, so will try this then.

Thanks, Ben.

Author Comment

by:bcops
ID: 13714970
Hi Chris,
So, I've now run that tool - recreatedefpol.exe - what would you like me to look at next?
I've logged out and back in, not rebooted.

If I look at: AD Users and Computers, right-click on Domain Controllers OU and select Group Policies - I still get a small dialog box saying:

"The domain controller for group policy operations is not available. You may cancel this operation for this session,  or retry using one of the following domain controller choices:

- The one with the Operations Master token for the PDC emulator.
- The one used by Active Directory snap-ins.
- Use any available Domain Controller.

Thanks, Ben.

LVL 71

Expert Comment

by:Chris Dent
ID: 13715000

The NTFRS article if possible. A bit of a long one:

http://support.microsoft.com/default.aspx?scid=kb;en-us;315457

Make sure you remember to take a copy of the contents of SYSVOL - it's in the list of steps, but just to be safe...

Author Comment

by:bcops
ID: 13715455
Hi Chris,

Woo! Major progress!
Part way through the NTFRS article I noticed that sysvol was sharing, and indeed "net share" showed that SYSVOL is now sharing properly .....

DCDIAG now shows no problems.
And .... on SERVER_C (another W2K server), dcpromo is now picking up NETWORK.OURDOMAIN.COM.

Thank you Chris .......

OK, so, now please bear with me here .... SERVER_B is an old, crappy, donkey machine. SERVER_C and SERVER_A are more modern.

So - what I would like to do is:
- Make SERVER_C & SERVER_A both DC's for NETWORK.OURDOMAIN.COM.
- Then get rid of SERVER_B having *anything* to do with AD.

Any chance you could tell me what the best steps are for this? SERVER_C and SERVER_A have no AD installed, no DNS, nothing ...... is it:

1. dcpromo on both machines
2. ntdsutil and transfer to one of SERVER_C or SERVER_A?

Thanks again,
Ben.

LVL 71

Expert Comment

by:Chris Dent
ID: 13715695

Glad that's up and running properly now.

Okay... for Server_A and Server_C this is what I recommend you do (I think you know it anyway):

Promote to Domain Controllers

For this each should have Server_B as the Preferred DNS

 - Install the DNS Service on Server_A
 - Install the DNS Service on Server_C
 - Run DCPromo on Server_A
 - Allow replication to complete, check SYSVOL and NETLOGON share correctly
 - Run DCPromo on Server_C
 - Allow replication to complete, check SYSVOL and NETLOGON share correctly

Configure DNS

 - Open DNS Manager on Server_A
 - Add a new Forward Lookup Zone as Active Directory Integrated with your normal Domain Name
 - Add a new Reverse Lookup Zone as Active Directory Integrated with your IP Range
 - Check that Server_A and Server_B have roughly the same records in each zone
 - Change the Preferred DNS Server to Server_A and the Alternate to Server_C
 - Then:
 -- ipconfig /flushdns
 -- ipconfig /registerdns
 -- Restart NetLogon
 - Check DNS log for errors (Event Viewer)
 

 - Open DNS Manager on Server_C
 - Add a new Forward Lookup Zone as Active Directory Integrated with your normal Domain Name
 - Add a new Reverse Lookup Zone as Active Directory Integrated with your IP Range
 - Check that Server_C and Server_B have roughly the same records in each zone
 - Change the Preferred DNS Server to Server_C and the Alternate to Server_A
 - Then:
 -- ipconfig /flushdns
 -- ipconfig /registerdns
 -- Restart NetLogon
 - Check DNS log for errors (Event Viewer)

Configure Global Catalog

 - Open Active Directory Sites and Services
 - Find Server_A and open the Properties for the NTDS Settings
 - Tick the Global Catalog box
 - Find Server_C and open the Properties for the NTDS Settings
 - Tick the Global Catalog box

Reconfigure DHCP or Clients

 - Change Preferred DNS to Server_A and Alternate to Server_C

Move FSMO Roles

We'll split the FSMO roles up a bit.

 - Start, Run, ntdsutil
 - Roles
 - Connections
 - Connect to Server Server_A
 - Quit
 - Transfer PDC
 - Transfer Domain Naming Master
 - Transfer Infrastructure Master
 - Connections
 - Connect to Server Server_C
 - Quit
 - Transfer RID Master
 - Transfer Schema Master
 - Select Operation Target
 - List Roles for Connected Server

Verify that none of the roles are on Server_B

Set Time Sync on Server_A

Because Server_A is the PDC Emulator it is in charge of keeping time synchronised for the domain. This step is optional, but it's a good idea to give it an external time source to check with.

You can find a list of Stratum 2 servers here:

http://ntp.isc.org/bin/view/Servers/StratumTwoTimeServers

Pick one of the OpenAccess ones.

 - Select a Server to synchronise with
 - Open the Command Prompt
 - Type:
 -- net time /setsntp:<Public Time Server Address>

All other clients and servers on the domain will synchronise with Server_A

Uninstall AD from Server_B

 - Run DCPromo
 - Follow the prompts to AD from Server_B to demote it to a Member Server
 - Check everything still works
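As an added check, written for this thread and not taken from Chris's posts, the PowerShell below verifies from a domain-joined admin host that a dead or demoted DC has left nothing behind in the places the cleanup steps walk (the Sites and Services server object and its NTDS Settings, the FRS member under CN=File Replication Service, the computer account in OU=Domain Controllers) and that none of the five FSMO roles from the transfer steps still point at it. It needs only ADSI; the DNS part assumes the DnsServer module against a Windows Server 2008 R2 or later DNS server, and the names SERVER_B, SERVER_A and network.ourdomain.com in the usage line are the thread's placeholders.

```powershell
# Added example (not from the thread): confirm that a dead or demoted DC has left no
# stale references behind. Uses ADSI from a domain-joined admin host; the DNS part
# additionally assumes the DnsServer module (Windows Server 2008 R2+ DNS) -- assumption.

function Search-Ad {
    # Subtree LDAP search under $Base, returning SearchResult objects with $Props loaded
    param([string]$Base, [string]$Filter, [string[]]$Props)
    $root = [ADSI]"LDAP://$Base"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Props)
    $searcher.SearchScope = 'Subtree'
    $searcher.FindAll()
}

function Test-DcRemoval {
    param(
        [Parameter(Mandatory)][string]$Name,   # NetBIOS name of the removed DC, e.g. SERVER_B
        [string]$DnsZone,                      # AD DNS zone, e.g. network.ourdomain.com
        [string]$DnsServer                     # DNS server to query (defaults to local)
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$rootDse.Get('defaultNamingContext')
    $configNc = [string]$rootDse.Get('configurationNamingContext')
    $schemaNc = [string]$rootDse.Get('schemaNamingContext')

    # 1. Sites and Services: server object and its NTDS Settings child (the ntdsutil target)
    foreach ($r in Search-Ad "CN=Sites,$configNc" "(&(objectClass=server)(cn=$Name))" @('distinguishedName')) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        $findings.Add("Server object still present: $dn")
        if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=NTDS Settings,$dn")) {
            $findings.Add("NTDS Settings still present under $dn (metadata cleanup incomplete)")
        }
    }

    # 2. FRS member object under CN=File Replication Service (the ADSIEdit step)
    $frsBase = "CN=File Replication Service,CN=System,$domainNc"
    foreach ($r in Search-Ad $frsBase "(&(objectClass=nTFRSMember)(cn=$Name))" @('distinguishedName')) {
        $findings.Add("FRS SYSVOL member still present: $([string]$r.Properties['distinguishedname'][0])")
    }

    # 3. Computer account: must be out of OU=Domain Controllers and must not carry the
    #    SERVER_TRUST_ACCOUNT bit (0x2000), which is what marks the account as a DC
    $compFilter = "(&(objectClass=computer)(sAMAccountName=$Name`$))"
    foreach ($r in Search-Ad $domainNc $compFilter @('distinguishedName', 'userAccountControl')) {
        $dn  = [string]$r.Properties['distinguishedname'][0]
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        if ($dn -like '*,OU=Domain Controllers,*') { $findings.Add("Account still in Domain Controllers OU: $dn") }
        if ($uac -band 0x2000) { $findings.Add("Account still flagged as a DC (userAccountControl 0x2000): $dn") }
    }

    # 4. FSMO roles: fSMORoleOwner on each role-holder object is the owner's NTDS Settings DN
    $roleObjects = @{
        'PDC Emulator'          = $domainNc
        'RID Master'            = "CN=RID Manager`$,CN=System,$domainNc"
        'Infrastructure Master' = "CN=Infrastructure,$domainNc"
        'Domain Naming Master'  = "CN=Partitions,$configNc"
        'Schema Master'         = $schemaNc
    }
    foreach ($role in $roleObjects.Keys) {
        $owner = [string]([ADSI]"LDAP://$($roleObjects[$role])").Get('fSMORoleOwner')
        if ($owner -like "*,CN=$Name,CN=Servers,*") { $findings.Add("$role still held by $Name") }
        elseif ($owner -like '*DEL:*')             { $findings.Add("$role owner is a deleted object: $owner") }
    }

    # 5. DNS: a CNAME in _msdcs (the <GUID>._msdcs alias) still pointing at the old DC is
    #    what produces the "server GUID DNS name could not be resolved" dcdiag failure
    if ($DnsZone -and (Get-Command Get-DnsServerResourceRecord -ErrorAction SilentlyContinue)) {
        $dns = @{ ZoneName = $DnsZone }
        if ($DnsServer) { $dns['ComputerName'] = $DnsServer }
        Get-DnsServerResourceRecord @dns -RRType CName |
            Where-Object { $_.RecordData.HostNameAlias -like "$Name.*" } |
            ForEach-Object { $findings.Add("CNAME $($_.HostName) still aliases $Name") }
    }

    if ($findings.Count -eq 0) { "No stale references to $Name found." } else { $findings }
}

# Usage (thread placeholders): run on SERVER_A or SERVER_C once the cleanup is done
Test-DcRemoval -Name 'SERVER_B' -DnsZone 'network.ourdomain.com' -DnsServer 'SERVER_A'
```

The A record for the host is deliberately not reported: as discussed later in the thread, a demoted member server keeps it so clients can still reach the machine.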
LVL 71

Expert Comment

by:Chris Dent
ID: 13715711

Typo at the end...

 - Follow the prompts to AD from Server_B to demote it to a Member Server

Should read:

 - Follow the prompts to remove AD from Server_B and demote it to a Member Server

Author Comment

by:bcops
ID: 13717231
Hi Chris,
Many thanks for this. Going well so far. One or two things slightly different from what you suggested:

•      Add a new Forward Lookup Zone as Active Directory Integrated with your normal Domain Name
This already seemed to be set up.

•      Add a new Reverse Lookup Zone as Active Directory Integrated with your IP Range
Not quite sure what to enter here.

Done SERVER_C apart from the above. Now thinking about SERVER_A. Once done both, then look at moving roles ....
Thanks, Ben.

LVL 71

Expert Comment

by:Chris Dent
ID: 13717829

As long as the Forward Lookup Zone is present and looks correct that's all that matters :)

For the Reverse Lookup Zone go through the new zone wizard and it'll ask you for the Network ID.
If you use 192.168.0.0 internally then the ID is 192.168.0.

Author Comment

by:bcops
ID: 13725854
Hi Chris,

Am now up to demoting SERVER_B. During this process I get an error message:

"The operation failed because: The attempt to configure the machine account SERVER_B$ on server SERVER_C.network.ourdomain.com failed.  "Access is denied. "

Eh? Any suggestions? I'm logged in as administrator ......
Thanks, Ben.


Author Comment

by:bcops
ID: 13726182
Chris,
Output of dcpromoui.log below:

--------- START OF LOG -------------
04/07 12:51:23 [INFO] Request for demotion of domain controller
04/07 12:51:23 [INFO] DnsDomainName  (NULL)
04/07 12:51:23 [INFO]       ServerRole  1
04/07 12:51:23 [INFO]       Account network.ourdomain.com\administrator       Options  128
04/07 12:51:23 [INFO]       LastDcInDomain  FALSE
04/07 12:51:23 [INFO]       Forced Demote  
04/07 12:51:23 [INFO] Start the worker task
04/07 12:51:23 [INFO] Request for demotion returning 0
04/07 12:51:23 [INFO] Reading domain policy from the local machine

04/07 12:51:23 [INFO] Searching for a domain controller for the domain network.ourdomain.com

04/07 12:51:23 [INFO] Searching for a domain controller for the domain network.ourdomain.com that contains the account server_b$

04/07 12:51:23 [INFO] Located domain controller server_a.network.ourdomain.com for domain network.ourdomain.com

04/07 12:51:23 [INFO] Support Dc in network.ourdomain.com is server_a.network.ourdomain.com
04/07 12:51:23 [INFO] Located domain controller server_a.network.ourdomain.com for domain network.ourdomain.com

04/07 12:51:23 [INFO] Preparing the directory service for demotion

04/07 12:51:24 [INFO] Transferring  enterprise wide FSMO roles held locally to other Domain
Controllers in the enterprise.
04/07 12:51:24 [INFO] Searching for server to replicate off changes
04/07 12:51:24 [INFO] Replicating off local changes to server server_a.network.ourdomain.com.
04/07 12:51:37 [INFO] Stopping service NETLOGON

04/07 12:52:37 [INFO] Configuring service NETLOGON to 1 returned 0
04/07 12:52:37 [INFO] Stopping service RPCLOCATOR

04/07 12:54:08 [INFO] Configuring service RPCLOCATOR to 33 returned 0
04/07 12:54:08 [INFO] Stopping service IsmServ

04/07 12:54:23 [INFO] Configuring service IsmServ to 65 returned 0
04/07 12:54:23 [INFO] Stopping service kdc

04/07 12:54:33 [INFO] Configuring service kdc to 65 returned 0
04/07 12:54:33 [INFO] Stopping service TrkSvr

04/07 12:55:04 [INFO] Configuring service TrkSvr to 33 returned 0
04/07 12:55:04 [INFO] Stopping service NETLOGON

04/07 12:55:04 [INFO] Configuring service NETLOGON to 273 returned 0
04/07 12:55:04 [INFO] Uninstalling the Directory Service

04/07 12:55:04 [INFO] Invoking NtdsDemote
04/07 12:55:04 [INFO] Starting to prepare the SAM and the Directory Service for demotion
04/07 12:55:04 [INFO] Validating the demotion of this server in the context of the enterprise
04/07 12:55:04 [INFO] Authenticating supplied credentials
04/07 12:55:04 [INFO] Creating new local account information for the SAM and the LSA
04/07 12:55:04 [INFO] Creating a new local account database for SAM
04/07 12:55:05 [INFO] Setting the new local account information in the LSA
04/07 12:55:06 [INFO] Removing Directory Service objects referring to the local server from the remote server server_a.network.ourdomain.com
04/07 12:55:06 [INFO] Error - The attempt to configure the machine account server_b$ on server server_a.network.ourdomain.com failed. (5)
04/07 12:55:07 [INFO] NtdsDemote returned 5
04/07 12:55:07 [INFO] DsRolepDemoteDs returned 5
04/07 12:55:07 [ERROR] Failed to demote the directory service (5)
--------- END OF LOG ---------------

LVL 71

Expert Comment

by:Chris Dent
ID: 13726425

Figures...

Here is the method to clean it up manually:

http://support.microsoft.com/?kbid=216498

Make sure you're getting no Directory Service errors or any problems with the other servers.

Chris

Author Comment

by:bcops
ID: 13727471
Hi Chris,
Thanks. Close but no cigar yet .....

I've run adsiedit and followed the instructions there. SERVER_B doesn't appear in this any more.

However - SERVER_B keeps reappearing in Active Directory Sites and Services. So, I follow the instructions re: ntdsutil, delete the server, then delete it from AD Sites and Services. But it keeps re-appearing.

Also - once I've finally done this, how can I get rid of all the "AD" menu options from SERVER_B?
Sorry to keep this going ......

Thanks Ben

Author Comment

by:bcops
ID: 13727615
And ... when it does re-appear in AD Sites and Services and I try to delete it - I get "The DSA object cannot be deleted".

LVL 71

Expert Comment

by:Chris Dent
ID: 13727631

Removing the menu options should just be a case of uninstalling the support tools.

If Server_B doesn't believe it's a domain controller you could try removing it from the domain, cleaning up AD, then readding it.

Author Comment

by:bcops
ID: 13727762
Hi Chris,

Nice idea - unfortunately - it still thinks it's a domain controller. MyComputer/Properties/System Properties/Network Identification - can't remove it from the domain as it is a dc.

:(

Ben.
LVL 71

Expert Comment

by:Chris Dent
ID: 13727877

I take it "DCDiag /c /e /v" is still reporting no errors? If it is, running DCDiag /fix would be a good plan.

Do you get any errors in the Directory Service logs on the DCs? And if you create a new user on one DC do the others all see it correctly?

Author Comment

by:bcops
ID: 13728089
Hi Chris,
If I run "DCDIAG /c /e /v" on SERVER_C or SERVER_A I get:

------------------------------------------------------------------------------------------------------------------------
   Testing server: Default-First-Site-Name\SERVER_B
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         3bc107fa-88a7-40f9-b870-b7db6389bcec._msdcs.network.ourdomain.com's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name

         (3bc107fa-88a7-40f9-b870-b7db6389bcec._msdcs.network.ourdomain.com)

         couldn't be resolved, the server name (SERVER_B.network.ourdomain.com)

         resolved to the IP address (192.168.0.9) and was pingable.  Check that

         the IP address is registered correctly with the DNS server.
         ......................... SERVER_B failed test Connectivity
------------------------------------------------------------------------------------------------------------------------
   
I could and probably should delete SERVER_B from network.ourdomain.com in the DNS, but - people actually need to use that machine. So - if I do so - from each of the two servers (A & C) surely people won't be able to view that machine?

And - how do I persuade SERVER_B that it is no longer a DC?

Ben.

LVL 71

Expert Comment

by:Chris Dent
ID: 13729672

When you were trying to delete it from AD Sites and Services did you try and delete the NTDS Settings first?

This is a slightly different version of the manual remove instructions - it might be a little more useful:

http://www.petri.co.il/fix_unsuccessful_demotion.htm

Can you also check the permissions set on the Computer Account for Server_B?

Author Comment

by:bcops
ID: 13731045
Hi Chris,
Thanks - as ever.

- I always did the NTDS settings first.
- I'll take a look at those instructions
- Check the permissions - where and on which server?

- Also: what did you think about my concerns about deleting the A record in the DNS for SERVER_B on servers A & C given that people need to access SERVER_B .....? If I delete the A record in network.ourdomain.com in DNS surely they won't find it?

Thanks, Ben.


Author Comment

by:bcops
ID: 13731050
Oh sorry - and - how will I eventually persuade SERVER_B that it isn't a DC any more?
B..
LVL 71

Expert Comment

by:Chris Dent
ID: 13731124

You're right that deleting the A record will stop the clients finding the server - not an ideal situation.

For the permissions I meant on the Computer Account itself in AD.

Still not sure how to convince it that it doesn't want to be a DC if the MS / Petri articles don't work. The last method is a bit extreme since it involves reinstalling the OS.

One thing that might be worth checking... the registry flag for the NTFRS service... If that's still set to D4 then it's possible it's overwriting your attempts to remove it from AD.

Author Comment

by:bcops
ID: 13734367
Hi Chris,

Progress I think. We've now no longer got SERVER_B appearing in ntdsutil and metadatacleanup, not appearing in AD Sites and Services and not in ADSIEdit.msc. Removing the A records might have helped, and cleaning out any mention of SERVER B in DNS on SERVER A and C probably helped too.

Bizarrely people can still do \\SERVER_B and see it. However, once I'm on SERVER C or SERVER A, \\SERVER_B doesn't work. So perhaps DNS changes are taking a while to work through.

Did notice this message on SERVER_C in EventViewer:

---------------------------------------------------------------------------------------------------------------------
Event Type:      Information
Event Source:      NTDS KCC
Event Category:      (1)
Event ID:      1104
Date:            08/04/2005
Time:            10:00:33
User:            N/A
Computer:      NETDEV
Description:
The consistency checker has terminated change notifications for the following:
 
 Partition: CN=Schema,CN=Configuration,DC=network,DC=ourdomain,DC=com
 Destination DSA DN (if available): CN="NTDS Settings
DEL:3bc107fa-88a7-40f9-b870-b7db6389bcec",CN="SERVER_B
DEL:4e4c70e0-7f73-437e-9ce9-5a4659bf3c38",CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=network,DC=ourdomain,DC=com
 Destination DSA Address: 3bc107fa-88a7-40f9-b870-b7db6389bcec._msdcs.network.ourdomain.com
---------------------------------------------------------------------------------------------------------------------

So, I'll leave things for an hour or so, then check SERVERA + SERVERC aren't finding SERVERB reappearing in ntdsutil/AD. If this is all OK, this would imply the only issue remaining is that SERVERB still thinks it's a DC.

One thought I had was of removing DNS from SERVERB - this might force the issue.
Thanks, Ben.

LVL 71

Expert Comment

by:Chris Dent
ID: 13734559

Yep. It would be a good idea to shutdown DNS on Server_B, especially if it's still trying to be AD Integrated.

Clients will possibly still be able to get the name \\server_b by broadcast rather than NS lookup.

Author Comment

by:bcops
ID: 13736941
Hi Chris,
Looks like I've finally managed to sort out SERVER_B - it is no longer a DC, and is not mentioned in any way on SERVERA or C.

Steps were: doing both below on SERVER_B:

1. Looking at:
http://x220.win2ktest.com/forum/topic.asp?TOPIC_ID=612

i.e. :
In HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Control\ProductOptions
Find ProductType
Change the data value from LanmanNT to ServerNT, using the exact case
Reboot the server
Delete the NTDS folder
Then use ntdsutil to remove the DC’s object from the DS

2. Remove DNS from SERVER_B
3. Remove SERVER_B from NETWORK domain, put it into workgroup WORKGROUP, don't reboot, put it back into NETWORK domain, re-boot.

Chris - What I'd like to do is leave all servers up and running over the weekend and see how things are on Monday morning.
Then - if all is OK, I will shower you with points. I can award multiple batches of 500 pts, and that's exactly what I'll do on Monday if it all works OK.

At the moment, I cannot thank you enough.
Have a great weekend.

Ben.

LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 13737694

Hi Ben,

Glad it's all working out :)

Enjoy your weekend too.

Chris

Author Comment

by:bcops
ID: 13751232
Hi Chris,

All seems fine. Your help has been priceless. Thanks very much.
To anyone reading this - Chris Dent - (http://www.experts-exchange.com/M_3452732.html) is a star.

Ben.

LVL 71

Expert Comment

by:Chris Dent
ID: 13751246

Hi Ben,

Always happy to help :)

 Chris

Author Comment

by:bcops
ID: 13751259
Chris,

I've setup two dummy questions. If you put up an answer, I'll award you more points.
See:
1. http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21383795.html
2. http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21383796.html

Ben.

LVL 71

Expert Comment

by:Chris Dent
ID: 13751268

Not sure you're allowed to do that... but I shouldn't worry about it. Generally a thanks is more than enough ;)

Author Comment

by:bcops
ID: 13751289
I've already been told off :(
I've done this before though, been told I could!

Bah!
Ben.
LVL 71

Expert Comment

by:Chris Dent
ID: 13751382

lol