?
Solved

Unable to open AD, Unable to communicate with GC, DNS failing

Posted on 2005-04-20
23
Medium Priority
?
1,593 Views
Last Modified: 2008-01-09
Server 3 & Server 4 are Win2000, latest SP and patches, their own domain.  They were set up several months ago, both DC's and both having copies of the GC, and everything was working. DNS is AD-integrated, and was working with no errors.  Up till last week dcdiag and netdiag showed no errors. Users could log on and did log on as tests. Literally, everything was going smooth and I was starting to think they were ready for production, and suddenly one morning, all heck broke loose on Server 3.

Here seem to be the relevant events:

1655 NTDS General - Unable to communicate with the Global Catalog, access is denied
1126 NTDS General -  Unable to establish a connection with the Global Catalog
4013 DNS - Unable to open the AD
4000 DNS server was unable to open the AD
13562 NTFRS Could not bind to the domain controller
1000 Userenv - Cannot determine the user or computer name., Return value (5)
560 Security Logon failure \BaseNamed Objects\RasPBFile (numerous)

If I open DFS in the Admin tools and try to display the existing DFS Root - RPC Server is unavailable
If I try to display an existing root - "Unable to update the password. The value provided ar the current password is incorrect."

NTFRSUTL DS Server3 -
Binding to the DS_ldap.connect: Server3 ERROR ldap error 00000031 = invalid credentials. - Tried
dcdiag - Testing server: Default-First-Site-Name\server3 Fails connectivity test - Server3's GUID could not be resolved to and IP address...although the server name, Server3, resolved to an IP address and was pingable
Also in dcdiag - Testing server: Default-first-site-name\server3. Skipping because Server3 is not responding to directory service requests

netdiag --
DNS test failed - DNS entries for this DC are not registered. No DNS servers have the DNS records for this DC
Also in netdiag - ldap test- Passed. Warning: Failed to query SPN registration.

If I try to re-add the AD-integrated Forward lookup Zone in DNS, I get "Zone cannot be created. The AD service is not available"

It is an endless loop and all I am doing at this point is going in circles.  The DNS can't load because the AD can't load, and the AD can't load because the DNS is not loading the Forward Lookup Zone.  I have tried all the Technet suggestions I could find for these events, which are woefully few.  I also tried adding a primary lookup zone (non AD-integrated) for Server3, which loads, but doesn't solve the problem, or even change anything. It appears a password is bad somewhere, but nothing really tells what password is bad.  I see no services that should be starting that are not.  RPC and RPC locator services are started.  Events on Server4 seem normal.  Nothing was installed recently, hardware or software, though obviously I did something that caused it. Can anyone suggest a new direction?  
0
Comment
Question by:SusanSB
  • 12
  • 11
23 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13825456
Hi,

Are both Server 3 and 4 in the Domain Controllers OU in Active Directory?

Have any changes been made to the Default Domain Controllers Policy?

Chris
0
 

Author Comment

by:SusanSB
ID: 13825816
Yes, Server3 and Server4 are in the Domain Controllers OU, and I have not done anything to policies that I know of in the past few weeks.  But yes, I am at least aware I must have done something that I am not remembering, I assume something that I thought was insignificant.  I honestly can't remember changing anything other than applying WinUpdates when they become available.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13826290

Could you run DCDiag /e /c /v /f:Report.log

That will (as it suggests) create a Report.log file with the output from DCDiag. The particular command runs through all of the configuration and lists and problems.

Just in case you want to know what they are...

/e - Tests all the servers in the Enterprise
/c - Comprehensive Tests
/v - Verbose

The Default Domain Controller Policy can be restored  using this tool if necessary (but don't run it unless nothing else seems to be helping):

http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&DisplayLang=en

For the error above "Server3's GUID could not be resolved to and IP address", this appears in DNS as a Alias entry under the _msdcs folder in your Domain (DNS Manager). The Data field should have the name of Server3 in it. Can you verify if it's there or not?

Chris
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 

Author Comment

by:SusanSB
ID: 13826513
DCDiag /e /c /v /F:report.log

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine server3, is a DC.
   * Connecting to directory service on server server3.
   * Collecting site info.
   * Identifying all servers.
   * Found 2 DC(s). Testing 2 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\server3
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         server3's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name (5eb1c26b-9f6a-4d72-9e7c-5b1e091d293f._msdcs.sighting.org) couldn't be resolved, the server name (server3.sighting.org)  resolved to the IP address (192.168.1.150) and was pingable.  Check that the IP address is registered correctly with the DNS server.
         ......................... server3 failed test Connectivity
   
   Testing server: Default-First-Site-Name\server4
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         server4's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         ......................... server4 failed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\server3
      Skipping all tests, because server server3 is
      not responding to directory service requests
   
   Testing server: Default-First-Site-Name\server4
      Skipping all tests, because server server4 is
      not responding to directory service requests
   
   Running enterprise tests on : sighting.org
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
         ......................... sighting.org passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\server3.sighting.org
         Locator Flags: 0xe00003fd
         PDC Name: \\server3.sighting.org
         Locator Flags: 0xe00003fd
         Time Server Name: \\server3.sighting.org
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\server3.sighting.org
         Locator Flags: 0xe00003fd
         KDC Name: \\server3.sighting.org
         Locator Flags: 0xe00003fd
         ......................... sighting.org passed test FsmoCheck


As for the Alias in _msdcs, Server 4 has it, but Server3 has no Forward Lookup Zone and no _msdcs because it is "unable to contact AD."
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13826572

In the IP Configuration for each set them up to user Server4 as Preferred DNS.

Does that server seem to have the most accurate record of where everything is on the Domain?

Does DCDiag produce the same output after the changes have been made to the TCP/IP settings?
0
 

Author Comment

by:SusanSB
ID: 13827612
Some progress maybe.  Still getting all the same events on Server3, but dcdiag and netdiag look considerably different.  I still can't get Server3 to load the Forward lookup Zone.  Interestingly, if I go to Sites and Services and force replication on Server 3, it says it replicated the connection, but if I force it for Server 4, is returns "access is denied". Also, if I do NTFRSUTL DS Server3, I get "invalid credentials".  Still getting lots opf bad username or password events and most of the same events as before on Server3. Still ripping hair out.

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\server3
      Starting test: Connectivity
         ......................... server3 passed test Connectivity
Doing primary tests

   Testing server: Default-First-Site-Name\server3
      Starting test: Replications
         ......................... server3 passed test Replications
      Starting test: NCSecDesc
         ......................... server3 passed test NCSecDesc
      Starting test: NetLogons
         ......................... server3 passed test NetLogons
      Starting test: Advertising
         ......................... server3 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... server3 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... server3 passed test RidManager
      Starting test: MachineAccount
         ......................... server3 passed test MachineAccount
      Starting test: Services
         ......................... server3 passed test Services
      Starting test: ObjectsReplicated
         ......................... server3 passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... server3 passed test frssysvol
      Starting test: kccevent
         ......................... server3 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC000000F
            Time Generated: 04/20/2005   13:26:59
            Event String: No adapter is configured to be the default
         An Error Event occured.  EventID: 0xC0000021
            Time Generated: 04/20/2005   13:27:58
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0001B6E
            Time Generated: 04/20/2005   13:29:34
            Event String: The DNS Server service hung on starting.
         An Error Event occured.  EventID: 0xC000000F
            Time Generated: 04/20/2005   14:05:26
            Event String: No adapter is configured to be the default
         An Error Event occured.  EventID: 0xC0000021
            Time Generated: 04/20/2005   14:06:13
            (Event String could not be retrieved)
         ......................... server3 failed test systemlog

   Running enterprise tests on : sighting.org
      Starting test: Intersite
         ......................... sighting.org passed test Intersite
      Starting test: FsmoCheck
         ......................... sighting.org passed test FsmoCheck

C:\Program Files\Support Tools>netdiag

....................................

    Computer Name: server3
    DNS Host Name: server3.sighting.org
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 6 Model 8 Stepping 6, GenuineIntel
 
Netcard queries test . . . . . . . : Passed

Per interface results:
    Adapter : Local Area Connection
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : server3
        IP Address . . . . . . . . : 192.168.1.150
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.1
        Dns Servers. . . . . . . . : 192.168.1.155

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{7A85862F-4D73-4180-B7E0-3CD65FE520FB}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.15
5' and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{7A85862F-4D73-4180-B7E0-3CD65FE520FB}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{7A85862F-4D73-4180-B7E0-3CD65FE520FB}
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.

The command completed successfully
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13827696

That looks a little more promising...

Could you run DCDiag /e /c /v, that produces rather more detail than DCDiag alone.  The comprehensive tests will produce quite a huge amount of data (/f:<FileName> redirects the output to a file), so it may be better to only post tests that failed (or everything if you're not quite sure).

It looks like the servers are out of sync, but figuring out which one is wrong has to be the first thing to do.

Which server has the FSMO roles?

This bit of implies there is a problem with the network configuration:

Event String: No adapter is configured to be the default

And the DNS server hanging might explain why it's not being too helpful on that front.
0
 

Author Comment

by:SusanSB
ID: 13832417
Here is the expanded netdiag (edited, but still copious).  I have not yet digested all of it.

Domain Controller Diagnosis.
   * Found 2 DC(s). Testing 2 of them.
   Testing server: Default-First-Site-Name\server3
         ......................... server3 passed test Connectivity
   Testing server: Default-First-Site-Name\server4
         ......................... server4 passed test Connectivity
         ......................... server3 passed test Replications
         ......................... server3 passed test Topology
         ......................... server3 passed test CutoffServers
         ......................... server3 passed test NCSecDesc
         ......................... server3 passed test NetLogons
         ......................... server3 passed test Advertising
         ......................... server3 passed test KnowsOfRoleHolders
         ......................... server3 passed test RidManager
         ......................... server3 passed test MachineAccount
         ......................... server3 passed test Services
         ......................... server3 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         server3 is in domain DC=insight,DC=org
         Checking for CN=server3,OU=Domain Controllers,DC=insight,DC=org in domain DC=insight,DC=org on 2 servers
            Authoritative attribute dBCSPwd on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 9
            Out-of-date attribute dBCSPwd on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute lmPwdHistory on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 9
            Out-of-date attribute lmPwdHistory on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute ntPwdHistory on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 9
            Out-of-date attribute ntPwdHistory on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute pwdLastSet on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 9
            Out-of-date attribute pwdLastSet on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute supplementalCredentials on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 8
            Out-of-date attribute supplementalCredentials on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 7
            Authoritative attribute unicodePwd on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 9
            Out-of-date attribute unicodePwd on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
         Checking for CN=NTDS Settings,CN=server3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=insight,DC=org in domain CN=Configuration,DC=insight,DC=org on 2 servers
            Object is up-to-date on all servers.
         ......................... server3 failed test ObjectsReplicated

      Starting test: frssysvol
         * The File Replication Service Event log test
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         An Warning Event occured.  EventID: 0x800034FA
            Time Generated: 04/21/2005   06:21:26
            Event String: Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller server3.insight.org for FRS replica set configuration information.     Could not bind to a Domain Controller. Will try again at next polling cycle.
         ......................... server3 passed test frssysvol

      Starting test: kccevent
         * The KCC Event log test
         An Warning Event occured.  EventID: 0x80000677
            Time Generated: 04/21/2005   06:32:24
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80000677
            Time Generated: 04/21/2005   06:32:24
            (Event String could not be retrieved)
         ......................... server3 failed test kccevent

      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0xC000000F
            Time Generated: 04/21/2005   06:17:02
            Event String: No adapter is configured to be the default adapter. Appletalk was not initialized on any adapter. Services over AppleTalk e.g. Print Server, File Server etc. will not be  functional unless a default adapter is specified.
         An Error Event occured.  EventID: 0xC0001B6E
            Time Generated: 04/21/2005   06:19:38
            Event String: The DNS Server service hung on starting.
         ......................... server3 failed test systemlog
   
   Testing server: Default-First-Site-Name\server4
      Starting test: Replications
         * Replications Check
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: CN=Schema,CN=Configuration,DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 06:35.14.
            The last success occurred at 2005-04-04 14:55.55.
            70 failures have occurred since the last success.
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: CN=Configuration,DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 06:35.14.
            The last success occurred at 2005-04-04 14:55.55.
            86 failures have occurred since the last success.
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 06:35.14.
            The last success occurred at 2005-04-04 14:55.55.
            90 failures have occurred since the last success.
         ......................... server4 passed test Replications
         ......................... server4 passed test Topology
         ......................... server4 passed test CutoffServers
         ......................... server4 passed test NCSecDesc
         ......................... server4 passed test NetLogons
         ......................... server4 passed test Advertising
         ......................... server4 passed test KnowsOfRoleHolders
         ......................... server4 passed test RidManager
         ......................... server4 passed test MachineAccount
         ......................... server4 passed test Services
          Starting test: ObjectsReplicated
         server4 is in domain DC=insight,DC=org
         Checking for CN=server4,OU=Domain Controllers,DC=insight,DC=org in domain DC=insight,DC=org on 2 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=server4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=insight,DC=org in domain CN=Configuration,DC=insight,DC=org on 2 servers
            Authoritative attribute options on server3 (writeable)
               usnLocalChange = 39314
               LastOriginatingDsa = server3
               usnOriginatingChange = 39314
               timeLastOriginatingChange = 2005-04-19 07:18.30
               VersionLastOriginatingChange = 1
            Out-of-date attribute options on server4 (writeable)
               usnLocalChange = 24286
               LastOriginatingDsa = server4
               usnOriginatingChange = 24286
               timeLastOriginatingChange = 2005-04-19 07:14.01
               VersionLastOriginatingChange = 1
         ......................... server4 failed test ObjectsReplicated
 
     Starting test: frssysvol
         * The File Replication Service Event log test
         The SYSVOL has been shared, and the AD is no longer
         prevented from starting by the File Replication Service.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 04/21/2005   06:01:58
            Event String: The File Replication Service is having trouble enabling replication from server3 to server4 for c:\winnt\sysvol\domain using the DNS name server3.insight.org. FRS will keep retrying.   Following are some of the reasons you would see this warning.     [1] FRS can not correctly resolve the DNS name server3.insight.org from this computer.   [2] FRS is not running on server3.insight.org.   [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.     This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         ......................... server4 passed test frssysvol
         ......................... server4 passed test kccevent

      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000C18
            Time Generated: 04/21/2005   05:59:39
            Event String: The Windows NT domain controller for this domain could not be located.
         ......................... server4 failed test systemlog
   
   Running enterprise tests on : insight.org
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
         ......................... insight.org passed test Intersite
         ......................... insight.org passed test FsmoCheck
0
 

Author Comment

by:SusanSB
ID: 13832467
Also Server 3 is fsmo.  

I get events now that the  DNS failed on server 3 (it says it hung).  It seems to be started, and I can stop it an restart it.  Events are logged for "unable to open the Active Directory" and "DNS did not detect any primary or secondary zones".
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13832558

Provided neither server refers to it (Preferred DNS setting) you shouldn't need the DNS on Server3.

For the Access Denied errors it's coverd by this Microsoft document:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd12.mspx

The Troubleshooting Access Denied Replication Errors is the bit you need and the Glossary has all the commands listed (it links to the glossary when you click on a command) that need to be run.

Chris
0
 

Author Comment

by:SusanSB
ID: 13832904
One question before I go off into new territory.  In the instructions for "Access Denied Replication Errors", it says to reset the computer account password on the PDC emulator.  Does it mean to type the * in the command, or to give it a new password?  
0
 

Author Comment

by:SusanSB
ID: 13833424
Interesting, got through the step for resetting password (interesting since the AD Operations Guide has TWO misspellings on the command).  Now, the next step says to "synchronize the domain naming context of the replication partner to creat a replication link".  I have no idea what that means for me to do.  
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13833562

Microsoft guides... aren't they fun...

What you need to type is under step 9 (it's really not at all clear about that):

1. In Active Directory Sites and Services, expand the Sites container, expand the site of the domain controller to which you want to synchronize replication, expand the Servers container, and expand the server object of the domain controller, and then click NTDS Settings.

2. In the From Server column in the details pane, locate the connection object that shows the name of the source domain controller.

3. Right-click the appropriate connection object and then click Replicate Now.

4. Click OK to close the Replicate Now message box.

Hope that makes sense...
0
 

Author Comment

by:SusanSB
ID: 13836121
I completed the whole process on Server3 and I seem to be in the exact same place as before.  The only problem I had was in step 7, the sync.  If I read you right, I could force replication from AD Sites and Services in Step 7.  However, I had to start the KDC service to get AD Sites and Services to load, which meant I started it out of order from the what the procedure said, and, as before, Server3 said it replicated and server 4 said access denied. I tried to go through the procedure again, but it would not reset the password the second time.  It did not like the username the second time through (the same username as the first time). All in all, pretty discouraging.

Here is the edited dcdiag /e /c /v /f:report after I completed the process for "Access denied" errors (Note: does "Out-of-date attribute supplementalCredentials on server4" indicate anything useful?):

Doing initial required tests
   
   Testing server: Default-First-Site-Name\server3
         ......................... server3 passed test Connectivity
   Testing server: Default-First-Site-Name\server4
         ......................... server4 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\server3
         ......................... server3 passed test Replications
         ......................... server3 passed test Topology
         ......................... server3 passed test CutoffServers
         ......................... server3 passed test NCSecDesc
         ......................... server3 passed test NetLogons
         ......................... server3 passed test Advertising
         ......................... server3 passed test KnowsOfRoleHolders
         ......................... server3 passed test RidManager
         ......................... server3 passed test MachineAccount
         ......................... server3 passed test Services
         ......................... server3 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         server3 is in domain DC=insight,DC=org
         Checking for CN=server3,OU=Domain Controllers,DC=insight,DC=org in domain DC=insight,DC=org on 2 servers
            Authoritative attribute dBCSPwd on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute dBCSPwd on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute lmPwdHistory on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute lmPwdHistory on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute ntPwdHistory on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute ntPwdHistory on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute pwdLastSet on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute pwdLastSet on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute supplementalCredentials on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 10
            Out-of-date attribute supplementalCredentials on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 7
            Authoritative attribute unicodePwd on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute unicodePwd on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
         Checking for CN=NTDS Settings,CN=server3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=insight,DC=org in domain CN=Configuration,DC=insight,DC=org on 2 servers
            Object is up-to-date on all servers.
         ......................... server3 failed test ObjectsReplicated
         ......................... server3 passed test frssysvol
         ......................... server3 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0xC000000F
            Time Generated: 04/21/2005   12:13:53
            Event String: No adapter is configured to be the default adapter. Appletalk was not initialized on any adapter. Services over AppleTalk e.g. Print Server, File Server etc. will not be  functional unless a default adapter is specified.
         An Error Event occured.  EventID: 0xC0000021
            Time Generated: 04/21/2005   12:14:59
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0001B6E
            Time Generated: 04/21/2005   12:16:27
            Event String: The DNS Server service hung on starting.
         ......................... server3 failed test systemlog
   
   Testing server: Default-First-Site-Name\server4
      Starting test: Replications
         * Replications Check
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: CN=Schema,CN=Configuration,DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 12:52.38.
            The last success occurred at 2005-04-04 14:55.55.
            80 failures have occurred since the last success.
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: CN=Configuration,DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 12:52.38.
            The last success occurred at 2005-04-04 14:55.55.
            146 failures have occurred since the last success.
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 12:52.38.
            The last success occurred at 2005-04-04 14:55.55.
            130 failures have occurred since the last success.
         ......................... server4 passed test Replications
         ......................... server4 passed test Topology
         ......................... server4 passed test CutoffServers
         ......................... server4 passed test NCSecDesc
         ......................... server4 passed test NetLogons
         ......................... server4 passed test Advertising
         ......................... server4 passed test KnowsOfRoleHolders
         ......................... server4 passed test RidManager
         ......................... server4 passed test MachineAccount
         ......................... server4 passed test Services
         ......................... server4 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         server4 is in domain DC=insight,DC=org
         Checking for CN=server4,OU=Domain Controllers,DC=insight,DC=org in domain DC=insight,DC=org on 2 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=server4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=insight,DC=org in domain CN=Configuration,DC=insight,DC=org on 2 servers
            Authoritative attribute options on server3 (writeable)
               usnLocalChange = 39314
               LastOriginatingDsa = server3
               usnOriginatingChange = 39314
               timeLastOriginatingChange = 2005-04-19 07:18.30
               VersionLastOriginatingChange = 1
            Out-of-date attribute options on server4 (writeable)
               usnLocalChange = 24286
               LastOriginatingDsa = server4
               usnOriginatingChange = 24286
               timeLastOriginatingChange = 2005-04-19 07:14.01
               VersionLastOriginatingChange = 1
         ......................... server4 failed test ObjectsReplicated
         ......................... server4 passed test frssysvol
         ......................... server4 passed test kccevent
         ......................... server4 passed test systemlog
            ......................... insight.org passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\server3.insight.org
         Locator Flags: 0xe00003fd
         PDC Name: \\server3.insight.org
         Locator Flags: 0xe00003fd
         Time Server Name: \\server3.insight.org
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\server3.insight.org
         Locator Flags: 0xe00003fd
         KDC Name: \\server3.insight.org
         Locator Flags: 0xe00003fd
         ......................... insight.org passed test FsmoCheck
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13837116

Server4 is a long way out of date as I'm sure you've noticed. It's time to figure out which of Server3 and Server4 is going to be the most useful for getting it all working again.

Do you need AppleTalk on there? If not, remove the protocol.

Okay... first I think it would be a good idea to get DNS working on Server3 - Server3 is the boss after all. All of this is very much a case of "if it will let you".

Check the DNS Service is started on Server3

First setup DNS so it can respond to requests:

Open DNS Manager
Select Forward Lookup Zones
Create a new zone (right click, new zone) with the same name as your current Domain Name
The zone should be Primary Active Directory Integrated
If it lets you create it select the Properties for the the zone ensure that Dynamic Updates is set to Secure Only

Select Reverse Lookup Zones
Create a new zone, the name should be like your IP Range (e.g. 192.168.0.x)
This zone should also be Primary Active Directory Integrated
Again, check the zone properties to ensure that Dynamic Updates is set to Secure Only

If it let you get that far change the Preferred DNS Server on Server3 to itself.

At the command line run:

C:\> ipconfig /flushdns
C:\> ipconfig /registerdns
C:\> net stop netlogon
C:\> net start netlogon

Then:

C:\> nslookup

This should respond with the name and IP of Server3 since NSLookup attaches you to the Preferred DNS on your server. Check it can resolve other queries:

www.google.com

If it refuses to do any of that in DNS go to Add / Remove Programs, Windows Components, remove the DNS Service, Reboot then and re-add it. Then see if it still won't let you.

If all of that does what it's supposed to then it's time to move on... if not, we can try picking on Server4 instead let me know either way though and I'll post some more.

Chris
0
 

Author Comment

by:SusanSB
ID: 13841876
Nope, no go "The forward lookup zone cannot be added, The Active Directory Service is not available."  "The reverse lookup zone cannot be added. The AD Service is not available."  It was still loading the reverse lookup zone prior to removing DNS.  From the DNS on server3, I can connect to Server 4 and see the forward lookup zone (AD integrated) on it.

I am still getting Event 13562 NTFRS Gen: Could not Bind to a DC .

And if I do NTFRSUTL ds server3, it returns
NTFRS CONFIGURATION IN THE DS
FRS DomainControllerName: (null)
Computer name: Server3
ComputerDNS Name: server3.insight.org
ldap_connect: server3.insight.org
ERROR - ldap_bind_s(servver3): ldap error 00000031 = invalid credentials.

It all seems to point to getting the two servers synced so AD can start and replication can begin.   Syncing servers should not be this hard!
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13842417

You're right it shouldn't...

There's an article on fixing the NTFRS service here:

http://support.microsoft.com/kb/290762

But it may not work in this case as Server3 doesn't seem to be happy enough with it's current job.

How do you feel about trying to make Server4 the boss? The DNS Service is working there, and am I right in thinking you can load the AD tools?

This would mean removing Server3 from the network, Seizing the FSMO roles (which means Server3 would have to be rebuilt), and cleaning up AD before Server3 could come back on.
0
 

Author Comment

by:SusanSB
ID: 13842922
I just spent some time on Server4, and just on a lark tried a repadmin /syncall on it, which returns "Replication suppressed by user request"
If I run repadmin /synchall on Server3, it claims to complete the sync.  

Server4 has almost no bad events, but this one seems interesting, and I am not sure what produced it, since I cannot seem to make it happen again: Event 1000 userenv Windows cannot access the registry information at \\insight.org\sysvol\insight.org\policies\{31B2f...}\Machine\registry.pol with (1327).  Of course, this particular error appears nowhere in technet or google (the 1327).  I am not getting event 1001 which would indicate a time synch problem.  

Actually, I am getting dangerously close to reformatting both of them and starting over from scratch.  

You know what, I am ready to make Server 3 the boss - a last ditch effort.  The DNS is working on it, it is happy.  Can you point me in the right direction? I assume I can't demote Server3, since it cannot access the AD.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13843119

Okay here we go then :)

Make sure server3 is switched off... and ensure it never comes back on without the reformat thing.

After that...

1. Check Server4 is a Global Catalog Server:

Open Active Directory Sites and Services
Find the server and select NTDS Settings
Select Properties and check the box for Global Catalog is ticked

2. FSMO Roles

From your notes above I see Server3 had them all, so this is how to get Server4 to grab them:

Start
Run
ntdsutil

This brings up the NTDSUtil window, in there type:

Roles
Connections
Connect to Server Server4
Quit <drops you back to FSMO Maintenance>

To take over the roles type (this is the point of no return):

Seize PDC
Seize RID Master
Seize Infrastructure Master
Seize Domain Naming Master
Seize Schema Master

Ensure each is taken from Server3 correctly. And you can verify where they all are with:

Select Operation Target
List Roles for Connected Server

Then type Quit until it lets you out.

3. Check DNS Registration

Make sure Server4 updates the entries in DNS from the command prompt with:

ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

4. Remove references to the old DC

There's a better description than I can fit in for this step here to describe how to remove Server3 from Active Directory:

http://www.petri.co.il/fix_unsuccessful_demotion.htm

5. Check it all works

Check all the event logs, DCDiag and NetDiag, try joining a PC to the domain, and finally, try joining a DC to the domain.

That should cover it all.
0
 

Author Comment

by:SusanSB
ID: 13844869
Off I go with the first problem.  Everything appeared to go well, but something was missed, clearly. I seized roles (it looked to me I was successful), and flushed and registered DNS in ipconfig, stopped and started netlogon.  I got through the instructions for fixing an unsuccessful DC demotion, till I got to the ADSIEdit. When I open ADSI edit, I get an error, "The server is not operational", and then it opens thus

ADSIEdit
DomainNC [Server4.insight.com]
Configuration container [Server4.insight.com]
Schema [Server4.insight.com]
DomainNC [Server4.insight.com]
DomainNC [Server4.insight.com]
DomainNC [Server4.insight.com]
DomainNC [Server3]

I can remove DomainNC [Server3], but it is back next time I open ADSIEdit, so obviously I missed something.   Server 3 is gone from the DNS.  Does anything jump out at you as being what I missed?  I have not rebooted, though I am reluctant to do so till I figure out where Server3 is still hanging in there.
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 13847022

The NTFRS article above may come in handy yet. It might be necessary to make sure the server knows it has a complete copy of the sysvol area.

But I would go with a reboot, need to see what services do (and don't) start. Anything particularly nasty in the event log?
0
 

Author Comment

by:SusanSB
ID: 13858852
Hey Chris -- Rebooted and it is looking good - no events that are troubling and users able to log on with no difficulties.  I believe I can refomat Server3 and promote it and all would be well.  However....

After thinking about it over the weekend, I came up with this:
1)  I am happy this network was not in production and was still in test mode
2) Win2000 will be out of support soon
3) Maybe it is time to think about trashing the whole thing while I can just install 2003 Server without trying to upgrade.  

To that end, I ordered 2003 Server today and will embark on a new adventure later this week, and I will Accept your last post.  Thank you for all your help and your patience, which has been formidable.



0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13858944

Hey,

Understandable concerns, the support for Windows 2000 (Mainstream) should come to an end in June, at least in theory.

Windows 2003 Server is a reasonable upgrade though, generally a lot nicer to work with than 2000 - although in broad terms there isn't really all that much difference.

Otherwise, happy I could help out :)

Chris
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
MSSQL DB-maintenance also needs implementation of multiple activities. However, unprecedented errors can hamper the database management. In that case, deploying Stellar SQL Database Toolkit ensures fast and accurate database and backup repair as wel…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Loops Section Overview
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question