SusanSB

asked on

Unable to open AD, Unable to communicate with GC, DNS failing

Server 3 & Server 4 are Win2000, latest SP and patches, their own domain.  They were set up several months ago, both DC's and both having copies of the GC, and everything was working. DNS is AD-integrated, and was working with no errors.  Up till last week dcdiag and netdiag showed no errors. Users could log on and did log on as tests. Literally, everything was going smooth and I was starting to think they were ready for production, and suddenly one morning, all heck broke loose on Server 3.

Here seem to be the relevant events:

1655 NTDS General - Unable to communicate with the Global Catalog, access is denied
1126 NTDS General -  Unable to establish a connection with the Global Catalog
4013 DNS - Unable to open the AD
4000 DNS server was unable to open the AD
13562 NTFRS Could not bind to the domain controller
1000 Userenv - Cannot determine the user or computer name., Return value (5)
560 Security Logon failure \BaseNamed Objects\RasPBFile (numerous)

If I open DFS in the Admin tools and try to display the existing DFS Root - RPC Server is unavailable
If I try to display an existing root - "Unable to update the password. The value provided as the current password is incorrect."

NTFRSUTL DS Server3 -
Binding to the DS_ldap.connect: Server3 ERROR ldap error 00000031 = invalid credentials. - Tried
dcdiag - Testing server: Default-First-Site-Name\server3 Fails connectivity test - Server3's GUID could not be resolved to an IP address...although the server name, Server3, resolved to an IP address and was pingable
Also in dcdiag - Testing server: Default-first-site-name\server3. Skipping because Server3 is not responding to directory service requests

netdiag --
DNS test failed - DNS entries for this DC are not registered. No DNS servers have the DNS records for this DC
Also in netdiag - ldap test- Passed. Warning: Failed to query SPN registration.

If I try to re-add the AD-integrated Forward lookup Zone in DNS, I get "Zone cannot be created. The AD service is not available"

It is an endless loop and all I am doing at this point is going in circles.  The DNS can't load because the AD can't load, and the AD can't load because the DNS is not loading the Forward Lookup Zone.  I have tried all the Technet suggestions I could find for these events, which are woefully few.  I also tried adding a primary lookup zone (non AD-integrated) for Server3, which loads, but doesn't solve the problem, or even change anything. It appears a password is bad somewhere, but nothing really tells what password is bad.  I see no services that should be starting that are not.  RPC and RPC locator services are started.  Events on Server4 seem normal.  Nothing was installed recently, hardware or software, though obviously I did something that caused it. Can anyone suggest a new direction?  
Chris Dent

Hi,

Are both Server 3 and 4 in the Domain Controllers OU in Active Directory?

Have any changes been made to the Default Domain Controllers Policy?

Chris
SusanSB

ASKER

Yes, Server3 and Server4 are in the Domain Controllers OU, and I have not done anything to policies that I know of in the past few weeks.  But yes, I am at least aware I must have done something that I am not remembering, I assume something that I thought was insignificant.  I honestly can't remember changing anything other than applying WinUpdates when they become available.

Could you run DCDiag /e /c /v /f:Report.log

That will (as it suggests) create a Report.log file with the output from DCDiag. That particular command runs through all of the configuration and lists any problems.

Just in case you want to know what they are...

/e - Tests all the servers in the Enterprise
/c - Comprehensive Tests
/v - Verbose

The Default Domain Controller Policy can be restored using this tool if necessary (but don't run it unless nothing else seems to be helping):

http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&DisplayLang=en

For the error above "Server3's GUID could not be resolved to an IP address", this appears in DNS as an Alias entry under the _msdcs folder in your Domain (DNS Manager). The Data field should have the name of Server3 in it. Can you verify if it's there or not?

Chris
SusanSB

ASKER

DCDiag /e /c /v /F:report.log

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine server3, is a DC.
   * Connecting to directory service on server server3.
   * Collecting site info.
   * Identifying all servers.
   * Found 2 DC(s). Testing 2 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\server3
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         server3's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name (5eb1c26b-9f6a-4d72-9e7c-5b1e091d293f._msdcs.sighting.org) couldn't be resolved, the server name (server3.sighting.org)  resolved to the IP address (192.168.1.150) and was pingable.  Check that the IP address is registered correctly with the DNS server.
         ......................... server3 failed test Connectivity
   
   Testing server: Default-First-Site-Name\server4
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         server4's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         ......................... server4 failed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\server3
      Skipping all tests, because server server3 is
      not responding to directory service requests
   
   Testing server: Default-First-Site-Name\server4
      Skipping all tests, because server server4 is
      not responding to directory service requests
   
   Running enterprise tests on : sighting.org
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
         ......................... sighting.org passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\server3.sighting.org
         Locator Flags: 0xe00003fd
         PDC Name: \\server3.sighting.org
         Locator Flags: 0xe00003fd
         Time Server Name: \\server3.sighting.org
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\server3.sighting.org
         Locator Flags: 0xe00003fd
         KDC Name: \\server3.sighting.org
         Locator Flags: 0xe00003fd
         ......................... sighting.org passed test FsmoCheck


As for the Alias in _msdcs, Server 4 has it, but Server3 has no Forward Lookup Zone and no _msdcs because it is "unable to contact AD."

In the IP Configuration for each, set them up to use Server4 as Preferred DNS.

Does that server seem to have the most accurate record of where everything is on the Domain?

Does DCDiag produce the same output after the changes have been made to the TCP/IP settings?
SusanSB

ASKER

Some progress maybe.  Still getting all the same events on Server3, but dcdiag and netdiag look considerably different.  I still can't get Server3 to load the Forward lookup Zone.  Interestingly, if I go to Sites and Services and force replication on Server 3, it says it replicated the connection, but if I force it for Server 4, it returns "access is denied". Also, if I do NTFRSUTL DS Server3, I get "invalid credentials".  Still getting lots of bad username or password events and most of the same events as before on Server3. Still ripping hair out.

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\server3
      Starting test: Connectivity
         ......................... server3 passed test Connectivity
Doing primary tests

   Testing server: Default-First-Site-Name\server3
      Starting test: Replications
         ......................... server3 passed test Replications
      Starting test: NCSecDesc
         ......................... server3 passed test NCSecDesc
      Starting test: NetLogons
         ......................... server3 passed test NetLogons
      Starting test: Advertising
         ......................... server3 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... server3 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... server3 passed test RidManager
      Starting test: MachineAccount
         ......................... server3 passed test MachineAccount
      Starting test: Services
         ......................... server3 passed test Services
      Starting test: ObjectsReplicated
         ......................... server3 passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... server3 passed test frssysvol
      Starting test: kccevent
         ......................... server3 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC000000F
            Time Generated: 04/20/2005   13:26:59
            Event String: No adapter is configured to be the default
         An Error Event occured.  EventID: 0xC0000021
            Time Generated: 04/20/2005   13:27:58
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0001B6E
            Time Generated: 04/20/2005   13:29:34
            Event String: The DNS Server service hung on starting.
         An Error Event occured.  EventID: 0xC000000F
            Time Generated: 04/20/2005   14:05:26
            Event String: No adapter is configured to be the default
         An Error Event occured.  EventID: 0xC0000021
            Time Generated: 04/20/2005   14:06:13
            (Event String could not be retrieved)
         ......................... server3 failed test systemlog

   Running enterprise tests on : sighting.org
      Starting test: Intersite
         ......................... sighting.org passed test Intersite
      Starting test: FsmoCheck
         ......................... sighting.org passed test FsmoCheck

C:\Program Files\Support Tools>netdiag

....................................

    Computer Name: server3
    DNS Host Name: server3.sighting.org
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 6 Model 8 Stepping 6, GenuineIntel
 
Netcard queries test . . . . . . . : Passed

Per interface results:
    Adapter : Local Area Connection
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : server3
        IP Address . . . . . . . . : 192.168.1.150
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.1
        Dns Servers. . . . . . . . : 192.168.1.155

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{7A85862F-4D73-4180-B7E0-3CD65FE520FB}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.155' and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{7A85862F-4D73-4180-B7E0-3CD65FE520FB}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{7A85862F-4D73-4180-B7E0-3CD65FE520FB}
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.

The command completed successfully

That looks a little more promising...

Could you run DCDiag /e /c /v, that produces rather more detail than DCDiag alone.  The comprehensive tests will produce quite a huge amount of data (/f:<FileName> redirects the output to a file), so it may be better to only post tests that failed (or everything if you're not quite sure).

It looks like the servers are out of sync, but figuring out which one is wrong has to be the first thing to do.

Which server has the FSMO roles?

This bit implies there is a problem with the network configuration:

Event String: No adapter is configured to be the default

And the DNS server hanging might explain why it's not being too helpful on that front.
SusanSB

ASKER

Here is the expanded netdiag (edited, but still copious).  I have not yet digested all of it.

Domain Controller Diagnosis.
   * Found 2 DC(s). Testing 2 of them.
   Testing server: Default-First-Site-Name\server3
         ......................... server3 passed test Connectivity
   Testing server: Default-First-Site-Name\server4
         ......................... server4 passed test Connectivity
         ......................... server3 passed test Replications
         ......................... server3 passed test Topology
         ......................... server3 passed test CutoffServers
         ......................... server3 passed test NCSecDesc
         ......................... server3 passed test NetLogons
         ......................... server3 passed test Advertising
         ......................... server3 passed test KnowsOfRoleHolders
         ......................... server3 passed test RidManager
         ......................... server3 passed test MachineAccount
         ......................... server3 passed test Services
         ......................... server3 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         server3 is in domain DC=insight,DC=org
         Checking for CN=server3,OU=Domain Controllers,DC=insight,DC=org in domain DC=insight,DC=org on 2 servers
            Authoritative attribute dBCSPwd on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 9
            Out-of-date attribute dBCSPwd on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute lmPwdHistory on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 9
            Out-of-date attribute lmPwdHistory on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute ntPwdHistory on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 9
            Out-of-date attribute ntPwdHistory on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute pwdLastSet on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 9
            Out-of-date attribute pwdLastSet on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute supplementalCredentials on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 8
            Out-of-date attribute supplementalCredentials on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 7
            Authoritative attribute unicodePwd on server3 (writeable)
               usnLocalChange = 39053
               LastOriginatingDsa = server3
               usnOriginatingChange = 39053
               timeLastOriginatingChange = 2005-04-08 05:55.11
               VersionLastOriginatingChange = 9
            Out-of-date attribute unicodePwd on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
         Checking for CN=NTDS Settings,CN=server3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=insight,DC=org in domain CN=Configuration,DC=insight,DC=org on 2 servers
            Object is up-to-date on all servers.
         ......................... server3 failed test ObjectsReplicated

      Starting test: frssysvol
         * The File Replication Service Event log test
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         An Warning Event occured.  EventID: 0x800034FA
            Time Generated: 04/21/2005   06:21:26
            Event String: Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller server3.insight.org for FRS replica set configuration information.     Could not bind to a Domain Controller. Will try again at next polling cycle.
         ......................... server3 passed test frssysvol

      Starting test: kccevent
         * The KCC Event log test
         An Warning Event occured.  EventID: 0x80000677
            Time Generated: 04/21/2005   06:32:24
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80000677
            Time Generated: 04/21/2005   06:32:24
            (Event String could not be retrieved)
         ......................... server3 failed test kccevent

      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0xC000000F
            Time Generated: 04/21/2005   06:17:02
            Event String: No adapter is configured to be the default adapter. Appletalk was not initialized on any adapter. Services over AppleTalk e.g. Print Server, File Server etc. will not be  functional unless a default adapter is specified.
         An Error Event occured.  EventID: 0xC0001B6E
            Time Generated: 04/21/2005   06:19:38
            Event String: The DNS Server service hung on starting.
         ......................... server3 failed test systemlog
   
   Testing server: Default-First-Site-Name\server4
      Starting test: Replications
         * Replications Check
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: CN=Schema,CN=Configuration,DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 06:35.14.
            The last success occurred at 2005-04-04 14:55.55.
            70 failures have occurred since the last success.
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: CN=Configuration,DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 06:35.14.
            The last success occurred at 2005-04-04 14:55.55.
            86 failures have occurred since the last success.
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 06:35.14.
            The last success occurred at 2005-04-04 14:55.55.
            90 failures have occurred since the last success.
         ......................... server4 passed test Replications
         ......................... server4 passed test Topology
         ......................... server4 passed test CutoffServers
         ......................... server4 passed test NCSecDesc
         ......................... server4 passed test NetLogons
         ......................... server4 passed test Advertising
         ......................... server4 passed test KnowsOfRoleHolders
         ......................... server4 passed test RidManager
         ......................... server4 passed test MachineAccount
         ......................... server4 passed test Services
          Starting test: ObjectsReplicated
         server4 is in domain DC=insight,DC=org
         Checking for CN=server4,OU=Domain Controllers,DC=insight,DC=org in domain DC=insight,DC=org on 2 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=server4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=insight,DC=org in domain CN=Configuration,DC=insight,DC=org on 2 servers
            Authoritative attribute options on server3 (writeable)
               usnLocalChange = 39314
               LastOriginatingDsa = server3
               usnOriginatingChange = 39314
               timeLastOriginatingChange = 2005-04-19 07:18.30
               VersionLastOriginatingChange = 1
            Out-of-date attribute options on server4 (writeable)
               usnLocalChange = 24286
               LastOriginatingDsa = server4
               usnOriginatingChange = 24286
               timeLastOriginatingChange = 2005-04-19 07:14.01
               VersionLastOriginatingChange = 1
         ......................... server4 failed test ObjectsReplicated
 
     Starting test: frssysvol
         * The File Replication Service Event log test
         The SYSVOL has been shared, and the AD is no longer
         prevented from starting by the File Replication Service.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 04/21/2005   06:01:58
            Event String: The File Replication Service is having trouble enabling replication from server3 to server4 for c:\winnt\sysvol\domain using the DNS name server3.insight.org. FRS will keep retrying.   Following are some of the reasons you would see this warning.     [1] FRS can not correctly resolve the DNS name server3.insight.org from this computer.   [2] FRS is not running on server3.insight.org.   [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.     This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         ......................... server4 passed test frssysvol
         ......................... server4 passed test kccevent

      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000C18
            Time Generated: 04/21/2005   05:59:39
            Event String: The Windows NT domain controller for this domain could not be located.
         ......................... server4 failed test systemlog
   
   Running enterprise tests on : insight.org
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
         ......................... insight.org passed test Intersite
         ......................... insight.org passed test FsmoCheck
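As an added example (not code from the thread, nor part of Microsoft's Support Tools), here is a small Python parser for the dcdiag /e /c /v output posted above: it pulls out the failed tests, the Authoritative/Out-of-date attribute pairs from the ObjectsReplicated test, and the replication failures with their error code, then flags the pattern Chris is chasing, computer-account password attributes that never replicated next to error 5 "Access is denied". The sample output, the attribute-pairing logic and the triage rules are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of "dcdiag /e /c /v" output (values made up for this example).
SAMPLE = """\
   Testing server: Default-First-Site-Name\\server3
      Starting test: ObjectsReplicated
         Checking for CN=server3,OU=Domain Controllers,DC=example,DC=test in domain DC=example,DC=test on 2 servers
            Authoritative attribute unicodePwd on server3 (writeable)
               VersionLastOriginatingChange = 11
            Out-of-date attribute unicodePwd on server4 (writeable)
               VersionLastOriginatingChange = 8
         ......................... server3 failed test ObjectsReplicated
   Testing server: Default-First-Site-Name\\server4
      Starting test: Replications
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: DC=example,DC=test
            The replication generated an error (5):
            Access is denied.
            90 failures have occurred since the last success.
         ......................... server4 passed test Replications
"""

RESULT = re.compile(r"\.{5,} (\S+) (passed|failed) test (\w+)")
ATTR = re.compile(r"(Authoritative|Out-of-date) attribute (\S+) on (\S+)")
VERSION = re.compile(r"VersionLastOriginatingChange = (\d+)")
REPL_FAIL = re.compile(r"\[Replications Check,(\S+)\] A recent replication attempt failed")
FROM_TO = re.compile(r"From (\S+) to (\S+)")
NAMING_CTX = re.compile(r"Naming Context: (.+)")
ERROR = re.compile(r"generated an error \((\d+)\)")
FAIL_COUNT = re.compile(r"(\d+) failures have occurred")

# Secret-bearing attributes of a DC's computer account (the ones listed in the thread).
PASSWORD_ATTRS = {"unicodePwd", "dBCSPwd", "ntPwdHistory", "lmPwdHistory",
                  "pwdLastSet", "supplementalCredentials"}


@dataclass
class Report:
    results: list = field(default_factory=list)        # (server, test, "passed"/"failed")
    attributes: list = field(default_factory=list)     # one dict per attribute copy seen
    repl_failures: list = field(default_factory=list)  # one dict per failed replication link


def parse_dcdiag(text: str) -> Report:
    """Line-oriented parse: an attribute or failure block stays 'open' and is filled
    in until the next block header or test-result line."""
    rep = Report()
    attr = fail = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RESULT.search(line):
            rep.results.append((m.group(1), m.group(3), m.group(2)))
            attr = fail = None
        elif m := ATTR.match(line):
            attr = {"state": m.group(1), "attr": m.group(2), "server": m.group(3), "version": None}
            rep.attributes.append(attr)
        elif m := REPL_FAIL.match(line):
            fail = {"target": m.group(1), "source": None, "nc": None, "error": None, "count": 0}
            rep.repl_failures.append(fail)
        elif attr is not None and (m := VERSION.match(line)):
            attr["version"] = int(m.group(1))
        elif fail is not None and (m := FROM_TO.match(line)):
            fail["source"], fail["target"] = m.group(1), m.group(2)
        elif fail is not None and (m := NAMING_CTX.match(line)):
            fail["nc"] = m.group(1).strip()
        elif fail is not None and (m := ERROR.search(line)):
            fail["error"] = int(m.group(1))
        elif fail is not None and (m := FAIL_COUNT.match(line)):
            fail["count"] = int(m.group(1))
    return rep


def failed_tests(rep: Report) -> list:
    return [(server, test) for server, test, status in rep.results if status == "failed"]


def stale_attributes(rep: Report) -> list:
    """Pair each Out-of-date copy with its Authoritative copy by attribute name:
    (attribute, authoritative DC, its version, stale DC, stale version)."""
    authoritative = {a["attr"]: a for a in rep.attributes if a["state"] == "Authoritative"}
    out = []
    for a in rep.attributes:
        if a["state"] == "Out-of-date" and a["attr"] in authoritative:
            auth = authoritative[a["attr"]]
            out.append((a["attr"], auth["server"], auth["version"], a["server"], a["version"]))
    return out


def triage(rep: Report) -> list:
    """Turn the parsed facts into short findings; these rules are this example's
    reading of the thread, not anything dcdiag itself reports."""
    findings = []
    stale = stale_attributes(rep)
    pw = {s[0] for s in stale} & PASSWORD_ATTRS
    if pw:
        holders = sorted({s[3] for s in stale if s[0] in pw})
        findings.append(f"computer-account secrets {sorted(pw)} are stale on {holders}: "
                        f"that DC cannot authenticate the account, expect secure-channel failures")
    for f in rep.repl_failures:
        if f["error"] == 5:  # ERROR_ACCESS_DENIED
            findings.append(f"{f['source']} -> {f['target']} on {f['nc']}: access denied "
                            f"({f['count']} failures); check the stale secrets above first")
    return findings
```

Run it over a saved Report.log instead of SAMPLE to get only the failed tests and the attribute drift, which is what Chris asked to be posted.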
SusanSB

ASKER

Also Server 3 is fsmo.  

I get events now that the DNS failed on server 3 (it says it hung).  It seems to be started, and I can stop it and restart it.  Events are logged for "unable to open the Active Directory" and "DNS did not detect any primary or secondary zones".

Provided neither server refers to it (Preferred DNS setting) you shouldn't need the DNS on Server3.

For the Access Denied errors it's covered by this Microsoft document:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd12.mspx

The Troubleshooting Access Denied Replication Errors is the bit you need and the Glossary has all the commands listed (it links to the glossary when you click on a command) that need to be run.

Chris
SusanSB

ASKER

One question before I go off into new territory.  In the instructions for "Access Denied Replication Errors", it says to reset the computer account password on the PDC emulator.  Does it mean to type the * in the command, or to give it a new password?  
SusanSB

ASKER

Interesting, got through the step for resetting password (interesting since the AD Operations Guide has TWO misspellings on the command).  Now, the next step says to "synchronize the domain naming context of the replication partner to create a replication link".  I have no idea what that means for me to do.  

Microsoft guides... aren't they fun...

What you need to type is under step 9 (it's really not at all clear about that):

1. In Active Directory Sites and Services, expand the Sites container, expand the site of the domain controller to which you want to synchronize replication, expand the Servers container, and expand the server object of the domain controller, and then click NTDS Settings.

2. In the From Server column in the details pane, locate the connection object that shows the name of the source domain controller.

3. Right-click the appropriate connection object and then click Replicate Now.

4. Click OK to close the Replicate Now message box.

Hope that makes sense...
SusanSB

ASKER

I completed the whole process on Server3 and I seem to be in the exact same place as before.  The only problem I had was in step 7, the sync.  If I read you right, I could force replication from AD Sites and Services in Step 7.  However, I had to start the KDC service to get AD Sites and Services to load, which meant I started it out of order from what the procedure said, and, as before, Server3 said it replicated and server 4 said access denied. I tried to go through the procedure again, but it would not reset the password the second time.  It did not like the username the second time through (the same username as the first time). All in all, pretty discouraging.

Here is the edited dcdiag /e /c /v /f:report after I completed the process for "Access denied" errors (Note: does "Out-of-date attribute supplementalCredentials on server4" indicate anything useful?):

Doing initial required tests
   
   Testing server: Default-First-Site-Name\server3
         ......................... server3 passed test Connectivity
   Testing server: Default-First-Site-Name\server4
         ......................... server4 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\server3
         ......................... server3 passed test Replications
         ......................... server3 passed test Topology
         ......................... server3 passed test CutoffServers
         ......................... server3 passed test NCSecDesc
         ......................... server3 passed test NetLogons
         ......................... server3 passed test Advertising
         ......................... server3 passed test KnowsOfRoleHolders
         ......................... server3 passed test RidManager
         ......................... server3 passed test MachineAccount
         ......................... server3 passed test Services
         ......................... server3 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         server3 is in domain DC=insight,DC=org
         Checking for CN=server3,OU=Domain Controllers,DC=insight,DC=org in domain DC=insight,DC=org on 2 servers
            Authoritative attribute dBCSPwd on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute dBCSPwd on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute lmPwdHistory on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute lmPwdHistory on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute ntPwdHistory on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute ntPwdHistory on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute pwdLastSet on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute pwdLastSet on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute supplementalCredentials on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 10
            Out-of-date attribute supplementalCredentials on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 7
            Authoritative attribute unicodePwd on server3 (writeable)
               usnLocalChange = 40620
               LastOriginatingDsa = server3
               usnOriginatingChange = 40620
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute unicodePwd on server4 (writeable)
               usnLocalChange = 18388
               LastOriginatingDsa = server3
               usnOriginatingChange = 31949
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
         Checking for CN=NTDS Settings,CN=server3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=insight,DC=org in domain CN=Configuration,DC=insight,DC=org on 2 servers
            Object is up-to-date on all servers.
         ......................... server3 failed test ObjectsReplicated
         ......................... server3 passed test frssysvol
         ......................... server3 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0xC000000F
            Time Generated: 04/21/2005   12:13:53
            Event String: No adapter is configured to be the default adapter. Appletalk was not initialized on any adapter. Services over AppleTalk e.g. Print Server, File Server etc. will not be  functional unless a default adapter is specified.
         An Error Event occured.  EventID: 0xC0000021
            Time Generated: 04/21/2005   12:14:59
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0001B6E
            Time Generated: 04/21/2005   12:16:27
            Event String: The DNS Server service hung on starting.
         ......................... server3 failed test systemlog
   
   Testing server: Default-First-Site-Name\server4
      Starting test: Replications
         * Replications Check
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: CN=Schema,CN=Configuration,DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 12:52.38.
            The last success occurred at 2005-04-04 14:55.55.
            80 failures have occurred since the last success.
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: CN=Configuration,DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 12:52.38.
            The last success occurred at 2005-04-04 14:55.55.
            146 failures have occurred since the last success.
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2005-04-21 12:52.38.
            The last success occurred at 2005-04-04 14:55.55.
            130 failures have occurred since the last success.
         ......................... server4 passed test Replications
         ......................... server4 passed test Topology
         ......................... server4 passed test CutoffServers
         ......................... server4 passed test NCSecDesc
         ......................... server4 passed test NetLogons
         ......................... server4 passed test Advertising
         ......................... server4 passed test KnowsOfRoleHolders
         ......................... server4 passed test RidManager
         ......................... server4 passed test MachineAccount
         ......................... server4 passed test Services
         ......................... server4 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         server4 is in domain DC=insight,DC=org
         Checking for CN=server4,OU=Domain Controllers,DC=insight,DC=org in domain DC=insight,DC=org on 2 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=server4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=insight,DC=org in domain CN=Configuration,DC=insight,DC=org on 2 servers
            Authoritative attribute options on server3 (writeable)
               usnLocalChange = 39314
               LastOriginatingDsa = server3
               usnOriginatingChange = 39314
               timeLastOriginatingChange = 2005-04-19 07:18.30
               VersionLastOriginatingChange = 1
            Out-of-date attribute options on server4 (writeable)
               usnLocalChange = 24286
               LastOriginatingDsa = server4
               usnOriginatingChange = 24286
               timeLastOriginatingChange = 2005-04-19 07:14.01
               VersionLastOriginatingChange = 1
         ......................... server4 failed test ObjectsReplicated
         ......................... server4 passed test frssysvol
         ......................... server4 passed test kccevent
         ......................... server4 passed test systemlog
            ......................... insight.org passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\server3.insight.org
         Locator Flags: 0xe00003fd
         PDC Name: \\server3.insight.org
         Locator Flags: 0xe00003fd
         Time Server Name: \\server3.insight.org
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\server3.insight.org
         Locator Flags: 0xe00003fd
         KDC Name: \\server3.insight.org
         Locator Flags: 0xe00003fd
         ......................... insight.org passed test FsmoCheck

Server4 is a long way out of date as I'm sure you've noticed. It's time to figure out which of Server3 and Server4 is going to be the most useful for getting it all working again.

Do you need AppleTalk on there? If not, remove the protocol.

Okay... first I think it would be a good idea to get DNS working on Server3 - Server3 is the boss after all. All of this is very much a case of "if it will let you".

Check the DNS Service is started on Server3

First setup DNS so it can respond to requests:

Open DNS Manager
Select Forward Lookup Zones
Create a new zone (right click, new zone) with the same name as your current Domain Name
The zone should be Primary Active Directory Integrated
If it lets you create it, select the Properties for the zone and ensure that Dynamic Updates is set to Secure Only

Select Reverse Lookup Zones
Create a new zone, the name should be like your IP Range (e.g. 192.168.0.x)
This zone should also be Primary Active Directory Integrated
Again, check the zone properties to ensure that Dynamic Updates is set to Secure Only

If it let you get that far change the Preferred DNS Server on Server3 to itself.

At the command line run:

C:\> ipconfig /flushdns
C:\> ipconfig /registerdns
C:\> net stop netlogon
C:\> net start netlogon

Then:

C:\> nslookup

This should respond with the name and IP of Server3 since NSLookup attaches you to the Preferred DNS on your server. Check it can resolve other queries:

www.google.com

If it refuses to do any of that in DNS go to Add / Remove Programs, Windows Components, remove the DNS Service, Reboot then and re-add it. Then see if it still won't let you.

If all of that does what it's supposed to, then it's time to move on... if not, we can try picking on Server4 instead. Let me know either way though and I'll post some more.

Chris
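Before deciding which DC is "the boss", it helps to read the `dcdiag /v` output above mechanically rather than by eye. As an added example (not part of Chris's reply or the original page), this Python script parses the two sections that matter here: the per-link replication failures and the ObjectsReplicated attribute versions. The SAMPLE is trimmed from the output pasted in this thread; the grouping of the password attributes as "credential attributes" and all function names are the example's own. The reason this grouping matters: the out-of-date copies on server4 are server3's own computer-account secrets (unicodePwd, pwdLastSet, ...), so server4 still holds server3's previous machine password, which is a standard cause of inbound replication from that DC failing with error 5 (access denied).

```python
"""Parse `dcdiag /v` output for replication failures and attribute version lag.
Added example, not from the thread. SAMPLE is trimmed from the dcdiag output
pasted above (only the lines the parser needs are kept).
"""
import re

FAIL_RE = re.compile(r"\[Replications Check,(?P<reporter>[^\]]+)\] A recent replication attempt failed")
FROM_RE = re.compile(r"^From (?P<src>\S+) to (?P<dst>\S+)$")
NC_RE = re.compile(r"^Naming Context: (?P<nc>.+)$")
ERR_RE = re.compile(r"generated an error \((?P<code>\d+)\)")
LAST_OK_RE = re.compile(r"^The last success occurred at (?P<when>\S+ \S+)\.$")
COUNT_RE = re.compile(r"^(?P<n>\d+) failures have occurred")
CHECK_RE = re.compile(r"^Checking for (?P<dn>CN=.+?) in domain ")
ATTR_RE = re.compile(r"^(?P<state>Authoritative|Out-of-date) attribute (?P<attr>\S+) on (?P<dc>\S+)")
KV_RE = re.compile(r"^(?P<key>\w+) = (?P<val>.+)$")

# The attributes that together hold an account's credentials. A DC with a stale copy of
# these for another DC's computer account still has that DC's old machine password.
SECRET_ATTRS = {"unicodePwd", "dBCSPwd", "ntPwdHistory", "lmPwdHistory",
                "pwdLastSet", "supplementalCredentials"}

SAMPLE = """
         [Replications Check,server4] A recent replication attempt failed:
            From server3 to server4
            Naming Context: DC=insight,DC=org
            The replication generated an error (5):
            Access is denied.
            The last success occurred at 2005-04-04 14:55.55.
            130 failures have occurred since the last success.
         Checking for CN=server3,OU=Domain Controllers,DC=insight,DC=org in domain DC=insight,DC=org on 2 servers
            Authoritative attribute pwdLastSet on server3 (writeable)
               LastOriginatingDsa = server3
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute pwdLastSet on server4 (writeable)
               LastOriginatingDsa = server3
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
            Authoritative attribute unicodePwd on server3 (writeable)
               LastOriginatingDsa = server3
               timeLastOriginatingChange = 2005-04-21 09:21.16
               VersionLastOriginatingChange = 11
            Out-of-date attribute unicodePwd on server4 (writeable)
               LastOriginatingDsa = server3
               timeLastOriginatingChange = 2005-03-08 06:08.08
               VersionLastOriginatingChange = 8
"""


def parse_dcdiag(text):
    """Return (failures, attrs): one dict per failed replication link and per attribute copy."""
    failures, attrs = [], []
    fail = attr = obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := FAIL_RE.search(line):
            fail, attr = {"reporter": m["reporter"]}, None
            failures.append(fail)
        elif m := CHECK_RE.match(line):
            obj, fail, attr = m["dn"], None, None
        elif m := ATTR_RE.match(line):
            attr, fail = {"object": obj, "state": m["state"], "attr": m["attr"], "dc": m["dc"]}, None
            attrs.append(attr)
        elif fail is not None:
            if m := FROM_RE.match(line):
                fail["source"], fail["dest"] = m["src"], m["dst"]
            elif m := NC_RE.match(line):
                fail["nc"] = m["nc"]
            elif m := ERR_RE.search(line):
                fail["error"] = int(m["code"])  # 5 is ERROR_ACCESS_DENIED
            elif m := LAST_OK_RE.match(line):
                fail["last_success"] = m["when"]
            elif m := COUNT_RE.match(line):
                fail["count"] = int(m["n"])
        elif attr is not None and (m := KV_RE.match(line)):
            attr[m["key"]] = m["val"]
    return failures, attrs


def version_lag(attrs):
    """Pair each Out-of-date copy with the Authoritative one and say how far behind it is."""
    newest = {(a["object"], a["attr"]): a for a in attrs if a["state"] == "Authoritative"}
    lag = []
    for a in attrs:
        auth = newest.get((a["object"], a["attr"])) if a["state"] == "Out-of-date" else None
        if auth is not None:
            lag.append({"object": a["object"], "attr": a["attr"],
                        "stale_dc": a["dc"], "current_dc": auth["dc"],
                        "stale_version": int(a["VersionLastOriginatingChange"]),
                        "current_version": int(auth["VersionLastOriginatingChange"]),
                        "stale_since": a["timeLastOriginatingChange"]})
    return lag


def stale_secrets(lag):
    """{(stale_dc, object_dn): [credential attrs]} for DCs holding outdated secrets."""
    out = {}
    for item in lag:
        if item["attr"] in SECRET_ATTRS:
            out.setdefault((item["stale_dc"], item["object"]), []).append(item["attr"])
    return {k: sorted(v) for k, v in out.items()}
```

Feed it the full `dcdiag /v` capture and `stale_secrets(version_lag(attrs))` names the DC that is behind on someone's credentials; on the output above it reports server4 holding stale pwdLastSet and unicodePwd for CN=server3, which lines up with the "Access is denied" on every naming context server4 pulls from server3.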
SusanSB (ASKER):

Nope, no go "The forward lookup zone cannot be added, The Active Directory Service is not available."  "The reverse lookup zone cannot be added. The AD Service is not available."  It was still loading the reverse lookup zone prior to removing DNS.  From the DNS on server3, I can connect to Server 4 and see the forward lookup zone (AD integrated) on it.

I am still getting Event 13562 NTFRS Gen: Could not Bind to a DC .

And if I do NTFRSUTL ds server3, it returns
NTFRS CONFIGURATION IN THE DS
FRS DomainControllerName: (null)
Computer name: Server3
ComputerDNS Name: server3.insight.org
ldap_connect: server3.insight.org
ERROR - ldap_bind_s(servver3): ldap error 00000031 = invalid credentials.

It all seems to point to getting the two servers synced so AD can start and replication can begin.   Syncing servers should not be this hard!

You're right it shouldn't...

There's an article on fixing the NTFRS service here:

http://support.microsoft.com/kb/290762

But it may not work in this case as Server3 doesn't seem to be happy enough with its current job.

How do you feel about trying to make Server4 the boss? The DNS Service is working there, and am I right in thinking you can load the AD tools?

This would mean removing Server3 from the network, Seizing the FSMO roles (which means Server3 would have to be rebuilt), and cleaning up AD before Server3 could come back on.
SusanSB (ASKER):

I just spent some time on Server4, and just on a lark tried a repadmin /syncall on it, which returns "Replication suppressed by user request"
If I run repadmin /synchall on Server3, it claims to complete the sync.  

Server4 has almost no bad events, but this one seems interesting, and I am not sure what produced it, since I cannot seem to make it happen again: Event 1000 userenv Windows cannot access the registry information at \\insight.org\sysvol\insight.org\policies\{31B2f...}\Machine\registry.pol with (1327).  Of course, this particular error appears nowhere in technet or google (the 1327).  I am not getting event 1001 which would indicate a time synch problem.  

Actually, I am getting dangerously close to reformatting both of them and starting over from scratch.  

You know what, I am ready to make Server 3 the boss - a last ditch effort.  The DNS is working on it, it is happy.  Can you point me in the right direction? I assume I can't demote Server3, since it cannot access the AD.

Okay here we go then :)

Make sure server3 is switched off... and ensure it never comes back on without the reformat thing.

After that...

1. Check Server4 is a Global Catalog Server:

Open Active Directory Sites and Services
Find the server and select NTDS Settings
Select Properties and check that the Global Catalog box is ticked

2. FSMO Roles

From your notes above I see Server3 had them all, so this is how to get Server4 to grab them:

Start
Run
ntdsutil

This brings up the NTDSUtil window, in there type:

Roles
Connections
Connect to Server Server4
Quit <drops you back to FSMO Maintenance>

To take over the roles type (this is the point of no return):

Seize PDC
Seize RID Master
Seize Infrastructure Master
Seize Domain Naming Master
Seize Schema Master

Ensure each is taken from Server3 correctly. And you can verify where they all are with:

Select Operation Target
List Roles for Connected Server

Then type Quit until it lets you out.

3. Check DNS Registration

Make sure Server4 updates the entries in DNS from the command prompt with:

ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

4. Remove references to the old DC

There's a better description than I can fit in for this step here to describe how to remove Server3 from Active Directory:

http://www.petri.co.il/fix_unsuccessful_demotion.htm

5. Check it all works

Check all the event logs, DCDiag and NetDiag, try joining a PC to the domain, and finally, try joining a DC to the domain.

That should cover it all.
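Step 3 restarts Netlogon so the surviving DC re-registers its locator records, and the earlier netdiag "DNS entries for this DC are not registered" and dcdiag "GUID could not be resolved to an IP address" messages are what it looks like when they are missing. As an added example (not from Chris's post or the original page), the Python below builds the record set Netlogon registers for a DC and checks each one against a resolver. The resolver is a parameter so the check runs offline here against a constructed zone snapshot; in production pass a lookup backed by dnspython or your own DNS client. The GUIDs, site name, address and all function names are made up for the example.

```python
"""Check that a domain controller's Netlogon-registered DNS records are present.
Added example, not from the thread. The resolver is a parameter so the check runs
offline here against a constructed zone; in production pass a real DNS lookup.
"""


def dc_locator_records(dc_fqdn, domain, forest, site, dsa_guid, domain_guid,
                       pdc=False, gc=False):
    """(rtype, name, expected_target) tuples Netlogon registers for one DC.

    These are the names a DC writes to %SystemRoot%\\system32\\config\\netlogon.dns
    and re-registers when Netlogon starts (net stop/start netlogon, ipconfig /registerdns).
    """
    dc = dc_fqdn.lower()
    srv = [
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kerberos._tcp.{site}._sites.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_kpasswd._udp.{domain}",
    ]
    if pdc:  # only the PDC emulator registers this one
        srv.append(f"_ldap._tcp.pdc._msdcs.{domain}")
    if gc:  # global catalog servers register these forest-wide names
        srv += [
            f"_gc._tcp.{forest}",
            f"_gc._tcp.{site}._sites.{forest}",
            f"_ldap._tcp.gc._msdcs.{forest}",
            f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}",
        ]
    records = [("SRV", name.lower(), dc) for name in srv]
    # dcdiag's connectivity test resolves this CNAME (the NTDS Settings object GUID);
    # "GUID could not be resolved to an IP address" means it is missing or wrong.
    records.append(("CNAME", f"{dsa_guid}._msdcs.{forest}".lower(), dc))
    records.append(("A", dc, None))
    return records


def missing_records(records, resolve):
    """Records that do not resolve, or resolve but do not point at this DC.

    resolve(rtype, name) returns a list of targets (hostnames for SRV/CNAME, addresses
    for A) or an empty list when the name does not exist.
    """
    missing = []
    for rtype, name, target in records:
        answers = [a.lower().rstrip(".") for a in resolve(rtype, name)]
        if not answers or (target is not None and target not in answers):
            missing.append((rtype, name))
    return missing


def make_fake_resolver(zone):
    """Offline resolver over {(rtype, name): [targets]}; stands in for real DNS."""
    return lambda rtype, name: zone.get((rtype, name.lower()), [])


# Constructed snapshot of insight.org in the state the thread describes: server3 has an
# A record (it was pingable) but its DSA GUID CNAME is absent. GUIDs, site and address
# are made up for the example.
DSA_GUID = "3a2b1c0d-1111-2222-3333-444455556666"
DOMAIN_GUID = "9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff"
SITE = "Default-First-Site-Name"
DC = "server3.insight.org"
EXPECTED = dc_locator_records(DC, "insight.org", "insight.org", SITE,
                              DSA_GUID, DOMAIN_GUID, pdc=True, gc=True)
ZONE = {("SRV", name): [DC] for rtype, name, _ in EXPECTED if rtype == "SRV"}
ZONE[("A", DC)] = ["192.168.0.3"]


def check_thread_zone():
    """Run the check against the constructed zone; returns the missing records."""
    return missing_records(EXPECTED, make_fake_resolver(ZONE))
```

Run it after the `net start netlogon` in step 3 (with a real resolver) and an empty list means the DC is findable by the locator; a non-empty list names exactly which records to look for in the zone. Records that resolve but point at the wrong host count as missing on purpose, since a stale SRV target sends clients to a DC that no longer exists.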
SusanSB (ASKER):

Off I go with the first problem.  Everything appeared to go well, but something was missed, clearly. I seized roles (it looked to me I was successful), and flushed and registered DNS in ipconfig, stopped and started netlogon.  I got through the instructions for fixing an unsuccessful DC demotion, till I got to the ADSIEdit. When I open ADSI edit, I get an error, "The server is not operational", and then it opens thus

ADSIEdit
DomainNC [Server4.insight.com]
Configuration container [Server4.insight.com]
Schema [Server4.insight.com]
DomainNC [Server4.insight.com]
DomainNC [Server4.insight.com]
DomainNC [Server4.insight.com]
DomainNC [Server3]

I can remove DomainNC [Server3], but it is back next time I open ADSIEdit, so obviously I missed something.   Server 3 is gone from the DNS.  Does anything jump out at you as being what I missed?  I have not rebooted, though I am reluctant to do so till I figure out where Server3 is still hanging in there.
ASKER CERTIFIED SOLUTION (Chris Dent)

SusanSB (ASKER):

Hey Chris -- Rebooted and it is looking good - no events that are troubling and users able to log on with no difficulties.  I believe I can reformat Server3 and promote it and all would be well.  However....

After thinking about it over the weekend, I came up with this:
1)  I am happy this network was not in production and was still in test mode
2) Win2000 will be out of support soon
3) Maybe it is time to think about trashing the whole thing while I can just install 2003 Server without trying to upgrade.  

To that end, I ordered 2003 Server today and will embark on a new adventure later this week, and I will Accept your last post.  Thank you for all your help and your patience, which has been formidable.

Hey,

Understandable concerns, the support for Windows 2000 (Mainstream) should come to an end in June, at least in theory.

Windows 2003 Server is a reasonable upgrade though, generally a lot nicer to work with than 2000 - although in broad terms there isn't really all that much difference.

Otherwise, happy I could help out :)

Chris