• Status: Solved

primary domain controller (PDC) emulator cannot be contacted

When I attempt to check my trusts by right clicking on my AD Domain, I get the error: "you cannot modify domain or trust information because a primary domain controller (PDC) emulator cannot be contacted. Please verify that the PDC emulator and the network are both online and functioning properly."
 I am not sure what is causing this. I don't know if this is the same issue or not, but I also don't know if I have a global catalog server or not, or how to make my DC a GC. Thanks for any help.
Asked by: Rock996
 
Chris DentPowerShell DeveloperCommented:

To check if you have a PDC Emulator do this lot:

Start
Run
ntdsutil

This brings up a lovely black screen with the ntdsutil prompt. Typing the following will tell you where all the FSMO roles are (including the PDC emulator):

Roles
Connections
Connect to Server <Then the name of any of your Domain Controllers>
Quit
Select Operation Target
List Roles for Connected Server

And you get a screen full of data telling where each of the roles are, the line you want looks something like this:

PDC - CN=NTDS Settings,CN=<The Name of the Server That is PDC Goes here>

Followed by the rest of the ADS path (which you don't need to worry about too much). Make sure that server exists though - the PDC Emulator is quite important.

If the server is the right one then just type Quit until NTDSUtil exits. If not post again and it can be fixed.

To check something is a Global Catalog open Active Directory Sites and Services and find your server in the tree. Underneath it you should see NTDS Settings, right click on there and select properties and there will be a little tick box for Global Catalog. That's all you have to do to make something a GC.

Hope this helps so far.

Chris
0
 
Rock996Author Commented:
Thanks Chris, that helped a lot. I have gotten the info from the ntdsutil. It looks like I have the correct name loaded for the PDC: "PDC - CN=NTDS Settings\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97,CN=CCI_DC".
The server name is CCI_DC but I still get the error I mentioned earlier. Is it possible to reregister CCI_DC as the PDC? If I haven't given enough info, please let me know, and thank you for the help so far.

Eric
0
 
mikeleebrlaCommented:
0

 
Chris DentPowerShell DeveloperCommented:

This bit:

\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97

Doesn't look too helpful - did you have a domain controller fail at some point? Are any of the other FSMO roles displaying like that?

To make sure your CCI_DC is the PDC do:

Start
Run
ntdsutil

Roles
Connections
Connect to Server CCI_DC
Quit

Then first try:

Transfer PDC

If that fails try:

Seize PDC

We're pretty safe doing this with the PDC without making absolutely sure that the server that holds it is never coming back. But for most of the other roles, seizing is a pretty serious step.
0
 
Rock996Author Commented:
Okay, I seized the PDC and it is now listing it correctly in the ntdsutil: "PDC - CN=NTDS Settings,CN=CCI_DC". But the problem still exists when I try and check the properties of the AD. Am I missing something still?
0
 
Chris DentPowerShell DeveloperCommented:

Do this little lot from the command line and try again:

ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

It's possible it just isn't registered in DNS, those commands should make it check everything has been registered properly.
0
 
mikeleebrlaCommented:
Also run dcdiag and netdiag on your DCs from the command line... these are two tests that test to see if your domain is set up correctly. If you don't have these tools installed you can install them from MS's website for free.

0
 
Rock996Author Commented:
I am still getting the same error. I have the correct machine listed in NTDSUTIL, but I am unable to check Trusts because it says the PDC does not exist. I also get this error when I attempt to check Group Policies: "Domain controller not Found. The Domain Controller for Group Policy operations is not available"
0
 
Chris DentPowerShell DeveloperCommented:

Can you drop in the full output from ntdsutil above for where it thinks the roles are assigned? And dcdiag / netdiag as Mike suggests would be good.
0
 
Rock996Author Commented:
I get a lot of test failures when I run DCDIAG. When I run DCDIAG it also seems to still be holding that \0ADEL:8daa7e71-2851-4a59-ab91-706930738b97 as the domain controller instead of the name. That no longer shows up during a check of the PDC in the NTdiagUtil. Here are some of the errors.............
 Warning: CCI_DC is not advertising as a time server.
         ......................... CCI_DC failed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: CN=NTDS Settings\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97,CN
=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=us,DC
=ccius,DC=com is the Rid Owner, but is deleted.
         ......................... CCI_DC failed test KnowsOfRoleHolders
      Starting test: RidManager
         Warning: FSMO Role Owner is deleted.
         Warning: attribute rIdSetReferences missing from CN=CCI_DC,OU=Domain Co
ntrollers,DC=us,DC=ccius,DC=com
The last one says: Warning: DcGetDcName(PDC_Required) call failed, error 1355 A Primary Domain Controller Could not be located. The server holding the PDC role is down


0
 
Rock996Author Commented:
Okay, this is a lot of text, but here is the full txt from both tests:  

NTDSUTIL:

fsmo maintenance: transfer PDC
Server "CCI_DC" knows about 5 roles
Schema - CN=NTDS Settings,CN=JEDI,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=us,DC=ccius,DC=com
Domain - CN=NTDS Settings,CN=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sit
es,CN=Configuration,DC=us,DC=ccius,DC=com
PDC - CN=NTDS Settings,CN=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
CN=Configuration,DC=us,DC=ccius,DC=com
RID - CN=NTDS Settings\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97,CN=CCI_DC,CN=S
ervers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=us,DC=ccius,DC=co
m
Infrastructure - CN=NTDS Settings,CN=JEDI,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=us,DC=ccius,DC=com
fsmo maintenance: quit
ntdsutil: quit

DCDIAG:

C:\Documents and Settings\Administrator.CCIUS>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CCI_DC
      Starting test: Connectivity
         ......................... CCI_DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CCI_DC
      Starting test: Replications
         ......................... CCI_DC passed test Replications
      Starting test: NCSecDesc
         ......................... CCI_DC passed test NCSecDesc
      Starting test: NetLogons
         ......................... CCI_DC passed test NetLogons
      Starting test: Advertising
         Warning: CCI_DC is not advertising as a time server.
         ......................... CCI_DC failed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: CN=NTDS Settings\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97,C
=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=us,D
=ccius,DC=com is the Rid Owner, but is deleted.
         ......................... CCI_DC failed test KnowsOfRoleHolders
      Starting test: RidManager
         Warning: FSMO Role Owner is deleted.
         Warning: attribute rIdSetReferences missing from CN=CCI_DC,OU=Domain C
ntrollers,DC=us,DC=ccius,DC=com
         Could not get Rid set Reference :failed with 8481: The search failed t
 retrieve attributes from the database.
         ......................... CCI_DC failed test RidManager
      Starting test: MachineAccount
         ......................... CCI_DC passed test MachineAccount
      Starting test: Services
         ......................... CCI_DC passed test Services
      Starting test: ObjectsReplicated
         ......................... CCI_DC passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... CCI_DC passed test frssysvol
      Starting test: frsevent
         Error 5 opening FRS eventlog \\CCI_DC:File Replication Service:
 Access is denied.
         ......................... CCI_DC failed test frsevent
      Starting test: kccevent
         Error 5 opening FRS eventlog \\CCI_DC:Directory Service:
 Access is denied.
         Failed to enumerate event log records, error Access is denied.
         ......................... CCI_DC failed test kccevent
      Starting test: systemlog
         Error 5 opening FRS eventlog \\CCI_DC:System:
 Access is denied.
         Failed to enumerate event log records, error Access is denied.
         ......................... CCI_DC failed test systemlog
      Starting test: VerifyReferences
         ......................... CCI_DC passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidatio

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidatio

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : us
      Starting test: CrossRefValidation
         ......................... us passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... us passed test CheckSDRefDom

   Running enterprise tests on : us.ccius.com
      Starting test: Intersite
         ......................... us.ccius.com passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 13
5
         A Good Time Server could not be located.
         ......................... us.ccius.com failed test FsmoCheck

C:\Documents and Settings\Administrator.CCIUS>PDC - CN=NTDS Settings,CN=CCI_DC




0
 
mikeleebrlaCommented:
You have more than 1 DC, right? I would transfer all the roles to one, wait 20 min or so and then run the tests again.
0
 
Chris DentPowerShell DeveloperCommented:

The RID Master role needs to be moved to a server that is alive... this will do it:

Start
Run
ntdsutil
Roles
Connections
Connect to Server CCI_DC
Quit
Seize RID Master

Seize for this role is acceptable since the DC it is hosted on has been deleted.

Give it 20 minutes, then rerun dcdiag again...
0
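The check made by eye on the role listing above can be scripted. This is an added example, not part of the thread: it parses the ntdsutil output as posted, re-joins the DNs that the console wrapped, and flags any role whose owner DN carries the `\0ADEL:<GUID>` marker that Active Directory puts on the name of a deleted object. The function names are illustrative.

```python
import re

# ntdsutil role listing as posted in this thread, including the 80-column
# console wrapping of the long DNs.
NTDSUTIL_OUTPUT = r"""Server "CCI_DC" knows about 5 roles
Schema - CN=NTDS Settings,CN=JEDI,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=us,DC=ccius,DC=com
Domain - CN=NTDS Settings,CN=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sit
es,CN=Configuration,DC=us,DC=ccius,DC=com
PDC - CN=NTDS Settings,CN=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
CN=Configuration,DC=us,DC=ccius,DC=com
RID - CN=NTDS Settings\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97,CN=CCI_DC,CN=S
ervers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=us,DC=ccius,DC=co
m
Infrastructure - CN=NTDS Settings,CN=JEDI,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=us,DC=ccius,DC=com
"""

ROLE_LINE = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure) - (.*)$")
# A deleted object has its RDN rewritten to <name>\0ADEL:<objectGUID>.
DELETED_RDN = re.compile(r"\\0ADEL:([0-9a-fA-F-]{36})")
NOT_A_DN = ("Server ", "fsmo ", "ntdsutil")

def parse_roles(text):
    """Return {role: {"dn", "server", "deleted", "guid"}} from ntdsutil output."""
    roles, current = {}, None
    for line in text.splitlines():
        m = ROLE_LINE.match(line)
        if m:
            current = m.group(1)
            roles[current] = m.group(2)
        elif current and line and not line.startswith(NOT_A_DN):
            roles[current] += line          # tail of a console-wrapped DN
    result = {}
    for role, dn in roles.items():
        deleted = DELETED_RDN.search(dn)
        # The server name is the RDN that follows the NTDS Settings component.
        server = re.search(r"^CN=NTDS Settings[^,]*,CN=([^,]+)", dn)
        result[role] = {
            "dn": dn,
            "server": server.group(1) if server else None,
            "deleted": bool(deleted),
            "guid": deleted.group(1) if deleted else None,
        }
    return result

def stale_roles(text):
    """Roles whose owner points at a deleted NTDS Settings object."""
    return sorted(r for r, info in parse_roles(text).items() if info["deleted"])

if __name__ == "__main__":
    for role, info in parse_roles(NTDSUTIL_OUTPUT).items():
        state = "owner object deleted" if info["deleted"] else "ok"
        print(f"{role:15} {str(info['server']):8} {state}")
```

On the listing above only the RID role is flagged; the PDC entry already points at a live NTDS Settings object.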
 
Rock996Author Commented:
I waited about a half hour after seizing the PDC and RID roles for the server called CCI_DC. I still got the same error. I then took my backup controller and transferred the roles to it. I still get the same error. I cannot get a PDC recognized by either DC.
0
 
Chris DentPowerShell DeveloperCommented:

Silly one first, can you check the Windows Time service is started on CCI_DC.

Fun stuff... it doesn't look like they are registering ownership of the services in DNS correctly. Now this isn't too surprising actually because by default DNS does not support names with underscores in.

So head to your DNS Server and follow the instructions in here:

http://www.petri.co.il/naming_convention_in_windows_2000_2003_dns.htm

Once done try:

ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

Then see if the errors are still in DCDiag.
0
 
Rock996Author Commented:
I wish I could offer more help, but this problem still exists. I have made all of the changes suggested and the problem persists. I think they have had a machine that did not get demoted properly set up as the same name in the past (cci_dc). I think that may be where the \0ADEL:8daa7e71-2851-4a59-ab91-706930738b97 characters are coming from. I can't understand why handing all of this off to the Backup DC hasn't resolved it either though. The timer server is running. I checked that after reading the dcdiag. Still shows as not running in the diag though.
0
 
Chris DentPowerShell DeveloperCommented:

It might be worth Transferring the PDC Role to Jedi, just to see if it still reports the same problem.

The steps for that one are:

Start
Run
ntdsutil
Roles
Connections
Connect to Server Jedi
Quit
Transfer PDC

Chris
0
 
Rock996Author Commented:
Sorry, I wasn't more clear. I did transfer it to Jedi and I still have the same problem. The result of this problem is the trust to our remote site is down. That is why the urgency to resolve this.
0
 
Chris DentPowerShell DeveloperCommented:

Well it's possible that it's a problem with DNS, happy to go ahead and re-create the DNS zones to see if that has any effect?

I'll go and find out where I left the steps to do it.
0
 
Chris DentPowerShell DeveloperCommented:

Okay... this is the article we need to use, let me know if you have any questions about it:

http://support.microsoft.com/?kbid=305967

This completely deletes any information stored in DNS, and should not be performed without preparation if you have a lot of static records in DNS.

If the records are all dynamically registered you should have no problem.

Chris
0
 
Rock996Author Commented:
I went through that article and followed the instructions to clear bad data. I am going to give it some time to repopulate and I will recheck the PDC status; an immediate check still failed.
0
 
Rock996Author Commented:
I appreciate all of the help you have given so far, but I am still at a loss here. I still am not able to get past the No PDC message. DCDiag still reports:
 Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.

0
 
Chris DentPowerShell DeveloperCommented:

Okay in theory DNS is advertising the correct server now, but it would be a good idea to make absolutely sure...

Open DNS Manager, expand the _msdcs folder then the _pdc folder and the _tcp folder under that one.

There should be an _ldap record in there and the name of a server which will hopefully match the name of your normal server?

Chris
0
 
Rock996Author Commented:
You are correct, it is advertising the correct name in the _ldap record.
It is also still giving me the error that says no PDC emulator found.
0
 
Rock996Author Commented:
If I have to go into every machine and manually set the PDC and every instance that MS looks, I will. Do you have any other suggestions on forcing the correct machine to be the PDC? I have already done the seize with no change in error messages. Are there any other settings I can manually change or clear?
0
 
Chris DentPowerShell DeveloperCommented:

Sorry for the lack of response... holiday yesterday and stuff.

Okay, if DNS is reporting it correctly then it points more towards something in the AD database being incorrect. You may want to consider following the steps in this article - I'm not sure how far you'll get since the status of the dead server was a bit ambiguous:

http://www.petri.co.il/fix_unsuccessful_demotion.htm

See how that goes to start with if you could.

Chris
0
 
Rock996Author Commented:
No problem Chris, I understand the holiday, I appreciate the help you've given so far. I read the document yesterday and it reported the correct DC and all of the correct machines; nothing seems wrong using that article, but from it I decided to do a few things. I transferred the PDC role to Jedi (the BDC) last week. I verified that DcDiag saw Jedi as the PDC. I then demoted CCI_DC (the current DC) to a standalone server and then shut it down. I reran the commands in the document you suggested and it still reported correctly: CCI_DC was now gone from the list and just Jedi showed up, authentication was fine, DCDiag still reported no PDC:
 (Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.)
I brought up a new server (also Server 2003) and promoted it to a DC and then transferred PDC roles to it. The above document and Dcdiag verified the successful transfer but still reported that the server holding the PDC role is down. So my question is this: if it is being seen as the PDC by DNS, Ntdsutil, and most of the tests in DCdiag, where is it looking when it does the FsmoCheck? If I know where that is, maybe I can change that. It seems to have the PDC role correct in most of the locations it should, but whatever the Trust uses and the FsmoCheck uses, it is still advertising an incorrect setting.

thanks again,
Eric
0
 
Chris DentPowerShell DeveloperCommented:

Hi Eric,

Let's try this one first:

dcdiag /fix

On the off chance that repairs the problem.

If not, could you try the more detailed report from dcdiag, if you run it with these switches:

dcdiag /e /c /v /f:logfile.txt

It tests every DC in the network looking for problems, performs pretty much every test it has, and writes the report to logfile.txt.
0
 
Rock996Author Commented:
The "dcdiag /e /c /v /f:logfile.txt" gave me enough info to figure it out. It always ends up being something simple and dumb. An old NT server on the network was advertising itself as the PDC. The extended DCDIAG reported that it was advertising. I shut the NT server down and everything started working. Chris, thank you very much for all the help over the last weeks.

Eric
0
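The dcdiag output in this thread mixes two kinds of evidence: KnowsOfRoleHolders reports the role owner DN stored in the directory, while FsmoCheck reports what the DC locator call DcGetDcName returned. The sketch below is an added example, not part of the thread, with illustrative function names. It re-joins console-wrapped lines in a dcdiag log and sorts the failed tests into those two groups, so a locator failure that persists after the role owners are repaired stands out as a discovery or advertising problem.

```python
import re

# Excerpt assembled from the dcdiag output posted in this thread; lines the
# 80-column console wrapped are left wrapped, as they appear when pasted.
DCDIAG_EXCERPT = r"""
      Starting test: KnowsOfRoleHolders
         Warning: CN=NTDS Settings\0ADEL:8daa7e71-2851-4a59-ab91-706930738b97,CN
=CCI_DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=us,DC
=ccius,DC=com is the Rid Owner, but is deleted.
         ......................... CCI_DC failed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... CCI_DC passed test MachineAccount

   Running enterprise tests on : us.ccius.com
      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... us.ccius.com failed test FsmoCheck
"""

LOCATOR = re.compile(r"DcGetDcName\((\w+)\) call failed, error (\d+)")
RESULT = re.compile(r"\.{5,} (\S+) (passed|failed) test (\w+)")

def unwrap(text):
    """A column-0 line right after an indented line is a wrapped tail."""
    out, in_body = [], False
    for line in text.splitlines():
        if in_body and line and not line[0].isspace():
            out[-1] += line
        else:
            if line.strip():
                out.append(line)
            in_body = bool(line.strip()) and line[0].isspace()
    return out

def triage(text):
    """Sort failed tests: DC locator lookups vs. stale directory objects."""
    report = {"locator": [], "directory": [], "other": []}
    messages = []
    for line in map(str.strip, unwrap(text)):
        result = RESULT.match(line)
        if line.startswith("Starting test:"):
            messages = []
        elif result is None:
            messages.append(line)
        elif result.group(2) == "failed":
            blob, test = " ".join(messages), result.group(3)
            lookups = [(f, int(c)) for f, c in LOCATOR.findall(blob)]
            if lookups:
                report["locator"].append((test, lookups))
            elif "\\0ADEL:" in blob or "is deleted" in blob:
                report["directory"].append((test, blob))
            else:
                report["other"].append((test, blob))
    return report

if __name__ == "__main__":
    for kind, failures in triage(DCDIAG_EXCERPT).items():
        print(kind, [test for test, _ in failures])
```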
 
Chris DentPowerShell DeveloperCommented:

Pleasure Eric... glad it's all working now.

Chris
0
 
RajneeshchauhanCommented:
***ERROR: There is an inconsistency in the DS, suggest you run dcdiag in a
few moments, perhaps on a different DC.
0
