Solved

2003 DC Errors (DFS

Posted on 2005-04-21
Last Modified: 2011-08-18
I have a small network with 2 DCs.  On the primary DC I am getting a large number of errors.  I recently cleared the logs and restarted the machine so I could track down the cause(s).

SystemEventLog:
Error: DFS could not contact any DC for Domain DFS operations. This operation will be retried periodically.  (MS Help Center has no additional information on the error.)
Warning: DFS Root DFSRoot failed during initialization. The root will not be available.
Information: DFS has finished building all namespaces.  

[This might look timing related]

Shortly thereafter:
Warning: The Security System detected an authentication error for the server LDAP/DENEB.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".
Warning: The Security System could not establish a secured connection with the server LDAP/DENEB.  No authentication protocol was available.
Error: The PrintQueue Container could not be found because the DNS Domain name could not be retrieved.  Error: 54b

And the application log has been showing errors such as:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=continuum,DC=SoftwareDesign,DC=com. The file must be present at the location <\\domainname.SoftwareDesign.com\sysvol\domainname.SoftwareDesign.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

I must admit, I am at a loss to even begin troubleshooting this.

Any sage advice?
0
Question by:Robert_A_
6 Comments
 
LVL 20

Assisted Solution

by:Lazarus
Lazarus earned 1000 total points
ID: 13839753
What is your EVENT ID: code given in your logs for those errors?

DFS uses the PDC operations master for any updates necessary to the DFS metadata. If the PDC does not exist, the error reported back to DFS is usually "System error 1355 has occurred. The specified domain either does not exist or could not be contacted."

This is the error that DFS reports back to the administrator.

Solution
Make sure the PDC operations master exists, and that information about the current PDC is available on the client. To report this information on the client, use:

Nltest /dsgetdc:domainname /pdc

Look here for other info: http://www.microsoft.com/windows2000/techinfo/administration/fileandprint/dfsbp.asp

If you can give me the actual EVENT ID though, that would help us further along.
0
 

Author Comment

by:Robert_A_
ID: 13840007
SystemLog
Event ID 14523 [Error] DFS could not contact any DC for Domain DFS operations (Source = DFSSVC)
Event ID 14534 [Warning] DFS Root DFSRoot failed during initialization (Source = DFSSVC)
Event ID 14533 [Information] DFS has finished building all namespaces  (Source = DFSSVC)
...
Event ID 40960 [Error] The Security System detected an authentication error (Source = LSASRV)
Event ID 40961 [Error] The Security System could not establish a secured connection (Source = LSASRV)
...
Event ID 33 [Error] The PrintQueue Container could not be found because the DNS Domain name could not be retrieved (Source = Print)

ApplicationLog:
Event ID 1058 [Error] Windows cannot access the file gpt.ini for GPO ... (Source=Userenv)

nltest seemed to indicate that everything is fine: All of the names and addresses were correct.

I have two suspicions about the cause of these errors:
  1.  The DC was renamed; I followed the MS KB article, but I don't trust coincidences...
  2.  I added a USB 2.0 PCI controller that is NOT on the WHC list (couldn't find or afford the WHC ones).  The card is working correctly, but it did blue screen on my first attempt to install drivers.

It may be time to re-sys the machine... (I don't really have the time right now though).

Thanks
0
 
LVL 20

Assisted Solution

by:Lazarus
Lazarus earned 1000 total points
ID: 13840039
I doubt that your driver has anything to do with it, but that would be easy to test by removing it.
But the renaming issue is of great concern. That is a big problem.
I've looked at all of your error codes and those are some very difficult ones, that I just can find nothing of real help on at all. Sorry to say.
Have you run DCDIAG /FIX and NETDIAG /FIX yet? They may be of some help, but I'm thinking you might be pretty well up that brown creek we all hear about. LOL
0
 
LVL 1

Accepted Solution

by:jonsey5090
jonsey5090 earned 1000 total points
ID: 13841639
I think renaming your DC has to be the problem, especially if it was the main Operations Master. As Lazarus pointed out, make sure that your PDC emulator is correct; this can be done through ADUC - right click on your domain and click operations masters. Make sure that all your operations masters are correct; if they aren't, you can either try and move the roles from within ADUC or seize the roles using NTDSUtil.

Another problem that can occur when you change the name of a DC is that your DNS resource records do not get updated. You could try running DCPromo to automatically update your stale DNS records, or manually go through DNS finding all resource records with the old name of your DC and amending them. I imagine that this is the problem, as the old name of your DC is stated in the event log.

I suggest you go through every resource record in DNS, especially Kerberos and LDAP services.

Good luck. Jonesy.
0
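The DNS check suggested in the accepted answer, as an added example that is not part of the original thread: a Python script that scans zone-file-style records (an exported zone, or the DC's netlogon.dns file) for SRV, CNAME, NS and A records that still name the old DC. The sample records are constructed from the names given in the thread, the addresses are documentation placeholders, and `find_stale` and `first_label` are hypothetical helper names.

```python
# Constructed sample records in zone-file style; host and domain names are
# the ones mentioned in the thread, addresses are documentation placeholders.
SAMPLE = """\
_ldap._tcp.continuum.SoftwareDesign.com. 600 IN SRV 0 100 389 midgaard.continuum.SoftwareDesign.com.
_ldap._tcp.pdc._msdcs.continuum.SoftwareDesign.com. 600 IN SRV 0 100 389 deneb.continuum.SoftwareDesign.com.
_kerberos._tcp.continuum.SoftwareDesign.com. 600 IN SRV 0 100 88 midgaard.continuum.SoftwareDesign.com.
_kerberos._tcp.dc._msdcs.continuum.SoftwareDesign.com. 600 IN SRV 0 100 88 deneb.continuum.SoftwareDesign.com.
; comment lines and blank lines are ignored
midgaard.continuum.SoftwareDesign.com. 1200 IN A 192.0.2.10
gc._msdcs.continuum.SoftwareDesign.com. 600 IN A 192.0.2.10
deneb.continuum.SoftwareDesign.com. 1200 IN A 192.0.2.10
abc123._msdcs.continuum.SoftwareDesign.com. 600 IN CNAME Midgaard.continuum.SoftwareDesign.com.
"""


def first_label(name):
    """Host part of an FQDN, lower-cased because DNS names are case-insensitive."""
    return name.rstrip(".").split(".")[0].lower()


def find_stale(zone_text, old_host):
    """Return (owner, type, detail) for every record that still names old_host."""
    old = old_host.lower()
    stale = []
    for raw in zone_text.splitlines():
        tokens = raw.split(";", 1)[0].split()  # drop comments, then tokenize
        if "IN" not in tokens:
            continue
        i = tokens.index("IN")
        if i == 0 or len(tokens) < i + 3:
            continue  # no owner name, or no record data
        owner, rtype, rdata = tokens[0], tokens[i + 1].upper(), tokens[i + 2:]
        # SRV rdata is: priority weight port target
        if rtype == "SRV" and len(rdata) == 4 and first_label(rdata[3]) == old:
            stale.append((owner, rtype, f"port {rdata[2]} -> {rdata[3]}"))
        elif rtype in ("CNAME", "NS") and first_label(rdata[0]) == old:
            stale.append((owner, rtype, f"target {rdata[0]}"))
        elif rtype == "A" and first_label(owner) == old:
            stale.append((owner, rtype, f"host record {rdata[0]}"))
    return stale


if __name__ == "__main__":
    for owner, rtype, detail in find_stale(SAMPLE, "Midgaard"):
        print(f"STALE {rtype:5} {owner}  ({detail})")
```

On the constructed sample this flags the LDAP and Kerberos SRV records, the host record and the `_msdcs` alias that still point at Midgaard, while the records already registered for Deneb pass.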
 
LVL 1

Expert Comment

by:jonsey5090
ID: 13841665
P.s. this:

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=continuum,DC=SoftwareDesign,DC=com. The file must be present at the location <\\domainname.SoftwareDesign.com\sysvol\domainname.SoftwareDesign.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

looks like there is an out of date SID (Security Identifier for a user account) or computer account. Try resetting the computer account for your DC; this would make sense as computer accounts are based on a hardware footprint, and you have recently changed your hardware.

What was the old name of your DC and what is the new name?
0
 

Author Comment

by:Robert_A_
ID: 13844187
DC was Midgaard; now Deneb.
Domain is/was continuum (I had changed the listing above to "domainname" for anonymity/security, but I missed at least one).

Everything looks fine from the diagnostics (nltest, dcdiag, netdiag); my experience is that it can often be significantly more costly to fix something rather than just redo it; the only thing missing was the consensus of others (which I now have).

Last thing to do before I retire this instance of the OS installation is to plan out what is the best way to "recycle" the machine:

  1.  I want to make sure that the domain is correct.  Deneb (server in question) is the PDC emulator, so what should I do to retire the DC from the domain?
      1a.  Should I move the PDC master to my secondary DC?
      1b.  Should I demote Deneb from the DC role and remove it from the authorized DNS and DHCP server lists?
      1c.  Is there anything else I should do?

  2. When I re-install the OS, is it safe to use the same machine name?

  3. Is there any way of preserving and/or automating network share creation?

  4. Is there anything else I can do to speed up the process of getting back to where I was, functionally?

  5. Can I save the DHCP reservations so I don't need to re-enter them by hand?

In the meantime, I'll get out the brown-creek paddle and rubber gloves (that lazarus98, I had a good laugh on that one too - and very much needed, I might add).

As soon as I can get a good plan of action, I will get these points awarded; you have all been fantastically helpful in confirming my original suspicions.
0


Question has a verified solution.
