North323 asked:

DC issues in remote offices no longer replicate

I have huge DC issues. In office A there are two DCs: one is primary Win2k3, one is backup Win2k. There is a third DC in a remote office (Win2k3) that was joined to the domain and replicating over a router-to-router VPN, and everything was working fine. The primary DC that is used for AD is also used for some applications. After some time, I can no longer open up any programs on that DC. I am not able to open Active Directory, command prompt, remote desktop, or manage computer to view services. Furthermore, the DC is not replicating with the remote office and I get the errors: "Windows cannot determine the user or computer name. (Access is denied.). Group Policy processing aborted." and "MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1" and lastly "This computer was not able to set up a secure session with a domain controller in domain REMAX due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator."

Any help would be awesome.
Jason
adamdrayer

OK. First thing I would do is make a backup. (I also hope you have one from when it was OK.)

Next I would verify that the DNS configuration is correct.  Your "primary" domain controller should be pointing to itself for DNS resolution.  You can determine who is it pointing to by running IPCONFIG /ALL.  It should point to itself and no other computer.  Once that is verified, you should run DCDIAG.  

How do you determine that one is a backup and one is a primary?  In Win2k and above, all DCs are the same except for a few special roles that can be spread around.  You should verify that all the "FSMO" roles are accounted for on DCs (there should be 5 if there is only 1 domain), and that one of your DCs is a Global Catalog Server.  You can find this info in the Active Directory Sites and Services mmc snap-in under the NTDS settings for your site.

You should also check your event log for indications of what might have gone wrong.  

That should be enough to get you started.  Please report back with any findings.

Did this happen to coincide with any changes or events that may seem unrelated?

North323 (ASKER)

I am not able to run anything on the "primary" DC. The command prompt does not come up to type in IPCONFIG /ALL. I only have a backup of the data from when it was OK, not the registry. I am not able to open the DNS console. This did coincide with a change I had made. On Sunday I found the Netlogon service on the DC (that is not responding) was paused and was filling up the temp folder every 30 seconds; I started the service, and Monday is when the world started to collapse.
Hi North323,

So nothing at all runs, no apps at all?

I would boot into safe mode and see if you can locate anything funny going on in the event viewer.

Also from there run any virus scans that you can and run the system file checker: sfc /scannow

See if apps that aren't working will run in safe mode.

Cheers!
This has become a hot issue. I need to demote this DC, promote the win2k DC, rebuild the server and then add it back to the forest.. now..... what's the fastest way to do this?
North323,

Your 2k server is already a DC; it will look after itself.

If you are going to rebuild the machine, then run dcpromo on the server and demote it properly. Make sure you have all the other jobs set up on the other server (DHCP, DNS, etc.).
I must warn you to be careful though. If this Domain Controller contains FSMO roles (probably does if you call it the Primary) and you are unable to replicate, then the roles will not transfer when you demote the DC and that can make your domain unstable. It sounds to me like you have a corruption in AD or possibly a malicious piece of software. You'll have to seize all 5 roles on the Windows 2000 DC and then make sure they are functioning. Once you do this, you can never bring the Win2k3 DC back online.

Have you tried the directory service restore mode? or some other form of safe mode?
I will be starting the DC up in safe mode 4/12. How do I transfer the FSMO roles to the other DC (win2k)? That was the primary DC at one point so all the DNS should remain, but the roles I know have been moved to the win2k3. It seems that the win2k3 server does not respond to a lot of commands. When I run the dcdiag command, the command window opens, runs, and shuts down. I am not able to open any of the admin tools. Can I transfer the FSMO roles by logging onto the win2k server and promoting that using dcpromo?
You said previously that your 2k machine was already a DC...... am I missing something here?

You have to make sure the roles aren't on the machine you are demoting, as Adam said. The dcpromo process usually transfers, but it's buggy, and if you're having connectivity issues it's gonna get interesting.

http://www.petri.co.il/transferring_fsmo_roles.htm

http://www.petri.co.il/seizing_fsmo_roles.htm

http://support.microsoft.com/default.aspx?scid=kb;en-us;255690
Good links. Yeah, you should try to transfer the roles. If you can't, then you may have to seize them on the Win2k server. I know you are in a time-crunch, but I still would suggest you troubleshoot the Win2k3 server. Running DCDiag from Start-Run will open a command prompt, run the program, and then close the command prompt. You can change this behavior by modifying the properties of CMD.exe. Normally you open a command prompt first, then run the program, but you say that you can't run a command prompt, correct? What about Start->Run->CMD?

I agree with Adam, role seizing is a last resort!
I did have to seize the roles; the win2k3 was not willing to give them up. After doing so I rebooted the box and now I am not able to log into workstations around the office. So now I'm in a real jam. Getting this win2k3 box out of the forest so that I can rebuild it. Any help??
You already seized the roles? OK.. well now, you will need to start the Netlogon service, enable DHCP, set the DHCP scope to hand out the Win2k server as the DNS server, make sure it's a global catalog server, reboot, and run dcdiag. Were you able to verify the location of all 5 roles now?
Dumb question... I am a WAN guy. How do I verify it is a global catalog server? How do I verify all 5 roles? Here are the results of dcdiag:
Doing primary tests

   Testing server: Shaker\XXXX-SVR1
      Starting test: Replications
         [Replications Check,XXXX-SVR1] A recent replication attempt failed:
            From XXXSHAKER to XXXX-SVR1
            Naming Context: CN=Schema,CN=Configuration,DC=xxxx,DC=office
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-04-12 10:24.56.
            The last success occurred at 2006-01-29 13:18.21.
            6995 failures have occurred since the last success.
         [XXXSHAKER] DsBind() failed with error -2146893022,
         The target principal name is incorrect..
         [Replications Check,XXXX-SVR1] A recent replication attempt failed:
            From XXXWILLO to XXXX-SVR1
            Naming Context: CN=Schema,CN=Configuration,DC=xxxx,DC=office
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-04-12 10:24.58.
            The last success occurred at 2006-04-10 06:32.54.
            426 failures have occurred since the last success.
         [Replications Check,XXXX-SVR1] A recent replication attempt failed:
            From XXXSHAKER to XXXX-SVR1
            Naming Context: CN=Configuration,DC=xxxx,DC=office
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-04-12 10:24.56.
            The last success occurred at 2006-01-29 13:21.19.
            6995 failures have occurred since the last success.
         [Replications Check,XXXX-SVR1] A recent replication attempt failed:
            From XXXWILLO to XXXX-SVR1
            Naming Context: CN=Configuration,DC=xxxx,DC=office
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-04-12 10:24.57.
            The last success occurred at 2006-04-10 06:32.54.
            426 failures have occurred since the last success.
         [Replications Check,XXXX-SVR1] A recent replication attempt failed:
            From XXXSHAKER to XXXX-SVR1
            Naming Context: DC=xxxx,DC=office
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-04-12 10:24.55.
            The last success occurred at 2006-01-29 13:25.01.
            7438 failures have occurred since the last success.
         [Replications Check,XXXX-SVR1] A recent replication attempt failed:
            From XXXWILLO to XXXX-SVR1
            Naming Context: DC=xxxx,DC=office
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-04-12 10:24.57.
            The last success occurred at 2006-04-10 06:32.54.
            427 failures have occurred since the last success.
         ......................... XXXX-SVR1 passed test Replications
      Starting test: NCSecDesc
         ......................... XXXX-SVR1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... XXXX-SVR1 passed test NetLogons
      Starting test: Advertising
         ......................... XXXX-SVR1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... XXXX-SVR1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... XXXX-SVR1 passed test RidManager
      Starting test: MachineAccount
         ......................... XXXX-SVR1 passed test MachineAccount
      Starting test: Services
         ......................... XXXX-SVR1 passed test Services
      Starting test: ObjectsReplicated
         ......................... XXXX-SVR1 passed test ObjectsReplicated
      Starting test: frssysvol
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... XXXX-SVR1 passed test frssysvol
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 04/12/2006   10:29:55
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 04/12/2006   10:29:55
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 04/12/2006   10:29:55
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 04/12/2006   10:29:55
            (Event String could not be retrieved)
         ......................... XXXX-SVR1 failed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC0001F60
            Time Generated: 04/12/2006   09:33:11
            Event String: The browser service has failed to retrieve the
         An Error Event occured.  EventID: 0xC00010DF
            Time Generated: 04/12/2006   09:38:12
            Event String: A duplicate name has been detected on the TCP
         An Error Event occured.  EventID: 0x0000166D
            Time Generated: 04/12/2006   09:38:12
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000C19
            Time Generated: 04/12/2006   09:38:12
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00010DF
            Time Generated: 04/12/2006   09:51:30
            Event String: A duplicate name has been detected on the TCP
         An Error Event occured.  EventID: 0x00001669
            Time Generated: 04/12/2006   10:06:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000166D
            Time Generated: 04/12/2006   10:10:13
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00010DF
            Time Generated: 04/12/2006   10:10:13
            Event String: A duplicate name has been detected on the TCP
         An Error Event occured.  EventID: 0x00000C19
            Time Generated: 04/12/2006   10:10:30
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00010DF
            Time Generated: 04/12/2006   10:10:30
            Event String: A duplicate name has been detected on the TCP
         An Error Event occured.  EventID: 0xC00010DF
            Time Generated: 04/12/2006   10:10:30
            Event String: A duplicate name has been detected on the TCP
         An Error Event occured.  EventID: 0x80001770
            Time Generated: 04/12/2006   10:10:46
            Event String: The Application log file is full.
         An Error Event occured.  EventID: 0xC00010DF
            Time Generated: 04/12/2006   10:25:35
            Event String: A duplicate name has been detected on the TCP
         ......................... XXXX-SVR1 failed test systemlog

   Running enterprise tests on : xxxx.office
      Starting test: Intersite
         ......................... xxxx.office passed test Intersite
      Starting test: FsmoCheck
         Error: The server returned by DsGetDcName() did not match DsListRoles()
 for the PDC
         ......................... xxxx.office passed test FsmoCheck
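The dcdiag output above already contains the shape of the problem: every inbound partner fails with error 5 (access denied), the bind to XXXSHAKER fails with "The target principal name is incorrect" (a Kerberos/secure-channel failure between DCs rather than a network one), and the last successful replication from XXXSHAKER is more than two months old. As an added example that is not part of the original thread, here is a small Python parser for this dcdiag layout that pulls those facts out and flags any partner whose last success is older than the tombstone lifetime, the point past which reconnecting it risks reintroducing deleted objects. The sample text is constructed from the format shown above (trimmed to one naming context per partner), and the 60-day tombstone lifetime is an assumption (the default for a forest created on Windows 2000 or Windows Server 2003 RTM).

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Default tombstone lifetime for a forest created on Windows 2000 / 2003 RTM (assumed here).
# A partner that has not replicated for longer than this can reintroduce deleted
# objects (lingering objects) if replication is ever restored.
TOMBSTONE_LIFETIME_DAYS = 60

# Constructed sample in the layout dcdiag prints: one naming context per partner,
# the DsBind line, and two failed-test summary lines.
SAMPLE = r"""
         [Replications Check,XXXX-SVR1] A recent replication attempt failed:
            From XXXSHAKER to XXXX-SVR1
            Naming Context: DC=xxxx,DC=office
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-04-12 10:24.55.
            The last success occurred at 2006-01-29 13:25.01.
            7438 failures have occurred since the last success.
         [XXXSHAKER] DsBind() failed with error -2146893022,
         The target principal name is incorrect..
         [Replications Check,XXXX-SVR1] A recent replication attempt failed:
            From XXXWILLO to XXXX-SVR1
            Naming Context: DC=xxxx,DC=office
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-04-12 10:24.57.
            The last success occurred at 2006-04-10 06:32.54.
            427 failures have occurred since the last success.
         ......................... XXXX-SVR1 failed test kccevent
         ......................... XXXX-SVR1 failed test systemlog
"""

@dataclass
class ReplFailure:
    source: str           # partner DC the target tried to pull from
    target: str           # DC that dcdiag was run against
    naming_context: str   # Schema, Configuration or domain partition
    error_code: int       # Win32 error; 5 = ERROR_ACCESS_DENIED
    failed_at: datetime
    last_success: datetime
    failure_count: int

    def days_since_success(self) -> int:
        return (self.failed_at - self.last_success).days

@dataclass
class BindFailure:
    partner: str
    hresult: int          # signed decimal, as dcdiag prints it

    def hresult_hex(self) -> str:
        # -2146893022 -> 0x80090322, SEC_E_WRONG_PRINCIPAL
        return f"0x{self.hresult & 0xFFFFFFFF:08X}"

def _ts(line: str, prefix: str) -> datetime:
    """Parse 'The ... occurred at 2006-04-12 10:24.55.' (seconds follow a dot)."""
    m = re.match(re.escape(prefix) + r" (.+)\.$", line)
    if not m:
        raise ValueError(f"unexpected dcdiag line: {line!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M.%S")

def parse_dcdiag(text: str):
    """Return (replication failures, DsBind failures, names of failed tests)."""
    lines = [ln.strip() for ln in text.splitlines()]
    failures, binds = [], []
    for i, ln in enumerate(lines):
        m = re.match(r"From (\S+) to (\S+)$", ln)
        if m:  # the six lines after "From X to Y" describe one failed attempt
            nc, err, _msg, failed, last, count = lines[i + 1:i + 7]
            failures.append(ReplFailure(
                source=m.group(1), target=m.group(2),
                naming_context=nc.split(": ", 1)[1],
                error_code=int(re.search(r"error \((\d+)\)", err).group(1)),
                failed_at=_ts(failed, "The failure occurred at"),
                last_success=_ts(last, "The last success occurred at"),
                failure_count=int(count.split()[0]),
            ))
            continue
        m = re.match(r"\[(\S+)\] DsBind\(\) failed with error (-?\d+),", ln)
        if m:
            binds.append(BindFailure(m.group(1), int(m.group(2))))
    return failures, binds, re.findall(r"\S+ failed test (\S+)", text)

def summarize(text: str, tombstone_days: int = TOMBSTONE_LIFETIME_DAYS) -> dict:
    failures, binds, failed_tests = parse_dcdiag(text)
    stale = {}  # oldest last-success per partner across all partitions
    for f in failures:
        stale[f.source] = max(stale.get(f.source, 0), f.days_since_success())
    return {
        "access_denied_partners": sorted({f.source for f in failures if f.error_code == 5}),
        "days_since_success": stale,
        "past_tombstone": sorted(p for p, d in stale.items() if d > tombstone_days),
        "wrong_principal": [(b.partner, b.hresult_hex()) for b in binds],
        "failed_tests": failed_tests,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample this reports XXXSHAKER at 72 days without a successful replication (past the 60-day tombstone lifetime) and XXXWILLO at 2 days, which is the practical reason adamdrayer's warning below matters: a DC that has been out of replication that long should be removed from the forest rather than reconnected, and the seized roles should not be brought back online on it.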
Also, do you mean that you rebooted the Win2k3 server after you seized the roles on the Win2k server?  I had mentioned to you that if you seize the roles, you can never bring your Win2k3 server back online.  You should actually have seized the roles while the server was already disconnected.  Did you follow the links that Jay_Jay70 provided?
I seized roles while the win2k3 server was on the network. Am I screwed? Logging onto the win2k box I see that it does hold all the roles now. Can I shut off the win2k3 box and try to log on?
Yes, get the win2k3 box out of there if you seized the roles. Also make sure that the Win2k server points to itself for DNS. How did you verify where all the roles are? Did you use Active Directory Users and Computers, etc...? Go into Active Directory Sites and Services and then right-click "NTDS Settings" for the server and verify that it's a global catalog server.

Make sure that all the clients aren't pointing to the win2k3 box for DHCP or DNS. They should now be pointing to the win2k box, but this may require that you enable DHCP on the win2k server and change the scope options.

Also, when the win2k3 Domain Controller was added, did you run the necessary commands to extend the active directory schema?  They would be "adprep /forestprep" and "adprep /domainprep"?

Win2k3 is shut down and users are able to log onto the network. The win2k box is the only global catalog. The users in the remote site (win2k3) are not able to use resources on the newly promoted win2k box. There was a DFS share between the sites replicating between the win2k3 boxes; this does not exist on the win2k box. Users in the remote office can still not access that server's shared resources now. I know, I know... why did I even get into this mess?
hehe... It's OK. Users are logging in and that's a good start. You're a WAN guy? Good. How are the remote offices accessing? Is it dial-up, hardware VPN, software VPN? Are the remote clients domain members? Can they ping the internal IP of the server? What about its name? Are they issued an IP address on the internal subnet normally? Who issued it?
OK, by WAN guy I mean routers...... There is another win2k3 server in the remote office. Offices are connected using a router-to-router VPN. Remote clients are domain members (AD replicated to remote server). They can ping the internal IP and can get to the internet. The DNS of the remote server is the win2k server. They are issued an IP from the router, not the server. I only want to share the My Docs folder off that remote server and it says that they do not have permissions to access it.
Could they access these shares before?
Yes, they were able to before. It was a DFS between the 2 win2k3 servers that replicated over the router-to-router VPN.
so the data wasn't located on the w2k server?  and now it is?  So this is the first time that the users are trying to access the data in the new location?  Is that right?
Need to take a step back... users are able to log into the win2k server but not able to explore and see the other computers on the tree. I am able to map a drive to the server but not able to share any other resources on the domain. Says the list of computers/servers is not available at this time.

Data was located on the win2k3 I turned off. That was replicating with another win2k3 box in the remote office.
Do you know if you were running WINS on the 2k3 server? Are the computers configured to access a WINS server? Then you will need to enable WINS on the Windows 2000 server and configure the clients (through DHCP maybe) to use the Windows 2000 server as the new WINS server.

When you run IPCONFIG /ALL on the clients, do they have any references to the removed server?

About DFS, I don't have much experience with it. I'll try to invite another expert into the conversation.
Yes, the clients do reference the old server as a WINS resource. I do not know where this is coming from.
It's either hardcoded into each computer or the clients are set to autoconfiguration, which means they are receiving their configuration info from a DHCP server.
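The two IPCONFIG /ALL checks adamdrayer asks for in this thread (earlier: the DC should list itself as its DNS server; here: no client should still reference the removed server for DNS or WINS) are easy to automate when you are collecting output from many machines. As an added example that is not from the thread, here is a Python audit of ipconfig /all text. The sample output and the addresses in it (192.168.1.10 standing for the Win2k DC, 192.168.1.20 for the decommissioned Win2k3 box) are constructed.

```python
import re

# Constructed `ipconfig /all` output in the Windows 2000/2003 layout; the
# addresses are made up. 192.168.1.10 stands for the Win2k DC itself and
# 192.168.1.20 for the decommissioned Win2k3 box.
SAMPLE = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : XXXX-SVR1
   Primary Dns Suffix  . . . . . . . : xxxx.office
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.20
                                       192.168.1.10
   Primary WINS Server . . . . . . . : 192.168.1.20
"""

DECOMMISSIONED = {"192.168.1.20"}   # assumed address of the removed DC


def parse_ipconfig(text: str) -> dict:
    """Map each section (an unindented header line) to its key -> [values]."""
    sections, current, last_key = {}, "Windows IP Configuration", None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():             # "Ethernet adapter X:" or the global header
            current, last_key = raw.strip().rstrip(":"), None
            sections.setdefault(current, {})
            continue
        m = re.match(r"^\s+(.+?)[ .]*: ?(.*)$", raw)
        if m:                                # "Key . . . : value" (value may be empty)
            last_key, value = m.group(1), m.group(2).strip()
            sections.setdefault(current, {})[last_key] = [value] if value else []
        elif last_key:                       # indented continuation: extra DNS/WINS servers
            sections[current][last_key].append(raw.strip())
    return sections


def audit(text: str, decommissioned=frozenset()) -> dict:
    """Per adapter: does it resolve via itself, and does anything still name a removed host?"""
    report = {}
    for name, keys in parse_ipconfig(text).items():
        if "DNS Servers" not in keys:
            continue                          # global header or adapter with no IP config
        own = [v.split("(")[0].strip()        # newer Windows appends "(Preferred)"
               for k in ("IP Address", "IPv4 Address") for v in keys.get(k, [])]
        dns = keys["DNS Servers"]
        wins = keys.get("Primary WINS Server", []) + keys.get("Secondary WINS Server", [])
        refs = dns + wins + keys.get("DHCP Server", [])
        report[name] = {
            "ip": own,
            "dns_points_to_self": bool(dns) and dns[0] in own,   # DC should list itself first
            "foreign_dns": [s for s in dns if s not in own],
            "stale_refs": sorted(set(refs) & set(decommissioned)),
        }
    return report


if __name__ == "__main__":
    for adapter, findings in audit(SAMPLE, DECOMMISSIONED).items():
        print(adapter, findings)
```

Run it over saved ipconfig /all output from the Win2k server and from each client. A `stale_refs` hit on a client that has just been released and renewed points at the DHCP scope options rather than a hardcoded setting, which is exactly the distinction drawn above. The `dns_points_to_self` check follows the single-DC advice given in this thread; in a domain with more than one healthy DC the usual practice is to list a partner DC first and the server itself second.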
OK, it is not hardcoded. I did an ipconfig /release and /renew and there are no more signs of the old server. However, I am still not able to view the computers on the tree.

At this point... would it be easier to basically remove the domain controller, rebuild the W2k3 box and start fresh? This is killing me.
No no. Don't do that. Your problem, honestly, is that you don't understand how a lot of this works, and starting from scratch would only make things worse I think.

I keep mentioning DHCP.  Is it active on the Windows 2000 server?  This is what configures the clients.  You will need to set it to enable NetBIOS over TCP/IP on the clients and point them to the existing server as a WINS server.  But then you will need to install WINS on the server.  Then you will need to reboot all the clients (and possibly the server).
Here is what I think I have decided; tell me how stupid I am.
In location A, rebuild the new server and create a domainA and have users join this new domain.
In location B, rebuild that server and create a domainB and have users join that domain.
WILL THIS IDEA WORK??

The two locations will not replicate; I will set up some robocopy batch files to send files across the router-to-router VPN.

Unless you want to give me your phone number (adamdrayer) and you can charge me for your time to walk me through this glop of gunk.

And you are right, I do not understand how a lot of this works. This one office worked fine on just the Win2000 server, DHCP was the router; complications grew when they added another office and wanted to upgrade hardware.
Well, when you add a win2k3 server to a Windows 2000 network, you have to go through certain steps. I mentioned them above. Running Adprep, etc...

But unfortunately I am not going to be able to advise you one way or the other about rebuilding the domain from scratch. If you want to pay someone, you should find someone local or use Microsoft Sales and Support.  I'm sorry.  What area are you in?  
I plan on adding the win2k3 server to a new domain where the win2k server will be turned off, so the new server will not even see the other DC, only because the win2k3 server is what we want to use and decommission the 2000 box. So by turning off the 2000 box and rebuilding the 2003 box, creating a new domain and then having the users join the new domain... won't that work?
Yes. But you'll lose all your group policies, domain users, settings, security, etc... Who set up this network? Was it you or someone else? Make sure you keep management up to date on what you are doing. I would really recommend hiring someone to help you who has experience in this particular area. Installation and administration can take years to learn, and previous experience is invaluable. It will save you money in the long run.
I did not set this up. There are no group policies (why do they have AD?). Can't I back up the AD from the old server and restore to the new domain? Or I can type in the 20 users... anything to make this go away.

ASKER CERTIFIED SOLUTION
adamdrayer

This solution is only available to members.
I understand. I will rebuild the server and create a new domain and let you know how that goes.
Looks like I am Day Late and Dollar Short here..  :)

If this is only a 20 user network (site), why not rebuild it to your specifications?  May be the best route to take.....

Good luck and hope better weeks to come!

FE
Thanks for the points and thanks to FE for his involvement.  I'm sorry we couldn't be more of a help to you.