Solved

Removed domain controller from network, Now I have tons of errors in event viewer

Posted on 2006-04-17
Last Modified: 2007-12-19
Hello,

I recently set up a new server and made it a domain controller.  Everything was working great until I removed the old domain controller from the network.  Now I notice the new server takes a very long time to boot up.  It seems to hang at preparing network connections.  I looked in the Event Viewer and found several errors.  The error below is the one I think I need to deal with.

Event Type:      Error
Event Source:      NTDS Replication
Event Category:      DS RPC Client
Event ID:      2087
Date:            4/17/2006
Time:            10:13:12 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      KURTWS2
Description:
Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
 
Source domain controller:
 kurtws1
Failing DNS host name:
 bfcf1df6-939d-4c1d-9008-af3d91802aa0._msdcs.KURTWS1.local
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns
 
 4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
Question by:Kurt4949
23 Comments
 
LVL 7

Author Comment

by:Kurt4949
ID: 16470276
kurtws1 is the old domain controller and it no longer exists!  Was I supposed to do something before I disconnected it from the network?

I think this is what I need to do

"If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe"  but it seems confusing.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16470316
Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1054
Date:            4/17/2006
Time:            12:29:57 PM
User:            NT AUTHORITY\SYSTEM
Computer:      KURTWS2
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16470322
Event Type:      Error
Event Source:      DhcpServer
Event Category:      None
Event ID:      1059
Date:            4/16/2006
Time:            9:59:33 PM
User:            N/A
Computer:      KURTWS2
Description:
The DHCP service failed to see a directory server for authorization.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 3a 20 00 00               : ..    
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16470346
I also have errors in the Directory Service, DNS Server, and File Replication Service.  I believe this server was working perfectly until I removed the old one from the network.  What's the deal??

Thanks,
Kurt
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16470433
How exactly did you remove this domain controller from the network?

Did you DCPROMO it out?
If not, then the domain will still think it is there.

Have you checked that the roles have been moved correctly?

If not, then install the Windows system tools on to a server, then type

netdom query fsmo

and ensure that none of the roles are being held by the server that you removed.

Simon.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16470831
I just unplugged it and I don't have it to plug back in.  I guess I was supposed to run DCPROMO.  If the server died I would have this same problem anyway.  Seems like there would be an easy way to remove it from the domain even if it died or is gone.

How do I check the roles?  Do I install the system tools from the CD?

Thanks
0
 
LVL 104

Accepted Solution

by:
Sembee earned 1500 total points
ID: 16470934
I said how to check the roles.
Install the Windows Support tools and then run the command that I indicated.

If there are roles on the non-existent server then you will have to seize them.
http://support.microsoft.com/default.aspx?kbid=255504

Also take a look at this article:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Simon.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16471445
Ok, I installed and ran the netdom query fsmo command.  Some of the roles were for sure stuck on the old server.  I went through that article and now all the roles are on the new server.

Preparing network connections still seems to take a long time and I'm still getting this error.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1054
Date:            4/17/2006
Time:            2:54:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      KURTWS2
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16471861
DNS is the next thing to check.
Ensure that every machine on the network is pointing to domain controllers ONLY for DNS. No external DNS servers should be in the configuration anywhere.
The DCs themselves should be pointing at themselves for primary and another DC for secondary.
If you need to use external DNS for effective name resolution (and this is something I do anyway), then configure the DNS server applet on each domain controller to use your ISP's DNS servers as forwarders.

It can take a while to filter through the roles being changed. Also ensure that you have at least one global catalog available. You can have more than one of those.

Simon.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16472096
It looks like DNS is still set up properly.  I had already set it up as you described.  I do have this error but I think the problem has to do with Active Directory or the domain controller.  It's like it can't find the domain but it is supposed to be the domain controller!

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4015
Date:            4/17/2006
Time:            3:01:49 PM
User:            N/A
Computer:      KURTWS2
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020DE: SvcErr: DSID-030F00E4, problem 5001 (BUSY), data 0". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 33 00 00 00               3...    
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16472110
Have you cycled the machine since the roles were changed?

Simon.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16472171
Yes, I'll reboot it again though.  It may be a global catalog problem.  I do have this error

Event Type:      Error
Event Source:      NTDS General
Event Category:      Global Catalog
Event ID:      1126
Date:            4/17/2006
Time:            4:03:16 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      KURTWS2
Description:
Active Directory was unable to establish a connection with the global catalog.
 
Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200cd1
 
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller.  You may use the nltest utility to diagnose this problem.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16472238
Have you enabled any other servers as global catalogs?

Simon.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16472376
I'm not even sure how to enable global catalogs or how to check them.  This is the only server on the network.  
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16472431
The global catalog checkbox is not checked.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16473222
That would be the problem then. If this is the only domain controller on the network, and the global catalog is not set, then you have a problem. You need to enable the global catalog role, then wait a while.

Simon.
0
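The two checks this thread turned on (which server holds the FSMO roles, and whether a global catalog remains) can be made before a domain controller is unplugged. An added PowerShell example, not part of the original thread: the function names are hypothetical, and the `netdom query fsmo` and `dsquery server -isgc` output is constructed sample text for kurtws1 and kurtws2.

```powershell
# Added example. Function names are hypothetical; both samples are constructed
# to match the state described in this thread (kurtws1 removed, kurtws2 kept).
$fsmoText = @'
Schema owner                kurtws1.KURTWS1.local
Domain role owner           kurtws1.KURTWS1.local
PDC role                    kurtws2.KURTWS1.local
RID pool manager            kurtws2.KURTWS1.local
Infrastructure owner        kurtws1.KURTWS1.local
The command completed successfully.
'@
$gcText = @'
"CN=KURTWS1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=KURTWS1,DC=local"
'@

function Get-FsmoHolder([string]$NetdomOutput) {
    foreach ($line in $NetdomOutput -split "`r?`n") {
        # Role label and holder are separated by two or more spaces; the
        # trailing status line has single spaces only and is skipped.
        if ($line -match '^(?<role>\S.*?)\s{2,}(?<holder>\S+)\s*$') {
            [pscustomobject]@{ Role = $Matches['role']; Holder = $Matches['holder'] }
        }
    }
}

function Get-GcServerName([string]$DsqueryOutput) {
    foreach ($line in $DsqueryOutput -split "`r?`n") {
        # One quoted DN per global catalog server; the first RDN is its name.
        if ($line -match '^"?CN=(?<name>[^,]+),') { $Matches['name'] }
    }
}

function Test-DcRemoval([string]$DcName, [string]$NetdomOutput, [string]$DsqueryOutput) {
    # Roles whose holder's host label is the DC about to be removed.
    $stuck = @(Get-FsmoHolder $NetdomOutput |
        Where-Object { ($_.Holder -split '\.')[0] -eq $DcName } |
        ForEach-Object { $_.Role })
    # Global catalogs that will still exist once that DC is gone.
    $otherGc = @(Get-GcServerName $DsqueryOutput | Where-Object { $_ -ne $DcName })
    [pscustomobject]@{
        RolesToMove  = $stuck
        RemainingGcs = $otherGc
        SafeToRemove = ($stuck.Count -eq 0 -and $otherGc.Count -gt 0)
    }
}

Test-DcRemoval -DcName 'kurtws1' -NetdomOutput $fsmoText -DsqueryOutput $gcText | Format-List
```

On a live domain controller, pass `netdom query fsmo | Out-String` and `dsquery server -isgc | Out-String` in place of the two sample strings.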
 
LVL 7

Author Comment

by:Kurt4949
ID: 16479149
I'm still getting the error.  I tried to demote the domain controller and I get an error saying something about the domain cannot be deleted because this domain has a child directory.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16479208
Can you post the EXACT text of the error message you get when you try to remove the dead domain controller?

Simon.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16482092
This is actually the good server I was trying to demote then promote again.  Here is the error.


The operation failed because:
Active Directory could not be removed on this domain controller because this is the last domain controller in the domain, and the domain has a child directory partition DC=DomainDnsZones,DC=KURTWS1,DC=local.

"The requested delete operation could not be performed."
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16482363
Is the server the last domain controller in the domain? If it is, then you will get that error message and the domain will be gone.

Simon.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16482446
Yes, it is the last server in the domain.  I get that error but the domain is not gone.  It still thinks it's a domain controller and I cannot remove it.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 16482452
I'm about ready to just wipe it out and reinstall.  I thought the point of having two domain controllers was in case one fails but one failed and now they are both messed up.
Kurt
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16482480
If it is the last domain controller in the domain, then why bother trying to DCPROMO it out? Simply wipe the thing and start again.

Simon.
0
