DNS & DHCP won't start after promotion to DC

I just managed to promote a secondary W2K3 R2 DC. The primary is W2K3. The event log has this to say about DNS:

 Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4000
Date:            4/20/2006
Time:            5:28:24 AM
User:            N/A
Computer:      AFC-SERVER02
Description:
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: f5 25 00 00               õ%..    

DHCP events:

Event Type:      Error
Event Source:      DhcpServer
Event Category:      None
Event ID:      1008
Date:            4/20/2006
Time:            5:20:49 AM
User:            N/A
Computer:      AFC-SERVER02
Description:
The DHCP service is shutting down due to the following error:
The directory service was unable to allocate a relative identifier.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 10 20 00 00               . ..    


Thanks in advance!
melevyAsked:
Jay_Jay70Commented:
Hi melevy,

I take it you ran the adprep tools from the R2 disk? All three? forestprep, domainprep and gpprep

Can you confirm where the RID master role is? And have you recently made any DC changes?

Cheers!
0
melevyAuthor Commented:
/forestprep ran & made changes, but /domainprep & /gpprep said that the changes had already been made. All of the operations masters are on the original (previously stand-alone) DC.
0
Jay_Jay70Commented:
Can you run dcdiag please?

Just want to see what's kicking that RID master error.
0
melevyAuthor Commented:
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\AFC-SERVER02
      Starting test: Connectivity
         The directory service on AFC-SERVER02 has not finished initializing.
          In order for the directory service to consider itself synchronized,
         it must attempt an initial synchronization with at least one replica
         of this server's writeable domain.  It must also obtain Rid
         information from the Rid FSMO holder.
          The directory service has not signalled the event which lets other
         services know that it is ready to accept requests. Services such as
         the Key Distribution Center, Intersite Messaging Service, and NetLogon
         will not consider this system as an eligible domain controller.
         ......................... AFC-SERVER02 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\AFC-SERVER02
      Starting test: Replications
         [Replications Check,AFC-SERVER02] A recent replication attempt failed:
            From AFC-SERVER01 to AFC-SERVER02
            Naming Context: DC=anklenfoot,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2006-04-20 21:02.54.
            The last success occurred at (never).
            159 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         REPLICATION LATENCY WARNING
         AFC-SERVER02: A full synchronization is in progress
            from AFC-SERVER01 to AFC-SERVER02
            Replication of new changes along this path will be delayed.
            The full sync is 0.00% complete.
         [Replications Check,AFC-SERVER02] A recent replication attempt failed:
            From AFC-SERVER01 to AFC-SERVER02
            Naming Context: CN=Configuration,DC=anklenfoot,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2006-04-20 20:56.36.
            The last success occurred at 2006-04-20 05:06.14.
            41 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,AFC-SERVER02] A recent replication attempt failed:
            From AFC-SERVER01 to AFC-SERVER02
            Naming Context: CN=Schema,CN=Configuration,DC=anklenfoot,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2006-04-20 20:57.36.
            The last success occurred at 2006-04-20 05:05.46.
            17 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... AFC-SERVER02 passed test Replications
      Starting test: NCSecDesc
         ......................... AFC-SERVER02 passed test NCSecDesc
      Starting test: NetLogons
         ......................... AFC-SERVER02 passed test NetLogons
      Starting test: Advertising
         Warning: the directory service on AFC-SERVER02 has not completed initial synchronization.
         Other services will be delayed.
         Verify that the server can replicate.
         Warning: DsGetDcName returned information for \\AFC-SERVER01.anklenfoot.com, when we were trying to reach AFC-SERVER02.
         Server is not responding or is not considered suitable.
         ......................... AFC-SERVER02 failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... AFC-SERVER02 passed test KnowsOfRoleHolders
      Starting test: RidManager
         Warning: attribute rIdSetReferences missing from CN=AFC-SERVER02,OU=Domain Controllers,DC=anklenfoot,DC=com
         Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
         ......................... AFC-SERVER02 failed test RidManager
      Starting test: MachineAccount
         ......................... AFC-SERVER02 passed test MachineAccount
      Starting test: Services
            RPCLOCATOR Service is stopped on [AFC-SERVER02]
            TrkWks Service is stopped on [AFC-SERVER02]
            TrkSvr Service is stopped on [AFC-SERVER02]
            Could not open IISADMIN Service on [AFC-SERVER02]:failed with 1060: The specified service does not exist as an installed service.
            Could not open SMTPSVC Service on [AFC-SERVER02]:failed with 1060: The specified service does not exist as an installed service.
         ......................... AFC-SERVER02 failed test Services
      Starting test: ObjectsReplicated
         ......................... AFC-SERVER02 passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... AFC-SERVER02 passed test frssysvol
      Starting test: kccevent
         ......................... AFC-SERVER02 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/20/2006   21:01:41
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/20/2006   21:01:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/20/2006   21:01:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/20/2006   21:01:44
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/20/2006   21:01:45
            (Event String could not be retrieved)
         ......................... AFC-SERVER02 failed test systemlog

   Running enterprise tests on : anklenfoot.com
      Starting test: Intersite
         ......................... anklenfoot.com passed test Intersite
      Starting test: FsmoCheck
         ......................... anklenfoot.com passed test FsmoCheck
0
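Added example, not part of the thread: a Python sketch that triages dcdiag output like the run posted above, pulling out per-test verdicts, the per-naming-context replication failures (dcdiag still printed "passed test Replications" over them), and the numeric codes, and that decodes the `Data:` bytes of the DNS and DHCP events as little-endian DWORDs. The names `triage`, `never_replicated` and `decode_event_data` are assumptions of this example, and `SAMPLE` is constructed from lines in the post.

```python
import re
import struct

# Constructed sample: lines copied from the dcdiag run posted above, shortened.
SAMPLE = """\
      Starting test: Replications
         [Replications Check,AFC-SERVER02] A recent replication attempt failed:
            Naming Context: DC=anklenfoot,DC=com
            The replication generated an error (1908):
            The last success occurred at (never).
            159 failures have occurred since the last success.
         [Replications Check,AFC-SERVER02] A recent replication attempt failed:
            Naming Context: CN=Configuration,DC=anklenfoot,DC=com
            The replication generated an error (1908):
            The last success occurred at 2006-04-20 05:06.14.
            41 failures have occurred since the last success.
         ......................... AFC-SERVER02 passed test Replications
      Starting test: RidManager
         Could not get Rid set Reference :failed with 8481: The search failed to
         ......................... AFC-SERVER02 failed test RidManager
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
         ......................... AFC-SERVER02 failed test systemlog
"""

RESULT = re.compile(r"^\s*\.{5,} (\S+) (passed|failed) test (\S+)$")
FIELDS = {  # details dcdiag prints under each failed replication attempt
    "naming_context": re.compile(r"Naming Context: (\S+)"),
    "error": re.compile(r"replication generated an error \((\d+)\)"),
    "last_success": re.compile(r"last success occurred at (.+?)\.$"),
    "failures": re.compile(r"^\s*(\d+) failures have occurred"),
}

def triage(text):
    """Return (test verdicts, replication failures, 'failed with' codes, event IDs)."""
    results, repl, codes, events = {}, [], set(), set()
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := RESULT.match(line):
            results[m.group(3)] = m.group(2)      # test name -> passed/failed
        elif "A recent replication attempt failed" in line:
            repl.append({})                       # start a new failure record
        elif m := re.search(r"failed with (\d+):", line):
            codes.add(int(m.group(1)))            # Win32 code in decimal
        elif m := re.search(r"EventID: 0x([0-9A-Fa-f]+)", line):
            events.add(int(m.group(1), 16))       # hex event ID -> decimal
        elif repl:
            for key, rx in FIELDS.items():
                if m := rx.search(line):
                    repl[-1][key] = m.group(1)
    return results, repl, codes, events

def never_replicated(repl):
    """Naming contexts that have not replicated in even once."""
    return [r["naming_context"] for r in repl if r.get("last_success") == "(never)"]

def decode_event_data(hex_bytes):
    """Decode an event record's 'Data:' bytes as a little-endian DWORD."""
    return struct.unpack("<I", bytes.fromhex(hex_bytes))[0]

if __name__ == "__main__":
    results, repl, codes, events = triage(SAMPLE)
    print("failed tests:", [t for t, v in results.items() if v == "failed"])
    print("never replicated:", never_replicated(repl))
    print("codes:", sorted(codes), "event IDs:", sorted(events))
    print("DNS 4000 data:", decode_event_data("f5 25 00 00"))
    print("DHCP 1008 data:", decode_event_data("10 20 00 00"))
```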
Jay_Jay70Commented:
   Starting test: RidManager
         Warning: attribute rIdSetReferences missing from CN=AFC-SERVER02,OU=Domain Controllers,DC=anklenfoot,DC=com
         Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
         ......................... AFC-SERVER02 failed test RidManager

This worries me the most.

Can you flush DNS for me and disable any additional NICs on the server?
0
melevyAuthor Commented:
Did ipconfig /flushdns. There is only one NIC on the machine. Dcdiag still shows the same error you excerpted above.
0
Jay_Jay70Commented:
try running dcdiag /fix
0
Jay_Jay70Commented:
and netdiag /fix
0
melevyAuthor Commented:
dcdiag /fix didn't seem to do anything; the error above persists. I can't seem to find netdiag. Where can I get it?
0
melevyAuthor Commented:
C:\Program Files\Support Tools>netdiag

......................................

    Computer Name: AFC-SERVER02
    DNS Host Name: afc-server02.anklenfoot.com
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel
    List of installed hotfixes :
        KB890046
        KB893756
        KB896358
        KB896422
        KB896424
        KB896428
        KB898715
        KB899587
        KB899588
        KB899589
        KB899591
        KB900725
        KB901017
        KB901214
        KB902400
        KB904706
        KB905414
        KB908519
        KB908531
        KB910437
        KB911562
        KB911567
        KB911927
        KB912812
        KB912919
        KB913446
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : afc-server02
        IP Address . . . . . . . . : 192.168.2.25
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.2.254
        Primary WINS Server. . . . : 192.168.1.10
        Dns Servers. . . . . . . . : 192.168.1.10


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{4113C3D6-36DB-4412-955A-1FCE13D26EBF}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.10' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{4113C3D6-36DB-4412-955A-1FCE13D26EBF}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{4113C3D6-36DB-4412-955A-1FCE13D26EBF}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'ANKLENFOOT' is to '\\AFC-SERVER01.anklenfoot.com'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
0
Jay_Jay70Commented:
Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.

http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21751185.html

Have a look at that and see if it helps.

I am worried about those netbinds.
0
melevyAuthor Commented:
I did what that page suggested to no avail. I also demoted and re-promoted the machine with the same results. I'm a little mystified why DCDIAG reports "Could not find the domain controller for this domain" when it was a member server before promotion, and DCPROMO completed.
0
melevyAuthor Commented:
I ran DCDIAG on the original DC and found some interesting things:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\AFC-SERVER01
      Starting test: Connectivity
         ......................... AFC-SERVER01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\AFC-SERVER01
      Starting test: Replications
         REPLICATION LATENCY WARNING
         AFC-SERVER01: This replication path was preempted by higher priority work.
            from AFC-SERVER02 to AFC-SERVER01
            Reason: The replication operation failed because of a schema mismatch between the servers involved.
            The last success occurred at 2006-04-21 08:11:04.
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         AFC-SERVER01: This replication path was preempted by higher priority work.
            from AFC-SERVER02 to AFC-SERVER01
            Reason: The replication operation failed because of a schema mismatch between the servers involved.
            The last success occurred at 2006-04-21 08:11:04.
            Replication of new changes along this path will be delayed.
         REPLICATION-RECEIVED LATENCY WARNING
         AFC-SERVER01:  Current time is 2006-04-21 22:17:17.
            CN=Configuration,DC=anklenfoot,DC=com
               Last replication recieved from AFC-SERVER02 at 2006-04-21 08:11:04.
         ......................... AFC-SERVER01 passed test Replications
      Starting test: NCSecDesc
         ......................... AFC-SERVER01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... AFC-SERVER01 passed test NetLogons
      Starting test: Advertising
         ......................... AFC-SERVER01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... AFC-SERVER01 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... AFC-SERVER01 passed test RidManager
      Starting test: MachineAccount
         ......................... AFC-SERVER01 passed test MachineAccount
      Starting test: Services
         ......................... AFC-SERVER01 passed test Services
      Starting test: ObjectsReplicated
         ......................... AFC-SERVER01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... AFC-SERVER01 passed test frssysvol
      Starting test: frsevent
         ......................... AFC-SERVER01 passed test frsevent
      Starting test: kccevent
         ......................... AFC-SERVER01 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x0000044E
            Time Generated: 04/21/2006   22:16:56
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000044E
            Time Generated: 04/21/2006   22:16:56
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000044E
            Time Generated: 04/21/2006   22:16:58
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000044E
            Time Generated: 04/21/2006   22:17:01
            (Event String could not be retrieved)
         ......................... AFC-SERVER01 failed test systemlog
      Starting test: VerifyReferences
         ......................... AFC-SERVER01 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : anklenfoot
      Starting test: CrossRefValidation
         ......................... anklenfoot passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... anklenfoot passed test CheckSDRefDom

   Running enterprise tests on : anklenfoot.com
      Starting test: Intersite
         ......................... anklenfoot.com passed test Intersite
      Starting test: FsmoCheck
         ......................... anklenfoot.com passed test FsmoCheck



How do I go about matching up the schemas?

0
Jay_Jay70Commented:
Mismatched schemas! Hmmmmm

You confirmed that you ran forestprep on the first DC and it confirmed.......

Check Sites and Services: have you got multiple sites set up, and are the DCs registered in the correct sites?
0
melevyAuthor Commented:
Yes, I've checked that. Only one site, and it lists both DC's

Here's what I get when I run ADPREP on the original DC:

ADPREP WARNING:

Before running adprep, all Windows 2000 domain controllers in the forest should
be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows
2000 SP2 (or later).

QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.

For more information about preparing your forest and domain see KB article Q331161 at http://support.microsoft.com.

Running /domainprep & /gpprep give the same results.

[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.


c
Forest-wide information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.

0
melevyAuthor Commented:
I should mention that this version of ADPREP was obtained from disk2 of the W2K3 R2 CD set.
0
Jay_Jay70Commented:
Clear all your event viewers for me,

then run the diag again.

If the mismatch error comes up again, read this and see if it looks familiar...
http://support.microsoft.com/default.aspx?scid=kb;en-us;307323
0