Solved

DNS & DHCP won't start after promotion to DC

Posted on 2006-04-20
Last Modified: 2010-05-18
I just managed to promote a secondary W2K3 R2 DC. The primary is W2K3. The event log has this to say about DNS:

 Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4000
Date:            4/20/2006
Time:            5:28:24 AM
User:            N/A
Computer:      AFC-SERVER02
Description:
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: f5 25 00 00               õ%..    

DHCP events:

Event Type:      Error
Event Source:      DhcpServer
Event Category:      None
Event ID:      1008
Date:            4/20/2006
Time:            5:20:49 AM
User:            N/A
Computer:      AFC-SERVER02
Description:
The DHCP service is shutting down due to the following error:
The directory service was unable to allocate a relative identifier.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 10 20 00 00               . ..    


Thanks in advance!

Question by:melevy

Expert Comment

by:Jay_Jay70
ID: 16497840
Hi melevy,

i take it you ran the adprep tools from the R2 disk? all three? forestprep, domainprep and gpprep

can you confirm where the RID master role is? and have you recently made any DC changes?

Cheers!

Author Comment

by:melevy
ID: 16498292
/forestprep ran & made changes, but /domainprep & /gpprep said that the changes had already been made. All of the operations masters are on the original (previously stand-alone) DC.

Expert Comment

by:Jay_Jay70
ID: 16503160
can you run dcdiag please,

just want to see what's kicking that RID master error

Author Comment

by:melevy
ID: 16504236
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\AFC-SERVER02
      Starting test: Connectivity
         The directory service on AFC-SERVER02 has not finished initializing.
          In order for the directory service to consider itself synchronized,
         it must attempt an initial synchronization with at least one replica
         of this server's writeable domain.  It must also obtain Rid
         information from the Rid FSMO holder.
          The directory service has not signalled the event which lets other
         services know that it is ready to accept requests. Services such as
         the Key Distribution Center, Intersite Messaging Service, and NetLogon
         will not consider this system as an eligible domain controller.
         ......................... AFC-SERVER02 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\AFC-SERVER02
      Starting test: Replications
         [Replications Check,AFC-SERVER02] A recent replication attempt failed:
            From AFC-SERVER01 to AFC-SERVER02
            Naming Context: DC=anklenfoot,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2006-04-20 21:02.54.
            The last success occurred at (never).
            159 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         REPLICATION LATENCY WARNING
         AFC-SERVER02: A full synchronization is in progress
            from AFC-SERVER01 to AFC-SERVER02
            Replication of new changes along this path will be delayed.
            The full sync is 0.00% complete.
         [Replications Check,AFC-SERVER02] A recent replication attempt failed:
            From AFC-SERVER01 to AFC-SERVER02
            Naming Context: CN=Configuration,DC=anklenfoot,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2006-04-20 20:56.36.
            The last success occurred at 2006-04-20 05:06.14.
            41 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,AFC-SERVER02] A recent replication attempt failed:
            From AFC-SERVER01 to AFC-SERVER02
            Naming Context: CN=Schema,CN=Configuration,DC=anklenfoot,DC=com
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2006-04-20 20:57.36.
            The last success occurred at 2006-04-20 05:05.46.
            17 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... AFC-SERVER02 passed test Replications
      Starting test: NCSecDesc
         ......................... AFC-SERVER02 passed test NCSecDesc
      Starting test: NetLogons
         ......................... AFC-SERVER02 passed test NetLogons
      Starting test: Advertising
         Warning: the directory service on AFC-SERVER02 has not completed initial synchronization.
         Other services will be delayed.
         Verify that the server can replicate.
         Warning: DsGetDcName returned information for \\AFC-SERVER01.anklenfoot.com, when we were trying to reach AFC-SERVER02.
         Server is not responding or is not considered suitable.
         ......................... AFC-SERVER02 failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... AFC-SERVER02 passed test KnowsOfRoleHolders
      Starting test: RidManager
         Warning: attribute rIdSetReferences missing from CN=AFC-SERVER02,OU=Domain Controllers,DC=anklenfoot,DC=com
         Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
         ......................... AFC-SERVER02 failed test RidManager
      Starting test: MachineAccount
         ......................... AFC-SERVER02 passed test MachineAccount
      Starting test: Services
            RPCLOCATOR Service is stopped on [AFC-SERVER02]
            TrkWks Service is stopped on [AFC-SERVER02]
            TrkSvr Service is stopped on [AFC-SERVER02]
            Could not open IISADMIN Service on [AFC-SERVER02]:failed with 1060: The specified service does not exist as an installed service.
            Could not open SMTPSVC Service on [AFC-SERVER02]:failed with 1060: The specified service does not exist as an installed service.
         ......................... AFC-SERVER02 failed test Services
      Starting test: ObjectsReplicated
         ......................... AFC-SERVER02 passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... AFC-SERVER02 passed test frssysvol
      Starting test: kccevent
         ......................... AFC-SERVER02 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/20/2006   21:01:41
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/20/2006   21:01:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/20/2006   21:01:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/20/2006   21:01:44
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/20/2006   21:01:45
            (Event String could not be retrieved)
         ......................... AFC-SERVER02 failed test systemlog

   Running enterprise tests on : anklenfoot.com
      Starting test: Intersite
         ......................... anklenfoot.com passed test Intersite
      Starting test: FsmoCheck
         ......................... anklenfoot.com passed test FsmoCheck
0
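
Added example, not part of the original thread or any poster's code: the dcdiag run above prints `passed test Replications` while still listing replication attempts whose last success is `(never)`, so the per-test verdict alone is a poor triage signal. This Python script parses saved dcdiag text and reports both the failed tests and the naming contexts that have never synchronized; the sample is a constructed, abbreviated excerpt in the shape of the output above, and all function names are assumptions of this example.

```python
import re

# Constructed sample: abbreviated excerpt in the shape of the dcdiag output
# posted above (not a complete run).
SAMPLE = """\
      Starting test: Replications
         [Replications Check,AFC-SERVER02] A recent replication attempt failed:
            From AFC-SERVER01 to AFC-SERVER02
            Naming Context: DC=anklenfoot,DC=com
            The replication generated an error (1908):
            The failure occurred at 2006-04-20 21:02.54.
            The last success occurred at (never).
            159 failures have occurred since the last success.
         [Replications Check,AFC-SERVER02] A recent replication attempt failed:
            From AFC-SERVER01 to AFC-SERVER02
            Naming Context: CN=Configuration,DC=anklenfoot,DC=com
            The replication generated an error (1908):
            The failure occurred at 2006-04-20 20:56.36.
            The last success occurred at 2006-04-20 05:06.14.
            41 failures have occurred since the last success.
         ......................... AFC-SERVER02 passed test Replications
      Starting test: Advertising
         ......................... AFC-SERVER02 failed test Advertising
      Starting test: RidManager
         ......................... AFC-SERVER02 failed test RidManager
"""

VERDICT = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")
FIELDS = {
    "source": re.compile(r"From (\S+) to \S+"),
    "naming_context": re.compile(r"Naming Context: (\S+)"),
    "error": re.compile(r"generated an error \((\d+)\)"),
    "last_success": re.compile(r"last success occurred at (.+?)\.$"),
    "failures": re.compile(r"(\d+) failures have occurred"),
}

def verdicts(text):
    """Map (target, test name) -> 'passed' or 'failed'."""
    return {(m.group(1), m.group(3)): m.group(2) for m in VERDICT.finditer(text)}

def replication_failures(text):
    """Return one dict per 'A recent replication attempt failed' block."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if "A recent replication attempt failed" in line:
            current = {}
            records.append(current)
        elif VERDICT.search(line):
            current = None  # a verdict line closes the open block
        elif current is not None:
            for key, pattern in FIELDS.items():
                m = pattern.search(line)
                if m and key not in current:
                    current[key] = m.group(1)
    for r in records:
        r["failures"] = int(r.get("failures", 0))
        r["never_synced"] = r.get("last_success") == "(never)"
    return records

def triage(text):
    """Combine test verdicts with replication blocks that never succeeded."""
    failed = sorted(t for (_, t), v in verdicts(text).items() if v == "failed")
    never = [r.get("naming_context") for r in replication_failures(text) if r["never_synced"]]
    return {"failed_tests": failed, "never_synced": never}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
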
 

Expert Comment

by:Jay_Jay70
ID: 16504253
   Starting test: RidManager
         Warning: attribute rIdSetReferences missing from CN=AFC-SERVER02,OU=Domain Controllers,DC=anklenfoot,DC=com
         Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
         ......................... AFC-SERVER02 failed test RidManager

this worries me the most,

can you flush dns for me and disable any additional NIC's on the server

Author Comment

by:melevy
ID: 16504268
Did ipconfig /flushdns. There is only one NIC on the machine. Dcdiag still shows the same error you excerpted above.

Expert Comment

by:Jay_Jay70
ID: 16504281
try running dcdiag /fix

Expert Comment

by:Jay_Jay70
ID: 16504282
and netdiag /fix

Author Comment

by:melevy
ID: 16504336
dcdiag /fix didn't seem to do anything; the error above persists. I can't seem to find netdiag. Where can I get it?

Expert Comment

by:Jay_Jay70
ID: 16504345

Author Comment

by:melevy
ID: 16504385
C:\Program Files\Support Tools>netdiag

......................................

    Computer Name: AFC-SERVER02
    DNS Host Name: afc-server02.anklenfoot.com
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel
    List of installed hotfixes :
        KB890046
        KB893756
        KB896358
        KB896422
        KB896424
        KB896428
        KB898715
        KB899587
        KB899588
        KB899589
        KB899591
        KB900725
        KB901017
        KB901214
        KB902400
        KB904706
        KB905414
        KB908519
        KB908531
        KB910437
        KB911562
        KB911567
        KB911927
        KB912812
        KB912919
        KB913446
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : afc-server02
        IP Address . . . . . . . . : 192.168.2.25
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.2.254
        Primary WINS Server. . . . : 192.168.1.10
        Dns Servers. . . . . . . . : 192.168.1.10


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{4113C3D6-36DB-4412-955A-1FCE13D26EBF}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.10' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{4113C3D6-36DB-4412-955A-1FCE13D26EBF}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{4113C3D6-36DB-4412-955A-1FCE13D26EBF}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'ANKLENFOOT' is to '\\AFC-SERVER01.anklenfoot.com'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

Expert Comment

by:Jay_Jay70
ID: 16504410
Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.

http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21751185.html

have a look at that see if it helps

i am worried about those netbinds

Author Comment

by:melevy
ID: 16513286
I did what that page suggested to no avail. I also demoted and re-promoted the machine with the same results. I'm a little mystified why DCDIAG reports "Could not find the domain controller for this domain" when it was a member server before promotion, and DCPROMO completed.

Author Comment

by:melevy
ID: 16513360
I ran DCDIAG on the original DC and found some interesting things:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\AFC-SERVER01
      Starting test: Connectivity
         ......................... AFC-SERVER01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\AFC-SERVER01
      Starting test: Replications
         REPLICATION LATENCY WARNING
         AFC-SERVER01: This replication path was preempted by higher priority work.
            from AFC-SERVER02 to AFC-SERVER01
            Reason: The replication operation failed because of a schema mismatch between the servers involved.
            The last success occurred at 2006-04-21 08:11:04.
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         AFC-SERVER01: This replication path was preempted by higher priority work.
            from AFC-SERVER02 to AFC-SERVER01
            Reason: The replication operation failed because of a schema mismatch between the servers involved.
            The last success occurred at 2006-04-21 08:11:04.
            Replication of new changes along this path will be delayed.
         REPLICATION-RECEIVED LATENCY WARNING
         AFC-SERVER01:  Current time is 2006-04-21 22:17:17.
            CN=Configuration,DC=anklenfoot,DC=com
               Last replication recieved from AFC-SERVER02 at 2006-04-21 08:11:04.
         ......................... AFC-SERVER01 passed test Replications
      Starting test: NCSecDesc
         ......................... AFC-SERVER01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... AFC-SERVER01 passed test NetLogons
      Starting test: Advertising
         ......................... AFC-SERVER01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... AFC-SERVER01 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... AFC-SERVER01 passed test RidManager
      Starting test: MachineAccount
         ......................... AFC-SERVER01 passed test MachineAccount
      Starting test: Services
         ......................... AFC-SERVER01 passed test Services
      Starting test: ObjectsReplicated
         ......................... AFC-SERVER01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... AFC-SERVER01 passed test frssysvol
      Starting test: frsevent
         ......................... AFC-SERVER01 passed test frsevent
      Starting test: kccevent
         ......................... AFC-SERVER01 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x0000044E
            Time Generated: 04/21/2006   22:16:56
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000044E
            Time Generated: 04/21/2006   22:16:56
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000044E
            Time Generated: 04/21/2006   22:16:58
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000044E
            Time Generated: 04/21/2006   22:17:01
            (Event String could not be retrieved)
         ......................... AFC-SERVER01 failed test systemlog
      Starting test: VerifyReferences
         ......................... AFC-SERVER01 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : anklenfoot
      Starting test: CrossRefValidation
         ......................... anklenfoot passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... anklenfoot passed test CheckSDRefDom

   Running enterprise tests on : anklenfoot.com
      Starting test: Intersite
         ......................... anklenfoot.com passed test Intersite
      Starting test: FsmoCheck
         ......................... anklenfoot.com passed test FsmoCheck



How do I go about matching up the schemas?


Expert Comment

by:Jay_Jay70
ID: 16513387
mismatched schemas! hmmmmm

you confirmed that you ran forestprep on the first DC and it confirmed.......

check sites and services, have you got multi sites setup and are DC's registered in the correct sites?

Author Comment

by:melevy
ID: 16513403
Yes, I've checked that. Only one site, and it lists both DC's

Here's what I get when I run ADPREP on the original DC:

ADPREP WARNING:

Before running adprep, all Windows 2000 domain controllers in the forest should
be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows
2000 SP2 (or later).

QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.

For more information about preparing your forest and domain see KB article Q331161 at http://support.microsoft.com.

Running /domainprep & /gpprep give the same results.

[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.


c
Forest-wide information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.


Author Comment

by:melevy
ID: 16513407
I should mention that this version of ADPREP was obtained from disk2 of the W2K3 R2 CD set.

Accepted Solution

by:
Jay_Jay70 earned 1000 total points
ID: 16513426
clear all your event viewers for me

then run the diag again

if the mismatch error comes again read this and see if it looks familiar...
http://support.microsoft.com/default.aspx?scid=kb;en-us;307323