Solved

Failed DC Restored - not trusted

Posted on 2006-06-22
Last Modified: 2010-04-18
Hi, I have two domain controllers. One had a hard disk crash and has been brought back to life. Since then, we have also done a system state restore to return the server to a working state.

The problem:
- The DCs don't trust each other.
- I cannot even DCPROMO the server that failed back down to a member server.

Here is a net diag from the machine that experienced the failure:

.......................................

    Computer Name: SVR-MAIL
    DNS Host Name: svr-mail.pigroup.co.za
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 3, GenuineIntel
    List of installed hotfixes :
long list - been removed

Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : 1GB TOP

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : svr-mail
        IP Address . . . . . . . . : 192.168.30.15
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.30.254
        Primary WINS Server. . . . : 192.168.30.30
        Dns Servers. . . . . . . . : 192.168.30.30


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{7586C4D4-818A-41A1-AAC1-03CC95420498}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
    [FIX] re-register DC DNS entry 'pigroup.co.za.' on DNS server '192.168.30.30' succeed.
    FIX PASS - netdiag re-registered missing DNS entries for this DC successfully on DNS server '192.168.30.30'.
    [FATAL] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{7586C4D4-818A-41A1-AAC1-03CC95420498}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{7586C4D4-818A-41A1-AAC1-03CC95420498}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'PIGROUP' is broken. [ERROR_ACCESS_DENIED]


Kerberos test. . . . . . . . . . . : Failed
        [FATAL] Kerberos does not have a ticket for host/svr-mail.pigroup.co.za.


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

If you need, I can send you the Netdiag from the other side.

Regards
M
Question by:itcoza
18 Comments

Author Comment by:itcoza (ID: 16965282)
Here is the DC DIAG from the same server:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: People-Integrated-Midrand\SVR-MAIL
      Starting test: Connectivity
         ......................... SVR-MAIL passed test Connectivity

Doing primary tests
   
   Testing server: People-Integrated-Midrand\SVR-MAIL
      Starting test: Replications
         [Replications Check,SVR-MAIL] A recent replication attempt failed:
            From SVR-ENT to SVR-MAIL
            Naming Context: DC=ForestDnsZones,DC=pigroup,DC=co,DC=za
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2006-06-23 02:58:24.
            The last success occurred at 2006-06-15 11:48:26.
            13 failures have occurred since the last success.
         [Replications Check,SVR-MAIL] A recent replication attempt failed:
            From SVR-ENT to SVR-MAIL
            Naming Context: DC=DomainDnsZones,DC=pigroup,DC=co,DC=za
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2006-06-23 02:58:24.
            The last success occurred at 2006-06-15 11:48:26.
            13 failures have occurred since the last success.
         [Replications Check,SVR-MAIL] A recent replication attempt failed:
            From SVR-ENT to SVR-MAIL
            Naming Context: CN=Schema,CN=Configuration,DC=pigroup,DC=co,DC=za
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-06-23 02:58:25.
            The last success occurred at 2006-06-15 11:48:26.
            13 failures have occurred since the last success.
         [Replications Check,SVR-MAIL] A recent replication attempt failed:
            From SVR-ENT to SVR-MAIL
            Naming Context: CN=Configuration,DC=pigroup,DC=co,DC=za
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-06-23 02:58:24.
            The last success occurred at 2006-06-15 12:26:12.
            13 failures have occurred since the last success.
         [Replications Check,SVR-MAIL] A recent replication attempt failed:
            From SVR-ENT to SVR-MAIL
            Naming Context: DC=pigroup,DC=co,DC=za
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-06-23 02:58:24.
            The last success occurred at 2006-06-15 12:31:19.
            13 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         SVR-MAIL:  Current time is 2006-06-23 03:18:26.
            DC=ForestDnsZones,DC=pigroup,DC=co,DC=za
               Last replication recieved from SVR-ENT at 2006-06-15 11:48:26.
            DC=DomainDnsZones,DC=pigroup,DC=co,DC=za
               Last replication recieved from SVR-ENT at 2006-06-15 11:48:26.
            CN=Schema,CN=Configuration,DC=pigroup,DC=co,DC=za
               Last replication recieved from SVR-ENT at 2006-06-15 11:48:26.
            CN=Configuration,DC=pigroup,DC=co,DC=za
               Last replication recieved from SVR-ENT at 2006-06-15 12:26:11.
            DC=pigroup,DC=co,DC=za
               Last replication recieved from SVR-ENT at 2006-06-15 12:31:19.
         ......................... SVR-MAIL passed test Replications
      Starting test: NCSecDesc
         ......................... SVR-MAIL passed test NCSecDesc
      Starting test: NetLogons
         ......................... SVR-MAIL passed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\svr-ent.pigroup.co.za, when we were trying to reach SVR-MAIL.
         Server is not responding or is not considered suitable.
         ......................... SVR-MAIL failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SVR-MAIL passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SVR-MAIL passed test RidManager
      Starting test: MachineAccount
         ......................... SVR-MAIL passed test MachineAccount
      Starting test: Services
         ......................... SVR-MAIL passed test Services
      Starting test: ObjectsReplicated
         ......................... SVR-MAIL passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SVR-MAIL passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SVR-MAIL failed test frsevent
      Starting test: kccevent
         ......................... SVR-MAIL passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC25A001D
            Time Generated: 06/23/2006   02:20:35
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC25A001D
            Time Generated: 06/23/2006   02:39:19
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC25A001D
            Time Generated: 06/23/2006   02:47:08
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 06/23/2006   02:56:52
            Event String: The kerberos client received a

         An Error Event occured.  EventID: 0x00000C8A
            Time Generated: 06/23/2006   03:02:28
            Event String: This computer could not authenticate with

         An Error Event occured.  EventID: 0xC25A001D
            Time Generated: 06/23/2006   03:05:53
            (Event String could not be retrieved)
         ......................... SVR-MAIL failed test systemlog
      Starting test: VerifyReferences
         ......................... SVR-MAIL passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : pigroup
      Starting test: CrossRefValidation
         ......................... pigroup passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... pigroup passed test CheckSDRefDom
   
   Running enterprise tests on : pigroup.co.za
      Starting test: Intersite
         ......................... pigroup.co.za passed test Intersite
      Starting test: FsmoCheck
         ......................... pigroup.co.za passed test FsmoCheck

Author Comment by:itcoza (ID: 16965286)
I have had no sleep for 36 hours now because of this server.  Please help.

Expert Comment by:Netman66 (ID: 16965305)
This server appears to have more than one NIC.  Move the internal (LAN-side) NIC to the top of the binding order.

Expert Comment by:mass2612 (ID: 16965318)
You might want to take a look at this - http://support.microsoft.com/default.aspx?scid=kb;en-us;329860

Is the dnsdiag showing everything OK? Are all your SRV records OK? When you did the system state restore, did you do a non-authoritative restore?

Author Comment by:itcoza (ID: 16965326)
No... it is also complaining... it cannot replicate from the other server... it does not even show the zone that it should have... I have pointed this server's DNS address to the working server.

Author Comment by:itcoza (ID: 16965332)
DNS Event log error:

The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Expert Comment by:Netman66 (ID: 16965354)
Did you check the binding order?  Services bound to the wrong NIC will cause all kinds of errors.

Author Comment by:itcoza (ID: 16965384)
Yes... No change... the problem is that this server crashed and I had to restore a system state of a few days ago.  The server is running fine, but not communicating correctly with the other DC on the network.

The server's second NIC is disabled.
Expert Comment by:Netman66 (ID: 16965397)
Is the time now synchronized with the other server?

A backup from a few days out shouldn't be a big deal.  Make sure you have everything pointing to your good DNS server.  Replication should do the rest.

Where are all the FSMO roles? Were they on this box?

How about the Global Catalog?

Author Comment by:itcoza (ID: 16965400)
mass2612, I followed the KB you sent and all the settings were in place as they should have been. The server was and always was in the DC OU. The value in ADSI was as expected, and then the kicker... I got an access denied when I ran the nltest util... so no changes were made.

NOW what....

Author Comment by:itcoza (ID: 16965405)
FSMOs are all on the other box...
This box was the mail server and the other the SQL (ENT) server.
Both servers are GCs.

Expert Comment by:Netman66 (ID: 16965420)
Ok, that much is good.

I suspect that SYSVOL has not yet shared out, since it should have detected that it's out of date.  What types of errors are in the Event Logs?  netdiag and dcdiag are fine when there is little wrong, but when there are bigger problems they fail on just about everything, giving you the impression that there are many issues when there might only be one.

Post some of the errors from Application and System.

Author Comment by:itcoza (ID: 16965478)
System Log
Event ID 29 => w32time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.
**************************
FRS LOG
Event ID 13565
File Replication Service is initializing the system volume with data from another domain controller. Computer SVR-MAIL cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
 
To check for the SYSVOL share, at the command prompt, type:
net share
**************************
DNS Log
Event ID 4000
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
**************************
Directory Service Log
Event ID: 1864
This is the replication status for the following directory partition on the local domain controller.
 
Directory partition:
DC=ForestDnsZones,DC=pigroup,DC=co,DC=za
 
The local domain controller has not recently received replication information from a number of domain controllers.   The count of domain controllers is shown, divided into the following intervals.
 
More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
60
 Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 
To identify the domain controllers by name, install the support tools included on the installation  CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest.   The command is "repadmin /showvector /latency <partition-dn>".
**************************
Application Log
Event ID: 1053
Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted.
**************************
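As an added example (not code from the thread, from Microsoft's tools, or from any of the posters): a small Python triage script that parses the "[Replications Check]" blocks from the dcdiag output posted earlier, groups each failure by its Win32 error code (5 = access denied, the same secure-channel symptom netdiag reports; 1256 = remote system not available) and measures how long each naming context has gone without a successful inbound replication against the 60-day tombstone lifetime reported by Event 1864 in this post. The sample input is a constructed excerpt modelled on that dcdiag output, and the "current time" passed to `assess` is the one dcdiag printed in its latency warning.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt, trimmed from the dcdiag "Replications" output posted in the thread.
DCDIAG_SAMPLE = """\
         [Replications Check,SVR-MAIL] A recent replication attempt failed:
            From SVR-ENT to SVR-MAIL
            Naming Context: DC=ForestDnsZones,DC=pigroup,DC=co,DC=za
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2006-06-23 02:58:24.
            The last success occurred at 2006-06-15 11:48:26.
         [Replications Check,SVR-MAIL] A recent replication attempt failed:
            From SVR-ENT to SVR-MAIL
            Naming Context: DC=pigroup,DC=co,DC=za
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2006-06-23 02:58:24.
            The last success occurred at 2006-06-15 12:31:19.
"""
TOMBSTONE_LIFETIME_DAYS = 60  # as reported by Event 1864 in the thread
TS = "%Y-%m-%d %H:%M:%S"      # timestamp layout dcdiag uses

# One match per failure block; group names follow the dcdiag wording.
BLOCK_RE = re.compile(
    r"From (?P<src>\S+) to (?P<dst>\S+)\s*\n"
    r"\s*Naming Context: (?P<nc>\S+)\s*\n"
    r"\s*The replication generated an error \((?P<code>\d+)\):\s*\n"
    r"\s*(?P<msg>[^\n]+?)\s*\n"
    r"\s*The failure occurred at \S+ \S+\.\s*\n"
    r"\s*The last success occurred at (?P<ok>\S+ \S+)\.")

# Win32 codes seen in the thread: 5 = access denied (secure channel / Kerberos),
# 1256 = remote system not available (name resolution / transport); grouped by what to check first.
CATEGORY = {5: "authentication", 1256: "connectivity"}
# The intervals Event 1864 reports, widest first; the tombstone entry is prepended per call.
BUCKETS = [("more than two months", timedelta(days=60)), ("more than one month", timedelta(days=30)),
           ("more than a week", timedelta(weeks=1)), ("more than 24 hours", timedelta(hours=24))]

def parse_replication_failures(text):
    """Return one dict per failed replication attempt found in dcdiag output."""
    found = [m.groupdict() for m in BLOCK_RE.finditer(text)]
    for d in found:
        d["code"], d["ok"] = int(d["code"]), datetime.strptime(d["ok"], TS)
    return found

def staleness_bucket(age, tombstone_days):
    """Widest Event-1864-style interval that the partition's replication age exceeds."""
    for label, limit in [("more than a tombstone lifetime", timedelta(days=tombstone_days))] + BUCKETS:
        if age > limit:
            return label
    return "current"

def assess(failures, now, tombstone_days=TOMBSTONE_LIFETIME_DAYS):
    """Per naming context: failure category, age since last success, and tombstone exposure."""
    now = datetime.strptime(now, TS)  # e.g. the "Current time is ..." line dcdiag prints
    report = []
    for f in failures:
        age = now - f["ok"]
        report.append({"nc": f["nc"], "code": f["code"], "category": CATEGORY.get(f["code"], "other"),
                       "age_days": age.days, "bucket": staleness_bucket(age, tombstone_days),
                       "tombstone_risk": age >= timedelta(days=tombstone_days)})
    return report
```

Run against a full dcdiag capture, an "authentication" row points at the secure channel (the nltest/KB 315457 path taken in this thread), while a "tombstone_risk" of True means the restored DC should not be trusted to replicate at all and needs the reinstall-and-clean-up route Redwulf__53 describes.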

Expert Comment by:Redwulf__53 (ID: 16967079)
Was the system state you restored older than 2 weeks? If so, the server is tombstoned (i.e. kicked off the domain because it hasn't reported back for too long). Rather than looking at this on the recovered server, you should hunt for errors on the remaining DCs.
When it turns out the recovered server has been tombstoned, you'll need to reinstall the DC (and manually remove references to the old DC from AD).

Expert Comment by:Netman66 (ID: 16967744)
OK, like I thought, the SYSVOL is not yet shared.  This will throw all sorts of errors until it is.

I also mentioned about the time on those servers.  Make sure they are correctly set - once they are, replication should start.

Author Comment by:itcoza (ID: 16970246)
It's OK, I have solved the problem with the following MS KB:
http://support.microsoft.com/kb/315457/en-us
Thanks for the help anyway.

Regards
M
:)

Accepted Solution by:GhostMod, Community Support Moderator (earned 0 total points, ID: 17021920)
Closed, 500 points refunded.