Failed DC Restored - not trusted
Hi, I have two domain controllers, One had a hard disk crash and has been brought back to life. Since then, we have also done a system state restore to return the server to a working state.
The problem:
- The DC's don't trust each other.
- I can not even DCPROMO the server that failed back down to a memner server.
Here is a net diag from the machine that experienced the failure:
..........................
Computer Name: SVR-MAIL
DNS Host Name: svr-mail.pigroup.co.za
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 3, GenuineIntel
List of installed hotfixes :
long list - been removed
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : 1GB TOP
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : svr-mail
IP Address . . . . . . . . : 192.168.30.15
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.30.254
Primary WINS Server. . . . : 192.168.30.30
Dns Servers. . . . . . . . : 192.168.30.30
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{7586C4D4-818A
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
[FIX] re-register DC DNS entry 'pigroup.co.za.' on DNS server '192.168.30.30' succeed.
FIX PASS - netdiag re-registered missing DNS entries for this DC successfully on DNS server '192.168.30.30'.
[FATAL] No DNS servers have the DNS records for this DC registered.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{7586C4D4-818A
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{7586C4D4-818A
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'PIGROUP' is broken. [ERROR_ACCESS_DENIED]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/svr-mail.pigroup.co.z
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
If you need, I can send you the Netdiag from the other side.
Regardsm
M
The problem:
- The DC's don't trust each other.
- I can not even DCPROMO the server that failed back down to a memner server.
Here is a net diag from the machine that experienced the failure:
..........................
Computer Name: SVR-MAIL
DNS Host Name: svr-mail.pigroup.co.za
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 3, GenuineIntel
List of installed hotfixes :
long list - been removed
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : 1GB TOP
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : svr-mail
IP Address . . . . . . . . : 192.168.30.15
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.30.254
Primary WINS Server. . . . : 192.168.30.30
Dns Servers. . . . . . . . : 192.168.30.30
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{7586C4D4-818A
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
[FIX] re-register DC DNS entry 'pigroup.co.za.' on DNS server '192.168.30.30' succeed.
FIX PASS - netdiag re-registered missing DNS entries for this DC successfully on DNS server '192.168.30.30'.
[FATAL] No DNS servers have the DNS records for this DC registered.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{7586C4D4-818A
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{7586C4D4-818A
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'PIGROUP' is broken. [ERROR_ACCESS_DENIED]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/svr-mail.pigroup.co.z
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
If you need, I can send you the Netdiag from the other side.
Regardsm
M
ASKER
I have had no sleep for 36 hours now because of this server. Please help.
This server appears to have more than one NIC. Move the internal (LAN - side) NIC to the top of the binding order.
You might want to take a look at this - http://support.microsoft.com/default.aspx?scid=kb;en-us;329860
Is the dnsdiag showing everything ok? Are all your srv records ok? When you did the system state restore did you do a non-authoritive restore?
Is the dnsdiag showing everything ok? Are all your srv records ok? When you did the system state restore did you do a non-authoritive restore?
ASKER
No... it is also complaining... it can not replicate from the other server... it does not even show the zone that it should have.... I have pointed this server's DNS address to the working server.
ASKER
DNS Event log error:
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
Did you check the binding order? Services bound to the wrong NIC will cause all kinds of errors.
ASKER
Yes... No change... the problem is that this server crashed and I had to restore a system state of a few days ago. The server is running fine, but not communicating correctly with the other DC on the network.
THe server's second nic is disabled.
THe server's second nic is disabled.
Is the time now synchronized with the other server?
A backup from a few days out shouldn't be a big deal. Make sure you have everything pointing to your good DNS server. Replication should do the rest.
Where are all the FSMO roles? Were they on this box?
How about the Global Catalog?
A backup from a few days out shouldn't be a big deal. Make sure you have everything pointing to your good DNS server. Replication should do the rest.
Where are all the FSMO roles? Were they on this box?
How about the Global Catalog?
ASKER
mass2612, I followed the KB you sent and all the settings were in place as they should have been. The server was and always was in the DC OU. The calue in ADSI was as expected and then the kicker... I got an access denied when I ran the nltest utill... so no changes were made.
NOW what....
NOW what....
ASKER
FSMO's are all on the other box...
this box was mail server and the other SQL (ENT) server
Both servers are GC's
this box was mail server and the other SQL (ENT) server
Both servers are GC's
Ok, that much is good.
I suspect that SYSVOL has not yet shared out since it should have detected that it's out of date. What types of errors are in the Event Logs - netdiag and Dcdiag are fine when there is little wrong, but when there is bigger problems it fails on just about everything - giving you the impression that there are many issues when there might only be one.
Post some of the errors from Application and System.
I suspect that SYSVOL has not yet shared out since it should have detected that it's out of date. What types of errors are in the Event Logs - netdiag and Dcdiag are fine when there is little wrong, but when there is bigger problems it fails on just about everything - giving you the impression that there are many issues when there might only be one.
Post some of the errors from Application and System.
ASKER
System Log
Event ID 29 => w32time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.
**************************
FRS LOG
Event ID 13565
File Replication Service is initializing the system volume with data from another domain controller. Computer SVR-MAIL cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
To check for the SYSVOL share, at the command prompt, type:
net share
**************************
DNS Log
Event ID 4000
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
**************************
Directory Service Log
Event ID: 1864
This is the replication status for the following directory partition on the local domain controller.
Directory partition:
DC=ForestDnsZones,DC=pigro
The local domain controller has not recently received replication information from a number of domain controllers. The count of domain controllers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
60
Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the domain controllers by name, install the support tools included on the installation CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest. The command is "repadmin /showvector /latency <partition-dn>".
**************************
Application Log
Event ID: 1053
Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted.
**************************
Event ID 29 => w32time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.
**************************
FRS LOG
Event ID 13565
File Replication Service is initializing the system volume with data from another domain controller. Computer SVR-MAIL cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
To check for the SYSVOL share, at the command prompt, type:
net share
**************************
DNS Log
Event ID 4000
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
**************************
Directory Service Log
Event ID: 1864
This is the replication status for the following directory partition on the local domain controller.
Directory partition:
DC=ForestDnsZones,DC=pigro
The local domain controller has not recently received replication information from a number of domain controllers. The count of domain controllers is shown, divided into the following intervals.
More than 24 hours:
1
More than a week:
1
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
60
Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the domain controllers by name, install the support tools included on the installation CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest. The command is "repadmin /showvector /latency <partition-dn>".
**************************
Application Log
Event ID: 1053
Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted.
**************************
Was the system state you restored older than 2 weeks? If so, the server is tombstoned (=kicked off the domain because it's not reported back too long). Rather than seeing this on the recovered server, you should hunt for errors on the remaining DC's.
When it turns out the recovered server has been tombstoned, you'll need to reinstall the DC (and manually remove references to the old dc from AD)
When it turns out the recovered server has been tombstoned, you'll need to reinstall the DC (and manually remove references to the old dc from AD)
OK, like I thought, the SYSVOL is not yet shared. This will throw all sorts of errors until it is.
I also mentioned about the time on those servers. Make sure they are correctly set - once they are, replication should start.
I also mentioned about the time on those servers. Make sure they are correctly set - once they are, replication should start.
ASKER
T's OK, I have solve the problem with the following MS KB
http://support.microsoft.com/kb/315457/en-us
Thanx for the help anyway.
Regards
M
:)
http://support.microsoft.com/kb/315457/en-us
Thanx for the help anyway.
Regards
M
:)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: People-Integrated-Midrand\
Starting test: Connectivity
......................... SVR-MAIL passed test Connectivity
Doing primary tests
Testing server: People-Integrated-Midrand\
Starting test: Replications
[Replications Check,SVR-MAIL] A recent replication attempt failed:
From SVR-ENT to SVR-MAIL
Naming Context: DC=ForestDnsZones,DC=pigro
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2006-06-23 02:58:24.
The last success occurred at 2006-06-15 11:48:26.
13 failures have occurred since the last success.
[Replications Check,SVR-MAIL] A recent replication attempt failed:
From SVR-ENT to SVR-MAIL
Naming Context: DC=DomainDnsZones,DC=pigro
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2006-06-23 02:58:24.
The last success occurred at 2006-06-15 11:48:26.
13 failures have occurred since the last success.
[Replications Check,SVR-MAIL] A recent replication attempt failed:
From SVR-ENT to SVR-MAIL
Naming Context: CN=Schema,CN=Configuration
The replication generated an error (5):
Access is denied.
The failure occurred at 2006-06-23 02:58:25.
The last success occurred at 2006-06-15 11:48:26.
13 failures have occurred since the last success.
[Replications Check,SVR-MAIL] A recent replication attempt failed:
From SVR-ENT to SVR-MAIL
Naming Context: CN=Configuration,DC=pigrou
The replication generated an error (5):
Access is denied.
The failure occurred at 2006-06-23 02:58:24.
The last success occurred at 2006-06-15 12:26:12.
13 failures have occurred since the last success.
[Replications Check,SVR-MAIL] A recent replication attempt failed:
From SVR-ENT to SVR-MAIL
Naming Context: DC=pigroup,DC=co,DC=za
The replication generated an error (5):
Access is denied.
The failure occurred at 2006-06-23 02:58:24.
The last success occurred at 2006-06-15 12:31:19.
13 failures have occurred since the last success.
REPLICATION-RECEIVED LATENCY WARNING
SVR-MAIL: Current time is 2006-06-23 03:18:26.
DC=ForestDnsZones,DC=pigro
Last replication recieved from SVR-ENT at 2006-06-15 11:48:26.
DC=DomainDnsZones,DC=pigro
Last replication recieved from SVR-ENT at 2006-06-15 11:48:26.
CN=Schema,CN=Configuration
Last replication recieved from SVR-ENT at 2006-06-15 11:48:26.
CN=Configuration,DC=pigrou
Last replication recieved from SVR-ENT at 2006-06-15 12:26:11.
DC=pigroup,DC=co,DC=za
Last replication recieved from SVR-ENT at 2006-06-15 12:31:19.
......................... SVR-MAIL passed test Replications
Starting test: NCSecDesc
......................... SVR-MAIL passed test NCSecDesc
Starting test: NetLogons
......................... SVR-MAIL passed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\svr-ent.pigroup.co.za, when we were trying to reach SVR-MAIL.
Server is not responding or is not considered suitable.
......................... SVR-MAIL failed test Advertising
Starting test: KnowsOfRoleHolders
......................... SVR-MAIL passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SVR-MAIL passed test RidManager
Starting test: MachineAccount
......................... SVR-MAIL passed test MachineAccount
Starting test: Services
......................... SVR-MAIL passed test Services
Starting test: ObjectsReplicated
......................... SVR-MAIL passed test ObjectsReplicated
Starting test: frssysvol
......................... SVR-MAIL passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... SVR-MAIL failed test frsevent
Starting test: kccevent
......................... SVR-MAIL passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC25A001D
Time Generated: 06/23/2006 02:20:35
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC25A001D
Time Generated: 06/23/2006 02:39:19
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC25A001D
Time Generated: 06/23/2006 02:47:08
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/23/2006 02:56:52
Event String: The kerberos client received a
An Error Event occured. EventID: 0x00000C8A
Time Generated: 06/23/2006 03:02:28
Event String: This computer could not authenticate with
An Error Event occured. EventID: 0xC25A001D
Time Generated: 06/23/2006 03:05:53
(Event String could not be retrieved)
......................... SVR-MAIL failed test systemlog
Starting test: VerifyReferences
......................... SVR-MAIL passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : pigroup
Starting test: CrossRefValidation
......................... pigroup passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... pigroup passed test CheckSDRefDom
Running enterprise tests on : pigroup.co.za
Starting test: Intersite
......................... pigroup.co.za passed test Intersite
Starting test: FsmoCheck
......................... pigroup.co.za passed test FsmoCheck