Imtiyazma
asked on
Unable to establish connection with global catalog in win2k server
Hi,
I have two Windows 2k servers in my network. One is a Domain Controller with Active Directory installed on it and the other is an Exchange 2000 server installed on a Win2k server.
Yesterday, we had a new firewall installed in our network at the gateway to replace my ISA server. For the firewall installation we made some changes to DNS on the DC server and the Exchange server. After some time I found that my Active Directory is not working and gives an error when I try to create any object (users).
"Windows cannot create object because: The directory service has exhausted the pool of relative identifiers."
Now my email server is also not working, with the following error:
"Naming information cannot be located because: The specified domain either does not exist or could not be contacted".
Kindly give me some suggestions to resolve my issue, as this has happened on my live servers.
Thank you for your advice.
Imtiyaz.
ASKER
Hi,
I have had only one DC from the beginning, and even today. I have tried to add ADCs, which are now no more. Those servers I have formatted and used for other things.
Now I have been able to rectify my DNS problem. I can now run Nslookup, which gives the proper result. But I have noticed one strange thing: once I restart my DC I can open my Active Directory, but after some time it does not open and gives the following error.
"Naming information cannot be located because:
The specified domain either does not exist or could not be contacted."
Note: if I restart my DC then my Active Directory will open without this error.
On the DC, the system log gives this event: Source - SAM, Event ID - 16645
The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.
and in the Directory Service log: error - NTDS General - 1126
"Unable to establish connection with global catalog".
Please help me to resolve this.
Thanks for your help.
imtiyaz
Can you run dcdiag and netdiag on the DC? These are tools available on the Windows 2003 CD under the support tools cab file.
What service pack are you running?
ASKER
DCDIAG OUTPUT.
C:\>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\BILDC
Starting test: Connectivity
......................... BILDC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\BILDC
Starting test: Replications
[Replications Check,BILDC] A recent replication attempt failed:
From SITETESTSERVER to BILDC
Naming Context: CN=Schema,CN=Configuration,DC=Bukhatir,DC=ae
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failu
re.
The failure occurred at 2006-07-16 11:50.12.
The last success occurred at 2003-01-26 22:22.13.
30444 failures have occurred since the last success.
The guid-based DNS name a6cc409d-530f-441c-8bb8-f389b8954f25._msdcs.
Bukhatir.ae
is not registered on one or more DNS servers.
[SITETESTSERVER] DsBind() failed with error 1722,
The RPC server is unavailable..
[Replications Check,BILDC] A recent replication attempt failed:
From BILWEB to BILDC
Naming Context: CN=Schema,CN=Configuration,DC=Bukhatir,DC=ae
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failu
re.
The failure occurred at 2006-07-16 11:50.12.
The last success occurred at 2003-08-25 09:56.00.
25383 failures have occurred since the last success.
The guid-based DNS name ec3ee6b0-eee9-4ef5-9579-71230fe1383a._msdcs.
Bukhatir.ae
is not registered on one or more DNS servers.
[BILWEB] DsBind() failed with error 1722,
The RPC server is unavailable..
[Replications Check,BILDC] A recent replication attempt failed:
From SITETESTSERVER to BILDC
Naming Context: CN=Configuration,DC=Bukhatir,DC=ae
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failu
re.
The failure occurred at 2006-07-16 11:50.12.
The last success occurred at 2003-01-26 22:29.01.
30444 failures have occurred since the last success.
The guid-based DNS name a6cc409d-530f-441c-8bb8-f389b8954f25._msdcs.
Bukhatir.ae
is not registered on one or more DNS servers.
[Replications Check,BILDC] A recent replication attempt failed:
From BILWEB to BILDC
Naming Context: CN=Configuration,DC=Bukhatir,DC=ae
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failu
re.
The failure occurred at 2006-07-16 11:50.12.
The last success occurred at 2003-08-25 10:37.18.
25383 failures have occurred since the last success.
The guid-based DNS name ec3ee6b0-eee9-4ef5-9579-71230fe1383a._msdcs.
Bukhatir.ae
is not registered on one or more DNS servers.
[Replications Check,BILDC] A recent replication attempt failed:
From SITETESTSERVER to BILDC
Naming Context: DC=Bukhatir,DC=ae
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failu
re.
The failure occurred at 2006-07-16 11:50.12.
The last success occurred at 2003-01-26 22:28.31.
30444 failures have occurred since the last success.
The guid-based DNS name a6cc409d-530f-441c-8bb8-f389b8954f25._msdcs.
Bukhatir.ae
is not registered on one or more DNS servers.
[Replications Check,BILDC] A recent replication attempt failed:
From BILWEB to BILDC
Naming Context: DC=Bukhatir,DC=ae
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failu
re.
The failure occurred at 2006-07-16 11:50.12.
The last success occurred at 2003-08-25 10:40.20.
25383 failures have occurred since the last success.
The guid-based DNS name ec3ee6b0-eee9-4ef5-9579-71230fe1383a._msdcs.
Bukhatir.ae
is not registered on one or more DNS servers.
......................... BILDC passed test Replications
Starting test: NCSecDesc
......................... BILDC passed test NCSecDesc
Starting test: NetLogons
......................... BILDC passed test NetLogons
Starting test: Advertising
Fatal Error:DsGetDcName (BILDC) call failed, error 1355
The Locator could not find the server.
......................... BILDC failed test Advertising
Starting test: KnowsOfRoleHolders
......................... BILDC passed test KnowsOfRoleHolders
Starting test: RidManager
......................... BILDC passed test RidManager
Starting test: MachineAccount
......................... BILDC passed test MachineAccount
Starting test: Services
Could not open IISADMIN Service on [BILDC]:failed with 1060: The spe
cified service does not exist as an installed service.
Could not open SMTPSVC Service on [BILDC]:failed with 1060: The spec
ified service does not exist as an installed service.
......................... BILDC failed test Services
Starting test: ObjectsReplicated
......................... BILDC passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... BILDC passed test frssysvol
Starting test: kccevent
......................... BILDC passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00004105
Time Generated: 07/16/2006 10:53:48
(Event String could not be retrieved)
An Error Event occured. EventID: 0x8000003E
Time Generated: 07/16/2006 11:06:14
(Event String could not be retrieved)
An Error Event occured. EventID: 0x8000003E
Time Generated: 07/16/2006 11:51:29
(Event String could not be retrieved)
......................... BILDC failed test systemlog
Running enterprise tests on : Bukhatir.ae
Starting test: Intersite
......................... Bukhatir.ae passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... Bukhatir.ae failed test FsmoCheck
*************************************************************************************
Netdiag Output...........
C:\>netdiag
Computer Name: BILDC
DNS Host Name: bildc.Bukhatir.ae
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 11 Stepping 1, GenuineIntel
List of installed hotfixes :
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : bildc
IP Address . . . . . . . . : 192.168.168.11
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.168.13
Dns Servers. . . . . . . . : 192.168.168.11
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{6E80442D-61C7-480F-8511-F166C93A2A33}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.168.11'.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{6E80442D-61C7-480F-8511-F166C93A2A33}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{6E80442D-61C7-480F-8511-F166C93A2A33}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
DC '\\bildc.Bukhatir.ae' isn't running the DS. Cannot test LDAP.
[WARNING] Failed to query SPN registration on DC 'bildc.Bukhatir.ae'.
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.
The command completed successfully
C:\>
*************************************************************************************
In the above DCDIAG you can find SITESERVER AND BILWEB. These servers I had added as ADCs, which are not available now....
Thanks for your help.
imtiyaz.
What do you mean by "ADC"?
ASKER
Additional Domain Controller......
ASKER
Thank you, friends,
I have got my problem rectified and now my DC and mail server are working fine and I can also create objects successfully.
I went through AD Sites and Services and removed the old non-existent DCs from the list, which I had added long ago. After this I restarted the server, and my problem got rectified.
Thanks to Mr. mass2612.
Imtiyaz.
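The dcdiag run posted above ends its Replications test with "passed" even though both inbound partners have been failing since 2003, and those are the servers whose removal fixed the problem. As an added example (not part of the original thread), this Python script parses dcdiag text and reports failed tests, locator errors and replication partners whose last success is older than an assumed 60-day threshold (the Windows 2000 default tombstone lifetime). The sample is abridged from the output above with wrapped lines re-joined; the function names are hypothetical.

```python
import re
from datetime import datetime

STAMP = "%Y-%m-%d %H:%M.%S"   # dcdiag prints timestamps like "2006-07-16 11:50.12"
TOMBSTONE_DAYS = 60           # assumed threshold: Windows 2000 default tombstone lifetime

# Abridged from the dcdiag output posted in this thread (wrapped lines re-joined).
SAMPLE = """\
Testing server: Default-First-Site-Name\\BILDC
Starting test: Replications
[Replications Check,BILDC] A recent replication attempt failed:
From SITETESTSERVER to BILDC
Naming Context: CN=Schema,CN=Configuration,DC=Bukhatir,DC=ae
The replication generated an error (8524):
The failure occurred at 2006-07-16 11:50.12.
The last success occurred at 2003-01-26 22:22.13.
30444 failures have occurred since the last success.
[Replications Check,BILDC] A recent replication attempt failed:
From BILWEB to BILDC
Naming Context: DC=Bukhatir,DC=ae
The replication generated an error (8524):
The failure occurred at 2006-07-16 11:50.12.
The last success occurred at 2003-08-25 10:40.20.
25383 failures have occurred since the last success.
......................... BILDC passed test Replications
Starting test: Advertising
Fatal Error:DsGetDcName (BILDC) call failed, error 1355
......................... BILDC failed test Advertising
Starting test: RidManager
......................... BILDC passed test RidManager
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
......................... Bukhatir.ae failed test FsmoCheck
"""

def parse_dcdiag(text):
    """Return (failed_tests, locator_errors, replication_failures)."""
    failed_tests, locator_errors, repl = [], [], []
    cur = None  # replication failure block currently being filled in
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"From (\S+) to (\S+)$", line):
            cur = {"source": m[1], "dest": m[2]}
            repl.append(cur)
        elif m := re.match(r"\.+ (\S+) (passed|failed) test (\S+)$", line):
            cur = None  # a summary line closes the current test
            if m[2] == "failed":
                failed_tests.append(m[3])
        elif m := re.search(r"D[sc]GetDcName\s*\((\w+)\) call failed, error (\d+)", line):
            locator_errors.append((m[1], int(m[2])))
        elif cur is not None:
            if m := re.match(r"Naming Context: (.+)$", line):
                cur["nc"] = m[1]
            elif m := re.match(r"The replication generated an error \((\d+)\)", line):
                cur["error"] = int(m[1])
            elif m := re.match(r"The (failure|last success) occurred at (.+?)\.$", line):
                cur[m[1]] = datetime.strptime(m[2], STAMP)
            elif m := re.match(r"(\d+) failures have occurred", line):
                cur["count"] = int(m[1])
    return failed_tests, locator_errors, repl

def stale_partners(repl, max_age_days=TOMBSTONE_DAYS):
    """Map each source DC to whole days since its most recent success, if over the threshold."""
    newest = {}
    for r in repl:
        if "failure" not in r or "last success" not in r:
            continue  # incomplete block, nothing to compare
        age = (r["failure"] - r["last success"]).days
        newest[r["source"]] = min(age, newest.get(r["source"], age))
    return {dc: age for dc, age in newest.items() if age > max_age_days}

if __name__ == "__main__":
    failed, locator, repl = parse_dcdiag(SAMPLE)
    print("Failed tests:", ", ".join(failed))
    for flag, code in locator:
        print(f"Locator call failed: {flag} (error {code})")
    for dc, age in stale_partners(repl).items():
        print(f"Partner {dc}: no successful replication for {age} days")
```
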
What changes did you make in the DNS and DC config? How many domain controllers do you have? Have you turned any DCs off or disconnected them? It sounds like you have done something that is causing the FSMO roles not to be found. These roles are responsible for certain functions within AD and are only run on one domain controller per forest or domain.
The RID FSMO role (relative ID master) is responsible for assigning unique ID numbers to objects when they are created in the domain. Now it is theoretically possible to run out of unique IDs, but this is very rare and you would have received an error to the fact that you were nearly out of IDs in the event log. Therefore the first thing you need to do is find which servers are holding these roles - http://www.petri.co.il/determining_fsmo_role_holders.htm
http://support.microsoft.com/kb/255690/
If you need to, you can transfer these roles via NTDSUtil - http://support.microsoft.com/?id=255504. Make sure you understand the concept before seizing any roles, as you should only seize a role if you will not be bringing the original holder back online.