Active Directory HELP, Can't add any DCs to new Domain, Directory Binding Error -2146892976
Posted on 2006-11-24
Hello, I need some help!
Today we began our domain upgrade from NT4 to 2003 R2. We went through ALL the motions testing EVERYTHING prior to this: all hardware, DNS services and so on.
So we ran the upgrade and it worked quite well; no errors reported or anything like that. Here is the process I went through. We bought all new hardware to act as our new DC, which will also run WINS, DHCP, DNS and AD. Installed 2003 R2 64-bit and also set up our DNS server on this unit; we then switched the whole domain over to that DNS server. We then set up an older unit in the NT4 domain, promoted it to PDC and upgraded it in place. NO issues whatsoever: Active Directory in mixed mode, and we also had the NT4 emulator on just in case we needed to go backwards to NT4 if it didn't work. So with everything up and working we moved on to step two.
Which would be adding another DC, specifically the new hardware. We planned to add that as a DC and then transfer all services and roles to it. This is where it gets troublesome. So I try to add the service with Server Manager, and I get to the authentication screen and bam, error. It lists that it is able to get the DC from DNS just fine, but then goes on to say this may be caused either by missing A records or by the DC not being connected to the network, neither of which, I don't believe, is correct anyway. To test this I used nslookup with both the IP and the name of the DC and it resolved fine. So I'm stumped.
I then went to another one of our Server 2003 boxes and tried to make it a DC, just in case it was the new hardware. Nope, same issue and same error message during authentication.
I ran DCDIAG and have the following errors. I have tried to find info on them but have found very little so far.
During initial setup it tries to connect to the directory service and gives me the following warning.
Warning: could not confirm the identity of this server in the directory versus the names returned by the DNS server. If there are problems accessing this directory server then you may need to check that this server is correctly registered with DNS.
Directory Binding Error -2146892976 The system detected a possible attempt to compromise security. Please make sure you can contact the server that authenticated you.
Then it moves on to the actual tests (the above was the info-gathering stage of DCDIAG):
Active Directory LDAP services .. Check
Active Directory RPC services .. Check
[servername]DSBINDWITHSPNEX() failed with error -2146892976 The system detected a possible attempt to compromise security. Please make sure you can contact the server that authenticated you.
Failed test connectivity
Doing primary tests
Testing server: Default-first-site-name /servername
skipping all tests because the server (servername) is not responding to directory service requests.
Those are my results from DCDIAG.exe (truncated to show only the errors; other items were there and did pass, but it didn't come close to running all the tests). Doesn't sound good to me. I am unsure what to do next.
So my other helper said let's set up the DNS on the same server we upgraded, making it Active Directory-integrated DNS, and see if that helps our cause. So we stopped the DNS server and deleted that DNS setup, set up DNS on the upgraded DC and pointed everything to that DNS server instead.
Went back to the new hardware and tried to make it a DC again, but no dice. Same errors as before.
Something is causing me a major pain and I am not sure where to go next.
The clients seem to be logging on OK and DHCP is working correctly as well, so there seems to be no issue with the DC other than the fact that I can't move my services to the new hardware. At least so far... Maybe not soon...
The only real option I can think of is taking the upgraded DC offline and setting up the WHOLE domain again, which is no small undertaking. I have 10 servers and about 70 clients, so doing this would mean touching each machine, as opposed to using the upgrade process where I wouldn't need to touch any of them.
Could I move any of that Active Directory info to my other machine to rebuild it or something?
Any help is GREATLY appreciated. Hopefully a suggestion on what I should do would be helpful.
Lastly, going back to NT4 really ISN'T an option for reasons I can't get into! So please think in terms of saving what I have so far, etc.
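An added example, not from the original post, that does the first thing a practitioner would do with that DCDIAG output: decode the signed error -2146892976 into its HRESULT fields (0x80090350, facility 9 = SSPI, which winerror.h names SEC_E_DOWNGRADE_DETECTED) and list the failed tests, which locates the failure in the SSPI/Kerberos bind (DsBindWithSpnEx) between the new box and the upgraded DC rather than in A-record resolution. The sample output is constructed from the lines quoted above; the HRESULT name is taken from winerror.h.

```python
import re

# Assumption: the name for 0x80090350 is taken from winerror.h.
KNOWN_HRESULTS = {0x80090350: "SEC_E_DOWNGRADE_DETECTED"}
FACILITY_NAMES = {9: "FACILITY_SSPI"}   # facility 9 = security/SSPI errors

def decode_hresult(signed_code):
    """Convert the signed decimal value dcdiag prints into HRESULT fields."""
    value = signed_code & 0xFFFFFFFF        # two's complement -> unsigned 32-bit
    facility = (value >> 16) & 0x7FF
    return {
        "hex": f"0x{value:08X}",
        "is_error": bool(value >> 31),      # severity bit set
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, "unknown"),
        "code": value & 0xFFFF,
        "name": KNOWN_HRESULTS.get(value, "unknown"),
    }

ERROR_RE = re.compile(r"(?:failed with error|binding error)\s+(-?\d+)", re.I)
FAILED_TEST_RE = re.compile(r"failed test (\w+)", re.I)
SKIP_RE = re.compile(r"skipping all tests", re.I)

def triage_dcdiag(text):
    """Pull error codes, failed tests and the skip marker out of dcdiag output."""
    codes = sorted({int(m.group(1)) for m in ERROR_RE.finditer(text)})
    return {
        "errors": {c: decode_hresult(c) for c in codes},
        "failed_tests": FAILED_TEST_RE.findall(text),
        "skipped_remaining_tests": bool(SKIP_RE.search(text)),
    }

# Constructed sample, rebuilt from the lines quoted in the post.
SAMPLE = """\
Directory Binding Error -2146892976 The system detected a possible attempt to compromise security.
[servername] DsBindWithSpnEx() failed with error -2146892976 The system detected a possible attempt to compromise security.
Failed test Connectivity
Testing server: Default-First-Site-Name\\servername
Skipping all tests because the server (servername) is not responding to directory service requests.
"""

if __name__ == "__main__":
    result = triage_dcdiag(SAMPLE)
    for code, info in result["errors"].items():
        print(f"{code} = {info['hex']} {info['name']} ({info['facility_name']})")
    print("failed tests:", result["failed_tests"],
          "skipped rest:", result["skipped_remaining_tests"])
```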