Win 2003, domain controller (PDC) emulator cannot be contacted.

Last Modified: 2012-06-27
We have two win 2003 domain controllers. When I attempt to check my trusts by right clicking on my AD Domain, I get the error: "you cannot modify domain or trust information because a primary domain controller (PDC) emulator cannot be contacted. Please verify that the PDC emulator and the network are both online and functioning properly."
I am not sure what is causing this. I have seen the same issue authored by Rock996 and Chris Dent has worked through the problem. However our servers do not have the same problem of \0ADEL:8daa7e71-2851-4a59-ab91-706930738b9 being displayed within ntdsutil. Could you please help?

Brian Pierce, Photographer
CERTIFIED EXPERT
Awarded 2007
Top Expert 2008

Commented:
Check the DNS settings first. Make sure that both domain controllers have their preferred DNS server set to themselves and that the alternate DNS server is either blank, or points to the other DC.

Commented:
Is this a 2000 or NT client?

Author

Commented:
Both domains are pointing to themselves.

Answer to elaniyan: This is a win 2003 server, with xp clients connecting to them
CERTIFIED EXPERT

Commented:

For checking replication / FSMO roles I like using Replmon (part of support tools.)

Add a server (the DC you are running replmon on.)
Then right click and select properties, you will see FSMO roles as a tab.

Mark

Author

Commented:
I can't find replmon as part of the support tools. I can see repadmin

Author

Commented:
I ran dcdiag /fix and all tests passed except for FsmoCheck.

Response:

Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355 A Global Catalog Server could not be located - All GC's are down.
Author

Commented:
Discovery: Replmon exists as part of win 2003 32bit, does not appear in 64bit version.

Therefore installed the 32 bit version on a remote xp server

Author

Commented:
Within Replmon:

Have included both servers.

Have run FSMO roles and have clicked the query button on both servers. All queries test OK.

Author

Commented:
I have looked further into the situation. Both servers coexist as Default first site in Active Directory Sites and Services. Should this be true? Ideally we would like one server to be the main primary domain controller and the second one to take over if the first one should ever fail.

Please assist. Thank you

Author

Commented:
Let me elaborate on the situation:

I run ntdsutil

roles
connections
connect to server abc
quit
select operation target
list roles for connected server

output:

select operation target: list roles for connected server
Server "abc" knows about 5 roles
Schema - CN=NTDS Settings,CN=abc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=colo3,DC=encoded,DC=co,DC=uk
Domain - CN=NTDS Settings,CN=abc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=colo3,DC=encoded,DC=co,DC=uk
PDC - CN=NTDS Settings,CN=abc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=colo3,DC=encoded,DC=co,DC=uk
RID - CN=NTDS Settings,CN=abc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=colo3,DC=encoded,DC=co,DC=uk
Infrastructure - CN=NTDS Settings,CN=abc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=colo3,DC=encoded,DC=co,DC=uk


I then repeat the same role for other server (backup server):

output for server xyz:

select operation target: list roles for connected server
Server "xyz" knows about 5 roles
Schema - CN=NTDS Settings,CN=abc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=colo3,DC=encoded,DC=co,DC=uk
Domain - CN=NTDS Settings,CN=abc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=colo3,DC=encoded,DC=co,DC=uk
PDC - CN=NTDS Settings,CN=abc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=colo3,DC=encoded,DC=co,DC=uk
RID - CN=NTDS Settings,CN=abc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=colo3,DC=encoded,DC=co,DC=uk
Infrastructure - CN=NTDS Settings,CN=abc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=colo3,DC=encoded,DC=co,DC=uk
select operation target:

When we try to make a trusted connection from another third remote domain controller. Therefore abc and xyz are part of the domain:

abc.coloA.company.co.uk
xyz.coloA.company.co.uk

Another domain controller in coloB

fred.coloB.company.co.uk

In fred, when I go to Active Directory Domain and trusts

right click properties
trusts
(incoming trusts)
      click on coloA domain
     Properties
           Validate
           enter in coloA Administrator password

Output: The trust cannot be validated for the following reasons:

The secure channel (SC) reset on domain controller \\xyz.coloA.company.co.uk of domain coloA.company.co.uk to domain coloB.company.co.uk failed with error: There are currently no logon servers available to service the logon request.

==> Firstly the connection should be going to abc.coloA.company.co.uk not xyz.

Next I agree to reset the trust passwords

Output:

Windows cannot find a primary domain controller for the coloA.company.co.uk domain. Verify the PDC is functioning and then try again.

Is there something I am missing out on the abc and xyz??

Please help. Thanks again
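
The comparison done by eye in the post above can be scripted. This is an added example, not part of the original thread: it parses `list roles for connected server` listings in the format shown and reports any role that different DCs attribute to different owners. The listings it runs on are constructed from the post's format, and the function names are hypothetical. As the thread's outcome shows, matching listings do not by themselves prove that another domain can locate the PDC emulator.

```python
import re

# Naming context copied from the listing in the post; the listings built
# from it below are constructed sample input, not captured output.
SUFFIX = ("CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,"
          "DC=colo3,DC=encoded,DC=co,DC=uk")
ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")
HEADER = re.compile(r'^Server "([^"]+)" knows about (\d+) roles')
ROLE = re.compile(r"^(\w+) - CN=NTDS Settings,CN=([^,]+),")

def sample_listing(server, owners):
    """Build a constructed listing in the format ntdsutil printed in the post."""
    lines = ["select operation target: list roles for connected server",
             f'Server "{server}" knows about {len(owners)} roles']
    lines += [f"{r} - CN=NTDS Settings,CN={o},{SUFFIX}" for r, o in owners.items()]
    return "\n".join(lines)

def parse_roles(text):
    """Return (reporting DC, {role: owner DC}) for one listing."""
    server, expected, roles = None, 0, {}
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            server, expected = m.group(1), int(m.group(2))
        elif m := ROLE.match(line):
            roles[m.group(1)] = m.group(2)
    # A truncated paste must not pass as a clean result.
    if server is None or len(roles) != expected:
        raise ValueError("incomplete role listing")
    return server, roles

def compare_views(listings):
    """Return ({role: {owner: [DCs reporting it]}}, roles with more than one owner)."""
    views = {}
    for text in listings:
        server, roles = parse_roles(text)
        for role, owner in roles.items():
            views.setdefault(role, {}).setdefault(owner, []).append(server)
    conflicts = {r: o for r, o in views.items() if len(o) > 1}
    return views, conflicts

# Both DCs name abc as owner of all five roles, as in the post.
AS_POSTED = [sample_listing(dc, dict.fromkeys(ROLES, "abc")) for dc in ("abc", "xyz")]

if __name__ == "__main__":
    views, conflicts = compare_views(AS_POSTED)
    for role, owners in views.items():
        print(role, owners)
    print("conflicts:", conflicts or "none")
```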

Commented:
Try creating secondary zone of coloA in coloB and a secondary zone of coloB in coloA.  Then re-try verifying the trust or re-establishing the trust.

Commented:
Please forgive me if you already did this and I missed it. But can you ping by host name a DC in the target domain?

Also anything in the event viewer on the failing machine?

What server has the PDC FSMO role for each server?
here is how to find them http://support.microsoft.com/kb/324801

Author

Commented:
I have fixed the problem now everyone. Thanks. Even though when you type list roles for connected server on both the primary and secondary domain controller, the output showed the correct domain as the PDC. However, when I went to another colo and attempted to set up a trust the dc in the other colo simply said can not establish connection with PDC, make sure it is working properly.

So I thought it couldn't hurt. I went to the pdc in the first colo and transferred the PDC. I reattempted to set trust and the problem was solved.

Therefore I recommend if you have problems connecting to the PDC when you have a secondary DC, re-attempt to transfer PDC, and things may realign again.

Once again thanks for all your help again