
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1411
  • Last Modified:

AD problems

Hi,
I have 3 servers running 2003 SP2.
192.168.0.10 is my DC
192.168.0.15 is my exchange
192.168.0.20 is my SQL

On my DC box in Event Viewer I have the following errors:

Event# 1168 Source NTDS General
Internal error: An Active Directory error has occurred.
 Additional Data
Error value (decimal):
1053
Error value (hex):
41d
Internal ID:
30004f4

Event# 1913 Source NTDS Backup
Internal error: The Active Directory backup and restore operation encountered an unexpected error.
 Backup or restore will not succeed until this is corrected.  
 Additional Data
Error value:
1084 This service cannot be started in Safe Mode
Internal ID:
160200fa


Event# 2087 Source: NTDS Replication
Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
 
Source domain controller:
 black
Failing DNS host name:
 376b8df3-5530-4b24-b6b6-9acd2c92cd1a._msdcs.aucklandnz.local
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns
 
 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.


Event# 1238 Source: LDAP Interface

Internal error: Active Directory was unable to initialize network connections for incoming LDAP requests.
 
Additional Data
Error value:
0

Event# 1168  Source: Internal processing
Internal error: An Active Directory error has occurred.
 
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
300051e


And an event warning:
Event# 2088 Source: DS RPC Client
Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
 
Alternate server name:
 black
Failing DNS host name:
 376b8df3-5530-4b24-b6b6-9acd2c92cd1a._msdcs.aucklandnz.local
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns
 
 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.


Event# 2092 Source: Replication
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: CN=Schema,CN=Configuration,DC=aucklandnz,DC=local
 
User Action:
 
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurrence, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocate new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

I have run dcdiag and I'm getting the following:
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MY_DC
      Starting test: Connectivity
         ......................... MY_DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MY_DC
      Starting test: Replications
         ......................... MY_DC passed test Replications
      Starting test: NCSecDesc
         ......................... MY_DC passed test NCSecDesc
      Starting test: NetLogons
         ......................... MY_DC passed test NetLogons
      Starting test: Advertising
         ......................... MY_DC passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... MY_DC passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... MY_DC passed test RidManager
      Starting test: MachineAccount
         ......................... MY_DC passed test MachineAccount
      Starting test: Services
         ......................... MY_DC passed test Services
      Starting test: ObjectsReplicated
         ......................... MY_DC passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... MY_DC passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... MY_DC failed test frsevent
      Starting test: kccevent
         ......................... MY_DC passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000005
            Time Generated: 10/16/2007   13:03:55
            Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
         ......................... MY_DC failed test systemlog
      Starting test: VerifyReferences
         ......................... MY_DC passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : my_domain
      Starting test: CrossRefValidation
         ......................... my_domain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... my_domain passed test CheckSDRefDom

   Running enterprise tests on : my_domain.local
      Starting test: Intersite
         ......................... my_domain.local passed test Intersite
      Starting test: FsmoCheck
         ......................... my_domain.local passed test FsmoCheck

Hope you can help me to resolve this

Thanks in advance
0
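The dcdiag run above is the only compact evidence in the question, and two things in it are worth pulling out by hand: which tests failed, and what the hex EventIDs quoted under systemlog correspond to in Event Viewer (dcdiag prints the full 32-bit code; Event Viewer shows its low 16 bits, so 0xC0001B58 is event 7000). The following is an added example, written for this page and not code from the thread or from Microsoft's tools. It parses pasted dcdiag output, lists the failed tests, converts the event codes, and annotates the ones whose meaning is documented: KRB_AP_ERR_TKT_NYV (Kerberos ticket not yet valid, raised when the ticket's start time is ahead of the verifying server's clock by more than the policy tolerance, 5 minutes by default) and the Service Control Manager events 7000, 7022 and 7026. The sample input is constructed from the excerpts in this thread.

```python
"""Triage helper for pasted dcdiag output (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List

# Documented meanings of events quoted in the thread. Bare IDs that are reused by
# many sources (such as 5) are deliberately not annotated by number alone.
KNOWN_STRINGS = {
    "KRB_AP_ERR_TKT_NYV": (
        "Kerberos: ticket not yet valid. The ticket start time is ahead of the verifying "
        "server's clock by more than the policy tolerance (5 minutes by default); check "
        "time zone / DST settings and time sync before anything else."),
}
KNOWN_IDS = {  # Service Control Manager events
    7000: "SCM: a service failed to start",
    7022: "SCM: a service hung on starting",
    7026: "SCM: a boot-start or system-start driver failed to load",
}

START_RE = re.compile(r"^\s*Starting test:\s+(\S+)")
RESULT_RE = re.compile(r"^\s*\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")
EVENT_RE = re.compile(r"EventID:\s*(0x[0-9A-Fa-f]{1,8})")


@dataclass
class FailedTest:
    server: str
    test: str
    detail: List[str] = field(default_factory=list)     # dcdiag's own lines under the test
    event_ids: List[int] = field(default_factory=list)  # as Event Viewer displays them
    notes: List[str] = field(default_factory=list)


def event_viewer_id(dcdiag_code: str) -> int:
    """dcdiag quotes the full code (e.g. 0xC0001B58); Event Viewer shows the low 16 bits (7000)."""
    return int(dcdiag_code, 16) & 0xFFFF


def parse_dcdiag(text: str) -> List[FailedTest]:
    """Return one FailedTest per '... failed test' verdict, with the lines dcdiag
    printed between 'Starting test:' and the verdict attached as detail."""
    failures: List[FailedTest] = []
    in_test, buf = None, []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            in_test, buf = m.group(1), []
            continue
        m = RESULT_RE.match(line)
        if m:
            server, verdict, test = m.groups()
            if verdict == "failed":
                ft = FailedTest(server, test, [l.strip() for l in buf if l.strip()])
                ft.event_ids = [event_viewer_id(c) for c in EVENT_RE.findall("\n".join(buf))]
                ft.notes = [why for key, why in KNOWN_STRINGS.items() if any(key in l for l in buf)]
                ft.notes += [KNOWN_IDS[i] for i in ft.event_ids if i in KNOWN_IDS]
                failures.append(ft)
            in_test, buf = None, []
            continue
        if in_test is not None:
            buf.append(line)
    return failures


def summarize(text: str) -> List[str]:
    """One line per failed test plus its annotations; fits in a ticket."""
    out = []
    for ft in parse_dcdiag(text):
        ids = ", ".join(str(i) for i in ft.event_ids) or "-"
        out.append(f"{ft.server}: {ft.test} FAILED (events: {ids})")
        out.extend("    " + n for n in dict.fromkeys(ft.notes))  # dedupe, keep order
    return out


# Constructed sample: abridged from the dcdiag excerpts posted in this thread.
SAMPLE_DCDIAG = """\
   Testing server: Default-First-Site-Name\\MY_DC
      Starting test: Replications
         ......................... MY_DC passed test Replications
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... MY_DC failed test frsevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000005
            Time Generated: 10/16/2007   16:43:59
            Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
         An Error Event occured.  EventID: 0xC0001B58
            Time Generated: 10/16/2007   17:15:35
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0001B6E
            Time Generated: 10/16/2007   17:15:35
            (Event String could not be retrieved)
         ......................... MY_DC failed test systemlog
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_DCDIAG)))
```

Feed it `dcdiag /v` output saved to a file and the Kerberos note is the one to act on first: a ticket-not-yet-valid error on a domain controller is a clock problem, not a directory problem, and the later fix in this thread (the DST setting) bears that out.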
Asked by: aucklandnz
1 Solution
 
thecomputerdocs commented:
Are you sure 192.168.0.10 is the only domain controller? There are references to replication, indicating another DC on your network.
What might be easiest is to go to AD sites and services and see what replication partners you have.....
Sometimes it's easiest to run dcpromo and remove the other DCs from the network and add them back in one by one until you get rid of the problem. I've had luck many times by removing a DC and rejoining it.
That's an easy & "dirty" way to do it....
Let me know what else you find in the way of DC's on the network.
0
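The 2087/2088 events in the question already name the partner this answer is asking about ("black") and the exact DNS name the DC cannot resolve: the GUID-based CNAME under _msdcs. Every domain controller registers a CNAME named `<NTDS settings object GUID>._msdcs.<forest root>` that points at its own A record, and a replication partner resolves that CNAME before it opens the RPC connection; Winsock error 11004 (WSANO_DATA) is what the event quotes when the name exists but carries no usable record. The following is an added example, not code from the thread: it reads the two names out of a pasted 2087/2088 event, derives the records `dcdiag /test:dns` will look for, and optionally runs the same lookup. It assumes a single-domain forest, so the source DC's FQDN is its short name under the forest root; the sample event text is constructed from the question.

```python
"""Turn an NTDS Replication 2087/2088 event into the DNS records to verify (added example)."""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

WSANO_DATA = 11004  # Winsock: name exists, no data of the requested type

# Constructed from the event text in the question (names reproduced, layout trimmed).
SAMPLE_EVENT_2087 = """\
Active Directory could not resolve the following DNS host name of the source domain controller to an IP address.

Source domain controller:
 black
Failing DNS host name:
 376b8df3-5530-4b24-b6b6-9acd2c92cd1a._msdcs.aucklandnz.local

Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.
"""

FIELD_RE = re.compile(
    r"^(Source domain controller|Alternate server name|Failing DNS host name|Error value):\s*$")
GUID_CNAME_RE = re.compile(r"^([0-9a-f-]{36})\._msdcs\.(.+)$", re.IGNORECASE)


@dataclass
class ReplicationDnsCheck:
    source_dc: str            # short name the event reports
    guid_cname: str           # the name the partner failed to resolve
    forest_root: str
    expected_target: str      # FQDN the CNAME must point at (single-domain assumption)
    reported_error: Optional[int]


def parse_event(text: str) -> ReplicationDnsCheck:
    """Fields in these events are a label line followed by the value on the next line."""
    fields = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = FIELD_RE.match(line.strip())
        if m and i + 1 < len(lines):
            fields[m.group(1)] = lines[i + 1].strip()
    guid_cname = fields["Failing DNS host name"]
    m = GUID_CNAME_RE.match(guid_cname)
    if not m:
        raise ValueError("not an _msdcs GUID CNAME: " + guid_cname)
    forest_root = m.group(2).rstrip(".")
    # 2087 says "Source domain controller", 2088 says "Alternate server name".
    source = fields.get("Source domain controller") or fields.get("Alternate server name") or ""
    err_text = fields.get("Error value")
    err = int(err_text.split()[0]) if err_text else None
    return ReplicationDnsCheck(source, guid_cname, forest_root,
                               f"{source}.{forest_root}", err)


def expected_records(check: ReplicationDnsCheck) -> List[Tuple[str, str]]:
    """Records a partner needs, in lookup order: the GUID CNAME, then the A record it
    points at. dcdiag /test:dns checks the same pair on both DCs."""
    return [("CNAME", check.guid_cname), ("A", check.expected_target)]


def try_lookup(name: str) -> Tuple[str, Optional[int]]:
    """Run the lookup the DC is failing. Needs the domain's DNS server reachable, so it
    is not part of the offline checks. On Windows the gaierror errno is the WSA code."""
    try:
        host, _aliases, addrs = socket.gethostbyname_ex(name)
        return (f"resolved via {host} -> {addrs}", None)
    except socket.gaierror as e:
        tag = " (WSANO_DATA, as in the event)" if e.errno == WSANO_DATA else ""
        return (f"lookup failed: {e}{tag}", e.errno)


if __name__ == "__main__":
    chk = parse_event(SAMPLE_EVENT_2087)
    for rtype, name in expected_records(chk):
        print(f"verify {rtype:5} {name}")
    print("event reported Winsock error", chk.reported_error)
```

If the CNAME resolves but to a host that no longer exists (the GUID belongs to a DC that was rebuilt or removed without dcpromo), that is the case the event's step 1 describes, and cleaning the metadata with ntdsutil is what removes the stale record's owner.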
 
aucklandnz (Author) commented:
In Active Directory under Domain Controllers I have:
192.168.0.10 and 192.168.0.20, but we only use 192.168.0.10 as a DC. If I delete 192.168.0.20 from the list, will it cause any problems?

thanks
0
 
thecomputerdocs commented:
Don't delete it... on the .20 box, run dcpromo and select remove.
be careful not to tell it that it's the last dc in the domain..
Good luck....let us know how it works...
0
 
aucklandnz (Author) commented:
I have removed .20, but when I run dcdiag on my DC I'm still getting the same results:

Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... MY_DC failed test frsevent
      Starting test: kccevent
         ......................... MY_DC passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000005
            Time Generated: 10/16/2007   13:03:55
            Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
         ......................... MY_DC failed test systemlog


thanks
0
 
thecomputerdocs commented:
Check to make sure the server is set to the right time zone... that's a common problem.
0
 
aucklandnz (Author) commented:
It is (but the daylight saving box is unticked); if I tick it, it goes one hour forward.
0
 
thecomputerdocs commented:
At the client machines, go to a command prompt and type:
net time \\MY_PDC /set /yes

Note: MY_PDC = your server name

If this works, you can put it into your login script.
All clients need to be synchronized to the same time as the server.
Here's the link that tells more...doesn't need to be as extensive as this.
net time \\MY_PDC /set /yes

Many of my clients have two line login scripts....but this is always at the top, since it's so important.
My guess is that there is some time sync issue going on.
Keep in touch and let me know if you do this and what the result may be....
You also may want to restart your DC, to generate new event log entries. Since the demotion of .20 from the AD, you can "flush it out" and see how it behaves after a reboot.
0
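`net time` sets the clock but says nothing about how far off it was, and the thread's symptom (KRB_AP_ERR_TKT_NYV) only appears once the difference exceeds what Kerberos tolerates: the policy default "Maximum tolerance for computer clock synchronization" is 5 minutes. A one-hour offset, as here, is the signature of a time zone or DST mismatch rather than drift. The following is an added example, not from the thread: it reads the offsets that `w32tm /stripchart /computer:<dc> /samples:N /dataonly` prints on a member machine and judges them against that tolerance. Two things are assumed and labelled in the code: the line layout ("HH:MM:SS, +SS.SSSSSSSs", or "HH:MM:SS, error: 0x..." when the DC did not answer) and the sign convention (target DC minus local clock). The sample outputs are constructed; the first one models the DC in this thread, one hour behind the workstations.

```python
"""Judge w32tm /stripchart samples against the Kerberos clock-skew tolerance (added example)."""
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Kerberos policy default "Maximum tolerance for computer clock synchronization".
KERBEROS_MAX_SKEW_S = 5 * 60

# Assumed /dataonly line layouts; both are checked, nothing else is consumed.
SAMPLE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}),\s*([+-]\d+(?:\.\d+)?)s\s*$")
ERROR_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}),\s*error:\s*(0x[0-9A-Fa-f]+)\s*$")


@dataclass
class SkewReport:
    offsets_s: List[float]                 # assumed sign: DC time minus local time
    errors: List[Tuple[str, str]]          # (sample time, HRESULT) where no answer came back
    median_offset_s: Optional[float]
    exceeds_kerberos_skew: bool
    whole_zone_offset: bool                # heuristic, see looks_like_zone_error()


def parse_stripchart(text: str) -> Tuple[List[float], List[Tuple[str, str]]]:
    offsets, errors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SAMPLE_RE.match(line)
        if m:
            offsets.append(float(m.group(2)))
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((m.group(1), m.group(2)))
    return offsets, errors


def looks_like_zone_error(offset_s: float, slack_s: float = 120.0) -> bool:
    """Heuristic: an offset that is (almost exactly) a multiple of 30 minutes points at a
    wrong time zone or DST setting. Drift on a machine that syncs at all is seconds."""
    if abs(offset_s) < slack_s:
        return False
    r = abs(offset_s) % 1800.0
    return min(r, 1800.0 - r) <= slack_s


def assess(text: str, tolerance_s: float = KERBEROS_MAX_SKEW_S) -> SkewReport:
    offsets, errors = parse_stripchart(text)
    median = statistics.median(offsets) if offsets else None
    return SkewReport(
        offsets_s=offsets,
        errors=errors,
        median_offset_s=median,
        exceeds_kerberos_skew=(median is not None and abs(median) > tolerance_s),
        whole_zone_offset=(median is not None and looks_like_zone_error(median)),
    )


def explain(report: SkewReport) -> str:
    if report.median_offset_s is None:
        return "no samples: the DC did not answer NTP (firewall, or w32time not running on it)"
    m = report.median_offset_s
    where = "behind" if m < 0 else "ahead of"
    msg = f"DC clock is {abs(m):.1f}s {where} this machine"
    if report.exceeds_kerberos_skew:
        msg += "; beyond Kerberos tolerance, expect KRB_AP_ERR_SKEW / KRB_AP_ERR_TKT_NYV"
    if report.whole_zone_offset:
        msg += "; offset is a whole number of half-hours, check time zone and DST rather than drift"
    return msg


# Constructed: workstation with DST ticked querying a DC that has it unticked (this thread).
SAMPLE_BROKEN = """\
Tracking 192.168.0.10 [192.168.0.10:123].
Collecting 3 samples.
The current time is 16/10/2007 17:20:01.
17:20:01, -3600.0021345s
17:20:03, -3600.0019876s
17:20:05, -3599.9998765s
"""
# Constructed: a healthy client, with one sample that timed out.
SAMPLE_OK = """\
17:40:01, +00.0123456s
17:40:03, -00.0087654s
17:40:05, error: 0x800705B4
"""

if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(label + ":", explain(assess(text)))
```

Run the w32tm command on a workstation against the DC and on the DC against its own upstream source; whichever side shows the whole-hour offset is the one with the zone or DST setting wrong, which is what fixed it in this thread.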
 
aucklandnz (Author) commented:
When I run the net time command on the clients it says that the time has been updated successfully, but the time on the machine is still one hour forward; it will be the correct time once I untick daylight saving in the Time Zone tab.

Thanks
0
 
thecomputerdocs commented:
Try ticking it, then change the time... then resync the workstations.
Did you restart it yet?
0
 
aucklandnz (Author) commented:
I have ticked daylight saving and run the command (the time is OK on all machines now). I have restarted the DC and Event Viewer is not showing the previous errors :) and when I run dcdiag the errors I was getting before are gone, but I have new ones.


 Starting test: systemlog
    An Error Event occured.  EventID: 0x40000005
       Time Generated: 10/16/2007   16:43:59
       Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
    An Error Event occured.  EventID: 0xC0001B58
       Time Generated: 10/16/2007   17:15:35
       (Event String could not be retrieved)
    An Error Event occured.  EventID: 0xC0001B6E
       Time Generated: 10/16/2007   17:15:35
       (Event String could not be retrieved)
    An Error Event occured.  EventID: 0xC0001B6E
       Time Generated: 10/16/2007   17:16:25
       (Event String could not be retrieved)
    An Error Event occured.  EventID: 0xC0001B72
       Time Generated: 10/16/2007   17:16:25
       (Event String could not be retrieved)
    ......................... MY_DC failed test systemlog


any ideas ?

Thx
0
 
thecomputerdocs commented:
Do this one more time for me.....
In your event logs, clear all events by right-clicking the System and Application logs... clear the events... then restart the server.
Once you've restarted it again, look at the event logs and tell me what you see for red lights.
I'm wondering if the errors you have stated are still showing up when you run the dcdiag due to the fact that there are previous errors listed in the log. Clearing them and restarting then running again might make them go away.
Anxious to find out how it works...we're getting closer to the end....
0
 
thecomputerdocs commented:
Just checking, how is it coming along?
0
 
aucklandnz (Author) commented:
I'm waiting until everyone has finished so I can restart the DC.

Thanks
0
 
aucklandnz (Author) commented:
Hi,

It fixed the problems.

Thanks a lot, you're the man.

Cheers
0
 
thecomputerdocs commented:
Thanks for working with me and sticking with it. We turned water into wine on this one!!!!

0
