
Windows 2000 Domain Controller Problem

We have a domain with 3 WIN2K DCs.  One DC was hosting all the Master roles and DNS.  The others were backup DCs.  The HDD on the main one failed, so I binned it and seized the Master roles to one of the others (which also had DNS on it).  The roles all transferred correctly (seemingly) but DNS is not working correctly.  When I tried to DCPROMO a clean install of WIN2K server, it told me the Wizard could not access the list of domains in the forest and refused to continue.  However, I can PING and NSLOOKUP from machines already on the domain, and all reports correctly.  Please can someone shed any light on this?

Asked by: BobPetty

bkellyboulderit commented:

BobPetty (Author) commented:
DCDIAG reports no errors on either DC.

bkellyboulderit commented:
You're saying that the machine you want to promo joined the domain ok, with no errors? Sorry if it is redundant...

BobPetty (Author) commented:
No, DCDIAG reports no errors on either DC.  I cannot join a new PC to the domain, or promo a server to a DC.  It fails with the message above.

BobPetty (Author) commented:
Further to above comment/reply, this is running DCDIAGS at the individual DC console.  If DCDIAGS is run from a workstation, NETLOGONS fails with Error 53 (a Net Use or LSAPOLICY operation failed) and the Machine Account fails with Network Path Not found.  Other failures occur because of an apparent network problem.  However, the DCs can be pinged from any PC and replies are instantaneous.  Similarly, NSLOOKUP resolves correctly using the DC as the DNS server.

Darylx commented:
Are the SRV records present in DNS?  It could be that the A records are there so nslookup works but if your SRV records are screwed up, the clients (or other servers) won't recognise the DCs as DCs.

bkellyboulderit commented:
BTW, have you changed DHCP for the PCs to get their DNS from the new DCs?

BobPetty (Author) commented:
Sorry, should have said.  All machines use fixed IP addressing, DHCP is only used for wireless connections so that is not an issue, and the DHCP server is the ADSL router, not the DC.  I will double-check the SRV entries on Monday morning and get back to you.  (I'm in the UK 6 hours in front of PDT)  Thanks for your help so far.

BobPetty (Author) commented:
Hi everyone.  Have checked the SRV records, and they all look fine.  There follows the result of DCDIAG with the A and V switches.  Note that I can PING and NSLOOKUP to both DCs without error.

Domain Controller Diagnosis

Performing initial setup:
   * Connecting to directory service on server domserv2.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 2 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\DOMSERV2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DOMSERV2 passed test Connectivity
   
   Testing server: Default-First-Site-Name\DOMSERV
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         The clock difference between the home server DOMSERV2 and target

         server DOMSERV is greater than one minute. This may cause Kerberos

         authentication failures. Please check that the time service is working

         properly. You may need to resynchonize the time between these servers.

         ......................... DOMSERV passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\DOMSERV2
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
         The replications latency check is not available on this DC.
         * Replication Site Latency Check
         ......................... DOMSERV2 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DOMSERV2.
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=pgserver,DC=com
            (Schema,Version 1)
         * Security Permissions Check for
           CN=Configuration,DC=pgserver,DC=com
            (Configuration,Version 1)
         * Security Permissions Check for
           DC=pgserver,DC=com
            (Domain,Version 1)
         ......................... DOMSERV2 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         [DOMSERV2] An net use or LsaPolicy operation failed with error 53, Win32 Error 53.
         ......................... DOMSERV2 failed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (DOMSERV2) call failed, error 1722
         The Locator could not find the server.
         Printing RPC Extended Error Info:
         Error Record 1, ProcessID is 3984 (DcDiag)        
            System Time is: 10/22/2007 8:21:26:861
            Generating component is 2 (RPC runtime)
            Status is 1722: The RPC server is unavailable.

            Detection location is 193
         Error Record 2, ProcessID is 3984 (DcDiag)        
            System Time is: 10/22/2007 8:21:26:861
            Generating component is 5 (redirector)
            Status is 51: Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.

            Detection location is 190
            NumberOfParameters is 2
            Long val: 1441792
            Unicode string: \\DOMSERV2\PIPE\NETLOGON
         ......................... DOMSERV2 failed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DOMSERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=DOMSERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=DOMSERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=DOMSERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DOMSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com
         ......................... DOMSERV2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 3614 to 1073741823
         * domserv2.pgserver.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 2102 to 2601
         * rIDNextRID: 2104
         * rIDPreviousAllocationPool is 2102 to 2601
         ......................... DOMSERV2 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC DOMSERV2 on DC DOMSERV2.
         Could not open pipe with [DOMSERV2]:failed with 53: Win32 Error 53
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         * SPN found :LDAP/domserv2.pgserver.com/pgserver.com
         * SPN found :LDAP/domserv2.pgserver.com
         * SPN found :LDAP/DOMSERV2
         * Missing SPN :(null)
         * SPN found :LDAP/45f819e5-b12a-492f-a6b2-293148025665._msdcs.pgserver.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/45f819e5-b12a-492f-a6b2-293148025665/pgserver.com
         * SPN found :HOST/domserv2.pgserver.com/pgserver.com
         * SPN found :HOST/domserv2.pgserver.com
         * SPN found :HOST/DOMSERV2
         * Missing SPN :(null)
         * SPN found :GC/domserv2.pgserver.com/pgserver.com
         ......................... DOMSERV2 failed test MachineAccount
      Starting test: Services
         Could not open Remote ipc to [DOMSERV2]:failed with 53: Win32 Error 53
         ......................... DOMSERV2 failed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         DOMSERV2 is in domain DC=pgserver,DC=com
         Checking for CN=DOMSERV2,OU=Domain Controllers,DC=pgserver,DC=com in domain DC=pgserver,DC=com on 2 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DOMSERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com in domain CN=Configuration,DC=pgserver,DC=com on 2 servers
            Object is up-to-date on all servers.
         ......................... DOMSERV2 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         [DOMSERV2] An net use or LsaPolicy operation failed with error 53, Win32 Error 53.
         The registry lookup failed to determine the state of the SYSVOL.  The

         error returned  was 53 (Win32 Error 53).  Check the FRS event log to

         see if the SYSVOL has successfully been shared.
         ......................... DOMSERV2 failed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... DOMSERV2 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Failed to enumerate event log records, error Win32 Error 53
         ......................... DOMSERV2 failed test kccevent
      Starting test: systemlog
         * The System Event log test
         Failed to enumerate event log records, error Win32 Error 53
         ......................... DOMSERV2 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)

         CN=DOMSERV2,OU=Domain Controllers,DC=pgserver,DC=com and backlink on

         CN=DOMSERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=DOMSERV2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=pgserver,DC=com

         and backlink on CN=DOMSERV2,OU=Domain Controllers,DC=pgserver,DC=com

         are correct.
         The system object reference (serverReferenceBL)

         CN=DOMSERV2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=pgserver,DC=com

         and backlink on

         CN=NTDS Settings,CN=DOMSERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com

         are correct.
         ......................... DOMSERV2 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Testing server: Default-First-Site-Name\DOMSERV
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
         The replications latency check is not available on this DC.
         * Replication Site Latency Check
         ......................... DOMSERV passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DOMSERV.
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=pgserver,DC=com
            (Schema,Version 1)
         * Security Permissions Check for
           CN=Configuration,DC=pgserver,DC=com
            (Configuration,Version 1)
         * Security Permissions Check for
           DC=pgserver,DC=com
            (Domain,Version 1)
         ......................... DOMSERV passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         [DOMSERV] An net use or LsaPolicy operation failed with error 53, Win32 Error 53.
         ......................... DOMSERV failed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (DOMSERV) call failed, error 1722
         The Locator could not find the server.
         Printing RPC Extended Error Info:
         Error Record 1, ProcessID is 3984 (DcDiag)        
            System Time is: 10/22/2007 8:21:33:719
            Generating component is 2 (RPC runtime)
            Status is 1722: The RPC server is unavailable.

            Detection location is 193
         Error Record 2, ProcessID is 3984 (DcDiag)        
            System Time is: 10/22/2007 8:21:33:719
            Generating component is 5 (redirector)
            Status is 51: Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.

            Detection location is 190
            NumberOfParameters is 2
            Long val: 1441792
            Unicode string: \\DOMSERV\PIPE\NETLOGON
         ......................... DOMSERV failed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DOMSERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=DOMSERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=DOMSERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=DOMSERV2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DOMSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com
         ......................... DOMSERV passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 3614 to 1073741823
         * domserv2.pgserver.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 2602 to 3101
         * rIDNextRID: 2604
         * rIDPreviousAllocationPool is 2602 to 3101
         ......................... DOMSERV passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC DOMSERV on DC DOMSERV.
         Could not open pipe with [DOMSERV]:failed with 53: Win32 Error 53
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         * SPN found :LDAP/domserv.pgserver.com/pgserver.com
         * SPN found :LDAP/domserv.pgserver.com
         * SPN found :LDAP/DOMSERV
         * Missing SPN :(null)
         * SPN found :LDAP/8cf80790-f009-4319-b17b-c0e33d5d2600._msdcs.pgserver.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/8cf80790-f009-4319-b17b-c0e33d5d2600/pgserver.com
         * SPN found :HOST/domserv.pgserver.com/pgserver.com
         * SPN found :HOST/domserv.pgserver.com
         * SPN found :HOST/DOMSERV
         * Missing SPN :(null)
         * SPN found :GC/domserv.pgserver.com/pgserver.com
         ......................... DOMSERV failed test MachineAccount
      Starting test: Services
         Could not open Remote ipc to [DOMSERV]:failed with 53: Win32 Error 53
         ......................... DOMSERV failed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         DOMSERV is in domain DC=pgserver,DC=com
         Checking for CN=DOMSERV,OU=Domain Controllers,DC=pgserver,DC=com in domain DC=pgserver,DC=com on 2 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DOMSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com in domain CN=Configuration,DC=pgserver,DC=com on 2 servers
            Object is up-to-date on all servers.
         ......................... DOMSERV passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         [DOMSERV] An net use or LsaPolicy operation failed with error 53, Win32 Error 53.
         The registry lookup failed to determine the state of the SYSVOL.  The

         error returned  was 53 (Win32 Error 53).  Check the FRS event log to

         see if the SYSVOL has successfully been shared.
         ......................... DOMSERV failed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... DOMSERV failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Failed to enumerate event log records, error Win32 Error 53
         ......................... DOMSERV failed test kccevent
      Starting test: systemlog
         * The System Event log test
         Failed to enumerate event log records, error Win32 Error 53
         ......................... DOMSERV failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)

         CN=DOMSERV,OU=Domain Controllers,DC=pgserver,DC=com and backlink on

         CN=DOMSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=DOMSERV,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=pgserver,DC=com

         and backlink on CN=DOMSERV,OU=Domain Controllers,DC=pgserver,DC=com

         are correct.
         The system object reference (serverReferenceBL)

         CN=DOMSERV,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=pgserver,DC=com

         and backlink on

         CN=NTDS Settings,CN=DOMSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pgserver,DC=com

         are correct.
         ......................... DOMSERV passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : pgserver
      Starting test: CrossRefValidation
         ......................... pgserver passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... pgserver passed test CheckSDRefDom
   
   Running enterprise tests on : pgserver.com
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided.
         ......................... pgserver.com passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1722
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1722
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722
         A KDC could not be located - All the KDCs are down.
         ......................... pgserver.com failed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

If anyone can shed any light on why the network path cannot be found I would be much obliged!

BobPetty (Author) commented:
Hi everyone

Sorted it!  The problem was that neither of the (previous) additional DCs had "File and Print Sharing for Microsoft Networks" enabled in their LAN cards.  Enabling this immediately resolved all NETLOGON and SYSVOL errors.  Thank you everyone who contributed.  The moral of this sorry saga is Look for the Obvious First!  Thanks again.

Vee_Mod commented:
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
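
A triage sketch for the DCDIAG output in this thread, added here as an example and not part of any participant's post: it groups failed tests by Win32 error code and flags the pattern the thread ended on, where directory tests pass but every coded failure is "network path not found" (53 or 51) on SMB named pipes. The function names and the heuristic are assumptions of this example; the sample input is abridged from the posted output.

```python
import re
from collections import defaultdict

# Sample input: abridged from the DCDIAG output posted in the thread (DOMSERV2 only).
SAMPLE = r"""
   Testing server: Default-First-Site-Name\DOMSERV2
      Starting test: Connectivity
         ......................... DOMSERV2 passed test Connectivity
      Starting test: Replications
         ......................... DOMSERV2 passed test Replications
      Starting test: NetLogons
         [DOMSERV2] An net use or LsaPolicy operation failed with error 53, Win32 Error 53.
         ......................... DOMSERV2 failed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (DOMSERV2) call failed, error 1722
            Status is 51: Windows cannot find the network path.
            Unicode string: \\DOMSERV2\PIPE\NETLOGON
         ......................... DOMSERV2 failed test Advertising
      Starting test: Services
         Could not open Remote ipc to [DOMSERV2]:failed with 53: Win32 Error 53
         ......................... DOMSERV2 failed test Services
"""

RESULT = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")
CODE = re.compile(r"(?:error|failed with|Status is)\s+(\d+)", re.I)
PIPE = re.compile(r"\\\\[^\\\s]+\\PIPE\\\S+", re.I)
# Win32 53 (ERROR_BAD_NETPATH) and 51 (ERROR_REM_NOT_LIST): network path not found.
NETPATH = {53, 51}

def parse(text):
    """Return {server: {"passed": [tests], "failed": {test: codes}, "pipes": set}}."""
    out = defaultdict(lambda: {"passed": [], "failed": {}, "pipes": set()})
    codes, pipes = set(), set()
    for line in text.splitlines():
        m = RESULT.search(line)
        if not m:
            # Detail line: remember error codes and named-pipe paths for this test.
            codes |= {int(c) for c in CODE.findall(line)}
            pipes |= set(PIPE.findall(line))
            continue
        server, verdict, test = m.groups()
        if verdict == "passed":
            out[server]["passed"].append(test)
        else:
            out[server]["failed"][test] = codes
            out[server]["pipes"] |= pipes
        codes, pipes = set(), set()  # the verdict line closes the test
    return dict(out)

def diagnose(report):
    """Assumed heuristic: some tests pass, and every failure that carries a code
    carries a 'network path not found' code => SMB access to the DC is down."""
    findings = {}
    for server, r in report.items():
        coded = [c for c in r["failed"].values() if c]
        if coded and r["passed"] and all(c & NETPATH for c in coded):
            findings[server] = ("SMB path unavailable: check the Server service and the "
                                "'File and Print Sharing for Microsoft Networks' binding")
        elif r["failed"]:
            findings[server] = "failures need individual review"
    return findings

if __name__ == "__main__":
    print(diagnose(parse(SAMPLE)))
```
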