TokyoBrit
asked on
A Primary Domain Controller could not be located
I had a single Windows 2003 R2 domain controller for our 2003 Active Directory domain. All servers are 2003 SP2 (either vanilla or R2) and all desktops are XP SP2.
I then added a replica domain controller to the domain and confirmed everything was correct, including DNS and replication, then moved the new DC to a new office.
I then created a site and subnet for the new office using the MMC Active Directory Sites and Services snap-in, and moved the new DC to be under the new site object.
Everything was still working, or so I thought.
I then transferred the FSMO roles to the new DC, leaving the old DC as just a GC.
That's when everything started going wrong, and now I'm left with non-functioning replication and a whole heap of issues, the main one being -
Running enterprise tests on : domain.com
Test omitted by user request: Intersite
Starting test: FsmoCheck
GC Name: \\2-DC1.domain.com
Locator Flags: 0xe00003fc
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Time Server Name: \\2-DC1.domain.com
Locator Flags: 0xe00003fc
Preferred Time Server Name: \\2-DC1.domain.com
Locator Flags: 0xe00003fc
KDC Name: \\2-DC1.domain.com
Locator Flags: 0xe00003fc
......................... domain.com failed test FsmoCheck
Ran DCDIAG again -
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=2-DC1,CN=Servers,CN=Primary,CN
=Sites,CN=Configuration,DC=domain,DC=com
Role Domain Owner = CN=NTDS Settings,CN=2-DC1,CN=Servers,CN=Primary,CN
=Sites,CN=Configuration,DC=domain,DC=com
Role PDC Owner = CN=NTDS Settings,CN=2-DC1,CN=Servers,CN=Primary,CN=Si
tes,CN=Configuration,DC=domain,DC=com
Role Rid Owner = CN=NTDS Settings,CN=2-DC1,CN=Servers,CN=Primary,CN=Si
tes,CN=Configuration,DC=domain,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=2-DC1,CN=Servers
,CN=Primary,CN=Sites,CN=Configuration,DC=domain,DC=com
......................... 2-DC1 passed test KnowsOfRoleHolders
So the domain controller that believes it is the PDC cannot locate the PDC. This is almost always a DNS issue, so I checked that.
The PDC service record is missing from DNS for both DNS servers. Stopping and restarting NETLOGON did nothing. Rebooting the new DC did nothing. I tried creating the pdc SRV record manually, still fails.
I'm at my wit's end, again. I can't remove the zone and recreate it as it contains all the DNS records for our company - over 200 objects. And I'm not even sure if doing that will resolve the problem.
Any pointers?
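The DCDIAG output quoted in the question is what a defender has to read to pin down which DC claims the PDC emulator role and which DNS record the locator failed to find. The script below is an added example, not part of the original post: it parses the FsmoCheck and KnowsOfRoleHolders sections (joining the wrapped NTDS Settings DNs), extracts the role owners and their sites, picks out the DcGetDcName(PDC_REQUIRED) error code, and names the _ldap._tcp.pdc._msdcs SRV record that should be checked in DNS. The sample output embedded in it is constructed to mirror the question's output, not a real capture; the domain name domain.com and DC name 2-DC1 are the question's placeholders.

```python
"""Parse dcdiag FsmoCheck / KnowsOfRoleHolders output and name the DNS record to verify."""
import re

# Constructed sample, modelled on the output quoted in the question (not a real capture).
SAMPLE_DCDIAG = """\
Running enterprise tests on : domain.com
   Starting test: FsmoCheck
      GC Name: \\\\2-DC1.domain.com
      Locator Flags: 0xe00003fc
      Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
      A Primary Domain Controller could not be located.
      The server holding the PDC role is down.
      KDC Name: \\\\2-DC1.domain.com
      Locator Flags: 0xe00003fc
      ......................... domain.com failed test FsmoCheck
   Starting test: KnowsOfRoleHolders
      Role Schema Owner = CN=NTDS Settings,CN=2-DC1,CN=Servers,CN=Primary,CN
      =Sites,CN=Configuration,DC=domain,DC=com
      Role Domain Owner = CN=NTDS Settings,CN=2-DC1,CN=Servers,CN=Primary,CN
      =Sites,CN=Configuration,DC=domain,DC=com
      Role PDC Owner = CN=NTDS Settings,CN=2-DC1,CN=Servers,CN=Primary,CN=Si
      tes,CN=Configuration,DC=domain,DC=com
      Role Rid Owner = CN=NTDS Settings,CN=2-DC1,CN=Servers,CN=Primary,CN=Si
      tes,CN=Configuration,DC=domain,DC=com
      Role Infrastructure Update Owner = CN=NTDS Settings,CN=2-DC1,CN=Servers
      ,CN=Primary,CN=Sites,CN=Configuration,DC=domain,DC=com
      ......................... 2-DC1 passed test KnowsOfRoleHolders
"""

ROLE_LINE = re.compile(r"^Role (?P<role>.+?) Owner = (?P<dn>.*)$")
DCGETDC_ERR = re.compile(r"DcGetDcName\((?P<flag>\w+)\) call failed, error (?P<code>\d+)")
TEST_END = re.compile(r"^\.+ \S+ (passed|failed) test (?P<test>\w+)$")


def _describe_dn(dn):
    """Split an NTDS Settings DN into DC name and site name.

    Layout: CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    """
    rdns = dn.split(",")
    if len(rdns) < 5 or rdns[2] != "CN=Servers" or rdns[4] != "CN=Sites":
        raise ValueError("unexpected NTDS Settings DN: " + dn)
    return {"dn": dn, "dc": rdns[1][3:], "site": rdns[3][3:]}


def parse_role_owners(output):
    """Return {role: {dn, dc, site}} from the KnowsOfRoleHolders section.

    dcdiag wraps long DNs onto following lines; continuation lines are joined
    onto the current role until the next 'Role ... Owner' or the test summary.
    """
    owners, current, in_section = {}, None, False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Starting test:"):
            in_section = line.endswith("KnowsOfRoleHolders")
            current = None
            continue
        if not in_section:
            continue
        m = ROLE_LINE.match(line)
        if m:
            current = m.group("role")
            owners[current] = m.group("dn")
        elif TEST_END.match(line):
            current = None
        elif current:
            owners[current] += line  # continuation of a wrapped DN
    return {role: _describe_dn(dn) for role, dn in owners.items()}


def pdc_locator_error(output):
    """Win32 error from a failed DcGetDcName(PDC_REQUIRED) call, or None if none was logged."""
    for m in DCGETDC_ERR.finditer(output):
        if m.group("flag") == "PDC_REQUIRED":
            return int(m.group("code"))
    return None


def pdc_srv_record(domain):
    """The SRV record the DC locator queries to find the PDC emulator."""
    return "_ldap._tcp.pdc._msdcs." + domain.rstrip(".")


def diagnose(output, domain):
    """Summarise who holds the PDC role, whether the locator found it, and what to verify in DNS."""
    owners = parse_role_owners(output)
    err = pdc_locator_error(output)
    result = {
        "pdc_owner": owners.get("PDC", {}).get("dc"),
        "pdc_site": owners.get("PDC", {}).get("site"),
        "locator_error": err,
        "srv_record": pdc_srv_record(domain),
        "advice": [],
    }
    if err == 1355:  # ERROR_NO_SUCH_DOMAIN: no PDC advertisement found
        result["advice"].append(
            "verify %s exists on every DNS server the DCs use and points at %s"
            % (result["srv_record"], result["pdc_owner"])
        )
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_DCDIAG, "domain.com").items():
        print("%-14s %s" % (key, value))
```

On the sample this reports 2-DC1 in site Primary as PDC owner, locator error 1355, and the record _ldap._tcp.pdc._msdcs.domain.com to check; when the owner reported by KnowsOfRoleHolders and the SRV record in DNS disagree, that mismatch is the thing to fix before touching the roles again.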
My suggestion is to seize the FSMO roles back to the original DC.
Once you have done this I would demote the new DC and then re-promote it in situ. Moving DCs is often a tricky business if you don't get it spot on; I always prefer to build them in their intended location.
ASKER
Will check that the 43 servers at the new site would still be able to access the old DC prior to demoting the new one. Last thing I want is for all our services to fail.
Problem was, I did the original setup using the same subnet as the new location, so I didn't have any DNS or IP address changes to deal with... Obviously something slipped through the net, and it's never easy tracking down the problem, even if the solution is a simple one.
ASKER
Hmm. Well. DNS is no longer in sync between the domain controllers. In fact, the domain zone is missing from DNS on the old DC. It's only working as all workstations and servers are setup with both DNS servers.
I'll recreate the primary zone once I've seized the roles and hope that I can get DNS working again.
ASKER
Is there a tool that compares zone information stored in the .DNS file with what might be stored in AD? And that also allows me to create a zone on a DNS server from either source?
ASKER
Seizing the roles was only half the battle. Some manual changes to DNS had to be made.
ASKER
Seizing the roles back resolved the problem with not finding the PDC, which allowed replication to start working again, and eventually everything was back into DNS. Thank you.
ASKER
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.x.x' and other DCs also have some of the names registered.
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'DOMAIN' is broken. [ERROR_NO_LOGON_SERVERS]
DCDIAG /fix still shows the same error as before -
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
......................... domain.com failed test FsmoCheck
And the netlogon.dns file doesn't contain a record for PDC.