Solved

Domain Controller (FSMO role) Rebooted ungracefully - Now cannot replicate with other DCs, DNS not working locally etc.

Posted on 2008-06-19
Last Modified: 2010-04-18
OK, I am not sure what happened, but I believe there was a power failure or something. System rebooted back up just fine.

But now it is not replicating with anyone in the domain. DNS won't start because AD won't start. Here is what I am getting.

In the application logs I am getting: error: 1053 - Windows cannot determine the user or computer name (the system detected a possible attempt to compromise security)...

Error 1054: Windows cannot contain the domain controller name for your computer. Group policy processing aborted.

Directory service logs: domain controller will not be advertised by the domain controller locator service as an available domain controller until it has completed an initial synchronization of each writable directory partition that it holds.

I can't access DNS, Sites and Services, or AD Users and Computers. I am under the gun here; it's 8:17pm and I need this up by morning.

Thank you.

Question by:jaesoul

Expert Comment

by:ryansoto
ID: 21828234
Your other DCs should be working OK.  For DNS they should all be pointing to themselves for DNS (TCPIP properties of the LAN connection).
Then in DNS console there should be a forwarder to your ISP.

Try accessing DNS on another server; just because the one DC is down, all should be just fine.
Also one of the other DCs is a global catalog, right?

The main goal at the moment is to get authentication working for clients.  Then we can see what's up in more detail on the server.

Expert Comment

by:thor_08
ID: 21828237
Hello man, quiet, I will try to help.

It is the only domain controller that tapeworms?
Is there a system state backup of that server?
When is this backup from?

Author Comment

by:jaesoul
ID: 21828266
Yes, there is a backup of the system state: ran one last night at 11am.
Other DCs seem OK.

Expert Comment

by:thor_08
ID: 21828324
First, as ryansoto said, we must ensure access for customers.
If you have other domain controllers that are DNS and are able to authenticate, you should not have problems ensuring authentication for customers.
Make sure that the other domain controllers are taken as DNS servers themselves.

Author Comment

by:jaesoul
ID: 21828370
Yes, they can log in. Seems that DNS is functioning on other DCs.

Expert Comment

by:ryansoto
ID: 21828386
OK so half the battle is done.
Now for the server in question.  Clear the event logs, reboot the machine and post what errors come back up.

Author Comment

by:jaesoul
ID: 21828429
OK, here is what I got:
error code: 1053, Error 1054, 1925, 1311

Expert Comment

by:ryansoto
ID: 21828465
Error code 1053 - what service is it referencing that didn't start?

Error code 1054 - Normally a DNS issue of some sort
http://support.microsoft.com/kb/272294
Does this machine have 2 NIC cards?  Disable one and test.
Also run a dcdiag /fix on this machine, then run a dcdiag and see what errors are produced.

1925 and 1322 both seem to be DNS related.

When you logged onto the server after rebooting, did it log on successfully using your credentials or the admin credentials?  And you logged on to the domain, not locally...

Run a dcdiag and netdiag and see what fails.

Also on this server DNS points to itself (TCPIP properties)

Expert Comment

by:thor_08
ID: 21828473
well,

Event ID 1054: look at the preferred DNS server IP; it has to be pointing to it. And as a secondary server it must have a DNS server on the same site or, if any, on the nearest site in the topology.

Expert Comment

by:ryansoto
ID: 21828474
Also, if something fails the dcdiag, run a dcdiag /fix.

Expert Comment

by:thor_08
ID: 21828480
Regarding the 1311 mistake, we must check the topology of the network.

http://technet2.microsoft.com/windowsserver/en/library/062e8eaa-27e0-4c5e-bc2b-2913ecce24b81033.mspx?mfr=true

Expert Comment

by:thor_08
ID: 21828497
For the 1053 event, look:

http://www.eventid.net/display.asp?eventid=1053&eventno=1584&source=Userenv&phase=1

This is all quite related to DNS; once the DNS issues are resolved, everything is going to take more color.

Expert Comment

by:ryansoto
ID: 21828506
The 1311 error could be because of the main issue, which seems to be something DNS related.

Expert Comment

by:ryansoto
ID: 21828525
Worst case, if you can still log into the server on the domain, then you can uninstall DNS on this particular server and then reinstall it, and all configs will be updated automatically by Active Directory.  You will still need to configure forwarders for the server, as this is not stored in AD but it's a machine value.
http://support.microsoft.com/kb/323380

Author Comment

by:jaesoul
ID: 21828527
Yeah, looks DNS related... here is the short of the long message I am getting in support tools...
DC DIAG

Directory service has not finished initializing. In order for the directory service to consider itself synchronized it must attempt an initial synchronization.

Accepted Solution

by:
ryansoto earned 500 total points
ID: 21828534
IMO I would uninstall DNS and reinstall it for time constraints instead of trying to fix it.
While I enjoy a challenge of trying to fix something broken, you need to get items restored to order.
Uninstall and reinstall the service.

Also make sure that in the TCPIP properties on this server that the first DNS server is itself and second is another good DNS machine.

Expert Comment

by:ryansoto
ID: 21828543
To uninstall just go into add/remove and windows components and then untick DNS and then finish.  Once done
http://www.petri.co.il/install_and_configure_windows_2003_dns_server.htm

Author Comment

by:jaesoul
ID: 21828583
OK, doing now.

Expert Comment

by:ryansoto
ID: 21828656
How we doing?

Author Comment

by:jaesoul
ID: 21828819
Ryan... Thank you... I have not reinstalled DNS yet. I am exhausting all options and will probably do that tomorrow night if nothing works.

Get this. DNS has seemingly started to function when I temporarily added 4.2.2.2 into the DNS settings to allow internet access, and temporary remote access from one of my partners. About 5 minutes later, I could access AD, DNS, Sites and Services, as opposed to before. So I took out 4.2.2.2 and ran an nslookup to ensure it was resolving using the local DNS server, and it was. Now DNS seems to be functioning, and I can connect to other DNS servers on the domain.

WEIRD! So I rebooted to see if the issue resolved itself. Well, it didn't; it went back to the old errors and issues... so I repeated the previous, and it worked AGAIN!

Something is very screwy... needless to say this issue is not resolved, but I think I can get a sleep in.

Ryan, I would be grateful if you stayed with me throughout this issue; your time spent has been appreciated. I will be back on it tomorrow night, and through the weekend until this server is functioning right.

ANY ideas why it seems the 4.2.2.2 DNS is kick-starting my DNS?

TY.

Expert Comment

by:ryansoto
ID: 21833124
Well,

When you say DNS settings, where exactly are you talking about?  You reboot and then you have to reenter 4.2.2.2; where are you doing this?

Essentially it should function like this:

All DNS servers in the company -
In TCPIP properties of the LAN connection, preferred DNS should be itself.  So you would input the IP of that server.  The secondary should be another internal DNS.
Then in DNS console for this server, right click and go to properties.  Now go to the tab that says forwarders.
In there you can input more IPs.  These will be the IPs of your ISP's DNS machines.
Check another server to get the IP.
That's all that really needs to be configured for DNS in respect to an individual machine.
The rest of DNS is hosted in Active directory.
0
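The NIC-level layout described in the comment above (preferred DNS is the server itself, secondary is another internal DNS server, ISP resolvers only under Forwarders) can be checked from `ipconfig /all` output. This is an added example, not part of the original thread: the sample output is constructed, 192.168.1.3 is an assumed second internal DNS server, and the parser assumes the Windows Server 2003 `ipconfig` field layout.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt (Windows Server 2003 layout) for the DC in
# the thread, with the public resolver 4.2.2.2 added on the NIC.
SAMPLE_BAD = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.2
                                       4.2.2.2
"""
# Same adapter with an assumed second internal DNS server (192.168.1.3) instead.
SAMPLE_GOOD = SAMPLE_BAD.replace("4.2.2.2", "192.168.1.3")

FIELD = re.compile(r"\s*([A-Za-z][^:]*?)[ .]*:\s*(\S*)\s*$")

def parse_adapter(text):
    """Return (own_ip, dns_servers_in_order) for a single adapter block."""
    own_ip, dns, in_dns = None, [], False
    for line in text.splitlines():
        field = FIELD.match(line)
        if field:
            name, value = field.group(1), field.group(2)
            in_dns = name == "DNS Servers"
            if name == "IP Address":
                own_ip = value
            elif in_dns and value:
                dns.append(value)
        elif in_dns and line.strip():
            dns.append(line.strip())  # extra servers sit on continuation lines
    return own_ip, dns

def check_dc_dns(text):
    """List deviations from the NIC DNS layout described in the thread."""
    own_ip, dns = parse_adapter(text)
    findings = []
    if not dns or dns[0] != own_ip:
        findings.append("preferred DNS is not the server itself")
    if len(dns) < 2:
        findings.append("no secondary internal DNS server on the NIC")
    for server in dns:
        if not ipaddress.ip_address(server).is_private:
            findings.append(f"{server} is public; it belongs under Forwarders, not on the NIC")
    return findings
```

`check_dc_dns(SAMPLE_BAD)` reports the 4.2.2.2 entry, while `check_dc_dns(SAMPLE_GOOD)` returns an empty list.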
 

Author Comment

by:jaesoul
ID: 21833194
Yeah, here is what was strange.

Previously all DC/DNS names were set locally.

So on the server which was having issues, the DNS was pointing to itself, which was:
IP: 192.168.1.2
GW: 192.168.1.254
SN: 255.255.255.0
DNS: 192.168.1.2

For whatever reason, when rebooting this server, I am not able to connect to its DNS, nor are any of the client machines.

Also, this server cannot advertise itself as an AD DC because it cannot connect to its own DNS (doesn't know where itself is, I assume).

So... because I wanted a friend to look at this machine, and it did not have internet with the current settings (because DNS was not working), I had to add a public DNS so it could route to the internet and my friend could take a look remotely.

Well, within 3 minutes of this time, the local DNS (192.168.1.2) became active and AD started working again. I then took out the 4.2.2.2 public IP and it continued to work and works unto this morning, but I know if I reboot it will have the same issues again.

Any idea why adding and taking away a public DNS record on a server would "kick start the DNS"?

WEIRD. I will be on the box tonight to troubleshoot it again.

Expert Comment

by:ryansoto
ID: 21834701
dcdiag /fix then run a dcdiag and see what errors come up.
Same with netdiag

Expert Comment

by:ryansoto
ID: 21847376
What's the status on this?