kxcrazy

asked on

Newly promoted DC has errors and cannot connect to other DCs to replicate AD.

I had a Server 2000 machine that was the secondary DC for our domain starting to fail, so I purchased and configured a new machine.  As this was also the file server for our organization, as well as for a minor app, I had to name the new machine the same as the old.

I demoted the old server and took it offline. I also renamed it before bringing it back into the network.
I promoted the new server, which is Server 2003, and it all appeared to be fine; however, upon reviewing the event logs I am seeing the following, as well as the individual errors for the exact other DCs.

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5721
Date:            9/29/2008
Time:            8:16:47 AM
User:            N/A
Computer:      ATECH01
Description:
The session setup to the Windows NT or Windows 2000 Domain Controller \\atech02.atech.local for the domain A_TECH_DOMAIN failed because the Domain Controller did not have an account ATECH01$ needed to set up the session by this computer ATECH01.  

ADDITIONAL DATA
If this computer is a member of or a Domain Controller in the specified domain, the aforementioned account is a computer account for this computer in the specified domain. Otherwise, the account is an interdomain trust account with the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 8b 01 00 c0               ?..À    

and this one:

Event Type:      Information
Event Source:      DnsApi
Event Category:      None
Event ID:      11156
Date:            9/29/2008
Time:            10:05:38 AM
User:            N/A
Computer:      ATECH01
Description:
The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

   Adapter Name : {18579CF1-B793-4BC1-B866-AD763DCFEE15}
   Host Name : atech01
   Adapter-specific Domain Suffix : atech.local
   DNS server list :
           10.1.1.22, 10.3.3.10
   Sent update to server : 255.255.255.255
   IP Address : 10.1.1.20

 The reason that the system could not register these RRs was because the update request that was sent to the specified DNS server timed out. This is probably because the authoritative DNS server for the name being registered is not running.

 You can manually retry DNS registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your DNS server or network systems administrator. For specific error code information, see the record data displayed below.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: b4 05 00 00               ´...    


and this :

Event Type:      Error
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1311
Date:            9/29/2008
Time:            10:56:09 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      ATECH01
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
 
Directory partition:
CN=Configuration,DC=atech,DC=local
 
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
 
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
 
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I also noticed that the primary DC has the old server with the new name in the Domain Controllers group in AD but the new server does not exist in it.  I am unable to delete the old server from this group.

We are able to browse to the shared folders on the new DC so connectivity is there.

Any help with this is greatly appreciated!
R_Janssen

The error is quite self-explanatory...
The session setup to the Windows NT or Windows 2000 Domain Controller \\atech02.atech.local for the domain A_TECH_DOMAIN failed because the Domain Controller did not have an account ATECH01$ needed to set up the session by this computer ATECH01                      
-
The servers can't connect to it because the user doesn't exist or doesn't have appropriate rights.
kxcrazy

ASKER

Should this account not have set itself when I promoted the server to a DC and joined the domain?

If not, where do I create this account?
Should... but it can happen that it doesn't. The account should be local. The $ sign is important.
 

ASKER

OK... I must be dense or something, cuz I am drawing a blank on exactly where I create the atech01$ account?

Also why would the old renamed server still appear under domain controllers in AD and I cannot delete it?


Thanks!

ASKER

When I attempt to delete the object oldatech01 I get the message:

The DSA object cannot be deleted.
ASKER CERTIFIED SOLUTION
ryansoto

ASKER

I have tried the utility, and the server that is listed in the domain controllers group does not appear through the utility.

ASKER

Well, I tried deleting, on another 2003 server DC, the old server / new name that is appearing in the domain controllers container in AD.  It was successful, as it gives a GUI interface where you can pick that the server is offline and cannot be demoted.  However, I am now getting this error on my other DCs:

Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13562
Date:            9/29/2008
Time:            1:00:44 PM
User:            N/A
Computer:      ATECH02
Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller atech02.atech.local for FRS replica set configuration information.
 
 The nTFRSMember object cn=atech01,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=atech,dc=local has a invalid value for the attribute frsComputerReference.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Looks like somehow the old server / new name was tied to the new server.  I am wondering if I should simply demote atech01, clean the metadata, allow replication to take place through AD and then try promoting it again?
Your plan would work fine

ASKER

Well, I tried to demote the new atech01 server and it cannot be gracefully demoted, as it cannot contact another domain controller.

I will have to force demote it.  Does this plan of steps sound reasonable?

1)  Verify I can successfully start in Directory Services Restore Mode on atech01
2)  Force demote atech01
3)  Allow demotion replication through domain
4)  Perform a metadata cleanup from an existing 2003 Server domain controller, which according to the articles I have read will also remove the NTDSA or NTDS Settings object, remove inbound AD connection objects, remove the computer account, remove the FRS member object, and remove FRS subscriber objects.
5) Allow to replicate through domain
6)  I would then also need to verify and perform as necessary
a)Remove computer account from domain
b)Remove DNS records
c)Remove any remaining FRS member objects
d)Remove from any security groups
e)Remove any DFS references
7)  Allow to replicate through domain
8)  Promote atech01 again

Is there anything else I should be looking at?

Thanks!
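Steps 4 through 6 of the plan above are the part that most often goes wrong in practice: ntdsutil metadata cleanup removes the NTDS Settings object, but stale computer accounts, FRS member objects (the frsComputerReference error from event 13562) and DNS records can survive and cause exactly the symptoms in this thread when a DC with the same name is promoted again. The script below is an added example, not code from the thread or from any of its participants. It does not remove anything; it only verifies that each item in step 6 is really gone for a given DC name. It assumes the ActiveDirectory and DnsServer RSAT modules (Windows Server 2008 R2 or later / Windows 7+ RSAT), which did not exist on the 2003-era servers discussed here, and the reverse zone name `1.1.10.in-addr.arpa` is inferred from the 10.1.1.20 address in event 11156 rather than stated on the page.

```powershell
# Added example (not from the original thread): verify that no metadata for a
# forcibly demoted domain controller lingers before promoting a same-named server.
# Assumptions: ActiveDirectory + DnsServer RSAT modules are installed, the caller
# has rights to read AD and the DNS zones, and the reverse zone name below is
# correct for the subnet (inferred from 10.1.1.20 in the thread's event 11156).
param(
    [string]$DcName      = 'atech01',             # demoted DC name from the thread
    [string]$DnsServer   = 'atech02.atech.local', # a surviving DC hosting the zones
    [string]$ZoneName    = 'atech.local',
    [string]$ReverseZone = '1.1.10.in-addr.arpa'  # assumed; adjust to your subnet
)

Import-Module ActiveDirectory
Import-Module DnsServer

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext
$findings = @()

# 1. Server / NTDS Settings object in the configuration partition
#    (CN=<DC>,CN=Servers,CN=<site>,CN=Sites,...). This is what ntdsutil removes.
$server = Get-ADObject -SearchBase "CN=Sites,$configDn" `
            -LDAPFilter "(&(objectClass=server)(cn=$DcName))" -ErrorAction SilentlyContinue
if ($server) { $findings += "Server object still present: $($server.DistinguishedName)" }

# 2. Computer account (step 6a). A leftover account named <DC>$ is the one that
#    collides with a freshly promoted same-named DC.
$computer = Get-ADComputer -LDAPFilter "(cn=$DcName)" -ErrorAction SilentlyContinue
if ($computer) { $findings += "Computer account still present: $($computer.DistinguishedName)" }

# 3. FRS member object for SYSVOL (step 6c; source of event 13562 in the thread).
$frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"
$frsMember = Get-ADObject -SearchBase $frsBase -Properties frsComputerReference `
               -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$DcName))" -ErrorAction SilentlyContinue
if ($frsMember) {
    $findings += "FRS member still present: $($frsMember.DistinguishedName) -> $($frsMember.frsComputerReference)"
}

# 4. DNS records (step 6b): host A record, SRV records that still target the host,
#    and the PTR record in the reverse zone.
$fqdn = "$DcName.$ZoneName"
$aRec = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
          -Name $DcName -RRType A -ErrorAction SilentlyContinue
foreach ($r in $aRec) { $findings += "A record still present: $DcName -> $($r.RecordData.IPv4Address)" }

$srvRecs = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
             -RRType SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.RecordData.DomainName -like "$fqdn*" }
foreach ($r in $srvRecs) { $findings += "SRV record still targets host: $($r.HostName)" }

$ptrRecs = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ReverseZone `
             -RRType PTR -ErrorAction SilentlyContinue |
           Where-Object { $_.RecordData.PtrDomainName -like "$fqdn*" }
foreach ($r in $ptrRecs) { $findings += "PTR record still present: $($r.HostName) -> $($r.RecordData.PtrDomainName)" }

# Report. An empty list means steps 4-6 are complete for this DC name.
if ($findings.Count -eq 0) {
    Write-Output "No lingering metadata for $DcName found; safe to proceed with promotion."
} else {
    Write-Output "Lingering objects for ${DcName}:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from a surviving DC or an admin workstation after the metadata cleanup and after allowing replication to complete (steps 5 and 7), and again just before step 8. Any finding is something the cleanup missed; remove it with the normal tools (ntdsutil metadata cleanup or the Sites and Services GUI for the server object, ADSI Edit for the FRS member, the DNS console for records) rather than by editing the script, and give replication time to converge before re-checking, since a surviving DC may still hold a copy that will replicate the object back.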

ASKER

Well I did the steps in my post above and the old DC is now all out of AD.

I did not promote the replacement server to a DC status.  It is now simply a member server in the domain as a file server.

Thanks for all the help!