Solved

Newly promoted DC has errors and cannot connect to other DCs to replicate AD.

Posted on 2008-09-29 | 11 comments | 521 views | Last Modified: 2012-05-05
I had a Server 2000 machine that was the secondary DC for our domain starting to fail, so I purchased and configured a new machine. As this was also the file server for our organization, as well as a minor app server, I had to name the new machine the same as the old one.

I demoted the old server and took it offline. I also renamed it before bringing it back into the network.
I promoted the new server, which is Server 2003, and it all appeared to be fine; however, upon reviewing the event logs I am seeing the following, as well as the individual errors for each of the other DCs.

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5721
Date:            9/29/2008
Time:            8:16:47 AM
User:            N/A
Computer:      ATECH01
Description:
The session setup to the Windows NT or Windows 2000 Domain Controller \\atech02.atech.local for the domain A_TECH_DOMAIN failed because the Domain Controller did not have an account ATECH01$ needed to set up the session by this computer ATECH01.  

ADDITIONAL DATA
If this computer is a member of or a Domain Controller in the specified domain, the aforementioned account is a computer account for this computer in the specified domain. Otherwise, the account is an interdomain trust account with the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 8b 01 00 c0               ?..À    

and this one:

Event Type:      Information
Event Source:      DnsApi
Event Category:      None
Event ID:      11156
Date:            9/29/2008
Time:            10:05:38 AM
User:            N/A
Computer:      ATECH01
Description:
The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

   Adapter Name : {18579CF1-B793-4BC1-B866-AD763DCFEE15}
   Host Name : atech01
   Adapter-specific Domain Suffix : atech.local
   DNS server list :
           10.1.1.22, 10.3.3.10
   Sent update to server : 255.255.255.255
   IP Address : 10.1.1.20

 The reason that the system could not register these RRs was because the update request that was sent to the specified DNS server timed out. This is probably because the authoritative DNS server for the name being registered is not running.

 You can manually retry DNS registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your DNS server or network systems administrator. For specific error code information, see the record data displayed below.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: b4 05 00 00               ´...    


and this :

Event Type:      Error
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1311
Date:            9/29/2008
Time:            10:56:09 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      ATECH01
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
 
Directory partition:
CN=Configuration,DC=atech,DC=local
 
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
 
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
 
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I also noticed that the primary DC has the old server with the new name in the Domain Controllers group in AD but the new server does not exist in it.  I am unable to delete the old server from this group.

We are able to browse to the shared folders on the new DC so connectivity is there.

Any help with this is greatly appreciated!
0
Question by:kxcrazy
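Two of the events quoted above end with a "Data:" line and tell the reader to consult it for the specific error code. The following PowerShell is an added example, not part of the thread: it takes those two Data lines, reads the four bytes as a little-endian 32-bit code, and matches the result against a small hand-built lookup table. The function name and the table are my own additions (assumptions), not an authoritative reference; the two sample lines are constructed from the question's event text.

```powershell
# Added example, not from the thread: decode the "Data:" bytes printed under an event description.
# The four bytes are a little-endian 32-bit status code. $KnownCodes is a small hand-built table
# (an assumption for this example), not a complete NTSTATUS/Win32 reference.
$KnownCodes = @{
    '0xC000018B' = 'STATUS_NO_TRUST_SAM_ACCOUNT: the target DC has no computer account for this machine'
    '0x000005B4' = 'ERROR_TIMEOUT (1460): the dynamic DNS update was sent but never answered'
}

function ConvertFrom-EventRecordData {
    param([string]$DataLine)   # e.g. "0000: 8b 01 00 c0               ?..À"

    # Drop the "0000:" offset prefix and keep only two-digit hex tokens; the ASCII
    # rendering printed on the right of the line is noise and never matches.
    $bytes = @(($DataLine -replace '^\s*[0-9A-Fa-f]+:\s*', '') -split '\s+' |
               Where-Object { $_ -match '^[0-9A-Fa-f]{2}$' })
    if ($bytes.Count -ne 4) { throw "Expected 4 data bytes, found $($bytes.Count) in: $DataLine" }

    # The bytes are stored little-endian, so reverse them before reading the value.
    [array]::Reverse($bytes)
    $code = [Convert]::ToUInt32(($bytes -join ''), 16)
    $hex  = '0x{0:X8}' -f $code
    $meaning = if ($KnownCodes.ContainsKey($hex)) { $KnownCodes[$hex] }
               else { 'not in the local table; look the value up as NTSTATUS or Win32 error' }

    New-Object PSObject -Property @{ Hex = $hex; Decimal = $code; Meaning = $meaning }
}

# Constructed sample input: the Data lines from the NETLOGON 5721 and DnsApi 11156 events above.
$samples = @(
    '0000: 8b 01 00 c0               ?..À',
    '0000: b4 05 00 00               ´...'
)
$samples | ForEach-Object { ConvertFrom-EventRecordData $_ } | Format-Table Hex, Decimal, Meaning -AutoSize
```

The first line decodes to 0xC000018B, the NTSTATUS for a missing computer (trust) account, which is the same condition the 5721 description states in words; the second decodes to 0x5B4 (1460), a plain timeout, which matches the DnsApi text about the update request timing out. Decoding the bytes is mainly useful when the description is less explicit than these two.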
11 Comments
 
LVL 3

Expert Comment

by:R_Janssen
ID: 22597269
The error is quite self-explanatory...
The session setup to the Windows NT or Windows 2000 Domain Controller \\atech02.atech.local for the domain A_TECH_DOMAIN failed because the Domain Controller did not have an account ATECH01$ needed to set up the session by this computer ATECH01                      
-
The servers can't connect to it because the user doesn't exist or doesn't have appropriate rights.
0
 

Author Comment

by:kxcrazy
ID: 22597293
Should this account not have set itself when I promoted the server to a DC and joined the domain?

If not, where do I create this account?
0
 
LVL 3

Expert Comment

by:R_Janssen
ID: 22597392
It should, but it can happen that it doesn't. The account should be local. The $ sign is important.
 
0
 

Author Comment

by:kxcrazy
ID: 22597483
OK...I must be dense or something cuz I am drawing a blank on exactly where I create the atech01$ account?

Also why would the old renamed server still appear under domain controllers in AD and I cannot delete it?


Thanks!
0
 

Author Comment

by:kxcrazy
ID: 22597516
When I attempt to delete the object oldatech01 I get the message:

The DSA object cannot be deleted.
0

 
LVL 24

Accepted Solution

by: ryansoto (earned 500 total points)
ID: 22598102
Run a metadata clean up to remove the old server
http://technet.microsoft.com/en-us/library/cc736378.aspx
0
 

Author Comment

by:kxcrazy
ID: 22598206
I have tried the utility, and the server that is listed in the Domain Controllers group does not appear through the utility.
0
 

Author Comment

by:kxcrazy
ID: 22598500
Well, I tried deleting, on another 2003 Server DC, the old server / new name that is appearing in the Domain Controllers container in AD. It was successful, as it gives a GUI interface where you can pick that the server is offline and cannot be demoted. However, I am now getting this error on my other DCs:

Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13562
Date:            9/29/2008
Time:            1:00:44 PM
User:            N/A
Computer:      ATECH02
Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller atech02.atech.local for FRS replica set configuration information.

 The nTFRSMember object cn=atech01,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=atech,dc=local has a invalid value for the attribute frsComputerReference.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Looks like somehow the old server / new name was tied to the new server. I am wondering if I should simply demote atech01, clean the metadata, allow replication to take place through AD and then try promoting it again?
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 22598591
Your plan would work fine
0
 

Author Comment

by:kxcrazy
ID: 22613859
Well, I tried to demote the new atech01 server and it cannot be gracefully demoted, as it cannot contact another domain controller.

I will have to force demote it. Does this plan of steps sound reasonable?

1) Verify I can successfully start in Directory Services Restore Mode on atech01
2) Force demote atech01
3) Allow demotion replication through domain
4) Perform a metadata cleanup from an existing 2003 Server domain controller, which according to the articles I have read will also remove the NTDSA or NTDS Settings object, remove inbound AD connection objects, remove the computer account, remove FRS member objects, and remove FRS subscriber objects.
5) Allow to replicate through domain
6) I would then also need to verify and perform as necessary:
a) Remove computer account from domain
b) Remove DNS records
c) Remove any remaining FRS member objects
d) Remove from any security groups
e) Remove any DFS references
7) Allow to replicate through domain
8) Promote atech01 again

Is there anything else I should be looking at?

Thanks!
0
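The verification behind steps 4 to 6 of the plan above, together with the dangling frsComputerReference that produced the NtFrs 13562 warning two posts up, as one added PowerShell example that is not part of the thread. It assumes Windows PowerShell 2.0 or later on a domain-joined machine, an account that can read the domain and configuration partitions, a DNS zone named after the domain, and only the .NET System.DirectoryServices classes plus nslookup (no ActiveDirectory module, which a 2003-era domain would not have). OLDATECH01 is the stale name from the thread, used here as a placeholder; everything else is read from RootDSE. Run it after the ntdsutil metadata cleanup the accepted answer links to, and before promoting a DC with the same name again.

```powershell
# Added example (not from the thread): audit what is left of a removed domain controller
# after forced demotion and metadata cleanup, i.e. steps 4-6 of the plan above.
# Assumptions: Windows PowerShell 2.0+, domain-joined machine, an account that can read the
# domain and configuration partitions; $StaleDc is a placeholder name taken from the thread.
param([string]$StaleDc = 'OLDATECH01')

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = "$($rootDse.defaultNamingContext)"
$configDn = "$($rootDse.configurationNamingContext)"
$dnsZone  = ($domainDn -replace 'DC=', '') -replace ',', '.'   # DC=atech,DC=local -> atech.local
$nameRx   = '^CN=' + [regex]::Escape($StaleDc) + ','
$findings = @()

# Thin wrapper around DirectorySearcher (subtree scope by default) so each check is one call.
function Find-AdObjects([string]$SearchBase, [string]$Filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    foreach ($result in $searcher.FindAll()) { $result.Properties }
}

# 1. Server object and its NTDS Settings child under CN=Sites; metadata cleanup removes both.
foreach ($srv in Find-AdObjects "CN=Sites,$configDn" "(&(objectClass=server)(cn=$StaleDc))") {
    $srvDn = $srv['distinguishedname'][0]
    $findings += "Server object still present: $srvDn"
    foreach ($ntds in Find-AdObjects $srvDn '(objectClass=nTDSDSA)') {
        $findings += "NTDS Settings still present: $($ntds['distinguishedname'][0])"
    }
}

# 2. Computer account; bit 0x2000 (SERVER_TRUST_ACCOUNT) in userAccountControl marks a DC account.
foreach ($c in Find-AdObjects $domainDn "(&(objectCategory=computer)(cn=$StaleDc))") {
    $isDc = ([int]$c['useraccountcontrol'][0] -band 0x2000) -ne 0
    $findings += "Computer account still present (DC flag: $isDc): $($c['distinguishedname'][0])"
}

# 3. FRS member objects whose frsComputerReference points nowhere: the condition NtFrs 13562 reports.
foreach ($m in Find-AdObjects "CN=System,$domainDn" '(objectClass=nTFRSMember)') {
    $dn = $m['distinguishedname'][0]
    if ($m['frscomputerreference'].Count -eq 0) {
        $findings += "FRS member without frsComputerReference: $dn"
    } elseif (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$($m['frscomputerreference'][0])")) {
        $findings += "FRS member references a missing computer ($($m['frscomputerreference'][0])): $dn"
    }
}

# 4. Group membership, which covers the Domain Controllers group entry the question describes.
foreach ($g in Find-AdObjects $domainDn '(objectClass=group)') {
    foreach ($member in $g['member']) {
        if ($member -match $nameRx) { $findings += "Still a member of $($g['distinguishedname'][0]): $member" }
    }
}

# 5. DFS roots: fTDfs objects keep their target UNC paths in remoteServerName.
try {
    foreach ($d in Find-AdObjects "CN=Dfs-Configuration,CN=System,$domainDn" "(&(objectClass=fTDfs)(remoteServerName=*$StaleDc*))") {
        $findings += "DFS root still targets the server: $($d['distinguishedname'][0])"
    }
} catch { $findings += "DFS check skipped: $($_.Exception.Message)" }

# 6. DNS: the host record plus the DC-locator SRV records under _msdcs (nslookup output scraped; a heuristic).
$fqdn = "$($StaleDc).$($dnsZone)"
try   { $findings += "Host record still resolves: $fqdn -> $([System.Net.Dns]::GetHostAddresses($fqdn) -join ', ')" }
catch { }
foreach ($srv in @("_ldap._tcp.dc._msdcs.$dnsZone", "_kerberos._tcp.dc._msdcs.$dnsZone")) {
    $hits = @(nslookup -type=SRV $srv 2>$null | Where-Object { $_ -match [regex]::Escape($StaleDc) })
    if ($hits.Count -gt 0) { $findings += "SRV record $srv still lists the server: $($hits -join '; ')" }
}

if ($findings.Count -eq 0) { "No leftovers found for $StaleDc; clear to promote a DC with that name again." }
else { $findings | ForEach-Object { "LEFTOVER: $_" } }
```

Each LEFTOVER line maps back to one item of step 6: the server/NTDS Settings and FRS member checks correspond to what metadata cleanup should have removed, the computer account and group lines to 6a and 6d, the DFS line to 6e, and the DNS lines to 6b. The nslookup scrape only covers the two most important locator records; a stale DC usually has several more under _msdcs, so treat an empty result there as a hint rather than proof.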
 

Author Comment

by:kxcrazy
ID: 22679511
Well I did the steps in my post above and the old DC is now all out of AD.

I did not promote the replacement server to a DC status.  It is now simply a member server in the domain as a file server.

Thanks for all the help!
0
