3tproductions

asked on
Group Policy error on one DC after a failed DC was removed and another one added

I have a domain with only 2 DCs in it. The main DC holding all the roles died suddenly the other day, so I quickly seized the roles to the other DC, made it a GC and installed DNS, which populated itself. I had numerous dcdiag errors, which I have managed to fix now. I ran the metadata cleanup too. The only issue I have now is that the domain controller that holds all 5 roles is reporting this error:

Source: Userenv
Event ID: 1058
User NT Authority\system

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=domain,DC=co,DC=uk. The file must be present at the location <\\mydomain.domain.co.uk\sysvol\mydomain.domain.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Logon Failure: The target account name is incorrect. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I cannot figure it out.

I read somewhere that the roles should ideally be spread out among the DCs. Is this correct? I also read about an issue if the infrastructure master is on the same machine as one of the other roles (I can't remember which one it is).

Any ideas on how to solve this?

Thanks

Catherine
3tproductions

ASKER
I noticed that if I try to access

\\mydomain.domain.co.uk\sysvol\

using Start > Run, it says the same error: Logon Failure: The target account name is incorrect.


Any ideas?
Netman66
Run a DCDIAG /v > C:\dcdiag.txt on the server that now holds the roles.  Scrub anything you don't want public, but leave the log intact.

Post it here.
You may have to restart the Netlogon service now on that DC to properly register the new SRV records in DNS.

Just an afterthought while I wait for the log.
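Netman66's point about restarting Netlogon to re-register SRV records, and the asker's earlier finding that \\mydomain.domain.co.uk\sysvol fails with "The target account name is incorrect", both come down to which DC the domain's DNS records still point at after the old one died. The PowerShell below is an added example, not code from the thread or from Experts Exchange: it compares the domain's same-as-parent A records and the DC-locator SRV records against the DCs the directory actually knows about, and tests the exact gpt.ini path from the Event 1058 message. It assumes the ActiveDirectory RSAT module and Resolve-DnsName (Windows 8 / Server 2012 or later); the GPO GUID default is the one from the event in the question.

```powershell
# Added example (not from the thread): after a DC is lost and another one seized the
# FSMO roles, confirm that the DNS records clients use to find a DC point only at
# DCs that still exist, and that the SYSVOL path from Event 1058 is reachable.
# Assumes the ActiveDirectory RSAT module and Resolve-DnsName (Windows 8 / 2012+).
Import-Module ActiveDirectory

function Test-DcLocatorRecords {
    param(
        [string]$Domain  = (Get-ADDomain).DNSRoot,
        # Default Domain Policy GUID, taken from the Event 1058 text in the question
        [string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    )

    # DCs according to the directory itself (metadata cleanup should have removed the dead one).
    $liveDcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    $liveIps = @(foreach ($dc in $liveDcs) {
        (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A').IPAddress
    })

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Same-as-parent A records: \\domain\sysvol goes to whichever address the domain name resolves to.
    foreach ($a in (Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A')) {
        if ($liveIps -notcontains $a.IPAddress) {
            $findings.Add([pscustomobject]@{
                Record = "$Domain (A)"; Value = $a.IPAddress
                Problem = 'Address belongs to no current DC (stale record from the dead DC?)'
            })
        }
    }

    # 2. SRV records the DC locator uses; a dead DC still listed here sends clients to a host
    #    that cannot decrypt their service tickets.
    foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
        foreach ($r in (Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue | Where-Object Type -eq 'SRV')) {
            if ($liveDcs -notcontains $r.NameTarget.TrimEnd('.')) {
                $findings.Add([pscustomobject]@{
                    Record = $srv; Value = $r.NameTarget
                    Problem = 'SRV target is not a current DC'
                })
            }
        }
    }

    # 3. The exact path named in Event 1058, opened through the domain name as Group Policy does.
    $gptIni = "\\$Domain\sysvol\$Domain\Policies\$GpoGuid\gpt.ini"
    if (-not (Test-Path -LiteralPath $gptIni)) {
        $findings.Add([pscustomobject]@{
            Record = 'gpt.ini'; Value = $gptIni
            Problem = 'Not reachable through the domain name'
        })
    }

    return $findings
}

Test-DcLocatorRecords | Format-Table -AutoSize
```

Restart-Service Netlogon only re-registers the records of the DC it runs on; any record the script flags that still names the dead DC has to be removed from the zone by hand (or by scavenging), otherwise some lookups of the domain name keep landing on an address nobody answers for.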
Will run this now. I noticed these in the event log too:

Kerberos errors

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server.mydomain.3t.co.uk.  The target name used was cifs/server2.mydomain.3t.co.uk. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (myDOMAIN.domain.CO.UK), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Right, the log:


Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine SERVER, is a DC.
   * Connecting to directory service on server SERVER.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: MYDOMAIN\SERVER
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... SERVER passed test Connectivity

Doing primary tests
   
   Testing server: MYDOMAIN\SERVER
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=MYDOMAIN,DC=domain,DC=co,DC=uk
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... SERVER passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC SERVER.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=MYDOMAIN,DC=domain,DC=co,DC=uk
            (Domain,Version 2)
         ......................... SERVER passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\SERVER\netlogon
         Verified share \\SERVER\sysvol
         ......................... SERVER passed test NetLogons
      Starting test: Advertising
         The DC SERVER is advertising itself as a DC and having a DS.
         The DC SERVER is advertising as an LDAP server
         The DC SERVER is advertising as having a writeable directory
         The DC SERVER is advertising as a Key Distribution Center
         The DC SERVER is advertising as a time server
         The DS SERVER is advertising as a GC.
         ......................... SERVER passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         Role Domain Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         Role PDC Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         Role Rid Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         ......................... SERVER passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 5116 to 1073741823
         * SERVER.MYDOMAIN.domain.co.uk is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 3616 to 4115
         * rIDPreviousAllocationPool is 3616 to 4115
         * rIDNextRID: 3761
         ......................... SERVER passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC SERVER on DC SERVER.
         * SPN found :LDAP/SERVER.MYDOMAIN.domain.co.uk/MYDOMAIN.domain.co.uk
         * SPN found :LDAP/SERVER.MYDOMAIN.domain.co.uk
         * SPN found :LDAP/SERVER
         * SPN found :LDAP/SERVER.MYDOMAIN.domain.co.uk/MYDOMAIN
         * SPN found :LDAP/935b7ae2-9360-4025-987f-6a5ab1758dca._msdcs.MYDOMAIN.domain.co.uk
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/935b7ae2-9360-4025-987f-6a5ab1758dca/MYDOMAIN.domain.co.uk
         * SPN found :HOST/SERVER.MYDOMAIN.domain.co.uk/MYDOMAIN.domain.co.uk
         * SPN found :HOST/SERVER.MYDOMAIN.domain.co.uk
         * SPN found :HOST/SERVER
         * SPN found :HOST/SERVER.MYDOMAIN.domain.co.uk/MYDOMAIN
         * SPN found :GC/SERVER.MYDOMAIN.domain.co.uk/MYDOMAIN.domain.co.uk
         ......................... SERVER passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SERVER passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         SERVER is in domain DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         Checking for CN=SERVER,OU=Domain Controllers,DC=MYDOMAIN,DC=domain,DC=co,DC=uk in domain DC=MYDOMAIN,DC=domain,DC=co,DC=uk on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk in domain CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk on 1 servers
            Object is up-to-date on all servers.
         ......................... SERVER passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... SERVER passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... SERVER passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... SERVER passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 10/23/2008   09:03:11
            Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/SERVER.MYDOMAIN.domain.co.uk.  The target name
used was cifs/demoweb.MYDOMAIN.domain.co.uk. This
indicates that the password used to encrypt the
kerberos service ticket is different than that on
the target server. Commonly, this is due to
identically named  machine accounts in the target
realm (MYDOMAIN.domain.CO.UK), and the client
realm.   Please contact your system
administrator.
         ......................... SERVER failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=SERVER,OU=Domain Controllers,DC=MYDOMAIN,DC=domain,DC=co,DC=uk and
         backlink on
         CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=SERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         and backlink on
         CN=SERVER,OU=Domain Controllers,DC=MYDOMAIN,DC=domain,DC=co,DC=uk are
         correct.
         The system object reference (serverReferenceBL)
         CN=SERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         and backlink on
         CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         are correct.
         ......................... SERVER passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : MYDOMAIN
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom
   
   Running enterprise tests on : MYDOMAIN.domain.co.uk
      Starting test: Intersite
         Skipping site MYDOMAIN, this site is outside the scope provided by
         the command line arguments provided.
         ......................... MYDOMAIN.domain.co.uk passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\SERVER.MYDOMAIN.domain.co.uk
         Locator Flags: 0xe00003fd
         PDC Name: \\SERVER.MYDOMAIN.domain.co.uk
         Locator Flags: 0xe00003fd
         Time Server Name: \\SERVER.MYDOMAIN.domain.co.uk
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\SERVER.MYDOMAIN.domain.co.uk
         Locator Flags: 0xe00003fd
         KDC Name: \\SERVER.MYDOMAIN.domain.co.uk
         Locator Flags: 0xe00003fd
         ......................... MYDOMAIN.domain.co.uk passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
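The KRB_AP_ERR_MODIFIED events in the systemlog section of the log say that a ticket issued for cifs/demoweb.MYDOMAIN.domain.co.uk was presented to SERVER, whose key is different, so SERVER could not decrypt it; "The target account name is incorrect" when opening the SYSVOL share is the same failure as seen by the SMB client. The following PowerShell is an added example, not code from the thread: it reads those events from the System log, checks whether the target name resolves to the answering host's address (a stale A record or alias) or whether more than one account holds the target's HOST SPN (the duplicate machine account case the event text mentions), and reports a diagnosis per event. It assumes the ActiveDirectory module, Get-WinEvent and Resolve-DnsName; the event wording it matches is copied from the log above, and event ID 4 is the low word of the 0x40000004 shown there.

```powershell
# Added example (not from the thread): trace KRB_AP_ERR_MODIFIED events (the 0x40000004
# entries dcdiag reported under the systemlog test) back to the name collision behind them.
# Assumes the ActiveDirectory RSAT module, Get-WinEvent and Resolve-DnsName are available.
Import-Module ActiveDirectory

function Get-KerberosNameMismatch {
    param([int]$Hours = 24)

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4; StartTime = $since } -ErrorAction SilentlyContinue |
              Where-Object { $_.ProviderName -like '*Kerberos*' }

    foreach ($e in $events) {
        # Collapse the wrapped message so one pattern works regardless of line breaks.
        $msg = $e.Message -replace '\s+', ' '
        if ($msg -notmatch 'from the server (\S+?)\.\s.*?The target name used was (\S+?)\.\s') { continue }

        $serverSpn  = $Matches[1]                 # e.g. host/SERVER.MYDOMAIN.domain.co.uk (who answered)
        $targetSpn  = $Matches[2]                 # e.g. cifs/demoweb.MYDOMAIN.domain.co.uk (who the ticket was for)
        $serverHost = ($serverSpn -split '/')[1]
        $targetHost = ($targetSpn -split '/')[1]

        # Does the target name resolve to the answering host? Then a ticket for one name is being
        # delivered to another machine's address (stale A record, CNAME, or reused IP).
        $serverIps = @((Resolve-DnsName -Name $serverHost -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A').IPAddress)
        $targetIps = @((Resolve-DnsName -Name $targetHost -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A').IPAddress)
        $sharedIps = @($serverIps | Where-Object { $targetIps -contains $_ })

        # Which accounts claim the target name? More than one means a duplicate machine account / SPN.
        $shortTarget = ($targetHost -split '\.')[0]
        $holders = @(Get-ADObject -LDAPFilter "(|(servicePrincipalName=HOST/$targetHost)(servicePrincipalName=HOST/$shortTarget))" -Properties servicePrincipalName |
                     Select-Object -ExpandProperty DistinguishedName)

        if ($holders.Count -gt 1)      { $diagnosis = 'Duplicate SPN / machine account: remove the stale one' }
        elseif ($sharedIps.Count -gt 0) { $diagnosis = 'Target name resolves to the answering host: fix the DNS A/CNAME record or use the real hostname' }
        else                            { $diagnosis = 'Names and SPNs look unique: check the target computer account password / secure channel' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            TargetSpn   = $targetSpn
            AnsweredBy  = $serverSpn
            SameAddress = ($sharedIps.Count -gt 0)
            SpnHolders  = ($holders -join '; ')
            Diagnosis   = $diagnosis
        }
    }
}

Get-KerberosNameMismatch | Format-Table -AutoSize
```

For the event in the log, the interesting output is the SameAddress and SpnHolders columns for demoweb: if demoweb now resolves to SERVER's address, the fix is in DNS, not in the computer accounts; if two accounts hold HOST/demoweb, the leftover account is what needs removing.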
This new server, did you name it the same as the old one?

If so, you need to run DCPROMO on it and demote it to a member server; uninstall DNS from it first if you have it.
Next, place it into a Workgroup, then delete all references to it in AD and from AD Sites and Services.
You may also (at this point) do a metadata cleanup using this article: http://support.microsoft.com/kb/216498

Once this has an hour or so to settle down, rerun DCPROMO to bring the new server back into AD.

Let us know.


No, what happened was we had 2 DCs; the one that died held all the roles, so I just seized them with the other one and installed a fresh DC so we would still have 2.

The DC that took all the roles through the seize has not changed names etc., as it runs tons of client web sites, so I can't do anything to it really.

I have also just realised that I cannot access this machine from my internal domain (this machine is in the DMZ). We normally access a share called websites using a batch file which runs a net use command. After the reboot the other day (after the server took all the roles) I get

System Error 64 has occurred.

Also, when I try to access the C$ share it opens sooooo slowly, then it will just close on me.

I can RDC no problem and ping it; just accessing shares is a no-no.

Arghhh
ASKER CERTIFIED SOLUTION
3tproductions