Solved

2003 R2 server will not update replication partners

Posted on 2008-11-10
Last Modified: 2012-05-05
I've been trying to DCpromo a 2003 R2 server, but I keep getting a DNS error.  It looks like it upgrades all of the SRV and CNAME guid records, but no matter what I do, I keep getting the following error in DNS on the new DC.  I've even renamed the server and given it a fresh IP - still no luck.  Help!  I need to get this server replicating soon. How can I get this resolved?  See error below:

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020B5: AtrErr: DSID-03152392, #1:
      0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9067d (msDS-NC-Replica-Locations)". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Question by:marksheeks
14 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22924516
Can you do an nediag on your current PDC Emulator then post results? Make sure when you are dcpromoing that you only point to a functioning DNS server for your internal network. Don't point it to itself until replication is fully done.
0
 

Author Comment

by:marksheeks
ID: 22924943
Sure - I am pointing at the PDC emulator when I promo it.  I think you mean a "netdiag", so I'll get that shortly.  
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22925009
Yes netdiag sorry typo. Are you getting any errors on the actual functioning DC and DNS server?
0

Author Comment

by:marksheeks
ID: 22925040
Dariusq,

Here's the netdiag. Have a ball.  Thanks for the rapid response.  This one's got pressure on me and I have to get it solved.  Note - at the current time the proposed DC is not promoted.  I installed a patch from MS and am going to try again at 12:30.  So in the NetDiag you'll see that all DC's show up but this one has been demoted until I can clear these errors.

Mark

C:\Documents and Settings\msheeks>netdiag

.........................................

    Computer Name: DC-C-SH1
    DNS Host Name: dc-c-sh1.crista.net
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 4, GenuineIntel
    List of installed hotfixes :
        KB911564
        KB921503
        KB925398_WMP64
        KB925902
        KB926122
        KB927891
        KB928090-IE7
        KB929123
        KB929969
        KB930178
        KB931784
        KB931836
        KB932168
        KB933360
        KB933566-IE7
        KB933729
        KB933854
        KB935839
        KB935840
        KB935966
        KB936021
        KB936357
        KB936782
        KB938127-IE7
        KB938464
        KB939653-IE7
        KB941202
        KB941568
        KB941569
        KB941644
        KB941672
        KB941693
        KB942763
        KB942830
        KB942831
        KB943055
        KB943460
        KB943484
        KB943485
        KB944653
        KB945553
        KB946026
        KB947864-IE7
        KB948496
        KB948590
        KB948745
        KB948881
        KB949014
        KB950759-IE7
        KB950760
        KB950762
        KB950974
        KB951066
        KB951072-v2
        KB951698
        KB951746
        KB951748
        KB952954
        KB953838-IE7
        KB953839
        KB958644
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Broadcom NetXtreme Gigabit Ethernet Adapter - Onboard - Link A

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : dc-c-sh1
        IP Address . . . . . . . . : 192.168.10.7
        Subnet Mask. . . . . . . . : 255.255.255.128
        Default Gateway. . . . . . : 192.168.10.1
        Primary WINS Server. . . . : 192.168.10.7
        Secondary WINS Server. . . : 10.1.1.7
        Dns Servers. . . . . . . . : 192.168.10.7
                                     10.1.1.7


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{EE083624-AAA4-4AE6-B64E-FADE9DFD1CEF}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.10.7
' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '10.1.1.7' an
d other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{EE083624-AAA4-4AE6-B64E-FADE9DFD1CEF}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{EE083624-AAA4-4AE6-B64E-FADE9DFD1CEF}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

C:\Documents and Settings\msheeks>
0
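An added illustration, not part of the original posts: a Python triage of netdiag output in the layout pasted above. It rejoins the 80-column console wraps, lists tests that did not pass, collects warnings, and checks the earlier advice in this thread about not pointing a server being promoted at itself for DNS. The sample text and its addresses are constructed, `unwrap` and `triage` are hypothetical helper names, and a single adapter is assumed.

```python
import re

# "Label . . . . : value" rows; the dotted leader is dropped from the label.
FIELD = re.compile(r"^\s*(\S.*?)[ .]* : (.*)$")
BARE_IP = re.compile(r"^\s+\d{1,3}(\.\d{1,3}){3}\s*$")

def unwrap(text, width=80):
    """Rejoin lines that the console split at `width` columns."""
    out, buf = [], ""
    for line in text.splitlines():
        buf += line
        if len(line) == width:      # full-width line: the next one continues it
            continue
        out.append(buf)
        buf = ""
    return out + ([buf] if buf else [])

def triage(text):
    """Summarise one netdiag run (assumes a single adapter)."""
    r = {"ip": None, "dns": [], "not_passed": {}, "warnings": []}
    last = ""
    for line in unwrap(text):
        m = FIELD.match(line)
        if m:
            last, value = m.group(1), m.group(2).strip()
            if last == "IP Address":
                r["ip"] = value
            elif last == "Dns Servers":
                r["dns"].append(value)
            elif last.endswith("test") and value != "Passed":
                r["not_passed"][last] = value
        elif last == "Dns Servers" and BARE_IP.match(line):
            r["dns"].append(line.strip())   # second server sits on its own line
        elif "[WARNING]" in line:
            r["warnings"].append(line.strip())
    # True when the host's first DNS server is its own address.
    r["self_first"] = bool(r["dns"]) and r["dns"][0] == r["ip"]
    return r

# Constructed sample in netdiag's layout; addresses and results are made up.
WARN = " " * 8 + ("[WARNING] At least one of the <00> 'WorkStation Service', "
                  "<03> 'Messenger Service', <20> 'WINS' names is missing.")
SAMPLE = "\n".join([
    "        IP Address . . . . . . . . : 192.168.10.9",
    "        Dns Servers. . . . . . . . : 192.168.10.9",
    "                                     192.168.10.7",
    "        NetBT name test. . . . . . : Passed",
    WARN[:80], WARN[80:],           # split at column 80, as the console does
    "DNS test . . . . . . . . . . . . . : Failed",
    "Trust relationship test. . . . . . : Skipped",
])
```

On a newly promoted DC, `self_first` being true alongside a non-passing DNS test is the combination the earlier advice warns about.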
 

Author Comment

by:marksheeks
ID: 22925135
Darius - to answer your question, when I promote the DC, AD loads just fine.  Soon after that I get the message from DNS that I posted.  Then I start getting the SCECLI 1202 errors right away.  I'll post a couple of these errors and you can look at them.  It pretty much comes down to the fact that it's not getting added as a replication partner upon DCPROMO'ing.  You can go right to that location in the first error I posted, with ADSI edit, and see that it hasn't added dc-c-cs2 as a rep partner.  Anyways, error codes to follow:

Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.      Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.      Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.      Start -> Run -> RSoP.msc
b.      Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.      For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.      Remove unresolved accounts from Group Policy

a.      Start -> Run -> MMC.EXE
b.      From the File menu select "Add/Remove Snap-in..."
c.      From the "Add/Remove Snap-in" dialog box select "Add..."
d.      In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.      In the "Select Group Policy Object" dialog box click the "Browse" button.
f.      On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.      For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.

For more information, see Help and Support Center at
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22925172
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22925182
Try the burflag method to get the server to become a DC.

http://support.microsoft.com/kb/315457/
0
 

Author Comment

by:marksheeks
ID: 22925507
Darius - Ok, my latest attempt was to patch it and retry - still no good. It's not that it's not picking up AD upon DCPromo - it does. And you can authenticate to it, pick up GP'S, etc.  But additional replication is not happening.  Here's the latest error when I just promo'd it.

This is a 4513 error right after I promo'd it.
------------------------------------------------------------------------------------------------------
The DNS server detected that it is not enlisted in the replication scope of the directory partition ForestDnsZones.crista.net. This prevents the zones that should be replicated to all DNS servers in the crista.net forest from replicating to this DNS server.
 
To create or repair the forest-wide DNS directory partition, open the the DNS  console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support.
 
The error was 9002.

For more information, see Help and Support Center at

0
 

Author Comment

by:marksheeks
ID: 22925624
Darius - right after the 4513, I get a 4515 error as shown below. Will the burflag method help with these dns errors?
---------------------------------------------------------------------------------------------------------------------
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020B5: AtrErr: DSID-03152392, #1:
      0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9067d (msDS-NC-Replica-Locations)". The event data contains the error.

For more information, see Help and Support Center at
0
 

Author Comment

by:marksheeks
ID: 22925774
Darius - I've read all of this previously.  The curious thing is that we just added another DC 2 weeks ago and it went in fine - no problems.  But this is a 64-bit R2 (the other was a 32-bit R2).  That's all I can figure out that's different.

Mark
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22925921
Did you run through the solutions? Have you tried them? I don't know if the burflag method would work in the situation but it might.
0
 

Author Comment

by:marksheeks
ID: 23124800
Dariusq - here's the final solution to this that I found.  It had nothing to do with any of that.  I didn't have the .net2 patch loaded.  I downloaded the 64-bit .net2 and that solved the problem.  Not really rocket science and something you should check first thing.  I'm going to give you 25 points for the expert advice and a great effort.

Mark Sheeks
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 2000 total points
ID: 23124834
Wow! That was it just .Net. How did you find that out? That's great!
0
