2003 R2 server will not update replication partners

I've been trying to DCpromo a 2003 R2 server, but I keep getting a DNS error.  It looks like it upgrades all of the SRV and CNAME guid records, but no matter what I do, I keep getting the following error in DNS on the new DC.  I've even renamed the server and given it a fresh IP - still no luck.  Help!  I need to get this server replicating soon. How can I get this resolved?  See error below:

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020B5: AtrErr: DSID-03152392, #1:
      0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9067d (msDS-NC-Replica-Locations)". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
marksheeksAsked:

Darius GhassemCommented:
Can you do an nediag on your current PDC Emulator then post results? Make sure when you are dcpromoing that you only point to a functioning DNS server for your internal network. Don't point it to itself until replication is fully done.
0
marksheeksAuthor Commented:
Sure - I am pointing at the PDC emulator when I promo it.  I think you mean a "netdiag", so I'll get that shortly.  
0
Darius GhassemCommented:
Yes netdiag sorry typo. Are you getting any errors on the actual functioning DC and DNS server?
0

marksheeksAuthor Commented:
Dariusq,

Here's the netdiag. Have a ball.  Thanks for the rapid response.  This one's got pressure on me and I have to get it solved.  Note - at the current time the proposed DC is not promoted.  I installed a patch from MS and am going to try again at 12:30.  So in the NetDiag you'll see that all DC's show up but this one has been demoted until I can clear these errors.

Mark

C:\Documents and Settings\msheeks>netdiag

.........................................

    Computer Name: DC-C-SH1
    DNS Host Name: dc-c-sh1.crista.net
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 4, GenuineIntel
    List of installed hotfixes :
        KB911564
        KB921503
        KB925398_WMP64
        KB925902
        KB926122
        KB927891
        KB928090-IE7
        KB929123
        KB929969
        KB930178
        KB931784
        KB931836
        KB932168
        KB933360
        KB933566-IE7
        KB933729
        KB933854
        KB935839
        KB935840
        KB935966
        KB936021
        KB936357
        KB936782
        KB938127-IE7
        KB938464
        KB939653-IE7
        KB941202
        KB941568
        KB941569
        KB941644
        KB941672
        KB941693
        KB942763
        KB942830
        KB942831
        KB943055
        KB943460
        KB943484
        KB943485
        KB944653
        KB945553
        KB946026
        KB947864-IE7
        KB948496
        KB948590
        KB948745
        KB948881
        KB949014
        KB950759-IE7
        KB950760
        KB950762
        KB950974
        KB951066
        KB951072-v2
        KB951698
        KB951746
        KB951748
        KB952954
        KB953838-IE7
        KB953839
        KB958644
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Broadcom NetXtreme Gigabit Ethernet Adapter - Onboard - Link A

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : dc-c-sh1
        IP Address . . . . . . . . : 192.168.10.7
        Subnet Mask. . . . . . . . : 255.255.255.128
        Default Gateway. . . . . . : 192.168.10.1
        Primary WINS Server. . . . : 192.168.10.7
        Secondary WINS Server. . . : 10.1.1.7
        Dns Servers. . . . . . . . : 192.168.10.7
                                     10.1.1.7


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{EE083624-AAA4-4AE6-B64E-FADE9DFD1CEF}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.10.7' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '10.1.1.7' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{EE083624-AAA4-4AE6-B64E-FADE9DFD1CEF}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{EE083624-AAA4-4AE6-B64E-FADE9DFD1CEF}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

C:\Documents and Settings\msheeks>
0
marksheeksAuthor Commented:
Darius - to answer your question, when I promote the DC, AD loads just fine.  Soon after that I get the message from DNS that I posted.  Then I start getting the SCECLI 1202 errors right away.  I'll post a couple of these errors and you can look at them.  It pretty much comes down to the fact that it's not getting added as a replication partner upon DCPROMO'ing.  You can go right to that location in the first error I posted, with ADSI edit, and see that it hasn't added dc-c-cs2 as a rep partner.  Anyways, error codes to follow:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.      Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.      Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.      Start -> Run -> RSoP.msc
b.      Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.      For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.      Remove unresolved accounts from Group Policy

a.      Start -> Run -> MMC.EXE
b.      From the File menu select "Add/Remove Snap-in..."
c.      From the "Add/Remove Snap-in" dialog box select "Add..."
d.      In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.      In the "Select Group Policy Object" dialog box click the "Browse" button.
f.      On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.      For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.

For more information, see Help and Support Center at
0
Darius GhassemCommented:
Try the burflag method to get the server to become a DC.

http://support.microsoft.com/kb/315457/
0
marksheeksAuthor Commented:
Darius - Ok, my latest attempt was to patch it and retry - still no good. It's not that it's not picking up AD upon DCPromo - it does. And you can authenticate to it, pick up GP'S, etc.  But additional replication is not happening.  Here's the latest error when I just promo'd it.

This is a 4513 error right after I promo'd it.
------------------------------------------------------------------------------------------------------
The DNS server detected that it is not enlisted in the replication scope of the directory partition ForestDnsZones.crista.net. This prevents the zones that should be replicated to all DNS servers in the crista.net forest from replicating to this DNS server.
 
To create or repair the forest-wide DNS directory partition, open the the DNS  console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support.
 
The error was 9002.

For more information, see Help and Support Center at

0
marksheeksAuthor Commented:
Darius - right after the 4513, I get a 4515 error as shown below. Will the burflag method help with these dns errors?
---------------------------------------------------------------------------------------------------------------------
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020B5: AtrErr: DSID-03152392, #1:
      0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9067d (msDS-NC-Replica-Locations)". The event data contains the error.

For more information, see Help and Support Center at
0
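Added example, not part of the thread or of any Microsoft tooling: a Python parser that splits the extended error string from the 4515 events quoted above into its fields, so repeated events can be grouped by the attribute that failed. The field layout is inferred from the one string quoted in this thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Layout inferred from the single string quoted in this thread (an assumption):
#   <hex code>: <kind>: DSID-<id>, #<count>:
#       <idx>: <hex code>: DSID-<id>, problem <n> (<NAME>), data <n>, Att <hex> (<ldapName>)
HEADER = re.compile(r"([0-9A-Fa-f]{8}):\s*(\w+):\s*DSID-([0-9A-Fa-f]+),\s*#(\d+):")
ENTRY = re.compile(
    r"(\d+):\s*([0-9A-Fa-f]{8}):\s*DSID-([0-9A-Fa-f]+),\s*problem\s+(\d+)\s*\((\w+)\),"
    r"\s*data\s+(-?\d+),\s*Att\s+([0-9A-Fa-f]+)\s*\(([\w-]+)\)"
)

def parse_ds_error(event_text):
    """Return the parsed fields, or None when the event carries no debug string."""
    head = HEADER.search(event_text)
    if head is None:
        return None
    entries = []
    for m in ENTRY.finditer(event_text, head.end()):
        entries.append({
            "index": int(m.group(1)),
            "win32_hex": m.group(2).upper(),
            "win32_dec": int(m.group(2), 16),  # decimal form, e.g. for `net helpmsg`
            "dsid": m.group(3),
            "problem": int(m.group(4)),
            "problem_name": m.group(5),
            "data": int(m.group(6)),
            "att_id": m.group(7),
            "att_name": m.group(8),
        })
    return {"kind": head.group(2), "declared": int(head.group(4)), "entries": entries}

def summarize(event_texts):
    """Count (problem_name, att_name) pairs across events; skip empty debug info."""
    counts = Counter()
    for text in event_texts:
        parsed = parse_ds_error(text)
        if parsed:
            counts.update((e["problem_name"], e["att_name"]) for e in parsed["entries"])
    return counts

# The first sample carries the string from the thread; the second is constructed
# to show the "(which may be empty)" case.
SAMPLE_4515 = ('... debug information (which may be empty) is "000020B5: AtrErr: DSID-03152392, #1:\n'
               '      0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, '
               'Att 9067d (msDS-NC-Replica-Locations)". The event data contains the error.')
SAMPLE_EMPTY = 'The extended error debug information (which may be empty) is "". The event data contains the error.'

if __name__ == "__main__":
    print(parse_ds_error(SAMPLE_4515))
    print(summarize([SAMPLE_4515, SAMPLE_4515, SAMPLE_EMPTY]))
```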
marksheeksAuthor Commented:
Darius - I've read all of this previously.  The curious thing is that we just added another DC 2 weeks ago and it went in fine - no problems.  But this is a 64-bit R2 (the other was a 32-bit R2).  That's all I can figure out that's different.

Mark
0
Darius GhassemCommented:
Did you run through the solutions? Have you tried them? I don't know if the burflag method would work in the situation but it might.
0
marksheeksAuthor Commented:
Dariusq - here's the final solution to this that I found.  It had nothing to do with any of that.  I didn't have the .net2 patch loaded.  I downloaded the 64-bit .net2 and that solved the problem.  Not really rocket science and something you should check first thing.  I'm going to give you 25 points for the expert advice and a great effort.

Mark Sheeks
0
Darius GhassemCommented:
Wow! That was it just .Net. How did you find that out? That's great!
0
