Domain membership test ...... Failed

Posted on 2008-11-18
Last Modified: 2012-12-11

I'm in the process of replacing an old Active Directory server (Windows 2003 SP1) with new hardware. My environment contains a single DC in a single domain.

I got my new server loaded with Windows Server 2003 R2 x64 and updated my schema using ADPREP. Everything went well at this point.

Then I followed the steps at . I joined the new server to my domain, promoted it to a domain controller in an existing domain, promoted it to a global catalog server and rebooted it. I installed the DNS server and replication of the DNS zones took place. I switched the 5 FSMO roles. I changed the DHCP DNS server address to my new DNS server. Everything went well at this point.

When I tried to remove the global catalog from the old server, I did not get any error messages, but about 30 minutes later I got a call from a user saying that he was not able to connect to the Exchange server (2007), so I checked the global catalog box for my old server again and started to investigate.

The netdiag /fix gives me only one FAIL:
Domain membership test . . . . . . : Failed
    [WARNING] The system volume has not been completely replicated to the local
machine. This machine is not working properly as a DC.

I did try to manually force replication in Active Directory Sites and Services -> First site by default -> Server name -> NTDS Settings, and I did Replicate Now. Even after doing that, netdiag /fix still gives me the same error.

I would appreciate any help with this issue.


Just to avoid any confusion, the new server and the old server do not have the same computer name. Also, after promoting the new server to a domain controller, I did not make sure that replication had taken place before switching the 5 FSMO roles (if this can be an issue).
Question by: martinlebel

    Expert Comment (LVL 9)

    How long has this server been a DC? Even if you force replication it will take a little time.
    Also check that DNS is working correctly, and that both servers are registered with the DNS servers that run your domain.
    Expert Comment (LVL 13)

    Have the machines replicated overnight?
    Some Microsoft NTFRS updating only occurs in the early hours of the morning, so some changes would not be visible until the following day.

    Author Comment

The new DC was added 18 hours ago.

    Dcdiag gives me the following errors:

    Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\newserver\netlogon)
    [newserver] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
    ......................... newserver failed test NetLogons

    Starting test: Advertising
    Warning: DsGetDcName returned information for \\oldserver.umcb.local, when we were trying to reach DC1. Server is not responding or is not considered suitable.
    ......................... newserver failed test Advertising

    Starting test: frsevent
    There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
    ......................... newserver failed test frsevent
    Accepted Solution (LVL 9)

    I am betting you are dealing with a DNS issue.
    Check that both servers are using the same DNS servers.
    Check that both servers can ping each other by name and IP address.
    Try to connect to each server by UNC name, i.e. \\server\share.
    The answer will be in there somewhere.

    Author Comment

    Both servers are using the same DNS server, which is the "newserver".
    Both servers can ping each other using IP, name and
    Both servers can connect to a share on the other.

    Still nothing. The SYSVOL on the newserver is empty.

    When doing nslookup I get the following:

    DNS request timed out.
    Timeout was 2 seconds.
    *** Can't find server name for address Timed Out
    Default Server: Unknown
    Expert Comment (LVL 9)

    Your issue is DNS. I am not sure where, but one of them is not resolving names.
    Is there a firewall between them?
    Expert Comment (LVL 9)

    You might want to try ipconfig /flushdns and then ipconfig /registerdns.

    Author Comment

    I do get errors on the new server:

    Application Log
    Automatic certificate enrollment for local system failed to enroll for one Directory Email Replication certificate (0x800706ba). The RPC server is unavailable.

    Directory Service Log
    Active Directory was unable to establish a connection with the global catalog.

    Additional Data
    Error value:
    1355 The specified domain either does not exist or could not be contacted.
    Internal ID:

    User Action:
    Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

    There's no error in the DNS log.

    File Replication Service Log
    The File Replication Service is having trouble enabling replication from LASERVEUSE to DC1 for c:\windows\sysvol\domain using the DNS name laserveuse.umcb.local. FRS will keep retrying.
    Following are some of the reasons you would see this warning.

    [1] FRS can not correctly resolve the DNS name laserveuse.umcb.local from this computer.
    [2] FRS is not running on laserveuse.umcb.local.
    [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

    This event log message will appear once per connection. After the problem is fixed you will see another event log message indicating that the connection has been established.
    Expert Comment (LVL 9)

    Your issue is DNS related, I will bet on it. Is there a firewall between the two servers, or between one of them and the DNS server?

    Author Comment

    OK, most of you said it's about DNS, so I'll go with that. I have a DNS problem. How can I check if the DNS server has the proper records for my domain controller?
    Expert Comment (LVL 9)

    1. Check the DNS server(s) for the resource records for your DCs.
    2. Verify that each server can contact the DNS server and resolve names:
       from a command prompt type nslookup, then type the name of each server.
       It should answer with the IP address.

    This will get you started.
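The Accepted Solution and the comment just above describe checks to do by hand (same DNS server on both DCs, names resolving, UNC shares reachable, DC resource records present in the zone). The PowerShell script below is an added example, not code from the original thread, that runs those checks against a named DNS server: the A record for each DC, the _msdcs locator SRV records a DC must have registered before DsGetDcName will return it (the "not considered suitable" failure in dcdiag's Advertising test), the reverse (PTR) lookup behind nslookup's "Can't find server name for address" banner, and the NETLOGON and SYSVOL shares that dcdiag's NetLogons test could not reach (error 1203). It assumes a Windows 8 / Server 2012 or later machine with the DnsClient module (Resolve-DnsName). The domain umcb.local, the DC names dc1 and laserveuse and the DNS server dc1.umcb.local are taken from the thread and used only as placeholders.

```powershell
# Added example for this thread, not code from the original post or from Microsoft.
# Checks the DNS records and shares a DC needs before it can advertise itself.
# Assumes Resolve-DnsName (Windows 8 / Server 2012 or later). Domain, DC names and
# DNS server below are placeholders taken from the thread; adjust for your environment.
param(
    [string]   $Domain    = 'umcb.local',
    [string[]] $Dcs       = @('dc1', 'laserveuse'),
    [string]   $DnsServer = 'dc1.umcb.local'   # the DNS server both DCs should point at
)

$results = New-Object System.Collections.Generic.List[object]

function Add-Check([string] $Check, [bool] $Ok, [string] $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
}

function Get-DnsAnswer([string] $Name, [string] $Type) {
    # Ask the named server directly. -DnsOnly skips LLMNR/NetBIOS and the local
    # cache, so the answer reflects what is actually in the zone right now.
    try {
        Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq $Type }
    } catch {
        $null
    }
}

# 1. Every DC needs an A record in the zone (this is what "nslookup <dcname>" tests).
foreach ($dc in $Dcs) {
    $fqdn = "$dc.$Domain"
    $a = Get-DnsAnswer $fqdn 'A'
    Add-Check "A record for $fqdn" ($null -ne $a) (($a.IPAddress) -join ', ')
}

# 2. Locator SRV records. The DC locator (DsGetDcName) only returns DCs registered
#    under _ldap._tcp.dc._msdcs; a global catalog must also appear under _gc._tcp.
#    Netlogon registers these on start-up; a DC absent here will not advertise.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($srv in $srvNames) {
    $recs    = @(Get-DnsAnswer $srv 'SRV')
    $targets = @($recs.NameTarget | ForEach-Object { $_.TrimEnd('.').ToLower() } | Sort-Object -Unique)
    $missing = @($Dcs | Where-Object { $targets -notcontains "$_.$Domain".ToLower() })
    Add-Check "SRV $srv" ($recs.Count -gt 0 -and $missing.Count -eq 0) `
        ("targets: " + ($targets -join ', ') + "; missing: " + ($missing -join ', '))
}

# 3. nslookup's start-up banner "Can't find server name for address ...: Timed out"
#    comes from a reverse (PTR) lookup of the DNS server's own IP. A missing reverse
#    zone produces it and does not by itself break forward lookups, so it is reported
#    as informational rather than as a failure.
$serverIp = (Get-DnsAnswer $DnsServer 'A').IPAddress | Select-Object -First 1
if ($serverIp) {
    $ptr = Get-DnsAnswer $serverIp 'PTR'
    Add-Check "PTR for DNS server $serverIp (informational)" $true `
        $(if ($ptr) { $ptr.NameHost -join ', ' } else { 'no PTR record: this is what produces the nslookup banner error' })
}

# 4. NETLOGON and SYSVOL must be shared before a DC advertises. dcdiag's NetLogons
#    test fails with Win32 error 1203 when \\dc\netlogon cannot be reached.
foreach ($dc in $Dcs) {
    foreach ($share in 'netlogon', 'sysvol') {
        $path = "\\$dc\$share"
        Add-Check "Share $path" (Test-Path -Path $path) ''
    }
}

$results | Format-Table -AutoSize
```

Run it from either DC. A DC that is missing from the _ldap._tcp.dc._msdcs targets, or whose netlogon share is unreachable, is the one that will not advertise. After correcting the zone or the DC's DNS client settings, run ipconfig /registerdns and restart the Netlogon service on that DC so it re-registers its SRV records, then re-run the script and dcdiag.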

    Author Comment

    When I run the NSLOOKUP command from the DNS server I get:

    C:\Documents and Settings\mlebel>nslookup
    DNS request timed out.
    Timeout was 2 seconds.
    *** Unable to find the name of the server for address : Timed out
    Default Server: Unknown

    The DHCP configuration on the router pushes as a DNS server for clients. I'm able to join computers to the domain, and I'm able to contact computers using FQDN. When I manually change the IP address of a client, the DNS server updates the records automatically.

    In the Event Viewer I get nothing under the DNS Server log.

    On the new server I get :

    Event Type: Information
    Event Source: NTDS General
    Event Category: Global Catalog
    Event ID: 1869
    Date: 11/20/2008
    Time: 2:35:06 PM
    Computer: DC1
    Description: Active Directory has located a global catalog in the following site.
    Global catalog: \\laserveuse.umcb.local
    Site: Premier-Site-par-defaut

    Event Type:      Warning
    Event Source:      NTDS Replication
    Event Category:      DS RPC Client
    Event ID:      2088
    Date:            11/20/2008
    Time:            8:45:58 PM
    Computer:      DC1
    Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
    Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.
    You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
    Alternate server name:
    Failing DNS host name:
    NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
    Registry Path:
    HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
    User Action:
     1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
     2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
     3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on
      dcdiag /test:dns
     4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
      dcdiag /test:dns
     5) For further analysis of DNS error failures see KB 824449:
    Additional Data
    Error value: 11004 The requested name is valid, but no data of the requested type was found.

