martinlebel (Canada) asked:
Domain membership test ...... Failed

Hi.

I'm in the process of replacing an old Active Directory server (Windows 2003 SP1) with new hardware. My environment contains a single DC in a single domain.

I got my new server loaded with Windows Server 2003 R2 x64 and updated my schema using ADPREP. Everything went well at this point.

Then I followed the steps at http://support.microsoft.com/kb/555549/en-us . I joined the new server to my domain, promoted it to a domain controller in an existing domain, promoted it to a global catalog server and rebooted it. I installed DNS server and replication of the DNS zones took place. I transferred the 5 FSMO roles. I changed the DHCP DNS server address to my new DNS server. Everything went well at this point.

When I tried to remove the global catalog from the old server, I did not get any error messages, but about 30 minutes later I got a call from a user saying that he was not able to connect to the Exchange server (2007), so I re-checked the global catalog box on my old server and started to investigate.

netdiag /fix gives me only one FAIL:

Domain membership test . . . . . . : Failed
    [WARNING] The system volume has not been completely replicated to the local
    machine. This machine is not working properly as a DC.

I did try to manually force replication in Active Directory Sites and Services -- the default first site -- server name -- NTDS Settings, and I did Replicate Now. Even after doing that, netdiag /fix still gives me the same error.

I would appreciate any help with this issue.

-Martin

Just to avoid any confusion, the new server and the old server do not have the same computer name. Also, after promoting the new server to a domain controller, I did not make sure that replication had taken place before transferring the 5 FSMO roles (if this can be an issue).
hodgeyohn (United States):

How long has this server been a DC? Even if you force replication it will take a little time.
Also check that DNS is working correctly, and that both servers are registered with the DNS servers that run your domain.
Robin Human:

Have the machines replicated overnight?
Some Microsoft NTFRS updating only occurs in the early hours of the morning, so some changes would not be visible until the following day.
martinlebel (asker):

The new DC has been added 18 hours ago.

Dcdiag gives me the following errors:

Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\newserver\netlogon)
[newserver] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
......................... newserver failed test NetLogons

Starting test: Advertising
Warning: DsGetDcName returned information for \\oldserver.umcb.local, when we were trying to reach DC1. Server is not responding or is not considered suitable.
......................... newserver failed test Advertising

Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... newserver failed test frsevent
ASKER CERTIFIED SOLUTION by hodgeyohn (United States). The accepted solution is members-only and its text is not included on this page.

Both servers are using the same DNS server, which is the "newserver".
Both servers can ping each other using IP, name and name@domain.com.
Both servers can connect to a share on the other.

Still nothing. The SYSVOL on the newserver is empty.

When doing nslookup I get the following:

DNS request timed out.
    Timeout was 2 seconds.
*** Can't find server name for address 10.10.10.7: Timed out
Default Server:  UnKnown
Address:  10.10.10.7

Your issue is DNS. I am not sure where, but one of them is not resolving names.
Is there a firewall between them?
You might want to try:
ipconfig /flushdns
ipconfig /registerdns

I do get errors on the new server:

Application Log
Automatic certificate enrollment for local system failed to enroll for one Directory Email Replication certificate (0x800706ba). The RPC server is unavailable.

Directory Service Log
Active Directory was unable to establish a connection with the global catalog.

Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200cf3

User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

There are no errors in the DNS log.

File Replication Service Log
The File Replication Service is having trouble enabling replication from LASERVEUSE to DC1 for c:\windows\sysvol\domain using the DNS name laserveuse.umcb.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name laserveuse.umcb.local from this computer.
[2] FRS is not running on laserveuse.umcb.local.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

Your issue is DNS related, I will bet on it. Is there a firewall between the two servers, or between one of them and the DNS server?

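The three symptoms reported so far (NETLOGON share unreachable with error 1203, SYSVOL empty, repeated FRS "trouble enabling replication" warnings) all point at the initial SYSVOL synchronisation of the new DC never having completed. The script below is an added example, not code from the thread or from Microsoft: run on the new DC in an elevated PowerShell, it gathers those facts in one place so the state can be re-checked after each DNS change. It assumes PowerShell 2.0 or later on an FRS-replicated SYSVOL (service NtFrs, as on Windows Server 2003); the domain name and the 24-hour window are the thread's values and are placeholders.

```powershell
# Added example, not from the thread: collect, on the new DC itself, the facts
# behind netdiag's "system volume has not been completely replicated" and
# dcdiag's NetLogons / frsevent failures. Assumes an elevated PowerShell 2.0 or
# later on an FRS SYSVOL (service NtFrs). Domain name and window are the
# thread's values (placeholders).
param(
    [string]$Domain = 'umcb.local',
    [string]$Sysvol = (Join-Path $env:SystemRoot 'SYSVOL\sysvol'),
    [int]$Hours     = 24     # window dcdiag's frsevent test looks at
)

$report = @()
function Add-Result([string]$Check, [string]$Result) {
    $script:report += ('{0,-52} {1}' -f $Check, $Result)
}

# 1. Shares. NETLOGON is only created once FRS reports the local SYSVOL replica
#    ready, so "no NETLOGON share" on a fresh DC means the initial SYSVOL sync
#    never finished (the error 1203 in the NetLogons test above).
$shares = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name }
foreach ($s in 'SYSVOL', 'NETLOGON') {
    Add-Result "share $s" $(if ($shares -contains $s) { 'present' } else { 'MISSING' })
}

# 2. Content. An empty <SYSVOL>\sysvol\<domain> folder without Policies and
#    scripts subfolders is what the asker describes as "SYSVOL is empty".
$domainDir = Join-Path $Sysvol $Domain
if (Test-Path $domainDir) {
    $count = @(Get-ChildItem -Path $domainDir -Recurse -Force -ErrorAction SilentlyContinue).Count
    Add-Result "items under $domainDir" $count
    foreach ($sub in 'Policies', 'scripts') {
        Add-Result "  $sub folder" $(if (Test-Path (Join-Path $domainDir $sub)) { 'present' } else { 'MISSING' })
    }
} else {
    Add-Result "folder $domainDir" 'MISSING'
}

# 3. The replication service itself.
$frs = Get-Service -Name NtFrs -ErrorAction SilentlyContinue
Add-Result 'NtFrs service' $(if ($frs) { $frs.Status } else { 'not installed' })

# 4. The events dcdiag's frsevent test counts, plus the NTDS Replication
#    warnings from the Directory Service log (event 2088 later in the thread).
$since = (Get-Date).AddHours(-$Hours)
$frsEvents = @(Get-EventLog -LogName 'File Replication Service' -EntryType Warning, Error `
                            -After $since -ErrorAction SilentlyContinue)
Add-Result "FRS warnings/errors in last $Hours h" $frsEvents.Count
$dsEvents = @(Get-EventLog -LogName 'Directory Service' -After $since -ErrorAction SilentlyContinue |
              Where-Object { $_.Source -eq 'NTDS Replication' -and $_.EntryType -ne 'Information' })
Add-Result "NTDS Replication warnings/errors in last $Hours h" $dsEvents.Count
foreach ($e in ($frsEvents + $dsEvents | Sort-Object TimeGenerated)) {
    $firstLine = ($e.Message -split "`r?`n")[0].Trim()    # first line is enough to spot repeats
    Add-Result ('  {0:yyyy-MM-dd HH:mm} {1} {2}' -f $e.TimeGenerated, $e.Source, $e.EventID) $firstLine
}

$report
```

Reading the output: NETLOGON missing, zero items under the domain folder and an FRS warning repeating every retry interval that names the old DC's FQDN mean the new DC has not yet pulled a single SYSVOL file from its only partner, so the thing to chase is whether the new DC can resolve and reach the old one (hodgeyohn's DNS point), not the global catalog setting. Re-run after each fix; the NETLOGON share appearing and the warning being followed by a "connection established" FRS event is the success signal the FRS message itself describes.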
OK, most of you said it's about DNS so I'll go with that. I have a DNS problem. How can I check if the DNS server has the proper records for my domain controller?

1. Check the DNS server(s) for the resource records for your DCs:
http://technet.microsoft.com/en-us/library/cc778452.aspx
2. Verify that each server can contact the DNS server and resolve names: from a command prompt type nslookup, then type the name of each server. It should answer with the IP address.

This will get you started.

When I run the nslookup command from the DNS server I get:

C:\Documents and Settings\mlebel>nslookup
DNS request timed out.
    Timeout was 2 seconds.
*** Can't find server name for address 10.10.10.2: Timed out
Default Server:  UnKnown
Address:  10.10.10.2

The DHCP configuration on the router pushes 10.10.10.2 as the DNS server for clients. I'm able to join computers to the domain, and I'm able to contact computers using the FQDN. When I manually change the IP address of a client, the DNS server updates the records automatically.

In the Event Viewer I get nothing under the DNS Server log.


On the new server I get:

###############################
Event Type: Information
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1869
Date: 11/20/2008
Time: 2:35:06 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description: Active Directory has located a global catalog in the following site.
Global catalog: \\laserveuse.umcb.local
Site: Premier-Site-par-defaut
###############################

##############################
Event Type: Warning
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 2088
Date: 11/20/2008
Time: 8:45:58 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
 
Alternate server name:
 laserveuse.umcb.local
Failing DNS host name:
 dcc21f39-a1fe-467b-ac1e-4231083dcc24._msdcs.umcb.local
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns
 
 4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value: 11004 The requested name is valid, but no data of the requested type was found.
##################################
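Event 2088 above says exactly which name the new DC cannot resolve: the CNAME `<NTDS Settings objectGUID>._msdcs.<domain>` that replication uses to find its partner. The script below is an added example, not code from the thread or from Microsoft; it automates hodgeyohn's two checks (the DC resource records on the DNS server, and name resolution from each server) and includes that per-DC GUID CNAME, read from each DC's NTDS Settings object so the names tested are the ones replication will actually look up. It assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later) on a domain-joined machine that can bind to the configuration partition with ADSI; the domain name and DNS server address are the thread's values and are placeholders. It also queries the PTR record for the DNS server itself, because the "Can't find server name for address" line nslookup prints on startup is only a missing reverse record and is not by itself an AD problem.

```powershell
# Added example, not from the thread: verify that every DC in the domain has
# the DNS records DC location and replication depend on, including the
# <NTDS-Settings-GUID>._msdcs.<domain> CNAME that event 2088 reports as failing.
# Assumes: Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later)
# and a domain-joined machine with ADSI access to the configuration partition.
# Domain and DNS server are the thread's values (placeholders).
param(
    [string]$Domain    = 'umcb.local',
    [string]$DnsServer = '10.10.10.2'
)

function Test-DnsRecord {
    param([string]$Name, [string]$Type)
    try {
        $answers = Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq $Type }
        if (-not $answers) { throw "no $Type answer in response" }
        $targets = foreach ($a in $answers) {
            switch ($Type) {
                'A'     { $a.IPAddress }
                'SRV'   { '{0}:{1}' -f $a.NameTarget, $a.Port }
                'CNAME' { $a.NameHost }
                'PTR'   { $a.NameHost }
            }
        }
        '{0,-6} {1,-58} OK       -> {2}' -f $Type, $Name, ($targets -join ', ')
    } catch {
        '{0,-6} {1,-58} MISSING  ({2})' -f $Type, $Name, $_.Exception.Message
    }
}

# Each DC's NTDS Settings object carries the objectGUID that is the CNAME label
# under _msdcs. Read them from the configuration partition so the exact names
# replication uses (the "Failing DNS host name" in event 2088) are tested.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Get('configurationNamingContext')
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
                [ADSI]"LDAP://CN=Sites,$configNc", '(objectClass=nTDSDSA)')
[void]$searcher.PropertiesToLoad.Add('objectGUID')
$dcs = foreach ($r in $searcher.FindAll()) {
    # Path: LDAP://[host/]CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<site>,...
    $serverDn = ($r.Path -replace '^LDAP://([^/]+/)?', '') -replace '^CN=NTDS Settings,', ''
    New-Object PSObject -Property @{
        Name = (($serverDn -split ',')[0] -replace '^CN=', '')
        Guid = (New-Object Guid (,[byte[]]$r.Properties['objectguid'][0]))
    }
}

# Domain-wide records every client and DC relies on, then per-DC records.
$records = @(
    @{ Name = $Domain;                            Type = 'A'   }  # LDAP bootstrap: one A per DC
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' }  # DC locator
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' }  # KDC locator
    @{ Name = "_gc._tcp.$Domain";                 Type = 'SRV' }  # GC locator (what Exchange needs)
    @{ Name = $DnsServer;                         Type = 'PTR' }  # reverse record nslookup complains about
)
foreach ($dc in $dcs) {
    $records += @{ Name = "$($dc.Name).$Domain".ToLower(); Type = 'A'     }
    $records += @{ Name = "$($dc.Guid)._msdcs.$Domain";     Type = 'CNAME' }
}

foreach ($rec in $records) { Test-DnsRecord -Name $rec.Name -Type $rec.Type }
```

Run it once against each DNS server the two DCs are configured to use (change `-DnsServer`), from both servers. Any `MISSING` line for an A, SRV or CNAME record is the registration gap behind event 2088; `ipconfig /registerdns` followed by restarting the Netlogon service on the DC that owns the missing record re-registers them, and the script can then be re-run to confirm. A `MISSING` PTR alone only explains the nslookup banner and does not need fixing for replication to work.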