Emergency! Can't logon to DC!

Posted on 2009-02-10
Last Modified: 2012-05-06
Hi all,

I have a massive problem - users are no longer able to log on to the domain, and I can no longer log on to the primary DC!

One particular error is weird:

Event Type:      Error
Event Source:      NTDS Replication
Event Category:      DS RPC Client
Event ID:      2087
Date:            11/02/2009
Time:            12:42:55 PM
Computer:      DOMAIN-BKP-SVR-1
Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
Source domain controller:
Failing DNS host name:
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action:
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on
  dcdiag /test:dns
 4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
  dcdiag /test:dns
 5) For further analysis of DNS error failures see KB 824449:
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.

For more information, see Help and Support Center at

The following DC (the source domain controller named in the event) has been gone from the domain for over a year. Should I remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498?

Question by: the-waves

    Assisted Solution by: Mike Kline
    More on your error here
    If domain-server1 has been gone from the domain for a year and you still see traces of it in AD, then yes, a metadata cleanup is a good idea.
    That 216498 article is how to do it.
    Daniel Petri also has directions here:
    It is 2 am here so I'm going to get some sleep, but some of the guys from Europe will be on soon to help. I'll be back in a few hours.
    Assisted Solution
    If the DC "domain-server1" is no longer there, you should do a metadata cleanup and remove that server.
    Do you have any additional DC that you can log in to?
    Log in to any client with local admin credentials and run the following commands:
    nslookup
    > set q=srv
    > _ldap._tcp.<FQDN of domain name>
    > _kerberos._tcp.<FQDN of domain name>
    > _gc._tcp.<FQDN of domain name>
    The above commands should give the IPs of all your DCs.
    If it fails, then it's a DNS issue. Point to another DNS server and check the same thing.
    Let me know the status after this check.
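    As an added example (not code from this thread or from Microsoft), the following PowerShell script ties together the two checks the answers above describe: it resolves the DC locator SRV records that the nslookup session queries, then lists every NTDS Settings object the Configuration partition still holds and flags the ones whose host name no longer resolves, which is exactly the condition behind NTDS event 2087. Assumptions: it runs on a working DC or an RSAT-equipped client (ActiveDirectory module and Resolve-DnsName available, Windows 8/2012 or later), $Domain is a placeholder for your own domain's FQDN, and the ntdsutil line it prints for a stale server is shown for review rather than executed.

```powershell
# Added example, not from the thread. Placeholder domain; replace with your FQDN.
param([string]$Domain = 'example.local')

Import-Module ActiveDirectory

# 1) The DC locator records the nslookup session above checks by hand.
$srvNames = "_ldap._tcp.$Domain", "_kerberos._tcp.$Domain", "_gc._tcp.$Domain"
$srvTargets = foreach ($name in $srvNames) {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget
}
$srvTargets = $srvTargets | Sort-Object -Unique
if (-not $srvTargets) {
    Write-Warning "No SRV records found for $Domain - fix DNS before anything else."
}
$srvTargets | ForEach-Object { "SRV record -> $_" }

# 2) Every nTDSDSA (NTDS Settings) object is a DC the directory still believes
#    exists, whether or not the machine is alive. Its parent is the server object,
#    whose dNSHostName is the name replication tries (and in event 2087 fails) to resolve.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$ntdsObjects = Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase $cfgNC
foreach ($obj in $ntdsObjects) {
    $serverDN = ($obj.DistinguishedName -split ',', 2)[1]
    $server   = Get-ADObject -Identity $serverDN -Properties dNSHostName
    $hostName = $server.dNSHostName
    $resolves = $hostName -and
                (Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue)
    if ($resolves) {
        "OK    $hostName"
    } else {
        "STALE $hostName (server object: $serverDN)"
        # Cleanup is a deliberate admin action, so only print the command for review.
        # Syntax for Server 2008 and later; confirm against KB 216498 before running.
        "      ntdsutil `"metadata cleanup`" `"remove selected server $serverDN`" quit quit"
    }
}
```

    A DC that appears in the STALE list but not among the SRV targets is the one to clean up; a live DC that appears STALE points at the DNS problem itself (wrong DNS server on the DC, or its A record not registered), which `dcdiag /test:dns` from the event's own instructions will confirm.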

    Expert Comment by: chrishudson123

    For metadata cleanup:
    Accepted Solution

    How are things progressing?

    Removing the metadata of any servers that no longer exist is a good idea. However, you should still be able to boot to DC1.

    How many DCs do you currently have that you can log on to, and what do your backups look like?

    You might consider disconnecting DC1 from the LAN, then moving the FSMO roles to DC2 until we can fix DC1.

    Author Comment

    This is now looking pretty good - will award points at the end of the week if everything is OK.

    Author Closing Comment

    It's all looking good - phew!
