Solved

AD Operations Master: ERROR

Posted on 2009-06-30
34
5,376 Views
Last Modified: 2013-12-05
Environment: Small office, 5 -10 users. One Windows 2000 server.

Problem: The Windows 2000 server needed to be retired. So we purchased a new server, Windows 2008. Went through the process of setting up AD, DHCP, DNS, etc... Transferred the 5 FSMO roles, no problem, no errors. However, if we open AD Users and Computers, and view the Operations Master for RID, PDC and Infrastructure, it shows "ERROR". In addition, at the top of the tree in the left panel, it shows the old server name, not the new one.

If we open the other AD components (Domains, Trusts, Sites, etc...) it shows the new server name, and the Operations Master shows correctly. Also, if I use ntdsutil to try to transfer the role, it says it's not necessary as the new server knows about the 5 roles.

If I try to change the Operations Master from the W2K server, I can see the new server in the list, but when I select it, it gives me an error about the RPC Server being unavailable.

Lastly, if I disconnect the old server from the network, the users can log in to their PCs, but they can't open any network drives, saying it detected a possible attempt to compromise security, meaning that the old server is still handling the authentication.

Everything I've found so far on the web states I need to seize the roles, but since ntdsutil shows that the new server already has those roles, I don't think that will help.

Any help would be greatly appreciated.
Question by:krogden
34 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24750360
From within Active Directory Users and Computers right click at the top of the tree and select connect to domain controller, select your Windows 2008 Domain Controller.

Close Active Directory Users and Computers and re-open, do you get the same error?

Have you decommissioned your old server?  If so check DNS to make sure there are no old entries there, especially in the sections under _msdcs.
0
 

Author Comment

by:krogden
ID: 24750551
Thanks for the quick response.

Yes, if I connect to it, it then looks fine, but when I close and re-open, I get the same error.

No, I haven't decommissioned it, since when I take it offline the users can't get to any network resources. I need to resolve this error so the new server will handle the authentication before I can decommission the old one.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24750883
What DNS server is the old server set to use?  Should be new one I think.  Try having them use each other for DNS?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24751558
Can you also confirm the new server is a global catalogue server (this will make sure it gets used for authentication). In Active Directory Sites and Services expand the new server name, right click on NTDS Settings, select Properties and then check the box for Global Catalogue. Do the same on your old server and make sure it isn't checked.

Can you post ipconfig /all from both servers?
0
 

Author Comment

by:krogden
ID: 24751649
They are both GC's. Even though it's not my goal, in theory, both of them should be able to be GC's, so if one's not available, the other would take over, right?

Here's the IPConfig /all

New:
Windows IP Configuration
   Host Name . . . . . . . . . . . . : W2K8
   Primary Dns Suffix  . . . . . . . : whatever.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : whatever.com

Ethernet adapter Local Area Connection 2:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PT Server Adapter
   Physical Address. . . . . . . . . : 00-15-17-80-1C-80
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.110(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.110
                                       209.63.0.6
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 9:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{7AC6AAA8-81D4-429A-B2D3-190BC35A1E81}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Old:

Windows 2000 IP Configuration
      Host Name . . . . . . . . . . . . : W2K
      Primary DNS Suffix  . . . . . . . : whatever.com
      Node Type . . . . . . . . . . . . : Broadcast
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : whatever.com

Ethernet adapter Local Area Connection:
      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
      Physical Address. . . . . . . . . : 00-0E-A6-F0-70-8D
      DHCP Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 192.168.0.103
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.0.1
      DNS Servers . . . . . . . . . . . : 209.63.0.6
                                          204.130.255.3
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 150 total points
ID: 24751671
The DNS on the Windows 2000 server should be the IP address of your Windows 2008 server (assuming this is the one that has DNS on it?)

The DNS entries that are in the Windows 2000 server I am assuming are your ISP DNS servers?
If so these should be entered as forwarders on your forward DNS zone on the Windows 2008 server.

Also the DNS entries on your Windows 2008 server: there is no need for the loopback address to be in there, and is the 209.63.0.6 your ISP DNS server again?  There should be no need for this entry in the server NIC, this should be specified in DNS forwarders.

Make those changes and run IPCONFIG /REGISTERDNS and run DCDIAG /FIX from both DC's
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24751753
forgot to say to add the forwarders of your ISP DNS servers to DNS in the DNS console right click on your server name and select the forwarders tab.

Enter the DNS entries in here, I am assuming they are: 209.63.0.6 and 204.130.255.3
0
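Worked example added by the editor (not code posted by Glen Knight or the author): a PowerShell script that audits the DNS client list on a domain controller's adapters and then applies the accepted solution, so the DC resolves through itself by its real address and the ISP resolvers are demoted to forwarders. It assumes a Windows Server 2008 DC without the later DnsServer module, so it uses WMI and dnscmd.exe, run elevated on the new DC; the addresses and domain name are the ones posted above and are placeholders.

```powershell
# Added example for this thread, not code from the original post or replies.
# Audits the DNS client list on a DC's NICs, then applies the accepted
# solution: the DC points at itself (by its real address, not 127.0.0.1)
# and the ISP resolvers become forwarders on the DNS server role.
# Assumptions: Windows Server 2008 (WMI + dnscmd.exe, no DnsServer module),
# run elevated on the new DC; addresses below are the thread's placeholders.

$DcAddress = '192.168.0.110'                  # the new DC's static address
$IspDns    = @('209.63.0.6', '204.130.255.3') # ISP resolvers: forwarders only
$Domain    = 'whatever.com'

# A DC's NIC may only list DNS servers that host the AD zones, which on
# this network means RFC 1918 addresses.
function Test-PrivateIPv4 {
    param([string]$Ip)
    return ($Ip -match '^10\.' -or
            $Ip -match '^192\.168\.' -or
            $Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

# 1. Audit: flag loopback and public resolvers on every IP-enabled adapter.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder)
    Write-Host ("{0}: DNS servers = {1}" -f $nic.Description, ($servers -join ', '))
    foreach ($s in $servers) {
        if ($s -eq '127.0.0.1') {
            Write-Warning "  $s is loopback; list the DC's real address instead"
        } elseif (-not (Test-PrivateIPv4 $s)) {
            Write-Warning "  $s is a public resolver; it cannot answer _msdcs SRV lookups, move it to forwarders"
        }
    }
}

# 2. Fix the NIC: this DC resolves only through itself.
$lan = $nics | Where-Object { @($_.IPAddress) -contains $DcAddress }
if (-not $lan) { throw "no adapter holds $DcAddress; check the address first" }
$rc = $lan.SetDNSServerSearchOrder(@($DcAddress))
if ($rc.ReturnValue -ne 0) { throw "SetDNSServerSearchOrder failed with $($rc.ReturnValue)" }

# 3. Fix the server role: ISP resolvers go in as forwarders. PowerShell
#    passes the array elements to dnscmd as separate arguments.
& dnscmd.exe . /ResetForwarders $IspDns

# 4. Re-register the DC's own records and prove it can find itself: the
#    SRV record below is what clients and ntdsutil use to locate a DC.
ipconfig /registerdns | Out-Null
& nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $DcAddress
dcdiag /test:DNS /v     # then 'dcdiag /fix' as in the accepted solution
```

The RPC "server unavailable" error in the question is the usual symptom of a DC whose first DNS server is a public resolver: the client side of the FSMO transfer looks up the target DC's SRV and host records, gets NXDOMAIN from the ISP, and the RPC bind never reaches the new server. The audit step above is worth running on every DC and on the DHCP scope's option 006 before changing anything else.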
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24752192
I don't know if this is going to work. I don't see Domain prep or sysprep run on either of these to prepare them for a mixed domain. If you have an AD database on the 2008 server, you may want to remove the 2000 server from the network, remove the 2000 metadata off the 2008 server, and then seize the 5 fsmo roles.

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24752206
good point Chief, it doesn't mention that in the original post!
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24753865
Thought of that already, but figured the 2008 server would have complained if the domain hadn't been prepped before promo.
0
 

Author Comment

by:krogden
ID: 24755876
ChiefIT, yes, I ran domain prep and sysprep on the W2K server from the W2K8 DVD. Without doing that, I wouldn't be this far.

Datedman, I took your advice of assigning the new server as the Primary DNS for the old server. After doing that, I could then connect to the new server from the old server in the ADUC without getting the RPC error.

In addition, I no longer got the ERROR  message in the RID Operations Master box.

The final test is to see if the users can login and connect to the network shares with the old server offline.

I'll let you know.
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 100 total points
ID: 24756485
However, you should fix demazter's DNS edits first. Your DC may not see itself as a DC, (as odd as that may seem). If you plan on removing the 2000 DC, you may remove it as a preferred DNS server, Remove it from DHCP scope options, and then remove the metadata from the 2000 server off the 2008 server, and after all that Seize the roles.

0
 
LVL 10

Expert Comment

by:Datedman
ID: 24757057
Make sure the new server has Global Catalog as demazter mentioned. :)
0
 

Author Comment

by:krogden
ID: 24861907
Sorry for the long delay, Its been a busy couple weeks, but here's the updated status of things:

After my last post the users could still not connect to network shares with the old server offline, getting the attempt to compromise security error. Since I had some other fires burning and this client was technically able to still work, I put it on the back burner. But then the old server crashed. So now I really need to get this figured out.

With the old server down, the users can log in to their PCs and they have internet access, but like I said, they can't access networked drives. However, if I map the drives using my administrator ID and password, it connects just fine.

I have made the DNS changes that demazter suggested, and I have performed the metadata cleanup to remove the old server as ChiefIT suggested. When I look at NTDSUtil, the new server knows about all 5 roles. In addition the new server has a Type of Global Catalog and the Global Catalog check box is checked. But as ChiefIT said, it seems as if the new server doesn't see itself as GC or Domain Controller.

On the server, when I first login, if I try to open any of the AD tools (Users and Computers, etc...) I get a message saying naming information cannot be located, the specified domain could not be contacted. However, if I open ADSI Edit, and connect to the default domain of the server it works, and I can then open the other AD snap-ins without problems.

In addition, there are some errors and warnings in the Application, System, DNS Server, Directory Service and Microsoft-Windows-GroupPolicy/Operational logs. I've attached a text file that has the details of these errors and warnings.

My guess is it's a DNS issue because all the settings in AD (once I can connect) look right. With the old server now dead, would it be a good idea to uninstall/reinstall the DNS service?

Again, any help will be greatly appreciated.
serverevents.txt
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24862905
Could be a very bad time to remove DNS IMO.  This *is* an active-directory integrated zone, right?  You could just reload the zone...

Here's a big question:  this is a .com domain?  Is your server possibly not authoritative for that domain?  Is it connected to the Net?  It might be going out to the Net and trying to register itself in DNS and failing (don't see your DNS log errors in the attachment.)   ...maybe it thinks the Internet DNS server is authoritative for AD?
0
 

Author Comment

by:krogden
ID: 24863111
Yes, it's an AD integrated zone. Haven't tried reloading the zone specifically, but I have restarted the DNS service a few times... does it reload when I restart the service?

Yes, it's a .com domain and it's connected to the Net. How do I check to see if it's the authoritative server for that domain?

There is only one warning in the DNS log and it only shows up when I restart the service. It is in the file I attached but here it is again:

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          7/14/2009 2:21:50 AM
Event ID:      4013
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SIERRASQL.sierratitleservice.com
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
    <EventID Qualifiers="32768">4013</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-07-14T09:21:50.000Z" />
    <EventRecordID>209</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>DNS Server</Channel>
    <Computer>SIERRASQL.sierratitleservice.com</Computer>
    <Security />
  </System>
  <EventData Name="DNS_EVENT_DS_OPEN_WAIT">
  </EventData>
</Event>
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24863224
Hmm actually i don't see your domain (if that's it above) as *being registered* maybe you should hoof it over to Godaddy ASAP and register it before someone grabs it and holds it hostage. :)
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24863294
I think if the other server's definitely not coming back up, you need to remove the other server from AD using metadata cleanup of ntdsutil and also adsiedit:  http://www.petri.co.il/delete_failed_dcs_from_ad.htm looks like what you need.
0
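Worked example added by the editor (not code from ChiefIT, Datedman or the author): ChiefIT's decommission order from the assisted solution above (DNS client, DHCP scope options, metadata cleanup, seize the roles) and the ntdsutil metadata cleanup from Datedman's link, as commands run elevated on the surviving Windows Server 2008 DC. The dead DC name W2K, surviving DC W2K8, domain whatever.com, site Default-First-Site-Name and DHCP scope 192.168.0.0 are assumptions taken from or implied by the thread; substitute your own.

```powershell
# Added example for this thread, not code from the original post or replies.
# Decommission a DC that will never come back, from the surviving 2008 DC.
# Assumptions: dead DC W2K, surviving DC W2K8 at 192.168.0.110, domain
# whatever.com, site Default-First-Site-Name, DHCP scope 192.168.0.0.
# Everything after step 0 is destructive: a DC whose metadata was removed
# must never be powered on in this domain again.

$DeadDc   = 'W2K'
$LiveDc   = 'W2K8'
$LiveIp   = '192.168.0.110'
$Domain   = 'whatever.com'
$Scope    = '192.168.0.0'
$Site     = 'Default-First-Site-Name'
$DomainDN = 'DC=' + (($Domain -split '\.') -join ',DC=')
$DeadDcDN = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDN"

# 0. Record the starting state: which DCs exist and who holds the roles.
dsquery server -o rdn
netdom query fsmo

# 1. Nothing may still be told to use the dead DC for DNS. DHCP option 006
#    is what hands the DNS server list to the workstations.
netsh dhcp server scope $Scope set optionvalue 006 IPADDRESS $LiveIp

# 2. Metadata cleanup. The 2008 ntdsutil takes each command as one argument
#    but still raises a confirmation dialog for 'remove selected server'.
ntdsutil 'metadata cleanup' "remove selected server $DeadDcDN" quit quit

# 3. Seize the five roles onto the surviving DC. ntdsutil tries a transfer
#    first, so on a DC that already holds a role (as in this thread) the
#    seize is a no-op; each seize also raises a confirmation dialog.
ntdsutil roles connections "connect to server $LiveDc" quit `
    'seize schema master' 'seize naming master' 'seize PDC' `
    'seize RID master' 'seize infrastructure master' quit quit

# 4. List the dead DC's leftover DNS records, including the _msdcs SRV
#    entries the first reply pointed at. In a domain created on Windows
#    2000, _msdcs is usually a subdomain of the domain zone rather than a
#    zone of its own, so only dump it separately if it exists.
$zones = @($Domain)
$msdcs = "_msdcs.$Domain"
if ((dnscmd . /EnumZones) -match ('^\s*' + [regex]::Escape($msdcs) + '\s')) { $zones += $msdcs }
foreach ($zone in $zones) {
    Write-Host "--- records in $zone that still mention $DeadDc"
    dnscmd . /ZonePrint $zone | Select-String -SimpleMatch $DeadDc
}
# Delete once reviewed, for example the host record and the NS record:
# dnscmd . /RecordDelete $Domain $DeadDc A /f
# dnscmd . /RecordDelete $Domain '@' NS "$DeadDc.$Domain." /f

# 5. Verify: only the surviving DC remains and it holds every role.
dsquery server -o rdn
netdom query fsmo
dcdiag /test:KnowsOfRoleHolders /test:FsmoCheck
```

The Windows Server 2008 ntdsutil removes more of the dependent objects (NTDS Settings, server object, FRS membership) than the Windows 2000/2003 version did, so use ADSI Edit as in Datedman's link to confirm nothing referencing the old DC is left rather than deleting objects by hand first. Step 4 only lists records; the delete lines are left commented because the same host name may legitimately still own records you want to keep, such as a shared printer or a CNAME.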
 

Author Comment

by:krogden
ID: 24863344
Sorry, I feel dumb, I misunderstood your question. It's a .com domain in the sense that's what we named it, and it's on the Net meaning I have internet. There's no need to register it with GoDaddy or anything.

I have already performed the metadata cleanup using ntdsutil and removed it using ADSI Edit. I actually used that exact same link as a guide the other day.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24863508
I'd register it just in case, only costs like $10/year.

Haven't ever seen a situation where someone named a domain with .com but didn't use it for e-mail or whatever.  Normally an internet-connected machine will go out to the .com root server and try to find the SOA for the domain from there.

BTW what is the dns server at 192.168.0.6? (old server's IPCONFIG)  And why do you have DNS on .110 and also on the loopback for the server?  I would also remove the Internet DNS server from DNS in TCP/IP config and put it in as a forwarder on the DNS server instead.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24863528
Oh also your desktop machines need to all have the server as their only DNS if possible, or at least primary.  Personally I also use WINS, not sure exactly why at this point. :)
0
 

Author Comment

by:krogden
ID: 24863719
I inherited this setup so I'm not sure why they used .com in the name, but it is what it is.

Did you mean 209.63.0.6 on the old server? That's the ISP DNS server.

The new servers IP address is 192.168.0.110. I have that set as the only dns server on the Servers nic. The ISP dns servers (209.63.0.6 and 204.130.255.3) have been added as forwarders and are no longer in the nic's dns settings. So I think I have that covered.

The desktop machines are detecting DNS automatically. I would change it, but when I do an IPConfig on the desktop machines it shows the 110 as their DNS server. I guess I can try specifically setting it and see what happens.

I don't have WINS enabled. I've wondered if I should. Supposedly it's not necessary. Should I enable it? Is that as simple as checking the Use WINS Forward Lookup on the WINS tab of the zone properties?

0
 

Author Comment

by:krogden
ID: 24864008
Here's what ipconfig /all on the new server looks like now:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SIERRASQL
   Primary Dns Suffix  . . . . . . . : sierratitleservice.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : sierratitleservice.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : sierratitleservice.com
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PT Server Adapter
   Physical Address. . . . . . . . . : 00-15-17-80-1C-80
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.110(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.110
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : sierratitleservice.com
   Description . . . . . . . . . . . : isatap.{7AC6AAA8-81D4-429A-B2D3-190BC35A1E81}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
0
 
LVL 10

Assisted Solution

by:Datedman
Datedman earned 250 total points
ID: 24864302
Sorry brainfart on the .6.

Nothing detects DNS automatically, must be the DHCP setup?  

WINS is a separate server like DNS, comes with W2K8 but you have to turn it on then tell the machines to use it (manually or thru DHCP.)

I don't see anything wrong in the IPCONFIG...demazter you still monitoring?

Question: when you type NET SHARE (<enter>) at a CMD prompt, do you see SYSVOL shared?

Oh wait...you can map drives using admin pw?  What is the share they can't map and what are the permissions on it??  They are signing on as domain members right?
0
 

Author Comment

by:krogden
ID: 24864475
What I meant was that the "Obtain DNS server address automatically" option is selected on the properties of the clients network adapter.

No, SYSVOL does not show up when I type NET SHARE.

There are a few different shares and the ones I am trying to connect to do show up in the NET SHARE list. But the warning about the SYSVOL has me concerned. What would cause the File Replication Service to not complete?

Yeah, being able to connect with the admin ID/PW confuses me. Yes, they are logging in as domain users. I can't get to it right this second, but I'm pretty certain that in the client's event log there are errors about not being able to contact the domain when they log in.

0
 

Author Comment

by:krogden
ID: 24864664
I found this regarding the FRS and SYSVOL:

http://support.microsoft.com/kb/290762

Should I consider doing this?
0
 

Author Comment

by:krogden
ID: 24864684
0
 
LVL 10

Assisted Solution

by:Datedman
Datedman earned 250 total points
ID: 24864751
That's a last-resort option.

I can't figure out what this is ATM but try typing
NET VIEW \\SERVERNAME
from a workstation while signed on as admin and as someone else please.
0
 

Author Comment

by:krogden
ID: 24865266
Logged in as just a domain user when i type net view \\servername (replacing servername with actual servername) I get access denied.

When I login as the domain admin to the same pc and do net view, i get the list of shares.
0
 

Author Comment

by:krogden
ID: 24865351
Interesting update:

Researching the Access denied error message led me to use the gpresult command on the client. In the output it shows that the last group policy was applied from the old server! Which of course isn't available. So how do I go about fixing where the group policy is pulled from?
0
 

Author Comment

by:krogden
ID: 24865401
Plus, the windows\sysvol folder structure is there on the server, but there's nothing in any of the folders.
0
 
LVL 10

Assisted Solution

by:Datedman
Datedman earned 250 total points
ID: 24865899
Gee, that's some serious screwups.  Sounds as if the AD was never propagated.  You have a copy of AD from the other server?  Maybe it's time to try that last resort stuff.
0
 

Author Comment

by:krogden
ID: 24866286
Hey I got it fixed!!!

I did an Authoritative FRS restore. This fixed the SYSVOL problem and I could then access network shares!

I was still getting GPO errors, saying the gpt.ini file was missing, so I did a DCGPOFIX to create a fresh new copy of the group policies and voilà!

Thanks for all your help. The last resort stuff worked.
0
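Worked example added by the editor (not code from Datedman or the author): the SYSVOL checks Datedman asked for (NET SHARE, NET VIEW, gpresult) and the fix the author applied (an authoritative FRS restore as in KB 290762, then dcgpofix), as a PowerShell script run elevated on the surviving Windows Server 2008 DC. The domain name is an assumption; the Default Domain Policy GUID is the well-known constant.

```powershell
# Added example for this thread, not code from the original post or replies.
# Checks SYSVOL health, performs the authoritative FRS restore (BurFlags D4,
# KB 290762) that fixed this thread, then rebuilds the default GPOs.
# Assumption: a single surviving Windows Server 2008 DC for whatever.com.
# CAUTION: D4 makes THIS server's SYSVOL the master copy for the domain. It
# is only correct when every other FRS member is gone or has been set to D2
# (non-authoritative), which is the single-DC situation in this thread.

$Domain   = 'whatever.com'
$Policies = Join-Path $env:SystemRoot "SYSVOL\sysvol\$Domain\Policies"
$DefaultDomainPolicy = '{31B2F340-016D-11D2-945F-00C04FB984F9}'  # well-known GUID

# The state Datedman asked about: are SYSVOL and NETLOGON shared, and is
# there actually policy content (gpt.ini) behind the share?
function Test-SysvolHealth {
    $shares = (net share) -join "`n"
    $policyDirs = if (Test-Path $Policies) {
        @(Get-ChildItem $Policies | Where-Object { $_.PSIsContainer })
    } else { @() }
    $gptIni = Join-Path $Policies "$DefaultDomainPolicy\gpt.ini"
    New-Object PSObject -Property @{
        SysvolShared   = [bool]($shares -match '(?m)^SYSVOL\s')
        NetlogonShared = [bool]($shares -match '(?m)^NETLOGON\s')
        PolicyCount    = $policyDirs.Count
        DefaultGptIni  = (Test-Path $gptIni)
    }
}

# KB 290762: stop NtFrs, set BurFlags to D4, start NtFrs, wait for 13516.
function Invoke-AuthoritativeFrsRestore {
    $key   = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $since = Get-Date
    Stop-Service NtFrs
    # Registry.SetValue rather than the HKLM: provider, because the provider
    # treats the '/' in 'Backup/Restore' as a path separator.
    [Microsoft.Win32.Registry]::SetValue($key, 'BurFlags', 0xD4,
        [Microsoft.Win32.RegistryValueKind]::DWord)
    Start-Service NtFrs
    # FRS logs event 13516 once SYSVOL is rebuilt and shared again.
    $deadline = $since.AddMinutes(10)
    do {
        Start-Sleep -Seconds 15
        $done = Get-EventLog -LogName 'File Replication Service' -After $since |
                Where-Object { $_.EventID -eq 13516 }
    } until ($done -or (Get-Date) -gt $deadline)
    return [bool]$done
}

$before = Test-SysvolHealth
$before | Format-List

if (-not $before.SysvolShared -or $before.PolicyCount -eq 0) {
    if (-not (Invoke-AuthoritativeFrsRestore)) {
        throw 'FRS did not log 13516; read the File Replication Service log before going on'
    }
}

# A missing gpt.ini in the Default Domain Policy is the error the author hit
# next. dcgpofix recreates both default GPOs from scratch and discards any
# settings they held, so back up the GPOs first if there is anything to keep.
if (-not (Test-SysvolHealth).DefaultGptIni) {
    dcgpofix /ignoreschema /target:Both    # prompts for confirmation
}

Test-SysvolHealth | Format-List
dcdiag /test:SysVolCheck /test:Advertising
# From a workstation, as a plain domain user: 'net view \\<thisdc>' must now
# list the shares and 'gpresult /r' must show policy applied from this DC.
```

Why a plain user was refused while the administrator could map drives: with SYSVOL unshared the DC does not advertise itself (the Advertising test above fails), so member workstations never get a fresh Kerberos ticket from it and fall back to cached credentials, which are enough to log on locally but not to authenticate to a share. Separately, and not raised in the thread, the DNS Server 4013 warning the author pasted earlier is logged because AD DS on a lone DC waits for an initial sync with a replication partner that no longer exists; the documented workaround is the REG_DWORD value Repl Perform Initial Synchronizations = 0 under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, to be set only once the metadata of the dead DC has been removed.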
 
LVL 10

Expert Comment

by:Datedman
ID: 24866435
Excellent, I seem to remember doing that myself once in a similar situation.  This stuff can be irritating. :)
0
