krogden asked:

AD Operations Master: ERROR

Environment: Small office, 5 -10 users. One Windows 2000 server.

Problem: The Windows 2000 server needed to be retired, so we purchased a new server, Windows 2008. Went through the process of setting up AD, DHCP, DNS, etc... Transferred the 5 FSMO roles, no problem, no errors. However, if we open AD Users and Computers and view the Operations Master for RID, PDC and Infrastructure, it shows "ERROR". In addition, at the top of the tree in the left panel, it shows the old server name, not the new one.

If we open the other AD components (Domains, Trusts, Sites, etc...) it shows the new server name, and the Operations Master shows correctly. Also, if I use ntdsutil to try to transfer the role, it says it's not necessary as the new server knows about the 5 roles.

If I try to change the Operations Master from the W2K server, I can see the new server in the list, but when I select it, it gives me an error about the RPC server being unavailable.

Lastly, if I disconnect the old server from the network, the users can log in to their PCs, but they can't open any network drives; it says it detected a possible attempt to compromise security, meaning that the old server is still handling the authentication.

Everything I've found so far on the web states I need to seize the roles, but since ntdsutil shows that the new server already has those roles, I don't think that will help.

Any help would be greatly appreciated.
Glen Knight:

From within Active Directory Users and Computers, right-click at the top of the tree and select "Connect to Domain Controller", then select your Windows 2008 domain controller.

Close Active Directory Users and Computers and re-open it. Do you get the same error?

Have you decommissioned your old server? If so, check DNS to make sure there are no old entries there, especially in the sections under _msdcs.
krogden (asker):

Thanks for the quick response.

Yes, if I connect to it, it then looks fine, but when I close and re-open, I get the same error.

No, I haven't decommissioned it, since when I take it offline the users can't get to any network resources. I need to resolve this error so the new server will handle the authentication before I can decommission the old one.
What DNS server is the old server set to use?  Should be new one I think.  Try having them use each other for DNS?
Can you also confirm the new server is a global catalogue server (this will make sure it gets used for authentication)? In Active Directory Sites and Services, expand the new server name, right-click on NTDS Settings, select Properties and then check the box for Global Catalogue. Do the same on your old server and make sure it isn't checked.

Can you post ipconfig /all from both servers?
krogden (asker):

They are both GCs. Even though it's not my goal, in theory both of them should be able to be GCs, so if one's not available the other would take over, right?

Here's the IPConfig /all

New:
Windows IP Configuration
   Host Name . . . . . . . . . . . . : W2K8
   Primary Dns Suffix  . . . . . . . : whatever.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : whatever.com

Ethernet adapter Local Area Connection 2:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PT Server Adapter
   Physical Address. . . . . . . . . : 00-15-17-80-1C-80
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.110(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.110
                                       209.63.0.6
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 9:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{7AC6AAA8-81D4-429A-B2D3-190BC35A1E81}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Old:

Windows 2000 IP Configuration
      Host Name . . . . . . . . . . . . : W2K
      Primary DNS Suffix  . . . . . . . : whatever.com
      Node Type . . . . . . . . . . . . : Broadcast
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : whatever.com

Ethernet adapter Local Area Connection:
      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
      Physical Address. . . . . . . . . : 00-0E-A6-F0-70-8D
      DHCP Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 192.168.0.103
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.0.1
      DNS Servers . . . . . . . . . . . : 209.63.0.6
                                          204.130.255.3
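The replies above ask for three things to be confirmed on the new server: that it really holds the FSMO roles, that it advertises as a global catalogue, and that its DNS client settings point at itself rather than at the ISP. The following PowerShell script, added here as an example and not posted by anyone in this thread, collects those checks in one run. It assumes PowerShell 2.0 on the Windows Server 2008 DC with the DNS Server role installed locally, reads the domain and host name from the environment, and uses only tools that ship with 2008 (netdom, nslookup, the ADSI and WMI providers); the names in comments are taken from the ipconfig output above.

```powershell
# Added example for this thread, not code posted by any participant.
# Assumes: run elevated on the new Windows Server 2008 DC (PowerShell 2.0),
# DNS Server role installed locally. Domain and host name come from the environment.
$Domain   = $env:USERDNSDOMAIN      # e.g. whatever.com (from the thread's ipconfig)
$ThisDc   = $env:COMPUTERNAME       # e.g. W2K8
$findings = @()

# 1. FSMO role holders. netdom prints "<role>   <fqdn>" per line; flag any role
#    still owned by a DC other than this one.
netdom query fsmo 2>&1 | ForEach-Object {
    if ("$_" -match '^(.+?)\s{2,}(\S+)$') {
        $role = $matches[1].Trim(); $holder = $matches[2]
        if ($holder -notlike "$ThisDc.*") { $findings += "FSMO '$role' is held by $holder, not $ThisDc" }
    }
}

# 2. Global catalogue status straight from the directory. Bit 0x1 of the NTDS
#    Settings 'options' attribute is what the GC checkbox in Sites and Services
#    sets; RootDSE isGlobalCatalogReady says whether the DC is actually serving GC.
$rootDse = [ADSI]'LDAP://RootDSE'
$ntds    = [ADSI]"LDAP://$($rootDse.dsServiceName)"
$gcFlag  = ([int]$ntds.options[0] -band 1) -eq 1
if (-not $gcFlag) { $findings += 'GC checkbox (NTDS Settings options bit 1) is not set on this DC' }
if ("$($rootDse.isGlobalCatalogReady)" -ne 'TRUE') {
    $findings += 'RootDSE isGlobalCatalogReady is not TRUE: this DC is not yet advertising as a GC'
}

# 3. Locator records clients use to find a DC and a GC for this domain. nslookup
#    is used because Resolve-DnsName does not exist on Server 2008.
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain") {
    $answer = nslookup -type=SRV $srv 127.0.0.1 2>&1 | Out-String
    if ($answer -notmatch "(?i)svr hostname\s*=\s*$ThisDc\.") { $findings += "No SRV record for $ThisDc under $srv" }
}

# 4. DNS client list on every IP-enabled adapter. On a DC this should be the DC's
#    own address (and other internal DCs); ISP servers belong in forwarders.
$nics  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True'
$myIps = $nics | ForEach-Object { $_.IPAddress }
foreach ($nic in $nics) {
    foreach ($dns in $nic.DNSServerSearchOrder) {
        if ($dns -eq '127.0.0.1') {
            $findings += "NIC '$($nic.Description)' lists loopback as DNS; use the DC's real address"
        } elseif ($myIps -notcontains $dns -and $dns -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
            $findings += "NIC '$($nic.Description)' lists external DNS server $dns; move it to forwarders"
        }
    }
}

# 5. Forwarders configured on the DNS Server service (WMI DNS provider, 2008).
$dnsSrv = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Server
if (@($dnsSrv.Forwarders).Count -eq 0) {
    $findings += 'DNS Server has no forwarders; external names resolve only via root hints'
}

if ($findings.Count -eq 0) { 'All checks passed: this DC holds the roles, advertises as GC, and DNS points inward.' }
else { $findings | ForEach-Object { "WARN: $_" } }
```

Run it on the new DC after the NIC change; the first ipconfig above would produce two warnings from step 4 (the ISP address 209.63.0.6 and the loopback entry on the NIC), which is the same advice the later replies give by hand.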
ASKER CERTIFIED SOLUTION (Glen Knight; solution text only available to members)
Forgot to say: add your ISP DNS servers as forwarders in DNS. In the DNS console, right-click on your server name and select the Forwarders tab.

Enter the DNS entries in here. I am assuming they are 209.63.0.6 and 204.130.255.3.
I don't know if this is going to work. I don't see Domain prep or sysprep run on either of these to prepare them for a mixed domain. If you have an AD database on the 2008 server, you may want to remove the 2000 server from the network, remove the 2000 metadata off the 2008 server, and then seize the 5 FSMO roles.

good point Chief, it doesn't mention that in the original post!
Thought of that already, but figured the 2008 server would have complained if the domain hadn't been prep'd before promo.
krogden (asker):

ChiefIT, yes, I ran domain prep and sysprep on the W2K server from the W2K8 DVD. Without doing that, I wouldn't be this far.

Datedman, I took your advice of assigning the new server as the Primary DNS for the old server. After doing that, I could then connect to the new server from the old server in the ADUC without getting the RPC error.

In addition, I no longer got the ERROR message in the RID Operations Master box.

The final test is to see if the users can login and connect to the network shares with the old server offline.

I'll let you know.
SOLUTION (only available to members)
Make sure the new server has Global Catalog as demazter mentioned. :)
krogden (asker):

Sorry for the long delay. It's been a busy couple of weeks, but here's the updated status of things:

After my last post the users could still not connect to network shares with the old server offline, getting the attempt to compromise security error. Since I had some other fires burning and this client was technically able to still work, I put it on the back burner. But then the old server crashed. So now I really need to get this figured out.

With the old server down, the users can log in to their PCs and they have internet access, but like I said, they can't access networked drives. However, if I map the drives using my administrator ID and password, it connects just fine.

I have made the DNS changes that demazter suggested, and I have performed the metadata cleanup to remove the old server as ChiefIT suggested. When I look at NTDSUtil, the new server knows about all 5 roles. In addition, the new server has a Type of Global Catalog and the Global Catalog check box is checked. But as ChiefIT said, it seems as if the new server doesn't see itself as a GC or Domain Controller.

On the server, when I first login, if I try to open any of the AD tools (Users and Computers, etc...) I get a message saying naming information cannot be located, the specified domain could not be contacted. However, if I open ADSI Edit, and connect to the default domain of the server it works, and I can then open the other AD snap-ins without problems.

In addition, there are some errors and warnings in the Application, System, DNS Server, Directory Service and Microsoft-Windows-GroupPolicy/Operational logs. I've attached a text file that has the details of these errors and warnings.

My guess is it's a DNS issue because all the settings in AD (once I can connect) look right. With the old server now dead, would it be a good idea to uninstall/reinstall the DNS service?

Again, any help will be greatly appreciated.
Attachment: serverevents.txt
Could be a very bad time to remove DNS IMO.  This *is* an active-directory integrated zone, right?  You could just reload the zone...

Here's a big question:  this is a .com domain?  Is your server possibly not authoritative for that domain?  Is it connected to the Net?  It might be going out to the Net and trying to register itself in DNS and failing (don't see your DNS log errors in the attachment.)   ...maybe it thinks the Internet DNS server is authoritative for AD?
krogden (asker):

Yes, it's an AD-integrated zone. Haven't tried reloading the zone specifically, but I have restarted the DNS service a few times... does it reload when I restart the service?

Yes, it's a .com domain and it's connected to the Net. How do I check to see if it's authoritative for that domain?

There is only one warning in the DNS log and it only shows up when I restart the service. It is in the file I attached but here it is again:

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          7/14/2009 2:21:50 AM
Event ID:      4013
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SIERRASQL.sierratitleservice.com
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
    <EventID Qualifiers="32768">4013</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-07-14T09:21:50.000Z" />
    <EventRecordID>209</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>DNS Server</Channel>
    <Computer>SIERRASQL.sierratitleservice.com</Computer>
    <Security />
  </System>
  <EventData Name="DNS_EVENT_DS_OPEN_WAIT">
  </EventData>
</Event>
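Event 4013 above is the DNS Server service saying it will not load its AD-integrated zones until AD DS reports that initial replication has completed; on a DC whose only replication partner is gone, that signal may never arrive, and the zone and the DC's own locator records stay unavailable. The following PowerShell script, added here as an example and not posted by anyone in this thread, parses the event record as shown above (trimmed to the fields used, embedded as constructed sample input), then reads the live state behind it: how often 4013 has repeated, whether RootDSE reports the DC as synchronized, which replication partners are failing, and the value of the NTDS "Repl Perform Initial Synchronizations" parameter, a documented Windows setting not mentioned in the thread, reported read-only here. It assumes PowerShell 2.0 on the Windows Server 2008 DC with repadmin available.

```powershell
# Added example for this thread, not code from any participant. Assumes PowerShell
# 2.0 on the Windows Server 2008 DC; repadmin and the "DNS Server" log are local.

# Constructed sample input: the thread's event record, trimmed to the fields used.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Server-Service" />
    <EventID Qualifiers="32768">4013</EventID>
    <Level>3</Level>
    <TimeCreated SystemTime="2009-07-14T09:21:50.000Z" />
    <Computer>SIERRASQL.sierratitleservice.com</Computer>
  </System>
  <EventData Name="DNS_EVENT_DS_OPEN_WAIT"></EventData>
</Event>
'@

# Parse one Event XML record into the fields a triage needs.
function Read-DnsEventRecord {
    param([string]$EventXml)
    $x = [xml]$EventXml
    New-Object PSObject -Property @{
        EventId      = [int]$x.Event.System.EventID.'#text'
        When         = [datetime]$x.Event.System.TimeCreated.SystemTime
        Computer     = $x.Event.System.Computer
        IsDsOpenWait = ($x.Event.EventData.Name -eq 'DNS_EVENT_DS_OPEN_WAIT')
    }
}

$parsed = Read-DnsEventRecord $sampleXml
"Sample event: id=$($parsed.EventId) on $($parsed.Computer) at $($parsed.When.ToUniversalTime()) waiting-for-AD=$($parsed.IsDsOpenWait)"

# Live check 1: how many times has 4013 repeated? It is logged every two minutes
# while DNS waits, so a long run means the wait is not clearing on its own.
$waits = @(Get-WinEvent -FilterHashtable @{LogName='DNS Server'; Id=4013} -ErrorAction SilentlyContinue)
if ($waits.Count -gt 0) {
    "DNS 4013 logged $($waits.Count) time(s); most recent $($waits[0].TimeCreated), oldest $($waits[-1].TimeCreated)"
} else { 'No DNS 4013 events in the log' }

# Live check 2: has AD DS ever finished initial sync on this DC?
$rootDse = [ADSI]'LDAP://RootDSE'
"RootDSE isSynchronized = $($rootDse.isSynchronized)"

# Live check 3: which partners is this DC still trying to sync from? A partner
# that is dead but still present in the directory keeps the wait going.
repadmin /showrepl /errorsonly 2>&1 | ForEach-Object { "repadmin: $_" }

# Live check 4: report (do not change) the NTDS parameter that controls whether a
# DC insists on a successful initial sync before advertising.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$v = (Get-ItemProperty $ntdsParams -ErrorAction SilentlyContinue).'Repl Perform Initial Synchronizations'
if ($v -eq $null) { 'Repl Perform Initial Synchronizations: not set (default behaviour, sync required)' }
else { "Repl Perform Initial Synchronizations = $v" }
```

If isSynchronized is FALSE and repadmin lists only the retired server as a failing partner, the event is a symptom of the stale replication metadata rather than of DNS itself, which is why the replies below steer toward metadata cleanup instead of reinstalling DNS.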
Hmm, actually I don't see your domain (if that's it above) as *being registered*. Maybe you should hoof it over to GoDaddy ASAP and register it before someone grabs it and holds it hostage. :)
I think if the other server's definitely not coming back up, you need to remove the other server from AD using metadata cleanup of ntdsutil and also adsiedit:  http://www.petri.co.il/delete_failed_dcs_from_ad.htm looks like what you need.
krogden (asker):

Sorry, I feel dumb, I misunderstood your question. It's a .com domain in the sense that that's what we named it, and it's on the Net meaning I have internet. There's no need to register it with GoDaddy or anything.

I have already performed the metadata cleanup using ntdsutil and removed it using ADSI Edit. I actually used that exact same link as a guide the other day.
I'd register it just in case, only costs like $10/year.

Haven't ever seen a situation where someone named a domain with .com but didn't use it for e-mail or whatever. Normally an internet-connected machine will go out to the .com root server and try to find the SOA for the domain from there.

BTW what is the dns server at 192.168.0.6? (old server's IPCONFIG)  And why do you have DNS on .110 and also on the loopback for the server?  I would also remove the Internet DNS server from DNS in TCP/IP config and put it in as a forwarder on the DNS server instead.
Oh also your desktop machines need to all have the server as their only DNS if possible, or at least primary.  Personally I also use WINS, not sure exactly why at this point. :)
krogden (asker):

I inherited this setup so I'm not sure why they used .com in the name, but it is what it is.

Did you mean 209.63.0.6 on the old server? That's the ISP DNS server.

The new server's IP address is 192.168.0.110. I have that set as the only DNS server on the server's NIC. The ISP DNS servers (209.63.0.6 and 204.130.255.3) have been added as forwarders and are no longer in the NIC's DNS settings. So I think I have that covered.

The desktop machines are detecting DNS automatically. I would change it, but when I do an ipconfig on the desktop machines it shows the .110 as their DNS server. I guess I can try specifically setting it and see what happens.

I don't have WINS enabled. I've wondered if I should. Supposedly it's not necessary. Should I enable it? Is that as simple as checking "Use WINS forward lookup" on the WINS tab of the zone properties?

krogden (asker):

Here's what ipconfig /all on the new server looks like now:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SIERRASQL
   Primary Dns Suffix  . . . . . . . : sierratitleservice.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : sierratitleservice.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : sierratitleservice.com
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PT Server Adapter
   Physical Address. . . . . . . . . : 00-15-17-80-1C-80
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.110(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.110
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : sierratitleservice.com
   Description . . . . . . . . . . . : isatap.{7AC6AAA8-81D4-429A-B2D3-190BC35A1E81}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
SOLUTION (only available to members)
krogden (asker):

What I meant was that the "Obtain DNS server address automatically" option is selected on the properties of the clients network adapter.

No, SYSVOL does not show up when I type NET SHARE.

There are a few different shares, and the ones I am trying to connect to do show up in the NET SHARE list. But the warning about the SYSVOL has me concerned. What would cause the File Replication Service to not complete?

Yeah, being able to connect with the admin ID/password confuses me. Yes, they are logging in as domain users. I can't get to it right this second, but I'm pretty certain that in the client's event log there are errors about not being able to contact the domain when they log in.

krogden (asker):

I found this regarding the FRS and SYSVOL:

http://support.microsoft.com/kb/290762

Should I consider doing this?
SOLUTION (only available to members)
krogden (asker):

Logged in as just a domain user, when I type net view \\servername (replacing servername with the actual server name) I get access denied.

When I log in as the domain admin to the same PC and do net view, I get the list of shares.
krogden (asker):

Interesting update:

Researching the Access denied error message led me to use the gpresult command on the client. In the output it shows that the last group policy was applied from the old server! Which of course isn't available. So how do I go about fixing where the group policy is pulled from?
krogden (asker):

Plus, the windows\sysvol folder structure is there on the server, but there's nothing in any of the folders.
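The last few posts narrow the problem to SYSVOL: no SYSVOL share, an empty folder tree, a client still pulling policy from the dead DC, and a missing gpt.ini. The following PowerShell script, added here as an example and not posted by anyone in this thread, checks that chain from the DC's side: whether SYSVOL and NETLOGON are shared, whether the Policies folder on disk has content, whether every GPO object in AD has its gpt.ini where its gPCFileSysPath says it should be, what the latest FRS event says about replication, and which DC last applied policy. It assumes PowerShell 2.0 on the Windows Server 2008 DC, FRS (not DFSR) replicating SYSVOL, and GPOs stored in the default CN=Policies,CN=System container.

```powershell
# Added example for this thread, not code from any participant. Assumes PowerShell
# 2.0 on the Windows Server 2008 DC, FRS replicating SYSVOL, GPOs in CN=Policies.
$findings = @()

# 1. Shares that domain logons depend on. Clients read policy and logon scripts
#    from \\dc\SYSVOL and \\dc\NETLOGON; if they are not shared, logon "works"
#    but policy processing fails.
$shares = net share 2>&1 | Out-String
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -notmatch "(?im)^\s*$s\s") { $findings += "$s is not shared (net share)" }
}

# 2. Is the SYSVOL tree populated? The domain folder should hold Policies\{GUID}.
$sysvolPolicies = Join-Path $env:SystemRoot 'SYSVOL\domain\Policies'
$policyDirs = @(Get-ChildItem $sysvolPolicies -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
if ($policyDirs.Count -eq 0) { $findings += "No policy folders under $sysvolPolicies (SYSVOL content never replicated here)" }

# 3. Every GPO object in AD must have a gpt.ini at its gPCFileSysPath; a missing
#    one is exactly the "gpt.ini missing" error clients report.
$rootDse  = [ADSI]'LDAP://RootDSE'
$policies = [ADSI]"LDAP://CN=Policies,CN=System,$($rootDse.defaultNamingContext)"
foreach ($gpo in $policies.Children) {
    $path = "$($gpo.gPCFileSysPath)"
    $name = "$($gpo.displayName)"
    if ($path -and -not (Test-Path (Join-Path $path 'gpt.ini'))) { $findings += "GPO '$name' has no gpt.ini at $path" }
}

# 4. FRS health. 13508 = cannot replicate SYSVOL from its partner (a dead DC still
#    listed as partner is a common cause); 13516 = SYSVOL ready, DC advertising.
$frs = @(Get-WinEvent -FilterHashtable @{LogName='File Replication Service'; Id=13508,13516} -MaxEvents 20 -ErrorAction SilentlyContinue)
$latest = $frs | Sort-Object TimeCreated -Descending | Select-Object -First 1
if (-not $latest)             { $findings += 'No FRS 13508/13516 events found; confirm the File Replication Service is running' }
elseif ($latest.Id -eq 13508) { $findings += "Latest FRS event is 13508 at $($latest.TimeCreated): SYSVOL is not replicating from its partner" }

# 5. Which DC applied policy last on this machine (run on the DC or a client).
$src = gpresult /r 2>&1 | Select-String 'Group Policy was applied from' | Select-Object -First 1
if ($src) { "Policy source: $($src.Line.Trim())" }

if ($findings.Count -eq 0) { 'SYSVOL, GPO storage and FRS look healthy.' }
else { $findings | ForEach-Object { "WARN: $_" } }
```

On the server as described in this post, steps 1 to 3 all warn (no SYSVOL share, empty Policies folder, no gpt.ini for any GPO) and step 4 shows 13508 with the retired DC as partner; the same script run after the repair should report only the healthy line.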
SOLUTION (only available to members)
krogden (asker):

Hey I got it fixed!!!

I did an Authoritative FRS restore. This fixed the SYSVOL problem and I could then access network shares!

I was still getting GPO errors, saying the gpt.ini file was missing, so I did a DCGPOFIX to create a fresh new copy of the group policies and voila!

Thanks for all your help. The last resort stuff worked.
Excellent, I seem to remember doing that myself once in a similar situation.  This stuff can be irritating. :)