Domain Cannot Be Found
Tremendous thanks in advance,
Auto
ASKER
I am going to add to what dariusq recommended:
Go into DHCP scope options and remove the new server's IP address as a DNS server.
Then, go to the troubled client and type IPconfig /release and IPconfig /renew.
ASKER
Secondly, DNS is configured with the healthy DC as the preferred DNS.
Thirdly, promote the new server as an ADC using DCpromo.
Fourthly, look: the client is not getting a DHCP IP from the new server, so you can expire the lease.
Fifth, look at whether it is a problem with the switch or router.
Also, run dcdiag & post the results.
ASKER
You must update the schema before adding this server to the domain; please read the link below.
https://www.experts-exchange.com/questions/23665224/Windows-2008-Server-Migration-From-Server-2003.html
ASKER
dcdiag.txt
ASKER
"without using dcpromo" at all, I made my new, 2008 server, an alternate DC and allowed everything to replicate
When you look at AD Sites and Services do you see 2 DCs?
ASKER
Without switches meaning a clean dcdiag command? For what it's worth, I ran echo %logonserver% and it shows everyone using the old server still, which confuses me further.
ASKER
Server1 wouldn't run dcdiag, btw...
dcdiag-server2.txt.txt
ipconfig-all.txt.txt
Remove the 127.0.0.1. If you have IPv6 enabled, uncheck it so it will be disabled. Make sure you disable all NICs that aren't being used in servers with more than one NIC. Run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix.
ASKER
When you say, "without switches," do you mean without "/a, /e, /x, etc." or physical switches?
ASKER
dcdiag2-server2.txt.txt
ASKER
ipconfig-all-both-servers.txt
Disable IPv6. Remove 127.0.0.1 and put the actual IP address of the server for DNS. Run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix.
ASKER
@dariusq - Do I run those commands with both servers on? Do I run them on both or the new one?
ASKER
Please post results.
ASKER
On server1 run a netdiag.
ASKER
http://www.petri.co.il/del
Would this be something I should pursue?
So, Server1 passes all tests except for having a functioning default gateway which isn't a problem.
ASKER
@ChiefIT:
Let me give you my story then:
DC1 = Charlie (Server1 running 2003)
DC2 = Bob (Server2 running 2008)
Charlie was the only DC until Bob came along. Before Bob, Charlie had AD, DNS, and SQL (I think). Every client on Charlie's network uses a static IP address, and they were all looking at Charlie for DNS. Bob needed to replace Charlie because he was better and faster, but their Administrator didn't do it the way it should have been done, using dcpromo. Bob was made "Operations Master" and GC, but the clients still don't see him as these.
Now they still sit on the network together, except Bob now shows as a DC and has AD, DNS, and DHCP. Bob and Charlie have swapped IP addresses, too, so everyone should be looking at Bob for DNS. Bob's IPv6 is disabled and his DNS matches his own IP with no Alternate DNS.
I hope this helps...
Thank you for sticking with me,
Auto
ASKER
Once you have done all this try promoting again.
ASKER
DCPROMO wouldn't work either. Says it's NOT the last DC on the domain, which is causing me to believe that I did NOT create two domains with the same name.
ASKER
1. I cleaned up Server2, deleting it as DC and deleting its NTDS Settings on both servers (not sure if that matters). Rebooted.
2. Made sure I had the schema extended with forestprep, domainprep, and gpprep.
3. DCpromo worked and I made Server2 a DC in the domain with Global Catalog.
4. Then I transferred all FSMO roles via AD Schema; Domains and Trusts; and Users and Computers, following this: http://support.microsoft.c
What's next? DCpromo on Server1 to demote? I ran a DCdiag and will post shortly... It doesn't look good. It looks like a DNS problem at this point...
ASKER
dcdiag.txt.txt
ASKER
I'm really getting sick of this. I've done everything I've been suggested to do and things seemed to have transferred smoothly. All roles have been given to Server2. Server2 is the GC. Server2 has DNS configured. Still, the clients look to Server1 when logging in. I take Server1 off the network and Server2 still doesn't seem to play DC. I'm getting fed up with this. What am I doing wrong?
ASKER
To fix this, perform a metadata cleanup. This would include DNS and FRS. I see that it is looking for a replication partner in your DCdiag report. That partner no longer exists.
To perform a metadata cleanup, follow this article. It explains how to clean up AD, DNS and FRS metadata.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Once that is complete we should evaluate the current status of the remaining DC. Perform an IPconfig /all as well as a DCdiag /v. Provide that information.
I am thinking you may have the old DNS server remaining as a preferred DNS server on that remaining DC. If so, I could see problems. I also want to make sure we are not looking at problems with IPv6 as well as problems with any metadata. After the metadata cleanup, removing that old DC out of the preferred DNS server list, and making sure IPv6 is good, you should have a clean foundation to build upon.
ASKER
Server1.PDF
On Server1 are you getting any errors in the Event logs?
ASKER
Server1 you want to just remove the records.
ASKER
-Server1 dcdiag:
Connectivity, Replications, NCSecDesc, NetLogons, Advertising, KnowsOfRoleHolders, RidManager, MachineAccount, Services, ObjectsReplicated, frssysvol, frsevent, kccevent, systemlog, VerifyReferences
(TAPI3Directory) CrossRefValidation, CheckSDRefDom
(ForestDnsZones) CrossRefValidation, CheckSDRefDom
(DomainDnsZones) CrossRefValidation, CheckSDRefDom
(Schema) CrossRefValidation, CheckSDRefDom
(Configuration) CrossRefValidation, CheckSDRefDom
(classified.genet) Intersite, FsmoCheck
///ALL PASSED///
-Server1 ipconfig /all
Ethernet adapter
IP Address.......... 114.14.14.23
Subnet Mask......... 255.255.255.0
DNS Servers......... 114.14.14.23
Primary WINS Server. 114.14.14.21
-Server2 dcdiag
Trying to find home server...
***ERROR: geserver2 is not a Directory Server.
-Server2 ipconfig /all
Ethernet adapter
IP Address..........114.14.14
Subnet Mask......... 255.255.255.0
DNS Servers......... 114.14.14.23
Primary WINS Server. 114.14.14.23
Tunnel adapter Local Area Connection* 8
IPv6................ 2002:720e:e1e::720e:e1e
DNS Servers......... 114.14.14.23
(I'm not sure why there is a IPv6 address, when I've disabled it. Usual?)
I've also attached this info...
Server1---2.txt
WELL DONE:
Was all FRS metadata removed with the AD demotion? It appears like things are splendid and we can ensure DC2 has AD removed and is ready to be promoted back into the domain.
Remember we have a mixed domain with a 2003 server and a 2008 server. So we have to prep the current PDCe for a mixed domain. Hopefully you are more experienced in prepping a DC to become a mixed domain than I am. I always use two of the same, meaning 2003 standard. When I upgraded, I had two 2003 R2 and now two 2008 servers.
What I would do PRIOR to promoting the second DC in there is run DHCPloc.exe to make sure there is NO chance of a rogue DHCP server, hence a rogue DNS server in the mix. I still have suspicions that we do have a rogue DHCP/DNS server in there.
IPv6 is enabled on server 2. I recommend you disable it.
IPv6 is a tunneling routing protocol. In other words, your router has to be compatible with IPv6. Your router will have to also be configured to use an IPv6 routing protocol. I don't believe this is the case for you. So, you are creating extra networking by having IPv6 enabled.
IPv6 will not allow routing of NetBIOS broadcast data without a WINS connection (which you have). IPv6 is primarily used for EGP (Exterior Gateway Protocol) routing, to overcome the lack of public IPv4 IPs.
IPv6 is not recommended for a Private LAN. However, I see it appears you are on a public LAN. That's something you should discuss with your Networking engineers. Many services can be routed through a corporate router, like Email and network shares.
So, think about this question: DO YOU NEED TO BE ON A PUBLIC LAN?
A bit about IPv6 and how it changed from IPv4:
http://www.menog.net/meetings/menog2/presentations/philip-smith-routing-changes.pdf
ASKER
We're not going to use IPv6. This IS a private LAN. I'll verify I have IPv6 disabled, but where do we go from here? How does it seem we're on a public LAN? Excuse my noobiness...
Once you have disabled IPv6, reboot server 2, then go to the command prompt and see if you see this information:
The below two lines shouldn't be in your IPconfig.
IP Address..........114.14.14
Subnet Mask......... 255.255.255.0
DNS Servers......... 114.14.14.23
Primary WINS Server. 114.14.14.23
Tunnel adapter Local Area Connection* 8 <<<<<<<<<IP V6 information about the tunnel:
IPv6................ 2002:720e:e1e::720e:e1e <<<<<<<<<IPv6 IP address
DNS Servers......... 114.14.14.23
ASKER
I want to make sure you don't have a rogue node providing DHCP to your network, that will also provide DNS.
The problem with a rogue DHCP server is that a rogue DHCP server will by default provide DNS as well. The problem with that is, your SRV records will not be saved on a rogue DNS server. These SRV records are used for replication, domain authentication, and pointing the way to your domain controllers. I think this may have been one of your problems when joining the other server to the domain and promoting it.
I think you will find you have a solid domain, right now. So, we are about ready to bring DC2 back on line. Make sure there are no rogue DHCP servers, and also make sure DC2 has IPv6 removed. Then, let's make sure DC2 is ready to be brought into the domain.
So, complete:
1) the look for a rogue DHCP server
2) removal of IPv6
3) get back in touch with us and let's prepare you for bringing DC2 back on line.
ASKER
IPv6 leads to DNS and Netbios issues throughout the domain. This is probably one of your original problems.
ASKER
So, then I ran dhcploc in cmd (Server1) in the format it prompted after I just typed "dhcploc". I used -p, -a, and -i with Server1's IP address (114.14.14.23).
Anyway, it came back with this IP: 114.14.14.31
That IP address belonged to the disabled NIC on Server2. Is this our rogue DHCP server? If so, how in the hell?
I also checked IPv4's NetBios and it is set to "Default" on both servers.
__________________________
Yes, this is most likely your conflicting DHCP server. It appears that your two DHCP servers are conflicting with one another. Since they were both Microsoft servers, they had to be manually authorized. So, two DHCP servers may be by design. See below for details.
With DHCPloc.exe, you should see DHCP offers from both DHCP servers. If within the same scope and dishing out within the same address pool, they will conflict with one another. If you ONLY see one server offering DHCP, that is your ONLY DHCP server.
You can have two DHCP servers on the same scope. BUT, they can NOT be dishing out from the same address pool.
Check the scope and address pool of both.
__________________________
As an example, this is what I like to do:
--For the scope, I use the entire set of IPs.
--With the address pool I use a 50/50 basis:
FYI **Microsoft recommends a 75/25 matchup.
Here's my typical configuration of the address pool on two servers on a /24 subnet, (which you are on).
xxx.xxx.xxx.1 -xxx.xxx.xxx.50 NOT configured and are used for fixed IPs
xxx.xxx.xxx.51-xxx.xxx.xxx
xxx.xxx.xxx.153-xxx.xxx.xx
So, your fixed IPs are covered and you have 100 IPs on each server for a redundant DHCP server if one fails.
ASKER
So, here is how you fix this.
You can have one server provide DHCP, or you can have a second server provide DHCP, but it can not provide the same IPs as the other server.
On server 1:
1) install the DHCP role, (if not already installed)
2) configure the scope to be your entire IP space 114.....
3) configure your address pool to be about a hundred IPs.
4) Make sure your fixed IP addresses have exceptions to any of those IPs within the address pool being assigned.
On Server 2:
1) DHCP is already installed.
2) configure your scope to be your entire IP space 114..
3) configure a DIFFERENT address pool of about 100 IPs
4) Make sure your fixed IP addresses have exceptions to any of those IPs within the address pool being assigned.
As an example:
I have two servers:
>>10.1.2.0 to 10.1.2.254 is my scope on both servers
My address pool is divided between them and also has a group of IPs that are not configured for FIXED IPs, like my servers:
Here's my typical configuration of the address pool on two servers on a /24 subnet, (which you are on).
Now for my address pool:
NOT configured: (used for fixed IPs)
xxx.xxx.xxx.1 -xxx.xxx.xxx.50
DHCP server 1:
xxx.xxx.xxx.51-xxx.xxx.xxx
DHCP server 2:
xxx.xxx.xxx.153-xxx.xxx.xx
Definitions:
Scope is the entire list of IPs for that network. Sometimes this can be on different subnets. That's called a superscope.
Address pool is a list of IPs that DHCP server has to provide to its clients.
Exemptions are tags that tell the DHCP server NOT to assign that IP address.
Reservations, reserve that IP for a specific client or server. This reservation will tag the specified IP for a DHCP lease, (NOT a fixed IP).
IMPORTANT:
>>DHCP SCOPE OPTIONS- is where you configure IPs of your network that are passed down to your DHCP clients for WINS, DNS, Time Servers, and Gateway/routers. (NOTE, DNS means YOUR DNS servers not outside DNS servers)
So, after configuring your DHCP scope and address pools for each server, go into DHCP scope options and configure those to point to important nodes on YOUR network.
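The scope and address-pool rules above, turned into an audit script. This is an added example written for this thread, not ChiefIT's or dariusq's code, and it targets the DhcpServer PowerShell module that ships with Windows Server 2012 and later (or RSAT), so it will not run on the 2003/2008 boxes in the thread as-is. The hostnames, the IPs reported by dhcploc, and the list of statically addressed hosts are assumptions; it flags (1) any DHCP server answering on the wire that is not authorized in AD, (2) any address both servers could lease, and (3) any static host address that falls inside a leasable range without an exclusion.

```powershell
# Added example (not from the thread): audit two DHCP servers for rogue servers,
# overlapping address pools and unexcluded static addresses.
#Requires -Modules DhcpServer

$DhcpServers   = @('Server1', 'Server2')                       # assumed hostnames
$SeenByDhcploc = @('114.14.14.23', '114.14.14.30')             # IPs dhcploc reported (assumed)
$FixedIps      = @('114.14.14.23', '114.14.14.30', '114.14.14.21')  # hosts on static IPs (assumed)

function ConvertTo-IpNumber ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                      # network order -> host order for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-IpNumber ([uint32]$N) {
    $b = [BitConverter]::GetBytes($N); [Array]::Reverse($b)
    (New-Object System.Net.IPAddress (,$b)).ToString()
}

# 1) A server handing out offers that is not authorized in AD is a rogue by definition.
$authorized = @(Get-DhcpServerInDC | ForEach-Object { $_.IPAddress.ToString() })
foreach ($ip in $SeenByDhcploc) {
    if ($authorized -notcontains $ip) { Write-Warning "DHCP offers seen from unauthorized server $ip" }
}

# 2) Build each server's effective pool: scope range minus its exclusion ranges.
$pools = @(foreach ($srv in $DhcpServers) {
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $srv) {
        $excl = @(Get-DhcpServerv4ExclusionRange -ComputerName $srv -ScopeId $scope.ScopeId)
        [pscustomobject]@{
            Server     = $srv
            ScopeId    = $scope.ScopeId.ToString()
            Start      = ConvertTo-IpNumber $scope.StartRange.ToString()
            End        = ConvertTo-IpNumber $scope.EndRange.ToString()
            Exclusions = @($excl | ForEach-Object {
                @{ S = ConvertTo-IpNumber $_.StartRange.ToString(); E = ConvertTo-IpNumber $_.EndRange.ToString() } })
        }
    }
})

function Test-Leasable ($Pool, [uint32]$Addr) {
    # True when this server could hand out $Addr: inside the scope and not excluded.
    if ($Addr -lt $Pool.Start -or $Addr -gt $Pool.End) { return $false }
    foreach ($x in $Pool.Exclusions) { if ($Addr -ge $x.S -and $Addr -le $x.E) { return $false } }
    return $true
}

# 3) Any address two different servers could both lease is the conflict described above.
for ($i = 0; $i -lt $pools.Count; $i++) {
    for ($j = $i + 1; $j -lt $pools.Count; $j++) {
        $a = $pools[$i]; $b = $pools[$j]
        if ($a.Server -eq $b.Server) { continue }
        $lo = [Math]::Max($a.Start, $b.Start); $hi = [Math]::Min($a.End, $b.End)
        $shared = @()
        for ($addr = $lo; $addr -le $hi; $addr++) {
            if ((Test-Leasable $a $addr) -and (Test-Leasable $b $addr)) { $shared += $addr }
        }
        if ($shared.Count -gt 0) {
            Write-Warning ("{0} and {1} can both lease {2} address(es), first one {3}" -f
                $a.Server, $b.Server, $shared.Count, (ConvertFrom-IpNumber $shared[0]))
        }
    }
}

# 4) Static hosts must sit outside every pool or inside an exclusion range.
foreach ($ip in $FixedIps) {
    $n = ConvertTo-IpNumber $ip
    foreach ($p in $pools) {
        if (Test-Leasable $p $n) { Write-Warning "Static address $ip is leasable by $($p.Server) scope $($p.ScopeId); add an exclusion" }
    }
}
```

The overlap test walks the intersection address by address, which is instant on the /24 in this thread but should be replaced by interval arithmetic on anything larger. Step 1 is the check that matters most for security: dhcploc only shows who is answering, and Get-DhcpServerInDC shows who is allowed to.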
ASKER
When I try to map to some network drives, it only shows Server2's shared drives. I went ahead and set up the DHCP on Server2 so that the address pools don't conflict/overlap having reconfigured Server1's properly. It was a bit messy. Do I need to include exceptions with Server2 even if my machines do not have static IPs within its range (xxx.151 - xxx.250)? Then I turned it on, just to see if dhcploc would pick it up and it did. It showed xxx.xxx.xxx.23 (Server1) and xxx.xxx.xxx.30 (Server2) which should be correct.
DNS on Server2 is still pointing at Server1. It's just not using it to logon, I guess (not running it's scripts)... Everything on Server1 is running great still. I don't believe I've screwed anything up there yet.
Deleted the WINS service, too.
ASKER
To clarify, it sounds like Server 2 is a member server at this point, without the DNS or Active Directory role. Is that correct?
ASKER
Do you want to take over? I don't often promote into mixed domains. Your experience with mixed domains is probably much better than mine.
I think we are ready:
@ Autophobic:
Maybe a triple check with a good DCdiag /v on server 1, prior to promoting Server 2.
ASKER
Also, setting the scope sets the pool also, it seemed. I noticed it when "Address Pool" showed as encompassing the same range of IPs on both servers. I changed that, so now they're at xxx.1 to xxx.150 on Server1 and xxx.151 to xxx.250 on Server2 with exception to xxx.1 to xxx.50 on Server1. Ran dhcploc and the results reflect these changes.
How do I fix this frsevent failure? I see that there is frsdiag.exe provided by Microsoft, but I can't download it here.
The problem you are seeing with FRS is your PDCe is seeing Server 2 as a replication partner. So, this has to be some metadata.
The metadata cleanup article should resolve this issue.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Here is another method, from microsoft: http://support.microsoft.com/kb/216498
Use ADSIEdit to delete the FRS member object. To do this, follow these steps:
1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
2. Expand the Domain NC container.
3. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
4. Expand CN=System.
5. Expand CN=File Replication Service.
6. Expand CN=Domain System Volume (SYSVOL share).
7. Right-click the domain controller you are removing, and then click Delete.
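The same deletion done from PowerShell, as an added example that is neither the KB article's procedure nor anything posted in the thread. It uses the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) to list the nTFRSMember objects under the SYSVOL replica set, refuses to touch a member whose name still matches a live DC, and runs the deletion with -WhatIf so you see exactly which object would go. The stale DC name is an assumption.

```powershell
# Added example (not from the thread or KB 216498): locate and remove a stale
# FRS member object for a DC that no longer exists.
#Requires -Modules ActiveDirectory
param([string]$StaleDc = 'SERVER2')   # name of the DC whose FRS membership is stale (assumed)

$domainDn  = (Get-ADDomain).DistinguishedName
$sysvolSet = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"

# Each DC in the SYSVOL replica set is an nTFRSMember object named after the DC.
$members = @(Get-ADObject -SearchBase $sysvolSet -SearchScope OneLevel `
    -Filter 'objectClass -eq "nTFRSMember"' -Properties frsComputerReference)
$members | Select-Object Name, frsComputerReference | Format-Table -AutoSize

# Guard: a name that still matches a real DC is not metadata, it is a live partner.
$liveDcs = @((Get-ADDomainController -Filter *).Name)
$stale = @($members | Where-Object { $_.Name -eq $StaleDc -and $liveDcs -notcontains $_.Name })
if ($stale.Count -eq 0) {
    Write-Host "No stale FRS member named $StaleDc under $sysvolSet; nothing to delete."
    return
}

# Dry run first; drop -WhatIf once the object shown is the one you mean.
# -Recursive takes any child objects under the member with it.
$stale | Remove-ADObject -Recursive -WhatIf
```

Run it as a Domain Admin on a DC (or anywhere the module can reach one). After the real deletion, the FRS event 13508 in this thread that names the vanished partner should stop recurring once FRS re-reads its configuration.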
ASKER
PREP this domain if you are going into a mixed domain environment.
Dariusq, can you help with properly prepping the domain.
I never use mixed mode on the 22 sites I work on. So, I am not skilled at which ...prep command is used in what situation. I just know it needs to be prepped if the operating systems are different, or if you are using one with R2 and one is not, or if one is an SBS machine and you are trying to bring a second one online.
ASKER
So, I ran dcpromo on Server2. Left the Global Catalog option checked and unchecked DNS. I'd rather configure that when I've successfully added Server2 as a DC. I have the following warnings and errors:
Event ID 13508: The File Replication Service is having trouble enabling replication from server1 to server2 for d:\windows\sysvol\domain using the DNS name server1. FRS will keep retrying.
Event ID 2506: The value named %1 in the server's registry key %2 was not valid, and was ignored. If you want to change the value, change it to one that is the correct type and is within the acceptable range, or delete the value to use the default. This value might have been set up by an older program that did not use the correct boundaries.
Event ID 2886: The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
Event ID 12366: An unhandled exception was encountered while processing a VSS writer event callback method. The VSS writer infrastructure is in an unstable state. Restart the service or application that hosts the writer.
Also, just to preview the dcpromo process on Server1, I went through the wizard to see if it would see Server2, and I got the error saying no other active directory domain controllers for that domain could be contacted.
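Event 2886 in the post above is the one item in that list that is a hardening hint rather than a fault, and it deserves an answer of its own. The following is an added example, not something posted in the thread: it reads the DC's current LDAP signing requirement, turns on the "LDAP Interface Events" diagnostic so every unsigned SASL bind and cleartext simple bind is logged as event 2889, summarises which clients and identities are doing it, and shows the enforcement value to set only once that list is empty. The registry keys and event IDs are the documented ones; the 24-hour sampling window is an assumption. Run it elevated on the DC.

```powershell
# Added example (not from the thread): triage event 2886 on a domain controller.
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapSigningRequirement {
    $v = (Get-ItemProperty -Path $Params -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    switch ($v) {
        2       { 'Require signing: unsigned SASL binds and cleartext simple binds are rejected' }
        1       { 'None: event 2886 is logged once every 24 hours' }
        default { 'Not set: behaves as None' }
    }
}

function Enable-LdapBindAudit {
    # Level 2 logs one event 2889 per offending bind; set it back to 0 when done.
    Set-ItemProperty -Path $Diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBinders ([int]$Hours = 24) {
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The 2889 message carries the client socket and the identity it bound as.
        $client   = if ($e.Message -match 'Client IP address:\s*(\S+)')     { $Matches[1] } else { '?' }
        $identity = if ($e.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
        [pscustomobject]@{ Time = $e.TimeCreated; Client = $client; Identity = $identity }
    }
}

"Current policy: $(Get-LdapSigningRequirement)"
Enable-LdapBindAudit
Get-UnsignedLdapBinders -Hours 24 |
    Group-Object Client, Identity | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Enforce only after the table above is empty or every remaining client is fixed.
# The supported way is the GPO "Domain controller: LDAP server signing requirements"
# set to "Require signing"; it writes this same value on every DC:
# Set-ItemProperty -Path $Params -Name LDAPServerIntegrity -Value 2 -Type DWord
```

Leave the diagnostic at level 2 for at least one full business cycle before enforcing: the clients that show up are typically appliances, printers and older applications doing simple binds, and the matching client-side policy ("Network security: LDAP client signing requirements") has to be in place on domain members too.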
ASKER
5781: Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.
1059: The DHCP service failed to see a directory server for authorization.
4: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server <computer name>$. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (<domain name>), and the client realm. Please contact your system administrator.
22: The time provider NtpServer encountered an error while digitally signing the NTP response for peer <IP>:<port>. NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: <error>. (<error code>)
1411: The Directory Service failed to construct a mutual authentication Service
Principal Name (SPN) for server SERVERNAME. The call is denied.
2092: This server is the owner of the following FSMO role but does not consider it valid. For the partition which contains the FSMO this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
7062: DNS Server encountered a packet addressed to itself -- IP address <ip address>. The DNS server should never be sending a packet to itself. This situation usually indicates a configuration error.
3000: The DNS server is logging numerous run-time events. For information about these events, see previous DNS Server event log entries. To prevent the DNS Server from clogging server logs, further logging of this event and other events with higher Event IDs will now be suppressed.
6702: DNS Server has updated its own host (A) records. In order to insure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.
13568: The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
Replica set name is : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Replica root path is : "c:\winnt\sysvol\domain"
Replica root volume is : "\\.\C:"
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.
ipconfigall.PDF
ASKER
domain.com zone had A records for all, but in the DNS folder there was a record only for Server2. I changed it to Server1... No, the msdcs folder was not grayed out, either.
ASKER
First and foremost: make sure each DC's NIC has itself as the primary DNS server, and the other DNS server as the secondary. MAKE sure both servers have fixed IPs, and are not getting IPs from the DHCP server.
Then, go to both DC's command prompt and type.
IPconfig /flushdns
IPconfig /registerdns
Net Stop Netlogon
Net Start Netlogon
Now Force replicate between the two servers and then PDC1 should have DC2's SRV records on board. After that, run a DCdiag /v on both DCs and let's look at the progress.
To force replicate, go into AD sites and services and follow this procedure.
To force replicate, and save yourself time:
a) go to the Active Directory Sites and Services Snapin
b) navigate to Default First Site>>Servers
c)Pick the server you want to replicate TO and expand it
d)right click what is showing (NTDS site?) and select "replicate now"
You are running into Journal wrap, time service problems, and authentication problems because DC1, (that is your PDCe FSMO role holder), doesn't see the SRV records for DC2.
Don't worry. This is pretty easy.
If you get lost, you can see how to on this article:
https://www.experts-exchange.com/questions/23356031/There-are-currently-no-logon-servers-available-to-service-the-logon-request.html
ASKER
Under msdcs\_pdc\_tcp folder, it still shows only Server1. Since the replication I've received the following errors:
SERVER1:
1030: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
1058: Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945
7062: DNS Server encountered a packet addressed to itself -- IP address <ip address>. The DNS server should never be sending a packet to itself. This situation usually indicates a configuration error.
SERVER2:
1000: The DNS server could not open the file %1. Check that the file exists in the %SystemRoot%\System32\Dns directory and that it contains valid data. The event data is the error code.
6: I don't remember which this was...
15: Don't remember either. If these are important I could go pull it real quick...
6702: DNS Server has updated its own host (A) records. In order to insure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code. (This might have been corrected, though.)
The scanner is being used, but here is some dcdiag results:
SERVER1:
"Found 2 DCs. Testing 1 of them."
Passed connectivity.
Ignored ForestDnsZones, DomainDnsZones, Schema, Config
"Latency information for 2 entries in the vector were ignored. 2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc."
Passed Rep Site Latency Check, NCSecDesc, NetLogons, Advertising, KnowsOfRoleHolders, RidManager, MachineAccount, Services, ObjectsReplicated, frssysvol, frsevent, kccevent
Failed systemlog
Passed the rest.
SERVER2:
"Value named GESERVER in the server's reg key OptionalNames was not valid, and was ignored."
Then it said Server1 could not be registered on Server2. Server2's ip address cannot be claimed by Server1.
Then a few KRB_AP_ERR_MODIFIED errors from Server2.
Failed Group Policy processing and print spooler.
Terminal server cannot register 'TERMSRV' Service Principal Name.
DNS Server service terminated unexpectedly.
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection.
Passed everything else except LocatorCheck.
One folder will be its own forward lookup zone, the second will be under your domain's forward lookup zone.
In fact, this is exactly how it looks like and what dariusq recommended to me to fix the same exact problem.
https://www.experts-exchange.com/questions/24349599/URGENT-MSDCS-records-registering-directly-under-FWD-lookup-zone-not-under-FQDN-name-space.html
__________________________
After that, go to the command prompt and restart the netlogon service again. They will recreate the MSDCS file folder ONLY under your forward lookup zone.
__________________________
After restarting the netlogon service, then force replicate.
__________________________
I think dariusq was, at one time, under the impression that 1030 and 1058 errors are not caused by DNS. I am about to show him that these domain controllers replicate the sysvol and netlogon shares then share these out using MUPcache.
__________________________
Let me explain what's going on for you:
The domain controllers' DNS servers carry SRV records. These records include the authentication server pointer, FRS partners and a number of other services. FRS is used to replicate a number of different things. This includes the Sysvol and Netlogon shares. The sysvol file folder holds your Group Policies.
The greyed out folder is a delegation record. It is created on your 1st domain server in the forest. Microsoft designed it like that to allow replication to forest servers or trusted top-level domain servers within the forest. It doesn't need to be this way. For you, you can delete both of your MSDCS file folders. Upon restarting the netlogon service, they will recreate themselves as one record (under your forward lookup zone) and hold your SRV records.
The problem with these delegation records, as Chris Dent and Dariusq point out, is they don't update.
DNS is the cause of all your issues, including FRS, domain authentication, and Group Policies. Since this one delegation record timed out, nothing knows where domain services are. So, DNS is causing a domino effect.
1) delete the MSDCS file folders on both DNS servers
2) restart the netlogon service on both servers
3) force replicate between the two servers
4) check your DCdiag reports again for any other discrepancies that we can help with.
You want to have a domain.com zone; a delegated zone on top of that is too much for you. I don't like that MS automatically does this.
ASKER
After deleting them, make sure BOTH DNS servers hold no MSDCS file folders. Then, restart netlogon. Then, force replicate. Then, DCdiag.
Ethernet adapter
IP Address.......... 114.14.14.23
Subnet Mask......... 255.255.255.0
DNS Servers......... 114.14.14.23<<<<<<<PRIMARY
......... 114.14.14.30<<<<<< ALTERNATE
Server2
Ethernet adapter
IP Address..........114.14.14
Subnet Mask......... 255.255.255.0
DNS Servers......... 114.14.14.30<<<<<<<<<<<<<<
......... 114.14.14.23<<<<<<<<<<<<<<
Prior to replicating and after deleting the MSDCS file folders in DNS, we need you to pay particular attention to the NIC configurations, especially DNS.
Both servers should set THEMSELVES as primary and the other server as alternate, as shown above.
Also, while restarting the netlogon service, also flush your DNS cache and re-register the HOST A.
So, your steps should be in this exact order:
1) Delete your MSDCS file folders on BOTH SERVERS.
2) Check and make sure your NIC configuration are like the above for primary and alternate DNS servers.
3) Go to the command prompt and type these four commands in order:
IPconfig /flushdns
IPconfig /registerdns
Net stop Netlogon
Net start Netlogon
4) Force replicate:
a) go to the Active Directory Sites and Services Snapin
b) navigate to Default First Site>>Servers
c)Pick the server you want to replicate TO and expand it
d)right click what is showing (NTDS site?) and select "replicate now"
5) DCdiag and provide any errors.
-----
DCdiag is going to show us any FRS errors. You may be in journal wrap. This means you have a partial data set of replicated data between the two DCs. To overcome journal wrap, you may need to use the burflag method. Or you can try some less invasive procedures first.
1) Try to force replicate again
2)Restart the FRS service on both DCs
3) Use the Burflag method to reset your FRS replication> This will require guidance.
Journal wrap will be easily spotted by continuing event errors of 1030 and 1058 Group policies, as well as errors in the 13000's for FRS events. Those errors can be seen on this article I wrote (How to diagnose and fix errors 1030 and 1058):
https://www.experts-exchange.com/articles/OS/Microsoft_Operating_Systems/Server/2003_Server/Diagnosing-and-repairing-Events-1030-and-1058.html
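The five-step sequence above, scripted. This is an added example written for this thread, not ChiefIT's own script: it runs from an admin workstation with RSAT (PowerShell remoting, the DnsClient module and repadmin are assumed) against both DCs, checks that each DC's NIC lists itself first and its partner second with no 127.0.0.1, performs the flush/register/Netlogon restart on each, forces a push replication of every partition, and then verifies that both DNS servers hold the locator SRV records for both DCs. The domain name and the DC names and addresses are the ones that appear in the thread; that both DCs are global catalogs (so both register _gc._tcp) is assumed.

```powershell
# Added example (not from the thread): re-register DC locator records on two DCs,
# force replication, then prove the SRV records exist on both DNS servers.
$Domain = 'classified.genet'
$Dcs    = [ordered]@{ 'Server1' = '114.14.14.23'; 'Server2' = '114.14.14.30' }

# Step 2: self first, partner second, never the loopback address.
function Test-DcDnsClient ([string]$Dc, [string]$Self, [string]$Partner) {
    $servers = @(Invoke-Command -ComputerName $Dc -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1).ServerAddresses
    })
    $ok = ($servers.Count -ge 2) -and ($servers[0] -eq $Self) -and ($servers[1] -eq $Partner) -and
          ($servers -notcontains '127.0.0.1')
    if (-not $ok) { Write-Warning "$Dc DNS client list is [$($servers -join ', ')]; expected [$Self, $Partner]" }
    return $ok
}

# Step 3: flush the cache, re-register host records, bounce Netlogon so SRV records are rewritten.
function Reset-DcRegistration ([string]$Dc) {
    Invoke-Command -ComputerName $Dc -ScriptBlock {
        ipconfig /flushdns    | Out-Null
        ipconfig /registerdns | Out-Null
        Restart-Service Netlogon
    }
}

# Step 4: push every partition (/A) to every partner in the enterprise (/e), by DN (/d).
function Sync-AllPartitions ([string]$Dc) {
    Invoke-Command -ComputerName $Dc -ScriptBlock { repadmin /syncall /AdeP }
}

# Step 5: each DNS server must answer with every DC for the records the locator uses.
function Test-DcSrvRecords {
    $missing = @()
    $records = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain"
    foreach ($dns in $Dcs.Values) {
        foreach ($rr in $records) {
            $targets = @((Resolve-DnsName -Name $rr -Type SRV -Server $dns -ErrorAction SilentlyContinue |
                          Where-Object { $_.Type -eq 'SRV' }).NameTarget)
            foreach ($dc in $Dcs.Keys) {
                if ($targets -notcontains "$dc.$Domain") { $missing += "$rr on $dns lacks $dc.$Domain" }
            }
        }
    }
    return $missing
}

$names = @($Dcs.Keys)
Test-DcDnsClient $names[0] $Dcs[$names[0]] $Dcs[$names[1]] | Out-Null
Test-DcDnsClient $names[1] $Dcs[$names[1]] $Dcs[$names[0]] | Out-Null
foreach ($dc in $names) { Reset-DcRegistration $dc }
Sync-AllPartitions $names[0]
Start-Sleep -Seconds 30                      # let Netlogon finish its registrations
$gaps = Test-DcSrvRecords
if ($gaps.Count -gt 0) { $gaps | ForEach-Object { Write-Warning $_ } }
else { 'All locator SRV records present on both DNS servers; run dcdiag /v next.' }
```

If Test-DcSrvRecords still reports a gap after the wait, the missing record belongs to whichever DC is not registering, so look at that DC's Netlogon registration (nltest /dsregdns) and the System log for event 5781 before forcing replication again.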
ASKER
Server2's DNS events also had a 6702 Error followed by Infos 4 and 2. Server2's FRS events had 13508 and 13565 Errors, but Server1 had zero events. It made me wonder if Server1 had FRS or if logging was just off.
So, I did go into Server1's AD Sites snap in and click Replicate on Server1. I'm sure that made my efforts moot, requiring me to do this all again. When I try to access Server2's AD Sites, I get this error message: "Naming information cannot be located because: Access is denied."
Brief dcdiag /v, Server1:
Ignored those tests first few tests again (as I posted above).
Passed all until it skipped Intersite "Skipping Default-First-Site, this site is outside the scope provided by the command line arguments provided."
Passed the rest. No failures.
Brief dcdiag (no verbose because the Kerberos errors were so many that I couldn't c&p all results) Server2:
Failed test Advertising
Passed all until error in NCSecDesc "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=classified, DC=genet.
Failed NCSecDesc.
Failed NetLogons, too "Unable to connect to NETLOGON share! An net use or LsaPolicy operation failed with error 67, The network name cannot be found.
Passed all again until Kerberos client errors and Group Policy processing failures.
Failed test SystemLog.
Passed the rest.
ASKER
"2003 Server R2 and newer should never use the BurFlag method because of the enhanced features of DFSR (Distributive File Share Replication) over FRS (File replication service)."
Do you have the netlogon folder shared?
Dcdiag /test:netlogons
ASKER
Also, it seems my SYSVOL is inside a sysvol... Could this be a problem? I think I saw in Chief's article that it was.
Server1 dcdiag /test:netlogons:
Testing server: Default-First-Site\Server1
Server2 dcdiag /test:netlogons:
Testing server: Default-First-Site\Server2
Though I have stated in my article that DFSR will unhose itself while in journal wrap, there are certain files that are not members of Distributive File Share replication. Sysvol and Netlogon are examples.
Your connectivity appears good. This should mean DNS is fixed. However, it appears like you have a partial data set in the Netlogon share. This will probably lead to LSA errors. I always wondered where DFSR picks up and FRS leaves off.
Let's first confirm that we have ALL DNS errors fixed. Use DCdiag /v to look for any DNS errors.
If no DNS errors, lets use the burflag NON-Authoritative restore to reset File replication.
Both, the non-authoritative and authoritative restores are provided on this article. Please choose NON-AUTHORITATIVE if this is NOT your FSMO role holder:
http://support.microsoft.com/kb/290762
ASKER
ASKER
Post DCdiag /v failures afterwards on both servers.
ASKER
Server1 dcdiag /v:
Passed all.
Server2 dcdiag /v:
Failed Advertising "Unable to reach Server2. SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE."
Then a few more identical messages about how FRS is having trouble enabling replication from Server1 to Server2 for "c:\windows\sysvol\domain".
Is it because of its SYSVOL\sysvol?
Then Passed FrsEvent, DFSREvent, SysvolCheck, and everything else until
Failed NCSecDesc and NetLogons.
Passed all after that.
http://support.microsoft.com/kb/910204
ASKER
I read the article and the two other articles it referenced. I'm gonna follow this particular set of instructions and look for these Event IDs:
Event ID 1559, 1578, 1801
After you promote the domain controller to a global catalog server, domain partitions in the forest will be replicated to the new global catalog server. When all partitions have successfully replicated to the new global catalog server, event ID 1119 will be logged in the Directory Services log on the domain controller. The event description states that the computer is now advertising itself as a global catalog server.
To confirm that the domain controller is a global catalog server, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type nltest /dsgetdc: Domain_name /server: Server_Name, and then press ENTER.
3. Verify that the server is advertising the "GC" (global catalog) flag. For example, when you type the command in step 2, you will receive a message that is similar to the following if the GC flag is present:
DC: \\ Server_Name
Address: \\ IP Address
Dom Guid: 47bc7d87-309e-4a2a-bac3-c9
Dom Name: Domain_name
Forest Name: Domain_name .com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE
The command completed successfully
Sound good?
ASKER
Something interesting; I looked at Server2 in AD Users and Computers > Domain Controllers > then NTDS Settings Properties and it was showing Replicate from: Server1 / Replicate to: Server1. Could that be the result of when I clicked "Replicate now" on Server1 first?
Anyway, Server1 still has all roles and both servers were checked as GC.
Darius, out of those events in the article you posted, I've only received error 1006.
ASKER
So, now in your DNS you only have the domain.com zone on both servers, right? You have the msdcs folder not grayed out.
ASKER
ASKER
Server1 has Forward Lookup, Reverse Lookup, and Event Viewer.
Under Forward Lookup I have _msdcs.domain.com \ domain \ domain.com \ dns.domain.com \ FE-12 (which is a project name)
Server2 has Forward Lookup, Reverse Lookup, Conditional Forwarders, and Global Logs
Under Forward Lookup I have _msdcs.domain.com \ domain \ domain.com \ dns.domain.com \ FE-12 (which is a project name)
Nothing is grayed out, but it looks like there may be some orphan domains?
ASKER
You should only have domain.com with the msdcs folder listed under the domain.com zone where you can click on the folder and view records.
What do you think about scratching DNS on DC2 and redoing it? In other words, prevent it from being a global catalog, remove the DNS role, reinstall the DNS role, restart the netlogon service, flush the DNS cache, register the Host A record, and finally reinstate the Global Catalog?
Yah, because I am seeing unusual errors in DNS. We already went down the path of deleting the MSDCS file folders, and they just came back.
I think it's time to unhose DNS indefinitely.
You game for taking him through the steps of unhosing DNS?
ASKER
ASKER
Please look over link that I posted.
ASKER
ASKER
I have a lot of 1030 and 1058 errors on Server1 and 1058 and 1006 errors on Server2. Server 2 also has a lot of 4 warnings.
And when I open up AD, I get an error popup saying Failed to open Group Policy Objects due to lack of appropriate rights.
ASKER
ASKER
ASKER
Server1 dcdiag /fix
Failed connectivity test
Skipped all Default-First-Site\Server1
Passed everything else.
Server2 dcdiag /fix
Failed connectivity test
Skipped all Default-First-Site\Server2
Passed all until DcGetDcName(GC_SERVER_REQU
Failed LocatorCheck test
Passed Intersite test
ASKER
Scan10001.JPG
ASKER
Scan10001.JPG
ASKER
ASKER
ASKER
ASKER
ASKER
ASKER
ASKER
ASKER
Both servers are GCs.
From Server2, I cannot open AD Sites.
Now, attached are the dcdiag /fix results.
dcdiag.docx
ASKER
ASKER
ASKER
ASKER
ASKER
ASKER
If you removed server 2 from ANY NIC configuration, put it back.
So, on the NIC configurations, they should look like this:
On server 1:
Preferred DNS server list: Primary is DC1's IP address, Alternate is DC2's IP address
On server 2:
Preferred DNS server list: Primary is DC2's IP address, Alternate is DC1's IP address
STEP 2)
Go to both servers' command prompt and type the following:
IPconfig /flushdns
IPconfig /registerDNS
Net Stop Netlogon
Net Start Netlogon
That will re-register the SRV records and allow for AD authentication.
You deleted the MSDCS file folders. Those folders carry the SRV records; upon scratching those folders you need to rebuild the SRV records.
Once you rebuild the records, try DCdiag /v to see if you have any errors on both servers.
STEP 3)
If you have a pretty clean DNS, force replicate between the servers.
ASKER
1) But, make sure BOTH servers are on the NIC configurations of BOTH servers.
2) Then Run the DNS registration gauntlet of commands.
3) After that, check DNS with DCdiag.
If all looks good for DNS, FORCE replicate.
ASKER
When you and Chris Dent helped me with the greyed out MSDCS delegation folder, I had to recreate the SRV records by restarting the netlogon services.
These records, of course, include a pointer to the authentication servers, (the AD server). They also point the way to FRS replication partners.
I believe you're not seeing the GC servers, event themselves, because of DNS. I do agree.
ASKER
On 11/13/09 07:50 AM you had me configure my NICs and run flush and register already, then force rep.
ASKER
It was on:
ID:25740383Author:ChiefITD
ASKER
ASKER
ASKER
Dariusq and I had this discussion before.
I am not sure if DCdiag /fix or even DCdiag /fix:DNS registers the SRV records. I do know that restarting the netlogon does.
I am pretty sure dariusq is probably right, but I have always used the netlogon service restart for SRV records.
It doesn't hurt to do both.
ASKER
Server2 results start with the many Kerberos and Group Policy errors.
dcdiag1-2.docx
ASKER
ASKER
ASKER
ASKER
ASKER
I cannot access Server1's shared drives either. I can't even access Server1 through \\server1\
I can ping Server1 though.
In ipconfig /all the results on both servers show no DHCP enabled. I checked both DHCP services and they're "Active" with accurate, non-conflicting address pools and exceptions.
It's also showing WINS service when I know I removed it.
S1S2.doc
You can ping Server1 by name or just IP address?
Post ipconfig /all in this window, not in another attached document.
ASKER
ASKER
ipconfig-001.zip
I am thinking the IP stack may be corrupt. I think we might fix it by researching and removing the corrupt reg keys from IPv6.
First off, let's try the command prompt uninstall process:
netsh interface ipv6 uninstall
At any time, you will want to see if you are successful. To do so, let's go to the command prompt and type IPconfig /all.
If you see anything that pertains to "Teredo Tunneling" or see a base 16 IP address, we were unsuccessful in removing or uninstalling IPv6.
Now, IPv6 can also cause problems with the computer's routing table as well as DNS!!!
These things should also be looked at prior to promoting the second DC.
DO NOT PROMOTE IF THERE IS ANY RESIDUE OF IPV6. LET'S CALL IT IPV6 METADATA.
ASKER
ASKER
Kerberos and that stupid Symantec Endpoint Protection crap (which, for some reason, is not accepting my credentials anymore) is giving a lot of errors. I'm about to be in panic mode... All of these things I'm doing seem to make my network even more buggy. I have users who cannot access their profiles (permissions), some are still looking to sync with Server2, some are being prompted for the NAS username and password (where all the data is) within command prompt, Server2 cannot see Server1. This is insane...
Please give me something. At least advice on how I should go about creating a new domain.
ASKER
Are you in Seattle?
I do understand your feelings; I am not going to read all this again.
I think now you have 2 DCs and for some reason it is not working properly.
Do you still have the 2003 DC online? If yes:
Transfer all the FSMO roles to the 2003 server first.
Again, confirm with netdom /query fsmo.
For netdom you have to install the support tools from the Windows CD
and run the command from the c:\program files\support tools\ folder.
You should see that the owner of all 5 roles is the 2003 server.
Shut down all other DCs.
Once done:
Check the TCP/IP configuration.
Disable (uninstall or remove) all the teaming and unused interfaces, including any VPN; keep only one with an IP address (once configured, we configure the teaming).
Assume your 2003 DC IP address is 192.168.1.53:
IP Address. . . . . . . . . . . . : 192.168.1.53<< Your IP here
Subnet Mask . . . . . . . . . . . : 255.255.255.0
DNS Servers . . . . . . . . . . . : 192.168.1.53 << this should be the IP address of the same 2003 DC Server
Once done:
1) Re-register the IPs
Ipconfig /registerdns
Ipconfig /flushdns
2) Restart the DNS server
Net stop dns && net start dns
3) Restart the netlogon service
In the command prompt type nslookup
Default Server: DC.domain.com
Address: xxx.xxx.xxx.xxx
The output should be like this.
If you are getting
Default Server: default server
check the TCP/IP address configuration and see that the IP address is there.
Once finished, go to any client, assign a static IP, and while configuring the DNS give your 2003 DC's IP address, e.g. 192.168.1.53; don't give any other IPs like the ISP's DNS.
From the client open CMD and try to ping your domain name (only the domain name, e.g. domain.com); you should get the reply from 192.168.1.53. If not, go to the DNS on the DC and delete all entries other than your 2003 DC (in the A records, name server tab etc.).
Once everything is under control we can continue the installation of the 2nd DC.
Once done, please let me know how I can help on this issue.
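As an added example (not code from the thread or from any of the participants), the checks that Sarithvs's steps above and ChiefIT's earlier "registration gauntlet" (flushdns, registerdns, Netlogon restart) are meant to satisfy, automated in PowerShell: the DC's NIC must list a real DC address for DNS, the domain name must resolve to the DC, and the SRV records that Netlogon writes under _msdcs must exist and point at hosts that still resolve. It assumes the DnsClient module (Windows 8 / Server 2012 or later); on the 2003/2008 hosts in the thread the same checks are done by hand with nslookup. domain.com and 192.168.1.53 are placeholders taken from the thread.

```powershell
# Added example: verify DC DNS registration. Assumes the DnsClient module (Win8/2012+).
# Names and addresses are placeholders; nothing here is the thread's own code.
function Test-DcDnsHealth {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. domain.com
        [Parameter(Mandatory)] [string] $DcIp,     # e.g. 192.168.1.53
        [string] $DnsServer = $DcIp                # DNS server to query; a DC should answer for itself
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1) The DC's own NIC should point at a DC (itself first), never at 127.0.0.1 or an ISP resolver.
    $servers = @(Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object { $_.ServerAddresses })
    if ($servers -notcontains $DcIp) {
        $findings.Add("NIC DNS list [$($servers -join ', ')] does not include $DcIp")
    }
    if ($servers -contains '127.0.0.1') {
        $findings.Add("NIC DNS list uses 127.0.0.1; use the DC's real address instead")
    }

    # 2) "ping domain.com" must answer from a DC: check the zone apex A records.
    try {
        $apex = @(Resolve-DnsName -Name $Domain -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop)
        if ($apex.IPAddress -notcontains $DcIp) {
            $findings.Add("$Domain apex A records [$($apex.IPAddress -join ', ')] do not include $DcIp")
        }
    } catch { $findings.Add("A lookup for $Domain failed: $($_.Exception.Message)") }

    # 3) SRV records Netlogon registers under _msdcs. Without them clients cannot locate a DC, KDC or GC.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.gc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain"
    )
    foreach ($name in $srvNames) {
        try {
            $srv = @(Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
            if ($srv.Count -eq 0) { $findings.Add("no SRV records for $name"); continue }
            foreach ($r in $srv) {
                # A target that no longer has an A record is a stale entry for a demoted/removed DC.
                $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
                if (-not $a) { $findings.Add("SRV $name -> $($r.NameTarget) has no A record (stale DC entry?)") }
            }
        } catch { $findings.Add("SRV lookup for $name failed: $($_.Exception.Message)") }
    }

    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings }
}

# The re-registration sequence from the thread, run after the NIC DNS settings are corrected.
function Register-DcDnsRecords {
    ipconfig /flushdns    | Out-Null
    ipconfig /registerdns | Out-Null           # re-registers the host A (and PTR, if a reverse zone exists)
    Restart-Service -Name Netlogon -Force      # rewrites the SRV records under _msdcs
}

# Usage with the thread's placeholder values:
# Test-DcDnsHealth -Domain 'domain.com' -DcIp '192.168.1.53' | Format-List
```

Run it on the DC itself after Register-DcDnsRecords; an empty Findings list corresponds to the "no DNS errors" state the thread asks for before forcing replication or promoting the second DC.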
I think we have been duking it out with Symantec Endpoint Protection. It has prevented us from using DNS as we wished. For that reason, we have been demoting and promoting back into the system.
Once we disable SEP and follow the same steps we have been giving the author over a hundred times over, I think life will be dandy.
ASKER
1. Remove SEP and LiveUpdate.
2. Ensure I give all roles back to Server1 and (hopefully) restore its healthy state.
3. Follow Sarithvs's instructions (yes, these are exactly the same instructions Chief and darius have been giving me, but SEP must have been in the way).
3.1 Laugh maniacally.
4. Report back with what?
ASKER
ASKER
Nslookup:
Default Server: unknown
Address: xxx.xxx.xxx.xxx (correct IP)
Nslookup server1:
Default Server: server1.domain.com
Address: xxx.xxx.xxx.xxx (still correct)
From client I pinged, by name, Server1, Server2, and our NAS and all gave reply.
I tried to demote Server2 again, but:
"The operation failed because: Managing the network session with server1.domain.com failed. 'Logon Failure: The target account name is incorrect."
Netdiag:
All passed except:
WINS skipped, Trust relationship skipped, Gateway failed (no gateway configed anyway), WAN config skipped, IP Security skipped
Dcdiag:
All passed except:
Replication failed, frsevent failed, systemlog failed
Also posted errors:
Failed replication from Server2 to Server1 (expected?)
Dynamic registration of DNS record errors.
I have 3 questions.
What is our plan? Migration of Active Directory from 2003 to 2008, is it?
For that we need one working Active Directory; on that server we need to do:
1) Adprep /forestprep (you have to put the 2008 CD in the old Windows 2003 and run the command). I think you already finished this step; this will do the schema upgrade.
2) Install a new Windows 2008 server and join it to the domain as a member server.
3) Do the DCPROMO and create an additional domain controller for the existing domain.
This is it, very simple.
So we can start troubleshooting.
Please don't install any AV software with network protection on the Active Directory (while testing).
"From client I pinged, by name, Server1, Server2, and our NAS and all gave reply."
What is this NAS? Is it a server or server name? Or a domain controller?
Which server is giving this answer?
Default Server: unknown
Address: xxx.xxx.xxx.xxx (correct IP)
Can you please check the 1st DNS preference of that server? It should be the same server IP; if it is the same, that server is missing the PTR record pointing to it.
ASKER
"From client I pinged, by name, Server1, Server2, and our NAS and all gave reply."
Ok, forget NAS. It's our network storage.
The plan is to migrate from Server1 (2003) to Server2 (2008).
Server1 is giving the "unknown" answer with IP when I run nslookup and "server1.domain.com" answer with IP when I run nslookup server1.
I cannot demote Server2! When I run dcpromo on it, it asks me for a password and is not accepting the one I input.
@darius:
I have removed Server2 and am ready to just reinstall the OS in case it's absolutely shot.
Metadata cleanup while Server2 is online?
ASKER
Ok, what now?
See if your network behaves correctly now without Server2. Make sure server1 and no clients point to server2 for DNS. Let's get the network back to the beginning before promotion of server2. I want to make sure all works.
ASKER
ASKER
From AD Sites, I deleted Server2's NTDS Settings, but cannot delete the container: "Do not delete Server2 container object. Server2 contains objects representing domain controller Server2 and possibly other domain controllers. To delete these objects, demote the domain controllers using the AD Install Wizard (DCPROMO). If the DC represented by these objects are permanently offline and can no longer be demoted using DCPROMO, you must delete them one at a time."
I ran dcdiag again on Server1:
Failed frsevent only.
For that, take the Properties for NTDS, remove the tick mark and wait for 15 minutes.
"Server1 is giving the "unknown" answer with IP when I run nslookup and "server1.domain.com" answer with IP when I run nslookup server1."
I don't understand; are you getting the correct answer or not?
Please make sure the DNS is working fine; while doing nslookup you should get server1.domain.com.
You need to test the same from a client PC. Also do a ping test; you should get the reply from server1's IP address. This will help us to delete the orphan entries from DNS.
Please post the output of netdom:
netdom /query fsmo
netdom /query dc
No need to run dcdiag every time; it will not fix the issue.
ASKER
I deleted the NTDS Settings under Server2 in the DNS console.
Tell me, is the first preferred DNS the local server IP address?
If yes, can you check that the reverse DNS is configured?
If yes, can you please check that the PTR for the same server is created?
After that you need to ping from a client PC; you should get the reply from server1's IP address. This will help us to delete the orphan entries from DNS.
Please post the output of netdom:
netdom /query fsmo
netdom /query dc
Run metadata cleanup on Server1 to remove all lingering objects for Server2.
ASKER
I ran nslookup again from a couple clients and server:
"DNS request timed out. Can't find server name for address xxx.xxx.xxx.23
Default server: Unknown
Address: xxx.xxx.xxx.23"
One client was looking at Server2 when I ran nslookup:
"DNS request timed out. Can't find server name for address xxx.xxx.xxx.23
Default server: Unknown
Address: xxx.xxx.xxx.30"
I fixed that.
Netdom /query fsmo: Schema, Domain, PDC, RID, Infra (all belong to Server1)
Netdom /query gc: Server1 and Server2
I then ran metadata cleanup again with Server2 still on the network. Then I disconnected it and deleted it from AD Sites (it allowed me to delete the object this time).
Ran netdom /query dc again: Server1 (only)
So, in AD Sites, it showed Server1 and Server2 replicating from each other. I'm guessing this was causing Server2 records to be recreated in DNS. I went back through DNS and deleted Server2 records that were recreated in the GC, DomainDNSZones, and ForestDNSZones folders.
Now, from what I just posted, how should I proceed?
ASKER
ASKER
If Server1 still shows Server2 as a replication partner then you most likely have some objects that haven't been cleaned in AD.
ASKER
Please reinstall server 2 with Windows 2008 and keep it ready; don't add it to the domain. I will advise you when we are ready.
"I fixed that." Do you mean now you are getting the correct server1 instead of Unknown, is that it?
"Ran netdom /query dc again: Server1 (only)"
Very good.
Yes, now we can proceed to the next step,
which is cleaning up the old server entries.
Check the Active Directory Users and Computers OU; make sure there is only one DC.
I am sure, because netdom is giving the correct result.
OK.
Next step: go to AD Sites and delete the connector from both DCs.
Carefully!!!
Delete NTDS from server 2.
Delete the server 2 object.
Also please check this KB:
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498
Once done,
do a system state ntbackup.
ASKER
I've deleted Server2 from AD Users \ Domain Controllers
I've deleted Server2's NTDS Settings and Object from AD Sites
I'll do the rest of what you posted.
Test from a client PC: ping domain.com and make sure you are getting the response from server 1.
This is the time for dcdiag.
ASKER
Ok, so I ran metadata cleanup (again) - same results. Actually, I didn't follow through since Server2 no longer exists as a server during metadata. I also deleted all records of Server2 from DNS (they reappeared in ForestDNSZones). The kb also mentions deleting the CNAME in _msdcs.root domain of forest zone in DNS. So, I did delete the CNAME record under the _msdcs folder.
dcdiag: Default-First-Site\Server1
Starting test: Connectivity
The
ASKER
Passed all else.
ipconfig /registerdns
ipconfig /flushdns
netdiag /fix
http://support.microsoft.com/kb/241515
http://support.microsoft.com/kb/241505
ASKER
Sarithvs, I will run those again in a few.
ASKER
Active Directory creates its SRV records in the following folders:
_msdcs/dc/_sites/default-f
_msdcs/dc/_tcp
I have _ldap._tcp.domain in:
%SystemRoot%\System32\Conf
Nslookup shows the same thing:
Server: Unknown
Address: xxx.xxx.xxx.23
Netdiag /fix:
All Passed except Skipped Trust Relationships and IP Security
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
Though you have gone into Add/Remove Programs, Symantec leaves metadata in the registry and application data, enough to run SEP. You have to remove that.
SEP may still be causing you fits.
Run this tool on BOTH DCs.
ASKER
ASKER
ASKER
How does DCdiag look on DC1?
Can you perform NSlookup from the "soon to be" DC2 to DC1?
Are you seeing any intermittent time outs on the network?
Tell us a little bit about DC2's DNS status.
Is DC1 listed as the preferred DNS server on DC2's NIC configuration?
ASKER
Want me to pull another dcdiag off of DC1?
Nslookup from DC2 (it's actually just Server2 [no longer a DC]) still?
I'll make sure Server2 looks to DC1 for DNS once I get these answered :)
ASKER
ASKER
Server2 (xxx.xxx.xxx.30) is now SERVER2008 (xxx.xxx.xxx.16)
I ensured SERVER2008 had IPv6 disabled on both NICS (even while disabled one NIC entirely) before I even joined it to the domain and clicked the box telling it to register it in DNS.
I reserved SERVER2008's IP in Server1's DHCP then joined the domain with the name SERVER2008.
Once I joined the domain, I see its record created in DNS for IPv4 AND IPv6. It's that persistent? Anyway, I don't know how to get rid of it...
Also, SERVER2008 did not run any login scripts. This is where I'm at now.
Server1
Does it have a static IP? Is nslookup giving the correct answer? I think you already answered yes.
Now we are going to promote the 2nd DC.
SERVER2008
1) It is strongly recommended that you format and reinstall this server before starting
2) Disable IPv6
3) You should configure a static IP (it is not at all recommended to keep an AD server as a DHCP client)
IP address <<== New IP address (must exclude from DHCP)
GW <<= (if needed)
DNS <<= (should be the server 1 IP address)
4) Add Server 2008 as a member server in the old domain
5) Log on as domain\administrator
6) Install DNS server
Administrative Tools >> Server Manager >> click Roles >> in the results pane click Add Roles >> on the Before You Begin page click Next >> select the DNS service & Active Directory Domain Services
7) Install Active Directory using DCPROMO
8) Existing forest >> add domain controller to an existing domain
9) Once finished, restart the server
ASKER
IPv6 has been disabled.
Static IP is new configured and has a reserved IP in Server1's DHCP Address pool. Should I remove it from reserved?
Added SERVER2008 as a member - this is where DNS registered its IPv6 address.
Will install AD with DNS when promoting SERVER2008 (?) or install DNS before I install AD (?), but is the IPv6 going to be a problem? It's very persistent...
ASKER
IP Address...................
Sub Mask......................
DHCP......................
DNS.......................
I did have multiple errors logged, though:
Application: 1015
DNS: 7062
System: 3019
ASKER
DNS<<= (should be the server 1 IP address )
4) Add server 2008 as a member server in the old domain
5) Logon as domain\administrator
6) Install DNS servers
Administrative tools >> Server Manager.>> click Roles.>>results pane click Add Roles>> Before You Begin page click Next.>>select the DNS service & Active Directory Domain Services
ASKER
ASKER
DNS
Server1
- Forward Lookup Zones
-- domain.com
---- _msdcs
------ dc
-------- _sites
---------- Default-First-Site
------------ _tcp
-------- _tcp (under dc)
------ domains (under _msdcs)
-------- 125e186d-4546-xxxx-xxxx-xx
---------- _tcp
------ gc (under _msdcs)
-------- _sites
---------- Def-First-Site
------------ _tcp
-------- _tcp (under gc)
-----+ pdc (under _msdcs)
---+ _sites (under domain.com)
---+ _tcp
---+ _udp
---+ DomainDnsZones
---+ForestDnsZones
---+TAPI3Directory
+ Reverse Lookup Zones
-Event Viewer
-- DNS Events
And with _msdcs highlighted, it shows 5 records:
dc (folder)
domains (folder)
gc (folder)
pdc (folder)
fd72f436-xxxx-xxxx-xxxx-xx
ASKER
ASKER
Server: Unknown
Address: xxx.xxx.xxx.23
I ping Server1 from the client using Server1 IP and name "Server1" and get replies just fine, though.
ASKER
ASKER
Here's how it looks:
- Forward Lookup Zones
--- .(root)
----- com
------- domain (grayed out, but includes NS record for the server)
ASKER
ASKER
Forward Lookup/domain.com has two records:
(Same as parent folder)..... xxx.xxx.xxx.23
Server1...................
Weird because my other network has these same records in the Forward/domain.com folder, except the record with "(Same as parent folder)" has the GUID instead of IP.
DomainDnsZones:
(Same as parent... )........... xxx.xxx.xxx.23
Forest and TAPI3Dir show the same as Domain DnsZones
ASKER
Server1's ForwardLookup/domain.com folder does have two, though, so what I posted about that is accurate.
ASKER
ASKER
"I have assumed that you plan to install a forward lookup zone, but what about the reverse lookup zone? It only takes a minute to install the reverse lookup zone and without it utilities like DNSLint and NSLookup will not function."
http://www.computerperformance.co.uk/w2k3/services/DNS_install_zones.htm
ASKER
ASKER
Nslookup will not resolve the server name, but will show the IP.
Some clients are not accessing SYSVOL or NETLOGON (which ever the case is). Server1 has both, where I'm guessing it should only have one or the other.
IPv6 is persistent.
The clients that do run the logon scripts are being prompted to enter admin credentials before remapping drives (I'm thinking I can just place a copy of user.bat on the local machine).
SERVER2008 is a member server and I'm not sure what else to do to make Server1's DNS happy, but maybe it's ready for a new DC and a demotion. I'll install AD on SERVER2008 with DNS and configure that to point at Server1, then DCPROMO into the existing domain. I'll then go into DNS and make Server1 replicate to SERVER2008. I'll transfer all roles to it, copy user profiles over using robocopy (when I figure out how to), edit scripts to point to SERVER2008, and test its functionality with ipconfig, dcdiag, netdiag, dnslint, etc. then run to some client PC and do more validation. I'm running out of options and fear people are giving up...
ASKER
I just created a Reverse Lookup Zone with the network's xxx.xxx.xxx IP and followed the configuration advice from the article I posted. Now...
Nslookup from Server1, SERVER2008, and clients:
Server: Server1
Address: xxx.xxx.xxx.23
DNSLint:
UDP Port 53: YES
TCP Port 53: NOT TESTED
Authoritatively: YES
**DNS may the root server, but no DNS records for the domain exists
SOA record data from server:
Authoritative: Unknown
Hostmaster: Unknown
Zone serial: Unknown
Zone expires: Unknown
Refresh: Unknown
Retry: Unknown
Default TTL: Unknown
*S*OA records are unavailable or there are missing DNS servers
The SOA record entries on Server1 did not match those in my other, working network. The only difference was that Hostmaster showed only Hostmaster and not Hostmaster.domain.com. Adding "domain.com" did not change the DNSLint results, though. Not even after flushing, reregistering, stopping, and starting DNS. So far, all I've fixed was nslookup results.
ASKER
Server1 points to itself for DNS, yes.
Nslookup works now, but only after I added Reverse Lookup.
Calling MS is out of the question - this is a secure LAN.
I'll run netdiag /fix now and post.
ASKER
ASKER
netdiag /fix:
Passed all
Skipped WINS, WAN Config, IP Security
Failed Gateway
I ran ipconfig /all and saw IP Routing Enabled....... No
Normal?
Ran dnslint /d domain.com /s xxx.xxx.xxx.23 again and it seemed to have found two DNS servers. The only difference is that one is answering authoritatively (server1.domain.com) and the other is not (server1). I'm thinking it's just the way I queried, but what do I know?
dnslint /d domain.com /s xxx.xxx.xxx.23:
DNS server: server1
IP Address: xxx.xxx.xxx.23
UDP Port 53: YES
TCP Port 53: Not tested
Authoritatively: NO
SOA record data from server:
Authoritative: server1.domain.com
Hostmaster: hostmaster.domain.com
Zone serial: 1027
Zone expires: 1.00 day(s)
Refresh: 900 seconds
Retry: 600 seconds
Default TTL: 3600 seconds
Additional authorative (NS) records from server:
server1.domain.com xxx.xxx.xxx.23
Host (A) records for domain from server:
xxx.xxx.xxx.23
Mail Exchange (MX):
None found
__________________________
DNS server: server1.domain.com
IP Address: xxx.xxx.xxx.23
UDP Port 53: YES
TCP Port 53: Not tested
Authoritatively: YES
SOA record data from server:
Authoritative: server1.domain.com
Hostmaster: hostmaster.domain.com
Zone serial: 1027
Zone expires: 1.00 day(s)
Refresh: 900 seconds
Retry: 600 seconds
Default TTL: 3600 seconds
Additional authorative (NS) records from server:
server1.domain.com xxx.xxx.xxx.23
Host (A) records for domain from server:
xxx.xxx.xxx.23
Mail Exchange (MX):
None found
ASKER
I also added Server1 and its IP to the Hosts file:
%SYSTEMROOT%\System32\driv
xxx.xxx.xxx.23 Server1
So, are you having any other problems?
ASKER
The only other problem I'm having is with clients not running logon scripts. They don't seem to be looking into SYSVOL or NETLOGON for them.
ASKER
What are the current issues you are experiencing?
So just as a quick tip on troubleshooting the log on scripts - Run an RSoP (logging mode) on any machine against a user account that is not running the script successfully. More often than not, the results of the RSoP will point to why the script isn't running (it gives a reason for failure to apply any policies that are correctly linked to the accounts you run the RSoP session on).
Your clients will look to SYSVOL (and need to be able to access the SYSVOL share - i.e. Authenticated Users should have Read permissions to it) to get all their policy information, including scripts etc (assuming the scripts are in the SYSVOL share). NETLOGON is for legacy clients and is not normally used anymore.
SYSVOL is accessed by looking to \\DomainName\SYSVOL, which in your case should basically be \\DCName\SYSVOL, as you currently only have 1 DC - However if there is any residual weirdness in DNS that may end up pointing \\DomainName\SYSVOL to a DC that doesn't technically exist anymore, the script and/or any other policies may well fail.
Ensure permissions are set correctly to this share, and if you can, try connecting to \\DomainName - Right-click the SYSVOL share, and check the DFS tab - Ensure there are no other servers in the referral list than this DC...
Pete
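Pete's post above describes what a client needs in order to run logon scripts: \\DomainName\SYSVOL must resolve to a DC that still exists, the share must be reachable, and Authenticated Users must be able to read it. As an added example (not from the thread or from Pete), here is that check in PowerShell. It assumes the ActiveDirectory and DnsClient modules (RSAT on Windows 8 / Server 2012 or later) and the standard layout in which logon scripts live in SYSVOL\<domain>\scripts; domain.com is a placeholder.

```powershell
# Added example: check SYSVOL the way a client reaches it. Assumes the ActiveDirectory and
# DnsClient modules; "domain.com" is a placeholder. Not code from the thread.
function Test-SysvolAccess {
    param([Parameter(Mandatory)] [string] $Domain)   # e.g. domain.com
    $findings = New-Object System.Collections.Generic.List[string]

    # 1) \\domain.com\SYSVOL is reached via the zone apex A records. Each one must belong to a
    #    current DC; a leftover record for a removed DC sends clients to a dead SYSVOL.
    $liveDcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty IPv4Address)
    $apex = @(Resolve-DnsName -Name $Domain -Type A -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' })
    if ($apex.Count -eq 0) { $findings.Add("$Domain has no A records; \\$Domain\SYSVOL cannot be located") }
    foreach ($rec in $apex) {
        if ($liveDcs -notcontains $rec.IPAddress) {
            $findings.Add("$Domain resolves to $($rec.IPAddress), which is not a current DC (stale record)")
        }
    }

    # 2) The scripts folder must open by the domain name clients actually use.
    $path = "\\$Domain\SYSVOL\$Domain\scripts"
    if (-not (Test-Path -LiteralPath $path)) {
        $findings.Add("cannot open $path")
    } else {
        # 3) Authenticated Users need an Allow ACE carrying ReadAndExecute (FullControl and Modify include it).
        $rx  = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        $acl = Get-Acl -LiteralPath $path
        $ok  = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $rx) -eq $rx)
        }
        if (-not $ok) { $findings.Add("Authenticated Users lack ReadAndExecute on $path") }
    }

    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings }
}

# Usage:
# Test-SysvolAccess -Domain 'domain.com' | Format-List
# On a client where the script still does not run, the RSoP data Pete refers to can also be
# pulled from the command line with:  gpresult /r /scope user
```

The DNS check is the one that matters most in this thread's situation: after Server2 was removed, any apex A record still pointing at its old address would make \\domain.com\SYSVOL intermittently unreachable even though \\Server1\SYSVOL works.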
ASKER
Will do and these problems Pete addressed are my only remaining ones, I believe. I'll be back with results.
Pete,
Thanks for jumping in.
Ok, I'll run RSoP in Logging Mode. Just to be sure, I'm running this from my server, against the user who's not running the scripts. It might be an issue for everyone, actually. When I added SERVER2008 to the domain, it didn't run my user.bat or admin.bat scripts. It didn't load the wallpaper, either, but it did display the User Agreement popup...
Yea, I remember reading about NETLOGON not being used anymore and I did make sure Authenticated Users has read/write/execute. I even added Everyone to permissions with read/write/execute.
ASKER
Ran RSoP snap in, but I don't know what I'm looking for. I have the HTML printout in front of me, but it's for Server1. What now?
This usually then tells you why that particular policy isn't applying, be it that 'Group Policy Infrastructure Failed' or whatever (with more details), which gives you a starting point to look at. Basically just post the error information back here.
Also, knowing the actual scope of the problem would be helpful - Can you confirm who/what it is affecting? All client machines regardless of who's logged on? All users but only from certain machines? All on All? etc...
Did you check the DFS tab of the SYSVOL share too?
The computer also needs to be switched on at the time... :) Then it should produce the RSoP console (looks much like what you see when you're editing a GPO) but only displays the settings that have been configured - Any particular aspects of the 'tree' that are failing should have those X's against them...
Take a look and let me know if all looks good there or not?
Pete
ASKER
I'll verify the scope, check DFS tab, and rerun RSoP on client, then post. Thanks.
ASKER
First off, some FYI:
sysvol\sysvol is shared as "SYSVOL"
sysvol\sysvol\domain.com\s
Yes, there are both sysvol and NETLOGON folders and they synchronize with each other.
"DFS tab" I couldn't find, but I did look in the DFS service and didn't see SYSVOL.
I ran RSoP on Server1, SERVER2008, and a few clients. On these I logged in as Domain Admin and ran RSoP for the machine and pretty much all users. I printed the problem user and found nothing in red. I looked at all users' Local Policies (User and Security) and found that they are all receiving the Default GP that Server1 is employing. Server1 does not abide by Default GP, correct?
All machines with all clients seemed to be running the scripts after all. The problem was with SERVER2008. Stupid thing was that I had been logging in as SERVER2008\Administrator instead of domain\Administrator. Once I logged in as domain\admin, scripts ran, but still no wallpaper.
Summary of RSoP:
From Server1, logged in as domain\Administrator:
RSoP of
Same machine\Administrator - different set of policies
Same machine\older user - Default GP
Same machine\new user - Default GP
From SERVER2008, logged in as domain\Administrator:
RSoP of
Same machine\Administrator - Default GP
Same machine\older user - Default GP
Same machine\new user - Default GP
From client PCs, logged in as domain\Administrator:
RSoP of
Same machine\Administrator - Default GP
Same machine\older user - Default GP
Same machine\new user - Default GP
Seem healthy now?
ASKER
Where are we? Now do we have an issue with DNS or our DC?
I already asked you to create a PTR record; again, after 10 days, you are asking whether we need to create a reverse record. Yes, it is good practice and it should be like that.
1) Never create a host record in Active Directory, DNS is quite enough.
Nslookup from Server1.
If you are getting:
Default Server: server1.domain.com
Address: xxx.xxx.xxx.23 < === same server address
Yes, done; your DNS is working with a reverse entry.
If you are getting unknown server:
1) Maybe the server firewall is enabled
2) It will be an issue with Windows Firewall
3) AV software net firewall
If you are trying from another PC, ping with the domain name, not the IP address,
so you can confirm you are reaching the correct domain.
Please let me know if you need further assistance.
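The check above (run nslookup on the DC, confirm the "Default Server" banner names the DC itself, treat "UnKnown" as a missing PTR and a timeout as a firewall/service problem) can be scripted so it is repeatable across several machines. The following is an added example, not code from this thread or from any of its participants; it parses constructed nslookup banner text (modelled on the Windows nslookup output format, with RFC 5737 test addresses) rather than invoking nslookup itself, and the hostname, IP and outcome labels are assumptions for illustration:

```python
import re

# Constructed samples modelled on the banner Windows nslookup prints when
# started with no arguments. None of these is real output from the thread.
HEALTHY = """Default Server:  server1.domain.com
Address:  192.0.2.23
"""

NO_PTR = """*** Can't find server name for address 192.0.2.23: Non-existent domain
Default Server:  UnKnown
Address:  192.0.2.23
"""

TIMED_OUT = """*** Can't find server name for address 192.0.2.23: Timed out
*** Default servers are not available
Default Server:  UnKnown
Address:  192.0.2.23
"""


def parse_nslookup(text):
    """Return (default_server, address) from an nslookup banner, or (None, None)
    for either field that is absent. Only the 'Address:' line that follows the
    'Default Server:' line is taken, so diagnostic '***' lines are ignored."""
    server = None
    address = None
    for line in text.splitlines():
        m = re.match(r"^\s*Default Server:\s*(\S+)", line)
        if m:
            server = m.group(1)
            continue
        m = re.match(r"^\s*Address:\s*(\S+)", line)
        if m and address is None:
            address = m.group(1)
    return server, address


def check_dns_self_resolution(text, expected_fqdn, expected_ip):
    """Classify an nslookup banner against the check described in the thread.

    Returns one of (labels are this example's own):
      'unreachable'  - the DNS server did not answer (look at Windows Firewall,
                       AV firewall, or the DNS service)
      'wrong-server' - the client is using a different DNS server than expected
      'no-ptr'       - the server answered but has no PTR record for itself
      'ok'           - reverse lookup of the server's own IP names the expected DC
    """
    if "Timed out" in text or "Default servers are not available" in text:
        return "unreachable"
    server, address = parse_nslookup(text)
    if server is None or address is None:
        return "unreachable"
    if address != expected_ip:
        return "wrong-server"
    if server.lower() == "unknown":
        return "no-ptr"
    if server.rstrip(".").lower() == expected_fqdn.lower():
        return "ok"
    return "wrong-server"


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("no PTR", NO_PTR), ("timeout", TIMED_OUT)):
        print(name, "->", check_dns_self_resolution(sample, "server1.domain.com", "192.0.2.23"))
```

To use it against a live machine, capture the banner with `nslookup` (press Ctrl+C after the first two lines, or feed it `exit` on stdin) and pass the captured text to `check_dns_self_resolution` together with the DC's FQDN and the IP the clients are supposed to use for DNS; a 'wrong-server' result on a client points at the DHCP scope options or static NIC settings discussed earlier in the thread, while 'no-ptr' means the reverse lookup zone still needs the record.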
Any other policies etc? If they're applying where you want them (i.e. to everything in the tree below where they are linked) then all is good, and you can move on to doing whatever you have planned next. :)
Pete
ASKER
Do I still need to create them if nslookup from server and client looks like this?
Default Server: server1.domain.com
Address: xxx.xxx.xxx.23 < === same server address
I can also successfully ping with domain name from server and clients.
@Pete - My GP seems to be working fine, thanks. So, am I ready to promote now?
ASKER
netsh int ipv6 uninstall
ASKER
Event ID: 13508 - Verify remote procedure call (RPC) connectivity between Computer A and Computer B. An appropriate test may be to open Event Viewer on Computer B from Computer A (which uses RPC). Check FRS event logs on both computers. If Event ID 13508 is present, there may be a problem with the RPC service on either computer or with creating a secure connection between Computer A and Computer B.
I'm going to check this out, but it could be because it's still replicating, I'm guessing?
ASKER
There are no more errors or warnings so far. What next? DNS?
ASKER
dcdiag Server1: All passed
I looked up this error and this is what I've gathered:
"NCSecDesc in DCDIAG is to check that the security descriptors on the application directory partition heads have appropriate permissions for replication.
It is an expected issue when you promote a Windows Server 2008 domain controller in a Windows Server 2003 domain without preparing RODC (read-only domain controller) in the forest by running 'adprep /rodcprep'. If you do not plan to add an RODC to the forest, it is safe to ignore it. Otherwise, please run 'adprep /rodcprep.'"
ASKER
Serv1 has been demoted and is now a member server.
Ran dcdiag on Serv2 and no failures.
Event logs look good except for a couple warnings:
Source: Time-Server - Event ID 131
Source: Time-Server - Event ID 12
Source: Kerberos - Event ID 29
This post should help you out on doing this.
https://www.experts-exchange.com/questions/24952625/Windows-Server-2008-set-time-with-server.html?cid=1573&anchorAnswerId=25976367#a25976367
ASKER
http://support.microsoft.com/kb/816042
ASKER
Everything seems to be working fine. Any other problems I run into I'll start a new question for, if needed. Thanks, everyone! Especially Chief and darius!