
Solved

Domain Controller/Active Directory behaving weird, what's the issue?

Posted on 2009-12-27
Medium Priority
707 Views
Last Modified: 2012-05-08
I am inexperienced with administering Active Directory and domain controllers, but I know enough that there is some weird behavior going on with one of the servers. I don't know what it is though.

I inherited this setup. We have two W2k3 domain controllers. The first one we'll call Ex, the second one Pr.

Now, Ex is the primary one I've been using, but something isn't right.

Here is what I'm noticing:
I have a Buffalo Terastation NAS that will not pull the users from this Ex DC.
I have McAfee ePolicy Orchestrator that will browse the tree, but not sync the list of computers.
If I point the ePO software to the Pr server it pulls via LDAP just fine.
IMAP services on Ex (which is running Exchange 2003) will not load correctly on boot unless the Pr server is running.
When I do a DSQuery | DSGet on the Ex server I get the error: "dsquery failed:A referral was returned from the server."

If I load up Active Directory Users and Computers on Ex, I can browse and make changes to computers, add users, distribution lists, etc. It lists all the latest computers and users.

What's the deal? Let me know if I can provide you with more information.
Question by:sweetseater
10 Comments
 
LVL 39

Expert Comment

by:ChiefIT
ID: 26129390
Run DCdiag /v at the command prompt and look for errors.

We will need to pinpoint the problem. Sounds like a DNS problem.

ePO uses NetBIOS to find and list computers; then it is a SQL Server database that lists local users. However, it can query the AD database if you let it.

Buffalo TeraStations also use NetBIOS to connect to file shares. However, you can join the domain with the TeraStation.

Since both seem to be having issues, this could be a NetBIOS problem. Or it could be a DNS problem on DC1.

Also, go into the DNS snapin on DC1 and look at the MSDCS file folders to see if any are greyed out. Those will be in your DNS forward lookup zones. Any Event log errors and DCdiag reports would be helpful.
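An added example, not code from the thread or from ChiefIT: the dcdiag run and the _msdcs check he asks for, done from one PowerShell console against both DCs. It assumes PowerShell 3 or later on a domain-joined admin workstation running Windows 8 / Server 2012 or newer (Resolve-DnsName), dcdiag.exe on the path, and the names that appear in the question's own output (DC1, DC2, mydomain.com); change those to match.

```powershell
# Added example, not code from the thread. Runs dcdiag against each DC and lists the
# tests that failed, then checks the _msdcs SRV records every DC must register, which
# is what greyed-out _msdcs folders in the DNS snap-in would also betray.
# Assumptions (not stated in the thread): PowerShell 3+ on a Windows 8 / Server 2012
# or newer admin workstation, dcdiag.exe on the path, names DC1, DC2, mydomain.com.
$Domain = 'mydomain.com'
$DCs    = 'DC1', 'DC2'

function Get-DcdiagFailures {
    param([string]$Server)
    # /s: targets a remote DC; /q prints only errors, so no output means a clean run.
    $lines  = & dcdiag.exe /s:$Server /q 2>&1 | ForEach-Object { "$_" }
    $failed = @()
    foreach ($line in $lines) {
        if ($line -match 'failed test (\w+)') { $failed += $Matches[1] }
    }
    [pscustomobject]@{
        Server      = $Server
        FailedTests = $failed
        RawOutput   = $lines
    }
}

function Get-MsdcsRegistration {
    param([string]$DomainName, [string[]]$DomainControllers)
    # Every DC registers under dc._msdcs; only global catalogs appear under gc._msdcs
    # and only the PDC emulator under pdc._msdcs, so that record is listed, not checked.
    $names = @(
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_kerberos._tcp.dc._msdcs.$DomainName",
        "_ldap._tcp.gc._msdcs.$DomainName",
        "_ldap._tcp.pdc._msdcs.$DomainName"
    )
    foreach ($name in $names) {
        $targets = @()
        $status  = 'ok'
        try {
            $targets = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                         Where-Object { $_.Type -eq 'SRV' } |
                         ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') })
        } catch {
            $status = "lookup failed: $($_.Exception.Message)"
        }
        $missing = @()
        if ($name -notlike '*.pdc.*') {
            $missing = @($DomainControllers | Where-Object {
                $targets -notcontains "$($_).$DomainName".ToLower()
            })
        }
        [pscustomobject]@{
            Record  = $name
            Targets = $targets -join ', '
            Missing = $missing -join ', '
            Status  = $status
        }
    }
}

$DCs | ForEach-Object { Get-DcdiagFailures -Server $_ } |
    Select-Object Server, @{ n = 'FailedTests'; e = { $_.FailedTests -join ', ' } } |
    Format-Table -AutoSize

Get-MsdcsRegistration -DomainName $Domain -DomainControllers $DCs | Format-Table -AutoSize -Wrap
```

A DC that shows up in the Missing column for the dc._msdcs or gc._msdcs records has not registered itself in DNS (or the zone is not loading on the server you resolve against), which is the kind of DNS fault ChiefIT is pointing at; the RawOutput property of the first function keeps the full dcdiag text for the event-log errors he also asks for.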
 
LVL 1

Expert Comment

by:jane_doe
ID: 26130479
Hi,

DCdiag and Netdiag are your best guesses. It also could be a problem with replication; you can troubleshoot replication between domain controllers by using replmon and repadmin (all of the tools ChiefIT and I are talking about are in the suptools folder on the installation CD, and they are also available to download from the Microsoft website).

Regarding your Exchange not working properly with one DC shut down: Exchange works tightly with a thing called the global catalog, and it's possible that the DC you're shutting down is a global catalog. You should try to see if the problem is solved when you enable global catalog on both DCs. Global catalog can be enabled from the Sites and Services console.

Roy
 

Author Comment

by:sweetseater
ID: 26135322
You guys are awesome. A couple of things I have found:

On DC1:

1. dcdiag /v produces no errors.
2. dcdiag /c /q /a produces:

** Did not run Outbound Secure Channels test
because /testdomain: was not entered
An Error Event occured.  EventID: 0xC0002719
   Time Generated: 12/28/2009   17:31:15
   (Event String could not be retrieved)
An Error Event occured.  EventID: 0xC0002719
   Time Generated: 12/28/2009   17:31:57
   (Event String could not be retrieved)
......................... DC1 failed test systemlog

Test results for domain controllers:
   DC: DC2.mydomain.com
   Domain: mydomain.com

      TEST: Basic (Basc)
         Error: No WMI connectivity

Summary of DNS test results:

                                   Auth Basc Forw Del  Dyn  RReg Ext
      ________________________________________________________________
   Domain: mydomain.com
      dc2                       PASS FAIL n/a  n/a  n/a  n/a  n/a

......................... mydomain.com failed test DNS

and on DC2:

1. dcdiag /v produces no errors.
2. dcdiag /c /q /a produces:

** Did not run Outbound Secure Channels test
because /testdomain: was not entered
An Error Event occured.  EventID: 0xC0002719
   Time Generated: 12/28/2009   17:31:15
   (Event String could not be retrieved)
An Error Event occured.  EventID: 0xC0002719
   Time Generated: 12/28/2009   17:31:57
   (Event String could not be retrieved)
......................... DC1 failed test systemlog

Test results for domain controllers:

   DC: DC1.mydomain.com
   Domain: mydomain.com


      TEST: Basic (Basc)
         Error: No WMI connectivity

Summary of DNS test results:

                                   Auth Basc Forw Del  Dyn  RReg Ext
      ________________________________________________________________
   Domain: mydomain.com
      dc1                       PASS FAIL n/a  n/a  n/a  n/a  n/a

......................... mydomain.com failed test DNS

AND

on DC1 in the Event viewer filtered for DNS events showed this:

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4015
Date:            10/10/2009
Time:            11:31:02 AM
User:            N/A
Computer:      DC1
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4004
Date:            10/10/2009
Time:            11:31:02 AM
User:            N/A
Computer:      DC1
Description:
The DNS server was unable to complete directory service enumeration of zone ..  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

and this:

Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4515
Date:            11/8/2009
Time:            5:31:28 PM
User:            N/A
Computer:      DC1
Description:
The zone mydomain.com was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.mydomain.com. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.
 
If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.
 
If there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this conflict.
 
To change the replication scope of an application directory partition containing DNS zones and for more details on storing DNS zones in the application directory partitions, please see Help and Support.

on DC2 I get the same first three errors.

Nothing is grayed out in the msdcs file folders on DC1. Global Catalog is enabled for both DCs. There is no query policy selected, but I think that's default.
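An added example, not code from the thread: the 4515 warning above names the two places a copy of mydomain.com was found (the legacy MicrosoftDNS container in the domain partition and the DomainDnsZones application partition). This PowerShell script asks one DC over LDAP/ADSI which partitions actually hold a dnsZone object for that name, so the duplicate can be seen before anything is deleted. It assumes PowerShell on a domain-joined admin workstation and the names from the posted output (DC1, mydomain.com).

```powershell
# Added example, not code from the thread. Finds every copy of an AD-integrated zone
# across the three partitions Windows DNS can store it in, which is what DNS event
# 4515 is complaining about. Assumptions: PowerShell on a domain-joined admin
# workstation, DC1 and mydomain.com as in the question; uses ADSI only, no AD module.
$Domain   = 'mydomain.com'
$DC       = 'DC1'
$ZoneName = 'mydomain.com'
$domainDN = 'DC=' + (($Domain -split '\.') -join ',DC=')

# Where an AD-integrated zone can live (label -> container DN).
$containers = [ordered]@{
    'Domain partition (legacy MicrosoftDNS, all DCs in the domain)' = "CN=MicrosoftDNS,CN=System,$domainDN"
    'DomainDnsZones (DNS servers in the domain)'                     = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
    'ForestDnsZones (DNS servers in the forest)'                     = "CN=MicrosoftDNS,DC=ForestDnsZones,$domainDN"
}

function Find-ZoneCopies {
    param([string]$Server, [string]$Zone, $Containers)
    foreach ($label in $Containers.Keys) {
        $path = "LDAP://$Server/$($Containers[$label])"
        # A partition the DC does not host (or cannot bind) is reported, not fatal.
        $exists = $false
        try { $exists = [System.DirectoryServices.DirectoryEntry]::Exists($path) } catch { }
        if (-not $exists) {
            Write-Warning "$label : container not reachable at $path"
            continue
        }
        $root     = New-Object System.DirectoryServices.DirectoryEntry($path)
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter      = "(&(objectClass=dnsZone)(name=$Zone))"
        $searcher.SearchScope = 'OneLevel'
        $null = $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'whenChanged'))
        foreach ($r in $searcher.FindAll()) {
            [pscustomobject]@{
                Partition   = $label
                DN          = $r.Properties['distinguishedname'][0]
                WhenChanged = $r.Properties['whenchanged'][0]
            }
        }
    }
}

$copies = @(Find-ZoneCopies -Server $DC -Zone $ZoneName -Containers $containers)
$copies | Format-Table -AutoSize -Wrap

if ($copies.Count -gt 1) {
    Write-Host "Zone '$ZoneName' has $($copies.Count) copies: this is the 4515 conflict." -ForegroundColor Red
    Write-Host "Compare WhenChanged, decide which copy is the live one, delete the other from that partition only, then re-check both DCs after replication."
} elseif ($copies.Count -eq 1) {
    Write-Host "Zone '$ZoneName' exists once, in: $($copies[0].Partition)" -ForegroundColor Green
} else {
    Write-Host "No dnsZone object named '$ZoneName' found on $DC." -ForegroundColor Yellow
}
```

Run it against each DC in turn: the event text says the server keeps the copy it loaded first and ignores the other, so the two DCs may be serving different copies of the same zone until one copy is removed.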
 
LVL 39

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 26135402
4004 and 4015:
Those errors can be caused upon bootup and if so can be safely ignored. These errors happen when AD starts prior to DNS upon boot up. Now if you see a bunch of them after logging on, you probably have a problem.

4515:
4515 sounds like you have a stub zone within DNS. In your forward lookup zone, do you see this stub zone (a zone within itself)?

I am going to have to research this a bit more.

DCdiag error 0xC0002719:
This sometimes means the 2003 server tools are the incorrect version for the OS you are currently on. You could be running 2000 Server diagnostic tools on a 2003 machine, or 2003 Server x32-bit tools on an x64-bit machine. Usually this error comes with a bunch of DNS errors as well.

I think we are looking in the wrong spot for problems.

Let's look at NetBIOS health:
Go to "My Network Places" and see if you have a full list of computers there. If so, NetBIOS broadcasts are reaching the server and populating the browse list. Also look for event log errors in the 8000s like 8032 and 8021 (check both the domain server and your server that holds ePO).

The dead giveaway will be a full or partial list of computers in My Network Places.
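An added example, not code from the thread or from ChiefIT: his rule of thumb for 4004/4015 (harmless right after boot, a problem if they keep coming) applied mechanically, by lining up each DNS event against the boot markers in the System log, plus the 8021/8032 browser events he mentions. It assumes PowerShell 3 or later on an admin workstation with rights to read the classic event logs on the DCs, the names DC1 and DC2 from the question, and a ten-minute grace window after boot, which is a judgement call rather than anything from the thread.

```powershell
# Added example, not code from the thread. Classifies DNS events 4004/4015/4515 on
# each DC as boot-time noise or a live problem, using System event 6005 (written by
# the EventLog source once per boot) as the boot marker, and lists browser events
# 8021/8032. Assumptions: PowerShell 3+, remote event-log read rights on DC1 and DC2,
# a 10-minute grace window chosen here, not taken from the thread.
$DCs = 'DC1', 'DC2'
$BootGraceMinutes = 10

function Get-BootTimes {
    param([string]$Computer)
    Get-EventLog -ComputerName $Computer -LogName System -Source EventLog -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 6005 } |
        ForEach-Object { $_.TimeGenerated }
}

function Get-DnsEventVerdicts {
    param([string]$Computer, [datetime[]]$Boots, [int]$GraceMinutes)
    $dns = Get-EventLog -ComputerName $Computer -LogName 'DNS Server' -ErrorAction SilentlyContinue |
           Where-Object { $_.EventID -in 4004, 4015, 4515 }
    foreach ($e in $dns) {
        # Most recent boot at or before the event, if we still have a record of it.
        $nearestBoot = $Boots | Where-Object { $_ -le $e.TimeGenerated } |
                       Sort-Object -Descending | Select-Object -First 1
        $verdict = if ($e.EventID -eq 4515) {
            'zone present in two partitions: fix'
        } elseif ($nearestBoot -and ($e.TimeGenerated - $nearestBoot).TotalMinutes -le $GraceMinutes) {
            'within boot window: ignorable'
        } else {
            'after boot: investigate'
        }
        [pscustomobject]@{
            Computer = $Computer; Log = 'DNS Server'; EventID = $e.EventID
            Time = $e.TimeGenerated; Verdict = $verdict
        }
    }
}

function Get-BrowserEvents {
    param([string]$Computer)
    Get-EventLog -ComputerName $Computer -LogName System -Source BROWSER -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -in 8021, 8032 } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $Computer; Log = 'System/BROWSER'; EventID = $_.EventID
                Time = $_.TimeGenerated; Verdict = 'browse list retrieval failed'
            }
        }
}

$report = foreach ($dc in $DCs) {
    $boots = @(Get-BootTimes -Computer $dc)
    Get-DnsEventVerdicts -Computer $dc -Boots $boots -GraceMinutes $BootGraceMinutes
    Get-BrowserEvents -Computer $dc
}
$report | Sort-Object Computer, Time | Format-Table -AutoSize
```

Events older than the oldest surviving 6005 marker cannot be matched to a boot and are reported as "after boot: investigate"; the DNS events pasted above are from October and November, so on a server rebooted since then they will fall into that bucket and need the System log history to be read the same way by hand.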
 
LVL 1

Assisted Solution

by:jane_doe
jane_doe earned 500 total points
ID: 26136714
A fix to a NetBIOS problem would be pretty simple.
Start >> Run >> ncpa.cpl >> double-click network card >> Properties >> in the General tab look for Internet Protocol and double-click it >> Advanced tab >> WINS tab; just make sure that you have the first radio button checked on the lower part of the screen, and if you don't have a WINS server in your network (I'd like to believe you don't...) remove any WINS server.
Just to be clear, the first option starts with "Default".

That's the whole deal in NetBIOS enablation (not a word, but you get what I mean).

Just to make sure it's not about NetBIOS:
netdiag /test:nbtnm
netdiag /fix /verbose

The problem IMO seems much more likely to deal with replication of partitions.

A general and penetrative solution to this could be to demote Pr (this is the one that will answer queries from LDAP).
Before you do this you need to make sure that the other (remaining) DC is a global catalog and that the information is replicated.

repadmin /syncall server1 dc=microsoft,dc=com (where server name is your DC)
Do this from both DCs and name the other DC.
This command basically tells your DC: sync all of the directory partitions from that domain controller.

Before you demote your DC please consult here again.

Roy

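An added example, not code from the thread or from either commenter: the two checks jane_doe says must pass before any demotion (that the remaining DC is a global catalog, and that the directory partitions are replicated), which also covers the replication/GC advice in her earlier comment. It assumes PowerShell 3 or later on a domain-joined admin workstation, repadmin.exe on the path with /csv support (Server 2003 SP1 support tools or later RSAT), and the DC names DC1 and DC2 from the question.

```powershell
# Added example, not code from the thread. Reads RootDSE on each DC to confirm it is a
# global catalog and lists its naming contexts (domain, configuration, schema and the
# DomainDnsZones / ForestDnsZones application partitions), then parses
# "repadmin /showrepl /csv" for per-partition replication failures.
# Assumptions: PowerShell 3+, repadmin with /csv (2003 SP1+ or RSAT), DC1 and DC2.
$DCs = 'DC1', 'DC2'

function Get-GcStatus {
    param([string]$Server)
    # RootDSE is readable by any authenticated user; no AD module required.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    [pscustomobject]@{
        Server          = $Server
        IsGlobalCatalog = [bool]::Parse([string]$rootDse.Properties['isGlobalCatalogReady'].Value)
        NamingContexts  = @($rootDse.Properties['namingContexts']) -join '; '
    }
}

function Get-ReplicationStatus {
    param([string]$Server)
    # /csv gives one row per (naming context, source partner) pair for this destination.
    $rows = & repadmin.exe /showrepl $Server /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        [pscustomobject]@{
            Destination = $r.'Destination DSA'
            Partition   = $r.'Naming Context'
            Source      = $r.'Source DSA'
            Failures    = [int]$r.'Number of Failures'
            LastSuccess = $r.'Last Success Time'
            LastStatus  = $r.'Last Failure Status'
        }
    }
}

$gc = $DCs | ForEach-Object { Get-GcStatus -Server $_ }
$gc | Format-Table -AutoSize -Wrap
$notGc = @($gc | Where-Object { -not $_.IsGlobalCatalog })
if ($notGc.Count -gt 0) {
    Write-Warning "Not a global catalog: $(($notGc | ForEach-Object { $_.Server }) -join ', '). Enable it in Sites and Services before demoting the other DC."
}

$repl = $DCs | ForEach-Object { Get-ReplicationStatus -Server $_ }
$repl | Sort-Object Destination, Partition | Format-Table -AutoSize
$broken = @($repl | Where-Object { $_.Failures -gt 0 })
if ($broken.Count -gt 0) {
    Write-Warning 'Replication failures found; resolve these before any repadmin /syncall or demotion:'
    $broken | Format-Table Destination, Partition, Source, Failures, LastStatus -AutoSize
} else {
    # /A = all partitions, /e = include other sites, /q = quiet; this is the pull that
    # jane_doe's "repadmin /syncall" does, run from each DC naming the other.
    Write-Host 'All naming contexts replicate cleanly; a forced sync would be: repadmin /syncall <DC> /Aeq' -ForegroundColor Green
}
```

A DomainDnsZones or ForestDnsZones row with a non-zero Failures count is the case that matters for the DNS symptoms in this thread: the DNS server loads its AD-integrated zones from those partitions, and a partition that is not replicating explains a zone that loads on one DC and not the other.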
 
LVL 1

Expert Comment

by:jane_doe
ID: 26136743
Addition to my last post:
If and after you demote the bad DC (sit DC... sit), the purpose is to create it as a DC and hopefully solve the problem.

IMO, the main problem is that the DC is not able to query itself via LDAP. LDAP is just a service; hopefully upon uninstalling and reinstalling that service it will come back to life again.
Another interesting thing you can try is to go to a command prompt and see if the bad DC is even listening on the LDAP port (389) by using netstat -nao; hopefully you're familiar with the output you will get, it's kinda straightforward :)

Roy

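An added example, not code from the thread or from jane_doe: her netstat idea taken remotely and one step further. For each DC it tests that the LDAP-family ports accept a TCP connection, then on the plaintext ports (389 and the global catalog port 3268) actually binds and reads the domain head with referral chasing turned off, so a DC that listens but answers with an error or a referral (the message dsquery gave in the question) shows up instead of being quietly followed to the other DC. It assumes PowerShell 3 or later on a domain-joined admin workstation and the names from the thread (DC1, DC2, mydomain.com); 636 and 3269 are connection-tested only, because a 2003 DC without a server certificate does not listen on them.

```powershell
# Added example, not code from the thread. TCP-tests 389/636/3268/3269 on each DC and,
# on 389 and 3268, runs a base-scope LDAP search for the domain object with referral
# chasing disabled. Assumptions: PowerShell 3+, domain-joined workstation, names
# DC1, DC2 and mydomain.com from the question.
$DCs      = 'DC1', 'DC2'
$Domain   = 'mydomain.com'
$domainDN = 'DC=' + (($Domain -split '\.') -join ',DC=')
$ports    = [ordered]@{ LDAP = 389; LDAPS = 636; GC = 3268; GCSSL = 3269 }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-LdapAnswer {
    param([string]$Server, [int]$Port, [string]$BaseDN)
    try {
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:${Port}/$BaseDN")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter          = '(objectClass=domainDNS)'
        $searcher.SearchScope     = 'Base'
        # Do not follow referrals: the question is whether THIS server answers for
        # its own domain, so a referral must come back as an error, not a silent hop.
        $searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::None
        $result = $searcher.FindOne()
        if ($result) { return 'answers' } else { return 'bound, but no domain object returned' }
    } catch {
        return "error: $($_.Exception.Message)"
    }
}

$report = foreach ($dc in $DCs) {
    foreach ($name in $ports.Keys) {
        $port = $ports[$name]
        $open = Test-TcpPort -ComputerName $dc -Port $port
        $ldap = 'n/a'
        if ($open -and ($port -eq 389 -or $port -eq 3268)) {
            $ldap = Test-LdapAnswer -Server $dc -Port $port -BaseDN $domainDN
        }
        [pscustomobject]@{ Server = $dc; Service = $name; Port = $port; TcpOpen = $open; LdapQuery = $ldap }
    }
}
$report | Format-Table -AutoSize -Wrap
```

A row with TcpOpen true but LdapQuery showing an error is the interesting one: the service is listening, which is all netstat can tell you, yet the directory behind it is not answering for the domain, which matches the symptoms in the question better than a closed port would.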
 
LVL 39

Expert Comment

by:ChiefIT
ID: 27638980
demazter:

Hard to tell the scopes of the problems. I'll bet the author Google-searched the DNS issues and fixed it.

There were certainly DNS and a domain master browser conflict that we discovered using DCdiag and netdiag.

To completely fix it, the author needed just a wee bit more participation.

NetBIOS & DNS troubleshooting was certainly a great start and probably led to a solution.

I say split points evenly across the board and let's hope the author butts in.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 27638991
Changing CV recommendation for a split of points between comment ID: http:#26135402 and http:#26136714
 
LVL 39

Expert Comment

by:ChiefIT
ID: 27641305
Did I hit Object??

Sorry about that. I didn't mean to.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 27641422
No, I did :-)
Based on your last statement :-)
