kaskhedikar_tushar asked:

DNS issues

I have one Windows Server 2003 as a domain controller (Active Directory with DNS integrated). Now the problem is that the DNS server is not working. The zones of the DNS server, both Forward and Reverse, are empty. So can I reinstall DNS without losing Active Directory?
Please help.



     
Chris Dent


Yes you can, but doing so may not help.

Are the zones completely empty? Or do you have NS and SOA records in there?

How have you configured your TCP/IP settings? Which DNS servers does everything refer to?

Chris
Hi,

If the zones for your AD Domain exist, but are empty, and you've confirmed DNS is up and running, you can repopulate the AD info into the DNS zones this way:

Set the Zones Security to allow unsecure updates.  Then on the DC, bring up a command prompt and run this:

netdiag /fix

This will repopulate the AD stuff into the zones.  You may need to load the netdiag utility from the tools folder on the Windows 2003 install media.

Once you get everything back, be sure to get a good backup of this box and the system state so you can just restore if this happens again.

Good Luck,
- gurutc
kaskhedikar_tushar (ASKER)

Hello Gurutc,

The DNS service is running, and in DNS Management I can see both forward and reverse lookup zones, but they are empty. When I right-click on Forward Lookup and create a new zone, it gives an error at the end.

DNS
-------------------------
The zone cannot be replicated to all DNS servers in the (null) Active Directory domain because the required application directory partition does not exist. Only Enterprise Administrators have the appropriate permissions to create an application directory partition.

To store this zone in a domain container until the partition is created, close this message, and then click Replicate to All Domain Controllers in the Active Directory Domain option.

For more information about creating DNS application partitions and storing zones in domain containers, see Help.
-------------------------
OK.

This has been happening since yesterday, when I was trying to add a Linux machine to the Windows domain.
Thanks
Hello Chris,

This is a domain controller, Active Directory with DNS. TCP/IP settings are already there. Both zones are empty. When I add new zones from Forward Lookup, it gives me an error. This has been happening since yesterday, when I was trying to add a Linux machine to the Windows domain controller.

DNS Error :
-------------------------
The zone cannot be replicated to all DNS servers in the (null) Active Directory domain because the required application directory partition does not exist. Only Enterprise Administrators have the appropriate permissions to create an application directory partition.

To store this zone in a domain container until the partition is created, close this message, and then click Replicate to All Domain Controllers in the Active Directory Domain option.

For more information about creating DNS application partitions and storing zones in domain containers, see Help.
-------------------------
OK

Please help


Okay, that makes sense then.

First let's deal with the zone.

Does it let you delete the zone in the DNS console? If it does, please do that now.

Then create a new Forward Lookup Zone with your domain name, when it asks for a replication scope choose "All Domain Controllers in the AD Domain". Permit Secure Dynamic Updates on the zone.

Once done, on your DC run "ipconfig /registerdns" and "net stop netlogon && net start netlogon" or restart the netlogon service through the Administrative Tools\Services.

Then, after making sure you're an Enterprise Administrator, right click on the DNS server in the console and select "Create Default Application Directory Partitions". Please let me / us know if that throws back an error message.

Chris
Thanks for the quick reply. I am sending screenshots of the DNS management console. Please let me know what I should do.

Thanks    
I receive this error after this

error :
DNS
-------------------------
The zone cannot be created.
The data is invalid.
-------------------------
OK

When do you see the DNS error generated above? When you start the console?

Chris
CHRIS...

Let me clarify.
A Win2003 server is the domain controller, with Active Directory integrated with DNS, and one more server is configured on the network as an additional domain controller (a BDC); its name is
benchmarknew.nbits.com

Server name is: Bigbase
Full computer name is: bigbase.nbits.com
Domain: nbits.com

Since last night we have been trying to join a CentOS Linux PC to this bigbase Active Directory, and it has not been added to this Windows server.

Since today we have been receiving errors from the System/Application and DNS sources. The event IDs are:

Source DNS: 4000 & 4007
Source Application: userenv: 1053

All server resources are not accessible; a file server is also configured on this server.
Users can log in to this domain, but sometimes shared folders are accessible and sometimes not,
and internet browsing is slow. Yes, of course, the DNS server has crashed, as per the screenshots given.

I also tried to create new forward and reverse lookup zones; it gives the error in the comment above.


Please help, we are in a crunch now...

Regards,
Tushar




Work-around first then...

1. New Zone
2. Primary, *not* Active Directory Integrated
3. Enter the name of your AD Domain
4. Permit Dynamic Updates (Secure and Non-Secure)

Run the commands on each DC as above.

Can you let me know if that works?

Chris
Using this process I got an error

DNS
-------------------------
The zone cannot be created.
The data is invalid.
-------------------------
OK

OR

Do you want to say: delete the server name from the DNS management console? Or what? Let me know clearly.

Thanks
 
Hi,

I'm thinking removing DNS Server and reinstalling it may be part of a solution.  We haven't done that yet, right?

- gurutc

No harm in it at this stage, if you have the time, go for it.

I think it's messed up the directory partitions and that reinstalling DNS won't help (but I'm not saying you shouldn't do it). Can you run this from the command line on the DNS server (before or after re-install, doesn't matter which unless it starts working again first):

dnscmd /EnumDirectoryPartitions

I want to know if it thinks they're still present.

Chris
This is the output

C:\Program Files\Support Tools>dnscmd /EnumDirectoryPartitions
Enumerated directory partition list:

        Directory partition count = 0

Command completed successfully


Okay, are you in the Enterprise Administrators group? If so, please run:

dnscmd /CreateBuiltinDirectoryPartitions

And let me know if that throws back an error?

Chris
Yes, we are in the Enterprise Administrators group.

When I ran this command, I received the following error:

C:\Program Files\Support Tools>DnsCmd bigbase.nbits.com /CreateBuiltinDirectoryP
artitions /Domain

Create built-in directory partitions failed
    status = 13 (0x0000000d)

Command failed:  ERROR_INVALID_DATA     13  (0000000d)
 

Which is why it's failing when trying to create the zone.

Your choices are limited here, you have one of two:

1. We attempt to delete the directory partitions and then recreate them
2. Call Microsoft

The second option is here because deletion of those partitions is *not* supported by MS, if that's important to you then you'll need to call MS.

Otherwise I can tell you how to check for and delete the existing partitions.

Chris
Now what is the next step? Please tell me.
We already called Microsoft, but got no proper support from them... :)

How can I reinstall DNS on this Win2003 server? Or
can I first try deleting this bigbase server from the DNS Mgmt console and then try to reconfigure? Or

is it required to run DCPROMO? Demote and promote the server as a domain controller, Active Directory integrated with DNS.

And one more thing: on that additional domain controller (benchmarknew.nbits.com), as I mentioned earlier, can I configure the DNS server, or is it required to promote it to primary domain controller? But I want this bigbase main server to be up.



Regards,

Tushar
And the DNS partition count is 0, so how can we delete and recreate them?
Now, if we go for DCPROMO and create the domain (AD+DNS),
how can we import the AD users? And will all desktop client machines need to be added to the domain again?



Regards,
Tushar

None of the above.

One moment.

Chris
I ran this command. This is the output.


C:\Program Files\Support Tools>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: q
fsmo maintenance: q
ntdsutil: domain management
domain management: connections
server connections: connect to your server bigbase
Error 80070057 parsing input - illegal syntax?
server connections: connect to server bigbase.nbits.com
Binding to bigbase.nbits.com ...
Connected to bigbase.nbits.com using credentials of locally logged on user.
server connections: quit
domain management: select operation target
select operation target: list naming contexts
Found 6 Naming Context(s)
0 - CN=Configuration,DC=nbits,DC=com
1 - DC=nbits,DC=com
2 - CN=Schema,CN=Configuration,DC=nbits,DC=com
3 - DC=DomainDnsZones,DC=nbits,DC=com
4 - DC=ForestDnsZones,DC=nbits,DC=com
5 - DC=bits,DC=com
select operation target:


Now  ??

Thanks.

Now we want to delete DomainDnsZones and ForestDnsZones. So from where you are (the first quit takes you back to Domain Management):

quit
Delete NC DC=DomainDnsZones,DC=nbits,DC=com
Delete NC DC=ForestDnsZones,DC=nbits,DC=com

Again, let me know if that produces an error message of any kind.

If it removes them successfully enter "quit" until you are out of ntdsutil.

Are all your DCs within the same site in AD Sites and Services? If so, please allow 5 minutes for replication then rerun:

dnscmd /CreateBuiltinDirectoryPartitions

This will create both Domain and Forest partitions, replacing those we have just deleted. You can verify that by using NTDSUtil (up to List Naming Contexts) if you wish.

Restart the DNS service and verify that it starts without error, then attempt to create your Forward Lookup Zone again.

Chris
Please check these error messages from when I run the delete domain zone commands.

select operation target: quit
domain management: Delete NC DC=DomainDnsZones,DC=nbits,DC=com

Error Message :

ldap_delete_ext_sW error 0x33(51 (Busy).
Ldap extended error message is 000021A2: SvcErr: DSID-030A09F3, problem 5001 (BU
SY), data 0

Win32 error returned is 0x21a2(The FSMO role ownership could not be verified bec
ause its directory partition has not replicated successfully with atleast one re
plication partner.)
)

2nd command also shows the error message :

domain management: Delete NC DC=ForestDnsZones,DC=nbits,DC=com

ldap_delete_ext_sW error 0x33(51 (Busy).
Ldap extended error message is 000021A2: SvcErr: DSID-030A09F3, problem 5001 (BU
SY), data 0

Win32 error returned is 0x21a2(The FSMO role ownership could not be verified bec
ause its directory partition has not replicated successfully with atleast one re
plication partner.)
)


Regards,
Tushar

Back to NTDSUtil, the output from this please:

Start, Run, ntdsutil

Roles
Connections
Connect To Server YourDC
Quit
Select Operation Target
List Roles for Connected Server

Chris
By the way, do you have any other servers there? Any member servers we can temporarily install the DNS service on while this is fixed?

Chris
Please check :

C:\Program Files\Support Tools>ntdsutil
ntdsutil: Roles
fsmo maintenance: connections
server connections: connect to server bigbase.nbits.com
Binding to bigbase.nbits.com ...
Connected to bigbase.nbits.com using credentials of locally logged on user.
server connections: Quit
fsmo maintenance: Select Operation Target
select operation target: List Roles for connected servers
Error 80070057 parsing input - illegal syntax?
select operation target: List Roles For Connected Server
Server "bigbase.nbits.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=BIGBASE,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=nbits,DC=com
Domain - CN=NTDS Settings,CN=BIGBASE,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=nbits,DC=com
PDC - CN=NTDS Settings,CN=BIGBASE,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=nbits,DC=com
RID - CN=NTDS Settings,CN=BIGBASE,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=nbits,DC=com
Infrastructure - CN=NTDS Settings,CN=BIGBASE,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=nbits,DC=com
select operation target:


Tushar

Thanks, the output there is good.

I'd like to get a DNS server running, but it does rely on you having somewhere to put it. Any other debugging we do is going to be too troubled by DNS at the moment. Anywhere it can go? It won't go on a DC at the moment, but the home does only need to be temporary.

Chris
Yes we have three Servers

1.>Bigbase : bigbase.nbits.com ..........>PDC
2.>Benchmarknew : benchmarknew.nbits.com.............>Additional Domain Controller
3.>eserver : eserver.bits.com ..........................>this server configured in bigbase forest as a  tree

I think we can't use additional domain controller.........right ? coz we have to promote this server as a PDC.

And one more thing can we use eserver ( eserver.bits.com)? On this server AD + DNS is already configured, with all AD users, and in the DNS Mgmt Console:
In forward lookup zones: msdcs.nbits.com & bits.com, and in reverse lookup zones all desktop entries are there.

Pls find this image attachment.

Regards,
Tushar




> coz we have to promote this server as a PDC.

No such thing as PDC and BDC for AD, they're equal partners. Unfortunately that means they're likely to be suffering from the same problem.

> And one more thing can we use eserver ( eserver.bits.com)

Yes, that would be ideal.

Can you create a Forward Lookup Zone for nbits.com?

You will need to change the TCP/IP settings on everything in nbits to refer to eserver for a while. The DCs in nbits should be done first, then you'll need to run "ipconfig /registerdns" and restart netlogon as above.

eserver is within the same Forest as the other two (just want to confirm)? If so, it should have a copy of ForestDnsZones, can you tell me the replication scope for the existing forward lookup zones on eserver?

Chris
Yes eserver is in the same forest and having the forward lookup zone >msdcs.nbits.com & bits.com
and in reverse lookup zone all are same entries as in nbits.com as in screen-shot shown.

don't understand this question : Can you create a Forward Lookup Zone for nbits.com?

you want to say on bigbase server...?

and how we replicate the existing forward lookup zones to eserver..?

Regards,
Tushar

but how can we up the Bigbase server on network means DNS server...?
Is there no solution for this..?

until we delete the dns zones and recreate the dns application partition ...it wont be up..right?

Regards,
Tushar



> you want to say on bigbase server...?

No, on eserver please, because that server is working and should allow you to add a new Forward Lookup Zone.

I want something up and running, at the moment we don't have the zone so anything is an improvement.

> and how we replicate the existing forward lookup zones to eserver..?

We can't get to them unless you have them somewhere in the DNS console? If we can't get to them we can't replicate or copy them.

AD is dependent on DNS, I want to give it DNS then we can look into the other problems like the application partitions.

Chris
OK

Let me be clear: on eserver.bits.com there is already msdcs.nbits.com in the forward lookup zones....right
Please see the image I sent in the above comment. In the reverse lookup zone all desktop clients are already registered.

OR do you want say one more forward lookupzone for nbits.com on eserver...?

Now problem is Bigbase is file server , web server ..so how can we access these resources to client using existing logins.

Regards,
Tushar



> OR do you want say one more forward lookupzone for nbits.com on eserver...?

This.

I'm happy with _msdcs and the bits.com zone, but we need to fix nbits, I want to help it along.

> Now problem is Bigbase is file server , web server ..so how can we access these
> resources to client using existing logins.

Those logins still exist, we might lose the DNS database for nbits.com but that's a small price if we can get it fixed.

The two servers on nbits will need their TCP/IP settings changed to point at eserver for DNS. Once you've done that, and done the two steps to make it register records I'd like to take a look at DCDiag from Bigbase.

Chris
Dcdiag from bigbase

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\BIGBASE
      Starting test: Connectivity
         The host 41540280-a038-4fce-b201-905a2a4edda5._msdcs.nbits.com could no
t be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (41540280-a038-4fce-b201-905a2a4edda5._msdcs.nbits.com) couldn't be
         resolved, the server name (bigbase.nbits.com) resolved to the IP
         address (192.168.1.247) and was pingable.  Check that the IP address
         is registered correctly with the DNS server.
         ......................... BIGBASE failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\BIGBASE
      Skipping all tests, because server BIGBASE is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : nbits
      Starting test: CrossRefValidation
         ......................... nbits passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... nbits passed test CheckSDRefDom

   Running enterprise tests on : nbits.com
      Starting test: Intersite
         ......................... nbits.com passed test Intersite
      Starting test: FsmoCheck
         ......................... nbits.com passed test FsmoCheck

C:\Program Files\Support Tools>


Now you want to say that

one is bigbase server and its ipconfig /all is:

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : bigbase
   Primary Dns Suffix  . . . . . . . : nbits.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : nbits.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-0D-60-17-6F-B6
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.247
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.247


And for eserver.bits.com ipconfig /all is :

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : eserver
   Primary Dns Suffix  . . . . . . . : bits.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : bits.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethern
et NIC
   Physical Address. . . . . . . . . : 00-1C-C0-87-E1-E3
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.155
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.155

and also on eserver dns management console forwarders are already set to bigbase IP( 192.168.1.247).

So we have to change this forwarders to ISP ip's and set bigbase Primary DNS address to eserver ( 192.168.1.155) using TCP/IP settings and then run the ipconfig /registerdns on bigbase...right?

Conclusion is AD from bigbase and DNS from eserver...right?

Regards,
Tushar
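
A triage helper for the dcdiag output posted above, as an added example that is not part of the original thread: it undoes the 80-column console wrapping (the `could no` / `t be resolved` split), then lists failed tests, unresolved names and servers whose tests were skipped. The function names and the trimmed sample are constructed for illustration.

```python
import re

CONSOLE_WIDTH = 80  # cmd.exe default width; a line exactly this long was hard-wrapped

# Constructed sample: trimmed from the dcdiag output in the post above.
I1, I2, I3 = " " * 3, " " * 6, " " * 9   # dcdiag's three indentation levels
DOTS = "." * 25
SAMPLE = "\n".join([
    I1 + r"Testing server: Default-First-Site-Name\BIGBASE",
    I2 + "Starting test: Connectivity",
    I3 + "The host 41540280-a038-4fce-b201-905a2a4edda5._msdcs.nbits.com could no",
    "t be resolved to an",
    I3 + "IP address.  Check the DNS server, DHCP, server name, etc",
    I3 + DOTS + " BIGBASE failed test Connectivity",
    "",
    I1 + r"Testing server: Default-First-Site-Name\BIGBASE",
    I2 + "Skipping all tests, because server BIGBASE is",
    I2 + "not responding to directory service requests",
    "",
    I1 + "Running partition tests on : DomainDnsZones",
    I2 + "Starting test: CrossRefValidation",
    I3 + DOTS + " DomainDnsZones passed test CrossRefValidation",
    "",
    I1 + "Running enterprise tests on : nbits.com",
    I2 + "Starting test: FsmoCheck",
    I3 + DOTS + " nbits.com passed test FsmoCheck",
])

# <DC GUID>._msdcs.<forest root>: the alias each DC registers for itself.
GUID_ALIAS = re.compile(
    r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\._msdcs\.(?P<forest>.+)$",
    re.I,
)


def unwrap(text, width=CONSOLE_WIDTH):
    """Undo console hard-wrapping: a line exactly `width` columns wide
    continues on the following line."""
    out, pending = [], None
    for raw in text.splitlines():
        joined = raw if pending is None else pending + raw
        if len(raw) == width:
            pending = joined          # keep collecting the continuation
        else:
            out.append(joined)
            pending = None
    if pending is not None:
        out.append(pending)
    return out


def triage(text):
    """Summarise a dcdiag run: failed tests, unresolved names, skipped servers."""
    # dcdiag sentences span several lines, so match on whitespace-flattened text.
    flat = " ".join(" ".join(unwrap(text)).split())
    verdicts = re.findall(r"\.{5,} (\S+) (passed|failed) test (\S+)", flat)
    unresolved = re.findall(r"The host (\S+) could not be resolved", flat)
    skipped = re.findall(
        r"Skipping all tests, because server (\S+) is not responding", flat)

    findings = []
    for host in unresolved:
        m = GUID_ALIAS.match(host)
        if m:
            findings.append(
                f"{host}: DC GUID alias does not resolve; check the "
                f"_msdcs.{m.group('forest')} zone on the DNS server this DC uses")
        else:
            findings.append(f"{host}: name does not resolve")
    for server in skipped:
        findings.append(
            f"{server}: server tests skipped, directory service not answering")

    return {
        "failed": [(target, name) for target, outcome, name in verdicts
                   if outcome == "failed"],
        "passed": sum(1 for _, outcome, _ in verdicts if outcome == "passed"),
        "unresolved": unresolved,
        "skipped_servers": skipped,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("failed:", report["failed"], "| passed:", report["passed"])
    for line in report["findings"]:
        print(" -", line)
```
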

> So we have to change this forwarders to ISP ip's

No, leave the forwarders alone.

> bigbase Primary DNS address to eserver ( 192.168.1.155) using TCP/IP settings and then
> run the ipconfig /registerdns on bigbase...right?

Yes please.

And your conclusion is perfect.

Chris
ok,

Give me 10-15 minutes to do this, and one more point: for desktop clients we also have to change the primary DNS address to 192.168.1.155...right?

Regards,
Tushar

Yep, that's it.

Chris
Done with these primary DNS address settings on Bigbase, and also ran ipconfig /registerdns. Is it also required to restart the netlogon service on bigbase?
Or is it required to restart the bigbase server?

If we don't change the forwarders on eserver, then who will resolve the URL domains or access to the PCs using machine names?

Regards,
Tushar

Either is fine, restarting netlogon is quicker though.

Ahh I'm sorry, I misread your description of the forwarder setup. Please do change it to point to your ISP's server.

Chris
Yes, done with the forwarders setting on eserver, and restarted the netlogon service on bigbase also.

Next step is we have to check on a client desktop.....which is what we need to resolve...:)

It should access the resources from bigbase...right?

Regards,
Tushar

Yes, correct. We're only shifting DNS, giving it another place to get names resolved from.

Chris
And is it required to stop the DNS Server service on bigbase..?

Regards,
Tushar

No, it can stay running, even if it's not working.

Chris
When I access shared folders of the bigbase server using bigbase, it gives an error; when I access these shared folders through the IP address of bigbase, they open and work.



Windows Explorer
-------------------------
\\Bigbase is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.



Logon Failure: The target account name is incorrect.


-------------------------
OK  
-------------------------

Please Help

Regards,
Tushar

Can you run:

nslookup bigbase

Make sure it resolves to an IP.

Then can you re-run DCDiag on BigBase and check the Directory Service event log for errors please?

Chris
Dcdiag from bigbase


C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\BIGBASE
      Starting test: Connectivity
         The host 41540280-a038-4fce-b201-905a2a4edda5._msdcs.nbits.com could no
t be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (41540280-a038-4fce-b201-905a2a4edda5._msdcs.nbits.com) couldn't be
         resolved, the server name (bigbase.nbits.com) resolved to the IP
         address (192.168.1.247) and was pingable.  Check that the IP address
         is registered correctly with the DNS server.
         ......................... BIGBASE failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\BIGBASE
      Skipping all tests, because server BIGBASE is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : nbits
      Starting test: CrossRefValidation
         ......................... nbits passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... nbits passed test CheckSDRefDom

   Running enterprise tests on : nbits.com
      Starting test: Intersite
         ......................... nbits.com passed test Intersite
      Starting test: FsmoCheck
         ......................... nbits.com passed test FsmoCheck

C:\Program Files\Support Tools>


NSlookup

C:\Program Files\Support Tools>
C:\>nslookup bigbase
Server:  eserver.bits.com
Address:  192.168.1.155

* eserver.bits.com can't find bigbase: Non-existent domain


Can you check the properties for the new nbits.com on eserver? We need to ensure it has Dynamic Updates enabled and set to Secure and NonSecure (it may be set to Secure only).

Then can you re-run "ipconfig /registerdns" on bigbase, then "nslookup bigbase" again?

Chris
Please also check DNS Errors from bigbase:

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4000
Date:  2/25/2010
Time:  2:39:13 AM
User:  N/A
Computer: BIGBASE
Description:
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00               -#..    


Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date:  2/25/2010
Time:  3:00:26 AM
User:  N/A
Computer: BIGBASE
Description:
The DNS server was unable to open the Active Directory.  This DNS server is configured to use directory service information and can not operate without access to the directory.  The DNS server will wait for the directory to start.  If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00               -#..    
 

Don't worry about those two, we need BigBase to get itself a Host (A) record in the new Forward Lookup Zone for nbits.com on eserver.

Chris
OK, set the dynamic update to nonsecure and secure and ran ipconfig /registerdns on bigbase.

For nslookup it's giving the same error:

C:\>nslookup bigbase
Server:  eserver.bits.com
Address:  192.168.1.155

* eserver.bits.com can't find bigbase: Non-existent domain


And is it required to add a Host (A) record in the eserver forward lookup zone...? Or restart the bigbase server..?

Regards,
Tushar

Restart the server,

If the record doesn't create itself after startup, can we create it manually in the new nbits forward lookup zone?

I want to warn you now that I'll be heading off to bed in about half an hour I'm afraid.

Chris
OK, no problem, we will communicate tomorrow also.

Now the status is we have to manually add the host record to the eserver forward lookup zone, but also it's not resolving by name, and yes, using IP it's giving a quick response.

Thanks Chris for good technical help.

Please let me know....next step...?

DCPROMO or

Clean Format of win2003 server and reconfigure the Domain controller....:)

Regards,

Tushar

DCDiag again first please, need to know if it's going to start responding to directory service requests.

I'll have to check the results in the morning, sleeping now :)

Chris
From Bigbase

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\BIGBASE
      Starting test: Connectivity
         The host 41540280-a038-4fce-b201-905a2a4edda5._msdcs.nbits.com could no
t be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (41540280-a038-4fce-b201-905a2a4edda5._msdcs.nbits.com) couldn't be
         resolved, the server name (bigbase.nbits.com) resolved to the IP
         address (192.168.1.247) and was pingable.  Check that the IP address
         is registered correctly with the DNS server.
         ......................... BIGBASE failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\BIGBASE
      Skipping all tests, because server BIGBASE is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : nbits
      Starting test: CrossRefValidation
         ......................... nbits passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... nbits passed test CheckSDRefDom

   Running enterprise tests on : nbits.com
      Starting test: Intersite
         ......................... nbits.com passed test Intersite
      Starting test: FsmoCheck
         ......................... nbits.com passed test FsmoCheck


Regards,
Tushar
Good morning,

It's still failing to respond; can you run this on BigBase:

repadmin /showreps

And DCDiag on Benchmarknew.

When did this last work? This is quite badly broken, if you have backups of a working directory you should consider a restore because we've yet to find out why this is so upset.

Chris
Very Good Morning..:)

Good news from us is

When I reconfigure the name (nbits.com) in the forward lookup zone on eserver (bits.com) and stop the DNS server on bigbase, then it's resolving nslookup bigbase as

C:\>nslookup bigbase
Server:  eserver.bits.com
Address:  192.168.1.155

Name:    bigbase.nbits.com
Address:  192.168.1.247

and also it added the Host record in eserver.bits.com forward lookup zone.

Now Tcp/IP Network settings on bigbase are

IP:- 192.168.1.247
Subnet:-255.255.255.0
Gateway:-192.168.11

DNS Primary :- 192.168.1.155

On the desktop client the primary address is also the same, of course 192.168.1.155, and now network browsing speed is good and from the client it's also accessing the resources

BUT

using the IP address there is no problem accessing project folders or the web server, and
using a name like Start > Run > \\bigbase\ it's giving the same error:

---------------------------
Windows Explorer
---------------------------
\\bigbase is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

Logon Failure: The target account name is incorrect.

---------------------------
OK  
---------------------------

So please tell me what is the next step to resolve this problem completely...:)

and you said dcdiag from benchmarknew.nbits.com......right?
On that server we didn't change any settings on benchmarknew additional domain controller.


Regards,
Tushar








> On that server we didn't change any settings on benchmarknew additional domain controller.

Can we change it to use eserver for DNS as well then?

We need to see if benchmarknew is showing the same problems as BigBase, if it isn't we stand a much better chance of recovering.

Chris
OK, done the DNS server setting on benchmarknew also and restarted the server.

And dcdiag from benchmarknew :-

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\BENCHMARKNEW
      Starting test: Connectivity
         The host 688012f1-241c-4312-adc4-d89c56e37e70._msdcs.nbits.com could no
t be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (688012f1-241c-4312-adc4-d89c56e37e70._msdcs.nbits.com) couldn't be
         resolved, the server name (benchmarknew.nbits.com) resolved to the IP
         address (192.168.1.66) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... BENCHMARKNEW failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\BENCHMARKNEW
      Skipping all tests, because server BENCHMARKNEW is
      not responding to directory service requests

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : nbits
      Starting test: CrossRefValidation
         ......................... nbits passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... nbits passed test CheckSDRefDom

   Running enterprise tests on : nbits.com
      Starting test: Intersite
         ......................... nbits.com passed test Intersite
      Starting test: FsmoCheck
         [BIGBASE] LDAP bind failed with error 8341,
         A directory service error has occurred..
         ......................... nbits.com passed test FsmoCheck

Regards,
Tushar

Did you get a chance to run "repadmin /showreps" on BigBase?

Chris
This is the output from Bigbase for

C:\Program Files\Support Tools>repadmin /showreps
Default-First-Site-Name\BIGBASE
DC Options: IS_GC
Site Options: (none)
DC object GUID: 41540280-a038-4fce-b201-905a2a4edda5
DC invocationID: 41540280-a038-4fce-b201-905a2a4edda5

==== INBOUND NEIGHBORS ======================================

DC=nbits,DC=com
    Default-First-Site-Name\BENCHMARKNEW via RPC
        DC object GUID: 688012f1-241c-4312-adc4-d89c56e37e70
        Last attempt @ 2010-02-25 17:21:22 failed, result 5 (0x5):
            Access is denied.
        32 consecutive failure(s).
        Last success @ 2010-02-24 13:21:23.

CN=Configuration,DC=nbits,DC=com
    Default-First-Site-Name\BENCHMARKNEW via RPC
        DC object GUID: 688012f1-241c-4312-adc4-d89c56e37e70
        Last attempt @ 2010-02-25 17:21:22 failed, result 5 (0x5):
            Access is denied.
        32 consecutive failure(s).
        Last success @ 2010-02-24 13:21:23.

CN=Schema,CN=Configuration,DC=nbits,DC=com
    Default-First-Site-Name\BENCHMARKNEW via RPC
        DC object GUID: 688012f1-241c-4312-adc4-d89c56e37e70
        Last attempt @ 2010-02-25 17:21:22 failed, result 5 (0x5):
            Access is denied.
        32 consecutive failure(s).
        Last success @ 2010-02-24 13:21:23.

Source: Default-First-Site-Name\ESERVER
***** 60 CONSECUTIVE FAILURES since 2010-02-25 03:26:21
Last error: 5 (0x5):
            Access is denied.

Naming Context: DC=bits,DC=com
Source: Default-First-Site-Name\ESERVER
***** WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=nbits,DC=com
Source: Default-First-Site-Name\ESERVER
***** WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=nbits,DC=com
Source: Default-First-Site-Name\ESERVER
***** WARNING: KCC could not add this REPLICA LINK due to error.

Source: Default-First-Site-Name\BENCHMARKNEW
***** 32 CONSECUTIVE FAILURES since 2010-02-24 13:21:23
Last error: 5 (0x5):
            Access is denied.

Regards,
Tushar

Can you confirm that both BigBase and benchmarknew are still in the Domain Controllers OU?

I'm going to need details of all errors in the Directory Service log, that's going to be quite tricky because there are bound to be a lot.

Chris
Yes Bigbase is PDC and benchmarknew is additional domain controller.

BIgbase:- bigbase.nbits.com
benchmarknew:-benchmarknew.nbits.com

And Directory service logs for bigbase

Event id 1126 .source ntds general....

Event Type: Error
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1126
Date:  2/25/2010
Time:  5:36:22 PM
User:  NT AUTHORITY\ANONYMOUS LOGON
Computer: BIGBASE
Description:
Active Directory was unable to establish a connection with the global catalog.

Additional Data
Error value:
8430 The directory service encountered an internal failure.
Internal ID:
3200c89

User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller.  You may use the nltest utility to diagnose this problem.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Regards,
Tushar

> Yes Bigbase is PDC and benchmarknew is additional domain controller.

Yes, but are they in the Domain Controllers organisational unit in AD Users and Computers?

It's important, they must receive the Default Domain Controllers policy.

> Make sure a global catalog is available in the forest

We should check that.

1. Open AD Sites and Services
2. Expand Sites
3. Expand Default-First-Site-Name
4. Expand Servers
5. Select BigBase
6. Open Properties for NTDS Settings
7. Check the Global Catalog tick box

Repeat the same process for Benchmarknew. Both should be Global Catalog servers in a domain this small.

Chris
Yes, Bigbase is a global catalog server, but on the benchmarknew server > Active Directory Sites and Services >
Global catalog is not selected. Now I have selected it.

And sorry Don't understand this question:-
<Yes, but are they in the Domain Controllers organizational unit in AD Users and Computers?>

Means, on Bigbase- in Active Directory users and computers all users are added and one Organizational unit is configured and same it replicated to benchmarknew.

Regards,
Tushar

I mean the two Domain Controllers should be listed in the OU selected in the attached picture.

Chris
DomainControllers.jpg
oh OK
Please find the image attachments

Regards,
Tushar
bigbase-ad..JPG
benchmarknew.JPG

Excellent, thank you, that looks fine.

I need to know about errors in the Directory Service event log if you could please. Something is deeply unhappy and we still don't know what.

Chris
Yes, correct: rather than applying 100 solutions, we need to find the single problem....:)

 And why this happened before 2 days everything is perfect but with in this 2 days we tried to join the 4 Linux desktops to this bigbase and unsuccessful to configured....Is this is the reason...?

OK Back to work

Already gave you the Directory service  Event  log from Bigbase...Event id 1126 and one warning Message:-

Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1925
Date:  2/25/2010
Time:  7:28:02 PM
User:  NT AUTHORITY\ANONYMOUS LOGON
Computer: BIGBASE
Description:
The attempt to establish a replication link for the following writable directory partition failed.

Directory partition:
CN=Schema,CN=Configuration,DC=nbits,DC=com
Source domain controller:
CN=NTDS Settings,CN=ESERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nbits,DC=com
Source domain controller address:
3aea2daa-1dfc-4141-9b3a-37cb27cbfb31._msdcs.nbits.com
Intersite transport (if any):


This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  

User Action
Verify if the source domain controller is accessible or network connectivity is available.

Additional Data
Error value:
5 Access is denied.


Regards,
Tushar


>  And why this happened before 2 days everything is perfect but with in this 2 days we tried to
> join the 4 Linux desktops to this bigbase and unsuccessful to configured....Is this is the reason...?

I can't see how. What did you do to join them to the domain?

How about DCDiag on EServer so we catch anything there?

Chris

Yes, on eserver some errors are there, like it's resolving the IP address but not pingable.

Please check the dcdiag from eserver

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ESERVER
      Starting test: Connectivity
         Server ESERVER resolved to this IP address 192.168.1.155,
         but the address couldn't be reached(pinged), so check the network.
         The error returned was: Error due to lack of resources.
         This error more often means that the targeted server is
         shutdown or disconnected from the network
         ......................... ESERVER failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ESERVER
      Skipping all tests, because server ESERVER is
      not responding to directory service requests

   Running partition tests on : bits
      Starting test: CrossRefValidation
         ......................... bits passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... bits passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running enterprise tests on : nbits.com
      Starting test: Intersite
         ......................... nbits.com passed test Intersite
      Starting test: FsmoCheck
         [BIGBASE] LDAP bind failed with error 8341,
         A directory service error has occurred..
         ......................... nbits.com passed test FsmoCheck

Regards,
Tushar
And one more thing can we use this Backup from :

C:\WINDOWS\system32\dns\backup................three files are there.

_msdcs.nbits.com.dns
cache.dns
nbits.com.dns

Tushar

This one isn't responding either?

   Testing server: Default-First-Site-Name\ESERVER
      Skipping all tests, because server ESERVER is
      not responding to directory service requests

It's difficult to see a way ahead from here. You don't have a single working DC at the moment. EServer is in less trouble, but not considerably less.

You do have backups though don't you?

Chris
I have a systemstate backup for bigbase, and I have one more server, LOTUS.bitsllc.local, which is a different domain's server, not a member of nbits.com, and lotus is working fine. It's also a Domain Controller with Active Directory integrated with DNS.

Now for bigbase, is it required to run dcpromo or format and reinstall? What do you think?

Tushar

Neither, not yet, too much risk of losing nbits.com entirely. Unless, of course, you want to rebuild the domain :) I worry that this issue is much deeper, can you run DCDiag on Lotus as well if that's part of the same forest?

Would you be willing to give me the System, Application, Directory Service and DNS Service event logs (as event log files)?

Chris
Chris, I am leaving now. For the last 2 days I have been in the office, so I have to go home; will give you the update tomorrow.

Regards,
Tushar

Okay, no problem :)

Chris
Good  Morning:)

This is the dcdiag Report from Lotus and it passes successfully.

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\LOTUS
      Starting test: Connectivity
         ......................... LOTUS passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\LOTUS
      Starting test: Replications
         ......................... LOTUS passed test Replications
      Starting test: NCSecDesc
         ......................... LOTUS passed test NCSecDesc
      Starting test: NetLogons
         ......................... LOTUS passed test NetLogons
      Starting test: Advertising
         ......................... LOTUS passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... LOTUS passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... LOTUS passed test RidManager
      Starting test: MachineAccount
         ......................... LOTUS passed test MachineAccount
      Starting test: Services
            IsmServ Service is stopped on [LOTUS]
         ......................... LOTUS failed test Services
      Starting test: ObjectsReplicated
         ......................... LOTUS passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... LOTUS passed test frssysvol
      Starting test: frsevent
         ......................... LOTUS passed test frsevent
      Starting test: kccevent
         ......................... LOTUS passed test kccevent
      Starting test: systemlog
         ......................... LOTUS passed test systemlog
      Starting test: VerifyReferences
         ......................... LOTUS passed test VerifyReferences

   Running partition tests on : TAPI3Directory
      Starting test: CrossRefValidation
         ......................... TAPI3Directory passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... TAPI3Directory passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : bitsllc
      Starting test: CrossRefValidation
         ......................... bitsllc passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... bitsllc passed test CheckSDRefDom

   Running enterprise tests on : bitsllc.local
      Starting test: Intersite
         ......................... bitsllc.local passed test Intersite
      Starting test: FsmoCheck
         ......................... bitsllc.local passed test FsmoCheck


Regards,
Tushar
Now nslookup is resolving bigbase, so why is the desktop client not accessing the resources by name..?

And is this problem we are facing due to Windows updates..?
Today we will finish this chapter and come to a conclusion... meaning we don't want to rebuild the nbits.com domain again...:)

Lotus is not in the Bigbase forest.

Regards,
Tushar
Please check DCdiag of bigbase server


Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd\

C:\>cd pro*

C:\Program Files>cd su*

C:\Program Files\Support Tools>nltest.exe /dsregdns
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

C:\Program Files\Support Tools>nltest
The command completed successfully

C:\Program Files\Support Tools>nltest /dsregdns
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\BIGBASE
      Starting test: Connectivity
         ......................... BIGBASE passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\BIGBASE
      Starting test: Replications
         [Replications Check,BIGBASE] A recent replication attempt failed:
            From BENCHMARKNEW to BIGBASE
            Naming Context: CN=Schema,CN=Configuration,DC=nbits,DC=com
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2010-02-26 14:21:23.
            The last success occurred at 2010-02-24 13:21:23.
            53 failures have occurred since the last success.
         [Replications Check,BIGBASE] A recent replication attempt failed:
            From BENCHMARKNEW to BIGBASE
            Naming Context: CN=Configuration,DC=nbits,DC=com
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2010-02-26 14:21:23.
            The last success occurred at 2010-02-24 13:21:23.
            53 failures have occurred since the last success.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source BENCHMARKNEW
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         [Replications Check,BIGBASE] A recent replication attempt failed:
            From BENCHMARKNEW to BIGBASE
            Naming Context: DC=nbits,DC=com
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2010-02-26 14:21:23.
            The last success occurred at 2010-02-24 13:21:23.
            53 failures have occurred since the last success.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source BENCHMARKNEW
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         REPLICATION-RECEIVED LATENCY WARNING
         BIGBASE:  Current time is 2010-02-26 14:56:43.
            CN=Schema,CN=Configuration,DC=nbits,DC=com
               Last replication recieved from BENCHMARKNEW at 2010-02-24 13:21:2
3.
            CN=Configuration,DC=nbits,DC=com
               Last replication recieved from BENCHMARKNEW at 2010-02-24 13:21:2
3.
            DC=nbits,DC=com
               Last replication recieved from BENCHMARKNEW at 2010-02-24 13:21:2
3.
         ......................... BIGBASE passed test Replications
      Starting test: NCSecDesc
         ......................... BIGBASE passed test NCSecDesc
      Starting test: NetLogons
         ......................... BIGBASE passed test NetLogons
      Starting test: Advertising
         ......................... BIGBASE passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... BIGBASE passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... BIGBASE passed test RidManager
      Starting test: MachineAccount
         The account BIGBASE is not trusted for delegation.  It cannot replicate
.
         The account BIGBASE is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of BIGBASE is: 0x1000 = ( UF_WOR
KSTATION_TRUST_ACCOUNT )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TR
USTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... BIGBASE failed test MachineAccount
      Starting test: Services
         ......................... BIGBASE passed test Services
      Starting test: ObjectsReplicated
         ......................... BIGBASE passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... BIGBASE passed test frssysvol
      Starting test: frsevent
         ......................... BIGBASE passed test frsevent
      Starting test: kccevent
         ......................... BIGBASE passed test kccevent
      Starting test: systemlog
         ......................... BIGBASE passed test systemlog
      Starting test: VerifyReferences
         ......................... BIGBASE passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : nbits
      Starting test: CrossRefValidation
         ......................... nbits passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... nbits passed test CheckSDRefDom

   Running enterprise tests on : nbits.com
      Starting test: Intersite
         ......................... nbits.com passed test Intersite
      Starting test: FsmoCheck
         ......................... nbits.com passed test FsmoCheck

C:\Program Files\Support Tools>


Regards,
Tushar
Good morning,

I'm glad you ran that:

      Starting test: MachineAccount
         The account BIGBASE is not trusted for delegation.  It cannot replicate.
         The account BIGBASE is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of BIGBASE is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )

Do you fancy trying to set the userAccountControl value for BigBase's computer account? It'll need to be done with ADSIEdit.msc, and the decimal value should be 532480 (which is 0x82000).

Can you run the same on BENCHMARKNEW and ESERVER please? I suspect ESERVER is fine but would like to be sure.

Chris
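The flag arithmetic behind the reply above, as an added example that is not part of the original thread: it rejoins the 80-column console wrapping seen in the posted dcdiag output, lists the failed tests, and decodes the reported userAccountControl value against what a domain controller account should carry. The function names are hypothetical and the sample text is constructed from the MachineAccount excerpt posted in the thread.

```python
import re

# userAccountControl bit flags (UF_* constants from the Windows SDK, lmaccess.h).
UAC_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0020: "UF_PASSWD_NOTREQD",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x0800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}
RESULT_RE = re.compile(r"\.{5,} (\S+) (passed|failed) test (\S+)")
UAC_RE = re.compile(r"userAccountControl of (\S+) is: (0x[0-9A-Fa-f]+)")


def decode_uac(value):
    """Return the UF_* names set in value; bits outside the table are shown in hex."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    leftover = value & ~sum(UAC_FLAGS)
    if leftover:
        names.append("UNKNOWN(0x%X)" % leftover)
    return names


def dc_account_problems(value):
    """List what is wrong with value if the account is meant to be a domain controller."""
    problems = []
    if not value & 0x2000:
        problems.append("missing UF_SERVER_TRUST_ACCOUNT")
    if not value & 0x80000:
        problems.append("missing UF_TRUSTED_FOR_DELEGATION")
    if value & 0x1000:
        problems.append("UF_WORKSTATION_TRUST_ACCOUNT is set")
    if value & 0x0002:
        problems.append("account is disabled")
    return problems


def unwrap_dcdiag(text):
    """Rejoin console-wrapped lines: inside a test block every real line is
    indented, so a line starting at column 0 continues the previous one."""
    lines, in_test = [], False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if in_test and lines and not raw[0].isspace():
            lines[-1] += raw
            continue
        lines.append(raw)
        if "Starting test:" in raw:
            in_test = True
        elif RESULT_RE.search(raw):
            in_test = False
    return lines


def failed_tests(text):
    """Map 'SERVER/TestName' to its detail lines for each test reported as failed."""
    failed, name, details = {}, None, []
    for line in unwrap_dcdiag(text):
        start = re.search(r"Starting test: (\S+)", line)
        result = RESULT_RE.search(line)
        if start:
            name, details = start.group(1), []
        elif result:
            if result.group(2) == "failed":
                failed[result.group(1) + "/" + result.group(3)] = details
            name, details = None, []
        elif name:
            details.append(line.strip())
    return failed


def uac_findings(text):
    """Map account name to (value, flag names, DC problems) for each UAC line found."""
    found = {}
    for line in unwrap_dcdiag(text):
        m = UAC_RE.search(line)
        if m:
            value = int(m.group(2), 16)
            found[m.group(1)] = (value, decode_uac(value), dc_account_problems(value))
    return found


# Constructed sample: trimmed from the dcdiag output posted in the thread,
# keeping the console line wrapping exactly as it appeared.
SAMPLE = r"""
Doing primary tests

   Testing server: Default-First-Site-Name\BIGBASE
      Starting test: RidManager
         ......................... BIGBASE passed test RidManager
      Starting test: MachineAccount
         The account BIGBASE is not trusted for delegation.  It cannot replicate
.
         The account BIGBASE is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of BIGBASE is: 0x1000 = ( UF_WOR
KSTATION_TRUST_ACCOUNT )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TR
USTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... BIGBASE failed test MachineAccount
      Starting test: Services
         ......................... BIGBASE passed test Services
"""

if __name__ == "__main__":
    for test, details in failed_tests(SAMPLE).items():
        print(test, "->", len(details), "detail lines")
    for account, (value, names, problems) in uac_findings(SAMPLE).items():
        print(account, hex(value), names, problems)
    print("0x82000 as decimal:", 0x82000, decode_uac(0x82000))
```
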
Please check dcdiag of benchmarknew & eserver.

 
benchmarknew-dcdiag-26.02.2010.txt
eserver-dcdiag.txt

Does BigBase do anything else? Or is its only job Domain Controller?

Are you able to take a backup of your domain controllers in their current state?

We can remove BigBase, take-over the FSMO roles on benchmarknew, and see if it can be encouraged to work properly. If it does, BigBase can (eventually) be rebuilt, returning the second DC.

Chris
Bigbase is the Main server in our company, On Bigbase

Domain Controller
File server
Web server ( Wamp)..All projects are configured in this WWW
Wildfire Chat server and Ticket system.

OK, we can stop the chat and ticket system... no problem.
And we have to move Wamp to benchmarknew as well... This is also possible, but right now all users are logged into bigbase, and transferring the FSMO roles and Wamp will take time... right..?

We can do this after 8 PM today... we are in IST.
When we promote benchmarknew and rebuild Bigbase, then...? We have to change the FSMO roles again... right? Because Bigbase is proper IBM server hardware and Benchmarknew is a normal C-2-D processor with 2GB memory.

How to take a backup of a domain controller...?
Do you mean a systemstate backup...? As I said in the comment above, we have a 2-month-old Bigbase systemstate backup.

Regards,
Tushar






We can try FSMO role transfer now, but I suspect we'll have to seize those because BigBase isn't responding. If you want to try the transfer:

ntdsutil
roles
connections
connect to server benchmarknew
quit
transfer PDC

If it will transfer, do the rest:

transfer rid master
transfer domain naming master
transfer schema master
transfer infrastructure master

If it doesn't work wait until BigBase can be turned off before seizing the roles.

Then BigBase will have to be removed from AD (manually), and we have to hope benchmarknew is working properly or we won't be able to add BigBase back as a new DC.

And yes, SystemState backup, given that BigBase is the Schema Master we'll need that for every DC in the forest. Our path back is quite complex if it goes (more) wrong.

Chris
We can move the Bigbase PDC to Benchmarknew, but please tell me:

Bigbase :-192.168.1.247
Benchmarknew :-192.168.1.66
eserver :- 192.168.1.155

Right now Bigbase and benchmarknew are using the DNS from eserver as primary DNS: 192.168.1.155
Does this mean it is required to change the primary DNS to 192.168.1.247 (Bigbase IP address) on bigbase and benchmarknew and then transfer all the roles OR using same config we can transfer the roles..?

And if the role transfer procedure works and benchmarknew is working properly, then we have to move the Wamp server to benchmarknew and change the DNS address to 192.168.1.66

The current status is that we can access Bigbase by IP, and it's working fine when it's resolving the nslookup bigbase. So I am thinking that when we try to move the roles from bigbase to benchmarknew
we also have to stop all users from working on bigbase, and then run this transfer procedure, after 8 am today.

Regards,
Tushar

> OR using same config we can transfer the roles..?

We can use the same config, so please leave the DNS server setting as it is for now.

Moving the roles won't impact users on the system, nor users on the network. But it's your network, so if you're happier waiting until 8am then please do.

Chris
Error

C:\Program Files\Support Tools>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server benchmarknew
Binding to benchmarknew ...
Connected to benchmarknew using credentials of locally logged on user.
server connections: quit
fsmo maintenance: transfer PDC
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321051A, problem 5002 (UN
AVAILABLE), data -2146893022

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Server "benchmarknew" knows about 5 roles
Schema - CN=NTDS Settings,CN=BIGBASE,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=nbits,DC=com
Domain - CN=NTDS Settings,CN=BIGBASE,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=nbits,DC=com
PDC - CN=NTDS Settings,CN=BIGBASE,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=nbits,DC=com
RID - CN=NTDS Settings,CN=BIGBASE,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=nbits,DC=com
Infrastructure - CN=NTDS Settings,CN=BIGBASE,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=nbits,DC=com
fsmo maintenance:

Regards,
Tushar
I expected it would do that, but we had to try.

Then you need to Seize the roles (as below), but I strongly recommend you turn off BigBase first, and I would strongly advise you rebuild BigBase before bringing it back onto the network after doing this.

From "fsmo maintenance":

seize pdc
seize rid master
seize domain naming master
seize schema master
seize infrastructure master

This operation is not reversible.

Chris
Do you mean we should seize all the roles from bigbase, then shut down the bigbase server? Is that correct?

Once again, this means:

Run these commands from bigbase:

seize pdc
seize rid master
seize domain naming master
seize schema master
seize infrastructure master

And shut down the bigbase server?

Then how do we rebuild the bigbase server?
After fsmo maintenance from bigbase, what is the next step?

Regards,
Tushar
Chris, please check this procedure:

1.> Run all fsmo seize commands from benchmarknew means stop that domain controller.
then

2.>come to bigbase and run the following commands

ntdsutil
metadata cleanup
connections
connect to server benchmarknew
quit
select operation target
list domains
select domain #
list sites
select site #
list servers in site
select server #
quit
remove selected server

After disconnecting bigbase from AD, run the DCPROMO command on bigbase and rebuild the
domain as Active Directory integrated with DNS server. This means it is not required to format and reinstall the IBM server disk, correct?

Is this procedure correct? Please advise if it is not.

Regards,
Tushar


No.

1. Turn off BigBase
2. Log on to benchmarknew
3. Seize all FSMO roles as described above
4. Run Metadata Cleanup (logged onto benchmarknew)
5. On benchmarknew: Check AD with: DCDiag, NetDiag, RepAdmin, event logs
6. Rebuild BigBase as a Member Server of the existing domain
7. Run DCPromo on BigBase to make it a DC again
8. On both servers: Check AD with: DCDiag, NetDiag, RepAdmin, event logs

BigBase should be considered dead if we're going to seize its roles. It cannot and should not be allowed to talk to AD again before it is rebuilt.

Chris
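For step 5 of the plan above (checking AD on benchmarknew after the seizure), a check of FSMO role ownership, as an added example that is not part of the original thread: it parses the role listing ntdsutil prints (as in the error output posted earlier), rejoins the lines the console wrapped at 80 columns, and reports any role not held by the expected DC. The function names and the `listing()` sample generator are assumptions made for this illustration.

```python
import re

WIDTH = 80  # console width at which the ntdsutil output in the thread is wrapped
ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")
# The role holder is the server object that is the parent of "NTDS Settings".
ROLE_RE = re.compile(
    r"^(%s) - CN=NTDS Settings,CN=([^,]+),CN=Servers," % "|".join(ROLES))

def unwrap(text, width=WIDTH):
    """Rejoin physical lines that the console broke at `width` columns."""
    logical, buf = [], ""
    for line in text.splitlines():
        buf += line
        if len(line) < width:      # a short line ends the logical line
            logical.append(buf)
            buf = ""
    if buf:
        logical.append(buf)
    return logical

def role_holders(text):
    """Map each FSMO role in an ntdsutil listing to the DC that holds it."""
    holders = {}
    for line in unwrap(text):
        m = ROLE_RE.match(line)
        if m:
            holders[m.group(1)] = m.group(2).upper()
    return holders

def roles_not_on(text, expected_dc):
    """Roles missing from the listing or held by a DC other than expected_dc."""
    holders = role_holders(text)
    return [r for r in ROLES if holders.get(r) != expected_dc.upper()]

def listing(dc, width=WIDTH):
    """Constructed sample: a role listing for `dc`, wrapped like the console."""
    tail = "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nbits,DC=com"
    lines = ['Server "benchmarknew" knows about 5 roles']
    for role in ROLES:
        full = "%s - CN=NTDS Settings,CN=%s,CN=Servers,%s" % (role, dc, tail)
        lines += [full[i:i + width] for i in range(0, len(full), width)]
    return "\n".join(lines + ["fsmo maintenance:"])

if __name__ == "__main__":
    print(roles_not_on(listing("BIGBASE"), "benchmarknew"))       # before seizing
    print(roles_not_on(listing("BENCHMARKNEW"), "benchmarknew"))  # after seizing
```

An empty result means every role is recorded against the expected DC; any role still listed against the old holder shows up by name.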
Thanks for the support. We have planned to run DCPROMO on bigbase this coming Friday.

Thank You Very Much

Regards,
Tushar Kaskhedikar
     
Coming Friday, we will run DCPROMO on the Bigbase server.
A Truly Epic Thread!

- gurutc