Lost all DNS records on DNS at my DC

Dear Experts:

I have lost all data in both DCs and I have a backup of the system state of one of the DC DNS servers.

I need your help to restore the state of the DNS server with an easy step-by-step guide or similar.
diegomirner Asked:

Chris Dent, PowerShell Developer, Commented:

As in the Forward Lookup Zone is gone? Otherwise exactly what is missing?

If that's all then I shouldn't worry too much, open the DNS Console and create a new version of your zone. Ensure you permit dynamic updates, then run this on your DCs:

ipconfig /registerdns
net stop netlogon && net start netlogon

And this on any other important system:

ipconfig /registerdns

Chris
0
Brian Pierce, Photographer, Commented:
Is DNS running, can you get into the console?
Can you please fill in some background information?
Is this Active Directory Integrated DNS?
Single/Multiple Domain?
Some screenshots would be nice in order to understand the issue.
0
diegomirner, Author, Commented:
Sure, more info:

I can't connect to the DNS console; it says access denied.

Some error IDs:

DNS: ID 4000

Applications: 1053 1058 1002

SYSTEM: 40960, 5781, 5719

So I have these errors on one of the DCs/DNS servers.

I can see all AD content, but the DNS content on the console is empty, and I also have an access denied error on the DNS console.

DNS on both servers was integrated with AD, on a single domain.

Help!!!!
0

FemSteenkamp, IT manager, Commented:
Important to know if DNS was AD integrated or not.

If it was AD integrated you can make an authoritative restore of the DNS zones from the backups.

If it was text-file based, then you can simply restore the DNS files from a backup, and replace the content of the live DNS file.
0
Chris Dent, PowerShell Developer, Commented:

What led up to this?

Can you show us the output from these please:

ipconfig /all
dcdiag

Chris
0
diegomirner, Author, Commented:
Great, I will do the authoritative restore, but I only have a backup from the secondary DC, which is not a Global Catalog.
So how should I do so? Should I restore on the same DC the backup is coming from? Because this backup was done on a DC without a Global Catalog, will it work???
Thanks
0
Chris Dent, PowerShell Developer, Commented:

Hmmm I'm not convinced an Authoritative Restore is a good move. You don't know what caused the failure yet.

Chris
0
diegomirner, Author, Commented:
After launching a new OSX server, one of the admins has tried to integrate it into AD.
0
Brian Pierce, Photographer, Commented:
DON'T DO AN AUTHORITATIVE RESTORE - not yet at least; this is normally used to recover deleted AD objects and could have unforeseen consequences until we know the root of the issue.

We need to investigate further

Can you provide the results of
dcdiag (you may need to install the windows support tools from the support folder on the Windows CD)

What led up to the current state of affairs?
0
FemSteenkamp, IT manager, Commented:
It can be one of 2 things:

A bug in the DNS console.
When launching the DNS console, try to connect to a new DNS server in the console, and for the DNS server name try one of the following:
IP address of DNS server
NetBIOS name of DNS server
FQDN of DNS server (i.e. server1.domain.com)
There were some problems in the past where one or the other didn't work; as I remember, try to use the FQDN.

If this still gives access denied, then the ACLs of the DNS partition in AD might have become corrupted. Use ADSIEDIT to connect to the DNS partition and make sure that the domain admins (or administrating user) have read/write access to the DNS records. If you provide AD OS versions (2000/2003/2008) I can provide the path to the DNS for you.

 
0
diegomirner, Author, Commented:
Sure, it's a Windows 2003 64 R2 Standard
0
Chris Dent, PowerShell Developer, Commented:

It can be far more than one of 2 things, especially considering the error messages being thrown.

DCDiag please.
NetDiag as well if it's running 2000 or 2003.

Chris
0
Brian Pierce, Photographer, Commented:
I fully agree with @Chris-Dent. I think some people are making wild guesses - let's try to approach this in a systematic way please - we need some diagnostics.
0
diegomirner, Author, Commented:
Dear Chris, there you are.




C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : data5
   Primary Dns Suffix  . . . . . . . : uicc0.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : uicc0.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Connection #2
   Physical Address. . . . . . . . . : 00-07-E9-33-23-BC
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.91.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.91.1
   DNS Servers . . . . . . . . . . . : 192.168.92.2
   Primary WINS Server . . . . . . . : 192.168.91.20
   Secondary WINS Server . . . . . . : 192.168.91.2


C:\WINDOWS\ServicePackFiles\amd64>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Frontenex62\DATA5
      Starting test: Connectivity
         The host 20760173-fa7e-4326-bce5-e8329a06390b._msdcs.uicc0.local could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name (20760173-fa7e-4326-bce5-e8329a06390b._msdcs.uicc0.local) couldn't be resolved, the
         server name (data5.uicc0.local) resolved to the IP address (192.168.91.2) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         ......................... DATA5 failed test Connectivity

Doing primary tests

   Testing server: Frontenex62\DATA5
      Skipping all tests, because server DATA5 is
      not responding to directory service requests

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : uicc0
      Starting test: CrossRefValidation
         ......................... uicc0 passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... uicc0 passed test CheckSDRefDom

   Running enterprise tests on : uicc0.local
      Starting test: Intersite
         ......................... uicc0.local passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... uicc0.local failed test FsmoCheck

C:\WINDOWS\ServicePackFiles\amd64>


0
Chris Dent, PowerShell Developer, Commented:

> DNS Servers . . . . . . . . . . . : 192.168.92.2

Really 192.168.92.2 is the system you're having problems with?

Have you tried changing that to 192.168.91.2 (the current server) assuming that runs the DNS service?

Chris
0
diegomirner, Author, Commented:
You're right, I made that mistake when I was changing the DNS config on the server.
Now I put it right, and I got this output from dcdiag:

Please advise how to solve it.
C:\WINDOWS\ServicePackFiles\amd64>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Frontenex62\DATA5
      Starting test: Connectivity
         ......................... DATA5 passed test Connectivity

Doing primary tests

   Testing server: Frontenex62\DATA5
      Starting test: Replications
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: DC=DomainDnsZones,DC=uicc0,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2010-04-28 12:47:52.
            The last success occurred at 2010-04-27 16:08:21.
            22 failures have occurred since the last success.
         [DC0] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: DC=ForestDnsZones,DC=uicc0,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2010-04-28 12:47:52.
            The last success occurred at 2010-04-27 15:46:27.
            22 failures have occurred since the last success.
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: CN=Schema,CN=Configuration,DC=uicc0,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2010-04-28 12:48:01.
            The last success occurred at 2010-04-27 15:46:27.
            22 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: CN=Configuration,DC=uicc0,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2010-04-28 12:47:56.
            The last success occurred at 2010-04-27 16:07:27.
            22 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: DC=uicc0,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2010-04-28 12:47:52.
            The last success occurred at 2010-04-27 16:15:32.
            22 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         REPLICATION-RECEIVED LATENCY WARNING
         DATA5:  Current time is 2010-04-28 12:57:21.
            DC=DomainDnsZones,DC=uicc0,DC=local
               Last replication recieved from DC0 at 2010-04-27 16:08:20.
            DC=ForestDnsZones,DC=uicc0,DC=local
               Last replication recieved from DC0 at 2010-04-27 15:46:27.
            CN=Schema,CN=Configuration,DC=uicc0,DC=local
               Last replication recieved from DC0 at 2010-04-27 15:46:27.
            CN=Configuration,DC=uicc0,DC=local
               Last replication recieved from DC0 at 2010-04-27 16:07:26.
            DC=uicc0,DC=local
               Last replication recieved from DC0 at 2010-04-27 16:15:32.
         ......................... DATA5 passed test Replications
      Starting test: NCSecDesc
         ......................... DATA5 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DATA5 passed test NetLogons
      Starting test: Advertising
         Warning: DATA5 is not advertising as a Key Distribution Center.
         Check that the Directory has started.
         ......................... DATA5 failed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: DC0 is the Domain Owner, but is not responding to DS RPC Bind.
         [DC0] LDAP search failed with error 58,
         The specified server cannot perform the requested operation..
         Warning: DC0 is the Domain Owner, but is not responding to LDAP Bind.
         Warning: DC0 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: DC0 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: DC0 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: DC0 is the Rid Owner, but is not responding to LDAP Bind.
         ......................... DATA5 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DATA5 failed test RidManager
      Starting test: MachineAccount
         ......................... DATA5 passed test MachineAccount
      Starting test: Services
            kdc Service is stopped on [DATA5]
         ......................... DATA5 failed test Services
      Starting test: ObjectsReplicated
         ......................... DATA5 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DATA5 passed test frssysvol
      Starting test: frsevent
         ......................... DATA5 passed test frsevent
      Starting test: kccevent
         ......................... DATA5 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC25A001D
            Time Generated: 04/28/2010   12:15:52
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC25A001D
            Time Generated: 04/28/2010   12:34:36
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC25A001D
            Time Generated: 04/28/2010   12:53:21
            (Event String could not be retrieved)
         ......................... DATA5 failed test systemlog
      Starting test: VerifyReferences
         ......................... DATA5 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : uicc0
      Starting test: CrossRefValidation
         ......................... uicc0 passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... uicc0 passed test CheckSDRefDom

   Running enterprise tests on : uicc0.local
      Starting test: Intersite
         ......................... uicc0.local passed test Intersite
      Starting test: FsmoCheck
         ......................... uicc0.local passed test FsmoCheck

C:\WINDOWS\ServicePackFiles\amd64>


0
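An added example, not part of the thread: a small Python triage script for dcdiag text like the output posted above. It lists the failed tests and, separately, replication failures that sit under a "passed test Replications" line, as they do in this output; the function names and summary keys are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: a shortened excerpt of the dcdiag output posted above.
SAMPLE = r"""
   Testing server: Frontenex62\DATA5
      Starting test: Replications
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: DC=DomainDnsZones,DC=uicc0,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2010-04-28 12:47:52.
            The last success occurred at 2010-04-27 16:08:21.
            22 failures have occurred since the last success.
         [DC0] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: DC=uicc0,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2010-04-28 12:47:52.
            The last success occurred at 2010-04-27 16:15:32.
            22 failures have occurred since the last success.
         ......................... DATA5 passed test Replications
      Starting test: Advertising
         Warning: DATA5 is not advertising as a Key Distribution Center.
         ......................... DATA5 failed test Advertising
      Starting test: Services
            kdc Service is stopped on [DATA5]
         ......................... DATA5 failed test Services
"""

# "......................... DATA5 failed test Advertising"
RESULT_RE = re.compile(r"^\s*\.{5,}\s+(\S+) (passed|failed) test (\S+)\s*$")
REPL_RE = re.compile(r"\[Replications Check,([^\]]+)\] A recent replication attempt failed:")
# Fields that follow a replication failure header, one per line.
FIELD_RES = {
    "source": re.compile(r"^\s*From (\S+) to \S+\s*$"),
    "naming_context": re.compile(r"^\s*Naming Context: (\S+)\s*$"),
    "error": re.compile(r"The replication generated an error \((-?\d+)\):"),
    "failed_at": re.compile(r"The failure occurred at ([\d-]+ [\d:]+)\."),
    "last_success": re.compile(r"The last success occurred at ([\d-]+ [\d:]+)\."),
    "failures": re.compile(r"^\s*(\d+) failures have occurred since the last success\."),
}
TS = "%Y-%m-%d %H:%M:%S"


def parse_dcdiag(text):
    """Return per-test results and the individual replication failure records."""
    tests, repl, cur = [], [], None
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            tests.append({"target": m.group(1), "result": m.group(2), "test": m.group(3)})
            cur = None
            continue
        m = REPL_RE.search(line)
        if m:
            cur = {"dest": m.group(1)}
            repl.append(cur)
            continue
        if cur is None:
            continue  # line is not part of a replication failure record
        for name, rx in FIELD_RES.items():
            m = rx.search(line)
            if m:
                cur[name] = m.group(1)
                break
        if "failures" in cur:
            cur = None  # the failure count is the last field of a record
    return {"tests": tests, "replication": repl}


def triage(parsed):
    """Summarise what needs attention, including failures under a 'passed' line."""
    repl = parsed["replication"]
    failed = [(t["target"], t["test"]) for t in parsed["tests"] if t["result"] == "failed"]
    masked = sorted({t["target"] for t in parsed["tests"]
                     if t["test"] == "Replications" and t["result"] == "passed"
                     and any(r["dest"] == t["target"] for r in repl)})
    stale = {}
    for r in repl:
        if {"naming_context", "failed_at", "last_success"} <= r.keys():
            stale[r["naming_context"]] = (datetime.strptime(r["failed_at"], TS)
                                          - datetime.strptime(r["last_success"], TS))
    return {
        "failed_tests": failed,
        "passed_despite_failures": masked,
        "by_error": Counter(int(r["error"]) for r in repl if "error" in r),
        "stale_for": stale,
    }


if __name__ == "__main__":
    for key, value in triage(parse_dcdiag(SAMPLE)).items():
        print(f"{key}: {value}")
```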
Chris Dent, PowerShell Developer, Commented:

That's a little better, thank you. Would you be able to run DCDiag against DC0? Might be best to go to DC0 for that.

Chris
0
diegomirner, Author, Commented:
So, I managed to solve part of the problem. First I will give you a clear idea of the infrastructure, and then what I have done now and what the actual error is on both servers:

So, to leave it clear, the actual infrastructure:

DC0 = DC + GC, DNS (all records; here I managed to uninstall DNS, reinstall it and get all records from DATA5)

DATA5 = DC (operation master) + DNS (all records)

Now, I managed to get back all DNS records on DC0 by reinstalling DNS, making it secondary of DATA5 and copying the zone information from it.

So, actually I am getting the next errors on each server (look at the code I published)

Please help

Event Type:	Error
Event Source:	Kerberos
Event Category:	None
Event ID:	4
Date:		4/28/2010
Time:		1:54:08 PM
User:		N/A
Computer:	DATA5
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/dc0.uicc0.local.  The target name used was cifs/DC0. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (UICC0.LOCAL), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1053
Date:		28/04/2010
Time:		13:42:26
User:		NT AUTHORITY\SYSTEM
Computer:	DC0
Description:
Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted. 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type:	Warning
Event Source:	LSASRV
Event Category:	SPNEGO (Negotiator) 
Event ID:	40960
Date:		28/04/2010
Time:		13:33:03
User:		N/A
Computer:	DC0
Description:
The Security System detected an authentication error for the server cifs/DC0.  The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information.
 (0xc000006d)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0               m..À    


Event Type:	Error
Event Source:	DNS
Event Category:	None
Event ID:	4000
Date:		28/04/2010
Time:		13:40:18
User:		N/A
Computer:	DC0
Description:
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00               -#..    


0
diegomirner, Author, Commented:
Also, here is a copy of the dcdiag on each server DC



C:\WINDOWS\ServicePackFiles\amd64>dcdiag

Domain Controller Diagnosis

Performing initial setup:
  Done gathering initial info.

Doing initial required tests

  Testing server: Frontenex62\DATA5
     Starting test: Connectivity
        ......................... DATA5 passed test Connectivity

Doing primary tests

  Testing server: Frontenex62\DATA5
     Starting test: Replications
        [Replications Check,DATA5] A recent replication attempt failed:
           From DC0 to DATA5
           Naming Context: DC=DomainDnsZones,DC=uicc0,DC=local
           The replication generated an error (1256):
           The remote system is not available. For information about network troubleshooting, see Windows Help.
           The failure occurred at 2010-04-28 13:46:28.
           The last success occurred at 2010-04-27 16:08:21.
           23 failures have occurred since the last success.
        [DC0] DsBindWithSpnEx() failed with error -2146893022,
        The target principal name is incorrect..
        [Replications Check,DATA5] A recent replication attempt failed:
           From DC0 to DATA5
           Naming Context: DC=ForestDnsZones,DC=uicc0,DC=local
           The replication generated an error (1256):
           The remote system is not available. For information about network troubleshooting, see Windows Help.
           The failure occurred at 2010-04-28 13:46:28.
           The last success occurred at 2010-04-27 15:46:27.
           23 failures have occurred since the last success.
        [Replications Check,DATA5] A recent replication attempt failed:
           From DC0 to DATA5
           Naming Context: CN=Schema,CN=Configuration,DC=uicc0,DC=local
           The replication generated an error (-2146893022):
           The target principal name is incorrect.
           The failure occurred at 2010-04-28 13:46:28.
           The last success occurred at 2010-04-27 15:46:27.
           23 failures have occurred since the last success.
        [Replications Check,DATA5] A recent replication attempt failed:
           From DC0 to DATA5
           Naming Context: CN=Configuration,DC=uicc0,DC=local
           The replication generated an error (-2146893022):
           The target principal name is incorrect.
           The failure occurred at 2010-04-28 13:46:28.
           The last success occurred at 2010-04-27 16:07:27.
           23 failures have occurred since the last success.
        [Replications Check,DATA5] A recent replication attempt failed:
           From DC0 to DATA5
           Naming Context: DC=uicc0,DC=local
           The replication generated an error (-2146893022):
           The target principal name is incorrect.
           The failure occurred at 2010-04-28 13:46:28.
           The last success occurred at 2010-04-27 16:15:32.
           23 failures have occurred since the last success.
        REPLICATION-RECEIVED LATENCY WARNING
        DATA5:  Current time is 2010-04-28 13:46:13.
           DC=DomainDnsZones,DC=uicc0,DC=local
              Last replication recieved from DC0 at 2010-04-27 16:08:20.
           DC=ForestDnsZones,DC=uicc0,DC=local
              Last replication recieved from DC0 at 2010-04-27 15:46:27.
           CN=Schema,CN=Configuration,DC=uicc0,DC=local
              Last replication recieved from DC0 at 2010-04-27 15:46:27.
           CN=Configuration,DC=uicc0,DC=local
              Last replication recieved from DC0 at 2010-04-27 16:07:26.
           DC=uicc0,DC=local
              Last replication recieved from DC0 at 2010-04-27 16:15:32.
        ......................... DATA5 passed test Replications
     Starting test: NCSecDesc
        ......................... DATA5 passed test NCSecDesc
     Starting test: NetLogons
        ......................... DATA5 passed test NetLogons
     Starting test: Advertising
        Warning: DATA5 is not advertising as a Key Distribution Center.
        Check that the Directory has started.
        ......................... DATA5 failed test Advertising
     Starting test: KnowsOfRoleHolders
        Warning: DC0 is the Domain Owner, but is not responding to DS RPC Bind.
        [DC0] LDAP bind failed with error 8341,
        A directory service error has occurred..
        Warning: DC0 is the Domain Owner, but is not responding to LDAP Bind.
        Warning: DC0 is the PDC Owner, but is not responding to DS RPC Bind.
        Warning: DC0 is the PDC Owner, but is not responding to LDAP Bind.
        Warning: DC0 is the Rid Owner, but is not responding to DS RPC Bind.
        Warning: DC0 is the Rid Owner, but is not responding to LDAP Bind.
        ......................... DATA5 failed test KnowsOfRoleHolders
     Starting test: RidManager
        ......................... DATA5 failed test RidManager
     Starting test: MachineAccount
        ......................... DATA5 passed test MachineAccount
     Starting test: Services
           kdc Service is stopped on [DATA5]
        ......................... DATA5 failed test Services
     Starting test: ObjectsReplicated
        ......................... DATA5 passed test ObjectsReplicated
     Starting test: frssysvol
        ......................... DATA5 passed test frssysvol
     Starting test: frsevent
        ......................... DATA5 passed test frsevent
     Starting test: kccevent
        ......................... DATA5 passed test kccevent
     Starting test: systemlog
        An Error Event occured.  EventID: 0xC25A001D
           Time Generated: 04/28/2010   12:53:21
           (Event String could not be retrieved)
        An Error Event occured.  EventID: 0x40000005
           Time Generated: 04/28/2010   12:57:34
           Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
        An Error Event occured.  EventID: 0x40000004
           Time Generated: 04/28/2010   12:57:39
           Event String: The kerberos client received a
        An Error Event occured.  EventID: 0x40000005
           Time Generated: 04/28/2010   13:22:49
           Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
        An Error Event occured.  EventID: 0x40000004
           Time Generated: 04/28/2010   13:37:12
           Event String: The kerberos client received a
        An Error Event occured.  EventID: 0x40000004
           Time Generated: 04/28/2010   13:37:12
           Event String: The kerberos client received a
        An Error Event occured.  EventID: 0x40011006
           Time Generated: 04/28/2010   13:46:03
           (Event String could not be retrieved)
        An Error Event occured.  EventID: 0x40000004
           Time Generated: 04/28/2010   13:50:42
           Event String: The kerberos client received a
        An Error Event occured.  EventID: 0x40000004
           Time Generated: 04/28/2010   13:54:08
           Event String: The kerberos client received a
        An Error Event occured.  EventID: 0x40000004
           Time Generated: 04/28/2010   13:56:18
           Event String: The kerberos client received a
        ......................... DATA5 failed test systemlog
     Starting test: VerifyReferences
        ......................... DATA5 passed test VerifyReferences

  Running partition tests on : DomainDnsZones
     Starting test: CrossRefValidation
        ......................... DomainDnsZones passed test CrossRefValidation
     Starting test: CheckSDRefDom
        ......................... DomainDnsZones passed test CheckSDRefDom

  Running partition tests on : ForestDnsZones
     Starting test: CrossRefValidation
        ......................... ForestDnsZones passed test CrossRefValidation
     Starting test: CheckSDRefDom
        ......................... ForestDnsZones passed test CheckSDRefDom

  Running partition tests on : Schema
     Starting test: CrossRefValidation
        ......................... Schema passed test CrossRefValidation
     Starting test: CheckSDRefDom
        ......................... Schema passed test CheckSDRefDom

  Running partition tests on : Configuration
     Starting test: CrossRefValidation
        ......................... Configuration passed test CrossRefValidation
     Starting test: CheckSDRefDom
        ......................... Configuration passed test CheckSDRefDom

  Running partition tests on : uicc0
     Starting test: CrossRefValidation
        ......................... uicc0 passed test CrossRefValidation
     Starting test: CheckSDRefDom
        ......................... uicc0 passed test CheckSDRefDom

  Running enterprise tests on : uicc0.local
     Starting test: Intersite
        ......................... uicc0.local passed test Intersite
     Starting test: FsmoCheck
        ......................... uicc0.local passed test FsmoCheck

C:\WINDOWS\ServicePackFiles\amd64>




C:\WINDOWS\ServicePackFiles\amd64>dcdiag.exe

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Frontenex62\DC0
      Starting test: Connectivity
         ......................... DC0 passed test Connectivity

Doing primary tests

   Testing server: Frontenex62\DC0
      Starting test: Replications
         [Replications Check,DC0] A recent replication attempt failed:
            From DATA5 to DC0
            Naming Context: DC=DomainDnsZones,DC=uicc0,DC=local
            The replication generated an error (1908):
            Win32 Error 1908
            The failure occurred at 2010-04-28 13:37:38.
            The last success occurred at 2010-04-27 16:08:05.
            25 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,DC0] A recent replication attempt failed:
            From DATA5 to DC0
            Naming Context: DC=ForestDnsZones,DC=uicc0,DC=local
            The replication generated an error (1908):
            Win32 Error 1908
            The failure occurred at 2010-04-28 13:37:38.
            The last success occurred at 2010-04-27 15:58:42.
            25 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source DATA5
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         [Replications Check,DC0] A recent replication attempt failed:
            From DATA5 to DC0
            Naming Context: CN=Schema,CN=Configuration,DC=uicc0,DC=local
            The replication generated an error (1908):
            Win32 Error 1908
            The failure occurred at 2010-04-28 13:37:38.
            The last success occurred at 2010-04-27 15:58:41.
            25 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,DC0] A recent replication attempt failed:
            From DATA5 to DC0
            Naming Context: CN=Configuration,DC=uicc0,DC=local
            The replication generated an error (1908):
            Win32 Error 1908
            The failure occurred at 2010-04-28 13:37:38.
            The last success occurred at 2010-04-27 16:07:11.
            25 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,DC0] A recent replication attempt failed:
            From DATA5 to DC0
            Naming Context: DC=uicc0,DC=local
            The replication generated an error (1908):
            Win32 Error 1908
            The failure occurred at 2010-04-28 13:37:38.
            The last success occurred at 2010-04-27 16:16:12.
            25 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         REPLICATION-RECEIVED LATENCY WARNING
         DC0:  Current time is 2010-04-28 13:47:21.
            DC=DomainDnsZones,DC=uicc0,DC=local
               Last replication recieved from DATA5 at 2010-04-27 16:08:05.
            DC=ForestDnsZones,DC=uicc0,DC=local
               Last replication recieved from DATA5 at 2010-04-27 15:58:42.
            CN=Schema,CN=Configuration,DC=uicc0,DC=local
               Last replication recieved from DATA5 at 2010-04-27 15:58:41.
            CN=Configuration,DC=uicc0,DC=local
               Last replication recieved from DATA5 at 2010-04-27 16:07:10.
            DC=uicc0,DC=local
               Last replication recieved from DATA5 at 2010-04-27 16:16:12.
         ......................... DC0 passed test Replications
      Starting test: NCSecDesc
         ......................... DC0 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC0 passed test NetLogons
      Starting test: Advertising
         ......................... DC0 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DC0 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DC0 passed test RidManager
      Starting test: MachineAccount
         The account DC0 is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of DC0 is: 0x81000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... DC0 failed test MachineAccount
      Starting test: Services
         ......................... DC0 passed test Services
      Starting test: ObjectsReplicated
         ......................... DC0 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DC0 passed test frssysvol
      Starting test: frsevent
         ......................... DC0 passed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x80000677
            Time Generated: 04/28/2010   13:38:18
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000466
            Time Generated: 04/28/2010   13:38:18
            (Event String could not be retrieved)
         ......................... DC0 failed test kccevent
      Starting test: systemlog
         ......................... DC0 passed test systemlog
      Starting test: VerifyReferences
         ......................... DC0 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : uicc0
      Starting test: CrossRefValidation
         ......................... uicc0 passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... uicc0 passed test CheckSDRefDom

   Running enterprise tests on : uicc0.local
      Starting test: Intersite
         ......................... uicc0.local passed test Intersite
      Starting test: FsmoCheck
         ......................... uicc0.local passed test FsmoCheck

C:\WINDOWS\ServicePackFiles\amd64>

0
Chris DentPowerShell DeveloperCommented:

This is a bit concerning:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/dc0.uicc0.local

Now it is possible to reset the password DC0 holds on the domain, however we must check for a duplicate account first.

Can you run these please:

dsquery * -Filter "(|(servicePrincipalName=*host/dc0.uicc0.local*)(servicePrincipalName=*cifs/DC0*))"
dsquery computer domainroot -name dc0

If you could run that on both servers, we need to be absolutely sure it only returns DC0 (the Domain Controller) in all cases.

Chris
0
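The duplicate-account check described above, as an added example that is not part of the original thread and not Chris's code. It assumes an LDIF export of the servicePrincipalName attribute (the format ldifde writes); the sample data, including the second DC0 object under CN=Computers, is constructed.

```python
from collections import defaultdict

# Constructed LDIF fragment. The DC0 object under CN=Computers is hypothetical
# and only shows what a duplicate registration would look like.
SAMPLE_LDIF = """\
dn: CN=DC0,OU=Domain Controllers,DC=uicc0,DC=local
changetype: add
servicePrincipalName: HOST/dc0.uicc0.local
servicePrincipalName: HOST/DC0
servicePrincipalName: cifs/DC0

dn: CN=DATA5,OU=Domain Controllers,DC=uicc0,DC=local
changetype: add
servicePrincipalName: HOST/data5.uicc0.local

dn: CN=DC0,CN=Computers,DC=uicc0,DC=local
changetype: add
servicePrincipalName: host/DC0.uicc0.local
"""


def parse_spns(ldif):
    """Map each account DN to its SPNs, unfolding LDIF continuation lines."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # a leading space continues the previous line
        else:
            unfolded.append(line)
    accounts, dn = defaultdict(list), None
    for line in unfolded:
        key, _, value = line.partition(": ")
        if key.lower() == "dn":
            dn = value
        elif key.lower() == "serviceprincipalname" and dn:
            accounts[dn].append(value)
    return dict(accounts)


def duplicate_spns(accounts):
    """SPNs, compared case-insensitively, that more than one account holds."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in duplicate_spns(parse_spns(SAMPLE_LDIF)).items():
        print(f"{spn} is registered on {len(dns)} accounts:")
        for dn in dns:
            print("   ", dn)
```

An empty result is the state the thread wants to confirm before resetting the machine account password: every SPN maps to exactly one account.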
diegomirnerAuthor Commented:
Yep, I got DC0 on both servers.

0
Chris DentPowerShell DeveloperCommented:
Since DNS is tentatively working, would you run:

nslookup dc0
nslookup 192.168.92.2

I'm assuming the second is the current IP for dc0, if not, please correct it for the test.

Thanks,

Chris
0
diegomirnerAuthor Commented:
Nope, it's like this:

DC0 = 192.168.91.20
DATA5: 192.168.91.2

And by the way, I managed to transfer from data5 to dc0 the zones:

uicc0.local
_msdcs.uicc0.local

and I have also just done the same for the reverse lookup zone.

I just tried to run dcdiag from dc0, but I get access denied.
0
diegomirnerAuthor Commented:
I managed to run dcdiag from data5; I'm attaching the content.


dsquery * -Filter "(|(servicePrincipalName=*host/dc0.uicc0.local*)(servicePrincipalName=*cifs/DC0*))"
dsquery computer domainroot -name dc0

0
diegomirnerAuthor Commented:
Sorry, here is the dcdiag output of data5:
C:\WINDOWS\ServicePackFiles\amd64>dcdiag.exe

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Frontenex62\DATA5
      Starting test: Connectivity
         ......................... DATA5 passed test Connectivity

Doing primary tests

   Testing server: Frontenex62\DATA5
      Starting test: Replications
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: DC=DomainDnsZones,DC=uicc0,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2010-04-28 13:47:47.
            The last success occurred at 2010-04-27 16:08:21.
            24 failures have occurred since the last success.
         [DC0] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: DC=ForestDnsZones,DC=uicc0,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2010-04-28 13:47:47.
            The last success occurred at 2010-04-27 15:46:27.
            24 failures have occurred since the last success.
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: CN=Schema,CN=Configuration,DC=uicc0,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-04-28 13:47:47.
            The last success occurred at 2010-04-27 15:46:27.
            24 failures have occurred since the last success.
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: CN=Configuration,DC=uicc0,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-04-28 13:47:47.
            The last success occurred at 2010-04-27 16:07:27.
            24 failures have occurred since the last success.
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: DC=uicc0,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-04-28 13:47:47.
            The last success occurred at 2010-04-27 16:15:32.
            24 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         DATA5:  Current time is 2010-04-28 14:25:19.
            DC=DomainDnsZones,DC=uicc0,DC=local
               Last replication recieved from DC0 at 2010-04-27 16:08:20.
            DC=ForestDnsZones,DC=uicc0,DC=local
               Last replication recieved from DC0 at 2010-04-27 15:46:27.
            CN=Schema,CN=Configuration,DC=uicc0,DC=local
               Last replication recieved from DC0 at 2010-04-27 15:46:27.
            CN=Configuration,DC=uicc0,DC=local
               Last replication recieved from DC0 at 2010-04-27 16:07:26.
            DC=uicc0,DC=local
               Last replication recieved from DC0 at 2010-04-27 16:15:32.
         ......................... DATA5 passed test Replications
      Starting test: NCSecDesc
         ......................... DATA5 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DATA5 passed test NetLogons
      Starting test: Advertising
         Warning: DATA5 is not advertising as a Key Distribution Center.
         Check that the Directory has started.
         ......................... DATA5 failed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: DC0 is the Domain Owner, but is not responding to DS RPC Bind.
         [DC0] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: DC0 is the Domain Owner, but is not responding to LDAP Bind.
         Warning: DC0 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: DC0 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: DC0 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: DC0 is the Rid Owner, but is not responding to LDAP Bind.
         ......................... DATA5 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DATA5 failed test RidManager
      Starting test: MachineAccount
         ......................... DATA5 passed test MachineAccount
      Starting test: Services
            kdc Service is stopped on [DATA5]
         ......................... DATA5 failed test Services
      Starting test: ObjectsReplicated
         ......................... DATA5 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DATA5 passed test frssysvol
      Starting test: frsevent
         ......................... DATA5 passed test frsevent
      Starting test: kccevent
         ......................... DATA5 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 04/28/2010   13:37:12
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 04/28/2010   13:37:12
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40011006
            Time Generated: 04/28/2010   13:46:03
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 04/28/2010   13:50:42
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 04/28/2010   13:54:08
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 04/28/2010   13:56:18
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 04/28/2010   13:57:43
            Event String: The kerberos client received a
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 04/28/2010   13:59:54
            Event String: The kerberos client received a
         ......................... DATA5 failed test systemlog
      Starting test: VerifyReferences
         ......................... DATA5 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : uicc0
      Starting test: CrossRefValidation
         ......................... uicc0 passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... uicc0 passed test CheckSDRefDom

   Running enterprise tests on : uicc0.local
      Starting test: Intersite
         ......................... uicc0.local passed test Intersite
      Starting test: FsmoCheck
         ......................... uicc0.local passed test FsmoCheck

C:\WINDOWS\ServicePackFiles\amd64>

0
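A triage pass over the two dcdiag runs posted above (DC0 and DATA5), as an added example that is not part of the original thread. The sample is constructed from lines abridged from those runs; the function names are this example's own.

```python
import re

# Constructed sample: lines abridged from the two dcdiag runs posted in this thread.
SAMPLE = """\
      Starting test: Replications
         [Replications Check,DC0] A recent replication attempt failed:
            From DATA5 to DC0
            Naming Context: DC=uicc0,DC=local
            The replication generated an error (1908):
         ......................... DC0 passed test Replications
      Starting test: MachineAccount
         Warning:  Attribute userAccountControl of DC0 is: 0x81000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
         ......................... DC0 failed test MachineAccount
      Starting test: Replications
         [Replications Check,DATA5] A recent replication attempt failed:
            From DC0 to DATA5
            Naming Context: DC=uicc0,DC=local
            The replication generated an error (-2146893022):
         ......................... DATA5 passed test Replications
         ......................... DATA5 failed test Services
"""

UAC_FLAGS = {0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
             0x2000: "UF_SERVER_TRUST_ACCOUNT",
             0x80000: "UF_TRUSTED_FOR_DELEGATION"}
RESULT = re.compile(r"\.{5,} (\S+) (passed|failed) test (\S+)")
REPL_FROM = re.compile(r"From (\S+) to (\S+)")
REPL_NC = re.compile(r"Naming Context: (\S+)")
REPL_ERR = re.compile(r"The replication generated an error \((-?\d+)\)")
UAC = re.compile(r"userAccountControl of (\S+) is: (0x[0-9A-Fa-f]+)")

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def as_unsigned_hex(code):
    """dcdiag prints SSPI errors as signed 32-bit integers; show them as hex."""
    return f"0x{code & 0xFFFFFFFF:08X}"

def triage(text):
    """Return (failed tests, replication failures, accounts lacking the DC flag)."""
    failed, repl, bad_accounts, current = [], [], [], None
    for line in text.splitlines():
        if m := RESULT.search(line):
            if m.group(2) == "failed":
                failed.append((m.group(1), m.group(3)))
        elif m := REPL_FROM.search(line):
            current = {"source": m.group(1), "dest": m.group(2)}
            repl.append(current)  # listed even when the test line says "passed"
        elif current and (m := REPL_NC.search(line)):
            current["nc"] = m.group(1)
        elif current and (m := REPL_ERR.search(line)):
            current["error"] = int(m.group(1))
        elif m := UAC.search(line):
            flags = decode_uac(int(m.group(2), 16))
            if "UF_SERVER_TRUST_ACCOUNT" not in flags:
                bad_accounts.append((m.group(1), flags))
    return failed, repl, bad_accounts

if __name__ == "__main__":
    failed, repl, bad_accounts = triage(SAMPLE)
    print("failed tests:", failed, "| not a DC account:", bad_accounts)
    for r in repl:
        print(f"{r['source']} -> {r['dest']} {r['nc']}: {as_unsigned_hex(r['error'])}")
```

Both runs report "passed test Replications" while listing failures for every naming context, so the replication entries are collected independently of the pass/fail line.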
Chris DentPowerShell DeveloperCommented:

How many DCs do you have? Just the two?

> And by the way, I managed to transfer from data5 to dc0 the zones:

This shouldn't have been necessary, but I'm quite happy as long as that component works.

DC0 clearly needs the most attention. The most common causes for the error you have are:

1. Duplicate account (as suggested in the error message)
2. Name / IP are resolving to a different host

Did you get a chance to run the two nslookup commands to see what they return for DC0?

Chris
0
diegomirnerAuthor Commented:
So, here is the output:

from data5 :
C:\WINDOWS\ServicePackFiles\amd64>nslookup dc0
Server:  data5.uicc0.local
Address:  192.168.91.2

Name:    dc0.uicc0.local
Address:  192.168.91.20

from dc0:
same output

Just some additions:

I found out that in DC0 we are missing OUs like System and others, but data5 has all.

So why not make data5 a GC and also give it the master role, then uninstall the DC role from dc0 and reinstall it?
Good idea?
0
Chris DentPowerShell DeveloperCommented:

> I found out that in DC0 we are missing OUs like System and others, but data5 has all.

I suspect that's nothing more than View / Advanced Features in AD Users and Computers. System, etc, are not visible by default.

> Good idea?

It's certainly a faster idea, and it's why I was curious how many DCs you have. If you're in a rush to get this fixed it would potentially give you a quicker path.

These are the steps I would take in that instance:

Very first step: Take a System State backup of both DCs (if you can). You need a way back, even if the way back is to a broken domain; you certainly don't want to end up with an even-more-broken domain.

1. Make Data5 a GC (as you have above)
2. Turn off DC0 (no demotion yet)
3. Check that your domain is still operational, check that the only problems logged (Event Viewer) are communication with DC0

If the domain is operational you can move onto:

4. Seize FSMO roles (best described here: http://www.petri.co.il/seizing_fsmo_roles.htm)
5. Manually remove DC0 from AD (refer to: http://technet.microsoft.com/en-us/library/cc736378%28WS.10%29.aspx)
6. Verify the domain state: Check all logs, and run DCDiag and NetDiag

Do not turn DC0 back on unless you unplug it from the network. Rebuild it, rejoin it to the domain, then promote it again if you need it back on-line as a Domain Controller.

When it comes to rebuilding, if you can, give DC0 a different name. It shouldn't make the slightest bit of difference but it's nice to have clear lines drawn between old and new.

Chris
0

diegomirnerAuthor Commented:
I managed to change the server config, so now all my servers point to 192.168.91.2 as DNS.

But I seem to have a problem on data5:

when I open the DNS console, it tries to connect to DC0 instead of itself.
Any idea?
0
diegomirnerAuthor Commented:
Hope you can help.

So, I managed to solve the DNS console issue.

On the same server I'm getting a 1219 system error when I try to log on with the domain admin credential, which is refused, but I managed to log on with the local admin. Any idea how to solve this?
I also have a problem with the Exchange 2007 server; will look at that later.
0
Chris DentPowerShell DeveloperCommented:

> when I try to log on with the domain admin credential, which is refused, but I managed to log on with the local admin

I thought Data5 was a Domain Controller? Unless you booted into Directory Services Restore Mode there's no such thing as Domain Admin.

What changes have you made so far? Only the DNS server?

Chris
0