Solved

DNS not working and AD users can't login.  Any DNS experts out there??

Posted on 2010-08-19
Last Modified: 2012-05-10
Ok, so my original plan was to demote this server and promote it but it won't let me demote!! It says it can't find the domain.  I have 3 DCs all on one domain.  Everything was working fine until the primary domain controller ran out of space on the C: drive and that's where all my problems started.  I made some room so now there's plenty of free space.  After running a DCDIAG /TEST:DNS, I confirmed that I'm having DNS issues.  My forward zones disappeared and I can't recreate them.  Here are the results of that test:

C:\Documents and Settings\administrator.GUSD>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\GUSD1
      Starting test: Connectivity
         The host 2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales.k12.ca.us)
         couldn't be resolved, the server name (GUSD1.gonzales.k12.ca.us)
         resolved to the IP address (172.16.47.8) and was pingable.  Check that
         the IP address is registered correctly with the DNS server.
         ......................... GUSD1 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\GUSD1

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : gonzales

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: DNS
         Test results for domain controllers:

            DC: GUSD1.gonzales.k12.ca.us
            Domain: gonzales.k12.ca.us


               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Warning: adapter [00000007] Broadcom BCM5708C NetXtreme II Gig
E (NDIS VBD Client) has invalid DNS server: 172.16.47.8 (<name unavailable>)
                  Error: all DNS servers are invalid
                  Error: The A record for this DC was not found
                  Warning: The Active Directory zone on this DC/DNS server was n
ot found (probably a misconfiguration)

            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network a
dapters

         Summary of test results for DNS servers used by the above domain contro
llers:

            DNS server: 172.16.47.8 (<name unavailable>)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.gonzales.k12.ca.us.
 failed on the DNS server 172.16.47.8

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: gonzales.k12.ca.us
               GUSD1                        PASS FAIL PASS n/a  PASS FAIL n/a

         ......................... gonzales.k12.ca.us failed test DNS


PLEASE help, i'm desperate!!!  The kids just started school and they can't login :(
0
Question by:rj831
60 Comments
 
LVL 4

Expert Comment

by:Jamie_Wilson
ID: 33480853
Do you have a dns suffix set on the connection?
0
 

Author Comment

by:rj831
ID: 33480867
DNS suffix?  Well, when it was working, it was set as GUSD1.gonzales.k12.ca.us.
0
 
LVL 117
ID: 33480893
okay, check the replication between domain controllers, repadmin /replsum, install from the resource kit, let's see what's happening here, it looks like one DC is causing issues.
0
 
LVL 117
ID: 33480900
anything in the event logs of the DC's? Replication issues?
0
 
LVL 117
ID: 33480921
i'd also like to understand the topology, three DC's, what roles are on each etc

Until the Primary Domain Controller? do you mean the DC holding the PDC emulator role?
0
 
LVL 117
ID: 33480927
what's the state of the disk on the server now? do you have system state backups?
0
 
LVL 117
ID: 33480939

Try repadmin /showrepl * /csv > c:\repadmin.csv

Open this up in Excel and hopefully you will find some error info
0
 
LVL 117
ID: 33480954
follow this article as well

http://support.microsoft.com/kb/321046
0
 

Author Comment

by:rj831
ID: 33480976
hanccocka, it is just one server that's causing the issue and it's the primary.  the other two are fine ( i can see the zones on those servers).  The primary doesn't look like it's replicating with the other two. The other two are talking just fine between themselves.  I'll run that tool right now!  Yes, event logs are giving me errors : 4000, 4007, 4015  (all DNS errors).
0
 

Author Comment

by:rj831
ID: 33481000
I ran that DNSlint test and it came up with: "DNSLint will attempt to verify the
DNS entries used in AD replication

Using 169.254.32.1 for LDAP
Starting with 169.254.10.22 for DNS

This process may take several minutes to complete.........
LDAP query to speficied LDAP server on TCP port 389 failed
Server Down


LDAP query to speficied LDAP server on TCP port 389 failed
LDAP server specified appears to be down

Specify a different LDAP server and run the command again"
0
 
LVL 117
ID: 33481010
there is no primary domain controller in an AD environment, do you mean the DC which holds the PDC emulator role?

does the BAD DC contain any data or other network roles, because if it's not working correctly or replicating, I'd seize the roles and transfer them to the other DCs, and then turn off that DC.
0
 
LVL 117
ID: 33481013
and make sure you do not connect back to network.
0
 

Author Comment

by:rj831
ID: 33481014
Also ran that tool you talked about and got this:  C:\Documents and Settings\administrator.GUSD>repadmin /showrepl * /csv > c:\repa
dmin.csv
[d:\nt\ds\ds\src\util\repadmin\repbind.c, 154] LDAP error 81 (Server Down) Win32
 Err 58.
[d:\nt\ds\ds\src\util\repadmin\repbind.c, 154] LDAP error 81 (Server Down) Win32
 Err 58.
0
 
LVL 117

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE)
Andrew Hancock (VMware vExpert / EE MVE) earned 500 total points
ID: 33481018
http://support.microsoft.com/kb/255504 good article here to follow, and this works, I had a DC go bad, because it had been off for several days (failed) and never replicated again properly. and I couldn't demote it using dcpromo!
0
 
LVL 117
ID: 33481025
run it on the other DCs not the bad one.
0
 
LVL 117
ID: 33481029
and post the contents of the CSV here
0
 

Author Comment

by:rj831
ID: 33481032
Well, the server with issues is the first I set up on AD which makes it the schema master? if i'm not mistaken. That's what i meant by primary
:)

0
 
LVL 117
ID: 33481052
okay, so it probably has all the roles defined. Okay Primary = First DC in your site!

does it perform any other roles other than DC?

DHCP, DNS (probably does this), File Server, Print Server, ISA etc....

i would transfer ALL the AD roles this server has to other servers.

FSMO, Schema, Domain Naming Master, PDC, RID, Infrastructure, and GC

to other servers.
0
 

Author Comment

by:rj831
ID: 33481107
Ran this on my working server:  C:\Program Files\Support Tools>repadmin /showrepl * /csv > c:\repadmin.csv
[d:\nt\ds\ds\src\util\repadmin\repbind.c, 154] LDAP error 81 (Server Down) Win32
 Err 58.
[d:\nt\ds\ds\src\util\repadmin\repbind.c, 154] LDAP error 81 (Server Down) Win32
 Err 58.
0
 

Author Comment

by:rj831
ID: 33481114
AD is brand new at our district and all we had were students authenticating so they can save their stuff to folders.  How do I transfer all of that over? So whichever server I transfer all this stuff to would be our new schema master right?  So how do I take down the other server? lol...I still can't demote it :/
0
 
LVL 117

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE) earned 500 total points
ID: 33481195
you don't demote the bad server. It looks like it's stuffed (technical term!).

you seize the roles from it using ntdsutil, see Microsoft Technet Article above, and the new server you transfer the roles to becomes the new FSMO, Schema, Domain Naming Master, PDC, RID, Infrastructure, and GC.

once this is done, your AD should be working again correctly, and users should be able to authenticate.

then you shutdown this server and rebuild, in the future, if you need it to be a DC again, use dcpromo etc.

But before you shutdown and rebuild, you need to ensure it doesn't perform any useful roles, like file server, print server, dhcp etc DNS should be running on the other two servers correct?

where are the folders stored and shared?

(interesting we also had the same issue at a school!)


0
 
LVL 117
ID: 33481203
can you do a dcdiag /v on all three DCs and post here, i'd attach them as text files
0
 
LVL 117
ID: 33481209
do you have firewalls enabled by any chance?
0
 

Author Comment

by:rj831
ID: 33481418
Thanks for your help man, i appreciate it!! I already left work but i'll post those text files first thing tomorrow.
0
 

Author Comment

by:rj831
ID: 33481427
Also, no firewalls are in place.  :)
0
 
LVL 117
ID: 33481432
okay, no problems, we usually work through the night on these issues. he he!
0
 

Author Comment

by:rj831
ID: 33486615
I'm back with a vengeance!!!

dcdiag /v for all 3 servers:


GUSD1:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine GUSD1, is a DC.
   * Connecting to directory service on server GUSD1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\GUSD1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales.k12.ca.us)
         couldn't be resolved, the server name (GUSD1.gonzales.k12.ca.us)
         resolved to the IP address (172.16.47.8) and was pingable.  Check that
         the IP address is registered correctly with the DNS server.
         ......................... GUSD1 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\GUSD1
      Skipping all tests, because server GUSD1 is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         PDC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         Time Server Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         KDC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         ......................... gonzales.k12.ca.us passed test FsmoCheck
      Test omitted by user request: DNS

GUSD2:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine GUSD2, is a DC.
   * Connecting to directory service on server GUSD2.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\GUSD2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 1cc4025f-8eee-4211-a01e-0e8557630489._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (1cc4025f-8eee-4211-a01e-0e8557630489._msdcs.gonzales.k12.ca.us)
         couldn't be resolved, the server name (GUSD2.gonzales.k12.ca.us)
         resolved to the IP address (172.16.47.4) and was pingable.  Check that
         the IP address is registered correctly with the DNS server.
         ......................... GUSD2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\GUSD2
      Skipping all tests, because server GUSD2 is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Time Server Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         Preferred Time Server Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         KDC Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         ......................... gonzales.k12.ca.us failed test FsmoCheck
      Test omitted by user request: DNS

GUSD3:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine GUSD3, is a DC.
   * Connecting to directory service on server GUSD3.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\GUSD3
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host a822b2c4-659c-48d9-9aa8-8a6bbe194cb4._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (a822b2c4-659c-48d9-9aa8-8a6bbe194cb4._msdcs.gonzales.k12.ca.us)
         couldn't be resolved, the server name (GUSD3.gonzales.k12.ca.us)
         resolved to the IP address (172.16.47.28) and was pingable.  Check
         that the IP address is registered correctly with the DNS server.
         ......................... GUSD3 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\GUSD3
      Skipping all tests, because server GUSD3 is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Time Server Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         Preferred Time Server Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         KDC Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         ......................... gonzales.k12.ca.us failed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

0
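An added example, not part of the original thread: a small Python triage script that pulls the failing tests, unresolved GUID `_msdcs` names and locator failures out of `dcdiag /v` output pasted for several DCs. The sample text is constructed (abbreviated from the output above), `parse_runs` and `triage` are hypothetical helper names, and the "shared DNS server" note is a heuristic.

```python
import re

# Constructed sample: abbreviated from the dcdiag /v output posted above, three
# runs pasted one after another. The lines starting with a single space mimic
# the 80-column console wrap seen in the thread.
SAMPLE = r"""
Domain Controller Diagnosis

   Testing server: Default-First-Site-Name\GUSD1
      Starting test: Connectivity
         The host 2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         ......................... GUSD1 failed test Connectivity
      Starting test: FsmoCheck
         PDC Name: \\GUSD1.gonzales.k12.ca.us
         ......................... gonzales.k12.ca.us passed test FsmoCheck

Domain Controller Diagnosis

   Testing server: Default-First-Site-Name\GUSD2
      Starting test: Connectivity
         The host 1cc4025f-8eee-4211-a01e-0e8557630489._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         ......................... GUSD2 failed test Connectivity
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         ......................... gonzales.k12.ca.us failed test FsmoCheck

Domain Controller Diagnosis

   Testing server: Default-First-Site-Name\GUSD3
      Starting test: Connectivity
         The host a822b2c4-659c-48d9-9aa8-8a6bbe194cb4._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         ......................... GUSD3 failed test Connectivity
      Starting test: FsmoCheck
         GC Name: \\GUSD3.gonzales.k12.ca.us
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         ......................... gonzales.k12.ca.us failed test FsmoCheck
"""

RUN_HEADER = re.compile(r"Domain Controller Diagnosis[ \t]*$", re.M)
SERVER = re.compile(r"Testing server:\s+[^\\\s]+\\(\S+)")
VERDICT = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")
# \s+ between the name and "could not" absorbs the console line wrap.
GUID_NAME = re.compile(
    r"The host\s+([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\._msdcs\.\S+)"
    r"\s+could not be resolved", re.I)
LOCATOR = re.compile(r"DcGetDcName\((\w+)\) call failed, error (\d+)")


def parse_runs(text):
    """Split pasted output into one report per dcdiag run."""
    reports = []
    for chunk in RUN_HEADER.split(text):
        server = SERVER.search(chunk)
        if not server:
            continue  # text before the first run header
        reports.append({
            "dc": server.group(1),
            "failed": [(subject, test)
                       for subject, verdict, test in VERDICT.findall(chunk)
                       if verdict == "failed"],
            "unresolved_guid": [n.lower() for n in GUID_NAME.findall(chunk)],
            "locator_failures": [(flag, int(code))
                                 for flag, code in LOCATOR.findall(chunk)],
        })
    return reports


def triage(reports):
    """Turn per-DC reports into short notes, most general finding first."""
    notes = []
    blind = [r["dc"] for r in reports if r["unresolved_guid"]]
    if len(reports) > 1 and len(blind) == len(reports):
        # Heuristic: the same failure on every DC points at what they share.
        notes.append("all DCs fail to resolve their GUID name under _msdcs: "
                     "check the DNS server and zone they share before blaming one DC")
    else:
        notes += [f"{dc}: GUID name under _msdcs does not resolve" for dc in blind]
    for r in reports:
        for flag, code in r["locator_failures"]:
            notes.append(f"{r['dc']}: locator call {flag} failed with error {code}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_runs(SAMPLE)):
        print(note)
```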
 

Author Comment

by:rj831
ID: 33486656
GUSD1 is the one with all the problems which is the schema master.  The student folders are on GUSD3 which is our newest server.
0
 
LVL 117
ID: 33486721
which servers are hosting DNS?

I assume that GUSD1 is a DNS server, and the other servers GUSD2, GUSD3 have it in their config as the Primary DNS?
0
 

Author Comment

by:rj831
ID: 33486815
YES you are correct.   GUSD1 is pointing to itself and the other 2 are pointing to GUSD1.
0

 
LVL 117
ID: 33487055
ah, this is not quite correct for an AD install, and I don't set them up like that.

GUSD1 DNS setup

Primary DNS 127.0.0.1 (or 172.16.47.8)
Secondary DNS 172.16.47.4
Tertiary DNS 172.16.47.28

GUSD2 DNS setup

Primary DNS 127.0.0.1 (or 172.16.47.8)
Secondary DNS 172.16.47.4
Tertiary DNS 172.16.47.28

GUSD3 DNS setup

Primary DNS 127.0.0.1 (or 172.16.47.28 172.16.47.8)
Secondary DNS 172.16.47.4
Tertiary DNS 172.16.47.8

anyway, each DC should refer to itself in DNS as the primary, whether you need to have a third published (up to you), always a good idea to have a spare updating, just in case you need to replace.

but as GUSD1 is foo baa, I think I would be inclined to remove it from the DNS for the moment, get DNS working on GUSD2 and GUSD3, drop GUSD1 DNS.

re-run dcdiag /v test to get DNS working correctly. and then we will proceed with seizure.

DNS is started and running on them ALL?

0
 

Author Comment

by:rj831
ID: 33487210
Ok, how do I get DNS going on the other 2? I believe DNS is running on all of them.  I attached some screenshots of GUSD2 and GUSD3
GUSD2-DNS.JPG
GUSD3-DNS.JPG
0
 

Author Comment

by:rj831
ID: 33487220
So I should remove DNS COMPLETELY from GUSD1?
0
 
LVL 117
ID: 33487332
don't change anything on GUSD1 at present.

DNS is running on GUSD2 and GUSD3, so just change the network settings on GUSD2 and GUSD3, you may want to wait for some downtime to do this, because changing network settings often blips the network interface, if you've got clients accessing each server GUSD2 and GUSD3.
0
 

Author Comment

by:rj831
ID: 33487424
Ok, yeah I'll have to wait for about 1.5 hours for this.  What network settings shall I change?
0
 
LVL 117
ID: 33487534
--> DNS <--
0
 

Author Comment

by:rj831
ID: 33487607
So since I'm moving everything to GUSD3, GUSD3 should be the new primary DNS and GUSD 2 will be secondary DNS?   SOOO GUSD3 will be pointing to itself with GUSD2 as secondary DNS.  GUSD2 server will be pointing to GUSD3 as primary and itself as secondary.  Right? Sorry i'm a total noobie at this. :/
0
 
LVL 117
ID: 33487790
try to forget primaries, secondaries and tertiaries.

Everything should be master and backup, so all servers AD and DNS, will contain the same information.

Correct in your case.
0
 

Author Comment

by:rj831
ID: 33488591
Ok, so I totally took DNS off of GUSD1  (removed through Add/Remove Programs).  And made the network changes on GUSD2 and GUSD3.  Here are the dcdiag /v results.

GUSD1:  Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine GUSD1, is a DC.
   * Connecting to directory service on server GUSD1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\GUSD1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales.k12.ca.us)
         couldn't be resolved, the server name (GUSD1.gonzales.k12.ca.us)
         resolved to the IP address (172.16.47.8) and was pingable.  Check that
         the IP address is registered correctly with the DNS server.
         ......................... GUSD1 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\GUSD1
      Skipping all tests, because server GUSD1 is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         PDC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         Time Server Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         KDC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         ......................... gonzales.k12.ca.us passed test FsmoCheck
      Test omitted by user request: DNS


GUSD2:  (couldn't get all results)

            NumberOfParameters is 1
            Unicode string: 2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales
.k12.ca.us
         [GUSD3] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Printing RPC Extended Error Info:
         Error Record 1, ProcessID is 3592 (DcDiag)
            System Time is: 8/20/2010 19:53:50:693
            Generating component is 8 (winsock)
            Status is 1722: The RPC server is unavailable.
            Detection location is 322
         Error Record 2, ProcessID is 3592 (DcDiag)
            System Time is: 8/20/2010 19:53:50:693
            Generating component is 8 (winsock)
            Status is 11001: No such host is known.
            Detection location is 320
            NumberOfParameters is 1
            Unicode string: a822b2c4-659c-48d9-9aa8-8a6bbe194cb4._msdcs.gonzales
.k12.ca.us
         [Replications Check,GUSD2] A recent replication attempt failed:
            From GUSD1 to GUSD2
            Naming Context: DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2010-08-20 12:51:58.
            The last success occurred at 2010-08-13 17:51:43.
            184 failures have occurred since the last success.
         [Replications Check,GUSD2] A recent replication attempt failed:
            From GUSD1 to GUSD2
            Naming Context: CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,
DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:51:58.
            The last success occurred at 2010-08-13 17:51:43.
            163 failures have occurred since the last success.
         [Replications Check,GUSD2] A recent replication attempt failed:
            From GUSD1 to GUSD2
            Naming Context: CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:51:58.
            The last success occurred at 2010-08-13 17:51:43.
            165 failures have occurred since the last success.
         [Replications Check,GUSD2] A recent replication attempt failed:
            From GUSD1 to GUSD2
            Naming Context: DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:51:58.
            The last success occurred at 2010-08-13 17:53:16.
            4285 failures have occurred since the last success.
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         GUSD2:  Current time is 2010-08-20 12:53:50.
            DC=ForestDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 04:12:40.
         ......................... GUSD2 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC GUSD2.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=gonzales,DC=k12,DC=ca,DC=us
            (Domain,Version 2)
         ......................... GUSD2 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\GUSD2\netlogon
         Verified share \\GUSD2\sysvol
         ......................... GUSD2 passed test NetLogons
      Starting test: Advertising
         The DC GUSD2 is advertising itself as a DC and having a DS.
         The DC GUSD2 is advertising as an LDAP server
         The DC GUSD2 is advertising as having a writeable directory
         The DC GUSD2 is advertising as a Key Distribution Center
         The DC GUSD2 is advertising as a time server
         ......................... GUSD2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Schema Owner, but is not responding to DS RPC Bin
d.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         [GUSD1] LDAP search failed with error 58,
         The specified server cannot perform the requested operation..
         Warning: GUSD1 is the Schema Owner, but is not responding to LDAP Bind.

         Role Domain Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Domain Owner, but is not responding to DS RPC Bin
d.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Domain Owner, but is not responding to LDAP Bind.

         Role PDC Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the PDC Owner, but is not responding to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the PDC Owner, but is not responding to LDAP Bind.
         Role Rid Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Rid Owner, but is not responding to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Rid Owner, but is not responding to LDAP Bind.
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers
,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,D
C=us
         Warning: GUSD1 is the Infrastructure Update Owner, but is not respondin
g to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Infrastructure Update Owner, but is not respondin
g to LDAP Bind.
         ......................... GUSD2 failed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 3613 to 1073741823
         * GUSD1.gonzales.k12.ca.us is the RID Master
         ......................... GUSD2 failed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC GUSD2 on DC GUSD2.
         * SPN found :LDAP/GUSD2.gonzales.k12.ca.us/gonzales.k12.ca.us
         * SPN found :LDAP/GUSD2.gonzales.k12.ca.us
         * SPN found :LDAP/GUSD2
         * SPN found :LDAP/GUSD2.gonzales.k12.ca.us/GUSD
         * SPN found :LDAP/1cc4025f-8eee-4211-a01e-0e8557630489._msdcs.gonzales.
k12.ca.us
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/1cc4025f-8eee-4211-a0
1e-0e8557630489/gonzales.k12.ca.us
         * SPN found :HOST/GUSD2.gonzales.k12.ca.us/gonzales.k12.ca.us
         * SPN found :HOST/GUSD2.gonzales.k12.ca.us
         * SPN found :HOST/GUSD2
         * SPN found :HOST/GUSD2.gonzales.k12.ca.us/GUSD
         * SPN found :GC/GUSD2.gonzales.k12.ca.us/gonzales.k12.ca.us
         ......................... GUSD2 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... GUSD2 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         GUSD2 is in domain DC=gonzales,DC=k12,DC=ca,DC=us
         Checking for CN=GUSD2,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC
=us in domain DC=gonzales,DC=k12,DC=ca,DC=us on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=GUSD2,CN=Servers,CN=Default-First-Site
-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us in domain CN=Conf
iguration,DC=gonzales,DC=k12,DC=ca,DC=us on 1 servers
            Object is up-to-date on all servers.
         ......................... GUSD2 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... GUSD2 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 08/20/2010   12:49:10
            (Event String could not be retrieved)
         ......................... GUSD2 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minut
es.
         ......................... GUSD2 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 08/20/2010   12:51:58
            Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/gusd1.gonzales.k12.ca.us.  The target name
used was . This indicates that the password used
to encrypt the kerberos service ticket is
different than that on the target server.
Commonly, this is due to identically named
machine accounts in the target realm
(GONZALES.K12.CA.US), and the client realm.
Please contact your system administrator.
         ......................... GUSD2 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=GUSD2,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC=us and
         backlink on
         CN=GUSD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=gonzales,DC=k12,DC=ca,DC=us
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=GUSD2,CN=Domain System Volume (SYSVOL share),CN=File Replication Ser
vice,CN=System,DC=gonzales,DC=k12,DC=ca,DC=us
         and backlink on
         CN=GUSD2,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC=us are
         correct.
         The system object reference (serverReferenceBL)
         CN=GUSD2,CN=Domain System Volume (SYSVOL share),CN=File Replication Ser
vice,CN=System,DC=gonzales,DC=k12,DC=ca,DC=us
         and backlink on
         CN=NTDS Settings,CN=GUSD2,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         are correct.
         ......................... GUSD2 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Time Server Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         Preferred Time Server Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         KDC Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         ......................... gonzales.k12.ca.us failed test FsmoCheck
      Test omitted by user request: DNS


GUSD3:    (couldn't get all either)

         The RPC server is unavailable..
         Printing RPC Extended Error Info:
         Error Record 1, ProcessID is 5004 (DcDiag)
            System Time is: 8/20/2010 19:57:21:452
            Generating component is 8 (winsock)
            Status is 1722: The RPC server is unavailable.
            Detection location is 322
         Error Record 2, ProcessID is 5004 (DcDiag)
            System Time is: 8/20/2010 19:57:21:452
            Generating component is 8 (winsock)
            Status is 11001: No such host is known.
            Detection location is 320
            NumberOfParameters is 1
            Unicode string: 2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales
.k12.ca.us
         [Replications Check,GUSD3] A recent replication attempt failed:
            From GUSD1 to GUSD3
            Naming Context: DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2010-08-20 12:50:29.
            The last success occurred at 2010-08-14 03:52:34.
            166 failures have occurred since the last success.
         [Replications Check,GUSD3] A recent replication attempt failed:
            From GUSD1 to GUSD3
            Naming Context: CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,
DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:50:29.
            The last success occurred at 2010-08-14 03:52:34.
            154 failures have occurred since the last success.
         [Replications Check,GUSD3] A recent replication attempt failed:
            From GUSD1 to GUSD3
            Naming Context: CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:50:29.
            The last success occurred at 2010-08-14 03:52:34.
            155 failures have occurred since the last success.
         [Replications Check,GUSD3] A recent replication attempt failed:
            From GUSD1 to GUSD3
            Naming Context: DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:50:29.
            The last success occurred at 2010-08-14 04:12:40.
            4110 failures have occurred since the last success.
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         GUSD3:  Current time is 2010-08-20 12:57:21.
            DC=ForestDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 04:12:40.
         ......................... GUSD3 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC GUSD3.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=gonzales,DC=k12,DC=ca,DC=us
            (Domain,Version 2)
         ......................... GUSD3 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\GUSD3\netlogon
         Verified share \\GUSD3\sysvol
         ......................... GUSD3 passed test NetLogons
      Starting test: Advertising
         The DC GUSD3 is advertising itself as a DC and having a DS.
         The DC GUSD3 is advertising as an LDAP server
         The DC GUSD3 is advertising as having a writeable directory
         The DC GUSD3 is advertising as a Key Distribution Center
         The DC GUSD3 is advertising as a time server
         The DS GUSD3 is advertising as a GC.
         ......................... GUSD3 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Schema Owner, but is not responding to DS RPC Bin
d.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         [GUSD1] LDAP search failed with error 58,
         The specified server cannot perform the requested operation..
         Warning: GUSD1 is the Schema Owner, but is not responding to LDAP Bind.

         Role Domain Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Domain Owner, but is not responding to DS RPC Bin
d.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Domain Owner, but is not responding to LDAP Bind.

         Role PDC Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the PDC Owner, but is not responding to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the PDC Owner, but is not responding to LDAP Bind.
         Role Rid Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Rid Owner, but is not responding to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Rid Owner, but is not responding to LDAP Bind.
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers
,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,D
C=us
         Warning: GUSD1 is the Infrastructure Update Owner, but is not respondin
g to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Infrastructure Update Owner, but is not respondin
g to LDAP Bind.
         ......................... GUSD3 failed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 3613 to 1073741823
         * GUSD1.gonzales.k12.ca.us is the RID Master
         ......................... GUSD3 failed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC GUSD3 on DC GUSD3.
         * SPN found :LDAP/GUSD3.gonzales.k12.ca.us/gonzales.k12.ca.us
         * SPN found :LDAP/GUSD3.gonzales.k12.ca.us
         * SPN found :LDAP/GUSD3
         * SPN found :LDAP/GUSD3.gonzales.k12.ca.us/GUSD
         * SPN found :LDAP/a822b2c4-659c-48d9-9aa8-8a6bbe194cb4._msdcs.gonzales.
k12.ca.us
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a822b2c4-659c-48d9-9a
a8-8a6bbe194cb4/gonzales.k12.ca.us
         * SPN found :HOST/GUSD3.gonzales.k12.ca.us/gonzales.k12.ca.us
         * SPN found :HOST/GUSD3.gonzales.k12.ca.us
         * SPN found :HOST/GUSD3
         * SPN found :HOST/GUSD3.gonzales.k12.ca.us/GUSD
         * SPN found :GC/GUSD3.gonzales.k12.ca.us/gonzales.k12.ca.us
         ......................... GUSD3 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... GUSD3 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         GUSD3 is in domain DC=gonzales,DC=k12,DC=ca,DC=us
         Checking for CN=GUSD3,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC
=us in domain DC=gonzales,DC=k12,DC=ca,DC=us on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site
-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us in domain CN=Conf
iguration,DC=gonzales,DC=k12,DC=ca,DC=us on 1 servers
            Object is up-to-date on all servers.
         ......................... GUSD3 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... GUSD3 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 08/20/2010   10:00:48
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 08/20/2010   10:43:22
            (Event String could not be retrieved)
         ......................... GUSD3 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minut
es.
         ......................... GUSD3 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 08/20/2010   12:50:29
            Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/gusd1.gonzales.k12.ca.us.  The target name
used was . This indicates that the password used
to encrypt the kerberos service ticket is
different than that on the target server.
Commonly, this is due to identically named
machine accounts in the target realm
(GONZALES.K12.CA.US), and the client realm.
Please contact your system administrator.
         ......................... GUSD3 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=GUSD3,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC=us and
         backlink on
         CN=GUSD3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=gonzales,DC=k12,DC=ca,DC=us
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=GUSD3,CN=Domain System Volume (SYSVOL share),CN=File Replication Ser
vice,CN=System,DC=gonzales,DC=k12,DC=ca,DC=us
         and backlink on
         CN=GUSD3,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC=us are
         correct.
         The system object reference (serverReferenceBL)
         CN=GUSD3,CN=Domain System Volume (SYSVOL share),CN=File Replication Ser
vice,CN=System,DC=gonzales,DC=k12,DC=ca,DC=us
         and backlink on
         CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         are correct.
         ......................... GUSD3 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Time Server Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         Preferred Time Server Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         KDC Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         ......................... gonzales.k12.ca.us failed test FsmoCheck
      Test omitted by user request: DNS
     

0
 
LVL 117
ID: 33489128
Okay, I had said in a previous post not to change anything on GUSD1!

Okay, I think we are going to abandon GUSD1, disconnect it from the network and turn it off.

Only if it does not serve DHCP, File Serving or Print Serving or any other role that's needed on your network.

If, and only if, you are confident in following the following article, and all roles have been removed from GUSD1, because afterwards you must not switch it back on or connect it to the network; you must format and rebuild it.

http://support.microsoft.com/kb/255504

Move all AD roles to GUSD3 using the article and command line tool ntdsutil from GUSD1.

Make sure GUSD1 is OFF and disconnected from the network.

Once you have completed the above process, leave it alone and wait for replication to sort itself out.

Good luck, but again if you don't feel you have the skill or are confident in the above, leave well alone.

Also make sure you have a backup of AD.
0
 

Author Comment

by:rj831
ID: 33489220
Well I shut off DNS on GUSD1 because all of my users are gone.  So you're saying I'm going to have to reformat the GUSD1 server? Can't I just run dcpromo /force removal to take it off the domain?  Also, to be clear, GUSD1 has to be disconnected from the network and turned off BEFORE I start using ntdsutil to transfer and seize roles?  Thanks for all your help!!
0
 

Author Comment

by:rj831
ID: 33489406
I'm only asking if GUSD1 has to be shut off first because that article states:  "We recommend that you transfer FSMO roles in the following scenarios:

    * The current role holder is operational and can be accessed on the network by the new FSMO owner.
0
 
LVL 117
ID: 33489580
I think you'll find in AD's current state you'll not be able to run dcpromo /force - but it's worth giving it a try - but I thought from the first opening post this didn't work!

If you forcibly seize the roles from the server, the server does not need to be on, because we are assuming that the server is dead and not responding, and from what I can see yours is not responding well to AD.

Okay, try the following steps and see which is successful.

1. Try dcpromo /force on GUSD1; if it doesn't work proceed to Step 2.

2. Use ntdsutil to seize roles from GUSD1 and transfer them to GUSD3, so run ntdsutil on GUSD3.
If this does not work proceed to Step 3.

3. Turn off GUSD1, disconnect GUSD1 and run ntdsutil on GUSD3.

4. Do not be tempted to re-connect GUSD1 to the network.

If you need to have a third DC then rebuild, and install AD. But I would personally leave it OFF for a few weeks, and see how AD is performing, replicating etc.

Then make your mind up whether you need a third DC, or use it for something else etc. The more DCs, the more complicated replication becomes when it goes wrong.
 
0
 

Author Comment

by:rj831
ID: 33489636
I didn't even know about dcpromo /force!!!  I only tried to remove by entering dcpromo and that is where I got the error.  Anyway, I followed your steps and got this picture!!!!!!  Before I did this, it said I would need to seize the roles after GUSD1 was off AD.  Should I do this next??
DCPromo-forceremove.JPG
0
 

Author Comment

by:rj831
ID: 33489643
Also, I need GUSD1 to be functional because there is a program on that server that the students use (their reading program).  So I need to have that up as well.
0
 
LVL 117
ID: 33489660
Yes, now follow Step 2, Step 3. See how you get on. Check the event logs.

It would seem it couldn't transfer the roles; you'll need to follow the Microsoft article fully.

Well, you can try and keep GUSD1 on the network. This is why I asked you to check the roles, because often keeping an OLD DC on the network afterwards may cause issues.

0
 

Author Comment

by:rj831
ID: 33489717
Ok, so AD is removed from GUSD1 and is currently turned off.  I launched Ntdsutil on GUSD3 and typed "roles", then I typed "connections" and typed "connect to server GUSD3".....I tried to seize the roles but ALL of them failed.  I got this error more or less:

fsmo maintenance: seize rid master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321092B, problem 5002 (UN
AVAILABLE), data 8524

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "gusd3" knows about 5 roles
Schema - CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
Domain - CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
PDC - CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
RID - CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
Infrastructure - CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us

:(
0
 
LVL 117
ID: 33489758
What's happening with replication? repadmin /replsum

Event log errors?

The dcpromo /forceremoval command leaves FSMO roles in an invalid state until they are reassigned.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Follow the above, and remove what we call the failed DC from AD.
0
 
LVL 25

Expert Comment

by:DrDave242
ID: 33489761
That's not a failure, although you have to read the text carefully to determine this.  It's merely saying that the TRANSFER operation failed, which is to be expected.  The seizure then proceeds.  In the text you posted, four of the five FSMOs have been seized by GUSD3.  The only one that remains on GUSD1 is the Schema role, which you have presumably also seized by now.
0
 


Author Comment

by:rj831
ID: 33489785
Good lookin out DrDave!!! And yes, I seized the schema master right after just in case.  ;)   So now what lol?  I presume I can start with ntdsutil /metadata cleanup to fully remove GUSD1 from replication?
0
 
LVL 117
ID: 33489790
also check which roles have been transferred by the wizard if any

netdom query GUSD3 /fsmo

netdom query GUSD3 /pdc
0
 
LVL 117
ID: 33489793
yep, but don't try to rush this, let replication sort itself out.....
0
 
LVL 117
ID: 33489810
You should find, hopefully, that all roles have been transferred to GUSD3 (it owns all the roles).

Then have a good read through the ntdsutil /metadata cleanup and we're done.
0
 
LVL 117
ID: 33489815
keep checking event logs, replication, (repadmin /replsum is your friend here), and hopefully errors should eventually stop in the event logs.
0
 

Author Comment

by:rj831
ID: 33489842
I just went to the computer lab to try some logins and........SUCCESS!!!!!!!!   I can now login!!  I tried a few logins that I could remember off the top of my head and they all worked.   Sooooooo....after I do the metadata clean up......do you think I could rejoin GUSD1 to the domain?  OR should I possibly leave it as a WORKGROUP server ( because as I stated, the reading program is on there so it MUST be online)....we prefer to have 3 DCs but I could always add one of our other servers as the 3rd.
0
 

Author Comment

by:rj831
ID: 33489864
The reading program on GUSD1 that I'm talking about worked just fine when the server was a workgroup.  I didn't even have to make any changes when I converted the server into a DC when we first started AD.  So I presume nothing will happen to the program if I go back to Workgroup.  THANK YOU HANCCOCKA!!!  You were a great help and I couldn't have done this without you!!!  I would give you a hug if I could dude hahaha!!!  This site is so great, I'm going to continue paying for it after my trial is done.  :D
0
 
LVL 117
ID: 33489959
I would leave GUSD1 for at least 5 days, and keep checking that event logs and replication are okay.

And then make a decision if you really need three DCs?

Remember, the more DCs you have the more to go wrong, and it only takes one to go bad, and you get login issues!

The least loaded DC will always respond to requests.

Tread carefully my friend, and be patient.

All the best, glad you got it fixed, and for FREE!
0
 

Author Comment

by:rj831
ID: 33538163
I'm back!  Ok, I've left the server alone and I turned it on today.  Before I did that though, I ran the metadata clean up which worked pretty nice.  I left the machine as a Workgroup server and the program that was on it runs great.  The only issue I'm having now is joining machines to the domain.  It won't let me.  First I tried the server which I had taken down and it didn't let me so I said screw and decided to only have 2 domain controllers.  The BIGGER problem is that I can't join ANY machine to the domain.  AD IS working though as students have been logging in just fine all week.  It's just the joining of new machines that's been a problem.  Help?  I can start a new thread if needed.
0
 
LVL 117
ID: 33539445
I think this is the subject of a new question, but refer the new question to this old one.
0
