DNS not working and AD users can't login. Any DNS experts out there??

Do you have a dns suffix set on the connection?

DNS suffix?  Well, when it was working, it was set as GUSD1.gonzales.k12.ca.us.

okay, check the replication between domain controllers, repadmin /replsum, install from the resource kit, lets see what's happening here, it looks like one DC is causing issues.

anything in the event logs of the DC's? Replication issues?

i'd also like to understand the toplogy, three DC's, what roles are on each etc

Until the Primary Domain Controller? do you mean the DC holding the PDC emulator role?

what the state of disk on the server now? do you have system state backups?

Try repadmin /showrepl * /csv > c:\repadmin.csv

Open this up in Excel and hopefully you will find some error info

follow this article as well

http://support.microsoft.com/kb/321046

hanccocka, it is just one server that's causing the issue and it's the primary.  the other two are fine ( i can see the zones on those servers).  The primary doesn't look like it's replicating with the other two. The other two are talking just fine between themselves.  I'll run that tool right now!  Yes, event logs are giving me errors : 4000, 4007, 4015  (all DNS errors).

I ran that DNSlint test and it came up with: "DNSLint will attempt to verify the
DNS entries used in AD replication

Using 169.254.32.1 for LDAP
Starting with 169.254.10.22 for DNS

This process may take several minutes to complete.........
LDAP query to speficied LDAP server on TCP port 389 failed
Server Down


LDAP query to speficied LDAP server on TCP port 389 failed
LDAP server specified appears to be down

Specify a different LDAP server and run the command again"

there is no primary domain controller in an AD environment, do you mean the DC which holds the PDC emulator role?

does the BAD DC contain any data or other network roles, because if it's not working correctly or replcating, I'd seize the roles and transfer them to the other DCs, and then turn off that DC.

and make sure you do not connect back to network.

Also ran that tool you talked about and got this:  C:\Documents and Settings\administrator.GUSD>repadmin /showrepl * /csv > c:\repa
dmin.csv
[d:\nt\ds\ds\src\util\repadmin\repbind.c, 154] LDAP error 81 (Server Down) Win32
 Err 58.
[d:\nt\ds\ds\src\util\repadmin\repbind.c, 154] LDAP error 81 (Server Down) Win32
 Err 58.

run it on the other DCs not the bad one.

and post the contents of the CSV here

Well, the server with issues is the first I set up on AD which makes it the schema master? if i'm not mistaken. That's what i meant by primary
:)

okay, so it probably has all the roles defined. Okay Primary = First DC in your site!

does it perform any other roles other than DC?

DHCP, DNS (probably does this), File Server, Print Server, ISA etc....

i would transfer ALL the AD roles this server has to other servers.

FSMO, Schema, Domain Naming Master, PDC      , RID, Infrastructure, and GC

to other servers.

Ran this on my working server:  C:\Program Files\Support Tools>repadmin /showrepl * /csv > c:\repadmin.csv
[d:\nt\ds\ds\src\util\repadmin\repbind.c, 154] LDAP error 81 (Server Down) Win32
 Err 58.
[d:\nt\ds\ds\src\util\repadmin\repbind.c, 154] LDAP error 81 (Server Down) Win32
 Err 58.

AD is brand new at our district and all we had were students authenticating so they can save their stuff to folders.  How do I transfer all of that over? So whichever server I transfer all this stuff to would be our new schema master right?  So how do i take down the other server? lol...I still cant demote it :/

can you do a dcdiag /v on all three DCs and post here, i'd attach them as text files

do you have firewalls enabled ny any chance?

Thanks for your help man, i appreciate it!! I already left work but i'll post those text files first thing tomorrow.

Also, no firewalls are in place.  :)

okay, no problems, we usually work through the night on these issues. he he!

I'm back with a vengeance!!!

dcdiag / v for all 3 servers:


GUSD1:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine GUSD1, is a DC.
   * Connecting to directory service on server GUSD1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\GUSD1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales.k12.ca.us)
         couldn't be resolved, the server name (GUSD1.gonzales.k12.ca.us)
         resolved to the IP address (172.16.47.8) and was pingable.  Check that
         the IP address is registered correctly with the DNS server.
         ......................... GUSD1 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\GUSD1
      Skipping all tests, because server GUSD1 is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         PDC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         Time Server Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         KDC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         ......................... gonzales.k12.ca.us passed test FsmoCheck
      Test omitted by user request: DNS

GUSD2:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine GUSD2, is a DC.
   * Connecting to directory service on server GUSD2.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\GUSD2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 1cc4025f-8eee-4211-a01e-0e8557630489._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (1cc4025f-8eee-4211-a01e-0e8557630489._msdcs.gonzales.k12.ca.us)
         couldn't be resolved, the server name (GUSD2.gonzales.k12.ca.us)
         resolved to the IP address (172.16.47.4) and was pingable.  Check that
         the IP address is registered correctly with the DNS server.
         ......................... GUSD2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\GUSD2
      Skipping all tests, because server GUSD2 is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Time Server Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         Preferred Time Server Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         KDC Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         ......................... gonzales.k12.ca.us failed test FsmoCheck
      Test omitted by user request: DNS

GUSD3:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine GUSD3, is a DC.
   * Connecting to directory service on server GUSD3.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\GUSD3
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host a822b2c4-659c-48d9-9aa8-8a6bbe194cb4._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (a822b2c4-659c-48d9-9aa8-8a6bbe194cb4._msdcs.gonzales.k12.ca.us)
         couldn't be resolved, the server name (GUSD3.gonzales.k12.ca.us)
         resolved to the IP address (172.16.47.28) and was pingable.  Check
         that the IP address is registered correctly with the DNS server.
         ......................... GUSD3 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\GUSD3
      Skipping all tests, because server GUSD3 is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Time Server Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         Preferred Time Server Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         KDC Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         ......................... gonzales.k12.ca.us failed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

GUSD1 is the one with all the problems which is the schema master.  The student folders are on GUSD3 which is our newest server.

which servers are hosting DNS?

I assume that GUSD1 is a DNS server, and the other servers GUSD2, GUSD3 have it in their config as the Primary DNS?

YES you are correct.   GUSD1 is pointing to itself and the other 2 are pointing to GUSD1.

ah, this is not quite correct for an AD install, and I don't set them up like that.

GUSD1 DNS setup

Primary DNS 127.0.0.1 (or 172.16.47.8)
Secondary DNS 172.16.47.4
Tietary DNS 172.16.47.28

GUSD2 DNS setup

Primary DNS 127.0.0.1 (or 172.16.47.8)
Secondary DNS 172.16.47.4
Tietary DNS 172.16.47.28

GUSD3 DNS setup

Primary DNS 127.0.0.1 (or 172.16.47.28 172.16.47.8)
Secondary DNS 172.16.47.4
Tietary DNS 172.16.47.8

anyway, each DC should refer it itself in DNS as the primary, whether you need to have a third published (up to you) always good idea to have a spare updating, just in case you need to replace.

but as GUSD1 is foo baa, I think I would be inclined to remove it from the DNS for the moment, get DNS working on GUSD2 and GUSD3, drop GUSD1 DNS.

re-run dcdiag /v test to get DNS working correctly. and then we will proceed with seizure.

DNS is started and running on them ALL?

Ok, how do I get DNS going on the other 2? I believe DNS is running on all of them.  I attached some screenshots of the of GUSD2 and GUSD3
GUSD2-DNS.JPG
GUSD3-DNS.JPG

So I should remove DNS COMPLETELY from GUSD1?

don't change anything on GUSD1 at present.

DNS is running on GUSD2 and GUSD3, so just change the network settings on GUSD2 and GUSD3, you may want to wait for some downtime to do this, because changing network settings, often blips the network interface, if you've got clients access each server GUSD2 and GUSD3.

Ok, yeah I'll to wait for about 1.5 hours for this.  What network settings shall I change?

--> DNS <--

So since I'm moving everything to GUSD3, GUSD3 should be the new primary DNS and GUSD 2 will be secondary DNS?   SOOO GUSD3 will be pointing to itself with GUSD2 as secondary DNS.  GUSD2 server will be pointing to GUSD3 as primary and itself as secondary.  Right? Sorry i'm a total noobie at this. :/

try to forget primarys secondarys and tietary.

Everything should be master and backup, so all servers AD and DNS, will contain the same information.

Correct in your case.

Ok, so I totally took off DNS off of GUSD1  (removed through Add/Remove Programs).  And made the network changes on GUSD2 and GUSD3.  Here are the dcdiag /v results.

GUSD1:  Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine GUSD1, is a DC.
   * Connecting to directory service on server GUSD1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\GUSD1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales.k12.ca.us
 could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales.k12.ca.us)
         couldn't be resolved, the server name (GUSD1.gonzales.k12.ca.us)
         resolved to the IP address (172.16.47.8) and was pingable.  Check that
         the IP address is registered correctly with the DNS server.
         ......................... GUSD1 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\GUSD1
      Skipping all tests, because server GUSD1 is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         PDC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         Time Server Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         KDC Name: \\GUSD1.gonzales.k12.ca.us
         Locator Flags: 0xe00003fd
         ......................... gonzales.k12.ca.us passed test FsmoCheck
      Test omitted by user request: DNS


GUSD2:  (couldn't get all results)

            NumberOfParameters is 1
            Unicode string: 2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales
.k12.ca.us
         [GUSD3] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Printing RPC Extended Error Info:
         Error Record 1, ProcessID is 3592 (DcDiag)
            System Time is: 8/20/2010 19:53:50:693
            Generating component is 8 (winsock)
            Status is 1722: The RPC server is unavailable.
            Detection location is 322
         Error Record 2, ProcessID is 3592 (DcDiag)
            System Time is: 8/20/2010 19:53:50:693
            Generating component is 8 (winsock)
            Status is 11001: No such host is known.
            Detection location is 320
            NumberOfParameters is 1
            Unicode string: a822b2c4-659c-48d9-9aa8-8a6bbe194cb4._msdcs.gonzales
.k12.ca.us
         [Replications Check,GUSD2] A recent replication attempt failed:
            From GUSD1 to GUSD2
            Naming Context: DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2010-08-20 12:51:58.
            The last success occurred at 2010-08-13 17:51:43.
            184 failures have occurred since the last success.
         [Replications Check,GUSD2] A recent replication attempt failed:
            From GUSD1 to GUSD2
            Naming Context: CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,
DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:51:58.
            The last success occurred at 2010-08-13 17:51:43.
            163 failures have occurred since the last success.
         [Replications Check,GUSD2] A recent replication attempt failed:
            From GUSD1 to GUSD2
            Naming Context: CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:51:58.
            The last success occurred at 2010-08-13 17:51:43.
            165 failures have occurred since the last success.
         [Replications Check,GUSD2] A recent replication attempt failed:
            From GUSD1 to GUSD2
            Naming Context: DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:51:58.
            The last success occurred at 2010-08-13 17:53:16.
            4285 failures have occurred since the last success.
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         GUSD2:  Current time is 2010-08-20 12:53:50.
            DC=ForestDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 04:12:40.
         ......................... GUSD2 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC GUSD2.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=gonzales,DC=k12,DC=ca,DC=us
            (Domain,Version 2)
         ......................... GUSD2 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\GUSD2\netlogon
         Verified share \\GUSD2\sysvol
         ......................... GUSD2 passed test NetLogons
      Starting test: Advertising
         The DC GUSD2 is advertising itself as a DC and having a DS.
         The DC GUSD2 is advertising as an LDAP server
         The DC GUSD2 is advertising as having a writeable directory
         The DC GUSD2 is advertising as a Key Distribution Center
         The DC GUSD2 is advertising as a time server
         ......................... GUSD2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Schema Owner, but is not responding to DS RPC Bin
d.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         [GUSD1] LDAP search failed with error 58,
         The specified server cannot perform the requested operation..
         Warning: GUSD1 is the Schema Owner, but is not responding to LDAP Bind.

         Role Domain Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Domain Owner, but is not responding to DS RPC Bin
d.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Domain Owner, but is not responding to LDAP Bind.

         Role PDC Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the PDC Owner, but is not responding to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the PDC Owner, but is not responding to LDAP Bind.
         Role Rid Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Rid Owner, but is not responding to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Rid Owner, but is not responding to LDAP Bind.
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers
,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,D
C=us
         Warning: GUSD1 is the Infrastructure Update Owner, but is not respondin
g to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Infrastructure Update Owner, but is not respondin
g to LDAP Bind.
         ......................... GUSD2 failed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 3613 to 1073741823
         * GUSD1.gonzales.k12.ca.us is the RID Master
         ......................... GUSD2 failed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC GUSD2 on DC GUSD2.
         * SPN found :LDAP/GUSD2.gonzales.k12.ca.us/gonzales.k12.ca.us
         * SPN found :LDAP/GUSD2.gonzales.k12.ca.us
         * SPN found :LDAP/GUSD2
         * SPN found :LDAP/GUSD2.gonzales.k12.ca.us/GUSD
         * SPN found :LDAP/1cc4025f-8eee-4211-a01e-0e8557630489._msdcs.gonzales.
k12.ca.us
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/1cc4025f-8eee-4211-a0
1e-0e8557630489/gonzales.k12.ca.us
         * SPN found :HOST/GUSD2.gonzales.k12.ca.us/gonzales.k12.ca.us
         * SPN found :HOST/GUSD2.gonzales.k12.ca.us
         * SPN found :HOST/GUSD2
         * SPN found :HOST/GUSD2.gonzales.k12.ca.us/GUSD
         * SPN found :GC/GUSD2.gonzales.k12.ca.us/gonzales.k12.ca.us
         ......................... GUSD2 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... GUSD2 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         GUSD2 is in domain DC=gonzales,DC=k12,DC=ca,DC=us
         Checking for CN=GUSD2,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC
=us in domain DC=gonzales,DC=k12,DC=ca,DC=us on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=GUSD2,CN=Servers,CN=Default-First-Site
-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us in domain CN=Conf
iguration,DC=gonzales,DC=k12,DC=ca,DC=us on 1 servers
            Object is up-to-date on all servers.
         ......................... GUSD2 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... GUSD2 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 08/20/2010   12:49:10
            (Event String could not be retrieved)
         ......................... GUSD2 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minut
es.
         ......................... GUSD2 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 08/20/2010   12:51:58
            Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/gusd1.gonzales.k12.ca.us.  The target name
used was . This indicates that the password used
to encrypt the kerberos service ticket is
different than that on the target server.
Commonly, this is due to identically named
machine accounts in the target realm
(GONZALES.K12.CA.US), and the client realm.
Please contact your system administrator.
         ......................... GUSD2 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=GUSD2,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC=us and
         backlink on
         CN=GUSD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=gonzales,DC=k12,DC=ca,DC=us
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=GUSD2,CN=Domain System Volume (SYSVOL share),CN=File Replication Ser
vice,CN=System,DC=gonzales,DC=k12,DC=ca,DC=us
         and backlink on
         CN=GUSD2,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC=us are
         correct.
         The system object reference (serverReferenceBL)
         CN=GUSD2,CN=Domain System Volume (SYSVOL share),CN=File Replication Ser
vice,CN=System,DC=gonzales,DC=k12,DC=ca,DC=us
         and backlink on
         CN=NTDS Settings,CN=GUSD2,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         are correct.
         ......................... GUSD2 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Time Server Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         Preferred Time Server Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         KDC Name: \\GUSD2.gonzales.k12.ca.us
         Locator Flags: 0xe00001f8
         ......................... gonzales.k12.ca.us failed test FsmoCheck
      Test omitted by user request: DNS


GUSD3:    (couldn't get all either)

         The RPC server is unavailable..
         Printing RPC Extended Error Info:
         Error Record 1, ProcessID is 5004 (DcDiag)
            System Time is: 8/20/2010 19:57:21:452
            Generating component is 8 (winsock)
            Status is 1722: The RPC server is unavailable.
            Detection location is 322
         Error Record 2, ProcessID is 5004 (DcDiag)
            System Time is: 8/20/2010 19:57:21:452
            Generating component is 8 (winsock)
            Status is 11001: No such host is known.
            Detection location is 320
            NumberOfParameters is 1
            Unicode string: 2b37136e-a92f-429b-9928-21a06a481062._msdcs.gonzales
.k12.ca.us
         [Replications Check,GUSD3] A recent replication attempt failed:
            From GUSD1 to GUSD3
            Naming Context: DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2010-08-20 12:50:29.
            The last success occurred at 2010-08-14 03:52:34.
            166 failures have occurred since the last success.
         [Replications Check,GUSD3] A recent replication attempt failed:
            From GUSD1 to GUSD3
            Naming Context: CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,
DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:50:29.
            The last success occurred at 2010-08-14 03:52:34.
            154 failures have occurred since the last success.
         [Replications Check,GUSD3] A recent replication attempt failed:
            From GUSD1 to GUSD3
            Naming Context: CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:50:29.
            The last success occurred at 2010-08-14 03:52:34.
            155 failures have occurred since the last success.
         [Replications Check,GUSD3] A recent replication attempt failed:
            From GUSD1 to GUSD3
            Naming Context: DC=gonzales,DC=k12,DC=ca,DC=us
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2010-08-20 12:50:29.
            The last success occurred at 2010-08-14 04:12:40.
            4110 failures have occurred since the last success.
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         GUSD3:  Current time is 2010-08-20 12:57:21.
            DC=ForestDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 03:52:34.
            DC=gonzales,DC=k12,DC=ca,DC=us
               Last replication recieved from GUSD1 at 2010-08-14 04:12:40.
         ......................... GUSD3 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC GUSD3.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=gonzales,DC=k12,DC=ca,DC=us
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=gonzales,DC=k12,DC=ca,DC=us
            (Domain,Version 2)
         ......................... GUSD3 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\GUSD3\netlogon
         Verified share \\GUSD3\sysvol
         ......................... GUSD3 passed test NetLogons
      Starting test: Advertising
         The DC GUSD3 is advertising itself as a DC and having a DS.
         The DC GUSD3 is advertising as an LDAP server
         The DC GUSD3 is advertising as having a writeable directory
         The DC GUSD3 is advertising as a Key Distribution Center
         The DC GUSD3 is advertising as a time server
         The DS GUSD3 is advertising as a GC.
         ......................... GUSD3 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Schema Owner, but is not responding to DS RPC Bin
d.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         [GUSD1] LDAP search failed with error 58,
         The specified server cannot perform the requested operation..
         Warning: GUSD1 is the Schema Owner, but is not responding to LDAP Bind.

         Role Domain Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Domain Owner, but is not responding to DS RPC Bin
d.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Domain Owner, but is not responding to LDAP Bind.

         Role PDC Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the PDC Owner, but is not responding to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the PDC Owner, but is not responding to LDAP Bind.
         Role Rid Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         Warning: GUSD1 is the Rid Owner, but is not responding to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Rid Owner, but is not responding to LDAP Bind.
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=GUSD1,CN=Servers
,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,D
C=us
         Warning: GUSD1 is the Infrastructure Update Owner, but is not respondin
g to DS RPC Bind.
         RPC Extended Error Info not available. Use group policy on the local ma
chine at "Computer Configuration/Administrative Templates/System/Remote Procedur
e Call" to enable it.
         Warning: GUSD1 is the Infrastructure Update Owner, but is not respondin
g to LDAP Bind.
         ......................... GUSD3 failed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 3613 to 1073741823
         * GUSD1.gonzales.k12.ca.us is the RID Master
         ......................... GUSD3 failed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC GUSD3 on DC GUSD3.
         * SPN found :LDAP/GUSD3.gonzales.k12.ca.us/gonzales.k12.ca.us
         * SPN found :LDAP/GUSD3.gonzales.k12.ca.us
         * SPN found :LDAP/GUSD3
         * SPN found :LDAP/GUSD3.gonzales.k12.ca.us/GUSD
         * SPN found :LDAP/a822b2c4-659c-48d9-9aa8-8a6bbe194cb4._msdcs.gonzales.
k12.ca.us
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a822b2c4-659c-48d9-9a
a8-8a6bbe194cb4/gonzales.k12.ca.us
         * SPN found :HOST/GUSD3.gonzales.k12.ca.us/gonzales.k12.ca.us
         * SPN found :HOST/GUSD3.gonzales.k12.ca.us
         * SPN found :HOST/GUSD3
         * SPN found :HOST/GUSD3.gonzales.k12.ca.us/GUSD
         * SPN found :GC/GUSD3.gonzales.k12.ca.us/gonzales.k12.ca.us
         ......................... GUSD3 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... GUSD3 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         GUSD3 is in domain DC=gonzales,DC=k12,DC=ca,DC=us
         Checking for CN=GUSD3,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC
=us in domain DC=gonzales,DC=k12,DC=ca,DC=us on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site
-Name,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us in domain CN=Conf
iguration,DC=gonzales,DC=k12,DC=ca,DC=us on 1 servers
            Object is up-to-date on all servers.
         ......................... GUSD3 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... GUSD3 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 08/20/2010   10:00:48
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 08/20/2010   10:43:22
            (Event String could not be retrieved)
         ......................... GUSD3 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minut
es.
         ......................... GUSD3 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 08/20/2010   12:50:29
            Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/gusd1.gonzales.k12.ca.us.  The target name
used was . This indicates that the password used
to encrypt the kerberos service ticket is
different than that on the target server.
Commonly, this is due to identically named
machine accounts in the target realm
(GONZALES.K12.CA.US), and the client realm.
Please contact your system administrator.
         ......................... GUSD3 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=GUSD3,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC=us and
         backlink on
         CN=GUSD3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=gonzales,DC=k12,DC=ca,DC=us
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=GUSD3,CN=Domain System Volume (SYSVOL share),CN=File Replication Ser
vice,CN=System,DC=gonzales,DC=k12,DC=ca,DC=us
         and backlink on
         CN=GUSD3,OU=Domain Controllers,DC=gonzales,DC=k12,DC=ca,DC=us are
         correct.
         The system object reference (serverReferenceBL)
         CN=GUSD3,CN=Domain System Volume (SYSVOL share),CN=File Replication Ser
vice,CN=System,DC=gonzales,DC=k12,DC=ca,DC=us
         and backlink on
         CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
         are correct.
         ......................... GUSD3 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : gonzales
      Starting test: CrossRefValidation
         ......................... gonzales passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... gonzales passed test CheckSDRefDom

   Running enterprise tests on : gonzales.k12.ca.us
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... gonzales.k12.ca.us passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Time Server Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         Preferred Time Server Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         KDC Name: \\GUSD3.gonzales.k12.ca.us
         Locator Flags: 0xe00001fc
         ......................... gonzales.k12.ca.us failed test FsmoCheck
      Test omitted by user request: DNS
     

Okay, I had said in a previous post not to change anything on GUSD1!

Okay, I think we are going to abandoned GUSD1, disconnect from network and turn if off.

Only if, it does not serve DHCP, File Serving or Print Serving or any other role that's needed on your network.

If and only if your are confident in following the following article, and all roles have been removed from GUSD1, because afterwards you must not switch it back on or connect to the network, you must format and rebuild it.

http://support.microsoft.com/kb/255504

Move all AD roles to GUSD3 using the article and command line tool ndsutil from GUSD1.

Make sure it's GUSD1 is OFF and disconnected from the network.

Once, you completed the above process, leave alone and wait for replication to sort itself out.

Good Luck, but again if you don't feel you have the skill or are confident in above, leave well alone.

Also make sure you have a backup of AD.

Well I shut off DNS on GUSD1 because all of my users are gone.  So you're saying i'm going to have to reformat the GUSD1 server? Can't I just run dcpromo /force removal to take it off the domain?  Also, to be clear, GUSD1 has to be disconnected from the network and turned off BEFORE I start using ndsutil to transfer and seize roles?  Thanks for all your help!!

I'm only asking if GUSD1 has to be shut off first because that article states:  " We recommend that you transfer FSMO roles in the following scenarios:

    * The current role holder is operational and can be accessed on the network by the new FSMO owner.

I think you'll find in ADs current state you'll not be able to run dcpromo /force - but it's worth giving it a try - but I thought from the first opening post this didn't work!

if your forceably sieze the roles from the server, the server does not need to be on, because we are assuming that the server is dead and not responding, and from what I can see yours is not responding well to AD.

okay try the following steps and see which is successful.

1. try dcpromo /force on GUSD1, if it doesn't work proceed to Step 2.

2. use ndsutil to sieze roles from  GUSD1 and transfer them to GUSD3, so run ndsutil on GUSD3.
if this does not work proceed to Step 3.

3. turn off GUSD1, disconnect GUSD1 and run  so run ndsutil on GUSD3.

4. Do not be tempeted to re-connect GUSD1 on the network.

If you need to have a third DC then rebuild, and install AD. But I would personally leave it OFF for few weeks, and see how AD is performing, replicating etc

Then make you mind up, whethere you need a third DC, or use it for something else etc The more DC's the more complicated replication becomes, when it goes wrong.
 

I didn't even know about dcpromo /force!!!  I only tried to remove by entering dcpromo and that is where i got the error.  Anyway, i followed your steps and got this picture!!!!!!  Before I did this, it said I would need to seize the roles after GUSD1 was off AD.  Should I do this next??
DCPromo-forceremove.JPG

Also, I need GUSD1 to be functional because there is a program on that server that the students use (their reading program).  So i need to have that up as well.

yes, now follow Step 2, Step 3. See how you get on. Check the eventlogs.

it would seem it couldn't transfer the roles, you'll need to follow the Microsoft article fully.

well you can try and keep GUSD1 on the network, this is why I asked you to check the roles, because often keeping an OLD DC on the network afterwards may cause issues.

Ok, so AD is removed from GUSD1 and is currently turned off.  I launched Ntdsutil on GUSD3 and typed "roles"  then i typed "connections" and typed "connect to server GUSD3".....I tried to seize the roles but ALL of them failed.  I got this error more or less:

fsmo maintenance: seize rid master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321092B, problem 5002 (UN
AVAILABLE), data 8524

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "gusd3" knows about 5 roles
Schema - CN=NTDS Settings,CN=GUSD1,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
Domain - CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
PDC - CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
RID - CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us
Infrastructure - CN=NTDS Settings,CN=GUSD3,CN=Servers,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=gonzales,DC=k12,DC=ca,DC=us

:(

whats happening with replication repadmin /replsum

event log errors?

dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

follow the above, and remove what we call the failed DC from AD.

That's not a failure, although you have to read the text carefully to determine this.  It's merely saying that the TRANSFER operation failed, which is to be expected.  The seizure then proceeds.  In the text you posted, four of the five FSMOs have been seized by GUSD3.  The only one that remains on GUSD1 is the Schema role, which you have presumably also seized by now.

OH WAIT!  Maybe it didn't fail?? https://www.experts-exchange.com/questions/21624163/Can't-seize-schema-or-domain-naming-master-FSMO-roles.html

Good lookin out DrDave!!! and yes, i seized the schema master right after just in case.  ;)   So now what lol?  I presume i can start with ntdsutil /metadata cleanup to fully remove GUSD1 from replication?

also check which roles have been transferred by the wizard if any

netdom query GUSD3 /fsmo

netdom query GUSD3 /pdc

yep, but don't try to rush this, let replication sort itself out.....

you should find hopefully, that all roles have been transaferred to GUSD3 (it own's all the roles).

then have a foos read through the ntdsutil /metadata cleanup and were done.

keep checking event logs, replication, (repadmin /replsum is your friend here), and hopefully errors should eventually stop in the event logs.

I just went to the computer lab to try some logins and........SUCCESS!!!!!!!!   I can now login!!  I tried a few logins that I could remember off the top of my head and they all worked.   Sooooooo....after I do the metadata clean up......do you think I could rejoin GUSD1 to the domain?  OR should I possibly leave it as a WORKGROUP server ( because as I stated, the reading program is on there so it MUST be online)....we prefer to have 3 DCs but I could always add one of our other servers as the 3rd.

The reading program on GUSD1 that I'm talking worked just fine when the server was a workgroup.  I didn't even have to make any changes when i converted the server into a DC when we first started AD.  So I presume nothing will happen to the program if I go back to Workgroup.  THANK YOU HANCCOCKA!!!  You were a great help and I couldn't have done this without you!!!  I would give you a hug if I could dude hahaha!!!  This site is so great, i'm going to continue paying for it after my trial is done.  :D

I would leave GUSD1 for at least 5 days, keep checking event logs and replication is okay.

and then make a decision if you really need three DCs?

remember the more DCs you have the more to go wrong, and it only takes one to go bad, and you get login issues!

the least loaded DC will always respond to requests.

trend carefuly my friend, and be patient.

All the best, glad you got it fixed, and for FREE!

i'm back!  Ok, i've left the server alone and I turned it on today.  Before I did that though, I ran the metadata clean up which worked pretty nice.  I left the machine as a Workgroup server and the program that was on it runs great.  The only issue i'm having now is joining machines to the domain.  It won't let me.  First I tried the server which I had taken down and it didn't let me so I said screw and decided to only have 2 domain controllers.  The BIGGER problem is that i can't join ANY machine to the domain.  AD IS working though as students have been logging in just fine all week.  It's just the joining of new machines that's been a problem.  Help?  I can start a new thread if needed.  

I think this is the subject of a new question, but refer the new question to this old one.