Solved

Problems with first Windows 2008 domain controller in Windows 2000 native forest

Posted on 2010-09-20
Last Modified: 2012-05-10
Hi, please assist with this domain controller issue.  We have a Win2000 native mode domain with 2003 and 2000 boxes, and we have just installed our first 2008 domain controller.  The installation went OK, but now we have the below errors in dcdiag, and you cannot access the netlogon share on the new DC.

Testing server: Our-Site\DC-SITE_A
  Starting test: Advertising
     Warning: DsGetDcName returned information for \\DC1.ourdomain.co.uk
     DC-A.
     SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
     ......................... DC-A failed test Advertising

  Starting test: FrsEvent
     There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
     replication problems may cause Group Policy problems.
     ......................... DC-A failed test FrsEvent
  Starting test: DFSREvent

 Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=ourdomain,DC=co,DC=uk
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=ourdomain,DC=co,DC=uk
    ......................... DC-A failed test NCSecDesc
 Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\DC-A\netlogon)
    [DC-A] An net use or LsaPolicy operation failed with error 67, Win32 Error 67.

      Starting test: Replications
         [Replications Check,DC-A] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
         "Win32 Error 8453"
         ......................... DC-A failed test Replications

      Starting test: Services
            Could not open NTDS Service on DC-A, error 0x5 "Win32 Error 5"
         ......................... DC-A failed test Services

         An Warning Event occurred.  EventID: 0x8000A001
            Time Generated: 09/20/2010   10:40:39
            Event String:
            The Security System could not establish a secured connection with the server LDAP/dc2.ourdomain.co.uk/ourdomain.co.uk@ourdomain.CO.UK. No authentication protocol was available.
         An Error Event occurred.  EventID: 0x000003EE
            Time Generated: 09/20/2010   10:45:31
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         ......................... DC-A failed test SystemLog

There is an MS KB article, http://support.microsoft.com/kb/939820/en-us, that describes the same errors, but the causes don't seem the same. It mentions a hotfix, but I am loath to apply it everywhere unnecessarily.
Question by:support_ferret
36 Comments

Expert Comment by maze-uk (LVL 7)
Did you perform a domainprep?

Expert Comment by maze-uk (LVL 7)
Windows Server 2008 ADPREP: http://www.petri.co.il/windows-server-2008-adprep.htm

I suggest you demote, adprep/domainprep, then repromote your w2008 machine

Author Comment by support_ferret (LVL 1)
thank you for your quick reply - we did run adprep and domainprep before promoting the server.

Expert Comment by maze-uk (LVL 7)
It's not a RODC, is it?
Can you check netdiag too?

Expert Comment by Darius Ghassem (LVL 59)
Well, it seems that your 2008 box didn't promote all the way. Make sure this DC is pointing to an existing DC for DNS only; there should not be any external DNS servers listed in the TCP\IP properties.

Demote the server.
Run metadata cleanup on existing DC http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Delete all DNS records for this DC.

Disable any third-party antivirus software and firewall.

Run dcdiag on existing DC to check for errors if there are none then proceed to promote the 2008 DC again.

Author Comment by support_ferret (LVL 1)
When demoting I saw an interesting error - it said you do not have permissions to remove DNS delegations for the zone "co.uk" - contact an administrator to manually remove.

It should be removing from ourdomain.co.uk rather than co.uk I guess?

Expert Comment by Darius Ghassem (LVL 59)
That is correct. Post ipconfig /all
Are you sure you are only pointing to internal DNS servers?

Author Comment by support_ferret (LVL 1)
We are only pointing to internal servers, but I noticed that we had some extra entries under our main DNS zone for AD.  It must have been there for testing of some kind - was a "uk" folder, with a "co" folder in it, plus an "ourdomain" within that.  I have removed it now and will try to promote the server again.

Author Comment by support_ferret (LVL 1)
I changed DNS on the NIC just now to point only to the main DNS DC for ourdomain.co.uk and have pasted the output.  Notice how it is also using co.uk as a suffix search list!


   Host Name . . . . . . . . . . . . : DC-A
   Primary Dns Suffix  . . . . . . . : ourdomain.co.uk
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ourdomain.co.uk
                                       co.uk

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : ourdomain.co.uk
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-11-85-C5-7C-7F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.20.0.32(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.20.0.254
   DNS Servers . . . . . . . . . . . : 172.19.1.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection*:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : ourdomain.co.uk
   Description . . . . . . . . . . . : isatap.ourdomain.co.uk
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
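A quick way to check the points raised in this exchange against captured output (an added example, not code from the thread): the script below parses ipconfig /all text and flags a suffix search list entry that is a parent of the AD domain, as with co.uk here, and any DNS server address outside the private ranges. The sample text is constructed from the output above, with one public server added so that the second check has something to report.

```python
# Added example (not code from the thread): audit 'ipconfig /all' text from a
# domain controller for the two DNS settings questioned above.
import ipaddress
import re

# Constructed sample modelled on the posted output; 8.8.8.8 is added only so
# that the external-server check has something to report.
SAMPLE_IPCONFIG = """\
   Primary Dns Suffix  . . . . . . . : ourdomain.co.uk
   DNS Suffix Search List. . . . . . : ourdomain.co.uk
                                       co.uk
   DNS Servers . . . . . . . . . . . : 172.19.1.4
                                       8.8.8.8
"""

# 'Key . . . . : value' lines; indented list continuations have no such shape.
FIELD_RE = re.compile(r"^\s*([A-Za-z][\w \-]*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Return (primary_suffix, search_list, dns_servers) from ipconfig /all text."""
    primary, search, servers = "", [], []
    current = None  # list that indented continuation lines belong to
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            current = None
            if key == "Primary Dns Suffix":
                primary = value
            elif key == "DNS Suffix Search List":
                search.append(value)
                current = search
            elif key == "DNS Servers":
                servers.append(value)
                current = servers
        elif current is not None:
            current.append(line.strip())
    return primary, search, servers

def audit(text):
    """Return (finding, value) pairs for the settings the thread says to fix."""
    primary, search, servers = parse_ipconfig(text)
    findings = []
    for suffix in search:
        # A parent of the AD domain (co.uk) sends unqualified lookups outside it.
        if suffix != primary and primary.endswith("." + suffix):
            findings.append(("parent-suffix", suffix))
    for ip in servers:
        # A DC's NIC should list only internal (private-range) DNS servers.
        if not ipaddress.ip_address(ip).is_private:
            findings.append(("external-dns", ip))
    return findings
```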

Expert Comment by Darius Ghassem (LVL 59)
Remove co.uk as a suffix.

Author Comment by support_ferret (LVL 1)
I have removed the suffix, and just kicked off DCPromo again...

Here is the error I get when I try to promote the server to a DC
DNS-error.bmp

Expert Comment by Darius Ghassem (LVL 59)
That is fine.

Do you have a msdcs.domain.com zone? Is your msdcs folder under your domain.com zone grayed out?

Author Comment by support_ferret (LVL 1)
According to MS - this shouldn't be a show stopper.  Our domain name for AD is the same as our external Internet domain name (yep!). So the KB article I found suggests this is just a warning about this.

I will continue for now.

Author Comment by support_ferret (LVL 1)
We do have that msdcs.domain.com zone.  It is not grayed out right now.

Expert Comment by Darius Ghassem (LVL 59)
Is the msdcs folder under your domain.com zone grayed out?

Author Comment by support_ferret (LVL 1)
no it is not grayed out - what would that indicate?

Expert Comment by Darius Ghassem (LVL 59)
So, if you have the msdcs.domain.com zone and your msdcs folder is not grayed out, then you need to delete the msdcs.domain.com zone.

Author Comment by support_ferret (LVL 1)
While I can see what you are getting at with the zone (it is automatically created apparently) - I cannot make such a major change during this session.

We have progress in other respects - I found that our DNS was only allowing transfers to named servers, so I added the new DC in just now and rebooted it.  The netlogon share is now available, which didn't happen before.

There are two records that are failing to be registered in DNS,  in the MSDCS and the ForestDNSZones.  I am looking into adding these manually, at least as a test.

Expert Comment by Darius Ghassem (LVL 59)
Ok. Here is the issue: when you have a msdcs.domain.com zone and a non-delegated (not grayed out) msdcs folder, the system doesn't know where to update. You must choose whether to have a delegated zone or not; I recommend not, unless you must.

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

Author Comment by support_ferret (LVL 1)
I am not sure I fully understand yet, but it appears this process has revealed problems with our DNS.  There are many missing entries for existing DCs in the zone folders, not just the 2008 DC we just created.

Thank you for your help so far - I will continue tomorrow and update here.

Author Comment by support_ferret (LVL 1)
It became apparent that we had been having problems with 6 remote Windows 2000 DCs since the schema was extended for Windows 2008!

These were resolved last night with a reboot.  AD had stopped responding and was having replication issues on each box.  

The boss is not keen for me to delete that zone though, at least until we understand the situation better.  Your link to the other EE question doesn't advise on how the thing functions, which I think is what we need.  I will try promoting the Win2008 box again now the errors have cleared, and let you know the result.

Expert Comment by Darius Ghassem (LVL 59)
If you have a delegated zone of the msdcs folder, then your msdcs folder should be grayed out. Now if you have both your delegated zone and your msdcs folder functioning, then the DNS servers do not know which is correct and which should be updated with the proper records.

Author Comment by support_ferret (LVL 1)
Thank you for the information - I failed to read your previous posts properly - sorry about that!  We only have the _msdcs folder, and do not have the zone present at all.  I used the terms zone and folder interchangeably, so my bad!

Expert Comment by Darius Ghassem (LVL 59)
Good.

Author Comment by support_ferret (LVL 1)
The domain controller was promoted and we now have far fewer errors on completion.  There are two repeating errors in the DNS event log:

They both are informing that the server is not included in the replication scope of ForestDnsZones.ourdomain.co.uk and DomainDnsZones.ourdomain.co.uk

I have tried enlisting the server from a 2003 DC using

dnscmd ournewdc /EnlistDirectoryPartition ForestDnsZones.ourdomain.co.uk

but it throws an error: RCODE_SERVER_FAILURE     9002  (0000232a)

I have read that we may need to create the default application directory partitions in DNS, but I haven't found suitable instructions yet for doing this.

Author Comment by support_ferret (LVL 1)
I have just tried to add the two partitions as replicas on the new DC using the  commands in this article:

http://technet.microsoft.com/en-us/library/cc778798(WS.10).aspx

It looks like the replicas have successfully taken - I have restarted the DNS server on the new DC and so far no errors.  I cannot yet see the DC itself as entries in the two partitions, but will reboot and check later.

Author Comment by support_ferret (LVL 1)
Still have one issue left to overcome - it is not registering entries for itself in those partitions.  It says bad DNS key.

If I try to force registration using nltest.exe /dsregdns it gives an access denied error.

Expert Comment by Darius Ghassem (LVL 59)
What if you point the server somewhere else, does it register?

Author Comment by support_ferret (LVL 1)
I will try pointing it to a Win2000 DC in a different site.  It doesn't work if I point it to the 2 Win2003 DCs in the local site.

Another EE article leads to a hotfix that matches the errors, but not the scenario exactly.  The hotfix only applies to Win2003 servers, whereas we have many 2000 boxes.

Author Comment by support_ferret (LVL 1)

Expert Comment by Darius Ghassem (LVL 59)
Post the errors you were getting.

Author Comment by support_ferret (LVL 1)
We get a lot of these logged regularly:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

The Security System could not establish a secured connection with the server LDAP/NEW-DC.ourdomain.co.uk/ourdomain.co.uk@ourdomain.CO.UK. No authentication protocol was available.

The above errors start after a few records fail to register in DNS when NETLOGON starts - below is one of the five or so that fail.


The dynamic registration of the DNS record '_ldap._tcp.DomainDnsZones.ourdomain.co.uk. 600 IN SRV 0 100 389 NEW-DC.ourdomain.co.uk.' failed on the following DNS server:  

DNS server IP address: 172.19.1.1
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA
Error Value: DNS bad key.
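The event text above carries everything needed to classify the failure. As an added example (not code from the thread), this parser pulls out the record, the DNS server and the two result codes and names them: RCODE 5 is REFUSED and status 9017 is DNS_ERROR_RCODE_BADKEY, one of the TSIG codes that point at the secure (GSS-TSIG) dynamic update path rather than at the zone data. The sample event is a constructed copy of the one posted, trimmed to the lines that carry data.

```python
# Added example (not code from the thread): decode the Netlogon DNS
# registration failure text posted above into its record, server and codes.
import re

# Constructed copy of the posted event, trimmed to the lines that carry data.
SAMPLE_EVENT = """\
The dynamic registration of the DNS record '_ldap._tcp.DomainDnsZones.ourdomain.co.uk. 600 IN SRV 0 100 389 NEW-DC.ourdomain.co.uk.' failed on the following DNS server:

DNS server IP address: 172.19.1.1
Returned Response Code (RCODE): 5
Returned Status Code: 9017

ADDITIONAL DATA
Error Value: DNS bad key.
"""

# DNS response codes (RFC 1035 / RFC 2136).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
               8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}
# Windows DNS status codes: 9000 + RCODE, plus the TSIG codes 9016-9018,
# which mean the signed (GSS-TSIG) secure dynamic update was rejected.
STATUS_NAMES = {9002: "DNS_ERROR_RCODE_SERVER_FAILURE", 9005: "DNS_ERROR_RCODE_REFUSED",
                9016: "DNS_ERROR_RCODE_BADSIG", 9017: "DNS_ERROR_RCODE_BADKEY",
                9018: "DNS_ERROR_RCODE_BADTIME"}
PARTITIONS = ("ForestDnsZones", "DomainDnsZones", "_msdcs")

def parse_registration_failure(text):
    """Return a dict describing one Netlogon 'dynamic registration ... failed' event."""
    rec = re.search(r"DNS record '([^']+)'", text)
    server = re.search(r"DNS server IP address:\s*(\S+)", text)
    rcode = re.search(r"\(RCODE\):\s*(\d+)", text)
    status = re.search(r"Returned Status Code:\s*(\d+)", text)
    if not (rec and server and rcode and status):
        raise ValueError("not a Netlogon DNS registration failure event")
    # Record is in zone-file form: name TTL class type rdata...; SRV rdata ends with the target.
    name, ttl, _cls, rtype, *rdata = rec.group(1).split()
    labels = name.split(".")
    partition = next((p for p in PARTITIONS if p in labels), "domain root")
    rc, st = int(rcode.group(1)), int(status.group(1))
    return {
        "name": name,
        "type": rtype,
        "ttl": int(ttl),
        "target": rdata[-1] if rtype == "SRV" else " ".join(rdata),
        "partition": partition,
        "dns_server": server.group(1),
        "rcode": rc,
        "rcode_name": RCODE_NAMES.get(rc, "UNKNOWN"),
        "status": st,
        "status_name": STATUS_NAMES.get(st, "UNKNOWN"),
        # BADSIG/BADKEY/BADTIME point at the secure-update (Kerberos/TSIG) path,
        # not at the zone data itself.
        "tsig_rejected": st in (9016, 9017, 9018),
    }
```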

Expert Comment by Darius Ghassem (LVL 59)
Could be that Netlogon is starting before DNS.

http://support.microsoft.com/kb/259277

When you run dcdiag /fix, what errors, if any, do you get?

Do you have secure updates only on the forward lookup? If you do, set it to secure and non-secure for a test: http://support.microsoft.com/kb/316239

Make sure the DHCP Client service is started.

Accepted Solution by Darius Ghassem (LVL 59, earned 500 total points)
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0507f7cc-c426-439b-a0c6-d36cda2dfee8

Disable all unused NICs; you should only have one enabled.

Go to Network Connections, click Advanced Settings, and make sure your primary NIC is listed first in the Network Binding order.

Author Comment by support_ferret (LVL 1)
It looks like the errors cleared about 03:30 this morning!  The DNS records have appeared in the two partitions they were missing from.  I don't know what was key in that happening.

I think adding the replicas manually may have had an effect, plus of course the replication issues in the entire domain may have taken time to clear.

I am confused as to what the primary DNS settings should be on the 2008 DC though.  I had always thought it should point to itself as a primary, but some articles now suggest otherwise.  What would you advise?

Thank you for all your help - will award the points now.

Author Closing Comment by support_ferret (LVL 1)
Solution came about through following all the steps.