Solved

Problems with first Windows 2008 domain controller in Windows 2000 native forest

Posted on 2010-09-20
Last Modified: 2012-05-10
Hi, please assist with this domain controller issue.  We have a Win2000 native mode domain with 2003 and 2000 boxes, and we have just installed our first 2008 domain controller.  The installation went OK, but now we have the below errors in dcdiag, and you cannot access the netlogon share on the new DC.

Testing server: Our-Site\DC-SITE_A
  Starting test: Advertising
     Warning: DsGetDcName returned information for \\DC1.ourdomain.co.uk
     DC-A.
     SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
     ......................... DC-A failed test Advertising

  Starting test: FrsEvent
     There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
     replication problems may cause Group Policy problems.
     ......................... DC-A failed test FrsEvent
  Starting test: DFSREvent

 Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=ourdomain,DC=co,DC=uk
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=ourdomain,DC=co,DC=uk
    ......................... DC-A failed test NCSecDesc
 Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\DC-A\netlogon)
    [DC-A] An net use or LsaPolicy operation failed with error 67, Win32 Error 67.

      Starting test: Replications
         [Replications Check,DC-A] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
         "Win32 Error 8453"
         ......................... DC-A failed test Replications

      Starting test: Services
            Could not open NTDS Service on DC-A, error 0x5 "Win32 Error 5"
         ......................... DC-A failed test Services

         An Warning Event occurred.  EventID: 0x8000A001
            Time Generated: 09/20/2010   10:40:39
            Event String:
            The Security System could not establish a secured connection with the server LDAP/dc2.ourdomain.co.uk/ourdomain.co.uk@ourdomain.CO.UK. No authentication protocol was available.
         An Error Event occurred.  EventID: 0x000003EE
            Time Generated: 09/20/2010   10:45:31
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         ......................... DC-A failed test SystemLog

There is an MS KB article

http://support.microsoft.com/kb/939820/en-us

  that describes the same errors, but the causes don't seem the same.  It mentions a hotfix, but I am loath to apply it everywhere unnecessarily.
Question by:support_ferret
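The dcdiag tests that fail above (Advertising, NetLogons, Services) boil down to a few things you can check directly: are the NETLOGON and SYSVOL shares reachable on each DC, is each DC present in the _ldap._tcp.dc._msdcs SRV set, and what does dcdiag say per server. The script below is an added example, not part of the original question or any Microsoft tool. It is written for a Windows Server 2008 era box, so it wraps nltest, nslookup and dcdiag rather than newer cmdlets; the domain name is a placeholder, and the regexes that pick DC names out of nltest and SRV targets out of nslookup are assumptions about those tools' text output.

```powershell
# Added example: sweep every DC the domain advertises and repeat the checks
# behind the failing dcdiag tests from the question. Needs RSAT (dcdiag,
# nltest) on the machine it runs from. $Domain is a placeholder.
param([string]$Domain = 'ourdomain.co.uk')

function Get-DomainDCs {
    param([string]$Domain)
    # nltest /dclist prints one DC per line, roughly:
    #   dc1.example.com [PDC]  [DS] Site: Default-First-Site-Name
    # (line format assumed from typical output)
    nltest /dclist:$Domain 2>&1 |
        ForEach-Object { if ($_ -match '^\s*(\S+\.\S+)\s.*Site:') { $Matches[1] } }
}

function Get-SrvTargets {
    param([string]$Name, [string]$Server)
    # nslookup -type=SRV prints "svr hostname = dc1.example.com" per record
    # (line format assumed from typical output)
    $nsArgs = @('-type=SRV', $Name)
    if ($Server) { $nsArgs += $Server }
    & nslookup @nsArgs 2>&1 |
        ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1].TrimEnd('.').ToLower() } }
}

function Test-DCHealth {
    param([string]$DC, [string]$Domain)
    $result = @{ DC = $DC }
    # Shares the NetLogons/Advertising tests depend on (error 67 in the
    # question = "network name cannot be found" for \\DC\netlogon)
    $result.Netlogon = Test-Path "\\$DC\netlogon"
    $result.Sysvol   = Test-Path "\\$DC\sysvol"
    # Is this DC registered as a DC in the _msdcs SRV set at all?
    $srv = @(Get-SrvTargets -Name "_ldap._tcp.dc._msdcs.$Domain")
    $result.SrvRegistered = ($srv -contains $DC.ToLower())
    # dcdiag prints "......... DC-A failed test Advertising" style lines,
    # exactly as quoted in the question
    $dcdiag = dcdiag /s:$DC /test:Advertising /test:NetLogons /test:Services 2>&1
    foreach ($line in $dcdiag) {
        if ($line -match '(passed|failed) test (\w+)') {
            $result["Test_$($Matches[2])"] = $Matches[1]
        }
    }
    New-Object PSObject -Property $result
}

Get-DomainDCs -Domain $Domain |
    ForEach-Object { Test-DCHealth -DC $_ -Domain $Domain } |
    Format-List
```

Run it from a member server or DC as a domain admin; a DC with Netlogon = False but SrvRegistered = True is the pattern from the question (the DC advertises but has not shared SYSVOL/NETLOGON yet, usually because initial SYSVOL replication never completed), whereas SrvRegistered = False points at DNS registration, which is where this thread ends up.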
36 Comments
 
LVL 7

Expert Comment

by:maze-uk
ID: 33715756
did you perform a domainprep?
0
 
LVL 7

Expert Comment

by:maze-uk
ID: 33715769
Windows Server 2008 ADPREP: http://www.petri.co.il/windows-server-2008-adprep.htm

I suggest you demote, adprep/domainprep, then repromote your w2008 machine
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33715921
thank you for your quick reply - we did run adprep and domainprep before promoting the server.
0
 
LVL 7

Expert Comment

by:maze-uk
ID: 33716045
It's not a RODC, is it?
Can you check netdiag too?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33716197
Well seems to be that your 2008 box didn't promote all the way. Make sure this DC is pointing to an existing DC for DNS only there should not be any external DNS servers listed in the TCP\IP properties.

Demote the server.
Run metadata cleanup on existing DC http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Delete all DNS records for this DC.

Disable any third-party antivirus software and firewall.

Run dcdiag on existing DC to check for errors if there are none then proceed to promote the 2008 DC again.
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33716875
When demoting I saw an interesting error - it said you do not have permissions to remove DNS delegations for the zone "co.uk" - contact an administrator to manually remove.

It should be removing from ourdomain.co.uk rather than co.uk I guess?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33716896
That is correct. Post ipconfig /all
Are you sure you are only pointing to internal DNS servers?
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33717274
We are only pointing to internal servers, but I noticed that we had some extra entries under our main DNS zone for AD.  It must have been there for testing of some kind - was a "uk" folder, with a "co" folder in it, plus an "ourdomain" within that.  I have removed it now and will try to promote the server again.
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33717362
I changed DNS on the NIC just now to point only to the main DNS DC for ourdomain.co.uk and have pasted the output.  Notice how it is also using co.uk as a suffix search list!


   Host Name . . . . . . . . . . . . : DC-A
   Primary Dns Suffix  . . . . . . . : ourdomain.co.uk
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ourdomain.co.uk
                                       co.uk

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : ourdomain.co.uk
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-11-85-C5-7C-7F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.20.0.32(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.20.0.254
   DNS Servers . . . . . . . . . . . : 172.19.1.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection*:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : ourdomain.co.uk
   Description . . . . . . . . . . . : isatap.ourdomain.co.uk
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33717491
Remove the co.uk as suffix
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33717565
I have removed the suffix, and just kicked off DCPromo again...

Here is the error I get when I try to promote the server to a DC
DNS-error.bmp
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33717601
That is fine.

Do you have a msdcs.domain.com zone? Is your msdcs folder under your domain.com zone grayed out?
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33717659
According to MS - this shouldn't be a show stopper.  Our domain name for AD is the same as our external Internet domain name (yep!). So the KB article I found suggests this is just a warning about this..

I will continue for now.
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33717677
We do have that msdcs.domain.com zone.  It is not grayed out  right now.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33717690
is the msdcs folder under your domain.com zone grayed out?
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33717748
no it is not grayed out - what would that indicate?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33717848
So, if you have the msdcs.domain.com zone and your msdcs folder is not grayed out then you need to delete the msdcs.domain.com zone
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33718187
While I can see what you are getting at with the zone (it is automatically created apparently) - I cannot make such a major change during this session.

We have progress in other respects - I found that our DNS was only allowing transfers to named servers, so I added the new DC in just now and rebooted it.  The netlogon share is now available, which didn't happen before.

There are two records that are failing to be registered in DNS,  in the MSDCS and the ForestDNSZones.  I am looking into adding these manually, at least as a test.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33718231
Ok. Here is the issue: when you have a msdcs.domain.com zone and a non-delegated (not grayed out) msdcs folder, the system doesn't know where to update. You must choose either a delegated zone or not; I recommend not, unless you must.

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33718519
I am not sure I fully understand yet, but it appears this process has revealed problems with our DNS.  There are many missing entries for existing DCs in the zone folders, not just the 2008 DC we just created.

Thank you for your help so far - I will continue tomorrow and update here.
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33734236
It became apparent that we had been having problems with 6 remote Windows 2000 DCs since the schema was extended for Windows 2008!

These were resolved last night with a reboot.  AD had stopped responding and was having replication issues on each box.  

The boss is not keen for me to delete that zone though, at least until we understand the situation better.  Your link to the other EE question doesn't advise on how the thing functions, which I think is what we need.  I will try promoting the Win2008 box again now the errors have cleared, and let you know the result.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33734325
If you have a delegated zone of the msdcs folder then your msdcs folder should be grayed out. Now if you have both your delegated zone and your msdcs folder functioning then the DNS servers do not know which is correct and which should be updated with the proper records
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33734968
Thank you for the information - I failed to read your previous posts properly - sorry about that!  We only have the _msdcs folder, and do not have the zone present at all.  I used the terms zone and folder interchangeably, so my bad!

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33735689
Good.
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33735999
The domain controller was promoted and we now have far fewer errors on completion.  There are two repeating errors in the DNS event log:

They both are informing that the server is not included in the replication scope of ForestDnsZones.ourdomain.co.uk and DomainDnsZones.ourdomain.co.uk

I have tried enlisting the server from a 2003 DC using

dnscmd ournewdc /EnlistDirectoryPartition ForestDnsZones.ourdomain.co.uk

but it throws an error : RCODE_SERVER_FAILURE     9002  (0000232a)

I have read that we may need to create the default application directory partitions in DNS, but I haven't found suitable instructions yet for doing this.
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33736345
I have just tried to add the two partitions as replicas on the new DC using the  commands in this article:

http://technet.microsoft.com/en-us/library/cc778798(WS.10).aspx

It looks like the replicas have successfully taken - I have restarted the DNS server on the new DC and so far no errors.  I cannot yet see the DC itself as entries in the two partitions, but will reboot and check later.
0
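The two posts above are one procedure: dnscmd /EnlistDirectoryPartition fails with RCODE_SERVER_FAILURE (9002) when the partition it names does not exist yet, and the TechNet page linked creates the built-in ForestDnsZones/DomainDnsZones partitions with dnscmd /CreateBuiltinDirectoryPartitions. The script below is an added example, not from the original thread or from Microsoft, that checks the partition state on the new DC first and only creates or enlists when asked to with -Fix. Server and domain names are placeholders, and the way it reads dnscmd's /EnumDirectoryPartitions listing (one partition per line followed by Enlisted or Not-Enlisted) is an assumption about that tool's text output. Creating the forest-wide partition needs Enterprise Admins.

```powershell
# Added example: make sure ForestDnsZones/DomainDnsZones exist and that the
# new DC is enlisted in both, which is what the "not included in the
# replication scope" DNS events are about. Wraps dnscmd.exe as on 2008.
param(
    [string]$NewDC  = 'ournewdc.ourdomain.co.uk',   # placeholder
    [string]$Forest = 'ourdomain.co.uk',            # forest root domain (placeholder)
    [string]$Domain = 'ourdomain.co.uk',            # domain of the DC (placeholder)
    [switch]$Fix                                     # without -Fix: report only
)

function Get-DnsPartitionState {
    param([string]$Server)
    # Assumed dnscmd output, one partition per line, e.g.
    #   ForestDnsZones.example.com   Enlisted Auto Forest
    #   DomainDnsZones.example.com   Not-Enlisted Auto Domain
    # Returns @{ 'forestdnszones.example.com' = $true/$false; ... }
    $state = @{}
    dnscmd $Server /EnumDirectoryPartitions 2>&1 | ForEach-Object {
        if ($_ -match '^\s*(\S+DnsZones\.\S+)\s+(Not-Enlisted|Enlisted)') {
            $state[$Matches[1].ToLower()] = ($Matches[2] -eq 'Enlisted')
        }
    }
    $state
}

function Invoke-Dnscmd {
    param([string[]]$CmdArgs)
    $out = & dnscmd @CmdArgs 2>&1
    # dnscmd ends with "Command completed successfully." on success; the
    # RCODE_SERVER_FAILURE 9002 seen in the thread is returned otherwise
    $ok = ($out -join "`n") -match 'Command completed successfully'
    New-Object PSObject -Property @{ Ok = $ok; Output = ($out -join "`n") }
}

$forestPart = "ForestDnsZones.$Forest".ToLower()
$domainPart = "DomainDnsZones.$Domain".ToLower()
$createArgs = @{
    $forestPart = @('/CreateBuiltinDirectoryPartitions', '/Forest')
    $domainPart = @('/CreateBuiltinDirectoryPartitions', '/Domain')
}

foreach ($partition in @($forestPart, $domainPart)) {
    $state = Get-DnsPartitionState -Server $NewDC
    if (-not $state.ContainsKey($partition)) {
        # EnlistDirectoryPartition cannot succeed until the partition exists
        Write-Warning "$partition does not exist yet"
        if (-not $Fix) { continue }
        $r = Invoke-Dnscmd -CmdArgs (@($NewDC) + $createArgs[$partition])
        if (-not $r.Ok) { Write-Error $r.Output; continue }
        $state = Get-DnsPartitionState -Server $NewDC
    }
    if ($state[$partition]) { Write-Host "$partition : $NewDC already enlisted"; continue }
    if (-not $Fix) { Write-Host "$partition : $NewDC NOT enlisted (re-run with -Fix)"; continue }
    $r = Invoke-Dnscmd -CmdArgs @($NewDC, '/EnlistDirectoryPartition', $partition)
    if ($r.Ok) { Write-Host "$partition : enlisted $NewDC" } else { Write-Error $r.Output }
}
```

Run it once without -Fix to see which of the two states you are in (partition missing vs. present but not enlisted); they need different fixes and the thread hit both in turn.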
 
LVL 1

Author Comment

by:support_ferret
ID: 33736518
Still have one issue left to overcome - it is not registering entries for itself in those partitions.  It says bad DNS key.

If I try to force registration using nltest.exe /dsregdns it gives an access denied error.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33737449
What if you point the server somewhere else; does it register?
0
 
LVL 1

Author Comment

by:support_ferret
ID: 33738376
I will try pointing it to a Win2000 DC in a different site.  It doesn't work if I point it to the 2 Win2003 DCs in the local site.

Another EE article leads to a hotfix that matches the errors, but not the scenario exactly.  The hotfix only applies to Win2003 servers, whereas we have many 2000 boxes.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33738486
Post the errors you were getting.

0
 
LVL 1

Author Comment

by:support_ferret
ID: 33738882
We get a lot of these logged regularly:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

The Security System could not establish a secured connection with the server LDAP/NEW-DC.ourdomain.co.uk/ourdomain.co.uk@ourdomain.CO.UK. No authentication protocol was available.

The above errors start after a few records fail to register in DNS when NETLOGON starts - below is one of the five or so that fail.


The dynamic registration of the DNS record '_ldap._tcp.DomainDnsZones.ourdomain.co.uk. 600 IN SRV 0 100 389 NEW-DC.ourdomain.co.uk.' failed on the following DNS server:  

DNS server IP address: 172.19.1.1
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA
Error Value: DNS bad key.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33739404
Could be that Netlogon is starting before DNS.

http://support.microsoft.com/kb/259277

When you run dcdiag /fix, what errors, if any, do you get?

Do you have secure updates only on forward lookup? If you do, set it to secure and nonsecure for a test: http://support.microsoft.com/kb/316239

Make sure DHCP client service is started
0
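The event quoted two posts up is NETLOGON event 5774; its RCODE 5 is REFUSED and status 9017 is DNS_ERROR_RCODE_BADKEY, which the DNS server returns when it rejects the GSS-TSIG signature on a secure dynamic update, i.e. the DC could not authenticate to the DNS server, matching the Kerberos "No authentication protocol was available" errors seen alongside it. The block below is an added example, not from the original thread, that parses those events out of the System log and groups them per DNS server, so you can tell one refusing server from a general authentication problem, and reads the zone's update setting that the KB316239 test above toggles. The sample event text is constructed from the message quoted in the thread so the parser runs offline; the "update = N" line it looks for in dnscmd /ZoneInfo output is an assumption about that tool's text format.

```powershell
# Added example: parse NETLOGON 5774 "dynamic registration ... failed" events
# and report which DNS server refused what, plus the zone's update mode.

function ConvertFrom-NetlogonDnsFailure {
    param([string]$Message)
    # Fields are picked out of the fixed wording of event 5774 as quoted
    # in the thread
    $o = @{}
    if ($Message -match "registration of the DNS record '([^']+)'")   { $o.Record    = $Matches[1] }
    if ($Message -match 'DNS server IP address:\s*(\S+)')            { $o.DnsServer = $Matches[1] }
    if ($Message -match 'Returned Response Code \(RCODE\):\s*(\d+)') { $o.RCode     = [int]$Matches[1] }
    if ($Message -match 'Returned Status Code:\s*(\d+)')             { $o.Status    = [int]$Matches[1] }
    if ($Message -match 'Error Value:\s*([^\r\n]+)')                 { $o.ErrorText = $Matches[1] }
    # 9017 = DNS_ERROR_RCODE_BADKEY, 5 = REFUSED: the signed (secure) update
    # was rejected, an authentication problem rather than a zone-content one
    $o.SecureUpdateAuthFailure = ($o.Status -eq 9017 -or $o.RCode -eq 5)
    New-Object PSObject -Property $o
}

function Get-NetlogonDnsFailures {
    param([string]$Computer = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-EventLog -LogName System -Source NETLOGON -ComputerName $Computer `
                 -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.EventID -eq 5774 } |
        ForEach-Object { ConvertFrom-NetlogonDnsFailure -Message $_.Message }
}

function Get-ZoneUpdateSetting {
    param([string]$DnsServer, [string]$Zone)
    # dnscmd /ZoneInfo is assumed to print an "update = N" line:
    # 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only
    $out = dnscmd $DnsServer /ZoneInfo $Zone 2>&1
    if (($out -join "`n") -match 'update\s*=\s*(\d)') {
        switch ([int]$Matches[1]) { 0 { 'none' } 1 { 'nonsecure and secure' } 2 { 'secure only' } }
    } else { 'unknown' }
}

# Constructed sample, mirroring the event quoted in the thread, so the parser
# can be exercised without a failing DC
$sample = @"
The dynamic registration of the DNS record '_ldap._tcp.DomainDnsZones.ourdomain.co.uk. 600 IN SRV 0 100 389 NEW-DC.ourdomain.co.uk.' failed on the following DNS server:

DNS server IP address: 172.19.1.1
Returned Response Code (RCODE): 5
Returned Status Code: 9017

ADDITIONAL DATA
Error Value: DNS bad key.
"@
ConvertFrom-NetlogonDnsFailure -Message $sample | Format-List

# On a live DC: which DNS servers are refusing, and which records
Get-NetlogonDnsFailures | Group-Object DnsServer |
    Select-Object Name, Count, @{n='Records'; e={ ($_.Group | ForEach-Object { $_.Record }) -join '; ' }}
```

Pair the per-server grouping with Get-ZoneUpdateSetting -DnsServer 172.19.1.1 -Zone ourdomain.co.uk (placeholders) before and after the KB316239 test: if the failures stop as soon as the zone accepts nonsecure updates, the records are fine and it is the update authentication (Kerberos between the new DC and that DNS server) that is broken. Switch the zone back to secure only once the test is done.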
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 2000 total points
ID: 33739423
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0507f7cc-c426-439b-a0c6-d36cda2dfee8

Disable all unused NICs; you should only have one enabled.

Go to Network Connections, click Advanced Settings and make sure your primary NIC is listed first in the network binding order.
0
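The accepted answer and the earlier ipconfig review together amount to a DNS client checklist for the new DC: no stray enabled adapters, the primary NIC first in the binding order, only DCs as DNS servers, and no suffix search list entry outside the AD domain (the "co.uk" entry). The script below is an added example, not from the original thread, that makes those checks repeatable using WMI and the Tcpip\Linkage\Bind registry value (a REG_MULTI_SZ of \Device\{GUID} entries in binding order). It is read-only and prints the fix rather than applying it; the domain name and the list of known DNS servers are placeholders.

```powershell
# Added example: audit the DNS client side of a DC (adapters, binding order,
# DNS servers, suffix search list). Read-only; prints findings only.
param(
    [string]$AdDomain = 'ourdomain.co.uk',                      # placeholder
    [string[]]$KnownDnsServers = @('172.19.1.4', '172.19.1.1')  # placeholder DC list
)

function Get-BindingOrder {
    # Bind lists "\Device\{GUID}" entries in binding order; map GUIDs back
    # to adapter connection names via Win32_NetworkAdapter.GUID
    $bind = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
    $adapters = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.GUID }
    $i = 0
    foreach ($entry in @($bind)) {
        $guid = $entry -replace '^\\Device\\', ''
        $a = $adapters | Where-Object { $_.GUID -eq $guid }
        $i++
        New-Object PSObject -Property @{
            Order   = $i
            Adapter = $(if ($a) { $a.NetConnectionID } else { $guid })
        }
    }
}

function Test-DnsClientConfig {
    param([string]$AdDomain, [string[]]$KnownDnsServers)
    $findings = @()

    # 1. Physical adapters that are enabled but not connected: candidates
    #    to disable (NetConnectionStatus 2 = Connected)
    Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.PhysicalAdapter -and $_.NetEnabled -and $_.NetConnectionStatus -ne 2 } |
        ForEach-Object {
            $findings += "Adapter '$($_.NetConnectionID)' is enabled but not connected; disable it: " +
                         "netsh interface set interface `"$($_.NetConnectionID)`" admin=disabled"
        }

    # 2. DNS servers and suffix search list on every IP-enabled adapter
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        foreach ($dns in @($_.DNSServerSearchOrder)) {
            if ($dns -and ($KnownDnsServers -notcontains $dns)) {
                $findings += "Adapter '$($_.Description)' uses DNS server $dns, which is not a known DC"
            }
        }
        foreach ($suffix in @($_.DNSDomainSuffixSearchOrder)) {
            # Anything that is not the AD domain or a child of it (e.g. "co.uk")
            # makes unqualified lookups leak outside the forest
            if ($suffix -and ($suffix -ne $AdDomain) -and -not $suffix.EndsWith(".$AdDomain")) {
                $findings += "Suffix search list contains '$suffix' (not under $AdDomain); remove it"
            }
        }
    }

    # 3. Binding order: the primary LAN adapter must be first
    $order = @(Get-BindingOrder)
    if ($order.Count -gt 0) {
        $findings += 'Binding order: ' +
            (($order | ForEach-Object { "$($_.Order)=$($_.Adapter)" }) -join ', ') +
            ' (primary NIC must be first)'
    }
    $findings
}

Test-DnsClientConfig -AdDomain $AdDomain -KnownDnsServers $KnownDnsServers
```

Against the ipconfig output posted earlier in this thread the suffix check would flag co.uk, and the DNS server check would flag anything not in the list you pass, which is also how you catch an ISP or external resolver left on the NIC.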
 
LVL 1

Author Comment

by:support_ferret
ID: 33744016
It looks like the errors cleared about 03:30 this morning!  The DNS records have appeared in the two partitions they were missing from.  I don't know what was key in that happening.

I think the adding of the replicas manually may have had an effect, plus of course the replication issues in the entire domain may have taken time to clear.

I am confused as to what the primary DNS settings should be on the 2008 DC though.  I had always thought it should point to itself as a primary, but some articles now suggest otherwise.  What would you advise?

Thank you for all your help - will award the points now.
0
 
LVL 1

Author Closing Comment

by:support_ferret
ID: 33744034
Solution came about through following all the steps.
0
