support_ferret
Problems with first Windows 2008 domain controller in Windows 2000 native forest

Hi, please assist with this domain controller issue.  We have a Win2000 native mode domain with 2003 and 2000 boxes, and we have just installed our first 2008 domain controller.  The installation went OK, but now we have the below errors in dcdiag, and you cannot access the netlogon share on the new DC.

Testing server: Our-Site\DC-SITE_A
  Starting test: Advertising
     Warning: DsGetDcName returned information for \\DC1.ourdomain.co.uk
     DC-A.
     SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
     ......................... DC-A failed test Advertising

  Starting test: FrsEvent
     There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
     replication problems may cause Group Policy problems.
     ......................... DC-A failed test FrsEvent
  Starting test: DFSREvent

 Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=ourdomain,DC=co,DC=uk
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=ourdomain,DC=co,DC=uk
    ......................... DC-A failed test NCSecDesc
 Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\DC-A\netlogon)
    [DC-A] An net use or LsaPolicy operation failed with error 67, Win32 Error 67.

      Starting test: Replications
         [Replications Check,DC-A] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
         "Win32 Error 8453"
         ......................... DC-A failed test Replications

      Starting test: Services
            Could not open NTDS Service on DC-A, error 0x5 "Win32 Error 5"
         ......................... DC-A failed test Services

         An Warning Event occurred.  EventID: 0x8000A001
            Time Generated: 09/20/2010   10:40:39
            Event String:
            The Security System could not establish a secured connection with the server LDAP/dc2.ourdomain.co.uk/ourdomain.co.uk@ourdomain.CO.UK. No authentication protocol was available.
         An Error Event occurred.  EventID: 0x000003EE
            Time Generated: 09/20/2010   10:45:31
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         ......................... DC-A failed test SystemLog

There is an MS KB article

http://support.microsoft.com/kb/939820/en-us

that describes the same errors, but the causes don't seem the same.  It mentions a hotfix, but I am loath to apply it everywhere unnecessarily.
maze-uk

did you perform a domainprep?
Windows Server 2008 ADPREP: http://www.petri.co.il/windows-server-2008-adprep.htm

I suggest you demote, adprep/domainprep, then repromote your w2008 machine
support_ferret (ASKER)
thank you for your quick reply - we did run adprep and domainprep before promoting the server.
It's not a RODC, is it?
Can you check netdiag too?
Darius Ghassem
Well, it seems that your 2008 box didn't promote all the way. Make sure this DC is pointing to an existing DC for DNS only; there should not be any external DNS servers listed in the TCP\IP properties.

Demote the server.
Run metadata cleanup on existing DC http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Delete all DNS records for this DC.

Disable any third-party antivirus software and firewall.

Run dcdiag on existing DC to check for errors if there are none then proceed to promote the 2008 DC again.
When demoting I saw an interesting error - it said you do not have permissions to remove DNS delegations for the zone "co.uk" - contact an administrator to manually remove.

It should be removing from ourdomain.co.uk rather than co.uk I guess?
That is correct. Post ipconfig /all
Are you sure you are only pointing to internal DNS servers?
We are only pointing to internal servers, but I noticed that we had some extra entries under our main DNS zone for AD.  It must have been there for testing of some kind - was a "uk" folder, with a "co" folder in it, plus an "ourdomain" within that.  I have removed it now and will try to promote the server again.
I changed DNS on the NIC just now to point only to the main DNS DC for ourdomain.co.uk and have pasted the output.  Notice how it is also using co.uk as a suffix search list!


   Host Name . . . . . . . . . . . . : DC-A
   Primary Dns Suffix  . . . . . . . : ourdomain.co.uk
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ourdomain.co.uk
                                       co.uk

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : ourdomain.co.uk
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-11-85-C5-7C-7F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.20.0.32(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.20.0.254
   DNS Servers . . . . . . . . . . . : 172.19.1.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection*:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : ourdomain.co.uk
   Description . . . . . . . . . . . : isatap.ourdomain.co.uk
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Remove the co.uk as suffix
I have removed the suffix, and just kicked off DCPromo again...

Here is the error I get when I try to promote the server to a DC
DNS-error.bmp
That is fine.

Do you have a msdcs.domain.com zone? Is your msdcs folder under your domain.com zone grayed out?
According to MS - this shouldn't be a show stopper.  Our domain name for AD is the same as our external Internet domain name (yep!). So the KB article I found suggests this is just a warning about this..

I will continue for now.
We do have that msdcs.domain.com zone.  It is not grayed out right now.
is the msdcs folder under your domain.com zone grayed out?
no it is not grayed out - what would that indicate?
So, if you have the msdcs.domain.com zone and your msdcs folder is not grayed out then you need to delete the msdcs.domain.com zone
While I can see what you are getting at with the zone (it is automatically created apparently) - I cannot make such a major change during this session.

We have progress in other respects - I found that our DNS was only allowing transfers to named servers, so I added the new DC in just now and rebooted it.  The netlogon share is now available, which didn't happen before.

There are two records that are failing to be registered in DNS,  in the MSDCS and the ForestDNSZones.  I am looking into adding these manually, at least as a test.
Ok. Here is the issue: when you have a msdcs.domain.com zone and a non-delegated (not grayed out) msdcs folder, the system doesn't know where to update. You must choose between a delegated zone or not; I recommend not unless you must.

https://www.experts-exchange.com/questions/24349599/URGENT-MSDCS-records-registering-directly-under-FWD-lookup-zone-not-under-FQDN-name-space.html
I am not sure I fully understand yet, but it appears this process has revealed problems with our DNS.  There are many missing entries for existing DCs in the zone folders, not just the 2008 DC we just created.

Thank you for your help so far - I will continue tomorrow and update here.
It became apparent that we had been having problems with 6 remote Windows 2000 DCs since the schema was extended for Windows 2008!

These were resolved last night with a reboot.  AD had stopped responding and was having replication issues on each box.  

The boss is not keen for me to delete that zone though, at least until we understand the situation better.  Your link to the other EE question doesn't advise on how the thing functions, which I think is what we need.  I will try promoting the Win2008 box again now the errors have cleared, and let you know the result.
If you have a delegated zone of the msdcs folder, then your msdcs folder should be grayed out. Now, if you have both your delegated zone and your msdcs folder functioning, then the DNS servers do not know which is correct and which should be updated with the proper records.
Thank you for the information - I failed to read your previous posts properly - sorry about that!  We only have the _msdcs folder, and do not have the zone present at all.  I used the terms zone and folder interchangeably, so my bad!

The domain controller was promoted and we now have far fewer errors on completion.  There are two repeating errors in the DNS event log:

They both report that the server is not included in the replication scope of ForestDnsZones.ourdomain.co.uk and DomainDnsZones.ourdomain.co.uk

I have tried enlisting the server from a 2003 DC using

dnscmd ournewdc /EnlistDirectoryPartition ForestDnsZones.ourdomain.co.uk

but it throws an error : RCODE_SERVER_FAILURE     9002  (0000232a)

I have read that we may need to create the default application directory partitions in DNS, but I haven't found suitable instructions yet for doing this.
I have just tried to add the two partitions as replicas on the new DC using the commands in this article:

http://technet.microsoft.com/en-us/library/cc778798(WS.10).aspx

It looks like the replicas have successfully taken - I have restarted the DNS server on the new DC and so far no errors.  I cannot yet see the DC itself as entries in the two partitions, but will reboot and check later.
Still have one issue left to overcome - it is not registering entries for itself in those partitions.  It says bad DNS key.

If I try to force registration using nltest.exe /dsregdns it gives an access denied error.
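As an added check (not code from the thread), this PowerShell script verifies on the directory side the two things the dcdiag NCSecDesc test above and the dnscmd /EnlistDirectoryPartition step depend on: whether DC-A's NTDS Settings object is listed as a replica of ForestDnsZones and DomainDnsZones, and whether ENTERPRISE DOMAIN CONTROLLERS holds the "Replicating Directory Changes In Filtered Set" right on each partition head. It assumes the thread's placeholder names (DC-A, ourdomain.co.uk) and should run on a DC that already hosts both partitions, such as one of the existing 2003 DCs.

```powershell
# Added example, not from the thread. Placeholder names: DC-A and ourdomain.co.uk.
# Run on a DC that already hosts both DNS application partitions (serverless LDAP
# binds go to the local DC), or prefix the LDAP:// paths with such a server's name.
param(
    [string]$DcName   = 'DC-A',
    [string]$DomainDn = 'DC=ourdomain,DC=co,DC=uk',
    [string]$ConfigDn = 'CN=Configuration,DC=ourdomain,DC=co,DC=uk'
)

# DS-Replication-Get-Changes-In-Filtered-Set: the extended right dcdiag's NCSecDesc
# test expects ENTERPRISE DOMAIN CONTROLLERS (S-1-5-9) to hold on each NC head.
$filteredSetRight = [Guid]'89e95b76-444d-4c62-991a-0facbeda640c'
$enterpriseDcSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-9'

# Locate the DC's NTDS Settings DN; enlistment adds exactly this DN to the crossRef.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$ConfigDn"
$searcher.Filter = "(&(objectClass=server)(cn=$DcName))"
$server = $searcher.FindOne()
if (-not $server) { throw "Server object for $DcName not found under CN=Sites" }
$ntdsDn = "CN=NTDS Settings," + $server.Properties['distinguishedname'][0]

foreach ($prefix in 'ForestDnsZones', 'DomainDnsZones') {
    $ncDn = "DC=$prefix,$DomainDn"

    # Check 1: is the DC enlisted? The partition's crossRef object under CN=Partitions
    # lists every replica's NTDS Settings DN in msDS-NC-Replica-Locations.
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$ConfigDn"
    $searcher.Filter = "(&(objectClass=crossRef)(nCName=$ncDn))"
    $crossRef = $searcher.FindOne()
    if (-not $crossRef) {
        Write-Output "$prefix : no crossRef found, the partition does not exist yet"
        continue
    }
    $replicas = @($crossRef.Properties['msds-nc-replica-locations'])
    $enlisted = $replicas -contains $ntdsDn   # string -contains is case-insensitive
    Write-Output ("{0} : {1} enlisted = {2}" -f $prefix, $DcName, $enlisted)

    # Check 2: does S-1-5-9 have an Allow ACE for the filtered-set right on the NC head?
    $nc = [ADSI]"LDAP://$ncDn"
    $rules = $nc.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $hasRight = $rules | Where-Object {
        $_.IdentityReference -eq $enterpriseDcSid -and
        $_.ObjectType -eq $filteredSetRight -and
        $_.AccessControlType -eq 'Allow'
    }
    Write-Output ("{0} : filtered-set right granted = {1}" -f $prefix, [bool]$hasRight)
}
```

A DC that shows enlisted = False here will keep logging that it is outside the partition's replication scope, however DNS is configured on its NIC.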
What if you point the server some where else does it register?
I will try pointing it to a Win2000 DC in a different site.  It doesn't work if I point it to the 2 Win2003 DCs in the local site.

Another EE article leads to a hotfix that matches the errors, but not the scenario exactly.  The hotfix only applies to Win2003 servers, whereas we have many 2000 boxes.
Post the errors you were getting.

We get a lot of these logged regularly:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

The Security System could not establish a secured connection with the server LDAP/NEW-DC.ourdomain.co.uk/ourdomain.co.uk@ourdomain.CO.UK. No authentication protocol was available.

The above errors start after a few records fail to register in DNS when NETLOGON starts - below is one of the five or so that fail.


The dynamic registration of the DNS record '_ldap._tcp.DomainDnsZones.ourdomain.co.uk. 600 IN SRV 0 100 389 NEW-DC.ourdomain.co.uk.' failed on the following DNS server:  

DNS server IP address: 172.19.1.1
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA
Error Value: DNS bad key.
Could be that Netlogon is starting before DNS.

http://support.microsoft.com/kb/259277

When you run dcdiag /fix, what errors, if any, do you get?

Do you have secure updates only on forward lookup? If you do, set it to secure and nonsecure for a test: http://support.microsoft.com/kb/316239

Make sure DHCP client service is started
ASKER CERTIFIED SOLUTION
Darius Ghassem
It looks like the errors cleared about 03:30 this morning!  The DNS records have appeared in the two partitions they were missing from.  I don't know what was key in that happening.

I think adding the replicas manually may have had an effect, plus of course the replication issues in the entire domain may have taken time to clear.

I am confused as to what the primary DNS settings should be on the 2008 DC though.  I had always thought it should point to itself as a primary, but some articles now suggest otherwise.  What would you advise?

Thank you for all your help - will award the points now.
Solution came about through following all the steps.