nbass668 asked:
** URGENT ** Event ID:1126 Active directory was unable to establish a connection with the Global catalog
here is the scenario
DC1 (AD & DNS) 2003 srv as PDC
DC2 (AD & DNS) 2003 srv as ADC
we built a 3rd DC as (AD & DNS) 2008 srv as ADC
However, when we moved the FSMO roles to the 2008 DC3 so that it acts as PDC, all Active Directory authentication failed and all users were unable to log in.
Due to panic... we demoted DC3 and configured the FSMO roles back on DC1 as PDC, but we started receiving error EVENT ID: 1126.
We have even demoted DC2, just to clean up and keep only a single PDC, hoping that users would authenticate.
We are now left with one DC, but no one can authenticate and the same error is logged.
The command "netdom query fsmo" shows:
Schema owner SAIF.munajem.com
Domain role owner SAIF.munajem.com
PDC role SAIF.munajem.com
RID pool manager SAIF.munajem.com
Infrastructure owner SAIF.munajem.com
The command completed successfully.
I am also attaching the DcDiag report, which does not look good at all.
We seem to have screwed up our DC and we have major downtime across the whole company :( plz help
Event Type: Error
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1126
Date: 10/5/2010
Time: 4:22:17 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SAIF
Description:
Active Directory was unable to establish a connection with the global catalog.
Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200c89
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SAIF
Starting test: Connectivity
The host c220a86e-3b60-4ab2-865d-625d9ce10a11._msdcs.munajem.com could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(c220a86e-3b60-4ab2-865d-625d9ce10a11._msdcs.munajem.com) couldn't be
resolved, the server name (SAIF.munajem.com) resolved to the IP
address (192.1.1.19) and was pingable. Check that the IP address is
registered correctly with the DNS server.
......................... SAIF failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SAIF
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : munajem
Running enterprise tests on : munajem.com
Starting test: DNS
Test results for domain controllers:
DC: SAIF.munajem.com
Domain: munajem.com
TEST: Basic (Basc)
Error: No LDAP connectivity
TEST: Forwarders/Root hints (Forw)
Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
TEST: Dynamic update (Dyn)
Error: Dynamic update is not enabled on the zone munajem.com.
TEST: Records registration (RReg)
Network Adapter [00000001] Intel(R) PRO/1000 MB Dual Port Network Connection:
Error: Missing CNAME record at DNS server 192.1.1.19 :
c220a86e-3b60-4ab2-865d-625d9ce10a11._msdcs.munajem.com
Error: Missing DC SRV record at DNS server 192.1.1.19 :
_ldap._tcp.dc._msdcs.munajem.com
Error: Missing PDC SRV record at DNS server 192.1.1.19 :
_ldap._tcp.pdc._msdcs.munajem.com
Error: Record registrations cannot be found for all the network adapters
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
DNS server: 192.112.36.4 (g.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
DNS server: 192.203.230.10 (e.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
DNS server: 192.228.79.201 (b.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
DNS server: 192.33.4.12 (c.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
DNS server: 192.36.148.17 (i.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
DNS server: 192.5.5.241 (f.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
DNS server: 192.58.128.30 (j.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
DNS server: 198.41.0.4 (a.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
________________________________________________________________
Domain: munajem.com
SAIF PASS FAIL FAIL PASS FAIL FAIL n/a
......................... munajem.com failed test DNS
ASKER
@JP64
This article applies to Server 2008... my only available DC now is 2003,
so I am unable to follow this article.
Is the DNS service running? Was it Active Directory-integrated DNS before you started?
Hi,
I don't know why you are looking at the PDC role problem, as obviously all the error messages you have are talking about the GC!
Don't worry about the PDC, because it's not the real problem. Take a look at the GC servers. Global Catalog is not a FSMO role.
To check if a DC is also a GC you must go into the "Active Directory Sites and Services" console, expand your site branch, expand "Servers", expand your DC branch and right-click the "NTDS Settings" object under your DC. In the properties of this object there's a checkbox that should be checked to make that DC a GC.
Don't lose time on decisions about which DC should be a GC or not... Just enable GC on every DC in your domain.
After that, you should be back to a running situation, and then you can go ahead with playing with your PDC role, put it on the new DC and proceed with your migration...
By the way, the PDC role is NEVER required by client computers in the domain. They don't care about that. The PDC role is involved in trust relationships with non-Active Directory domains and in time synchronization between DCs in the domain, but missing the PDC role for a while will not crash a domain and will not disturb client computers.
I suppose that people are afraid of the PDC role because of history: at the time of Windows NT 4 the PDC role was CRITICAL... it's no longer critical.
The Global Catalog function is much more critical than PDC role in an Active Directory domain.
Have a good day.
I agree with PaciB.
That is what my link was pointing at. Regardless of whether it's Windows 2008, it should give you insight into what problem you are facing.
Regards,
JP
ASKER
@PaciB:
Thanks for the heads up, but my DC is indeed set as a GC and right now it's the only DC in the domain!! after we demoted the others
Can't I run this single DC with GC on it?
Please advise.
ASKER CERTIFIED SOLUTION
ASKER
I don't have "_msdcs.munajem.com" records or _gc records!!!
You are correct, it looks like a DNS issue.
How do I go about fixing this?? and get back the _msdcs folder and _gc records?
ASKER
Computer Name: SAIF
DNS Host Name: SAIF.munajem.com
System info : Microsoft Windows Server 2003 (Build 3790)
Processor : EM64T Family 15 Model 4 Stepping 8, GenuineIntel
List of installed hotfixes :
Q147222
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : SAIF
IP Address . . . . . . . . : 192.1.1.19
Subnet Mask. . . . . . . . : 255.255.254.0
Default Gateway. . . . . . : 192.1.1.1
Dns Servers. . . . . . . . : 192.1.1.19
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
No names have been found.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{CD0ABD4C-A050-45C2-9703-84172D689DFA}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.
[FATAL] No DNS servers have the DNS records for this DC registered.
Redir and Browser test . . . . . . : Failed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{CD0ABD4C-A050-45C2-9703-84172D689DFA}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{CD0ABD4C-A050-45C2-9703-84172D689DFA}
The browser is bound to 1 NetBt transport.
[FATAL] Cannot send mailslot message to 'MUNAJEM_DOMAIN*' via browser. [ERROR_INVALID_FUNCTION]
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Cannot lookup package Kerberos.
The error occurred was: (null)
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
SOLUTION
ASKER
@PaciB
Enabling dynamic registration has indeed fixed the records, we also resolved the root hints, and finally our GC is detected and all is back to normal after a DC reboot.
Thank you very much for your precise diagnostics.
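The fix in this thread was letting the zone accept dynamic updates so Netlogon could re-register the _msdcs CNAME and SRV records that dcdiag reported missing. The following PowerShell is an added example, not code from the thread: run from an admin host with the ActiveDirectory and DnsServer modules (RSAT, Windows Server 2012 or later), it checks which locator records a given DC still lacks and whether the zone allows dynamic update; it assumes a single-domain forest and reuses the thread's domain, DC and DNS server names purely as placeholders.

```powershell
# Added example (not the thread's own code): verify a DC's DNS locator records
# and the zone's dynamic-update setting. Assumes RSAT ActiveDirectory/DnsServer
# modules and a single-domain forest; values below are placeholders from the thread.
param(
    [string]$Domain    = 'munajem.com',
    [string]$DcName    = 'SAIF',
    [string]$DnsServer = '192.1.1.19'
)
Import-Module ActiveDirectory
Import-Module DnsServer

# The CNAME dcdiag flagged is <objectGUID of the DC's NTDS Settings>._msdcs.<domain>.
$dc      = Get-ADDomainController -Identity $DcName
$ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
$dsaGuid = $ntds.objectGUID.Guid

# Records every DC registers, plus those that apply only if it holds a role.
$expected = @(
    @{ Name = "$dsaGuid._msdcs.$Domain";         Type = 'CNAME' },
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV'   },
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV'   }
)
if ($dc.OperationMasterRoles -contains 'PDCEmulator') {
    $expected += @{ Name = "_ldap._tcp.pdc._msdcs.$Domain"; Type = 'SRV' }
}
if ($dc.IsGlobalCatalog) {
    $expected += @{ Name = "_ldap._tcp.gc._msdcs.$Domain"; Type = 'SRV' }
    $expected += @{ Name = "_gc._tcp.$Domain";             Type = 'SRV' }
}

$missing = foreach ($r in $expected) {
    try {
        $ans = Resolve-DnsName -Name $r.Name -Type $r.Type -Server $DnsServer -DnsOnly -ErrorAction Stop
        # A record that exists but points at another host is not this DC's registration.
        $targets = if ($r.Type -eq 'SRV') { $ans.NameTarget } else { $ans.NameHost }
        if (-not ($targets -like "$DcName.*")) { "$($r.Type) $($r.Name)" }
    } catch { "$($r.Type) $($r.Name)" }
}

# The thread's zone had dynamic update disabled, so Netlogon could never re-create the records.
$zone = Get-DnsServerZone -Name $Domain -ComputerName $DnsServer
if ($zone.DynamicUpdate -eq 'None') {
    Write-Warning "Zone $Domain refuses dynamic updates; allow secure updates, then re-register:"
    Write-Warning "  Set-DnsServerPrimaryZone -Name $Domain -ComputerName $DnsServer -DynamicUpdate Secure"
    Write-Warning "  then on the DC: nltest /dsregdns  (Server 2003 DNS: dnscmd /Config $Domain /AllowUpdate 2)"
}

if ($missing) { Write-Warning ("Missing or foreign records: " + ($missing -join ', ')) }
else          { Write-Host "All expected locator records for $DcName are present on $DnsServer." }
```

After fixing the zone and re-registering, a second run should report no missing records; dcdiag /test:dns on the DC is the independent confirmation.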
Hi guys!! I have a similar issue to nbass668!! The only difference is that in my case everything you mentioned above is correct, but still one of my servers can't communicate with the GC and can't replicate..... Here is the link to my post! Do you think you can give me a hand?
https://www.experts-exchange.com/questions/28007396/Windows-server-2008-R2-Event-ID-1126.html?anchorAnswerId=38815319#a38815319
Thanks!
check this page out:
http://technet.microsoft.com/en-us/library/cc756476(WS.10).aspx
Kind regards,
JP