** URGENT ** Event ID:1126 Active directory was unable to establish a connection with the Global catalog

Here is the scenario:
DC1 (AD & DNS) 2003 srv as PDC
DC2 (AD & DNS) 2003 srv as ADC

We built a 3rd DC (AD & DNS), 2008 srv, as ADC.

However, when we moved the FSMO roles to the 2008 DC3 to act as PDC, all Active Directory authentications failed and all users were unable to log in.

Due to panic... we demoted DC3 and configured the FSMO roles back on DC1 as PDC, but we started receiving error Event ID 1126:
 
Event Type:	Error
Event Source:	NTDS General
Event Category:	Global Catalog 
Event ID:	1126
Date:		10/5/2010
Time:		4:22:17 PM
User:		NT AUTHORITY\ANONYMOUS LOGON
Computer:	SAIF
Description:
Active Directory was unable to establish a connection with the global catalog. 
 
Additional Data 
Error value:
1355 The specified domain either does not exist or could not be contacted. 
Internal ID:
3200c89 
 
User Action: 
Make sure a global catalog is available in the forest, and is reachable from this domain controller.  You may use the nltest utility to diagnose this problem.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



We have even demoted DC2, just to clean up and keep only a single PDC, hoping that users would authenticate.

We are now left with one DC, but no one can authenticate and the same error is registered.

The command "netdom query fsmo" shows:
Schema owner                SAIF.munajem.com
Domain role owner           SAIF.munajem.com
PDC role                    SAIF.munajem.com
RID pool manager            SAIF.munajem.com
Infrastructure owner        SAIF.munajem.com

The command completed successfully.

I am also attaching the DcDiag report, which does not look good at all:
 
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\SAIF
      Starting test: Connectivity
         The host c220a86e-3b60-4ab2-865d-625d9ce10a11._msdcs.munajem.com could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (c220a86e-3b60-4ab2-865d-625d9ce10a11._msdcs.munajem.com) couldn't be
         resolved, the server name (SAIF.munajem.com) resolved to the IP
         address (192.1.1.19) and was pingable.  Check that the IP address is
         registered correctly with the DNS server. 
         ......................... SAIF failed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SAIF

DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : munajem
   
   Running enterprise tests on : munajem.com
      Starting test: DNS
         Test results for domain controllers:
            
            DC: SAIF.munajem.com
            Domain: munajem.com

                  
               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  
               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
                  Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
                  
               TEST: Dynamic update (Dyn)
                  Error: Dynamic update is not enabled on the zone munajem.com.
                  
               TEST: Records registration (RReg)
                  Network Adapter [00000001] Intel(R) PRO/1000 MB Dual Port Network Connection:
                     Error: Missing CNAME record at DNS server 192.1.1.19 :
                     c220a86e-3b60-4ab2-865d-625d9ce10a11._msdcs.munajem.com
                     
                     Error: Missing DC SRV record at DNS server 192.1.1.19 :
                     _ldap._tcp.dc._msdcs.munajem.com
                     
                     Error: Missing PDC SRV record at DNS server 192.1.1.19 :
                     _ldap._tcp.pdc._msdcs.munajem.com
                     
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
               
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
               
            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
               
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
               
            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
               
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
               
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
               
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
               
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
               
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: munajem.com
               SAIF                         PASS FAIL FAIL PASS FAIL FAIL n/a  
         
         ......................... munajem.com failed test DNS



We seem to have screwed up our DC and we have major downtime across the whole company :( plz help
nbass668 asked:

Jack van Deur (Application Engineer) commented:
Hi,

Check this page out:

http://technet.microsoft.com/en-us/library/cc756476(WS.10).aspx

Kind regards,

JP
nbass668 (Author) commented:
@JP64

This article applies to Server 2008... my only available DC now is 2003,

so I am unable to follow this article.
Monaji commented:
Is the DNS service running? Was it Active Directory integrated DNS before you started?

Bruno PACI (IT Consultant) commented:
Hi,

I don't know why you are looking at a PDC role problem, as obviously all the error messages you have are talking about the GC!
Don't worry about the PDC because it's not the real problem. Take a look at the GC servers. Global Catalog is not a FSMO role.
To check if a DC is also a GC you must go into the "Active Directory Sites and Services" console, expand your site branch, expand "Servers", expand your DC branch and right-click the object "NTDS Settings" under your DC. In the properties of this object there's a checkbox that should be checked to make that DC a GC.

Don't lose time on decisions about which DC should be GC or not... Just enable GC on every DC of your domain.

After that, you should be back to a running situation, and then you can go ahead with playing with your PDC role, put it on the new DC and proceed with your migration...

By the way, the PDC role is NEVER required by client computers in the domain. They don't care about that. The PDC role is involved in trust relationships with non-Active Directory domains and in time synchronization between DCs in the domain, but a missing PDC role for a while will not crash a domain and will not disturb client computers.

I suppose that people are afraid of the PDC role because of history: at the time of Windows NT 4 the PDC role was CRITICAL... it's no longer critical.

The Global Catalog function is much more critical than the PDC role in an Active Directory domain.

Have a good day.
Jack van Deur (Application Engineer) commented:
I agree with PaciB.

That is where my link was pointing. Regardless of it being Windows 2008, it should give you insight into what problem you are facing.

Regards,

JP
nbass668 (Author) commented:
@PaciB:

Thanks for the heads up, but my DC is indeed set as GC and right now it's the only DC in the domain!! after we demoted the others.

Can't I run this single DC with GC on it?

Please advise.
Bruno PACI (IT Consultant) commented:
Hi again,

Ok, so if your unique DC is also a GC and the problem still occurs, that points you to a DNS resolution error.

First, ensure that your client computers query the correct DNS server.

Then go to that DNS server and open the DNS console.

Your domain is named "munajem.com". So in the forward lookup zone you should find a sub-zone named "_msdcs.munajem.com". That sub-zone must exist. DNS records to locate GC servers are stored in this zone so IT MUST exist.

Check the properties of the "munajem.com" DNS zone. It should be Active Directory Integrated (that's better) and dynamic registering must be enabled for "secure updates".

After these checks, on your Windows DC run the command netdiag /fix.
That should force the server to register its DNS records in the zone. It will create missing records if any.


You can run a unique DC with GC on it, but it's not a best practice. The best practice is to have at least 2 DCs with GC enabled on each, so that your domain stays alive if a server fails.

GC is critical (if it's missing users can't log on, only the administrator can), so you should always have at least 2 GC servers in your domain. There is no problem making all your DCs GCs, except in a really HUGE organization with hundreds of DCs all over the world. For almost all "normal" organizations with 1 to 50 DCs you don't have to mind about optimizing network bandwidth and replication traffic, and a good practice is to make all your DCs GCs also. In the future, if you add new DCs I propose you make them GCs also.

Have a good day.

nbass668 (Author) commented:
I don't have "_msdcs.munajem.com" records or _gc records!!!

You are correct, it looks like a DNS issue.

How do I go about fixing this?? and get back the _msdcs folder and _gc records?
nbass668 (Author) commented:
Computer Name: SAIF
    DNS Host Name: SAIF.munajem.com
    System info : Microsoft Windows Server 2003 (Build 3790)
    Processor : EM64T Family 15 Model 4 Stepping 8, GenuineIntel
    List of installed hotfixes :
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : SAIF
        IP Address . . . . . . . . : 192.1.1.19
        Subnet Mask. . . . . . . . : 255.255.254.0
        Default Gateway. . . . . . : 192.1.1.1
        Dns Servers. . . . . . . . : 192.1.1.19


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
            No names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{CD0ABD4C-A050-45C2-9703-84172D689DFA}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.
    [FATAL] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Failed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{CD0ABD4C-A050-45C2-9703-84172D689DFA}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{CD0ABD4C-A050-45C2-9703-84172D689DFA}
    The browser is bound to 1 NetBt transport.
    [FATAL] Cannot send mailslot message to 'MUNAJEM_DOMAIN*' via browser. [ERROR_INVALID_FUNCTION]


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Cannot lookup package Kerberos.
    The error occurred was: (null)


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
Bruno PACI (IT Consultant) commented:
Hi,

As I can see, your "munajem.com" DNS zone is not configured to accept dynamic registering:

               TEST: Dynamic update (Dyn)
                  Error: Dynamic update is not enabled on the zone munajem.com.


That's why your DC can not create its needed records. So unless you want to create manually ALL the required DNS records (please don't ask us to list all the needed records, it's too long and some of them are GUIDs) you MUST configure your DNS zone to accept dynamic DNS registering.

Go into your DNS console on your DC and verify the properties of the "munajem.com" DNS zone. Ensure that it is enabled for dynamic registering. To enable dynamic registering securely you should have a Directory Integrated DNS zone. Change the zone type to AD integrated and choose dynamic registering as "secure".

Then, create a new forward DNS zone named "_msdcs.munajem.com" on the same DNS server. Again, this zone should be AD integrated and accept dynamic registering (which is the default when you create an AD integrated zone).

After that, use the NETDIAG /FIX command, or restart your DC to make it recreate all its needed records.

Let us know...

Have a good day.
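The checks the thread walks through (zone dynamic update, the _msdcs zone, the DC locator SRV records and the DSA GUID CNAME that dcdiag flagged) as an added PowerShell example, not code from the thread or any poster; it assumes a current Windows Server with the DnsServer and ActiveDirectory modules and uses the domain, host and DNS server address from the posts above.

```powershell
# Added example (not from the thread): re-check the DNS prerequisites that
# dcdiag reported as failing above. Assumes the DnsServer and ActiveDirectory
# PowerShell modules; names and address are taken from the thread.
$Domain    = 'munajem.com'
$DcHost    = 'SAIF.munajem.com'
$DnsServer = '192.1.1.19'

# 1. Zone settings: dcdiag's "Dyn" test fails when DynamicUpdate is None,
#    and the DC cannot register any records until that is fixed.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    $z = Get-DnsServerZone -ComputerName $DnsServer -Name $zone -ErrorAction SilentlyContinue
    if (-not $z) {
        "MISSING zone $zone"
    } else {
        "zone $zone : DsIntegrated=$($z.IsDsIntegrated) DynamicUpdate=$($z.DynamicUpdate)"
        if ($z.DynamicUpdate -eq 'None') { "  WARNING: dynamic update disabled on $zone" }
    }
}

# 2. SRV records clients use to find a DC, the PDC emulator and a GC
#    (_ldap._tcp.dc and _ldap._tcp.pdc are the two dcdiag reported missing).
$RequiredSrv = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($name in $RequiredSrv) {
    $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if ($srv) { "OK      $name -> $(($srv.NameTarget | Sort-Object -Unique) -join ', ')" }
    else      { "MISSING $name" }
}

# 3. The <DSA-GUID>._msdcs CNAME that dcdiag's Connectivity test could not
#    resolve. The GUID is the objectGUID of the DC's "NTDS Settings" object;
#    IsGlobalCatalog is the same flag set in Sites and Services.
$dc   = Get-ADDomainController -Identity $DcHost
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
"GlobalCatalog enabled on $($dc.HostName): $($dc.IsGlobalCatalog)"
$cname = "$($ntds.objectGUID)._msdcs.$Domain"
$c = Resolve-DnsName -Name $cname -Type CNAME -Server $DnsServer -ErrorAction SilentlyContinue |
     Where-Object { $_.Type -eq 'CNAME' }
if ($c) { "OK      $cname -> $($c.NameHost)" } else { "MISSING $cname" }
```

Any MISSING line after dynamic update is enabled means the DC has not re-registered yet; the thread's fix (netdiag /fix or a reboot, or restarting Netlogon on newer versions) triggers the registration.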
nbass668 (Author) commented:
@PaciB

Enabling dynamic registration has indeed fixed the records, we also resolved the root hints, and finally our GC is detected and all is back to normal after a DC reboot.

Thank you very much for your precise diagnostics.
hugonieto commented:
Hi guys!! I have a similar issue to nbass668!! The only difference is that in my case everything you mentioned above is correct, but still one of my servers can't communicate with the GC and can't replicate..... Here is the link to my post! Do you think you can give me a hand?


http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28007396.html#a38815319




Thanks!