Solved

Active Directory Replication

Posted on 2010-11-25
1,949 Views
Last Modified: 2012-05-10
We have a new Windows 2008 Server (Winserver8) which is to take over from the old 2003 server. The old Windows 2003 server (winserver11) also had Exchange 2003. I (believe) I have moved all the FSMO roles from this machine and transferred Exchange to the new 2008 server with a view to retiring the 2003 server at some point. There is also another DC (Winserver13).

We recently had a problem where Outlook clients could not connect to Exchange; the problem seemed to be linked to Active Directory replication, as when a replication was forced the Outlook clients could connect. In a previous question I was told to run

dcdiag /fix

and see what errors I got. Below is the output from my new 2008 server (Winserver8).

Can anyone help rectify these problems?

Output from dcdiag /fix on Winserver8:

 
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = WINSERVER8
   * Identified AD Forest.
   Ldap search capabality attribute search failed on server WINSERVER13, return
   value = 81
   Got error while checking if the DC is using FRS or DFSR. Error:
   Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
   because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\WINSERVER8
      Starting test: Connectivity
         ......................... WINSERVER8 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\WINSERVER8
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\winserver11.Diplomat.local, when we were trying to reach WINSERVER8.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... WINSERVER8 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... WINSERVER8 passed test FrsEvent
      Starting test: DFSREvent
         ......................... WINSERVER8 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... WINSERVER8 passed test SysVolCheck
      Starting test: KccEvent
         ......................... WINSERVER8 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         [WINSERVER13] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Warning: WINSERVER13 is the Infrastructure Update Owner, but is not
         responding to DS RPC Bind.
         Warning: WINSERVER13 is the Infrastructure Update Owner, but is not
         responding to LDAP Bind.
         ......................... WINSERVER8 failed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... WINSERVER8 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... WINSERVER8 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\WINSERVER8\netlogon)
         [WINSERVER8] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... WINSERVER8 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... WINSERVER8 passed test ObjectsReplicated
      Starting test: Replications
         ......................... WINSERVER8 failed test Replications
      Starting test: RidManager
         ......................... WINSERVER8 passed test RidManager
      Starting test: Services
         ......................... WINSERVER8 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 11/25/2010   12:47:28
            Event String:
            Name resolution for the name dns.msftncsi.com timed out after none of the configured DNS servers responded.
         ......................... WINSERVER8 passed test SystemLog
      Starting test: VerifyReferences
         ......................... WINSERVER8 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : Diplomat
      Starting test: CheckSDRefDom
         ......................... Diplomat passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Diplomat passed test CrossRefValidation

   Running enterprise tests on : Diplomat.local
      Starting test: LocatorCheck
         ......................... Diplomat.local passed test LocatorCheck
      Starting test: Intersite
         ......................... Diplomat.local passed test Intersite

0
Question by:Fubschuk
176 Comments
 
LVL 22

Expert Comment

by:65td
ID: 34212728
Is the "TCP/IP NetBIOS Helper" service running?
0
 

Author Comment

by:Fubschuk
ID: 34212966
Yes, TCP/IP NetBIOS Helper is running, set to Automatic.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34214483
At first glance, it looks like you have got a DNS problem. ("dcdiag /fix" does nothing else than write back the SPNs used for replication.)

Do you have three domain controllers at the moment?

1. Run and post: netdom query dc

2. Run and post: repadmin /replsum

3. Run and post: ipconfig /all (on all DCs listed in #1)



0
 

Author Comment

by:Fubschuk
ID: 34218059
1...................
C:\>netdom query dc
List of domain controllers with accounts in the domain:

WINSERVER11
WINSERVER13
WINSERVER8
The command completed successfully.

2....................
C:\>repadmin /replsum
Replication Summary Start Time: 2010-11-26 15:12:00

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 WINSERVER11               23m:58s    0 /  10    0
 WINSERVER13               21m:20s    0 /  10    0
 WINSERVER8                23m:58s    0 /  10    0


Destination DSA     largest delta    fails/total %%   error
 WINSERVER11               20m:14s    0 /  10    0
 WINSERVER13               23m:59s    0 /  10    0
 WINSERVER8                21m:21s    0 /  10    0

3................

Winserver8

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WINSERVER8
   Primary Dns Suffix  . . . . . . . : Diplomat.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Diplomat.local

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #2
   Physical Address. . . . . . . . . : 84-2B-2B-18-2B-07
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::849e:afd4:9d7d:814d%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.254.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.254.240
   DHCPv6 IAID . . . . . . . . . . . : 310651691
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-EF-85-1F-84-2B-2B-18-2B-08
   DNS Servers . . . . . . . . . . . : 10.0.254.8
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 84-2B-2B-18-2B-08
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4da9:550a:833b:4a2f%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.254.8(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.254.241
   DHCPv6 IAID . . . . . . . . . . . : 243542827
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-EF-85-1F-84-2B-2B-18-2B-08
   DNS Servers . . . . . . . . . . . : ::1
                                       10.0.254.8
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{E184EFF1-5BF9-4878-BCF9-0FFC4BE0B5F9}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{245E2C8F-3ED4-412D-9ECC-8E8732DD3D91}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Winserver11

Windows IP Configuration

   Host Name . . . . . . . . . . . . : winserver11
   Primary Dns Suffix  . . . . . . . : Diplomat.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Diplomat.local

Ethernet adapter Intel Pro 1000 MT Gigabit Ethernet Adapter - Onboard:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-11-43-D1-19-C7
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.254.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 10.0.254.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.254.241
   DNS Servers . . . . . . . . . . . : 10.0.254.11
   Primary WINS Server . . . . . . . : 10.0.254.11

Winserver13

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Winserver13
   Primary Dns Suffix  . . . . . . . : Diplomat.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Diplomat.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-11-43-D1-17-8D
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.254.13
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.254.240
   DNS Servers . . . . . . . . . . . : 10.0.254.13

0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34218907
Replication is OK (strangely), but:

Any reason you have got two NICs in the same IP scope on Winserver8?

Any reason you have got two IP addresses on Winserver11?

Is your DNS AD-integrated?

0
 

Author Comment

by:Fubschuk
ID: 34228450
Winserver8 is using SMTP connectors on different ports, as was Winserver11.

I did find that DNS was not running on Winserver13 and it had recently rebooted after a Windows update. None of the other servers are set to automatic on Windows update, so that might have been the cause of my problems; I have turned off auto update now.

I am still getting errors when I run dcdiag /fix which I would like to get to the bottom of, see below....
 
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = WINSERVER8
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\WINSERVER8
      Starting test: Connectivity
         ......................... WINSERVER8 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\WINSERVER8
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\winserver11.Diplomat.local, when we were trying to reach WINSERVER8.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... WINSERVER8 failed test Advertising
      Starting test: FrsEvent
         ......................... WINSERVER8 passed test FrsEvent
      Starting test: DFSREvent
         ......................... WINSERVER8 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... WINSERVER8 passed test SysVolCheck
      Starting test: KccEvent
         ......................... WINSERVER8 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... WINSERVER8 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... WINSERVER8 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... WINSERVER8 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\WINSERVER8\netlogon)
         [WINSERVER8] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... WINSERVER8 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... WINSERVER8 passed test ObjectsReplicated
      Starting test: Replications
         ......................... WINSERVER8 passed test Replications
      Starting test: RidManager
         ......................... WINSERVER8 passed test RidManager
      Starting test: Services
         ......................... WINSERVER8 passed test Services
      Starting test: SystemLog
         ......................... WINSERVER8 passed test SystemLog
      Starting test: VerifyReferences
         ......................... WINSERVER8 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : Diplomat
      Starting test: CheckSDRefDom
         ......................... Diplomat passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Diplomat passed test CrossRefValidation

   Running enterprise tests on : Diplomat.local
      Starting test: LocatorCheck
         ......................... Diplomat.local passed test LocatorCheck
      Starting test: Intersite
         ......................... Diplomat.local passed test Intersite

0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34228946
Is your domain/forest zone AD-integrated?
0
 

Author Comment

by:Fubschuk
ID: 34229148
I believe so....



 
Enumerated zone list:
	Zone count = 3

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 _msdcs.Diplomat.local          Primary    AD-Forest       Secure Aging
 Diplomat.local                 Primary    AD-Domain       Secure Aging

Command completed successfully.


0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34229221
Are all three DCs listed in the Name server tab on the zone?

If so, I would make things a little easier during troubleshooting.

Configure all three DCs to use 10.0.254.8 as primary DNS and themselves as secondary.

On all DCs run:

ipconfig /flushdns
ipconfig /registerdns (to register the A-record)

Restart the netlogon service (to register SRV records)

0
 

Author Comment

by:Fubschuk
ID: 34229277
OK, done that. All 3 DCs were listed in the Name server tab on the zone.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34229301
Run "dcdiag /test:dns /v > dnsdiag.txt".

Please attach the file.
0
 

Author Comment

by:Fubschuk
ID: 34229466
Here you go dnsdiag.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34230209
DNS looking good on Winserver8.

Run and attach:

dcdiag /v /e /c /f:dcdiag.txt

0
 

Author Comment

by:Fubschuk
ID: 34230297
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34230429
On Winserver8 you should check the _msdcs DNS zone for inactive/orphaned CNAME registration. Delete incorrect registrations.

You'll find the DC's GUID by running e.g. "repadmin /showrepl" on each DC.

e.g.
SITE\DC-name
DC object GUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx

On Winserver11 it looks like the RPC service is not running in shared mode:

Run this on Winserver11: sc config rpcss type=share


Run a new "dcdiag /v /e /f:dcdiag2.txt" (skip the /c)
0
 

Author Comment

by:Fubschuk
ID: 34230891
Not having any luck running sc config rpcss type=share on Winserver11

I get this:
DESCRIPTION:
        Modifies a service entry in the registry and Service Database.
USAGE:
        sc <server> config [service name] <option1> <option2>...

OPTIONS:
NOTE: The option name includes the equal sign.
 type= <own|share|interact|kernel|filesys|rec|adapt>
 start= <boot|system|auto|demand|disabled>
 error= <normal|severe|critical|ignore>
 binPath= <BinaryPathName>
 group= <LoadOrderGroup>
 tag= <yes|no>
 depend= <Dependencies(separated by / (forward slash))>
 obj= <AccountName|ObjectName>
 DisplayName= <display name>
 password= <password>
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 500 total points
ID: 34231819
Try: sc config rpcss type= share

(space between = and share)
0
 

Author Comment

by:Fubschuk
ID: 34236934
That worked, here is dcdiag2.txt
 dcdiag2.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34237015
You need to start the NTFRS service on Winserver11.

You are still having issues where Winserver11 is returned when trying to get Winserver13. This can be a pain when using multihomed Domain Controllers (which you should avoid). Did you verify that you don't have any outdated A-records (for the DCs) and CNAMEs?
0
 

Author Comment

by:Fubschuk
ID: 34256464
Winserver11 is having problems. I rebooted it today as suggested in the dcdiag text, but I'm now having problems connecting Outlook and logging on to machines. I get the error when trying to replicate. I have also noticed that there is no DNS information in the forward lookup zones on Winserver11.

 Relpication Error
The CNAME's seem to be ok:

 CNAME's
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34257180
Can you take a screenshot of the _msdcs subdomain located under the forward lookup zone Diplomat.local?

It looks like it has been delegated.
0
 

Author Comment

by:Fubschuk
ID: 34264914
It's not getting any better. It seems as though Winserver11 has a hold over the domain: unless it is up nothing can log in, but it does seem to be referenced by 8 and 13. I would like to get 11 off the domain so there is no further dependence on it.
 _msdc
0
 

Author Comment

by:Fubschuk
ID: 34265124
Running dcdiag run on each machine (dcdiag /v /e /f:dcdiag2.txt)
Winserver11:
 DCDiag1-11.txt
Winserver13:
 DCDiag1-13.txt
Winserver8:
 DCDiag1-8.txt
0
 

Author Comment

by:Fubschuk
ID: 34265538
When you go into ADSI Edit on Winserver8 the default settings are pointing to Winserver11?? ADSI from Winserver8
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 500 total points
ID: 34265658
Are all DC's in the same site?

Are all DC's in sync regarding time/date?

If Yes on both, I would delete both the delegated _msdcs zone (greyed out folder) and the _msdcs.diplomat.local zone. (off hours if you can wait. This task is done within 5 minutes)

Delete those on all DCs if replication doesn't do it (in a timely manner).

Restart the netlogon service on all three DC's:

cmd > net stop netlogon && net start netlogon

Force a replication:

repadmin /syncall /A /P /e

The _msdcs sub domain will be recreated automatically under the "diplomat.local" zone with all needed SRV records once netlogon is restarted.

If any DC has more than one NIC, make sure the bindings order is correct on the NICs.
0
 

Author Comment

by:Fubschuk
ID: 34265782
All DC are at the same site.
WINSERVER11 time is not in sync with the others; it has been out by about 1 hour since it was rebooted yesterday.
0
 

Author Comment

by:Fubschuk
ID: 34265844
Also, WINSERVER11 is not showing anything for the forwarders in DNS, it's all empty, so I won't be able to delete anything from there.

How do I set the Order of the bindings, Winserver 8 uses 2 NICs?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34266366
If Winserver11 is more than 5 minutes off sync with the others, it will not replicate (kereros auth. will fail). AD integrated DNS is in the application NC and will be affected by this.

Winserver11 should sync its time with the PDC holder.

Here's how I like to setup the domain time: http://adfordummiez.com/?p=67

Binding order: http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34266374
Typo: *kerberos auth. will fail
0
 

Author Comment

by:Fubschuk
ID: 34269728
Winserver11 time is now in sync and I have removed and replicated the msdc zone in 8 and 13.

Winserver11 did not replicate

Also

Looking at AD sites and service in Winserver11 you get this
 AD Replication Winserver11
Looking at Ad Sites and services on Winserver 8 you get this
 AD Replication Winserver8
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34270152
Have you tried to demote winserver11 and the process failed?

Is the winserver11 in use anymore? If you want to remove it you have to run a force removal + MD cleanup if there are any traces.

 



0
 

Author Comment

by:Fubschuk
ID: 34272985
I tried to remove winserver11 yesterday and it failed. I would like to remove it as a DC but it looks like it's lost its way.

Can't logon on the 11 or 13 now


0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34273178
So #11 has no role in your domain?

Who holds the FSMOs? "netdom query fsmo"
Transfer or seize any FSMO from #11.

If you tried to demote it but it failed, you have to run "dcpromo /forceremoval" on #11, and run a MD Cleanup from a working DC. http://www.petri.co.il/delete_failed_dcs_from_ad.htm


Are 8 and 13 Global Catalogs? cmd > "dsquery server -isgc"
If they are not GC, promote them to GCs.

All DCs use #8 as primary DNS. Correct? Are your clients also using this as primary (DHCP scopes)?

Where is your Exchange located?
Is this a 2003 Exchange? -> Yes -> Verify that the Recipient Update Service is pointing to the correct DC.
http://www.msexchange.org/tutorials/MF017.html

0
 

Author Comment

by:Fubschuk
ID: 34281269
Typing netdom query on any of the 3 servers results in the same:

"The specified domain either does not exist or could not be contacted"

If I run "dcpromo /forceremoval" on #11 it warns that it is a GC

I went through the MD cleanup and that showed no trace of #11

But when you run  "dsquery server -isgc" it show that only Winserver13 is the GC

Exchange (2010) is on #8; #11 used to be Exchange 2003 until we got the new machine #8.

Not sure what to do now
0
 

Author Comment

by:Fubschuk
ID: 34281308
Strangely, I just ran "netdom query fsmo" on #8 and got a result back (I didn't the first time)

C:\Users\Administrator.DIPLOMAT0>netdom query fsmo
Schema master               WINSERVER8.Diplomat.local
Domain naming master        WINSERVER8.Diplomat.local
PDC                         WINSERVER8.Diplomat.local
RID pool manager            WINSERVER8.Diplomat.local
Infrastructure master       WINSERVER8.Diplomat.local
The command completed successfully.
0
 

Author Comment

by:Fubschuk
ID: 34281329
Could the problem be that #11 used to be GC but #13 has not/never updated as GC which is why we can't logon?

C:\>dsquery server -isgc
"CN=WINSERVER13,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration, DC=Diplomat,DC=local"
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34281354
If you don't have a GC, users can login.

Try to promote #8 to a GC.

I went through the MD cleanup and that showed no trace of #11

Then it's removed from the domain. You just have to make sure that clients don't use this ex DC as a DNS/WINS.
0
 

Author Comment

by:Fubschuk
ID: 34281461
#8 has promoted ok

"CN=WINSERVER13,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration, DC=Diplomat,DC=local"
"CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration, DC=Diplomat,DC=local"


So how do I make sure that nothing else tries to use #11 as the GC?
I can't log on to the Exchange console on #8 as "specified name is not a forest, ADDC,...."
I can't RDP on to #13 or #11 "Specified domain does not exist..."
I can't get any emails on Outlook or OWA

It should all be working but it just isn't
0
 

Author Comment

by:Fubschuk
ID: 34281527
It's all behaving very strangely. I can get on to OWA now but just had this error on Exchange console: Exchange Console Error
Still can't RDP #13 RDP error Winserver13
I can get to files share on domain servers?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34281848
Run a "dcdiag /e /v /f:dcdiag4.txt" on server 8
0
 

Author Comment

by:Fubschuk
ID: 34281905
Results of "dcdiag /e /v /f:dcdiag4.txt"
 dcdiag4.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34281942
Is the firewall enabled on the 2008 server?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34281977
From a previous screen shot of the _msdcs domain:

bcd2bca9-7429-4998-9508-ec7ff154a2c4._msdcs.Diplomat.local = winserver11

Starting test: KccEvent

         * The KCC Event log test
         An error event occurred.  EventID: 0xC0000583
            Time Generated: 12/06/2010   11:32:42
            Event String:
            Active Directory Domain Services failed to
            construct a mutual authentication service
            principal name (SPN) for the following directory
            service.

            Directory service:
            bcd2bca9-7429-4998-9508-ec7ff154a2c4._msdcs.Diplomat.local

Make sure that the two CNAME records in _msdcs is correct and that the corresponding A-record also is correct.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34282005
Also run this on #13:

sc config rpcss type= share
(remember space after =)

Is the time between 8 and 13 in sync?

#13 is logging FRS 13565. Have you tried to set the Burflags to D2?
0
 

Author Comment

by:Fubschuk
ID: 34282042
Looks like #11 has crept back in:
 DNS - bcd2bca9
Will i need to delete _msdcs.diplomat.local zone and Force a replication:

repadmin /syncall /A /P /e

0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34282106
Disable the network on 11 or turn it off. Delete the CNAME and other records belonging to 11. (look through the _msdcs tree)

No need to delete the zone.
0
 

Author Comment

by:Fubschuk
ID: 34282222
I have deleted the references to #11 in the _MSDCS tree. There are still references to #11 in _sites, _tcp, _udp and the domain DNS zones and forest DNS zones; should I remove these as well?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34282511
Yes. All traces in DNS must be deleted
0
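As an added example (not from the thread or from either participant), a read-only PowerShell check that lists every record in the AD-integrated zones still pointing at the decommissioned DC, so nothing is missed across _msdcs, _sites, _tcp and _udp before the records are deleted and netlogon re-registers the live DCs. Assumed: it runs on a DC that hosts the zones, dnscmd.exe is present (it is on Server 2008), and the old DC's name and addresses are the ones from its ipconfig output earlier in the thread.

```powershell
# Added example: find stale DNS records for a decommissioned DC (read-only).
# Runs on a DNS server hosting the AD-integrated zones (e.g. WINSERVER8).
# dnscmd /zoneexport writes into %SystemRoot%\System32\dns; that file is parsed here.

$OldDc    = 'winserver11'                      # decommissioned DC (from the thread)
$OldDcIps = @('10.0.254.10', '10.0.254.11')    # its addresses, per its ipconfig in the thread
$Zones    = @('Diplomat.local', '_msdcs.Diplomat.local')
$DnsDir   = Join-Path $env:SystemRoot 'System32\dns'

function Export-Zone {
    param([string]$Zone)
    # dnscmd accepts only a file name (not a path) and refuses to overwrite.
    $file = 'stale-check-' + ($Zone -replace '[^A-Za-z0-9]', '_') + '.dns'
    $path = Join-Path $DnsDir $file
    if (Test-Path $path) { Remove-Item $path -Force }
    $null = dnscmd /zoneexport $Zone $file
    if (-not (Test-Path $path)) { throw "Export of zone $Zone failed" }
    return $path
}

function Test-RefersToOldDc {
    param([string]$Line)
    # Exported zone lines carry owner, TTL, type and data on one line, e.g.
    # "_ldap._tcp 600 SRV 0 100 389 winserver11.diplomat.local." or
    # "<guid> 600 CNAME winserver11.diplomat.local."; -match is case-insensitive.
    if ($Line -match [regex]::Escape($OldDc)) { return $true }
    foreach ($ip in $OldDcIps) {
        # anchor on whitespace so 10.0.254.1 does not match 10.0.254.10
        if ($Line -match ('(^|\s)' + [regex]::Escape($ip) + '(\s|$)')) { return $true }
    }
    return $false
}

function Find-StaleRecords {
    param([string]$Zone)
    $path = Export-Zone $Zone
    $hits = @()
    foreach ($line in Get-Content $path) {
        if ($line.Trim() -eq '' -or $line.TrimStart().StartsWith(';')) { continue }  # blank or comment
        if (Test-RefersToOldDc $line) {
            $hits += New-Object PSObject -Property @{ Zone = $Zone; Record = $line.Trim() }
        }
    }
    return $hits
}

$stale = @(foreach ($z in $Zones) { Find-StaleRecords $z })
if ($stale.Count -gt 0) {
    $stale | Format-Table Zone, Record -AutoSize
    "{0} record(s) still reference {1}. Delete each with dnscmd /recorddelete, then on every live DC run ipconfig /registerdns and restart netlogon." -f $stale.Count, $OldDc
} else {
    "No records in $($Zones -join ', ') reference $OldDc."
}
```

Reverse-lookup zones are not in the thread's zone list, so they are not exported here; add them to $Zones if the environment has any.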
 

Author Comment

by:Fubschuk
ID: 34282818
I have removed all traces in DNS on #8 and #13. Still no Outlook connectivity, and I still cannot RDP onto #13. What is the next step?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34282970
You didn't answer these:

Also run this on #13:

sc config rpcss type= share
(remember space after =)

Is the time between 8 and 13 in sync?

#13 is logging FRS 13565. Have you tried to set the Burflags to D2?

0
 

Author Comment

by:Fubschuk
ID: 34283262
Ok I have run sc config rpcss type= share and
I have set the Burflag to 2 on #13 and restarted ntfrs service
#8 #13 are displaying the same time.

What next?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34283386
I didn't mean you should set the Burflags to D2. The dcdiag log indicated that you had done that, so I just asked you :)

If you're going to set the Burflags to D2, #8 needs to share its SYSVOL and be authoritative. When you have DNS/advertising issues you should not set the Burflags.
If you do so #13 will dump its SYSVOL content to the Pre_Existing folder and wait for new content from an upstream partner. It will not find an upstream partner if #8 isn't advertising correctly.

Run a new dcdiag and also include a dnslint report.

dnslint /ad /s 10.0.254.8 /v


0
 

Author Comment

by:Fubschuk
ID: 34283696
DCDIAG5.txt dcdiag5.txt

I can't run dnslint 'not recognised....'

Sorry about the Burflags should I put them back or is it too late #13 had them set to 0?

This depth of AD is beyond me, I only hope with your help  I can fix it, the boss is getting worried it could be game over.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34283812
Get dnslint here: http://support.microsoft.com/kb/321045

The flag will return to 0 once the ntfrs service is started. Is #8 sharing its SYSVOL with content?

I think we'll get your domain back in shape, but it might take some time as this is an "offline" forum. If you're in a hurry you could always contact MS Support.

Please run the dnslint and attach the report. I'll check the dcdiag in a couple of hours. Dinner time.
0
 

Author Comment

by:Fubschuk
ID: 34283981
Thanks for sticking with me.
 dnslint.htm

I'm not sure #8 or #13 are sharing SYSVOL I ran a 'net share' on #8 and got these shares:

ADMIN$; C$; D$; IPC$; Address; ExchangeOAB; GroupMetrics
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34284609
It looks like you set the Burflags to D4 on #8?

Is #13 sharing its SYSVOL?
0
 

Author Comment

by:Fubschuk
ID: 34284906
I didn't change the Burflags on #8; they are still set to 0. Should I change them to D4?

NET share on #13 shows ADMIN$; C$;  IPC$;

No netlogon or sysvol shares on #13 or #8
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34284953
Do not change the flag yet.

Do you have any content of %Windows%Sysvol\Sysvol\Domain Name\NTFRS_Preexisting folder on any DC?

Or, do you have a backup of your SYSVOL? (ie. a system state)
0
 

Author Comment

by:Fubschuk
ID: 34285660
I have a copy of SYSVOL from Winserver11, a backup system state (22/11/2010), or I could get the current one from Winserver11, but that won't be until tomorrow as I disabled the NIC.
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 500 total points
ID: 34285974
That's good.

1. Stop the ntfrs service on both DCs.
2. Set the Burflags to D4 on #8.
3. Start ntfrs service on #8
4. Check that Event IDs 13553 and 13516 are logged on #8

5. cmd > net share (on #8)

Don't do anything with #13 yet (don't start ntfrs)
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34285984
Btw. Do you use DFS?

If yes, you should not set the global Burflags.
0
 

Author Comment

by:Fubschuk
ID: 34286235
Not sure if I use DFS. How can I tell?

Also, before I proceed,  do I need to do anything with the SYSVOL files from Winserver11 Backup, or does that come later?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34286292
Verify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID

If you only have one GUID, then that's the SYSVOL replica, and you are not using DFS.

Keep the backup files as backup. If you have many custom made GPOs and scripts, we'll need to get them from #11 or a system state backup.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34286308
You set the Burflags here if you don't have DFS:

HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

0
 

Author Comment

by:Fubschuk
ID: 34286453
Complete up to point 4, then I get Event ID 13566:

File Replication Service is scanning the data in the system volume. Computer WINSERVER8 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
 
To check for the SYSVOL share, at the command prompt, type:
net share
 
When File Replication Service completes the scanning process, the SYSVOL share will appear.
 
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34286528
Please download frsdiag: http://www.microsoft.com/downloads/en/details.aspx?FamilyId=43CB658E-8553-4DE7-811A-562563EB5EBF&displaylang=en

Run a frsdiag and attach the two connstat files created.
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 500 total points
ID: 34286546
If the share has not been shared yet try:

ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net stop ntfrs
net start netlogon
net start ntfrs

net share  -> Any luck?
0
 

Author Comment

by:Fubschuk
ID: 34286816
No joy with the above so have attached frsdiag files (there are quite a few)
 ntfrs-sysvol.zip
0
 

Author Comment

by:Fubschuk
ID: 34286832
It's been a long day, I'll check back in the morning, thanks for you help today
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 500 total points
ID: 34286894
There is a bit called SysvolReady that the netlogon service should set to 1 when all is OK. If the netlogon service starts before DNS you could end up with netlogon not setting the bit.

Try to add:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\DependOnService
Add value: DNS

Restart #8
0
 

Author Comment

by:Fubschuk
ID: 34287153
No Joy, still no SYSVOL share, and EventID 13566 still present in logs
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34287179
What does the folder structure look like under: %Windows%\Sysvol\
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34287421
Also verify that the "SysVol" key is present under:

HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\
0
 

Author Comment

by:Fubschuk
ID: 34289709
The structure below SYSVOL is as below, but there are no files in any of the folders.
SYSVOL Tree Winserver 8
SYSVOL from #11 has a lot more in it:
 SYSVOL Tree Winserver 11
The  "SysVol" key is present under: HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\  
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34289731
#11 has both the Default Domain Policy and Default Domain Controllers Policy. #8 doesn't have those.

Take a copy of #11's SYSVOL and place the copy on the same partition.


Try to make #11 authoritative:

Stop ntfrs on both servers.
Burflags = D4 on #11
Burflags = D2 on #8

Start ntfrs on #11.
Check if Event IDs 13553 and 13516 are logged on #11

0
 

Author Comment

by:Fubschuk
ID: 34290002
Do you mean put a copy of the #11 SYSVOL onto #8, replacing what is already on #8?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34290292
No, just a "backup" of #11's sysvol content. (do not copy the content between the DC's)
0
 

Author Comment

by:Fubschuk
ID: 34290341
So just to be clear...
I will take the backup copy of #11 SYSVOL and replace the SYSVOL in #11 then
Try to make #11 authoritative:
Stop ntfrs on both servers.
Burflags = D4 on #11
Burflags = D2 on #8
Start ntfrs on #11.
Check if Event ID 13553 and 13516 is logged on #11
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34290420
Do not replace any SYSVOL on #11. I just want you to take a copy of it before you set the burflags.

The D4 flag should not touch the content (as D2 will), but to be on the safe side...
0
 

Author Comment

by:Fubschuk
ID: 34290531
Got event ID 13565 on#11
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34290617
Event 13565 indicate that the Burflags is set to D2.

Event 13566 indicate that the Burflags is set to D4.

In post http:#34283696 you attached a dcdiag, before we even started to talk about the Burflags.

A warning event occurred.  EventID: 0x800034FE
Time Generated: 12/06/2010   08:56:00


EventID: 0x800034FE = 13566

Did you set the flag before we took it up?

Can you try to restart #11, stop the ntfrs, set the burflags to D4.

Make sure ntfrs is not running on #8 during this.
0
 

Author Comment

by:Fubschuk
ID: 34290718
All Burflags were set to 0 before I changed #13 to 2 in post http:#34283262. I have only NOW just changed the Burflags on #11 and #8. Both #8 and #13 have Burflags set at 2 and both have ntfrs STOPPED.
I will now restart #11
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34290741
I assume you mean "D2" (hex), not "2"?



0
 

Author Comment

by:Fubschuk
ID: 34290871
Ooooh, I'd been putting 2 as in decimal, not "D2" hexadecimal. Are those values ignored? Shall I repeat the exercise on #11/#8 using the hex "D4" and "D2"?
Stop ntfrs on both servers.
Burflags = D4 on #11
Burflags = D2 on #8
Start ntfrs on #11.
0
 

Author Comment

by:Fubschuk
ID: 34291280
Looking at the SYSVOL folders on all machines my observations are this
#8 & #13 look to be the same
#11 is different to its backup from 22/11/2010
Current SYSVOL #11
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34291389
hehe.. Yes, if you haven't done it already, set the burflags to:

stop ntfrs on both
"D4" on #11
"D2" on #8

start ntfrs on #11. Check if the event are present.

If they are, start ntfrs on #8. Check FRS events.

#13 is out of the replica set, so you shouldn't do anything on this.
0
 

Author Comment

by:Fubschuk
ID: 34291423
Same as before Got event ID 13565 on#11, bummer!

What about if I use the backup SYSVOL I have from 22/11/2010 on #11?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34291699
It has no purpose to use the backup as long as you can make an authoritative restore of the sysvol replica set.

Try to set the burflags on the cumulative replica set on #11:

Stop ntfrs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID

Key= Burflags
Value (hex) = D4

start ntfrs.
0
 

Author Comment

by:Fubschuk
ID: 34291747
Burflags already set at (hex)=d4
number of partners =0
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34291783
Is the Global Burflags = 0 and the replica-specific burflags = D4?

Is the "number of partners" = 0 on both #8 and #11?
0
 

Author Comment

by:Fubschuk
ID: 34291933
I have attached the reg hive from #11 and #8 for ntfrs for you to look at. I can't see a global setting for #11, but #8 has 2 partners.
 ntfrs-11.txt

 ntfrs-8.txt
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 500 total points
ID: 34292035
Ok, lets try to get #8 authoritative.

Set the Burflags=0 on #11 (the cumulative one). Set the global burflags to D2.

Global flag is located here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NtFrs\Parameters\Backup/Restore\Process at Startup

Set the global burflags=D4 on#8.

start ntfrs on #8.

Any luck in the frs event log?
0
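The D4/D2 sequence worked out above (stop ntfrs everywhere, D4 on exactly one DC and start it first, D2 on the others once it has shared SYSVOL) is easy to get wrong by hand, as the decimal-vs-hex mix-up earlier in the thread shows. The following script is an added example, not something posted in the thread or shipped by Microsoft. It assumes an elevated PowerShell 2.0 or later session run locally on each DC, SYSVOL replicated by NTFRS rather than DFSR, and that ntfrs is already stopped on every other DC before the authoritative one is started. It writes BurFlags as a REG_DWORD of 0xD4 or 0xD2 (decimal 212 or 210) through the .NET registry API, because the "/" in "Backup/Restore" is part of the key name and the PowerShell registry provider would read it as a path separator. It refuses to touch the global flag when more than one replica set is present (the DFS case mentioned above), restarts ntfrs before netlogon, waits for FRS event 13516, and then checks whether SYSVOL and NETLOGON are shared. The parameter names and timeout are my own choices.

```powershell
# Added example (not from the thread): FRS SYSVOL BurFlags restore helper.
# Assumptions: elevated PowerShell 2.0+ run *locally* on the DC, SYSVOL on
# NTFRS (not DFSR), ntfrs already stopped on every other DC. Use -Authoritative
# on exactly one DC (D4, the one whose SYSVOL content is good); run without it
# on the rest (D2) after the authoritative DC has logged event 13516.
param(
    [switch]$Authoritative,
    [int]$TimeoutMinutes = 15
)

$frsParams = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
# The "/" in Backup/Restore is part of the key name; the PowerShell registry
# provider would treat it as a path separator, so the .NET registry API is used.
$globalKey = "$frsParams\Backup/Restore\Process at Startup"

function Get-FrsReplicaSetCount {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$frsParams\Cumulative Replica Sets")
    if ($k -eq $null) { return 0 }
    $n = $k.SubKeyCount; $k.Close(); return $n
}

function Get-FrsBurFlags {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($globalKey)
    if ($k -eq $null) { throw "Key not found: HKLM\$globalKey" }
    $v = [int]$k.GetValue('BurFlags', 0); $k.Close(); return $v
}

function Set-FrsBurFlags([int]$Value) {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($globalKey, $true)
    if ($k -eq $null) { throw "Key not found: HKLM\$globalKey" }
    # REG_DWORD holding the number 0xD4 / 0xD2 (decimal 212 / 210), not the text "D4"
    $k.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}

function Test-LogonShares {
    $names = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
    return (($names -contains 'SYSVOL') -and ($names -contains 'NETLOGON'))
}

# 1. The global flag applies to every replica set on this DC. If anything besides
#    the SYSVOL set exists (a DFS replica), stop and use the per-set key instead.
if ((Get-FrsReplicaSetCount) -gt 1) {
    throw 'More than one FRS replica set on this DC; do not set the global BurFlags.'
}

# 2. Stop Netlogon and FRS, set the flag, then start ntfrs BEFORE netlogon.
Stop-Service Netlogon -Force
Stop-Service NtFrs -Force
$flag = 0xD2; $expectedEvent = 13565          # D2: re-initialise from an upstream partner
if ($Authoritative) { $flag = 0xD4; $expectedEvent = 13566 }   # D4: rescan local content
Set-FrsBurFlags $flag
$since = Get-Date
Start-Service NtFrs
Start-Service Netlogon

# 3. Wait for FRS to announce the SYSVOL share (event 13516), or time out.
$deadline = $since.AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 15
    $ids = @(Get-EventLog -LogName 'File Replication Service' -After $since -ErrorAction SilentlyContinue |
             ForEach-Object { $_.EventID })
} until (($ids -contains 13516) -or ((Get-Date) -gt $deadline))

# 4. Report. FRS resets BurFlags to 0 once it has acted on it.
'BurFlags now 0x{0:X} (expected 0 after FRS has processed it)' -f (Get-FrsBurFlags)
'FRS events since start: ' + (($ids | Sort-Object -Unique) -join ', ')
if (-not ($ids -contains $expectedEvent)) { "Warning: event $expectedEvent not seen; the flag may not have been read." }
if (Test-LogonShares) { 'SYSVOL and NETLOGON are shared.' }
else { 'SYSVOL/NETLOGON not shared yet: a D2 member needs an advertising upstream partner.' }
```

Run it once with -Authoritative on the DC holding the good SYSVOL content, wait for "SYSVOL and NETLOGON are shared", and only then run it without the switch on each remaining DC; a D2 member that starts before the D4 member is advertising will sit on event 13565 with nothing to pull from, which is exactly the state #13 was in earlier in the thread.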
 

Author Comment

by:Fubschuk
ID: 34292159
Yes
Event ID: 13553, 13554, 13516

Replication has started on #8. Shall I run a dcdiag?
SYSVOL showing as shared
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34292214
That's good. Does the SYSVOL hold any Policies?

Set the flag (if not already set) to D2 on #11. Start ntfrs and check the event log
0
 

Author Comment

by:Fubschuk
ID: 34292220
Do i need to turn on ntfrs on #11 and #13 now?

I can now RDP to #13 and #11, but Outlook is still not connecting.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34292243
#13 is not a domain controller anymore. It might see itself as one, but it's off the domain.

0
 

Author Comment

by:Fubschuk
ID: 34292248
All SYSVOL folders on #8 are empty
0
 

Author Comment

by:Fubschuk
ID: 34292256
#11 was the one that failed removal on the domain
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34292257
Start ntfrs on #11 if you have set it to D2
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34292269
ohh.. long post so it's easy to mix it up.

Do it on #13 :)
0
 

Author Comment

by:Fubschuk
ID: 34292283
Event ID 13565 on #11 when starting ntfrs
0
 

Author Comment

by:Fubschuk
ID: 34292300
Same on #13: Event ID 13565 on #11 when starting ntfrs

File Replication Service is initializing the system volume with data from another domain controller. Computer WINSERVER13 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
 
To check for the SYSVOL share, at the command prompt, type:
net share
 
When File Replication Service completes the initialization process, the SYSVOL share will appear.
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 500 total points
ID: 34292302
Forget about #11 :)

Set the burflags to D2 on #13
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34292325
Is netlogon shared on #8?
0
 

Author Comment

by:Fubschuk
ID: 34292326
Do you think we need the contents of #11's SYSVOL, as it is the only one with anything in it?

Also, should I take #11 back off the LAN, as it is appearing back in the DNS records?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34292388
I guess you have #11 as a name server (name server tab on the domain zone). Remove it from the tab. Also remove records it has created.

You need two policies to be able to authenticate. The Default Domain Policy (GUID=E31xxxxx-) and the Default Domain Controller Policy (GUID = 6Axxxxxxxx-).

If you have not modified these you can create them all over with a tool called DCGPOFIX. (You have to run Exchange setup /domainprep when you do this.)

Or you can restore them from a backup. If you have the GPMC on #11 you can run a backup directly, copy them over and restore them on #8.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34292446
*Default domain policy = GUID starts with 31B2F340-xxxxxxx
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34292495
I'll be offline most of the evening, but I'll check back with you.

If you decide to create those two policies from scratch, here is a thread about it.
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24403319.html

You have to be sure that both SYSVOL and NETLOGON are shared on #8.

0
 

Author Comment

by:Fubschuk
ID: 34292679
That sounds heavy; can you break it down a bit?
The GUIDs are these folders under \SYSVOL\Domain\Policies:
6AC1xxxx
8FACExxx
31B2F3xxx
as shown in post 34291280.
I have not modified any policies; they are 'out of the box'. Where do I get DCGPOFIX, or will it be easier to do the second option?
I can see the domain object in GPEDIT on #11 but don't know how to proceed.
 GPEDIT on #11
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34293208
If you have not made any changes to the default policies since the domain was created, it's easier to use dcgpofix.

First run cmd > net view on #8
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34293704
If only SYSVOL shows up and not the NETLOGON share, follow this KB

http://support.microsoft.com/kb/947022/en-us
0
 

Author Comment

by:Fubschuk
ID: 34294457
Will it be safe to run dcgpofix on #8 which is also an Exchange 2010 server?
0
 

Author Comment

by:Fubschuk
ID: 34294463
I can't get the NETLOGON share using the above procedure. I have noticed this Event ID 5706:

The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\Diplomat.local\SCRIPTS.  The following error occurred:
The system cannot find the file specified.

And also Event ID: 1058

The processing of Group Policy failed. Windows attempted to read the file \\Diplomat.local\SysVol\Diplomat.local\Policies\{de3b4a4c-6ef8-475b-af25-2af764b7aefd}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34294665
You'll get GPO errors. Don't bother with them at the moment.

Stop both ntfrs and netlogon service on #8. Start them up again. Check if NETLOGON is shared.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34294675
ntfrs needs to be started first
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34294740
Regarding the dcgpofix tool, you can run it but it will set the default permissions on the default GPOs.

"setup /prepareAD" from the Exchange media should fix it up.

http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/be31c490-0784-498b-8a60-e5332170ea76/

0
 

Author Comment

by:Fubschuk
ID: 34294858
stopped both ntfrs and netlogon, restarted ntfrs first, but still no netlogon share
Event ID 5705
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34296841
Regarding the 5705 error, there was not much info out there.

Found this for NT and 2000: http://support.microsoft.com/kb/173882 (see the workaround for 2000)

This one says the same for 2003: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=5705&EvtSrc=NetLogon&LCID=1033



0
 

Author Comment

by:Fubschuk
ID: 34299059
Sorry my bad, it was event ID 5706
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34299185
Take a look at this KB if it will help you.

http://support.microsoft.com/kb/258805
0
 

Author Comment

by:Fubschuk
ID: 34299231
Still getting 5706

The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\Diplomat.local\SCRIPTS.  The following error occurred:
The system cannot find the file specified.

I have also run the latest DCDIAG from #8
 dcdiag6.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34299245
What is the value of:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

SysvolReady:
Sysvol:
DBflag (is it present?):

If DBflag is not present, stop netlogon and create it (REG_SZ, value = 0)
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34299316
You have configured your forwarders wrong (this will only affect non-local DNS queries):

10.0.254.11 (WINSERVER11) [Valid]
10.0.254.240 (<name unavailable>) [Valid]

Open the DNS console, right click #8 -> Properties -> Forwarders tab.

You should use either root hints or your ISP's DNS as forwarders.

Dcdiag looking better. You will have some errors due to Netlogon not shared.

0
 

Author Comment

by:Fubschuk
ID: 34299601
I have removed the entries for  the forwarders just leaving the root hints is that correct?

 dcdiag7.txt

SysvolReady: = 1
Sysvol: = c:|windows\SYSVOL\sysvol
DBflag = 0
 netlogon.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34299644
Sysvol: = c:|windows\SYSVOL\sysvol

Is there a | (pipe) after C:?

Should be c:\windows\SYSVOL\sysvol
0
 

Author Comment

by:Fubschuk
ID: 34299673
Sorry, that's my poor typing. I attached the reg hive for that and, as you will see, those bits are OK.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34299781
Have you started the ntfrs on #13 with the Burflags = D2?

Can you post a screen shot of your SYSVOL tree on #8 like you did earlier?
0
 

Author Comment

by:Fubschuk
ID: 34299869
ntfrs is running on #13 with the Burflags = D2

SYSVOL still has no files contained within the tree:

 sysvol tree #8
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 500 total points
ID: 34299913
Is the burflags still D2 on #13? (it should return to 0 once ntfrs is started)

Try to do this on #8:

Stop ntfrs and netlogon

Create a folder named "Policies" under c:\windows\sysvol\domain\
Create a folder named "scripts" under c:\windows\sysvol\domain\

Copy these two folder from #11 to the created "Policies" folder:

{6AC1786C-016F-11D2-945F-00C04fB984F9}
{31B2F340-016D-11D2-945F-00C04FB984F9}

Start ntfrs
Start netlogon

Check if the Policies and scripts folders are present under \Sysvol\sysvol\diplomat.local\


0
 

Author Comment

by:Fubschuk
ID: 34300001
Netlogon now shared:


Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\Windows                      Remote Admin                      
C$           C:\                             Default share                    
D$           D:\                             Default share                    
IPC$                                         Remote IPC                        
Address      D:\Exchange2010\Mailbox\addr... "Access to address objects"      
Download     D:\Download                    
ExchangeOAB  D:\Exchange2010\ExchangeOAB     OAB Distribution share            
GroupMetrics D:\Exchange2010\GroupMetrics    MailTips group metrics publishing
NETLOGON     C:\Windows\SYSVOL\sysvol\Diplomat.local\SCRIPTS  Logon server share                
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share                

 New SYSVOL Tree on #8
All starting to look good now, Outlook still won't connect keeps asking for password
0
 

Author Comment

by:Fubschuk
ID: 34300008
Winserver11 is still appearing in the DNS on #8.
I guess I should remove all the records of #11 from DNS on #8.

Should I stop/remove DNS from #11?
0
 

Author Comment

by:Fubschuk
ID: 34300017
Burflags on #13 now at 0
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 500 total points
ID: 34300025
Unplug #11 and remove records from DNS.

Does # 13 share its SYSVOL and NETLOGON?
0
 

Author Comment

by:Fubschuk
ID: 34300034
Will I need to stop ntfrs on #8 and #13, then remove the #11 DNS records from both machines?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34300036
No, you don't need to stop anything. It's #11 that will register its own records.
0
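Hunting the retired DC's records by eye across _msdcs, _sites, _tcp, _udp, the domain zone, the forest zone and the name-server tab is where this thread kept finding leftovers. The script below is an added example, not part of the thread; it assumes an elevated PowerShell 2.0 or later session on the DNS server itself (dnscmd.exe is present on 2003/2008 DNS servers), and it takes the old DC's name and IP as parameters, with the thread's winserver11 / 10.0.254.11 filled in as a constructed default. It exports every zone with "dnscmd /ZoneExport" (the export lands in %SystemRoot%\System32\dns, which is why it must run locally) and scans each export for the name or address, so NS, A, SRV and CNAME records, including reverse-zone PTRs, all surface in one pass. The function names and the temporary file name are my own.

```powershell
# Added example (not from the thread): list every DNS record still pointing at
# a retired DC. Assumptions: elevated PowerShell 2.0+ on the DNS server itself,
# dnscmd.exe available. Defaults are the thread's values, as a constructed example.
param(
    [string]$OldDcName = 'winserver11',
    [string]$OldDcIp   = '10.0.254.11',
    [string]$DnsServer = '.'
)

function Get-DnsZoneNames([string]$Server) {
    # Parse the "dnscmd /EnumZones" table: "<zone> <type> <storage> [<properties>]".
    # The cache zone "." and TrustAnchors are skipped.
    $zones = @()
    foreach ($line in (& dnscmd $Server /EnumZones)) {
        if ($line -match '^\s*(\S+)\s+(Primary|Secondary|Stub|Forwarder)\s') {
            if ($Matches[1] -ne 'TrustAnchors') { $zones += $Matches[1] }
        }
    }
    return $zones
}

function Find-StaleDcRecords([string]$Server, [string]$Zone, [string]$Name, [string]$Ip) {
    # dnscmd writes the export under %SystemRoot%\System32\dns and refuses to
    # overwrite, so clear any previous scan file first.
    $file = "stale-scan-$Zone.txt"
    $full = Join-Path "$env:SystemRoot\System32\dns" $file
    if (Test-Path $full) { Remove-Item $full -Force }
    $out = & dnscmd $Server /ZoneExport $Zone $file 2>&1
    if (-not (Test-Path $full)) { Write-Warning "Export of $Zone failed: $out"; return @() }

    $namePattern = [regex]::Escape($Name)
    $ipPattern   = [regex]::Escape($Ip)
    $hits = @()
    foreach ($l in Get-Content $full) {
        if ($l -match '^\s*;') { continue }            # zone-file comments
        if ($l -match $namePattern -or $l -match $ipPattern) { $hits += "[$Zone] $l" }
    }
    Remove-Item $full -Force
    return $hits
}

$all = @()
foreach ($z in Get-DnsZoneNames $DnsServer) {
    $all += Find-StaleDcRecords $DnsServer $z $OldDcName $OldDcIp
}
if ($all.Count -eq 0) { "No records referencing $OldDcName / $OldDcIp found." }
else {
    "Records still referencing the retired DC (delete these; an 'NS' line means it is still on the name-server tab):"
    $all
}
```

Run it on #8 and again on #13 after the cleanup: because the zones are AD-integrated the two servers should agree once replication has caught up, and a record that reappears after deletion means the old DC is still on the network registering itself, which is the reason the thread ends up unplugging #11.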
 

Author Comment

by:Fubschuk
ID: 34300131
I restarted netlogon on #13 and now it is sharing netlogon and sysvol.

I'm going to disconnect #11 and remove the #11 records from #8 and #13.

Will I be able to use #11 at some point in the future, or should I rebuild it?
0
 

Author Comment

by:Fubschuk
ID: 34300197
Looks like Group policy is looking for a different GUID {de3b4a4c-6ef8-475b-af25-2af764b7aefd}, I know you said not to worry about that at the moment but though you should know.

The processing of Group Policy failed. Windows attempted to read the file \\Diplomat.local\SysVol\Diplomat.local\Policies\{de3b4a4c-6ef8-475b-af25-2af764b7aefd}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
0
 

Author Comment

by:Fubschuk
ID: 34300248
dcdiag8 dcdiag8.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34300267
Regarding #11, you need to remove AD from it with "dcpromo /forceremoval".
This will uninstall AD from it and it will be placed in a workgroup. I would reinstall it with a new name and IP if I was to decide.

{de3b4a4c-6ef8-475b-af25-2af764b7aefd} is a custom made GPO. You can copy it from #11 and place it like you did with the other two GPO.

Another option is to remove it (with use of GPMC).

How are your clients reacting with Outlook? Make sure the clients don't use #11 as DNS.

When you have copied or removed the {de3b4a4c-6ef8-475b-af25-2af764b7aefd} policy. Run a new dcdiag.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34300304
Just remember not to copy it to both #8 and #13. If you do that it will morph.

Just copy it to #8 and FRS will replicate it over to #13
0
 

Author Comment

by:Fubschuk
ID: 34300353
The thing is, I can't find a folder with GUID {de3b4a4c-6ef8-475b-af25-2af764b7aefd} on any of the servers?? Could I use a copy of another GUID folder and rename it to this GUID?

So how do I remove the policy? How do you use GPMC? Where can I find it?

Outlook still not connecting; all clients are using 10.0.254.8 as primary and 8.8.8.8 as secondary DNS.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34300413
Domain clients should never use any public DNS (like Google DNS), only internal DNS. That's why you use forwarders on your internal DNS.

Open gpmc.msc from #8.

Under "Group Policy Objects" are all GPO's stored (with friendly names, not GUID)

Click on the GPO and in the right pane it tells where it's linked. Right click and untick "link enable"

0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34300431
You can rename another folder to match the GUID. I don't know what this GPO does, but if you want it back, you can restore it from the system state you had.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34300441
TYPO: You CAN NOT rename
0
 

Author Comment

by:Fubschuk
ID: 34300585
Have set client DNS to #8 and #13.

Looking in GPMC at the Group Policy Objects, there are 3 but none have the GUID {de3b4a4c-6ef8-475b-af25-2af764b7aefd}.
There are these:
Default Domain Controllers Policy {6AC178...... and
Default Domain Policy {31B2F3.... and
New Group Policy Object {8FACE7... This errors with "can't find file" when you click on it.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34300668
Check GPMC on #13 if you see the missing GPO there.
0
 

Author Comment

by:Fubschuk
ID: 34300753
GPMC won't run on #13 can't find the MSC for it either (2003 Server)
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34300804
0
 

Author Comment

by:Fubschuk
ID: 34300923
That shows the same policies as on #8

Looking at the folders on #11 I don't see that GUID either??

How do we get over this? Is this what is stopping Outlook from connecting?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34300969
On #8:

open adsiedit.msc

Look for the presence under the domain partition of the CN = GUID

CN=Policies,CN=System,DC=diplomat,DC=local
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34301015
this has nothing to do with the Outlook.. but I would make the dcdiag clean before troubleshooting that issue.
0
 

Author Comment

by:Fubschuk
ID: 34301100
Same GUIDs in ADSI; it's baffling

 ADSI
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34301193
hmm.. where is this GUID coming from..

Open regedit on #8 and #13 and look for the GUID under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
0
 

Author Comment

by:Fubschuk
ID: 34301297
Not there either, I even looked on the disabled #11 no trace of this GUID de3b4a4c-6ef8-475b-af25-2af764b7aefd
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34301334
Open AD Users & Computers -> View -> Tick Advanced features

Look in the System container -> Policies. (This should be the same as in adsiedit, but check to be sure.)

If there are no traces, open cmd and run:

dfsutil /PurgeMUPCache

Run a new dcdiag.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34301342
clear system log before running dcdiag
0
 

Author Comment

by:Fubschuk
ID: 34301462
The GUID is not showing in System container -> Policies, but I don't have dfsutil on #8. Can I run it from #13?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34301497
Forget about the dfsutil.

Clear the system log on #8 and #13 and run a dcdiag from #8:

dcdiag /e /v /f:dcdiag9.txt
0
 

Author Comment

by:Fubschuk
ID: 34301579
Looking a bit deeper into the event log, it looks like the policy it is looking for is to do with GUID 8FACE762-70DE-434B-BB90-ABC3A718B9B9. Has it got confused??
The folder is called 8FACE762-70DE-434B-BB90-ABC3A718B9B9; this is the policy folder 'New Group Policy', see post 34300585 above. I have copied the GUID folder over but am still getting the GPO errors.

 GPO New Group Policy
 
ErrorDescription The system cannot find the path specified.  

  DCName WINSERVER8.Diplomat.local 

  GPOCNName CN={8FACE762-70DE-434B-BB90-ABC3A718B9B9}, CN=Policies,CN=System,DC=Diplomat,DC=local 

  FilePath \\Diplomat.local\SysVol\Diplomat.local\Policies\{de3b4a4c-6ef8-475b-af25-2af764b7aefd}\gpt.ini


0
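The event quoted in the post above is the clue the thread circled for a while: the GPOCNName is the {8FACE762-...} object in CN=Policies,CN=System, but the FilePath it tried to read is a {de3b4a4c-...} folder, so the GPO's gPCFileSysPath attribute points at a GUID that is not its own. The manual checks used above (adsiedit, ADUC's System container, the SYSVOL Policies folder) can be done in one pass with the script below. It is an added example, not something posted in the thread; it assumes PowerShell 2.0 or later on a DC or domain member with LDAP and SMB access to a DC, needs no ActiveDirectory module (it uses System.DirectoryServices directly), and the function name Test-GpoConsistency is my own. It reports three kinds of breakage: a GPO whose gPCFileSysPath GUID differs from its CN, a GPO with no gpt.ini in SYSVOL or a SYSVOL folder with no AD object behind it, and a gPLink on the domain root or an OU that references a GPO which no longer exists.

```powershell
# Added example (not from the thread): cross-check groupPolicyContainer objects
# in AD against SYSVOL and against gPLink references. Assumptions: PowerShell
# 2.0+, LDAP/SMB reachability to a DC, no AD module required.
function Get-LdapProp($result, [string]$name) {
    # Result property names are lower-case; return '' when the attribute is absent
    $vals = $result.Properties[$name]
    if ($vals -eq $null -or $vals.Count -eq 0) { return '' }
    return [string]$vals[0]
}

function Test-GpoConsistency {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $domainDn  = [string]$rootDse.defaultNamingContext
    $domainDns = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    $sysvolPolicies = "\\$domainDns\SYSVOL\$domainDns\Policies"
    $findings = @()

    # 1. Every GPO object under CN=Policies,CN=System: CN vs gPCFileSysPath vs gpt.ini
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
    $s.Filter = '(objectClass=groupPolicyContainer)'
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.AddRange([string[]]@('cn', 'displayname', 'gpcfilesyspath'))
    $adGuids = @{}
    foreach ($r in $s.FindAll()) {
        $cn   = Get-LdapProp $r 'cn'
        $name = Get-LdapProp $r 'displayname'
        $path = Get-LdapProp $r 'gpcfilesyspath'
        $adGuids[$cn.ToLower()] = $name
        $pathGuid = Split-Path -Leaf $path
        if ($pathGuid -ne $cn) {       # -ne is case-insensitive for strings
            $findings += "AD GPO '$name' $cn has gPCFileSysPath pointing at $pathGuid ($path)"
        }
        if (-not (Test-Path (Join-Path $path 'gpt.ini'))) {
            $findings += "AD GPO '$name' $cn has no gpt.ini at $path (clients will log event 1058)"
        }
    }

    # 2. SYSVOL folders with no AD object behind them (orphans left by deleted GPOs)
    if (Test-Path $sysvolPolicies) {
        foreach ($d in Get-ChildItem $sysvolPolicies | Where-Object { $_.PSIsContainer }) {
            if (-not $adGuids.ContainsKey($d.Name.ToLower())) {
                $findings += "SYSVOL folder $($d.Name) has no groupPolicyContainer in AD"
            }
        }
    }

    # 3. gPLink values anywhere in the domain that reference a GPO which does not exist
    $s2 = New-Object System.DirectoryServices.DirectorySearcher
    $s2.SearchRoot = [ADSI]"LDAP://$domainDn"
    $s2.Filter = '(gPLink=*)'
    $s2.PageSize = 1000
    [void]$s2.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'gplink'))
    $linkRx = [regex]'(?i)\[LDAP://cn=(\{[0-9a-f-]+\}),cn=policies,cn=system,[^;\]]+;(\d+)\]'
    foreach ($r in $s2.FindAll()) {
        $dn = Get-LdapProp $r 'distinguishedname'
        foreach ($m in $linkRx.Matches((Get-LdapProp $r 'gplink'))) {
            $g = $m.Groups[1].Value.ToLower()
            if (-not $adGuids.ContainsKey($g)) { $findings += "$dn links GPO $g, which does not exist in AD" }
        }
    }
    return $findings
}

Test-GpoConsistency
```

An empty result means AD, SYSVOL and the links agree; for the situation in this thread it would have printed the CN/gPCFileSysPath mismatch on the "New Group Policy Object" directly, which is why deleting that object in GPMC, as the next post suggests, clears the 1058 events. Run it on each DC in turn, since SYSVOL content can differ between replicas while FRS is still catching up.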
 

Author Comment

by:Fubschuk
ID: 34301605
DCDIAG9 dcdiag9.txt
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 500 total points
ID: 34301634
Can you delete the "New Group Policy Object" from GPMC?
0
 

Author Comment

by:Fubschuk
ID: 34301686
Ok have done that, Outlook still not connecting. do you want another dcdiag?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34301715
I don't need a new diag atm.

In your initial post you mentioned that the Outlook clients could not connect. Was this after you moved Exchange over to the new server?

Have the clients ever been able to connect to the mailbox after the move?

Have you verified that the Outlook profile is pointed to the correct mailbox server?
0
 

Author Comment

by:Fubschuk
ID: 34301901
The Exchange move happened in September; all was working OK until about this time last week.

What I think happened was #13 rebooted following a Windows update; then things started going crazy, and we couldn't log on to Outlook all the time.
Then you got involved.
Then at some point I rebooted #11. Since that reboot we could not connect to Outlook at all, so this was
when I tried removing #11 from the domain and it failed.
But the event logs are looking much better.... but still no Outlook. Do you think they want to connect to #11, which was the old 2003 Exchange server?
0
 

Author Comment

by:Fubschuk
ID: 34302131
When starting the Exchange console i'm getting errors 5,22
22:
(Process w3wp.exe, PID 10256) "RBAC authorization is unavailable due to the transient error: An Active Directory error 0x51 occurred when trying to check the suitability of server 'winserver11.Diplomat.local'. Error: 'Active directory response: The LDAP server is unavailable.'"

Notice it is referring to 'winserver11.Diplomat.local'.

Is that my problem? Is it Exchange that is looking for 'winserver11.Diplomat.local'?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34302536
Exchange is 100% dependent on AD, DNS and a Global Catalog.

It obviously looks like Exchange is trying to get info from #11, which it can't.

I'm not an Exchange expert, so I advise you to start a new thread in the Exchange zone.

Something like "Exchange 2010 (or was it 2007?) trying to connect to demoted DC".
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34304190
Btw, can you run a new dcdiag?

You had 3 domain controllers, so I guess you'll have some users in there. Why do you run Exchange on one of the DC's and not a dedicated Exchange server?


0
 

Author Comment

by:Fubschuk
ID: 34308108
0
 

Author Comment

by:Fubschuk
ID: 34308147
#11 was the first DC and the only server, so it also ran Exchange 2003; then we got another machine, #13, to run SQL for an accounts package. Both machines are over 5 years old now. So we invested in a new machine, 2008/Exchange 2010, with a view to replacing #11 and #13 in the future.
So when we get the next server in, that will replace #13. In an ideal world we would have Exchange on a separate machine, but we don't have that luxury. It's still better to have 2 DCs even if one is an Exchange server, would you agree?

Thank you so much for your help with these problems; it's a shame we can't complete it all the way.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34308217
Did the Exch2003 and Exch2010 co-exist in your domain, and you have removed all traces of the 2003?

Exchange should find all DCs and "update that list". In the RUS on Exchange 2003 you could set which GC was preferred. 2010 doesn't use RUS. I'm on thin ice regarding such Exchange questions, so I can't assist you with that issue :(

Atleast your AD/FRS replication is working, and the DCDIAG is 100% free of errors/warnings.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34308233
It’s still better to have 2 DC’s even if one is an exchange server would you agree?

Couldn't agree more! :)
0
 

Author Comment

by:Fubschuk
ID: 34308300
The Exchange servers did co-exist for a while whilst I moved over the mailboxes etc. to the new machine. All Exchange services were off on #11 and everything was working OK. I hadn't yet removed Exchange from that machine but would have done so soon.

Thanks again for your assistance I have started a new thread on the Exchange Forum now:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26667792.html
0
 

Author Comment

by:Fubschuk
ID: 34308342
If I stop ntfrs, netlogon and DNS on #11, could I put it back on the network and see if Exchange will work better? Or should I do the dcpromo /forceremove before I put it back on?
I don't want to do this if it messes up your good work!
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34308646
The problem with hosting Exchange on a DC is that if you change the server role, Exchange will break.
Demoting a DC is a change in server role.

Your domain (#8 and #13) doesn't see #11 as a DC, but #11 will see itself as a DC. When you have run a metadata cleanup, you should demote #11 as a DC. Since this "DC" is unable to replicate, you have to use the /forceremoval switch to be able to achieve this.

I would not start #11 until you have run a "dcpromo /forceremoval" on it. After this you have to join it to the domain as a member and you can introduce it back in.

I'm not sure how Exchange 2003 will handle it.

0
 

Author Comment

by:Fubschuk
ID: 34308665
Ok i'll do that, thanks

You certainly deserve those points
0
 

Author Closing Comment

by:Fubschuk
ID: 34308703
Really great EXPERT! A tribute to expert’s exchange
0
