Fubschuk
asked on
Active Directory Replication
We have a new Windows 2008 server (Winserver8) which is to take over from the old 2003 server. The old Windows 2003 server (Winserver11) also had Exchange 2003. I believe I have moved all the FSMO roles from this machine and transferred Exchange to the new 2008 server, with a view to retiring the 2003 server at some point. There is also another DC (Winserver13).
We recently had a problem where Outlook clients could not connect to Exchange; the problem seemed to be linked to Active Directory replication, as when a replication was forced the Outlook clients could connect. In a previous question I was told to run
dcdiag /fix
and see what errors I got. Below is the output from my new 2008 server (Winserver8).
Can anyone help rectify these problems?
Output from dcdiag /fix on Winserver8:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = WINSERVER8
* Identified AD Forest.
Ldap search capabality attribute search failed on server WINSERVER13, return
value = 81
Got error while checking if the DC is using FRS or DFSR. Error:
Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
because of this error.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\WINSERVER8
Starting test: Connectivity
......................... WINSERVER8 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\WINSERVER8
Starting test: Advertising
Warning: DsGetDcName returned information for
\\winserver11.Diplomat.local, when we were trying to reach WINSERVER8.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... WINSERVER8 failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... WINSERVER8 passed test FrsEvent
Starting test: DFSREvent
......................... WINSERVER8 passed test DFSREvent
Starting test: SysVolCheck
......................... WINSERVER8 passed test SysVolCheck
Starting test: KccEvent
......................... WINSERVER8 passed test KccEvent
Starting test: KnowsOfRoleHolders
[WINSERVER13] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
Warning: WINSERVER13 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: WINSERVER13 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... WINSERVER8 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... WINSERVER8 passed test MachineAccount
Starting test: NCSecDesc
......................... WINSERVER8 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\WINSERVER8\netlogon)
[WINSERVER8] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... WINSERVER8 failed test NetLogons
Starting test: ObjectsReplicated
......................... WINSERVER8 passed test ObjectsReplicated
Starting test: Replications
......................... WINSERVER8 failed test Replications
Starting test: RidManager
......................... WINSERVER8 passed test RidManager
Starting test: Services
......................... WINSERVER8 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000003F6
Time Generated: 11/25/2010 12:47:28
Event String:
Name resolution for the name dns.msftncsi.com timed out after none of the configured DNS servers responded.
......................... WINSERVER8 passed test SystemLog
Starting test: VerifyReferences
......................... WINSERVER8 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : Diplomat
Starting test: CheckSDRefDom
......................... Diplomat passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Diplomat passed test CrossRefValidation
Running enterprise tests on : Diplomat.local
Starting test: LocatorCheck
......................... Diplomat.local passed test LocatorCheck
Starting test: Intersite
......................... Diplomat.local passed test Intersite
Is the "TCP/IP NetBIOS Helper" service running?
ASKER
Yes TCP/IP NetBIOS Helper is running - set to Automatic
At first glance, it looks like you have a DNS problem. ("dcdiag /fix" does nothing other than write back the SPNs used for replication.)
Do you have three domain controllers at the moment?
1. Run and post: netdom query dc
2. Run and post: repadmin /replsum
3. Run and post: ipconfig /all (on all DCs listed in #1)
ASKER
1...................
C:\>netdom query dc
List of domain controllers with accounts in the domain:
WINSERVER11
WINSERVER13
WINSERVER8
The command completed successfully.
2....................
C:\>repadmin /replsum
Replication Summary Start Time: 2010-11-26 15:12:00
Beginning data collection for replication summary, this may take awhile:
......
Source DSA largest delta fails/total %% error
WINSERVER11 23m:58s 0 / 10 0
WINSERVER13 21m:20s 0 / 10 0
WINSERVER8 23m:58s 0 / 10 0
Destination DSA largest delta fails/total %% error
WINSERVER11 20m:14s 0 / 10 0
WINSERVER13 23m:59s 0 / 10 0
WINSERVER8 21m:21s 0 / 10 0
3................
Winserver8
Windows IP Configuration
Host Name . . . . . . . . . . . . : WINSERVER8
Primary Dns Suffix . . . . . . . : Diplomat.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Diplomat.local
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #2
Physical Address. . . . . . . . . : 84-2B-2B-18-2B-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::849e:afd4:9d7d:814d%13(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.254.9(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.254.240
DHCPv6 IAID . . . . . . . . . . . : 310651691
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-EF-85-1F-84-2B-2B-18-2B-08
DNS Servers . . . . . . . . . . . : 10.0.254.8
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 84-2B-2B-18-2B-08
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4da9:550a:833b:4a2f%11(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.254.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.254.241
DHCPv6 IAID . . . . . . . . . . . : 243542827
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-EF-85-1F-84-2B-2B-18-2B-08
DNS Servers . . . . . . . . . . . : ::1
10.0.254.8
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{E184EFF1-5BF9-4878-BCF9-0FFC4BE0B5F9}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{245E2C8F-3ED4-412D-9ECC-8E8732DD3D91}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 12:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Winserver11
Windows IP Configuration
Host Name . . . . . . . . . . . . : winserver11
Primary Dns Suffix . . . . . . . : Diplomat.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Diplomat.local
Ethernet adapter Intel Pro 1000 MT Gigabit Ethernet Adapter - Onboard:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-11-43-D1-19-C7
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.254.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 10.0.254.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.254.241
DNS Servers . . . . . . . . . . . : 10.0.254.11
Primary WINS Server . . . . . . . : 10.0.254.11
Winserver13
Windows IP Configuration
Host Name . . . . . . . . . . . . : Winserver13
Primary Dns Suffix . . . . . . . : Diplomat.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Diplomat.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-11-43-D1-17-8D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.254.13
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.254.240
DNS Servers . . . . . . . . . . . : 10.0.254.13
Replication is ok (strangely), but:
Any reason you have two NICs in the same IP scope on Winserver8?
Any reason you have two IP addresses on Winserver11?
Is your DNS AD-integrated?
ASKER
Winserver8 is using SMTP connectors on different ports, as was Winserver11.
I did find that DNS was not running on Winserver13 and that it had recently rebooted after a Windows update. None of the other servers are set to automatic Windows update, so that might have been the cause of my problems; I have turned off auto update now.
I am still getting errors when I run dcdiag /fix which I would like to get to the bottom of, see below....
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = WINSERVER8
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\WINSERVER8
Starting test: Connectivity
......................... WINSERVER8 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\WINSERVER8
Starting test: Advertising
Warning: DsGetDcName returned information for
\\winserver11.Diplomat.local, when we were trying to reach WINSERVER8.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... WINSERVER8 failed test Advertising
Starting test: FrsEvent
......................... WINSERVER8 passed test FrsEvent
Starting test: DFSREvent
......................... WINSERVER8 passed test DFSREvent
Starting test: SysVolCheck
......................... WINSERVER8 passed test SysVolCheck
Starting test: KccEvent
......................... WINSERVER8 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... WINSERVER8 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... WINSERVER8 passed test MachineAccount
Starting test: NCSecDesc
......................... WINSERVER8 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\WINSERVER8\netlogon)
[WINSERVER8] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... WINSERVER8 failed test NetLogons
Starting test: ObjectsReplicated
......................... WINSERVER8 passed test ObjectsReplicated
Starting test: Replications
......................... WINSERVER8 passed test Replications
Starting test: RidManager
......................... WINSERVER8 passed test RidManager
Starting test: Services
......................... WINSERVER8 passed test Services
Starting test: SystemLog
......................... WINSERVER8 passed test SystemLog
Starting test: VerifyReferences
......................... WINSERVER8 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : Diplomat
Starting test: CheckSDRefDom
......................... Diplomat passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Diplomat passed test CrossRefValidation
Running enterprise tests on : Diplomat.local
Starting test: LocatorCheck
......................... Diplomat.local passed test LocatorCheck
Starting test: Intersite
......................... Diplomat.local passed test Intersite
Is your domain/forest zone AD-integrated?
ASKER
I believe so....
Enumerated zone list:
Zone count = 3
Zone name Type Storage Properties
. Cache AD-Domain
_msdcs.Diplomat.local Primary AD-Forest Secure Aging
Diplomat.local Primary AD-Domain Secure Aging
Command completed successfully.
Are all three DCs listed in the Name server tab on the zone?
If so, I would make things a little easier during troubleshooting.
Configure all three DCs to use 10.0.254.8 as primary DNS and themselves as secondary.
On all DCs run:
ipconfig /flushdns
ipconfig /registerdns (to register the A record)
Restart the Netlogon service (to register the SRV records)
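The DNS client change and the three re-registration steps above, wrapped so they can be applied to every DC from one admin console. This is an added example, not code from the thread or its participants; it assumes the DC names and the primary DNS address (Winserver8's LAN address) from the thread, and that the console is a domain admin with WMI/RPC access to each DC.

```powershell
# Added example (not from the thread): apply the expert's DNS client fix to every DC.
# Assumptions, labelled: DC names and the primary DNS address come from the thread;
# the console running this has domain admin rights and WMI/RPC access to each DC.
$PrimaryDns        = '10.0.254.8'
$DomainControllers = 'WINSERVER8', 'WINSERVER11', 'WINSERVER13'

foreach ($dc in $DomainControllers) {
    # Static, IP-enabled adapters only; a DC should never take its address from DHCP.
    $nics = Get-WmiObject -ComputerName $dc -Class Win32_NetworkAdapterConfiguration |
            Where-Object { $_.IPEnabled -and -not $_.DHCPEnabled }

    foreach ($nic in $nics) {
        # The first IPv4 address on this adapter becomes the secondary resolver ("itself as secondary").
        $ownIPv4 = @($nic.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })[0]
        $order   = @($PrimaryDns)
        if ($ownIPv4 -and $ownIPv4 -ne $PrimaryDns) { $order += $ownIPv4 }

        # SetDNSServerSearchOrder replaces the whole list, so loopback entries such as
        # ::1 / 127.0.0.1 (seen in Winserver8's ipconfig) disappear as well.
        $rc = $nic.SetDNSServerSearchOrder($order).ReturnValue
        '{0} [{1}]: DNS servers -> {2} (rc={3})' -f $dc, $nic.Description, ($order -join ', '), $rc
    }

    # The three steps from the thread, run on the DC itself: flush the resolver cache,
    # re-register the A record, restart Netlogon so it re-registers its SRV records.
    # "&&" stops the chain if "net stop" fails, so a half-restarted Netlogon is not left behind.
    $cmd  = 'cmd.exe /c ipconfig /flushdns && ipconfig /registerdns && net stop netlogon && net start netlogon'
    $proc = ([wmiclass]"\\$dc\root\cimv2:Win32_Process").Create($cmd)
    '{0}: re-registration launched (rc={1}, pid={2})' -f $dc, $proc.ReturnValue, $proc.ProcessId
}
```

A return code of 0 from SetDNSServerSearchOrder means the list was applied; anything else is a WMI error code worth checking before moving on. After the Netlogon restart, the SRV records for each DC should reappear under _msdcs, _sites, _tcp and _udp in the zone.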
ASKER
Ok, done that. All 3 DCs were listed in the Name Servers tab on the zone.
Run "dcdiag /test:dns /v > dnsdiag.txt".
Please attach the file.
ASKER
Here you go dnsdiag.txt
DNS looking good on Winserver8.
Run and attach:
dcdiag /v /e /c /f:dcdiag.txt
ASKER
On Winserver8 you should check the _msdcs DNS zone for inactive/orphaned CNAME registrations. Delete incorrect registrations.
You'll find each DC's GUID by running e.g. "repadmin /showrepl" on each DC.
e.g.
SITE\DC-name
DC object GUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
On Winserver11 it looks like the RPC service is not running in shared mode.
Run this on Winserver11: sc config rpcss type=share
Run a new "dcdiag /v /e /f:dcdiag2.txt" (skip the /c)
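The CNAME check above, done against the directory instead of by eye: every live DC has an NTDS Settings object whose objectGUID is the DSA GUID that repadmin prints, and the _msdcs zone must contain exactly one CNAME per such GUID, pointing at a name that has an A record. This is an added example, not the expert's or the thread's code; it assumes the domain name and DNS server from the thread and a domain admin session on a forest-joined machine.

```powershell
# Added example (not from the thread): cross-check the GUID CNAME records in _msdcs.<domain>
# against the DCs that still exist in Active Directory, so orphaned records (e.g. a DC that was
# metadata-cleaned) and missing records stand out. Assumptions, labelled: domain name and DNS
# server come from the thread; run as a domain admin on a machine joined to the forest.
param(
    [string]$Domain    = 'Diplomat.local',
    [string]$DnsServer = 'WINSERVER8'
)

# 1. Every live DC has an nTDSDSA ("NTDS Settings") object; its objectGUID is the DSA GUID that
#    "repadmin /showrepl" prints and that the _msdcs CNAME must be named after.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$configNc")
$searcher.Filter = '(objectClass=nTDSDSA)'
[void]$searcher.PropertiesToLoad.Add('objectGUID')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$liveDsa = @{}   # DSA GUID (lowercase string) -> DC name
foreach ($r in $searcher.FindAll()) {
    $guid   = ([guid]$r.Properties['objectguid'][0]).ToString().ToLower()
    # NTDS Settings sits under CN=<server>,CN=Servers,CN=<site>,... so the second RDN is the DC name.
    $server = (($r.Properties['distinguishedname'][0] -split ',')[1]) -replace '^CN=', ''
    $liveDsa[$guid] = $server
}

# 2. Read CNAME and A records through the DNS server's WMI provider (root\MicrosoftDNS).
$ns     = 'root\MicrosoftDNS'
$cnames = Get-WmiObject -ComputerName $DnsServer -Namespace $ns -Class MicrosoftDNS_CNAMEType |
          Where-Object { $_.OwnerName -like "*._msdcs.$Domain" }
$aNames = Get-WmiObject -ComputerName $DnsServer -Namespace $ns -Class MicrosoftDNS_AType |
          ForEach-Object { $_.OwnerName.ToLower() }

$guidPattern = '^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\._msdcs\.' +
               [regex]::Escape($Domain) + '$'
$seen = @{}
foreach ($rec in $cnames) {
    if ($rec.OwnerName -notmatch $guidPattern) { continue }   # gc._msdcs etc. are not DSA CNAMEs
    $guid   = $matches[1].ToLower()
    $seen[$guid] = $true
    $target = $rec.PrimaryName.TrimEnd('.').ToLower()
    if (-not $liveDsa.ContainsKey($guid)) {
        'STALE    {0} -> {1}: no DC in AD owns this DSA GUID (candidate for deletion)' -f $rec.OwnerName, $target
    } elseif ($aNames -notcontains $target) {
        'NO A REC {0} -> {1}: CNAME points at a name with no A record' -f $rec.OwnerName, $target
    } else {
        'OK       {0} -> {1} (DC {2})' -f $rec.OwnerName, $target, $liveDsa[$guid]
    }
}
# 3. The reverse direction: a live DC with no CNAME cannot be reached for replication by GUID.
foreach ($guid in $liveDsa.Keys) {
    if (-not $seen.ContainsKey($guid)) {
        'MISSING  {0}._msdcs.{1}: DC {2} has no CNAME (re-register DNS and restart Netlogon there)' -f $guid, $Domain, $liveDsa[$guid]
    }
}
```

A DC that was removed with metadata cleanup no longer has an NTDS Settings object, so any CNAME still carrying its GUID shows as STALE; that is the record to delete. The "NO A REC" case is the one dcdiag's Advertising/KccEvent tests complain about when a CNAME survives but its target host record is gone.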
ASKER
Not having any luck running sc config rpcss type=share on Winserver11.
I get this:
DESCRIPTION:
Modifies a service entry in the registry and Service Database.
USAGE:
sc <server> config [service name] <option1> <option2>...
OPTIONS:
NOTE: The option name includes the equal sign.
type= <own|share|interact|kernel|filesys|rec|adapt>
start= <boot|system|auto|demand|disabled>
error= <normal|severe|critical|ignore>
binPath= <BinaryPathName>
group= <LoadOrderGroup>
tag= <yes|no>
depend= <Dependencies(separated by / (forward slash))>
obj= <AccountName|ObjectName>
DisplayName= <display name>
password= <password>
ASKER CERTIFIED SOLUTION
ASKER
That worked. Here is dcdiag2.txt:
dcdiag2.txt
You need to start the NTFRS service on Winserver11.
You are still having the issue that Winserver11 is returned when trying to reach Winserver13. This can be a pain when using multihomed domain controllers (which you should avoid). Did you verify that you don't have any outdated A records (for the DCs) and CNAMEs?
ASKER
Winserver11 is having problems. I rebooted it today as suggested in the dcdiag text, but I'm now having problems connecting Outlook and logging on to machines. I get the error when trying to replicate. I have also noticed that there is no DNS information in the forward lookup zones on Winserver11.
The CNAMEs seem to be ok:
Can you take a screenshot of the _msdcs subdomain located under the forward lookup zone Diplomat.local?
It looks like it has been delegated.
ASKER
Running dcdiag on each machine (dcdiag /v /e /f:dcdiag2.txt):
Winserver11:
DCDiag1-11.txt
Winserver13:
DCDiag1-13.txt
Winserver8:
DCDiag1-8.txt
SOLUTION
ASKER
All DCs are at the same site.
WINSERVER11's time is not in sync with the others; it has been out by about 1 hour since it was rebooted yesterday.
ASKER
Also, WINSERVER11 is not showing anything for the forwarders in DNS; it's all empty, so I won't be able to delete anything from there.
How do I set the order of the bindings? Winserver8 uses 2 NICs.
If Winserver11 is more than 5 minutes out of sync with the others, it will not replicate (Kerberos auth. will fail). AD-integrated DNS is in the application NC and will be affected by this.
Winserver11 should sync its time with the PDC holder.
Here's how I like to set up the domain time: http://adfordummiez.com/?p=67
Binding order: http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/
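The 5-minute Kerberos tolerance mentioned above, turned into a check: "w32tm /monitor" reports each DC's clock offset from the PDC emulator, and anything beyond 300 seconds is the replication-breaking case. This is an added example, not the expert's or the thread's code; it assumes the DC names from the thread, that w32tm.exe can reach each DC on UDP 123, and that "/monitor" prints the "NTP: +0.0000000s offset from <pdc>" line format the regex below expects.

```powershell
# Added example (not from the thread): measure every DC's clock offset from the PDC emulator and
# flag anything outside Kerberos's default 5-minute tolerance. Assumptions, labelled: DC names from
# the thread; UDP 123 reachable; the "/monitor" output format matched by the regexes below.
$DomainControllers = 'WINSERVER8', 'WINSERVER11', 'WINSERVER13'
$MaxSkewSeconds    = 300

function Get-DcTimeOffsets {
    param([string[]]$Computers)
    # /monitor compares each listed host with the domain's PDC emulator and prints one block per host:
    #   winserver11.diplomat.local[10.0.254.11:123]:
    #       ICMP: 0ms delay
    #       NTP: +3601.2345678s offset from winserver8.diplomat.local
    $lines   = & w32tm /monitor /computers:($Computers -join ',') /nowarn 2>&1
    $results = @()
    $current = $null
    foreach ($line in $lines) {
        # Host header: name, optional "*** PDC ***" tag, then [ip:port]:
        if ($line -match '^(\S+).*\[[^\]]+:\d+\]:\s*$') { $current = $matches[1]; continue }
        if (-not $current) { continue }
        if ($line -match 'NTP:\s*([+-]\d+\.\d+)s offset from') {
            $offset   = [double]$matches[1]
            $results += New-Object PSObject -Property @{
                Computer      = $current
                OffsetSeconds = $offset
                KerberosOk    = ([math]::Abs($offset) -le $MaxSkewSeconds)
            }
        } elseif ($line -match 'NTP:\s*error') {
            # No NTP answer at all: the DC is down, blocked, or the time service is stopped.
            $results += New-Object PSObject -Property @{ Computer = $current; OffsetSeconds = $null; KerberosOk = $false }
        }
    }
    return $results
}

function Repair-DcTimeSource {
    # Point a non-PDC DC at the domain hierarchy (the expert's "sync with the PDC holder") and resync.
    param([string]$Computer)
    & w32tm /config /computer:$Computer /syncfromflags:domhier /update
    & w32tm /resync /computer:$Computer /nowait
}

Get-DcTimeOffsets -Computers $DomainControllers |
    Format-Table Computer, OffsetSeconds, KerberosOk -AutoSize
# To act on the result for every DC that is out of tolerance:
# Get-DcTimeOffsets $DomainControllers | Where-Object { -not $_.KerberosOk } |
#     ForEach-Object { Repair-DcTimeSource $_.Computer }
```

The PDC emulator itself always shows a zero offset in this output because it is the reference; Repair-DcTimeSource should only ever be pointed at the other DCs, since the PDC needs an external source rather than the domain hierarchy.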
ASKER
Have you tried to demote winserver11 and the process failed?
Is the winserver11 in use anymore? If you want to remove it you have to run a force removal + MD cleanup if there are any traces.
ASKER
I tried to remove winserver11 yesterday and it failed. I would like to remove it as a DC, but it looks like it's lost its way.
Can't log on to 11 or 13 now.
So #11 has no role in your domain?
Who holds the FSMOs? "netdom query fsmo"
Transfer or seize any FSMO roles from #11.
If you tried to demote it but it failed, you have to run "dcpromo /forceremoval" on #11, and run a metadata cleanup from a working DC. http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Are 8 and 13 Global Catalogs? cmd > "dsquery server -isgc"
If they are not GCs, promote them to GCs.
All DCs use #8 as primary DNS. Correct? Are your clients also using this as primary (DHCP scopes)?
Where is your Exchange located?
Is this a 2003 Exchange? -> Yes -> Verify that the Recipient Update Service is pointing to the correct DC.
http://www.msexchange.org/tutorials/MF017.html
ASKER
Typing netdom query on any of the 3 servers results in the same:
"The specified domain either does not exist or could not be contacted"
If I run "dcpromo /forceremoval" on #11 it warns that it is a GC.
I went through the metadata cleanup and that showed no trace of #11.
But when you run "dsquery server -isgc" it shows that only Winserver13 is the GC.
Exchange (2010) is on #8; #11 used to be Exchange 2003 until we got the new machine #8.
Not sure what to do now.
ASKER
Strangely, I just ran "netdom query fsmo" on #8 and got a result back (I didn't the first time):
C:\Users\Administrator.DIPLOMAT0>netdom query fsmo
Schema master WINSERVER8.Diplomat.local
Domain naming master WINSERVER8.Diplomat.local
PDC WINSERVER8.Diplomat.local
RID pool manager WINSERVER8.Diplomat.local
Infrastructure master WINSERVER8.Diplomat.local
The command completed successfully.
ASKER
Could the problem be that #11 used to be GC but #13 has not/never updated as GC which is why we can't logon?
C:\>dsquery server -isgc
"CN=WINSERVER13,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local"
If you don't have a GC, users can login.
Try to promote #8 to a GC.
I went through the MD cleanup and that showed no trace of #11
Then it's removed from the domain. You just have to make sure that clients don't use this ex DC as a DNS/WINS.
ASKER
#8 has promoted ok.
"CN=WINSERVER13,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local"
"CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Diplomat,DC=local"
So how do I make sure that nothing else tries to use #11 as the GC?
I can't log on to the Exchange console on #8: "specified name is not a forest, ADDC,...."
I can't RDP on to #13 or #11: "Specified domain does not exist..."
I can't get any emails in Outlook or OWA.
It should all be working but it just isn't.
ASKER
Run a "dcdiag /e /v /f:dcdiag4.txt" on server 8
ASKER
Results of "dcdiag /e /v /f:dcdiag4.txt"
dcdiag4.txt
Is the firewall enabled on the 2008 server?
From a previous screen shot of the _msdcs domain:
bcd2bca9-7429-4998-9508-ec7ff154a2c4._msdcs.Diplomat.local = winserver11
Starting test: KccEvent
* The KCC Event log test
An error event occurred. EventID: 0xC0000583
Time Generated: 12/06/2010 11:32:42
Event String:
Active Directory Domain Services failed to
construct a mutual authentication service
principal name (SPN) for the following directory
service.
Directory service:
bcd2bca9-7429-4998-9508-ec7ff154a2c4._msdcs.Diplomat.local
Make sure that the two CNAME records in _msdcs are correct and that the corresponding A records are also correct.
Also run this on #13:
sc config rpcss type= share
(remember space after =)
Is the time between 8 and 13 in sync?
#13 is logging FRS 13565. Have you tried to set the Burflags to D2?
ASKER
Disable the network on 11 or turn it off. Delete the CNAME and other records belonging to 11 (look through the _msdcs tree).
No need to delete the zone.
ASKER
I have deleted the references to #11 in the _msdcs tree. There are still references to #11 in _sites, _tcp, _udp, DomainDnsZones and ForestDnsZones; should I remove these as well?
Yes. All traces in DNS must be deleted
ASKER
I have removed all traces in DNS on #8 and #13. Still no Outlook connectivity, and still cannot RDP onto #13. What is the next step?
You didn't answer these:
Also run this on #13:
sc config rpcss type= share
(remember space after =)
Is the time between 8 and 13 in sync?
#13 is logging FRS 13565. Have you tried to set the Burflags to D2?
ASKER
Ok, I have run sc config rpcss type= share and
I have set the Burflags to 2 on #13 and restarted the ntfrs service.
#8 and #13 are displaying the same time.
What next?
I didn't mean you should set the Burflags to D2. The dcdiag log indicated that you had done that, so I just asked you :)
If you're going to set the Burflags to D2, #8 needs to share its SYSVOL and be authoritative. When you have DNS/advertising issues you should not set the Burflags.
If you do so, #13 will dump its SYSVOL content to the Pre_Existing folder and wait for new content from an upstream partner. It will not find an upstream partner if #8 isn't advertising correctly.
Run a new dcdiag and also include a dnslint report.
dnslint /ad /s 10.0.254.8 /v
ASKER
dcdiag5.txt
I can't run dnslint: 'not recognised....'
Sorry about the Burflags; should I put them back, or is it too late? #13 had them set to 0.
This depth of AD is beyond me. I only hope with your help I can fix it; the boss is getting worried it could be game over.
Get dnslint here: http://support.microsoft.com/kb/321045
The flag will return to 0 once the ntfrs service is started. Is #8 sharing its SYSVOL with content?
I think we'll get your domain back in shape, but it might take some time as this is an "offline" forum. If you're in a hurry you could always contact MS Support.
Please run the dnslint and attach the report. I'll check the dcdiag in a couple of hours. Dinner time.
ASKER
Thanks for sticking with me.
dnslint.htm
I'm not sure #8 or #13 are sharing SYSVOL. I ran a 'net share' on #8 and got these shares:
ADMIN$; C$; D$; IPC$; Address; ExchangeOAB; GroupMetrics
It looks like you set the Burflags to D4 on #8?
Is #13 sharing its SYSVOL?
ASKER
I didn't change the Burflags on #8, they are still set to 0. Should I change them to D4?
NET share on #13 shows ADMIN$; C$; IPC$;
No netlogon or sysvol shares on #13 or #8
Do not change the flag yet.
Do you have any content of %Windows%Sysvol\Sysvol\Domain Name\NTFRS_Preexisting folder on any DC?
Or, do you have a backup of your SYSVOL? (ie. a system state)
ASKER
I have a copy of SYSVOL from Winserver11, a backup system state (22/11/2010), or I could get the current one from Winserver11, but that won't be until tomorrow as I disabled the NIC.
Btw. Do you use DFS?
If yes, you should not set the global Burflags.
ASKER
Not sure if I use DFS, how can I tell?
Also, before I proceed, do I need to do anything with the SYSVOL files from the Winserver11 backup, or does that come later?
Verify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID
If you only have one GUID, then that's the SYSVOL replica, and you are not using DFS.
Keep the backup files as backup. If you have many custom made GPOs and scripts, we'll need to get them from #11 or a system state backup.
You set the Burflags here if you don't have DFS:
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
ASKER
Complete up to point 4, then I get Event ID 13566:
File Replication Service is scanning the data in the system volume. Computer WINSERVER8 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
To check for the SYSVOL share, at the command prompt, type:
net share
When File Replication Service completes the scanning process, the SYSVOL share will appear.
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.
Please download frsdiag: http://www.microsoft.com/downloads/en/details.aspx?FamilyId=43CB658E-8553-4DE7-811A-562563EB5EBF&displaylang=en
Run a frsdiag and attach the two connstat files created.
ASKER
No joy with the above so have attached frsdiag files (there are quite a few)
ntfrs-sysvol.zip
ASKER
It's been a long day, I'll check back in the morning, thanks for your help today.
ASKER
No Joy, still no SYSVOL share, and EventID 13566 still present in logs
What does the folder structure look like under: %Windows%Sysvol\
Also verify that the "SysVol" key is present under:
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\
ASKER
#11 has both the Default Domain Policy and Default Domain Controller Policy. #8 doesn't have those.
Take a copy of #11's SYSVOL and place the copy on the same partition.
Try to make #11 authoritative:
Stop ntfrs on both servers.
Burflags = D4 on #11
Burflags = D2 on #8
Start ntfrs on #11.
Check if Event IDs 13553 and 13516 are logged on #11
ASKER
Do you mean put a copy of the #11 SYSVOL onto #8, replacing what is already on #8?
No, just a "backup" of #11's sysvol content. (do not copy the content between the DC's)
ASKER
So just to be clear...
I will take the backup copy of #11 SYSVOL and replace the SYSVOL in #11 then
Try to make #11 authoritative:
Stop ntfrs on both servers.
Burflags = D4 on #11
Burflags = D2 on #8
Start ntfrs on #11.
Check if Event ID 13553 and 13516 is logged on #11
Do not replace any SYSVOL on #11. I just want you to take a copy of it before you set the burflags.
The D4 flag should not touch the content (as D2 will), but to be on the safe side...
ASKER
Got event ID 13565 on #11
Event 13565 indicates that the Burflags is set to D2.
Event 13566 indicates that the Burflags is set to D4.
In post http:#34283696 you attached a dcdiag, before we even started to talk about the Burflags:
A warning event occurred. EventID: 0x800034FE
Time Generated: 12/06/2010 08:56:00
EventID: 0x800034FE = 13566
Did you set the flag before we took it up?
Can you try to restart #11, stop the ntfrs, set the burflags to D4.
Make sure ntfrs is not running on #8 during this.
ASKER
All Burflags were set to 0 before I changed #13 to 2 in post http:#34283262. I have only NOW just changed the Burflags on #11 and #8. Both #8 and #13 have Burflags set at 2 and both have ntfrs STOPPED.
I will now restart #11
I assume you mean "D2" (hex), not "2"?
ASKER
Ooooh, I'd been putting 2 as in decimal, not "D2" hexadecimal. Are those values ignored? Shall I repeat the exercise on #11/#8 using the hex "D4" and "D2":
Stop ntfrs on both servers.
Burflags = D4 on #11
Burflags = D2 on #8
Start ntfrs on #11.
ASKER
hehe.. Yes, if you haven't done it already, set the burflags to:
stop ntfrs on both
"D4" on #11
"D2" on #8
start ntfrs on #11. Check if the events are present.
If they are, start ntfrs on #8. Check FRS events.
#13 is out of the replica set, so you shouldn't do anything on this.
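As an added example (not code from this thread or from either participant), here is a small Python helper that encodes the checks being argued over above: whether a Burflags value is really hex D2/D4 rather than the decimal 2 typed into regedit, how to read the 0x8000xxxx event codes dcdiag prints, and which FRS events to expect after the flag is set. The meanings of 13553/13554/13516 and the severity bits of the event code are standard FRS and dcdiag behaviour rather than something stated in the thread; the sample lines at the bottom are constructed.

```python
"""Interpret FRS (ntfrs) restore state from the artifacts seen in this thread.

Added example. It encodes three things people get wrong when following a
Burflags procedure:
  1. Burflags must be hex D2 or D4 (decimal 210 / 212); typing "2" with
     regedit's Decimal radio button selected stores 2, which FRS ignores;
  2. dcdiag prints event IDs as 32-bit codes such as 0x800034FE; the low
     16 bits are the Event Viewer ID (13566), the top two bits the severity;
  3. which FRS events follow which flag (13565 for D2, 13566 for D4, then
     13553/13554/13516 once the replica set is rebuilt and SYSVOL is shared).
"""
import re

BURFLAGS_NONAUTH = 0xD2   # non-authoritative restore: pull SYSVOL from a partner
BURFLAGS_AUTH = 0xD4      # authoritative restore: this DC's SYSVOL wins

# FRS event IDs quoted in the thread and what they signal.
FRS_EVENTS = {
    13565: "D2 restore in progress: initializing SYSVOL from another DC",
    13566: "D4 restore in progress: scanning the local SYSVOL",
    13553: "this computer was added to the replica set",
    13554: "connections to replication partners were established",
    13516: "FRS no longer blocks DC advertisement; SYSVOL should be shared",
}

# Top two bits of an NT event code: 0 success, 1 informational, 2 warning, 3 error.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

DCDIAG_EVENT_RE = re.compile(r"EventID:\s*0x([0-9A-Fa-f]{1,8})")


def classify_burflags(value):
    """Describe a Burflags DWORD the way FRS will read it when ntfrs starts."""
    if value == 0:
        return "0: no restore pending (FRS resets the flag to 0 after acting on it)"
    if value == BURFLAGS_NONAUTH:
        return ("D2: non-authoritative restore; local SYSVOL is moved to "
                "NtFrs_PreExisting___See_EventLog and re-pulled from an upstream partner")
    if value == BURFLAGS_AUTH:
        return "D4: authoritative restore; this DC's SYSVOL becomes the master copy"
    if value in (2, 4):
        # The mix-up from the thread: decimal 2 instead of hex D2.
        return (f"invalid {value}: decimal {value} was typed instead of hex D{value} "
                f"(decimal {0xD0 + value}); FRS will ignore it")
    return f"invalid {value:#x}: not a Burflags value FRS recognises"


def decode_dcdiag_event(line):
    """Parse an 'EventID: 0x800034FE' dcdiag line into (id, severity, meaning).

    Returns None when the line carries no event code.
    """
    m = DCDIAG_EVENT_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    event_id = code & 0xFFFF            # 0x800034FE -> 0x34FE -> 13566
    severity = SEVERITY[(code >> 30) & 0x3]
    return event_id, severity, FRS_EVENTS.get(event_id, "not an FRS event listed here")


def restore_outcome(burflags_value, event_ids):
    """Compare the flag that was set with the FRS events logged after ntfrs restarted."""
    seen = set(event_ids)
    if burflags_value not in (BURFLAGS_NONAUTH, BURFLAGS_AUTH):
        return "no restore will start: " + classify_burflags(burflags_value)
    expected = 13566 if burflags_value == BURFLAGS_AUTH else 13565
    other = 13565 if expected == 13566 else 13566
    if other in seen and expected not in seen:
        return (f"mismatch: {other} logged, which belongs to Burflags "
                f"{'D2' if other == 13565 else 'D4'}; check which DC the flag was set on")
    if 13516 in seen:
        return "complete: 13516 logged, SYSVOL should now appear in 'net share'"
    if expected in seen:
        return f"in progress: {expected} logged, FRS is still initializing SYSVOL"
    return "no FRS restore events yet; confirm ntfrs was stopped before the flag was set"


if __name__ == "__main__":
    # Constructed sample lines in dcdiag's format, not a real log.
    sample_dcdiag = [
        "A warning event occurred. EventID: 0x800034FE",
        "An error event occurred. EventID: 0xC00034FD",
        "Time Generated: 12/06/2010 08:56:00",
    ]
    for line in sample_dcdiag:
        print(line, "->", decode_dcdiag_event(line))
    for flag in (0, 2, 0xD2, 0xD4):
        print(f"Burflags={flag:#x}: {classify_burflags(flag)}")
    print(restore_outcome(0xD4, [13553, 13554, 13516]))   # what #8 eventually logged
    print(restore_outcome(0xD4, [13565]))                 # what #11 kept logging
```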
ASKER
Same as before, got event ID 13565 on #11, bummer!
What about if I use the backup SYSVOL I have from 22/11/2010 on #11?
It has no purpose to use the backup as long as you can make an authoritative restore of the sysvol replica set.
Try to set the burflags on the cumulative replica set on #11:
Stop ntfrs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID
Key = Burflags
Value (hex) = D4
start ntfrs.
ASKER
Burflags already set at (hex)=d4
number of partners =0
Is the Global Burflags = 0 and the replica specific burflags = D4?
Is the "number of partners" = 0 on both #8 and #11?
ASKER
I have attached the reg hive from #11 and #8 for ntfrs for you to look at. I can't see a global setting for #11 but #8 has 2 partners.
ntfrs-11.txt
ntfrs-8.txt
ASKER
Yes
Event ID: 13553, 13554, 13516
Replication has started on #8 shall i run a dcdiag?
SYSVOL showing as shared
That's good. Does the SYSVOL hold any Policies?
Set the flag (if not already set) to D2 on #11. Start ntfrs and check the event log.
ASKER
Do i need to turn on ntfrs on #11 and #13 now?
I can now RDP to #13 and #11 but Outlook is still not connecting.
#13 is not a domain controller anymore. It might see itself as one, but he's off the domain.
ASKER
All SYSVOL folders on #8 are empty
ASKER
#11 was the one that failed removal on the domain
Start ntfrs on #11 if you have set it to D2
ohh.. long post so it's easy to mix it up.
Do it on #13 :)
ASKER
Event ID 13565 on #11 when starting ntfrs
ASKER
Same on #13: Event ID 13565 on #11 when starting ntfrs
File Replication Service is initializing the system volume with data from another domain controller. Computer WINSERVER13 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
To check for the SYSVOL share, at the command prompt, type:
net share
When File Replication Service completes the initialization process, the SYSVOL share will appear.
Is netlogon shared on #8?
ASKER
Do you think we need the contents of #11 SYSVOL as it is the only one with anything in.
Also, should I take #11 back off the LAN as it is appearing back in the DNS records?
I guess you have #11 as a name server (name server tab on the domain zone). Remove it from the tab. Also remove records it has created.
You need two policies to be able to authenticate. The Default Domain Policy (GUID=E31xxxxx-) and the Default Domain Controller Policy (GUID = 6Axxxxxxxx-).
If you have not modified these you can create them all over with a tool called DCGPOFIX. (You have to run setup /domainprep on the Exchange server when you do this.)
Or you can restore them from a backup. If you have the GPMC on #11 you can run a backup directly, copy them over and restore them on #8.
*Default domain policy = GUID starts with 31B2F340-xxxxxxx
I'll be offline most of the evening, but I'll check back with you.
If you decide to create those two policies from scratch, here is a thread about it:
https://www.experts-exchange.com/questions/24403319/Default-Domain-Policy.html
You've got to be sure that both SYSVOL and NETLOGON are shared on #8.
ASKER
That sounds Heavy, can you break it down a bit.
The GUIDs are these, the folders under \SYSVOL\Domain\Policies:
6AC1xxxx
8FACExxx
31B2F3xxx
as shown in post 34291280
I have not modified any policies, they are 'out of the box'. Where do I get DCGPOFIX, or will it be easier to do the second option?
I can see the domain object in GPEDIT on #11 but don't know how to proceed.
If you have not made any changes to the default policies since the domain was created, it's easier to use dcgpofix.
First run cmd > net view on #8
If only SYSVOL shows up and not the NETLOGON share, follow this KB:
http://support.microsoft.com/kb/947022/en-us
ASKER
Will it be safe to run dcgpofix on #8 which is also an Exchange 2010 server?
ASKER
I can't get the NETLOGON share using the above procedure. I have noticed this Event ID: 5706
The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\Diplomat.local\SCRIPTS. The following error occurred:
The system cannot find the file specified.
And also Event ID: 1058
The processing of Group Policy failed. Windows attempted to read the file \\Diplomat.local\SysVol\Diplomat.local\Policies\{de3b4a4c-6ef8-475b-af25-2af764b7aefd}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
You'll get GPO errors. Don't bother them at the moment.
Stop both ntfrs and netlogon service on #8. Start them up again. Check if NETLOGON is shared.
ntfrs needs to be started first
Regarding the dcgpofix tool, you can run it but it will set the default permissions on the default GPOs.
"setup /prepareAD" from the Exchange media should fix it up.
http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/be31c490-0784-498b-8a60-e5332170ea76/
ASKER
stopped both ntfrs and netlogon, restarted ntfrs first, but still no netlogon share
Event ID 5705
Regarding the 5705 error, there was not much info out there.
Found this for NT and 2000: http://support.microsoft.com/kb/173882 (see the workaround for 2000)
This one says the same for 2003: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=5705&EvtSrc=NetLogon&LCID=1033
ASKER
Sorry my bad, it was event ID 5706
ASKER
Still getting 5706
The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\Diplomat.local\SCRIPTS. The following error occurred:
The system cannot find the file specified.
I have also run the latest DCDIAG from #8
dcdiag6.txt
What is the value of:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
SysvolReady:
Sysvol:
DBflag (is it present?):
If DBflag is not present, stop netlogon, create it (Reg_sz, value = 0)
You have configured your forwarders wrong (this will only affect non-local DNS queries):
10.0.254.11 (WINSERVER11) [Valid]
10.0.254.240 (<name unavailable>) [Valid]
Open the DNS console, right click #8 -> Properties -> Forwarders tab.
You should either use root hints or your ISP DNS as forwarders.
Dcdiag looking better. You will have some errors due to Netlogon not being shared.
ASKER
I have removed the entries for the forwarders just leaving the root hints is that correct?
dcdiag7.txt
SysvolReady: = 1
Sysvol: = c:|windows\SYSVOL\sysvol
DBflag = 0
netlogon.txt
Sysvol: = c:|windows\SYSVOL\sysvol
Is there a | (pipe) after C:?
Should be c:\windows\SYSVOL\sysvol
ASKER
Sorry, that's my poor typing. I attached the reg hive for that and as you will see those bits are OK.
Have you started the ntfrs on #13 with the Burflags = D2?
Can you post a screenshot of your SYSVOL tree on #8 like you did earlier?
ASKER
ASKER
Netlogon now shared:
Share name    Resource                                         Remark
--------------------------------------------------------------------------------------
ADMIN$        C:\Windows                                       Remote Admin
C$            C:\                                              Default share
D$            D:\                                              Default share
IPC$                                                           Remote IPC
Address       D:\Exchange2010\Mailbox\addr...                  "Access to address objects"
Download      D:\Download
ExchangeOAB   D:\Exchange2010\ExchangeOAB                      OAB Distribution share
GroupMetrics  D:\Exchange2010\GroupMetrics                     MailTips group metrics publishing
NETLOGON      C:\Windows\SYSVOL\sysvol\Diplomat.local\SCRIPTS  Logon server share
SYSVOL        C:\Windows\SYSVOL\sysvol                         Logon server share
All starting to look good now, Outlook still won't connect, keeps asking for password
ASKER
Winserver11 is still appearing in the DNS on #8.
I guess I should remove all the records of #11 from DNS on #8.
Should I stop/remove DNS from #11?
ASKER
Burflags on #13 now at 0
ASKER
Will I need to stop ntfrs on #8 and #13, then remove the #11 DNS records from both machines?
No you don't need to stop anything. It's #11 who will register its own records.
ASKER
I restarted netlogon on #13 and now it is sharing netlogon and sysvol.
I'm going to disconnect #11 and remove the #11 records from #8 and #13.
Will I be able to use #11 at some point in the future or should I re-build it?
ASKER
Looks like Group Policy is looking for a different GUID {de3b4a4c-6ef8-475b-af25-2af764b7aefd}. I know you said not to worry about that at the moment but thought you should know.
The processing of Group Policy failed. Windows attempted to read the file \\Diplomat.local\SysVol\Diplomat.local\Policies\{de3b4a4c-6ef8-475b-af25-2af764b7aefd}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
ASKER
dcdiag8.txt
Regarding #11, you need to remove AD from it with "dcpromo /forceremoval".
This will uninstall AD from it and it will be placed in a workgroup. I would reinstall it with a new name and IP if I was to decide.
{de3b4a4c-6ef8-475b-af25-2af764b7aefd} is a custom made GPO. You can copy it from #11 and place it like you did with the other two GPOs.
Another option is to remove it (with use of GPMC).
How are your clients reacting with Outlook? Make sure the clients don't use #11 as DNS.
When you have copied or removed the {de3b4a4c-6ef8-475b-af25-2af764b7aefd} policy, run a new dcdiag.
Just remember not to copy it to both #8 and #13. If you do that it will morph.
Just copy it to #8 and FRS will replicate it over to #13
ASKER
The thing is I can't find a folder with GUID {de3b4a4c-6ef8-475b-af25-2af764b7aefd} on any of the servers?? Could I use a copy of another GUID folder and rename it to this GUID?
So how do I remove the policy? How do you use GPMC? Where can I find it?
Outlook still not connecting, all clients using 10.0.254.8 as primary and 8.8.8.8 as secondary DNS.
Domain clients should never use any public DNS (like Google DNS), only internal DNS. That's why you use forwarders on your internal DNS.
Open gpmc.msc from #8.
Under "Group Policy Objects" all GPOs are stored (with friendly names, not GUIDs).
Click on the GPO and in the right pane it tells where it's linked. Right click and untick "link enabled".
You can rename another folder to match the GUID. I don't know what this GPO does, but if you want it back, you can restore it from the system state you had.
TYPO: You CAN NOT rename
ASKER
Have set Client DNS to #8 and #13
Looking in GPMC at the Group Policy Objects there are 3 but none have the GUID {de3b4a4c-6ef8-475b-af25-2af764b7aefd}.
There are these:
Default Domain Controller Policy {6AC178...... and
Default Domain Policy {31B2F3.... and
New Group Policy Object {8FACE7... This errors with "can't find file" when you click on it.
Check GPMC on #13 if you see the missing GPO there.
ASKER
GPMC won't run on #13 can't find the MSC for it either (2003 Server)
You need to download and install GPMC for 2003.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887
ASKER
That shows the same policies as on #8.
Looking at the folders on #11 I don't see that GUID either??
How do we get over this, is this what is stopping Outlook from connecting?
On #8:
open adsiedit.msc
Look for the presence under the domain partition of the CN = GUID
CN=Policies,CN=System,DC=diplomat,DC=local
this has nothing to do with the Outlook.. but I would make the dcdiag clean before troubleshooting that issue.
hmm.. where is this GUID coming from..
Open regedit on #8 and #13 and look for the GUID under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
ASKER
Not there either, I even looked on the disabled #11, no trace of this GUID de3b4a4c-6ef8-475b-af25-2af764b7aefd
Open AD Users & Computers -> View -> Tick Advanced features
Look in the System container -> Policies. (This should be the same as in adsiedit, but check for sure.)
If there are no traces, open cmd and run:
dfsutil /PurgeMUPCache
Run a new dcdiag.
clear system log before running dcdiag
ASKER
The GUID is not showing in System container -> Polices but i don't have dfsutil on #8 can i run it from #13?
Forget about the dfsutil.
Clear the system log on #8 and #13 and run a dcdiag from #8:
dcdiag /e /v /f:dcdiag9.txt
ASKER
Looking a bit deeper into the event log, it looks like the policy it is looking for is to do with GUID 8FACE762-70DE-434B-BB90-ABC3A718B9B9, has it got confused??
The folder is called 8FACE762-70DE-434B-BB90-ABC3A718B9B9, this is the policy folder 'New Group Policy', see post 34300585 above. I have copied the GUID folder over but am still getting the GPO errors:
ErrorDescription The system cannot find the path specified.
DCName WINSERVER8.Diplomat.local
GPOCNName CN={8FACE762-70DE-434B-BB90-ABC3A718B9B9}, CN=Policies,CN=System,DC=Diplomat,DC=local
FilePath \\Diplomat.local\SysVol\Diplomat.local\Policies\{de3b4a4c-6ef8-475b-af25-2af764b7aefd}\gpt.ini
ASKER
dcdiag9.txt
ASKER
Ok have done that, Outlook still not connecting. do you want another dcdiag?
I don't need a new diag atm.
In your initial post you mentioned that the Outlook clients could not connect. Was this after you moved Exchange over to the new server?
Have the clients ever been able to connect to the mailbox after the move?
Have you verified that the Outlook profile is pointed to the correct mailbox server?
ASKER
The Exchange move happened in September, all was working OK until about this time last week.
What I think happened was #13 rebooted following a Windows update, then things started going crazy, couldn't log on to Outlook all the time.
Then you got involved.
Then at some point I rebooted #11; since that reboot we could not connect to Outlook at all, so this was
when I tried removing #11 from the domain and it failed.
But the event logs are looking much better.... but still no Outlook. Do you think they want to connect to #11 which was the old 2003 Exchange server?
ASKER
When starting the Exchange console I'm getting errors 5, 22.
22:
(Process w3wp.exe, PID 10256) "RBAC authorization is unavailable due to the transient error: An Active Directory error 0x51 occurred when trying to check the suitability of server 'winserver11.Diplomat.local'. Error: 'Active directory response: The LDAP server is unavailable.'"
Notice it is referring to 'winserver11.Diplomat.local'.
Is that my problem? Is it Exchange that is looking for 'winserver11.Diplomat.local'?
Exchange is 100% dependent on AD, DNS and a Global Catalog.
It obviously looks like Exchange is trying to get info from #11, which it can't.
I'm not an Exchange expert, so I advise you to start a new thread in the Exchange zone.
Something like "Exchange 2010 (or was it 2007?) trying to connect to demoted DC".
Btw, can you run a new dcdiag?
You had 3 domain controllers, so I guess you'll have some users in there. Why do you run Exchange on one of the DCs and not a dedicated Exchange server?
ASKER
#11 was the first DC and the only server, so it also ran Exchange 2003; then we got another machine, #13, to run SQL for an accounts package. Both machines are over 5 years old now, so we invested in a new machine (2008/Exchange 2010) with a view to replacing #11 and #13 in the future.
So when we get the next server in, that will replace #13. In an ideal world we would have Exchange on a separate machine but we don't have that luxury. It's still better to have 2 DCs even if one is an Exchange server, would you agree?
Thank you so much for your help with these problems; it's a shame we can't complete it all the way.
Did Exchange 2003 and Exchange 2010 co-exist in your domain, and have you removed all traces of the 2003?
Exchange should find all DCs and "update that list". In the RUS on Exchange 2003 you could set which GC was preferred. 2010 doesn't use RUS. I'm on thin ice regarding such Exchange questions, so I can't assist you with that issue :(
At least your AD/FRS replication is working, and the DCDIAG is 100% free of errors/warnings.
It's still better to have 2 DCs even if one is an Exchange server, would you agree?
Couldn't agree more! :)
ASKER
The Exchange servers did co-exist for a while whilst I moved over the mailboxes etc. to the new machine. All Exchange services were off on #11 and everything was working OK. I hadn't yet removed Exchange from that machine but would have done so soon.
Thanks again for your assistance I have started a new thread on the Exchange Forum now:
https://www.experts-exchange.com/questions/26667792/Exchange-2010-trying-to-connect-to-demoted-DC.html
ASKER
If I stop ntfrs, netlogon and dns on #11, could I put it back on the network and see if Exchange will work better? Or should I do the dcpromo /forceremoval before I put it back on?
I don't want to do this if it messes up your good work!
The problem with hosting Exchange on a DC is that if you change the server role, Exchange will break.
Demoting a DC is a change in server role.
Your domain (#8 and #13) doesn't see #11 as a DC, but #11 will see itself as a DC. When you have run a metadata cleanup, you should demote #11 as a DC. Since this "DC" is unable to replicate, you have to use the /forceremoval switch to be able to achieve this.
I would not start #11 until you have run a "dcpromo /forceremoval" on it. After this you have to join it to the domain as a member and you can introduce it back in.
I'm not sure how Exchange 2003 will handle it.
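The two things the thread leaves the asker to verify by hand are (a) whether the metadata cleanup really removed every trace of #11 from the domain, so that the surviving DCs and DNS no longer advertise it, and (b) whether Exchange 2010 is still holding on to winserver11 as a domain controller or global catalog (the 0x51 "LDAP server is unavailable" error above). The script below is an added example, not code from the thread or from Microsoft; it only reads from AD, DNS and Exchange and changes nothing. It assumes the names used in the thread (old DC winserver11, domain Diplomat.local) and is written against plain ADSI so it runs on Windows Server 2008 without the ActiveDirectory module. Run it on WINSERVER8 from the Exchange Management Shell as a domain admin, after ntdsutil metadata cleanup and before #11 is put back on the network.

```powershell
# Added example (not from the thread): check whether any trace of a dead DC
# remains in AD, DNS or Exchange's DC list before the box is reconnected.
# Assumed names: old DC winserver11, domain Diplomat.local.
param(
    [string]$OldDc  = 'winserver11',
    [string]$Domain = 'Diplomat.local'
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext
$problems = @()

# Small LDAP search helper returning distinguished names (no AD module needed).
function Find-AdObjects([string]$SearchBase, [string]$Filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

# 1. Server object in the Sites container and its NTDS Settings child. These are
#    what "ntdsutil metadata cleanup" removes; while they exist, the other DCs
#    still treat the box as a replication partner.
$serverDns = @(Find-AdObjects $configNc "(&(objectClass=server)(cn=$OldDc))")
foreach ($dn in $serverDns) {
    $problems += "server object still present: $dn"
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=NTDS Settings,$dn")) {
        $problems += "NTDS Settings still present under $dn (metadata cleanup not finished)"
    }
}

# 2. Computer account still flagged as a DC (userAccountControl bit 8192 =
#    SERVER_TRUST_ACCOUNT). After cleanup it should be gone or be a plain member.
$dcAccounts = @(Find-AdObjects $domainNc "(&(objectClass=computer)(cn=$OldDc)(userAccountControl:1.2.840.113556.1.4.803:=8192))")
foreach ($dn in $dcAccounts) { $problems += "computer account still marked as DC: $dn" }

# 3. Stale SYSVOL replica member object (FRS, which 2003-era domains use);
#    a failed demotion typically leaves this behind.
$frsMembers = @(Find-AdObjects "CN=System,$domainNc" "(&(objectClass=nTFRSMember)(cn=$OldDc))")
foreach ($dn in $frsMembers) { $problems += "FRS member object still present: $dn" }

# 4. DC locator records. Clients and Exchange find DCs and GCs through these
#    SRV records, so one still naming the old DC sends them to a dead server.
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain", "_kerberos._tcp.$Domain") {
    $hits = nslookup -type=SRV $srv 2>$null | Select-String -SimpleMatch $OldDc
    if ($hits) { $problems += "DNS SRV record $srv still points at $OldDc" }
}

# 5. Which DCs Exchange 2010 is using right now. Only available when run from
#    the Exchange Management Shell, where Get-ExchangeServer exists.
if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
    $ex = Get-ExchangeServer -Identity $env:COMPUTERNAME -Status
    foreach ($prop in 'CurrentDomainControllers', 'CurrentGlobalCatalogs', 'CurrentConfigDomainController') {
        if (($ex.$prop | Out-String) -match $OldDc) { $problems += "Exchange $prop still lists $OldDc" }
    }
}

if ($problems.Count -eq 0) {
    "No trace of $OldDc left in AD, DNS or Exchange. Keep it off the network until"
    "'dcpromo /forceremoval' has been run on it, then rejoin it as a member server."
} else {
    "Residue of $OldDc still found:"
    $problems | ForEach-Object { "  - $_" }
    "Finish ntdsutil metadata cleanup and delete the stale DNS records before reconnecting it."
}
```

Check 5 is the one that speaks to the RBAC/0x51 error quoted earlier in the thread: Exchange 2010 discovers DCs and GCs itself and refreshes that list, so once checks 1 through 4 come back clean and the Exchange services (or the server) have been restarted, winserver11 should drop out of those three properties on its own; if it does not, the Exchange-zone thread is the right place to follow up, as the answerer says.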
ASKER
Ok i'll do that, thanks
You certainly deserve those points
ASKER
Really great EXPERT! A tribute to Experts Exchange.