Solved

remove/add DC box on a domain

Posted on 2011-09-13
14
385 Views
Last Modified: 2012-05-12
Hi, I have a 2003 server that is a DC and it is causing quite a few problems...

Originally it was a DNS problem; this was rectified, but I think it's having WINS and other issues that are causing it to have authentication issues.

I have spent around a week looking at errors from nltest and netdiag, but nothing seems to apply.

The server is a print server and does a few other small things, so I don't want to just trash it.


Would it be appropriate to dcpromo it to make it a member server, then dcpromo it again to make it a DC again, with the hope that the new AD stuff will fix any problems it was having before?


Thanks,
Dekkar
Question by:dekkar
14 Comments
 
LVL 57

Expert Comment

by:Mike Kline
Depending on the errors yes that could be an appropriate way to go; but WINS should not affect authentication issues.

Are you seeing replication errors, errors in logs?

repadmin /showrepl ....how long since it has replicated

dcdiag is another good tool

Thanks

Mike
0
 
LVL 11

Author Comment

by:dekkar
Replication is actually working OK... according to repadmin...

The problem is really confusing me..... I'll give you some of the symptoms...

dcdiag gives the error:
Starting test: NetLogons
         * Network Logons Privileges Check
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test NetLogons

Starting test: MachineAccount
         Checking machine account for DC FBRS-DC on DC FBRS-DC.
         Could not open pipe with [FBRS-DC]:failed with 1203: No network provider accepted the given network path.


Netdiag gives:

IpConfig results . . . . . : Passed
            Pinging the Primary WINS server 192.168.10.1 - reachable

        AutoConfiguration results. . . . . . : Passed
            AutoConfiguration is not in use.

        Default gateway test . . . : Passed
            Pinging gateway 192.168.10.254 - reachable
            At least one gateway reachable for this adapter.

        NetBT name test. . . . . . : Passed
            NetBT_Tcpip_{0EFB38FB-D5D9-4742-BC94-735484C25FD9}
            FBRS-DC        <00>  UNIQUE      REGISTERED
            FBRICE         <00>  GROUP       REGISTERED
            FBRICE         <1C>  GROUP       REGISTERED
            FBRS-DC        <20>  UNIQUE      REGISTERED
            FBRICE         <1E>  GROUP       REGISTERED
            FBRICE         <1D>  UNIQUE      REGISTERED
            ..__MSBROWSE__.<01>  GROUP       REGISTERED
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.



DNS test . . . . . . . . . . . . . : Passed
      Interface {0EFB38FB-D5D9-4742-BC94-735484C25FD9}
        DNS Domain: fbrice.net.au
        DNS Servers: 192.168.10.1 192.168.10.240
        IP Address:         Expected registration with PDN (primary DNS domain name):
          Hostname: fbrs-dc.fbrice.net.au.
          Authoritative zone: fbrice.net.au.
          Primary DNS server: fbrs-dc.fbrice.net.au 192.168.10.1
          Authoritative NS:192.168.10.240 192.168.10.1 192.168.30.3 192.168.30.1
Check the DNS registration for DCs entries on DNS server '192.168.10.1'
The Record is different on DNS server '192.168.10.1'.
DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain.
Your DC entry is one of them on DNS server '192.168.10.1', no need to re-register.




I'm getting these event logs:

DNS:
Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4004
Date:            8/09/2011
Time:            8:43:30 AM
User:            N/A
Computer:      FBRS-DC
Description:
The DNS server was unable to complete directory service enumeration of zone 30.168.192.in-addr.arpa.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    


Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4016
Date:            8/09/2011
Time:            8:43:30 AM
User:            N/A
Computer:      FBRS-DC
Description:
The DNS server timed out attempting an Active Directory service operation on DC=30.168.192.in-addr.arpa,cn=MicrosoftDNS,cn=System,DC=fbrice,DC=net,DC=au.  Check Active Directory to see that it is functioning properly. The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 55 00 00 00               U...    


millions of these in security:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            13/09/2011
Time:            4:55:56 PM
User:            NT AUTHORITY\SYSTEM
Computer:      FBRS-DC
Description:
Pre-authentication failed:
       User Name:      DSR
       User ID:            FBRICE\DSR
       Service Name:      krbtgt/FBRICE.NET.AU
       Pre-Authentication Type:      0x0
       Failure Code:      0x19
       Client Address:      192.168.10.229


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.






And finally, clients can access the server's \\fbrs-dc\netlogon folder....


but if I try to browse this from the server itself, I get "No network provider accepted the given network path"


All the problems seem minor, and the server is doing most things OK... I'm just worried that something will happen and it will implode eventually.....



0
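The event 675 flood quoted above can be triaged by failure code before anyone reaches for dcpromo. An added example, not code from the thread: a PowerShell 2.0 script that parses exported "Pre-authentication failed" audits and counts them per client address and Kerberos error code. Failure code 0x19 (KDC_ERR_PREAUTH_REQUIRED) with pre-authentication type 0x0 is the KDC telling a client that sent its first AS-REQ without pre-authentication to retry, so it is expected noise; repeated 0x18 (KDC_ERR_PREAUTH_FAILED, wrong password) from one address is what password guessing looks like. The sample events are constructed (the first is the one quoted in the thread, the second is invented for contrast) and the 10-event threshold is an arbitrary choice.

```powershell
# Added example, not code from the thread: classify Windows Server 2003
# Security event 675 ("Pre-authentication failed") audits by Kerberos
# failure code, so benign 0x19 volume can be separated from password
# guessing. PowerShell 2.0 syntax; the sample events below are constructed.

# Kerberos error codes per RFC 4120 section 7.5.9 (decimal keys).
$KrbErrors = @{
    6  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN - no such user'
    18 = 'KDC_ERR_CLIENT_REVOKED - account disabled, locked out or expired'
    23 = 'KDC_ERR_KEY_EXPIRED - password expired'
    24 = 'KDC_ERR_PREAUTH_FAILED - wrong password'
    25 = 'KDC_ERR_PREAUTH_REQUIRED - first AS-REQ sent without pre-auth, benign'
    37 = 'KRB_AP_ERR_SKEW - clock skew too great'
}

function ConvertFrom-Event675 {
    param([string]$Text)
    # Events are separated by at least one blank line; fields are picked out
    # with regexes so column alignment in the exported text does not matter.
    foreach ($block in ($Text -split '\r?\n[ \t]*\r?\n')) {
        if ($block -notmatch 'Failure Code:\s*0x([0-9A-Fa-f]+)') { continue }
        $code = [Convert]::ToInt32($Matches[1], 16)
        $user = '';  if ($block -match 'User Name:\s*(\S+)')               { $user = $Matches[1] }
        $addr = '';  if ($block -match 'Client Address:\s*(\S+)')          { $addr = $Matches[1] }
        $ptype = ''; if ($block -match 'Pre-Authentication Type:\s*(\S+)') { $ptype = $Matches[1] }
        $meaning = 'unknown'
        if ($KrbErrors.ContainsKey($code)) { $meaning = $KrbErrors[$code] }
        New-Object PSObject -Property @{
            User = $user; Client = $addr; PreauthType = $ptype
            Code = $code; Meaning = $meaning; Benign = ($code -eq 25)
        }
    }
}

function Get-PreauthSummary {
    param([string]$Text, [int]$Threshold = 10)
    # Count events per (client, failure code). Repeated 0x18 from one address
    # is the password-guessing signature; 0x19 is expected for every logon
    # that started without pre-authentication.
    @(ConvertFrom-Event675 $Text) |
        Group-Object Client, Code |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                Client     = $first.Client
                Code       = ('0x{0:X}' -f $first.Code)
                Meaning    = $first.Meaning
                Count      = $_.Count
                Suspicious = ($first.Code -eq 24 -and $_.Count -ge $Threshold)
            }
        } |
        Sort-Object Suspicious, Count -Descending |
        Select-Object Client, Code, Count, Suspicious, Meaning
}

# Constructed sample: the event quoted in the thread (benign 0x19).
$BenignEvent = @'
Pre-authentication failed:
       User Name:      DSR
       User ID:            FBRICE\DSR
       Service Name:      krbtgt/FBRICE.NET.AU
       Pre-Authentication Type:      0x0
       Failure Code:      0x19
       Client Address:      192.168.10.229
'@

# Constructed sample: a client repeatedly sending a wrong password (0x18).
$WrongPasswordEvent = @'
Pre-authentication failed:
       User Name:      administrator
       User ID:            FBRICE\administrator
       Service Name:      krbtgt/FBRICE.NET.AU
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      192.168.10.77
'@

$Text = $BenignEvent + ("`n`n" + $WrongPasswordEvent) * 12
Get-PreauthSummary -Text $Text -Threshold 10 | Format-Table -AutoSize

# Against the live Security log on the DC (classic 2003 event log):
# $Text = Get-EventLog -LogName Security -Newest 5000 |
#     Where-Object { $_.EventID -eq 675 } |
#     ForEach-Object { $_.Message + "`n`n" } | Out-String
```

The output groups the 0x19 entries as benign and flags the 192.168.10.77 / 0x18 group as suspicious once it crosses the threshold; in a real log the same grouping also makes a single misconfigured service account with a stale password stand out.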
 
LVL 24

Expert Comment

by:Sandeshdubey
It seems that the NETLOGON and SYSVOL shares are not available and hence the DC is not advertising as a domain controller. Run the net share command to see if the NETLOGON and SYSVOL shares are available.

If the NETLOGON or SYSVOL share is not available, or the SYSVOL folder is empty, you need to do an authoritative and non-authoritative restore of SYSVOL. On the healthy DC you need to run D4, and on the DC where the SYSVOL or NETLOGON share is not available you need to do D2. http://support.microsoft.com/kb/290762

If the issue persists, post dcdiag /q and repadmin /replsum output.
0
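The D2/D4 BurFlags procedure from KB 290762 mentioned above, as an added example (not code from the thread) for PowerShell 2.0. It reads and sets the BurFlags value through .NET rather than the HKLM: drive because the key name contains a forward slash, which the registry provider would treat as a path separator. Run it with -DryRun first; the restore itself stops and restarts FRS on the DC where it runs. The function names and the dry-run switch are my own.

```powershell
# Added example, not code from the thread: non-authoritative (D2) or
# authoritative (D4) FRS restore of SYSVOL per KB 290762, PowerShell 2.0.
# Only the BurFlags value and the NtFrs service are touched.

$BurFlagsSubKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Open-BurFlagsKey {
    param([bool]$Writable = $false)
    # The key name contains "/", which the HKLM: provider would treat as a
    # path separator, so open it with the .NET Registry class instead.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($BurFlagsSubKey, $Writable)
    if (-not $key) { throw "Registry key not found: HKLM\$BurFlagsSubKey (is NtFrs installed?)" }
    return $key
}

function Get-BurFlags {
    $key = Open-BurFlagsKey
    try { return [int]$key.GetValue('BurFlags', 0) } finally { $key.Close() }
}

function Set-FrsRestore {
    param(
        [ValidateSet('D2', 'D4')][string]$Mode = 'D2',   # D2 = non-authoritative, D4 = authoritative
        [switch]$DryRun
    )
    $value = [Convert]::ToInt32($Mode, 16)
    Write-Host ('Current BurFlags: 0x{0:X}' -f (Get-BurFlags))
    if ($DryRun) {
        Write-Host "Dry run: would stop NtFrs, set BurFlags=0x$Mode, start NtFrs"
        return
    }
    Stop-Service -Name NtFrs
    $key = Open-BurFlagsKey -Writable $true
    try {
        $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
    Start-Service -Name NtFrs
    Write-Host "BurFlags set to 0x$Mode and FRS restarted; check the File Replication Service log."
}

# On the DC that has lost its shares (FBRS-DC in the thread):
Set-FrsRestore -Mode D2 -DryRun
# Set-FrsRestore -Mode D2
```

Per the KB, set D4 on the reference DC that has a good SYSVOL and start FRS there first, then D2 on the DC whose SYSVOL or NETLOGON share is missing. In that DC's File Replication Service log, event 13565 marks the restore starting and 13516 that SYSVOL is shared again and the machine is allowed to act as a DC.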
 
LVL 11

Author Comment

by:dekkar
Will give it a go... see what I get..... Might have to wait for the weekend before I can try...
0
 
LVL 11

Author Comment

by:dekkar
Just thought I would post these as requested before I go ahead with the changes....



C:\Program Files\Support Tools>dcdiag /q
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test NetLogons
         Could not open pipe with [FBRS-DC]:failed with 1203: No network provider accepted the given network path.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         * Missing SPN :(null)
         * Missing SPN :(null)
         ......................... FBRS-DC failed test MachineAccount
         Could not open Remote ipc to [FBRS-DC]:failed with 1203: No network provider accepted the given network path.
         ......................... FBRS-DC failed test Services
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test frssysvol
         ......................... FBRS-DC failed test frsevent
         Failed to enumerate event log records, error No network provider accepted the given network path.
         ......................... FBRS-DC failed test kccevent
         Failed to enumerate event log records, error No network provider accepted the given network path.
         ......................... FBRS-DC failed test systemlog





C:\Program Files\Support Tools>repadmin /replsum
Replication Summary Start Time: 2011-09-14 14:14:33

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %%  error
 FBRM-DC               01h:16m:36s    0 /  10    0
 FBRM-DC2                  19m:49s    0 /   5    0
 FBRS-DC                   28m:14s    0 /   5    0
 FBRS-DC2              01h:19m:48s    0 /  10    0


Destination DC    largest delta    fails/total  %%  error
 FBRM-DC               01h:19m:48s    0 /  10    0
 FBRM-DC2                  25m:48s    0 /   5    0
 FBRS-DC               01h:16m:36s    0 /  10    0
 FBRS-DC2                  28m:14s    0 /   5    0


Thanks,
Dekkar

0
 
LVL 24

Expert Comment

by:Sandeshdubey
Check the DNS setting on the server; it should point to itself. If a public IP address is added in the NIC DNS settings, remove it and add it to the DNS forwarders if required. If 127.0.0.1 is entered as a DNS server, remove it and add the IP address.
Check the NIC binding order: the NIC which is online and has the IP details should be first in the order. If multiple NICs are present, disable the unrequired NICs.
Disable the Windows firewall. Reboot the server for the settings to take effect.
Make sure the system time on all DCs is in sync. Check AD Sites and Services and make sure there are no dead or non-existing DCs.

Did you check with nslookup whether you can contact the DNS server and whether it is responding properly?
Sometimes, when the DNS server is not responding/resolving or is not running properly, it's necessary to reinstall the DNS server instead of trying to troubleshoot it.

Check in the DNS console that the zone information is loaded correctly.
Also check that both the SYSVOL and NETLOGON shares are available.
0
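An added example, not code from the thread, that runs the checks in the comment above read-only on the DC in PowerShell 2.0 (an optional download for Server 2003; that it is installed is an assumption). It also reads the network provider order, because error 1203 on a UNC path to the local machine while remote clients succeed is the classic sign that the SMB redirector (LanmanWorkstation) is missing from that list rather than a share-permission problem. The private-address pattern and the service list are my choices; nothing here changes configuration.

```powershell
# Added example, not code from the thread: read-only health checks for a
# Server 2003 DC, PowerShell 2.0. Assumes it is run on the DC itself with
# a single IP-enabled NIC.

function Test-DcNicDns {
    # The DC's NIC should list its own address as DNS server: not 127.0.0.1
    # and not a public resolver (those belong in the forwarders).
    foreach ($nic in @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')) {
        $ips = @($nic.IPAddress)
        $dns = @($nic.DNSServerSearchOrder)
        $self = $false
        foreach ($d in $dns) { if ($ips -contains $d) { $self = $true } }
        # RFC 1918 ranges plus loopback; anything else is treated as public.
        $public = @($dns | Where-Object { $_ -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)' })
        New-Object PSObject -Property @{
            Adapter      = $nic.Description
            IPAddress    = ($ips -join ',')
            DnsServers   = ($dns -join ',')
            PointsToSelf = $self
            UsesLoopback = ($dns -contains '127.0.0.1')
            PublicDns    = ($public -join ',')
        }
    }
}

function Test-DcShares {
    # SYSVOL and NETLOGON must be listed by the Server service and reachable
    # from the DC itself by name, by IP and via localhost.
    $listed = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name })
    $ip = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            ForEach-Object { $_.IPAddress[0] })[0]
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        New-Object PSObject -Property @{
            Share       = $name
            Listed      = ($listed -contains $name)
            ByName      = (Test-Path ('\\' + $env:COMPUTERNAME + '\' + $name) -ErrorAction SilentlyContinue)
            ByIP        = (Test-Path ('\\' + $ip + '\' + $name) -ErrorAction SilentlyContinue)
            ByLocalhost = (Test-Path ('\\localhost\' + $name) -ErrorAction SilentlyContinue)
        }
    }
}

function Test-DcServices {
    # Services a 2003 DC needs for local UNC access, logon, SYSVOL and DNS.
    foreach ($svc in 'LanmanWorkstation', 'LanmanServer', 'Netlogon', 'NtFrs', 'DNS', 'kdc', 'W32Time') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $status = 'not installed'
        if ($s) { $status = [string]$s.Status }
        New-Object PSObject -Property @{ Service = $svc; Status = $status }
    }
}

function Test-ProviderOrder {
    # Error 1203 on a local UNC path is the classic symptom of the SMB
    # redirector (LanmanWorkstation) being absent from the provider order.
    $order = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
    New-Object PSObject -Property @{
        ProviderOrder        = $order
        HasLanmanWorkstation = ([string]$order -match 'LanmanWorkstation')
    }
}

Test-DcNicDns      | Format-List Adapter, IPAddress, DnsServers, PointsToSelf, UsesLoopback, PublicDns
Test-DcShares      | Format-Table Share, Listed, ByName, ByIP, ByLocalhost -AutoSize
Test-DcServices    | Format-Table Service, Status -AutoSize
Test-ProviderOrder | Format-List ProviderOrder, HasLanmanWorkstation
# Time sync across the DCs (run separately, prints offsets per DC):
# w32tm /monitor
```

A DC that fails ByName, ByIP and ByLocalhost while other hosts reach the same shares, and whose HasLanmanWorkstation is false or whose LanmanWorkstation service is not running, has a local redirector problem, not a SYSVOL problem; the Burflags restore will not help it until that is fixed.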
 
LVL 11

Author Comment

by:dekkar
Hi here are the details:

C:\Program Files\Support Tools>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : fbrs-dc
   Primary Dns Suffix  . . . . . . . : fbrice.net.au
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : fbrice.net.au

Ethernet adapter LAN 10.1:

   Connection-specific DNS Suffix  . : fbrice.net.au
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-11-0A-E9-B9-2C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.254
   DNS Servers . . . . . . . . . . . : 192.168.10.1
                                       192.168.10.240
   Primary WINS Server . . . . . . . : 192.168.10.1



There has only ever been one NIC enabled... nslookup works OK and I have restarted the server a number of times since the problem occurred.


As for SYSVOL and NETLOGON...... I can access these shares from any machine OK, but when I try to access them from the DC (locally) it doesn't allow it.

0

 
LVL 24

Expert Comment

by:Sandeshdubey
What error message do you receive when you access the SYSVOL and NETLOGON shares?
0
 
LVL 11

Author Comment

by:dekkar
\\fbrs-dc\NETLOGON is not accessible. You might not have permission to use this network resource. Contact the administrator of the server to find out if you have access permissions.

No Network provider accepted the given network path.


It happens when I try to access any share on the DC box locally.

All other machines have no problem accessing them. So it looks as though the DC has locked itself out, but everything else works OK.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
Check the permissions on the SYSVOL folder: the ID with which you are logged in should have full access.
Try to access it by entering only the IP address of the server, \\serverIPaddress, and check if the SYSVOL and NETLOGON shares are accessible.
0
 
LVL 11

Author Comment

by:dekkar
Hmmmmm permissions are all OK.

and no one can access the DC1 box via \\192.168.10.1


Just get an error saying windows cannot find it.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
Disable the firewall setting on the DC. Also disable the antivirus app.
Check the SYSVOL share permissions: Everyone should have read permission, and in the NTFS security Authenticated Users should have at least read permission.
Check that File and Printer Sharing for Microsoft Networks is enabled on the NIC.
0
 
LVL 11

Accepted Solution

by:
dekkar earned 0 total points
I ended up running dcpromo, removing it from the domain, adding it to the domain...... and running dcpromo again.....


0
 
LVL 11

Author Closing Comment

by:dekkar
Ended up doing what I had planned to do.....
0
