Solved

remove/add DC box on a domain

Posted on 2011-09-13
Last Modified: 2012-05-12
Hi, I have a 2003 server that is DC and it is causing quite a few problems...

Originally it was a DNS problem, this was rectified, but I think it's having WINS and other issues that are causing it to have authentication issues.

I have spent around a week looking at errors from nltest and netdiag, but nothing seems to apply.

The server is a print server and does do a few other small things, so I don't want to just trash it.


Would it be appropriate to dcpromo it, to make it a member server, then dcpromo it again to make it a DC again?

With the hope that the new AD stuff will fix any problems it was having before?


Thanks,
Dekkar
Question by:dekkar
14 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36527603
Depending on the errors yes that could be an appropriate way to go; but WINS should not affect authentication issues.

Are you seeing replication errors, errors in logs?

repadmin /showrepl ....how long since it has replicated

dcdiag is another good tool

Thanks

Mike
0
 
LVL 11

Author Comment

by:dekkar
ID: 36527627
Replication is actually working OK... according to repadmin...

The problem is really confusing me..... I'll give you some of the symptoms...

dcdiag gives the error:
Starting test: NetLogons
         * Network Logons Privileges Check
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test NetLogons

Starting test: MachineAccount
         Checking machine account for DC FBRS-DC on DC FBRS-DC.
         Could not open pipe with [FBRS-DC]:failed with 1203: No network provider accepted the given network path.


Netdiag gives:

IpConfig results . . . . . : Passed
            Pinging the Primary WINS server 192.168.10.1 - reachable

        AutoConfiguration results. . . . . . : Passed
            AutoConfiguration is not in use.

        Default gateway test . . . : Passed
            Pinging gateway 192.168.10.254 - reachable
            At least one gateway reachable for this adapter.

        NetBT name test. . . . . . : Passed
            NetBT_Tcpip_{0EFB38FB-D5D9-4742-BC94-735484C25FD9}
            FBRS-DC        <00>  UNIQUE      REGISTERED
            FBRICE         <00>  GROUP       REGISTERED
            FBRICE         <1C>  GROUP       REGISTERED
            FBRS-DC        <20>  UNIQUE      REGISTERED
            FBRICE         <1E>  GROUP       REGISTERED
            FBRICE         <1D>  UNIQUE      REGISTERED
            ..__MSBROWSE__.<01>  GROUP       REGISTERED
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.



NS test . . . . . . . . . . . . . : Passed
      Interface {0EFB38FB-D5D9-4742-BC94-735484C25FD9}
        DNS Domain: fbrice.net.au
        DNS Servers: 192.168.10.1 192.168.10.240
        IP Address:         Expected registration with PDN (primary DNS domain name):
          Hostname: fbrs-dc.fbrice.net.au.
          Authoritative zone: fbrice.net.au.
          Primary DNS server: fbrs-dc.fbrice.net.au 192.168.10.1
          Authoritative NS:192.168.10.240 192.168.10.1 192.168.30.3 192.168.30.1
Check the DNS registration for DCs entries on DNS server '192.168.10.1'
The Record is different on DNS server '192.168.10.1'.
DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain.
Your DC entry is one of them on DNS server '192.168.10.1', no need to re-register.




I'm getting these event logs:

DNS:
Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4004
Date:            8/09/2011
Time:            8:43:30 AM
User:            N/A
Computer:      FBRS-DC
Description:
The DNS server was unable to complete directory service enumeration of zone 30.168.192.in-addr.arpa.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    


Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4016
Date:            8/09/2011
Time:            8:43:30 AM
User:            N/A
Computer:      FBRS-DC
Description:
The DNS server timed out attempting an Active Directory service operation on DC=30.168.192.in-addr.arpa,cn=MicrosoftDNS,cn=System,DC=fbrice,DC=net,DC=au.  Check Active Directory to see that it is functioning properly. The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 55 00 00 00               U...    


millions of these in security:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            13/09/2011
Time:            4:55:56 PM
User:            NT AUTHORITY\SYSTEM
Computer:      FBRS-DC
Description:
Pre-authentication failed:
       User Name:      DSR
       User ID:            FBRICE\DSR
       Service Name:      krbtgt/FBRICE.NET.AU
       Pre-Authentication Type:      0x0
       Failure Code:      0x19
       Client Address:      192.168.10.229


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.






And finally, clients can access the server's \\fbrs-dc\netlogon folder....


but if I try and browse this from the server itself, I get the "No network provider accepted the given network path"


All the problems seem minor, and the server is doing most things OK... I'm just worried that something will happen and it will implode eventually.....



0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36527734
It seems that the netlogon and sysvol shares are not available and hence the DC is not advertising as a Domain Controller. Run the net share command and see if the netlogon and sysvol shares are available.

If the netlogon or sysvol share is not available, or the sysvol folder is empty, you need to do an auth and non-auth restore of sysvol. On the healthy DC you need to run D4, and on the DC where the sysvol or netlogon share is not available you need to do D2. http://support.microsoft.com/kb/290762

If the issue persists, post dcdiag /q and repadmin /replsum output.
0
 
LVL 11

Author Comment

by:dekkar
ID: 36533178
Will give it a go... see what I get..... Might have to wait for the weekend before I can try...
0
 
LVL 11

Author Comment

by:dekkar
ID: 36533929
Just thought I would post these as requested before I go ahead with the changes....



C:\Program Files\Support Tools>dcdiag /q
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test NetLogons
         Could not open pipe with [FBRS-DC]:failed with 1203: No network provider accepted the given network path.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         * Missing SPN :(null)
         * Missing SPN :(null)
         ......................... FBRS-DC failed test MachineAccount
         Could not open Remote ipc to [FBRS-DC]:failed with 1203: No network provider accepted the given network path.
         ......................... FBRS-DC failed test Services
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test frssysvol
         ......................... FBRS-DC failed test frsevent
         Failed to enumerate event log records, error No network provider accepted the given network path.
         ......................... FBRS-DC failed test kccevent
         Failed to enumerate event log records, error No network provider accepted the given network path.
         ......................... FBRS-DC failed test systemlog





C:\Program Files\Support Tools>repadmin /replsum
Replication Summary Start Time: 2011-09-14 14:14:33

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %%  error
 FBRM-DC               01h:16m:36s    0 /  10    0
 FBRM-DC2                  19m:49s    0 /   5    0
 FBRS-DC                   28m:14s    0 /   5    0
 FBRS-DC2              01h:19m:48s    0 /  10    0


Destination DC    largest delta    fails/total  %%  error
 FBRM-DC               01h:19m:48s    0 /  10    0
 FBRM-DC2                  25m:48s    0 /   5    0
 FBRS-DC               01h:16m:36s    0 /  10    0
 FBRS-DC2                  28m:14s    0 /   5    0


Thanks,
Dekkar

0
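As an added example (not code from the thread), a small Python parser for the repadmin /replsum and dcdiag /q output posted above: it converts each DC's largest delta to seconds, flags DCs with failed links or stale replication, and lists the dcdiag tests that failed. The embedded sample text is constructed from the thread's output, with one invented FBRX-DC row to exercise the failure path.

```python
import re
# Constructed sample modelled on the repadmin /replsum and dcdiag /q output posted in the
# thread; the FBRX-DC row is invented to exercise the failure path.
REPLSUM_SAMPLE = """\
Source DC           largest delta  fails/total  %%  error
 FBRM-DC               01h:16m:36s    0 /  10    0
 FBRS-DC                   28m:14s    0 /   5    0

Destination DC    largest delta    fails/total  %%  error
 FBRM-DC               01h:19m:48s    0 /  10    0
 FBRS-DC               01h:16m:36s    0 /  10    0
 FBRX-DC                  >60 days    5 /   5  100  (1722) The RPC server is unavailable.
"""
DCDIAG_SAMPLE = """\
         ......................... FBRS-DC failed test NetLogons
         ......................... FBRS-DC failed test MachineAccount
"""
DELTA_RE = re.compile(r"(?:(\d+)d\.)?(?:(\d+)h:)?(?:(\d+)m:)?(\d+)s")
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+(?: days)?)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$")
FAIL_RE = re.compile(r"\.{3,}\s+(\S+) failed test (\S+)")

def delta_seconds(text):
    """Convert a repadmin delta such as 01h:16m:36s to seconds; None if not a plain delta."""
    m = DELTA_RE.fullmatch(text)
    if not m:
        return None  # repadmin also prints values like ">60 days" or "(unknown)"
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def parse_replsum(text):
    """Return {(section, dc): (delta_seconds, fails, total, error_text)} from /replsum output."""
    section, rows = None, {}
    for line in text.splitlines():
        if line.startswith("Source DC"):
            section = "source"
        elif line.startswith("Destination DC"):
            section = "destination"
        m = ROW_RE.match(line)
        if section and m:  # header lines never match: their third column is not numeric
            dc, delta, fails, total, _pct, err = m.groups()
            rows[(section, dc)] = (delta_seconds(delta), int(fails), int(total), err.strip())
    return rows

def unhealthy(rows, max_delta=3 * 3600):
    """DCs with failed links or latency above max_delta (unparseable delta counts as stale)."""
    return sorted(key for key, (delta, fails, _t, _e) in rows.items()
                  if fails > 0 or delta is None or delta > max_delta)

def failed_dcdiag_tests(text):  # -> [(dc, test), ...] from dcdiag 'failed test' lines
    return FAIL_RE.findall(text)
```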
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36534009
Check the DNS setting on the server; it should point to itself. If a public IP address is added in the NIC DNS setting, remove it and add it to the DNS forwarders if required. If 127.0.0.1 is entered as DNS, remove it and add the IP address.
Check the NIC binding: the NIC which is online and has IP details should be first in order. If multiple NICs are present then disable the unrequired NICs.
Disable the Windows firewall. Reboot the server for the settings to take effect.
Make sure the system time on all DCs is in sync. Check AD Sites and Services, and make sure there are no dead or non-existing DCs.

Did you check with nslookup if you can contact the DNS server and if it is responding properly?
Sometimes, when the DNS server is not responding/resolving or is not running properly, it's necessary to reinstall the DNS server again instead of trying to troubleshoot it.

Check in the DNS console whether the zone information is loaded correctly.
Also check that both the sysvol and netlogon shares are available.
0
 
LVL 11

Author Comment

by:dekkar
ID: 36534044
Hi here are the details:

C:\Program Files\Support Tools>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : fbrs-dc
   Primary Dns Suffix  . . . . . . . : fbrice.net.au
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : fbrice.net.au

Ethernet adapter LAN 10.1:

   Connection-specific DNS Suffix  . : fbrice.net.au
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-11-0A-E9-B9-2C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.254
   DNS Servers . . . . . . . . . . . : 192.168.10.1
                                       192.168.10.240
   Primary WINS Server . . . . . . . : 192.168.10.1



There has only ever been one NIC enabled... nslookup works OK and I have restarted the server a number of times since the problem occurred.


As for sysvol and netlogon...... I can access these shares from any machine OK, but when I try and access them from the DC (locally) it doesn't allow it.

0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36534136
What error message do you receive when you access the sysvol and netlogon shares?
0
 
LVL 11

Author Comment

by:dekkar
ID: 36534440
\\fbrs-dc\NETLOGON is not accessible. You might not have permission to use this network resource. Contact the administrator of the server to find out if you have access permissions.

No Network provider accepted the given network path.


It happens when I try and access any share on the DC box locally.

All other machines have no problem accessing them. So it looks as though the DC has locked itself out, but everything else works OK.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36534518
Check the permissions on the sysvol folder: the ID with which you are logged in should have full access.
Try to access it by entering the IP address of the server (\\serverIPaddress only) and check if the sysvol and netlogon shares are accessible.
0
 
LVL 11

Author Comment

by:dekkar
ID: 36539590
Hmmmmm permissions are all OK.

And no one can access the DC1 box via \\192.168.10.1


Just get an error saying Windows cannot find it.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36540717
Disable the firewall setting on the DC. Also disable the antivirus app.
Check the sysvol share permissions: Everyone should have read permission, and in NTFS security Authenticated Users should have at least read permission.
Check that File and Printer Sharing for Microsoft Networks is enabled on the NIC.
0
 
LVL 11

Accepted Solution

by:dekkar (earned 0 total points)
ID: 36570658
I ended up dcpromo, remove from domain, add to domain...... dcpromo again.....


0
 
LVL 11

Author Closing Comment

by:dekkar
ID: 36594787
Ended up doing what I had planned to do.....
0
