Solved

remove/add DC box on a domain

Posted on 2011-09-13
Last Modified: 2012-05-12
Hi, I have a 2003 server that is a DC and it is causing quite a few problems...

Originally it was a DNS problem; this was rectified, but I think it's having WINS and other issues that are causing it to have authentication issues.

I have spent around a week looking at errors from nltest and netdiag, but nothing seems to apply.

The server is a print server and does do a few other small things, so I don't want to just trash it.


Would it be appropriate to dcpromo it, to make it a member server, then dcpromo it again to make it a DC again?

With the hope that the new AD stuff will fix any problems it was having before?


Thanks,
Dekkar
Question by:dekkar
14 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36527603
Depending on the errors, yes, that could be an appropriate way to go; but WINS should not affect authentication issues.

Are you seeing replication errors, errors in logs?

repadmin /showrepl ....how long since it has replicated

dcdiag is another good tool

Thanks

Mike
0
 
LVL 11

Author Comment

by:dekkar
ID: 36527627
Replication is actually working OK... according to repadmin...

The problem is really confusing me..... I'll give you some of the symptoms...

dcdiag gives the error:
Starting test: NetLogons
         * Network Logons Privileges Check
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test NetLogons

Starting test: MachineAccount
         Checking machine account for DC FBRS-DC on DC FBRS-DC.
         Could not open pipe with [FBRS-DC]:failed with 1203: No network provider accepted the given network path.


Netdiag gives:

IpConfig results . . . . . : Passed
            Pinging the Primary WINS server 192.168.10.1 - reachable

        AutoConfiguration results. . . . . . : Passed
            AutoConfiguration is not in use.

        Default gateway test . . . : Passed
            Pinging gateway 192.168.10.254 - reachable
            At least one gateway reachable for this adapter.

        NetBT name test. . . . . . : Passed
            NetBT_Tcpip_{0EFB38FB-D5D9-4742-BC94-735484C25FD9}
            FBRS-DC        <00>  UNIQUE      REGISTERED
            FBRICE         <00>  GROUP       REGISTERED
            FBRICE         <1C>  GROUP       REGISTERED
            FBRS-DC        <20>  UNIQUE      REGISTERED
            FBRICE         <1E>  GROUP       REGISTERED
            FBRICE         <1D>  UNIQUE      REGISTERED
            ..__MSBROWSE__.<01>  GROUP       REGISTERED
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.



NS test . . . . . . . . . . . . . : Passed
      Interface {0EFB38FB-D5D9-4742-BC94-735484C25FD9}
        DNS Domain: fbrice.net.au
        DNS Servers: 192.168.10.1 192.168.10.240
        IP Address:         Expected registration with PDN (primary DNS domain name):
          Hostname: fbrs-dc.fbrice.net.au.
          Authoritative zone: fbrice.net.au.
          Primary DNS server: fbrs-dc.fbrice.net.au 192.168.10.1
          Authoritative NS:192.168.10.240 192.168.10.1 192.168.30.3 192.168.30.1
Check the DNS registration for DCs entries on DNS server '192.168.10.1'
The Record is different on DNS server '192.168.10.1'.
DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain.
Your DC entry is one of them on DNS server '192.168.10.1', no need to re-register.




I'm getting these event logs:

DNS:
Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4004
Date:            8/09/2011
Time:            8:43:30 AM
User:            N/A
Computer:      FBRS-DC
Description:
The DNS server was unable to complete directory service enumeration of zone 30.168.192.in-addr.arpa.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    


Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4016
Date:            8/09/2011
Time:            8:43:30 AM
User:            N/A
Computer:      FBRS-DC
Description:
The DNS server timed out attempting an Active Directory service operation on DC=30.168.192.in-addr.arpa,cn=MicrosoftDNS,cn=System,DC=fbrice,DC=net,DC=au.  Check Active Directory to see that it is functioning properly. The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 55 00 00 00               U...    


millions of these in security:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            13/09/2011
Time:            4:55:56 PM
User:            NT AUTHORITY\SYSTEM
Computer:      FBRS-DC
Description:
Pre-authentication failed:
       User Name:      DSR
       User ID:            FBRICE\DSR
       Service Name:      krbtgt/FBRICE.NET.AU
       Pre-Authentication Type:      0x0
       Failure Code:      0x19
       Client Address:      192.168.10.229


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.






And finally, clients can access the servers \\fbrs-dc\netlogon folder....


but if I try and browse this from the server itself, I get the "No network provider accepted the given network path"


All the problems seem minor, and the server is doing most things OK... I'm just worried that something will happen and it will implode eventually.....



0
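A triage script for the Security event 675 entries pasted above, as an added example that is not part of the thread. It parses event text in the layout the poster used ("User Name:", "Pre-Authentication Type:", "Failure Code:", "Client Address:"), separates failure code 0x19 (KDC_ERR_PREAUTH_REQUIRED: the KDC telling a client that sent no pre-authentication data to retry with it, which is what the posted record with pre-auth type 0x0 shows) from codes that mean a logon actually failed, and raises an alert when one client address accumulates many wrong-password (0x18) failures for one account. The sample records, the account name backupsvc and the client address 192.168.10.77 are constructed for the example.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120) as they appear in the 675 "Failure Code" field.
FAILURE_CODES = {
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN: user name does not exist",
    "0x12": "KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out",
    "0x17": "KDC_ERR_KEY_EXPIRED: password expired",
    "0x18": "KDC_ERR_PREAUTH_FAILED: wrong password",
    "0x19": "KDC_ERR_PREAUTH_REQUIRED: client must retry with pre-auth data",
    "0x20": "KRB_AP_ERR_TKT_EXPIRED: ticket expired",
    "0x25": "KRB_AP_ERR_SKEW: clock skew too great",
}

FIELD_RE = re.compile(
    r"^\s*(User Name|Pre-Authentication Type|Failure Code|Client Address):\s*(\S+)", re.M)


def parse_events(text):
    """One dict per 'Pre-authentication failed:' block in pasted event-log text."""
    events = []
    for block in text.split("Pre-authentication failed:")[1:]:
        fields = dict(FIELD_RE.findall(block))
        events.append({
            "user": fields.get("User Name", "?"),
            "preauth_type": fields.get("Pre-Authentication Type", "?"),
            "code": fields.get("Failure Code", "?").lower(),
            "client": fields.get("Client Address", "?"),
        })
    return events


def classify(event):
    """0x19 with pre-auth type 0x0 is the first leg of a normal AS exchange, not a failed logon."""
    if event["code"] == "0x19" and event["preauth_type"] == "0x0":
        return "benign"
    if event["code"] in ("0x18", "0x12", "0x6"):
        return "investigate"
    return "review"


def triage(text, bad_password_threshold=5):
    """Count events per class and alert on repeated wrong-password failures from one client."""
    events = parse_events(text)
    summary = {"benign": 0, "investigate": 0, "review": 0, "alerts": []}
    for event in events:
        summary[classify(event)] += 1
    per_source = Counter((e["client"], e["user"], e["code"]) for e in events)
    for (client, user, code), n in per_source.items():
        if code == "0x18" and n >= bad_password_threshold:
            summary["alerts"].append(
                f"{n} x {FAILURE_CODES[code]} for {user} from {client}")
    return summary


def _event(user, preauth_type, code, client):
    """Constructed 675 record in the same layout as the poster's event text."""
    return (
        "Event ID:      675\n"
        "Description:\n"
        "Pre-authentication failed:\n"
        f"       User Name:      {user}\n"
        f"       User ID:            FBRICE\\{user}\n"
        "       Service Name:      krbtgt/FBRICE.NET.AU\n"
        f"       Pre-Authentication Type:      {preauth_type}\n"
        f"       Failure Code:      {code}\n"
        f"       Client Address:      {client}\n\n"
    )


# Constructed sample: the poster's DSR/0x19 pattern three times, a burst of
# wrong-password failures for a hypothetical account, and one clock-skew error.
SAMPLE_LOG = (
    _event("DSR", "0x0", "0x19", "192.168.10.229") * 3
    + _event("backupsvc", "0x2", "0x18", "192.168.10.77") * 6
    + _event("DSR", "0x2", "0x25", "192.168.10.229")
)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print({k: v for k, v in result.items() if k != "alerts"})
    for line in result["alerts"]:
        print("ALERT:", line)
```

Run against an export of the Security log, the "benign" count is the 0x19 noise the poster is seeing, while anything in "investigate" (and every alert) is what an account-lockout or password-guessing review should look at first.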
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36527734
It seems that the netlogon and sysvol shares are not available and hence the DC is not advertising as a Domain Controller. Run the net share command to see if the netlogon and sysvol shares are available.

If the netlogon or sysvol share is not available or the sysvol folder is empty you need to do an authoritative and non-authoritative restore of sysvol. On the healthy DC you need to run D4 and on the DC where the sysvol or netlogon share is not available you need to do D2. http://support.microsoft.com/kb/290762

If the issue persists post dcdiag /q and repadmin /replsum output.
0
 
LVL 11

Author Comment

by:dekkar
ID: 36533178
Will give it a go... see what I get..... Might have to wait for the weekend before I can try...
0
 
LVL 11

Author Comment

by:dekkar
ID: 36533929
Just thought I would post these as requested before I go ahead with the changes....



C:\Program Files\Support Tools>dcdiag /q
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test NetLogons
         Could not open pipe with [FBRS-DC]:failed with 1203: No network provider accepted the given network path.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         * Missing SPN :(null)
         * Missing SPN :(null)
         ......................... FBRS-DC failed test MachineAccount
         Could not open Remote ipc to [FBRS-DC]:failed with 1203: No network provider accepted the given network path.
         ......................... FBRS-DC failed test Services
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test frssysvol
         ......................... FBRS-DC failed test frsevent
         Failed to enumerate event log records, error No network provider accepted the given network path.
         ......................... FBRS-DC failed test kccevent
         Failed to enumerate event log records, error No network provider accepted the given network path.
         ......................... FBRS-DC failed test systemlog





C:\Program Files\Support Tools>repadmin /replsum
Replication Summary Start Time: 2011-09-14 14:14:33

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %%  error
 FBRM-DC               01h:16m:36s    0 /  10    0
 FBRM-DC2                  19m:49s    0 /   5    0
 FBRS-DC                   28m:14s    0 /   5    0
 FBRS-DC2              01h:19m:48s    0 /  10    0


Destination DC    largest delta    fails/total  %%  error
 FBRM-DC               01h:19m:48s    0 /  10    0
 FBRM-DC2                  25m:48s    0 /   5    0
 FBRS-DC               01h:16m:36s    0 /  10    0
 FBRS-DC2                  28m:14s    0 /   5    0


Thanks,
Dekkar

0
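A parser for the two outputs requested above (dcdiag /q and repadmin /replsum), as an added example that is not part of the thread. It pulls the "failed test" lines and the Win32 error codes out of the dcdiag output, reads both tables of the replication summary, and turns them into a list of findings: any DC with replication failures, any "largest delta" beyond a threshold (defaulting to 180 minutes, the default inter-site replication interval), plus every failed dcdiag test. The sample text is copied from the poster's output (the dcdiag part abridged); the threshold and the finding wording are the example's own.

```python
import re

# Win32 error codes seen in the thread's dcdiag output.
WIN32_ERRORS = {1203: "ERROR_NO_NET_OR_BAD_PATH (no network provider accepted the given network path)"}

FAILED_TEST_RE = re.compile(r"^\s*\.{3,}\s*(\S+) failed test (\S+)", re.M)
ERROR_CODE_RE = re.compile(r"(?:error|failed with) (\d+)")
DELTA_RE = re.compile(r"(?:(\d+)h:)?(?:(\d+)m:)?(\d+)s")
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$")


def dcdiag_failures(text):
    """Map each DC to the dcdiag tests it failed, and collect the numeric error codes seen."""
    failed = {}
    for dc, test in FAILED_TEST_RE.findall(text):
        failed.setdefault(dc, []).append(test)
    codes = sorted({int(c) for c in ERROR_CODE_RE.findall(text)})
    return failed, codes


def delta_seconds(delta):
    """'01h:19m:48s' -> 4788; None for forms this regex does not cover (e.g. '>60 days')."""
    m = DELTA_RE.fullmatch(delta)
    if not m:
        return None
    h, mi, s = (int(x or 0) for x in m.groups())
    return h * 3600 + mi * 60 + s


def parse_replsum(text):
    """Rows from the 'Source DC' and 'Destination DC' tables of repadmin /replsum."""
    rows, section = [], None
    for line in text.splitlines():
        if line.startswith("Source DC"):
            section = "source"
        elif line.startswith("Destination DC"):
            section = "destination"
        elif section:
            m = ROW_RE.match(line)
            if m:
                dc, delta, fails, total, pct, err = m.groups()
                rows.append({"section": section, "dc": dc, "delta_s": delta_seconds(delta),
                             "fails": int(fails), "total": int(total), "pct": int(pct),
                             "error": err.strip()})
    return rows


def health_findings(dcdiag_text, replsum_text, max_delta_s=3 * 3600):
    """Combine both outputs into human-readable findings."""
    findings = []
    failed, codes = dcdiag_failures(dcdiag_text)
    for dc, tests in failed.items():
        findings.append(f"{dc}: failed dcdiag tests {', '.join(tests)}")
    for code in codes:
        findings.append(f"Win32 error {code}: {WIN32_ERRORS.get(code, 'unknown')}")
    for r in parse_replsum(replsum_text):
        if r["fails"]:
            findings.append(f"{r['dc']} ({r['section']}): {r['fails']}/{r['total']} "
                            f"replication failures {r['error']}")
        if r["delta_s"] is None or r["delta_s"] > max_delta_s:
            findings.append(f"{r['dc']} ({r['section']}): largest delta exceeds {max_delta_s}s")
    return findings


# Copied from the thread's posted output (dcdiag abridged to the failure lines).
DCDIAG_Q = """\
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test NetLogons
         Could not open pipe with [FBRS-DC]:failed with 1203: No network provider accepted the given network path.
         ......................... FBRS-DC failed test MachineAccount
         Could not open Remote ipc to [FBRS-DC]:failed with 1203: No network provider accepted the given network path.
         ......................... FBRS-DC failed test Services
         ......................... FBRS-DC failed test frssysvol
         ......................... FBRS-DC failed test frsevent
         Failed to enumerate event log records, error No network provider accepted the given network path.
         ......................... FBRS-DC failed test kccevent
         ......................... FBRS-DC failed test systemlog
"""

REPLSUM = """\
Replication Summary Start Time: 2011-09-14 14:14:33

Source DC           largest delta  fails/total  %%  error
 FBRM-DC               01h:16m:36s    0 /  10    0
 FBRM-DC2                  19m:49s    0 /   5    0
 FBRS-DC                   28m:14s    0 /   5    0
 FBRS-DC2              01h:19m:48s    0 /  10    0

Destination DC    largest delta    fails/total  %%  error
 FBRM-DC               01h:19m:48s    0 /  10    0
 FBRM-DC2                  25m:48s    0 /   5    0
 FBRS-DC               01h:16m:36s    0 /  10    0
 FBRS-DC2                  28m:14s    0 /   5    0
"""

if __name__ == "__main__":
    for finding in health_findings(DCDIAG_Q, REPLSUM):
        print(finding)
```

On the posted data this yields exactly two findings, both about FBRS-DC's local dcdiag failures with error 1203, and nothing from the replication summary, which matches the poster's observation that replication itself is healthy while the box cannot reach its own shares.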
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36534009
Check the DNS setting on the server; it should point to itself. If a public IP address is added in the NIC DNS setting, remove it and add it to the DNS forwarders if required. If 127.0.0.1 is entered as DNS, remove it and add the IP address.
Check NIC binding: the NIC which is online and has IP details should be first in the binding order. If multiple NICs are present then disable the unrequired NICs.
Disable the Windows firewall. Reboot the server for the settings to take effect.
Make sure the system time on all DCs is in sync. Check AD Sites and Services, make sure there are no dead or non-existing DCs.

Did you check with nslookup if you can contact the DNS server and if it is responding properly?
Sometimes, when the DNS server is not responding/resolving or is not running properly, it's necessary to reinstall the DNS server again instead of trying to troubleshoot it.

Check in the DNS console that the zone information is loaded correctly.
Also check that both the sysvol and netlogon shares are available.
0
 
LVL 11

Author Comment

by:dekkar
ID: 36534044
Hi here are the details:

C:\Program Files\Support Tools>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : fbrs-dc
   Primary Dns Suffix  . . . . . . . : fbrice.net.au
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : fbrice.net.au

Ethernet adapter LAN 10.1:

   Connection-specific DNS Suffix  . : fbrice.net.au
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-11-0A-E9-B9-2C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.254
   DNS Servers . . . . . . . . . . . : 192.168.10.1
                                       192.168.10.240
   Primary WINS Server . . . . . . . : 192.168.10.1



There has only ever been one NIC enabled... nslookup works OK and I have restarted the server a number of times since the problem occurred.


As for sysvol and netlogon...... I can access these shares from any machine OK, but when I try and access them from the DC (locally) it doesn't allow it.

0
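A check of the ipconfig /all output above against the DNS points in the previous expert comment (the DC's own address in its DNS list, no 127.0.0.1, no public address on the NIC), as an added example that is not part of the thread. It parses the ipconfig /all layout, including the continuation line that carries the second DNS server, and reports a finding per rule violated. The text is rebuilt from the poster's values with only the DNS list varying; the second sample, with 127.0.0.1 and the documentation address 203.0.113.53 as DNS servers, is constructed to show the misconfigured case.

```python
import ipaddress
import re

FIELD_RE = re.compile(r"^\s+(.+?)[\s.]*:\s*(.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values]}}; host-level fields are keyed ''."""
    adapters, current, last = {"": {}}, "", None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # "Ethernet adapter LAN 10.1:" or a heading
            if line.endswith(":"):
                current = line[:-1]
                adapters[current] = {}
            last = None
            continue
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            adapters[current][last] = [m.group(2)] if m.group(2) else []
        elif last:                                # continuation line, e.g. the second DNS server
            adapters[current][last].append(line.strip())
    return adapters


def check_dns(adapters):
    """Apply the thread's DNS rules to every adapter that has an IP address."""
    findings = []
    for name, fields in adapters.items():
        if not name or "IP Address" not in fields:
            continue
        own = fields["IP Address"][0]
        dns = fields.get("DNS Servers", [])
        if own not in dns:
            findings.append(f"{name}: own address {own} is not in the DNS server list {dns}")
        if "127.0.0.1" in dns:
            findings.append(f"{name}: 127.0.0.1 used as DNS server; use the NIC address {own} instead")
        for server in dns:
            addr = ipaddress.ip_address(server)
            if not addr.is_loopback and not any(addr in net for net in RFC1918):
                findings.append(f"{name}: {server} is not a private LAN address; "
                                "move it to the DNS forwarders")
    return findings


def ipconfig_text(dns_servers):
    """ipconfig /all text in the layout of the poster's output; only the DNS list varies."""
    dns = "\n                                        ".join(dns_servers)
    return f"""\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : fbrs-dc
   Primary Dns Suffix  . . . . . . . : fbrice.net.au
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter LAN 10.1:

   Connection-specific DNS Suffix  . : fbrice.net.au
   Physical Address. . . . . . . . . : 00-11-0A-E9-B9-2C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.254
   DNS Servers . . . . . . . . . . . : {dns}
   Primary WINS Server . . . . . . . : 192.168.10.1
"""


POSTED = ipconfig_text(["192.168.10.1", "192.168.10.240"])      # the poster's DNS list
MISCONFIGURED = ipconfig_text(["127.0.0.1", "203.0.113.53"])    # constructed bad case

if __name__ == "__main__":
    print("posted config:", check_dns(parse_ipconfig(POSTED)) or "no findings")
    for finding in check_dns(parse_ipconfig(MISCONFIGURED)):
        print("constructed config:", finding)
```

The posted configuration passes all three rules, which is consistent with the expert's later move away from DNS settings toward firewall, antivirus and share permissions.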
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36534136
What error message do you receive when you access the sysvol and netlogon shares?
0
 
LVL 11

Author Comment

by:dekkar
ID: 36534440
\\fbrs-dc\NETLOGON is not accessible. You might not have permission to use this network resource. Contact the administrator of the server to find out if you have access permissions.

No Network provider accepted the given network path.


It happens when I try and access any share on the DC box locally.

All other machines have no problem accessing them. So it looks as though the DC has locked itself out, but everything else works OK.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36534518
Check the permissions on the sysvol folder; the ID with which you are logged in should have full access.
Try to access it by entering only the IP address of the server (\\serverIPaddress) and check if the sysvol and netlogon shares are accessible.
0
 
LVL 11

Author Comment

by:dekkar
ID: 36539590
Hmmmmm permissions are all OK.

and no one can access the DC1 box via \\192.168.10.1


Just get an error saying windows cannot find it.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36540717
Disable the firewall setting on the DC. Also disable the antivirus app.
Check the sysvol share permission: Everyone should have read permission and in NTFS security Authenticated Users should have at least read permission.
Check that File and Printer Sharing for Microsoft Networks is enabled on the NIC.
0
 
LVL 11

Accepted Solution

by:
dekkar earned 0 total points
ID: 36570658
I ended up dcpromo, remove from domain, add to domain...... dcpromo again.....


0
 
LVL 11

Author Closing Comment

by:dekkar
ID: 36594787
Ended up doing what I had planned to do.....
0
