Solved

Can't Access my Global Catalog

Posted on 2011-09-15
Last Modified: 2012-05-12
I inherited a network of 3 servers including:
ADserver.123.asi -  Domain Controller & Active Directory
FileServer.123.asi - Also has a DC & AD
exchange.123.asi - Exchange Server

The problem I'm having is the 3rd server was taken off the domain (into a workgroup), put on another domain, taken off that (put into a workgroup) & then put back onto the domain - so it doesn't have any of the domain permissions or associations, etc... (all screwed up).

So since everything on it is broken - I'm trying to do a restore from tape. Now I put the tape restore to run & it can't authenticate any of the users.

So I went to create a new user in AD (to use w/ the tape backup) & it gave me a warning that the Global Catalog could not be reached & the service wasn't running.

Where do I look to see if the GC service is running & if it is, what do I look at after that to get the GC to work with the DC & AD so I can authenticate & restore the exchange server?

Thanks.
Question by:spongebobzach
11 Comments
 
Expert Comment

by:Jamie McKillop
Hello,

What are you restoring from tape? The Exchange server? How old is the backup? What server are you running ADUC from to create the new user? What version of Windows Server are your domain controllers running?

JJ

Author Comment

by:spongebobzach
Hi JJ, thanks...

-I'm restoring my exchange server from a March 1, 2011 tape & that backup set/job is in the Backup Exec Catalog (that lives on BBAS01) so there is no problem in the backup software except when I get to the authentication from BBAS01 to APPSRV01.

-All servers are MS Windows 2003 R2 Standard.

-in this network APPSRV01.123.asi was the original DC for 123.asi.
-then BBAS01.123.asi was added & promoted to be a second DC for 123.asi.
-and exchange.123.asi was peacefully residing in the domain.

So just as an FYI  - the circumstance creating this problem is that the Exchange server was removed from the 123.asi domain to a workgroup, added as a server to a different domain (abc.asi), then moved to a workgroup then moved back to the original domain 123.asi, then promoted to a DC for 123.asi, which can’t be undone in DCPROMO or by moving to a workgroup - so this server is shot! That’s why I need to restore it.

Fast Forward to today:

I tried to do a restore from the BBAS01 Symantec Backup Exec but I can't access the tape because BBAS01 can't find a Global catalog, which prevents me from authenticating to the backup exec, preventing the restore.

TO ADD A NEW USER & GIVE THE USER ADMIN RIGHTS TO THE BACKUP SOFTWARE:
I tried to add a user In BBAS01.123.asi & the error reads:
Active Directory
Windows cannot verify that the username is unique because the following error occurred while contacting the global catalog: The server is not operational
Windows will create this user account, but the user can log on only after the user name is verified to be unique.  Make sure the global catalog is available.  For more information about troubleshooting this issue see Windows Help.

I successfully added a user in APPSRV01.123.asi - without the Global Catalog error - so the original DC APPSRV01 works & sees the Global catalog!

But when I set the backup UN/PW to that new user added in APPSRV01, Backup Exec is getting an "Access Denied" (because BBAS01 can't see the global catalog on APPSRV01).

So in review it seems that the DC in APPSRV01 is running properly but BBAS01 doesn’t see the Global catalog there.

So I need to get BBAS01 to see the Global catalog in APPSRV01 so the Backup Program can authenticate the user & allow access to the tape...?


Expert Comment

by:Jamie McKillop
OK, let's try to solve the GC error first. On BBAS01, what DNS servers is it using as the primary and secondary on the TCP/IP properties of the NIC?

JJ

Author Comment

by:spongebobzach
APPSRV01 is at 192.168.0.2
BBAS01 is at 192.168.0.4

APPSRV01 & BBAS01 DNS are both set to:
Primary 192.168.0.2
Secondary 192.168.0.4


Expert Comment

by:Jamie McKillop
Since your backup for exchange is more than 90 days old, you can't use it because it is beyond the 90 day tombstone period. You will need to rebuild this server from scratch then promote it as a DC. Before you do that, you will need to manually remove it from AD by following these instructions:

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

In AD Sites and Services, can you check the other two DCs and tell me which are set as GCs?

JJ

Author Comment

by:spongebobzach
The APPSRV01 is the primary AD & holds the Global Catalog.

BBAS01 was a secondary AD server

Exchange was just that & should not have been a DC (it was elevated in error)

I'd like to forget exchange for a minute & get BBAS01 to find APPSRV01 & the GC ...

I tried the instructions but I initially did the removal of the exchange server directly on the exchange server & it said that it can't remove itself (although I got to the end of the process).

Then I repeated the exchange server process from APPSRV01 - & when it came time to list the DC Servers, the exchange server was no longer listed as a DC. So because it had been listed & was a DC choice to remove on the first attempt inside the exchange server, that exchange actually was removed as a DC on the initial attempt.

So with that exchange appears to be removed as a DC as far as the first part of these instructions are concerned (remove meta data) http://www.petri.co.il/delete_failed_dcs_from_ad.htm.

Now how do I get BBAS01 to talk to APPSRV01's GC?

Author Comment

by:spongebobzach
My other thought is to learn if there is a way for me to open/import the 123.asi exchange store into the abc.asi exchange server so I can get to the mailbox from there?

Accepted Solution

by:Jamie McKillop (earned 500 total points)
Check your event logs on both DCs for any errors.

Run dcdiag from both servers.

JJ

Author Comment

by:spongebobzach
I ran dcdiag & grabbed some events I believe may help identify a solution... thanks!
---------------------------------------------------------
APPSRV01
C:\Documents and Settings\Administrator>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\APPSRV01
      Starting test: Connectivity
         ......................... APPSRV01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\APPSRV01
      Starting test: Replications
         ......................... APPSRV01 passed test Replications
      Starting test: NCSecDesc
         ......................... APPSRV01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... APPSRV01 passed test NetLogons
      Starting test: Advertising
         ......................... APPSRV01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... APPSRV01 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... APPSRV01 passed test RidManager
      Starting test: MachineAccount
         ......................... APPSRV01 passed test MachineAccount
      Starting test: Services
         ......................... APPSRV01 passed test Services
      Starting test: ObjectsReplicated
         ......................... APPSRV01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... APPSRV01 passed test frssysvol
      Starting test: frsevent
         ......................... APPSRV01 passed test frsevent
      Starting test: kccevent
         ......................... APPSRV01 passed test kccevent
      Starting test: systemlog
         ......................... APPSRV01 passed test systemlog
      Starting test: VerifyReferences
         ......................... APPSRV01 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : irma
      Starting test: CrossRefValidation
         ......................... irma passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... irma passed test CheckSDRefDom

   Running enterprise tests on : irma.asi
      Starting test: Intersite
         ......................... irma.asi passed test Intersite
      Starting test: FsmoCheck
         ......................... irma.asi passed test FsmoCheck
------------------------------------------------------------
BBAS01

C:\>dcdiag
'dcdiag' is not recognized as an internal or external command, operable program or batch file.
---------------------------------------------------------------
I think BBAS01 is looking for Exchange as a DC...?

Event Type:      Error
Event Source:      NTDS Replication
Event Category:      DS RPC Client
Event ID:      2087
Date:            9/16/2011
Time:            2:35:44 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      BBAS01
Description:
Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
 
Source domain controller:
 EXCHANGE
Failing DNS host name:
 a9bd1530-5dcb-4ede-82d4-c8fe20e2101a._msdcs.irma.asi
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
 
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
 
User Action:
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 
 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns
 
  dcdiag /test:dns
 
 4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
 
  dcdiag /test:dns
 
 5) For further analysis of DNS error failures see KB 824449:
   http://support.microsoft.com/?kbid=824449
 
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------------------------


Event Type:      Information
Event Source:      W32Time
Event Category:      None
Event ID:      38
Date:            9/17/2011
Time:            8:44:09 AM
User:            N/A
Computer:      BBAS01
Description:
The time provider NtpClient cannot reach or is currently receiving invalid time data from appsrv01.irma.asi (ntp.d|192.168.0.4:123->192.168.0.2:123).
---------------------------------------------------
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            9/16/2011
Time:            12:35:41 PM
User:            N/A
Computer:      BBAS01
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/bbas01.irma.asi.  The target name used was LDAP/BBAS01. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (IRMA.ASI), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------------------------------------------
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            9/16/2011
Time:            12:35:44 PM
User:            N/A
Computer:      BBAS01
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/bbas01.irma.asi.  The target name used was ldap/bbas01.irma.asi. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (IRMA.ASI), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            9/16/2011
Time:            12:38:21 PM
User:            N/A
Computer:      BBAS01
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/bbas01.irma.asi.  The target name used was LDAP/bbas01.irma.asi/irma.asi@IRMA.ASI. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (IRMA.ASI), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------------------------------------
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            9/16/2011
Time:            12:38:51 PM
User:            N/A
Computer:      BBAS01
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/appsrv01.irma.asi.  The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (IRMA.ASI), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------------------------------------------------------
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            9/16/2011
Time:            12:39:39 PM
User:            N/A
Computer:      BBAS01
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/bbas01.irma.asi.  The target name used was cifs/BBAS01. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (IRMA.ASI), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------------------------------
Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5721
Date:            9/16/2011
Time:            1:43:07 PM
User:            N/A
Computer:      BBAS01
Description:
The session setup to the Windows NT or Windows 2000 Domain Controller \\appsrv01.irma.asi for the domain IRMA failed because the Domain Controller did not have an account BBAS01$ needed to set up the session by this computer BBAS01.  

ADDITIONAL DATA
If this computer is a member of or a Domain Controller in the specified domain, the aforementioned account is a computer account for this computer in the specified domain. Otherwise, the account is an interdomain trust account with the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 8b 01 00 c0               ¿..À    
----------------------------------
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            9/16/2011
Time:            12:38:21 PM
User:            N/A
Computer:      BBAS01
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/bbas01.irma.asi.  The target name used was LDAP/bbas01.irma.asi/irma.asi@IRMA.ASI. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (IRMA.ASI), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Author Comment

by:spongebobzach
Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1308
Date:            9/16/2011
Time:            2:40:12 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      BBAS01
Description:
The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following domain controller has consistently failed.
 
Attempts:
5709
Domain controller:
CN=NTDS Settings,CN=APPSRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=irma,DC=asi
Period of time (minutes):
175987
 
The Connection object for this domain controller will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this domain controller resumes, the temporary connection will be removed.
 
Additional Data
Error value:
5 Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1308
Date:            9/16/2011
Time:            2:40:12 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      BBAS01
Description:
The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following domain controller has consistently failed.
 
Attempts:
76
Domain controller:
CN=NTDS Settings,CN=EXCHANGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=irma,DC=asi
Period of time (minutes):
4365
 
The Connection object for this domain controller will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this domain controller resumes, the temporary connection will be removed.
 
Additional Data
Error value:
8524 The DSA operation is unable to proceed because of a DNS lookup failure.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
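As an added example (not part of this thread, and not JJ's or the asker's code), here is a PowerShell script a defender could run on a DC to do what the accepted answer asks for in one pass: confirm whether the DC locator can find a Global Catalog, whether DNS advertises one, and which of the event IDs quoted in the posts above (Kerberos 4, NETLOGON 5721, NTDS Replication 2087, NTDS KCC 1308) appear on each DC. The names APPSRV01, BBAS01 and irma.asi are taken from the dcdiag output and events above; the parameter names, the 24-hour window and the log names are assumptions.

```powershell
# Added example, not from the thread. Run on a domain controller in the irma.asi
# forest (taken from the dcdiag output above); adjust the parameters for another forest.
param(
    [string]$Domain = 'irma.asi',
    [string[]]$DomainControllers = @('APPSRV01', 'BBAS01'),
    [int]$Hours = 24   # assumed look-back window for the event log query
)

# 1. Can this machine locate a Global Catalog at all? nltest /dsgetdc with /gc asks
#    the DC locator for a GC-flagged DC; a non-zero exit code means none was found.
$gc = & nltest.exe /dsgetdc:$Domain /gc /force 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "DC locator could not find a Global Catalog for $Domain"
    $gc | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "GC located:"
    $gc | ForEach-Object { Write-Host "  $_" }
}

# 2. Does DNS advertise any GC? The _gc._tcp SRV record is what the locator relies on.
#    nslookup is used so this also works on Windows Server 2003 (no Resolve-DnsName there).
& nslookup.exe -type=SRV "_gc._tcp.$Domain" 2>&1 | ForEach-Object { Write-Host $_ }

# 3. The event IDs this thread surfaced on BBAS01, checked on every DC so the
#    symptom can be compared side by side.
$watch = @(
    @{ Log = 'System';            Source = 'Kerberos';         Id = 4    }  # KRB_AP_ERR_MODIFIED
    @{ Log = 'System';            Source = 'NETLOGON';         Id = 5721 }  # DC has no BBAS01$ account
    @{ Log = 'Directory Service'; Source = 'NTDS Replication'; Id = 2087 }  # source DC name unresolvable
    @{ Log = 'Directory Service'; Source = 'NTDS KCC';         Id = 1308 }  # repeated replication failure
)
$since = (Get-Date).AddHours(-$Hours)
foreach ($dc in $DomainControllers) {
    foreach ($w in $watch) {
        try {
            $hits = @(Get-EventLog -ComputerName $dc -LogName $w.Log -Source $w.Source `
                          -After $since -ErrorAction Stop | Where-Object { $_.EventID -eq $w.Id })
        } catch {
            Write-Warning "$dc/$($w.Log): $($_.Exception.Message)"
            continue
        }
        if ($hits.Count -gt 0) {
            # Get-EventLog returns newest first, so the first hit is the latest occurrence.
            "{0}: {1} x Event {2} ({3}); latest {4}" -f $dc, $hits.Count, $w.Id, $w.Source, $hits[0].TimeGenerated
        }
    }
}

# 4. dcdiag and repadmin on the DC this runs on. The thread showed dcdiag missing on
#    BBAS01; on Server 2003 that means the Windows Support Tools are not installed.
if (Get-Command dcdiag.exe -ErrorAction SilentlyContinue) {
    & dcdiag.exe /test:dns /test:advertising /test:kccevent
    & repadmin.exe /showrepl
} else {
    Write-Warning 'dcdiag.exe not found: install the Windows Server 2003 Support Tools (suptools.msi) first'
}
```

A DC that reports a missing machine account (5721) alongside KRB_AP_ERR_MODIFIED (4) has a broken secure channel or mismatched computer-account password, so the GC lookup failure on BBAS01 is a symptom of that rather than of the GC service itself.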

Author Closing Comment

by:spongebobzach
Thanks JJ - I got an AD engineer to look at it & I ended up extracting the outlook mailboxes from the exchange.edb without having to start the info store & the boxes are both corrupt so they have to be wiped & rebuilt (no local admin accounts, the DCs aren't speaking to each other, etc... time to consolidate!) but thanks for trying, you're definitely on the right path...