Solved

User account cannot be found in Active Directory

Posted on 2011-09-19
Last Modified: 2012-05-12
I have a user who isn't able to map any network drives that she has access to. Every time she tries to get to a mapped drive, it asks her for her username and password. Every time she puts in her credentials, it just pops the screen back up asking for credentials again. I tried logging into another machine with the same user account and I wasn't able to authenticate; it kept saying that I had the wrong username or password. So what I did was create a new account to see if this is just with her user account.

I created a testad (username) user account and logged onto my machine. I logged on successfully, however I tried to map a network drive and it asked me to put in the username and password for the shared folder again. I put in testad and the password and it didn't do anything except ask me for the password again. I tried my admin account and it allowed me to map the network drive.

Another weird thing is I tried to verify permissions on the directory/folder I'm trying to map to for both accounts, and when I select permissions for the folder, hit Add and enter the user/object name testad, it says: An object named "testad" cannot be found. I tried the initial user account and I got the same response. It's as if these users don't exist. What is going on? I had another tech try to log in on his machine with the new account I created and he couldn't even log on to the system. Not sure what is going on and how to test my AD or troubleshoot this issue. I checked Event Viewer and I saw no suspicious errors. I ran dcdiag and got no errors. I appreciate anyone's help and support.
Question by:nimdatx
33 Comments
 
Expert Comment

by:Tony Massa
ID: 36562410
The computer you're mapping to must authenticate the user accounts against the domain.  If the server with the shared folder has a bad computer account in AD, then your users may not be able to authenticate.

Check that DNS is correct on your server that users are mapping to.  Check the Security log on your server.  If you are not auditing failed logon events, please enable it using GPEDIT.msc, and try again.  You should see every failed logon attempt from any user, as well as the reason.  Post anything that may be significant.

Check to be sure your server's account is okay in AD.  One of the tell-tale signs is that computer's group policy won't apply.  Go to a command prompt on your server, type:

GPUPDATE /target:computer /force

Check the application event log for a successful GPO processing.
*******************************************************************************************
If the computer account in AD is "bad", then you can "REJOIN" the computer to the domain (resyncing it to its account) by going to computer properties (in 2008 it's "Advanced System Settings"), Computer Name tab, then hitting the "CHANGE" button. Change the FQDN domain name to the NetBIOS domain name, and hit OK.

This will require a reboot.

Expert Comment

by:Netman66
ID: 36567165
Sounds like you need to rejoin that computer to the domain.

Author Comment

by:nimdatx
ID: 36567384
I tried to join the user back to a workgroup and then back to the domain. I successfully joined the domain, however whenever I try to map a network share it doesn't accept the username/password of that user. The screen just keeps coming back up asking for credentials. I verified permissions on the share and I even added the user with full control and I still can't map a network drive.

About 4 months ago my primary DC was Fileserver (Win2k3 standard) and moved to my new Fileserver2 (Win2k8 Enterprise).

Old setup:

Fileserver Primary with DNS, DHCP and was a Fileserver.

New Setup:

Fileserver2 is now Primary DC, DHCP, DNS and fileserver is a separate server where users are mapped to.

All has been working and I didn't want to demote my old fileserver. About a week ago I had a HD crash on old Fileserver.

From what I can see in the event viewer, since that happened I've been receiving an Event 1079 and Event 1030 repeatedly.

Source Userenv - Event 1079: Windows cannot search for Group Policy objects. (Operation error.) Group Policy processing aborted.
Source Userenv - Event 1030: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Not sure I would checked the logs?

I have four users that cannot get to their mapped drives/Network resources and I'm not sure why since permissions are set correctly, at least I think they are.

What I have done so far is try to join that PC in a workgroup and back to domain and still same results.

I have logged that user in at another PC and still same results. I created a new user and tried PC in question and still same issue.

I have tried the new user on new PC and still same issue.

echo %logonserver% point to FILESERVER2 when you logon to her desktop? YES

I also tried these steps:
1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
 2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343, http://support.microsoft.com/?id=251343.
 3. The problem may be related to the object's parent on this domain controller. On the source domain controller, move the object to have a different parent.
 4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface.

Diagnostic reports:

My new DC is Fileserver2, which seems to be ok when I run dcdiag.

C:\Users\nimda>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Fileserver2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\FILESERVER2
      Starting test: Connectivity
         ......................... FILESERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\FILESERVER2
      Starting test: Advertising
         ......................... FILESERVER2 passed test Advertising
      Starting test: FrsEvent
         ......................... FILESERVER2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... FILESERVER2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... FILESERVER2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... FILESERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... FILESERVER2 passed test KnowsOfRoleHolde
      Starting test: MachineAccount
         ......................... FILESERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... FILESERVER2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... FILESERVER2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... FILESERVER2 passed test ObjectsReplicate
      Starting test: Replications
         ......................... FILESERVER2 passed test Replications
      Starting test: RidManager
         ......................... FILESERVER2 passed test RidManager
      Starting test: Services
         ......................... FILESERVER2 passed test Services
      Starting test: SystemLog
         ......................... FILESERVER2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... FILESERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValida

   Running partition tests on : RAPA
      Starting test: CheckSDRefDom
         ......................... RAPA passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... RAPA passed test CrossRefValidation

   Running enterprise tests on : RAPA.local
      Starting test: LocatorCheck
         ......................... RAPA.local passed test LocatorCheck
      Starting test: Intersite
         ......................... RAPA.local passed test Intersite

Event Viewer
Directory Services:
NTDS Replication Event ID: 2108
This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.
 
Object:
CN=DBTF72G1,OU=BO Computers,OU=Business Office,DC=RAPA,DC=local
Object GUID:
bc7cd65c-88d5-4100-8cbc-2e466d9fa71e
Source domain controller:
7b7ffb9e-cc90-4923-acd2-7a54d62b980d._msdcs.RAPA.local

User Action
 
 Please consult KB article 837932, http://support.microsoft.com/?id=837932. A subset of its repair procedures are listed here.
 1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
 2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343, http://support.microsoft.com/?id=251343.
 3. The problem may be related to the object's parent on this domain controller. On the source domain controller, move the object to have a different parent.
 4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface.   If the error is occurring in an application partition, you can stop the application partition from being hosted on this replica. This may be changed using the ntdsutil.exe command.
 5. Obtain the most recent ntdsutil.exe by installing the latest service pack for your operating system. Prior to booting into Directory Services Restore Mode (DSRM), verify that the DSRM password is known. Otherwise reset it prior to restarting the system.
 6. In DSRM, run the NT CMD prompt, run "ntdsutil files integrity". If corruption is found and other replicas exist, then demote replica and check your hardware. If no replicas are present, restore a system state backup and repeat this verification.
 7. Perform an offline defragmentation using the "ntdsutil files compact" function.
 8. The "ntdsutil semantic database analysis" should also be performed. If errors are found, they may be corrected using the "go fixup" function.  Note that this should not be confused with the database maintenance function called "ESE repair", which should not be used, since it causes data loss for Active Directory Databases.
 
 If none of these actions succeed and the replication error continues, you should demote this domain controller and promote it again.
 
Additional Data
Primary Error value:
1127 While accessing the hard disk, a disk operation failed even after retries.
Secondary Error value:
-1018 JET_errReadVerifyFailure, Checksum error on a database page

Event ID: 1084
Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller.
 
Object:
CN=DBTF72G1,OU=BO Computers,OU=Business Office,DC=RAPA,DC=local
Object GUID:
bc7cd65c-88d5-4100-8cbc-2e466d9fa71e
Source domain controller:
7b7ffb9e-cc90-4923-acd2-7a54d62b980d._msdcs.RAPA.local
 
Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected.
 
This operation will be tried again at the next scheduled replication.
 
User Action
Restart the local domain controller if this condition appears to be related to low system resources (for example, low physical or virtual memory).
 
Additional Data
Error value:
1127 While accessing the hard disk, a disk operation failed even after retries.

Some more info.....

C:\Users\nimda>repadmin /replsummary
Replication Summary Start Time: 2011-09-19 13:40:20

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 FILESERVER                45m:18s    0 /   6    0
 FILESERVER2       07d.04h:47m:22s    1 /   9   11  (1127) While accessing the h
ard disk, a disk operation failed even after retries.
 VLS-D6DNY8C1          02h:45m:18s    0 /   3    0


Destination DSA     largest delta    fails/total %%   error
 FILESERVER        07d.04h:47m:22s    1 /   6   16  (1127) While accessing the h
ard disk, a disk operation failed even after retries.
 FILESERVER2           02h:45m:18s    0 /   9    0
 VLS-D6DNY8C1          02h:54m:05s    0 /   3    0

C:\Users\nimda>netdom query fsmo
Schema master               Fileserver2.RAPA.local
Domain naming master        Fileserver2.RAPA.local
PDC                         Fileserver2.RAPA.local
RID pool manager            Fileserver2.RAPA.local
Infrastructure master       Fileserver2.RAPA.local
The command completed successfully.


Author Comment

by:nimdatx
ID: 36567540
More tests.....

Fileserver which is not primary DC

dcdiag /v
         

 (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:44:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:44:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:44:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:44:58
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:44:58
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:45:13
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:45:13
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:45:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:45:42
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:45:58
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:45:58
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:46:33
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:46:33
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:46:51
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:46:51
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:47:18
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:47:18
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:47:35
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:47:35
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:47:59
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:47:59
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:48:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:48:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:48:34
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:48:34
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:48:58
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:48:58
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:49:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:49:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:49:36
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:49:36
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:50:07
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:50:07
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:50:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:50:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:50:38
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:50:38
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:50:54
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:50:54
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:51:14
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:51:14
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:51:32
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:51:32
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000043C
            Time Generated: 09/20/2011   09:51:49
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC025083C
            Time Generated: 09/20/2011   09:51:49
            (Event String could not be retrieved)
         ......................... FILESERVER failed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0xC0000007
            Time Generated: 09/20/2011   08:52:19
            Event String: The Security Account Manager failed a KDC request
in an unexpected way. The error is in the data
field. The account name was dbtf72g1$ and lookup
type 0x0.
         An Error Event occured.  EventID: 0x000016AD
            Time Generated: 09/20/2011   08:54:38
            Event String: The session setup from the computer DBTF72G1
failed to authenticate. The following error
occurred:
%%5
         An Error Event occured.  EventID: 0xC0000007
            Time Generated: 09/20/2011   08:54:40
            Event String: The Security Account Manager failed a KDC request
in an unexpected way. The error is in the data
field. The account name was
host/dbtf72g1.rapa.local and lookup type 0x48.
         An Error Event occured.  EventID: 0xC000001B
            Time Generated: 09/20/2011   09:00:54
            Event String: While processing a TGS request for the target
server krbtgt/RAPA.LOCAL, the account
nimda@RAPA.LOCAL did not have a suitable key for
generating a Kerberos ticket (the missing key has
an ID of 8). The requested etypes were 18.  The
accounts available etypes were
23  -133  -128  3  1.
         An Error Event occured.  EventID: 0xC000001B
            Time Generated: 09/20/2011   09:03:32
            Event String: While processing a TGS request for the target
server krbtgt/RAPA.LOCAL, the account
D5SNVLN1$@RAPA.LOCAL did not have a suitable key
for generating a Kerberos ticket (the missing key
has an ID of 8). The requested etypes were 18.
The accounts available etypes were
23  -133  -128  3  1.
         An Error Event occured.  EventID: 0xC000001B
            Time Generated: 09/20/2011   09:35:17
            Event String: While processing a TGS request for the target
server krbtgt/RAPA.LOCAL, the account
NANCYWILSONW7$@RAPA.LOCAL did not have a suitable
key for generating a Kerberos ticket (the missing
key has an ID of 8). The requested etypes were
18.  The accounts available etypes were
23  -133  -128  3  1.
         An Error Event occured.  EventID: 0x0000165B
            Time Generated: 09/20/2011   09:38:34
            Event String: The session setup from computer 'J4R5KQ1' failed
because the security database does not contain a
trust account 'J4R5KQ1$' referenced by the
specified computer.

USER ACTION
If this is the first occurrence of this event for
the specified computer and account, this may be a
transient issue that doesn't require any action
at this time. Otherwise, the following steps may
be taken to resolve this problem:

If 'J4R5KQ1$' is a legitimate machine account for
the computer 'J4R5KQ1', then 'J4R5KQ1' should be
rejoined to the domain.

If 'J4R5KQ1$' is a legitimate interdomain trust
account, then the trust should be recreated.

Otherwise, assuming that 'J4R5KQ1$' is not a
legitimate account, the following action should
be taken on 'J4R5KQ1':

If 'J4R5KQ1' is a Domain Controller, then the
trust associated with 'J4R5KQ1$' should be
deleted.

If 'J4R5KQ1' is not a Domain Controller, it
should be disjoined from the domain.
         An Error Event occured.  EventID: 0x000016AD
            Time Generated: 09/20/2011   09:40:52
            Event String: The session setup from the computer J4R5KQ1
failed to authenticate. The following error
occurred:
%%5
         ......................... FILESERVER failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=FILESERVER,OU=Domain Controllers,DC=RAPA,DC=local and backlink on
         CN=FILESERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu
ration,DC=RAPA,DC=local
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=FILESERVER,CN=Domain System Volume (SYSVOL share),CN=File Replicatio
n Service,CN=System,DC=RAPA,DC=local
         and backlink on CN=FILESERVER,OU=Domain Controllers,DC=RAPA,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=FILESERVER,CN=Domain System Volume (SYSVOL share),CN=File Replicatio
n Service,CN=System,DC=RAPA,DC=local
         and backlink on
         CN=NTDS Settings,CN=FILESERVER,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=RAPA,DC=local
         are correct.
         ......................... FILESERVER passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : RAPA
      Starting test: CrossRefValidation
         ......................... RAPA passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... RAPA passed test CheckSDRefDom

   Running enterprise tests on : RAPA.local
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         Skipping site STARVASC-Site, this site is outside the scope provided
         by the command line arguments provided.
         ......................... RAPA.local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\fileserver.RAPA.local
         Locator Flags: 0xe00001fc
         PDC Name: \\Fileserver2.RAPA.local
         Locator Flags: 0xe00033fd
         Time Server Name: \\fileserver.RAPA.local
         Locator Flags: 0xe00001fc
         Preferred Time Server Name: \\Fileserver2.RAPA.local
         Locator Flags: 0xe00033fd
         KDC Name: \\fileserver.RAPA.local
         Locator Flags: 0xe00001fc
         ......................... RAPA.local passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

Same Test on new primary DC

dcdiag /v


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\nimda>dcdiag /v

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine Fileserver2, is a Directory Server.
   Home Server = Fileserver2
   * Connecting to directory service on server Fileserver2.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=RAPA,DC=local,
LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=RAPA,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=STARVASC-Site,CN=Sites,
CN=Configuration,DC=RAPA,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=RAPA,DC=local,
LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=FILESERVER,CN=Servers,
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=VLS-D6DNY8C1,CN=Server
s,CN=STARVASC-Site,CN=Sites,CN=Configuration,DC=RAPA,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=FILESERVER2,CN=Servers
,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\FILESERVER2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... FILESERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\FILESERVER2
      Starting test: Advertising
         The DC FILESERVER2 is advertising itself as a DC and having a DS.
         The DC FILESERVER2 is advertising as an LDAP server
         The DC FILESERVER2 is advertising as having a writeable directory
         The DC FILESERVER2 is advertising as a Key Distribution Center
         The DC FILESERVER2 is advertising as a time server
         The DS FILESERVER2 is advertising as a GC.
         ......................... FILESERVER2 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         ......................... FILESERVER2 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         Skip the test because the server is running FRS.
         ......................... FILESERVER2 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... FILESERVER2 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 min
utes.
         ......................... FILESERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=FILESERVER2,CN=Servers,CN=Defau
lt-First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=FILESERVER2,CN=Servers,CN=Defau
lt-First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=FILESERVER2,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=FILESERVER2,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=FILESERVER2,CN=S
ervers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
         ......................... FILESERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC FILESERVER2 on DC FILESERVER2.
         * SPN found :LDAP/Fileserver2.RAPA.local/RAPA.local
         * SPN found :LDAP/Fileserver2.RAPA.local
         * SPN found :LDAP/FILESERVER2
         * SPN found :LDAP/Fileserver2.RAPA.local/RAPA
         * SPN found :LDAP/7b7ffb9e-cc90-4923-acd2-7a54d62b980d._msdcs.RAPA.loca
l
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/7b7ffb9e-cc90-4923-ac
d2-7a54d62b980d/RAPA.local
         * SPN found :HOST/Fileserver2.RAPA.local/RAPA.local
         * SPN found :HOST/Fileserver2.RAPA.local
         * SPN found :HOST/FILESERVER2
         * SPN found :HOST/Fileserver2.RAPA.local/RAPA
         * SPN found :GC/Fileserver2.RAPA.local/RAPA.local
         ......................... FILESERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC FILESERVER2.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=RAPA,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=RAPA,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=RAPA,DC=local
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=RAPA,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=RAPA,DC=local
            (Domain,Version 3)
         * Security Permissions Check for
           DC=STARVASC,DC=RAPA,DC=local
            (Domain,Version 2)
         ......................... FILESERVER2 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\FILESERVER2\netlogon
         Verified share \\FILESERVER2\sysvol
         ......................... FILESERVER2 passed test NetLogons
      Starting test: ObjectsReplicated
         FILESERVER2 is in domain DC=RAPA,DC=local
         Checking for CN=FILESERVER2,OU=Domain Controllers,DC=RAPA,DC=local in d
omain DC=RAPA,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=FILESERVER2,CN=Servers,CN=Default-Firs
t-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local in domain CN=Configuratio
n,DC=RAPA,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... FILESERVER2 passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=RAPA,DC=local
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Configuration,DC=RAPA,DC=local
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=RAPA,DC=local
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=STARVASC,DC=RAPA,DC=local
               Latency information for 1 entries in the vector were ignored.
                  0 were retired Invocations.  1 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
         ......................... FILESERVER2 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 4603 to 1073741823
         * Fileserver2.RAPA.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4103 to 4602
         * rIDPreviousAllocationPool is 4103 to 4602
         * rIDNextRID: 4152
         ......................... FILESERVER2 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... FILESERVER2 passed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... FILESERVER2 passed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=FILESERVER2,OU=Domain Controllers,DC=RAPA,DC=local and backlink on
         CN=FILESERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Config
uration,DC=RAPA,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=FILESERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replicati
on Service,CN=System,DC=RAPA,DC=local
         and backlink on
         CN=NTDS Settings,CN=FILESERVER2,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=RAPA,DC=local
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=FILESERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replicati
on Service,CN=System,DC=RAPA,DC=local
         and backlink on CN=FILESERVER2,OU=Domain Controllers,DC=RAPA,DC=local
         are correct.
         ......................... FILESERVER2 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : RAPA
      Starting test: CheckSDRefDom
         ......................... RAPA passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... RAPA passed test CrossRefValidation

   Running enterprise tests on : RAPA.local
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\Fileserver2.RAPA.local
         Locator Flags: 0xe00033fd
         PDC Name: \\Fileserver2.RAPA.local
         Locator Flags: 0xe00033fd
         Time Server Name: \\Fileserver2.RAPA.local
         Locator Flags: 0xe00033fd
         Preferred Time Server Name: \\Fileserver2.RAPA.local
         Locator Flags: 0xe00033fd
         KDC Name: \\Fileserver2.RAPA.local
         Locator Flags: 0xe00033fd
         ......................... RAPA.local passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         Skipping site STARVASC-Site, this site is outside the scope provided
         by the command line arguments provided.
         ......................... RAPA.local passed test Intersite
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568138
Did you do ADSI Edit and remove the failed server?
Is DHCP only handing out IPs of your current active domain controllers?
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568147
You will also need to clean up DNS references that are pointing to the dead server.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36568187
5g6tdcv4,

I have not performed ADSI Edit, not sure how to do that and I'm afraid to do more damage. You know....DHCP was enabled after a reboot when old DC/Fileserver's HD failed. I guess it was started after reboot. I did notice that IPs were leased. That was the very first thing I did was check DHCP on old DC server. I stopped services (DHCP). I do know that my new DC (Fileserver2) has leased out more IPs through DHCP, so it looks ok. I'm not sure how to clean out references that are pointing to dead server. Note that old DC/Fileserver is still used for certain applications and some fileshares.

Very good point....how would I proceed to do all that?

Thanks so much.
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568209
Well, for starters, how many domain controllers do you currently have running?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 36568242
Follow this article and remove the bad DC.

http://support.microsoft.com/kb/216498
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36568268
Three Domain Controllers
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568294
No, follow this: http://fawzi.wordpress.com/2010/11/11/remove-failed-dc-from-ad-manually-never-been-easier/
Since you have a 2008 DC you don't need to do the manual method.
I would still crawl through DNS and clean up any reference to any nonexistent DC......just delete the SRV records.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 36568317
Interesting that your link contains links to the MS KB I posted...

Use the MS links..stop making other people money off ADs.

Yes, you can also do it from the GUI in 2008, but who knows what functional level everything is at.

0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568327
Thank you for your input. I will post link to whoever has the best content. At my discretion, not yours
0
 
LVL 51

Expert Comment

by:Netman66
ID: 36568340
You started the pissing match, not I.

0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568370
Anyway,
there is no need to go through the hassle of manually deleting the domain controller when all you have to do is delete the server object from ADUC when running a Server 2008 controller. There is much less chance of a mistake. It will also perform cleanup on older versions of Server as well.
Just right click the dead server and delete, Server 2008 will do the metadata cleanup.
Again, I still suggest verifying no DNS references to the old server that relate to AD.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36568521
Ok....so I go to my current primary DC Fileserver2 (2008) and delete the domain controller Fileserver which is server 2003? Can you provide the proper steps to clean up DNS again?
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36568536
Also, will I still be able to access Fileserver once I delete? Remember, we have some important applications and shared folders users access and map to.
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568539
You will need to rejoin fileserver as a member server back to the domain after you remove it
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568544
Any other roles besides file server running on the 2003 server?
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36568564
I have these under DC. Why do I have one listed as DC and the other a GC? I'm about to delete Fileserver/DC?

 DC
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568573
That is saying that Active Directory thinks fileserver is a domain controller....fileserver2 is a global catalog controller.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36568575
Yes.

DNS Role
DHCP Role, however it's stopped.
Fileserver
Application server
Fileserver
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568583
can you run dcpromo on the fileserver? and demote it? (from an elevated command prompt)
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36568599
I haven't tried. I'm scared it will ruin something else. Should I do that?
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568606
It is the best way
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36568611
I want to make sure everything is working 100% ok on my new Fileserver2, before I demote Fileserver.
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568616
Ok, that is a good step
0
 
LVL 13

Accepted Solution

by:
5g6tdcv4 earned 500 total points
ID: 36568673
as far as AD is concerned this is the important part:
Schema master               Fileserver2.RAPA.local
Domain naming master        Fileserver2.RAPA.local
PDC                         Fileserver2.RAPA.local
RID pool manager            Fileserver2.RAPA.local
Infrastructure master       Fileserver2.RAPA.loca

All roles are held on the new server and it is a GC, so you should be able to demote the old server either through dcpromo, or through deletion of the domain controller computer object (dcpromo preferred).
The only other problem you might run into is if any DHCP server is handing out IPs with primary DNS and secondary DNS pointing to incorrect AD servers.
Make sure the DHCP server will be handing out correct DNS information.
In Active Directory it's all about the DNS, it is critically important.
0
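An added example, not part of the thread and not Microsoft tooling: a Python check that re-joins the 80-column wraps seen in the verbose dcdiag output posted above, reads the KnowsOfRoleHolders owners and the registered NTDS Settings objects, and reports whether a server due for demotion still holds a role. The sample text is constructed from the thread's names with the PDC owner altered to FILESERVER so there is something to flag; the function names are hypothetical.

```python
import re

# Constructed sample shaped like the thread's "dcdiag /v" output, including the
# hard wraps. The PDC owner is deliberately changed to FILESERVER for the demo.
SAMPLE = """\
   Getting information for the server CN=NTDS Settings,CN=FILESERVER,CN=Servers,
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
   Getting information for the server CN=NTDS Settings,CN=FILESERVER2,CN=Servers
,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local

      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=FILESERVER2,CN=Servers,CN=Defau
lt-First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=FILESERVER2,CN=Servers,CN=Defau
lt-First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=FILESERVER,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=FILESERVER2,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=FILESERVER2,CN=S
ervers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=RAPA,DC=local
         ......................... FILESERVER2 passed test KnowsOfRoleHolders
"""

# Role labels as dcdiag prints them between "Role" and "Owner".
EXPECTED_ROLES = {"Schema", "Domain", "PDC", "Rid", "Infrastructure Update"}
ROLE_RE = re.compile(r"^\s*Role (.+?) Owner = CN=NTDS Settings,CN=([^,]+),")
SERVER_RE = re.compile(
    r"Getting information for the server CN=NTDS Settings,CN=([^,]+),")


def unwrap(text):
    """Re-join console wraps: dcdiag indents its own lines, so a line that
    starts in column 0 directly after a non-blank line is a continuation."""
    lines = []
    for line in text.splitlines():
        if lines and lines[-1].strip() and line and not line[0].isspace():
            lines[-1] += line
        else:
            lines.append(line)
    return lines


def parse_dcdiag(text):
    """Return ({role: holder}, {DCs with an NTDS Settings object})."""
    roles, servers = {}, set()
    for line in unwrap(text):
        role = ROLE_RE.match(line)
        if role:
            roles[role.group(1)] = role.group(2).upper()
            continue
        server = SERVER_RE.search(line)
        if server:
            servers.add(server.group(1).upper())
    return roles, servers


def demotion_check(text, retiring):
    """Summarise what the output says about the server being retired."""
    retiring = retiring.upper()
    roles, servers = parse_dcdiag(text)
    return {
        # Must be empty before the server is demoted.
        "roles_held": sorted(r for r, h in roles.items() if h == retiring),
        # Roles the output never reported; treat as "unknown", not "safe".
        "missing_roles": sorted(EXPECTED_ROLES - roles.keys()),
        # Still True after a demotion means metadata cleanup is outstanding.
        "registered_as_dc": retiring in servers,
    }


if __name__ == "__main__":
    print(demotion_check(SAMPLE, "Fileserver"))
```

Run it on output captured before demotion to confirm `roles_held` is empty, and again afterwards to confirm `registered_as_dc` is false.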
 
LVL 1

Author Comment

by:nimdatx
ID: 36568711
I appreciate all your help!!!! I just need to be able to make sure DHCP and DNS is working correctly on new server. How can I achieve your comment below? If possible, your steps would be greatly appreciated. It's easier for me to perform that way.

The only other problem you might run into is if any DHCP server is handing out IPs with primary DNS and secondary DNS pointing to incorrect AD servers.
Make sure the DHCP server will be handing out correct DNS information.
In Active Directory it's all about the DNS, it is critically important.
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568740
So just check a client that is getting its IP from your DHCP server, run "ipconfig /all" and verify DNS is pointing to the correct AD servers.
Make sure DHCP services are shut down on the 2003 server! Set them to manual start.

You can check DNS by doing dcdiag /test:dns
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568748
Another simple way is to shut down all DNS/DHCP/AD services running on the 2003 server and see what problems pop up on the network.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36568839
ok....so I'll shut down all DNS, DHCP and AD services. How do I shutdown AD services? Where do I delete SRV records? Or can I just shut down DNS on 2003/Fileserver?
C:\Users\nimda> dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Fileserver2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\FILESERVER2
      Starting test: Connectivity
         ......................... FILESERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\FILESERVER2

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... FILESERVER2 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : RAPA

   Running enterprise tests on : RAPA.local
      Starting test: DNS
         ......................... RAPA.local passed test DNS

 DNS

How do I clean DNS out on my new Fileserver2?
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36568854
Dcpromo should clean bad dns entries
You would only need to clean it by hand if demotion is unsuccessful
0
