DNS Errors On New Network

Posted on 2011-10-11
Last Modified: 2012-05-12
Wow, I have a winner here.
This was a 2003 network that was upgraded to 2008 servers.
The Active Directory 2003 server is still on the network. It appears that a DCPROMO
was aborted and there are a ton of errors. This is on the 2003 server:

DNS Error 6702
DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.

If this DNS server does not have any DS-integrated peers, then this error should be ignored.

Event ID 1054 on 2003-server Application
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

Event ID: 27 System Log
While processing a TGS request for the target server krbtgt/LOCAL, the account UserN@LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.


Active Directory Error 2092  

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: DC=Local
User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

Active Directory Error 2088:

Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources.
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
Alternate server name:
Failing DNS host name:
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action:
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on
  dcdiag /test:dns
 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
  dcdiag /test:dns
 5) For further analysis of DNS error failures see KB 824449:
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.

My question is this: what am I getting into?


Question by:Joseph Salazar
    LVL 14

    Accepted Solution

    It seems you have tried to transfer roles to your 2008 server, but somewhere along the line it went wrong.
    Also the DNS is not completely replicated under the 2008 server. If you check in the DNS records, is there a listing for 2003?
    LVL 39

    Assisted Solution

    by:Krzysztof Pytko
    OK, it looks like your old DC box was improperly demoted and something went wrong. So, I would suggest to decommission it with /force parameter. How to do that, you may find on my blog at

    After that, remove this server from the network and do not use it before reinstallation as a DC again.

    Then you need to seize FSMO roles to the new DC. You will also find how to do that on my blog at

    As the last step, you should modify DNS entries on each statically configured server to point to the new one and remove the old one. Also do this change on your DHCP server. In server/scope options (depends on your configuration) modify option no. 006 (remove old DNS server - 2003 and put the new one - 2008)

    and advertise new time server in your environment

    [...]- after transfer of the PDCEmulator role, configure the NEW PDCEmulator to an external time source and reconfigure the old PDCEmulator to use the domain hierarchy now. Therefore run on the NEW "w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update" where PEERS will be filled with the ip address or server( and on the OLD one run "w32tm /config /syncfromflags:domhier /reliable:no /update" and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes. [...]

    it's an extract from MVP blog at

    after all, run on your 2008 DC in command-line

    dcdiag /c /v

    and review if there are no errors


    Author Closing Comment

    by:Joseph Salazar
    Opened a Ticket with Microsoft and you were both correct.

    They logged into all 4 of the servers and fixed the issue. Yep, this was a Microsoft call for sure.

