Solved

New Windows Server 2008 Domain Controller will not take over domain operations correctly

Posted on 2012-04-13
2,975 Views
Last Modified: 2012-07-15
Setup:

Windows 2003 Server domain controller is getting phased out.

I ran adprep /forestprep and adprep /domainprep on the existing 2003 DC.

I then promoted the 2008 server to a DC, and made it a DNS server.

I restarted both servers multiple times.

I waited overnight, and then shutdown the old 2003 server.

I pointed the 2008 server to its own IP for DNS, and removed the 2003 server IP from DNS in the NIC.

Even though the 2008 server is a domain controller, and was able to access Active Directory while the 2003 server was up, it is unable to access it with the 2003 server shut down.

I am getting a few errors:

Netlogon Event:

This computer was not able to set up a secure session with a domain controller in domain MYDOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

When accessing Active Directory

- Naming information could not be located because: The specified domain either does not exist or could not be contacted.

-  The domain "mydomain.local" could not be found because the specified domain either does not exist, or could not be contacted.

Group Policy Event:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.


My suspicion is that it is a DNS issue, but I am at a loss.

If I turn the 2003 DC back on, and point the 2008 server to it as DNS, then Active Directory and everything works fine.

I am thinking I probably missed a step somewhere.

Thanks for the help!
Question by:jkockler

107 Comments
 
LVL 8

Assisted Solution

by:X-treem
X-treem earned 100 total points
did you transfer the roles?
0
 
LVL 4

Author Comment

by:jkockler
No I did not. :)

Do you have a recommended read on this? I found a few on Google, but maybe you have something in the bookmarks.
0
 
LVL 8

Expert Comment

by:X-treem
0
 
LVL 8

Expert Comment

by:X-treem
ps: don't forget the GC
0
 
LVL 3

Expert Comment

by:Mutogi
Hey, let's not reinvent the wheel here; "demazter" has a PERFECT guide to follow:

http://rdsrc.us/gXoZ0P

The last couple of sections explain it very well.
0
 
LVL 33

Accepted Solution

by:paulmacd
paulmacd earned 100 total points
If the old DC is no longer available (it's not clear if it was demoted or not), you'll need to seize the FSMO roles on the new DC.

http://support.microsoft.com/kb/255504

http://www.petri.co.il/seizing_fsmo_roles.htm
0
 
LVL 2

Expert Comment

by:jpvargassoruco
The guide proposed by "Mutogi" is a very good one, excellent in fact, but I disagree with the last step because it is going to remove your old DC, and if something goes wrong you will have a hard time configuring your new Windows Server 2008 Domain Controller.

I would recommend using this guide for your case; you will be able to transfer all 5 roles without removing your old Domain Controller.

http://www.petri.co.il/transferring_fsmo_roles.htm
0
 
LVL 4

Author Comment

by:jkockler
Thank you!

I appreciate the help!

I was able to migrate the roles, and the 2k8 is a GC.

Rebooting the 2k8 now with the 2k3 offline again.

Hopefully it's a go now.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Check your dcdiag before you do anything
0
 
LVL 4

Author Comment

by:jkockler
DCDIAG was mostly successful, except for these errors:  

Testing server: Default-First-Site-Name\WIN2K8
    Starting test: Advertising
       Warning: DsGetDcName returned information for
       \\WIN2K3.MYDOMAIN.local, when we were trying to reach
       WIN2K8.
       SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
       ......................... WIN2K8 failed test Advertising

Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=mydomain,DC=local
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=mydomain,DC=local
    ......................... WIN2K8 failed test NCSecDesc
 Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\WIN2K8\netlo
    [WIN2K8] An net use or LsaPolicy operation failed with e
    67, The network name cannot be found..
    ......................... WIN2K8 failed test NetLogons
0
 
LVL 3

Expert Comment

by:Mutogi
Maybe a DNS issue; check clients and server, and also add loopback as secondary DNS on the server.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Here is how you fix the problem:

Take a backup of the Policies and Scripts folders from both servers from c:\Windows\Sysvol\domain.
Stop the NTFRS service on both DCs.
Make one of the DCs the authoritative server by modifying a registry setting: navigate to HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and set the Burflags value to D4. This should be done on the server which has the updated information or correct data.

Go to the other DC and make that one non-authoritative by navigating to the same registry location HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and setting the Burflags value to D2.
Restart the NTFRS service on both servers and force replication; look for event 13516 in Event Viewer for FRS.
0
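An added read-only health check (example script, not from this thread or any of its posters) that gathers in one pass the state discussed in the dcdiag output and the Burflags procedure above: the SYSVOL/NETLOGON shares and Policies folder, the DC's own DNS client settings, the five FSMO role holders and whether they answer, and the FRS Burflags and journal-wrap registry values plus recent FRS events. It assumes Windows Server 2008 R2 or later with the ActiveDirectory PowerShell module (RSAT) installed, runs elevated on the new DC, and reads the global Burflags key documented by Microsoft (Backup/Restore\Process at Startup) rather than the per-replica-set path quoted above; it changes nothing.

```powershell
# Added example: read-only health check for a freshly promoted DC whose
# SYSVOL has not replicated. Assumes Server 2008 R2+ with the ActiveDirectory
# module (RSAT) installed; run from an elevated PowerShell on the new DC.
# It only reads state; the Burflags D4/D2 change itself stays a manual step.
Import-Module ActiveDirectory -ErrorAction Stop

$findings   = @()
$loopbacks  = @('127.0.0.1', '::1')
$nics       = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
$myIPs      = @($nics | ForEach-Object { $_.IPAddress })
$dnsServers = @($nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })

# 1. SYSVOL / NETLOGON: Netlogon publishes these shares only after the SYSVOL
#    replica set finishes its initial sync, so missing shares match the
#    dcdiag NetLogons failure (error 67) and the empty sysvol\domain folder.
$shares = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name })
$sysvolReady = $true
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -notcontains $s) { $findings += "$s share is not published"; $sysvolReady = $false }
}
$policies = Join-Path $env:SystemRoot 'SYSVOL\domain\Policies'
if (-not (Test-Path $policies)) {
    $findings += "$policies is missing: SYSVOL content never replicated"; $sysvolReady = $false
}

# 2. DNS client settings on the DC. Until SYSVOL is ready this DC cannot
#    advertise, so it must resolve the domain through a healthy DC rather
#    than itself, and a decommissioned partner still in the list is a problem.
"DNS client servers: $($dnsServers -join ', ')"
$selfFirst = ($dnsServers.Count -gt 0) -and
             (($myIPs -contains $dnsServers[0]) -or ($loopbacks -contains $dnsServers[0]))
if ($selfFirst -and -not $sysvolReady) {
    $findings += "First DNS server is this DC but SYSVOL is not ready; point DNS at a healthy DC first"
}
foreach ($dns in $dnsServers) {
    if (($loopbacks -notcontains $dns) -and -not (Test-Connection -ComputerName $dns -Count 1 -Quiet)) {
        $findings += "DNS server $dns does not answer (decommissioned DC still configured?)"
    }
}

# 3. FSMO role holders: every role must name a DC that still exists and answers.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    "$($r.Key): $($r.Value)"
    if (-not $r.Value) {
        $findings += "$($r.Key) has no holder recorded"
    } elseif (-not (Test-Connection -ComputerName $r.Value -Count 1 -Quiet)) {
        $findings += "$($r.Key) is held by $($r.Value), which is unreachable (transfer or seize required)"
    }
}

# 4. FRS state: the global Burflags value (the key name contains a '/', which
#    the registry provider mishandles, so .NET opens it), the journal-wrap
#    switch mentioned later in the thread, and the FRS events to watch for.
$frsParams = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$burKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$frsParams\Backup/Restore\Process at Startup")
if ($burKey) {
    $bur = $burKey.GetValue('BurFlags', 0)
    'BurFlags = 0x{0:X} (D4 = authoritative, D2 = non-authoritative, 0 = already processed)' -f $bur
}
$jw = (Get-ItemProperty -Path "HKLM:\$frsParams" -ErrorAction SilentlyContinue).'Enable Journal Wrap Automatic Restore'
if ($jw -eq 1) {
    $findings += "'Enable Journal Wrap Automatic Restore' is still 1; set it back to 0 once replication recovers"
}
# 13516 = SYSVOL ready and shared, 13508 = cannot replicate with partner, 13568 = journal wrap
$frsEvents = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516, 13508, 13568 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $frsEvents) { '{0}  FRS event {1}' -f $e.TimeCreated, $e.Id }

''
'Findings:'
if ($findings.Count -eq 0) { '  none' } else { $findings | ForEach-Object { "  - $_" } }
```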
 
LVL 4

Author Comment

by:jkockler
Okay thanks! I will give that a go.
0
 
LVL 4

Author Comment

by:jkockler
" This should be done with server which has the Updated information available or correct data."

Are you referring to data in the  c:\windows\sysvol\domain folder?

The server that I want to make authoritative, does not have anything in the c:\windows\sysvol\domain folder

Normal?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
The server you want to make authoritative with the Burflag method is the server that has this data, so one of the older servers. Do NOT worry about the FSMO roles; this has nothing to do with them.

At this point you want to get replication fully going and create SYSVOL and Netlogon.
0
 
LVL 4

Author Comment

by:jkockler
I already did the FSMO roles. Does that matter?
0
 
LVL 4

Author Comment

by:jkockler
Never mind .. I get what you are saying.
0
 
LVL 4

Author Comment

by:jkockler
Okay, did that. I then went to Active Directory Sites and Services, and chose to replicate from the old server.

I don't see that event id, and I don't have anything in the sysvol\domain folder.

How long should it take?
0
 
LVL 4

Author Comment

by:jkockler
This error kicked up on the new server receiving the information:

The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\mydomain.local\SCRIPTS.  The following error occurred:
The system cannot find the file specified.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Sometimes it can take a bit. Allow this to run for a while.

Did you follow the instructions properly as well?

D4 on old DC
D2 on new DC.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Post ipconfig /all
0
 
LVL 4

Author Comment

by:jkockler
This is from the new server that needs the data.


Windows IP Configuration

   Host Name . . . . . . . . . . . . : win2k8
   Primary Dns Suffix  . . . . . . . : mydomain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mydomain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II G
 VBD Client) #30
   Physical Address. . . . . . . . . : D4-AE-52-6C-23-A3
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f842:438:7c5f:86a2%11(Pref
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 248819282
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-E2-F7-84-D4-AE-52

   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.1.10
                                       192.168.1.245
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{B569B19F-1973-48D2-9708-E5F7ECAD868B}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interfac
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
0
 
LVL 59

Expert Comment

by:Darius Ghassem
You need to remove the IP address of the server from the DNS settings within the TCP\IP properties; it should only be pointing to an old DC for DNS for now.

Once you have done this, go through the Burflag process again.
0
 
LVL 4

Author Comment

by:jkockler
ok
0
 
LVL 3

Expert Comment

by:Mutogi
The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\mydomain.local\SCRIPTS.  The following error occurred:
The system cannot find the file specified.

Same error on a migration that I had; restarted everything (switches, routers, firewall), waited, and everything worked again.
0
 
LVL 4

Author Comment

by:jkockler
No errors this time, but still nothing in those folders. I waited it out, but it's only 6mb of data that has to move.

I am restarting both servers now.

Can I copy those files over manually, or is that just crazy talk?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Is there a PreExisting folder in the SYSVOL?
0
 
LVL 4

Author Comment

by:jkockler
yes
0
 
LVL 4

Author Comment

by:jkockler
The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
0
 
LVL 4

Author Comment

by:jkockler
I just realized the 2003 box is SP1. Is 2008 R2 able to replicate from a 2003 Sp1 box?
0
 
LVL 3

Expert Comment

by:Mutogi
Are you seeing NTFS in Event Viewer?

I just completed an SBS2003 SP1 to Server 2008 R2 with Exchange 2010; same error, restarted all and established connection.

Don't know if this helps, but: starting the 03 server, then the 08, after restarting the network.
0
 
LVL 4

Author Comment

by:jkockler
I have restarted a bunch and in that order.

This is definitely a DNS issue. I don't understand where it's coming from though.

I ran the repadmin /showrepl because of this error, and I have pasted the output of the command below. Everything passes except for the last one.

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.



Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.win2k8>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\win2k8
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 966e5731-a312-4cbf-9842-38925298f604
DSA invocationID: b5831ccd-d82e-43c9-b11b-4d8c13a01d1b

==== INBOUND NEIGHBORS ======================================

DC=intergy,DC=local
    Default-First-Site-Name\win2k3 via RPC
        DSA object GUID: 1d43785f-256b-4b2f-99ae-492e63dfe43b
        Last attempt @ 2012-04-13 14:58:50 was successful.

CN=Configuration,DC=mydomain,DC=local
    Default-First-Site-Name\win2k3 via RPC
        DSA object GUID: 1d43785f-256b-4b2f-99ae-492e63dfe43b
        Last attempt @ 2012-04-13 14:58:50 was successful.

CN=Schema,CN=Configuration,DC=mydomain,DC=local
    Default-First-Site-Name\win2k3 via RPC
        DSA object GUID: 1d43785f-256b-4b2f-99ae-492e63dfe43b
        Last attempt @ 2012-04-13 14:58:50 was successful.

DC=DomainDnsZones,DC=mydomain,DC=local
    Default-First-Site-Name\win2k3 via RPC
        DSA object GUID: 1d43785f-256b-4b2f-99ae-492e63dfe43b
        Last attempt @ 2012-04-13 14:58:50 was successful.

DC=ForestDnsZones,DC=mydomain,DC=local
    Default-First-Site-Name\win2k3 via RPC
        DSA object GUID: 1d43785f-256b-4b2f-99ae-492e63dfe43b
        Last attempt @ 2012-04-13 14:58:50 was successful.

Source: Default-First-Site-Name\win2k3
******* 3 CONSECUTIVE FAILURES since 2012-04-13 14:24:48
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failu
re.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Post ipconfig /all from 2003 and 2008 server.

Run dcdiag /fix

You can replicate with SP1, but you should upgrade to SP2.
0
 
LVL 3

Expert Comment

by:Mutogi
This is what I did, in these steps:

turned off 03 server
turned off 08 server

powered on 03 till I can log in,
logged into 03 server

powered on 08 server
didn't log in

restart ISP internet firewall switches (ALL)

restarted content filter (Untangle) or sonicwall

went outside to smoke a cigarette,

went to bathroom

came back to sit in front of computer..........

logged into 03 server (locked screen)

looked at evntvwr

NTFS errors still there

changed local LAN DNS on 03 and 08 servers to
1. 192.168.1.250 (08 server IP)
2. 127.0.0.1 (A MUST HAVE)
3. 192.168.1.245 (another DNS on network)

restarted 03 server again.

ran this:
In my case these changes didn't resolve the problem:
1. Stop FRS.
2. Start Registry Editor (Regedt32.exe).
3. Locate and click the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
4. On the Edit menu, click Add Value, and then add the following registry value:
   Value name: Enable Journal Wrap Automatic Restore
   Data type: REG_DWORD
   Radix: Hexadecimal
   Value data: 1 (Default 0)
5. Quit Registry Editor.
6. Restart FRS.

WAITED MINIMUM of 5 mins with regedit still open, timed with stop watch,

CHECKED EVENT VIEWER every minute. Once replication happened,

CHANGED DWORD to (0) ZERO and stopped.

WAITED AGAIN 7 minutes to see the error again; it was no more.......
0
 
LVL 4

Author Comment

by:jkockler
Thanks but it didn't work for me.

I am still getting a lot of errors, and mainly from group policy, for that c:\windows\sysvol directory.

I got everything I needed off the old 2K3 server, and decided to just seize the roles, instead of just transferring them.

The win2k3 server is down for good.

I ran the commands to seize all of the roles, yet I still get the error in the event log:

The processing of Group Policy failed. Windows attempted to read the file \\intergy.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 200 total points
Hey Dariusq:

Sounds like a metadata cleanup of DNS, FRS and AD of the 2003 server. It's the metadata that's causing problems for an AD server that doesn't exist any more.

The admin, with the 03 server online, should have transferred the five FSMO roles and gracefully demoted the 03 server. This would have solved the metadata problems.

File replication event errors and Group Policy errors will continue to exist while you have metadata of a non-existent AD server with FSMO roles, a non-available DNS server, and a non-existent FRS replication partner.
0
 
LVL 4

Author Comment

by:jkockler
@ChiefIT

Is there a way to clear the metadata?

Everything except for group policy seems to be working.

Is there a way to force a clean group policy, in order to get a clean slate on it, without having to rebuild the entire domain?

The group policy never replicated to the c:\windows\sysvol\ directory on the new server.

The win2k3 server is still accessible if I need it to be, but I am not sure what kind of major issues will arise if I put them together again, now that I have seized the FSMO roles.

I did transfer the FSMO roles to start with, but the group policy would not replicate to the new server.
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 200 total points
This article helps clear metadata:

http://www.petri.co.il/delete_failed_dcs_from_ad.htm


You have to do this on ALL domain servers.

Don't forget you have to remove FRS, AD and DNS metadata... Follow this article to the T.
0
 
LVL 38

Expert Comment

by:ChiefIT
In your case, the FAILED DC is the 2003 server that is removed and not to return to the domain.
0
 
LVL 4

Author Comment

by:jkockler
Awesome thanks a million.

I am reading through the article now.

Once I remove the old DC metadata, do you think the new DC will then create the default group policy for a domain, and allow me to edit group policy?

My concern is since it never successfully replicated the group policy data from the old server,  there is something in place that will prevent it from allowing the default "out of box" policies.
0
 
LVL 4

Author Comment

by:jkockler
0
 
LVL 38

Expert Comment

by:ChiefIT
The reason I picked the Petri article is because it addresses DNS, File Replication, and AD metadata.

DNS metadata will point to a DNS authoritative server and AD server that doesn't exist any more... Hence some of your errors.

FRS metadata (Sites and Services) will point to a replication partner of the 08 server that doesn't exist any more... Hence Group Policy and File Replication errors. (Once fixed, you have to reset the replication set. So, those errors may not immediately go away.)

The AD database is still the AD database... With an AD server that's tombstoned within the AD database, you will not be able to gracefully add the new server to the domain.

These three metadata objects are the bane of your existence, and it doesn't matter if that's on an 03 server OR an 08 server.
0
 
LVL 38

Expert Comment

by:ChiefIT
Your article doesn't address DNS metadata cleanup. Make sure you do that as well.
0
 
LVL 4

Author Comment

by:jkockler
Sounds good. I'll use yours instead. Just didn't want to do something to make it worse following the 2003 article.

Once I remove the old DC metadata, do you think the new DC will then create the default group policy for a domain, and allow me to edit group policy?

My concern is since it never successfully replicated the group policy data from the old server,  there is something in place that will prevent it from allowing the default "out of box" policies.
0
 
LVL 38

Expert Comment

by:ChiefIT
Right now, your Group Policy replications (performed via FRS) are seized. It's called Journal Wrap. It's when you get a partial data set of Group Policy and then your replications between servers seize. Once seized, GP STOPS. What we will do is clean up FRS metadata, and restart the NTFRS service to see if replications unhose themselves. We will address Group Policy AFTER metadata cleanup. This metadata is the root cause of your problems. Group Policy is just a symptom that we will fix when the root cause is fixed.
0
 
LVL 38

Expert Comment

by:ChiefIT
One other metadata object you need to clear up: go into the DHCP snap-in and navigate to the scope options of the DHCP servers. Make sure that non-existent servers are removed from the DHCP scope options as available DNS servers and AD servers. DHCP passes this information down to the DHCP clients when they obtain a lease. No sense in pointing these clients to a server that doesn't exist.

While in DHCP scope options, your time server should point to the AD server that holds the five FSMO roles OR NOT CONFIGURED. Once clients are synchronized to the server for time, we can synchronize that server to an outside time source. Not configured will default DHCP clients to the server's broadcasted time.
0
 
LVL 4

Author Comment

by:jkockler
Awesome. I'll check back when the meta cleanup is done. I'll probably wait until tomorrow to do it.
0
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 100 total points
Alright, the issue was that the Windows 2008 Server was never considered a full DC since FRS didn't replicate fully.

Please post another dcdiag
0
 
LVL 38

Expert Comment

by:ChiefIT
I agree Dariusq, but he did say the clients are domain members and can log on. So, I am a little skeptical to conclude it's not a DC on the domain. It currently looks like a partial Group Policy replication. Once metadata is cleaned, and he goes to the command prompt to restart the NTFRS service, I totally agree it's a good idea to look at a verbose dcdiag for errors.
0
 
LVL 4

Author Comment

by:jkockler
Okay I'll post it. I did not clear the metadata because I didn't want to cause any issues for Monday morning, since everything seems to be functioning.

The C:\windows\sysvol\sysvol\mydomain.local folder is empty on the 2008 DC. So all it did was set up the folder where the Group Policy would be stored, but nothing ever made it in there.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
We could reset the GPOs to default which will get them in there if you want to
0
 
LVL 4

Author Comment

by:jkockler
I'm looking for the approach with the least probability of bricking the 2008 server, which allows the 2008 to be the main DC, and 2003 to be out of the picture.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Post dcdiag, then let's see what we will do.
0
 
LVL 4

Author Comment

by:jkockler
Okay I'll get that up asap. I want to do it after hours.
0
 
LVL 4

Author Comment

by:jkockler
Here is the DCDiag


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.mydomain>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = win2k8
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\win2k8
      Starting test: Connectivity
         ......................... win2k8 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\win2k8
      Starting test: Advertising
         ......................... win2k8 passed test Advertising
      Starting test: FrsEvent
         ......................... win2k8 passed test FrsEvent
      Starting test: DFSREvent
         ......................... win2k8 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... win2k8 passed test SysVolCheck
      Starting test: KccEvent
         ......................... win2k8 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... win2k8 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... win2k8 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=mydomain,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=mydomain,DC=local
         ......................... win2k8 failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\win2k8\netlogon)
         [win2k8] An net use or LsaPolicy operation failed with error
         67, The network name cannot be found..
         ......................... win2k8 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... win2k8 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,win2k8] A recent replication attempt
         failed:
            From win2k3 to win2k8
            Naming Context: DC=ForestDnsZones,DC=mydomain,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2012-04-19 07:48:50.
            The last success occurred at 2012-04-13 16:45:35.
            135 failures have occurred since the last success.
         [win2k3] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,win2k8] A recent replication attempt
         failed:
            From win2k3 to win2k8
            Naming Context: DC=DomainDnsZones,DC=mydomain,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2012-04-19 07:48:50.
            The last success occurred at 2012-04-13 16:45:35.
            135 failures have occurred since the last success.
         [Replications Check,win2k8] A recent replication attempt
         failed:
            From win2k3 to win2k8
            Naming Context: CN=Schema,CN=Configuration,DC=mydomain,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-04-19 07:49:32.
            The last success occurred at 2012-04-13 16:45:35.
            135 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,win2k8] A recent replication attempt
         failed:
            From win2k3 to win2k8
            Naming Context: CN=Configuration,DC=mydomain,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-04-19 07:49:11.
            The last success occurred at 2012-04-13 16:45:35.
            135 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,win2k8] A recent replication attempt
         failed:
            From win2k3 to win2k8
            Naming Context: DC=mydomain,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-04-19 07:48:50.
            The last success occurred at 2012-04-13 16:45:35.
            135 failures have occurred since the last success.
            The source remains down. Please check the machine.
         ......................... win2k8 failed test Replications
      Starting test: RidManager
         ......................... win2k8 passed test RidManager
      Starting test: Services
         ......................... win2k8 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:11:14
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:16:14
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:21:15
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:26:15
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:31:16
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:35:56
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:36:16
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:41:17
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:46:18
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:51:18
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:56:19
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   08:01:19
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   08:06:20
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/19/2012   08:08:16
            Event String:
            Driver Brother MFC-J615W Printer required for printer Brother MFC-J615W Printer is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/19/2012   08:08:16
            Event String:
            Driver Adobe PDF Converter required for printer Adobe PDF is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/19/2012   08:08:17
            Event String:
            Driver Brother PC-FAX v.2.1 required for printer Brother PC-FAX v.2.1 is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/19/2012   08:08:21
            Event String:
            Driver Wasp WPL-606 required for printer Wasp WPL-606 is unknown. Contact the administrator to install the driver before you log in again.
         ......................... win2k8 failed test SystemLog
      Starting test: VerifyReferences
         ......................... win2k8 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : mydomain
      Starting test: CheckSDRefDom
         ......................... mydomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... mydomain passed test CrossRefValidation

   Running enterprise tests on : mydomain.local
      Starting test: LocatorCheck
         ......................... mydomain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... mydomain.local passed test Intersite

C:\Users\administrator.mydomain>

Expert Comment by ChiefIT (LVL 38):

Go into the FRS event logs and delete ALL events. Go to the command prompt and type this:

Net Stop netlogon
Net Start netlogon
Net Stop NTFRS
Net Start NTFRS

Run DCdiag /v one more time, and post the results.

The errors you see are event log errors. They may be outdated after the removal of metadata. Resetting FRS will probably unhose the replication service. Even as a single DC, replication services will need to be up or GP will not work effectively.

If Group policy is hosed, we can reset that back to the default group policy with a command line. I want to see if the non-invasive approach works first.

Author Comment by jkockler (LVL 4):

I have not cleared the metadata yet.

Should I go through that first?

Author Comment by jkockler (LVL 4):

I'm worried clearing the metadata is going to brick the DC.

Expert Comment by Darius Ghassem (LVL 59):

Yes

Expert Comment by Darius Ghassem (LVL 59):

Hold on don't do a metadata cleanup on Windows 2003 Server

Author Comment by jkockler (LVL 4):

Alright, I haven't done anything at this point. What is the issue?

Expert Comment by Darius Ghassem (LVL 59):

I don't think you need to do a metadata cleanup on Windows 2003 Server since Windows 2008 Server is still not functioning properly.

Is the Windows 2008 Server down?

Author Comment by jkockler (LVL 4):

No.

The windows 2008 server is up. The 2003 server is completely off the network. I did a seizure of fsmo roles with the 2k8 server, after the transfer of roles did not seem to work correctly.  That was my mistake, since now the 2k3 server can never be brought back, to replicate in the group policy. However it is only group policy that seems to be missing, as the Win2k8 server is doing just fine with running authentication on the network, etc.

So what ChiefIT is saying to do is clear the win2k3 metadata from the win2k8 server, so it stops looking for the win2k3 server for replication and the group policy objects.

My concern is if there is any chance clearing the metadata will brick the win2k8 server, due to the fact that replication and the roles transfer did not complete 100%.

The win2k8 server can not be bricked. Everything is working except for group policy, which isn't that big of a deal for this network. However I would like it to be right. I just can not brick this install, as the software people would then need to redo their entire setup, which can not happen right now.

So if I clear the metadata of the win2k3 server from the win2k8 server, which is now the only DC in existence, could it brick the win2k8 server?

Expert Comment by Darius Ghassem (LVL 59):

No, you will not brick the 2008 Server; it will have issues if you don't do a metadata cleanup of the Windows 2003 Server.

Alright the right thing to do now is metadata cleanup

Thanks for bringing me up to speed

Author Comment by jkockler (LVL 4):

Okay the metadata has been cleared, dns objects removed, and AD objects removed. I am going to reboot, and hope for the best.

Expert Comment by ChiefIT (LVL 38):

You will still probably see Group policy problems:

What I want you to do is this, (after the reboot).

Go into the Server's event logs and delete ALL FRS replication logs. As well, delete ALL system logs. This will remove all old data on Group policy events 1030 and 1058. It will also remove all data from 13508 and other 13000's event logs for file replication.

Once those logs are cleaned, they will not show up on a DCdiag report UNLESS replications and group policy are still having problems.

Now that the logs have been cleaned of all old events, go to the server's command prompt and type:

DCdiag /V > C:\DCDiag.txt

Post the DCdiag.txt file on EE for us to see. We will still probably have to fix Group policy. But removing the metadata resolves the ROOT problem. Now, it's time to resolve the problems that ROOT problem created, which is group policy. (Please NOTE: A reboot will restart the FRS service and probably unhose Group policy)

Author Comment by jkockler (LVL 4):

Group policy is still kicking up errors every couple of minutes, and I can not edit group policy.

I did see a good information event about the DC officially becoming a DC, and the FRS problem that was causing it, is resolved.

I will post a dcdiag as instructed.

Thanks for the help!

Expert Comment by ChiefIT (LVL 38):

Please read this article on Group policy problems:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/A_1073-Diagnosing-and-repairing-Events-1030-and-1058.html

In event logs, you will see errors popping in about every 15 minutes or 5 minutes (this time interval is important information). They should be within the system event logs and I believe they are 1030 and 1058 event log errors. Within those errors, you will see a GUID and path of the messed up (corrupt GPO).

It will look something like this:

"The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. "

We need this information.

ALSO, I would like to know what's up with Group policy, exactly:
Can you NOT go into the GP snapin?
Can you create an OU in AD and put a test group policy on that OU?
Can you get into the default domain policy without issue?
...What's not normal with group policy?

There are a number of means to fix group policy...

-REST ASSURED: I don't want you to panic. I have used a couple means to help other administrators out. You can do NOTHING, except delete the 2008 server from AD, that doesn't have a backdoor fix. You can even DELETE the sysvol and netlogon shares all together and we can rebuild them.

You might lose group policies in the process, we will get you to a clean domain.

We are about to get into fixes that MICROSOFT calls a LAST RESORT... At this time, if you have backup software, I do recommend Complete system image.

Tool 1:
DCGPOFIX-- This command line utility erases and rewrites the default domain policy AND/OR the Domain Controller Policy (this is why we need the GUID of the messed up group policy object).

Tool 2:
Burflag-- Burflag rewrites the Sysvol and Netlogon shares when erased.

Tool 3:

DFSutil Purgemupcache (purging the mupcache may resolve multiple UNC path (mup) to the domain controller that doesn't exist)

Before we begin to fix this, we will want from you:
1) The latest DCdiag /v
2) The group policy error that keeps popping up in system event logs with the Group policy path and GUID.
3) any FRS errors OR warnings related to file replications on the DC
NOTE: 2 & 3 will show up in Dcdiag but not as clear as the event logs.
4) Explicit on how group policy is acting
5) the time interval on GP errors in the system log
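The items ChiefIT asks for in the list above, and the "run DCdiag /v and post the results" requests earlier in the thread, can be pulled out of a saved report rather than read by hand. What follows is an added example written for this page, not code from the thread or from Microsoft: it parses a constructed sample (built to mirror the SystemLog section posted above) and lists every failed test, decodes the event IDs that dcdiag prints in hex (0x422 is 1058, 0x457 is 1111), and for the Group Policy events pulls out the GPO GUID, the gpt.ini path and the spacing between occurrences. The only assumptions are the dcdiag line layout shown in the thread and the report path in the usage comment.

```powershell
# Added example, not from the thread: pull the facts ChiefIT asks for out of a
# saved "dcdiag /v" report. $SampleReport is constructed to mirror the output
# posted earlier in the thread (two 1058 events five minutes apart, one 1111).
$SampleReport = @'
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:11:14
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful.
         An error event occurred.  EventID: 0x00000422
            Time Generated: 04/19/2012   07:16:14
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/19/2012   08:08:16
            Event String:
            Driver Adobe PDF Converter required for printer Adobe PDF is unknown.
         ......................... win2k8 failed test SystemLog
      Starting test: VerifyReferences
         ......................... win2k8 passed test VerifyReferences
'@

function Get-DcdiagFailedTests {
    param([string]$Report)
    # dcdiag reports each result as "<dots> <server> passed|failed test <name>".
    foreach ($m in [regex]::Matches($Report, '\.{5,}\s+(?<server>\S+) failed test (?<test>\S+)')) {
        New-Object PSObject -Property @{ Server = $m.Groups['server'].Value; Test = $m.Groups['test'].Value }
    }
}

function Get-DcdiagEvents {
    param([string]$Report)
    # One record per "An error/warning event occurred" block; the message runs
    # until the next event block or the dotted result line.
    $pattern = '(?s)An (?<level>error|warning) event occurred\.\s+EventID:\s*(?<id>0x[0-9A-Fa-f]+)\s+' +
               'Time Generated:\s*(?<date>\S+)\s+(?<time>\S+)\s+Event String:\s*(?<msg>.*?)' +
               '(?=\s+An (?:error|warning) event occurred\.|\s+\.{5,}|\z)'
    foreach ($m in [regex]::Matches($Report, $pattern)) {
        # Re-join the message lines that the 80-column console wrapped.
        $msg  = (($m.Groups['msg'].Value -split "`r?`n") | ForEach-Object { $_.Trim() }) -join ' '
        $guid = [regex]::Match($msg, '\{[0-9A-Fa-f-]{36}\}')
        $unc  = [regex]::Match($msg, '\\\\\S+\\gpt\.ini')
        $gpoGuid = $null; if ($guid.Success) { $gpoGuid = $guid.Value }
        $gptPath = $null; if ($unc.Success)  { $gptPath = $unc.Value }
        New-Object PSObject -Property @{
            Level   = $m.Groups['level'].Value
            # dcdiag prints the ID in hex; Event Viewer shows the decimal value.
            EventId = [Convert]::ToInt32($m.Groups['id'].Value, 16)
            Time    = [datetime]::ParseExact(($m.Groups['date'].Value + ' ' + $m.Groups['time'].Value), 'MM/dd/yyyy HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture)
            GpoGuid = $gpoGuid
            GptPath = $gptPath
            Message = $msg
        }
    }
}

function Get-GpoErrorIntervals {
    param([object[]]$Events)
    # 1030/1058 recur on every Group Policy refresh, so the gap between them is
    # the refresh interval ChiefIT asks about; a constant GUID means one specific
    # GPO is unreadable rather than SYSVOL as a whole.
    $gp = @($Events | Where-Object { @(1030, 1058) -contains $_.EventId } | Sort-Object Time)
    for ($i = 1; $i -lt $gp.Count; $i++) {
        New-Object PSObject -Property @{
            GpoGuid = $gp[$i].GpoGuid
            At      = $gp[$i].Time
            Minutes = [math]::Round(($gp[$i].Time - $gp[$i - 1].Time).TotalMinutes, 1)
        }
    }
}

# Usage against a real report: dcdiag /v > C:\DCDiag.txt (path is an assumption), then
#   $report = [IO.File]::ReadAllText('C:\DCDiag.txt')
$events = @(Get-DcdiagEvents -Report $SampleReport)
Get-DcdiagFailedTests -Report $SampleReport | Format-Table Server, Test -AutoSize
$events | Format-Table EventId, Time, GpoGuid, GptPath -AutoSize
Get-GpoErrorIntervals -Events $events | Format-Table At, GpoGuid, Minutes -AutoSize
```

Run against the sample, the failed-test table shows win2k8 / SystemLog, the events come out as 1058, 1058 and 1111, and the interval table has one row of 5.0 minutes. Five minutes is the default Group Policy refresh period on a domain controller, and {31B2F340-016D-11D2-945F-00C04FB984F9} is the Default Domain Policy, which is why the fix later in the thread is dcgpofix rather than deleting a stray GPO. The syntax is PowerShell 2.0 compatible so it runs on the 2008 R2 box itself.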

Expert Comment by ChiefIT (LVL 38):

I should say what tool we use depends upon the information you provide. We will choose the LEAST invasive approach to fix your discrepancy and will play it safe.

Expert Comment by Darius Ghassem (LVL 59):

Author Comment by jkockler (LVL 4):

Thanks guys.

I don't really mind if I lose group policy settings, because there isn't much in place from the old server anyway. Maybe a screen lockout policy, but nothing I couldn't redo within an hour.

When I go into the group policy snap-in. And right click the default policy, and click edit, it gives me an error (I will get that error for you).

If I go to properties of an OU, the group policy tab is missing all together.

I will post the group policy error from the system event log.

Thanks again for all the help. I think the worst is over at this point. Eliminating the 2003 metadata is what had me nervous.

Expert Comment by Darius Ghassem (LVL 59):

Did you go through the link and get the default gpo reset?

Author Comment by jkockler (LVL 4):

Not yet.

Expert Comment by ChiefIT (LVL 38):

BAD IDEA to neglect this GP discrepancy. Problems with GP are a symptom of a root problem with communications between the server and clients, or between servers.

First off, your clients are trying to find a GP that doesn't exist using a UNC path to it. That UNC path could be used for other domain services. Then, your event logs will fill up quickly, hence another problem.

Let's do this non-invasive tool to see if GP errors clear up:

Go to the command prompt with elevated privileges and type:
DFSutil /purgemupcache

We still need DCdiag reports and other information requested above to get a Clean and tight DC.

Author Comment by jkockler (LVL 4):

Ok I'll get it done this weekend at some point, and post.

Author Comment by jkockler (LVL 4):

I reset the group policy with the >dcgpofix ..

It looks like it worked because I can edit group policy, and the error messages have ceased in the event logs.

I did get an error when I ran >dcgpofix:

Warning: This tool was unable to re-create the EFS Certificates in the Default Domain Policy GPO. For more information, see the Microsoft Knowledge Base article: http://go.microsoft.com/fwlink/?LinkId=83410.

I received this event following the reset:

The Group Policy settings for the computer were processed successfully. New settings from 2 Group Policy objects were detected and applied.

So it looks good, but I will also post a dcdiag.

Author Comment by jkockler (LVL 4):

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.mydomain>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = WIN2K8
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\WIN2K8
      Starting test: Connectivity
         ......................... WIN2K8 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\WIN2K8
      Starting test: Advertising
         ......................... WIN2K8 passed test Advertising
      Starting test: FrsEvent
         ......................... WIN2K8 passed test FrsEvent
      Starting test: DFSREvent
         ......................... WIN2K8 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... WIN2K8 passed test SysVolCheck
      Starting test: KccEvent
         ......................... WIN2K8 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... WIN2K8 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... WIN2K8 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=mydomain,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=mydomain,DC=local
         ......................... WIN2K8 failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\WIN2K8\netlogon)
         [WIN2K8] An net use or LsaPolicy operation failed with error
         67, The network name cannot be found..
         ......................... WIN2K8 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... WIN2K8 passed test ObjectsReplicated
      Starting test: Replications
         ......................... WIN2K8 passed test Replications
      Starting test: RidManager
         ......................... WIN2K8 passed test RidManager
      Starting test: Services
         ......................... WIN2K8 passed test Services
      Starting test: SystemLog
         ......................... WIN2K8 passed test SystemLog
      Starting test: VerifyReferences
         ......................... WIN2K8 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : mydomain
      Starting test: CheckSDRefDom
         ......................... mydomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... mydomain passed test CrossRefValidation

   Running enterprise tests on : mydomain.local
      Starting test: LocatorCheck
         ......................... mydomain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... mydomain.local passed test Intersite

Expert Comment by ChiefIT (LVL 38):

The DC is cleaning up nicely. There are still a couple discrepancies.

1) One is with the netlogon share.

Here's the error:
Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\WIN2K8\netlogon)
         [WIN2K8] An net use or LsaPolicy operation failed with error
         67, The network name cannot be found..

We should look into this. It could be an error that existed prior to a fix that you need to delete out of the system event logs.
-----------------------------------
2) The second error is just forewarning you that if you wish to add a RODC (Read Only Domain Controller), that you will need to run adprep /rodcprep..

Here are those errors:
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=mydomain,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=mydomain,DC=local
         ......................... WIN2K8 failed test NCSecDesc


The netlogon shares concern me. Can you access netlogon shares?

One other test that I think is important is checking DNS...

Go to the command prompt and type: DCdiag /test:DNS
See if anything fails. You might possibly have DNS metadata still existing.

Prior to doing so, I think we should delete some cached objects:

Ipconfig /flushdns
and
DFSutil /purgemupcache
and
NBTSTAT -rr

we don't want cached data messing up replications or locations of network shares.

Author Comment by jkockler (LVL 4):

I cleared the event logs before I ran the DCdiag.

I do not have a 'scripts' folder here: "%SystemRoot%\sysvol\sysvol\<domain DNS name>\scripts"

Which probably means I do not have a netlogon share.

Expert Comment by ChiefIT (LVL 38):

So, we have to verify the AD replication set and the DFS shares for permissions as well as the structure. We can rebuild the structure as long as the files have the correct permissions.

http://technet.microsoft.com/en-us/library/cc816833%28v=ws.10%29.aspx

Expert Comment by ChiefIT (LVL 38):

Author Comment by jkockler (LVL 4):

Great thanks. I went through that, but it still does not have the scripts folder present.

At the end of the fix, it states:

Note This will cause Netlogon to share out SYSVOL, and the scripts folder will be present.

It does not specify how long it will take, or if I have to restart any services. I would guess I have to restart the netlogon service, but I have not done so.

Expert Comment by ChiefIT (LVL 38):

Restarting FRS services should recreate the folder structure. This is why I was a little confused. The reboot should have recreated the Netlogon and sysvol shares and made sure they are correct.

You might restart FRS and DFS by going to the command prompt and typing:

Net Stop Netlogon
Net Start Netlogon
Net Stop DFSR
Net Start DFSR

The services may be preventing the creation of the Scripts folder because they will be use protected.

Expert Comment by ChiefIT (LVL 38):

PS:  Don't reboot with the Netlogon service down. You might not be able to log back in as the domain admin afterwards!!

Author Comment by jkockler (LVL 4):

I didn't reboot or restart the services, however when I logged back in, there was an unexpected shutdown reported. So it did reboot, but not from anything I did manually.

Netlogon shares still do not exist though.

>dcdiag /test:netlogons

Doing primary tests

   Testing server: Default-First-Site-Name\win2k8
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\win2k8\netl
         [win2k8] An net use or LsaPolicy operation failed with
         67, The network name cannot be found..
         ......................... win2k8 failed test NetLogons

Expert Comment by ChiefIT (LVL 38):

Lots of things can cause this issue:

Is Netbios enabled on the server's NIC configuration?

Is the firewall set to allow file and print sharing? Firewalls can block Netlogon, even if you are trying to communicate with it locally.
---------------------------------------------------------------
Let's make sure we are on the same page:

go to START>>Run> and type services.msc  

Are the DFSR and Netlogon services started and automatic?

++++++++PLUS++++++++++

Did you reset the reg key back to one on this case?

http://support.microsoft.com/kb/947022/en


The scripts folder should automatically recreate with this fix. If there is a service that's causing an error because another service is starting prior and is a dependency (as in this case), you can now go into services and set the service that needs to wait to a delayed start. This resolves a service dependency issue, as in this case. You might consider a delayed start to resolve this issue. Once the scripts folder is created, you can go back to a normal startup of this service.
-----------------------------------------------------------
Let's also test replications. Even if this is a solo DC, the replications has to be working correctly for a Netlogon and Sysvol shares to work right:

dcdiag /test:replications

If this test fails, open Event Viewer and check for errors in the Directory Service log.
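The checklist above (services, the KB947022 SysvolReady key, whether the SYSVOL tree and shares actually exist) is the kind of thing worth scripting so it can be re-run after every change. The following is an added example written for this page, not code from the thread or from the KB article: it reports each precondition Netlogon needs before it will publish SYSVOL and NETLOGON, and a second function performs the SysvolReady 0-then-1 toggle the KB describes and shows whatever Netlogon logged afterwards. Service, key and share names are the standard Windows ones; the domain name is read from the machine; Win32_Share is used because Get-SmbShare does not exist on 2008 R2. Run it in an elevated PowerShell on the DC.

```powershell
# Added example, not from the thread: check what Netlogon needs before it will
# share SYSVOL and NETLOGON, then optionally run the KB947022 SysvolReady toggle.

function New-Check([string]$Name, [bool]$Ok) {
    New-Object PSObject -Property @{ Check = $Name; Ok = $Ok }
}

function Test-SysvolShares {
    param(
        # Assumption: the DC's own DNS domain is the SYSVOL domain folder name.
        [string]$Domain = (Get-WmiObject Win32_ComputerSystem).Domain
    )
    $domainRoot = Join-Path $env:SystemRoot "SYSVOL\sysvol\$Domain"
    $nlParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    $shares   = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
    # NtFrs is absent when SYSVOL is on DFSR and vice versa; ignore the missing one.
    $services = Get-Service Netlogon, NtFrs, DFSR -ErrorAction SilentlyContinue
    $ready    = (Get-ItemProperty -Path $nlParams -ErrorAction SilentlyContinue).SysvolReady

    $results = @()
    $results += New-Check 'SysvolReady = 1 (KB947022)' ($ready -eq 1)
    $results += New-Check "Folder $domainRoot" (Test-Path $domainRoot)
    $results += New-Check "Folder $domainRoot\Policies" (Test-Path "$domainRoot\Policies")
    # Netlogon publishes this folder as NETLOGON; if it is missing the share is
    # missing too, which is the "could not create server share ... SCRIPTS" case.
    $results += New-Check "Folder $domainRoot\scripts" (Test-Path "$domainRoot\scripts")
    $results += New-Check 'SYSVOL share present' ($shares -contains 'SYSVOL')
    $results += New-Check 'NETLOGON share present' ($shares -contains 'NETLOGON')
    foreach ($svc in $services) {
        $results += New-Check "Service $($svc.Name) running" ($svc.Status -eq 'Running')
    }
    $results | Select-Object Check, Ok
}

function Reset-SysvolReady {
    # KB947022: set SysvolReady to 0 and back to 1 so Netlogon re-checks the
    # SYSVOL tree and shares it out. Only for a DC whose SYSVOL copy is complete.
    $nlParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $nlParams -Name SysvolReady -Value 0 -Type DWord
    Set-ItemProperty -Path $nlParams -Name SysvolReady -Value 1 -Type DWord
    Start-Sleep -Seconds 10
    # Anything Netlogon could not do (for example a missing scripts folder) is
    # logged here as an error.
    Get-EventLog -LogName System -Source NETLOGON -EntryType Error -Newest 5 |
        Select-Object TimeGenerated, EventID, Message
}

Test-SysvolShares | Format-Table Check, Ok -AutoSize
```

Run Test-SysvolShares first and fix the rows that show False before touching the registry; if the only failing rows are the scripts folder and the NETLOGON share, that is the situation the thread ends up in, and the remaining question is the ACL on the folder, which this script does not set.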

Expert Comment by ChiefIT (LVL 38):

If that fix fails to recreate the Scripts folder, I have manually created the folders before. But, you have to make sure the file ACL and share permissions are correct or it will not work. In 2003 server, they used to have a KB article that lists the folder contents of sysvol and Netlogon as well as the file permission defaults per file folder. Manually recreating the folders works if you have the permissions straight. But, I don't have access to my 08 servers to verify permissions on the file folder defaults. You might have to ask a second question for the specific information. My servers are on a ship out at sea, right now.

Author Comment by jkockler (LVL 4):

Netbios is enabled on the NIC, with the "default" option. The NIC is using a static IP address, so it should be enabling netbios.

The local firewall is turned off completely.

DFSR and Netlogon services are started and automatic.

When I followed that fix article, I set the value to 0, clicked ok, then went right back in and set it to 1.

I did not wait any length of time in between, nor restart any services.

I just went in and changed it to 0 and back to 1 again. Then restarted the netlogon service, and saw this event:

The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\mydomain.local\SCRIPTS.  The following error occurred:
The system cannot find the file specified.


So maybe I need to create the SCRIPTS folder for it, and then just make sure the permissions are correct, as you stated.

I also saw this error today, which I thought was strange because this server is set as a global catalog.

Active Directory Domain Services was unable to establish a connection with the global catalog.
 
Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.

Expert Comment by ChiefIT (LVL 38):

It appears there is possibly a DNS discrepancy that allows you to locate the files and folders as well as the GC...

What's the... DCdiag /test:DNS
pony up?

Author Comment by jkockler (LVL 4):

Yea that was my hunch as well.

This server had an alternate hostname at one point.

It still shows that alternate name in sites and services.

I'll run the DNS test a bit later today.

Expert Comment by Darius Ghassem (LVL 59):

If you are still missing your netlogon share, go through this link.

http://support.microsoft.com/kb/947022

Is your SYSVOL shared?

Expert Comment by ChiefIT (LVL 38):

To fix a naming discrepancy:

Dcdiag /fix

at the command prompt. That should do it.

Author Comment by jkockler (LVL 4):

Here are the DNS test results:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.MYDOMAIN>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = WIN2K8
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\WIN2K8
      Starting test: Connectivity
         ......................... WIN2K8 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\WIN2K8

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... WIN2K8 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : MYDOMAIN

   Running enterprise tests on : MYDOMAIN.local
      Starting test: DNS
         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
            DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235

            DNS server: 2001:500:2d::d (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d

            DNS server: 2001:500:2f::f (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f

            DNS server: 2001:500:3::42 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42

            DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30

            DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30

            DNS server: 2001:7fd::1 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1

            DNS server: 2001:7fe::53 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53

            DNS server: 2001:dc3::35 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35

         ......................... MYDOMAIN.local passed test DNS

C:\Users\administrator.MYDOMAIN>
0
 
LVL 59

Expert Comment

by:Darius Ghassem
That looks alright
0
 
LVL 4

Author Comment

by:jkockler
Yeah, thought so.

I guess I'll try manually creating the netlogon shares at this point. That is the only thing I can think of.

I'll post one more DCdiag. It says it can't find the path specified when trying to create that share automatically, which is very strange considering it is local.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Did you go through the last link I posted? That tells you how to create the netlogon properly
0
 
LVL 4

Author Comment

by:jkockler
Yes I did. I get an event from netlogon that it can not find the path specified.
0
 
LVL 38

Expert Comment

by:ChiefIT
Also flush the server's DNS cache.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Post a plain dcdiag
0
 
LVL 4

Author Comment

by:jkockler
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.MYDOMAIN>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = WIN2K8
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\WIN2K8
      Starting test: Connectivity
         ......................... WIN2K8 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\WIN2K8
      Starting test: Advertising
         ......................... WIN2K8 passed test Advertising
      Starting test: FrsEvent
         ......................... WIN2K8 passed test FrsEvent
      Starting test: DFSREvent
         ......................... WIN2K8 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... WIN2K8 passed test SysVolCheck
      Starting test: KccEvent
         ......................... WIN2K8 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... WIN2K8 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... WIN2K8 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=MYDOMAIN,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=MYDOMAIN,DC=local
         ......................... WIN2K8 failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\WIN2K8\netlogon)
         [WIN2K8] An net use or LsaPolicy operation failed with error
         67, The network name cannot be found..
         ......................... WIN2K8 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... WIN2K8 passed test ObjectsReplicated
      Starting test: Replications
         ......................... WIN2K8 passed test Replications
      Starting test: RidManager
         ......................... WIN2K8 passed test RidManager
      Starting test: Services
         ......................... WIN2K8 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/27/2012   12:52:26
            Event String:
            Driver Brother MFC-J615W Printer required for printer Brother MFC-J6
15W Printer is unknown. Contact the administrator to install the driver before y
ou log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/27/2012   12:52:27
            Event String:
            Driver Brother PC-FAX v.2.1 required for printer Brother PC-FAX v.2.
1 is unknown. Contact the administrator to install the driver before you log in
again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/27/2012   12:52:28
            Event String:
            Driver Adobe PDF Converter required for printer Adobe PDF is unknown
. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 04/27/2012   12:52:31
            Event String:
            Driver Wasp WPL-606 required for printer Wasp WPL-606 is unknown. Co
ntact the administrator to install the driver before you log in again.
         ......................... WIN2K8 failed test SystemLog
      Starting test: VerifyReferences
         ......................... WIN2K8 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : MYDOMAIN
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation

   Running enterprise tests on : MYDOMAIN.local
      Starting test: LocatorCheck
         ......................... MYDOMAIN.local passed test LocatorCheck
      Starting test: Intersite
         ......................... MYDOMAIN.local passed test Intersite

C:\Users\administrator.MYDOMAIN>
0
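The full dcdiag run above is easier to triage when it is reduced to the failing tests and the lines dcdiag prints underneath each of them. The following PowerShell is an added example, not something posted in this thread; it assumes only the standard English dcdiag text layout shown above, is written for the PowerShell 2.0 that ships with the author's 2008 R2 box, and uses a constructed sample excerpted from that output.

```powershell
# Added example, not from the thread: turn dcdiag console output into objects so
# the failing tests (and the lines dcdiag prints underneath them) can be listed.
# Assumes the standard English dcdiag text layout; PowerShell 2.0 compatible.

function ConvertFrom-DcdiagOutput {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Lines
    )

    $results = @()
    $current = $null   # the test whose lines we are currently reading

    foreach ($line in $Lines) {
        # A test starts with e.g. "      Starting test: NetLogons"
        if ($line -match '^\s*Starting test:\s+(\S+)') {
            if ($current) { $results += $current }
            $current = New-Object PSObject -Property @{
                Test    = $Matches[1]
                Target  = $null
                Result  = 'Unknown'
                Details = @()
            }
            continue
        }
        # Ignore everything outside a test, and anything after a test's verdict
        # (e.g. a test name that wrapped onto the line after "passed test")
        if (-not $current -or $current.Result -ne 'Unknown') { continue }

        # The verdict line: "......................... WIN2K8 failed test NetLogons"
        if ($line -match '^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test') {
            $current.Target = $Matches[1]
            $current.Result = $Matches[2]
            continue
        }

        # Everything between "Starting test" and the verdict is detail (errors, events)
        $trimmed = $line.Trim()
        if ($trimmed) { $current.Details += $trimmed }
    }
    if ($current) { $results += $current }
    return $results
}

# Constructed sample: an excerpt of the dcdiag run posted above.
$sample = @'
   Testing server: Default-First-Site-Name\WIN2K8
      Starting test: Advertising
         ......................... WIN2K8 passed test Advertising
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=MYDOMAIN,DC=local
         ......................... WIN2K8 failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\WIN2K8\netlogon)
         [WIN2K8] An net use or LsaPolicy operation failed with error
         67, The network name cannot be found..
         ......................... WIN2K8 failed test NetLogons
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
'@ -split "`r?`n"

# On a live DC replace $sample with (dcdiag) to parse the real run.
$results = ConvertFrom-DcdiagOutput -Lines $sample
$results | Where-Object { $_.Result -eq 'failed' } | ForEach-Object {
    Write-Output ('{0} failed on {1}' -f $_.Test, $_.Target)
    foreach ($d in $_.Details) { Write-Output ('    ' + $d) }
}
```

Run against the sample this prints only NCSecDesc and NetLogons with their error lines; the passed tests and the wrapped CrossRefValidation name are dropped. Because the function returns objects, the same call can be run on each DC and the results compared, which is what the later advice in this thread (dcdiag on all DCs) amounts to.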
 
LVL 59

Expert Comment

by:Darius Ghassem
Go through the link one more time
0
 
LVL 38

Expert Comment

by:ChiefIT
This problem looks like the same one:

http://support.microsoft.com/kb/947022/en-us

There has to be a reboot somewhere in the process after setting these reg keys.
0
 
LVL 4

Author Comment

by:jkockler
I haven't done this yet, but I'll check back as soon as I do.
0
 
LVL 4

Author Comment

by:jkockler
Should I set the value to 0, reboot, and then set it back to 1?

Or should I set it to 0, set it to 1, and then reboot after the change?

The article makes no mention of a reboot.
0
 
LVL 4

Author Comment

by:jkockler
So the burflag method never worked. I just kept getting an error:

The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\mydomain.local\SCRIPTS.  The following error occurred:
The system cannot find the file specified.

So I manually created the directory, and now it passes DCDIAG. Is this alright?
0
 
LVL 38

Expert Comment

by:ChiefIT
I have seen manually re-creating a file folder location work before. Make sure any scripts that are used from there and configured as an AD policy for logons work. Also restart the netlogon service to see what happens.

If all looks good, it probably is. DCdiag is pretty accurate. Run DCdiag on all DCs to make sure the file creation makes it to other DCs. Force replicate between DCs to make sure it passes.

I'll bet you are all OK.
0
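The verification ChiefIT describes (NETLOGON and SYSVOL shared, the SCRIPTS folder the author had to create by hand present, Netlogon running, then dcdiag and a forced replication) can be scripted as a read-only health check. The following PowerShell is an added example and is not code from the thread or from the KB article; it assumes the standard Netlogon registry location, the SysvolReady value that KB947022 toggles, and the SysVol value that holds the share root, and it targets the PowerShell 2.0 on the author's 2008 R2 server (WMI rather than Get-SmbShare).

```powershell
# Added example, not from the thread: read-only SYSVOL/NETLOGON health check for
# a Windows Server 2008 R2 domain controller. Run locally on the DC, elevated.
# Assumptions: Netlogon parameters live under the standard registry key below,
# SysvolReady (the flag KB947022 cycles 0 -> 1) and SysVol (share root) exist there.

function Test-SysvolShares {
    param([string] $DnsDomain = $env:USERDNSDOMAIN)   # e.g. MYDOMAIN.LOCAL

    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $reg    = Get-ItemProperty -Path $params -ErrorAction SilentlyContinue

    $sysvolReady = $reg.SysvolReady
    $sysvolRoot  = $reg.SysVol                        # e.g. C:\Windows\SYSVOL\sysvol
    $scriptsDir  = $null
    if ($sysvolRoot) { $scriptsDir = "$sysvolRoot\$DnsDomain\SCRIPTS" }

    # Win32_Share works on PowerShell 2.0; Get-SmbShare only exists on 2012+.
    $shares = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name }

    $checks = @(
        @{ Name = 'Netlogon service running'; Pass = ((Get-Service -Name Netlogon).Status -eq 'Running') },
        @{ Name = 'SysvolReady = 1';          Pass = ($sysvolReady -eq 1) },
        @{ Name = 'SCRIPTS folder exists';    Pass = ($scriptsDir -and (Test-Path -LiteralPath $scriptsDir)) },
        @{ Name = 'SYSVOL share present';     Pass = ($shares -contains 'SYSVOL') },
        @{ Name = 'NETLOGON share present';   Pass = ($shares -contains 'NETLOGON') }
    )
    foreach ($c in $checks) {
        New-Object PSObject -Property @{ Check = $c.Name; Pass = [bool]$c.Pass }
    }
}

$report = Test-SysvolShares
$report | Format-Table Check, Pass -AutoSize

if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more SYSVOL/NETLOGON checks failed; fix those before trusting dcdiag.'
} else {
    # Same verification the thread recommends: the two share-related dcdiag tests,
    # then push replication to every partner so the folder reaches the other DCs.
    dcdiag /test:netlogons /test:sysvolcheck
    repadmin /syncall /A /e /P
}
```

Each failing row maps to a step already in this thread: a missing SCRIPTS folder is what the Netlogon event "could not create server share ...\SCRIPTS" was complaining about and is what the author created by hand; SysvolReady not being 1 is the KB947022 case (set it to 0, then back to 1, then restart Netlogon); a stopped Netlogon service means the shares will never be published regardless of the folder. Netlogon only creates the SYSVOL and NETLOGON shares once SysvolReady is 1, so the share rows are expected to fail while that flag is 0.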
 
LVL 59

Expert Comment

by:Darius Ghassem
I would have to agree with Chief as well
0