Jack D

Active Directory Stopped Working

Active Directory seems to have stopped working on my server. I have one server that functions as the PDC. Sometime in the last week AD stopped. I have reviewed a lot of steps in previous questions and don't think it is a time issue or DNS issue, but at this point who knows!

NLTEST results:
nltest /server:sjssrv01 /dsgetdc:sjscompany.com /gc /force
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

DCDIAG results:
C:\Users\administrator.SJSCOMPANY>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SJSSRV01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SJSSRV01
      Starting test: Connectivity
         ......................... SJSSRV01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SJSSRV01
      Starting test: Advertising
         Fatal Error:DsGetDcName (SJSSRV01) call failed, error 1355
         The Locator could not find the server.
         ......................... SJSSRV01 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been
         shared.  Failing SYSVOL replication problems may cause Group Policy problems.
         ......................... SJSSRV01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SJSSRV01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SJSSRV01 passed test SysVolCheck
      Starting test: KccEvent
         An error event occurred.  EventID: 0xC0000466
            Time Generated: 07/10/2012   10:55:28
            Event String:
            Active Directory Domain Services was unable to establish a connection with the global catalog.
         ......................... SJSSRV01 failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SJSSRV01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SJSSRV01 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=sjscompany,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=sjscompany,DC=com
         ......................... SJSSRV01 failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SJSSRV01\netlogon)
         [SJSSRV01] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... SJSSRV01 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SJSSRV01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SJSSRV01 passed test Replications
      Starting test: RidManager
         ......................... SJSSRV01 passed test RidManager
      Starting test: Services
         ......................... SJSSRV01 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:08:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:13:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 07/10/2012   10:17:34
            Event String:
            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:18:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0xC0001B6F
            Time Generated: 07/10/2012   10:23:07
            Event String: The Windows Time service terminated with the following error:
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:23:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         A warning event occurred.  EventID: 0x0000000C
            Time Generated: 07/10/2012   10:26:04
            Event String:
            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:28:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:33:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:38:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         A warning event occurred.  EventID: 0x0000A001
            Time Generated: 07/10/2012   10:39:04
            Event String:
            The Security System could not establish a secured connection with the server ldap/sjscompany.com/sjscompany.com@SJSCOMPANY.COM. No authentication protocol was available.
         An error event occurred.  EventID: 0x0000168F
            Time Generated: 07/10/2012   10:40:11
            Event String:
            The dynamic deletion of the DNS record '_kerberos._tcp.sjscompany.com. 600 IN SRV 0 100 88 SJSSRV01.sjscompany.com.' failed on the following DNS server:
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:43:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:48:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:53:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 07/10/2012   10:54:08
            Event String:
            Name resolution for the name sjscompany.com timed out after none of the configured DNS servers responded.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:57:36
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:58:55
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   11:03:55
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         ......................... SJSSRV01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... SJSSRV01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : sjscompany
      Starting test: CheckSDRefDom
         ......................... sjscompany passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... sjscompany passed test CrossRefValidation

   Running enterprise tests on : sjscompany.com
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... sjscompany.com failed test LocatorCheck
      Starting test: Intersite
         ......................... sjscompany.com passed test Intersite

SFC /scannow says Windows Resource Protection did not find any integrity violations.

Any help is greatly appreciated. Thanks.
Active Directory, Windows Server 2008
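
A triage aid for output like the dcdiag run in the question, added here as an example (it is not from the original thread or from any Microsoft tool): it lists the failed tests and collapses repeated events by EventID, rejoining text the console wrapped. The `summarize` function and the abridged sample are constructed for illustration.

```python
import re

# Constructed, abridged sample modelled on the dcdiag output in the question (console wrapping kept).
SAMPLE = """\
      Starting test: Advertising
         Fatal Error:DsGetDcName (SJSSRV01) call failed, error 1355
         ......................... SJSSRV01 failed test Advertising
      Starting test: Services
         ......................... SJSSRV01 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:08:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain con
troller. This could be caused by a name resolution failure.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 07/10/2012   10:13:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain con
troller. This could be caused by a name resolution failure.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 07/10/2012   10:54:08
            Event String:
            Name resolution for the name sjscompany.com timed out after none of the configured DNS s
ervers responded.
         ......................... SJSSRV01 failed test SystemLog
"""

RESULT = re.compile(r"\.{5,} (\S+) (passed|failed) test (\S+)")
EVENT = re.compile(r"An? (error|warning) event occurred\.\s+EventID: (0x[0-9A-Fa-f]+)")
TIME = re.compile(r"Time Generated: (\S+)\s+(\S+)")

def summarize(text):
    """Return (names of failed tests, events grouped by EventID)."""
    failed, events, cur = [], {}, None
    for line in text.splitlines():
        if m := RESULT.search(line):
            cur = None                      # a result line closes the current test
            if m.group(2) == "failed":
                failed.append(m.group(3))
        elif m := EVENT.search(line):
            cur = events.setdefault(m.group(2), {"level": m.group(1), "count": 0,
                                                 "first": None, "last": None, "text": ""})
            cur["count"] += 1
            cur["new"] = not cur["text"]    # keep the message of the first occurrence only
        elif cur and (m := TIME.search(line)):
            cur["last"] = m.group(2)
            cur["first"] = cur["first"] or m.group(2)
        elif cur and cur["new"] and line.strip() and "Event String:" not in line:
            if line[0] == " ":              # indented: a new line of the message
                cur["text"] = (cur["text"] + " " + line.strip()).strip()
            else:                           # column 0: console-wrap continuation, join as-is
                cur["text"] += line
    return failed, events
```

On the full output above, this reduces the SystemLog section to a handful of distinct EventIDs with counts, which makes the one-off events (DNS record deletion, name resolution timeout, time service) easier to spot among the repeated Group Policy failures.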


8/22/2022 - Mon
emadallan

Please execute this command:
netdom query fsmo
and give me the output.
Jack D

ASKER
C:\Users\administrator.SJSCOMPANY>netdom query fsmo
The specified domain either does not exist or could not be contacted.

The command failed to complete successfully.
emadallan

I guess you've run this command on a DC. If so, then this indicates a huge problem in your AD. To resolve your problem you should seize the FSMO role to another DC. Do you have an additional DC?
Jack D

ASKER
No I don't.
emadallan

Is your domain 2003, 2008, or 2008 R2?
Jack D

ASKER
2008 R2
SOLUTION
emadallan

Jack D

ASKER
That I don't know the answer to yet. If we assume I don't, what are my options?
emadallan

Could you tell me what's in the Event Viewer of your failed DC?
Jack D

ASKER
Yes. Give me a couple hours.
Jack D

ASKER
After a reboot I see a lot of warnings and a few errors, but they all pertain to not being able to contact the Active Directory services...
Jack D

ASKER
Looking back to the updates I applied on 6/28, this appears to be the date my problems started.

NETLOGON Error:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'sjscompany.com.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

Possible causes of failure include:  
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration  

USER ACTION  
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.



FIRST ERROR ALERT:
A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.

Then I got a warning about the Timer-service stopped advertising... Then a lot of errors started.

I'm going to start looking into each of the updates I applied and removing any of the ones that could affect TIME, DNS, AD, etc...
emadallan

Let me ask if your DC is a multihomed server. I mean, does your DC have multiple network interfaces? If this is the case, you should know that it is not recommended, so first remove any additional interface so your DC will have only one NIC. Then on the DNS make sure that this one NIC IP is registered and no other IPs are registered on DNS.
Jack D

ASKER
In DNS in Forward Lookup:
_msdcs.DOMAIN
(same as parent folder) nameserver server record
f123870f-bf46-4058-8d41-0e0c94b83448 Alias (CNAME) server record

DOMAIN
one NS record for server here
two host records; one with server name and one (same as parent folder)

Reverse Lookup looks ok.
Jack D

ASKER
UPDATE:

DNS settings had a second server listed as a nameserver in the forward and reverse lookup zones. This is a server on our network but it is not a DC and not running AD. I have removed this entry and will advise. Thanks for any continued help.
ASKER CERTIFIED SOLUTION
Jack D

ASKER
Troubleshooting steps were needed to get this far, but it was a major corruption issue at the file level that mandated recovery from backups. Replies above helped to get to that point but did not directly provide the answer.