2008 Foundation server won't complete compliance check.

Hello

I have a new server which came with 2008 Foundation server.

I have joined it to the domain and the domain contains only 10 non-windows built-in users.

So far as I can see it meets the requirements for the Foundation server to complete its compliance checking, but I keep getting something like the following message...

"The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller. If the license compliant check cannot be completed, the server will automatically shut down in 0 hour(s) 30 minute(s)."

My problem is I'm not sure how to determine what's causing this, as I thought if I was able to join this server to the domain that it must have been able to contact the domain controller in the first place.

Any assistance is greatly appreciated in advance

Thanks
johnkan Asked:
 
Michael Pfister Commented:
The primary DNS entry on the first NIC with TCP/IP v4 should point to the domain controller, not the ISP (on both the domain controller and the member server). The DNS server on your DC will be configured to hold DNS forwarders, in your case the ISP DNS to resolve names not belonging to your domain.
This misconfig is also the reason for the TEST: Records registration (RReg) failing.
So please modify both servers' NIC primary DNS entry to point to the real IP of the DC (on DC do _not_ use 127.0.0.1). Then add the ISP's DNS as forwarder in your DNS server config on your DC.


Regarding licensing:
http://technet.microsoft.com/en-us/library/dd459191(v=ws.10).aspx

"you will receive a warning message if you exceed the fifteen-user limit."

You will be unlicensed then.
0
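
The NIC check described in the answer above, as an added example that is not part of the original thread: it parses `ipconfig /all` output and flags an adapter whose first DNS server is not the domain controller, or is 127.0.0.1 on the DC itself. The DC address 192.168.1.10, the sample text and the function names are assumptions; 203.171.32.70 is the ISP resolver named later in the thread.

```python
import ipaddress
import re


def sample(*servers):
    """Build a constructed `ipconfig /all` excerpt listing the given DNS servers."""
    pad = "\n" + " " * 39
    return ("Ethernet adapter Local Area Connection:\n\n"
            "   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)\n"
            "   DNS Servers . . . . . . . . . . . : " + pad.join(servers) + "\n"
            "   NetBIOS over Tcpip. . . . . . . . : Enabled\n")


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [DNS servers in configured order]}."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        header = re.match(r"^(\S.*adapter .+):\s*$", line)
        if header:
            current, in_dns = header.group(1), False
            adapters[current] = []
            continue
        if current is None:
            continue
        first = re.match(r"^\s+DNS Servers[ .]*:\s*(\S+)", line)
        # Second and later servers appear alone on indented continuation lines.
        more = re.match(r"^\s+([0-9A-Fa-f:.%]+)\s*$", line)
        if first:
            adapters[current].append(first.group(1))
            in_dns = True
        elif in_dns and more:
            adapters[current].append(more.group(1))
        else:
            in_dns = False
    return {name: servers for name, servers in adapters.items() if servers}


def audit_primary_dns(ipconfig_text, dc_ips, host_is_dc):
    """Flag adapters whose primary DNS entry breaks the rules in the answer."""
    dcs = {ipaddress.ip_address(ip) for ip in dc_ips}
    findings = []
    for adapter, servers in parse_dns_servers(ipconfig_text).items():
        primary = ipaddress.ip_address(servers[0].split("%")[0])
        if host_is_dc and primary.is_loopback:
            findings.append((adapter, servers[0], "loopback as primary on the DC"))
        elif primary not in dcs:
            findings.append((adapter, servers[0],
                             "primary DNS is not the domain controller"))
    return findings


if __name__ == "__main__":
    before = sample("203.171.32.70", "192.168.1.10")  # ISP first: misconfigured
    print(audit_primary_dns(before, ["192.168.1.10"], host_is_dc=False))
```
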
 
Michael Pfister Commented:
On your domain controller, please execute

dcdiag > dcdiag.txt

remove personal information and post it here.
0
 
Exchange_Geek Commented:
It is either a DC issue, so you'd need to check the following

=> Dcdiag as suggested above
=> Netdiag /v
=> nltest /dsgetsite
=> check for errors in App / DS logs in event viewer
=> netdom query fsmo
=> we're hoping that this server isn't installed on child domains.

Regards,
Exchange_Geek
0
 
johnkan (Author) Commented:
Hello Experts

Ah, I think I see a potential problem. There used to be a 2003 AD Domain controller on this network before we introduced the 2008 Server.

The 2003 server actually failed and eventually would not start up at all.

We had to seize all of the roles which I thought was the end of it, but looking at the output of Dcdiag I can see the old DC is still mentioned prominently.

When we completed the seizing process, it all seemed to work ok.

Here is the output of the DCdiag.
##########################################################
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = OURHOMESERVER

   * Identified AD Forest.
   Ldap search capabality attribute search failed on server OLDDOMAINCONTROLLER, return

   value = 81
   Got error while checking if the DC is using FRS or DFSR. Error:

   Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail

   because of this error.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\OURHOMESERVER

      Starting test: Connectivity

         ......................... OURHOMESERVER passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\OURHOMESERVER

      Starting test: Advertising

         ......................... OURHOMESERVER passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... OURHOMESERVER passed test FrsEvent

      Starting test: DFSREvent

         ......................... OURHOMESERVER passed test DFSREvent

      Starting test: SysVolCheck

         ......................... OURHOMESERVER passed test SysVolCheck

      Starting test: KccEvent

         ......................... OURHOMESERVER passed test KccEvent

      Starting test: KnowsOfRoleHolders

         [OLDDOMAINCONTROLLER] DsBindWithSpnEx() failed with error 1722,

         The RPC server is unavailable..
         Warning: OLDDOMAINCONTROLLER is the Schema Owner, but is not responding to DS

         RPC Bind.

         Warning: OLDDOMAINCONTROLLER is the Schema Owner, but is not responding to LDAP

         Bind.

         ......................... OURHOMESERVER failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... OURHOMESERVER passed test MachineAccount

      Starting test: NCSecDesc

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=ourdomain,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=ourdomain,DC=local
         ......................... OURHOMESERVER failed test NCSecDesc

      Starting test: NetLogons

         ......................... OURHOMESERVER passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... OURHOMESERVER passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,OURHOMESERVER] A recent replication attempt failed:

            From OLDDOMAINCONTROLLER to OURHOMESERVER

            Naming Context: DC=ForestDnsZones,DC=ourdomain,DC=local

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

           

            The failure occurred at 2012-08-21 21:00:18.

            The last success occurred at 2012-04-06 14:46:43.

            3295 failures have occurred since the last success.

         [Replications Check,OURHOMESERVER] A recent replication attempt failed:

            From OLDDOMAINCONTROLLER to OURHOMESERVER

            Naming Context: DC=DomainDnsZones,DC=ourdomain,DC=local

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

           

            The failure occurred at 2012-08-21 21:00:18.

            The last success occurred at 2012-04-06 14:52:49.

            3295 failures have occurred since the last success.

         [Replications Check,OURHOMESERVER] A recent replication attempt failed:

            From OLDDOMAINCONTROLLER to OURHOMESERVER

            Naming Context:

            CN=Schema,CN=Configuration,DC=ourdomain,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2012-08-21 21:01:00.

            The last success occurred at 2012-04-06 14:46:43.

            3295 failures have occurred since the last success.

            The source remains down. Please check the machine.

         [Replications Check,OURHOMESERVER] A recent replication attempt failed:

            From OLDDOMAINCONTROLLER to OURHOMESERVER

            Naming Context: CN=Configuration,DC=ourdomain,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2012-08-21 21:00:39.

            The last success occurred at 2012-04-06 15:37:46.

            3295 failures have occurred since the last success.

            The source remains down. Please check the machine.

         [Replications Check,OURHOMESERVER] A recent replication attempt failed:

            From OLDDOMAINCONTROLLER to OURHOMESERVER

            Naming Context: DC=ourdomain,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2012-08-21 21:00:18.

            The last success occurred at 2012-04-06 15:40:39.

            3295 failures have occurred since the last success.

            The source remains down. Please check the machine.

         ......................... OURHOMESERVER failed test Replications

      Starting test: RidManager

         ......................... OURHOMESERVER passed test RidManager

      Starting test: Services

         ......................... OURHOMESERVER passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0xC004000B

            Time Generated: 08/21/2012   21:35:34

            Event String:

            The driver detected a controller error on \Device\Harddisk2\DR3.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 08/21/2012   21:35:35

            Event String:

            Driver Canon MP530 FAX required for printer Canon MP530 FAX is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 08/21/2012   21:35:36

            Event String:

            Driver CutePDF Writer required for printer CutePDF Writer is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 08/21/2012   21:35:36

            Event String:

            Driver Canon MP530 Series Printer required for printer Canon MP530 Series Printer is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 08/21/2012   21:35:39

            Event String:

            Driver HP Color LaserJet 2605/2605dn/2605dtn PS required for printer HP Color LaserJet 2605/2605dn/2605dtn PS is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 08/21/2012   21:35:42

            Event String:

            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

         ......................... OURHOMESERVER failed test SystemLog

      Starting test: VerifyReferences

         ......................... OURHOMESERVER passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : ourdomain

      Starting test: CheckSDRefDom

         ......................... ourdomain passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ourdomain passed test

         CrossRefValidation

   
   Running enterprise tests on : ourdomain.local

      Starting test: LocatorCheck

         ......................... ourdomain.local passed test

         LocatorCheck

      Starting test: Intersite

         ......................... ourdomain.local passed test Intersite
##########################################################

Thanks
0
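
One way to triage dcdiag output like the one posted above, as an added example that is not part of the original thread: it rejoins the lines dcdiag wrapped, lists the failed tests, and groups the role-holder warnings and replication failures by the partner DC they name. The sample is a constructed, shortened excerpt in the shape of that output, the function name is an assumption, and the timestamp comparison assumes the ISO-style dates seen in the post.

```python
import re

# Constructed sample: shortened excerpt shaped like the dcdiag output in the
# post above, including lines that dcdiag wrapped mid-sentence.
SAMPLE = """\
      Starting test: KnowsOfRoleHolders
         Warning: OLDDOMAINCONTROLLER is the Schema Owner, but is not responding to DS
         RPC Bind.
         ......................... OURHOMESERVER failed test KnowsOfRoleHolders
      Starting test: Replications
         [Replications Check,OURHOMESERVER] A recent replication attempt failed:
            From OLDDOMAINCONTROLLER to OURHOMESERVER
            Naming Context: DC=DomainDnsZones,DC=ourdomain,DC=local
            The replication generated an error (1256):
            The remote system is not available.
            The last success occurred at 2012-04-06 14:52:49.
            3295 failures have occurred since the last success.
         [Replications Check,OURHOMESERVER] A recent replication attempt failed:
            From OLDDOMAINCONTROLLER to OURHOMESERVER
            Naming Context:
            CN=Schema,CN=Configuration,DC=ourdomain,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-08-21 21:01:00.
            The last success occurred at 2012-04-06 14:46:43.
            3295 failures have occurred since the last success.
         ......................... OURHOMESERVER failed test Replications
      Starting test: CrossRefValidation
         ......................... ourdomain passed test
         CrossRefValidation
"""

RESULT = re.compile(r"\.{5,} (\S+) (passed|failed) test (\w+)")
ROLE = re.compile(r"Warning: (\S+) is the ([\w ]+?) Owner, but is not responding")
SKIP = r"(?:(?!A recent replication attempt).)*?"  # stay inside one failure block
REPL = re.compile(
    r"From (\S+) to \S+ Naming Context: (\S+) "
    r"The replication generated an error \((\d+)\):" + SKIP +
    r"The last success occurred at ([\d-]+ [\d:]+)\." + SKIP +
    r"(\d+) failures have occurred")


def summarize(raw):
    """Return failed/passed tests and the partner DCs dcdiag could not reach."""
    text = " ".join(raw.split())  # rejoin wrapped lines before matching
    results = [m.groups() for m in RESULT.finditer(text)]
    partners = {}

    def entry(name):
        return partners.setdefault(name, {"roles": set(), "contexts": set(),
                                          "errors": set(), "failures": 0,
                                          "last_success": None})

    for name, role in ROLE.findall(text):
        entry(name)["roles"].add(role)
    for src, context, err, last_ok, count in REPL.findall(text):
        e = entry(src)
        e["contexts"].add(context)
        e["errors"].add(int(err))
        e["failures"] = max(e["failures"], int(count))
        # ISO-style timestamps sort correctly as strings; keep the oldest.
        e["last_success"] = min(filter(None, [e["last_success"], last_ok]))
    return {"failed": [(s, t) for s, r, t in results if r == "failed"],
            "passed": [(s, t) for s, r, t in results if r == "passed"],
            "partners": partners}


if __name__ == "__main__":
    print(summarize(SAMPLE)["partners"])
```

A partner that both owns an operations master role and has months of failed replication, as OLDDOMAINCONTROLLER does here, is the pattern the thread goes on to resolve by seizing the role and cleaning up the failed DC's metadata.
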
 
Michael Pfister Commented:
Hi,

glad it helped. If the Foundation server now finishes the compliance check, please accept the solution to close the question.
Thanks
0
 
johnkan (Author) Commented:
Hi mpfister

My problem now is that I'm not sure how to fully seize all of the roles and remove the references to the old domain controller that is long gone...

The foundation server doesn't seem to want to finish its compliance while our existing DC is still referring to the original 2003 DC.

Thanks heaps

John Kan
0
 
Exchange_Geek Commented:
You'll have to seize the FSMO Roles, how-to steps are defined in this link

Once done, you'll need to remove all instances of the other DC that doesn't
exist from your environment using link

Regards,
Exchange_Geek
0
 
Michael Pfister Commented:
Ah, sorry, I misunderstood that seizing the roles already helped :-)
Just follow Exchange_Geek's links ...
0
 
johnkan (Author) Commented:
Hi Exchange_Geek

I ran the seize process when I installed the new 2008 server and it seemed to return all of the right response messages.

How can I determine what roles the current DC already has ?

If I were to re-run the whole seize process again will I break the 2008 server ?

Thanks heaps
0
 
Michael Pfister Commented:
0
 
johnkan (Author) Commented:
Hi mpfister

OK, I see that currently my 2008 server has the PDC, Infrastructure, and RID roles.

When I used the MMC Active Directory snapin, I could see there the 'Schema Master' is offline and ERROR appears where a server name would normally appear.

Additionally, there is a change button that appears to let me change the Schema Master Role to my 2008 Server.

If I click this button will it actually seize the Schema Master role or is that a bit optimistic ??..

Thanks heaps
0
 
Michael Pfister Commented:
You can try, but I'm afraid it won't let you without the other DC. In that case you will have to use ntdsutil, as described in Exchange_Geek's link.
0
 
johnkan (Author) Commented:
Hi mpfister and Exchange_Geek

Sorry, I need to try this solution on a weekend just in case something goes wrong and I need time to correct it.

I will try seizing the schema master role on the 31/8, 7 days time.

I will post the outcome once I've completed it.

Sorry for the delay.

Thanks heaps
0
 
johnkan (Author) Commented:
Hi experts

I am about to try the seizing of the master schema role on my Win 2008 server.

At present it is set as a 'GC' DC type under the Active Directory Users and Computers.

The 2003 server that failed still appears as a 'DC'. If I remove the 2003 server will my GC domain controller also act as a DC in this domain? I have at present only one server, so I can only guess it would act as a GC and DC ??...

Thanks
0
 
johnkan (Author) Commented:
Hello mpfister and Exchange_Geek

OK, I have completed the seizing of the schema master role to my 2008 server.

The 2003 server that failed still appears as a DC in the list of domain controllers.

This server failed and will never be brought back online so I will remove it.

Is there anything else I should check or do before I do that? This will leave me with only my 2008 server which is currently a GC as a domain controller.

I'm guessing you can still have a win network that has just one server as everything for the Active Directory domain?

Thanks heaps
0
 
Exchange_Geek Commented:
You've already seized the roles (I'm assuming now all the roles belong to 2008) and then you'll have to clean up AD using ntdsutil.

That's it.

Regards,
Exchange_Geek
0
 
johnkan (Author) Commented:
Hi Exchange_Geek

If I remove the server using the Active Directory Users and Computers GUI would that have the same effect as using ntdsutil?

Thanks heaps
0
 
Michael Pfister Commented:
To be sure everything gets removed, use http://www.petri.co.il/delete_failed_dcs_from_ad.htm as Exchange_Geek posted
0
 
johnkan (Author) Commented:
Hi Exchange_Geek

OK, I've now run through the process using the instructions in the link supplied... http://www.petri.co.il/delete_failed_dcs_from_ad.htm

This seemed to run ok.

When I re-run dcdiag I don't get the bits that refer to the failed domain controller and also the tests run by dcdiag are now passed where previously they indicated failed replication tests.

I am now going to see if the 2008 Foundation server compliance check completes successfully.

I will update you as soon as I can tell if this has sorted my problem.

Thanks heaps
0
 
johnkan (Author) Commented:
Hello Experts

While I was waiting to determine whether or not my problem has been resolved I see that the 2008 Foundation server that is not completing its compliance check shows up in the computer section of the 'Active Directory User and Computers', but not under the Domain Controllers section yet.

Should the 2008 Foundation server appear as a Domain Controller ?

Thanks heaps
0
 
johnkan (Author) Commented:
Hello Experts...

I think I am still getting the same error message. It took 5 hours before the error message appeared again.

Not sure what to try next.

The DNS looks fine now.

The domain controller that is the only one on the network appears to be working fine for other computers and when I join new computers to the network, they do appear to be able to connect to the domain controller so, just not sure why the Foundation server is stating it can't contact a domain controller.

Would it be worth trying to remove the server from the domain and then re-joining it to the domain ?

Thanks heaps
0
 
Michael Pfister Commented:
http://www.windowsitpro.com/article/john-savills-windows-faqs/q-what-is-windows-server-2008-foundation-edition-

Features that are part of Windows Server 2008 Foundation include:
  - Active Directory: Foundation can be a domain controller (DC) in a domain only with other foundation server DCs (you can't mix Foundation DCs with non-Foundation DCs)

So in your scenario it can be a member server only.
0
 
Michael Pfister Commented:
Please execute

dcdiag /v > dcdiag.txt

on your DC and post the file best by attaching it (see the Attach File link below the edit box)
0
 
johnkan (Author) Commented:
Hi mpfister

OK file dcdiag output attached.

Thanks heaps
dcdiag.txt
0
 
Michael Pfister Commented:
Nothing unusual in dcdiag output, the NCSecDesc errors are normal if a domain controller isn't prepped for RODCs...

And you still get the compliance check error? Strange...

Just to make sure dns is ok, please run:

dcdiag /test:dns > diag_dns.txt
and post the result
0
 
Michael Pfister Commented:
0
 
johnkan (Author) Commented:
Hi mpfister

OK, I've attached the output of dcdiag /test:dns.

the dns it seems to fail on 203.171.32.70 and 203.171.36.70 are the ISP's dns servers.

Thanks heaps
diag-dns.txt
0
 
johnkan (Author) Commented:
Hi mpfister and exchange_geek

I think this problem might be solved now...I have not had the compliance message now for 3 days.

I am going to give it 3 more days and if I don't get the compliance message again I will be sure it has been resolved.

I will get back to you in 3 days time.

Thanks heaps
0
 
johnkan (Author) Commented:
Hello mpfister and exchange_geek

Well, for 4 days no messages about the compliance check not completing came up. It looked like the problem was resolved with the removal of the failed dns server from the forwarders section in DNS.

Today though, the error message regarding the compliance not being completed appeared again and indicated it would shut down in 9 days and 23 hours again...

Does anyone know where in the foundation server it tells me whether the compliance check actually completed ever?

Once the compliance check completes successfully, does it ever recheck at a later stage ?

I'm about ready to give up on this foundation server...not sure what else I can try next.

any final suggestions..

Thanks heaps
0
 
johnkan (Author) Commented:
Hello mpfister and exchange_geek

I am still sometimes getting the error message about the compliance check not completing, but it never seems to report that the time before shutting down will be anything other than 9 hours 23 minutes.

What happens if I add more users than the maximum number for a foundation server in future ?.

Thanks heaps
0
 
johnkan (Author) Commented:
Hi mpfister

OK, I've completed the change to the primary dns server as recommended.

Should the foundation server give me some form of success message to confirm the compliance has now been checked and is correct or do I just have to assume that if I don't keep getting the compliance message that all is now correct ?

Thanks heaps
0
 
Michael Pfister Commented:
Please rerun

dcdiag /test:dns > diag_dns.txt
and post the result

I believe it will check for compliance on a regular basis. So if you don't get compliance errors, all is ok.
0
 
johnkan (Author) Commented:
Hello mpfister

dcdiag completed much faster this time, maybe that's a good sign..

I've attached the output.

Thanks heaps
dcdiag-20101004.txt
0
 
Michael Pfister Commented:
Looks good. Just to make sure the previous DNS problems are gone, please run

dcdiag /test:dns > diag_dns.txt

and post the result.
0
 
johnkan (Author) Commented:
Hello mpfister

attached is the output of dcdiag /test:dns

looks a lot shorter than the last time I ran it.

thanks
dcdiagtestdns-20121005.txt
0
 
Michael Pfister Commented:
Looks good now. Let's cross fingers the Foundation server is happy now ... :-)
0
 
johnkan (Author) Commented:
Hello mpfister

Is there somewhere I can look on the foundation server that actually states it is currently compliant ?, or do I just need to see if the compliance check messages appear again ?

Thanks heaps
0
 
Michael Pfister Commented:
Haven't found a way to trigger the check... I'd just wait
0
 
johnkan (Author) Commented:
Hi mpfister

OK, will do.

Do you think if I don't get any further compliance check failure messages in say 3 days that's enough to say the compliance check has completed successfully ?

Thanks heaps
0
 
Michael Pfister Commented:
Yes, but this won't prevent it from getting "non-compliant" again, i.e. by creating more than 15 accounts...
0
 
johnkan (Author) Commented:
Hello mpfister

That's fine, at present there are only 10 users, not counting default windows server ones.

Thanks heaps
0
 
johnkan (Author) Commented:
Hello mpfister

Well it's been 6 days since I made the changes to the DNS and I have not seen any of the compliance check failure messages.

I think it's all good now.

Do you think that's safe to say ?

Thanks heaps
0
 
Michael Pfister Commented:
Yes, I think so too
0
 
johnkan (Author) Commented:
Hi mpfister

Right, I'm going to finally close this question.

Thanks heaps
0
Question has a verified solution.
