Solved

2008 Foundation server won't complete compliance check.

Posted on 2012-08-19
Last Modified: 2012-10-11
Hello

I have a new server which came with 2008 Foundation server.

I have joined it to the domain and the domain contains only 10 non-windows built-in users.

So far as I can see it meets the requirements for the Foundation server to complete its compliance checking but I keep getting something like the following message...

"The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller. If the license compliant check cannot be completed, the server will automatically shut down in 0 hour(s) 30 minute(s)."

My problem is I'm not sure how to determine what's causing this as I thought if I was able to join this server to the domain that it must have been able to contact the domain controller in the first place.

Any assistance is greatly appreciated in advance

Thanks
0
Question by:johnkan
44 Comments
 
LVL 29

Assisted Solution

by:Michael Pfister
Michael Pfister earned 1200 total points
ID: 38312116
On your domain controller, please execute

dcdiag > dcdiag.txt

remove personal information and post it here.
0
 
LVL 33

Assisted Solution

by:Exchange_Geek
Exchange_Geek earned 800 total points
ID: 38313784
It is either a DC issue, so you'd need to check the following

=> Dcdiag as suggested above
=> Netdiag /v
=> nltest /dsgetsite
=> check for errors in App / DS logs in event viewer
=> netdom query fsmo
=> we're hoping that this server isn't installed on child domains.

Regards,
Exchange_Geek
0
 

Author Comment

by:johnkan
ID: 38315597
Hello Experts

Ah, I think I see a potential problem. There used to be a 2003 AD Domain controller on this network before we introduced the 2008 Server.

The 2003 server actually failed and eventually would not start up at all.

We had to seize all of the roles which I thought was the end of it, but looking at the output of Dcdiag I can see the old DC is still mentioned prominently.

When we completed the seizing process, it all seemed to work ok.

Here is the output of the DCdiag.
##########################################################
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = OURHOMESERVER

   * Identified AD Forest.
   Ldap search capabality attribute search failed on server OLDDOMAINCONTROLLER, return

   value = 81
   Got error while checking if the DC is using FRS or DFSR. Error:

   Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail

   because of this error.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\OURHOMESERVER

      Starting test: Connectivity

         ......................... OURHOMESERVER passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\OURHOMESERVER

      Starting test: Advertising

         ......................... OURHOMESERVER passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... OURHOMESERVER passed test FrsEvent

      Starting test: DFSREvent

         ......................... OURHOMESERVER passed test DFSREvent

      Starting test: SysVolCheck

         ......................... OURHOMESERVER passed test SysVolCheck

      Starting test: KccEvent

         ......................... OURHOMESERVER passed test KccEvent

      Starting test: KnowsOfRoleHolders

         [OLDDOMAINCONTROLLER] DsBindWithSpnEx() failed with error 1722,

         The RPC server is unavailable..
         Warning: OLDDOMAINCONTROLLER is the Schema Owner, but is not responding to DS

         RPC Bind.

         Warning: OLDDOMAINCONTROLLER is the Schema Owner, but is not responding to LDAP

         Bind.

         ......................... OURHOMESERVER failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... OURHOMESERVER passed test MachineAccount

      Starting test: NCSecDesc

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=ourdomain,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=ourdomain,DC=local
         ......................... OURHOMESERVER failed test NCSecDesc

      Starting test: NetLogons

         ......................... OURHOMESERVER passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... OURHOMESERVER passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,OURHOMESERVER] A recent replication attempt failed:

            From OLDDOMAINCONTROLLER to OURHOMESERVER

            Naming Context: DC=ForestDnsZones,DC=ourdomain,DC=local

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

           

            The failure occurred at 2012-08-21 21:00:18.

            The last success occurred at 2012-04-06 14:46:43.

            3295 failures have occurred since the last success.

         [Replications Check,OURHOMESERVER] A recent replication attempt failed:

            From OLDDOMAINCONTROLLER to OURHOMESERVER

            Naming Context: DC=DomainDnsZones,DC=ourdomain,DC=local

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

           

            The failure occurred at 2012-08-21 21:00:18.

            The last success occurred at 2012-04-06 14:52:49.

            3295 failures have occurred since the last success.

         [Replications Check,OURHOMESERVER] A recent replication attempt failed:

            From OLDDOMAINCONTROLLER to OURHOMESERVER

            Naming Context:

            CN=Schema,CN=Configuration,DC=ourdomain,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2012-08-21 21:01:00.

            The last success occurred at 2012-04-06 14:46:43.

            3295 failures have occurred since the last success.

            The source remains down. Please check the machine.

         [Replications Check,OURHOMESERVER] A recent replication attempt failed:

            From OLDDOMAINCONTROLLER to OURHOMESERVER

            Naming Context: CN=Configuration,DC=ourdomain,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2012-08-21 21:00:39.

            The last success occurred at 2012-04-06 15:37:46.

            3295 failures have occurred since the last success.

            The source remains down. Please check the machine.

         [Replications Check,OURHOMESERVER] A recent replication attempt failed:

            From OLDDOMAINCONTROLLER to OURHOMESERVER

            Naming Context: DC=ourdomain,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2012-08-21 21:00:18.

            The last success occurred at 2012-04-06 15:40:39.

            3295 failures have occurred since the last success.

            The source remains down. Please check the machine.

         ......................... OURHOMESERVER failed test Replications

      Starting test: RidManager

         ......................... OURHOMESERVER passed test RidManager

      Starting test: Services

         ......................... OURHOMESERVER passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0xC004000B

            Time Generated: 08/21/2012   21:35:34

            Event String:

            The driver detected a controller error on \Device\Harddisk2\DR3.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 08/21/2012   21:35:35

            Event String:

            Driver Canon MP530 FAX required for printer Canon MP530 FAX is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 08/21/2012   21:35:36

            Event String:

            Driver CutePDF Writer required for printer CutePDF Writer is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 08/21/2012   21:35:36

            Event String:

            Driver Canon MP530 Series Printer required for printer Canon MP530 Series Printer is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 08/21/2012   21:35:39

            Event String:

            Driver HP Color LaserJet 2605/2605dn/2605dtn PS required for printer HP Color LaserJet 2605/2605dn/2605dtn PS is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 08/21/2012   21:35:42

            Event String:

            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

         ......................... OURHOMESERVER failed test SystemLog

      Starting test: VerifyReferences

         ......................... OURHOMESERVER passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : ourdomain

      Starting test: CheckSDRefDom

         ......................... ourdomain passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ourdomain passed test

         CrossRefValidation

   
   Running enterprise tests on : ourdomain.local

      Starting test: LocatorCheck

         ......................... ourdomain.local passed test

         LocatorCheck

      Starting test: Intersite

         ......................... ourdomain.local passed test Intersite
##########################################################

Thanks
0
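Added example (not part of the thread): a small Python triage of dcdiag output like the one posted above. It lists failed tests, role holders that do not answer, and replication links with the age of the last success, and it tolerates the blank and wrapped lines seen in the post. The sample text is a constructed excerpt; the function names and the 60-day threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: a shortened excerpt shaped like the dcdiag output in the
# post above, keeping the wrapped "Naming Context" and result lines.
SAMPLE = """
      Starting test: Connectivity
         ......................... OURHOMESERVER passed test Connectivity
      Starting test: KnowsOfRoleHolders
         Warning: OLDDOMAINCONTROLLER is the Schema Owner, but is not responding to DS
         RPC Bind.
         ......................... OURHOMESERVER failed test KnowsOfRoleHolders
      Starting test: Replications
         [Replications Check,OURHOMESERVER] A recent replication attempt failed:
            From OLDDOMAINCONTROLLER to OURHOMESERVER
            Naming Context:
            CN=Schema,CN=Configuration,DC=ourdomain,DC=local
            The replication generated an error (1722):
            The failure occurred at 2012-08-21 21:01:00.
            The last success occurred at 2012-04-06 14:46:43.
         ......................... OURHOMESERVER failed test Replications
         ......................... ourdomain.local passed test
         LocatorCheck
"""

RESULT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?$")
ROLE = re.compile(r"Warning:\s+(\S+) is the (.+?), but is not responding")
FROM = re.compile(r"From (\S+) to (\S+)$")
ERR = re.compile(r"generated an error \((\d+)\)")
WHEN = re.compile(r"The (failure|last success) occurred at ([\d-]+ [\d:]+)\.")
TS = "%Y-%m-%d %H:%M:%S"


def triage(text):
    """Return failed tests, unreachable role holders and failing replication links."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    report = {"failed_tests": [], "dead_role_holders": set(), "replication": []}
    link = None
    for i, ln in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if m := RESULT.search(ln):
            link = None
            if m.group(2) == "failed":
                # dcdiag wraps long result lines; the test name is then on the next line
                report["failed_tests"].append((m.group(1), m.group(3) or nxt))
        elif m := ROLE.search(ln):
            report["dead_role_holders"].add((m.group(1), m.group(2)))
        elif m := FROM.match(ln):
            link = {"source": m.group(1), "dest": m.group(2)}
            report["replication"].append(link)
        elif link is not None:
            if ln.startswith("Naming Context:"):
                link["nc"] = ln.split(":", 1)[1].strip() or nxt
            elif m := ERR.search(ln):
                link["error"] = int(m.group(1))
            elif m := WHEN.search(ln):
                link[m.group(1)] = datetime.strptime(m.group(2), TS)
    for link in report["replication"]:
        if "failure" in link and "last success" in link:
            link["days_stale"] = (link["failure"] - link["last success"]).days
    return report


def cleanup_candidates(report, min_days=60):
    """Servers that hold a role but do not answer AND have not replicated for
    min_days (assumed threshold): review these for role seizure and metadata cleanup."""
    dead = {server for server, _role in report["dead_role_holders"]}
    stale = {l["source"] for l in report["replication"]
             if l.get("days_stale", 0) >= min_days}
    return sorted(dead & stale)


if __name__ == "__main__":
    rep = triage(SAMPLE)
    print("failed tests:", rep["failed_tests"])
    print("cleanup candidates:", cleanup_candidates(rep))
```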

 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38315661
Hi,

glad it helped. If the Foundation server now finishes the compliance check, please accept the solution to close the question.
Thanks
0
 

Author Comment

by:johnkan
ID: 38315673
Hi mpfister

My problem now is that I'm not sure how to fully seize all of the roles and remove the references to the old domain controller that is long gone...

The foundation server doesn't seem to want to finish its compliance while our existing DC is still referring to the original 2003 DC.

Thanks heaps

John Kan
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38315703
You'll have to seize the FSMO Roles, how-to steps are defined in this link

Once done, you'll need to remove all instances of the other DC that doesn't
exist from your environment using link

Regards,
Exchange_Geek
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38315739
Ah, sorry, I misunderstood that seizing the roles already helped :-)
Just follow Exchange_Geeks links ...
0
 

Author Comment

by:johnkan
ID: 38315892
Hi Exchange_Geek

I ran the seize process when I installed the new 2008 server and it seemed to return all of the right response messages.

How can I determine what roles the current DC already has ?

If I were to re-run the whole seize process again will I break the 2008 server ?

Thanks heaps
0
 
LVL 29

Assisted Solution

by:Michael Pfister
Michael Pfister earned 1200 total points
ID: 38315913
0
 

Author Comment

by:johnkan
ID: 38315961
Hi mpfister

OK, I see that currently my 2008 server has the PDC, Infrastructure, and RID roles.

When I used the MMC Active Directory snapin, I could see there the 'Schema Master' is offline and ERROR appears where a server name would normally appear.

Additionally, there is a change button that appears to let me change the Schema Master Role to my 2008 Server.

If I click this button will it actually seize the Schema Master role or is that a bit optimistic ??..

Thanks heaps
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38315981
You can try, but I'm afraid it won't let you without the other DC. In that case you will have to use ntdsutil, as described in Exchange_Geek's link.
0
 

Author Comment

by:johnkan
ID: 38331508
Hi mpfister and Exchange_Geek

Sorry, I need to try this solution on a weekend just in case something goes wrong and I need time to correct it.

I will try seizing the schema master role on the 31/8, 7 days time.

I will post the outcome once I've completed it.

Sorry for the delay.

Thanks heaps
0
 

Author Comment

by:johnkan
ID: 38356362
Hi experts

I am about to try the seizing of the master schema role on my Win 2008 server.

At present it is set as a 'GC'  DC type under the Active Directory Users and Computers.

The 2003 server that failed still appears as a 'DC'. If I remove the 2003 server will my GC domain controller also act as a DC in this domain? I have at present only one server, so I can only guess it would act as a GC and DC ??...

Thanks
0
 

Author Comment

by:johnkan
ID: 38356381
Hello mpfister and Exchange_Geek

OK, I have completed the seizing of the schema master role to my 2008 server.

The 2003 server that failed still appears as a DC in the list of domain controllers.

This server failed and will never be brought back online so I will remove it.

Is there anything else I should check or do before I do that? This will leave me with only my 2008 server which is currently a GC as a domain controller.

I'm guessing you can still have a win network that has just one server as everything for the Active Directory domain?

Thanks heaps
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38356690
You've already seized the roles (I'm assuming now all the roles belong to 2008) and then you'll have to clean up AD using ntdsutil.

That's it.

Regards,
Exchange_Geek
0
 

Author Comment

by:johnkan
ID: 38356959
Hi Exchange_Geek

If I remove the server using the Active Directory Users and Computers gui would that have the same effect as using ntdsutil?

Thanks heaps
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38357279
To be sure everything gets removed, use http://www.petri.co.il/delete_failed_dcs_from_ad.htm as Exchange_Geek posted
0
 

Author Comment

by:johnkan
ID: 38371719
Hi Exchange_Geek

OK, I've now run through the process using the instructions in the link supplied... http://www.petri.co.il/delete_failed_dcs_from_ad.htm

This seemed to run ok.

When I re-run dcdiag I don't get the bits that refer to the failed domain controller and also the tests run by dcdiag are now passed where previously they indicated failed replication tests.

I am now going to see if the 2008 Foundation server compliance check completes successfully.

I will update you as soon as I can tell if this has sorted my problem.

Thanks heaps
0
 

Author Comment

by:johnkan
ID: 38374257
Hello Experts

While I was waiting to determine whether or not my problem has been resolved I see that the 2008 Foundation server that is not completing its compliance check shows up in the computer section of the 'Active Directory User and Computers', but not under the Domain Controllers section yet.

Should the 2008 Foundation server appear as a Domain Controller ?

Thanks heaps
0
 

Author Comment

by:johnkan
ID: 38380640
Hello Experts...

I think I am still getting the same error message. It took 5 hours before the error message appeared again.

Not sure what to try next.

The DNS looks fine now.

The domain controller that is the only one on the network appears to be working fine for other computers and when I join new computers to the network, they do appear to be able to connect to the domain controller so, just not sure why the Foundation server is stating it can't contact a domain controller.

Would it be worth trying to remove the server from the domain and then re-joining it to the domain ?

Thanks heaps
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38396045
http://www.windowsitpro.com/article/john-savills-windows-faqs/q-what-is-windows-server-2008-foundation-edition-

Features that are part of Windows Server 2008 Foundation include:
  - Active Directory: Foundation can be a domain controller (DC) in a domain only with other foundation server DCs (you can't mix Foundation DCs with non-Foundation DCs)

So in your scenario it can be a member server only.
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38396056
Please execute

dcdiag /v > dcdiag.txt

on your DC and post the file best by attaching it (see the Attach File link below the edit box)
0
 

Author Comment

by:johnkan
ID: 38398120
Hi mpfister

OK file dcdiag output attached.

Thanks heaps
dcdiag.txt
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38398226
Nothing unusual in dcdiag output, the NCSecDesc errors are normal if a domain controller isn't prepped for RODCs...

And you still get the compliance check error? Strange...

Just to make sure dns is ok, please run:

dcdiag /test:dns > diag_dns.txt
and post the result
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38398234
0
 

Author Comment

by:johnkan
ID: 38401464
Hi mpfister

OK, I've attached the output of dcdiag /test:dns.

The DNS it seems to fail on 203.171.32.70 and 203.171.36.70 are the ISP's DNS servers.

Thanks heaps
diag-dns.txt
0
 

Author Comment

by:johnkan
ID: 38427319
Hi mpfister and exchange_geek

I think this problem might be solved now...I have not had the compliance message now for 3 days.

I am going to give it 3 more days and if I don't get the compliance message again I will be sure it has been resolved.

I will get back to you in 3 days time.

Thanks heaps
0
 

Author Comment

by:johnkan
ID: 38444462
Hello mpfister and exchange_geek

Well, for 4 days no messages about the compliance check not completing came up. It looked like the problem was resolved with the removal of the failed dns server from the forwarders section in DNS.

Today though, the error message regarding the compliance not being completed appeared again and indicated it would shut down in 9 days and 23 hours again...

Does anyone know where in the foundation server it tells me whether the compliance check actually completed ever?

Once the compliance check completes successfully, does it ever recheck at a later stage?

I'm about ready to give up on this foundation server...not sure what else I can try next.

Any final suggestions..

Thanks heaps
0
 

Author Comment

by:johnkan
ID: 38461070
Hello mpfister and exchange_geek

I am still sometimes getting the error message about the compliance check not completing, but it never seems to report that the time before shutting down will be anything other than 9 hours 23 minutes.

What happens if I add more users than the maximum number for a foundation server in future?

Thanks heaps
0
 
LVL 29

Accepted Solution

by:
Michael Pfister earned 1200 total points
ID: 38462259
The primary DNS entry on the first NIC with TCP/IP v4 should point to the domain controller, not the ISP (on both the domain controller and the member server). The DNS server on your DC will be configured to hold DNS forwarders, in your case the ISP DNS to resolve names not belonging to your domain.
This misconfig is also the reason for the TEST: Records registration (RReg) failing.
So please modify both servers' NIC primary DNS entry to point to the real IP of the DC (on the DC do _not_ use 127.0.0.1). Then add the ISP's DNS as forwarder in your DNS server config on your DC.


Regarding licensing:
http://technet.microsoft.com/en-us/library/dd459191(v=ws.10).aspx

"you will receive a warning message if you exceed the fifteen-user limit."

You will be unlicensed then.
0
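Added example (not part of the thread): a Python check of `ipconfig /all` output against the advice in the accepted answer, that the first DNS server on the NIC is the domain controller's real IP and not the ISP or 127.0.0.1. The sample output is constructed; the DC address 192.168.1.10, the adapter name and the function names are assumptions.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt for the member server before the fix.
# 203.171.32.70 / 203.171.36.70 are the ISP resolvers named in the thread;
# the adapter name and the 192.168.1.x addresses are assumptions.
BEFORE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   DNS Servers . . . . . . . . . . . : 203.171.32.70
                                       203.171.36.70
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER = re.compile(r"^(\S.* adapter .+):\s*$")
DNS_FIRST = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
DNS_MORE = re.compile(r"^\s+([0-9A-Fa-f:.%]+)\s*$")


def dns_servers(ipconfig_text):
    """Map each adapter to its DNS servers, in the order Windows will try them."""
    result, adapter, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if m := ADAPTER.match(line):
            adapter, in_dns = m.group(1), False
            result[adapter] = []
        elif adapter and (m := DNS_FIRST.match(line)):
            result[adapter].append(m.group(1))
            in_dns = True
        elif adapter and in_dns and (m := DNS_MORE.match(line)):
            result[adapter].append(m.group(1))  # continuation line: address only
        else:
            in_dns = False
    return result


def audit_primary_dns(ipconfig_text, dc_ips):
    """Return (adapter, primary, reason) where the first resolver is not a DC's real IP."""
    dcs = {ipaddress.ip_address(ip) for ip in dc_ips}
    findings = []
    for adapter, servers in dns_servers(ipconfig_text).items():
        if not servers:
            continue  # tunnel or disconnected adapters list no DNS servers
        primary = ipaddress.ip_address(servers[0].split("%")[0])  # drop IPv6 scope id
        if primary.is_loopback:
            findings.append((adapter, str(primary), "loopback"))
        elif primary not in dcs:
            findings.append((adapter, str(primary), "not-a-dc"))
    return findings


if __name__ == "__main__":
    for finding in audit_primary_dns(BEFORE, ["192.168.1.10"]):
        print(finding)
```

Run it against saved `ipconfig /all` output from both the DC and the member server; an empty result means the primary resolver matches the advice above.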
 

Author Comment

by:johnkan
ID: 38462350
Hi mpfister

Ok, I've completed the change to the primary dns server as recommended.

Should the foundation server give me some form of success message to confirm the compliance has now been checked and is correct or do I just have to assume that if I don't keep getting the compliance message that all is now correct?

Thanks heaps
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38462463
Please rerun

dcdiag /test:dns > diag_dns.txt
and post the result

I believe it will check for compliance on a regular basis. So if you don't get compliance errors, all is ok.
0
 

Author Comment

by:johnkan
ID: 38462600
Hello mpfister

dcdiag completed much faster this time, maybe that's a good sign..

I've attached the output.

Thanks heaps
dcdiag-20101004.txt
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38462694
Looks good. Just to make sure the previous DNS problems are gone, please run

dcdiag /test:dns > diag_dns.txt

and post the result.
0
 

Author Comment

by:johnkan
ID: 38462810
Hello mpfister

Attached is the output of dcdiag /test:dns

Looks a lot shorter than the last time I ran it.

Thanks
dcdiagtestdns-20121005.txt
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38463082
Looks good now. Let's cross fingers the Foundation server is happy now ... :-)
0
 

Author Comment

by:johnkan
ID: 38465175
Hello mpfister

Is there somewhere I can look on the foundation server that actually states it is currently compliant ?, or do I just need to see if the compliance check messages appear again ?

Thanks heaps
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38466467
Haven't found a way to trigger the check... I'd just wait
0
 

Author Comment

by:johnkan
ID: 38469407
Hi mpfister

OK, will do.

Do you think if I don't get any further compliance check failure messages in say 3 days that's enough to say the compliance check has completed successfully?

Thanks heaps
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38471133
Yes, but this won't prevent it from getting "non-compliant" again, i.e. by creating more than 15 accounts...
0
 

Author Comment

by:johnkan
ID: 38471212
Hello mpfister

That's fine, at present there are only 10 users, not counting default windows server ones.

Thanks heaps
0
 

Author Comment

by:johnkan
ID: 38485464
Hello mpfister

Well it's been 6 days since I made the changes to the DNS and I have not seen any of the compliance check failure messages.

I think it's all good now.

Do you think that's safe to say?

Thanks heaps
0
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 38485479
Yes, I think so too
0
 

Author Comment

by:johnkan
ID: 38485493
Hi mpfister

Right, I'm going to finally close this question.

Thanks heaps
0
