Solved

Windows 2003 Forest & Domain Controllers

Posted on 2012-08-31
1,236 Views
Last Modified: 2012-09-05
We used to have two offices with two domain controllers at each site. We have moved offices and we are no longer connected to the other company. The network at the new site is now slow accessing the internet; I connected a computer directly to the router and the speed is quick. I ran dcdiag and errors appeared as expected. Does this have an impact on accessing the internet? How do I resolve this issue?
Question by:mail2clk
55 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38356000
How do you have DNS setup on your DCs?   Were they using forwarders, are those forwarders still accessible?

You should also try to cleanup the errors you find.

Thanks

Mike
0
 

Author Comment

by:mail2clk
ID: 38356049
On our site there is one dns setup on the main server with two forwarders (open dns).
0
 
LVL 5

Expert Comment

by:schima_cz
ID: 38356212
Check ping reply from Google DNS 8.8.8.8
After that, check reply time from your DNS server via nslookup
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38356249
How we should configure DNS on our DC:

Every DNS server should point to its own IP as the primary DNS and the DNS located in the remote site as the secondary DNS in TCP/IP properties
All unused NICs are to be disabled
Valid DNS IPs from the ISP are to be configured in DNS forwarders. Do not configure the local DNS in forwarders
Public DNS IPs should not be used on any NIC card except in forwarders
Domain Controllers should not be multi-homed
Running a VPN server and RRAS server makes the DC multihomed, refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;272294


If anything above is incorrect, please correct it, run "ipconfig /flushdns & ipconfig /registerdns" and restart the DNS service using "net stop dns & net start dns"

DNS best practices
http://technet.microsoft.com/en-us/library/cc778439(v=WS.10).aspx

Checklist: Deploying DNS for Active Directory
http://technet.microsoft.com/en-us/library/cc757116(v=ws.10)
0
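As an added example (not code from Sarang or anyone else in this thread), a Python audit that parses ipconfig /all text and checks it against the checklist above: only one NIC carrying an address, primary DNS equal to the DC's own IP, a secondary DNS present, and no public resolver on the NIC. Both samples are constructed; the first is modelled on the ipconfig output posted later in this thread, and "IPv4 Address" is accepted alongside the 2003-era "IP Address" label as an assumption about newer output.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample, modelled on the ipconfig /all output posted later in this
# thread: the DC's own IP first, the other site's DC (192.168.20.10) second.
SAMPLE_OK = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LVLO-01

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE
   IP Address. . . . . . . . . . . . : 192.168.10.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.10
                                       192.168.20.10
"""

# Constructed counter-example: a public resolver on the NIC and a second
# addressed adapter (multi-homed), both of which the checklist rules out.
SAMPLE_BAD = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC-EXAMPLE

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.10.11
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       192.168.10.11

Ethernet adapter Local Area Connection 2:

   IP Address. . . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 10.0.0.5
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# "   IP Address. . . . : value" -> ("IP Address", "value")
FIELD_RE = re.compile(r"^ {1,8}([A-Za-z][A-Za-z0-9 -]*?)[ .]*\s:\s*(.*)$")

def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter: {field: [values]}}; host-level fields live under ''."""
    adapters: Dict[str, Dict[str, List[str]]] = {"": {}}
    current, last_key = "", None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current, last_key = m.group(1), None
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key, value = m.group(1).strip(), m.group(2).strip()
            adapters[current].setdefault(last_key, [])
            if value:
                adapters[current][last_key].append(value)
        # A deeply indented line with no key continues the previous field;
        # this is how ipconfig lists the second DNS server.
        elif last_key and line.strip() and len(line) - len(line.lstrip()) > 8:
            adapters[current][last_key].append(line.strip())
    return adapters

def audit_dc_dns(text: str) -> List[str]:
    """Apply the thread's DNS checklist to one DC's ipconfig /all text."""
    adapters = parse_ipconfig(text)
    own_ips: Dict[str, List[str]] = {}
    for name, fields in adapters.items():
        ips = fields.get("IP Address", []) + fields.get("IPv4 Address", [])
        ips = [ip.split("(")[0].strip() for ip in ips]   # drop "(Preferred)"
        if name and ips:
            own_ips[name] = ips
    findings: List[str] = []
    if len(own_ips) > 1:                                # DC must not be multi-homed
        findings.append(f"multi-homed: {len(own_ips)} adapters carry an IP ({', '.join(own_ips)})")
    all_ips = {ip for ips in own_ips.values() for ip in ips}
    for name in own_ips:
        dns = adapters[name].get("DNS Servers", [])
        if not dns:
            findings.append(f"{name}: no DNS servers configured")
            continue
        if dns[0] not in all_ips:
            findings.append(f"{name}: primary DNS {dns[0]} is not this DC's own IP")
        if len(dns) < 2:
            findings.append(f"{name}: no secondary DNS (expected a DC in the other site)")
        for server in dns:
            if ipaddress.ip_address(server).is_global:
                findings.append(f"{name}: public resolver {server} on the NIC (forwarders only)")
    return findings
```

The checklist's forwarder rules live in the DNS server configuration, not in ipconfig output, so this audit covers only the TCP/IP side of the list.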
 

Author Comment

by:mail2clk
ID: 38356608
I followed the above steps, all of which are in place. Flushed, registered the DNS and restarted the service. When I do an nslookup on www.google.com it times out; then if I do it again I get the results. It's very random.
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38359060
Please run dcdiag /test:dns and post the result from DC
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38359199
If I understand correctly, there are now two DCs in the domain/forest? Have one DC point to the other for DNS, then use a forwarder to pass on external queries. Have your client PCs point to the DCs for DNS.

Is there a part of the domain, like another DC, that the existing DCs could be looking for, at the old site?
0
 

Author Comment

by:mail2clk
ID: 38359387
In the DNS there are a total of 4 name servers two for each site. The other site is not accessible.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38359415
Make sure no DNS-related or domain-related communication is destined for that other site. If the other site's DCs are in the domain database and are not needed anymore, they should be purged. All DCs will try to replicate at regular intervals, especially if they were in the same active directory site (they all are by default). Intersite replication has to be scheduled and configured explicitly.
0
 

Author Comment

by:mail2clk
ID: 38359463
Here are the results for the dcdiag
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.



C:\Documents and Settings\lvloadmin>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Connectivity
         ......................... LVLO-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Replications
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-01 to LVLO-01
            Naming Context: DC=DomainDnsZones,DC=lv,DC=local
            The replication generated an error (1256):
            Win32 Error 1256
            The failure occurred at 2012-09-02 23:02:05.
            The last success occurred at 2012-08-30 07:51:26.
            316 failures have occurred since the last success.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-02 to LVLO-01
            Naming Context: DC=DomainDnsZones,DC=lv,DC=local
            The replication generated an error (1256):
            Win32 Error 1256
            The failure occurred at 2012-09-02 23:02:28.
            The last success occurred at 2012-08-30 07:51:26.
            316 failures have occurred since the last success.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-01 to LVLO-01
            Naming Context: DC=ForestDnsZones,DC=lv,DC=local
            The replication generated an error (1256):
            Win32 Error 1256
            The failure occurred at 2012-09-02 23:02:05.
            The last success occurred at 2012-08-30 07:51:25.
            316 failures have occurred since the last success.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-02 to LVLO-01
            Naming Context: DC=ForestDnsZones,DC=lv,DC=local
            The replication generated an error (1256):
            Win32 Error 1256
            The failure occurred at 2012-09-02 23:02:28.
            The last success occurred at 2012-08-30 07:51:26.
            316 failures have occurred since the last success.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-02 to LVLO-01
            Naming Context: CN=Schema,CN=Configuration,DC=lv,DC=local
            The replication generated an error (8524):
            Win32 Error 8524
            The failure occurred at 2012-09-02 23:02:30.
            The last success occurred at 2012-08-30 07:51:25.
            316 failures have occurred since the last success.
            The guid-based DNS name c53188f0-ec2c-4235-a571-5a2343606da3._msdcs.
lv.local
            is not registered on one or more DNS servers.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-01 to LVLO-01
            Naming Context: CN=Schema,CN=Configuration,DC=lv,DC=local
            The replication generated an error (1722):
            Win32 Error 1722
            The failure occurred at 2012-09-02 23:02:51.
            The last success occurred at 2012-08-30 07:51:25.
            316 failures have occurred since the last success.
            [LVMA-01] DsBindWithSpnEx() failed with error 1722,
            Win32 Error 1722.
            The source remains down. Please check the machine.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-01 to LVLO-01
            Naming Context: CN=Configuration,DC=lv,DC=local
            The replication generated an error (1722):
            Win32 Error 1722
            The failure occurred at 2012-09-02 23:02:26.
            The last success occurred at 2012-08-30 07:51:20.
            316 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-02 to LVLO-01
            Naming Context: CN=Configuration,DC=lv,DC=local
            The replication generated an error (8524):
            Win32 Error 8524
            The failure occurred at 2012-09-02 23:02:28.
            The last success occurred at 2012-08-30 07:51:25.
            316 failures have occurred since the last success.
            The guid-based DNS name c53188f0-ec2c-4235-a571-5a2343606da3._msdcs.
lv.local
            is not registered on one or more DNS servers.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-01 to LVLO-01
            Naming Context: DC=lv,DC=local
            The replication generated an error (1722):
            Win32 Error 1722
            The failure occurred at 2012-09-02 23:02:05.
            The last success occurred at 2012-08-30 08:05:17.
            315 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-02 to LVLO-01
            Naming Context: DC=lv,DC=local
            The replication generated an error (8524):
            Win32 Error 8524
            The failure occurred at 2012-09-02 23:02:54.
            The last success occurred at 2012-08-30 07:51:25.
            316 failures have occurred since the last success.
            The guid-based DNS name c53188f0-ec2c-4235-a571-5a2343606da3._msdcs.
lv.local
            is not registered on one or more DNS servers.
         REPLICATION-RECEIVED LATENCY WARNING
         LVLO-01:  Current time is 2012-09-02 23:08:41.
            DC=DomainDnsZones,DC=lv,DC=local
               Last replication recieved from LVMA-01 at 2012-08-30 07:51:26.
               Last replication recieved from LVMA-02 at 2012-08-30 07:51:26.
            DC=ForestDnsZones,DC=lv,DC=local
               Last replication recieved from LVMA-01 at 2012-08-30 07:51:25.
               Last replication recieved from LVMA-02 at 2012-08-30 07:51:26.
            CN=Schema,CN=Configuration,DC=lv,DC=local
               Last replication recieved from LVMA-01 at 2012-08-30 07:51:25.
               Last replication recieved from LVMA-02 at 2012-08-30 07:51:25.
            CN=Configuration,DC=lv,DC=local
               Last replication recieved from LVMA-01 at 2012-08-30 07:51:20.
               Last replication recieved from LVMA-02 at 2012-08-30 07:51:24.
            DC=lv,DC=local
               Last replication recieved from LVMA-01 at 2012-08-30 08:05:17.
               Last replication recieved from LVMA-02 at 2012-08-30 07:59:20.
         REPLICATION-RECEIVED LATENCY WARNING
          Source site:
         CN=NTDS Site Settings,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=loca
l
          Current time: 2012-09-02 23:08:41
          Last update time: 2012-08-30 07:34:40
          Check if source site has an elected ISTG running.
          Check replication from source site to this server.
         ......................... LVLO-01 passed test Replications
      Starting test: NCSecDesc
         ......................... LVLO-01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... LVLO-01 passed test NetLogons
      Starting test: Advertising
         ......................... LVLO-01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: LVMA-01 is the Schema Owner, but is not responding to DS RPC B
ind.
         [LVMA-01] LDAP search failed with error 58,
         Win32 Error 58.
         Warning: LVMA-01 is the Schema Owner, but is not responding to LDAP Bin
d.
         Warning: LVMA-01 is the Domain Owner, but is not responding to DS RPC B
ind.
         Warning: LVMA-01 is the Domain Owner, but is not responding to LDAP Bin
d.
         Warning: LVMA-01 is the PDC Owner, but is not responding to DS RPC Bind
.
         Warning: LVMA-01 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: LVMA-01 is the Rid Owner, but is not responding to DS RPC Bind
.
         Warning: LVMA-01 is the Rid Owner, but is not responding to LDAP Bind.
         Warning: LVMA-01 is the Infrastructure Update Owner, but is not respond
ing to DS RPC Bind.
         Warning: LVMA-01 is the Infrastructure Update Owner, but is not respond
ing to LDAP Bind.
         ......................... LVLO-01 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... LVLO-01 failed test RidManager
      Starting test: MachineAccount
         ......................... LVLO-01 passed test MachineAccount
      Starting test: Services
         ......................... LVLO-01 passed test Services
      Starting test: ObjectsReplicated
         ......................... LVLO-01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... LVLO-01 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... LVLO-01 failed test frsevent
      Starting test: kccevent
         An Error Event occured.  EventID: 0xC0000566
            Time Generated: 09/02/2012   23:07:09
            Event String: The schedule attribute of the following site link
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/02/2012   23:07:09
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/02/2012   23:07:09
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/02/2012   23:07:09
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/02/2012   23:07:09
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) was
         ......................... LVLO-01 failed test kccevent
      Starting test: systemlog
         ......................... LVLO-01 passed test systemlog
      Starting test: VerifyReferences
         ......................... LVLO-01 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : lv
      Starting test: CrossRefValidation
         ......................... lv passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... lv passed test CheckSDRefDom

   Running enterprise tests on : lv.local
      Starting test: Intersite
         ......................... lv.local passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... lv.local failed test FsmoCheck

C:\Documents and Settings\lvloadmin>
0
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 748 total points
ID: 38359475
You have a replication problem. It looks like some of the FSMOs are in the remote site. You need to either reconnect to the remote site and transfer them back or seize them to your remaining DC.

http://support.microsoft.com/kb/2200187
0
 
LVL 18

Assisted Solution

by:Sarang Tinguria
Sarang Tinguria earned 1252 total points
ID: 38359504
That's correct, you have replication issues.
Can you post the output of the following to dig it out further:
dcdiag /test:dns
repadmin /replsum
ipconfig /all
netdom query FSMO

Note: Do not paste here, just attach a text file so the thread doesn't go long
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38359514
Furthermore, I guess both your DCs are no longer connected to each other on the network and you don't want the other DC anymore. Correct me if I am wrong.
0
 

Author Comment

by:mail2clk
ID: 38360139
Dcdiag /test:dns
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\lvloadmin>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Connectivity
         ......................... LVLO-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LVLO-01

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : lv

   Running enterprise tests on : lv.local
      Starting test: DNS
         Test results for domain controllers:

            DC: LVLO-01.lv.local
            Domain: lv.local


               TEST: Basic (Basc)
                  Warning: adapter [00000007] Broadcom BCM5708C NetXtreme II Gig
E (NDIS VBD Client) has invalid DNS server: 192.168.20.10 (<name unavailable>)

               TEST: Delegations (Del)
                  Warning: DNS server: lvma-01.lv.local. IP: <Unavailable> Failu
re:Missing glue A record

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
lv.local.

         Summary of test results for DNS servers used by the above domain contro
llers:

            DNS server: 192.168.20.10 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.168.20.10
               Name resolution is not functional. _ldap._tcp.lv.local. failed on
 the DNS server 192.168.20.10

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: lv.local
               LVLO-01                      PASS WARN PASS FAIL WARN PASS n/a

         ......................... lv.local failed test DNS

C:\Documents and Settings\lvloadmin>


repadmin /replsum

C:\Documents and Settings\lvloadmin>repadmin /replsum
Replication Summary Start Time: 2012-09-03 08:49:41

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %%  error
 LVLO-01                   14m:20s    0 /   5    0
 LVLO-02                   02m:36s    0 /   5    0
 LVMA-01           04d.10h:10m:36s   10 /  10  100  (8524) Can't retrieve me...
 LVMA-02           04d.10h:10m:37s   10 /  10  100  (8524) Can't retrieve me...


Destination DC    largest delta    fails/total  %%  error
 LVLO-01           04d.00h:58m:21s   10 /  15   66  (1722) Can't retrieve me...
 LVLO-02           04d.10h:10m:37s   10 /  15   66  (8524) Can't retrieve me...


Experienced the following operational errors trying to retrieve replication info
rmation:
          58 - lvma-01.lv.local
          58 - lvma-02.lv.local

C:\Documents and Settings\lvloadmin>


ipconfig /all

C:\Documents and Settings\lvloadmin>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : LVLO-01
   Primary Dns Suffix  . . . . . . . : lv.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lv.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client)
   Physical Address. . . . . . . . . : 00-1D-09-25-34-82
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.10
                                       192.168.20.10
   Primary WINS Server . . . . . . . : 192.168.10.10

C:\Documents and Settings\lvloadmin>

netdom query FSMO

C:\Documents and Settings\lvloadmin>netdom query FSMO
Schema owner                lvma-01.lv.local

Domain role owner           lvma-01.lv.local

PDC role                    lvma-01.lv.local

RID pool manager            lvma-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>
0
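An added example, not from any participant in this thread: a Python parser for the repadmin /replsum text posted above that flags source DCs with 100% failures and an old largest delta (the stale partners the following answers say to reconnect or remove) and expands the Win32 codes seen in this thread. The sample text is constructed in the shape of the output above, including its console wrap.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the repadmin /replsum output posted above
# (the console wrap inside "information:" is kept on purpose).
SAMPLE_REPLSUM = """\
Source DC           largest delta  fails/total  %%  error
 LVLO-01                   14m:20s    0 /   5    0
 LVLO-02                   02m:36s    0 /   5    0
 LVMA-01           04d.10h:10m:36s   10 /  10  100  (8524) Can't retrieve me...
 LVMA-02           04d.10h:10m:37s   10 /  10  100  (8524) Can't retrieve me...

Destination DC    largest delta    fails/total  %%  error
 LVLO-01           04d.00h:58m:21s   10 /  15   66  (1722) Can't retrieve me...
 LVLO-02           04d.10h:10m:37s   10 /  15   66  (8524) Can't retrieve me...

Experienced the following operational errors trying to retrieve replication info
rmation:
          58 - lvma-01.lv.local
          58 - lvma-02.lv.local
"""

# Standard Win32 error text for the codes that appear in this thread.
WIN32_ERRORS = {
    58: "The specified server cannot perform the requested operation",
    1256: "The remote system is not available",
    1722: "The RPC server is unavailable",
    8524: "The DSA operation is unable to proceed because of a DNS lookup failure",
}

DELTA_RE = re.compile(r"^(?:(\d+)d\.)?(?:(\d+)h:)?(\d+)m:(\d+)s$")
# name, largest delta, fails / total, percent, optional "(code)"
ROW_RE = re.compile(r"^\s*(\S+)\s+(>60 days|\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)(?:\s+\((\d+)\))?")
OPERR_RE = re.compile(r"^\s*(\d+) - (\S+)\s*$")

@dataclass
class ReplRow:
    name: str
    delta_seconds: int          # age of the oldest change not yet replicated
    fails: int
    total: int
    percent: int
    error: Optional[int]        # Win32 code shown in parentheses, if any

@dataclass
class ReplSummary:
    sources: List[ReplRow] = field(default_factory=list)
    destinations: List[ReplRow] = field(default_factory=list)
    operational_errors: List[Tuple[int, str]] = field(default_factory=list)

def parse_delta(text: str) -> int:
    """'04d.10h:10m:36s' -> seconds; repadmin prints '>60 days' past two months."""
    if text.startswith(">"):
        return 60 * 86400
    m = DELTA_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised delta {text!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def parse_replsum(text: str) -> ReplSummary:
    summary, section = ReplSummary(), None
    for line in text.splitlines():
        if line.startswith("Source DC"):
            section = summary.sources
        elif line.startswith("Destination DC"):
            section = summary.destinations
        elif line.startswith("Experienced the following operational errors"):
            section = summary.operational_errors
        elif section is summary.operational_errors:
            m = OPERR_RE.match(line)          # wrapped header remnants do not match
            if m:
                section.append((int(m.group(1)), m.group(2)))
        elif section is not None and line.strip():
            m = ROW_RE.match(line)
            if m:
                name, delta, fails, total, pct, err = m.groups()
                section.append(ReplRow(name, parse_delta(delta), int(fails),
                                       int(total), int(pct), int(err) if err else None))
    return summary

def stale_sources(summary: ReplSummary, max_age_hours: int = 24) -> List[str]:
    """Source DCs that fail every attempt and whose oldest unreplicated change is
    older than the threshold: the partners to reconnect or clean up."""
    return [r.name for r in summary.sources
            if r.total and r.fails == r.total and r.delta_seconds > max_age_hours * 3600]

def describe_errors(summary: ReplSummary) -> List[str]:
    """Each distinct error code with its standard meaning and the DCs it touched."""
    hosts: Dict[int, set] = {}
    for r in summary.sources + summary.destinations:
        if r.error is not None:
            hosts.setdefault(r.error, set()).add(r.name)
    for code, host in summary.operational_errors:
        hosts.setdefault(code, set()).add(host)
    return [f"{code}: {WIN32_ERRORS.get(code, 'unknown')} [{', '.join(sorted(h))}]"
            for code, h in sorted(hosts.items())]
```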
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38360805
"      DNS server: 192.168.20.10 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.168.20.10
               Name resolution is not functional. _ldap._tcp.lv.local. failed on
 the DNS server 192.168.20.10
"

20.10, or the use of it, is a problem. Try another DNS server. Remove LVMA-01/02 from the domain.
0
 
LVL 18

Accepted Solution

by:Sarang Tinguria
Sarang Tinguria earned 1252 total points
ID: 38361330
There seem to be multiple issues on your site
1) FSMOs are not contactable by the DC, so seize them on the live/healthy DC using the link below
http://www.petri.co.il/seizing_fsmo_roles.htm

2) There are stale servers in your domain which are not replicating to each other, which seem to be LVMA-01 & LVMA-02. So try establishing a link so they can replicate, else use the links below to force removal and do metadata cleanup
Forceful removal of DC:
http://support.microsoft.com/kb/332199

Metadata cleanup:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

3) DNS is not properly configured on the DC
Refer to my earlier post for DNS best practices and remove or check connectivity/status of 192.168.20.10
0
 

Author Comment

by:mail2clk
ID: 38364110
I am about to seize the roles. According to Petri's website, the Infrastructure Master should not be on the same domain controller as the Global Catalog. On both our servers the GC is enabled. I do not want to lose the Global Catalog. What steps should I take to install the Infrastructure Master and onto which server?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38364366
0
 

Author Comment

by:mail2clk
ID: 38364409
The current operation master is not contactable, both now and in the future. Can I seize the role on the second domain controller and then disable the global catalog on that server?

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %%  error
 LVLO-01                   04m:03s    0 /   5    0
 LVLO-02                   07m:17s    0 /   5    0
 LVMA-01           05d.18h:30m:18s   10 /  10  100  (8524) Can't retrieve me...
 LVMA-02           05d.18h:30m:19s   10 /  10  100  (8524) Can't retrieve me...


Destination DC    largest delta    fails/total  %%  error
 LVLO-01           05d.09h:18m:03s   10 /  15   66  (1722) Can't retrieve me...
 LVLO-02           05d.18h:30m:19s   10 /  15   66  (8524) Can't retrieve me...


Experienced the following operational errors trying to retrieve replication info
rmation:
          58 - lvma-01.lv.local
          58 - lvma-02.lv.local
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38364471
Each time a FSMO transfer operation is attempted, including seizing, the current FSMO owner will be solicited. If that machine cannot be contacted, it will throw an error. Seizing is your only option if the current owner cannot be contacted.
0
 

Author Comment

by:mail2clk
ID: 38364498
Should I disable the Global Catalog on the server before seizing the Infrastructure Master?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38364518
I have had both features enabled on a DC. It is the default for Small Business Server, where only one DC is permitted. All domains/forests start out with all roles on the same machine that is also a GC. Up to you, really, but I don't see how you have any other option. If you have two working DCs, make one a GC and give the other the infrastructure master role.
0
 

Author Comment

by:mail2clk
ID: 38364594
I've seized the roles but am having problems with the metadata cleanup. Please see below
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\lvloadmin>netdom query fsmo
Schema owner                lvma-01.lv.local

Domain role owner           lvma-01.lv.local

PDC role                    lvma-01.lv.local

RID pool manager            lvma-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>c:/
'c:/' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\lvloadmin>cd c:\

C:\>cd windows

C:\WINDOWS>ntdsutil:
'ntdsutil:' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server lvlo-01
Binding to lvlo-01 ...
Connected to lvlo-01 using credentials of locally logged on user.
server connections: q
fsmo maintenance: ?

 ?                             - Show this help information
 Connections                   - Connect to a specific domain controller
 Help                          - Show this help information
 Quit                          - Return to the prior menu
 Seize domain naming master    - Overwrite domain role on connected server
 Seize infrastructure master   - Overwrite infrastructure role on connected serv
er
 Seize PDC                     - Overwrite PDC role on connected server
 Seize RID master              - Overwrite RID role on connected server
 Seize schema master           - Overwrite schema role on connected server
 Select operation target       - Select sites, servers, domains, roles and
                                 naming contexts
 Transfer domain naming master - Make connected server the domain naming master
 Transfer infrastructure master - Make connected server the infrastructure maste
r
 Transfer PDC                  - Make connected server the PDC
 Transfer RID master           - Make connected server the RID master
 Transfer schema master        - Make connected server the schema master

fsmo maintenance:
fsmo maintenance: seize domain naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210333, problem 5002 (UN
AVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
Server "lvlo-01" knows about 5 roles
Schema - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configurat
ion,DC=lv,DC=local
Domain - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=lv,DC=local
PDC - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration
,DC=lv,DC=local
RID - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration
,DC=lv,DC=local
Infrastructure - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Co
nfiguration,DC=lv,DC=local
fsmo maintenance: seize pdc
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321051A, problem 5002 (UN
AVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure ...
Server "lvlo-01" knows about 5 roles
Schema - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configurat
ion,DC=lv,DC=local
Domain - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=lv,DC=local
PDC - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=lv,DC=local
RID - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration
,DC=lv,DC=local
Infrastructure - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Co
nfiguration,DC=lv,DC=local
fsmo maintenance: seize rid master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321092B, problem 5002 (UN
AVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "lvlo-01" knows about 5 roles
Schema - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configurat
ion,DC=lv,DC=local
Domain - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=lv,DC=local
PDC - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=lv,DC=local
RID - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=lv,DC=local
Infrastructure - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Co
nfiguration,DC=lv,DC=local
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210333, problem 5002 (UN
AVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
Server "lvlo-01" knows about 5 roles
Schema - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=lv,DC=local
Domain - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=lv,DC=local
PDC - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=lv,DC=local
RID - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=lv,DC=local
Infrastructure - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Co
nfiguration,DC=lv,DC=local
fsmo maintenance: q
ntdsutil: q
Disconnecting from lvlo-01...

C:\WINDOWS>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: lvlo-01
Error 80070057 parsing input - illegal syntax?
server connections: connect to server lvlo-01
Binding to lvlo-01 ...
Connected to lvlo-01 using credentials of locally logged on user.
server connections: q
metadata cleanup: list domains
Error 80070057 parsing input - illegal syntax?
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=lv,DC=local
select operation target: 0
Error 80070057 parsing input - illegal syntax?
select operation target: 0
Error 80070057 parsing input - illegal syntax?
select operation target: list sites
Found 2 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lv,DC=local
1 - CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
select operation target: 1
Error 80070057 parsing input - illegal syntax?
select operation target: 1
Error 80070057 parsing input - illegal syntax?
select operation target:
0
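The ntdsutil session above is a good record of what goes wrong with the interactive menus: "Error 80070057 parsing input - illegal syntax?" appears whenever a bare name or number is typed where the menu expects a full command ("connect to server lvlo-01", "select domain 0", "select site 1"). The transcript also leaves the Infrastructure role on lvma-01 (confirmed by the netdom output further down). The script below is an added example, not part of the original thread, showing the same work done non-interactively so each step is reviewable and repeatable. It assumes ntdsutil.exe from Windows Server 2003 SP1 or later (which accepts "remove selected server <DN>" directly), PowerShell installed on the DC (each line also works one at a time at a cmd prompt), and an account in Enterprise Admins (needed for the Schema role) run on a machine that can reach lvlo-01. The server and site names are taken from the thread.

```powershell
# Added example (not from the thread): finish the FSMO seizure on lvlo-01 and
# remove the dead Boston DCs' metadata without the interactive ntdsutil menus.
# Assumes: Windows Server 2003 SP1+ ntdsutil.exe, Enterprise Admins credentials,
# PowerShell available on the DC. Names below are the ones used in the thread.
$Server  = 'lvlo-01'
$DeadDcs = @(
    'CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local',
    'CN=LVMA-02,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local'
)

# 1. Roles before the change. In the thread, netdom still showed
#    "Infrastructure owner  lvma-01.lv.local" after the PDC/RID/Schema seizures.
netdom query fsmo

# 2. Seize the remaining role. ntdsutil first attempts a graceful transfer and
#    falls back to seizure when the holder cannot be contacted (the RPC 1722 /
#    0x20af errors above). Each seizure still raises a Yes/No confirmation dialog.
ntdsutil 'roles' 'connections' "connect to server $Server" 'q' `
         'seize infrastructure master' 'q' 'q'

# 3. Remove each unreachable DC by its server DN. This deletes the NTDS Settings
#    object (and the replication links that fed the 100% failure rows in
#    repadmin /replsum); the empty server object and the Boston site are then
#    removed by hand in dssite.msc, and its DNS records by hand in the DNS console.
foreach ($dn in $DeadDcs) {
    ntdsutil 'metadata cleanup' 'connections' "connect to server $Server" 'q' `
             "remove selected server $dn" 'q' 'q'
}

# 4. Verify: all five roles on live DCs, and no Boston DC left as a source or
#    destination in the replication summary.
netdom query fsmo
repadmin /replsum
```

Two checks worth doing before step 2: confirm with repadmin /replsum that lvma-01 and lvma-02 are the only partners failing (so you are seizing from a dead DC, not a partitioned one), and confirm that lvlo-01 has replicated recently with lvlo-02, since the RID seizure takes the highest RID pool the surviving DCs know about. After the seizure the former holders must never be reconnected to this network; if lvma-01 ever comes back it still believes it owns the PDC, RID and Schema roles, and two RID masters handing out overlapping pools produce duplicate SIDs. Rebuild those machines from scratch rather than re-promote them.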
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38364597
As you have only one or two servers, you may keep both the GC and the infrastructure master on the same server with no further issues.
0
 

Author Comment

by:mail2clk
ID: 38364611
Is it OK to manually delete the DNS-related entries in the DNS server?

repadmin /replsum
Replication Summary Start Time: 2012-09-04 17:09:23

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %%  error
 LVLO-01                   04m:03s    0 /   5    0
 LVLO-02                   07m:17s    0 /   5    0
 LVMA-01           05d.18h:30m:18s   10 /  10  100  (8524) Can't retrieve me...
 LVMA-02           05d.18h:30m:19s   10 /  10  100  (8524) Can't retrieve me...


Destination DC    largest delta    fails/total  %%  error
 LVLO-01           05d.09h:18m:03s   10 /  15   66  (1722) Can't retrieve me...
 LVLO-02           05d.18h:30m:19s   10 /  15   66  (8524) Can't retrieve me...


Experienced the following operational errors trying to retrieve replication info
rmation:
          58 - lvma-01.lv.local
          58 - lvma-02.lv.local

C:\Documents and Settings\lvloadmin>netdom query fsmo
Schema owner                lvma-01.lv.local

Domain role owner           LVLO-01.lv.local

PDC role                    lvma-01.lv.local

RID pool manager            lvma-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>netdom query fsmo
Schema owner                lvma-01.lv.local

Domain role owner           LVLO-01.lv.local

PDC role                    LVLO-01.lv.local

RID pool manager            lvma-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>netdom query fsmo
Schema owner                lvma-01.lv.local

Domain role owner           LVLO-01.lv.local

PDC role                    LVLO-01.lv.local

RID pool manager            LVLO-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>netdom query fsmo
Schema owner                LVLO-01.lv.local

Domain role owner           LVLO-01.lv.local

PDC role                    LVLO-01.lv.local

RID pool manager            LVLO-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Connectivity
         ......................... LVLO-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LVLO-01

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : lv

   Running enterprise tests on : lv.local
      Starting test: DNS
         Test results for domain controllers:

            DC: LVLO-01.lv.local
            Domain: lv.local


               TEST: Delegations (Del)
                  Warning: DNS server: lvma-01.lv.local. IP: <Unavailable> Failu
re:Missing glue A record

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
lv.local.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: lv.local
               LVLO-01                      PASS PASS PASS FAIL WARN PASS n/a

         ......................... lv.local failed test DNS
0
 

Author Comment

by:mail2clk
ID: 38364624
Can I delete the Boston site manually since the metadata cleanup is not working?
0
 
LVL 18

Assisted Solution

by:Sarang Tinguria
Sarang Tinguria earned 1252 total points
ID: 38364656
Deleting the site would not be enough. What's the error you are getting while performing the metadata cleanup? The Petri link for metadata cleanup has steps with screenshots showing where you should delete the DNS entries.
0
 

Author Comment

by:mail2clk
ID: 38364681
I selected the options incorrectly. I've successfully removed the servers. repadmin /replsum shows valid information now, but dcdiag /test:dns fails.
0
 

Author Comment

by:mail2clk
ID: 38364691
There is still information in AD Sites & Services relating to Boston and entries in the DNS Server. What should I do next?

>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Connectivity
         ......................... LVLO-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LVLO-01

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : lv

   Running enterprise tests on : lv.local
      Starting test: DNS
         Test results for domain controllers:

            DC: LVLO-01.lv.local
            Domain: lv.local


               TEST: Delegations (Del)
                  Warning: DNS server: lvma-01.lv.local. IP: <Unavailable> Failu
re:Missing glue A record

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
lv.local.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: lv.local
               LVLO-01                      PASS PASS PASS FAIL WARN PASS n/a

         ......................... lv.local failed test DNS
0
 

Author Comment

by:mail2clk
ID: 38364694
Additional information

repadmin /replsum
Replication Summary Start Time: 2012-09-04 18:15:34

Beginning data collection for replication summary, this may take awhile:
  .....


Source DC           largest delta  fails/total  %%  error
 LVLO-01                   10m:14s    0 /   5    0
 LVLO-02                   13m:28s    0 /   5    0


Destination DC    largest delta    fails/total  %%  error
 LVLO-01                   13m:28s    0 /   5    0
 LVLO-02                   10m:14s    0 /   5    0
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38364721
Looking better!
0
 

Author Comment

by:mail2clk
ID: 38364734
How do I deal with the leftover sites and DNS information? Also, how do I resolve the dcdiag /test:dns failure?
0
 
LVL 18

Assisted Solution

by:Sarang Tinguria
Sarang Tinguria earned 1252 total points
ID: 38364748
Now delete the server from dssite.msc for which you have performed the metadata cleanup, and make sure prior to deleting it that no NTDS Settings object is still associated with it.

Make sure DNS points to itself only as the primary DNS server and to the remote server as secondary in both servers' NIC properties, then run:

    ipconfig /flushdns & ipconfig /registerdns

    net stop netlogon & net start netlogon
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38364750
0
 

Author Comment

by:mail2clk
ID: 38364793
Getting there. dcdiag /test:dns is still failing. Can I delete the DNS entries for the Boston site in the DNS server?

C:\support tools>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Connectivity
         ......................... LVLO-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LVLO-01

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : lv

   Running enterprise tests on : lv.local
      Starting test: DNS
         Test results for domain controllers:

            DC: LVLO-01.lv.local
            Domain: lv.local


               TEST: Delegations (Del)
                  Warning: DNS server: lvma-01.lv.local. IP: <Unavailable> Failu
re:Missing glue A record

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
lv.local.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: lv.local
               LVLO-01                      PASS PASS PASS FAIL WARN PASS n/a

         ......................... lv.local failed test DNS

C:\support tools>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Connectivity
         ......................... LVLO-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LVLO-01

DNS Tests are running and not hung. Please wait a few minutes...
0
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 748 total points
ID: 38364815
I would remove all DNS records that reference any of the old DCs. This can be time-consuming as there are dozens for each DC.
0
 

Author Comment

by:mail2clk
ID: 38364865
I have an entry under _msdcs; I cannot delete it, only the actual _msdcs container. I have removed all the other entries.
0
 
LVL 18

Assisted Solution

by:Sarang Tinguria
Sarang Tinguria earned 1252 total points
ID: 38364867
Delete the NS entries of the old DCs from _msdcs and lv.local in your DNS console.
0
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 748 total points
ID: 38364881
I wouldn't delete containers in DNS, just the records (A, SRV) for the old DCs.
0
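The two answers above (remove every record referencing the old DCs; delete the NS entries under _msdcs and at the zone apex, but not the containers) describe a manual sweep through the DNS console. The script below is an added example, not from the thread, that does the same audit programmatically so nothing is missed: it lists every record in every zone on the server that is either owned by a decommissioned DC (its A record) or whose data points at one (NS at the zone apex and at the _msdcs delegation node, the SRV records under _tcp/_udp/_sites/_msdcs, the DSA-GUID CNAME under _msdcs), and only deletes them once you flip the switch. It uses the DNS Server WMI provider (root\MicrosoftDNS), which ships with the DNS role on Windows Server 2003 and later; the server, domain and DC names are the thread's, and membership in DnsAdmins or Domain Admins is assumed.

```powershell
# Added example (not from the thread): find, then remove, DNS records that still
# reference decommissioned domain controllers. Uses the DNS Server WMI provider
# (root\MicrosoftDNS, Windows Server 2003+). Assumes DnsAdmins/Domain Admins rights.
$DnsServer = 'lvlo-01'
$Domain    = 'lv.local'
$OldDcs    = @('lvma-01', 'lvma-02')   # DCs of the dismantled Boston site
$Remove    = $false                    # dry run; set $true after reviewing the report

# Records OWNED by an old DC: its host (A) record, e.g. lvma-01.lv.local
$escaped      = ($OldDcs | ForEach-Object { [regex]::Escape($_) }) -join '|'
$ownerPattern = "^($escaped)\."
# Records whose DATA names an old DC: NS "lvma-01.lv.local.", SRV "0 100 389 lvma-01.lv.local.",
# CNAME "<dsa-guid>._msdcs -> lvma-01.lv.local."
$dataPattern  = "(^|\s)($escaped)\." + [regex]::Escape($Domain) + '\.?$'

$stale = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
             -Class MicrosoftDNS_ResourceRecord |
    Where-Object {
        $_.ContainerName -notlike '..*' -and     # skip ..Cache and ..RootHints
        ($_.OwnerName -match $ownerPattern -or $_.RecordData -match $dataPattern)
    }

# Report: zone, owner, record type (WMI class MicrosoftDNS_<Type>Type), data.
# Containers are never touched; only the listed records are candidates for deletion.
$stale | ForEach-Object {
    $type = $_.__CLASS -replace '^MicrosoftDNS_', '' -replace 'Type$', ''
    '{0,-18} {1,-48} {2,-6} {3}' -f $_.ContainerName, $_.OwnerName, $type, $_.RecordData
}
"Found $(@($stale).Count) stale record(s) on $DnsServer"

if ($Remove) {
    foreach ($rr in $stale) {
        Write-Host "Deleting: $($rr.TextRepresentation)"
        $rr.Delete()
    }
    # Re-register the live DC's own records, then re-test. The Delegations (Del)
    # failure ("Missing glue A record" for lvma-01) clears once no NS record under
    # _msdcs names a server that has no A record.
    ipconfig /registerdns | Out-Null
    dcdiag /test:dns
}
```

Run it once with $Remove left at $false and read the report: every line should name lvma-01 or lvma-02. The reason the stale _msdcs NS record mattered for web browsing is visible in the nslookup output later in the thread: the first query for www.google.com times out and the retry succeeds, which is what a resolver does when one of the servers listed for a delegation is unreachable and it has to fall back to the next. With AD-integrated zones the deletions replicate to lvlo-02 on their own; if the zones are file-backed, run the script against each DNS server.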
 

Author Comment

by:mail2clk
ID: 38364908
I am having slow access to websites. I believe it is dns related.

Default Server:  lvlo-01.lv.local
Address:  192.168.10.10

www.google.com
Server:  lvlo-01.lv.local
Address:  192.168.10.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to lvlo-01.lv.local timed-out
>
0
 

Author Comment

by:mail2clk
ID: 38364912
If I do an nslookup a second time it works.

Default Server:  lvlo-01.lv.local
Address:  192.168.10.10

www.google.com
Server:  lvlo-01.lv.local
Address:  192.168.10.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to lvlo-01.lv.local timed-out
www.google.com
Server:  lvlo-01.lv.local
Address:  192.168.10.10

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  173.194.66.105, 173.194.66.103, 173.194.66.104, 173.194.66.99
          173.194.66.106, 173.194.66.147
Aliases:  www.google.com

>
0
 
LVL 5

Expert Comment

by:schima_cz
ID: 38364934
1. Start "nslookup"
2. Type "server 8.8.8.8"
3. Try some DNS requests (live.com, ...)
0
 

Author Comment

by:mail2clk
ID: 38364954
Default Server:  lvlo-01.lv.local
Address:  192.168.10.10

> server 8.8.8.8
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [8.8.8.8]
Address:  8.8.8.8

> server 8.8.8.8
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [8.8.8.8]
Address:  8.8.8.8

> 8.8.8.8
Server:  [8.8.8.8]
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
*** Request to [8.8.8.8] timed-out
> live.com
Server:  [8.8.8.8]
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [8.8.8.8] timed-out
> live.com
Server:  [8.8.8.8]
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [8.8.8.8] timed-out
>
0
 
LVL 5

Expert Comment

by:schima_cz
ID: 38364988
It looks like a problem with your ISP, because the DNS connection is not in good condition. Maybe your ISP is blocking DNS traffic to other DNS servers. Have you tried disabling or uninstalling firewalls and security software (everything from McAfee)?
0
 

Author Comment

by:mail2clk
ID: 38365006
Outside of the domain everything works fine, i.e. a different network on the same internet connection all works well.
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38365016
Can you check what forwarders you have configured?
Try using 4.2.2.2.
0
 
LVL 5

Expert Comment

by:schima_cz
ID: 38365036
And if you try this?
Start - Run - cmd - type "tracert 8.8.8.8"
0
 

Author Comment

by:mail2clk
ID: 38365104
I've changed the forwarders to 4.2.2.2. Tracert to 8.8.8.8. Some yahoo webpages are timing out.


Tracing route to b.resolvers.level3.net [4.2.2.2]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  firewall.lv.local [192.168.10.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9    19 ms    19 ms    18 ms  b.resolvers.level3.net [4.2.2.2]

Trace complete.
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38365177
It seems ICMP is blocked somewhere in your network.
You should still be able to browse the internet.
0
 
LVL 5

Expert Comment

by:schima_cz
ID: 38365896
And your firewall, what is it? It could be some rule on the firewall...
0
 

Author Comment

by:mail2clk
ID: 38365911
Kaspersky AV & Juniper Firewall
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38365941
Are you able to browse the internet?
And can you summarize all your remaining issues and post them here in a single post?
0
 
LVL 5

Expert Comment

by:schima_cz
ID: 38366711
Hmmm... Juniper, I have seen a lot of trouble with this device. Is it possible to replace the Juniper? Try a PC with some Linux distribution (Endian, ...).
0
 

Author Comment

by:mail2clk
ID: 38366889
I managed to resolve the issue. I removed the name server entry for the object under _msdcs. Internet access is now normal and dcdiag /test:dns is no longer failing.
0
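The Del failure is fixed, but every dcdiag /test:dns run in this thread also carried "Warning: Dynamic update is enabled on the zone but not secure lv.local." (the WARN in the Dyn column), which nobody addressed. With non-secure dynamic updates any host that can reach the DNS server, authenticated or not, can create or overwrite records in the zone, including the SRV and A records clients use to locate domain controllers. Secure-only updates require the zone to be Active Directory-integrated, because the ACL on each record object is what enforces ownership. The script below is an added example, not from the thread: it reads each zone's update setting and AD-integration flag through the DNS Server WMI provider (root\MicrosoftDNS) and, when you set $Fix, switches it to secure-only with dnscmd. The server and zone names are the thread's, DNS admin rights are assumed, and _msdcs.lv.local is only relevant if it exists as its own zone on this server.

```powershell
# Added example (not from the thread): report and harden the dynamic-update
# setting of the AD DNS zones. Assumes root\MicrosoftDNS WMI provider (Windows
# Server 2003+), dnscmd.exe, and DnsAdmins/Domain Admins rights.
$DnsServer = 'lvlo-01'
$Zones     = @('lv.local', '_msdcs.lv.local')   # second entry only if it is a separate zone
$Fix       = $false                              # report only; $true enforces secure-only

# AllowUpdate values shared by MicrosoftDNS_Zone and "dnscmd /Config <zone> /AllowUpdate":
#   0 = no dynamic updates   1 = non-secure and secure   2 = secure only
$updateNames = @{ 0 = 'None'; 1 = 'NonsecureAndSecure'; 2 = 'SecureOnly' }

foreach ($zoneName in $Zones) {
    $zone = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
                -Class MicrosoftDNS_Zone -Filter "Name='$zoneName'"
    if (-not $zone) {
        Write-Warning "$zoneName is not a zone on $DnsServer (probably a subdomain of the parent zone); skipping"
        continue
    }

    $current = $updateNames[[int]$zone.AllowUpdate]
    '{0,-18} DsIntegrated={1,-5} AllowUpdate={2}' -f $zoneName, $zone.DsIntegrated, $current

    if ($zone.AllowUpdate -eq 2) { continue }   # already secure-only; this is what dcdiag's Dyn test wants

    if (-not $zone.DsIntegrated) {
        # Secure-only is not available on a file-backed primary; convert first, e.g.
        #   dnscmd lvlo-01 /ZoneResetType lv.local /DsPrimary
        Write-Warning "$zoneName is a standard primary zone; convert it to AD-integrated before requiring secure updates"
        continue
    }

    if ($Fix) {
        dnscmd $DnsServer /Config $zoneName /AllowUpdate 2
    } else {
        Write-Warning "$zoneName accepts non-secure dynamic updates; re-run with `$Fix = `$true to set secure-only"
    }
}

if ($Fix) { dcdiag /test:dns }   # Dyn column should now show PASS for the zones changed above
```

Before enforcing it, check for anything that registers records without a Kerberos identity, typically a DHCP server updating on behalf of non-Windows clients; that DHCP server should be given a dedicated account and made a member of DnsUpdateProxy rather than the zone left open. Once the zone is secure-only, stale records such as the ones removed earlier in this thread also become much easier to reason about: each record has an owner, and only that owner (or an administrator) can change it.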
 

Author Closing Comment

by:mail2clk
ID: 38366894
Great help in resolving this issue.
0
