Windows 2003 Forest & Domain Controllers

We used to have two offices with two domain controllers at each site. We have moved offices and we are no longer connected to the other company. The network at the new site is now slow accessing the internet; I connected a computer directly to the router and the speed is quick. I ran dcdiag and errors appeared as expected. Does this have an impact on accessing the internet? How do I resolve this issue?
mail2clk asked:
 
Life1430 (Sr Engineer) commented:
There seem to be multiple issues on your site.
1) The FSMOs are not contactable by the DC, so seize them on the live/healthy DC using the link below:
http://www.petri.co.il/seizing_fsmo_roles.htm

2) There are stale servers in your domain which are not replicating to each other; these seem to be LVMA-01 & LVMA-02. So try establishing a link so they can replicate, else use the links below to force removal and do a metadata cleanup.
Forceful removal of a DC:
http://support.microsoft.com/kb/332199

Metadata cleanup:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

3) DNS is not properly configured on the DC.
Refer to my earlier post for DNS best practices, and remove or check the connectivity/status of 192.168.20.10.
0
 
Mike Kline commented:
How do you have DNS set up on your DCs? Were they using forwarders, and are those forwarders still accessible?

You should also try to cleanup the errors you find.

Thanks

Mike
0
 
mail2clk (Author) commented:
On our site there is one DNS set up on the main server with two forwarders (OpenDNS).
0

 
schima_cz commented:
Check the ping reply from Google DNS 8.8.8.8.
After that, check the reply time from your DNS server via nslookup.
0
 
Life1430 (Sr Engineer) commented:
How we should configure DNS on our DC:

Every DNS server should point to its own IP as the primary DNS and to the DNS located in the remote site as the secondary DNS in TCP/IP properties.
All unused NICs should be disabled.
Valid DNS IPs from the ISP should be configured in the DNS forwarders; do not configure the local DNS in the forwarders.
Public DNS IPs should not be used on any NIC card except in the forwarders.
Domain controllers should not be multi-homed.
Running a VPN server and RRAS server makes the DC multi-homed; refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;272294


If anything above is incorrect, please correct it and run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS service using "net stop dns & net start dns".

DNS best practices
http://technet.microsoft.com/en-us/library/cc778439(v=WS.10).aspx

Checklist: Deploying DNS for Active Directory
http://technet.microsoft.com/en-us/library/cc757116(v=ws.10)
0
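As an added example that is not part of this thread, the following Python script checks a DC's `ipconfig /all` output against the rules in the post above: own address first, no public resolvers on a NIC, no multi-homing, no disconnected NICs. The sample input is constructed in the Windows Server 2003 layout; the first adapter uses the values posted later in this thread and the second adapter is invented to exercise the multi-homing and public-resolver checks (forwarder settings are not in ipconfig output, so that rule is not covered).

```python
import ipaddress
import re

# Constructed sample in the `ipconfig /all` layout of Windows Server 2003.  The first
# adapter reproduces the values posted in this thread; the second adapter is invented
# to exercise the multi-homing and public-resolver checks.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LVLO-01
   Primary Dns Suffix  . . . . . . . : lv.local
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 00-1D-09-25-34-82
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.10
                                       192.168.20.10
   Primary WINS Server . . . . . . . : 192.168.10.10

Ethernet adapter Local Area Connection 2:

   Description . . . . . . . . . . . : Second NIC (constructed for this example)
   Physical Address. . . . . . . . . : 00-00-5E-00-53-01
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 8.8.8.8
"""

ADAPTER_RE = re.compile(r"^(?P<name>\S.*):$")          # "Ethernet adapter X:" header
FIELD_RE = re.compile(r"^\s{3}(?P<key>[A-Za-z][A-Za-z -]*?)[ .]*:\s?(?P<value>.*)$")
CONT_RE = re.compile(r"^\s{20,}(?P<value>\S.*)$")       # additional DNS server lines


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; host-wide fields live under '_host'."""
    adapters = {"_host": {}}
    current, last_key = adapters["_host"], None
    for line in text.splitlines():
        if ADAPTER_RE.match(line):
            current = adapters.setdefault(ADAPTER_RE.match(line)["name"], {})
            last_key = None
        elif FIELD_RE.match(line):
            m = FIELD_RE.match(line)
            last_key = m["key"].strip()
            current[last_key] = [m["value"].strip()] if m["value"].strip() else []
        elif last_key and CONT_RE.match(line):
            current[last_key].append(CONT_RE.match(line)["value"].strip())
    return adapters


def audit_dns_client(adapters):
    """Check a parsed ipconfig /all against the DNS client rules listed in this post.
    Returns (severity, message) findings; an empty list means every rule holds."""
    findings = []
    nics = {n: a for n, a in adapters.items() if n != "_host" and a.get("IP Address")}
    own_ips = {ip for a in nics.values() for ip in a["IP Address"]}
    # Rule: a domain controller should not be multi-homed.
    if len(nics) > 1:
        findings.append(("HIGH", "multi-homed: %d adapters hold an IP address" % len(nics)))
    # Rule: unused NICs should be disabled, not left disconnected.
    for n, a in adapters.items():
        if n != "_host" and any("disconnected" in v for v in a.get("Media State", [])):
            findings.append(("LOW", "%s: media disconnected; disable unused NICs" % n))
    for n, a in nics.items():
        servers = a.get("DNS Servers", [])
        if not servers:
            findings.append(("HIGH", "%s: no DNS servers configured" % n))
            continue
        # Rule: the primary DNS server is the DC's own address.
        if servers[0] not in own_ips:
            findings.append(("MEDIUM", "%s: primary DNS %s is not this DC" % (n, servers[0])))
        for ip in servers:
            # Rule: public resolvers belong in the DNS forwarders, never on a NIC.
            if ipaddress.ip_address(ip).is_global:
                findings.append(("HIGH", "%s: public DNS %s on NIC; use forwarders" % (n, ip)))
        for ip in servers[1:]:
            # Rule: the secondary is the DNS at the remote site, so it must be a reachable DC.
            if ip not in own_ips and not ipaddress.ip_address(ip).is_global:
                findings.append(("INFO", "%s: secondary DNS %s must be a reachable remote DC" % (n, ip)))
    return findings


if __name__ == "__main__":
    for severity, message in audit_dns_client(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(severity, message)
```

Run against a real `ipconfig /all > ipconfig.txt` capture, the INFO finding for the secondary DNS is the one to act on when the remote site is gone, as in this thread.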
 
mail2clk (Author) commented:
I followed the above steps, all of which are in place. Flushed, registered the DNS and restarted the service. When I do an nslookup on www.google.com it times out, then if I do it again I get the results. It's very random.
0
 
Life1430 (Sr Engineer) commented:
Please run dcdiag /test:dns and post the result from the DC.
0
 
Jason Watkins (IT Project Leader) commented:
If I understand correctly, there are now two DCs in the domain/forest? Have one DC point to the other for DNS, then use a forwarder to pass on external queries. Have your client PCs point to the DCs for DNS.

Is there a part of the domain, like another DC, that the existing DCs could be looking for, at the old site?
0
 
mail2clk (Author) commented:
In the DNS there are a total of 4 name servers two for each site. The other site is not accessible.
0
 
Jason Watkins (IT Project Leader) commented:
Make sure no DNS-related or domain-related communication is destined for that other site. If the other site's DCs are in the domain database and are not needed anymore, they should be purged. All DCs will try to replicate at regular intervals, especially if they were in the same Active Directory site (they all are by default). Intersite replication has to be scheduled and configured explicitly.
0
 
mail2clk (Author) commented:
Here are the results for the dcdiag:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.



C:\Documents and Settings\lvloadmin>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Connectivity
         ......................... LVLO-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Replications
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-01 to LVLO-01
            Naming Context: DC=DomainDnsZones,DC=lv,DC=local
            The replication generated an error (1256):
            Win32 Error 1256
            The failure occurred at 2012-09-02 23:02:05.
            The last success occurred at 2012-08-30 07:51:26.
            316 failures have occurred since the last success.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-02 to LVLO-01
            Naming Context: DC=DomainDnsZones,DC=lv,DC=local
            The replication generated an error (1256):
            Win32 Error 1256
            The failure occurred at 2012-09-02 23:02:28.
            The last success occurred at 2012-08-30 07:51:26.
            316 failures have occurred since the last success.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-01 to LVLO-01
            Naming Context: DC=ForestDnsZones,DC=lv,DC=local
            The replication generated an error (1256):
            Win32 Error 1256
            The failure occurred at 2012-09-02 23:02:05.
            The last success occurred at 2012-08-30 07:51:25.
            316 failures have occurred since the last success.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-02 to LVLO-01
            Naming Context: DC=ForestDnsZones,DC=lv,DC=local
            The replication generated an error (1256):
            Win32 Error 1256
            The failure occurred at 2012-09-02 23:02:28.
            The last success occurred at 2012-08-30 07:51:26.
            316 failures have occurred since the last success.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-02 to LVLO-01
            Naming Context: CN=Schema,CN=Configuration,DC=lv,DC=local
            The replication generated an error (8524):
            Win32 Error 8524
            The failure occurred at 2012-09-02 23:02:30.
            The last success occurred at 2012-08-30 07:51:25.
            316 failures have occurred since the last success.
            The guid-based DNS name c53188f0-ec2c-4235-a571-5a2343606da3._msdcs.lv.local
            is not registered on one or more DNS servers.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-01 to LVLO-01
            Naming Context: CN=Schema,CN=Configuration,DC=lv,DC=local
            The replication generated an error (1722):
            Win32 Error 1722
            The failure occurred at 2012-09-02 23:02:51.
            The last success occurred at 2012-08-30 07:51:25.
            316 failures have occurred since the last success.
            [LVMA-01] DsBindWithSpnEx() failed with error 1722,
            Win32 Error 1722.
            The source remains down. Please check the machine.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-01 to LVLO-01
            Naming Context: CN=Configuration,DC=lv,DC=local
            The replication generated an error (1722):
            Win32 Error 1722
            The failure occurred at 2012-09-02 23:02:26.
            The last success occurred at 2012-08-30 07:51:20.
            316 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-02 to LVLO-01
            Naming Context: CN=Configuration,DC=lv,DC=local
            The replication generated an error (8524):
            Win32 Error 8524
            The failure occurred at 2012-09-02 23:02:28.
            The last success occurred at 2012-08-30 07:51:25.
            316 failures have occurred since the last success.
            The guid-based DNS name c53188f0-ec2c-4235-a571-5a2343606da3._msdcs.lv.local
            is not registered on one or more DNS servers.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-01 to LVLO-01
            Naming Context: DC=lv,DC=local
            The replication generated an error (1722):
            Win32 Error 1722
            The failure occurred at 2012-09-02 23:02:05.
            The last success occurred at 2012-08-30 08:05:17.
            315 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,LVLO-01] A recent replication attempt failed:
            From LVMA-02 to LVLO-01
            Naming Context: DC=lv,DC=local
            The replication generated an error (8524):
            Win32 Error 8524
            The failure occurred at 2012-09-02 23:02:54.
            The last success occurred at 2012-08-30 07:51:25.
            316 failures have occurred since the last success.
            The guid-based DNS name c53188f0-ec2c-4235-a571-5a2343606da3._msdcs.lv.local
            is not registered on one or more DNS servers.
         REPLICATION-RECEIVED LATENCY WARNING
         LVLO-01:  Current time is 2012-09-02 23:08:41.
            DC=DomainDnsZones,DC=lv,DC=local
               Last replication recieved from LVMA-01 at 2012-08-30 07:51:26.
               Last replication recieved from LVMA-02 at 2012-08-30 07:51:26.
            DC=ForestDnsZones,DC=lv,DC=local
               Last replication recieved from LVMA-01 at 2012-08-30 07:51:25.
               Last replication recieved from LVMA-02 at 2012-08-30 07:51:26.
            CN=Schema,CN=Configuration,DC=lv,DC=local
               Last replication recieved from LVMA-01 at 2012-08-30 07:51:25.
               Last replication recieved from LVMA-02 at 2012-08-30 07:51:25.
            CN=Configuration,DC=lv,DC=local
               Last replication recieved from LVMA-01 at 2012-08-30 07:51:20.
               Last replication recieved from LVMA-02 at 2012-08-30 07:51:24.
            DC=lv,DC=local
               Last replication recieved from LVMA-01 at 2012-08-30 08:05:17.
               Last replication recieved from LVMA-02 at 2012-08-30 07:59:20.
         REPLICATION-RECEIVED LATENCY WARNING
          Source site:
         CN=NTDS Site Settings,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
          Current time: 2012-09-02 23:08:41
          Last update time: 2012-08-30 07:34:40
          Check if source site has an elected ISTG running.
          Check replication from source site to this server.
         ......................... LVLO-01 passed test Replications
      Starting test: NCSecDesc
         ......................... LVLO-01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... LVLO-01 passed test NetLogons
      Starting test: Advertising
         ......................... LVLO-01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: LVMA-01 is the Schema Owner, but is not responding to DS RPC Bind.
         [LVMA-01] LDAP search failed with error 58,
         Win32 Error 58.
         Warning: LVMA-01 is the Schema Owner, but is not responding to LDAP Bind.
         Warning: LVMA-01 is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: LVMA-01 is the Domain Owner, but is not responding to LDAP Bind.
         Warning: LVMA-01 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: LVMA-01 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: LVMA-01 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: LVMA-01 is the Rid Owner, but is not responding to LDAP Bind.
         Warning: LVMA-01 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         Warning: LVMA-01 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
         ......................... LVLO-01 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... LVLO-01 failed test RidManager
      Starting test: MachineAccount
         ......................... LVLO-01 passed test MachineAccount
      Starting test: Services
         ......................... LVLO-01 passed test Services
      Starting test: ObjectsReplicated
         ......................... LVLO-01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... LVLO-01 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... LVLO-01 failed test frsevent
      Starting test: kccevent
         An Error Event occured.  EventID: 0xC0000566
            Time Generated: 09/02/2012   23:07:09
            Event String: The schedule attribute of the following site link
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/02/2012   23:07:09
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/02/2012   23:07:09
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/02/2012   23:07:09
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 09/02/2012   23:07:09
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 09/02/2012   23:07:09
            Event String: The Knowledge Consistency Checker (KCC) was
         ......................... LVLO-01 failed test kccevent
      Starting test: systemlog
         ......................... LVLO-01 passed test systemlog
      Starting test: VerifyReferences
         ......................... LVLO-01 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : lv
      Starting test: CrossRefValidation
         ......................... lv passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... lv passed test CheckSDRefDom

   Running enterprise tests on : lv.local
      Starting test: Intersite
         ......................... lv.local passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... lv.local failed test FsmoCheck

C:\Documents and Settings\lvloadmin>
0
 
Jason Watkins (IT Project Leader) commented:
You have a replication problem. It looks like some of the FSMOs are in the remote site. You need to either reconnect to the remote site and transfer them back or seize them to your remaining DC.

http://support.microsoft.com/kb/2200187
0
 
Life1430 (Sr Engineer) commented:
That's correct, you have replication issues.
Can you post the output of "dcdiag /test:dns" and "repadmin /replsum", "ipconfig /all" and "netdom query FSMO" to dig it out further?

Note: Do not paste here, just attach a text file so the thread doesn't go long.
0
 
Life1430 (Sr Engineer) commented:
Furthermore, I guess both your DCs are no longer connected to each other on the network and you don't want the other DC anymore. Correct me if I am wrong.
0
 
mail2clk (Author) commented:
Dcdiag /test:dns
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\lvloadmin>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Connectivity
         ......................... LVLO-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LVLO-01

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : lv

   Running enterprise tests on : lv.local
      Starting test: DNS
         Test results for domain controllers:

            DC: LVLO-01.lv.local
            Domain: lv.local


               TEST: Basic (Basc)
                  Warning: adapter [00000007] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) has invalid DNS server: 192.168.20.10 (<name unavailable>)

               TEST: Delegations (Del)
                  Warning: DNS server: lvma-01.lv.local. IP: <Unavailable> Failure:Missing glue A record

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
lv.local.

         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 192.168.20.10 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.20.10
               Name resolution is not functional. _ldap._tcp.lv.local. failed on the DNS server 192.168.20.10

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: lv.local
               LVLO-01                      PASS WARN PASS FAIL WARN PASS n/a

         ......................... lv.local failed test DNS

C:\Documents and Settings\lvloadmin>


repadmin /replsum

C:\Documents and Settings\lvloadmin>repadmin /replsum
Replication Summary Start Time: 2012-09-03 08:49:41

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %%  error
 LVLO-01                   14m:20s    0 /   5    0
 LVLO-02                   02m:36s    0 /   5    0
 LVMA-01           04d.10h:10m:36s   10 /  10  100  (8524) Can't retrieve me...
 LVMA-02           04d.10h:10m:37s   10 /  10  100  (8524) Can't retrieve me...


Destination DC    largest delta    fails/total  %%  error
 LVLO-01           04d.00h:58m:21s   10 /  15   66  (1722) Can't retrieve me...
 LVLO-02           04d.10h:10m:37s   10 /  15   66  (8524) Can't retrieve me...


Experienced the following operational errors trying to retrieve replication information:
          58 - lvma-01.lv.local
          58 - lvma-02.lv.local

C:\Documents and Settings\lvloadmin>


ipconfig /all

C:\Documents and Settings\lvloadmin>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : LVLO-01
   Primary Dns Suffix  . . . . . . . : lv.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lv.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 00-1D-09-25-34-82
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.10
                                       192.168.20.10
   Primary WINS Server . . . . . . . : 192.168.10.10

C:\Documents and Settings\lvloadmin>

netdom query FSMO

C:\Documents and Settings\lvloadmin>netdom query FSMO
Schema owner                lvma-01.lv.local

Domain role owner           lvma-01.lv.local

PDC role                    lvma-01.lv.local

RID pool manager            lvma-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>
0
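The `repadmin /replsum` output above is what tells you which partners are gone for good. As an added example that is not from this thread or from Microsoft, here is a Python parser that turns that output into the list of stale source DCs and the meaning of their last error; the sample input is constructed from the values posted above, and the error texts are the standard Win32 messages for the codes that appear in this thread.

```python
import re
from datetime import timedelta

# Constructed sample in the layout `repadmin /replsum` prints on Windows Server 2003;
# the values are those posted in this thread.
SAMPLE_REPLSUM = """\
Replication Summary Start Time: 2012-09-03 08:49:41

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %%  error
 LVLO-01                   14m:20s    0 /   5    0
 LVLO-02                   02m:36s    0 /   5    0
 LVMA-01           04d.10h:10m:36s   10 /  10  100  (8524) Can't retrieve me...
 LVMA-02           04d.10h:10m:37s   10 /  10  100  (8524) Can't retrieve me...


Destination DC    largest delta    fails/total  %%  error
 LVLO-01           04d.00h:58m:21s   10 /  15   66  (1722) Can't retrieve me...
 LVLO-02           04d.10h:10m:37s   10 /  15   66  (8524) Can't retrieve me...


Experienced the following operational errors trying to retrieve replication information:
          58 - lvma-01.lv.local
          58 - lvma-02.lv.local
"""

# Standard Win32 / directory-service messages for the error codes seen in this thread.
WIN32_ERRORS = {
    58: "The specified server cannot perform the requested operation",
    1256: "The remote system is not available",
    1722: "The RPC server is unavailable",
    8524: "The DSA operation is unable to proceed because of a DNS lookup failure",
}

# One table row:  name   largest-delta   fails / total   %   [(code) message]
ROW_RE = re.compile(
    r"^\s+(?P<dc>\S+)\s+(?P<delta>[\d.:dhms]+)\s+(?P<fails>\d+)\s*/\s*(?P<total>\d+)"
    r"\s+(?P<pct>\d+)(?:\s+\((?P<code>\d+)\)\s*(?P<msg>.*?))?\s*$"
)
OPERR_RE = re.compile(r"^\s+(?P<code>\d+)\s+-\s+(?P<host>\S+)\s*$")


def parse_delta(text):
    """Convert repadmin's largest-delta field ('04d.10h:10m:36s', '14m:20s') to a timedelta."""
    units = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}
    return timedelta(**{units[u]: int(n) for n, u in re.findall(r"(\d+)([dhms])", text)})


def parse_replsum(text):
    """Parse the Source DC and Destination DC tables plus the operational-error list."""
    summary = {"sources": {}, "destinations": {}, "operational_errors": []}
    section = None
    for line in text.splitlines():
        if line.startswith("Source DC"):
            section = "sources"
        elif line.startswith("Destination DC"):
            section = "destinations"
        elif line.startswith("Experienced the following operational errors"):
            section = "operational_errors"
        elif section == "operational_errors":
            m = OPERR_RE.match(line)
            if m:
                summary[section].append((int(m["code"]), m["host"].lower()))
        elif section is not None:
            m = ROW_RE.match(line)
            if m:
                summary[section][m["dc"].upper()] = {
                    "largest_delta": parse_delta(m["delta"]),
                    "fails": int(m["fails"]),
                    "total": int(m["total"]),
                    "error_code": int(m["code"]) if m["code"] else None,
                }
    return summary


def stale_partners(summary, max_age=timedelta(hours=24)):
    """Source DCs whose every attempt failed or that have not replicated within max_age:
    the partners to reconnect, or to remove with metadata cleanup if they are gone."""
    return sorted(dc for dc, row in summary["sources"].items()
                  if (row["total"] and row["fails"] == row["total"])
                  or row["largest_delta"] > max_age)


def describe_error(code):
    return WIN32_ERRORS.get(code, "Win32 error %s" % code)


def triage(text):
    """Map each stale source DC to the meaning of the error repadmin last recorded for it."""
    summary = parse_replsum(text)
    return {dc: describe_error(summary["sources"][dc]["error_code"])
            for dc in stale_partners(summary)}


if __name__ == "__main__":
    for dc, reason in triage(SAMPLE_REPLSUM).items():
        print("%-8s stale: %s" % (dc, reason))
```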
 
Jason Watkins (IT Project Leader) commented:
"      DNS server: 192.168.20.10 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.20.10
               Name resolution is not functional. _ldap._tcp.lv.local. failed on the DNS server 192.168.20.10
"

20.10, or the use of it, is a problem. Try another DNS server. Remove LVMA-01/02 from the domain.
0
 
mail2clk (Author) commented:
I am about to seize the roles. According to Petri's website, the Infrastructure Master should not be on the same domain controller as the Global Catalog. On both our servers the GC is enabled. I do not want to lose the Global Catalog. What steps should I take to install the Infrastructure Master, and onto which server?
0
 
Jason Watkins (IT Project Leader) commented:
0
 
mail2clk (Author) commented:
The current operation master is not contactable, both now and in the future. Can I seize the role on the second domain controller and then disable the Global Catalog on that server?

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %%  error
 LVLO-01                   04m:03s    0 /   5    0
 LVLO-02                   07m:17s    0 /   5    0
 LVMA-01           05d.18h:30m:18s   10 /  10  100  (8524) Can't retrieve me...
 LVMA-02           05d.18h:30m:19s   10 /  10  100  (8524) Can't retrieve me...


Destination DC    largest delta    fails/total  %%  error
 LVLO-01           05d.09h:18m:03s   10 /  15   66  (1722) Can't retrieve me...
 LVLO-02           05d.18h:30m:19s   10 /  15   66  (8524) Can't retrieve me...


Experienced the following operational errors trying to retrieve replication information:
          58 - lvma-01.lv.local
          58 - lvma-02.lv.local
0
 
Jason Watkins (IT Project Leader) commented:
Each time an FSMO transfer operation is attempted, including seizing, the current FSMO owner will be solicited. If that machine cannot be contacted, it will throw an error. Seizing is your only option if the current owner cannot be contacted.
0
 
mail2clk (Author) commented:
Should I disable the Global Catalog on the server before seizing the Infrastructure Master?
0
 
Jason Watkins (IT Project Leader) commented:
I have had both features enabled on a DC. It is the default for Small Business Server, where only one DC is permitted. All domains/forests start out with all roles on the same machine, which is also a GC. Up to you, really, but I don't see how you have any other option. If you have two working DCs, make one a GC and give the other the Infrastructure Master role.
0
 
mail2clk (Author) commented:
I've seized the roles but am having problems with the metadata cleanup. Please see below:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\lvloadmin>netdom query fsmo
Schema owner                lvma-01.lv.local

Domain role owner           lvma-01.lv.local

PDC role                    lvma-01.lv.local

RID pool manager            lvma-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>c:/
'c:/' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\lvloadmin>cd c:\

C:\>cd windows

C:\WINDOWS>ntdsutil:
'ntdsutil:' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server lvlo-01
Binding to lvlo-01 ...
Connected to lvlo-01 using credentials of locally logged on user.
server connections: q
fsmo maintenance: ?

 ?                             - Show this help information
 Connections                   - Connect to a specific domain controller
 Help                          - Show this help information
 Quit                          - Return to the prior menu
 Seize domain naming master    - Overwrite domain role on connected server
 Seize infrastructure master   - Overwrite infrastructure role on connected server
 Seize PDC                     - Overwrite PDC role on connected server
 Seize RID master              - Overwrite RID role on connected server
 Seize schema master           - Overwrite schema role on connected server
 Select operation target       - Select sites, servers, domains, roles and
                                 naming contexts
 Transfer domain naming master - Make connected server the domain naming master
 Transfer infrastructure master - Make connected server the infrastructure master
 Transfer PDC                  - Make connected server the PDC
 Transfer RID master           - Make connected server the RID master
 Transfer schema master        - Make connected server the schema master

fsmo maintenance:
fsmo maintenance: seize domain naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210333, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
Server "lvlo-01" knows about 5 roles
Schema - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
Domain - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lv,DC=local
PDC - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
RID - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
Infrastructure - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
fsmo maintenance: seize pdc
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321051A, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure ...
Server "lvlo-01" knows about 5 roles
Schema - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
Domain - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lv,DC=local
PDC - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lv,DC=local
RID - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
Infrastructure - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
fsmo maintenance: seize rid master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321092B, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "lvlo-01" knows about 5 roles
Schema - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
Domain - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lv,DC=local
PDC - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lv,DC=local
RID - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lv,DC=local
Infrastructure - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210333, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
Server "lvlo-01" knows about 5 roles
Schema - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=lv,DC=local
Domain - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=lv,DC=local
PDC - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=lv,DC=local
RID - CN=NTDS Settings,CN=LVLO-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=lv,DC=local
Infrastructure - CN=NTDS Settings,CN=LVMA-01,CN=Servers,CN=Boston,CN=Sites,CN=Co
nfiguration,DC=lv,DC=local
fsmo maintenance: q
ntdsutil: q
Disconnecting from lvlo-01...

C:\WINDOWS>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: lvlo-01
Error 80070057 parsing input - illegal syntax?
server connections: connect to server lvlo-01
Binding to lvlo-01 ...
Connected to lvlo-01 using credentials of locally logged on user.
server connections: q
metadata cleanup: list domains
Error 80070057 parsing input - illegal syntax?
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=lv,DC=local
select operation target: 0
Error 80070057 parsing input - illegal syntax?
select operation target: 0
Error 80070057 parsing input - illegal syntax?
select operation target: list sites
Found 2 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lv,DC=local
1 - CN=Boston,CN=Sites,CN=Configuration,DC=lv,DC=local
select operation target: 1
Error 80070057 parsing input - illegal syntax?
select operation target: 1
Error 80070057 parsing input - illegal syntax?
select operation target:
0
 
Life1430Sr EngineerCommented:
As you have only one or two servers, you may keep both the GC and the infrastructure master on the same server with no further issues.
0
 
mail2clkAuthor Commented:
Is it OK to manually delete the DNS-related entries in the DNS server?

repadmin /replsum
Replication Summary Start Time: 2012-09-04 17:09:23

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %%  error
 LVLO-01                   04m:03s    0 /   5    0
 LVLO-02                   07m:17s    0 /   5    0
 LVMA-01           05d.18h:30m:18s   10 /  10  100  (8524) Can't retrieve me...
 LVMA-02           05d.18h:30m:19s   10 /  10  100  (8524) Can't retrieve me...


Destination DC    largest delta    fails/total  %%  error
 LVLO-01           05d.09h:18m:03s   10 /  15   66  (1722) Can't retrieve me...
 LVLO-02           05d.18h:30m:19s   10 /  15   66  (8524) Can't retrieve me...


Experienced the following operational errors trying to retrieve replication info
rmation:
          58 - lvma-01.lv.local
          58 - lvma-02.lv.local

C:\Documents and Settings\lvloadmin>netdom query fsmo
Schema owner                lvma-01.lv.local

Domain role owner           LVLO-01.lv.local

PDC role                    lvma-01.lv.local

RID pool manager            lvma-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>netdom query fsmo
Schema owner                lvma-01.lv.local

Domain role owner           LVLO-01.lv.local

PDC role                    LVLO-01.lv.local

RID pool manager            lvma-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>netdom query fsmo
Schema owner                lvma-01.lv.local

Domain role owner           LVLO-01.lv.local

PDC role                    LVLO-01.lv.local

RID pool manager            LVLO-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>netdom query fsmo
Schema owner                LVLO-01.lv.local

Domain role owner           LVLO-01.lv.local

PDC role                    LVLO-01.lv.local

RID pool manager            LVLO-01.lv.local

Infrastructure owner        lvma-01.lv.local

The command completed successfully.


C:\Documents and Settings\lvloadmin>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Connectivity
         ......................... LVLO-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LVLO-01

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : lv

   Running enterprise tests on : lv.local
      Starting test: DNS
         Test results for domain controllers:

            DC: LVLO-01.lv.local
            Domain: lv.local


               TEST: Delegations (Del)
                  Warning: DNS server: lvma-01.lv.local. IP: <Unavailable> Failu
re:Missing glue A record

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
lv.local.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: lv.local
               LVLO-01                      PASS PASS PASS FAIL WARN PASS n/a

         ......................... lv.local failed test DNS
0
 
mail2clkAuthor Commented:
Can I delete the Boston site manually since the metadata cleanup is not working?
0
 
Life1430Sr EngineerCommented:
Deleting the site would not be enough... What's the error you are getting while performing the metadata cleanup? The Petri link for metadata cleanup has steps with snapshots showing where you should delete the DNS entries from.
0
 
mail2clkAuthor Commented:
I selected the options incorrectly. I've successfully removed the servers. repadmin /replsum shows valid information now. But dcdiag /test:dns fails.
0
 
mail2clkAuthor Commented:
There is still information in AD Sites & Services relating to Boston and entries in the DNS Server. What should I do next?

>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Connectivity
         ......................... LVLO-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LVLO-01

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : lv

   Running enterprise tests on : lv.local
      Starting test: DNS
         Test results for domain controllers:

            DC: LVLO-01.lv.local
            Domain: lv.local


               TEST: Delegations (Del)
                  Warning: DNS server: lvma-01.lv.local. IP: <Unavailable> Failu
re:Missing glue A record

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
lv.local.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: lv.local
               LVLO-01                      PASS PASS PASS FAIL WARN PASS n/a

         ......................... lv.local failed test DNS
0
 
mail2clkAuthor Commented:
Additional information

repadmin /replsum
Replication Summary Start Time: 2012-09-04 18:15:34

Beginning data collection for replication summary, this may take awhile:
  .....


Source DC           largest delta  fails/total  %%  error
 LVLO-01                   10m:14s    0 /   5    0
 LVLO-02                   13m:28s    0 /   5    0


Destination DC    largest delta    fails/total  %%  error
 LVLO-01                   13m:28s    0 /   5    0
 LVLO-02                   10m:14s    0 /   5    0
0
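The two repadmin /replsum summaries above (the first with LVMA-01/LVMA-02 failing 10/10 with error 8524, the second after cleanup) are the kind of output this parser turns into a list of DCs to investigate. This is an added example, not code from the thread; SAMPLE is constructed from the failing summary as posted, and the error descriptions are the standard Win32 meanings of those codes.

```python
# Flag DCs in 'repadmin /replsum' output that fail every replication attempt or
# cannot be contacted at all. Added example, not from the thread; SAMPLE is
# constructed from the failing summary posted above (names and codes as shown).
import re

SAMPLE = """\
Source DC           largest delta  fails/total  %%  error
 LVLO-01                   04m:03s    0 /   5    0
 LVLO-02                   07m:17s    0 /   5    0
 LVMA-01           05d.18h:30m:18s   10 /  10  100  (8524) Can't retrieve me...
 LVMA-02           05d.18h:30m:19s   10 /  10  100  (8524) Can't retrieve me...
Destination DC    largest delta    fails/total  %%  error
 LVLO-01           05d.09h:18m:03s   10 /  15   66  (1722) Can't retrieve me...
 LVLO-02           05d.18h:30m:19s   10 /  15   66  (8524) Can't retrieve me...
Experienced the following operational errors trying to retrieve replication information:
          58 - lvma-01.lv.local
          58 - lvma-02.lv.local
"""

# Win32 error codes that appear in the thread's summaries.
KNOWN_ERRORS = {1722: "RPC server unavailable", 8524: "DNS lookup failure", 58: "network name no longer available"}
# Summary row: name, largest delta, fails / total, percent, optional "(code)".
ROW = re.compile(r"^\s+(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+\d+(?:\s+\((\d+)\))?")
OPERR = re.compile(r"^\s+(\d+)\s+-\s+(\S+)")   # e.g. "   58 - lvma-01.lv.local"

def parse_replsum(text):
    """Return (rows, op_errors): per-DC dicts and (code, host) pairs."""
    rows, op_errors, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Source DC"):
            section = "source"
        elif line.startswith("Destination DC"):
            section = "destination"
        elif line.startswith("Experienced the following operational errors"):
            section = "operr"
        elif section == "operr" and (m := OPERR.match(line)):
            op_errors.append((int(m.group(1)), m.group(2)))
        elif section and (m := ROW.match(line)):
            rows.append({"direction": section, "name": m.group(1).split(".")[0].upper(),
                         "fails": int(m.group(3)), "total": int(m.group(4)),
                         "error": int(m.group(5)) if m.group(5) else None})
    return rows, op_errors

def stale_dcs(text):
    """Map each DC failing 100% of attempts, or unreachable, to a reason string."""
    rows, op_errors = parse_replsum(text)
    stale = {}
    for r in rows:
        if r["total"] and r["fails"] == r["total"]:
            desc = KNOWN_ERRORS.get(r["error"], "unknown")
            stale[r["name"]] = f"{r['direction']}: {r['fails']}/{r['total']} failed, {r['error']} ({desc})"
    for code, host in op_errors:   # hosts repadmin could not query at all
        stale.setdefault(host.split(".")[0].upper(),
                         f"unreachable, {code} ({KNOWN_ERRORS.get(code, 'unknown')})")
    return stale
```

A DC listed by stale_dcs is one to re-link or to remove with metadata cleanup; LVLO-01 at 10/15 is not listed because it still replicates with the surviving partner.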
 
Jason WatkinsIT Project LeaderCommented:
Looking better!
0
 
mail2clkAuthor Commented:
How do I deal with the leftover sites and dns information? also resolve the dcdiag /test:dns?
0
 
Life1430Sr EngineerCommented:
Now delete the server from dssite.msc for which you have performed the metadata cleanup, and make sure before deleting it that no NTDS Settings object is still associated with it.

Make sure the DNS is pointing to itself only as the primary DNS server and the remote server as secondary in both servers' NIC card properties, then run "ipconfig /flushdns & ipconfig /registerdns" and "net stop netlogon & net start netlogon".
0
 
Jason WatkinsIT Project LeaderCommented:
0
 
mail2clkAuthor Commented:
Getting there. The dcdiag /test:dns is still failing. Can I delete the DNS entries for the Boston site in the DNS server?

C:\support tools>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LVLO-01
      Starting test: Connectivity
         ......................... LVLO-01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LVLO-01

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : lv

   Running enterprise tests on : lv.local
      Starting test: DNS
         Test results for domain controllers:

            DC: LVLO-01.lv.local
            Domain: lv.local


               TEST: Delegations (Del)
                  Warning: DNS server: lvma-01.lv.local. IP: <Unavailable> Failu
re:Missing glue A record

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
lv.local.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: lv.local
               LVLO-01                      PASS PASS PASS FAIL WARN PASS n/a

         ......................... lv.local failed test DNS

0
 
Jason WatkinsIT Project LeaderCommented:
I would remove all DNS records that reference any of the old DCs. This can be time-consuming as there are dozens for each DC.
0
 
mail2clkAuthor Commented:
I have an entry under _msdcs that I cannot delete; I can only delete the actual _msdcs container. I have removed all the other entries.
0
 
Life1430Sr EngineerCommented:
Delete the NS entries of the old DCs from _msdcs and lv.local in your DNS console.
0
 
Jason WatkinsIT Project LeaderCommented:
I wouldn't delete containers in DNS, just the records (A, SRV) for the old DCs.
0
 
mail2clkAuthor Commented:
I am having slow access to websites. I believe it is dns related.

Default Server:  lvlo-01.lv.local
Address:  192.168.10.10

www.google.com
Server:  lvlo-01.lv.local
Address:  192.168.10.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to lvlo-01.lv.local timed-out
>
0
 
mail2clkAuthor Commented:
If I do an nslookup a second time it works.

Default Server:  lvlo-01.lv.local
Address:  192.168.10.10

www.google.com
Server:  lvlo-01.lv.local
Address:  192.168.10.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to lvlo-01.lv.local timed-out
www.google.com
Server:  lvlo-01.lv.local
Address:  192.168.10.10

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  173.194.66.105, 173.194.66.103, 173.194.66.104, 173.194.66.99
          173.194.66.106, 173.194.66.147
Aliases:  www.google.com

>
0
 
schima_czCommented:
1. start "nslookup"
2. type "server 8.8.8.8"
3. try some DNS request (live.com .....)
0
 
mail2clkAuthor Commented:
Default Server:  lvlo-01.lv.local
Address:  192.168.10.10

> server 8.8.8.8
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [8.8.8.8]
Address:  8.8.8.8

> server 8.8.8.8
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [8.8.8.8]
Address:  8.8.8.8

> 8.8.8.8
Server:  [8.8.8.8]
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
*** Request to [8.8.8.8] timed-out
> live.com
Server:  [8.8.8.8]
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [8.8.8.8] timed-out
> live.com
Server:  [8.8.8.8]
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [8.8.8.8] timed-out
>
0
 
schima_czCommented:
It looks like a problem with your ISP, because the DNS connection is not in good condition. Maybe your ISP is blocking DNS traffic to other DNS servers. Have you tried to disable or uninstall firewalls and security software (everything from McAfee)?
0
 
mail2clkAuthor Commented:
Outside of the domain everything works fine, i.e. a different network on the same internet connection all works well.
0
 
Life1430Sr EngineerCommented:
Can you check what forwarders you have configured?
Try using 4.2.2.2.
0
 
schima_czCommented:
And if you try this?
Start - Run - Cmd - type "tracert 8.8.8.8"
0
 
mail2clkAuthor Commented:
I've changed the forwarders to 4.2.2.2. Tracert to 8.8.8.8. Some Yahoo web pages are timing out.


Tracing route to b.resolvers.level3.net [4.2.2.2]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  firewall.lv.local [192.168.10.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9    19 ms    19 ms    18 ms  b.resolvers.level3.net [4.2.2.2]

Trace complete.
0
 
Life1430Sr EngineerCommented:
It seems ICMP is blocked somewhere in your network.
You should still be able to browse the internet.
0
 
schima_czCommented:
And your firewall, what is it? It could be some rule on the firewall...
0
 
mail2clkAuthor Commented:
Kaspersky AV & Juniper Firewall
0
 
Life1430Sr EngineerCommented:
Are you able to browse the internet?
And can you summarise all your remaining issues and post them here in a single post?
0
 
schima_czCommented:
Hmmm ..... Juniper, I have seen a lot of trouble with this device. Is it possible to change the Juniper? Try a PC with some Linux distribution (Endian ....).
0
 
mail2clkAuthor Commented:
I managed to resolve the issue. I removed the name server entry for the object under _msdcs. Internet is now normal and dcdiag /test:dns is now not failing.
0
 
mail2clkAuthor Commented:
Great help in resolving this issue.
0
Question has a verified solution.