Ken Moody
asked on
'Primary' Domain controller not seeing global catalog
Situation: Active Directory domain with four total DCs. In the main office subnet, one primary domain controller/DNS/DHCP server running Win2003. A secondary DC also serving DHCP and DNS but running Win2008. Two other DCs in two separate subnets.
The main controller (PDXAD) is not able to view the global catalog, though the other DCs can. Unfortunately, this has had the effect of essentially disabling our Exchange (2003) servers, as they are unable to start several Exchange services - system attendant, MAT and Info Store.
So, I suspect I could just shut down the PDXAD server and the Exchange servers would turn to the other DCs for authentication, but I'd rather fix the problem rather than just address the symptom.
The AD server in question is generating the following event log error entries:
DIRECTORY SERVICES EVENT LOG:
-------------------------- ---------- ---------- ---------- ---------- -----
Event Type: Error
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1126
Date: 12/21/2012
Time: 9:56:21 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: PDXAD
Description:
Active Directory was unable to establish a connection with the global catalog.
Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200cf3
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.
-------------------------- ---------- ---------- ---------- ---------- -----
Event Type: Error
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1126
Date: 12/21/2012
Time: 10:56:33 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: PDXAD
Description:
Active Directory was unable to establish a connection with the global catalog.
Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200cf3
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.
-------------------------- ---------- ---------- ---------- ---------- -----
SYSTEM EVENT LOG
Event Type: Error
Event Source: DhcpServer
Event Category: None
Event ID: 1059
Date: 12/21/2012
Time: 10:46:15 AM
User: N/A
Computer: PDXAD
Description:
The DHCP service failed to see a directory server for authorization.
There continue to be success audit entries in the security event log, so it seems the DC is still authenticating users.
I have followed the steps in this article, including flushing the logs.
http://technet.microsoft.com/en-us/library/cc756476(v=ws.10).aspx
Not sure of the next best step. Any suggestions would be greatly appreciated.
Many thanks,
Ken
ASKER
Also worth mentioning, the Directory Synch Service is hanging in a Starting state.
Thanks
KM
ASKER
nltest results:
C:\Documents and Settings\Administrator.PDXAD>Nltest /dsgetdc:corp.nbsrealtors.com
DsGetDcName failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
C:\Documents and Settings\Administrator.PDXAD>nltest /dsgetsite
PDX
The command completed successfully
So it's like the DC doesn't even see that it should be a part of the corp.nbsrealtors.com domain.
Thanks!
KM
ASKER
Thanks a ton for the help folks. The issue has been resolved.
On the primary DC, the NIC has only itself listed for DNS. I added the address of another DC in the first position, moved the DC address to the second, restarted, voilà.
All is well in the world.
Hope you all have a very Merry Christmas.
Ken
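The DNS client state described in the post above (a DC whose NIC lists only itself as a DNS server) can be checked across domain controllers; the following is an added example, not part of the original thread. It uses Windows PowerShell's `Get-WmiObject` against `Win32_NetworkAdapterConfiguration`; the DC list and the function name `Test-DnsClientOrder` are assumptions, and only the name PDXAD comes from the thread.

```powershell
# Added example: flag DCs whose NICs resolve DNS only through themselves.
# Placeholder list of DCs to check; replace with the real names.
$DomainControllers = @('PDXAD', 'DC2-PLACEHOLDER')

# Hypothetical helper: classify one adapter's DNS server order.
function Test-DnsClientOrder {
    param(
        [string[]]$OwnAddresses,    # IP addresses bound to the adapter
        [string[]]$DnsSearchOrder   # DNS servers in the order the resolver tries them
    )
    $self   = @($OwnAddresses) + '127.0.0.1' + '::1'
    $order  = @($DnsSearchOrder | Where-Object { $_ })
    $others = @($order | Where-Object { $self -notcontains $_ })

    if ($order.Count -eq 0)        { return 'NoDnsConfigured' }
    if ($others.Count -eq 0)       { return 'SelfOnly' }     # state described in the thread
    if ($self -contains $order[0]) { return 'SelfFirst' }
    return 'PartnerFirst'                                    # state after the asker's change
}

foreach ($dc in $DomainControllers) {
    try {
        # Remote WMI query; works against Windows Server 2003 and later.
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                    -Filter 'IPEnabled = TRUE' -ComputerName $dc -ErrorAction Stop
    } catch {
        Write-Warning "$dc : WMI query failed: $($_.Exception.Message)"
        continue
    }
    foreach ($nic in $nics) {
        New-Object PSObject -Property @{
            Computer = $dc
            Adapter  = $nic.Description
            DnsOrder = ($nic.DNSServerSearchOrder -join ', ')
            Status   = Test-DnsClientOrder -OwnAddresses $nic.IPAddress `
                                           -DnsSearchOrder $nic.DNSServerSearchOrder
        }
    }
}
```

Run it from an administrative workstation with rights to query WMI on the DCs; any adapter reported as `SelfOnly` matches the configuration the asker found on PDXAD.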
ASKER
I have rebooted the offending DC.
This is what's appearing in the DNS event log.
--------------------------
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date: 12/21/2012
Time: 11:58:33 AM
User: N/A
Computer: PDXAD
Description:
The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and can not operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.
--------------------------
Results from the DCDIAG
--------------------------
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator.PDX
Domain Controller Diagnosis
Performing initial setup:
The directory service on PDXAD has not finished initializing.
In order for the directory service to consider itself synchronized, it must
attempt an initial synchronization with at least one replica of this
server's writeable domain. It must also obtain Rid information from the Rid
FSMO holder.
The directory service has not signalled the event which lets other services
know that it is ready to accept requests. Services such as the Key
Distribution Center, Intersite Messaging Service, and NetLogon will not
consider this system as an eligible domain controller.
The directory service on PDXAD has not finished initializing.
In order for the directory service to consider itself synchronized, it must
attempt an initial synchronization with at least one replica of this
server's writeable domain. It must also obtain Rid information from the Rid
FSMO holder.
The directory service has not signalled the event which lets other services
know that it is ready to accept requests. Services such as the Key
Distribution Center, Intersite Messaging Service, and NetLogon will not
consider this system as an eligible domain controller.
Done gathering initial info.
Doing initial required tests
Testing server: PDX\PDXAD
Starting test: Connectivity
The host 7196d580-5dd4-45bb-baa7-1e
om could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(7196d580-5dd4-45bb-baa7-1
couldn't be resolved, the server name (PDXAD.corp.nbsrealtors.co
resolved to the IP address (10.1.1.1) and was pingable. Check that
the IP address is registered correctly with the DNS server.
......................... PDXAD failed test Connectivity
Doing primary tests
Testing server: PDX\PDXAD
Skipping all tests, because server PDXAD is
not responding to directory service requests
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : corp
Starting test: CrossRefValidation
......................... corp passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... corp passed test CheckSDRefDom
Running enterprise tests on : corp.nbsrealtors.com
Starting test: Intersite
......................... corp.nbsrealtors.com passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQU
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Thanks again for your help!
KM