Solved

Unable to create users in additional domain controller when PDC is offline

Posted on 2013-05-24
447 Views
Last Modified: 2013-12-10
Scenario

I have a primary domain controller at the central location and have configured an additional domain controller at remote locations. When my remote location link is down, even with an additional domain controller that has the global catalog enabled in the NTDS settings, I am not able to create or manage users on the additional domain controller. Active Directory Users & Groups shows offline.
Question by:ANUPKUMAR NAIR
15 Comments
 
LVL 7

Assisted Solution

by:scraby
scraby earned 84 total points
What versions? On 2003 and above there is no PDC anymore. You said Users and Groups shows offline; did you mean Users and Computers? Can you send a screenshot of what offline looks like? You don't have this problem when the other DC is online? DCs replicate with each other to make sure the latest change is propagated to all DCs; if they can't talk due to connectivity they'll keep trying, so if your DC is working properly you should be able to make changes regardless of connectivity.
0
 
LVL 2

Author Comment

by:ANUPKUMAR NAIR
Hi scraby,

Windows Server 2003 R2 with SP2 at the central location and Windows 2008 R2 64-bit at the remote location.

Rightly said, the term PDC no longer exists. It is a domain controller at the central location, and the other domain controller is at the remote location.

I have attached the screenshot.

This is the error I get when the link is disconnected. The preferred DNS server is the IP of my central location DC.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 250 total points
It seems there is a DNS misconfiguration issue. Can you post the ipconfig /all details of the DCs?

Best practices for DNS client settings on DCs and domain members:
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Also verify the health of the DCs with dcdiag /q and repadmin /replsum and post the log. Ensure that the DNS/GC role is configured on both servers.
0
 
LVL 2

Author Comment

by:ANUPKUMAR NAIR
10.0.0.32 (first domain in the forest, at central location) Windows 2003 R2 32-bit
10.0.0.33 (additional domain controller at central location) Windows 2003 R2 32-bit
100.8.1.15 (Active Directory at DR site) Windows 2003 R2 32-bit
100.100.100.11 (backup domain controller) Windows 2008 R2 64-bit

Apart from this I have 4 domain controllers at my remote locations.

C:\Documents and Settings\anupnair>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : pdcmum
   Primary Dns Suffix  . . . . . . . : srlnt.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : srlnt.com

Ethernet adapter Local Area Connection 4:

   Connection-specific DNS Suffix  . : srlnt.com
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 00-14-5E-FE-12-45
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.32
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.33
                                       100.8.1.15

C:\Documents and Settings\anupnair>

----------------------------------------------------------------------------------------------------
BDC (100.100.100.11)

C:\Users\anupnair>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : BDCMUM
   Primary Dns Suffix  . . . . . . . : srlnt.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : srlnt.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : srlnt.com
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-13-FF-28
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e874:3b82:b2ea:2e9e%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 100.100.100.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 100.100.100.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-B1-86-34-00-0C-29-FA-D1-65

   DNS Servers . . . . . . . . . . . : 10.0.0.32
                                       4.2.2.2
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.srlnt.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : srlnt.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

   Connection-specific DNS Suffix  . : srlnt.com
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:6464:640b::6464:640b(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.32
                                       4.2.2.2
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\anupnair>
0
 
LVL 2

Author Comment

by:ANUPKUMAR NAIR
Hi, I have noticed something.

My additional domain controller (100.100.100.11) shows only a shortcut in the SYSVOL folder.
Sysvol.bmp
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 250 total points
You have still not followed the suggestion posted in the link: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

I can still see the public IP addresses 8.8.8.8 and 4.2.2.2 configured as the alternate DNS setting.


--Check the DNS setting on the server; it should point to itself (assuming the DNS role is installed on the server). If multiple DNS servers are present, add the alternate DNS setting as well.

--If a public IP address is added in the NIC DNS setting, remove it and add it to the DNS forwarders if required.


--Check the NIC binding: the NIC which is online and has the IP details should be first in order. If multiple NICs are present, disable the unrequired NICs. http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

--Also make sure IPv6 is configured to dynamic (automatic) if it is a Windows 2008 server.

--Run ipconfig /flushdns and ipconfig /registerdns. Restart the Netlogon and DNS services.
 
**What about the dcdiag /q and repadmin /replsum? Please post the log.
0
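The DNS client checks in the post above, turned into a script. This is an added example, not code from the thread or from the linked article. It parses ipconfig /all text and flags the three things the post asks for: a DC that does not list itself (or 127.0.0.1) as a DNS server, a missing internal alternate, and public resolvers on the NIC. The ipconfig text is a constructed sample modelled on the BDCMUM output posted earlier in the thread; the "own address" and "other DC" lists are inputs the operator supplies, and the hypothetical finding codes (NOT_SELF, PUBLIC_RESOLVER, NO_ALTERNATE_DC) are this script's own.

```python
"""Audit a domain controller's DNS client settings from 'ipconfig /all' text.

Added example, not code from the thread or the linked article. It encodes
the checks in the post above: the DC must list itself (or 127.0.0.1) as a
DNS server, an internal DC as alternate, and no public resolver on the NIC.
"""
import ipaddress
import re

ADAPTER_RE = re.compile(r"^(\S.*):$")                          # "Ethernet adapter Local Area Connection:"
FIELD_RE = re.compile(r"^ {3}([A-Za-z][^:]*?)[ .]*: ?(.*)$")   # "   DNS Servers . . . : 10.0.0.32"


def sample_ipconfig(dns_servers):
    """Constructed 'ipconfig /all' text for BDCMUM, modelled on the output posted
    earlier in the thread, with the given DNS server list on the LAN adapter."""
    dns_lines = "   DNS Servers . . . . . . . . . . . : " + dns_servers[0]
    for extra in dns_servers[1:]:
        dns_lines += "\n" + " " * 39 + extra          # continuation lines carry only the value
    return f"""\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : BDCMUM
   Primary Dns Suffix  . . . . . . . : srlnt.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : srlnt.com
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 100.100.100.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 100.100.100.1
{dns_lines}
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.srlnt.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : srlnt.com
"""


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}}; multi-value fields keep every line."""
    adapters, current, last_field = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last_field = None
            continue
        if current is None:            # "Windows IP Configuration" header block, not an adapter
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            value = m.group(2).replace("(Preferred)", "").strip()
            current.setdefault(last_field, [])
            if value:
                current[last_field].append(value)
        elif line.startswith(" ") and last_field:
            current[last_field].append(line.strip())   # e.g. second and third DNS server
    return adapters


def audit_dns_client(adapters, own_ips, other_dc_ips):
    """Return (code, adapter, detail) findings for every adapter that has an IPv4 address.
    own_ips: this DC's addresses; other_dc_ips: internal DCs acceptable as alternates."""
    findings = []
    own = set(own_ips) | {"127.0.0.1"}
    for name, fields in adapters.items():
        ipv4 = fields.get("IPv4 Address") or fields.get("IP Address") or []   # 2008 vs 2003 wording
        if not ipv4:
            continue                                   # tunnel / disconnected adapters are skipped
        dns = fields.get("DNS Servers", [])
        if not dns:
            findings.append(("NO_DNS", name, ""))
            continue
        for server in dns:
            try:
                if ipaddress.ip_address(server).is_global:
                    findings.append(("PUBLIC_RESOLVER", name, server))   # belongs in forwarders, not the NIC
            except ValueError:
                findings.append(("BAD_ADDR", name, server))
        if not own & set(dns):
            findings.append(("NOT_SELF", name, ", ".join(dns)))
        if not set(other_dc_ips) & set(dns):
            findings.append(("NO_ALTERNATE_DC", name, ", ".join(dns)))
    return findings


if __name__ == "__main__":
    for label, servers in (("before", ["10.0.0.32", "4.2.2.2", "8.8.8.8"]),
                           ("after", ["100.100.100.11", "10.0.0.32"])):
        cfg = parse_ipconfig(sample_ipconfig(servers))
        print(label, audit_dns_client(cfg, ["100.100.100.11"], ["10.0.0.32", "10.0.0.33"]) or "clean")
```

Run against real output, save ipconfig /all to a file on the DC and feed its text to parse_ipconfig; the "before" sample reproduces the two public resolvers the post objects to, the "after" sample shows the corrected order (itself first, an internal DC second) producing no findings.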
 
LVL 13

Assisted Solution

by:rhinoceros
rhinoceros earned 83 total points
Have you pointed ADC's NIC dns configuration to itself?

Included ADC DNS Server IP 10.0.0.33?
0
 
LVL 2

Author Comment

by:ANUPKUMAR NAIR
Hi Sandesh,
I have removed the public IP entries from the DNS and have the primary DNS pointing to itself and the alternate pointing to the first domain in the network.

dcdiag /q output

C:\Documents and Settings\anupnair>dcdiag /q
         [Replications Check,PDCMUM] No replication recently attempted:
            From BEAS-DOMAIN-SER to PDCMUM
            Naming Context: DC=DomainDnsZones,DC=srlnt,DC=com
            The last attempt occurred at 2013-06-10 03:21:40 (about 11 hours ago
).
         [Replications Check,PDCMUM] No replication recently attempted:
            From BEAS-DOMAIN-SER to PDCMUM
            Naming Context: DC=ForestDnsZones,DC=srlnt,DC=com
            The last attempt occurred at 2013-06-10 03:21:40 (about 11 hours ago
).
         [Replications Check,PDCMUM] No replication recently attempted:
            From BEAS-DOMAIN-SER to PDCMUM
            Naming Context: CN=Schema,CN=Configuration,DC=srlnt,DC=com
            The last attempt occurred at 2013-06-10 03:21:40 (about 11 hours ago
).
         [Replications Check,PDCMUM] No replication recently attempted:
            From BEAS-DOMAIN-SER to PDCMUM
            Naming Context: CN=Configuration,DC=srlnt,DC=com
            The last attempt occurred at 2013-06-10 03:21:40 (about 11 hours ago
).
         [Replications Check,PDCMUM] No replication recently attempted:
            From BEAS-DOMAIN-SER to PDCMUM
            Naming Context: DC=srlnt,DC=com
            The last attempt occurred at 2013-06-10 03:21:39 (about 11 hours ago
).
         REPLICATION-RECEIVED LATENCY WARNING
         PDCMUM:  Current time is 2013-06-10 14:48:35.
            DC=DomainDnsZones,DC=srlnt,DC=com
               Last replication recieved from SRLADC-DR at 2013-05-25 16:20:05.
               Last replication recieved from BGLRADC at 2013-05-25 12:23:43.
               Last replication recieved from GGNADC at 2013-06-10 00:22:52.
            DC=ForestDnsZones,DC=srlnt,DC=com
               Last replication recieved from SRLADC-DR at 2013-05-25 16:20:05.
               Last replication recieved from BGLRADC at 2013-05-25 12:23:42.
               Last replication recieved from GGNADC at 2013-06-10 00:22:51.
            CN=Schema,CN=Configuration,DC=srlnt,DC=com
               Last replication recieved from SRLADC-DR at 2013-05-25 16:21:07.
               Last replication recieved from BGLRADC at 2013-05-25 12:22:35.
               Last replication recieved from GGNADC at 2013-06-10 02:29:09.
            CN=Configuration,DC=srlnt,DC=com
               Last replication recieved from SRLADC-DR at 2013-05-25 16:21:07.
               Last replication recieved from BGLRADC at 2013-05-25 12:20:40.
               Last replication recieved from GGNADC at 2013-06-10 02:29:09.
            DC=srlnt,DC=com
               Last replication recieved from SRLPDC at 2013-06-10 00:17:42.
               Last replication recieved from SRLADC-DR at 2013-05-25 16:25:35.
               Last replication recieved from BGLRADC at 2013-05-25 12:23:42.
               Last replication recieved from GGNADC at 2013-06-10 00:22:09.
         Warning: PDCMUM is not advertising as a time server.
         ......................... PDCMUM failed test Advertising
            NtFrs Service is stopped on [PDCMUM]
            Could not open w32time Service on [PDCMUM]:failed with 1060: The spe
cified service does not exist as an installed service.
         ......................... PDCMUM failed test Services
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 06/10/2013   14:26:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 06/10/2013   14:26:29
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 06/10/2013   14:26:32
            (Event String could not be retrieved)
         ......................... PDCMUM failed test systemlog


.......................................................................................................................................................
repadmin /replsum output as follows

Replication Summary Start Time: 2013-06-10 15:02:12

Beginning data collection for replication summary, this may take awhile:

  ...........

Destination DC    largest delta    fails/total  %%  error
 BDCMUM                    38m:14s    0 /  10    0
 BEAS-DOMAIN-SER  >60 days           15 /  18   83  (1722) The RPC server is unavailable.
 GGNADC            15d.22h:39m:27s    5 /  13   38  (1722) The RPC server is unavailable.
 PDCMUM                11h:40m:33s    0 /  15    0
 SRLPDC           >60 days            6 /   9   66  (1722) The RPC server is unavailable.
 SRLSERVER             11h:36m:40s    0 /  15    0

Experienced the following operational errors trying to retrieve replication information:

          58 - BGLRADC.srlnt.com
          58 - SRLADC-DR.srlnt.com
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 250 total points
You are getting the error "The RPC server is unavailable"; it relates to a port being blocked, a network connectivity issue, or a DNS misconfiguration. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software, many of which sport a new feature called "network traffic protection," which can effectively block necessary AD traffic.

Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

Best practices for DNS client settings on DCs and domain members:
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Also from the log it seems that server BEAS-DOMAIN-SER and

Troubleshooting "RPC server is unavailable" error, reported in failing AD replication scenario: http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx

Also from the log it seems that a couple of DCs have also passed the tombstone lifetime period.
The default tombstone lifetime period is 60 days in Windows Server 2003,
but the default tombstone lifetime period has been changed in Windows Server 2003 SP1 and later to 180 days: http://www.anas.co.in/2010/02/what-is-tombstone-lifetime-how-to.html

If the servers have reached the tombstone lifetime period, to fix the issue you need to demote and promote the server which has passed the tombstone lifetime period. You cannot demote the faulty DC gracefully; you need to do a forceful removal. You need to run dcpromo /forceremoval and then run metadata cleanup on another (healthy) DC to remove the instance of the faulty DC from the AD database and DNS. If the faulty DC is an FSMO role holder, then you need to seize the FSMO roles on another DC. Once done you can promote the server back as a DC.

Reference links
Forceful removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm

Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

To get a clear view, can you post the other DCs' dcdiag /q, repadmin /replsum, repadmin /showreps, and ipconfig /all details?

Hope this helps.
0
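A way to triage the repadmin /replsum output above mechanically, as an added example that is not code from the thread. It parses the summary table and the trailing "operational errors" list, then separates partners that report replication errors (here 1722, RPC server unavailable), partners whose largest delta is at or past the 60-day cap repadmin prints (">60 days") or past an assumed tombstone lifetime, and DCs that could not be queried at all. The sample input is the summary posted above; the 180-day tombstone lifetime is an assumed default taken from the post and must be confirmed against the forest's tombstoneLifetime attribute before any forced demotion or metadata cleanup is done.

```python
"""Triage 'repadmin /replsum' output (added example, not from the thread).

Flags three things the post above asks about:
  - partners whose replication attempts fail (here error 1722, RPC unavailable),
  - partners whose largest delta is past repadmin's 60-day reporting cap or the
    assumed tombstone lifetime (possible tombstone expiry),
  - DCs repadmin could not query at all ("operational errors").
"""
import re

# Sample input: the replication summary posted above in the thread.
SAMPLE_REPLSUM = """\
Replication Summary Start Time: 2013-06-10 15:02:12

Beginning data collection for replication summary, this may take awhile:
  ...........

Destination DC    largest delta    fails/total  %%  error
 BDCMUM                    38m:14s    0 /  10    0
 BEAS-DOMAIN-SER  >60 days           15 /  18   83  (1722) The RPC server is unavailable.
 GGNADC            15d.22h:39m:27s    5 /  13   38  (1722) The RPC server is unavailable.
 PDCMUM                11h:40m:33s    0 /  15    0
 SRLPDC           >60 days            6 /   9   66  (1722) The RPC server is unavailable.
 SRLSERVER             11h:36m:40s    0 /  15    0

Experienced the following operational errors trying to retrieve replication information:
          58 - BGLRADC.srlnt.com
          58 - SRLADC-DR.srlnt.com
"""

REPADMIN_CAP_SECONDS = 60 * 86400  # repadmin stops counting here and prints ">60 days"

# " SRLPDC           >60 days            6 /   9   66  (1722) The RPC server is unavailable."
ROW_RE = re.compile(r"^\s*(\S+)\s+(>60 days|\d+[dhms][0-9dhms:.]*)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$")
DELTA_RE = re.compile(r"^(?:(\d+)d\.)?(?:(\d+)h:)?(?:(\d+)m:)?(?:(\d+)s)?$")
OPERR_RE = re.compile(r"^\s+(\d+) - (\S+)$")          # "          58 - BGLRADC.srlnt.com"


def parse_delta(text):
    """'15d.22h:39m:27s' -> seconds; '>60 days' -> the 60-day cap (true age unknown)."""
    if text.startswith(">"):
        return REPADMIN_CAP_SECONDS
    m = DELTA_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError("unrecognised delta: %r" % text)
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_replsum(text):
    """Return (rows, unreachable): one dict per destination DC, plus DCs that could not be queried."""
    rows, unreachable = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ROW_RE.match(line)
        if m:
            dc, delta, fails, total, pct, err = m.groups()
            code = re.search(r"\((\d+)\)", err)         # "(1722) ..." -> Win32 error code
            rows.append({
                "dc": dc,
                "delta_s": parse_delta(delta),
                "capped": delta.startswith(">"),
                "fails": int(fails), "total": int(total), "pct": int(pct),
                "error_code": int(code.group(1)) if code else None,
                "error": err.strip(),
            })
            continue
        m = OPERR_RE.match(line)
        if m:
            unreachable.append({"code": int(m.group(1)), "dc": m.group(2)})
    return rows, unreachable


def triage(rows, unreachable, tombstone_days=180):
    """Group findings. tombstone_days is an assumption (60 on 2003 RTM, 180 on SP1+ per the post);
    confirm it from the forest's tombstoneLifetime attribute before acting on 'stale'."""
    result = {"failing": [], "stale": [], "unreachable": [u["dc"] for u in unreachable]}
    for r in rows:
        if r["fails"]:
            result["failing"].append((r["dc"], r["error_code"], r["error"]))
        # A capped delta means the last success is more than 60 days old; whether it
        # is past the tombstone lifetime must be confirmed with repadmin /showrepl.
        if r["capped"] or r["delta_s"] >= tombstone_days * 86400:
            result["stale"].append(r["dc"])
    return result


if __name__ == "__main__":
    rows, unreachable = parse_replsum(SAMPLE_REPLSUM)
    for section, items in triage(rows, unreachable).items():
        print(section, items)
```

On the thread's data this lists BEAS-DOMAIN-SER, GGNADC and SRLPDC as failing with 1722, BEAS-DOMAIN-SER and SRLPDC as past the 60-day cap, and BGLRADC and SRLADC-DR as not queryable; the "stale" set is the one to verify per partner before any forced removal, since repadmin only says "more than 60 days", not how many.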
 
LVL 25

Assisted Solution

by:DrDave242
DrDave242 earned 83 total points
These may not be the entirety of the problem, but they're certainly part of it:
            NtFrs Service is stopped on [PDCMUM]
            Could not open w32time Service on [PDCMUM]:failed with 1060: The spe
cified service does not exist as an installed service.
         ......................... PDCMUM failed test Services
Looks like the File Replication Service on PDCMUM isn't running. Try to start it manually. If it won't start, check the System and FRS event logs to find out why. Even if it does start, check the FRS log anyway for any unusual events that may indicate that the service isn't operating properly.

Also, it appears that the Windows Time service has been unregistered on that server. Assuming you don't have a third-party service handling time synchronization, this service is vital on a DC, especially the PDC emulator, which is the master time source for your entire domain. To re-register the service, open an administrative command prompt and run w32tm /register. You should then see Windows Time listed in the Services console. You may need to tweak the service's registry settings in accordance with this KB article. (Refer to the section regarding synchronizing with an external time source.)
0
 
LVL 2

Accepted Solution

by:ANUPKUMAR NAIR
ANUPKUMAR NAIR earned 0 total points
Hi guys, sorry for the late reply.

The global catalog was on the primary server; I have enabled the global catalog on the second server and was able to resolve this issue.
0
 
LVL 2

Author Comment

by:ANUPKUMAR NAIR
Thank you all for helping me resolve this issue.
0
 
LVL 2

Author Closing Comment

by:ANUPKUMAR NAIR
Thank you all for helping me resolve this issue.
0
