Solved

Unable to create users in additional domain controller when PDC is offline

Posted on 2013-05-24
Last Modified: 2013-12-10
Scenario

I have a primary domain controller at the central location & have configured additional domain controllers at remote locations. When my remote location link is down, even though I have an additional domain controller with global catalog enabled in the NTDS settings, I am not able to create or manage users on the additional domain controller. Active Directory Users & Groups shows offline.
0
Comment
Question by:ANUPKUMAR NAIR
15 Comments
 
LVL 7

Assisted Solution

by:scraby
scraby earned 84 total points
ID: 39194754
What versions? On 2003 and above there is no PDC anymore. You said Users and Groups shows offline; did you mean Users and Computers? Can you send a screenshot of what offline looks like? You don't have this problem when the other DC is online? DCs replicate with each other to make sure the latest change is propagated to all DCs; if they can't talk due to connectivity then they'll keep trying, so if your DC is working properly you should be able to make changes regardless of connectivity.
0
 
LVL 2

Author Comment

by:ANUPKUMAR NAIR
ID: 39194864
Hi scraby,

Windows Server 2003 R2 with SP2 at the central location & Windows 2008 R2 64-bit at the remote location.

Rightly said, the term PDC no longer exists. It is a domain controller at the central location & the other domain controller at the remote location.

I have attached the screen shot.

This is the error I get when the link is disconnected. The preferred DNS server is the IP of my central location DC.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 250 total points
ID: 39200383
It seems there is a DNS misconfiguration issue. Can you post the ipconfig /all details of the DCs?

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Also verify the health of the DCs with dcdiag /q and repadmin /replsum and post the log. Ensure that the DNS/GC role is configured on both servers.
0
 
LVL 2

Author Comment

by:ANUPKUMAR NAIR
ID: 39201476
10.0.0.32 (First domain controller in the forest, at the central location) Windows 2003 R2 32-bit
10.0.0.33 (Additional domain controller at the central location) Windows 2003 R2 32-bit
100.8.1.15 (Active Directory at the DR site) Windows 2003 R2 32-bit
100.100.100.11 (Backup domain controller) Windows 2008 R2 64-bit

Apart from these I have 4 domain controllers at my remote locations.

C:\Documents and Settings\anupnair>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : pdcmum
   Primary Dns Suffix  . . . . . . . : srlnt.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : srlnt.com

Ethernet adapter Local Area Connection 4:

   Connection-specific DNS Suffix  . : srlnt.com
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 00-14-5E-FE-12-45
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.32
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.33
                                       100.8.1.15

C:\Documents and Settings\anupnair>

----------------------------------------------------------------------------------------------------
BDC (100.100.100.11)

C:\Users\anupnair>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : BDCMUM
   Primary Dns Suffix  . . . . . . . : srlnt.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : srlnt.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : srlnt.com
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-13-FF-28
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e874:3b82:b2ea:2e9e%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 100.100.100.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 100.100.100.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-B1-86-34-00-0C-29-FA-D1-65

   DNS Servers . . . . . . . . . . . : 10.0.0.32
                                       4.2.2.2
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.srlnt.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : srlnt.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

   Connection-specific DNS Suffix  . : srlnt.com
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:6464:640b::6464:640b(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.32
                                       4.2.2.2
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\anupnair>
0
 
LVL 2

Author Comment

by:ANUPKUMAR NAIR
ID: 39201526
Hi, I have noticed something.

My Additional domain controller (100.100.100.11) shows only a shortcut in the SYSVOL folder.
Sysvol.bmp
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 250 total points
ID: 39231783
You have still not followed the suggestion posted in the link: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Still I can see the public IP addresses 8.8.8.8 and 4.2.2.2 configured as alternate DNS settings.


--Check the DNS setting on the server; it should point to itself (assuming that the DNS role is installed on the server). If multiple DNS servers are present, add the alternate DNS setting as well.

--If a public IP address is added in the NIC DNS setting, remove it and add it to the DNS forwarders if required.


--Check the NIC binding: the NIC which is online and has the IP details should be first in order. If multiple NICs are present then disable the unrequired NICs. http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

--Also make sure IPv6 is configured to dynamic (Automatically) if it is a Win2008 server.

--Run ipconfig /flushdns and ipconfig /registerdns. Restart the Netlogon and DNS services.
 
**What about the dcdiag /q and repadmin /replsum? Please post the log.
0
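To check the DNS client rules from this comment against a saved ipconfig /all capture, here is an added Python example (not from the thread). INTERNAL_DNS and the abridged sample are constructed from the addresses posted above; the "point to itself first" rule is the one this comment states.

```python
"""Audit a DC's DNS client settings from saved `ipconfig /all` output."""
import re

# "   DNS Servers . . . . . : 10.0.0.32"; extra values follow on indented lines.
KEY_RE = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]+:\s?(.*)$")

def parse_ipconfig(text):
    """Return {adapter/section name: {setting: [values]}}."""
    adapters, current, key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented: adapter/section header
            current = line.strip().rstrip(":")
            adapters[current], key = {}, None
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).strip(), m.group(2).strip()
            adapters[current][key] = [value] if value else []
        elif key is not None and current is not None:
            adapters[current][key].append(line.strip())   # continuation value
    return adapters

def audit_dc_dns(text, internal_dns):
    """Thread's rules: a DC running DNS lists itself first, and only internal
    DNS servers (internal_dns = your DC IPs) sit on the NIC; public ones go in forwarders."""
    adapters = parse_ipconfig(text)
    own = {"127.0.0.1"}
    for cfg in adapters.values():
        for k in ("IP Address", "IPv4 Address"):          # 2003 vs 2008 labels
            own.update(v.split("(")[0] for v in cfg.get(k, []))
    findings = []
    for name, cfg in adapters.items():
        servers = cfg.get("DNS Servers", [])
        if not servers or not (cfg.get("IP Address") or cfg.get("IPv4 Address")):
            continue                                       # skip tunnel adapters
        if servers[0] not in own:
            findings.append(f"{name}: primary DNS {servers[0]} is not this DC")
        for s in servers:
            if s not in own and s not in internal_dns:
                findings.append(f"{name}: {s} is not an internal DNS server; "
                                "remove it from the NIC and use a forwarder")
    return findings

# Constructed sample, abridged from the BDCMUM output posted in the thread.
SAMPLE = """Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : srlnt.com
   IPv4 Address. . . . . . . . . . . : 100.100.100.11(Preferred)
   DNS Servers . . . . . . . . . . . : 10.0.0.32
                                       4.2.2.2
                                       8.8.8.8
"""
INTERNAL_DNS = {"10.0.0.32", "10.0.0.33", "100.8.1.15", "100.100.100.11"}

if __name__ == "__main__":
    print("\n".join(audit_dc_dns(SAMPLE, INTERNAL_DNS)))
```

Run it against a full ipconfig /all capture from each DC; an empty result means the NIC settings match the rules in this comment.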
 
LVL 13

Assisted Solution

by:rhinoceros
rhinoceros earned 83 total points
ID: 39233804
Have you pointed the ADC's NIC DNS configuration to itself?

Included the ADC DNS server IP 10.0.0.33?
0
 
LVL 2

Author Comment

by:ANUPKUMAR NAIR
ID: 39234168
Hi Sandesh,
I have removed the public IP entries from the DNS & have the primary DNS pointing to itself & the alternate pointing to the first domain controller in the network.

Dcdiag /q output

C:\Documents and Settings\anupnair>dcdiag /q
         [Replications Check,PDCMUM] No replication recently attempted:
            From BEAS-DOMAIN-SER to PDCMUM
            Naming Context: DC=DomainDnsZones,DC=srlnt,DC=com
            The last attempt occurred at 2013-06-10 03:21:40 (about 11 hours ago).
         [Replications Check,PDCMUM] No replication recently attempted:
            From BEAS-DOMAIN-SER to PDCMUM
            Naming Context: DC=ForestDnsZones,DC=srlnt,DC=com
            The last attempt occurred at 2013-06-10 03:21:40 (about 11 hours ago).
         [Replications Check,PDCMUM] No replication recently attempted:
            From BEAS-DOMAIN-SER to PDCMUM
            Naming Context: CN=Schema,CN=Configuration,DC=srlnt,DC=com
            The last attempt occurred at 2013-06-10 03:21:40 (about 11 hours ago).
         [Replications Check,PDCMUM] No replication recently attempted:
            From BEAS-DOMAIN-SER to PDCMUM
            Naming Context: CN=Configuration,DC=srlnt,DC=com
            The last attempt occurred at 2013-06-10 03:21:40 (about 11 hours ago).
         [Replications Check,PDCMUM] No replication recently attempted:
            From BEAS-DOMAIN-SER to PDCMUM
            Naming Context: DC=srlnt,DC=com
            The last attempt occurred at 2013-06-10 03:21:39 (about 11 hours ago).
         REPLICATION-RECEIVED LATENCY WARNING
         PDCMUM:  Current time is 2013-06-10 14:48:35.
            DC=DomainDnsZones,DC=srlnt,DC=com
               Last replication recieved from SRLADC-DR at 2013-05-25 16:20:05.
               Last replication recieved from BGLRADC at 2013-05-25 12:23:43.
               Last replication recieved from GGNADC at 2013-06-10 00:22:52.
            DC=ForestDnsZones,DC=srlnt,DC=com
               Last replication recieved from SRLADC-DR at 2013-05-25 16:20:05.
               Last replication recieved from BGLRADC at 2013-05-25 12:23:42.
               Last replication recieved from GGNADC at 2013-06-10 00:22:51.
            CN=Schema,CN=Configuration,DC=srlnt,DC=com
               Last replication recieved from SRLADC-DR at 2013-05-25 16:21:07.
               Last replication recieved from BGLRADC at 2013-05-25 12:22:35.
               Last replication recieved from GGNADC at 2013-06-10 02:29:09.
            CN=Configuration,DC=srlnt,DC=com
               Last replication recieved from SRLADC-DR at 2013-05-25 16:21:07.
               Last replication recieved from BGLRADC at 2013-05-25 12:20:40.
               Last replication recieved from GGNADC at 2013-06-10 02:29:09.
            DC=srlnt,DC=com
               Last replication recieved from SRLPDC at 2013-06-10 00:17:42.
               Last replication recieved from SRLADC-DR at 2013-05-25 16:25:35.
               Last replication recieved from BGLRADC at 2013-05-25 12:23:42.
               Last replication recieved from GGNADC at 2013-06-10 00:22:09.
         Warning: PDCMUM is not advertising as a time server.
         ......................... PDCMUM failed test Advertising
            NtFrs Service is stopped on [PDCMUM]
            Could not open w32time Service on [PDCMUM]:failed with 1060: The specified service does not exist as an installed service.
         ......................... PDCMUM failed test Services
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 06/10/2013   14:26:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 06/10/2013   14:26:29
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 06/10/2013   14:26:32
            (Event String could not be retrieved)
         ......................... PDCMUM failed test systemlog


.......................................................................................................................................................
repadmin /replsum output as follows

Replication Summary Start Time: 2013-06-10 15:02:12

Beginning data collection for replication summary, this may take awhile:

  ...........

Destination DC    largest delta    fails/total  %%  error
 BDCMUM                    38m:14s    0 /  10    0
 BEAS-DOMAIN-SER  >60 days           15 /  18   83  (1722) The RPC server is unavailable.
 GGNADC            15d.22h:39m:27s    5 /  13   38  (1722) The RPC server is unavailable.
 PDCMUM                11h:40m:33s    0 /  15    0
 SRLPDC           >60 days            6 /   9   66  (1722) The RPC server is unavailable.
 SRLSERVER             11h:36m:40s    0 /  15    0

Experienced the following operational errors trying to retrieve replication information:

          58 - BGLRADC.srlnt.com
          58 - SRLADC-DR.srlnt.com
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 250 total points
ID: 39234251
The error you are getting, "The RPC server is unavailable", relates to a port being blocked, a network connectivity issue, or DNS misconfiguration. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open or not.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software, with many of them sporting a new feature called "network traffic protection," which can effectively block necessary AD traffic.

Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Also from the log it seems that server  BEAS-DOMAIN-SER  and

Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario: http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx

Also from the log it seems that a couple of DCs have also passed the tombstone lifetime period.
The default tombstone lifetime period is 60 days in Windows Server 2003,
but the default tombstone lifetime period has been changed in Windows Server 2003 SP1 and later to 180 days: http://www.anas.co.in/2010/02/what-is-tombstone-lifetime-how-to.html

If the servers have reached the tombstone lifetime period, to fix the issue you need to demote and promote the server which has passed the tombstone lifetime period. You cannot demote the faulty DC gracefully; you need to do a forceful removal. You need to run dcpromo /forceremoval and then run metadata cleanup on another (healthy) DC to remove the instance of the faulty DC from the AD database and DNS. If the faulty DC is an FSMO role holder server then you need to seize the FSMO roles on another DC. Once done you can promote the server back as a DC.

Reference link
Forceful removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm

Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

To get a clear view, can you post the other DCs' dcdiag /q, repadmin /replsum, repadmin /showreps and ipconfig /all details?

Hope this helps.
0
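An added Python example (not from the thread) that triages the repadmin /replsum table posted above for the two conditions this comment raises: RPC failures and DCs whose largest delta is at or past the tombstone lifetime. The sample text is constructed from that table, and the tombstone_days default is an assumption to replace with the forest's actual tombstoneLifetime value.

```python
"""Triage saved `repadmin /replsum` output: RPC failures, unreachable DCs and
DCs whose largest delta is at or past the tombstone lifetime."""
import re

# Summary rows: " SRLPDC   >60 days   6 /   9   66  (1722) The RPC server is unavailable."
ROW_RE = re.compile(r"^\s*(?P<dc>\S+)\s+(?P<delta>>\d+ days|\S+)\s+(?P<fails>\d+)\s*/"
                    r"\s*(?P<total>\d+)\s+(?P<pct>\d+)\s*(?:\((?P<code>\d+)\)\s*(?P<msg>.*?))?\s*$")
# Trailing "operational error" lines: "   58 - BGLRADC.srlnt.com"
OPERR_RE = re.compile(r"^\s*(?P<code>\d+) - (?P<dc>\S+)\s*$")

def delta_days(delta):
    """Whole days in a largest-delta cell. '>60 days' is only a floor: repadmin
    stops counting there, so 60 is returned and the caller treats it as 'at least'."""
    m = re.match(r">?(\d+)(?: days|d\.)", delta)
    return int(m.group(1)) if m else 0

def triage_replsum(text, tombstone_days=60):
    """Return (dc, kind, detail) tuples. tombstone_days is the forest's
    tombstoneLifetime (60 for a forest created on 2003, 180 for SP1 and later)."""
    findings = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            if delta_days(row["delta"]) >= tombstone_days:
                findings.append((row["dc"], "tombstone",
                                 f"largest delta {row['delta']}: verify before reconnecting"))
            if row["code"]:
                findings.append((row["dc"], "error",
                                 f"{row['fails']}/{row['total']} failed: ({row['code']}) {row['msg']}"))
            continue
        op = OPERR_RE.match(line)
        if op:
            findings.append((op["dc"], "unreachable", f"operational error {op['code']}"))
    return findings

# Constructed sample: the summary table posted in the thread, minus progress dots.
SAMPLE_REPLSUM = """Replication Summary Start Time: 2013-06-10 15:02:12

Destination DC    largest delta    fails/total  %%  error
 BDCMUM                    38m:14s    0 /  10    0
 BEAS-DOMAIN-SER  >60 days           15 /  18   83  (1722) The RPC server is unavailable.
 GGNADC            15d.22h:39m:27s    5 /  13   38  (1722) The RPC server is unavailable.
 PDCMUM                11h:40m:33s    0 /  15    0
 SRLPDC           >60 days            6 /   9   66  (1722) The RPC server is unavailable.
 SRLSERVER             11h:36m:40s    0 /  15    0

Experienced the following operational errors trying to retrieve replication information:
          58 - BGLRADC.srlnt.com
          58 - SRLADC-DR.srlnt.com
"""

if __name__ == "__main__":
    for dc, kind, detail in triage_replsum(SAMPLE_REPLSUM):
        print(f"{kind:11} {dc:16} {detail}")
```

Because repadmin caps the delta display at ">60 days", a forest with a 180-day tombstone lifetime cannot be judged from this table alone; confirm the last successful replication time with repadmin /showrepl on the affected DC before forcing a demotion.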
 
LVL 26

Assisted Solution

by:DrDave242
DrDave242 earned 83 total points
ID: 39259892
These may not be the entirety of the problem, but they're certainly part of it:
           NtFrs Service is stopped on [PDCMUM]
            Could not open w32time Service on [PDCMUM]:failed with 1060: The specified service does not exist as an installed service.
         ......................... PDCMUM failed test Services
Looks like the File Replication Service on PDCMUM isn't running.  Try to start it manually.  If it won't start, check the System and FRS event logs to find out why.  Even if it does start, check the FRS log anyway for any unusual events that may indicate that the service isn't operating properly.

Also, it appears that the Windows Time service has been unregistered on that server.  Assuming you don't have a third-party service handling time synchronization, this service is vital on a DC, especially the PDC emulator, which is the master time source for your entire domain.  To re-register the service, open an administrative command prompt and run w32tm /register.  You should then see Windows Time listed in the Services console.  You may need to tweak the service's registry settings in accordance with this KB article.  (Refer to the section regarding synchronizing with an external time source.)
0
 
LVL 2

Accepted Solution

by:
ANUPKUMAR NAIR earned 0 total points
ID: 39698157
Hi guys, sorry for the late reply.

The global catalog was the primary server; I have enabled global catalog on the second server & was able to resolve this issue.
0
 
LVL 2

Author Comment

by:ANUPKUMAR NAIR
ID: 39698167
Thank you all for helping me resolve this issue.
0
 
LVL 2

Author Closing Comment

by:ANUPKUMAR NAIR
ID: 39708050
Thank you all for helping me resolve this issue.
0
