

secondary domain controller error

Posted on 2013-06-09
Last Modified: 2013-06-14
Dear gurus,

Our master server is alive and working fine, but when we try to promote another server as an additional domain controller it gives the message below.

We are using W2K8 R2.

"You will not be able to install a writable replica domain controller at this time because the RID master master0.domain.com is offline."

Can anyone guide me step by step?
Question by: tmsa12

Author Comment

ID: 39232649
I tried the query on the master and all 5 roles and services are working:

netdom query /fsmo

Expert Comment

by:Sarang Tinguria
ID: 39232810
It seems the RID role holder is down or decommissioned.
Run dcdiag /test:fsmocheck and seize the roles that are in error.
I would suggest going through the link below and seizing the roles to a working DC.

Seize FSMO role:

After seizing the roles, run dcdiag /q and post any errors.
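Before seizing anything it is worth knowing whether the RID master is actually offline, because netdom query /fsmo only prints the fSMORoleOwner attributes and reports a holder that has been dead for months exactly as it reports a live one. The following is an added example, not code from this thread or from Microsoft: it reads the five role holders from the directory with ADSI (so it runs under the PowerShell 2.0 that ships with Windows Server 2008 R2, no ActiveDirectory module needed) and then tests each holder for DNS resolution and an LDAP bind. Holder names are discovered at run time; master0.domain.com from the question is not hard-coded.

```powershell
# Added example (not from the thread): which FSMO holders actually answer?
# Run on any domain-joined machine as a user who can read the directory.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = $rootDse.defaultNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

# Each role is recorded as fSMORoleOwner on one well-known object.
$roleObjects = @{
    'PDC Emulator'          = "LDAP://$domainNc"
    'RID Master'            = "LDAP://CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure Master' = "LDAP://CN=Infrastructure,$domainNc"
    'Schema Master'         = "LDAP://$schemaNc"
    'Domain Naming Master'  = "LDAP://CN=Partitions,$configNc"
}

function Get-FsmoHolderHost([string]$ntdsSettingsDn) {
    # fSMORoleOwner holds the DN of the holder's "CN=NTDS Settings" object.
    # Strip that first RDN to reach the server object, which carries dNSHostName.
    $serverDn = $ntdsSettingsDn -replace '^CN=NTDS Settings,', ''
    $server   = [ADSI]"LDAP://$serverDn"
    return [string]$server.dNSHostName.Value
}

function Test-DcAlive([string]$hostName) {
    # Two independent checks: does the name resolve, and does LDAP answer a bind?
    # Reading a RootDSE attribute forces the bind, so an unreachable DC throws here.
    $r = New-Object PSObject -Property @{ Dns = $false; Ldap = $false; Error = '' }
    try {
        [void][System.Net.Dns]::GetHostAddresses($hostName)
        $r.Dns = $true
        $probe = [ADSI]"LDAP://$hostName/RootDSE"
        if ($probe.dnsHostName.Value) { $r.Ldap = $true }
    } catch {
        $r.Error = $_.Exception.Message
    }
    return $r
}

$report = foreach ($role in $roleObjects.Keys) {
    $holderDn = ([ADSI]($roleObjects[$role])).fSMORoleOwner.Value
    $hostName = Get-FsmoHolderHost $holderDn
    $alive    = Test-DcAlive $hostName
    New-Object PSObject -Property @{
        Role = $role; Holder = $hostName
        Dns  = $alive.Dns; Ldap = $alive.Ldap; Error = $alive.Error
    }
}
$report | Format-Table Role, Holder, Dns, Ldap, Error -AutoSize

# Decision rule: a holder that resolves and binds is NOT a candidate for seizing;
# the dcpromo error then points at DNS or RPC between the new server and that
# holder. Seize (ntdsutil) only a holder that is genuinely gone, and never bring
# that server back onto the network afterwards, or two DCs will claim the role.
```

Run it from the server you are trying to promote as well as from the master: if the RID master binds from the master but not from the new server, the problem is name resolution or a firewall in between, not the role holder.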

Expert Comment

ID: 39232860
I think it is a DNS misconfiguration. Before we proceed any further, just let us know how many DCs there are in the domain. Is it 2 including the problem DC, or more?

Based on your answer we can say what needs to be done. However, I would suggest you check some settings on the main DC (the alive one). Check the DNS and time server settings first and fix them if you see any misconfiguration. Then run DCDiag /v to know the AD health status. If everything is fine, then you can fix the problem DC.

DNS Best Practices

Authoritative Time Server
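The two settings this reply asks for can be pulled off the live DC in one go so they can be compared against the linked guidance. This is an added example, not code from the thread: it lists each enabled adapter's DNS client servers (flagging the two usual mistakes, a resolver that is not a DC such as an ISP or router address, and a server that lists only itself) and reads the time source from w32tm. It runs on the DC itself under PowerShell 2.0 and assumes nothing about the poster's network.

```powershell
# Added example (not from the thread): DNS client and time source of this DC.

function Get-DcDnsClientConfig {
    # DNS server list per enabled adapter. SRV lookups for _ldap/_kerberos fail
    # when a DC is pointed at a resolver that does not host the AD zone, and a
    # DC that lists only itself has no one to ask while its own DNS is starting.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $servers = @($_.DNSServerSearchOrder)
            New-Object PSObject -Property @{
                Adapter        = $_.Description
                DnsServers     = ($servers -join ', ')
                OnlySelf       = ($servers.Count -eq 1 -and
                                  ($servers[0] -eq '127.0.0.1' -or $_.IPAddress -contains $servers[0]))
                RegistersInDns = $_.FullDNSRegistrationEnabled
            }
        }
}

function Get-DcTimeSource {
    # w32tm is the authoritative view. The PDC emulator should sync to an external
    # or hardware source; every other DC should show Type NT5DS (domain hierarchy).
    # "Local CMOS Clock" as Source on a production DC means time is unmanaged, and
    # Kerberos tolerates only a 5-minute skew by default.
    $source = (w32tm /query /status 2>&1 | Where-Object { $_ -match '^\s*Source:' }) -replace '^\s*Source:\s*', ''
    $type   = (w32tm /query /configuration 2>&1 | Where-Object { $_ -match '^\s*Type:' }) -replace '^\s*Type:\s*', ''
    New-Object PSObject -Property @{ Source = $source; Type = $type }
}

Get-DcDnsClientConfig | Format-Table Adapter, DnsServers, OnlySelf, RegistersInDns -AutoSize
Get-DcTimeSource | Format-List
```

Any DnsServers entry that is not a domain controller hosting the zone is the misconfiguration this reply has in mind; fix that on the master before touching the problem DC, then re-run dcdiag /v.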



Expert Comment

by:Nagendra Pratap Singh
ID: 39233843
Log on to master0.domain.com and see the event logs. Maybe the server got culled sometime.

Author Comment

ID: 39234046
Dear gurus,

I have run all the commands you said and attached the output files.

Can someone look into them and advise if anything needs to be corrected?

I ran all these commands on the master domain controller.

Waiting for your advice and recommendation, step by step.

Kind regards

Expert Comment

ID: 39234160
As mentioned, it is a DNS misconfiguration issue. "The replication generated an error (1722)" is an indication that GUIDs are not getting resolved between DCs. I would again suggest you check dcdiag /test:dns on all DCs and, if it fails, resolve it accordingly. I see replication from ATMCSRVR17 and ATMCSRVR12 to ATMCSRVR10 is failing. If you run repadmin /replsum and repadmin /showreps you'll see more detailed errors.

Accepted Solution

Sandeshdubey earned 2000 total points
ID: 39234207
From the log it is clear that there is a replication issue between DCs. You are getting "RPC service is unavailable" and "Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected", which indicates the presence of a lingering object issue.

"The RPC server is unavailable" relates to a port being blocked, a network connectivity issue, or DNS misconfiguration. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open.

Best practices for DNS client settings on DC and domain members.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software, with many of them sporting a new feature called "network traffic protection," which can effectively block necessary AD traffic.

Active Directory and Active Directory Domain Services Port Requirements

Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario.

For lingering objects see this: http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

If you have multiple DCs in the network you can demote and re-promote the DC containing the lingering object. Sometimes it is difficult to remove a lingering object either using repadmin /removelingeringobjects or other tools, and the easiest way to deal with such issues is to demote and re-promote the DC. If lingering objects spread in the domain then they are more difficult to tackle. Demote and promote is the best solution.

If there are instances of a faulty DC which was removed from the network but is still present in AD, then you need to run metadata cleanup.

Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)

You need to first clean the errors before you proceed with adding a new server to the environment.
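The two error codes the accepted solution and the previous reply are reading from the poster's logs are 1722 (The RPC server is unavailable) and 8606 (Insufficient attributes were given to create an object ... already garbage collected). The following is an added example, not code from the thread or from Microsoft, that turns those replies into a triage run: it parses repadmin /showrepl * /csv (present on Windows Server 2008 R2; run as a domain admin on a DC or an RSAT host), and for every failing link either TCP-probes the well-known AD ports on the source DC (the 1722 case, a narrower check than turning the firewall off) or prints the advisory-mode repadmin /removelingeringobjects command, which lists lingering objects without deleting anything (the 8606 case). DC names such as ATMCSRVR10 come from the thread's logs at run time; nothing is hard-coded, and the port list is the well-known set only, since the RPC dynamic range (49152-65535 on 2008 R2) cannot be enumerated this way.

```powershell
# Added example (not from the thread): triage failing replication links by status.

$AdPorts = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)   # 135 = RPC endpoint mapper

function Test-TcpPort([string]$hostName, [int]$port, [int]$timeoutMs = 2000) {
    # Bounded connect: a firewall that silently drops SYNs must not stall the run.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($hostName, $port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($timeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Get-NtdsObjectGuid([string]$site, [string]$dsaName) {
    # /removelingeringobjects identifies the reference DC by the objectGUID of
    # its "NTDS Settings" object, not by name.
    $configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
    $ntds = [ADSI]"LDAP://CN=NTDS Settings,CN=$dsaName,CN=Servers,CN=$site,CN=Sites,$configNc"
    return (New-Object Guid (,$ntds.objectGUID.Value)).ToString()
}

function Get-FailingReplLinks {
    # Keep only CSV rows: for DCs it cannot bind to, repadmin prints free text.
    $rows = repadmin /showrepl * /csv | Where-Object { $_ -like 'showrepl_*' }
    $rows | ConvertFrom-Csv | Where-Object { [int]$_.'Number of Failures' -gt 0 }
}

foreach ($link in Get-FailingReplLinks) {
    $dest   = $link.'Destination DSA'
    $source = $link.'Source DSA'
    $status = [int]$link.'Last Failure Status'
    $fields = @($dest, $source, $link.'Naming Context', $status,
                $link.'Number of Failures', $link.'Last Success Time')
    "{0} <- {1}  NC={2}  status={3}  failures={4}  lastSuccess={5}" -f $fields

    switch ($status) {
        1722 {
            # RPC unreachable: which well-known AD ports does the source DC accept?
            foreach ($p in $AdPorts) {
                $state = if (Test-TcpPort $source $p) { 'open' } else { 'BLOCKED/closed' }
                "    tcp/{0,-4} on {1}: {2}" -f $p, $source, $state
            }
        }
        8606 {
            # The source is sending an object the destination has already garbage-
            # collected, so the SOURCE holds the lingering object. Reference DC =
            # destination; advisory mode only logs event 1946 per object found.
            $refGuid = Get-NtdsObjectGuid $link.'Destination DSA Site' $dest
            "    repadmin /removelingeringobjects {0} {1} ""{2}"" /advisory_mode" -f `
                $source, $refGuid, $link.'Naming Context'
            "    (re-run without /advisory_mode only after reviewing the 1946 events)"
        }
        default { "    other status; run: repadmin /showrepl $dest /verbose" }
    }
}
```

A 1722 link whose ports all show open points back at name resolution or the RPC dynamic range rather than the well-known ports; a link whose ports are blocked is the firewall question the accepted solution sends to the network team, with the exact port numbers to ask about. Clear every listed failure, then re-run repadmin /replsum before attempting the promotion again.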
