2003 R2 Domain issue.

Hello I have  two Domain controller  running 2003 R2 (yes I know I have to migrate, and I 'll do when I repair it).

today I meet "DC2" without free disk space, then I expand the disk (solved) but the problem is that the Domain controllers don't replicate to the other.

DC2 event log:
- Application : event Id 1030 source Userenv -->  Windows can not query for the list of Group Policy objects

 -System: event Id 4  source Kerberos -->  kerberos client received an error .... the password is different ...

and a lot of events showing NTDS replication, DNS, ...

DC1 event log:
- Application : event Id 1030 source Userenv -->  Windows can not query for the list of Group Policy objects

and a lot of events showing NTDS replication, DNS, ...

I have done a "dcpromo /force removed" in DC2 (because the kerveros event sound bad) , and in DC 1 seize the 5 roles, en the DNS by hand I cleaned all the DC2 items.

If I look in "user and Active Directory computers" I can see all the computers and user of the Active Directory.

But in the DC1 events I found:

- Application : event Id 1030 source Userenv -->  Windows can not query for the list of Group Policy objects

-System: event Id 5774 source NETLOGON --> there has been an error in recording dynamic DNS registration:
"DomainDnsZones.CLIENT.local 600 IN A 169 254 101 244" on the following DNS server

For computers and users to locate this domain controller, this record must register in DNS

I think the problem Is in the DNS server.

Can I repair the DNS server?

Who is Participating?
footechConnect With a Mentor Commented:
I'm unclear, did you do the authoritative restore?

Try running the command
repadmin /options yourDCname -disable_inbound_repl
I don't think this is set, but I want to make sure.

You can start and stop the netlogon service with
net start netlogon
net stop netlogon

With DC2 removed, I believe when you run repadmin /showreps there shouldn't be any connections.  Is this what you're seeing?

Follow these steps:
Check the registry key “HKLM\System\CurrentControlSet\Services\NTDS\Parameters" for a REG_DWORD entry “DSA Not Writable” set to "0×4".
Delete the “DSA Not Writable” entry and reboot the server.
If you seized the roles to DC1, then you have to perform a metadata cleanup for DC2.

Run the following and post back.
dcdiag /v
dcdiag /v /test:dns
limmontreefreeAuthor Commented:
thanks, yes I know, actually I'm working with the DC1 and DC2 (restored from backup) and in another VM I have (without NET)  DC1 as unique domain controller.

I'll send you the log.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

limmontreefreeAuthor Commented:
Here you are.

limmontreefreeAuthor Commented:
If you prefer I can stop DC1 and DC2 and start the new DC1 (alone as Domain controller) and send the logs form it.

Really my idea is leave a 2003 R2 DC and attach a new 2012 DC to the system, pass all the roles to the new 2012 DC and then shut down the old 2003 R2.

footechConnect With a Mentor Commented:
What is 3DC.Client.local?  Check to make sure there aren't any DNS records for DC1 that point to it or records for 3DC that point to the IP for DC1 (remember to check PTR records).

Can you start the Netlogon service on DC1?

I'm unclear what you've done.  You said you removed DC2, but then you said you restored it from backup.  I'll ignore the separate/duplicate DC1 that's not connected to anything.

From the DC2 results, it looks like replication hasn't worked since the beginning of the year and has now gone beyond the tombstone lifetime.  With all the rest I would just demote it (forcefully if necessary), do the metadata cleanup, get DC1 healthy, and after that's all done, repromote DC2 (or whatever other machine).   I wouldn't promote a new DC until DC1 is working correctly.
limmontreefreeAuthor Commented:
The server DC2 is named 3DC y rewrite it in the logs to make easier for you.

All the server are VM, after trying to shut down DC2 and because DC1 didn't goes  fine, I renamed the DC1's VHD and restored the DC1 and DC2, so now I can use both DC1 DC2 and the new alone DC1.

I think may be is better work with the alone DC1, and try repair the DNS.

I'll review the DNS configuration but I don't know much about DNS records.

I don't understand Why do you want to repromote DC2, I prefer attach a new 2012 server.

footechConnect With a Mentor Commented:
How did you restore the DCs?  If they were restored from snapshots, and taken at different times, there could be all sorts or problems with them, i.e. USN rollback, broken secure channel with domain members, etc.
This is turning into a mess.

If you want to work with the standalone DC1, get rid of the others.  Connect the DC1 to the network so that machines can use it.  There's little point in trying to repair a DC that other machines can't communicate with, as information can get out of sync, etc.

I don't care if you repromote DC2 or put in a new 2012 server.  I wrote that before I saw any mention of 2012.  So whichever way you want to proceed after DC1 is repaired is fine.

I'd like to see the current dcdiag results for whichever machine we're trying to repair.
limmontreefreeAuthor Commented:
Hello Footech.

The backup and restore was made with servers stopped (so I think it's alright)

I will to depromote one DC and leave only one as DC (at the momento) but I don't know what server is better keep running as DC.

Can you help me? Reading the logs what is the best candidate?  or Is better use the tool replmon to force the replication?

Thanks for your help.
I would say it's better to demote DC2 because it hasn't had a successful inbound replication with DC1 since January.

With that said, please make up your mind which you want to work on:  the standalone DC or the currently connected one.
limmontreefreeAuthor Commented:
I took the VMs and I'll do the tests in myserver.

I'll post the resoults.

limmontreefreeAuthor Commented:

I do the following:

In dc2 dcpromo /forceremoval
dc2 shutdown definitely

In dc1 (named DC)
seize all roles
with adsiedit.msc
configuration --> CN=Sites--> CN=servers -->delete  entry CN=DC2

run dcdiag and  dcdiag /dns:test
and send the files to you.

in the dns I  can see many entrys pointing to DC2, but At the momento I don't delete it or change the value DC2 for DC.

footechConnect With a Mentor Commented:
Can you start the Netlogon service?

If not, follow the steps in http://support.microsoft.com/kb/290762 to perform an authoritative restore.
limmontreefreeAuthor Commented:
I don't know how to try start the netlogon service, I can't see in the services.


Have I to perform your link?

Thanks again for your patience.
limmontreefreeAuthor Commented:
Ok I do it, and in the event Files Replication Service I get three event:

 Id 13501  the Files Replication Service is starting.

Id  135212
Warning The files replication service has detected a disk write cache in the unit containing  c:\windows\ntfrs\jet in the computer DC. It possible ......

Id 13516
The Files Replication Service no longer prevents that DC computer be a Domain Controller. ..

But If I do dcdiag /v in the services paragraph I get NETLOGON services is paused on DC.

also in the event viewer I get an NTDS  general event 1126  and  NTDS  general event 2103.

May be the server is in a USB rollback....

Please tell me your opinion to try to recover the Domain from the the other server.

Thanks again
limmontreefreeAuthor Commented:
yes I did the authoritative restore,

And after your last orders it seem to run correctly.

Many thanks.
Glad to hear it.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.