Solved

Can't bring up another domain controller in Windows 2003

Posted on 2014-01-08
518 Views
Last Modified: 2014-01-29
I recently had a problem which you all helped me through.  I now have an additional problem that hopefully you can help me with.  We have an old 2003 domain that will be upgraded in a project this spring, but I have to make it last until then.  

Some background - our network was setup with one 2003 dc which was the dns server, fsmo roles, and the gc.  There was one additional dc which wasn't a gc.  

The main dc failed, and we had to seize the roles with the remaining dc, and make it a gc and a dns server.  It is performing properly as far as I can tell.  

However, I want to add another domain controller so that if the current one crashes, it's not catastrophic.  However, whenever I add the domain controller role to another server, and do the mandatory reboot, I get this message:
Security account manager initialization failed because of the following error: Directory Service cannot start.  Error status: 0xc00002e1
 
I have tried making an existing server a dc, and after I got the above error, I built a new 2003 server from scratch, and I get the same message.  Does this mean my AD is corrupt, and I can't add a dc?  Or is there a step I'm missing?  Do I need to do something before adding the role?
Question by:TOHIT
31 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39764845
The error message you describe above is most likely due to a permission issue or corrupt ntds.dit (active directory database) file.

Take a look at the below KB article which outlines steps to correct this...
http://support.microsoft.com/kb/258062

You may also want to check the event viewer for additional logs which might provide more detail as to what exactly is causing this issue.

Will.
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39764856
Besides the previous mentioned KB, I'd also look into this hotfix: http://support.microsoft.com/kb/830574

Since you mentioned a broken AD ...
 
LVL 35

Expert Comment

by:Mahesh
ID: 39764873
No single answer for your question

This behavior can occur if you mark objects in Active Directory as authoritative using the Ntdsutil tool, and then restore Active Directory from a backup. This is the incorrect order in which to perform these steps.
There may be AD database corruption, but what I suspect is incorrectly configured file system permissions on the server root drive, perhaps through some kind of file system GPO or hardening etc.; undoing those changes might help you.

I had this issue previously with 2K3 and the problem was related to the security settings on the system drive. Boot into DSRM and check that SYSTEM has permission on the system drive + Windows directory + \windows\ntds. You can as well run the System Configuration and Analysis snap-in to check your system against the setup template.
After I changed the security settings, the system booted up normally.

You can also check below articles and resolution mentioned in that to identify exact issue and may be its resolution
http://support.microsoft.com/kb/240655
http://support.microsoft.com/kb/258062

According to my experience this is a serious problem and you should log a call with Microsoft in order to find out the root cause and resolve it, as I believe they must have some hidden (Premium) tools that can fix database corruption \ file system corruption if any

Mahesh
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39764880
Reposting what has already been posted.

Will.
 

Author Comment

by:TOHIT
ID: 39764934
Mahesh,
I didn't restore the AD.  I simply used the second dc and seized the roles, and made it a gc.  When you say the permissions are not correct, do you mean on the dc that I seized the roles with, or the new one that I am trying to make a dc?
 
LVL 35

Expert Comment

by:Mahesh
ID: 39765134
@Will
It's my fault that I did not refresh the page, causing duplication of some part of the comment.
Next time I will refresh the page before publishing comments after writing them.

@Tohit:
It's the new one that you are trying to make a DC.
Basically what I mean to say is, if you've done any hardening on the system drive or any GPO which can revoke system account permissions from the system drive\NTDS folder.
You can just try importing the default security templates on the server as per the below articles
http://support.microsoft.com/kb/816585
http://support.microsoft.com/kb/313222

Have you tried the hotfix suggested by spravtek?

If the problem still exists I suggest you log a call with MS for the reasons in my earlier comment

Mahesh
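As an added example (not from the thread, and not a Microsoft tool), here is a PowerShell check for the permission problem Mahesh describes in his two comments: that SYSTEM still holds Full Control on the system drive, the Windows directory and the NTDS database and log folders on the server that fails to start with 0xc00002e1. It assumes PowerShell 2.0 run elevated on that server (it also works in Directory Services Restore Mode), reads the NTDS paths from the registry values dcpromo writes and falls back to the defaults under %SystemRoot% when those values are absent, as they would be on a box that never completed promotion. The path list and the cacls remediation line are my own choices, not something the thread specifies.

```powershell
# Added example: verify SYSTEM has Full Control on the paths the directory service needs.
# Run elevated on the server that fails with 0xc00002e1 (normal mode or DSRM).
$ErrorActionPreference = 'Stop'

# Paths dcpromo records; absent on a server whose promotion never completed, so defaults apply
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = if (Test-Path $ntdsKey) { Get-ItemProperty -Path $ntdsKey } else { $null }

$dbFile = "$env:SystemRoot\NTDS\ntds.dit"                     # default location (assumption)
if ($params -and $params.'DSA Database file') { $dbFile = $params.'DSA Database file' }
$logDir = "$env:SystemRoot\NTDS"
if ($params -and $params.'Database log files path') { $logDir = $params.'Database log files path' }

$paths = @(
    "$env:SystemDrive\",
    $env:SystemRoot,
    (Split-Path -Parent $dbFile),
    $logDir,
    "$env:SystemRoot\SYSVOL"                                  # default SYSVOL path (assumption)
) | Select-Object -Unique

# NT AUTHORITY\SYSTEM by well-known SID, so the check is independent of display-name localisation
$systemSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-SystemFullControl {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return 'missing' }
    $acl   = Get-Acl -Path $Path
    # Explicit and inherited rules, identities as SIDs
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $deny  = $rules | Where-Object { $_.IdentityReference -eq $systemSid -and $_.AccessControlType -eq 'Deny' }
    $allow = $rules | Where-Object {
        $_.IdentityReference -eq $systemSid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    if ($deny)  { return 'DENY present' }      # a hardening template can add this
    if ($allow) { return 'ok' }
    return 'NO Full Control'
}

foreach ($p in $paths) {
    '{0,-16} {1}' -f (Test-SystemFullControl -Path $p), $p
}

# Remediation is deliberate, not automatic. Either reapply the default security template as
# the thread suggests (KB816585 / KB313222) or re-grant the single folder with cacls, which
# every 2003 build ships. /E edits the ACL instead of replacing it:
#   cacls "%SystemRoot%\NTDS" /E /G "NT AUTHORITY\SYSTEM":F
```

A `DENY present` or `NO Full Control` result on any of the listed paths matches the cause Mahesh describes; a clean result on all of them points back at DNS or database issues rather than file permissions.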
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 300 total points
ID: 39767445
Before just running any fixes first do some diagnostics.
You should not be focussing on the server that you want to make a DC but should rather focus on the existing DC.

Most likely problems on the existing DC are causing the issues.
If these are not resolved and your DC breaks then you'll have bigger issues which is what you're correctly trying to prevent.

On your existing DC, run "DCDIAG /v /f:dcdiag.txt"

Review the log file and post it here if you need any more help.
Information on the DCDIAG command
http://technet.microsoft.com/en-us/library/cc731968.aspx

Just a warning, but I wouldn't suggest restarting your existing DC until you've run the diagnostics. If the AD database IS corrupt then it won't start on your existing DC either, which means no AD.
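As an added example (not from the thread or from Microsoft), a PowerShell script that runs the dcdiag command Leon recommends on the surviving DC and summarises what matters before you reboot anything: the tests that failed, the replication error codes, the number of DCs the directory reports, and refused dynamic DNS updates. It assumes the Windows Server 2003 Support Tools are installed (dcdiag.exe on PATH), PowerShell 2.0, and that it runs on the DC itself. The log path, the regular expressions and the embedded sample excerpt are my own; the sample is constructed to look like the output posted later in this thread and is not a real log.

```powershell
# Added example: run dcdiag /v and triage the log before touching the surviving DC.
param(
    [string]$LogPath = 'C:\dcdiag.txt',   # assumed location; matches "dcdiag /v /f:dcdiag.txt"
    [switch]$UseSample                    # parse the constructed excerpt instead of running dcdiag
)
$ErrorActionPreference = 'Stop'

# Constructed excerpt modelled on the output in this thread (sample data, not a real log)
$sample = @'
   * Found 5 DC(s). Testing 1 of them.
         ......................... MYSERVER2 failed test Connectivity
            The replication generated an error (8524):
         [MYSERVER1] DsBindWithSpnEx() failed with error 1722,
            The replication generated an error (8524):
         ......................... MYSERVER2 failed test kccevent
Returned Response Code (RCODE): 5
'@

if ($UseSample) {
    $log = $sample -split "`r?`n"
} else {
    # The command Leon recommends; /v gives the per-test detail the parser below needs
    & dcdiag.exe /v "/f:$LogPath" | Out-Null
    $log = Get-Content -Path $LogPath
}

# "......................... SERVER failed test NAME"
$failedTests = $log | Select-String -Pattern '\.{5,}\s+(\S+)\s+failed test\s+(\S+)' | ForEach-Object {
    New-Object PSObject -Property @{
        Server = $_.Matches[0].Groups[1].Value
        Test   = $_.Matches[0].Groups[2].Value
    }
}

# Directory error codes attached to failed replication attempts, e.g. 8524
$replCodes = $log | Select-String -Pattern 'replication generated an error \((\d+)\)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Group-Object | Sort-Object Count -Descending

# "Found N DC(s)": N larger than the DCs you actually own means leftover NTDS Settings objects
$dcCount = $null
$found = $log | Select-String -Pattern 'Found (\d+) DC\(s\)' | Select-Object -First 1
if ($found) { $dcCount = [int]$found.Matches[0].Groups[1].Value }

"DCs the directory knows about: $dcCount"
"Failed tests:"
$failedTests | Format-Table Server, Test -AutoSize | Out-String
"Replication error codes:"
$replCodes | Format-Table Name, Count -AutoSize | Out-String

# Triage rules, each tied to a code that appears in this thread
$verdict = @()
if ($replCodes | Where-Object { $_.Name -eq '8524' }) {
    $verdict += '8524: a partner''s GUID._msdcs name did not resolve. Point the DC at a DNS server that hosts _msdcs (itself, if it runs DNS) and fix DNS before anything else.'
}
if ($log | Select-String -Pattern 'failed with error 1722' -Quiet) {
    $verdict += '1722: RPC server unavailable. The partner is offline; if it is permanently dead, metadata cleanup is required.'
}
if ($log | Select-String -Pattern 'RCODE\):\s*5' -Quiet) {
    $verdict += 'RCODE 5 (REFUSED): the DNS server the DC registers with rejects its dynamic updates.'
}
"Verdict:"
$verdict
```

Run it as `.\Test-DcHealth.ps1 -UseSample` to see the parser work on the excerpt, then without the switch on the real DC. The verdict lines map the three codes that dominate this thread (8524, 1722, RCODE 5) to their usual cause so the log can be acted on without reading all of it.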
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 100 total points
ID: 39767474
When your main DC failed, you have done role seizure

Have you done metadata clean up as well for failed DC ?

Mahesh
 

Author Comment

by:TOHIT
ID: 39768668
I tried running DCDIAG but it is an unrecognized command.  Is it part of the support tools?  Do you know if I install it, does it require a reboot, which I'm trying to avoid?

Should I run the metadata clean up before or after the dcdiag?

Thanks
 
LVL 53

Accepted Solution

by:Will Szymkowski
Will Szymkowski earned 100 total points
ID: 39768702
dcdiag is merely a way to check the health of AD services: DNS, replication, etc...

I would do Dcdiag first, then try and correct any issues if possible. Then perform metadata cleanup. Another thing you should be checking is the SRV records in the DNS manager for your internal domain zone, _msdcs folder.

Make sure that the failed DC is not listed in any of the SRV records folders (gc, dc, ldap, kerberos, etc). If you do see them simply delete the records. Do the same for Sites and Services: remove any of the computer objects for the old DC.

Will.
 
LVL 35

Expert Comment

by:Mahesh
ID: 39768704
Yes, you need to install the 2003 Support Tools.
Installing the 2003 Support Tools doesn't require a reboot.
http://www.microsoft.com/en-us/download/details.aspx?id=15326

Since your main DC has failed permanently, just run metadata clean-up without fail.
It's not dependent on DCdiag; you can run it at any time. If you run DCdiag prior to metadata clean-up, it may show you a non-existent DC.

Check below link to metadata clean-up
http://www.petri.co.il/delete_failed_dcs_from_ad.htm#

How many DCs do you have in total?

Mahesh
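The procedure the last three expert comments lay out (dcdiag, then find the dead DC's leftovers in DNS and Sites and Services, then metadata cleanup) can be checked in one pass. The following PowerShell script is an added example, not code from the thread or from Microsoft. It lists every DC the directory still believes in (the nTDSDSA objects behind dcdiag's "Found N DC(s)"), checks for each one whether its GUID._msdcs CNAME resolves, whether it still answers LDAP, and whether it is still advertised in the `_ldap._tcp.dc._msdcs` SRV record, and prints the ntdsutil input for the ones that are gone instead of running it. It assumes PowerShell 2.0 with System.DirectoryServices (the ActiveDirectory module does not exist on 2003), Domain Admins rights, nslookup and nltest on PATH, and that ntdsutil is the 2003 SP1 or later build that accepts the server DN on the `remove selected server` line.

```powershell
# Added example: reconcile the DCs in the directory with what DNS and LDAP actually show,
# then print (not run) the metadata-cleanup command for any DC that is unreachable.
$ErrorActionPreference = 'Stop'

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.defaultNamingContext            # e.g. DC=MYDOMAIN,DC=COM
$configDn  = [string]$rootDse.configurationNamingContext
$dnsDomain = ($domainDn -replace 'DC=', '') -replace ',', '.'  # -> MYDOMAIN.COM

# 1. One nTDSDSA ("NTDS Settings") object per DC the directory still believes in.
#    This is the list behind dcdiag's "Found N DC(s)".
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configDn"
$searcher.Filter     = '(objectClass=nTDSDSA)'
[void]$searcher.PropertiesToLoad.Add('objectGUID')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$dsas = $searcher.FindAll()

# 2. Hosts the DC locator SRV record still advertises (nslookup prints "svr hostname = host")
$srvHosts = @(& nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$dnsDomain" 2>$null |
    Select-String 'svr hostname\s*=\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.TrimEnd('.').ToLower() })

$report = foreach ($dsa in $dsas) {
    $guid     = New-Object Guid (,[byte[]]$dsa.Properties['objectguid'][0])
    $serverDn = [string]$dsa.Properties['distinguishedname'][0] -replace '^CN=NTDS Settings,', ''
    $dnsHost  = [string]([ADSI]"LDAP://$serverDn").dNSHostName

    # Replication partners locate each other by this CNAME; error 8524 means it did not resolve
    $guidName = "$guid._msdcs.$dnsDomain"
    try   { [void][System.Net.Dns]::GetHostAddresses($guidName); $cnameOk = $true }
    catch { $cnameOk = $false }

    # Liveness: an LDAP bind to the server's RootDSE (in effect what dcdiag's DsBind does)
    $ldapOk = $false
    if ($dnsHost) {
        try { ([ADSI]"LDAP://$dnsHost/RootDSE").RefreshCache(); $ldapOk = $true } catch { }
    }

    New-Object PSObject -Property @{
        ServerDn = $serverDn
        Host     = $dnsHost
        GuidName = $guidName
        CnameOk  = $cnameOk
        LdapOk   = $ldapOk
        InSrv    = ($srvHosts -contains $dnsHost.ToLower())
    }
}

$report | Format-Table Host, LdapOk, CnameOk, InSrv, GuidName -AutoSize

# 3. A DC that does not answer LDAP is a candidate for metadata cleanup. The command is
#    printed, not executed: confirm the machine is really gone, then run it yourself.
#    The one-line "remove selected server <DN>" form assumes ntdsutil from 2003 SP1 or later.
foreach ($dead in ($report | Where-Object { -not $_.LdapOk })) {
    "Unreachable DC: $($dead.Host)  [$($dead.ServerDn)]"
    "  ntdsutil `"metadata cleanup`" `"remove selected server $($dead.ServerDn)`" quit quit"
    if ($dead.InSrv) { "  still listed in _ldap._tcp.dc._msdcs.$dnsDomain - delete its SRV records in DNS Manager" }
}

# 4. Once the surviving DC points at a DNS server that accepts its updates, re-register its
#    own locator records (the action the NETLOGON 5774 events in this thread recommend):
#    nltest /dsregdns
```

Servers that never finished promotion show up here exactly like a dead DC: an NTDS Settings object with no resolvable GUID CNAME and no LDAP answer. Clean those up the same way before the next promotion attempt, otherwise the new DC inherits replication links to partners that do not exist.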
 

Author Comment

by:TOHIT
ID: 39768746
Only one right now, which is why I am panicking
 

Author Comment

by:TOHIT
ID: 39768782
Here is the result of my dcdiag.  The one thing I noticed that was odd is that it says it found 5 dcs.  I only originally had 2, one of which is the one that died.  I've tried to bring a couple others on, but unsuccessfully.  Does this look correct?

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine myserver2, is a DC. 
   * Connecting to directory service on server myserver2.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 5 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\MYSERVER2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 5e7b4633-dd92-415d-a4db-00a0000000ee._msdcs.TOHLAN.COM could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (5e7b4633-dd92-415d-a4db-00a0000000ee._msdcs.MYDOMAIN.COM) couldn't be
         resolved, the server name (myserver2.MYDOMAIN.COM) resolved to the IP
         address (172.18.XXX.XXX) and was pingable.  Check that the IP address
         is registered correctly with the DNS server. 
         ......................... MYSERVER2 failed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\MYSERVER2
      Skipping all tests, because server MYSERVER2 is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : MYDOMAIN
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom
   
   Running enterprise tests on : MYDOMAIN.COM
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided. 
         ......................... MYDOMAIN.COM passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\myserver2.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         PDC Name: \\myserver2.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         Time Server Name: \\myserver2.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\myserver2.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         KDC Name: \\myserver2.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         ......................... MYDOMAIN.COM passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

 

Author Comment

by:TOHIT
ID: 39768817
I noticed that the remaining dc was pointed to a different dns, instead of itself (it's a dns server).  I changed that, reran the dcdiag, and received a different response, with several failures.  The new results are:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine myserver2, is a DC.
   * Connecting to directory service on server myserver2.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 5 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\MYSERVER2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... MYSERVER2 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\MYSERVER2
      Starting test: Replications
         * Replications Check
         [Replications Check,MYSERVER2] A recent replication attempt failed:
            From MYSERVER1 to MYSERVER2
            Naming Context: CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2014-01-09 11:59:44.
            The last success occurred at 2014-01-05 22:53:08.
            87 failures have occurred since the last success.
            The guid-based DNS name 3d171b93-655b-42ea-8899-b89a1ccd9167._msdcs.MYDOMAIN.COM
            is not registered on one or more DNS servers.
         [MYSERVER1] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Printing RPC Extended Error Info:
         Error Record 1, ProcessID is 296 (DcDiag)        
            System Time is: 1/9/2014 17:53:52:656
            Generating component is 8 (winsock)
            Status is 1722: The RPC server is unavailable.

            Detection location is 323
         Error Record 2, ProcessID is 296 (DcDiag)        
            System Time is: 1/9/2014 17:53:52:656
            Generating component is 8 (winsock)
            Status is 1237: The operation could not be completed. A retry should be performed.

            Detection location is 313
         Error Record 3, ProcessID is 296 (DcDiag)        
            System Time is: 1/9/2014 17:53:52:656
            Generating component is 8 (winsock)
            Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

            Detection location is 311
            NumberOfParameters is 3
            Long val: 135
            Pointer val: 0
            Pointer val: 0
         Error Record 4, ProcessID is 296 (DcDiag)        
            System Time is: 1/9/2014 17:53:52:656
            Generating component is 8 (winsock)
            Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

            Detection location is 318
         [Replications Check,MYSERVER2] A recent replication attempt failed:
            From MYSERVER1 to MYSERVER2
            Naming Context: CN=Configuration,DC=MYDOMAIN,DC=COM
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2014-01-09 11:59:42.
            The last success occurred at 2014-01-05 23:29:26.
            87 failures have occurred since the last success.
            The guid-based DNS name 3d171b93-655b-42ea-8899-b89a1ccd9167._msdcs.MYDOMAIN.COM
            is not registered on one or more DNS servers.
         [Replications Check,MYSERVER2] A recent replication attempt failed:
            From MYSERVER1 to MYSERVER2
            Naming Context: DC=MYDOMAIN,DC=COM
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2014-01-09 11:59:39.
            The last success occurred at 2014-01-05 23:35:47.
            87 failures have occurred since the last success.
            The guid-based DNS name 3d171b93-655b-42ea-8899-b89a1ccd9167._msdcs.MYDOMAIN.COM
            is not registered on one or more DNS servers.
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         MYSERVER2:  Current time is 2014-01-09 12:53:31.
            CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
               Last replication recieved from MYSERVER1 at 2014-01-05 22:53:08.
            CN=Configuration,DC=MYDOMAIN,DC=COM
               Last replication recieved from MYSERVER1 at 2014-01-05 23:29:26.
            DC=MYDOMAIN,DC=COM
               Last replication recieved from MYSERVER1 at 2014-01-05 23:35:47.
         * Replication Site Latency Check
         ......................... MYSERVER2 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC MYSERVER2.
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=MYDOMAIN,DC=COM
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=MYDOMAIN,DC=COM
            (Domain,Version 2)
         ......................... MYSERVER2 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\MYSERVER2\netlogon
         Verified share \\MYSERVER2\sysvol
         ......................... MYSERVER2 passed test NetLogons
      Starting test: Advertising
         The DC MYSERVER2 is advertising itself as a DC and having a DS.
         The DC MYSERVER2 is advertising as an LDAP server
         The DC MYSERVER2 is advertising as having a writeable directory
         The DC MYSERVER2 is advertising as a Key Distribution Center
         The DC MYSERVER2 is advertising as a time server
         The DS MYSERVER2 is advertising as a GC.
         ......................... MYSERVER2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
         Role Domain Owner = CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
         Role PDC Owner = CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
         Role Rid Owner = CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
         ......................... MYSERVER2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 4603 to 1073741823
         * myserver2.MYDOMAIN.COM is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 3103 to 3602
         * rIDPreviousAllocationPool is 3103 to 3602
         * rIDNextRID: 3250
         ......................... MYSERVER2 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC MYSERVER2 on DC MYSERVER2.
         * SPN found :LDAP/myserver2.MYDOMAIN.COM/MYDOMAIN.COM
         * SPN found :LDAP/myserver2.MYDOMAIN.COM
         * SPN found :LDAP/MYSERVER2
         * SPN found :LDAP/myserver2.MYDOMAIN.COM/MYDOMAIN
         * SPN found :LDAP/5e7b4633-dd92-415d-a4db-89a9894022ee._msdcs.MYDOMAIN.COM
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e7b4633-dd92-415d-a4db-89a9894022ee/MYDOMAIN.COM
         * SPN found :HOST/myserver2.MYDOMAIN.COM/MYDOMAIN.COM
         * SPN found :HOST/myserver2.MYDOMAIN.COM
         * SPN found :HOST/MYSERVER2
         * SPN found :HOST/myserver2.MYDOMAIN.COM/MYDOMAIN
         * SPN found :GC/myserver2.MYDOMAIN.COM/MYDOMAIN.COM
         ......................... MYSERVER2 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... MYSERVER2 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         MYSERVER2 is in domain DC=MYDOMAIN,DC=COM
         Checking for CN=MYSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM in domain DC=MYDOMAIN,DC=COM on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM in domain CN=Configuration,DC=MYDOMAIN,DC=COM on 1 servers
            Object is up-to-date on all servers.
         ......................... MYSERVER2 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... MYSERVER2 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034FA
            Time Generated: 01/08/2014   16:48:46
            (Event String could not be retrieved)
         ......................... MYSERVER2 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 01/09/2014   12:49:37
            Event String: The attempt to establish a replication link for
the following writable directory partition
failed.

Directory partition:
CN=Configuration,DC=MYDOMAIN,DC=COM

Source domain controller:
CN=NTDS Settings,CN=TOHDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM

Source domain controller address:
7f6dba50-3ec1-4e55-8897-22ea3303b5fe._msdcs.MYDOMAIN.COM

Intersite transport (if any):

This domain controller will be unable to
replicate with the source domain controller until
this problem is corrected.  

User Action

Verify if the source domain controller is
accessible or network connectivity is available.

Additional Data

Error value:
8524
The DSA operation is unable to proceed because of a DNS lookup failure.

         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 01/09/2014   12:49:37
            Event String: The attempt to establish a replication link for
the following writable directory partition
failed.

Directory partition:
CN=Configuration,DC=MYDOMAIN,DC=COM

Source domain controller:
CN=NTDS Settings,CN=TOHDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM

Source domain controller address:
8b7b928a-faf5-4714-bf15-14731c699e05._msdcs.MYDOMAIN.COM

Intersite transport (if any):

This domain controller will be unable to
replicate with the source domain controller until
this problem is corrected.  

User Action

Verify if the source domain controller is
accessible or network connectivity is available.

Additional Data

Error value:
8524
The DSA operation is unable to proceed because of a DNS lookup failure.

         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 01/09/2014   12:49:37
            Event String: The attempt to establish a replication link for
the following writable directory partition
failed.

Directory partition:
CN=Configuration,DC=MYDOMAIN,DC=COM
Source domain controller:
CN=NTDS Settings,CN=TOHDC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM

Source domain controller address:
4c14f4f2-459f-4798-a4bc-cb156af14f55._msdcs.MYDOMAIN.COM

Intersite transport (if any):

This domain controller will be unable to
replicate with the source domain controller until
this problem is corrected.  

User Action

Verify if the source domain controller is
accessible or network connectivity is available.

Additional Data

Error value:
8524
The DSA operation is unable to proceed because of a DNS lookup failure.

         ......................... MYSERVER2 failed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record
'MYDOMAIN.COM. 600 IN A 172.18.1.6' failed on the
following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record
'_ldap._tcp.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record
'_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record
'_ldap._tcp.0a3d3e02-f17d-4d45-b80f-1bb0cf2b403b.domains._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record
'5e7b4633-dd92-415d-a4db-89a9894022ee._msdcs.MYDOMAIN.COM. 600 IN CNAME myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.2
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record
'_ldap._tcp.dc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record
'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record

'MYDOMAIN.COM. 600 IN A 172.18.255.106' failed on
the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record

'_ldap._tcp.pdc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record

'_ldap._tcp.gc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 3268 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record

'_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 3268 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record

'gc._msdcs.MYDOMAIN.COM. 600 IN A 172.18.1.6'
failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record

'gc._msdcs.MYDOMAIN.COM. 600 IN A 172.18.255.106'
failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record

'_gc._tcp.MYDOMAIN.COM. 600 IN SRV 0 100 3268 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record

'_gc._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM. 600 IN SRV 0 100 3268 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:34
            Event String: The dynamic registration of the DNS record

'_kerberos._tcp.dc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 88 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:34
            Event String: The dynamic registration of the DNS record

'_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 88 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:34
            Event String: The dynamic registration of the DNS record

'_kerberos._tcp.MYDOMAIN.COM. 600 IN SRV 0 100 88 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:34
            Event String: The dynamic registration of the DNS record

'_kerberos._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM. 600 IN SRV 0 100 88 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:34
            Event String: The dynamic registration of the DNS record

'_kerberos._udp.MYDOMAIN.COM. 600 IN SRV 0 100 88 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.
  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:34
            Event String: The dynamic registration of the DNS record

'_kpasswd._tcp.MYDOMAIN.COM. 600 IN SRV 0 100 464 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.

  Or, you can manually add this record to DNS,
but it is not recommended.  

ADDITIONAL DATA

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:34
            Event String: The dynamic registration of the DNS record

'_kpasswd._udp.MYDOMAIN.COM. 600 IN SRV 0 100 464 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain
controller, this record must be registered in
DNS.  

USER ACTION  

Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by  this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain  controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows  Server
Resource Kit CD.

  Or, you can manually add this record to DNS,
but it is not recommended.  



ADDITIONAL DATA

Error Value: %%9017
         ......................... MYSERVER2 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)

         CN=MYSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM and backlink on

         CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=MYSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=COM

         and backlink on CN=MYSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM are

         correct.
         The system object reference (serverReferenceBL)

         CN=MYSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=COM

         and backlink on

         CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM

         are correct.
         ......................... MYSERVER2 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : MYDOMAIN
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom
   
   Running enterprise tests on : MYDOMAIN.COM
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided.
         ......................... MYDOMAIN.COM passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\myserver2.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         PDC Name: \\myserver2.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         Time Server Name: \\myserver2.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\myserver2.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         KDC Name: \\myserver2.MYDOMAIN.COM
         Locator Flags: 0xe00003fd
         ......................... MYDOMAIN.COM passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39768819
@dvt_localboy
You have perfectly guessed the issue.
Thanks

@TOHIT
You are not getting \ having clarity about your AD infrastructure. I am still suggesting, as in my 1st comment, that you log a call with MS to isolate and resolve the issue, as the more you try to troubleshoot, the more puzzling the situation is getting, and this blog support is limited to comments only.

Mahesh
0
 

Author Comment

by:TOHIT
ID: 39768928
I have called Microsoft and they said they do not support 2013.
0
 

Author Comment

by:TOHIT
ID: 39768944
SPEC01,
I was cleaning up the references to the old failed server as you suggested.  I noticed that in the GC-LDAP there is a _ldap reference to the old server.  If I delete it, there will be none. Is this correct?  Or do I need to add my existing dc there?  If so, how do you add the _ldap entry?  I don't see it as a selection.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39768956
You can try with an MS Premium ticket \ call support, OR
You can just call a local directory specialist, if any, please.

Mahesh
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 300 total points
ID: 39770399
Replications Check,MYSERVER2] A recent replication attempt failed:
            From MYSERVER1 to MYSERVER2
            Naming Context: CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2014-01-09 11:59:44.
            The last success occurred at 2014-01-05 22:53:08.
            87 failures have occurred since the last success.
            The guid-based DNS name 3d171b93-655b-42ea-8899-b89a1ccd9167._msdcs.MYDOMAIN.COM
            is not registered on one or more DNS servers.

The last success occurred at 2014-01-05 22:53:08.
This date shows when you last had a successful replication.
So I'm guessing your DC MYSERVER1 failed after that?

To confirm what Domain controllers are currently registered in AD run:
nltest /dclist:tohlan.com

http://support.microsoft.com/kb/158148

You only want to see your "working" DC. If there are any other servers then you need to run the metadata cleanup.

For all other servers listed you need to run the METADATA Cleanup and delete those servers, especially MYSERVER1.
Reason: If you only have one DC then your servers should not be trying to replicate with any other DC.

You then also need to clean up the DNS
Use these instructions to remove AD and DNS references for all "dead" DC's.
http://support.microsoft.com/kb/216498

See the errors below? They refer to DNS lookups that are failing.
The DSA operation is unable to proceed because of a DNS lookup failure.

This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  

Event String: The dynamic registration of the DNS record
'MYDOMAIN.COM. 600 IN A 172.18.1.6' failed on the
following DNS server:  

DNS server IP address: 172.16.4.8
        An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record

'_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
 failed on the following DNS server:  

DNS server IP address: 172.16.4.8

What is the server 172.16.4.8?
While you're working through these issues I'd suggest that you set every server to point to your existing DNS server (MYSERVER2).

If 172.16.4.8 is MYSERVER2 then run:
DCDIAG /test:DNS to confirm the health of your DNS server.
The new DCDIAG /TEST:DNS command can validate DNS health of Windows 2000 Server (SP3 or later) or Windows Server 2003 family domain controllers when run from the console of Windows XP or Windows Server 2003 member computers or Windows Server 2003 domain controllers.
http://technet.microsoft.com/en-us/library/cc776854(v=ws.10).aspx

How to troubleshoot DNS registration using NSLOOKUP
http://support.microsoft.com/kb/816587
You should be able to search all DNS records listed as failed once you've used the command
"set type=all" in nslookup.

Next, make sure that MYSERVER2 is correctly registered in DNS.
Run nltest /dsregdns
http://technet.microsoft.com/en-us/library/cc786478(v=ws.10).aspx

Once you've completed this task then re-run DCDIAG /v
If there are no failures then your AD is "clean"

NEXT step, setup a new server, add it to the domain, point it to MYSERVER2 for DNS and then promote it to a DC.
You should be fine from here on...

dcdiag is merely a way to check the health of AD services DNS, Replication, etc...
This is a very bad statement to make. DCDIAG is your primary diagnostic tool for AD issues. If you do really support AD then it should always be the first thing you run to find out what is wrong with AD.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39770409
AD is VERY dependent on DNS.
If your DNS is not working correctly then your AD won't work correctly.

Error Value: %%9017
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:34
            Event String: The dynamic registration of the DNS record

'_kpasswd._udp.TOHLAN.COM. 600 IN SRV 0 100 464 myserver2.MYDOMAIN.COM.'

 failed on the following DNS server:  



DNS server IP address: 172.16.4.8

Returned Response Code (RCODE): 5

Returned Status Code: 9017  

Once again server 172.16.4.8 appears not to be accepting DNS registrations.
In this case it is from MYSERVER2.

Have a look at the dynamic registrations listed in your DCDIAG results and verify which servers are doing what.
Is this MYSERVER2's IP address: 172.18.255.106?
If Yes, then that should be your Primary DNS Server for all your Servers.
0
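The advice above is to read the dynamic-registration failures in the DCDIAG output and work out which DNS server is rejecting which records. The following is an added example, not code from the thread or from any Microsoft tool: a small Python parser for the `systemlog` event blocks dcdiag prints, which groups the failed records by DNS server and RCODE and names the response code. The sample input is constructed to mirror the thread's output (domain `MYDOMAIN.COM`, DNS server `172.16.4.8`, RCODE 5); the RCODE names are the standard RFC 1035/2136 values and the hints are the usual first checks for each code.

```python
"""Summarise the 'dynamic registration ... failed' events from dcdiag's
systemlog test, grouped by DNS server and DNS response code (RCODE)."""
import re
from collections import defaultdict

# Standard DNS response codes (RFC 1035, RFC 2136). The thread's output shows RCODE 5.
RCODE_NAMES = {
    0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
    5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE",
}

# First thing to check for the codes a DC is most likely to get back on an UPDATE.
RCODE_HINTS = {
    5: "update refused: the server is not accepting dynamic updates from this host "
       "(not the primary for the zone, or the zone does not allow updates from it)",
    9: "the server is not authoritative for the zone named in the update",
    10: "the record's owner name is outside the zone the update was sent to",
}

# One event as dcdiag prints it: record in presentation form, then server and RCODE.
EVENT_RE = re.compile(
    r"The dynamic registration of the DNS record\s*'(?P<record>[^']+)'\s*"
    r"failed on\s+the following DNS server:\s*DNS server IP address:\s*(?P<server>[\d.]+)\s*"
    r"Returned Response Code \(RCODE\):\s*(?P<rcode>\d+)",
    re.S,
)

# Constructed sample modelled on the thread's dcdiag output (not from a live system).
SAMPLE_DCDIAG = """\
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record

'_ldap._tcp.dc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 389 dc2.MYDOMAIN.COM.'
 failed on the following DNS server:

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017

         An Error Event occured.  EventID: 0x0000168E
            Event String: The dynamic registration of the DNS record

'MYDOMAIN.COM. 600 IN A 172.18.255.106' failed on
the following DNS server:

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017

         An Error Event occured.  EventID: 0x0000168E
            Event String: The dynamic registration of the DNS record

'_kerberos._tcp.MYDOMAIN.COM. 600 IN SRV 0 100 88 dc2.MYDOMAIN.COM.'
 failed on the following DNS server:

DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
"""


def parse_registration_failures(text):
    """Return one dict per failed registration: owner, rtype, target, server, rcode."""
    failures = []
    for m in EVENT_RE.finditer(text):
        fields = m.group("record").split()  # owner TTL class type rdata...
        failures.append({
            "owner": fields[0].rstrip(".").lower(),
            "rtype": fields[3],
            "target": fields[-1].rstrip(".").lower(),  # SRV target host or A address
            "server": m.group("server"),
            "rcode": int(m.group("rcode")),
        })
    return failures


def summarise(failures):
    """Group owner names by (DNS server, RCODE) so the pattern is visible at a glance."""
    groups = defaultdict(set)
    for f in failures:
        groups[(f["server"], f["rcode"])].add(f["owner"])
    return {key: sorted(names) for key, names in groups.items()}


def describe(summary):
    """One human-readable line per (server, RCODE) group."""
    lines = []
    for (server, rcode), owners in sorted(summary.items()):
        name = RCODE_NAMES.get(rcode, "UNKNOWN")
        hint = RCODE_HINTS.get(rcode, "check the DNS server's own logs")
        lines.append("%s returned RCODE %d (%s) for %d record(s): %s"
                     % (server, rcode, name, len(owners), hint))
    return lines


if __name__ == "__main__":
    for line in describe(summarise(parse_registration_failures(SAMPLE_DCDIAG))):
        print(line)
```

Paste the whole `dcdiag /v` output into `SAMPLE_DCDIAG` (or read it from a file) and the summary shows immediately whether every failure comes from the same server with the same code, as it does in this thread, or whether several DNS servers are involved.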
 

Author Comment

by:TOHIT
ID: 39771173
Thanks for the comments everyone.  Yes MyServer1 was the dc that died.  172.16.4.8 is a dns in a different domain that we pointed to while we were adding the dns role to the current dc.  

I will go through all the steps and let you know what I find.  My biggest fear is the current dc rebooting before I get a second one up, and it failing because of these problems.
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 300 total points
ID: 39771244
172.16.4.8 is a dns in a different domain that we pointed to while we were adding the dns role to the current dc.  

OK that adds quite a bit to the picture
The basic problem here is that your DNS servers do not have the SRV records that Active Directory is trying to use to find your existing DC's.

Since that DNS server [172.16.4.8] is in a different domain, your clients are most likely not authorized to create their DNS entries, which explains why MYSERVER2 (which is the only DC and has all the FSMO roles) cannot register its own DNS records.

While the SRV records for MYSERVER2 are not available your DC promotion cannot complete.

You can get around this issue of dynamic registration failing by enabling "Unsecure updates" on 172.16.4.8.

This will allow your servers from the other domain to update the SRV records.
The nltest /dsregdns command will ensure that the correct SRV records are added to DNS so that should sort out quite a bit of your problems.

While the DNS zone still holds the SRV records for HERNDON1 your clients will still try to look for it. Remember to clean up the DNS zone

You did mention that you made a DNS server.
Did you start with a new zone file or was it already a DNS server?
If it's a new zone then the SRV records won't have any references to MYSERVER1.

I recall you mentioned earlier that HERNDON2 wasn't pointing to itself originally but you had fixed that.

IF 172.16.4.8 is not a Windows DNS server then it won't have the _msdcs zone.
The instructions given before do still apply...
But make sure that you focus on this problem as a DNS issue.

My biggest fear is the current dc rebooting before I get a second one up, and it failing because of these problems.
I don't think that this should be a concern, unless the DC doesn't boot up at all.

The best thing you can do is to ensure that you have current and valid System State backups from MYSERVER2. This will allow you to restore AD should anything "surprising" happen to MYSERVER2.
0
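Two of the steps above, cleaning dead-DC references out of the DNS zone (ID 39770399 and the zone clean-up reminder in this comment) and confirming that the surviving DC is correctly registered, can be checked mechanically. The following is an added example, not code from the thread: a Python cross-check that takes `nltest /dclist` output and a zone listing in standard presentation form (the same form dcdiag uses when it names a record), lists locator records that still point at a host that is no longer a DC, and lists the SRV owner names the DC locator expects for the surviving DC that are absent. Both inputs are constructed samples (hosts `dc1`/`dc2`, domain `mydomain.com`, a placeholder GUID); the required-record list is taken from the record names in the thread's dcdiag output.

```python
"""Cross-check DC locator records in DNS against the DCs the domain actually has."""
import re

# Constructed sample of `nltest /dclist:mydomain.com` output after DC1 was removed.
SAMPLE_DCLIST = """\
Get list of DCs in domain 'mydomain' from '\\\\dc2'.
    dc2.mydomain.com [PDC]  [DS] Site: Default-First-Site-Name
The command completed successfully
"""

# Constructed zone excerpt in presentation form (owner TTL class type rdata).
# The GUID CNAME is a placeholder standing in for a dead DC's _msdcs alias.
SAMPLE_ZONE = """\
_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 dc2.mydomain.com.
_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 dc1.mydomain.com.
_ldap._tcp.dc._msdcs.mydomain.com. 600 IN SRV 0 100 389 dc2.mydomain.com.
_kerberos._tcp.dc._msdcs.mydomain.com. 600 IN SRV 0 100 88 dc1.mydomain.com.
_gc._tcp.mydomain.com. 600 IN SRV 0 100 3268 dc2.mydomain.com.
00000000-0000-0000-0000-000000000001._msdcs.mydomain.com. 600 IN CNAME dc1.mydomain.com.
mydomain.com. 600 IN A 172.18.255.106
"""

# A DC line from nltest: indented FQDN, optional [PDC], then [DS].
DC_LINE_RE = re.compile(r"^\s+(?P<fqdn>[\w.-]+)\s+(?:\[PDC\]\s+)?\[DS\]", re.M)


def parse_dclist(text):
    """Set of lower-case DC FQDNs that the directory currently lists."""
    return {m.group("fqdn").lower().rstrip(".") for m in DC_LINE_RE.finditer(text)}


def parse_zone(text):
    """(owner, type, target) for SRV and CNAME records; other types are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3] not in ("SRV", "CNAME"):
            continue
        records.append((fields[0].rstrip(".").lower(), fields[3], fields[-1].rstrip(".").lower()))
    return records


def stale_locator_records(zone_records, live_dcs):
    """Records whose target host is not a current DC: left behind by a dead DC."""
    return [r for r in zone_records if r[2] not in live_dcs]


def required_srv_owners(domain, site, is_pdc=True, is_gc=True):
    """SRV owner names the locator expects for one DC (names seen in the thread's dcdiag run).
    The pdc and gc names apply only to the PDC emulator / a global catalog respectively."""
    d, s = domain.lower(), site.lower()
    owners = {
        "_ldap._tcp.%s" % d, "_ldap._tcp.%s._sites.%s" % (s, d),
        "_ldap._tcp.dc._msdcs.%s" % d, "_ldap._tcp.%s._sites.dc._msdcs.%s" % (s, d),
        "_kerberos._tcp.%s" % d, "_kerberos._tcp.%s._sites.%s" % (s, d),
        "_kerberos._tcp.dc._msdcs.%s" % d, "_kerberos._tcp.%s._sites.dc._msdcs.%s" % (s, d),
        "_kerberos._udp.%s" % d, "_kpasswd._tcp.%s" % d, "_kpasswd._udp.%s" % d,
    }
    if is_pdc:
        owners.add("_ldap._tcp.pdc._msdcs.%s" % d)
    if is_gc:
        owners |= {"_ldap._tcp.gc._msdcs.%s" % d, "_ldap._tcp.%s._sites.gc._msdcs.%s" % (s, d),
                   "_gc._tcp.%s" % d, "_gc._tcp.%s._sites.%s" % (s, d)}
    return owners


def missing_srv_records(zone_records, dc_fqdn, domain, site, is_pdc=True, is_gc=True):
    """Required SRV owner names that have no record pointing at dc_fqdn."""
    present = {owner for owner, rtype, target in zone_records
               if rtype == "SRV" and target == dc_fqdn.lower()}
    return sorted(required_srv_owners(domain, site, is_pdc, is_gc) - present)


if __name__ == "__main__":
    live = parse_dclist(SAMPLE_DCLIST)
    zone = parse_zone(SAMPLE_ZONE)
    for owner, rtype, target in stale_locator_records(zone, live):
        print("stale %-5s %s -> %s" % (rtype, owner, target))
    for owner in missing_srv_records(zone, "dc2.mydomain.com", "mydomain.com", "Default-First-Site-Name"):
        print("missing SRV for dc2: %s" % owner)
```

Records reported as stale are the ones a client can still pick from a locator lookup and then fail against; records reported as missing are the ones `nltest /dsregdns` (or a Net Logon restart) should add once the DC's own DNS server accepts its updates. Re-run the check after those steps and the lists should both be empty before the new DC is promoted.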
 

Author Comment

by:TOHIT
ID: 39771355
Ok.  I apologize, I'm not very knowledgeable about DNS.  We are trying to get some outside help in today.  The existing server was not a dns.  When I added it as a dns server, the forward lookup zone populated immediately, so I'm thinking it copied a cached copy from the old server.  

Thanks again for all the help.  I will let you know how it goes.
0
 

Author Comment

by:TOHIT
ID: 39779247
I've requested that this question be deleted for the following reason:

I did not realize how much detail I had posted about our network, including network names, addresses, domain name.  On review, I am not comfortable with the amount of information about my network that is available with this question.  I apologize for the inconvenience.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39779210
I fully agree with you wanting to remove data/references to your internal network...but is the problem now fixed? How was the fix done?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39779248
The moderator can review this question and remove any names or addresses that are applicable. Aside from that there is no reason to close the question.

Will.
0
 

Author Comment

by:TOHIT
ID: 39786541
The problem is fixed now.  We were not performing the metadata cleanup correctly.  We were using a guide from the internet.  A Microsoft engineer walked us through a much more complete process for the cleanup.  Afterwards it worked.
0
 

Author Comment

by:TOHIT
ID: 39804111
Thanks.  Sorry for the trouble.  I will make several posts to follow with the substitute text.  Once corrected, I will give the points and close the question.  Sorry again.
0
 

Author Comment

by:TOHIT
ID: 39804127
Replacement text

For ID: 39770399

Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2014-01-09 11:59:44.
            The last success occurred at 2014-01-05 22:53:08.
            87 failures have occurred since the last success.
            The guid-based DNS name 3d171b93-655b-42ea-8899-b89a1ccd9167._msdcs.MYDOMAIN.COM
            is not registered on one or more DNS servers.


The last success occurred at 2014-01-05 22:53:08.

This date shows when you last had a successful replication.
So I'm guessing your DC DC1 failed after that?

To confirm what Domain controllers are currently registered in AD run:
nltest /dclist:mydomain.com

http://support.microsoft.com/kb/158148

You only want to see your "working" DC. If there are any other server then you need to run the metadata cleanup.

For all other servers listed you need to run the METADATA Cleanup and delete those servers, especially DC1.
Reason: If you only have one DC then your servers should not be trying to replicate with any other DC.

You then also need to clean up the DNS
Use these instructions to remove AD and DNS references for all "dead" DC's.
http://support.microsoft.com/kb/216498

See the errors below? They refer to DNS lookups that are failing.
The DSA operation is unable to proceed because of a DNS lookup failure.

This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  

Event String: The dynamic registration of the DNS record

'MYDOMAIN.COM. 600 IN A 172.18.1.6' failed on the

following DNS server:  

DNS server IP address: 172.16.4.8

        An Error Event occured.  EventID: 0x0000168E
            Time Generated: 01/09/2014   12:05:27
            Event String: The dynamic registration of the DNS record

'_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM. 600 IN SRV 0 100 389 dc2.MYDOMAIN.COM.'

 failed on the following DNS server:  

DNS server IP address: 172.16.4.8


What is the server 172.16.4.8?
While you're working through these issues I'd suggest that you set every server to point to your existing DNS server(DC2).

If 172.16.4.8 is DC2 then run:
DCDIAG /test:DNS to confirm the health of your DNS server.
The new DCDIAG /TEST:DNS command can validate DNS health of Windows 2000 Server (SP3 or later) or Windows Server 2003 family domain controllers when run from the console of Windows XP or Windows Server 2003 member computers or Windows Server 2003 domain controllers.

http://technet.microsoft.com/en-us/library/cc776854(v=ws.10).aspx

How to troubleshoot DNS registration using NSLOOKUP
http://support.microsoft.com/kb/816587
You should be able to search all DNS records listed as failed once you've used the command
"set type=all" in nslookup.

Next, make sure that DC2 is correctly registered in DNS.
Run nltest /dsregdns
http://technet.microsoft.com/en-us/library/cc786478(v=ws.10).aspx

Once you've completed this task then re-run DCDIAG /v
If there are no failures then your AD is "clean"

NEXT step, setup a new server, add it to the domain, point it to DC2 for DNS and then promote it to a DC.
You should be fine from here on...

dcdiag is merely a way to check the health of AD services DNS, Replication, etc...
This is a very bad statement to make. DCDIAG is your primary diagnostic tool for AD issues. If you do really support AD then it should always be the first thing you run to find out what is wrong with AD.
0
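The replication-failure block that dcdiag printed above carries everything needed for the first triage decisions in this thread: which partner is failing, that the error is 8524 (a DNS lookup failure), how long it has been since the last successful replication, and the guid-based `_msdcs` name that has to resolve. The following Python script is an added example written for this page, not code from the thread or from any Microsoft tool; it parses that block offline and returns the same conclusions the replies reach by hand. The sample text is constructed from the excerpt quoted in the thread, the `live_dcs` set and the 60-day default tombstone lifetime are assumptions you would replace with your own DC list and forest setting.

```python
"""Triage the '[Replications Check,...]' failure blocks in dcdiag output.

Added example for this thread (not Microsoft tooling): pull the partner,
error code, staleness and the _msdcs GUID name out of the block, then decide
whether the partner needs metadata cleanup or a DNS re-registration check.
"""
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample, modelled on the dcdiag excerpt quoted in the thread.
SAMPLE_DCDIAG = """\
[Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2014-01-09 11:59:44.
            The last success occurred at 2014-01-05 22:53:08.
            87 failures have occurred since the last success.
            The guid-based DNS name 3d171b93-655b-42ea-8899-b89a1ccd9167._msdcs.MYDOMAIN.COM
            is not registered on one or more DNS servers.
"""

# "Now" for the sample: the time of the event that follows it in the thread.
SAMPLE_NOW = datetime(2014, 1, 9, 12, 5, 27)

# Layout of one failure block as dcdiag prints it (see the sample above).
_BLOCK_RE = re.compile(
    r"\[Replications Check,(?P<dest>[^\]]+)\] A recent replication attempt failed:\s*"
    r"From (?P<source>\S+) to (?P=dest)\s*"
    r"Naming Context: (?P<nc>.+?)\s*"
    r"The replication generated an error \((?P<code>\d+)\):\s*"
    r"(?P<message>.+?)\s*"
    r"The failure occurred at (?P<failed>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\s*"
    r"The last success occurred at (?P<success>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\s*"
    r"(?P<count>\d+) failures? have occurred since the last success\."
    r"(?:\s*The guid-based DNS name (?P<guid_name>\S+))?"
)

_TS = "%Y-%m-%d %H:%M:%S"
ERR_DNS_LOOKUP_FAILURE = 8524  # the DRS error code shown in the thread


def parse_replication_failures(text: str) -> List[Dict]:
    """Return one dict per failure block found in dcdiag output."""
    failures = []
    for m in _BLOCK_RE.finditer(text):
        failures.append({
            "destination": m.group("dest"),
            "source": m.group("source"),
            "naming_context": m.group("nc"),
            "error_code": int(m.group("code")),
            "message": m.group("message"),
            "failed_at": datetime.strptime(m.group("failed"), _TS),
            "last_success": datetime.strptime(m.group("success"), _TS),
            "failure_count": int(m.group("count")),
            "guid_dns_name": m.group("guid_name"),  # None when dcdiag prints no GUID name
        })
    return failures


def days_since_last_success(failure: Dict, now: datetime) -> float:
    """Age of the last successful replication, in days."""
    return (now - failure["last_success"]).total_seconds() / 86400


def triage(text: str, now: datetime, live_dcs, tombstone_lifetime_days: int = 60) -> List[Dict]:
    """Decide, per failure, whether the partner is dead (metadata cleanup) or
    merely unreachable in DNS. 60 days is an assumed tombstone lifetime; use
    your forest's actual value."""
    alive = {dc.upper() for dc in live_dcs}
    findings = []
    for f in parse_replication_failures(text):
        stale_days = days_since_last_success(f, now)
        if f["source"].upper() not in alive:
            # A DC that no longer exists must be removed from AD and DNS, not "fixed".
            action = ("partner not in live DC list: remove it with metadata cleanup "
                      "(KB216498) and purge its DNS records")
        elif f["error_code"] == ERR_DNS_LOOKUP_FAILURE:
            action = (f"confirm {f['guid_dns_name']} resolves on every DNS server the DC "
                      "uses; re-register the partner's records with nltest /dsregdns")
        else:
            action = f"investigate replication error {f['error_code']}: {f['message']}"
        findings.append({
            "source": f["source"],
            "destination": f["destination"],
            "naming_context": f["naming_context"],
            "stale_days": round(stale_days, 2),
            "past_tombstone": stale_days > tombstone_lifetime_days,
            "action": action,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DCDIAG, SAMPLE_NOW, live_dcs={"DC2"}):
        print(finding)
```

Run it against real output with `dcdiag /v > dcdiag.txt` on the surviving DC and pass the file contents in place of the sample; the `past_tombstone` flag is the one to watch, because a partner whose last success is older than the tombstone lifetime should never be allowed to replicate again and belongs in metadata cleanup regardless of whether its DNS records can be repaired.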
