TOHIT
Can't bring up another domain controller in Windows 2003
I recently had a problem which you all helped me through. I now have an additional problem that hopefully you can help me with. We have an old 2003 domain that will be upgraded in a project this spring, but I have to make it last until then.
Some background - our network was set up with one 2003 dc which was the dns server, fsmo roles, and the gc. There was one additional dc which wasn't a gc.
The main dc failed, and we had to seize the roles with the remaining dc, and make it a gc and a dns server. It is performing properly as far as I can tell.
However, I want to add another domain controller so that if the current one crashes, it's not catastrophic. However, whenever I add the domain controller role to another server, and do the mandatory reboot, I get this message:
Security account manager initialization failed because of the following error: Directory Service cannot start. Error status: 0xc00002e1
I have tried making an existing server a dc, and after I got the above error, I built a new 2003 server from scratch, and I get the same message. Does this mean my AD is corrupt, and I can't add a dc? Or is there a step I'm missing? Do I need to do something before adding the role?
Besides the previously mentioned KB, I'd also look into this hotfix: http://support.microsoft.com/kb/830574
Since you mentioned a broken AD ...
No single answer for your question
This behavior can occur if you mark objects in Active Directory as authoritative using the Ntdsutil tool, and then restore Active Directory from a backup. This is the incorrect order in which to perform these steps.
There may be AD database corruption, but what I suspect is incorrectly configured file system permissions on the server root drive, maybe through some kind of file system GPO or hardening etc., and undoing those changes might help you.
I had this issue previously with 2K3 and the problem was related to the security settings on the system drive. Boot into DSRM and check that SYSTEM has permission on system drive + windows directory + \windows\ntds. You can as well run the System Configuration and Analysis snap-in to check your system against the setup template.
After I changed the security settings, the system booted up normally.
You can also check the articles below and the resolutions mentioned in them to identify the exact issue and maybe its resolution:
http://support.microsoft.com/kb/240655
http://support.microsoft.com/kb/258062
According to my experience this is a serious problem and you should log a call with Microsoft in order to find the root cause and resolve it, as I believe that they must have some hidden (Premium) tools that can fix database corruption \ file system corruption, if any.
Mahesh
Reposting what has already been posted.
Will.
ASKER
Mahesh,
I didn't restore the AD. I simply used the second dc and seized the roles, and made it a gc. When you say the permissions are not correct, do you mean on the dc that I seized the roles with, or the new one that I am trying to make a dc?
@Will
It's my fault that I did not refresh the page, causing duplication of some part of the comment.
Next time I will refresh the page before publishing the comments post writing.
@Tohit:
It's the new one that you are trying to make a DC.
Basically what I mean to say is, if you have done any hardening on the system drive or any GPO which can revoke SYSTEM account permissions from the system drive\NTDS folder.
You can just try importing the default security templates on the server as per the articles below:
http://support.microsoft.com/kb/816585
http://support.microsoft.com/kb/313222
Have you tried the hotfix suggested by spravtek?
If the problem still exists I suggest you log a call with MS for the reasons given in my earlier comment.
Mahesh
ASKER
I tried running DCDIAG but it is an unrecognized command. Is it part of the support tools? Do you know if I install it, does it require a reboot, which I'm trying to avoid?
Should I run the metadata clean up before or after the dcdiag?
Thanks
Yes, you need to install the 2003 support tools.
Installing the 2003 support tools doesn't require a reboot.
http://www.microsoft.com/en-us/download/details.aspx?id=15326
Since your main DC has failed permanently, just run metadata clean-up without fail.
It's not dependent on DCdiag; you can run it any time. If you run prior to metadata clean-up, it may show you a non-existent DC.
Check the link below for metadata clean-up:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm#
How many DCs do you have in total?
Mahesh
ASKER
Only one right now, which is why I am panicking
ASKER
Here is the result of my dcdiag. The one thing I noticed that was odd is that it says it found 5 dcs. I only originally had 2, one of which is the one that died. I've tried to bring a couple others on, but unsuccessfully. Does this look correct?
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine myserver2, is a DC.
* Connecting to directory service on server myserver2.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 5 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\MYSERVER2
Starting test: Connectivity
* Active Directory LDAP Services Check
The host 5e7b4633-dd92-415d-a4db-00a0000000ee._msdcs.TOHLAN.COM could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(5e7b4633-dd92-415d-a4db-00a0000000ee._msdcs.MYDOMAIN.COM) couldn't be
resolved, the server name (myserver2.MYDOMAIN.COM) resolved to the IP
address (172.18.XXX.XXX) and was pingable. Check that the IP address
is registered correctly with the DNS server.
......................... MYSERVER2 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\MYSERVER2
Skipping all tests, because server MYSERVER2 is
not responding to directory service requests
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : MYDOMAIN
Starting test: CrossRefValidation
......................... MYDOMAIN passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... MYDOMAIN passed test CheckSDRefDom
Running enterprise tests on : MYDOMAIN.COM
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... MYDOMAIN.COM passed test Intersite
Starting test: FsmoCheck
GC Name: \\myserver2.MYDOMAIN.COM
Locator Flags: 0xe00003fd
PDC Name: \\myserver2.MYDOMAIN.COM
Locator Flags: 0xe00003fd
Time Server Name: \\myserver2.MYDOMAIN.COM
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\myserver2.MYDOMAIN.COM
Locator Flags: 0xe00003fd
KDC Name: \\myserver2.MYDOMAIN.COM
Locator Flags: 0xe00003fd
......................... MYDOMAIN.COM passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
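An added example, not part of the thread: one way to triage dcdiag text output like the above by pulling out the DC count, the failed tests, the GUID-based `_msdcs` names that do not resolve, and any DC names the directory still references that are not in your list of live DCs. It goes beyond this first output and also parses the replication-failure and DNS dynamic-registration event blocks dcdiag prints when those tests run. The function name `triage_dcdiag`, the `live_dcs` parameter and the sample text are assumptions constructed for illustration.

```python
import re

GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
# DNS response codes (RFC 1035 / RFC 2136) most relevant to dynamic updates.
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}


def triage_dcdiag(text, live_dcs):
    """Summarise dcdiag text output (hypothetical helper, not a Microsoft tool).

    live_dcs: host names of the DCs the operator knows are really running;
    dcdiag itself does not report this.
    """
    live = {name.upper() for name in live_dcs}
    found = re.search(r"Found (\d+) DC\(s\)", text)

    # Result lines look like "......................... DC2 failed test Connectivity".
    failed = re.findall(r"^\s*\.{5,}\s+(\S+) failed test (\S+)", text, re.M)

    # GUID-based CNAMEs under _msdcs that dcdiag reported as unresolvable.
    guid_names = re.findall(
        r"(?:The host|guid-based DNS name)\s+(" + GUID + r"\._msdcs\.[A-Za-z0-9.-]+)",
        text, re.I)

    # Replication failures: source DC, destination DC, naming context, error code.
    repl = [
        (src, dst, nc, int(code))
        for src, dst, nc, code in re.findall(
            r"From (\S+) to (\S+)\s*\n\s*Naming Context:\s*(.+?)\s*\n"
            r"\s*The replication generated an error \((\d+)\)", text)
    ]

    # Event 0x168E blocks: which record was refused by which DNS server.
    dns = [
        (record, server, RCODES.get(int(rcode), rcode))
        for record, server, rcode in re.findall(
            r"dynamic registration of the DNS record\s+'([^']+)'\s+failed\s+on\s+the\s+"
            r"following\s+DNS\s+server:\s+DNS server IP address:\s+(\S+)\s+"
            r"Returned Response Code \(RCODE\):\s+(\d+)", text)
    ]

    # Every DC name the output refers to, via NTDS Settings DNs or replication sources.
    referenced = {n.upper() for n in
                  re.findall(r"CN=NTDS Settings,CN=([^,]+),CN=Servers", text)}
    referenced |= {src.upper() for src, _, _, _ in repl}

    return {
        "dc_count": int(found.group(1)) if found else None,
        "failed_tests": failed,
        "unregistered_guid_names": sorted({g.rstrip(".") for g in guid_names}),
        "replication_failures": repl,
        "dns_update_failures": dns,
        "refusing_dns_servers": sorted({s for _, s, rc in dns if rc == "REFUSED"}),
        # Referenced but not live: candidates to review for metadata clean-up.
        "stale_dc_candidates": sorted(referenced - live),
    }


# Constructed sample in dcdiag's layout; names, GUIDs and addresses are made up.
SAMPLE = """\
   * Found 4 DC(s). Testing 1 of them.
      Starting test: Connectivity
         The host 11111111-2222-3333-4444-555555555555._msdcs.EXAMPLE.TEST could not be resolved to an
         IP address. Check the DNS server, DHCP, server name, etc
         ......................... DC2 failed test Connectivity
      Starting test: Replications
         [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: CN=Configuration,DC=EXAMPLE,DC=TEST
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The guid-based DNS name aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee._msdcs.EXAMPLE.TEST
            is not registered on one or more DNS servers.
         ......................... DC2 passed test Replications
      Starting test: kccevent
            Source domain controller:
            CN=NTDS Settings,CN=OLDDC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EXAMPLE,DC=TEST
         ......................... DC2 failed test kccevent
      Starting test: systemlog
            Event String: The dynamic registration of the DNS record
            '_ldap._tcp.EXAMPLE.TEST. 600 IN SRV 0 100 389 dc2.EXAMPLE.TEST.'
            failed on the following DNS server:
            DNS server IP address: 192.0.2.53
            Returned Response Code (RCODE): 5
            Returned Status Code: 9017
"""

if __name__ == "__main__":
    for key, value in triage_dcdiag(SAMPLE, live_dcs=["dc2"]).items():
        print(f"{key}: {value}")
```

A `dc_count` larger than the number of live DCs, together with entries in `stale_dc_candidates`, indicates that the directory still holds objects for DCs that no longer exist; entries in `refusing_dns_servers` are the servers that refused the DC's dynamic updates.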
ASKER
I noticed that the remaining dc was pointed to a different dns, instead of itself (it's a dns server). I changed that, reran the dcdiag, and received a different response, with several failures. The new results are:
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine myserver2, is a DC.
* Connecting to directory service on server myserver2.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 5 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\MYSERVER2
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... MYSERVER2 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\MYSERVER2
Starting test: Replications
* Replications Check
[Replications Check,MYSERVER2] A recent replication attempt failed:
From MYSERVER1 to MYSERVER2
Naming Context: CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2014-01-09 11:59:44.
The last success occurred at 2014-01-05 22:53:08.
87 failures have occurred since the last success.
The guid-based DNS name 3d171b93-655b-42ea-8899-b89a1ccd9167._msdcs.MYDOMAIN.COM
is not registered on one or more DNS servers.
[MYSERVER1] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 296 (DcDiag)
System Time is: 1/9/2014 17:53:52:656
Generating component is 8 (winsock)
Status is 1722: The RPC server is unavailable.
Detection location is 323
Error Record 2, ProcessID is 296 (DcDiag)
System Time is: 1/9/2014 17:53:52:656
Generating component is 8 (winsock)
Status is 1237: The operation could not be completed. A retry should be performed.
Detection location is 313
Error Record 3, ProcessID is 296 (DcDiag)
System Time is: 1/9/2014 17:53:52:656
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Detection location is 311
NumberOfParameters is 3
Long val: 135
Pointer val: 0
Pointer val: 0
Error Record 4, ProcessID is 296 (DcDiag)
System Time is: 1/9/2014 17:53:52:656
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Detection location is 318
[Replications Check,MYSERVER2] A recent replication attempt failed:
From MYSERVER1 to MYSERVER2
Naming Context: CN=Configuration,DC=MYDOMAIN,DC=COM
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2014-01-09 11:59:42.
The last success occurred at 2014-01-05 23:29:26.
87 failures have occurred since the last success.
The guid-based DNS name 3d171b93-655b-42ea-8899-b89a1ccd9167._msdcs.MYDOMAIN.COM
is not registered on one or more DNS servers.
[Replications Check,MYSERVER2] A recent replication attempt failed:
From MYSERVER1 to MYSERVER2
Naming Context: DC=MYDOMAIN,DC=COM
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2014-01-09 11:59:39.
The last success occurred at 2014-01-05 23:35:47.
87 failures have occurred since the last success.
The guid-based DNS name 3d171b93-655b-42ea-8899-b89a1ccd9167._msdcs.MYDOMAIN.COM
is not registered on one or more DNS servers.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
MYSERVER2: Current time is 2014-01-09 12:53:31.
CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
Last replication recieved from MYSERVER1 at 2014-01-05 22:53:08.
CN=Configuration,DC=MYDOMAIN,DC=COM
Last replication recieved from MYSERVER1 at 2014-01-05 23:29:26.
DC=MYDOMAIN,DC=COM
Last replication recieved from MYSERVER1 at 2014-01-05 23:35:47.
* Replication Site Latency Check
......................... MYSERVER2 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC MYSERVER2.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=MYDOMAIN,DC=COM
(Configuration,Version 2)
* Security Permissions Check for
DC=MYDOMAIN,DC=COM
(Domain,Version 2)
......................... MYSERVER2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\MYSERVER2\netlogon
Verified share \\MYSERVER2\sysvol
......................... MYSERVER2 passed test NetLogons
Starting test: Advertising
The DC MYSERVER2 is advertising itself as a DC and having a DS.
The DC MYSERVER2 is advertising as an LDAP server
The DC MYSERVER2 is advertising as having a writeable directory
The DC MYSERVER2 is advertising as a Key Distribution Center
The DC MYSERVER2 is advertising as a time server
The DS MYSERVER2 is advertising as a GC.
......................... MYSERVER2 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
Role Domain Owner = CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
Role PDC Owner = CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
Role Rid Owner = CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
Role Infrastructure Update Owner = CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
......................... MYSERVER2 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4603 to 1073741823
* myserver2.MYDOMAIN.COM is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3103 to 3602
* rIDPreviousAllocationPool is 3103 to 3602
* rIDNextRID: 3250
......................... MYSERVER2 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC MYSERVER2 on DC MYSERVER2.
* SPN found :LDAP/myserver2.MYDOMAIN.COM/MYDOMAIN.COM
* SPN found :LDAP/myserver2.MYDOMAIN.COM
* SPN found :LDAP/MYSERVER2
* SPN found :LDAP/myserver2.MYDOMAIN.COM/MYDOMAIN
* SPN found :LDAP/5e7b4633-dd92-415d-a4db-89a9894022ee._msdcs.MYDOMAIN.COM
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e7b4633-dd92-415d-a4db-89a9894022ee/MYDOMAIN.COM
* SPN found :HOST/myserver2.MYDOMAIN.COM/MYDOMAIN.COM
* SPN found :HOST/myserver2.MYDOMAIN.COM
* SPN found :HOST/MYSERVER2
* SPN found :HOST/myserver2.MYDOMAIN.COM/MYDOMAIN
* SPN found :GC/myserver2.MYDOMAIN.COM/MYDOMAIN.COM
......................... MYSERVER2 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... MYSERVER2 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
MYSERVER2 is in domain DC=MYDOMAIN,DC=COM
Checking for CN=MYSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM in domain DC=MYDOMAIN,DC=COM on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM in domain CN=Configuration,DC=MYDOMAIN,DC=COM on 1 servers
Object is up-to-date on all servers.
......................... MYSERVER2 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... MYSERVER2 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034FA
Time Generated: 01/08/2014 16:48:46
(Event String could not be retrieved)
......................... MYSERVER2 failed test frsevent
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x80000785
Time Generated: 01/09/2014 12:49:37
Event String: The attempt to establish a replication link for
the following writable directory partition
failed.
Directory partition:
CN=Configuration,DC=MYDOMAIN,DC=COM
Source domain controller:
CN=NTDS Settings,CN=TOHDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
Source domain controller address:
7f6dba50-3ec1-4e55-8897-22ea3303b5fe._msdcs.MYDOMAIN.COM
Intersite transport (if any):
This domain controller will be unable to
replicate with the source domain controller until
this problem is corrected.
User Action
Verify if the source domain controller is
accessible or network connectivity is available.
Additional Data
Error value:
8524
The DSA operation is unable to proceed because of a DNS lookup failure.
An Warning Event occured. EventID: 0x80000785
Time Generated: 01/09/2014 12:49:37
Event String: The attempt to establish a replication link for
the following writable directory partition
failed.
Directory partition:
CN=Configuration,DC=MYDOMAIN,DC=COM
Source domain controller:
CN=NTDS Settings,CN=TOHDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
Source domain controller address:
8b7b928a-faf5-4714-bf15-14731c699e05._msdcs.MYDOMAIN.COM
Intersite transport (if any):
This domain controller will be unable to
replicate with the source domain controller until
this problem is corrected.
User Action
Verify if the source domain controller is
accessible or network connectivity is available.
Additional Data
Error value:
8524
The DSA operation is unable to proceed because of a DNS lookup failure.
An Warning Event occured. EventID: 0x80000785
Time Generated: 01/09/2014 12:49:37
Event String: The attempt to establish a replication link for
the following writable directory partition
failed.
Directory partition:
CN=Configuration,DC=MYDOMAIN,DC=COM
Source domain controller:
CN=NTDS Settings,CN=TOHDC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
Source domain controller address:
4c14f4f2-459f-4798-a4bc-cb156af14f55._msdcs.MYDOMAIN.COM
Intersite transport (if any):
This domain controller will be unable to
replicate with the source domain controller until
this problem is corrected.
User Action
Verify if the source domain controller is
accessible or network connectivity is available.
Additional Data
Error value:
8524
The DSA operation is unable to proceed because of a DNS lookup failure.
......................... MYSERVER2 failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'MYDOMAIN.COM. 600 IN A 172.18.1.6' failed on the
following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'_ldap._tcp.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'_ldap._tcp.0a3d3e02-f17d-4d45-b80f-1bb0cf2b403b.domains._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'5e7b4633-dd92-415d-a4db-89a9894022ee._msdcs.MYDOMAIN.COM. 600 IN CNAME myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.2
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'_ldap._tcp.dc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'MYDOMAIN.COM. 600 IN A 172.18.255.106' failed on
the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'_ldap._tcp.pdc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 389 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'_ldap._tcp.gc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 3268 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 3268 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'gc._msdcs.MYDOMAIN.COM. 600 IN A 172.18.1.6'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'gc._msdcs.MYDOMAIN.COM. 600 IN A 172.18.255.106'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'_gc._tcp.MYDOMAIN.COM. 600 IN SRV 0 100 3268 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'_gc._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM. 600 IN SRV 0 100 3268 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:34
Event String: The dynamic registration of the DNS record
'_kerberos._tcp.dc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 88 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:34
Event String: The dynamic registration of the DNS record
'_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 88 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:34
Event String: The dynamic registration of the DNS record
'_kerberos._tcp.MYDOMAIN.COM. 600 IN SRV 0 100 88 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:34
Event String: The dynamic registration of the DNS record
'_kerberos._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM. 600 IN SRV 0 100 88 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:34
Event String: The dynamic registration of the DNS record
'_kerberos._udp.MYDOMAIN.COM. 600 IN SRV 0 100 88 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:34
Event String: The dynamic registration of the DNS record
'_kpasswd._tcp.MYDOMAIN.COM. 600 IN SRV 0 100 464 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:34
Event String: The dynamic registration of the DNS record
'_kpasswd._udp.MYDOMAIN.COM. 600 IN SRV 0 100 464 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
......................... MYSERVER2 failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=MYSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM and backlink on
CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
are correct.
The system object reference (frsComputerReferenceBL)
CN=MYSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=COM
and backlink on CN=MYSERVER2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM are
correct.
The system object reference (serverReferenceBL)
CN=MYSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=COM
and backlink on
CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
are correct.
......................... MYSERVER2 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : MYDOMAIN
Starting test: CrossRefValidation
......................... MYDOMAIN passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... MYDOMAIN passed test CheckSDRefDom
Running enterprise tests on : MYDOMAIN.COM
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... MYDOMAIN.COM passed test Intersite
Starting test: FsmoCheck
GC Name: \\myserver2.MYDOMAIN.COM
Locator Flags: 0xe00003fd
PDC Name: \\myserver2.MYDOMAIN.COM
Locator Flags: 0xe00003fd
Time Server Name: \\myserver2.MYDOMAIN.COM
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\myserver2.MYDOMAIN.COM
Locator Flags: 0xe00003fd
KDC Name: \\myserver2.MYDOMAIN.COM
Locator Flags: 0xe00003fd
......................... MYDOMAIN.COM passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
@dvt_localboy
You have perfectly guessed the issue.
Thanks
@TOHIT
You are not getting \ having clarity about your AD infrastructure. I am still suggesting, as in my 1st comment, that you log a call with MS to isolate and resolve the issue, as the more you try to troubleshoot, the more puzzling the situation is getting, and this blog's support is limited to comments only.
Mahesh
ASKER
I have called Microsoft and they said they do not support 2013.
ASKER
SPEC01,
I was cleaning up the references to the old failed server as you suggested. I noticed that in the GC-LDAP there is a _ldap reference to the old server. If I delete it, there will be none. Is this correct? Or do I need to add my existing dc there? If so, how do you add the _ldap entry? I don't see it as a selection.
You can try with MS Premium ticket \ call support OR
You can just call local directory specialist if any please
Mahesh
AD is VERY dependent on DNS.
If your DNS is not working correctly then your AD won't work correctly.
Error Value: %%9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:34
Event String: The dynamic registration of the DNS record
'_kpasswd._udp.TOHLAN.COM.600 IN SRV 0 100 464 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
Once again server 172.16.4.8 appears to not be accepting DNS registrations.
In this case it is from MYSERVER2.
Have a look at the dynamic registrations listed in your DCDIAG results and verify what servers are doing what.
Is this MYSERVER2's IP address: 172.18.255.106
If Yes, then that should be your Primary DNS Server for all your Servers.
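The grouping that comment asks for (which DNS server rejected which registrations, and from which host) can be pulled out of the DCDIAG text mechanically. The following Python sketch is an added example, not part of the original thread; the sample events are abridged from the DCDIAG output above, and the function names and the `expected_dns` parameter are assumptions made for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# DNS response codes from RFC 1035 and RFC 2136 (dynamic update).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
               8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}

# Sample input: four events abridged from the DCDIAG output in this thread.
SAMPLE = """\
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'MYDOMAIN.COM. 600 IN A 172.18.255.106' failed on
the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
USER ACTION
domain controller, run 'nltest.exe /dsregdns'
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'gc._msdcs.MYDOMAIN.COM. 600 IN A 172.18.1.6'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'gc._msdcs.MYDOMAIN.COM. 600 IN A 172.18.255.106'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:34
Event String: The dynamic registration of the DNS record
'_kerberos._tcp.dc._msdcs.MYDOMAIN.COM. 600 IN SRV 0 100 88 myserver2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
Returned Response Code (RCODE): 5
Returned Status Code: 9017
"""

@dataclass(frozen=True)
class FailedRegistration:
    time: str
    owner: str
    rtype: str
    rdata: str        # A: the address; SRV: "priority weight port target"
    dns_server: str
    rcode: int
    status: int

# DCDIAG spells it "occured"; accept the correct spelling too.
EVENT_SPLIT = re.compile(r"An Error Event occurr?ed\.")
FIELDS = {
    "time": r"Time Generated:\s*(\S+\s+\S+)",
    "record": r"dynamic registration of the DNS record\s+'([^']+)'\s+failed",
    "dns_server": r"DNS server IP address:\s*(\S+)",
    "rcode": r"\(RCODE\):\s*(\d+)",
    "status": r"Returned Status Code:\s*(\d+)",
}

def parse_dcdiag(text):
    """Return one FailedRegistration per dynamic-registration error event."""
    events = []
    for chunk in EVENT_SPLIT.split(text)[1:]:
        flat = " ".join(chunk.split())      # undo DCDIAG's line wrapping
        found = {k: re.search(p, flat) for k, p in FIELDS.items()}
        if not all(found.values()):
            continue                        # some other kind of event
        parts = found["record"].group(1).split()
        if len(parts) < 5 or not parts[1].isdigit():
            continue                        # record text is damaged, skip it
        events.append(FailedRegistration(
            time=found["time"].group(1), owner=parts[0], rtype=parts[3],
            rdata=" ".join(parts[4:]),
            dns_server=found["dns_server"].group(1),
            rcode=int(found["rcode"].group(1)),
            status=int(found["status"].group(1))))
    return events

def summarize(events, expected_dns=()):
    """Group failures by the DNS server that rejected them.

    expected_dns (assumption): the servers the DC is supposed to register with.
    """
    by_server = defaultdict(list)
    for ev in events:
        by_server[ev.dns_server].append(ev)
    report = {}
    for server, evs in by_server.items():
        addrs = defaultdict(set)
        for ev in evs:
            if ev.rtype == "A":
                addrs[ev.owner].add(ev.rdata)
        report[server] = {
            "failures": len(evs),
            "rcodes": sorted({RCODE_NAMES.get(e.rcode, str(e.rcode)) for e in evs}),
            # The SRV target is the host trying to register itself.
            "registrants": sorted({e.rdata.split()[-1] for e in evs if e.rtype == "SRV"}),
            # Owners registered with more than one address (multihomed host).
            "multi_address_owners": {o: sorted(a) for o, a in addrs.items() if len(a) > 1},
            "expected": server in expected_dns,
        }
    return report

if __name__ == "__main__":
    for server, info in summarize(parse_dcdiag(SAMPLE), {"172.18.255.106"}).items():
        print(server, info)
```

A server that shows `"expected": False` together with `REFUSED` is one the domain controller should not be pointing at for its own zone, which is the situation this thread turns out to describe.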
ASKER
Thanks for the comments everyone. Yes MyServer1 was the dc that died. 172.16.4.8 is a dns in a different domain that we pointed to while we were adding the dns role to the current dc.
I will go through all the steps and let you know what I find. My biggest fear is the current dc rebooting before I get a second one up, and it failing because of these problems.
ASKER
Ok. I apologize, I'm not very knowledgeable about DNS. We are trying to get some outside help in today. The existing server was not a dns. When I added it as a dns server, the forward lookup zone populated immediately, so I'm thinking it copied a cached copy from the old server.
Thanks again for all the help. I will let you know how it goes.
ASKER
I've requested that this question be deleted for the following reason:
I did not realize how much detail I had posted about our network, including network names, addresses, domain name. On review, I am not comfortable with the amount of information about my network that is available with this question. I apologize for the inconvenience.
I fully agree with you wanting to remove data/references to your internal network...but is the problem now fixed? How was the fix done?
The moderator can review this question and remove any names or addresses that are applicable. Aside from that there is no reason to close the question.
Will.
ASKER
The problem is fixed now. We were not performing the metadata cleanup correctly. We were using a guide from the internet. A Microsoft engineer walked us through a much more complete process for the cleanup. Afterwards it worked.
ASKER
Thanks. Sorry for the trouble. I will make several posts to follow with the substitute text. Once corrected, I will give the points and close the question. Sorry again.
ASKER
Replacement text
For ID: 39770399
[Replications Check,DC2] A recent replication attempt failed:
From DC1 to DC2
Naming Context: CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2014-01-09 11:59:44.
The last success occurred at 2014-01-05 22:53:08.
87 failures have occurred since the last success.
The guid-based DNS name 3d171b93-655b-42ea-8899-b89a1ccd9167._msdcs.MYDOMAIN.COM
is not registered on one or more DNS servers.
The last success occurred at 2014-01-05 22:53:08.
This date shows when you last had a successful replication.
So I'm guessing your DC DC1 failed after that?
To confirm what Domain controllers are currently registered in AD run:
nltest /dclist:mydomain.com
http://support.microsoft.com/kb/158148
You only want to see your "working" DC. If there are any other servers then you need to run the metadata cleanup.
For all other servers listed you need to run the METADATA Cleanup and delete those servers, especially DC1.
Reason: If you only have one DC then your servers should not be trying to replicate with any other DC.
You then also need to clean up the DNS
Use these instructions to remove AD and DNS references for all "dead" DC's.
http://support.microsoft.com/kb/216498
See the errors below? They refer to DNS lookups that are failing.
The DSA operation is unable to proceed because of a DNS lookup failure.
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.
Event String: The dynamic registration of the DNS record
'MYDOMAIN.COM. 600 IN A 172.18.1.6' failed on the
following DNS server:
DNS server IP address: 172.16.4.8
An Error Event occured. EventID: 0x0000168E
Time Generated: 01/09/2014 12:05:27
Event String: The dynamic registration of the DNS record
'_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM. 600 IN SRV 0 100 389 dc2.MYDOMAIN.COM.'
failed on the following DNS server:
DNS server IP address: 172.16.4.8
What is the server 172.16.4.8?
While you're working through these issues I'd suggest that you set every server to point to your existing DNS server(DC2).
If 172.16.4.8 is DC2 then run:
DCDIAG /test:DNS to confirm the health of your DNS server.
The new DCDIAG /TEST:DNS command can validate DNS health of Windows 2000 Server (SP3 or later) or Windows Server 2003 family domain controllers when run from the console of Windows XP or Windows Server 2003 member computers or Windows Server 2003 domain controllers.
http://technet.microsoft.com/en-us/library/cc776854(v=ws.10).aspx
How to troubleshoot DNS registration using NSLOOKUP
http://support.microsoft.com/kb/816587
You should be able to search all DNS records listed as failed once you've used the command
"set type=all" in nslookup.
Next, make sure that DC2 is correctly registered in DNS.
Run nltest /dsregdns
http://technet.microsoft.com/en-us/library/cc786478(v=ws.10).aspx
Once you've completed this task then re-run DCDIAG /v
If there are no failures then your AD is "clean"
NEXT step, setup a new server, add it to the domain, point it to DC2 for DNS and then promote it to a DC.
You should be fine from here on...
dcdiag is merely a way to check the health of AD services DNS, Replication, etc...
This is a very bad statement to make. DCDIAG is your primary diagnostic tool for AD issues. If you do really support AD then it should always be the first thing you run to find out what is wrong with AD.
Take a look at the below KB article which outlines steps to correct this...
http://support.microsoft.com/kb/258062
You may also want to check the event viewer for additional logs which might provide more detail as to what exactly is causing this issue.
Will.