Solved

A domain controller could not be contacted for the domain that contains an account for this computer

Posted on 2014-04-03
776 Views
Last Modified: 2014-05-12
We integrated a new Windows 2008 server about a year ago and kept the old 2003 server online for backup DNS and authentication. However, if the old server goes offline, all the workstations can no longer log into the domain. Any attempt gets this error.

"A domain controller could not be contacted for the domain that contains an account for this computer"

Then if I turn the old controller back on, they can all log in. I checked all the FSMO roles and they are all on the new 2008 server. DNS seems to be working fine. nslookup results all point to the new server.

Thanks.
0
Question by:raffie613
71 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
Are the users migrated to the new domain controller?
If so, I suspect you have 2 domain controllers; I would demote the old server to a non-domain controller using DCPROMO.
0
 
LVL 35

Expert Comment

by:Mahesh
Just check the DNS server properties \ Forwarders tab on the 2008 ADC, and if you find it pointing to the 2003 server, just remove that.

Also ensure that both the 2003 and 2008 servers are configured on client computers, with the 2008 ADC as primary DNS and 2003 as secondary.

Also check on the 2008 ADC whether it is pointing to the 2003 DC in its network card DNS settings; if yes, point the 2008 ADC to its own IP in DNS (its own IP and not 127.0.0.1), restart the Netlogon and DNS services and then check if it works.

Also check if the 2008 ADC's NS record is correctly present in the domain.com DNS zone and the _msdcs.domain.com DNS zone.

Also check that CNAMEs for both DCs are present in the _msdcs.domain.com zone, and if you ping them, both should resolve to their own IP address.

Can you please post dcdiag /q and repadmin /showrepl for both domain controllers here ?

Mahesh.
0
 
LVL 35

Expert Comment

by:Mahesh
Also check if the netlogon and Sysvol shares are present on the 2008 ADC. I think they are not there, and there is your problem.

Can you please confirm ?

Mahesh.
0
 
LVL 9

Expert Comment

by:discgman
Where is DHCP being run? Was that changed when you switched DNS servers? Do the computers have DNS servers manually configured on the NIC?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Hi,

Run DCDIAG /V and see if you have errors. Let's fix them one by one.
0
 

Author Comment

by:raffie613
OK, ran DCDIAG /V:
Failed test netlogon
Failed test NCSecDesc

Also I cannot see any scripts folder listed under C:\windows\Sysvol\sysvol\domain.local
0
 

Author Comment

by:raffie613
Can I just copy it from the older 2003 DC and paste it into the directory in the 2008 DC?
0
 
LVL 35

Expert Comment

by:Mahesh
No, you should not copy it from the 2003 server.

All you can do is try a non-authoritative restore of Sysvol on the 2008 ADC as per the article below:
http://support.microsoft.com/kb/290762
 
If you are still facing problems with the Netlogon share, then demote and promote the 2008 ADC again; it will resolve your problem.

Maybe you have already transferred the FSMO roles to the 2008 ADC; you need to transfer them back to the 2003 DC prior to demotion of the 2008 ADC.

Mahesh.
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
Seems there is an issue with the replication between your 2003 and 2008 DCs.
Have you also checked for any error logs in the event viewer of the 2008 DC, specifically for FRS, AD and DNS? Also you might want to check whether the 2008 DC is a Global Catalog or not.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Hi,

Try to access the shares by using \\domain.com and see if you are able to see the sysvol share on Windows 2008. If not, then follow the URL below and enable the share.

Set the SysvolReady Flag registry value to "0" and then back to "1" in the registry.

 1. Click Start, click Run, type regedit, and then click OK.
 2. Locate the following subkey in Registry Editor:

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]

 3. In the details pane, right-click SysvolReady Flag, and then click Modify.
 4. In the Value data box, type 0 and then click OK.
 5. Again in the details pane, right-click SysvolReady Flag, and then click Modify.
 6. In the Value data box, type 1, and then click OK.

 Then run NET SHARE and see if the SYSVOL and NETLOGON shares are present.
0
 

Author Comment

by:raffie613
OK, I did the regedit and set the SysvolReady flag to 1.
Ran net share and I can see the sysvol, but do not see anything that reads netlogon.
0
 
LVL 35

Expert Comment

by:Mahesh
By toggling the above registry value, only the Sysvol share can be populated.

But when the netlogon share is not populated, you must follow the instructions in my earlier comment.

Mahesh.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Perform the *authoritative restore* as suggested by Mahesh.
0
 
LVL 35

Expert Comment

by:Mahesh
Hi Santosh,

*Authoritative restore* will not help, as Sysvol and netlogon are healthy on the 2003 server.

According to my earlier comment, a non-authoritative restore needs to be tried out here on the 2008 ADC.

If it fails, then demotion and promotion of the 2008 ADC is required.
0
 

Author Comment

by:raffie613
Ran the dcdiag /v test again, still getting failed netlogon and NCSecDesc.
0
 

Author Comment

by:raffie613
Mahesh:
I tried the non-authoritative restore using the regedit and D2.
Didn't seem to help.
So I need to run dcpromo to demote it, then run it again? Why do you think it will not mess up again this time?
0
 
LVL 35

Expert Comment

by:Mahesh
You don't have any standard option left other than that.
Demoting and promoting it again as an ADC will hopefully replicate everything from scratch on the new 2008 ADC.

Demote
Reboot
Promote
Check if it works

Something I forgot to tell you: if you have Exchange installed on this ADC, you can't just demote the server.
Please confirm.

Mahesh.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
@Mahesh,

My mistake, I was referring to your:

All you can do, just try non authoritative restore of sysvol as per below article on 2008 ADC
http://support.microsoft.com/kb/290762

@raffie613,

1. Please transfer the FSMO roles back to 2003.
2. Demote 2008.
3. Double-check ADUC, DNS and Sites & Services and make sure there is no entry for 2008.
4. Promote 2008.
5. Verify sysvol and net share, and make sure there are no errors related to AD and replication.
6. Wait for 1 or 2 days.
7. Transfer the FSMO roles to 2008.
0
 

Author Comment

by:raffie613
Do I need to run ADPrep again?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
No,

as the Windows 2003 schema is already updated.
0
 
LVL 35

Expert Comment

by:Mahesh
No, it's not required.

Just add the Windows 2003 server IP as the preferred DNS server IP on the 2008 ADC.
Reboot the 2008 ADC once.
After the reboot, run dcpromo.
After successful demotion, reboot and it will be converted to a member server.
Check that the netlogon and Sysvol shares are removed.
Then again run dcpromo and promote it to ADC.
Reboot the server.
After the reboot, check the event viewer for File Replication Service event ID 13516.
Also check that Sysvol and netlogon are shared properly.

Mahesh.
0
 

Author Comment

by:raffie613
I was trying this remotely and lost the connection. Any reason the server would turn off and not come back up during dcpromo?
0
 
LVL 35

Expert Comment

by:Mahesh
This is the first time I have heard of a server turning off during dcpromo.

Is this a virtual server?

Please log on to the server console and try.
0
 

Author Comment

by:raffie613
Not a virtual server. Will go on site and check it out.
0
 

Author Comment

by:raffie613
OK, it took me a while to get this stuff done, but I ran DCpromo to demote, then again to promote it back. Now I am getting an error when I try to open AD:

"Naming information cannot be located because the target principal name is incorrect."
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Hi,

After demotion, did you run the metadata cleanup? Seems not.

1. Demote it again.
2. Run the metadata cleanup (http://www.msserverpro.com/metadata-cleanup-using-ntdsutil-in-windows-server-2008-r2/).
3. Promote it.
0
 

Author Comment

by:raffie613
OK, this time when I tried to demote it I am getting an error:

"The operation failed. Managing the network session with server1.domain.local failed. Logon failure: the target account name is incorrect."

Now what?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Run DCPROMO /FORCEREMOVAL

then run the metadata cleanup.
0
 

Author Comment

by:raffie613
Would the metadata cleanup prevent the DCpromo from working? Because now I can see everything but am still getting those FRS replication errors.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
0
 

Author Comment

by:raffie613
OK, so I am not sure why I am still having the same problem then. Net share on the 2008 server still doesn't show the sysvol and netlogon, but I see them when I go to \\domain.local, though I think those are the ones on the old server.
Any other suggestions?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Yes, you are right.

To make sure the domain controller is healthy, the Sysvol share should be present.

Try to access \\windows2008
and you should be able to see the Sysvol share.

See if you have any firewall or antivirus firewall blocking it on 2008.

Try to disable both firewalls, if any, and check.
0
 

Author Comment

by:raffie613
OK, having trouble using metadata cleanup, at this step:

8. At the Select Operations Target prompt, type select domain 0, where number "0" is the failed domain controller, and press Enter.

So I am typing "select domain server2.domain.local". I also tried "select domain server2", same result.

I am getting:
Error 80070057 parsing input - illegal syntax

I am running this from the old but working 2003 DC.

Suggestions?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Seems there is some mistyping in the article; please follow the second article: http://support.microsoft.com/kb/216498
0
 

Author Comment

by:raffie613
FYI, I connected to server1 when I ran this. If I try to connect to server2, it gives me "DSbinding error 0x6d9 (there are no more endpoints available from the endpoint mapper)".

OK, so now when I type select domain, select site etc., it reads
No current server
No current naming context.

When I type list servers in site, it only shows the old 2003 server, but when I go to AD Sites and Services I still see SERVER2 listed.

So metadata cleanup is not giving me a server2 to delete.

Ideas?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
OK,

Do one thing: manually delete the server2 records from ADUC, DNS and Sites & Services.
0
 

Author Comment

by:raffie613
And then run dcpromo on the 2008 server?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Yes.
0
 

Author Comment

by:raffie613
Comment Utility
Which records do I need to delete from DNS regarding the server2? Do I need to remove DNS from the 2008 server as well?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Hi,

Your server2 is a deleted/removed server, hence you need to delete every record from ADUC and DNS.
0
 

Author Comment

by:raffie613
It is not deleted, it is just demoted to a member server, so it will still have some records in DNS and ADUC, just not listed as a DC. But it is still listed as a name server in DNS on the old server. I am asking specifically about that: do I delete that record? Do I remove DNS from the 2008, which is a member server now?

Do you still think I should remove it completely under ADUC, under computers on the network or in the domain?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Hi,

Two ways.

1. Do not delete it from ADUC; only remove it from DNS as a name server.
But in this case you may face some issues.

2. Delete it from ADUC and DNS completely, then rejoin the machine to the domain,
with a different name if possible.
0
 

Author Comment

by:raffie613
Well, which will get it to work like it should as a DC?
0
 

Author Comment

by:raffie613
Should I remove DNS from the 2008 server completely? As of now it doesn't work because AD is removed from it.
0
 

Author Comment

by:raffie613
Getting this message during DCpromo. I have seen it before but just wanted to make sure I do not need to do anything and that it won't cause the Sysvol folder to not be there again.


A delegation for this DNS Server will not be created because the authoritative parent zone cannot be found or it does not support dynamic updates. To ensure this DNS Server can be resolved as authoritative for the domain corp.domain.com, you can create a delegation to this DNS Server manually in the parent zone. Do you want to continue?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Click on Yes, and continue. It's a common message.

http://www.jppinto.com/2010/07/dcpromo-on-windows-server-2008/
0
 

Author Comment

by:raffie613
OK, finished the DCpromo again and still unable to see sysvol. I went to the folder in the C:\windows directory and manually shared the sysvol folder. Now it shows up in net share, but I am still unable to see a netlogon share. The firewall was disabled.
Now what?
Thanks.
Rafe
0
 
LVL 13

Expert Comment

by:Santosh Gupta
For Sysvol and netlogon, follow the steps below.

Set the SysvolReady Flag registry value to "0" and then back to "1" in the registry.

 1. Click Start, click Run, type regedit, and then click OK.
 2. Locate the following subkey in Registry Editor:

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]

 3. In the details pane, right-click SysvolReady Flag, and then click Modify.
 4. In the Value data box, type 0 and then click OK.
 5. Again in the details pane, right-click SysvolReady Flag, and then click Modify.
 6. In the Value data box, type 1, and then click OK.

 Then run NET SHARE and see if the SYSVOL and NETLOGON shares are present.
0
 

Author Comment

by:raffie613
The value was already set to 0, but I followed these steps anyway. Still not there.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
The final value should be 1.
0
 

Author Comment

by:raffie613
I understand that. Still no results. Is there a way to manually share the netlogon folder?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
0
 

Author Comment

by:raffie613
Long article, but I am not sure which part pertains to a workable solution for my problem. Did you have something specific from here in mind?

Thanks.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
OK, the Netlogon share should be enabled along with SysVol.

Are you getting any error regarding the netlogon share?

If yes, then please share the result of DCDIAG /V.
0
 

Author Comment

by:raffie613
DCDIAG /V results with this error, the only one I saw.


  There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         A warning event occurred.  EventID: 0x800034FD
            Time Generated: 05/03/2014   03:21:28
            Event String:
            File Replication Service is initializing the system volume with data
            from another domain controller. Computer SECURITYSERVER2 cannot become a domain
            controller until this process is complete. The system volume will then be shared as SYSVOL.

            To check for the SYSVOL share, at the command prompt, type:
            net share

            When File Replication Service completes the initialization process,
            the SYSVOL share will appear.

            The initialization of the system volume can take some time. The time
            is dependent on the amount of data in the system volume, the availability of other
            domain controllers, and the replication interval between domain controllers.

         A warning event occurred.  EventID: 0x800034C4
            Time Generated: 05/03/2014   03:23:11
            Event String:
            The File Replication Service is having trouble enabling replication
            from securityserver1.domain.local to SECURITYSERVER2 for c:\windows\sysvol\domain
            using the DNS name securityserver1.domain.local. FRS will keep retrying.
             Following are some of the reasons you would see this warning.

             [1] FRS can not correctly resolve the DNS name securityserver1.domainls.local from this computer.
             [2] FRS is not running on securityserver1.domain.local.
             [3] The topology information in the Active Directory Domain Services
             for this replica has not yet replicated to all the Domain Controllers.

             This event log message will appear once per connection, After the problem
             is fixed you will see another event log message indicating that the connection
             has been established.
         A warning event occurred.  EventID: 0x800034C4
            Time Generated: 05/03/2014   03:31:11
            Event String:
            The File Replication Service is having trouble enabling replication
            from SECURITYSERVER1 to SECURITYSERVER2 for c:\windows\sysvol\domain using the DNS
            name securityserver1.securitysignals.local. FRS will keep retrying.
             Following are some of the reasons you would see this warning.

             [1] FRS can not correctly resolve the DNS name securityserver1.securitysignals.local from this computer.
             [2] FRS is not running on securityserver1.securitysignals.local.
             [3] The topology information in the Active Directory Domain Services
             for this replica has not yet replicated to all the Domain Controllers.

             This event log message will appear once per connection, After the problem
             is fixed you will see another event log message indicating that the connection
             has been established.
         ......................... SECURITYSERVER2 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         Skip the test because the server is running FRS.
         ......................... SECURITYSERVER2 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL.  The
         error returned  was 0x0 "The operation completed successfully.".
         Check the FRS event log to see if the SYSVOL has successfully been
         shared.
         ......................... SECURITYSERVER2 passed test SysVolCheck
0
 

Author Comment

by:raffie613
I also see this error in the event log:

Log Name:      System
Source:        NETLOGON
Date:          4/28/2014 11:28:58 AM
Event ID:      5774
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      securityserver2.domain.local
Description:
The dynamic registration of the DNS record 'gc._msdcs.domain.local. 600 IN A 10.0.0.5' failed on the following DNS server:  

DNS server IP address: ::
Returned Response Code (RCODE): 0
Returned Status Code: 0  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA
Error Value: DNS name does not exist.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5774</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-04-28T16:28:58.000000000Z" />
    <EventRecordID>28975</EventRecordID>
    <Channel>System</Channel>
    <Computer>securityserver2.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>gc._msdcs.domain.local. 600 IN A 10.0.0.5</Data>
    <Data>%%9003</Data>
    <Data>::</Data>
    <Data>0</Data>
    <Data>0</Data>
    <Binary>0000</Binary>
  </EventData>
</Event>
0
 
LVL 25

Accepted Solution

by: DrDave242 (earned 500 total points)
Please check the File Replication Service event log on your 2003 DC for errors. It sounds like FRS may be in a journal-wrap state.
0
 

Author Comment

by:raffie613
Wow DrDave,
you were correct. It is in a journal wrap state. How do I correct that?

Thanks.
0
 
LVL 25

Expert Comment

by:DrDave242
There are a couple of ways. There's a registry edit that will correct it automatically, and I believe instructions for making the change are included in the description of the event that tells you it's in journal wrap. Alternatively, you can perform an authoritative (D4) restore of FRS using the steps in this article. (This link was already posted somewhere above, but in this case you'll want to follow the Authoritative FRS Restore steps on the 2003 DC to clear the journal wrap.)
0
 

Author Comment

by:raffie613
The log says to go to regedit at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters and look for "Enable Journal Wrap Automatic Restore" and update the value.
I can't find such a value there.
0
 
LVL 25

Expert Comment

by:DrDave242
If you want to use the registry method, you'll need to create that value if it doesn't exist. It's a DWORD and should have a value of 1, but you should be aware that this isn't the recommended way to resolve the issue. I wouldn't expect it to cause any problems in your environment, but performing the FRS restore is the Microsoft-recommended way of clearing a journal wrap.
0
 

Author Comment

by:raffie613
OK, I did the authoritative restore using D4. How do I know if it worked?
0
 
LVL 25

Expert Comment

by:DrDave242
Check the FRS event log again. If FRS started with no problems, the journal wrap is cleared. Run the net share command to make sure the SYSVOL and NETLOGON shares exist.

Assuming they do, wait a few minutes and run net share on your new DC. If those two shares exist over there as well, the issue may very well be resolved.
0
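The checks in this answer (FRS event log, `net share` on both DCs) and the SysvolReady toggle suggested earlier in the thread can be collected in one script. This is an added example, not code from the thread; it assumes an elevated PowerShell session on the DC being checked (PowerShell 2.0-era cmdlets only, since Get-SmbShare does not exist on 2008), and `$PartnerDc` is a placeholder for the other domain controller's DNS name.

```powershell
# Added example, not from the thread: health check for the symptoms discussed above
# (SysvolReady flag, SYSVOL/NETLOGON shares, FRS journal wrap, partner DC reachability).
# Assumes an elevated PowerShell 2.0+ session on the DC being checked.
param(
    [string]$PartnerDc = "partner-dc.example.local"   # assumption: replace with the real partner DC
)

function Get-SysvolReady {
    # SysvolReady = 1 tells Netlogon it may publish the SYSVOL and NETLOGON shares.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
    $item = Get-ItemProperty -Path $key -Name SysvolReady -ErrorAction SilentlyContinue
    if ($item) { [int]$item.SysvolReady } else { $null }
}

function Get-DcShareNames {
    # Win32_Share exists on 2003/2008, where Get-SmbShare is not available.
    Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name.ToUpper() }
}

function Get-FrsStatus {
    # FRS event IDs relevant to this problem (last 24 hours of the FRS log):
    #  13565  initialising SYSVOL from another DC; shares appear only when done (0x800034FD above)
    #  13508  trouble enabling replication from the partner; FRS keeps retrying (0x800034C4 above)
    #  13568  journal wrap detected (the condition found on the 2003 DC in the thread)
    #  13516  FRS no longer prevents this computer from becoming a DC (healthy)
    $events = Get-EventLog -LogName "File Replication Service" `
        -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue
    $ids = @($events | ForEach-Object { $_.EventID })
    New-Object PSObject -Property @{
        JournalWrap      = ($ids -contains 13568)
        WaitingOnPartner = ($ids -contains 13565 -or $ids -contains 13508)
        ReportedHealthy  = ($ids -contains 13516)
    }
}

function Test-DcSysvolHealth {
    param([string]$Partner)
    $findings = @()

    $ready = Get-SysvolReady
    if ($ready -ne 1) {
        $findings += "SysvolReady is '$ready' (expected 1); Netlogon will not publish the shares"
    }

    $shares = Get-DcShareNames
    foreach ($name in "SYSVOL", "NETLOGON") {
        if ($shares -notcontains $name) { $findings += "$name share is missing" }
    }

    $frs = Get-FrsStatus
    if ($frs.JournalWrap) {
        $findings += "FRS journal wrap (event 13568): do not hand-copy SYSVOL; use the FRS " +
                     "restore (BurFlags D4 on the good DC, D2 on the other DCs)"
    } elseif ($frs.WaitingOnPartner -and -not $frs.ReportedHealthy) {
        $findings += "FRS is still waiting on $Partner (events 13565/13508); check DNS and FRS there"
    }

    # Reason [1] in event 13508: the partner's DNS name must resolve from this DC.
    try { [System.Net.Dns]::GetHostAddresses($Partner) | Out-Null }
    catch { $findings += "cannot resolve partner DC name $Partner" }

    # Check the partner's own SYSVOL share; \\domain.local may silently pick the other DC.
    if (-not (Test-Path "\\$Partner\SYSVOL")) { $findings += "\\$Partner\SYSVOL not reachable" }

    if ($findings.Count -eq 0) { "OK: SysvolReady=1, SYSVOL and NETLOGON shared, no FRS journal wrap" }
    else { $findings }
}

Test-DcSysvolHealth -Partner $PartnerDc
```

Run it on each DC in turn; a manually shared SYSVOL folder will pass the share check but still show the FRS findings, which is the situation described in the next comments.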
 

Author Comment

by:raffie613
Do I need to restart the FRS service? Should I have stopped it before making the changes? I did not see that anywhere in the article.
0
 
LVL 25

Expert Comment

by:DrDave242
Sure, restarting it won't hurt.
0
 

Author Comment

by:raffie613
OK, didn't get any errors on the 2003 DC. However, I am still not seeing the netlogon share on the 2008 DC, just the Sysvol, and I think that is because I manually shared it. Do I just need to wait longer?
0
 
LVL 25

Expert Comment

by:DrDave242
Ah, I forgot you manually shared it. You may want to undo that (unshare the folder), then restart FRS on that server and see what happens. If the shares don't appear within a few minutes after you restart the service, you may either check the FRS event log for relevant errors or refer back to that same FRS restore article and perform a non-authoritative restore of FRS on the 2008 DC.
0
 

Author Comment

by:raffie613
Did the non-authoritative restore and BINGO! YATZEEEEE!

Thank you all for the help.
DrDave, you know your shit!
0
 
LVL 25

Expert Comment

by:DrDave242
Thanks! Glad it's working!
0
