Problem when joining a Windows 2008 R2 DC to our domain forest

Hi

We are trying to join a Windows 2008 R2 DC to our domain forest. The dcpromo and domain join worked fine, but not the domain replication. I ran dcdiag and got this:

C:\>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SRVDANMARK
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Danmark\SRVDANMARK
      Starting test: Connectivity
         The host 2e63e132-ea8a-4921-86d4-defac9362b62._msdcs.main.local
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... SRVDANMARK failed test Connectivity

Doing primary tests

   Testing server: Danmark\SRVDANMARK
      Skipping all tests, because server SRVDANMARK is not responding to
      directory service requests.


   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : main
      Starting test: CheckSDRefDom
         ......................... main passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... main passed test CrossRefValidation

   Running enterprise tests on : main.local
      Starting test: LocatorCheck
         ......................... main.local passed test LocatorCheck
      Starting test: Intersite
         ......................... main.local passed test Intersite

And repadmin shows this:

C:\>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Danmark\SRVDANMARK
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 2e63e132-ea8a-4921-86d4-defac9362b62
DSA invocationID: eeafc641-6a60-4768-a900-509560e561a2

==== INBOUND NEIGHBORS ======================================

DC=main,DC=local
    US\srv1 via RPC
        DSA object GUID: 074f6dd3-b6af-4ce6-a70c-f7b4623dbadf
        Last attempt @ 2014-10-02 09:51:18 failed, result 3 (0x5):
            Access is denied.
        264 consecutive failure(s).
        Last success @ 2014-09-29 13:14:17.

CN=Configuration,DC=main,DC=local
    US\srv1 via RPC
        DSA object GUID: 074f6dd3-b6af-4ce6-a70c-f7b4623dbadf
        Last attempt @ 2014-10-02 09:51:18 failed, result 3 (0x5):
            Access is denied.
        264 consecutive failure(s).
        Last success @ 2014-09-29 13:13:53.

CN=Schema,CN=Configuration,DC=main,DC=local
    US\srv1 via RPC
        DSA object GUID: 074f6dd3-b6af-4ce6-a70c-f7b4623dbadf
        Last attempt @ 2014-10-02 09:51:19 failed, result 3 (0x5):
            Access is denied.
        264 consecutive failure(s).
        Last success @ 2014-09-29 13:13:43.

Source: US\srv1
******* 264 CONSECUTIVE FAILURES since 2014-09-29 13:14:17
Last error: 3 (0x5):
            Access is denied.

The srv1 is our main server with DNS also, but I am seeing Access is denied.

Any idea of the problem?
Thx
Handersson75Asked:

Zacharia Kurian (Administrator - Data Center & Network) Commented:
Have you installed any antivirus on your new srv? If so, try disabling/uninstalling it and see. Also try disabling Windows Firewall. If that doesn't work out, follow the steps below:

net stop netlogon
net start netlogon
restart dns server from console
ipconfig /registerdns

There can be another issue if your event logs throw error code 0x621; then refer to the link below:
http://support2.microsoft.com/kb/978387

Make sure the DNS on your new server is correct by running BPA against it. I would suggest running BPA for all the roles on your new server as well as on your PDC.
0
Handersson75 (Author) Commented:
Tried the hotfix first, it's not applicable. Restart DNS server from console, so this means restart us/srv1, right? Because I did restart srvdanmark but it didn't work out well. The DNS in srvdanmark is set to srv1.
0
Handersson75 (Author) Commented:
When I see this access denied, it is often a user rights problem, isn't it?
0
Handersson75 (Author) Commented:
Just did more research: the DNS server srv1 is missing the SRV records in SRVDANMARK, no LDAP record and no Kerberos record. Could this be the reason why it's not working?
0
Zacharia Kurian (Administrator - Data Center & Network) Commented:
0
Handersson75 (Author) Commented:
Many of these errors show up when I run an AD role BPA:

Title:
The AD DS BPA should be able to collect data about the name of the forest from the domain controller SRVDANMARK

Severity:
Error

Date:
10/2/2014 1:00:53 PM

Category:
Configuration

Issue:
The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) is not able to collect data about the name of the forest from the domain controller SRVDANMARK.

Impact:
The AD DS BPA will not be able to validate configuration data about the name of the forest.

Resolution:
Troubleshoot the domain controller SRVDANMARK to determine the root cause of the problem.

More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=142188
0
Zacharia Kurian (Administrator - Data Center & Network) Commented:
0
Zacharia Kurian (Administrator - Data Center & Network) Commented:
Hope you are using a static IP on this server.
0
Handersson75 (Author) Commented:
Yes, it's a static IP on the server. Only one DC in that Denmark site.
0
Handersson75 (Author) Commented:
I just checked my DNS server and a very interesting thing shows up: under main.local -> dc -> _sites there is no srvdanmark folder. Other sites show fine, just not Danmark. Under the domains I am not seeing the _ldap SRV record; however, under _gc the Danmark shows up fine, but it's not helping...
0
Zacharia Kurian (Administrator - Data Center & Network) Commented:
OK. Can you post the snapshots of DNS zones + DNS properties (of DNS Role) on each server?
0
Handersson75 (Author) Commented:
I did some editing of the picture due to company policy, but this is how it is right now. dns.png
0
Zacharia Kurian (Administrator - Data Center & Network) Commented:
I would suggest you reconfigure DNS.
0
Handersson75 (Author) Commented:
How do I do that?
0
jrhelgeson Commented:
You are having a problem with your AD DNS Environment. I'd be willing to bet that the FSMO role holders for the Forest & Domain DNS

Replace DC=yourdomain,DC=tld with your domain information.

Open ADSIEdit. Connect to the server you want to transfer the roles to (it is important, otherwise you'll get an error).
 
For domain DNS zones:
Connect to DC=DomainDnsZones,DC=yourdomain,DC=tld
Open the properties of the object CN=Infrastructure,DC=DomainDnsZones,DC=yourdomain,DC=tld
Change the attribute fSMORoleOwner to CN=NTDSSettings,CN=Name_of_DC,CN=Servers,CN=DRSite,CN=Sites,CN=Configuration,DC=Yourdomain,DC=TLD
For forest DNS zones
Connect to DC=ForestDnsZones,DC=yourdomain,DC=tld and do the same.

Here are some more detailed instructions with screenshots.
0
Handersson75 (Author) Commented:
Zacharia Kurian was right, it was a problem with the DNS config, but he didn't really say how to fix it.

jrhelgeson made a good effort, so I'm going to split the points.

The problem was fixed. The main problem was the DNS role of the DC: when I did a dcpromo, I installed DNS with it, but I regretted that and removed DNS from the list again. Big mistake! Now the forest AD thought the DNS server was installed on the server, and because I removed it, it got a lot of errors, so I simply reinstalled it and everything started to work.

The time was being set back to the wrong value every time I restarted the server, so I needed to set the time to sync automatically with a time server, and it's now going fine.

I needed to redo the repadmin and everything is working now.

Thank you for your time.
0
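The missing-record symptoms described in this thread (the unresolvable GUID name under _msdcs and the absent _ldap/_kerberos entries for the Danmark site) can be checked in one pass. The script below is an added example, not something posted by the thread participants; it assumes a single-domain forest and uses the server, site and GUID values from the dcdiag and repadmin output above.

```powershell
# Added example: check that a DC's locator records exist on a given DNS server.
# All values are copied from the dcdiag/repadmin output in this thread.
$DnsServer = 'srv1'                                  # DNS server the new DC points at
$Forest    = 'main.local'                            # assumed: forest root = domain
$Site      = 'Danmark'                               # AD site of the new DC
$DcName    = 'SRVDANMARK'                            # DC whose records are expected
$DsaGuid   = '2e63e132-ea8a-4921-86d4-defac9362b62'  # DSA object GUID from repadmin

# Names Netlogon registers for a DC (also listed on the DC itself in
# %SystemRoot%\System32\config\netlogon.dns).
$checks = @(
    @{ Type = 'CNAME'; Name = "${DsaGuid}._msdcs.${Forest}" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.dc._msdcs.${Forest}" },
    @{ Type = 'SRV';   Name = "_kerberos._tcp.dc._msdcs.${Forest}" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.${Site}._sites.dc._msdcs.${Forest}" },
    @{ Type = 'SRV';   Name = "_kerberos._tcp.${Site}._sites.dc._msdcs.${Forest}" }
)

# Match only answer lines, so the "Server: ..." header of nslookup cannot
# produce a false positive.
$answer = '(svr hostname|canonical name)\s*=\s*' + [regex]::Escape($DcName) + '\.'

$results = foreach ($c in $checks) {
    # nslookup.exe is present on Windows Server 2008 R2 (no Resolve-DnsName there).
    $out = & nslookup.exe "-type=$($c.Type)" $c.Name $DnsServer 2>$null | Out-String
    New-Object PSObject -Property @{
        Type    = $c.Type
        Record  = $c.Name
        Present = [bool]($out -match $answer)   # -match is case-insensitive
    }
}
$results | Format-Table Type, Present, Record -AutoSize

# Kerberos rejects authentication when clocks differ by more than 5 minutes
# (default policy), so also show this DC's offset from the replication partner.
& w32tm.exe /stripchart /computer:$DnsServer /samples:1 /dataonly
```

Records reported as not present are the ones Netlogon registers at service start, which is what the `net stop netlogon` / `net start netlogon` step earlier in the thread triggers.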