Solved

Problem when joining a Windows 2008 R2 DC to our domain forest

Posted on 2014-10-02
Last Modified: 2014-10-06
Hi

We are trying to join a Windows 2008 R2 DC to our domain forest. The dcpromo and domain join worked fine, but not the domain replication. I ran dcdiag and got this:

C:\>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SRVDANMARK
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Danmark\SRVDANMARK
      Starting test: Connectivity
         The host 2e63e132-ea8a-4921-86d4-defac9362b62._msdcs.main.local
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... SRVDANMARK failed test Connectivity

Doing primary tests

   Testing server: Danmark\SRVDANMARK
      Skipping all tests, because server SRVDANMARK is not responding to
      directory service requests.


   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : main
      Starting test: CheckSDRefDom
         ......................... main passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... main passed test CrossRefValidation

   Running enterprise tests on : main.local
      Starting test: LocatorCheck
         ......................... main.local passed test LocatorCheck
      Starting test: Intersite
         ......................... main.local passed test Intersite

And repadmin shows this:

C:\>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Danmark\SRVDANMARK
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 2e63e132-ea8a-4921-86d4-defac9362b62
DSA invocationID: eeafc641-6a60-4768-a900-509560e561a2

==== INBOUND NEIGHBORS ======================================

DC=main,DC=local
    US\srv1 via RPC
        DSA object GUID: 074f6dd3-b6af-4ce6-a70c-f7b4623dbadf
        Last attempt @ 2014-10-02 09:51:18 failed, result 3 (0x5):
            Access is denied.
        264 consecutive failure(s).
        Last success @ 2014-09-29 13:14:17.

CN=Configuration,DC=main,DC=local
    US\srv1 via RPC
        DSA object GUID: 074f6dd3-b6af-4ce6-a70c-f7b4623dbadf
        Last attempt @ 2014-10-02 09:51:18 failed, result 3 (0x5):
            Access is denied.
        264 consecutive failure(s).
        Last success @ 2014-09-29 13:13:53.

CN=Schema,CN=Configuration,DC=main,DC=local
    US\srv1 via RPC
        DSA object GUID: 074f6dd3-b6af-4ce6-a70c-f7b4623dbadf
        Last attempt @ 2014-10-02 09:51:19 failed, result 3 (0x5):
            Access is denied.
        264 consecutive failure(s).
        Last success @ 2014-09-29 13:13:43.

Source: US\srv1
******* 264 CONSECUTIVE FAILURES since 2014-09-29 13:14:17
Last error: 3 (0x5):
            Access is denied.

The srv1 is our main server with DNS also, but I am seeing Access is denied.

Any idea of the problem?
Thx
0
Question by:Handersson75
17 Comments
 
LVL 9

Expert Comment

by:Zacharia Kurian
Have you installed any antivirus on your new srv? If so, try disabling/uninstalling it and see. Also try disabling Windows Firewall. If that doesn't work out, follow the steps below:

net stop netlogon
net start netlogon
restart dns server from console
ipconfig /registerdns

There can be another issue if your event logs throw error code 0x621; then refer to the link below:
http://support2.microsoft.com/kb/978387

Make sure the DNS on your new server is correct by running BPA against it. I would suggest running BPA for all the roles on your new server as well as on your PDC.
0
 
LVL 1

Author Comment

by:Handersson75
Tried the hotfix first; it's not applicable. "Restart DNS server from console": this means restart us/srv1, right? Because I did restart srvdanmark but it didn't work out well. The DNS in srvdanmark is set to srv1.
0
 
LVL 1

Author Comment

by:Handersson75
When I see this, access denied is often a user rights problem, isn't it?
0
 
LVL 1

Author Comment

by:Handersson75
Just did more research: the DNS server srv1 is missing the SRV records in SRVDANMARK, no LDAP record and no Kerberos record. Could this be the reason why it's not working?
0
 
LVL 9

Expert Comment

by:Zacharia Kurian
0
 
LVL 1

Author Comment

by:Handersson75
Many errors like this show up when I run an AD role BPA:

Title:
The AD DS BPA should be able to collect data about the name of the forest from the domain controller SRVDANMARK

Severity:
Error

Date:
10/2/2014 1:00:53 PM

Category:
Configuration

Issue:
The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) is not able to collect data about the name of the forest from the domain controller SRVDANMARK.

Impact:
The AD DS BPA will not be able to validate configuration data about the name of the forest.

Resolution:
Troubleshoot the domain controller SRVDANMARK to determine the root cause of the problem.

More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=142188
0
 
LVL 9

Expert Comment

by:Zacharia Kurian
0
 
LVL 9

Expert Comment

by:Zacharia Kurian
Hope you are using a static IP on this server.
0

 
LVL 1

Author Comment

by:Handersson75
Yes, it's a static IP on the server. Only one DC in that Denmark site.
0
 
LVL 1

Author Comment

by:Handersson75
I just checked my DNS server and a very interesting thing shows up: under main.local -> dc -> _sites there is no srvdanmark folder. Other sites show fine, just not Danmark. Under the domains I am not seeing an _ldap SRV record; however, under _gc the Danmark shows up fine, but it's not helping...
0
 
LVL 9

Expert Comment

by:Zacharia Kurian
OK. Can you post the snapshots of DNS zones + DNS properties (of DNS role) on each server?
0
 
LVL 1

Author Comment

by:Handersson75
I edited the picture somewhat due to company policy, but this is how it is right now. dns.png
0
 
LVL 9

Accepted Solution

by:
Zacharia Kurian earned 250 total points
I would suggest you reconfigure DNS.
0
 
LVL 1

Author Comment

by:Handersson75
How do I do that?
0
 
LVL 15

Assisted Solution

by:jrhelgeson
jrhelgeson earned 250 total points
You are having a problem with your AD DNS Environment. I'd be willing to bet that the FSMO role holders for the Forest & Domain DNS

Replace DC=yourdomain,DC=tld with your domain information.

Open ADSIEdit. Connect to the server you want to transfer the roles to (it is important, otherwise you'll get an error).
 
For domain DNS zones:
Connect to DC=DomainDnsZones,DC=yourdomain,DC=tld
Open the properties of the object CN=Infrastructure,DC=DomainDnsZones,DC=yourdomain,DC=tld
Change the attribute fSMORoleOwner to CN=NTDS Settings,CN=Name_of_DC,CN=Servers,CN=DRSite,CN=Sites,CN=Configuration,DC=Yourdomain,DC=TLD
For forest DNS zones:
Connect to DC=ForestDnsZones,DC=yourdomain,DC=tld and do the same.

Here are some more detailed instructions with screenshots.
0
 
LVL 1

Author Closing Comment

by:Handersson75
Zacharia Kurian was right, it was a problem with the DNS config, but he didn't really say how to fix it.

jrhelgeson made a good effort, so I'm going to split the points.

The problem was fixed. The main problem was the DNS role of the DC: when I did a dcpromo, I installed DNS with it, but I regretted that and removed DNS from the list again. Big mistake! Now the forest AD thought the DNS server was installed on the server, and because I removed it, it got a lot of errors, so I simply reinstalled it and everything started to work.

The time was being set back to the wrong value every time I restarted the server, so I needed to set the time to sync automatically with a time server, and it's now going fine.

I needed to redo the repadmin and everything is working now.

Thank you for your time.
0
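
An added example, not code from the thread or from any of its posters: Python that parses `repadmin /showrepl` text like the output in the question, flags inbound partners failing with 0x5, and lists the DNS locator records Netlogon registers for the DC (the GUID CNAME that dcdiag could not resolve, plus the _ldap and _kerberos SRV records the author found missing). It assumes a single-domain forest, so `main.local` is both forest root and domain; the function names are illustrative.

```python
import re

# Constructed sample: trimmed from the `repadmin /showrepl` output in the question.
SAMPLE = r"""
Danmark\SRVDANMARK
DSA object GUID: 2e63e132-ea8a-4921-86d4-defac9362b62
==== INBOUND NEIGHBORS ======================================
DC=main,DC=local
    US\srv1 via RPC
        DSA object GUID: 074f6dd3-b6af-4ce6-a70c-f7b4623dbadf
        Last attempt @ 2014-10-02 09:51:18 failed, result 3 (0x5):
            Access is denied.
        264 consecutive failure(s).
        Last success @ 2014-09-29 13:14:17.
"""

def parse_showrepl(text):
    """Return (site, dc, dsa_guid, neighbors) from `repadmin /showrepl` text."""
    head, _, body = text.partition("INBOUND NEIGHBORS")
    site, dc = re.search(r"^([^\\\s]+)\\(\S+)\s*$", head, re.M).groups()
    guid = re.search(r"DSA object GUID:\s*([0-9a-f-]{36})", head, re.I).group(1)
    neighbors, nc = [], None
    for line in body.splitlines():
        s = line.strip()
        if re.match(r"(DC|CN)=", s) and not line.startswith(" "):
            nc = s  # unindented DN line names the naming context
        elif m := re.match(r"(\S+) via RPC", s):
            neighbors.append({"nc": nc, "source": m.group(1), "error": None, "failures": 0})
        elif neighbors and (m := re.search(r"failed, result \d+ \((0x[0-9a-f]+)\)", s, re.I)):
            neighbors[-1]["error"] = m.group(1)
        elif neighbors and (m := re.match(r"(\d+) consecutive failure", s)):
            neighbors[-1]["failures"] = int(m.group(1))
    return site, dc, guid, neighbors

def access_denied(neighbors):
    """Inbound partners whose last attempt failed with 0x5 (Access is denied)."""
    return [n for n in neighbors if n["error"] == "0x5"]

def expected_locator_records(site, guid, domain):
    """DNS names Netlogon registers for a DC (assumes domain == forest root)."""
    return [
        (f"{guid}._msdcs.{domain}", "CNAME"),
        (f"_ldap._tcp.dc._msdcs.{domain}", "SRV"),
        (f"_kerberos._tcp.dc._msdcs.{domain}", "SRV"),
        (f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}", "SRV"),
    ]
```

Each returned name can be checked against the DNS server with `nslookup -type=SRV` or `nslookup -type=CNAME`.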
