Jonathan Jones
AD FSMO Issues
Hello,
I am having problems with Schema and FSMO I believe. I was moving the 5 roles to another Domain Controller; the netdom query showed the roles transferred to the new DC, but when I ran netdom query on the demoted DC it reported the Schema Role was on a different DC. Now I can not access AD Users and Groups, Site Manager etc. except where the Schema Role was being reported?? Users can log in and authenticate, but I can not access the remaining servers' NTDS.dit or any related services, plus replication is now reporting broken. I did a dcdiag and this is what I got:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = PR-DC01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\PR-DC01
Starting test: Connectivity
......................... PR-DC01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PR-DC01
Starting test: Advertising
......................... PR-DC01 passed test Advertising
Starting test: FrsEvent
The event log File Replication Service on server PR-DC01.prsdnj.org
could not be queried, error 0x5 "Access is denied."
......................... PR-DC01 failed test FrsEvent
Starting test: DFSREvent
......................... PR-DC01 passed test DFSREvent
Starting test: SysVolCheck
......................... PR-DC01 passed test SysVolCheck
Starting test: KccEvent
......................... PR-DC01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... PR-DC01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... PR-DC01 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=prsdnj,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=prsdnj,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
CN=Schema,CN=Configuration,DC=prsdnj,DC=org
Error BUILTIN\Administrators doesn't have
Replicating Directory Changes
Replicating Directory Changes All
Replication Synchronization
Manage Replication Topology
access rights for the naming context:
CN=Schema,CN=Configuration,DC=prsdnj,DC=org
Error PRSDNJ\Enterprise Read-only Domain Controllers doesn't have
Replicating Directory Changes
Replicating Directory Changes All
Replicating Directory Changes In Filtered Set
access rights for the naming context:
CN=Schema,CN=Configuration,DC=prsdnj,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=prsdnj,DC=org
......................... PR-DC01 failed test NCSecDesc
Starting test: NetLogons
......................... PR-DC01 passed test NetLogons
Starting test: ObjectsReplicated
......................... PR-DC01 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,PR-DC01] A recent replication attempt failed:
From PR-DC03 to PR-DC01
Naming Context: DC=DomainDnsZones,DC=prsdnj,DC=org
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2016-11-02 13:49:44.
The last success occurred at 2016-11-01 14:45:37.
26 failures have occurred since the last success.
Replication has been explicitly disabled through the server
options.
[Replications Check,PR-DC01] A recent replication attempt failed:
From PR-DC03 to PR-DC01
Naming Context: DC=ForestDnsZones,DC=prsdnj,DC=org
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2016-11-02 13:49:44.
The last success occurred at 2016-11-01 14:48:15.
30 failures have occurred since the last success.
Replication has been explicitly disabled through the server
options.
[Replications Check,PR-DC01] A recent replication attempt failed:
From PR-DC03 to PR-DC01
Naming Context: CN=Schema,CN=Configuration,DC=prsdnj,DC=org
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2016-11-02 13:49:44.
The last success occurred at 2016-11-01 14:45:37.
26 failures have occurred since the last success.
Replication has been explicitly disabled through the server
options.
[Replications Check,PR-DC01] A recent replication attempt failed:
From PR-DC03 to PR-DC01
Naming Context: CN=Configuration,DC=prsdnj,DC=org
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2016-11-02 13:55:57.
The last success occurred at 2016-11-01 14:45:37.
117 failures have occurred since the last success.
Replication has been explicitly disabled through the server
options.
[Replications Check,PR-DC01] A recent replication attempt failed:
From PR-DC03 to PR-DC01
Naming Context: DC=prsdnj,DC=org
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2016-11-02 14:01:11.
The last success occurred at 2016-11-01 14:55:51.
3040 failures have occurred since the last success.
Replication has been explicitly disabled through the server
options.
......................... PR-DC01 failed test Replications
Starting test: RidManager
......................... PR-DC01 passed test RidManager
Starting test: Services
......................... PR-DC01 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x0000043D
Time Generated: 11/02/2016 13:02:39
Event String:
Windows failed to apply the Group Policy Services settings. Group Po
licy Services settings might have its own log file. Please click on the "More in
formation" link.
An error event occurred. EventID: 0x0000165B
Time Generated: 11/02/2016 13:07:38
Event String:
The session setup from computer 'WIN10-PARENT' failed because the se
curity database does not contain a trust account 'WIN10-PARENT$' referenced by t
he specified computer.
An error event occurred. EventID: 0x000016AD
Time Generated: 11/02/2016 13:11:05
Event String:
The session setup from the computer WIN10-PARENT failed to authentic
ate. The following error occurred:
A warning event occurred. EventID: 0x00000090
Time Generated: 11/02/2016 13:21:02
Event String:
The time service has stopped advertising as a good time source.
An error event occurred. EventID: 0x0000165B
Time Generated: 11/02/2016 13:22:16
Event String:
The session setup from computer 'PR-STAFF-VM-051' failed because the
security database does not contain a trust account 'PR-STAFF-VM-051$' reference
d by the specified computer.
An error event occurred. EventID: 0x000016AD
Time Generated: 11/02/2016 13:24:27
Event String:
The session setup from the computer PR-STAFF-VM-051 failed to authen
ticate. The following error occurred:
An error event occurred. EventID: 0x00000429
Time Generated: 11/02/2016 14:00:39
Event String:
The processing of Group Policy failed. Windows could not evaluate th
e Windows Management Instrumentation (WMI) filter for the Group Policy object cn
={65FE5720-070B-40B6-B584-86A1201E4699},cn=policies,cn=system,DC=prsdnj,DC=org.
This could be caused by RSOP being disabled or Windows Management Instrumentati
on (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI
service is started and the startup type is set to automatic. New Group Policy o
bjects or settings will not process until this event has been resolved.
An error event occurred. EventID: 0x00000457
Time Generated: 11/02/2016 14:00:43
Event String:
Driver WebEx Document Loader required for printer WebEx Document Loa
der is unknown. Contact the administrator to install the driver before you log i
n again.
An error event occurred. EventID: 0x00000457
Time Generated: 11/02/2016 14:00:43
Event String:
Driver Lexmark T652 required for printer !!Prsdprint!PRHS146LEXT652
is unknown. Contact the administrator to install the driver before you log in ag
ain.
An error event occurred. EventID: 0x00000457
Time Generated: 11/02/2016 14:00:43
Event String:
Driver Dell B2360d-dn Laser Printer XL required for printer !!Hsprin
t!PRHS1392360DN is unknown. Contact the administrator to install the driver befo
re you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 11/02/2016 14:00:44
Event String:
Driver Microsoft Print To PDF required for printer Microsoft Print t
o PDF is unknown. Contact the administrator to install the driver before you log
in again.
An error event occurred. EventID: 0x00000457
Time Generated: 11/02/2016 14:00:44
Event String:
Driver Dell Open Print Driver (PS) required for printer !!Hsprint!PR
HSMEDIA5200 is unknown. Contact the administrator to install the driver before y
ou log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 11/02/2016 14:00:45
Event String:
Driver SAVIN C7570 PCL 6 required for printer !!hsprint!District Sav
in C7570 is unknown. Contact the administrator to install the driver before you
log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 11/02/2016 14:00:47
Event String:
Driver Dell Color MFP E525w PCL 6 required for printer !!JHSPRINT!JG
uercioni-Dell E525W Printer is unknown. Contact the administrator to install the
driver before you log in again.
......................... PR-DC01 failed test SystemLog
Starting test: VerifyReferences
......................... PR-DC01 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : prsdnj
Starting test: CheckSDRefDom
......................... prsdnj passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... prsdnj passed test CrossRefValidation
Running enterprise tests on : prsdnj.org
Starting test: LocatorCheck
......................... prsdnj.org passed test LocatorCheck
Starting test: Intersite
......................... prsdnj.org passed test Intersite
C:\Users\administrator.PRSDNJ>
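The dcdiag output above shows two separate symptoms: each DC reporting a different FSMO owner, and error 8456 ("The source server is currently rejecting replication requests ... Replication has been explicitly disabled through the server options"), which refers to the `options` attribute on the source DC's NTDS Settings object. The following PowerShell script is an added example, not part of the original post or of any Microsoft tooling; it asks every DC for its own view of the five role owners, reports any disagreement, and decodes the NTDS `options` bits so a DC left with replication disabled after a failed demotion stands out. It assumes the ActiveDirectory RSAT module and a session that can read the directory; the bit values are the NTDSDSA_OPT_* constants from the MS-ADTS specification.

```powershell
# Added example (not from the original post): compare each DC's view of the
# FSMO role owners and decode the NTDS Settings 'options' attribute that
# dcdiag error 8456/8457 refers to. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Bit values of the 'options' attribute on an nTDSDSA (NTDS Settings) object
# (NTDSDSA_OPT_* constants from MS-ADTS).
$NtdsOptionBits = [ordered]@{
    IS_GC                    = 0x1
    DISABLE_INBOUND_REPL     = 0x2
    DISABLE_OUTBOUND_REPL    = 0x4
    DISABLE_NTDSCONN_XLATE   = 0x8
    DISABLE_SPN_REGISTRATION = 0x10
}

function Get-NtdsOptionFlags {
    param([int]$Options)
    $NtdsOptionBits.GetEnumerator() |
        Where-Object { ($Options -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Ask every DC for *its* copy of the role-owner data. A healthy forest returns
# the same answer from every DC; with replication broken, the copies diverge,
# which is exactly what the netdom query in the post showed.
$dcs = Get-ADDomainController -Filter *
$views = foreach ($dc in $dcs) {
    try {
        $forest = Get-ADForest -Server $dc.HostName -ErrorAction Stop
        $domain = Get-ADDomain -Server $dc.HostName -ErrorAction Stop
        # Read the DC's own NTDS Settings object from the DC itself, not from
        # a replica, since replication is the thing that is broken.
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectName `
                    -Properties options -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            QueriedDC      = $dc.HostName
            SchemaMaster   = $forest.SchemaMaster
            NamingMaster   = $forest.DomainNamingMaster
            PDCEmulator    = $domain.PDCEmulator
            RIDMaster      = $domain.RIDMaster
            Infrastructure = $domain.InfrastructureMaster
            NtdsOptions    = (Get-NtdsOptionFlags -Options ([int]$ntds.options)) -join ','
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

$views | Format-Table -AutoSize

# Flag any role on which the DCs do not agree.
foreach ($role in 'SchemaMaster','NamingMaster','PDCEmulator','RIDMaster','Infrastructure') {
    $owners = @($views.$role | Sort-Object -Unique)
    if ($owners.Count -gt 1) {
        Write-Warning "$role owner differs between DCs: $($owners -join ' / ')"
    }
}

# Flag DCs whose NTDS options disable replication. DISABLE_OUTBOUND_REPL on the
# source DC produces error 8456 at its partners; DISABLE_INBOUND_REPL on the
# destination produces 8457.
$views | Where-Object { $_.NtdsOptions -match 'DISABLE_(INBOUND|OUTBOUND)_REPL' } |
    ForEach-Object {
        Write-Warning "$($_.QueriedDC) has replication disabled via NTDS options: $($_.NtdsOptions)"
    }
```

The same bits are what `repadmin /options <DC>` prints as "Current DSA Options", and a DC that a failed or interrupted demotion left with them set is cleared with `repadmin /options <DC> -DISABLE_OUTBOUND_REPL` (and `-DISABLE_INBOUND_REPL`). Clearing the flags on a DC that was deliberately demoted is not the right fix; that DC should instead be removed from the directory with metadata cleanup so its partners stop trying to replicate from it.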
ASKER
paulmacd,
Thanks, I tried that (2008 R2) and it keeps giving me these errors:
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server pr-dc03
Binding to pr-dc03 ...
Connected to pr-dc03 using credentials of locally logged on user.
server connections: q
fsmo maintenance: ?
? - Show this help information
Connections - Connect to a specific AD DC/LDS instance
Help - Show this help information
Quit - Return to the prior menu
Seize infrastructure master - Overwrite infrastructure role on connected serv
er
Seize naming master - Overwrite Naming Master role on connected serve
r
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite RID role on connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles and
naming contexts
Transfer infrastructure master - Make connected server the infrastructure maste
r
Transfer naming master - Make connected server the naming master
Transfer PDC - Make connected server the PDC
Transfer RID master - Make connected server the RID master
Transfer schema master - Make connected server the schema master
fsmo maintenance: seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032103C6, problem 5002 (UN
AVAILABLE), data -2146893022
Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0xc(12 (Unavailable Critical Extension).
Ldap extended error message is 000020AE: SvcErr: DSID-032103B3, problem 5010 (UN
AVAIL_EXTENSION), data 8610
Win32 error returned is 0x20ae(The role owner attribute could not be read.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
fsmo maintenance:
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032105B0, problem 5002 (UN
AVAILABLE), data -2146893022
Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
fsmo maintenance:
fsmo maintenance: seize RID master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210CE0, problem 5002 (UN
AVAILABLE), data -2146893022
Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
fsmo maintenance:
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032103C6, problem 5002 (UN
AVAILABLE), data -2146893022
Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
fsmo maintenance:
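The ntdsutil session above does what a seizure is supposed to do: it first attempts a graceful transfer, and only when the current holder cannot be contacted (0x20af) does it overwrite the role owner. The script below is an added example, not the poster's commands or part of ntdsutil, showing the same sequence with the ActiveDirectory module: a plain transfer is attempted, seizure is used only if the transfer fails and the old holder really is unreachable, and the result is verified by reading `fSMORoleOwner` directly from the objects that store each role. `$Target` and `$OldHolder` are placeholders to be set for the environment (the post's target is pr-dc03); the role-storing object DNs are the standard ones (schema NC, `CN=Partitions` in the configuration NC, the domain NC, `CN=RID Manager$,CN=System` and `CN=Infrastructure`).

```powershell
# Added example (not the poster's commands): transfer the five FSMO roles,
# seize only when the holder is unreachable, then verify fSMORoleOwner.
# Assumes the ActiveDirectory module and Enterprise/Schema Admin rights.
Import-Module ActiveDirectory

$Target    = 'pr-dc03'   # DC that should end up holding the roles
$OldHolder = 'OLD-HOLDER-PLACEHOLDER'   # placeholder: the DC the roles are taken from
$Roles     = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

try {
    # Graceful transfer first: this updates the old holder too, so both sides agree.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles `
        -Confirm:$false -ErrorAction Stop
    Write-Host "Roles transferred gracefully to $Target"
} catch {
    # Seizure overwrites the owner without the old holder's knowledge, so it is
    # only appropriate when that DC is genuinely gone for good.
    if (Test-Connection -ComputerName $OldHolder -Count 1 -Quiet) {
        throw "Transfer failed but $OldHolder still responds; investigate before seizing."
    }
    Write-Warning "Transfer failed ($($_.Exception.Message)); seizing roles on $Target"
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles `
        -Force -Confirm:$false -ErrorAction Stop
}

# Verify by reading fSMORoleOwner from the object that stores each role, on the target DC.
$rootDse = Get-ADRootDSE -Server $Target
$roleObjects = [ordered]@{
    SchemaMaster         = $rootDse.schemaNamingContext
    DomainNamingMaster   = 'CN=Partitions,' + $rootDse.configurationNamingContext
    PDCEmulator          = $rootDse.defaultNamingContext
    RIDMaster            = 'CN=RID Manager$,CN=System,' + $rootDse.defaultNamingContext
    InfrastructureMaster = 'CN=Infrastructure,' + $rootDse.defaultNamingContext
}
foreach ($entry in $roleObjects.GetEnumerator()) {
    $owner = (Get-ADObject -Identity $entry.Value -Properties fSMORoleOwner -Server $Target).fSMORoleOwner
    '{0,-22} {1}' -f $entry.Key, $owner
}
```

Each `fSMORoleOwner` value is the DN of an NTDS Settings object, the same form ntdsutil prints after "knows about 5 roles". Once a role has been seized, the former holder must not be brought back onto the network as a DC; it should be cleaned out of the directory with metadata cleanup, otherwise two DCs will each believe they own the role.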
Thanks, I tried that (2008 R2) and it keeps giving me these errors:
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server pr-dc03
Binding to pr-dc03 ...
Connected to pr-dc03 using credentials of locally logged on user.
server connections: q
fsmo maintenance: ?
? - Show this help information
Connections - Connect to a specific AD DC/LDS instance
Help - Show this help information
Quit - Return to the prior menu
Seize infrastructure master - Overwrite infrastructure role on connected serv
er
Seize naming master - Overwrite Naming Master role on connected serve
r
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite RID role on connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles and
naming contexts
Transfer infrastructure master - Make connected server the infrastructure maste
r
Transfer naming master - Make connected server the naming master
Transfer PDC - Make connected server the PDC
Transfer RID master - Make connected server the RID master
Transfer schema master - Make connected server the schema master
fsmo maintenance: seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032103C6, problem 5002 (UN
AVAILABLE), data -2146893022
Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Ser
tes,CN=Configuration,DC=pr
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Ser
e,CN=Sites,CN=Configuratio
PDC - CN=NTDS Settings,CN=PR-DC02,CN=Ser
,CN=Configuration,DC=prsdn
RID - CN=NTDS Settings,CN=PR-DC02,CN=Ser
,CN=Configuration,DC=prsdn
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Ser
me,CN=Sites,CN=Configurati
fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0xc(12 (Unavailable Critical Extension).
Ldap extended error message is 000020AE: SvcErr: DSID-032103B3, problem 5010 (UN
AVAIL_EXTENSION), data 8610
Win32 error returned is 0x20ae(The role owner attribute could not be read.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Ser
tes,CN=Configuration,DC=pr
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Ser
e,CN=Sites,CN=Configuratio
PDC - CN=NTDS Settings,CN=PR-DC02,CN=Ser
,CN=Configuration,DC=prsdn
RID - CN=NTDS Settings,CN=PR-DC02,CN=Ser
,CN=Configuration,DC=prsdn
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Ser
me,CN=Sites,CN=Configurati
fsmo maintenance:
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032105B0, problem 5002 (UNAVAILABLE), data -2146893022
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Ser
tes,CN=Configuration,DC=pr
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Ser
e,CN=Sites,CN=Configuratio
PDC - CN=NTDS Settings,CN=PR-DC03,CN=Ser
,CN=Configuration,DC=prsdn
RID - CN=NTDS Settings,CN=PR-DC02,CN=Ser
,CN=Configuration,DC=prsdn
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Ser
me,CN=Sites,CN=Configurati
fsmo maintenance:
fsmo maintenance: seize RID master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210CE0, problem 5002 (UNAVAILABLE), data -2146893022
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Ser
tes,CN=Configuration,DC=pr
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Ser
e,CN=Sites,CN=Configuratio
PDC - CN=NTDS Settings,CN=PR-DC03,CN=Ser
,CN=Configuration,DC=prsdn
RID - CN=NTDS Settings,CN=PR-DC03,CN=Ser
,CN=Configuration,DC=prsdn
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Ser
me,CN=Sites,CN=Configurati
fsmo maintenance:
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032103C6, problem 5002 (UNAVAILABLE), data -2146893022
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC03,CN=Ser
tes,CN=Configuration,DC=pr
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Ser
e,CN=Sites,CN=Configuratio
PDC - CN=NTDS Settings,CN=PR-DC03,CN=Ser
,CN=Configuration,DC=prsdn
RID - CN=NTDS Settings,CN=PR-DC03,CN=Ser
,CN=Configuration,DC=prsdn
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Ser
me,CN=Sites,CN=Configurati
fsmo maintenance:
Check again by running...
netdom /query FSMO
...at the command prompt. It looks like all five roles are on PR-DC03:
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
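The `netdom /query FSMO` check above only shows the view of whichever DC answers. The symptom in this thread is that different DCs disagree about who holds the roles, so the useful check is to ask every DC and compare. The following PowerShell is an added example, not code from the thread or from paulmacd; it assumes the RSAT `ActiveDirectory` module and a domain-joined administrative session, and it reads the role owners as reported by each DC individually via `-Server`.

```powershell
# Added example, not from the thread: ask every DC in the domain which server it
# believes holds each FSMO role, then flag any role on which the DCs disagree.
# Assumes the RSAT ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

function Get-FsmoView {
    # Read the five role owners as seen from one specific DC ($Server).
    param([Parameter(Mandatory)][string]$Server)
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server
    [pscustomobject]@{
        ReportedBy           = $Server
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Query each DC separately; a DC that cannot be reached is reported, not fatal.
$views = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try   { Get-FsmoView -Server $dc }
    catch { Write-Warning "Could not query ${dc}: $($_.Exception.Message)" }
}

$views | Format-Table -AutoSize

# A healthy forest has exactly one holder per role no matter which DC you ask.
# Two distinct holders for the same role is the split state described in this thread.
foreach ($role in $roles) {
    $holders = @($views | ForEach-Object { $_.$role } | Sort-Object -Unique)
    if ($holders.Count -ne 1) {
        Write-Warning ("{0}: DCs disagree on the holder: {1}" -f $role, ($holders -join ', '))
    }
}
```

Run it from any domain-joined box with RSAT. A warning for a role means the DCs have not converged on a single owner, which usually points at a replication problem (compare with `repadmin /showrepl`) rather than at the role transfer itself.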
ASKER
paulmacd,
When I go to PR-DC03, it says PR-DC01 is the role holder, as do all of the remaining DC servers, but PR-DC03 is the only one on which I can access the users and groups etc.:
C:\Users\administrator.PRSDNJ>netdom /query FSMO
Schema master PR-DC01.prsdnj.org
Domain naming master PR-DC01.prsdnj.org
PDC PR-DC01.prsdnj.org
RID pool manager PR-DC01.prsdnj.org
Infrastructure master PR-DC01.prsdnj.org
The command completed successfully.
ASKER
Also I am seeing this on one of the DCs, which leads me to believe that it's a permissions issue:
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=prsdnj,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=prsdnj,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
CN=Schema,CN=Configuration,DC=prsdnj,DC=org
Error BUILTIN\Administrators doesn't have
Replicating Directory Changes
Replicating Directory Changes All
Replication Synchronization
Manage Replication Topology
access rights for the naming context:
CN=Schema,CN=Configuration,DC=prsdnj,DC=org
Error PRSDNJ\Enterprise Read-only Domain Controllers doesn't have
Replicating Directory Changes
Replicating Directory Changes All
Replicating Directory Changes In Filtered Set
access rights for the naming context:
CN=Schema,CN=Configuration,DC=prsdnj,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=prsdnj,DC=org
Also with Repadmin I get this:
DC=DomainDnsZones,DC=prsdnj,DC=org
Default-First-Site-Name\PR-DC03 via RPC
DSA object GUID: 87cd5396-756e-4e41-9ea1-7e1d6316dc3c
Last attempt @ 2016-11-03 07:49:46 failed, result 8456 (0x2108):
The source server is currently rejecting replication requests.
44 consecutive failure(s).
Last success @ 2016-11-01 14:45:37.
Default-First-Site-Name\PR-DC02 via RPC
DSA object GUID: e31eac56-84ec-4fea-9b40-e3749f4f1074
Last attempt @ 2016-11-03 07:49:46 was successful.
Default-First-Site-Name\PR-DC04 via RPC
DSA object GUID: 0b299f27-8279-4071-9aa2-9e93e630e82d
Last attempt @ 2016-11-03 07:49:46 was successful.
ETESDNJ\ETESD-DC01 via RPC
DSA object GUID: 156cdf94-304b-401e-b01c-c95d14e5086d
Last attempt @ 2016-11-03 08:34:46 was successful.
Source: Default-First-Site-Name\PR-DC03
******* 5557 CONSECUTIVE FAILURES since 2016-11-01 14:55:51
Last error: 8456 (0x2108):
The source server is currently rejecting replication requests.
Here's what Microsoft has to say about "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set". Here's an alternate solution.
ASKER
On the alternate solution, it fails to find DC=ForestDnsZoones,DC=prsdnj,DC=org in ADSI Edit, which I think is the root of the problem. Is there a way to reset the partition perms?
"ForestDnsZoones" should be ForestDnsZones. That was a typo in the example. You can see the correct spelling in the image above the step.
ASKER
Paul,
I think I found the problem, not sure how to fix it though... the FSMO roles report themselves on 2 servers simultaneously, PR-DC03 and PR-DC01. Any way to fix this? I have tried to seize, but it does not change the PDC.
Turn off the bad server (PR-DC01?), then seize the role.
ASKER
Did not work at all, I am panicking, is there a utility that can fix this? NTDSUTIL says the ntds.dit is clean??
"Did not work at all..."
What didn't work? How do you know? What symptoms are you seeing of a problem?
ASKER
paulmacd,
I was able to fix it. It was a permission issue that was stopping Users and Groups/GPO Manager/ADSIEdit from opening. I had to go to Command Prompt -> ldp.exe, navigate to CN=Schema and change the permissions on Authenticated Users to be able to Read all Objects AND Descending Objects. The Descending Objects was missing and breaking the AD partition.
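The fix described above was done by hand in ldp.exe. A defender will want a repeatable way to verify that the Schema naming context still carries a read ACE for Authenticated Users whose scope covers descendant objects, since it was the missing descendant scope that broke the consoles. The following PowerShell is an added example, not the asker's procedure or Microsoft's tooling; it assumes the RSAT `ActiveDirectory` module (for the `AD:` drive and `Get-ADRootDSE`), reads the schema DN from the RootDSE rather than hard-coding `CN=Schema,CN=Configuration,DC=prsdnj,DC=org`, and only modifies the ACL when run with `-Repair` (which requires Schema Admins rights).

```powershell
# Added example, not from the thread: audit the Schema naming context for an
# Authenticated Users read ACE scoped to "this object and all descendant objects"
# (InheritanceType = All), the scope the thread found missing. Report by default;
# add the ACE only with -Repair (Schema Admins rights required).
Import-Module ActiveDirectory

function Test-SchemaReadAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Repair)

    $schemaDn  = (Get-ADRootDSE).schemaNamingContext   # e.g. CN=Schema,CN=Configuration,DC=prsdnj,DC=org
    $path      = "AD:\$schemaDn"
    $principal = 'NT AUTHORITY\Authenticated Users'
    $acl       = Get-Acl -Path $path

    # Allow ACEs for Authenticated Users that grant at least one generic-read right.
    # GenericRead = ReadControl | ReadProperty | ListChildren | ListObject, i.e. the
    # ACL editor's "Read" permission.
    $readAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $principal -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead)
    }

    foreach ($ace in $readAces) {
        '{0,-45} {1,-6} inherit={2}' -f $ace.ActiveDirectoryRights, $ace.AccessControlType, $ace.InheritanceType
    }

    # "All" means this object and all descendant objects; "None" is this object only.
    $ok = [bool]($readAces | Where-Object { $_.InheritanceType -eq 'All' })
    if ($ok) {
        Write-Host "OK: $principal can read $schemaDn and all descendant objects"
        return $true
    }

    Write-Warning "$principal has no read ACE scoped to descendant objects on $schemaDn"
    if ($Repair -and $PSCmdlet.ShouldProcess($schemaDn, "Add Read ACE for $principal (this object and all descendants)")) {
        $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            [System.Security.Principal.NTAccount]$principal,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
        )
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        return $true
    }
    return $false
}

Test-SchemaReadAce                     # report only
# Test-SchemaReadAce -Repair -WhatIf   # preview the change; drop -WhatIf to apply it
```

The report branch is safe to run on any DC and is worth scripting as a periodic check: the dcdiag `NCSecDesc` test that appears throughout this thread checks replication rights for DC groups on each naming context, but it does not check the plain read access that the admin consoles depend on.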
ASKER CERTIFIED SOLUTION
Alternate instructions via TechNet.