Solved

Active Directory screwed

Posted on 2016-11-30
9
29 Views
Last Modified: 2016-11-30
Hi

My primary DC failed and can not  get it running and secondary fails to start Active Directory. This is the dcdiag output.
Any help would be highly appreciated.

C:\Users\Administrator.KAUFMANN>dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = ADS01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Standardname-des-ersten-Standorts\ADS01
      Starting test: Connectivity
         ......................... ADS01 passed test Connectivity

Doing primary tests

   Testing server: Standardname-des-ersten-Standorts\ADS01
      Starting test: Advertising
         Fatal Error:DsGetDcName (ADS01) call failed, error 1355
         The Locator could not find the server.
         ......................... ADS01 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... ADS01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... ADS01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... ADS01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... ADS01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... ADS01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... ADS01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... ADS01 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\ADS01\netlogon)
         [ADS01] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... ADS01 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... ADS01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... ADS01 passed test Replications
      Starting test: RidManager
         ......................... ADS01 passed test RidManager
      Starting test: Services
         ......................... ADS01 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 11/30/2016   08:33:45
            Event String: The WinRM service is not listening for WS-Management requests.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 11/30/2016   08:34:07
            Event String:
            Name resolution for the name _ldap._tcp.dc._msdcs.kaufmann.local. timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 11/30/2016   08:34:08
            Event String:
            Name resolution for the name _ldap._tcp.dc._msdcs.kaufmann.local. timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 11/30/2016   08:34:35
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/ADS01.kaufmann.local; WSMAN/ADS01.
         A warning event occurred.  EventID: 0x0000000C
            Time Generated: 11/30/2016   08:34:35
            Event String:
            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 11/30/2016   08:34:39
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 11/30/2016   08:34:55
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
         A warning event occurred.  EventID: 0xC000042B
            Time Generated: 11/30/2016   08:36:35
            Event String:
            The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
         An error event occurred.  EventID: 0x00000469
            Time Generated: 11/30/2016   08:39:36
            Event String:
            The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
         An error event occurred.  EventID: 0x00000469
            Time Generated: 11/30/2016   08:39:37
            Event String:
            The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
         An error event occurred.  EventID: 0x00002720
            Time Generated: 11/30/2016   08:39:38
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         A warning event occurred.  EventID: 0x00001696
            Time Generated: 11/30/2016   08:40:43
            Event String:
            Dynamic registration or deregistration of one or more DNS records failed with the following error:
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 11/30/2016   09:04:12
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the VMTools service.
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 11/30/2016   09:04:42
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the VMTools service.
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 11/30/2016   09:05:12
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the VMTools service.
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 11/30/2016   09:05:42
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the VMTools service.
         ......................... ADS01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... ADS01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : kaufmann
      Starting test: CheckSDRefDom
         ......................... kaufmann passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... kaufmann passed test CrossRefValidation

   Running enterprise tests on : kaufmann.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... kaufmann.local failed test LocatorCheck
      Starting test: Intersite
         ......................... kaufmann.local passed test Intersite
0
Comment
Question by:un1x86
9 Comments
 
LVL 6

Expert Comment

by:Andy
Comment Utility
Hi,

What OS are the DC's?
Are they both GC servers? - If they are you can try seizing roles on the second AD server then rebuild the failed primary.
Do they each have DNS servers pointing to themselves, not each other?
Does DHCP have both DNS servers in the scope options?
Also, reboot a client to see if it can connect to the 2nd server as DNS.
0
 
LVL 11

Author Comment

by:un1x86
Comment Utility
hi

What OS are the DC's?
Windows 2016

Are they both GC servers? - If they are you can try seizing roles on the second AD server then rebuild the failed primary.
Not sure.

Do they each have DNS servers pointing to themselves, not each other?
primary server is completely gone. It has been deleted by mistake

Does DHCP have both DNS servers in the scope options?
Yes

Also, reboot a client to see if it can connect to the 2nd server as DNS.
nslookup everything seems to work fine of that DNS

C:\Users\Administrator>nslookup ads01
Server:  ADS01.kaufmann.local
Address:  192.168.1.15

Name:    ads01.kaufmann.local
Address:  192.168.1.15


C:\Users\Administrator>nslookup app01
Server:  ADS01.xx.local
Address:  192.168.1.15

Name:    app01.xx.local
Address:  192.168.1.16

Open in new window

0
 
LVL 6

Expert Comment

by:Andy
Comment Utility
To see if a server is a GC server you can check this in Active Directory Sites and services > NTDS > Properties, you will see a box that should be checked for GC (Global Catalog)

Do/did you just have the 2 DC's?
0
 
LVL 11

Author Comment

by:un1x86
Comment Utility
I can't even open Active Directory Sites and services
Screen-Shot-2016-11-30-at-10.22.53.png
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 6

Expert Comment

by:Andy
Comment Utility
OK, how many users/devices are there?

Are they physical or virtual DC's?
Did you take a recent full backup of the DC including systems state (inc. SYSVOL) and AD database?
0
 
LVL 13

Expert Comment

by:John Tsioumpris
Comment Utility
Can you open Active Directory Sites and services on the working server ?
What happened to your main server?
0
 
LVL 24

Accepted Solution

by:
-MAS earned 500 total points
Comment Utility
HI,
Your easiest option is to find backup of your FSMO holder as your additional domain controller is not healthy to work on its own.  Instead of wasting your time fixing please try to restore the backup.

Thanks
MAS
0
 
LVL 6

Expert Comment

by:Andy
Comment Utility
I would also say you'll need to restore hence my question regarding backups.
Did you delete the computer object in AD?

A couple of articles on restoring DC's:
http://www.vkernel.ro/blog/restoring-failed-active-directory-domain-controllers
https://technet.microsoft.com/en-us/library/cc535164.aspx
0
 
LVL 11

Author Closing Comment

by:un1x86
Comment Utility
MAS has greatly helped me on private chat.

We had to restore the old ads and recreate the new one as a backup.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

I'm sure that every Windows systems administrator has written, or at least used, a batch or VBS login script at some point in their career, whether it is to map network drives, install printers, or set some user preferences.  No more! With Window…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now