Gavin Robinson
DCDIAG Test Failures

I just started at a new organization & don't have a lot of information about their network. They've thrown me into it & basically said, "good luck." The first major problem I see is that I can't force gpupdate from a workstation because it can't find the Group Policy server.

Both DCs are virtual. DC01 can see the rest of the network; I can ping the other DC & workstations, firewall, etc. but nobody can reach DC01. I can't ping it, I can't replicate AD, nada. If I run netstat from the "working DC," I get Server DC02 IP Address 10.10.1.6/Server DC02 IP Address 10.10.1.5, though.

So, I run DCDIAG on DC01 & get failures for Advertising & SystemLog.

Advertising: Warning: DsGetDcName returned information for \\DC02 when we were trying to reach \\DC01. SERVER IS NOT RESPONDING or IS NOT SUITABLE.

SystemLog says "The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data."

I've tried running an authoritative & non-authoritative replication between the 2 of them. No dice. I've been beating my head against this thing for a couple of days now. Anybody got any ideas of where else to look?
John Gates, CISSP, CDPSE

Is DNS configured correctly with the proper zones and _MSDCS space?  Can you describe a bit more the structure here?  Do you have just two DCs?
Gavin Robinson

ASKER

Yeah, only 2 DCs & 1 FS. FS can currently be reached from either DC. DNS is configured on both DCs; currently DC01 is set to get DNS from DC02 first, then itself. I'm seeing an A & NS record for DC01 in Forward Lookup Zones. Same for DC02. DC01 is 2008, DC02 is 2012. Thanks!
Do you get a clean DCDIAG on DC02? Are you saying that domain member computers (or any computer) can ping DC02 but none can ping DC01? Can you check to make sure that the Windows firewall or a 3rd party firewall is disabled on DC01? From DC02 can you successfully browse to DC01 by doing a \\DC01\c$ or \\DC01\sysvol command?

Lots of possibilities here. If you can feel confident after the proper tests that DC02 is working properly, it might just be easiest to DCPROMO DC01 and add it back. But, you're not quite there yet...
I would start with a NETDIAG and see what that reveals. There is clearly a communication issue, given the errors you have posted thus far.
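The checks suggested in the replies above (DC locator records under _msdcs, ping and SMB reachability of DC01, the state of its host firewall, and a dcdiag run from the working DC) can be scripted so they are repeated consistently after every change. The following is an added example, not code posted by anyone in this thread; the domain name `contoso.local` and the host names `DC01`/`DC02` are placeholders to be replaced with the real ones, and it assumes an elevated PowerShell prompt on the working DC with `dcdiag.exe` and `nslookup.exe` available (both ship with the AD DS role).

```powershell
# Added example (not from the thread): triage of a DC that its peers cannot reach.
# Assumptions (placeholders): domain contoso.local, broken DC = DC01, working DC = DC02.
# Uses only cmdlets present in PowerShell 2.0 on Server 2008 R2 / 2012, plus dcdiag and nslookup.
param(
    [string]$Domain = 'contoso.local',   # placeholder
    [string]$Target = 'DC01',            # the DC nobody can reach
    [string]$Peer   = 'DC02'             # the DC that still works
)

# 1. Does the _msdcs namespace advertise the target DC at all?
#    Every DC should have an SRV record under _ldap._tcp.dc._msdcs.<domain>.
Write-Host "== SRV records used by the DC locator =="
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String | Write-Host

# 2. Forward resolution of the target: does the name map to the address you expect?
Write-Host "== Name resolution for $Target =="
try {
    [System.Net.Dns]::GetHostAddresses($Target) | ForEach-Object { Write-Host $_.IPAddressToString }
} catch { Write-Host "Resolution failed: $($_.Exception.Message)" }

# 3. Reachability: ICMP plus the ports AD clients actually use.
#    Ping OK but 389/445 closed points at the host firewall; nothing answering points
#    at the NIC, vSwitch or IP configuration of the guest.
function Test-Port {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}
Write-Host "== Reachability of $Target =="
$ping = Test-Connection -ComputerName $Target -Count 2 -Quiet -ErrorAction SilentlyContinue
Write-Host ("ICMP: {0}" -f $ping)
foreach ($p in 53, 88, 135, 389, 445, 3268) {
    Write-Host ("TCP {0,5}: {1}" -f $p, (Test-Port $Target $p))
}

# 4. State of the target's firewall service and its dependency (BFE), queried remotely.
#    This fails if RPC to the target is blocked, which is itself a useful data point.
Write-Host "== Firewall service state on $Target =="
try {
    Get-Service -ComputerName $Target -Name MpsSvc, BFE | Format-Table Name, Status -AutoSize
} catch { Write-Host "Could not query services: $($_.Exception.Message)" }

# 5. The peer's own view, limited to the dcdiag tests called out in the thread.
Write-Host "== dcdiag on $Peer =="
dcdiag /s:$Peer /test:Advertising /test:NetLogons /test:Replications /test:SysVolCheck 2>&1 |
    Out-String | Write-Host
```

Run it once as a baseline, then again after each change (firewall reset, update rollback, repair) so the effect of every step is visible rather than inferred. Steps 3 and 4 separate the two cases the thread is circling around: a guest whose network stack is not answering at all versus one that is reachable but whose firewall service is in a broken state.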
I cannot browse to DC01 from DC02 at all & yes, I can ping DC02 from other machines & not DC01. No firewall (weirdly, I can't even get the firewall service to start on DC01 but I *think* that's a challenge for another day). No AV currently installed. I turned MSE off & that didn't make any changes. OK, so this is interesting: ran DCDIAG on DC02 & it failed NetLogon (the account used for this test must have network logon privileges). I'm logged on as the domain admin. FRSEvent also failed (There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems. failed DFSREvent). Replication also failed.
The firewall service not starting could be part of the root cause of the problem. What errors are sent to the event logs when you try to start it?
It's never easy playing 20 questions for either party, right?! Well, when you do your DCDIAG on DC02 make sure you right click CMD and run as administrator even though you're logged on as a domain admin already. Try it again. See if you get same error. The replication errors aren't a huge deal as DC01 is currently FUBAR it seems.
Yeah, John's on to something with that.  Event log!
Event 7024, Service Control Manager: "The Windows Firewall service terminated with service-specific error The parameter is incorrect."

Yesterday, I made sure the firewall service was being started with the correct permissions. It was. Tried starting it as a different admin account. Same thing, so I switched it back to Local Service.
No ISA on either server.
Yes, set it to local service. This made no difference?
Also, do these systems have IPV6 enabled or disabled?
IPv6 is currently enabled. I'll try to reset the firewall in a minute. Currently, I'm figuring out how to work the phone system. Oh, the simple joys of new jobs.  Thank y'all so much for your help. I'll let you know when I have more information.
Tried to reset firewall settings & it doesn't even prompt me, "Are you sure?" Just keeps saying it's not set up the way Windows suggests. I am starting to lean toward that possibly being the root of my issue, though.
Is it allowing the reset?  This I agree seems like the proper next step.
Nope. Wouldn't reset itself; isn't turning on. I'm going to do some more research on it & take a look this weekend. I was able to configure the Sonicwall VPN & install it on the new work laptop today, so there's a small victory to hang my hat on.
Tried the instructions here: https://social.technet.microsoft.com/Forums/windows/en-US/5366225a-46e7-4d6c-a389-8bd18a5c3aad/windows-firewall-damaged-by-windows-7-antivirus-2012?forum=w7itprosecurity Didn't help.

Had a random thought, though. Looked at the last good replication, it's from 6/28. Go to Windows Update history. Sure enough, 2 updates were installed that day: KB3186497 & KB2310138. Rolled 'em back. Rebooted. That wasn't it, unfortunately.

Tried uninstalling MSE & the .Net 4.7 update through Add/Remove Programs. Repaired .Net 4.7 back to its original state from 2015. Still not it.

For the heck of it, I ran a Malwarebytes scan. Nothing. How about an AV scan since I haven't done that yet? Nope, nothing there.

Next idea, copy these keys from a working server & reboot:
HKLM\System\CurrentControlSet\Services\MpsDrv\ (mpsdrv.reg)
HKLM\System\CurrentControlSet\Services\MpsSvc\ (mpssvc.reg)
HKLM\System\CurrentControlSet\Services\SharedAccess\ (sharedaccess.reg)
Still getting the same errors.

OK. Crap on a stick. Let's try sfc /scannow. I'm going to let that run & take a break. I'll let you know what I find. Thanks for putting up with me using this post as a way to document what I've tried lol.
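Before importing whole service keys from another server, it is worth diffing the broken host's firewall service configuration against the reference host's and pulling the exact 7024 events, so that what actually differs (and whether the service-specific error code changes between attempts) is known. The following is an added example, not something posted in this thread; `DC01` (broken) and `DC02` (reference) are placeholders, it assumes an elevated prompt on the broken host, and the remote half of the comparison relies on the Remote Registry service running on the reference host because `reg.exe` reads a remote hive through it.

```powershell
# Added example (not from the thread): compare firewall service registry config and
# service identity between a broken DC and a working one, and pull the SCM 7024 events.
# Assumptions (placeholders): DC01 = broken host (run here, elevated), DC02 = reference host
# with the Remote Registry service running.
param([string]$Broken = 'DC01', [string]$Reference = 'DC02')

# The keys the firewall service depends on: MpsSvc (service), MpsDrv (filter driver),
# BFE (Base Filtering Engine, a hard dependency) and SharedAccess (legacy firewall/ICS config).
$keys = 'HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc',
        'HKLM\SYSTEM\CurrentControlSet\Services\MpsDrv',
        'HKLM\SYSTEM\CurrentControlSet\Services\BFE',
        'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess'

foreach ($k in $keys) {
    Write-Host "== $k =="
    # reg.exe accepts \\host\HKLM\... for a remote hive; /s walks subkeys recursively.
    $local  = reg query $k /s 2>&1 | ForEach-Object { "$_".Trim() } | Where-Object { $_ }
    $remote = reg query "\\$Reference\$k" /s 2>&1 | ForEach-Object { "$_".Trim() } | Where-Object { $_ }
    # Strip the host-specific prefix from remote output so paths compare equal.
    $remote = $remote | ForEach-Object { $_ -replace "^\\\\$Reference\\", '' }
    $diff = Compare-Object -ReferenceObject $remote -DifferenceObject $local
    if ($diff) {
        # '=>' lines exist only on the broken host, '<=' only on the reference host.
        $diff | Format-Table SideIndicator, InputObject -AutoSize -Wrap
    } else {
        Write-Host 'identical'
    }
}

# Service identity and start mode: the thread tried LocalService versus another account,
# and the SDDL shows whether that account is even allowed to start/stop the service.
Write-Host "== MpsSvc account, start mode and SDDL on $Broken =="
Get-WmiObject Win32_Service -Filter "Name='MpsSvc' OR Name='BFE'" |
    Select-Object Name, StartName, StartMode, State | Format-Table -AutoSize
sc.exe sdshow MpsSvc

# Event 7024 is what the Service Control Manager logs when a service exits with a
# service-specific error; keep the last few so the code can be compared across attempts.
Write-Host '== Recent 7024 events for the firewall service =='
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7024 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Firewall' } |
    Format-List TimeCreated, Message
```

The point of the diff is to see which values differ before overwriting anything: a missing BFE dependency, a changed `ObjectName` (logon account), or a stripped security descriptor is a much smaller and more reversible fix than replacing entire keys, and if the keys are already identical the problem is in files the registry points at rather than in the registry itself.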
ASKER CERTIFIED SOLUTION
John Gates, CISSP, CDPSE

This solution is only available to members.
SFC didn't do anything. Reinstalled MSE & it even told me that it couldn't start the firewall when it installed. Downloaded a Server 2008 R2 iso. Let's give the repair a shot... tomorrow morning.
At this point I'm tempted to just recommend promoting a new DC and then attempting a demotion (most likely you'll have to end up doing a forced removal procedure from AD) rather than beating your head against the wall trying to repair whatever is corrupted on DC01. Odds are that a normal demotion would fail on this machine anyway. Do you have a spare server hanging around to use for that? If you have any experience with Hyper-V or VMware, this is a perfect opportunity to create a new virtualized DC. Whichever way you go, I'm still happy to try and help you through your problem. Good luck. I foresee NTDSUTIL usage in your near future...
The repair fixed the problem. Aggravating, to say the least.
Thanks for the help. I really appreciate it.
Glad you got it sorted :-)