Receiving 2108's and 1084's on DC...

    Question

  • Hi-

    We just noticed these errors on our Main - Primary AD-GC/DC machine. I think they have been reporting for some time - at least the last two days.

    We do not have low disk space.

    We have no errors on our drives - chkdsk ran.

    Our roles are still seized by the same Primary DC.

    Issues w/ DNS - restarted DNS and FRS.

    However - we did perform a failover test a few weeks ago.

    We shut down "this" Primary DC in order to test if other DCs would take over.

    Also - this DC seized roles of another DC that might have had a corrupted DB - could the old DC replicate corrupted DB entries/items?

    Here are the details... trying to follow steps and go through now...

    ###############################################

    Event Type:    Error
    Event Source:    NTDS Replication
    Event Category:    Replication
    Event ID:    1084
    Date:        4/10/2012
    Time:        10:09:30 AM
    User:        NT AUTHORITY\ANONYMOUS LOGON
    Computer:    MDNFILE
    Description:
    Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller.
     
    Object:
    DC=Domain,DC=local
    Object GUID:
    35b883e2-ab72-463d-9432-f9c2c21fa04e
    Source domain controller:
    f241211b-d558-4227-9f7c-68e299c2310b._msdcs.domain.local
     
    Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected.
     
    This operation will be tried again at the next scheduled replication.
     
    User Action
    Restart the local domain controller if this condition appears to be related to low system resources (for example, low physical or virtual memory).
     
    Additional Data
    Error value:
    1127 While accessing the hard disk, a disk operation failed even after retries.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ################################################################

    Event Type:    Error
    Event Source:    NTDS Replication
    Event Category:    Replication
    Event ID:    2108
    Date:        4/10/2012
    Time:        10:19:12 AM
    User:        NT AUTHORITY\ANONYMOUS LOGON
    Computer:    MDNFILE
    Description:
    This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.
     
    Object:
    DC=Domain,DC=local
    Object GUID:
    35b883e2-ab72-463d-9432-f9c2c21fa04e
    Source domain controller:
    46e22a82-7b27-412c-adad-63270d89bc54._msdcs.domain.local

    User Action
     
     Please consult KB article 837932, http://support.microsoft.com/?id=837932. A subset of its repair procedures are listed here.
     1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
     2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343, http://support.microsoft.com/?id=251343.
     3. The problem may be related to the object's parent on this domain controller. On the source domain controller, move the object to have a different parent.
     4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface.   If the error is occurring in an application partition, you can stop the application partition from being hosted on this replica. This may be changed using the ntdsutil.exe command.
     5. Obtain the most recent ntdsutil.exe by installing the latest service pack for your operating system. Prior to booting into Directory Services Restore Mode (DSRM), verify that the DSRM password is known. Otherwise reset it prior to restarting the system.
     6. In DSRM, run the NT CMD prompt, run "ntdsutil files integrity". If corruption is found and other replicas exist, then demote replica and check your hardware. If no replicas are present, restore a system state backup and repeat this verification.
     7. Perform an offline defragmentation using the "ntdsutil files compact" function.
     8. The "ntdsutil semantic database analysis" should also be performed. If errors are found, they may be corrected using the "go fixup" function.  Note that this should not be confused with the database maintenance function called "ESE repair", which should not be used, since it causes data loss for Active Directory Databases.
     
     If none of these actions succeed and the replication error continues, you should demote this domain controller and promote it again.
     
    Additional Data
    Primary Error value:
    1127 While accessing the hard disk, a disk operation failed even after retries.
    Secondary Error value:
    -510 JET_errLogWriteFail, Failure writing to log file

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ##############################################################

    Event Type:    Information
    Event Source:    NtFrs
    Event Category:    None
    Event ID:    13516
    Date:        4/10/2012
    Time:        9:54:55 AM
    User:        N/A
    Computer:    MDNFILE
    Description:
    The File Replication Service is no longer preventing the computer MDNFILE from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
     
    Type "net share" to check for the SYSVOL share.

    ###############################################

    Ran repadmin - this appears to be Ok...

    C:\>repadmin /showrepl

    repadmin running command /showrepl against server localhost

    Default-First-Site\MDNFILE
    DC Options: IS_GC
    Site Options: (none)
    DC object GUID: 99873373-3555-4dbb-922f-deda571b71a8
    DC invocationID: 8377a19c-2a1b-45fe-a8e3-1eeae7de71fe

    ==== INBOUND NEIGHBORS ======================================

    DC=domain,DC=local
        Default-First-Site\AUXMIL1 via RPC
            DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
            Last attempt @ 2012-04-05 18:26:18 was successful.
        Default-First-Site\CDRDC via RPC
            DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
            Last attempt @ 2012-04-05 18:26:18 was successful.
        Default-First-Site\MDNDC via RPC
            DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
            Last attempt @ 2012-04-05 18:26:21 was successful.

    CN=Configuration,DC=domain,DC=local
        Default-First-Site\AUXMIL1 via RPC
            DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
            Last attempt @ 2012-04-05 17:50:05 was successful.
        Default-First-Site\CDRDC via RPC
            DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
            Last attempt @ 2012-04-05 17:50:05 was successful.
        Default-First-Site\MDNDC via RPC
            DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
            Last attempt @ 2012-04-05 18:20:05 was successful.

    CN=Schema,CN=Configuration,DC=domain,DC=local
        Default-First-Site\CDRDC via RPC
            DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
            Last attempt @ 2012-04-05 17:50:05 was successful.
        Default-First-Site\AUXMIL1 via RPC
            DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
            Last attempt @ 2012-04-05 17:50:05 was successful.
        Default-First-Site\MDNDC via RPC
            DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
            Last attempt @ 2012-04-05 18:20:05 was successful.

    DC=DomainDnsZones,DC=domain,DC=local
        Default-First-Site\CDRDC via RPC
            DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
            Last attempt @ 2012-04-05 17:50:06 was successful.
        Default-First-Site\AUXMIL1 via RPC
            DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
            Last attempt @ 2012-04-05 17:50:06 was successful.
        Default-First-Site\MDNDC via RPC
            DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
            Last attempt @ 2012-04-05 18:20:05 was successful.

    DC=ForestDnsZones,DC=domain,DC=local
        Default-First-Site\CDRDC via RPC
            DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
            Last attempt @ 2012-04-05 17:50:06 was successful.
        Default-First-Site\AUXMIL1 via RPC
            DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
            Last attempt @ 2012-04-05 17:50:06 was successful.
        Default-First-Site\MDNDC via RPC
            DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
            Last attempt @ 2012-04-05 18:20:05 was successful.

    ###################################################

    DCDiag /q - shows lots of these errors...

     An Error Event occured.  EventID: 0xC000043C
        Time Generated: 04/10/2012   10:40:21
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0xC025083C
        Time Generated: 04/10/2012   10:40:21
        (Event String could not be retrieved)
     ......................... MDNFILE failed test kccevent

    ##################################

    Netdiag /q - passed all tests - except this one:

    Global results:
        [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

    #################################################

    Any other ideas as to find out what could be wrong?

    Thanks for any help.

    -P

    Tuesday, April 10, 2012 3:46 PM
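A small Python check, added here and not part of the thread, that cross-references the 2108 event with the repadmin /showrepl output quoted above: it resolves the event's source-DC GUID (the event gives only the GUID) to the neighbor name repadmin shows, and flags inbound neighbors whose last attempt failed or is older than a day relative to the event time. The input is a constructed sample trimmed from the event and repadmin text in the question.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, trimmed from the 2108 event and the repadmin
# /showrepl output quoted in the question (only the lines this script reads).
EVENTS = """Event ID:    2108
Source domain controller:
46e22a82-7b27-412c-adad-63270d89bc54._msdcs.domain.local
Primary Error value:
1127 While accessing the hard disk, a disk operation failed even after retries.
Secondary Error value:
-510 JET_errLogWriteFail, Failure writing to log file
"""
SHOWREPL = """DC=domain,DC=local
    Default-First-Site\\AUXMIL1 via RPC
        DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
        Last attempt @ 2012-04-05 18:26:18 was successful.
    Default-First-Site\\MDNDC via RPC
        DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
        Last attempt @ 2012-04-05 18:26:21 was successful.
"""
EVENT_TIME = datetime(2012, 4, 10, 10, 19, 12)  # logged time of the 2108 event
GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"

def parse_events(text):
    """Pull event id, source DC GUID and the numeric error values out of each event block."""
    blocks = [b for b in re.split(r"(?=Event ID:)", text) if b.startswith("Event ID:")]
    return [{
        "id": int(re.search(r"Event ID:\s*(\d+)", b).group(1)),
        "source_guid": re.search(r"Source domain controller:\s*(%s)" % GUID, b).group(1),
        "errors": [int(e) for e in re.findall(r"Error value:\s*(-?\d+)", b)],
    } for b in blocks]

def parse_showrepl(text):
    """Group repadmin /showrepl inbound neighbors by naming context."""
    partitions, nbrs = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("DC=", "CN=")):            # naming-context header
            nbrs = partitions.setdefault(s, [])
        elif nbrs is not None and " via " in s:     # "Site\DC via RPC" neighbor line
            nbrs.append({"name": s.split(" via ")[0].split("\\")[-1]})
        elif nbrs and s.startswith("DC object GUID:"):
            nbrs[-1]["guid"] = s.split(":", 1)[1].strip()
        elif nbrs and s.startswith("Last attempt @"):  # "... @ <date> <time> was ..."
            nbrs[-1]["last_attempt"] = datetime.strptime(" ".join(s.split()[3:5]), "%Y-%m-%d %H:%M:%S")
            nbrs[-1]["ok"] = s.endswith("was successful.")
    return partitions

# The events name the source DC only by GUID; repadmin maps the GUID back to a DC name.
def name_event_sources(events, partitions):
    by_guid = {n.get("guid"): n["name"] for ns in partitions.values() for n in ns}
    return {e["id"]: by_guid.get(e["source_guid"], "unknown") for e in events}

# "was successful" only means something if it is recent: flag failed or old attempts.
def stale_neighbors(partitions, reference, max_age=timedelta(days=1)):
    return sorted({n["name"] for ns in partitions.values() for n in ns
                   if not n.get("ok") or reference - n["last_attempt"] > max_age})
```

Feed it the full `repadmin /showrepl` text and all 1084/2108 events from the Directory Service log to see which partner each failing update came from and whether any "successful" line is stale.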

Answers

All replies

  • DCDIAG and replication look fine; I think the issue is with the AD database, you need to verify the database integrity.

    Read the below thread :
    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/62394928-2c05-4589-aea4-dae472948005
    http://social.technet.microsoft.com/Forums/en-AU/winserverDS/thread/de741ce2-1449-42b5-9a8b-c111f0b0ec00
    Basically ntdsutil "sem d a" "go f" and an offline defrag of the AD db did the trick.

    If offline defrag fails you need to repair the AD database. However, before you proceed take a backup of the server. If repair fails then demote/promote is the last option.

    To repair AD database
    C:\windows\system32>esentutl /P "database path"

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Marked as answer by Pickle Tuesday, April 10, 2012 7:49 PM
    Tuesday, April 10, 2012 4:04 PM
  • Hello,

    I would agree with Sandesh.

    How to complete a semantic database analysis for the Active Directory database by using Ntdsutil.exe: http://support.microsoft.com/kb/315136

    If you still have at least a healthy DC with GC then you can proceed like that:

    • Re-install the faulty DC
    • Seize FSMO roles on another DC: http://support.microsoft.com/kb/255504
    • Perform a metadata cleanup: http://technet.microsoft.com/en-us/library/cc736378%28v=ws.10%29.aspx
    • Promote the re-installed server again and make it a DC / DNS / GC server. Once done, transfer the FSMO roles back to it

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • Edited by Mr XMVP Tuesday, April 10, 2012 4:22 PM
    Tuesday, April 10, 2012 4:19 PM
  • Hello,

    Please see http://support.microsoft.com/kb/837932 on how to handle this.

    Also see previous discussion http://social.technet.microsoft.com/Forums/en/winserverDS/thread/62394928-2c05-4589-aea4-dae472948005


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, April 10, 2012 4:20 PM
  • Hi Sandesh, Mr X & Meinolf-

    Thanks for quick reply.

    This machine is a file/print server as well.

    Do you think the AD - DC/GC DB is the issue on this server only?

    Or - affects all the other AD - DC(member) servers DB's as well?

    We do not want to reboot this server into restore mode.

    We'd rather promote another DC - seize roles from this machine and fix the DB on a server that is "only" a DC - not a file/print server.

    Hope this makes sense. What do you think?

    Thx.

    -P

    Tuesday, April 10, 2012 4:48 PM
  • Hello,

    It may occur, if that is the only DC, that promotion of a new one fails, as it must connect to the database to replicate. If you have another DC/DNS server, use ONLY that one as the preferred DNS server on the NIC of the server that should be promoted to DC as well.

    Do NOT seize FSMO roles unless the server has crashed completely. Transfer them to another DC, and if that is not possible demote the problem DC with /forceremoval, NOW seize FSMO roles on another DC, run metadata cleanup, and after all this is replicated to all other DCs you can promote it again.

    So move the file/print server role to another domain member server with FSMT http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=10268 and migrate printers with http://technet.microsoft.com/en-us/library/cc722360.aspx or http://technet.microsoft.com/en-us/library/cc722360.aspx

    File/Print services should NOT run on a DC for performance reasons and also you are now limited with immediate reactions. A DC should be used for AD/DNS/GC and that's it. Other server roles have to run on domain MEMBER servers instead.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, April 10, 2012 5:13 PM
  • Hi Meinolf-

    Thanks for the quick details.

    Yes - we may have an issue w/ DNS if we demote or promote another DC.

    Although we have a backup DNS server - another DC(DNS/DHCP) that is a GC and all workstations/clients have it listed as the secondary DNS server.

    Ok - I understand this part:

    "Do NOT seize FSMO roles unless the server has crashed completely. Transfer them to another DC, and if that is not possible demote the problem DC with /forceremoval, NOW seize FSMO roles on another DC, run metadata cleanup, and after all this is replicated to all other DCs you can promote it again."

    We do "not" want to move the File/Print server data or printers but understand the "role" can be changed.

    Can any of these steps be executed in a live environment?

    We do "not" want to affect the users - if possible.

    Can we perform the FSMT during production?

    We want to transfer the roles to another DC that is a GC already in our site.

    Yes - we understand that a file/print server should not have AD/DC installed on it - makes sense.

    -P

    Tuesday, April 10, 2012 5:34 PM
  • Hello,

    Either you would like to fix the DC or keep an up-and-running file/print machine? So move the file/print with the required downtimes and then fix the DC. FSMT and also print migration require some downtime during the copy process, so do it at COB or on weekends. If possible, test it in a lab beforehand to get familiar with the steps.

    Transferring FSMO roles is no problem and without user effect or reboot.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, April 10, 2012 5:41 PM
  • Hi Meinolf-

    We'd like to keep the file/print server up and running - change it to a member server only.

    And transfer roles to another DC/GC - that is running "only" AD - Directory Services.

    Ok - if roles do "not" transfer - we have to fix the Primary DC/GC(file/print server).

    Schedule maintenance & boot into Restore mode.

    And if so - can we run FSMT - transfer print services at this time? ( While we are fixing DB)

    Thx.

    -P

    Tuesday, April 10, 2012 5:57 PM
  • Hello,

    Do maintenance tasks one by one and never together. Even if this may take more time, you are safer and do not have to fix multiple problems that may occur; stick to one.

    Keep in mind that administration has to be done without hurry, even if the boss is on your back; if it fails you have more trouble than if you take some more time to do it correctly and keep the system alive.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, April 10, 2012 6:03 PM
  • Hello,

    Transferring FSMO roles is the easiest step you can do and you see the result immediately, http://support.microsoft.com/kb/324801 so I would start with that one, then migrate the printers and then the files. But it depends on you how you handle it, just make sure to control each step.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Pickle Tuesday, April 10, 2012 7:50 PM
    Tuesday, April 10, 2012 6:29 PM
  • Ok - we tried transferring the Schema Master role and it failed - Could not assign the new DC operations master.

    Can we try to assign the other AD-DC/GC roles....?

    Or do we need to go into Restore mode now and run ntdsutil and try to fix the DB next?

    Tuesday, April 10, 2012 9:14 PM
  • Hello,

    Of course you can use another DC when trying to transfer the FSMO roles.

    To check the AD database the FSMO roles are not a problem. Even the domain will work without the FSMO roles for some time.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, April 10, 2012 9:37 PM
  • Thanks - we are going to go into restore mode now. Could not transfer even from another DC...
    Tuesday, April 10, 2012 9:43 PM