Raise Domain Functional Level - The domain functional level cannot be raised because the PDC could not be contacted.

    Question

  • Hi,

    I want to install Lync for SharePoint and, in the prerequisites, I have to raise the domain functional level to Windows Server 2003 in my AD.

    Here is what I have :

    One Small Business Server, a Windows 2003 server that is acting as the AD for the entire company.

    When I want to raise, in the window I have this:

    A Google search suggested that I use ntdsutil. I used the tool on the server and seized everything. I still have the same phenomenon. Then I tried to transfer everything, same result.

    I'm not very familiar with AD, I'm certainly missing some logs, debug tools... That's the reason why I ask this in that forum :)

    Regards,


    Friday, April 27, 2012 1:22 PM

Answers

All replies

  • It seems that there is a replication issue between DCs if the PDC cannot be contacted. Since you mentioned that there is an SBS server, is the FSMO role present on the SBS server? It is a limitation of SBS that if an SBS server exists in the network, the FSMO role holder should be the SBS server only.

    Have you verified the replication between DCs? Run dcdiag /q and repadmin /replsum to check the health of the DC. Also, most of the time replication issues are due to DNS misconfiguration or the necessary ports not being open for AD replication.

    Ensure the following on the DC:
    1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
    2. Each DC has just one IP address and a single network adapter is enabled.
    3. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC.
    4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", restart the DNS and NETLOGON services on each DC.
    Do not put private DNS IP addresses in the forwarder list.
    5. Assigning static IP address to DC if IP address is assigned by DHCP server to DC. It is strongly not recommended.


    Active Directory Firewall Ports - http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, April 27, 2012 1:40 PM
  • Since there is SBS and there are certain limitations, you can raise the query in the forum below if the above is not helpful.

    The SBS forum you'll find here http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/threads

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, April 27, 2012 1:41 PM
  • Hi,

    Thank you for your answer :-)

    Just before I check what you provided to me, I don't understand why we are speaking about replication here.
    I have only one physical server with one OS (SBS) and the AD service running on the machine.
    A replication for me means there is one source that wants to copy a copy of itself to another content... right?

    Friday, April 27, 2012 1:52 PM
  • Hello,

    Your question is not clear!!

    Do you have 1x SBS 2003 DC with 1x Win2k3 DC or what?

    You wrote, you seize everything. Did you seize FSMO roles from SBS 2003 DC to Win2k3 DC or transfer?

    Regards

    Friday, April 27, 2012 1:55 PM
  • Hi,

    Thank you for your answer :-)

    Just before I check what you provided to me, I don't understand why we are speaking about replication here.
    I have only one physical server with one OS (SBS) and the AD service running on the machine.
    A replication for me means there is one source that wants to copy a copy of itself to another content... right?

    Please give us some more input; as Patris said, your question is confusing. You told us you have already seized the FSMO roles, and in the next line you said you have transferred the roles?

    Please explain this in detail

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, April 27, 2012 2:00 PM
  • I'm sorry for the confusion.

    I have 1x SBS 2003 DC that's all, nothing else (this server was not configured by our company).

    In my Google searches, I found articles that explained how to use ntdsutil to make a server the PDC.

    I used the tool locally on the SBS server, connected to itself, then tried the command seize PDC with success. This didn't solve my issue. Then I tried to seize everything (when you type ? in the tool you have the list of what you can seize (pid, ...)). This didn't solve my issue either. So I tried with the same tool to transfer everything (same as seize) with success, but that didn't solve the primary issue.

    Friday, April 27, 2012 2:14 PM
  • Hello Gregory,

    I understand that you only have one domain controller in the domain, which is the SBS 2003 server; correct me if I'm wrong.

    Now you need to verify that the FSMO roles are intact and the DC is functional. Run these commands to ensure this.

    netdom query fsmo  (this cmd lists all the fsmo roles)

    dcdiag /q (let us know the errors you get here)

    This could also be related to a DNS failure. Make sure the DC is pointing to the correct DNS server under the NIC's TCP/IP settings. Also run netdiag and dcdiag /test:dns to diagnose network-related errors. Note that you need Windows Support Tools installed on the DC to run these commands. Find the tool here - http://www.microsoft.com/en-us/download/details.aspx?id=15326

    Let me know what you find out!


     Sachin Gadhave (MCP, MCTS)


    Friday, April 27, 2012 2:17 PM
  • Hello,

    When you have just 1x domain controller, this domain controller is owner for all fsmo roles. 

    Please check event viewer and write here errors.

    Regards

    Friday, April 27, 2012 2:23 PM
  • Hello Sachin,

    Yes you are correct :-)

    Here is the result of the netdom command :

    C:\Documents and Settings\Administrator>netdom query FSMO
    Schema owner                sbsserver.MYCOMPANY.local
    Domain role owner           sbsserver.MYCOMPANY.local
    PDC role                    sbsserver.MYCOMPANY.local
    RID pool manager            sbsserver.MYCOMPANY.local
    Infrastructure owner        sbsserver.MYCOMPANY.local

    Here is the result of the command dcdiag /q

    C:\Documents and Settings\Administrator>dcdiag /q
                IsmServ Service is stopped on [SBSSERVER]
             ......................... SBSSERVER failed test Services
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 04/27/2012   15:54:10
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x00000457
                Time Generated: 04/27/2012   15:55:02
                (Event String could not be retrieved)
             ......................... SBSSERVER failed test systemlog
             Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
             A Primary Domain Controller could not be located.
             The server holding the PDC role is down.
             ......................... MYCOMPANY.local failed test FsmoCheck

    The server DNS in the properties of the network card is its local IP (the SBS Server is also the DNS server).

    The result of the dcdiag /test:dns :

    C:\Documents and Settings\Administrator>dcdiag /test:dns

    Domain Controller Diagnosis

    Performing initial setup:
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\SBSSERVER
          Starting test: Connectivity
             ......................... SBSSERVER passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\SBSSERVER

    DNS Tests are running and not hung. Please wait a few minutes...

       Running partition tests on : ForestDnsZones

       Running partition tests on : DomainDnsZones

       Running partition tests on : Schema

       Running partition tests on : Configuration

       Running partition tests on : MYCOMPANY

       Running enterprise tests on : MYCOMPANY.local
          Starting test: DNS
             Test results for domain controllers:

                DC: sbsserver.MYCOMPANY.local
                Domain: MYCOMPANY.local


                   TEST: Basic (Basc)
                      Warning: adapter [00000001] HP NC373i Multifunction Gigabit Se
    rver Adapter has invalid DNS server: 195.238.2.21 (<name unavailable>) (note this is the secondary dns entry in the network properties)

                   TEST: Forwarders/Root hints (Forw)
                      Error: Forwarders list has invalid forwarder: 195.238.2.21 (<n
    ame unavailable>)

                   TEST: Records registration (RReg)
                      Network Adapter [00000001] HP NC373i Multifunction Gigabit Ser
    ver Adapter:
                         Error: Missing PDC SRV record at DNS server 10.136.105.10 :

                         _ldap._tcp.pdc._msdcs.MYCOMPANY.local

                         Error: Missing A record at DNS server 195.238.2.21 :
                         sbsserver.MYCOMPANY.local

                         Error: Missing CNAME record at DNS server 195.238.2.21 :
                         37a52bba-0ca3-4f47-989d-353d692dac92._msdcs.MYCOMPANY.local


                         Error: Missing DC SRV record at DNS server 195.238.2.21 :
                         _ldap._tcp.dc._msdcs.MYCOMPANY.local

                         Error: Missing GC SRV record at DNS server 195.238.2.21 :
                         _ldap._tcp.gc._msdcs.MYCOMPANY.local

                         Error: Missing PDC SRV record at DNS server 195.238.2.21 :
                         _ldap._tcp.pdc._msdcs.MYCOMPANY.local

                   Error: Record registrations cannot be found for all the network a
    dapters

             Summary of test results for DNS servers used by the above domain contro
    llers:

                DNS server: 195.238.2.21 (<name unavailable>)
                   2 test failures on this DNS server
                   Name resolution is not functional. _ldap._tcp.MYCOMPANY.local. fa
    iled on the DNS server 195.238.2.21

             Summary of DNS test results:

                                                Auth Basc Forw Del  Dyn  RReg Ext
                   ________________________________________________________________
                Domain: MYCOMPANY.local
                   sbsserver                    PASS WARN PASS PASS PASS FAIL n/a

             ......................... MYCOMPANY.local failed test DNS

    ---------------

    It seems this issue might be relevant ?

    Error: Missing PDC SRV record at DNS server 10.136.105.10 :

                         _ldap._tcp.pdc._msdcs.MYCOMPANY.local

    Friday, April 27, 2012 2:52 PM
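The dcdiag /test:dns output in the post above mixes errors reported for two different DNS servers. As an added example (not part of the original thread), this Python code groups the "Missing ... record" errors by server, so that the ones on the DC's own DNS service stand apart from those reported for the external resolver listed on the network card. The function names are hypothetical, the embedded excerpt is constructed from the posted output, and the DC's own address (10.136.105.10) is passed in as an assumption.

```python
import re
from collections import defaultdict

# Constructed excerpt of the RReg section of the dcdiag output posted above.
SAMPLE = """
               TEST: Records registration (RReg)
                     Error: Missing PDC SRV record at DNS server 10.136.105.10 :

                     _ldap._tcp.pdc._msdcs.MYCOMPANY.local

                     Error: Missing A record at DNS server 195.238.2.21 :
                     sbsserver.MYCOMPANY.local

                     Error: Missing CNAME record at DNS server 195.238.2.21 :
                     37a52bba-0ca3-4f47-989d-353d692dac92._msdcs.MYCOMPANY.local

                     Error: Missing DC SRV record at DNS server 195.238.2.21 :
                     _ldap._tcp.dc._msdcs.MYCOMPANY.local

                     Error: Missing GC SRV record at DNS server 195.238.2.21 :
                     _ldap._tcp.gc._msdcs.MYCOMPANY.local

                     Error: Missing PDC SRV record at DNS server 195.238.2.21 :
                     _ldap._tcp.pdc._msdcs.MYCOMPANY.local

               Error: Record registrations cannot be found for all the network adapters
"""

MISSING = re.compile(
    r"Error: Missing (?P<kind>.+?) record at DNS server (?P<server>[\d.]+)\s*:"
)


def parse_missing(text):
    """Return [(server, kind, name)] for every 'Missing ... record' error.

    dcdiag prints the record name on the next non-blank line after the error,
    so the parser remembers the pending error until that line arrives.
    """
    found, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = MISSING.search(line)
        if match:
            pending = (match.group("server"), match.group("kind"))
        elif pending and line:
            found.append((pending[0], pending[1], line))
            pending = None
    return found


def triage(text, dc_addresses):
    """Split errors into those on the DC's own DNS service and all others."""
    own, foreign = [], defaultdict(list)
    for server, kind, name in parse_missing(text):
        if server in dc_addresses:
            own.append((kind, name))
        else:
            foreign[server].append((kind, name))
    return own, dict(foreign)


if __name__ == "__main__":
    own, foreign = triage(SAMPLE, {"10.136.105.10"})
    print("Missing on the DC's own DNS service:")
    for kind, name in own:
        print(f"  {kind}: {name}")
    for server, items in foreign.items():
        print(f"Reported for {server}: {len(items)} records")
```

On the posted output this leaves a single record against the DC's own DNS service, the PDC SRV record, which is also the only error still present in the later dcdiag run after the external resolver was removed from the DNS client.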
  • Hello,

    Please, run IPCONFIG /ALL command on DC and post here unedited result.

    Regards

    Friday, April 27, 2012 2:57 PM
  • Hello

    Sorry, I just edited the name of the AD because it is my company's name; the rest is as is:

    C:\Documents and Settings\Administrator>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : sbsserver
       Primary Dns Suffix  . . . . . . . : MYCOMPANY.local
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : Yes
       DNS Suffix Search List. . . . . . : MYCOMPANY.local

    Ethernet adapter Server Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Ad
    apter
       Physical Address. . . . . . . . . : 00-18-71-E6-6A-8E
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.136.105.10
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.136.105.1
       DNS Servers . . . . . . . . . . . : 10.136.105.10
                                           195.238.2.21
       Primary WINS Server . . . . . . . : 10.136.105.10

    Friday, April 27, 2012 3:01 PM
  • Hello,

    1- Delete 195.238.2.21 from DNS client.

    2- Set 195.238.2.21 on DNS Forwarders tab.

    3- After setting, run these commands on the DC:

    ipconfig /flushdns
    ipconfig /registerdns
    net stop netlogon
    net start netlogon

    4- Now test again.

    Regards

    Friday, April 27, 2012 3:23 PM
  • The account you are using to raise the functional level needs to be a member of either the Domain Admins or Enterprise Admins group. I hope there are no other DC records left in AD from a DC which crashed but whose metadata cleanup was not performed. Just look for this information in DNS (especially under all the folders in _msdcs), objects in ADSS, etc.

    http://technet.microsoft.com/en-us/library/cc527545%28v=ws.10%29.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, April 27, 2012 3:46 PM
    Moderator
  • Yes that is the problem.

    Perform these steps from command prompt-

    • Net stop DNS
    • Net stop netlogon
    • Rename the netlogon.dns and netlogon.dnb files under %systemroot%\system32\config folder.
    • ipconfig /flushdns
    • ipconfig /registerdns
    • net start dns
    • net start netlogon

    Also remove the second DNS server (195.238.2.21) from the NIC IPv4 settings temporarily; your DC may not have rights to register with that DNS zone.

    Let me know if this resolves your issue!


     Sachin Gadhave (MCP, MCTS)




    Friday, April 27, 2012 7:02 PM
  • Hello,

    Make sure the account used is a member of Domain/Enterprise Admins to raise the level. As this is about SBS systems, the mentioned SBS forum is the BEST place to ask, as SBS has too many different settings and wizards that are not included in the regular OS versions.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Saturday, April 28, 2012 8:39 AM
  • The error message you received in dcdiag is due to DNS misconfiguration. Remove the public IP address from DNS and add it to the DNS forwarders, restart the netlogon and DNS services, and also run ipconfig /flushdns and ipconfig /registerdns. You are also getting "The server holding the PDC role is down"; this could also be if the authoritative time service is not configured correctly.

    Configure an authoritative time server; below is the KB article for the same.
    http://support.microsoft.com/kb/816042

    Make sure that the parameters below are set correctly on the PDC server.
    1. Change the server type to NTP
    2. Set AnnounceFlags to 5
    3. Enable NTPServer
    4. Specify the time sources, e.g. time.windows.com,0x1 or another time source as per requirement.
    5. Configure other parameters as well.

    Restart the Windows Time service. Run the w32tm /resync /rediscover command. Check the system log; you will get event IDs 35 and 37 related to time sync.
    To configure an NTP client: http://www.ehow.com/how_5981545_configure-windows-ntp-client.html

    Please also make sure that UDP port 123 in the direction of the chosen NTP server is not blocked.

    For other domain computers / servers, make sure that they are using NT5DS for time sync. More here: http://support.microsoft.com/kb/223184

    If the above is still not helpful, as mentioned previously SBS has its own limitations; you can raise the query in the SBS forum for better assistance.
    SBS forum: http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/threads

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, April 28, 2012 10:34 AM
  • Hi everyone,

    Thanks for your answers.

    Until now I followed the steps provided by Patris.
    I think I'm close now but I still have an error running dcdiag dns :

    C:\Documents and Settings\Administrator>dcdiag /test:dns

    Domain Controller Diagnosis

    Performing initial setup:
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\SBSSERVER
          Starting test: Connectivity
             ......................... SBSSERVER passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\SBSSERVER

    DNS Tests are running and not hung. Please wait a few minutes...

       Running partition tests on : ForestDnsZones

       Running partition tests on : DomainDnsZones

       Running partition tests on : Schema

       Running partition tests on : Configuration

       Running partition tests on : MYCOMPANY

       Running enterprise tests on : MYCOMPANY.local
          Starting test: DNS
             Test results for domain controllers:

                DC: sbsserver.MYCOMPANY.local
                Domain: MYCOMPANY.local


                   TEST: Records registration (RReg)
                      Network Adapter [00000001] HP NC373i Multifunction Gigabit Ser
    ver Adapter:
                         Error: Missing PDC SRV record at DNS server 10.136.105.10 :

                         _ldap._tcp.pdc._msdcs.MYCOMPANY.local

                   Error: Record registrations cannot be found for all the network a
    dapters

             Summary of DNS test results:

                                                Auth Basc Forw Del  Dyn  RReg Ext
                   ________________________________________________________________
                Domain: IURISLINK.local
                   sbsserver                    PASS PASS PASS PASS PASS FAIL n/a

             ......................... MYCOMPANY.local failed test DNS

    @Sachin,

    What do you mean by edit the netlogon.dns and netlogon.dnb files ? The .dns is plaintext the other is binary text  mixed.
    I'm not very familiar with dns syntax.

    Thanks in advance :)

    Monday, April 30, 2012 9:18 AM
  • TEST: Records registration (RReg)
                      Network Adapter [00000001] HP NC373i Multifunction Gigabit Ser
    ver Adapter:
                         Error: Missing PDC SRV record at DNS server 10.136.105.10 :

                         _ldap._tcp.pdc._msdcs.MYCOMPANY.local

                   Error: Record registrations cannot be found for all the network a
    dapters

    Seems SRV Record of PDC has not been registered in DNS.

    Can you please stop the netlogon service and restart it back and check on your PDC?

    Refer - http://technet.microsoft.com/de-de/library/cc776854(v=ws.10).aspx

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Monday, April 30, 2012 9:25 AM
  • By default, the Net Logon service registers certain SRV, CNAME, and A resource records every hour, even if some or all these records are correctly registered in DNS. The list of records that the Net Logon service tries to register is stored in the %systemroot%\System32\Config\Netlogon.dns file. This log file lists records that are required to be registered for this domain controller.

    1. Stop the Netlogon service.
    2. Rename the Netlogon.dns file to Netlogon.old, and then rename the Netlogon.dnb file to Netlogon.old2.
      Note: Netlogon.dns and Netlogon.dnb are located in the Windows\System32\Config folder.
    3. Start the Netlogon service or restart your computer.


     Sachin Gadhave (MCP, MCTS)


    Monday, April 30, 2012 9:27 AM
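The post above says Netlogon.dns lists the records the Net Logon service tries to register. As an added example (not part of the original thread), this Python code reads a regenerated Netlogon.dns and reports whether the three locator SRV records that dcdiag checked for (pdc, dc, gc) are listed for this DC. It assumes the file uses zone-file style lines (owner, TTL, IN, type, data); the sample content and function names are constructed for illustration.

```python
from typing import NamedTuple

# Constructed sample in the assumed Netlogon.dns line format:
#   owner TTL IN TYPE rdata
# The PDC locator line is deliberately absent.
SAMPLE_NETLOGON_DNS = """\
MYCOMPANY.local. 600 IN A 10.136.105.10
_ldap._tcp.MYCOMPANY.local. 600 IN SRV 0 100 389 sbsserver.MYCOMPANY.local.
_ldap._tcp.dc._msdcs.MYCOMPANY.local. 600 IN SRV 0 100 389 sbsserver.MYCOMPANY.local.
_ldap._tcp.gc._msdcs.MYCOMPANY.local. 600 IN SRV 0 100 3268 sbsserver.MYCOMPANY.local.
_kerberos._tcp.dc._msdcs.MYCOMPANY.local. 600 IN SRV 0 100 88 sbsserver.MYCOMPANY.local.
37a52bba-0ca3-4f47-989d-353d692dac92._msdcs.MYCOMPANY.local. 600 IN CNAME sbsserver.MYCOMPANY.local.
"""

# Record names taken from the dcdiag errors quoted in the thread.
LOCATOR_LABELS = {
    "pdc": "_ldap._tcp.pdc._msdcs",
    "dc": "_ldap._tcp.dc._msdcs",
    "gc": "_ldap._tcp.gc._msdcs",
}


class Record(NamedTuple):
    owner: str   # lower-cased, trailing dot removed
    ttl: int
    rtype: str
    rdata: str


def parse_netlogon_dns(text):
    """Parse 'owner TTL IN TYPE rdata' lines; skip anything else."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[1].isdigit() or parts[2].upper() != "IN":
            continue
        records.append(Record(parts[0].rstrip(".").lower(), int(parts[1]),
                              parts[3].upper(), " ".join(parts[4:])))
    return records


def locator_coverage(text, domain, dc_fqdn):
    """Map each locator role to True if an SRV for it targets this DC."""
    dc = dc_fqdn.rstrip(".").lower()
    listed = {
        r.owner for r in parse_netlogon_dns(text)
        # The SRV target host is the last field of the record data.
        if r.rtype == "SRV" and r.rdata.split()[-1].rstrip(".").lower() == dc
    }
    return {role: f"{label}.{domain}".lower() in listed
            for role, label in LOCATOR_LABELS.items()}


if __name__ == "__main__":
    result = locator_coverage(SAMPLE_NETLOGON_DNS, "MYCOMPANY.local",
                              "sbsserver.MYCOMPANY.local")
    for role, present in result.items():
        state = "listed" if present else "NOT listed"
        print(f"{role:>3} locator SRV: {state}")
```

If the pdc line is not in the regenerated file, Net Logon is not attempting to register that record, so repeating ipconfig /registerdns will not make it appear in DNS.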
  • Take a look at the articles below to verify and re-register the SRV records. You can simply restart the Netlogon and DNS Server services to refresh the SRV records. You can also use ipconfig /registerdns.

    http://support.microsoft.com/kb/816587

    http://blogs.msdn.com/b/mskumar/archive/2007/10/22/create-and-verify-dns-srv-and-a-records-for-client-automatic-client-sign-in.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, April 30, 2012 9:33 AM
    Moderator
  • Ok there is really something with that SRV dns :

    C:\Documents and Settings\Administrator>nslookup
    Default Server:  sbsserver.iurislink.local
    Address:  10.136.105.10

    > set type=all
    > _ldap._tcp.dc_msdcs.MYCOMPANY
    Server:  sbsserver.mycompany.local
    Address:  10.136.105.10

    *** sbsserver.mycompany.local can't find _ldap._tcp.dc_msdcs.MYCOMPANY: Non-exis
    tent domain
    > _ldap._tcp.dc_msdcs.MYCOMPANY.local
    Server:  sbsserver.mycompany.local
    Address:  10.136.105.10

    On this article (http://support.microsoft.com/kb/200525)

    it is said :

    "This error occurs when there is no PTR record for the name server's IP address. When Nslookup.exe starts, it does a reverse lookup to get the name of the default server. If no PTR data exists, this error message is returned. To correct make sure that a reverse lookup zone exists and contains PTR records for the name servers."

    The problem for me is that I cannot really understand what is wrong with the netlogon.dns if there is something wrong in this file...

    Also in the eventvwr

    Event Type:    Error
    Event Source:    Userenv
    Event Category:    None
    Event ID:    1054
    Date:        30/04/2012
    Time:        11:37:55
    User:        NT AUTHORITY\SYSTEM
    Computer:    SBSSERVER
    Description:
    Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Monday, April 30, 2012 10:35 AM
  • Can you verify from the DNS console whether the _msdcs.domainname zone exists with all records? If the records are present, then stop the DNS and netlogon services. Go to the C:\windows\System32\Config folder, rename the netlogon.dns and Netlogon.dnb files to old (netlogon.dns_old, Netlogon.dnb_old) and restart the netlogon and DNS services. Also run ipconfig /flushdns and ipconfig /registerdns.



    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, April 30, 2012 10:47 AM
  • Gregory,

     Did you stop and restart the netlogon service on the DC as requested earlier?

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, April 30, 2012 10:55 AM
  • Yes sorry I followed this procedure (stop the services, rename the 2 files, restart services, do the flush) but the issue is still there..

    I don't get it everything seems to be ok.
    Maybe I'll post it in the SBS forum as suggested.

    Monday, April 30, 2012 11:00 AM
  • Hello,

    1- Delete 195.238.2.21 from DNS client.

    2- Set 195.238.2.21 on DNS Forwarders tab.

    3- After setting, run these commands on the DC:

    ipconfig /flushdns
    ipconfig /registerdns
    net stop netlogon
    net start netlogon

    4- Now test again.

    Regards

    Something strange also, but it is probably due to the difference between sbs and a regular win2k3 os, I don't have the same window :

    Monday, April 30, 2012 2:28 PM
  • The screenshot which you have attached is the default screen and is by design in Win2008 (DC1) and Win2003 (SBS). In Win2008 you need to click on the Forwarders tab, then click the Edit button and enter the required forwarder IPs.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, April 30, 2012 3:10 PM
  • Since there is SBS and there are certain limitations, you can raise the query in the forum below if the above is not helpful.

    The SBS forum you'll find here http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/threads

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    FYI the topic is there http://social.technet.microsoft.com/Forums/fr-FR/smallbusinessserver/thread/82ec6d25-636d-4b12-8a94-9cc4b6f45eec
    Tuesday, May 08, 2012 8:38 AM