Issue with windows server 2008 R2 active directory access

    Question

  • When trying to access Active Directory Users and Computers I get the following error: The naming Information cannot be located for the following reason: the server is not operational.

     

    The server is authenticating users and allowing users access to shared folders.

    I have uninstalled Symantec antivirus and eliminated possible issues with the Broadcom NIC installed. I believe that it is a Microsoft issue.

    Can you help?

    Tuesday, November 29, 2011 2:31 PM

Answers

  • Hello,

     

    Please run this command and post result here:

    NETDOM QUERY FSMO

     

    Regards


  • Good point. He'll possibly have to seize the roles over first.

    Also possibly, for steps 2 and 3, instead of initially making the zones AD integrated, simply make the zones Standard Primary zones (keeping the "Store in AD..." option unchecked). It's possible the server error message is coming from trying to store them in AD, because it can't find AD.

    Steps revised :

    1. Create a crl.lan zone. Right-click Forward Lookup Zones, new zone, type in crl.lan. Uncheck the box on the bottom to store in Active Directory. Allow Unsecure and Secure updates.
    2. Right-click Forward Lookup Zones, create a _msdcs.crl.lan zone. Uncheck the box on the bottom to store in Active Directory. Allow Unsecure and Secure updates.

     

    Ace

     

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, December 08, 2011 7:23 PM
  • Hmm, this just keeps getting better!

    So it won't initialize Sysvol. That's why the DC can't be contacted. And it's trying to populate Sysvol from the other DC, which no longer exists.

    To fix it, we have to force it to initialize a new, empty Sysvol. This is called an Authoritative Sysvol Restore.

    To do that, do the following:

    1. Click Start, and then click Run.
    2. In the Open box, type cmd and then press ENTER.
    3. In the Command box, type net stop ntfrs.
    4. Click Start, and then click Run.
    5. In the Open box, type regedit and then press ENTER.
    6. Locate the following subkey in the registry:
       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
    7. In the right pane, double click BurFlags.
    8. In the Edit DWORD Value dialog box, type D4 and then click OK.
    9. Quit Registry Editor, and then switch to the Command box.
    10. In the Command box, type net start ntfrs.
    11. Quit the Command box.

     

    When the FRS service is restarted, the following actions occur:

    • The value for the BurFlags registry key is set back to 0.
    • An event 13566 is logged to signal that an authoritative restore is started.
    • Files in the reinitialized FRS replicated directories remain unchanged and become authoritative on direct replication. Additionally, the files become indirect replication partners through transitive replication.
    • The FRS database is rebuilt based on current file inventory.
    • When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.

     

    Restart the box after that.

    Reference:

    Using the BurFlags registry key to reinitialize File Replication Service replica sets
    http://support.microsoft.com/kb/290762/

     

    btw - did you know you posted your email address, and not the link to Skydrive? You may want to remove your email address so it doesn't get harvested by web spiders searching for email addresses.

    You're going to need a double shot of whiskey after this mess is over.

    Ace

     


    Saturday, December 10, 2011 1:09 AM
  • Took a little time to get remoted in, then some more time to resolve it, but it seems to be resolved and working fine now. With Steve's permission, I am posting the steps I took to resolve it. I hope others benefit from this.

    Ace

     

     

     

    ==================================================================
    ==================================================================
    Steve Weatherbee CRL issues.

    Resolution steps.

    ***********************************************************************

    C:\Users\admin>netdom query fsmo
    Schema master               dserver2.CRL.lan
    Domain naming master        dserver2.CRL.lan
    PDC                         dserver2.CRL.lan
    RID pool manager            dserver2.CRL.lan
    Infrastructure master       dserver2.CRL.lan
    The command completed successfully.

    ***********************************************************************
    Dcdiag shows:
          Starting test: MachineAccount
             Checking machine account for DC DSERVER2 on DC DSERVER2.
             Warning:  Attribute userAccountControl of DSERVER2 is:
                0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
             Typical setting for a DC is
                0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
             This may be affecting replication?
             * SPN found :LDAP/dserver2.CRL.lan/CRL.lan
             * SPN found :LDAP/dserver2.CRL.lan
             * SPN found :LDAP/DSERVER2
             * SPN found :LDAP/dserver2.CRL.lan/CRL
             * SPN found :LDAP/b072f201-6e73-4798-93b1-01c0e084cc4d._msdcs.CRL.lan
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/b072f201-6e73-4798-93b1-01c0e084cc4d/CRL.lan
             * SPN found :HOST/dserver2.CRL.lan/CRL.lan
             * SPN found :HOST/dserver2.CRL.lan
             * SPN found :HOST/DSERVER2
             * SPN found :HOST/dserver2.CRL.lan/CRL
             * SPN found :GC/dserver2.CRL.lan/CRL.lan

    I changed it to what it should be: 0x82000 by using ADSI Edit:

    ADSI Edit shows decimal value for UserAccountControl as 532512 (0x82020)
    I changed it to 532480 (0x82000)

    Ref:
    Incorrect userAccountControl Attribute value causes error when running DCDIAG or during promotion of a server to a DC
    http://blogs.dirteam.com/blogs/jorge/archive/2006/08/27/Incorrect-_2600_quot_3B00_userAccountControl_2600_quot_3B00_-Attribute-value-causes-error-when-running-DCDIAG-or-during-promotion-of-a-server-to-a-DC.aspx


    ***********************************************************************
    Then restarted AD Domain Services service.

    Event ID 5706:
    The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\CRL.lan\SCRIPTS.  The following error occurred:
    The system cannot find the file specified.


    ***********************************************************************

    Computer Browser service disabled.

    Although not necessary, I enabled in order to view network shares

    No harm in keeping it enabled.


    ***********************************************************************

    To see if any other DCs are in the domain, I ran metadata cleanup, but I found DSERVER2 is the only one, then quit the utility.

    C:\Users\admin>ntdsutil
    ntdsutil: metadata cleanup
    metadata cleanup: connections
    server connections: connect to server dserver2
    Binding to dserver2 ...
    Connected to dserver2 using credentials of locally logged on user.
    server connections: quit
    metadata cleanup: select operation target
    select operation target: list domains
    Found 1 domain(s)
    0 - DC=CRL,DC=lan
    select operation target: select domain 0
    No current site
    Domain - DC=CRL,DC=lan
    No current server
    No current Naming Context
    select operation target: lists sites
    Error parsing Input - Invalid Syntax.
    select operation target: list sites
    Found 1 site(s)
    0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
    select operation target: select site 0
    Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
    Domain - DC=CRL,DC=lan
    No current server
    No current Naming Context
    select operation target: list servers in site
    Found 1 server(s)
    0 - CN=DSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
    select operation target: quit
    metadata cleanup: quit
    ntdsutil: quit

    C:\Users\admin>


    ***********************************************************************

    More on Event ID 5706:

    Went to:
    Event ID 3051 and 5706 on domain controllers
    http://support.microsoft.com/?id=258805

    Checked reg entry per article:
    These error messages can occur if entries under the following registry key on the domain controller are missing or incorrect:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

    Stopped netlogon service

    Reg location shows a value for SYSVOL, and the SYSVOL path exists to c:\windows\sysvol\sysvol
    Removed sysvol value
    Created:
    On the Edit menu, click Add Value, and then add the following registry values:
    Value Name: DBFlag
     Data Type: REG_SZ
     Value: 0

    Value Name: DBFlag
     Data Type: REG_SZ
     Value: 0

    Started Netlogon

    Netlogon share still not created.
    Folders are missing in SYSVOL.

    This could be because this server is a replica DC and the initial replication never occurred.
    I manually created the SYSVOL structure by creating the following folders under c:\windows\sysvol\sysvol:
         ClientAgent
         Policies
         Scripts

    Restarted AD Domain Services.

    Netlogon successfully shared and started.

    Missing policies in Policies folder.

    Event ID 1058

    Default Policies show up in GPMC, but cannot connect or view settings.

    ***********************************************************************

    Used the following to rebuild the missing SYSVOL folders:

    How to rebuild the SYSVOL tree and its content in a domain
    http://support.microsoft.com/kb/315457 

    Note - since this is the only DC in the domain, I used the D4 option to build a new one.
    D2 would have been used to pull a copy from another DC.

    To configure the SYSVOL replica set to be authoritative, follow these steps:
    • Click Start, click Run, type regedit, and then click OK.
    • Locate and then click the BurFlags entry under the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID
      GUID is the GUID of the domain system volume replica set that is shown in the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID
    • Right-click BurFlags, and then click Modify.
    • Type D4 in the Value Data field (HexaDecimal), and then click OK.

    No good... Ok, next step to recreate the default GPOs...

    ***********************************************************************
    Ran:
    dcgpofix /ignoreschema

    Didn't have permissions to run it.
    Added myself to the Enterprise Admins and Schema Admins
    Logged off, then on again.


    Ran the command again. Sysvol policies and everything else is now created.
    GPMC now shows both policies and all settings.


    ***********************************************************************
    Symantec Endpoint Installed!! WHAT???

    SEP is a known issue with blocking domain communications.

    Please uninstall and reboot and get back to me.


    ***********************************************************************

    Still cannot connect to DomainDnsZones or ForestDnsZones partitions.

    Error messages:


    ---------------------------
    ADSIEdit
    ---------------------------
    Operation failed. Error code: 0x202b
    A referral was returned from the server.
    0000202B: RefErr: DSID-031006BB, data 0, 1 access points
     ref 1: 'DomainDnsZones.CRL.lan'

    ---------------------------
    OK  
    ---------------------------

     

    and

     

    ---------------------------
    ADSIEdit
    ---------------------------
    Operation failed. Error code: 0x202b
    A referral was returned from the server.
    0000202B: RefErr: DSID-031006BB, data 0, 1 access points
     ref 1: 'ForestDnsZones.CRL.lan'

    ---------------------------
    OK  
    ---------------------------

     


    ***********************************************************************

    C:\Users\admin>dnscmd dserver2 /EnlistDirectoryPartition DomainDnsZones.CRL.lan

    Enlist directory partition failed: DomainDnsZones.CRL.lan
        status = 9904 (0x000026B0)
    Command failed:  DNS_ERROR_DP_ALREADY_ENLISTED     9904


    C:\Users\admin>

     

    ***********************************************************************

    C:\Users\admin>dnscmd dserver2 /EnlistDirectoryPartition ForestDnsZones.CRL.lan

    Enlist directory partition failed: ForestDnsZones.CRL.lan
        status = 9904 (0x000026B0)
    Command failed:  DNS_ERROR_DP_ALREADY_ENLISTED     9904


    C:\Users\admin>

     


    ***********************************************************************

    C:\Users\admin>dnscmd /Enumdirectorypartitions
    Enumerated directory partition list:

            Directory partition count = 2
     DomainDnsZones.CRL.lan                    Enlisted Auto Domain
     ForestDnsZones.CRL.lan                    Enlisted Auto Forest

     

    ***********************************************************************


    The two partitions are obviously corrupt.


    ***********************************************************************


    Using ADSI Edit, I deleted the DomainDnsZones and ForestDnsZones partitions:

    Reference:

    Are Your DNS Application Partitions Corrupt?
    http://cbfive.com/blog/post/Are-Your-DNS-Application-Partitions-Corrupt.aspx


    Using ADSIEdit.msc
     1.Navigate to the CrossRef object for the application partition on a specific DC (CN=Partitions,CN=Configuration,DC=Domain,DC=Com)
     2.Delete the CrossRef object, essentially skipping to step 7 above.
     3.Force replication, validate that the partition is gone.
     4.Restart DNS, the service will re-add the partition.

    Optionally, you can do it this way, too:

    Using NTDSUtil:
     1.Open the CMD prompt
     2.NTDSUtil
     3.Domain Management (In 2008 it changes to "partition management")
     4.Connections => connect to server ERICSDC01
     5.Quit
     6.List <--- to see zones
     7.Delete NC DC=DomainDNSZones,DC=Domain DC=Com (This Deletes the CrossRef Object)
     8.Force replication, validate that the partition is gone.
     9.Restart DNS, the service will re-add the partition.

    ***********************************************************************

    After deleting DomainDnsZones:

    C:\Users\admin>dnscmd /Enumdirectorypartitions
    Enumerated directory partition list:

            Directory partition count = 2
     DomainDnsZones.CRL.lan                    Enlisted Deleted Auto Domain
     ForestDnsZones.CRL.lan                    Enlisted Auto Forest


    Command completed successfully.


    ***********************************************************************

    Recreated DomainDnsZones

    Right click DNS Server Name
    Configure Default Application Directory Partitions.

    Click YES for Domain partition
    On Second Prompt, Click NO for Forest partition

     

    ***********************************************************************


    After deleting ForestDnsZones but after recreating DomainDnsZones

    C:\Users\admin>dnscmd /Enumdirectorypartitions
    Enumerated directory partition list:

            Directory partition count = 2
     DomainDnsZones.CRL.lan                    Enlisted Auto Domain
     ForestDnsZones.CRL.lan                    Enlisted Deleted Auto Forest


    Command completed successfully.

     


    ***********************************************************************

    Recreated ForestDnsZones

    Right click DNS Server Name
    Configure Default Application Directory Partitions.

    click NO for Domain partition
    On Second Prompt, Click YES for Forest partition


    ***********************************************************************


    After recreating ForestDnsZones:

    C:\Users\admin>dnscmd /Enumdirectorypartitions
    Enumerated directory partition list:

            Directory partition count = 2
     DomainDnsZones.CRL.lan                    Enlisted Auto Domain
     ForestDnsZones.CRL.lan                    Enlisted Auto Forest


    Command completed successfully.

     

    ***********************************************************************

    Symantec Endpoint uninstalled and rebooted.


    ***********************************************************************

    Event log errors are now CLEAN!!!!  <nice!>


    ***********************************************************************

    Symantec Endpoint reinstalled. I excluded the whole C:\windows folder and all subfolders. This will take care of
    the NTDS and SYSVOL folders, and anything else it may try to block or quarantine.

    ***********************************************************************

    C:\Users\admin>NTFRSUTL ds dserver2
    NTFRS CONFIGURATION IN THE DS
    SUBSTITUTE DCINFO FOR DC
       FRS  DomainControllerName: (null)
       Computer Name            : DSERVER2
       Computer DNS Name        : dserver2.CRL.lan

    BINDING TO THE DS:
       ldap_connect     : dserver2.CRL.lan
       DsBind     : dserver2.CRL.lan

    NAMING CONTEXTS:
       SitesDn    : CN=Sites,cn=configuration,dc=crl,dc=lan
       ServicesDn : CN=Services,cn=configuration,dc=crl,dc=lan
       DefaultNcDn: DC=CRL,DC=lan
       ComputersDn: CN=Computers,DC=CRL,DC=lan
       DomainCtlDn: OU=Domain Controllers,DC=CRL,DC=lan
       Fqdn       : CN=dserver2,OU=Domain Controllers,DC=CRL,DC=lan
       Searching  : Fqdn

    COMPUTER: DSERVER2
       DN   : cn=dserver2,ou=domain controllers,dc=crl,dc=lan
       Guid : dcab9611-82fe-4ba3-93ace6f3764c44ea
       UAC  : 0x00082000
       Server BL : CN=DSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
       Settings  : cn=ntds settings,cn=dserver2,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=crl,dc=lan
       DNS Name  : dserver2.CRL.lan
       WhenCreated  : 4/26/2011 11:25:2 Atlantic Standard Time Atlantic Daylight Time [240]
       WhenChanged  : 1/11/2012 16:52:4 Atlantic Standard Time Atlantic Daylight Time [240]

       SUBSCRIPTION: NTFRS SUBSCRIPTIONS
          DN   : cn=ntfrs subscriptions,cn=dserver2,ou=domain controllers,dc=crl,dc=lan
          Guid : 1315f31c-01a0-4d69-a14fe529e4b0cf49
          Working       : c:\windows\ntfrs
          Actual Working: c:\windows\ntfrs
          WhenCreated  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic DaylightTime [240]
          WhenChanged  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic DaylightTime [240]

          SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
             DN   : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn=dserver2,ou=domain controllers,dc=crl,dc=lan
             Guid : d46515fe-51d5-4f79-bec29effd142df73
             Member Ref: CN=DSERVER2,CN=Domain System Volume (SYSVOL share),CN=FileReplication Service,CN=System,DC=CRL,DC=lan
             Root      : c:\windows\sysvol\domain
             Stage     : c:\windows\sysvol\staging\domain
             WhenCreated  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]
             WhenChanged  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]
       Subscriber Member Back Links:
          cn=dserver2,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=crl,dc=lan

    SETTINGS: FILE REPLICATION SERVICE
       DN   : cn=file replication service,cn=system,dc=crl,dc=lan
       Guid : 70c455df-5704-4d2a-b11ab0eb36b6e907
       WhenCreated  : 4/3/2004 11:56:54 Atlantic Standard Time Atlantic Daylight Time [240]
       WhenChanged  : 4/26/2011 12:2:46 Atlantic Standard Time Atlantic Daylight Time [240]

       SET: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
          DN   : cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=crl,dc=lan
          Guid : bd486d4a-9726-4419-9589524e9fe04470
          Type          : 2
          Primary Member: (null)
          File Filter   : *.tmp, *.bak, ~*
          Dir  Filter   : (null)
          FRS Flags     : (null)
          WhenCreated  : 4/3/2004 12:4:36 Atlantic Standard Time Atlantic Daylight Time [240]
          WhenChanged  : 4/26/2011 12:3:5 Atlantic Standard Time Atlantic Daylight Time [240]

          MEMBER: DSERVER2
             DN   : cn=dserver2,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=crl,dc=lan
             Guid : 4884a00f-e43c-438b-b420ef689c6448fe
             Server Ref     : CN=NTDS Settings,CN=DSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
             Computer Ref   : cn=dserver2,ou=domain controllers,dc=crl,dc=lan
             Cracked Domain : CRL.lan
             Cracked Name   : 00000002 CRL\DSERVER2$
             Cracked Domain : CRL.lan
             Cracked Name   : fffffff4 S-1-5-21-1273149174-3599686218-3002231784-1246
             Computer's DNS : dserver2.CRL.lan
             WhenCreated  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]
             WhenChanged  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]

    C:\Users\admin>

    ***********************************************************************


    Final dcdiag /v errors:

          Starting test: Replications         * Replications Check
             * Replication Latency Check
                CN=Schema,CN=Configuration,DC=CRL,DC=lan
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                CN=Configuration,DC=CRL,DC=lan
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                DC=CRL,DC=lan
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
             * Replication Site Latency Check
             ......................... DSERVER2 passed test Replications


    I wouldn't worry about this. DCDIAG is just reporting that you have a retired NTDS object (a DC). No prob there. It shows zero for any latency issues and is only flagging the one retired partner.

    There are no errors and warnings, so I'm cool with this being fixed.

     

    ***********************************************************************


    I was now finally able to change the replication scope of _msdcs.crl.lan to ForestDnsZones, and crl.lan to DomainDnsZones, and set Dynamic Updates to Secure only.


    ***********************************************************************

    Ace Fekay

    ***********************************************************************


    • Proposed as answer by Patris_70 Sunday, January 15, 2012 1:48 PM
    • Marked as answer by steve.weatherbee Monday, January 16, 2012 1:01 PM
    Saturday, January 14, 2012 6:02 PM
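The userAccountControl check from the resolution notes above, as an added example that is not part of the thread: it decodes the bitmask dcdiag printed, reports PASSWD_NOTREQD (which permits an empty password and does not belong on a DC account) as the extra bit, and computes the corrected value in both hex and the decimal form ADSI Edit displays. The dcdiag excerpt inside is constructed from the post's text, not a verbatim capture.

```python
# Added example (not from the thread): decode and audit the userAccountControl
# (UAC) bitmask of a DC computer account the way dcdiag's MachineAccount test
# reports it.  Flag values are the documented Windows userAccountControl bits.
import re

# userAccountControl bit values (name spelling matches dcdiag / ADSI Edit).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",          # account may have an empty password
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",    # writable domain controller
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",  # unconstrained delegation
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",  # RODC
}

# The "typical setting for a DC" that dcdiag quotes: 0x82000.
EXPECTED_WRITABLE_DC_UAC = 0x00002000 | 0x00080000

# Matches the dcdiag MachineAccount warning; the hex value may wrap onto the
# next line, so any whitespace between "is:" and the value is accepted.
DCDIAG_UAC_RE = re.compile(
    r"Attribute userAccountControl of (?P<dc>\S+) is:\s+(?P<value>0x[0-9A-Fa-f]+)"
)

# Constructed from the post's dcdiag excerpt (not a verbatim capture).
SAMPLE_DCDIAG = """\
      Starting test: MachineAccount
         Checking machine account for DC DSERVER2 on DC DSERVER2.
            Warning:  Attribute userAccountControl of DSERVER2 is:
            0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
            Typical setting for a DC is
            0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
"""


def decode_uac(value: int) -> list[str]:
    """Return the flag names set in a UAC value, lowest bit first.

    Bits not in the table are reported as one UNKNOWN_0x... entry so that
    nothing set on the account is silently dropped.
    """
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def audit_dc_uac(value: int, expected: int = EXPECTED_WRITABLE_DC_UAC) -> dict:
    """Compare a DC computer account's UAC with the expected mask.

    'extra' lists flags that should not be set (PASSWD_NOTREQD in the post),
    'missing' lists expected flags that are absent; the corrected value is
    given as hex (dcdiag) and decimal (what ADSI Edit displays).
    """
    extra = decode_uac(value & ~expected)
    missing = decode_uac(expected & ~value)
    return {
        "extra": extra,
        "missing": missing,
        "ok": not extra and not missing,
        "corrected_hex": f"0x{expected:X}",
        "corrected_decimal": expected,
    }


def parse_dcdiag_uac_warnings(text: str) -> dict[str, int]:
    """Extract {dc_name: uac_value} from dcdiag MachineAccount output."""
    return {m.group("dc"): int(m.group("value"), 16)
            for m in DCDIAG_UAC_RE.finditer(text)}


if __name__ == "__main__":
    for dc, uac in parse_dcdiag_uac_warnings(SAMPLE_DCDIAG).items():
        report = audit_dc_uac(uac)
        print(f"{dc}: 0x{uac:X} ({uac}) = {' | '.join(decode_uac(uac))}")
        print(f"  extra flags  : {report['extra']}")
        print(f"  missing flags: {report['missing']}")
        print(f"  set to       : {report['corrected_hex']} "
              f"(decimal {report['corrected_decimal']} in ADSI Edit)")
```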
  • Nice to hear you're able to create the zones. The screenshots look good.

    Now follow Patris' recommendation to seize the FSMO roles. THIS IS A MUST!!

    Let's make sure this machine is a GC. AD Sites & Services, drill down into Servers, under the servername, NTDS settings, right click properties, check the box this is a GC. Then run:

    • ipconfig
    • net stop netlogon
    • net start netlogon
    • In DNS, check the GC folder under _msdcs.crl.lan to make sure the new machine's IP address shows up as a GC entry.

     

    Now run a metadata cleanup to remove the references to the DCs that no longer exist. Or just follow these steps:

    Complete Step by Step Guideline to Remove an Orphaned Domain controller
    Published by Ace Fekay, MCT, MVP DS on Oct 5, 2010 at 12:14 AM
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

     

    Then monitor the event logs for any errors.

    After a day or two, change the zones to AD integrated. That would be the middle CHANGE button below in the screenshot. Check the box to store in AD.

    Then after you hit Apply, click the bottom CHANGE button, and set the replication scope for each zone:

    For the crl.lan zone, select the middle button.
    For the _msdcs.crl.lan zone, the top button.

     

    Ace

     


    Friday, December 09, 2011 5:06 PM
  • Hello Steve,

     

    First, sorry, my home internet was down!!

    Now:

    1- Use this command and enable Global Catalog (GC) on your Domain Controller.

    REPADMIN /OPTIONS dserver2.CRL.lan +IS_GC

    2- You seized the PDC Emulator role to the dserver2 Domain Controller; reset the time source by running these commands on dserver2:

    w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update

    net stop w32time

    net start w32time

    On your edge firewall, make sure UDP port 123 traffic is allowed inbound from the time source.

    More info:

    Configuring the Windows Time Service for Windows Server (Ace Fekay -MVP)

    3- Check for the SYSVOL share, at the command prompt, type:

    net share

     

    Regards

    Friday, December 09, 2011 10:51 PM

All replies

  • How many DCs do you have?  Are you running ADUC from DC?

    Try changing the domain controller from ADUC and connecting to a different DC.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/


    This posting is provided AS IS with no warranties,and confers no rights.
    Tuesday, November 29, 2011 5:09 PM
  • This is a single DC in a small domain. Yes running AD from the DC.

    Thanks for your help.

     

    Tuesday, November 29, 2011 5:12 PM
  • From the client computer, can you ping the domain controller using the server name?
    Darshana Jayathilake
    Tuesday, November 29, 2011 5:15 PM
  • no. destination host unreachable.
    Tuesday, November 29, 2011 5:17 PM
  • Hi,

    Post "ipconfig /all" & "dcdiag /q" result.

    Regards,


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Tuesday, November 29, 2011 5:30 PM
  • Windows IP Configuration

    Host Name . . . . . . . . . . . . : dserver2
    Primary Dns Suffix . . . . . . . : CRL.lan
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : CRL.lan

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #35
    Physical Address. . . . . . . . . : 78-2B-CB-15-BD-4A
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::4ca8:369b:34ac:7152%11(Preferred)
    IPv4 Address. . . . . . . . . . . : 142.227.54.28(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.192
    Default Gateway . . . . . . . . . : 142.227.54.62
    DHCPv6 IAID . . . . . . . . . . . : 192424907
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-1A-AE-E4-78-2B-CB-15-BD-4A
    DNS Servers . . . . . . . . . . . : 142.227.54.28
    142.227.51.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : isatap.{BC1269F5-0583-445B-8900-D0BE76C04E57}
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 11:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft 6to4 Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : 2002:8ee3:361c::8ee3:361c(Preferred)
    Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
    DNS Servers . . . . . . . . . . . : 142.227.54.28
    142.227.51.1
    NetBIOS over Tcpip. . . . . . . . : Disabled

     

    and...

     


    Directory Server Diagnosis

    Performing initial setup:
    Trying to find home server...
    Home Server = dserver2
    * Identified AD Forest.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\DSERVER2
    Starting test: Connectivity
    The host b072f201-6e73-4798-93b1-01c0e084cc4d._msdcs.CRL.lan could not
    be resolved to an IP address. Check the DNS server, DHCP, server name,
    etc.
    ......................... DSERVER2 failed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\DSERVER2
    Skipping all tests, because server DSERVER2 is not responding to
    directory service requests.

    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation

    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation

    Running partition tests on : CRL
    Starting test: CheckSDRefDom
    ......................... CRL passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... CRL passed test CrossRefValidation

    Running enterprise tests on : CRL.lan
    Starting test: LocatorCheck
    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
    A Global Catalog Server could not be located - All GC's are down.
    Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
    A Time Server could not be located.
    The server holding the PDC role is down.
    Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
    A Good Time Server could not be located.
    Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
    A KDC could not be located - All the KDCs are down.
    ......................... CRL.lan failed test LocatorCheck
    Starting test: Intersite
    ......................... CRL.lan passed test Intersite

    Tuesday, November 29, 2011 5:32 PM
  • Hi,

    The DCDIAG test failed because the DNS GUID is not pingable and a time server could not be located.

    Proceed like this:

    • Run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS Server and Netlogon services on the DC.
    • Follow the article http://support.microsoft.com/kb/816042 and configure the DC as an authoritative time server.

    Regards,


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Tuesday, November 29, 2011 6:14 PM
  • There are no documents that match your search for "kb 816042DC"

    I will do a manual search for the KB article.

    Thanks again...

    Tuesday, November 29, 2011 6:24 PM
  • Hi,

    Here is the correct path: http://support.microsoft.com/kb/816042, and configure the DC as an authoritative time server.

    Also you may run "w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update" on the DC and "w32tm /config /syncfromflags:domhier /update" on member servers/clients.

    Regards,


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Tuesday, November 29, 2011 6:37 PM
  • again dcdiag /q,..  

    The host b072f201-6e73-4798-93b1-01c0e084cc4d._msdcs.CRL.lan could not

             be resolved to an IP address. Check the DNS server, DHCP, server name,

             etc.

             ......................... DSERVER2 failed test Connectivity

             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355

             A Global Catalog Server could not be located - All GC's are down.

             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355

             A Time Server could not be located.

             The server holding the PDC role is down.

             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error

             1355

             A Good Time Server could not be located.

             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355

             A KDC could not be located - All the KDCs are down.

             ......................... CRL.lan failed test LocatorCheck

     

    I did not do a system restart on the DC. It may be necessary; it is a production server and is currently in use.

    Tuesday, November 29, 2011 6:38 PM
  • Windows IP Configuration

    Host Name . . . . . . . . . . . . : dserver2
    Primary Dns Suffix . . . . . . . : CRL.lan
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : CRL.lan

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #35
    Physical Address. . . . . . . . . : 78-2B-CB-15-BD-4A
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::4ca8:369b:34ac:7152%11(Preferred)
    IPv4 Address. . . . . . . . . . . : 142.227.54.28 (Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.192
    Default Gateway . . . . . . . . . : 142.227.54.62
    DHCPv6 IAID . . . . . . . . . . . : 192424907
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-1A-AE-E4-78-2B-CB-15-BD-4A
    DNS Servers . . . . . . . . . . . : 142.227.54.28
    142.227.51.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : isatap.{BC1269F5-0583-445B-8900-D0BE76C04E57}
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 11:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft 6to4 Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : 2002:8ee3:361c::8ee3:361c(Preferred)
    Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
    DNS Servers . . . . . . . . . . . : 142.227.54.28
    142.227.51.1
    NetBIOS over Tcpip. . . . . . . . : Disabled


    Hello,

     

    1- Why did you use the 142.227.54.28 IP address?

    2- You have written above that you have a DC or server. What is the 142.227.51.1 IP address (DNS client)? Did you use an external DNS server IP address for the DNS client?

    Private IPv4 address:

    10.0.0.0 – 10.255.255.255

    172.16.0.0 – 172.31.255.255

    192.168.0.0 – 192.168.255.255

    3- For DcGetDcName(TIME_SERVER) call failed, error 1355 (KB272686):

    1. Click Start, point to Programs, point to Administrative Tools, and then click Services.
    2. Click Services MMC.
    3. Start the Windows Time service.
    4. Under Startup Type, click Automatic.
    5. Restart the server.

    Regards

     

    Tuesday, November 29, 2011 7:03 PM
  • IP addresses are public addresses.

    .28 was available on the subnet.

    The 51.1 address is an outside DNS; we are a public library and we use a common database for a hosted solution for circulation.

    The Windows Time service was in automatic mode and was running.

    I will look at the KB article 272686 carefully.

    Thanks

    Tuesday, November 29, 2011 7:15 PM
    I completely missed the IP config. So is this a multihomed DC?

    Multihomed domain controllers are not recommended; they always result in multiple problems.

    • Being a VPN Server and even simply running RRAS makes it multi-homed.

    Active Directory Communication Fails on Multihomed Domain Controllers : http://support.microsoft.com/default.aspx?scid=kb;en-us;272294
    Symptoms of Multihomed Browsers : http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

    Also ensure the following:

    • Use only a private IP address for the DC and remove the public IP from the NIC.
    • Each DC / DNS server points to its private IP address as primary DNS server and other internal/remote DNS servers as secondary DNS in TCP/IP property.
    • Each DC has just one private IP address and one network adapter is enabled (disable unused NICs).

    Once you are done with above, run "ipconfig /flushdns & ipconfig /registerdns", restart DNS server and NETLOGON service on each DC.

    Regards,


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA

    Tuesday, November 29, 2011 7:30 PM
  • Hello,

     

    Did you create Windows Domain in the Cloud?

    If yes, here is good article:

    Creating a Windows Domain in the Cloud

    AND

    You must delete the 142.227.51.1 IP address (DNS client), and set 142.227.51.1 in the DNS Forwarders tab.

     

    Regards

    Tuesday, November 29, 2011 9:47 PM
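The DNS client rules in the two replies above (the DC lists itself first, no external resolver in the client list, the external resolver on the Forwarders tab instead) as an added PowerShell check; this is not code from the thread. It assumes it runs on the DC itself, that the root\MicrosoftDNS WMI provider is present (it is installed with the DNS Server role), and uses the addresses quoted in the thread as defaults.

```powershell
# Added example (not from the thread): audit DNS client settings on a DC/DNS server.
# Works with PowerShell 2.0 as shipped on Windows Server 2008 R2.

function Get-DcDnsClientAudit {
    param(
        [string]$DcIp = '142.227.54.28',             # the DC's own address (from the thread)
        [string[]]$ExternalDns = @('142.227.51.1')   # the hosted-solution resolver (from the thread)
    )
    $findings = @()

    # Every IP-enabled adapter: the DC should point at itself first and never at an
    # external resolver; the external resolver belongs under Forwarders.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
    foreach ($nic in $nics) {
        $dns = @($nic.DNSServerSearchOrder)
        if ($dns.Count -eq 0 -or $dns[0] -ne $DcIp) {
            $findings += "[$($nic.Description)] DNS list is '$($dns -join ',')', expected $DcIp first"
        }
        foreach ($srv in $dns) {
            if ($ExternalDns -contains $srv) {
                $findings += "[$($nic.Description)] external resolver $srv in the client list; move it to Forwarders"
            }
        }
        if (-not $nic.FullDNSRegistrationEnabled) {
            $findings += "[$($nic.Description)] 'Register this connection's addresses in DNS' is off"
        }
    }
    if ($nics.Count -gt 1) {
        $findings += "$($nics.Count) IP-enabled adapters found; a DC should be single-homed"
    }

    # Forwarders are a property of the DNS Server object, not of the NIC.
    $dnsServer = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Server
    $forwarders = @($dnsServer.Forwarders)
    foreach ($ext in $ExternalDns) {
        if ($forwarders -notcontains $ext) {
            $findings += "forwarder $ext missing (current forwarders: '$($forwarders -join ',')')"
        }
    }
    return ,$findings
}

$result = @(Get-DcDnsClientAudit)
if ($result.Count -eq 0) { 'DNS client configuration matches the recommendations above' } else { $result }
```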
    1. Check the NIC binding: the NIC which is online and has IP details should be first in the order. If multiple NICs are present, disable the NICs that are not required. In your case Local Area Connection* 8 should be first in the order.
    http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

    2. Remove the alternate DNS setting 142.227.51.1 from both NICs (LAN8, LAN9) and add the same to the DNS forwarders.

    3. Run ipconfig /flushdns and ipconfig /registerdns. Restart the Netlogon and DNS services.

    4. Run dcdiag /q again to check for any errors.

    5. Configure an authoritative time server on the PDC role holder; below is the KB article for the same.
    http://support.microsoft.com/kb/816042

    Make sure that the parameters below are set correctly on the PDC server.
    1. Change the server type to NTP
    2. Set AnnounceFlags to 5
    3. Enable NTPServer
    4. Specify the time sources, e.g. time.windows.com,0x1
    5. Configure the other parameters as well.

    Restart the Windows Time service. Run the w32tm /resync /rediscover command.

    Check the system log you will get event id 35 and 37 related to time sync.

    Hope this helps.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

     

    Wednesday, November 30, 2011 3:07 AM
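The PDC time-server settings listed in step 5 above (type NTP, AnnounceFlags 5, NtpServer provider enabled, a peer list such as time.windows.com,0x1) and the event IDs 35/37 that confirm a sync, as an added PowerShell audit; this is not code from the post or from KB 816042. It assumes it runs in an elevated PowerShell on the PDC emulator; the registry paths are the documented W32Time locations.

```powershell
# Added example (not from the thread): check the W32Time configuration of the PDC
# against the values recommended above and list recent time-sync events.
$W32Time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null rather than throwing when the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-PdcTimeConfig {
    # Expected values for an authoritative NTP time source (steps 1-3 above).
    $checks = @(
        @{ Path = "$W32Time\Parameters";              Name = 'Type';          Expected = 'NTP' },
        @{ Path = "$W32Time\Config";                  Name = 'AnnounceFlags'; Expected = 5 },
        @{ Path = "$W32Time\TimeProviders\NtpServer"; Name = 'Enabled';       Expected = 1 }
    )
    $report = @()
    foreach ($c in $checks) {
        $actual = Get-RegValue $c.Path $c.Name
        $report += New-Object PSObject -Property @{
            Setting = $c.Name; Expected = $c.Expected; Actual = $actual
            Ok = ($actual -eq $c.Expected)
        }
    }
    # Step 4: the peer list should name a source with the 0x1 flag, e.g. time.windows.com,0x1
    $peers = Get-RegValue "$W32Time\Parameters" 'NtpServer'
    $report += New-Object PSObject -Property @{
        Setting = 'NtpServer'; Expected = '<peer>,0x1'; Actual = $peers
        Ok = [bool]($peers -and $peers -match ',0x1')
    }
    # The service must be running and set to start automatically.
    $svc = Get-WmiObject Win32_Service -Filter "Name='W32Time'"
    $report += New-Object PSObject -Property @{
        Setting = 'W32Time service'; Expected = 'Running/Auto'
        Actual = "$($svc.State)/$($svc.StartMode)"
        Ok = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
    }
    return ,$report
}

function Get-RecentTimeSyncEvents([int]$Newest = 500) {
    # Event 35: now synchronising with a time source; event 37: NtpClient receiving valid time data.
    Get-EventLog -LogName System -Newest $Newest |
        Where-Object { $_.Source -like '*Time*' -and ((35, 37) -contains $_.EventID) } |
        Select-Object TimeGenerated, EventID, Message
}

Test-PdcTimeConfig | Format-Table Setting, Expected, Actual, Ok -AutoSize
Get-RecentTimeSyncEvents | Format-Table -AutoSize -Wrap
```

If the report shows every setting Ok but no event 35/37 appears, the peer is unreachable (as with the "no time data was available" resync error later in the thread), which is a network or firewall question rather than a registry one.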
  • Latest DCdiag /q....        

     

     The host b072f201-6e73-4798-93b1-01c0e084cc4d._msdcs.CRL.lan could not

             be resolved to an IP address. Check the DNS server, DHCP, server name,

             etc.

             ......................... DSERVER2 failed test Connectivity

             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355

             A Global Catalog Server could not be located - All GC's are down.

             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355

             A Time Server could not be located.

             The server holding the PDC role is down.

             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error

             1355

             A Good Time Server could not be located.

             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355

             A KDC could not be located - All the KDCs are down.

             ......................... CRL.lan failed test LocatorCheck

     


    Note: when running the command w32tm /resync /rediscover

    I got the following error

    sending the resync command to the local computer

    the computer did not resync because no time data was available

    Wednesday, November 30, 2011 2:09 PM
  • Hello,

     

    I don't know why you use a public IP address for the domain controller's IP address!

    But this link shows you how to configure multihoming (a multihomed domain controller is not recommended).

    Multihoming a Windows Server

    AND

    Read this great article:

    Multihomed DCs with DNS, RRAS, and/or PPPoE adapters (Ace Fekay - MVP)

     

    Regards

    Wednesday, November 30, 2011 6:07 PM
    The second DNS entry has been dealt with (removed) and added as a DNS forwarder.

    The original problem persists.

    Thanks again



    Wednesday, November 30, 2011 6:15 PM
  • Event Type: Information
    Event Source: DNS
    Event Category: None
    Event ID: 708
    Date:  30/11/2011
    Time:  9:03:39 AM
    User:  N/A
    Computer: dserver2.CRL.lan
    Description:
    The DNS server did not detect any zones of either primary or secondary type during initialization. It will not be authoritative for any zones, and it will run as a caching-only server until a zone is loaded manually or by Active Directory replication. For more information, see the online Help.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    I'm now getting this DNS error as well.

    Wednesday, November 30, 2011 6:38 PM
  • Hello,

     

    Event ID 708 — DNS Server Informational Events

    Resolve

    This is a normal condition. No further action is required.

     

    Regards

    Wednesday, November 30, 2011 9:08 PM
  • Event Type: Information
    Event Source: DNS
    Event Category: None
    Event ID: 708
    Date:  30/11/2011
    Time:  9:03:39 AM
    User:  N/A
    Computer: dserver2.CRL.lan
    Description:
    The DNS server did not detect any zones of either primary or secondary type during initialization. It will not be authoritative for any zones, and it will run as a caching-only server until a zone is loaded manually or by Active Directory replication. For more information, see the online Help.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    I'm now getting this DNS error as well.

    Hi,

    Please run "dcdiag /test:dns" and "ipconfig /all" on problem DC and post the result.

     



    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Wednesday, November 30, 2011 10:31 PM
    Is there any specific reason you have assigned a public IP address to the DC? It is not recommended by Microsoft because it renders your server vulnerable to direct attacks from the outside world.

    Are you using RRAS for Natting on this server?

    As you are using 2 NIC cards, I am assuming that you are using RRAS for NATting. If you are using RRAS you need to assign the public IPs, DNS and gateways to the WAN NIC and a private IP address to the LAN NIC.
    Why would you need to configure a private IP on the LAN NIC? The answer is: because RRAS has been configured to take care of the NATting needs and will now be leasing IP addresses (private IPs) to the client machines or member servers in the network; this LAN NIC will be used to lease the IPs. The LAN NIC will then connect to a switch, and all the client machines will also connect to this switch for their IP requirements.

    NOTE: Ideally you should have a router/firewall which will take care of the NAT needs and will also provide your network 'security'. If you are going to use the current network layout (with 2 NICs on the server, WAN & LAN), make sure that in the properties of the WAN NIC (public IP NIC), under IPv4 properties -> Advanced button -> DNS tab, you DO NOT have a check mark beside 'Register this connection's addresses in DNS'. However, this box SHOULD BE checked in the LAN NIC properties, with DNS pointing to itself (the private IP address of this server). Do not have a secondary DNS defined; if you want to define an IP (public or private), make sure you do it under Forwarders in DNS.

    Make sure that the LAN NIC (private) is at the top in the NIC binding.
    http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

    Regarding the time issue: is this server virtualised? If so, refer to the link below.
    http://jorgequestforknowledge.wordpress.com/2011/09/14/time-sync-recommendations-for-virtual-dcs-on-hyper-v-change-in-recommendations/

    Hope this helps.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Thursday, December 01, 2011 3:42 AM

  • Windows IP Configuration

       Host Name . . . . . . . . . . . . : dserver2
       Primary Dns Suffix  . . . . . . . : CRL.lan
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : CRL.lan

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #35
       Physical Address. . . . . . . . . : 78-2B-CB-15-BD-4A
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::7839:1639:51ce:ba47%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 142.227.54.28(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.192
       Default Gateway . . . . . . . . . : 142.227.54.62
       DHCPv6 IAID . . . . . . . . . . . : 192424907
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-1A-AE-E4-78-2B-CB-15-BD-4A
       DNS Servers . . . . . . . . . . . : 142.227.54.28
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 11:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : 6TO4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:8ee3:361c::8ee3:361c(Preferred)
       Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
       DNS Servers . . . . . . . . . . . : 142.227.54.28
       NetBIOS over Tcpip. . . . . . . . : Disabled

     

    and...

    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = dserver2

       * Identified AD Forest.
       Done gathering initial info.


    Doing initial required tests

      
       Testing server: Default-First-Site-Name\DSERVER2

          Starting test: Connectivity

             The host b072f201-6e73-4798-93b1-01c0e084cc4d._msdcs.CRL.lan could not

             be resolved to an IP address. Check the DNS server, DHCP, server name,

             etc.

             ......................... DSERVER2 failed test Connectivity

     

    Doing primary tests

      
       Testing server: Default-First-Site-Name\DSERVER2

      
          Starting test: DNS

     

             DNS Tests are running and not hung. Please wait a few minutes...

             ......................... DSERVER2 passed test DNS

      
       Running partition tests on : Schema

      
       Running partition tests on : Configuration

      
       Running partition tests on : CRL

      
       Running enterprise tests on : CRL.lan

          Starting test: DNS

             Test results for domain controllers:

               
                DC: dserver2.CRL.lan

                Domain: CRL.lan

     

                     
                   TEST: Basic (Basc)
                      Error: No LDAP connectivity
                      Warning: adapter

                      [00000006] Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)

                      has invalid DNS server: 142.227.54.28 (DSERVER2)

                      Error: all DNS servers are invalid

                      No host records (A or AAAA) were found for this DC

                      Warning: The Active Directory zone on this DC/DNS server was

                      not found (probably a misconfiguration)
                     
                   TEST: Dynamic update (Dyn)
                      Warning: Failed to add the test record _dcdiag_test_record in zone CRL.lan
                  
                TEST: Records registration (RReg)
                   Error: Record registrations cannot be found for all the network

                   adapters

            
             Summary of test results for DNS servers used by the above domain

             controllers:

     

                DNS server: 142.227.54.28 (DSERVER2)

                   1 test failure on this DNS server

                   Name resolution is not functional. _ldap._tcp.CRL.lan. failed on the DNS server 142.227.54.28
                  
             Summary of DNS test results:

            
                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: CRL.lan

                   dserver2                     PASS FAIL PASS n/a  WARN FAIL n/a 
            
             ......................... CRL.lan failed test DNS

     

    Thursday, December 01, 2011 1:38 PM
  • Yes, there is a specific reason, the IP addressing is controlled by a policy out of my control.

    All other conditions you mentioned are fixed (hopefully).

    This server is not virtual.

    Thanks for your assistance.

     

    Thursday, December 01, 2011 1:56 PM
    The DCDIAG DNS test is failing due to the public IP 142.227.54.28 which is configured on the DC.

    A public IP address on a DC is not recommended because it renders your server vulnerable to direct attacks from the outside world. As you said there is a specific reason for the public IP, you can ignore the DCDIAG errors for the public IP NIC; however, to resolve the issue you need to add a private IP and DNS on the DC.

     


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Thursday, December 01, 2011 6:00 PM
    This IP addressing scheme worked for the 2003 DC I'm replacing; is the 2008 server configuration that much different?
    Thursday, December 01, 2011 6:35 PM
    Hi, there is a difference between Win2003 & 2008 IP addressing. In Win2008 IPv6 is introduced, which is not there in Win2003.

    Refer below link for more details:
    http://www.dgtaline.com/index.php?option=com_content&view=article&id=33:ipv6-features-and-benefits&catid=25:inroduction-to-mipv6&Itemid=44
    http://140.116.82.38/members/html/ms03/dclin/technique_paper/IPv6/IPv6%20Features%20and%20Benefiits.pdf

    I would recommend making sure that IPv6 is configured to (Automatically), as below.

     

    Run ipconfig /flushdns & ipconfig /registerdns and restart the Netlogon and DNS services.

    Run dcdiag /q to check for any errors.

    If the issue still persists, check the DNS zone in ADSI Edit. The info could be in ForestDnsZones, DomainDnsZones or the Domain NC depending upon the zone configuration.

    For example:

    [ForestDNSZones]
    In the console tree, right-click ADSI Edit, and then click "Connect To."
    Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK:
    DC=ForestDNSZones, DC=contoso, DC=com
    In the console tree, double-click DC=ForestDNSZones, DC=contoso, DC=com.
    Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You should now be able to view the DNS records which exist in this DNS partition.

    Delete the DNS GUID only (don't delete other records) if it is present, and restart the Netlogon and DNS services.

    Similarly check in DomainDnsZones or the Domain NC depending upon the zone config. Reference link below:
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    Note: a public IP address on a DC is not recommended due to vulnerability.

    However I would recommend to have private IP address assigned to Domain Controller.

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

     

    Saturday, December 03, 2011 1:34 AM
  • Hello,

     

    AGAIN:

    Why did you use Public IP Address for Domain Controller IP Address?

     

    Regards

    Saturday, December 03, 2011 9:57 AM
    Asked and answered.

    I appreciate your assistance, and realize that although it is not ideal, Windows Server 2008 should still work as advertised regardless of the IP address.

    I need to fix this system as is for now; it has worked this way for 8 years.

    Thanks, I do deeply appreciate your help.

    Tuesday, December 06, 2011 2:01 PM
  • Steve,

    Let's create the DC's CNAME GUID, since the DCDIAG is barking that it can't resolve it because it doesn't exist.

     

    Right click your "_msdcs.CRL.lan" zone, and choose New -> Alias (CNAME)

    In the Alias Name box, type in:

              b072f201-6e73-4798-93b1-01c0e084cc4d

    In the "Fully qualified domain name (FQDN) for target host" box, type in:

              dserver2.CRL.lan
     
    After it's created, the record should look like this:

              b072f201-6e73-4798-93b1-01c0e084cc4d    Alias (CNAME)    dserver2.CRL.lan

     

    Also, let's make sure that the rest of the records are clean. Look under the crl.lan zone. Make sure you only see the following records, which should look like this:


    (same as parent folder)     Host (A)                142.227.54.28
    (same as parent folder)     Name Server (NS)        142.227.54.28
    (same as parent folder)     Start of Authority      142.227.54.28
    dserver2                    Host (A)                142.227.54.28


    In addition, check the gc._msdcs.crl.lan zone. Make sure there is only one entry for the GC record, 142.227.54.28.

    Notice they all point to your single DC's IP. If you see any other IPs associated to the above records, please delete them.

     

    Follow the others' suggestions regarding a forwarder. If at all possible, consider using private IP addressing to secure and safeguard your environment.

     

    Then re-run the dcdiag, and post the results.

    Ace

     

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, December 06, 2011 3:20 PM
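The record checks Ace describes above (the DSA GUID CNAME in _msdcs pointing at the DC, and every A and NS record in the domain and _msdcs zones pointing only at the single DC), as an added PowerShell script; this is not code from Ace's post. It assumes it runs on the DC with the DNS Server role (which provides the root\MicrosoftDNS WMI classes) and takes the zone, GUID and address values quoted in the thread as defaults.

```powershell
# Added example (not from the thread): verify the DC locator records in the DNS zones
# held by this DNS server.  Reports problems; it does not change anything.

function Get-DnsRecords([string]$Class, [string]$Zone) {
    # Records of one WMI record class inside one zone; empty when the zone is absent.
    @(Get-WmiObject -Namespace root\MicrosoftDNS -Class $Class -Filter "ContainerName='$Zone'")
}

function Test-DcDnsRecords {
    param(
        [string]$Domain  = 'CRL.lan',
        [string]$DcFqdn  = 'dserver2.CRL.lan',
        [string]$DcIp    = '142.227.54.28',
        [string]$DsaGuid = 'b072f201-6e73-4798-93b1-01c0e084cc4d'   # from the dcdiag output above
    )
    $issues = @()
    $msdcs  = "_msdcs.$Domain"

    # 1. The DSA GUID CNAME must exist in _msdcs and point at the DC (dcdiag Connectivity).
    $cname = @(Get-DnsRecords MicrosoftDNS_CNAMEType $msdcs |
               Where-Object { $_.OwnerName -eq "$DsaGuid.$msdcs" })
    if ($cname.Count -eq 0) {
        $issues += "CNAME $DsaGuid.$msdcs is missing"
    } elseif ($cname[0].PrimaryName.TrimEnd('.') -ne $DcFqdn) {
        $issues += "CNAME $DsaGuid.$msdcs points at $($cname[0].PrimaryName), expected $DcFqdn"
    }

    # 2. Every A record in the domain zone and in _msdcs (gc._msdcs included) must be the DC's IP.
    foreach ($zone in @($Domain, $msdcs)) {
        $aRecords = @(Get-DnsRecords MicrosoftDNS_AType $zone)
        if ($aRecords.Count -eq 0) {
            $issues += "zone $zone has no A records (or does not exist on this server)"
            continue
        }
        foreach ($r in $aRecords) {
            if ($r.IPAddress -ne $DcIp) {
                $issues += "stale A record $($r.OwnerName) -> $($r.IPAddress) in zone $zone"
            }
        }
    }

    # 3. NS records for the domain should name the DC itself.
    foreach ($ns in @(Get-DnsRecords MicrosoftDNS_NSType $Domain)) {
        if ($ns.NSHost.TrimEnd('.') -ne $DcFqdn) {
            $issues += "NS record for $Domain names $($ns.NSHost), expected $DcFqdn"
        }
    }
    return ,$issues
}

$issues = @(Test-DcDnsRecords)
if ($issues.Count -eq 0) { 'DC locator records look clean' } else { $issues }
```

A "no A records" result for both zones matches the Event ID 708 posted earlier (the server loaded no zones at all), in which case the records have to be created or restored before this check means anything.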
    http://support.microsoft.com/kb/323542... could you check that the port numbers are open...
    Tuesday, December 06, 2011 4:28 PM
    Got the following ADSI error when setting up your query.

    Operation Failed  Error code: 0x202b

    A referral was returned from the server.

    0000202B: RefErr: DSID-03100768. data 0 , 1 access points

    ref1: 'forestdnszones.contso.com'

     

    end....

    Tuesday, December 06, 2011 5:47 PM
    There was no _msdcs.CRL.lan, or any other for that matter. I did try to create it, and got the following error:

    The zone can not be created.

    There was a server failure.

     

    end

    Tuesday, December 06, 2011 5:50 PM
    There is no "My Network Places" visible on this 2008 server.

    network discovery is set to "custom"

     

    end...


    Tuesday, December 06, 2011 6:02 PM
    Got the following ADSI error when setting up your query.

    Operation Failed  Error code: 0x202b

    A referral was returned from the server.

    0000202B: RefErr: DSID-03100768. data 0 , 1 access points

    ref1: 'forestdnszones.contso.com'

     

    end....

    Hello,

     

    forestdnszones.contso.com or forestdnszones.CRL.lan ???

    Do you have a contso.com domain name?

    Please run this command and post result here (unedited).

    dnscmd /enumdirectorypartitions

     

    Regards


    • Edited by Patris_70 Tuesday, December 06, 2011 8:25 PM
    Tuesday, December 06, 2011 8:09 PM
  • sorry you are correct

    forestdnszones.CRL.lan

    was indeed the last portion of the error.

    I'm getting a little punchy. This forum has been flaky all day. I had lost 2 replies prior to that one.

    Tuesday, December 06, 2011 8:25 PM
  • Hello,

     

    OK, no problem.

    For ForestDNSZones, use this: DC=ForestDNSZones,DC=CRL,DC=lan

     

     

    For DomainDNSZones, use this: DC=DomainDNSZones,DC=CRL,DC=lan

     

     

    Regards

    Tuesday, December 06, 2011 9:26 PM
  • Hello,

     

    OK, no problem.

    Use this Distinguished Name or Naming Context for ForestDNSZones--> DC=ForestDNSZones,DC=CRL,DC=lan

    After connecting, for _msdcs.CRL.lan select CN=MicrosoftDNS

     

    Regards


    Tuesday, December 06, 2011 9:34 PM
    There was no _msdcs.CRL.lan, or any other for that matter. I did try to create it, and got the following error:

    The zone can not be created.

    There was a server failure.

     

    end


    To understand what you're saying, are you saying that you do not see in the DNS console under Forward Lookup Zones, two zones called?

    _msdcs.crl.lan
    crl.lan

     

    I believe at this point based on the error message you are seeing, that you have duplicate zones in the AD database. Sandesh earlier posted a link to my blog explaining how to check for any dupes. If you find any, they must be removed.

    Quick background on where zones are stored in the AD Database. There are three partitions that they can be stored in. They are:

    1. ForestDnsZones
    2. DomainDnsZones
    3. DomainNC

    You must check each partition for anything that says "CNF...." or "InProgress...".

    If you see either of them, that means you have duplicates; as a matter of fact, if you see any of the above, THEY are the duplicates. They MUST be deleted.

     

    So going back to how to connect...

    So, when you connect to the ForestDnsZones and DomainDnsZones partitions using ADSI Edit, you must enter the path as:

    • DC=ForestDNSZones,DC=contoso,DC=com
    • DC=DomainDNSZones,DC=contoso,DC=com

    For the DomainNC partition, that will show up in the dropdown box in ADSI Edit as "Domain." Then drill down for Microsoft DNS, and you should see your zones that are in the DomainNC partition.

    Reposting a link to my blog for your convenience since this thread is growing pretty fast:

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, December 06, 2011 10:01 PM
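The partition check Ace describes above, done from a console instead of clicking through ADSI Edit. This is an added example, not code from the thread or from Ace's blog; it assumes the domain DN DC=crl,DC=lan and the DC name dserver2 taken from the thread, and only reads the directory (deleting the conflict objects is still a manual ADSI Edit step).

```powershell
# Added example (not from the thread): enumerate DNS zone objects in the three
# partitions Ace lists and flag conflict/duplicate objects. Assumes the domain
# DN DC=crl,DC=lan and the DC dserver2 from the thread; adjust as needed.
param(
    [string]$DomainDn = 'DC=crl,DC=lan',
    [string]$Server   = 'dserver2.crl.lan'
)

Add-Type -AssemblyName System.DirectoryServices

# Where AD-integrated zones can live. The first two are the DNS application
# partitions; the third is the domain partition ("Domain" in the ADSI Edit
# dropdown, then CN=System, then CN=MicrosoftDNS).
$zoneContainers = @(
    "CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDn",
    "CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn",
    "CN=MicrosoftDNS,CN=System,$DomainDn"
)

function Get-DnsZoneObjects {
    param([string[]]$SearchBases, [string]$LdapServer)
    foreach ($base in $SearchBases) {
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LdapServer/$base")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter      = '(objectClass=dnsZone)'
        $searcher.SearchScope = 'OneLevel'
        $searcher.PageSize    = 1000
        [void]$searcher.PropertiesToLoad.AddRange([string[]]('name', 'whenChanged'))
        try   { $results = $searcher.FindAll() }
        catch { Write-Warning "Cannot read $base on ${LdapServer}: $($_.Exception.Message)"; continue }
        foreach ($r in $results) {
            $name = [string]$r.Properties['name'][0]
            [pscustomobject]@{
                Partition   = $base
                Zone        = $name
                # Replication conflicts are renamed "<zone>\nCNF:<guid>"; a zone whose
                # creation never finished keeps an "InProgress" name. Both are the dupes.
                IsConflict  = [bool]($name -match 'CNF:|InProgress')
                WhenChanged = $r.Properties['whenChanged'][0]
            }
        }
        $results.Dispose()
    }
}

$zones = @(Get-DnsZoneObjects -SearchBases $zoneContainers -LdapServer $Server)
$zones | Sort-Object Partition, Zone | Format-Table Partition, Zone, IsConflict, WhenChanged -AutoSize

$dupes = @($zones | Where-Object { $_.IsConflict })
if ($dupes.Count -gt 0) {
    Write-Warning "$($dupes.Count) conflict/in-progress zone object(s) found; these are the duplicates to delete in ADSI Edit."
} else {
    Write-Host 'No CNF/InProgress zone objects found in any partition.'
}
```

A healthy single-domain forest shows one crl.lan object (in DomainDnsZones or the domain partition) and one _msdcs.crl.lan object (in ForestDnsZones); the same zone name appearing twice, with or without the CNF marker, is the condition the post is asking you to look for.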
  • Oh, wait a sec. We may be taking the wrong approach. If the university is saying that you must use THEIR DNS server and not your own, then the zones will not be AD integrated. They will only exist on THEIR DNS server.

    If this is the case, and the operative word here is "IF," then you won't have any zones on your DC, and you won't have any duplicates.

    And IF this is the case, then the ONLY DNS server that should be in the NIC properties, is THEIR DNS, not your server's IP.

     

    You must first confer with the university's IT department to determine how it was previously set up, so we know the proper next steps and can recommend the correct steps to diagnose and fix the issues; otherwise we may be leading you down the wrong path.

     


    Ace Fekay
    Tuesday, December 06, 2011 10:12 PM
  • Hello,

     

    @Ace, you are right.

    But he has written that it has worked that way for 8 years.

     

    @steve

    Did you change the Domain Controller and Domain name, or do they have the same names as the old Domain Controller and Domain Name?

    Do you have Backup of old Domain Controller?

     

    Regards

    Tuesday, December 06, 2011 11:45 PM
  • Hello,

     

    @Ace, you are right.

    But he has written that it has worked that way for 8 years.

     

    @steve

    Did you change the Domain Controller and Domain name, or do they have the same names as the old Domain Controller and Domain Name?

    Do you have Backup of old Domain Controller?

     

    Regards


    Meant to hit Quote button, not Propose... sorry!

    Patris, excellent point. I guess we'll need more info about how it's been working for the past 8 years, especially since there is only one DC (according to the 2nd or 3rd post).

    I'm curious whether the university's DNS has always been the DNS that was used, or did the DC have DNS installed and the clients were using it as a DNS server?

    My feeling at this point is that it's possible that the university's IT dept has a mandate that all machines must use their DNS, including this DC and this DC's domain's client machines; if so, we need to focus on that DNS and remove the DC as a DNS address.

    Either way, one of the DNS addresses in the ipconfig is wrong, but which one, not sure at this time.

    Regards,
    Ace


    Ace Fekay
    Wednesday, December 07, 2011 12:02 AM
  • Hello,

     

    Ace, no problem.

    We are waiting on his answer. I hope that he can quickly answer.

     

    Regards

    Wednesday, December 07, 2011 8:31 PM
  • Patris, I'm getting more curious by the hour on this one! :-)

     


    Ace Fekay
    Thursday, December 08, 2011 4:22 AM
    It seems that there was a Win2003 Server which was acting as DC with a public IP address assigned to it, and it was working for 8 yrs; the same has been removed from the network after promoting the Win2008 Server, and the public IP address is now assigned to Win2008. As steve weatherbee has mentioned, it was working on the 2003 server before.

    That is why in the previous post I pointed to check all the zones from ADSIedit and remove the cname record if any. Still I have a feeling that there may be a cname record in ADSIedit which is causing the issue.

    Just missed out this point. I would also recommend removing the old Win2003 DC DNS record from DNS (assuming that this DC was present in the n/w and has been removed).

    In the DNS snap-in, expand the zone that is related to the domain from where the server has been removed.
    Remove the CNAME record in the _msdcs.root domain of forest zone in DNS.
    You should also delete the HOSTNAME and other DNS records.

    Also check the zone from adsiedit and remove the cname record if any. Restart the netlogon and DNS service and check.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

     

    Thursday, December 08, 2011 5:24 AM
  • Ok... sorry the forums were offline all day yesterday. I was unable to post (I prefer to keep the discussion here, however if the technical issues persist, I am not opposed to moving to a different venue).

    I have quickly perused most of the posts after this one, and I really appreciate your knowledge and experience and your (I will not name you all, you know who you are) help; it appears I need to add a little background here that may help frame the problems...

    I will attempt to be brief...

    In early September Microsoft issued an automatic update KB 2494007; this update included an update to "share-point services", of which I was using a legacy version (2.0) for calendar sharing within our domain. The update basically fried the 2003 server (it was only minimally functional, file system was unavailable, DHCP stopped, for the most part the desktop was unavailable, etc...). This update was unremovable, and I no longer had access to my onboard tape backup drive.

    The 2008 server was up and connected to the domain and promoted, but was awaiting an update of the 2003 server to R2 to take its new place in the CRL domain, so it was basically just idling and performing very little function.

    I attempted to recover the 2003 server for several days (our Domain was down and users could no longer access the shared drives); during one of the recovery attempts I was able to recover my data and restore the shared files on the 2008 server.

    Note: I do have an ASR backup (after the update was installed, but prior to the system being re-booted) of the 2003 server. I have since reformatted that machine and installed a new 32 bit version of 2008 server. I briefly connected it to the CRL.lan domain with a new member server name; I was unable to get it to talk to the existing DC, so I turned it off and concentrated on the failing (dserver2) to see if I could recover it.

    I worked through a number of issues, and then ran into this issue, which I had no answer for, and then began this thread...

    I tried MS help but was referred to pay support each time (Dell, as well for that matter); we are a small Public Library in rural Nova Scotia with big ideas and a small budget.

    The upstream DNS 142.227.51.1 is on a Provincial Government UNIX server. I use it because several other servers we use for resources reside in their farm; in the past they have been known to move server addresses, which really messed up my Windows DNS (our web server was an example). The referral to it was my doing and can be completely removed (it is currently set up on the forwarders tab).

    I inherited the public IP address scheme; it had worked as a Microsoft Domain address scheme since April 2004, with no real issues, other than the above mentioned DNS issue.

    I have 6 other such sub-net IP address schemes running in other branches (none of these attach to the existing domain); it is however the way things were done.

    This support thread is my only hope of recovering full functionality of this domain. I have considered a complete tear down and rebuild of the system, since the IP address scheme is less than desirable. I would prefer to recover and then plan the re-build.

    I hope this explanation helps some.

    Steve

    Thursday, December 08, 2011 1:35 PM
  • I get the following error message..

    Operation failed. Error Code: 0x202b

    Referral was returned from the server

    0000202B: RefErr: DSID-031006BB, data 0, 1 access points

    ref1: 'ForestDNSZones.CRL.lan'

     

    end...

    Thursday, December 08, 2011 1:48 PM
  • same error as above, Error code 0x202b on both queries..

     

    end...

    Thursday, December 08, 2011 2:03 PM
  • the original DC name was dserver; that was the 2003 server that Windows Update killed.

    Prior to the issue setting in I was able to access AD and delete the dserver DC; it could not be DCpromo'd.

     

    end...


    Thursday, December 08, 2011 2:05 PM
  • Hello steve,

     

    OK, if I understood correctly, tell me:

    1- Domain Name has not changed.

    2- Dc 2003 name was dserver (FQDN =dserver.CRL.lan) and now DC 2008 name is dserver2 (FQDN = dserver2.CRL.lan).

    3- DC 2008 has same IP Address as old DC 2003.

     

    Regards

    Thursday, December 08, 2011 2:27 PM
  • http://crl.library.ns.ca/files/adsi.pdf 

    here are the only entries I can see so far.

    end...


    Thursday, December 08, 2011 3:08 PM
  • Ok, let's see.... Here's what's standing out from what I'm seeing:

    The DNS server did not detect any zones of either primary or secondary type during initialization. It will not be authoritative for any zones, and it will run as a caching-only server until a zone is loaded manually or by Active Directory replication. For more information, see the online Help.

    So that means that the old server was holding the zone and it never replicated to the new one due to AD communication and replication errors.

    Therefore, we need to do a few things:

    1. Set itself as the only DNS. Keep the gov's DNS as a Forwarder.
    2. Create a crl.lan zone. Right-click Forward Lookup Zones, new zone, type in crl.lan. Place the zone in the DomainDnsZones (middle button) replication scope. Allow Secure updates on the zone.
    3. Right-click Forward Lookup zones, Create a _msdcs.crl.lan zone. Place it in the ForestDnsZones (top button) replication scope. Allow Secure Updates on the zone.
    4. Under crl.lan zone, right-click, new Delegation, and delegate the _msdcs name to itself (enter its own IP in the delegation wizard). See the Parent-child link below.
    5. Run an ipconfig /registerdns, then run net stop netlogon, then run net start netlogon
    6. Then run a metadata cleanup to remove the old server from AD. My blog below has a step by step to remove the orphaned machine.

    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

    Complete Step by Step Guideline to Remove an Orphaned Domain controller
    Published by Ace Fekay, MCT, MVP DS on Oct 5, 2010 at 12:14 AM
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

    Set


    Ace Fekay
    Thursday, December 08, 2011 3:09 PM
  • exactly

    it does not have the same IP; they had 2 different IPs since they were active on the same domain..

    just to add confusion, the reborn 2003 server was named dserver 2008

    dc2003 = dserver - IP was 142.227.54.24 now named dserver 2008 same IP (turned Off)

    DC 2008 = dserver2 = IP 142.227.54.28

     

    end..


    Thursday, December 08, 2011 3:14 PM
  • stopped at #2

     

    the zone cannot be created there was a server failure...

     

    end...


    Thursday, December 08, 2011 3:33 PM
  • Hello,

     

    Please run this command and post result here:

    NETDOM QUERY FSMO

     

    Regards

    Thursday, December 08, 2011 6:38 PM
  • Hello,

     

    Please run this command and post result here:

    NETDOM QUERY FSMO

     

    Regards


    Good point. He'll possibly have to seize the roles over first.

    Also possibly, for steps 2 and 3, instead of initially making the zones AD integrated, simply make the zones Standard Primary zones (keeping the "Store in AD..." option unchecked). It's possible the server error message is coming from trying to store them in AD, because it can't find AD.

    Steps revised :

    1. Create a crl.lan zone. Right-click Forward Lookup Zones, new zone, type in crl.lan. Uncheck the box on the bottom to store in Active Directory. Allow Unsecure and Secure updates.
    2. Right-click Forward Lookup zones, Create a _msdcs.crl.lan zone. Uncheck the box on the bottom to store in Active Directory. Allow Unsecure and Secure updates.

     

    Ace

     

     


    Ace Fekay
    Thursday, December 08, 2011 7:23 PM
  • NETDOM QUERY FSMO result

     

    the specified domain does not exist or cannot be contacted

    the command failed to complete successfully.

     

    Note: we have had a little harsh weather and intermittent power outages.

    Friday, December 09, 2011 3:04 PM
  • I was able to create both zones as you indicated.

    Friday, December 09, 2011 3:18 PM
  • on to step #4 from previous post: result
    Friday, December 09, 2011 3:37 PM
  • Hello Steve,

     

    Glad to hear.

    I almost thought that the FSMO roles holder is down. That is why I wrote this command, and Ace said the right solution.

    Now the question is:
    Do you want to use the old Domain Controller as a secondary Domain Controller or not (without demoting the old DC)?
    I have asked for Seizing or Transferring FSMO roles.
     
     
     
    Regards
    • Edited by Patris_70 Friday, December 09, 2011 4:47 PM
    Friday, December 09, 2011 4:35 PM
  • Nice to hear you're able to create the zones. The screenshots look good.

    Now follow Patris' recommendation to seize the FSMO roles. THIS IS A MUST!!

    Let's make sure this machine is a GC. AD Sites & Services, drill down into Servers, under the servername, NTDS settings, right click properties, check the box this is a GC. Then run:

    • ipconfig
    • net stop netlogon
    • net start netlogon
    • In DNS, check the GC folder under _msdcs.crl.lan to make sure the new machine's IP address shows up as a GC entry.

     

    Now run a metadata cleanup to remove the references to the DCs that no longer exist. Or just follow these steps:

    Complete Step by Step Guideline to Remove an Orphaned Domain controller
    Published by Ace Fekay, MCT, MVP DS on Oct 5, 2010 at 12:14 AM
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

     

    Then monitor the event logs for any errors.

    After a day or two, change the zones to AD integrated. That would be the middle CHANGE button below in the screenshot. Check the box to store in AD.

    Then after you hit Apply, click the bottom CHANGE button, and set the replication scope for each zone:

    For the crl.lan zone, select the middle button.
    For the _msdcs.crl.lan zone, the top button.

     

    Ace

     


    Ace Fekay
    Friday, December 09, 2011 5:06 PM
  • Question:

    I was just about to run metadata cleanup, as per #6 of your previous post.

    Then on to seize the FSMO roles, then on to your last post. Is that the correct order, or go on to your last post before completing the metadata cleanup?

    Thanks again...

    Friday, December 09, 2011 5:33 PM
  • I want to integrate the OLD DC back into the domain; as I mentioned it is now a 2008 standard server (32 bit). I will use it for redundant data storage, DHCP and hopefully a back up DC.
    Friday, December 09, 2011 5:38 PM
  • netdom query FSMO

    same error:

    the specified domain either does not exist or cannot be contacted.

    the command failed to complete successfully.

     

    Friday, December 09, 2011 5:58 PM
  • Hello Steve,

     

    You can seize the FSMO roles and clean Metadata. But you must clean/format the old DC, then install Windows Server again and promote it to a secondary Domain Controller.

    (Remember, after seizing FSMO roles, you can not use again old Domain Controller).

     

    Regards

     

     

    Friday, December 09, 2011 6:00 PM
  • Question:

    I was just about to run metadata cleanup, as per #6 of your previous post.

    Then on to seize the FSMO roles, then on to your last post. Is that the correct order, or go on to your last post before completing the metadata cleanup?

    Thanks again...


    As I mentioned, and Patris said, you must seize the roles FIRST!!!

     


    Ace Fekay
    Friday, December 09, 2011 6:09 PM
  • @ seize domain naming master

    I get an invalid syntax message

    Friday, December 09, 2011 6:29 PM
  • got it it's "Seize naming master"

    now on to cleanup of AD

    Friday, December 09, 2011 6:33 PM
  • I still have no access to AD the seizing of roles seemingly went fine.

    end...

    Friday, December 09, 2011 6:42 PM
  • Make sure this DC is holding ALL five FSMO roles. If you believe it is holding all roles now, try and run netdom query fsmo again.

    Also post any event log errors (eventID# and Source names).

     


    Ace Fekay
    Friday, December 09, 2011 6:43 PM
  • What do you mean no access to AD?

    How did you seize the roles? Did you use ntdsutil, or through the three different consoles (ADUC, AD Domains and Trusts, and AD Schema snapin)?

    Did you also make it a GC?

     

     


    Ace Fekay
    Friday, December 09, 2011 6:47 PM
  •  

    Ran netdom query FSMO

    the specified domain either does not exist or cannot be contacted.

    the command did not complete successfully.

    end..

     

    Friday, December 09, 2011 6:48 PM
  • ntdsutil

    I did not make it a GC (can I do this with a command line utility?)

    end..


    Friday, December 09, 2011 6:50 PM
    1. In addition to the event log errors, provide an updated ipconfig /all.
    2. Also provide a screenshot of the GC folder under _msdcs.crl.lan -> expand the GC folder under _msdcs.crl.lan.
    3. Please show us the commands you used to seize each of the five FSMO roles.
    4. Run a net start, and post the results.

     

     


    Ace Fekay
    Friday, December 09, 2011 6:55 PM
  • Windows IP Configuration

       Host Name . . . . . . . . . . . . : dserver2
       Primary Dns Suffix  . . . . . . . : CRL.lan
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : CRL.lan

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #35
       Physical Address. . . . . . . . . : 78-2B-CB-15-BD-4A
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::7839:1639:51ce:ba47%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 142.227.54.28(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.192
       Default Gateway . . . . . . . . . : 142.227.54.62
       DHCPv6 IAID . . . . . . . . . . . : 192424907
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-1A-AE-E4-78-2B-CB-15-BD-4A
       DNS Servers . . . . . . . . . . . : 142.227.54.28
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes


    ntdsutil commands:

    roles

    connections

    connect to server dserver2.CRL.lan

    quit

    seize pdc

    seize rid master

    seize infrastructure master

    seize schema master

    seize naming master

    quit

    quit

    end...

    These Windows services are started:

       Active Directory Domain Services
       Application Experience
       Application Host Helper Service
       Background Intelligent Transfer Service
       BackupAssist Service
       Base Filtering Engine
       Certificate Propagation
       Client for NFS
       COM+ Event System
       Cryptographic Services
       DCOM Server Process Launcher
       Desktop Window Manager Session Manager
       DFS Namespace
       DFS Replication
       DHCP Client
       DHCP Server
       Diagnostic Policy Service
       Diagnostic System Host
       Distributed Transaction Coordinator
       DNS Client
       DNS Server
       DSM SA Connection Service
       DSM SA Data Manager
       DSM SA Event Manager
       DSM SA Shared Services
       File Replication Service
       File Server Resource Manager
       Function Discovery Provider Host
       Function Discovery Resource Publication
       Group Policy Client
       Human Interface Device Access
       IIS Admin Service
       IKE and AuthIP IPsec Keying Modules
       Interactive Services Detection
       Intersite Messaging
       IP Helper
       IPsec Policy Agent
       Kerberos Key Distribution Center
       KtmRm for Distributed Transaction Coordinator
       mr2kserv
       Net Driver HPZ12
       Netlogon
       Network Connections
       Network List Service
       Network Location Awareness
       Network Store Interface Service
       Plug and Play
       Pml Driver HPZ12
       Print Spooler
       Remote Access Connection Manager
       Remote Procedure Call (RPC)
       Remote Registry
       Secondary Logon
       Secure Socket Tunneling Protocol Service
       Security Accounts Manager
       Server
       Server for NFS
       Shell Hardware Detection
       Simply Accounting Database Connection Manager
       Software Licensing
       Symantec Endpoint Protection
       Symantec Event Manager
       Symantec Management Client
       Symantec Settings Manager
       System Event Notification Service
       Task Scheduler
       TCP/IP NetBIOS Helper
       Telephony
       Terminal Services
       Terminal Services Configuration
       Terminal Services UserMode Port Redirector
       User Profile Service
       Windows Error Reporting Service
       Windows Event Log
       Windows Firewall
       Windows Font Cache Service
       Windows Management Instrumentation
       Windows Process Activation Service
       Windows Remote Management (WS-Management)
       Windows Search
       Windows Time
       Windows Update
       Workstation
       World Wide Web Publishing Service

    The command completed successfully.

    end...

     

    Friday, December 09, 2011 7:05 PM
  • Thank you. So far the above *looks* good.

    What about event log errors? Check each and every log, please. Post anything regarding the time service, FRS, NTFRS, KDC, and any other AD related error from all logs, please.

    Also run a dcdiag /v, but post that result to http://skydrive.live.com.

     

    Thanks...


    Ace Fekay
    Friday, December 09, 2011 7:24 PM
  • working on your request thought this looked suspect...

    Friday, December 09, 2011 7:51 PM
  • Public

    the dcdiag /v is here ( first time using this, hope it works)


    end...

    NFS client: event ID 16397

    AD Domain Services: event ID 1126

    Group Policy: event ID 1129

    File Replication Service: event ID 13566

    there are lots of other errors, mostly DHCP

    end..

     


    Friday, December 09, 2011 8:07 PM
  • Hello Steve,

     

    First  sorry, my home internet was down!!

    Now:

    1- Use this command and enable Global Catalog (GC) on your Domain Controller.

    REPADMIN /OPTIONS dserver2.CRL.lan +IS_GC

    2- You seized PDC Emulator role to dserver2 Domain Controller, reset the time source, run this commands on dserver2:

    w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update

    net stop w32time

    net start w32time

    On your edge firewall, make sure UDP port 123 traffic is allowed inbound from the time source.

    More info:

    Configuring the Windows Time Service for Windows Server (Ace Fekay -MVP)

    3- Check for the SYSVOL share, at the command prompt, type:

    net share

     

    Regards

    Friday, December 09, 2011 10:51 PM
  • Hmm, this just keeps getting better!

    So it won't initialize Sysvol. That's why the DC can't be contacted. And it's trying to populate Sysvol from the other DC, which no longer exists.

    To fix it, we have to force it to initialize a new, empty Sysvol. This is called an Authoritative Sysvol Restore.

    To do that, do the following:

    1.  
      1. Click Start, and then click Run.
      2. In the Open box, type cmd and then press ENTER.
      3. In the Command box, type net stop ntfrs.
      4. Click Start, and then click Run.
      5. In the Open box, type regedit and then press ENTER.
      6. Locate the following subkey in the registry:
        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
      7. In the right pane, double click BurFlags.
      8. In the Edit DWORD Value dialog box, type D4 and then click OK.
      9. Quit Registry Editor, and then switch to the Command box.
      10. In the Command box, type net start ntfrs.
      11. Quit the Command box.

     

    When the FRS service is restarted, the following actions occur:

    • The value for the BurFlags registry key is set back to 0.
    • An event 13566 is logged to signal that an authoritative restore is started.
    • Files in the reinitialized FRS replicated directories remain unchanged and become authoritative on direct replication. Additionally, the files become indirect replication partners through transitive replication.
    • The FRS database is rebuilt based on current file inventory.
    • When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.

     

    Restart the box after that.

    Reference:

    Using the BurFlags registry key to reinitialize File Replication Service replica sets
    http://support.microsoft.com/kb/290762/

     

    btw - did you know you posted your email address, and not the link to Skydrive? You may want to remove your email address so it doesn't get harvested by web spiders searching for email addresses.

    You're going to need a double shot of whiskey after this mess is over.

    Ace

     


    Ace Fekay
    Saturday, December 10, 2011 1:09 AM
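The thread asks for each of these things to be confirmed separately (all five FSMO roles seized onto the surviving DC, GC enabled, SYSVOL and NETLOGON shared, FRS reporting 13516 after the BurFlags D4 restart, the time source reset on the PDC emulator). This added, read-only check is not code from the thread or from either MVP's blog; it assumes the DC short name dserver2 from the thread, PowerShell 3.0 or later, and the ActiveDirectory module, and is meant to be run on the DC itself.

```powershell
# Added example (not from the thread): read-only verification of the state the
# thread works toward on the surviving DC. Assumes the DC name dserver2 from the
# thread, PowerShell 3.0+ and the ActiveDirectory module; run it on the DC.
param([string]$DcName = 'dserver2')
Import-Module ActiveDirectory

function New-Finding([string]$Check, $Value, [bool]$Ok) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Ok = $Ok }
}

function Test-RecoveredDc {
    param([string]$DcName)
    $dcShort = ($DcName -split '\.')[0]
    $forest  = Get-ADForest
    $domain  = Get-ADDomain

    # After seizing on the only remaining DC, every role must name this server.
    $roles = @(
        @{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster },
        @{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster },
        @{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator },
        @{ Role = 'RIDMaster';            Holder = $domain.RIDMaster },
        @{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    )
    $findings = foreach ($r in $roles) {
        $holderShort = ([string]$r.Holder -split '\.')[0]
        New-Finding "FSMO $($r.Role)" $r.Holder ($holderShort -ieq $dcShort)
    }

    # Global Catalog (what REPADMIN /OPTIONS +IS_GC or the NTDS Settings checkbox sets)
    $dc = Get-ADDomainController -Identity $dcShort
    $findings += New-Finding 'Global Catalog' $dc.IsGlobalCatalog ([bool]$dc.IsGlobalCatalog)

    # SYSVOL and NETLOGON must be shared before clients can locate the DC ("net share")
    $shares = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
    foreach ($s in 'SYSVOL', 'NETLOGON') {
        $findings += New-Finding "Share $s" ($shares -contains $s) ($shares -contains $s)
    }

    # FRS after the BurFlags=D4 restart: 13566 marks the start of the authoritative
    # restore, 13516 means FRS is operational again (KB 290762); 13516 must be newer.
    $frs = @(Get-EventLog -LogName 'File Replication Service' -Newest 500 -ErrorAction SilentlyContinue)
    $started = $frs | Where-Object { $_.EventID -eq 13566 } | Select-Object -First 1
    $ready   = $frs | Where-Object { $_.EventID -eq 13516 } | Select-Object -First 1
    $frsOk = ($null -ne $ready) -and (($null -eq $started) -or ($ready.TimeGenerated -gt $started.TimeGenerated))
    $findings += New-Finding 'FRS operational (13516 after 13566)' $(if ($ready) { $ready.TimeGenerated } else { 'no 13516 logged' }) $frsOk

    # FRS sets BurFlags back to 0 once it has consumed the restore request. The key
    # name contains a '/', which the PowerShell registry provider treats as a path
    # separator, so read it through the .NET registry class instead.
    $burKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $bur = [Microsoft.Win32.Registry]::GetValue($burKey, 'BurFlags', $null)
    $findings += New-Finding 'NtFrs BurFlags back to 0' $bur ($bur -eq 0)

    # The PDC emulator should sync from the manual peer, not its own CMOS clock.
    $src = (& w32tm /query /source 2>$null) -join ''
    $findings += New-Finding 'Time source' $src ([bool]$src -and $src -notmatch 'Local CMOS Clock|Free-running')

    $findings
}

Test-RecoveredDc -DcName $DcName | Format-Table Check, Value, Ok -AutoSize
```

Any row with Ok = False points back to the corresponding step in the thread (ntdsutil seize, REPADMIN +IS_GC, the BurFlags procedure, or the w32tm /config command), which is a quicker triage than reading every log by hand.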
  • Hello Ace,

     

    A double shot of whiskey is not enough, he needs a bottle of whiskey. :)

     

    Regards

    Saturday, December 10, 2011 2:26 AM
  • Hello Ace,

     

    A double shot of whiskey is not enough, he needs a bottle of whiskey. :)

     

    Regards


    Yea, that's more like it!

     


    Ace Fekay
    Saturday, December 10, 2011 6:27 AM
  • Good morning all,

    We (I) certainly had our challenges last week. All things seem to be a go this week.

    Finished the above, everything appeared to be successful. Moving on to the next post.

     

    Monday, December 12, 2011 12:47 PM
  • Good morning all,

    We (I) certainly had our challenges last week. All things seem to be a go this week.

    Finished the above, everything appeared to be successful. Moving on to the next post.

     


    Good to hear. So that means this is all ironed out?

    If so, please go through the responses and appropriately mark as answer which ones you feel helped you.

    And once again, good to hear!

    Ace

     


    Ace Fekay
    Monday, December 12, 2011 6:07 PM
    Wow, what a difference a weekend makes. Sorry for that screwup with SkyDrive; I'd never used it and had no idea what I was doing.

    After the reboot I had only 3 notable errors in the event log:

    netlogon = event ID 5706 cannot find specified file c:\windows\CRL.lan\scripts

    Group policy = event ID 1058

    and DHCP = event ID 1046

    *I love it when a plan comes together, moving on the next post...*

    Monday, December 12, 2011 6:19 PM
  • will do.

    I think I can take it from here, with no problems.

    I will go through the thread and mark the best answers, but I think it was really the whole thread that helped me tackle this issue but many thanks to patris_70 and to Ace Fekay, without you 2 I'd be back to square one.

    Thanks again, your help was deeply appreciated.

    Monday, December 12, 2011 6:26 PM
  • Hello Steve,

     

    Glad to hear.

    Now, time to a double shot of whiskey. :)

     

    Regards

    Monday, December 12, 2011 7:15 PM
  • Hello Ace,

     

    A double shot of whiskey is not enough, he needs a bottle of whiskey. :)

     

    Regards


    Make that two doubles! ;-)

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn
    Monday, December 12, 2011 7:18 PM
  • Hello Steve,

     

    Glad to hear.

    Now, time to a double shot of whiskey. :)

     

    Regards


    Make that two doubles!

    And I responded to the wrong post a moment ago. :-)


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn
    Monday, December 12, 2011 7:20 PM
    Wow, what a difference a weekend makes. Sorry for that screwup with SkyDrive; I'd never used it and had no idea what I was doing.

    After the reboot I had only 3 notable errors in the event log:

    netlogon = event ID 5706 cannot find specified file c:\windows\CRL.lan\scripts

    Group policy = event ID 1058

    and DHCP = event ID 1046

    *I love it when a plan comes together, moving on the next post...*


    That's actually a vast improvement! :-)

     

    As for can't find the file - physically look at your DCs in that path to see if you can find it. That would be the NETLOGON share, specifically in windows\sysvol\sysvol\crl.lan\scripts.

    As for DHCP 1046, right click the DHCP server in the DHCP console, and choose Authorize. If it's not, we'll work from there.

    The 1058... let's see if the above two things are straightened out.

     

    Oh, where are we with the FSMOs? Post a netdom query fsmo results, please.

     

    And forgot to ask - under the gc.crl.lan, what IP addresses do you see? (Those are the GC, or Global Catalog, IP addresses. Your DC should be one.)


    Ace Fekay
    Monday, December 12, 2011 7:24 PM
  •  windows\sysvol\sysvol\crl.lan folder is empty.

    DHCP is now authorized and functioning.



    Getting a DHCP error related to the IAS service, event ID 1070.

    GP event ID 1058 is unchanged.


    Note: I am installing the network access and policy services role.
    Tuesday, December 13, 2011 1:32 PM
  • The 1070 is related to NPS not started:

    Event ID 1070 — DHCP NAP: NPS Availability
    http://technet.microsoft.com/en-us/library/cc726931(WS.10).aspx

     

    Did you previously have a script in the NETLOGON share?


    Ace Fekay
    Wednesday, December 14, 2011 12:20 AM
    I set up NPS; now DHCP is no longer working at all. It leases the addresses but does not return the lease to the target machine (currently working on that).

    I cannot answer your script question; I had bigger issues and did not take the time to look.

    errors as follows: GP error 1058

    termDD event id 50 and event ID 56

    Warnings:

    timeserver event id 12 and event id 36

    kerberos event ID 29

    Netlogon event ID 5703

    lsasrv event ID 40960

    DHCP event ID 10020 and 1056

    storfit event ID 5

    windows remote manager event ID 10154

    end...

    Wednesday, December 14, 2011 1:18 PM
    I went back to change the DNS zones to Active Directory integrated and was only partially successful. Both are still set to "All domain controllers in this domain (for Windows 2000 compatibility): CRL.lan".

    I get this server failure when I try to make the appropriate change.

    end....

     

     

     

    Wednesday, December 14, 2011 2:27 PM
    All event IDs are from the DC.

    Tried to request a new certificate; got the following error:

    Wednesday, December 14, 2011 3:11 PM
    Tried setspn via the command line suggested:

    Wednesday, December 14, 2011 3:26 PM
    Don't put the zone in AD yet, since there are still problems with your DC, but you can see that the rep scope will not set anyway due to the problems. This error may indicate a dupe zone still exists in the AD database. Remember that link I gave you to check for dupes? Here it is again:

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    As for the time service, as Patris posted, my time blog will help configure it. This is because the time server for an AD forest is the PDC Emulator. Since that was seized to the new machine, it must be configured as a time server for your forest. Since you only have the one DC, just run the following and use whatever time server the university tells you to (replace the IP in the example with what they tell you to use):

    w32tm /config /manualpeerlist:192.168.10.5 /syncfromflags:manual /reliable:yes /update

     

    As for installing NPS, why? That will definitely complicate the machine, and worse, since it's already having trouble, you're adding to it. Besides, NPS is part of RRAS, and RRAS should not be on a DC anyway. It turns it into a multihomed DC, which is extremely problematic. We need to fix this server first before adding services.

    Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters - A multihomed DC is not a recommended configuration, however there are complex ways to configure such a DC to work properly.
    http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

     

    Have you thought about calling Microsoft Support to get this working? It's been a couple of weeks now. I think it's time to give them a call to get this going, wouldn't you think? They can log in and take care of it, where it's much more difficult for us in the forums without actually seeing the machine first hand, where we could recognize things if logged in remotely to take care of it. They can.

    Ace

     


    Ace Fekay
    Wednesday, December 14, 2011 4:09 PM
    Tried setspn via the command line suggested:

    Hello Steve,

    Your input is incorrect.

    Please use this and test again.

     

    setspn -A WSMAN/dserver2.CRL.lan dserver2

     

    Regards

    Wednesday, December 14, 2011 5:12 PM
  • thank you that worked.

    @ Ace

    I disabled the NPS and removed the ADI from the DNS.

    I did try and phone MS support; they referred me to pay support, which I have absolutely no budget for. I would have preferred that, since I believe that the automatic update caused the whole mess in the 1st place.

    I installed NPS because an event ID called for it, and I was also going back and doing cleanup; that's when I tried to re-initiate the ADI in the DNS as per an earlier post.

    I do appreciate your assistance and I understand your frustration.

    Wednesday, December 14, 2011 5:30 PM
  • Hello,

     

    Did you run this command too?

    setspn -A WSMAN/dserver2 dserver2

    Did you reset Time Services and set on dserver2 too?

    Run this command on dserver:

    w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update

    net stop w32time

    net start w32time

    On firewall, make sure UDP port 123 traffic is allowed inbound from the time source.

    Do you have a 3rd-party cert... in the Personal/Certificate store?

    If yes, delete this 3rd-party cert...

     

    Now tell us, which event IDs do you have again?

    Regards

    Wednesday, December 14, 2011 5:58 PM
    I did redo both setspn commands, thanks for the corrected syntax.

    I did reset time services and got the following warning:

    ~Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.~

     

    there are 0 certificates in the personal store.

    Group policy Event ID 1058

    termDD event ID 56

    there are a few warnings as well...

    end...

    Wednesday, December 14, 2011 6:13 PM
  • Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones:

    produced the following error:

    Wednesday, December 14, 2011 7:01 PM
  • Hello Steve,

     

    Configuring the Windows Time Service

    Basically, what this event means is that the PDC Emulator in the forest root domain has not been configured to synchronize its clock with an external stratum 1 time source, and as a result the clocks on all machines in your forest cannot be considered reliable. Now this may be an issue if employees rely upon their workstations’ CMOS clocks for signing in and out, but as far as Kerberos is concerned it’s a non-issue because Kerberos only requires that clocks on clients and authenticators agree with each other, not that they display accurate time. So if every machine’s clock in the forest is one hour late, Kerberos will still work fine and replay attacks will be prevented, which is the purpose of W32Time anyway.

    ------

    Check the TCP/IP NetBIOS Helper service (it must be started)

    Enable File and Printer Sharing for Microsoft Networks

    ------

    The Curious Case of Event ID: 56 with Source TermDD

    Did you install RAS and Terminal Services?

    If yes, uninstall.

    ------

    Restart DC and check Event Viewer again.

     

    Regards

     


    • Edited by Patris_70 Wednesday, December 14, 2011 7:39 PM
    Wednesday, December 14, 2011 7:36 PM
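An added diagnostic for the NtpClient warning quoted above and the w32tm commands Ace and Patris posted (example script written for this page, not from the thread): it checks whether this DC holds the PDC Emulator role and whether W32Time is still on the domain hierarchy (Type NT5DS) instead of a manual NTP peer list. It assumes the RSAT ActiveDirectory module is present on the DC and that "w32tm /query /configuration" prints lines of the form "Type: NTP (Local)".

```powershell
# Added example: reproduce the reasoning behind event "PDC emulator has no
# time source above it" and report whether the w32tm /config fix from the
# thread has been applied. Not code from the thread.

function Get-W32tmConfiguration {
    # Parse the NtpClient settings out of "w32tm /query /configuration".
    # Relevant lines look like "Type: NTP (Local)" or "AnnounceFlags: 5 (Local)";
    # "(Policy)" appears instead of "(Local)" when a GPO sets the value.
    $config = @{}
    foreach ($line in (& w32tm /query /configuration)) {
        if ($line -match '^\s*(Type|NtpServer|AnnounceFlags):\s*(.+?)\s*\((Local|Policy)\)\s*$') {
            $config[$matches[1]] = $matches[2]
        }
    }
    return $config
}

function Test-PdcTimeSource {
    Import-Module ActiveDirectory -ErrorAction Stop

    $cs    = Get-WmiObject Win32_ComputerSystem
    $self  = '{0}.{1}' -f $cs.Name, $cs.Domain
    $pdc   = (Get-ADDomain).PDCEmulator
    $isPdc = ($self -ieq $pdc)

    $cfg    = Get-W32tmConfiguration
    $source = (& w32tm /query /source | Out-String).Trim()

    # The warning condition: the forest-root PDC Emulator still uses the domain
    # hierarchy (NT5DS), so there is nothing above it to synchronize from.
    if (-not $isPdc) {
        $verdict = 'Not the PDC Emulator: syncing from the domain hierarchy (NT5DS) is correct here'
    } elseif ($cfg['Type'] -ne 'NTP') {
        $verdict = 'PDC Emulator still on the domain hierarchy: run ' +
                   'w32tm /config /manualpeerlist:<ntp-server> /syncfromflags:manual /reliable:yes /update'
    } elseif ($cfg['AnnounceFlags'] -ne '5') {
        # /reliable:yes sets AnnounceFlags to 5; the default of 10 is not "always reliable".
        $verdict = 'Manual NTP peer configured, but AnnounceFlags is not 5 (not advertised as reliable)'
    } else {
        $verdict = 'OK: PDC Emulator syncs from a manual NTP peer and is advertised as reliable'
    }

    $result = New-Object PSObject -Property @{
        ComputerName  = $self
        PdcEmulator   = $pdc
        IsPdcEmulator = $isPdc
        ClientType    = $cfg['Type']
        NtpServer     = $cfg['NtpServer']
        AnnounceFlags = $cfg['AnnounceFlags']
        CurrentSource = $source
    }
    $result | Add-Member NoteProperty Verdict $verdict
    return $result
}

Test-PdcTimeSource | Format-List
```

On a DC that has not been configured, CurrentSource typically reads "Local CMOS Clock" or "Free-running System Clock"; after the w32tm /config command and a W32Time restart it should show the peer you configured.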
    TCP/IP NetBIOS Helper service looks OK and is started.

    File and Printer Sharing for Microsoft Networks is enabled; however, printer sharing is off (no printers installed).

     

    I need terminal services to run my accounting package (Simply Accounting).

    I will restart shortly.

     

    end...

    Wednesday, December 14, 2011 8:14 PM
  • You're receiving a referral because it's trying to find the ForestDnsZones partition in contoso.com. You need to specify your own domain name.

    You have to type in:

    dc=forestdnszones,dc=crl,dc=lan

    and for the DomainDnsZones:

    dc=domaindnszones,dc=crl,dc=lan

     

    Sorry my example did not specify to use your own domain name substituting contoso.com in the example. I kind of thought that would be understood? I may have to update my blog to make sure it doesn't confuse others.

     


    Ace Fekay
    Thursday, December 15, 2011 12:45 AM
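An added script for the duplicate-zone check Ace describes above (written for this page; not code from his blog post or the thread): it enumerates dnsZone objects in DomainDnsZones, ForestDnsZones and the Windows 2000-compatible CN=MicrosoftDNS,CN=System container, and flags zones that exist in more than one place or carry the "CNF:" conflict marker AD gives to colliding objects. The DC name and domain DN are taken from this thread; assume it runs as a domain admin.

```powershell
# Added example: find duplicate or conflicting AD-integrated DNS zones across
# the three storage locations, the condition behind the "server failure" when
# changing the replication scope. Not code from the thread.

function Get-AdIntegratedDnsZone {
    param(
        [string]$Server   = 'dserver2.CRL.lan',   # from the thread
        [string]$DomainDn = 'DC=crl,DC=lan'       # from the thread
    )
    $containers = @{
        'DomainDnsZones' = "CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
        'ForestDnsZones' = "CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDn"
        'Domain (W2K)'   = "CN=MicrosoftDNS,CN=System,$DomainDn"
    }
    $zones = @()
    foreach ($partition in $containers.Keys) {
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$($containers[$partition])")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=dnsZone)')
        $searcher.SearchScope = 'OneLevel'
        $searcher.ReferralChasing = 'None'   # a referral here means the wrong DN, as in the post above
        try   { $found = $searcher.FindAll() }
        catch { Write-Warning ('{0}: {1}' -f $partition, $_.Exception.Message); continue }
        foreach ($r in $found) {
            # A conflict object is renamed "<zone>\0ACNF:<guid>": a literal newline plus CNF:.
            $name = [string]$r.Properties['name'][0]
            $zones += New-Object PSObject -Property @{
                Partition  = $partition
                Zone       = ($name -split "`n")[0]
                IsConflict = ($name -match 'CNF:')
                DN         = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    return $zones
}

function Find-DuplicateDnsZone {
    param([object[]]$Zones = (Get-AdIntegratedDnsZone))
    # Suspect: same zone name in more than one storage location, or any CNF:
    # object. Either can make the DNS server load a copy you did not intend.
    $Zones | Group-Object { $_.Zone.ToLower() } | Where-Object {
        $_.Count -gt 1 -or ($_.Group | Where-Object { $_.IsConflict })
    } | ForEach-Object {
        New-Object PSObject -Property @{
            Zone      = $_.Name
            Copies    = $_.Count
            Locations = ($_.Group | ForEach-Object { $_.Partition }) -join ', '
            Conflicts = @($_.Group | Where-Object { $_.IsConflict }).Count
        }
    }
}

Find-DuplicateDnsZone | Format-Table Zone, Copies, Conflicts, Locations -AutoSize
```

An empty table means no duplicate or conflict objects were found; _msdcs.crl.lan living in ForestDnsZones while crl.lan lives in DomainDnsZones is normal and is not reported.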
    Cannot access that context; I get the following error:

    It was the same error for both contexts you suggested.

    end...

    Thursday, December 15, 2011 1:44 PM
  • errors:

    GP 1058

    ntfsServer event id 1006

    netlogon event ID 5706

    warnings:

    storfit event ID 5

    winRM service event ID 10149 and 10154

    netlogon 5703

    kerberos KDC event ID 29

    Same time service error (I can accept this for now)

    DHCP server event ID 1056 and 10020

    disk event id 51

    termDD event ID 50

    Thursday, December 15, 2011 1:55 PM
  • Hello Steve.

     

    I have other question:

    Which configuration or settings do you have on the dserver2 DC (I mean exactly, such as users, clients, shared folders, etc.)?

    You told us you have an old DC, but it is down.

    Can you install dserver2 again (clean install) and then import users to the new DC?

    Think about it: you have lost two weeks' time.

    Please do not be angry, this is only a suggestion.

     

    Regards


    • Edited by Patris_70 Thursday, December 15, 2011 2:46 PM
    Thursday, December 15, 2011 2:45 PM
  • Patris_70

    Please do not misunderstand my frustration with MS as being anger. I feel let down by someone (MS Corp) I trusted and often advocated for. My frustration is with them and this seemingly new business model. (I have not needed MS support in some time, and in the past found them most helpful; now, when I really need help, I have to get out my credit card before they'll even talk to me.)

    I have re-installed the old server and I am in the process of doing updates to it, it should be ready to use sometime today.

    We appear to have recovered the important stuff from the domain, although I can not be sure what still works and what had been damaged beyond my ability to repair.

    The current domain (dserver2) is authenticating users, allowing them access to their shared files and applying the original folder security (although I haven't looked into this very carefully).

    I would have no issues moving to the old server which will be named dserver2008 (it is 32 bit BTW) and re-installing the dserver2 from scratch.

    Again, not angry, just determined to get my domain back to normal. I have the time; hopefully I (we) can do this. What I don't have is money, unfortunately.

    Please know that I appreciate your assistance and your willingness to help.

    Thursday, December 15, 2011 3:20 PM
  • Did you also try it with DomainDnsZones?

    Are you able to add the Default Naming Context - that's the radio button next to "Select a well known Naming Context?"

    Sorry to hear your frustrations with support. For something like this, they would have to charge because it's a unique customer setup, and not an operating system error based on a Windows update, which would have been free. Anything specific like this is chargeable. I hope you understand. It's like saying my car's customized radio is not working and I take it back to Dodge or Ford, and say fix it, but they say it's not covered under warranty because you customized it, therefore we need to have a tech take the time to go through what you did, your custom installation, AD installation, etc, to understand the settings to be able to come up with a resolution.

     

    If I have some time, I would like to remote into it to see what I can find to repair it, but I am short on time this week. I'm teaching a day and eve class, and Friday afternoon, I must kick off a Win2003 Stf to SBS 2011 migration that will tie me up into the weekend. Maybe Sunday eve or Monday I may have time...


    Ace Fekay
    Thursday, December 15, 2011 4:00 PM
  • I did try DomainDnsZones got the same result.

    My frustration with support comes from my original call (back in early September, so it has really been two months, not 2 weeks) to them to simply help remove automatic update KB 494007 from my 2003 server after it was applied. At that juncture I felt they were obligated to help because this update fried my system. They then referred me to pay support only; no other level of support was offered.

    I accept your suggestion that I am beyond their help now (for free support), the original issue left me with a bitter taste in my mouth.

    I realize that this forum is not the place to debate this issue but felt is was worth mentioning.

    I would greatly appreciate your help; please let me know what you need to remote in to my system (we have to figure out a way to get you that info securely).

    I will be heading out on holidays until the 28th so tomorrow the 21st will be my last day. I can monitor your progress and will gladly assist in any way that I can. Please remember that this is a production server, the library is open most days (except Sundays) 8:00 am until 8:00 pm Atlantic time.

    A second server will soon be available if that option will resolve this issue faster.

    Thanks again for your help. I'd have been in the toilet long ago without the help offered by this forum and its participants.

     

    yes.

    end...

     


    Thursday, December 15, 2011 5:30 PM
  • Hello Steve,

     

    Try with port 389.

     

     

    Regards

    Thursday, December 15, 2011 6:01 PM
    Same error as above, error code 0x202b
    Thursday, December 15, 2011 6:10 PM
  • Hello Steve,

     

    Please try with Active Directory Explorer v1.42 tool and test again.

     

     

     

    Hope you don't get the error again!!

     

    Regards

     

     

    Thursday, December 15, 2011 7:07 PM
  • Steve,

    I'm not sure of my schedule this weekend with the migration I'm performing. If I can get a few minutes to take a peek, I will. We'll use a remote tool such as TeamViewer or CrossLoop, since I don't think your IT group will allow RDP. Give me your email address. When you post it, space out your email address so it won't be farmed by web bots.

    Keep in mind, based on all the info you've posted, it's either going to be an easy fix, or possibly a not so easy fix, depending on what I find. If it will take time to fix, that may be something I am short on. We'll discuss this when you email me.

    Also, in the meantime, please try Patris' suggestion to use AD Explorer. That would be easier than ADSI Edit.

    Ace


    Ace Fekay
    Friday, December 16, 2011 2:05 AM
  • steve(dot)weatherbee (at)

    cumberland(no space)public(no space)libraries(dot)ca

    this goes directly to my black berry as well.

    Many Thanks again..

    end...

    Friday, December 16, 2011 1:16 PM
  • this is what I see perhaps I left out the path...

    Friday, December 16, 2011 1:39 PM
  • Hello Steve,

     

    Did you solve problem?

    If yes, please tell us how to.

     

    Regards

    Friday, December 23, 2011 1:09 AM
    No resolution as of yet. I am on vacation for a few days; I will return on the 28th but will be working on the CIRC desk at the library until the new year, so I will most likely begin again in the new year with a new sense of vigor.

    Thanks for your concern.

    Steve Weatherbee

    Friday, December 23, 2011 3:12 PM
  • Let's work on this after the Christmas break. I've been pretty busy the past few days working on a migration. The other day, I didn't get home until 5:30 am. Too bad RDP access is IP controlled, which requires coordinating a time between us to use CrossLoop.  

    Ace Fekay
    Friday, December 23, 2011 5:27 PM
  • @ ace

    Were you able to get access to the server with the info I sent you earlier this week?

    Thursday, January 05, 2012 7:59 PM
  • Hello Steve,

     

    Active Directory Explorer v1.42 tool has not helped?

     

    Regards

    Thursday, January 05, 2012 8:15 PM
    I did; it would not access the AD. I thought I posted the results here, but I don't see the post. I will redo the attempt tomorrow and post the error.

    Thanks

    Happy New Year BTW

    Thursday, January 05, 2012 8:26 PM

  • This is what I see.

    end...

    Friday, January 06, 2012 2:34 PM
  • We should be seeing more than this. I'll try to get some free time tonight to look at this. Monday and onward, I just took a big contract for a day gig for a few weeks, as well as teaching an evening class. I will be tied up! So I'll try to get this in tonight...

     

    Ace


    Ace Fekay
    Friday, January 06, 2012 4:07 PM
  • Steve,

    I followed your email instructions, and I was able to authenticate in to your infrastructure (without mentioning specifics publicly), but I was not able to RDP to the server. I replied with specifics and screenshots. Let me know what I need to do to connect.

    I have the time this weekend, and I really want to take a look at this!

    Ace

     

    btw - I don't know if you've noticed, but this thread has grown so large, and with all the screenshots and the size of it, it takes an awfully long time to load. :-)


    Ace Fekay
    Sunday, January 08, 2012 4:22 AM
    Yep, been having issues logging onto the thread; perhaps we should start anew.

    I forwarded your e-mail on to Brandon Ulhman he is our contact at the Provincial Office and he setup the tunnelling sessions for us. He knows very little about MS systems, but should be able to help you. (Hopefully)

    Unfortunately, getting help on the weekend might be an issue.

    Sorry...

    end..

    Sunday, January 08, 2012 4:28 PM
  • Took a little time to get remoted in, then some more time to resolve it, but it seems to be resolved and working fine now. With Steve's permission, I am posting the steps I took to resolve it. I hope others benefit from this.

    Ace

     

     

     

    ==================================================================
    ==================================================================
    Steve Weatherbee CRL issues.

    Resolution steps.

    ***********************************************************************

    C:\Users\admin>netdom query fsmo
    Schema master               dserver2.CRL.lan
    Domain naming master        dserver2.CRL.lan
    PDC                         dserver2.CRL.lan
    RID pool manager            dserver2.CRL.lan
    Infrastructure master       dserver2.CRL.lan
    The command completed successfully.

    ***********************************************************************
    Dcdiag shows:
          Starting test: MachineAccount
             Checking machine account for DC DSERVER2 on DC DSERVER2.
             Warning:  Attribute userAccountControl of DSERVER2 is:
                0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
                Typical setting for a DC is
                0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
                This may be affecting replication?
             * SPN found :LDAP/dserver2.CRL.lan/CRL.lan
             * SPN found :LDAP/dserver2.CRL.lan
             * SPN found :LDAP/DSERVER2
             * SPN found :LDAP/dserver2.CRL.lan/CRL
             * SPN found :LDAP/b072f201-6e73-4798-93b1-01c0e084cc4d._msdcs.CRL.lan
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/b072f201-6e73-4798-93b1-01c0e084cc4d/CRL.lan
             * SPN found :HOST/dserver2.CRL.lan/CRL.lan
             * SPN found :HOST/dserver2.CRL.lan
             * SPN found :HOST/DSERVER2
             * SPN found :HOST/dserver2.CRL.lan/CRL
             * SPN found :GC/dserver2.CRL.lan/CRL.lan

    I changed it to what it should be: 0x82000 by using ADSI Edit:

    ADSI Edit shows decimal value for UserAccountControl as 532512 (0x82020)
    I changed it to 532480 (0x82000)

    Ref:
    Incorrect userAccountControl Attribute value causes error when running DCDIAG or during promotion of a server to a DC
    http://blogs.dirteam.com/blogs/jorge/archive/2006/08/27/Incorrect-_2600_quot_3B00_userAccountControl_2600_quot_3B00_-Attribute-value-causes-error-when-running-DCDIAG-or-during-promotion-of-a-server-to-a-DC.aspx


    ***********************************************************************
    Then restarted AD Domain Services service.

    Event ID 5706:
    The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\CRL.lan\SCRIPTS.  The following error occurred:
    The system cannot find the file specified.


    ***********************************************************************

    Computer Browser service disabled.

    Although not necessary, I enabled it in order to view network shares.

    No harm in keeping it enabled.


    ***********************************************************************

    To see if any other DCs are in the domain, I ran metadata cleanup, but I found DSERVER2 is the only one, then quit the utility.

    C:\Users\admin>ntdsutil
    ntdsutil: metadata cleanup
    metadata cleanup: connections
    server connections: connect to server dserver2
    Binding to dserver2 ...
    Connected to dserver2 using credentials of locally logged on user.
    server connections: quit
    metadata cleanup: select operation target
    select operation target: list domains
    Found 1 domain(s)
    0 - DC=CRL,DC=lan
    select operation target: select domain 0
    No current site
    Domain - DC=CRL,DC=lan
    No current server
    No current Naming Context
    select operation target: lists sites
    Error parsing Input - Invalid Syntax.
    select operation target: list sites
    Found 1 site(s)
    0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
    select operation target: select site 0
    Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
    Domain - DC=CRL,DC=lan
    No current server
    No current Naming Context
    select operation target: list servers in site
    Found 1 server(s)
    0 - CN=DSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
    select operation target: quit
    metadata cleanup: quit
    ntdsutil: quit

    C:\Users\admin>


    ***********************************************************************

    More on Event ID 5706:

    Went to:
    Event ID 3051 and 5706 on domain controllers
    http://support.microsoft.com/?id=258805

    Checked reg entry per article:
    These error messages can occur if entries under the following registry key on the domain controller are missing or incorrect:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

    Stopped netlogon service

    Reg location shows a value for SYSVOL, and the SYSVOL path exists to c:\windows\sysvol\sysvol
    Removed sysvol value
    Created:
    On the Edit menu, click Add Value, and then add the following registry values:
    Value Name: DBFlag
     Data Type: REG_SZ
     Value: 0

    Value Name: DBFlag
     Data Type: REG_SZ
     Value: 0

    Started Netlogon

    Netlogon share still not created.
    Folders are missing in SYSVOL.

    This could be because this server is a replica DC and the initial replication never occurred.
    I manually created the SYSVOL structure by creating the following folders under c:\windows\sysvol\sysvol:
         ClientAgent
         Policies
         Scripts

    Restarted AD Domain Services.

    Netlogon successfully shared and started.

    Missing policies in Policies folder.

    Event ID 1058

    Default Policies show up in GPMC, but cannot connect or view settings.

    ***********************************************************************

    Used the following to rebuild the missing SYSVOL folders:

    How to rebuild the SYSVOL tree and its content in a domain
    http://support.microsoft.com/kb/315457 

    Note - since this is the only DC in the domain, I used the D4 option to build a new one.
    D2 would have been used to pull a copy from another DC.

    To configure the SYSVOL replica set to be authoritative, follow these steps:
    • Click Start, click Run, type regedit, and then click OK.
    • Locate and then click the BurFlags entry under the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID
    GUID is the GUID of the domain system volume replica set that is shown in the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID
    • Right-click BurFlags, and then click Modify.
    • Type D4 in the Value Data field (Hexadecimal), and then click OK.

    No good... Ok, next step to recreate the default GPOs...

    ***********************************************************************
    Ran:
    dcgpofix /ignoreschema

    Didn't have permissions to run it.
    Added myself to the Enterprise Admins and Schema Admins
    Logged off, then on again.


    Ran the command again. Sysvol policies and everything else is now created.
    GPMC now shows both policies and all settings.


    ***********************************************************************
    Symantec Endpoint Installed!! WHAT???

    SEP is a known issue with blocking domain communications.

    Please uninstall and reboot and get back to me.


    ***********************************************************************

    Still cannot connect to DomainDnsZones or ForestDnsZones partitions.

    Error messages:


    ---------------------------
    ADSIEdit
    ---------------------------
    Operation failed. Error code: 0x202b
    A referral was returned from the server.
    0000202B: RefErr: DSID-031006BB, data 0, 1 access points
     ref 1: 'DomainDnsZones.CRL.lan'

    ---------------------------
    OK  
    ---------------------------

     

    and

     

    ---------------------------
    ADSIEdit
    ---------------------------
    Operation failed. Error code: 0x202b
    A referral was returned from the server.
    0000202B: RefErr: DSID-031006BB, data 0, 1 access points
     ref 1: 'ForestDnsZones.CRL.lan'

    ---------------------------
    OK  
    ---------------------------

     


    ***********************************************************************

    C:\Users\admin>dnscmd dserver2 /EnlistDirectoryPartition DomainDnsZones.CRL.lan

    Enlist directory partition failed: DomainDnsZones.CRL.lan
        status = 9904 (0x000026B0)
    Command failed:  DNS_ERROR_DP_ALREADY_ENLISTED     9904


    C:\Users\admin>

     

    ***********************************************************************

    C:\Users\admin>dnscmd dserver2 /EnlistDirectoryPartition ForestDnsZones.CRL.lan

    Enlist directory partition failed: ForestDnsZones.CRL.lan
        status = 9904 (0x000026B0)
    Command failed:  DNS_ERROR_DP_ALREADY_ENLISTED     9904


    C:\Users\admin>

     


    ***********************************************************************

    C:\Users\admin>dnscmd /Enumdirectorypartitions
    Enumerated directory partition list:

            Directory partition count = 2
     DomainDnsZones.CRL.lan                    Enlisted Auto Domain
     ForestDnsZones.CRL.lan                    Enlisted Auto Forest

     

    ***********************************************************************


    The two partitions are obviously corrupt.


    ***********************************************************************


    Using ADSI Edit, I deleted the DomainDnsZones and ForestDnsZones partitions:

    Reference:

    Are Your DNS Application Partitions Corrupt?
    http://cbfive.com/blog/post/Are-Your-DNS-Application-Partitions-Corrupt.aspx


    Using ADSIEdit.msc
     1.Navigate to the CrossRef object for the application partition on a specific DC (CN=Partitions,CN=Configuration,DC=Domain,DC=Com)
     2.Delete the CrossRef object, essentially skipping to step 7 above.
     3.Force replication, validate that the partition is gone.
     4.Restart DNS, the service will re-add the partition.

    Optionally, you can do it this way, too:

    Using NTDSUtil:
     1.Open the CMD prompt
     2.NTDSUtil
     3.Domain Management (In 2008 it changes to "partition management")
     4.Connections => connect to server ERICSDC01
     5.Quit
     6.List <--- to see zones
     7.Delete NC DC=DomainDNSZones,DC=Domain DC=Com (This Deletes the CrossRef Object)
     8.Force replication, validate that the partition is gone.
     9.Restart DNS, the service will re-add the partition.

    ***********************************************************************

    After deleting DomainDnsZones:

    C:\Users\admin>dnscmd /Enumdirectorypartitions
    Enumerated directory partition list:

            Directory partition count = 2
     DomainDnsZones.CRL.lan                    Enlisted Deleted Auto Domain
     ForestDnsZones.CRL.lan                    Enlisted Auto Forest


    Command completed successfully.


    ***********************************************************************

    Recreated DomainDnsZones

    Right click DNS Server Name
    Configure Default Application Directory Partitions.

    Click YES for Domain partition
    On Second Prompt, Click NO for Forest partition

     

    ***********************************************************************


    After deleting ForestDnsZones but after recreating DomainDnsZones

    C:\Users\admin>dnscmd /Enumdirectorypartitions
    Enumerated directory partition list:

            Directory partition count = 2
     DomainDnsZones.CRL.lan                    Enlisted Auto Domain
     ForestDnsZones.CRL.lan                    Enlisted Deleted Auto Forest


    Command completed successfully.

     


    ***********************************************************************

    Recreated ForestDnsZones

    Right click DNS Server Name
    Configure Default Application Directory Partitions.

    click NO for Domain partition
    On Second Prompt, Click YES for Forest partition


    ***********************************************************************


    After recreating ForestDnsZones:

    C:\Users\admin>dnscmd /Enumdirectorypartitions
    Enumerated directory partition list:

            Directory partition count = 2
     DomainDnsZones.CRL.lan                    Enlisted Auto Domain
     ForestDnsZones.CRL.lan                    Enlisted Auto Forest


    Command completed successfully.

     

    ***********************************************************************

    Symantec Endpoint uninstalled and rebooted.


    ***********************************************************************

    Event log errors are now CLEAN!!!!  <nice!>


    ***********************************************************************

    Symantec Endpoint reinstalled. I excluded the whole C:\windows folder and all subfolders. This will take care of
    the NTDS and SYSVOL folders, and anything else it may try to block or quarantine.

    ***********************************************************************

    C:\Users\admin>NTFRSUTL ds dserver2
    NTFRS CONFIGURATION IN THE DS
    SUBSTITUTE DCINFO FOR DC
       FRS  DomainControllerName: (null)
       Computer Name            : DSERVER2
       Computer DNS Name        : dserver2.CRL.lan

    BINDING TO THE DS:
       ldap_connect     : dserver2.CRL.lan
       DsBind     : dserver2.CRL.lan

    NAMING CONTEXTS:
       SitesDn    : CN=Sites,cn=configuration,dc=crl,dc=lan
       ServicesDn : CN=Services,cn=configuration,dc=crl,dc=lan
       DefaultNcDn: DC=CRL,DC=lan
       ComputersDn: CN=Computers,DC=CRL,DC=lan
       DomainCtlDn: OU=Domain Controllers,DC=CRL,DC=lan
       Fqdn       : CN=dserver2,OU=Domain Controllers,DC=CRL,DC=lan
       Searching  : Fqdn

    COMPUTER: DSERVER2
       DN   : cn=dserver2,ou=domain controllers,dc=crl,dc=lan
       Guid : dcab9611-82fe-4ba3-93ace6f3764c44ea
       UAC  : 0x00082000
       Server BL : CN=DSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
       Settings  : cn=ntds settings,cn=dserver2,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=crl,dc=lan
       DNS Name  : dserver2.CRL.lan
       WhenCreated  : 4/26/2011 11:25:2 Atlantic Standard Time Atlantic Daylight Time [240]
       WhenChanged  : 1/11/2012 16:52:4 Atlantic Standard Time Atlantic Daylight Time [240]

       SUBSCRIPTION: NTFRS SUBSCRIPTIONS
          DN   : cn=ntfrs subscriptions,cn=dserver2,ou=domain controllers,dc=crl,dc=lan
          Guid : 1315f31c-01a0-4d69-a14fe529e4b0cf49
          Working       : c:\windows\ntfrs
          Actual Working: c:\windows\ntfrs
          WhenCreated  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic DaylightTime [240]
          WhenChanged  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic DaylightTime [240]

          SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
             DN   : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn=dserver2,ou=domain controllers,dc=crl,dc=lan
             Guid : d46515fe-51d5-4f79-bec29effd142df73
             Member Ref: CN=DSERVER2,CN=Domain System Volume (SYSVOL share),CN=FileReplication Service,CN=System,DC=CRL,DC=lan
             Root      : c:\windows\sysvol\domain
             Stage     : c:\windows\sysvol\staging\domain
             WhenCreated  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]
             WhenChanged  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]
       Subscriber Member Back Links:
          cn=dserver2,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=crl,dc=lan

    SETTINGS: FILE REPLICATION SERVICE
       DN   : cn=file replication service,cn=system,dc=crl,dc=lan
       Guid : 70c455df-5704-4d2a-b11ab0eb36b6e907
       WhenCreated  : 4/3/2004 11:56:54 Atlantic Standard Time Atlantic Daylight Time [240]
       WhenChanged  : 4/26/2011 12:2:46 Atlantic Standard Time Atlantic Daylight Time [240]

       SET: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
          DN   : cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=crl,dc=lan
          Guid : bd486d4a-9726-4419-9589524e9fe04470
          Type          : 2
          Primary Member: (null)
          File Filter   : *.tmp, *.bak, ~*
          Dir  Filter   : (null)
          FRS Flags     : (null)
          WhenCreated  : 4/3/2004 12:4:36 Atlantic Standard Time Atlantic Daylight Time [240]
          WhenChanged  : 4/26/2011 12:3:5 Atlantic Standard Time Atlantic Daylight Time [240]

          MEMBER: DSERVER2
             DN   : cn=dserver2,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=crl,dc=lan
             Guid : 4884a00f-e43c-438b-b420ef689c6448fe
             Server Ref     : CN=NTDS Settings,CN=DSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
             Computer Ref   : cn=dserver2,ou=domain controllers,dc=crl,dc=lan
             Cracked Domain : CRL.lan
             Cracked Name   : 00000002 CRL\DSERVER2$
             Cracked Domain : CRL.lan
             Cracked Name   : fffffff4 S-1-5-21-1273149174-3599686218-3002231784-1246
             Computer's DNS : dserver2.CRL.lan
             WhenCreated  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]
             WhenChanged  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]

    C:\Users\admin>

    ***********************************************************************


    Final dcdiag /v errors:

          Starting test: Replications         * Replications Check
             * Replication Latency Check
                CN=Schema,CN=Configuration,DC=CRL,DC=lan
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                CN=Configuration,DC=CRL,DC=lan
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                DC=CRL,DC=lan
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
             * Replication Site Latency Check
             ......................... DSERVER2 passed test Replications


    I wouldn't worry about this. DCDIAG is just reporting that you have a retired NTDS object (a DC). No prob there. It shows zero for any latency issues and is only flagging the one retired partner.

    There are no errors and warnings, so I'm cool with this being fixed.

     

    ***********************************************************************


    I was now finally able to change the replication scope of _msdcs.crl.lan to ForestDnsZones, and crl.lan to DomainDnsZones, and set Dynamic Updates to Secure only.


    ***********************************************************************

    Ace Fekay

    ***********************************************************************


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Patris_70 Sunday, January 15, 2012 1:48 PM
    • Marked as answer by steve.weatherbee Monday, January 16, 2012 1:01 PM
    Saturday, January 14, 2012 6:02 PM
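    The checks Ace walked through above (the DC's userAccountControl bits, the SYSVOL/NETLOGON shares, the SYSVOL folder tree and default GPO folders, the DNS application partitions, and the NtFrs BurFlags value) can be collected into one read-only script so the same symptoms are caught before a DC ends up in this state. The following is an added example written for this page, not code from the thread or from Microsoft. It assumes it is run in an elevated PowerShell session on the DC itself (PowerShell 2.0 syntax, so it works on 2008 R2 without the ActiveDirectory module), discovers the domain from RootDSE, and changes nothing; the expected DC value 0x82000 (SERVER_TRUST_ACCOUNT 0x2000 + TRUSTED_FOR_DELEGATION 0x80000) and the two default GPO GUIDs are the well-known constants, everything else it reports is taken from the live system.

```powershell
# Added example (not from the original thread): read-only health check for a single
# writable DC covering the items diagnosed above. Run elevated, on the DC itself.
$findings = @()

# --- 1. userAccountControl of this DC's computer object -------------------------
# Expected for a writable DC: 0x82000. The thread found 0x82020, i.e. the extra
# PASSWD_NOTREQD (0x20) bit, which makes DCDIAG and dcpromo complain.
$uacFlags = @{ 0x2 = 'ACCOUNTDISABLE'; 0x20 = 'PASSWD_NOTREQD'
               0x1000 = 'WORKSTATION_TRUST_ACCOUNT'; 0x2000 = 'SERVER_TRUST_ACCOUNT'
               0x80000 = 'TRUSTED_FOR_DELEGATION' }
$expectedDcUac = 0x82000

$rootDse   = [ADSI]'LDAP://RootDSE'
$defaultNc = [string]$rootDse.defaultNamingContext          # e.g. DC=CRL,DC=lan
$searcher  = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$defaultNc"
$searcher.Filter     = '(&(objectClass=computer)(sAMAccountName=' + $env:COMPUTERNAME + '$))'
$null = $searcher.PropertiesToLoad.Add('userAccountControl')
$result = $searcher.FindOne()
if ($result) {
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    $set = $uacFlags.Keys | Where-Object { $uac -band $_ } | ForEach-Object { $uacFlags[$_] }
    "userAccountControl = 0x{0:X} ({1})" -f $uac, ($set -join ', ')
    if ($uac -ne $expectedDcUac) {
        $findings += ("userAccountControl is 0x{0:X}, expected 0x{1:X} for a DC" -f $uac, $expectedDcUac)
    }
} else {
    $findings += "computer object for $env:COMPUTERNAME not found under $defaultNc"
}

# --- 2. SYSVOL and NETLOGON shares (what Event ID 5706 is about) ---------------
$shares = Get-WmiObject Win32_Share | Select-Object -ExpandProperty Name
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -notcontains $s) { $findings += "$s share is not present" }
}

# --- 3. SYSVOL tree and the two default GPO folders (what dcgpofix recreates) --
$domainDns  = ($defaultNc -replace 'DC=', '') -replace ',', '.'   # CRL.lan
$sysvolRoot = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domainDns"
$defaultGpoGuids = @('{31B2F340-016D-11D2-945F-00C04FB984F9}',   # Default Domain Policy
                     '{6AC1786C-016F-11D2-945F-00C04fB984F9}')   # Default Domain Controllers Policy
foreach ($sub in 'Policies', 'scripts') {
    if (-not (Test-Path (Join-Path $sysvolRoot $sub))) { $findings += "missing folder $sysvolRoot\$sub" }
}
foreach ($g in $defaultGpoGuids) {
    if (-not (Test-Path (Join-Path $sysvolRoot "Policies\$g"))) { $findings += "default GPO folder $g missing from SYSVOL" }
}

# --- 4. DNS application directory partitions ------------------------------------
# Parses the same dnscmd output shown in the thread; a partition that stays in the
# "Enlisted Deleted" state, or one not enlisted at all, is a finding.
$dpOutput = & dnscmd /EnumDirectoryPartitions 2>&1
foreach ($line in $dpOutput) {
    if ("$line" -match '^\s*(\S+DnsZones\.\S+)\s+(.+)$') {
        $name  = $matches[1]
        $state = $matches[2].Trim()
        "$name : $state"
        if ($state -match 'Deleted')      { $findings += "$name partition is marked Deleted" }
        if ($state -notmatch 'Enlisted')  { $findings += "$name partition is not enlisted on this server" }
    }
}

# --- 5. NtFrs BurFlags (D2/D4 should be consumed by FRS and reset to 0) ---------
$frsBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets'
if (Test-Path $frsBase) {
    Get-ChildItem $frsBase | ForEach-Object {
        $bur = [int](Get-ItemProperty $_.PSPath).BurFlags
        "{0} BurFlags = 0x{1:X}" -f $_.PSChildName, $bur
        if ($bur -eq 0xD2 -or $bur -eq 0xD4) {
            $findings += ("BurFlags still 0x{0:X} on replica set {1}; FRS has not processed it" -f $bur, $_.PSChildName)
        }
    }
} else {
    "No NtFrs Cumulative Replica Sets key (SYSVOL may be DFSR-replicated on this DC)"
}

# --- Summary --------------------------------------------------------------------
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

    Each section prints what it saw and appends a line to $findings only when the value deviates from what a healthy single DC should show, so the script can be run again after each corrective step in the thread (fixing userAccountControl, recreating the SYSVOL folders, dcgpofix, deleting and re-creating the DNS partitions) to confirm that step actually cleared the condition rather than relying on the event log alone. It deliberately does not write to AD, the registry or DNS; the corrective actions stay manual, as in the thread.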
  •  Hello Ace,

     

    Thanks for this great info.

    You are awesome.

     

    Regards

    Sunday, January 15, 2012 1:48 PM
  • Thanks, Patris. It was a bit of a challenge. There were numerous things going on. I summarized this in another thread I created, because this thread takes awhile to load due to its extreme size. Here's the link to it:

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/50a9e242-e4ac-47ba-87f3-f02443e1596a

    Cheers!

    Ace

     

    • Proposed as answer by Patris_70 Sunday, January 15, 2012 11:36 PM
    Sunday, January 15, 2012 9:35 PM
  • @Ace

    Once again, I owe you a great deal of gratitude. This was indeed a tricky can of worms. I most certainly could not have unraveled it without your help, and that of a couple of your colleagues that posted here as well. Many thanks to all of you.

    Sincerely,

    Steve Weatherbee

    Cumberland Public Libraries.

    Monday, January 16, 2012 1:10 PM
  • It was my pleasure, Steve! :-)
    Monday, January 16, 2012 9:40 PM