RID Master is offline error when running dcpromo.exe

    Question

  • I am trying to add a new 2008R2 DC to an existing domain.  Adprep has been run to extend the schema, and the object version is at 47.  When I select the domain to add the DC to I get an error message that says "You will not be able to install a writable replica domain controller at this time because the RID master DC01.domain.com is offline."  I am able to do an nslookup and ping DC01.domain.com.  Any ideas as to why dcpromo cannot see it?

    Thanks,

    Monday, August 23, 2010 6:13 PM

All replies

  • Is the server DC01 working properly? If so, please run "dcdiag /v >>c:\dcdiag.txt" on DC01 to check if there is any error. If there is any error, please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file c:\dcdiag.txt and then give us the download address.

    Please check your router/Firewall settings and make sure your ports configuration meets requirement at least in "Replication" and "User and computer authentication" section of the article below:

    Active Directory and Active Directory Domain Services Port Requirements
    http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

    If possible, try to move new Windows server in the same DC network to test.

    If the error still occurs, run "netdom query fsmo >>C:\fsmo.txt" and paste content of C:\fsmo.txt here.

    Thanks
    Monday, August 23, 2010 6:41 PM
  • Hi,

    The cause is that Dcpromo attempts to identify the owner of the RID Master role by reading the fsmoRoleOwner attribute of CN=RID Manager$,CN=System,DC=<domain> and extracting the dnsHostName of the RID Master. Dcpromo then tries to initiate an LDAP connection over port 389 to the RID Master Server using its fully qualified computer name. If the LDAP connection fails for any reason, Dcpromo determines the RID Master to be offline. Initial sync failures by the RID FSMO should not cause this error.

     

    a.    Run repadmin /showattr fsmo_rid: ncobj:domain: /filter:(objectclass=ridmanager) /subtree and netdom query fsmo

    b.    The output of the repadmin command will include the fSMORoleOwner. If the fSMORoleOwner distinguished name path that is returned from the command in the previous step is mangled or assigned to a deleted domain controller, remove the metadata for that domain controller and seize the role to a live domain controller that hosts a writable copy of the domain partition.

    c.    Verify that RID master role is assigned to a live domain controller that has successfully inbound-replicated the domain directory partition since it last restarted from at least one other domain controller in the same domain.

    d.    If the current role holder is the only live domain controller in the domain but its copy of Active Directory or AD DS refers to domain controllers that no longer exist, remove the stale metadata for those domain controllers, restart the live domain controller, and try promotion again.

     

    Hope it helps.

    Regards,

    Bruce

    Tuesday, August 24, 2010 4:38 AM
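
An added example, not part of the original thread: a PowerShell script that repeats the check described in the reply above (read fSMORoleOwner from the RID Manager$ object, take the role holder's dNSHostName, then try TCP 389 to that name). The server name `DC02.domain.com`, the timeout and the helper name `Test-TcpPort` are assumptions made for illustration.

```powershell
# Added example: names marked "hypothetical" are assumptions, not from the thread.
param(
    [string]$Server = 'DC02.domain.com',  # hypothetical: a DC this host can already query
    [int]$TimeoutMs = 3000                # assumed connect timeout
)

function Test-TcpPort {                   # hypothetical helper name
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)      # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Read fSMORoleOwner from CN=RID Manager$,CN=System,<domain DN>.
$rootDse  = [ADSI]"LDAP://$Server/RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$ridMgr   = [ADSI]"LDAP://$Server/CN=RID Manager`$,CN=System,$domainDn"
$ownerDn  = [string]$ridMgr.fSMORoleOwner

# A role owner that points at a deleted DC carries the "\0ADEL:" marker in its DN.
if (-not $ownerDn -or $ownerDn -match '0ADEL:') {
    throw "fSMORoleOwner is empty or references a deleted object: '$ownerDn'"
}

# fSMORoleOwner names the NTDS Settings object; its parent server object holds dNSHostName.
$serverDn  = $ownerDn -replace '^CN=NTDS Settings,', ''
$ridMaster = [string]([ADSI]"LDAP://$Server/$serverDn").dNSHostName

# Same test the reply describes: LDAP over TCP 389 to the role holder's FQDN.
$addresses = [System.Net.Dns]::GetHostAddresses($ridMaster) | ForEach-Object { $_.IPAddressToString }
New-Object PSObject -Property @{
    RidMaster   = $ridMaster
    ResolvedTo  = $addresses -join ', '
    Ldap389Open = (Test-TcpPort -HostName $ridMaster -Port 389 -TimeoutMs $TimeoutMs)
}
```

Run it on the server being promoted. If the name resolves but `Ldap389Open` is False, look at the network path (firewall or routing) between the two hosts rather than at DNS.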
  • output of "repadmin /showattr fsmo_rid: ncobj:domain: /filter:(objectclass=ridmanager) /subtree"

    Repadmin experienced the following error trying get to the FSMO you requested in this subtree: DC=domain,DC=com
    Error: An error occurred:
        Win32 Error 8367(0x20af): The requested FSMO operation failed. The current FSMO holder could not be contacted.

    output of "netdom query fsmo "

    Schema master               DC01.domain.com
    Domain naming master        DC01.domain.com
    PDC                         DC01.domain.com
    RID pool manager            DC01.domain.com
    Infrastructure master       DC01.domain.com
    The command completed successfully.

    Tuesday, August 24, 2010 2:03 PM
  • Here is the link to the dcdiag output:

    http://cid-5774e7f0febced91.skydrive.live.com/redir.aspx?resid=5774E7F0FEBCED91!105&Bpub=SDX.Docs&Bsrc=GetSharingLink

    Our other 2 DCs can still talk to DC01 so I don't think ports are blocked, although they are both 2003 DCs.

    Tuesday, August 24, 2010 3:29 PM
  • Let's start with the error with EventID: 0x00000457

    Based on the following link, this kind of error may be caused due to a printer driver problem.

    Have a look to the link:

    http://forums.techarena.in/active-directory/713677.htm

    Tuesday, August 24, 2010 3:30 PM
  • Win32 Error 8367(0x20af): The requested FSMO operation failed. The current FSMO holder could not be contacted.

    It is possible that this error is due to a DNS problem.

    To make sure that it is not a DNS problem, proceed like that:

    1- Make sure that the server is using 127.0.0.1 IP address as primary DNS server.

    2- Run this command ipconfig /registerdns to force it to update its DNS records

    3- Run nltest /dsregdns for the domain controller SRV records. nltest is a Windows support tool on the Windows Server CD: http://technet.microsoft.com/en-us/library/cc731935(WS.10).aspx

    Tuesday, August 24, 2010 3:37 PM
  • Yes, I am not worried about the EventID: 0x00000457 error, it is because I used remote desktop to go into the server to run dcdiag.  The server did not have the drivers to connect to my local printers.
    Tuesday, August 24, 2010 3:39 PM
  • Okay, have you tried what I mentioned about DNS?

    It may be a DNS issue.

    Best regards.

    Tuesday, August 24, 2010 3:53 PM
  • The primary DNS is not 127.0.0.1 because the server is not a DNS server yet, DNS is installed by dcpromo.  The primary DNS is set to our other DC. 

    I ran ipconfig /registerdns  then checked and the proper entry is in DNS for the server.

    This is the output from nltest:

    C:\Windows\system32>nltest /dsregdns
    I_NetLogonControl failed: Status = 50 0x32 ERROR_NOT_SUPPORTED

    Tuesday, August 24, 2010 4:01 PM
  • Just to clarify:

    You have run these commands on your DNS server? (You should run them on DC01 and you should make sure that the primary DNS server is well configured on DC01)

    For the 127.0.0.1, I mean that make sure that the DNS server is using 127.0.0.1 IP address as primary DNS server.

    For the other client computers make sure that they are using the correct DNS server as a primary DNS server.

    Best regards.

    Tuesday, August 24, 2010 4:07 PM
  • Just to clarify:

    You have run these commands on your DNS server? (You should run them on DC01 and you should make sure that the primary DNS server is well configured on DC01)

    For the 127.0.0.1, I mean that make sure that the DNS server is using 127.0.0.1 IP address as primary DNS server.

    For the other client computers make sure that they are using the correct DNS server as a primary DNS server.

    Best regards.


    That actually should not be the DNS configuration. The DNS Server should be pointing to its Private IP address and not the loopback adapter.

    It will work, don't get me wrong, but I've never had any of the ADDS problems that are mentioned in this forum by pointing to itself as the DNS server.

    Example: DC = 10.1.1.2, point it to 10.1.1.2, or at least add it as a secondary DNS server.

    You added the Role in Server Manager, and then ran DCpromo, correct?


    Steve Kline
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Product Specialist
    Microsoft Certified Network Product Specialist
    This posting is "as is" without warranties and confers no rights.
    Tuesday, August 24, 2010 5:54 PM
  • I found the issue. It was not DNS, but by looking into that the problem emerged.  My DC could resolve and ping DC01 but DC01 could resolve but not ping my DC.  DC01 needed to have a persistent route added to allow it to talk to my new DC.  Thanks for your help on this, guys!
    • Marked as answer by Denhams Wednesday, August 25, 2010 1:38 PM
    Wednesday, August 25, 2010 1:37 PM
  • Hi,

    Thank you for your feedback and telling us how you fixed the problem. If you have more questions in the future, you’re welcome to this forum.

    Regards,

    Bruce

    Thursday, August 26, 2010 8:39 AM