Added 1 Server 2008 R2 DC to 2 existing Server 2003 DCs, Server 2008 R2 Showed Group Policy Error 1054

    Question

  • Hi,

    Our organization's infrastructure is like this: 5 different location sites. Each site has either 1 DC or 2 DCs. All DCs have DNS, DHCP, and Global Catalog. All DCs replicate with each other.

    We are in the process of upgrading Server 2003 to Server 2008 R2. First, I worked on the 2 servers that held the FSMO roles. Here's what I have done so far:

    - Upgraded 2 Server 2003 x86 DCs to Server 2008 R2 x64

       Ran adprep32 /forestprep on Server 2003 

       Ran adprep32 /domainprep on Server 2003

    - Installed Server 2008, promoted the new server to a DC, set up the new DCs as Global Catalog

    - Transferred FSMO to new DC

    - Demoted the old DC and deleted it from AD

    - Manually removed old DC from DNS and AD Sites and Services

    - These two DCs are running fine.

    When I worked on another site, I just added 1 Server 2008 R2 DC to 2 Server 2003 DCs, and have all of them running together. After the new DC had been running for 3 days, it received the following errors:

    Netlogon with Event ID 5719 - This computer was not able to set up a secure session with domain controller in domain xxxxx due to the following: The remote procedure call failed and did not execute. This may lead to authentication problems. Make sure that this computer is connected to the network.

    Warning on Kerberos-Key-Distribution-Center with event ID 29 - The Key Distribution Center cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

    Many errors on GroupPolicy with Event ID 1054 - The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by name resolution failure. Verify your DNS is configured and working correctly.

    DHCP-Server with event ID 1059 - The DHCP service failed to see a directory server for authorization.

    After all these errors, the new DC lost all connection to AD, DHCP, and Sysvol. But the Server 2003 DCs are still running fine. Client computers are also running fine.

    If I restart the new DC, it runs like normal for 3 days, then the same errors appear again.

    I also tried this at another site; the same thing happened on the new DC.

    Somebody please help me here. Thank you so much!!

    Friday, March 27, 2015 7:46 PM

Answers

  • You use nslookup to resolve dns names

    Please follow this:

    https://support.microsoft.com/en-us/kb/816587


    You wouldn't demand your Doctor a therapy just because you told him "I don't feel very well"
    You wouldn't expect your accountant to know how much your taxes are just because you told him "I have earned some money"
    Do not expect any IT Pro to suggest you a solution just because you said "It doesn't work"

    Tuesday, March 31, 2015 7:42 PM
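The accepted answer points at KB 816587, which is a set of nslookup queries for the DC locator SRV records. As an added example that is not part of the thread, the script below runs those same checks and then probes the ports the new DC must reach on each DC it finds. It assumes a Windows 8 / Server 2012 or later host (Resolve-DnsName and Test-NetConnection); the equivalent nslookup command for a 2008 R2 DC is in the comments. `$Domain` and `$Site` are placeholders, not values from the thread.

```powershell
# Added example, not code from the thread. Runs the DC locator checks that
# KB 816587 walks through with nslookup, then probes the ports the new DC must
# reach on each DC it finds. Assumes a Windows 8 / Server 2012 or later host
# (Resolve-DnsName and Test-NetConnection); the nslookup equivalent for a
# 2008 R2 DC is in the comments. $Domain and $Site are placeholders.
param(
    [string]$Domain = 'corp.example.com',        # assumption: your AD DNS name
    [string]$Site   = 'Default-First-Site-Name'  # assumption: the new DC's site
)

# SRV records every DC and member relies on to locate a DC, a KDC and a GC.
# nslookup equivalent:  nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com
$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)

# Ports a DC needs open to its peers. RPC then moves to the dynamic range
# (49152-65535 on 2008 R2, 1025-5000 on 2003) after the port 135 handshake.
$ports = @(
    @{ Port = 53;   Use = 'DNS' },
    @{ Port = 88;   Use = 'Kerberos' },
    @{ Port = 135;  Use = 'RPC endpoint mapper' },
    @{ Port = 389;  Use = 'LDAP' },
    @{ Port = 445;  Use = 'SMB (SYSVOL, Netlogon)' },
    @{ Port = 3268; Use = 'Global Catalog' }
)

function Test-DcLocator {
    $found = @{}
    foreach ($name in $records) {
        try {
            # Resolve-DnsName also returns the A records from the additional
            # section, so keep only the SRV answers.
            $answers = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
            foreach ($a in $answers) {
                '{0,-60} -> {1}:{2}' -f $name, $a.NameTarget, $a.Port
                $found[$a.NameTarget] = $true
            }
        } catch {
            # A timeout here is the "DNS request timed out" the thread shows.
            '{0,-60} -> FAILED: {1}' -f $name, $_.Exception.Message
        }
    }
    return $found.Keys
}

function Test-DcPorts([string[]]$DomainControllers) {
    foreach ($dc in $DomainControllers) {
        foreach ($p in $ports) {
            $r = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
            $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED/unreachable' }
            '{0,-30} {1,5} {2,-25} {3}' -f $dc, $p.Port, $p.Use, $state
        }
    }
}

$dcs = Test-DcLocator
if (-not $dcs) {
    Write-Warning "No DC found through DNS; check the DNS server list on this host's NIC before anything else."
} else {
    Test-DcPorts -DomainControllers $dcs
}
```

Run it on the new DC while it is in the failed state, not after a reboot: the thread's "Default Server: UnKnown" output means the DC's own resolver could not even reverse-resolve 192.168.243.2, so a failed SRV lookup here points at the NIC's DNS server list or at DNS traffic being blocked, while open SRV lookups with port 135 blocked point at the firewall.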

All replies

  • On 27.03.2015 at 20:46, Susie5354 wrote:
    > If I restarted the new DC, it will run like normal for 3 days, then the
    > same errors appear again.
     
    To me, this sounds more like a hardware issue: NICs, cables, switches
    and routers...
     

    Greetings, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Saturday, March 28, 2015 11:50 AM
  • Hi,

    In addition to the others:

    For the event id 29, if there is no CA in your domain, you can ignore this event.

    https://support.microsoft.com/en-us/kb/967623?wa=wsignin1.0

    I think you could determine whether there is a network connectivity problem by using the ping command: https://technet.microsoft.com/en-us/library/cc774849(v=ws.10).aspx

    Regards.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, March 30, 2015 9:24 AM
  • The new Server 2008 R2 is running with Server 2003 on the same subnet, and Server 2003 has no issues with losing connection to the domain.
    Monday, March 30, 2015 2:18 PM
  • Hi,

    Is Windows firewall on? RPC dynamic port-range is different in 2008.

    REF: http://support.microsoft.com/en-us/kb/929851

    Did you try any test when this happened (ping, nslookup and so on)?



    Monday, March 30, 2015 3:02 PM
  • Hi Aperelli,

    We do have firewalls. Most of the sites are using ISA 2004, two sites are using Cisco 5510. According to the site you sent, do I need to open a TCP and UDP port range from 49152 to 65535? It's such a big range.

    -->Did you try any test when this happened (ping, nslookup and so on)?

    I'm able to ping the other sites' servers. When I type nslookup, it gives me "DNS request timed out. timeout was 2 seconds. Default Server: Unknown. Address: 192.168.243.2" (this is the PDC server).

    What do you think? Thanks for helping!

    Tuesday, March 31, 2015 4:01 PM
  • Hi,

    here there's a more complete article about firewall configuration http://support.microsoft.com/en-us/kb/179442

    About nslookup, what did you query for? 



    Tuesday, March 31, 2015 4:12 PM
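The question above ("do I need to open 49152 to 65535? It's such a big range") has a documented alternative that KB 179442 and KB 929851 only touch on: pin the RPC endpoints a DC registers to fixed ports, so the site firewalls need 135 plus a handful of known ports instead of the whole dynamic range. The script below is an added example, not code from the thread; the registry values are the ones documented in KB 224196 (NTDS and Netlogon) and KB 319553 (FRS, which is what SYSVOL still uses in a domain with 2003 DCs). The three port numbers are an assumption; pick unused high ports and use the same values on every DC, the 2003 ones included, or replication in the other direction still lands in the 2003 dynamic range.

```powershell
# Added example, not code from the thread. Pins the RPC endpoints a DC
# registers for AD replication (NTDS), Netlogon and FRS SYSVOL replication to
# fixed ports (registry values from KB 224196 and KB 319553), so the firewall
# only needs 135 plus these three ports on top of the usual DC ports.
# Port numbers are an assumption. Run elevated on each DC; the pins take
# effect after the NTDS, Netlogon and NTFRS services restart (or a reboot).

$NtdsPort     = 38901   # assumption: unused high port, same on every DC
$NetlogonPort = 38902   # assumption
$FrsPort      = 38903   # assumption

# Show the ephemeral range RPC currently draws from (KB 929851).
netsh interface ipv4 show dynamicport tcp

$pins = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Port = $NtdsPort },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort';                Port = $NetlogonPort },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Port = $FrsPort }
)

foreach ($p in $pins) {
    # -Force creates the DWORD if missing and overwrites it if present.
    New-ItemProperty -Path $p.Key -Name $p.Name -Value $p.Port -PropertyType DWord -Force | Out-Null
    $now = (Get-ItemProperty -Path $p.Key -Name $p.Name).($p.Name)
    '{0,-70} {1,-28} = {2}' -f $p.Key, $p.Name, $now
}

# Minimum DC-to-DC rule set between sites once the pins are in place.
@(
    @{ Port = 53;            Proto = 'TCP/UDP'; Use = 'DNS' },
    @{ Port = 88;            Proto = 'TCP/UDP'; Use = 'Kerberos' },
    @{ Port = 123;           Proto = 'UDP';     Use = 'NTP (W32Time)' },
    @{ Port = 135;           Proto = 'TCP';     Use = 'RPC endpoint mapper' },
    @{ Port = 389;           Proto = 'TCP/UDP'; Use = 'LDAP' },
    @{ Port = 445;           Proto = 'TCP';     Use = 'SMB' },
    @{ Port = 464;           Proto = 'TCP/UDP'; Use = 'Kerberos password change' },
    @{ Port = 636;           Proto = 'TCP';     Use = 'LDAPS' },
    @{ Port = 3268;          Proto = 'TCP';     Use = 'Global Catalog' },
    @{ Port = $NtdsPort;     Proto = 'TCP';     Use = 'AD replication (pinned)' },
    @{ Port = $NetlogonPort; Proto = 'TCP';     Use = 'Netlogon secure channel (pinned)' },
    @{ Port = $FrsPort;      Proto = 'TCP';     Use = 'FRS SYSVOL replication (pinned)' }
) | ForEach-Object { New-Object -TypeName PSObject -Property $_ } |
    Format-Table Port, Proto, Use -AutoSize

# After the services restart, a DC in another site should see the pinned port
# open:  Test-NetConnection -ComputerName newdc.corp.example.com -Port 38901
```

Port 135 stays mandatory: the endpoint mapper is how the peer learns which port NTDS or Netlogon is listening on, which is also why a firewall that drops 135 produces exactly the "remote procedure call failed" text in the Netlogon 5719 event from the original post.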
  • Thank you Aperelli, I did open the ports, but it's still not working.
    Tuesday, March 31, 2015 6:44 PM
  • I didn't understand which record you tested with nslookup; apparently you got a timeout. Can you do that again and post the output (and the commands you issued)?


    Tuesday, March 31, 2015 6:48 PM
  • After restarting the server, the new DC is able to connect to the domain, like I said at the beginning. So here's the result I get.

    C:\>nslookup
    Default Server:  UnKnown
    Address:  192.168.243.2

    Tuesday, March 31, 2015 7:05 PM
  • Aperelli,

    I appear to be seeing similar issues; after running Nslookup as suggested it returned SRV service location records as needed.

    Is there something we should be looking for or seeing?

    Friday, April 10, 2015 7:25 PM
  • Hi,

    I'm sorry, you should open a new thread with details on your specific environment, and we'll take it from there.


    This post is provided AS IS with no warranties or guarantees, and confers no rights.


    Friday, April 10, 2015 7:29 PM