Specified domain does not exist or cannot be contacted error since dcpromo to demote second domain controller

  • Question

  • On our network we had two servers - server 2003 and 2008 both acting as domain controllers. Naturally, the 2008 server was added at a later date to the 2003 one. 

    I wanted to remove the 2003 server from the network leaving just the 2008 server. 

    I followed a guide to transfer all of the FSMO roles over from the 2003 server to the 2008 server and ensured that the 2008 server was a Global Catalogue server to try and make this as smooth as possible. 

    I was still not able to gracefully run DCPROMO to remove Active Directory from the 2003 server, but continued past the error it gave when trying to check that it was not the only global catalogue server (knowing this was not the case from the above checks).

    I'm now stuck with a problem though - PCs on the network are not able to connect to the SQL Server on that server. 

    And when going in to Active Directory Users and Computers, I get the error "Specified domain does not exist or cannot be contacted"

    Running DCDIAG, shows the following errors which seem key to this. Can anyone advise where to start?

    Remember that the server it is trying and failing to connect to in these instances is itself. 

    My hunch is that it is bad DNS but I don't really know where to start with correcting it. 

    DNS server settings on the network adapter are 192.168.200.2 (the server's own IP address) and no others. DNS service is running. I am not really sure what I should be looking for in the DNS config itself - maybe the issue is in there somewhere?

    Can anyone help?

    DCDiag results:

    Starting test: Advertising

             Fatal Error:DsGetDcName (SERVER) call failed, error 1355

             The Locator could not find the server.

             ......................... SERVER failed test Advertising

    Starting test: NetLogons

             Unable to connect to the NETLOGON share! (\\SERVER\netlogon)

             [SERVER] An net use or LsaPolicy operation failed with error 67,

             The network name cannot be found..

     Running enterprise tests on : Kermit.local

        Starting test: LocatorCheck
           Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
           A Global Catalog Server could not be located - All GC's are down.
           Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
           A Time Server could not be located.
           The server holding the PDC role is down.
           Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
           1355
           A Good Time Server could not be located.
           Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
           A KDC could not be located - All the KDCs are down.
           ......................... Kermit.local failed test LocatorCheck
        Starting test: Intersite
           ......................... Kermit.local passed test Intersite

    Friday, July 19, 2019 4:55 PM
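
A triage helper for dcdiag output like the excerpt in the question, added here as an example and not part of the original thread. It groups lines by test, decodes the two Win32 error codes seen above (1355 and 67), and copes with a code wrapped onto its own line and with a test whose result line is missing from the paste; the sample text is constructed from the question's excerpt, and the function names are hypothetical.

```python
import re

# Win32 error codes that appear in the dcdiag output quoted in the question.
WIN32_ERRORS = {
    1355: "ERROR_NO_SUCH_DOMAIN",   # domain does not exist or could not be contacted
    67: "ERROR_BAD_NET_NAME",       # the network name cannot be found
}
# Constructed sample, condensed from the dcdiag lines in the question.
SAMPLE = r"""Starting test: Advertising
   Fatal Error:DsGetDcName (SERVER) call failed, error 1355
   ......................... SERVER failed test Advertising
Starting test: NetLogons
   Unable to connect to the NETLOGON share! (\\SERVER\netlogon)
   [SERVER] An net use or LsaPolicy operation failed with error 67,
Running enterprise tests on : Kermit.local
   Starting test: LocatorCheck
      Warning: DcGetDcName(KDC_REQUIRED) call failed, error
      1355
      ......................... Kermit.local failed test LocatorCheck
   Starting test: Intersite
      ......................... Kermit.local passed test Intersite
"""
START = re.compile(r"Starting test:\s*(\S+)")
RESULT = re.compile(r"\.{5,}\s*(\S+) (passed|failed) test (\S+)")
ERROR = re.compile(r"\berror\s+(\d+)")

def triage(text):
    """Map each dcdiag test to its target, status and Win32 error codes."""
    blocks, current = {}, None
    for line in text.splitlines():
        start = START.search(line)
        if start:
            current = start.group(1)
            blocks[current] = {"target": None, "status": "unknown", "body": []}
        elif current is not None:
            result = RESULT.search(line)
            if result and result.group(3) == current:
                blocks[current].update(target=result.group(1), status=result.group(2))
                current = None
            else:
                blocks[current]["body"].append(line.strip())
    for info in blocks.values():
        # Join the block so a code wrapped onto its own line still matches.
        joined = " ".join(info.pop("body"))
        info["errors"] = sorted({int(c) for c in ERROR.findall(joined)})
    return blocks

def not_passed(text):
    """Summarise every test that did not report 'passed', with decoded codes."""
    return {test: [WIN32_ERRORS.get(c, f"Win32 error {c}") for c in info["errors"]]
            for test, info in triage(text).items() if info["status"] != "passed"}
```

On the sample, every locator-related test resolves to the same code, 1355, while the share test resolves to 67, which separates the "cannot find a DC" symptom from the "NETLOGON share is missing" symptom.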

All replies

  • Additionally, if I run "net share" - I am not seeing sysvol or netlogon shares listed - in case that is either relevant to the cause or symptoms of the problem.
    Friday, July 19, 2019 4:59 PM
  • Please run;
    • Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
    • repadmin /showrepl >C:\repl.txt
    • ipconfig /all > C:\dc1.txt
    • ipconfig /all > C:\dc2.txt

      then put unzipped text files up on OneDrive and share a link.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, July 19, 2019 4:59 PM
  • Thanks for the quick reply! link below to the files output with the commands above. 

    Note there only is one dc now - so only one file for the ipconfig command. 

    https://1drv.ms/u/s!AnqeeV8ltbK6jF8l71F2XTuv5MYp?e=MG9Rsh

    Friday, July 19, 2019 5:51 PM
  • Please do not zip the files.

    Friday, July 19, 2019 6:08 PM
  • Apologies, I was in a rush and read as "zipped".

    Please see links below. Thank you for any help:

    https://1drv.ms/t/s!AnqeeV8ltbK6jGBr__iO5xNgolK9?e=3FeOuM

    https://1drv.ms/u/s!AnqeeV8ltbK6jGJht1g0U34b2keT?e=VAP7A3

    https://1drv.ms/t/s!AnqeeV8ltbK6jGGaozio452HUlEU?e=77Uwbu

    Monday, July 22, 2019 8:32 AM
  • Might try restarting netlogon service. Then work through the system event log errors, and possibly this one.

    https://support.microsoft.com/en-us/help/257338/troubleshooting-missing-sysvol-and-netlogon-shares-on-windows-domain-c

    Monday, July 22, 2019 12:51 PM
  • I have made some progress here but am now stuck again. 

    I found that sysvol folder was corrupted, and after much scouring of the internet, I found a guide to correct this when there was no other copy or DC available. To do this I renamed the folder c:\windows\ntfrs\jet to jet.bak and restarted the active directory services. 

    That restored the sysvol folder and my connectivity to the active directory users and computers and sites and services admin tools.

    I ran dcgpofix on both domain and dc and that restored the netlogon folder. 

    However, the PCs on the domain are still not able to authenticate with the server. 

    I'm getting the following errors in the event log

    GroupPolicy:

    The processing of Group Policy failed. Windows attempted to read the file \\Kermit.local\SysVol\Kermit.local\Policies\{BF3F5B71-7ECC-4F9C-89FD-EDC577820C21}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
    a) Name Resolution/Network Connectivity to the current domain controller. 
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
    c) The Distributed File System (DFS) client has been disabled.

    The folder this references doesn't exist.

    NETLOGON

    Dynamic registration or deletion of one or more DNS records associated with DNS domain 'Kermit.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

    Possible causes of failure include:  
    - TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers 
    - Specified preferred and alternate DNS servers are not running 
    - DNS server(s) primary for the records to be registered is not running 
    - Preferred or alternate DNS servers are configured with wrong root hints 
    - Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration  

    USER ACTION  
    Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.

    AND

    This computer was not able to set up a secure session with a domain controller in domain KERMIT due to the following: 
    There are currently no logon servers available to service the logon request. 
    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

    ADDITIONAL INFO 
    If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

    Does this help guide where I can go from here?!

    Tuesday, July 23, 2019 4:24 PM
  • If sysvol or netlogon are missing you can follow along here. I don't remember if FRS or DFSR was used so posting both links. Use whichever is appropriate.

    https://support.microsoft.com/en-us/help/2958414/dfs-replication-how-to-troubleshoot-missing-sysvol-and-netlogon-shares

    https://support.microsoft.com/en-us/help/257338/troubleshooting-missing-sysvol-and-netlogon-shares-on-windows-domain-c

    Tuesday, July 23, 2019 4:32 PM
  • As per my previous post, I have managed to restore sysvol and netlogon shares which has seen some progress but still unable to authenticate from pcs on the network. 

    Tuesday, July 23, 2019 4:38 PM
  • As per my previous post, I have managed to restore sysvol and netlogon shares which has seen some progress but still unable to authenticate from pcs on the network. 

    Ok, confusing;

    The folder this references doesn't exist.

    NETLOGON

    please put up a new set of files

    • Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
    • repadmin /showrepl >C:\repl.txt
    • ipconfig /all > C:\dc1.txt
    • ipconfig /all > C:\dc2.txt
    • ipconfig /all > C:\problemworkstation.txt

      then put unzipped text files up on OneDrive and share a link.

    Tuesday, July 23, 2019 4:41 PM
  • Thank you. 

    I rebooted the server a couple of times following my final fixes, and all seems to be working now, so no need to investigate any further at this stage. 

    Thank you for contributing your thoughts.

    Wednesday, July 24, 2019 11:21 AM
  • Good news, you're welcome.

    (please don't forget to mark helpful replies as answer)

    Wednesday, July 24, 2019 12:10 PM