DNS fails to start

  • Question

  • Readers, my original problem with DNS not starting became more of a solution thanks to the guidance of Lain Robertson. Lain guided me step by step in a very systematic approach to fixing orphaned objects in Active Directory and replication problems. If you find you're having a similar problem with Active Directory, this post may be a good resource for you.

    Original question to the forum:

    Hello,

    I’m having trouble starting DNS services on one of my domain controllers. I have two DCs: one is Server 2003 SP2 and the other Server 2008 R2 SP1. The failed DNS service is on the Server 2008 box. DNS has been running on both these servers for a long while with no problems until recently. My intention was, this summer (we’re a school), to decommission the 2003 domain controller, replace it with a Server 2012 domain controller and leave the 2008 DC. However, since the 2008 DC has the failing DNS service, I was thinking of replacing that server with a 2012 domain controller as well.

    The Application logs on server 2008 are showing event 1000, dns.exe is faulting, and event 4113, The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed.
    I have done the obvious: pinged from both servers, checked for MS updates or other installed apps; no network changes have been made, but I haven’t found anything.

    After discovering the failed dns service, I changed my DHCP scopes by removing the failed DNS settings and pointed all dns settings to the working 2003 server. No other changes were made.

    I’m wondering, instead of troubleshooting the sync problem, would I be better off installing Server 2012 as a DC, then decommissioning the 2003 server and finally installing the second 2012 DC?

    What are your thoughts on this procedure, and what might go wrong, since I’m having trouble with a sync issue? Or does anyone have a suggestion for a fix?
    Thanks for reading,

    Rick



    • Edited by R. Morgan Monday, June 6, 2016 6:12 PM
    Wednesday, May 25, 2016 3:20 PM

Answers

  • Hi Rick,

    Yes, based on what I read, I'd definitely remove it.

    A Microsoft employee advocates following this post late in the thread but the feedback doesn't seem positive thus far. I haven't read the linked article yet, however, it does sound like KB314526 needs to be removed before whatever within the article is actioned, after which KB314526 should install without causing future DNS Server crashes. However, I'm reading between the lines here based on that person's posts alone.

    Cheers,
    Lain

    • Marked as answer by R. Morgan Monday, June 6, 2016 4:52 PM
    Monday, June 6, 2016 12:46 PM

All replies

  • Hi Rick,

    My initial concern with this would be for how long has this been going on, or more specifically, for how long has this been affecting replication? I personally wouldn't want to be promoting a new domain controller into an environment where I'm not 100% sure of the consistency of the directory.

    If you feel that the Server 2003 domain controller is behaving itself and the more trustworthy of the two resources, then I'd run the command below just to get a feel of how long it's been since the various directory partitions have been updated.

    repadmin /showreps <your2003dc.yourdomain.com> /all

    I'd also recommend running a "dcdiag /c /q" on both domain controllers to see what - if any, errors are reported.

    Feel free to post the results from any/all of the above commands if you want us to help you interpret the results, though if you do, it'd also be useful to have the results of "ipconfig /all" for both servers as well.

    Cheers,
    Lain

    Thursday, May 26, 2016 12:20 AM
  • Hi Rick,

    >>The Application logs on server 2008 are showing event 1000 dns.exe is faulting, event 4113 The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed.

    For events 1000 and 4113, please check:

    1. Event ID 1000 — DNS Server Configuration

    https://technet.microsoft.com/en-us/library/cc735786(v=ws.10).aspx

    2. I just found 4013, with this description:

    Event ID 4013 — DNS Server Active Directory Integration

    https://technet.microsoft.com/en-us/library/cc735842%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Troubleshoot DNS Event ID 4013: The DNS server was unable to load AD integrated DNS zones

    https://support.microsoft.com/en-us/kb/2001093

    >>I’m wondering, instead of trouble-shooting the sync problem would I be better off installing server 2012 as a DC, then decommission the 2003 server and finally install the second 2012 DC?

    It would be recommended. Support for Windows Server 2003 ended on July 14, 2015.

    We suggest that you install the DNS server role on Windows Server 2012 R2 and add a secondary zone on it (the master server is the old 2003 DNS server). Open the Properties of the zone on the old DNS server, click the Zone Transfers tab and set it to allow.

    Once the zone transfer has completed, change it from secondary to primary. Also change the Name Servers to the new DNS server. Remove the old servers and also clear their DNS records.

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, May 26, 2016 5:35 AM
  • Just to re-iterate what I said earlier, I would advocate caution in promoting a new domain controller when you've got failures occurring with the directory service.

    Fix those before worrying about promoting a new directory server lest you compound your existing problems rather than resolve them.

    Cheers,
    Lain

    Thursday, May 26, 2016 5:50 AM
  • Thanks Lain,

    Here are the results from repadmin; I changed the school name to myDomain in the text file.

    myDomain-Elementary-School\myDomain-PDC-2
    DC Options: IS_GC
    Site Options: IS_GROUP_CACHING_ENABLED
    DC object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6
    DC invocationID: 318fb45c-6aa1-4ae3-bc64-30b6e88d6cba

    ==== INBOUND NEIGHBORS ======================================

    DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-05-30 08:46:07 was successful.

    CN=Configuration,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-05-30 07:54:32 was successful.

    CN=Schema,CN=Configuration,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-05-30 07:54:32 was successful.

    DC=DomainDnsZones,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-05-30 07:54:32 was successful.

    DC=ForestDnsZones,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-05-30 07:54:32 was successful.

    ==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

    DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-05-30 08:28:06 was successful.

    CN=Configuration,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-05-30 05:06:19 was successful.

    CN=Schema,CN=Configuration,DC=myDomain,DC=local
        (null) via RPC
            DC object GUID: 505692b7-f408-41f5-a796-76b7688637d9
            Last attempt @ 2010-09-13 21:46:27 was successful.
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-05-24 18:55:09 was successful.

    DC=DomainDnsZones,DC=myDomain,DC=local
        (null) via RPC
            DC object GUID: 505692b7-f408-41f5-a796-76b7688637d9
            Last attempt @ 2010-09-13 21:46:30 was successful.
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-05-24 18:55:12 was successful.

    DC=ForestDnsZones,DC=myDomain,DC=local
        (null) via RPC
            DC object GUID: 505692b7-f408-41f5-a796-76b7688637d9
            Last attempt @ 2010-09-13 21:46:39 was successful.
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-05-24 18:55:15 was successful.

    ==== KCC CONNECTION OBJECTS ============================================
    Connection --
        Connection name : 9f8e8e18-1e79-432a-8be5-1bf2e9d90507
        Server DNS name : myDomain-pdc-2.myDomain.local
        Server DN  name : CN=NTDS Settings,CN=myDomain-PDC-2,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local
            Source: myDomain-Elementary-School\myDomain-PDC
                    No Failures.
            TransportType: intrasite RPC
            options:  isGenerated
            ReplicatesNC: DC=ForestDnsZones,DC=myDomain,DC=local
            Reason:  RingTopology
                    Replica link has been added.
            ReplicatesNC: CN=Schema,CN=Configuration,DC=myDomain,DC=local
            Reason:  RingTopology
                    Replica link has been added.
            ReplicatesNC: DC=DomainDnsZones,DC=myDomain,DC=local
            Reason:  RingTopology
                    Replica link has been added.
            ReplicatesNC: DC=myDomain,DC=local
            Reason:  RingTopology
                    Replica link has been added.
            ReplicatesNC: CN=Configuration,DC=myDomain,DC=local
            Reason:  RingTopology
                    Replica link has been added.
    1 connections found.

    Monday, May 30, 2016 1:01 PM
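The `repadmin /showreps` output above is the kind of text Lain asked for; as an added example (not code from the thread), here is a small Python parser that flags the three things worth noticing in it: a partner printed as "(null)" (a replica link to a DC that has been deleted but never cleaned up), a failed last attempt, and a last success older than a threshold. The sample input is constructed in repadmin's own layout with placeholder GUIDs and an assumed site/DC name.

```python
"""Flag orphaned or stale partners in `repadmin /showreps` output.

Added example, not code from the thread: it parses the text repadmin
prints and reports partners whose name is "(null)" (a replica link to a
DC that has been deleted but not cleaned up), whose last attempt failed,
or whose last success is older than a threshold.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in repadmin's own layout; names and GUIDs are placeholders.
SAMPLE = """\
==== INBOUND NEIGHBORS ======================================

DC=example,DC=local
    Site-A\\DC1 via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2016-05-30 08:46:07 was successful.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

CN=Schema,CN=Configuration,DC=example,DC=local
    (null) via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ 2010-09-13 21:46:27 was successful.
    Site-A\\DC1 via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2016-05-24 18:55:09 was successful.

DC=DomainDnsZones,DC=example,DC=local
    Site-A\\DC1 via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2016-05-30 07:54:32 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
"""

PARTNER_RE = re.compile(r"^(.+?) via (\S+)$")
GUID_RE = re.compile(r"^DC object GUID: ([0-9a-fA-F-]{36})$")
STAMP = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
OK_RE = re.compile(r"^Last attempt @ " + STAMP + r" was successful\.$")
FAIL_RE = re.compile(r"^Last attempt @ " + STAMP + r" failed, result (\d+)")


def parse_showreps(text):
    """Return one dict per partner line, tagged with its section and naming context."""
    records, section, nc, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("===="):            # "==== INBOUND NEIGHBORS ===="
            section = line.strip("= ")
            cur = None
            continue
        if line.startswith(("DC=", "CN=")):     # naming context header
            nc = line
            continue
        m = PARTNER_RE.match(line)
        if m:                                   # "<site>\\<dc> via RPC" or "(null) via RPC"
            cur = {"section": section, "nc": nc, "partner": m.group(1),
                   "transport": m.group(2), "guid": None,
                   "last_attempt": None, "success": None, "result": None}
            records.append(cur)
            continue
        if cur is None:                         # header lines before the first partner
            continue
        m = GUID_RE.match(line)
        if m:
            cur["guid"] = m.group(1)
            continue
        m = OK_RE.match(line)
        if m:
            cur["last_attempt"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            cur["success"] = True
            continue
        m = FAIL_RE.match(line)
        if m:
            cur["last_attempt"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            cur["success"] = False
            cur["result"] = int(m.group(2))
    return records


def find_problems(text, now, max_age_days=7):
    """Return (naming_context, partner, reason) for every partner that needs a look.

    `now` is a datetime or a "YYYY-MM-DD" string (the date the output was taken).
    """
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    problems = []
    for r in parse_showreps(text):
        if not r["section"] or r["section"].startswith("KCC"):
            continue                            # connection objects are not partners
        if r["partner"] == "(null)":
            problems.append((r["nc"], r["partner"],
                             "partner name is (null): a deleted DC is still "
                             "referenced; finish metadata cleanup"))
        elif r["success"] is False:
            problems.append((r["nc"], r["partner"],
                             f"last attempt failed, result {r['result']}"))
        elif r["last_attempt"] and now - r["last_attempt"] > timedelta(days=max_age_days):
            age = (now - r["last_attempt"]).days
            problems.append((r["nc"], r["partner"], f"last success {age} days ago"))
    return problems


if __name__ == "__main__":
    for nc, partner, reason in find_problems(SAMPLE, "2016-05-31"):
        print(f"{nc}: {partner}: {reason}")
```

Feed it the saved output of `repadmin /showreps <dc> /all` and the date it was captured; anything it lists under a "(null)" partner is what the later cleanup steps in this thread are about.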
  • Hi Rick,

    I found this solution:

    1. Log onto the First Domain Controller
    2. Open Regedit
    3. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    4. Right-click Parameters, click New, and then click DWORD Value.
    5. Type “Allow Replication With Divergent and Corrupt Partner” and press enter.
    6. Open the entry and in the Value Data box type 0
    7. Reboot First DC wait for it to come back online and then repeat the above steps on the Second DC.

    Best Regards,

    Weily


    Please remember to mark the useful replies as answers.


    • Edited by Weily Ngui Monday, May 30, 2016 1:26 PM
    • Proposed as answer by Weily Ngui Monday, May 30, 2016 1:26 PM
    Monday, May 30, 2016 1:15 PM
  • Lain,

    Results from dcdiag on Server 2003. Where dcdiag references 10.0.0.4, that is the Server 2008 box.

             [Topology Integrity Check,myDomain-PDC-2] Intra-site topology generation is disabled in this site.
                IsmServ Service is stopped on [myDomain-PDC-2]
             ......................... myDomain-PDC-2 failed test Services
             ** Did not run Outbound Secure Channels test
             because /testdomain: was not entered
             The following problems were found while verifying various important DN
             references.  Note, that  these problems can be reported because of
             latency in replication.  So follow up to resolve the following
             problems, only if the same problem is reported on all DCs for a given
             domain or if  the problem persists after replication has had
             reasonable time to replicate changes. 
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=SERV2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=myDomain,DC=local
                 Base Object Description: "SYSVOL FRS Member Object"
                 Value Object Attribute Name: frsComputerReference
                 Value Object Description: "DC Account Object"
                 Recommended Action: Check if this server is deleted, and if so
                clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge
                Base Article:  Q312862

                [2] Problem: Missing Expected Value
                 Base Object:
                CN=SERV2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=myDomain,DC=local
                 Base Object Description: "SYSVOL FRS Member Object"
                 Value Object Attribute Name: serverReference
                 Value Object Description: "DSA Object"
                 Recommended Action: Check if this server is deleted, and if so
                clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge
                Base Article  Q312862

                [3] Problem: Missing Expected Value
                 Base Object:
                CN=TMP,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=myDomain,DC=local
                 Base Object Description: "SYSVOL FRS Member Object"
                 Value Object Attribute Name: frsComputerReference
                 Value Object Description: "DC Account Object"
                 Recommended Action: Check if this server is deleted, and if so
                clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge
                Base Article:  Q312862

                [4] Problem: Missing Expected Value
                 Base Object:
                CN=TMP,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=myDomain,DC=local
                 Base Object Description: "SYSVOL FRS Member Object"
                 Value Object Attribute Name: serverReference
                 Value Object Description: "DSA Object"
                 Recommended Action: Check if this server is deleted, and if so
                clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge
                Base Article  Q312862

             ......................... myDomain-PDC-2 failed test VerifyEnterpriseReferences
             [myDomain-PDC-2] No security related replication errors were found on this DC!  To target the connection to a specific source DC use /ReplSource:<DC>.

    DNS Tests are running and not hung. Please wait a few minutes...
             Test results for domain controllers:
                
                DC: myDomain-pdc-2.myDomain.local
                Domain: myDomain.local

                      
                   TEST: Basic (Basc)
                      Warning: adapter [00000012] HP Network Teaming Virtual Miniport Driver has invalid DNS server: 10.0.0.4 (<name unavailable>)
                      
                   TEST: Forwarders/Root hints (Forw)
                      Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
             
             Summary of test results for DNS servers used by the above domain controllers:

                DNS server: 10.0.0.4 (<name unavailable>)
                   1 test failure on this DNS server
                   This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.0.0.4
                   Name resolution is not functional. _ldap._tcp.myDomain.local. failed on the DNS server 10.0.0.4
                   
                DNS server: 128.8.10.90 (d.root-servers.net.)
                   1 test failure on this DNS server
                   This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
                   
             Summary of DNS test results:
             
                                                Auth Basc Forw Del  Dyn  RReg Ext  
                   ________________________________________________________________
                Domain: myDomain.local
                   myDomain-pdc-2                PASS WARN PASS PASS PASS PASS n/a  
             

    Monday, May 30, 2016 1:19 PM

  • >>I'd also recommend running a "dcdiag /c /q" on both domain controllers to see what - if any, errors are reported.

    Results from dcdiag on the Server 2008 box with the failed DNS start.

             [myDomain-PDC] No security related replication errors were found on
             this DC!  To target the connection to a specific source DC use
             /ReplSource:<DC>.
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=myDomain,DC=local
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=DomainDnsZones,DC=myDomain,DC=local
             ......................... myDomain-PDC failed test NCSecDesc
             ** Did not run Outbound Secure Channels test because /testdomain: was
             not entered
             An error event occurred.  EventID: 0xC0001B77
                Time Generated: 05/30/2016   09:24:59
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
             ......................... myDomain-PDC failed test SystemLog
             The following problems were found while verifying various important DN
             references.  Note, that  these problems can be reported because of
             latency in replication.  So follow up to resolve the following
             problems, only if the same problem is reported on all DCs for a given
             domain or if  the problem persists after replication has had
             reasonable time to replicate changes. 
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=SERV2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=myDomain,DC=local
                 Base Object Description: "SYSVOL FRS Member Object"
                 Value Object Attribute Name: serverReference
                 Value Object Description: "DC Account Object"
                 Recommended Action: Check if this server is deleted, and if so
                clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge
                Base Article:  Q312862

                [2] Problem: Missing Expected Value
                 Base Object:
                CN=SERV2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=myDomain,DC=local
                 Base Object Description: "SYSVOL FRS Member Object"
                 Value Object Attribute Name: frsComputerReference
                 Value Object Description: "DSA Object"
                 Recommended Action: Check if this server is deleted, and if so
                clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge
                Base Article  Q312862

                [3] Problem: Missing Expected Value
                 Base Object:
                CN=TMP,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=myDomain,DC=local
                 Base Object Description: "SYSVOL FRS Member Object"
                 Value Object Attribute Name: serverReference
                 Value Object Description: "DC Account Object"
                 Recommended Action: Check if this server is deleted, and if so
                clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge
                Base Article:  Q312862

                [4] Problem: Missing Expected Value
                 Base Object:
                CN=TMP,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=myDomain,DC=local
                 Base Object Description: "SYSVOL FRS Member Object"
                 Value Object Attribute Name: frsComputerReference
                 Value Object Description: "DSA Object"
                 Recommended Action: Check if this server is deleted, and if so
                clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge
                Base Article  Q312862

             ......................... myDomain-PDC failed test VerifyEnterpriseReferences
             DNS Service is stopped on [myDomain-PDC]
             ......................... myDomain-PDC failed test DNS
             Test results for domain controllers:

                DC: myDomain-pdc.myDomain.local
                Domain: myDomain.local

                   TEST: Basic (Basc)
                      Error: DNS service is not running

             Summary of DNS test results:

                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: myDomain.local
                   myDomain-pdc                  PASS FAIL n/a  n/a  n/a  n/a  n/a  

             ......................... myDomain.local failed test DNS



    Monday, May 30, 2016 1:30 PM
  • >>Feel free to post the results from any/all of the above commands if you want us to help you interpret the results, though if you do, it'd also be useful to have the results of "ipconfig /all" for both servers as well.

    Results from ipconfig /all:

    Server 2008

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : myDomain-pdc
       Primary Dns Suffix  . . . . . . . : myDomain.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : myDomain.local

    Ethernet adapter Default:

       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Citrix PV Ethernet Adapter
       Physical Address. . . . . . . . . : F2-9B-8D-5A-A3-17
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.0.0.4(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.0.0.1
       DNS Servers . . . . . . . . . . . : 10.0.0.22
                                           127.0.0.127
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{341324BB-44C7-46A6-8BBB-20DDCF6FFA12}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Results from Server 2003



    Windows IP Configuration

       Host Name . . . . . . . . . . . . : myDomain-pdc-2
       Primary Dns Suffix  . . . . . . . : myDomain.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : myDomain.local

    Ethernet adapter Local Area Connection 6:

       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : LAN:HP NC373i Multifunction Gigabit Server Adapter #3
       Physical Address. . . . . . . . . : 00-1B-78-2E-20-D6
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.0.0.22
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.0.0.1
       DNS Servers . . . . . . . . . . . : 10.0.0.22
                                           10.0.0.4

    Monday, May 30, 2016 1:39 PM
  • Hi Rick,

    >>My initial concern with this would be for how long as this been going on, or more specifically, for how long has this been affecting replication?


    The problem started on 5/20/2016. I did find an event id 1000 dns.exe failed to start on 5/12, but apparently it recovered and then failed on the 20th of May and never recovered. 

    Looking at the logs, before the first dns.exe failure on 5/12 the server installed automatic updates; then, apparently, after the restart dns.exe failed to start, but recovered after a three-minute pause. From my log files these are the updates that took place:

    Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes: 
    - Windows Malicious Software Removal Tool x64 - May 2016 (KB890830)
    - Update for Windows Server 2008 R2 x64 Edition (KB3153731)
    - Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64 (KB3142024)
    - Update for Windows Server 2008 R2 x64 Edition (KB3145126)
    - Security Update for Windows Server 2008 R2 x64 Edition (KB3156016)
    - Security Update for Windows Server 2008 R2 x64 Edition (KB3156019)
    - Cumulative Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems (KB3154070)
    - Security Update for Windows Server 2008 R2 x64 Edition (KB3153199)
    - Security Update for Microsoft .NET Framework 4.5.2 on Windows 7, Vista, Server 2008, and Server 2008 R2 for x64 (KB3142033)
    - Security Update for Windows Server 2008 R2 x64 Edition (KB3156017)
    - Security Update for Windows Server 2008 R2 x64 Edition (KB3153171)
    - Security Update for Windows Server 2008 R2 x64 Edition (KB3156013)

    • Edited by R. Morgan Monday, May 30, 2016 2:40 PM
    Monday, May 30, 2016 2:16 PM
  • Hi Rick,

    There's quite a lot going wrong here. In short form:

    1. There are references to domain controllers that no longer exist and haven't been cleaned up properly.
    2. Someone's disabled part of the KCC (specifically, intra-site topology generation).
    3. Replication permissions missing from a number of application partitions.
    4. DNS servers not responding.
    5. Something happened on the night of the 24th May 2016 that impacted outbound replication from the Server 2003 host to a specific domain controller.

    I'm not sure which domain controller to trust the most at this stage. Perhaps focus on whichever domain controller is holding the FSMO roles (assuming all FSMO roles are on the one domain controller).

    The first thing I'd be tackling is cleaning the old domain controllers out of Active Directory. Based on the dcdiag output, I'm inclined to think that someone's already had a go at this manually and hasn't completed the task, but you can certainly try using the "ntdsutil metadata cleanup" process described here to verify that.

    In relation to point 2, I can't help but think this is a mistake made by someone tinkering or thinking they know better than the KCC. I'd strongly recommend re-enabling this as per the information found at the end of this article. That said, if there is a valid reason for it being disabled then someone clearly needs to update the connection objects.

    Note: If your network does not have full mesh connectivity then the correct option to disable is "bridge all site links" which can be found under Sites and Services\Sites\Inter-Site Transports -> right-click the IP container and choose Properties.

    In relation to point 3, you can quickly resolve this yourself using ldp.exe or adsiedit.msc through binding to the two application partitions in question (DC=ForestDnsZones... and DC=DomainDnsZones...) and adding the following permission:

    Point 4 is also straightforward: remove any references to loopback addresses such as 127.0.0.1 (IPv4) or ::1 (IPv6) from adapters, as per best practice. DNS servers should always use the host's "real" address.

    Anyhow, as I said earlier, I'd emphatically recommend you fix these issues rather than just adding a new domain controller as that won't achieve anything other than promoting further issues. Once the environment is running and there are no errors, only then is it time to add in new domain controllers.

    If you have any issues or concerns, post back here and we'll be able to offer further assistance.

    Cheers,
    Lain

    Tuesday, May 31, 2016 2:58 AM
  • PS: I meant to include this in my earlier post, but if you can load up dnsmgmt.msc and check the "_msdcs" zone, can you post a list back here of the CNAME mappings?

    There are other ways to find this information; however, if I'm right and someone's botched an attempted cleanup, this is about the easiest way to cross-reference some of the information coming from the FRS errors observed in the dcdiag output.

    Cheers,
    Lain

    Tuesday, May 31, 2016 3:03 AM
  • >>We suggest that you could install DNS server role on Windows Server 2012r2, and add secondary zone on them. (Master server is the old 2003 DNS server) Open Properties of the zone on old DNS server, click Zone Transfers tab and set it to allow.

    >>Once the zone transfer completed, change it from secondary to primary. Also change Name Servers to the new DNS server. Remove old servers and also clear their DNS records.

    If I can't resolve the error / problem I'll definitely keep your suggestion in mind. Lain makes the point, "I personally wouldn't want to be promoting a new domain controller into an environment where I'm not 100% sure of the consistency of the directory." Reading your message, you mention installing the DNS role, but I think what is going to happen is that at some point I'm going to have to make the server a domain controller.
    Tuesday, May 31, 2016 11:33 AM
  • Hi Rick,

    >>There's quite a lot going wrong here. In short form:

    >>1. There's references to domain controllers that no longer exist and haven't been cleaned up properly.

    Lain,

    I thought I would start with the first step, but didn't find the old domain controllers using the GUI (Active Directory Users and Computers or Active Directory Sites and Services). Perhaps you can recommend a tool to remove orphaned domain controllers.

    So I decided to look into step 2. The options attribute shows a value of 0x20. The KCC document says to take note of the list of flags, but I'm unsure of the settings to enable KCC. Since the KCC is disabled I wanted to better understand how it works, and that led me to the document How to disable the Knowledge Consistency Checker. While reading the document, this led to the option attribute setting using the Ldp.exe tool on the 2003 domain controller, but the option setting is missing. In the lower part of the document is how to re-enable KCC generation. At this point this is research and I haven't made any changes; I wanted to check in and get your thoughts.

    Thanks for the help,
    Rick

    Tuesday, May 31, 2016 6:19 PM
  • Hi Rick,

    It sounds like someone cleaned up the obvious objects but not the less obvious ones, which in this case refers to the FRS or DFS-R memberships.

    Can you use LDP (I like LDP because it's very hard to accidentally delete anything) to check for FRS/DFS-R membership for domain controllers that no longer exist, as per your dcdiag output from up top?

    Steps for generating a list of invalid SYSVOL members:

    1. From an elevated command prompt, run:
    dfsdiag /testdcs


    This should throw up some errors as well as the names of the invalid members.

    Steps for checking the relevant containers:

    1. Launch LDP.
    2. Connect to the domain.
    3. Bind to the domain (using domain admin credentials if you intend to remove any bogus references, or a normal "unprivileged" account if you just want to inspect the settings first).
    4. Go to the View menu -> Tree.
    5. Select the default naming context (your domain name in the usual "DC=" format) from the drop-down list and click the OK button.
    6. Expand the CN=System node.
    7. Expand the CN=File Replication Service
    8. Expand the CN=Domain System Volume (SYSVOL share) node and check for any non-existent domain controllers.
    9. Focusing back up one level on CN=System, expand the child node named CN=DFSR-GlobalSettings.
    10. Expand the CN=Domain System Volume node.
    11. Expand the CN=Topology node.
    12. As with step 8, check for any non-existent domain controllers.

    During steps 8 and 12, if you find any references to non-existent domain controllers, you can safely remove these. That said, the benefits of this clean-up won't be realised until the FRS or DFS-R service on the valid domain controllers poll AD and pick up the changes. You can monitor this with "dfsdiag /testdcs" and force the issue with a service restart or by using "dfsrdiag.exe pollad" if you're using DFS-R. In any case, once "dfsdiag /testdcs" stops showing the invalid domain controllers, that's one issue from the dcdiag output resolved.

    Putting this in context of the list I provided above, this deals - at least in part, with issue 1. You can and should definitely action points 2, 3 and 4 now. If you can also provide the list of domain controller GUIDs taken from the _msdcs DNS zone, that'd be appreciated.

    While I've already spoken about each of the points, for point 2, I'll go into a little more depth from a command perspective.

    First of all, you can check the KCC values for each site (you have to check each one with a separate command) with the following command:

    repadmin /siteoptions yourDcName /site:siteName

    For example,

    repadmin /siteoptions myDomain-pdc-2 /site:"myDomain-Elementary-School"

    This will come back and tell you if the KCC is disabled (i.e. either or both IS_AUTO_TOPOLOGY_DISABLED or IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED are listed).

    To re-enable the KCC for the domain controllers in that site, run:

    repadmin /siteoptions yourDcName /site:siteName -IS_AUTO_TOPOLOGY_DISABLED -IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED

    You can certainly fiddle with the "options" attribute of the site's NTDS Settings object but the above method is a little safer insofar as it takes the small chance of a mathematical mistake out of the equation. If you're interested in all that this flag offers, have a read of this reference - with the advisory that you do need to understand what you're doing before tinkering with these flags too much.

    As something of an aside and a point of comparison for your longer term planning, it's worth mentioning that the "options" attribute is actually empty in a native 2012 R2 environment or even an environment which has been successively upgraded from Server 2003 functional modes to Server 2012 R2.

    Cheers,
    Lain

    Wednesday, June 1, 2016 12:40 AM
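The LDP walk in the post above (steps 8 and 12) can be scripted so the comparison against the directory's real list of domain controllers is done for you. The following is an added example, not code from the thread or from Microsoft: it treats a server object that still has an NTDS Settings child as a live DC, then checks every FRS (nTFRSMember) and DFS-R (msDFSR-Member) SYSVOL member against that list and reports the ones whose computer reference no longer resolves. It deletes nothing; the object DNs it prints are what you would then remove in LDP or adsiedit. It assumes a domain-joined host with PowerShell 2.0 or later and ordinary read access; the function names are mine.

```powershell
# Added example (not code from the thread): a read-only audit of the SYSVOL
# replication member objects walked through in LDP above. A member is reported as an
# orphan when its computer reference no longer maps to a server that still has an
# NTDS Settings object, i.e. a DC that metadata cleanup has (or should have) removed.
# Nothing is deleted. Assumes a domain-joined host, PowerShell 2.0 or later and
# ordinary read access to the directory.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext

function Search-Ad {
    param([string]$BaseDn, [string]$Filter, [string[]]$Props)
    # The FRS and DFS-R containers are mutually exclusive; skip the absent one quietly.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$BaseDn")) {
        Write-Warning "Container not present (expected if SYSVOL uses the other technology): $BaseDn"
        return
    }
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$BaseDn")
    $s.Filter     = $Filter
    $s.PageSize   = 500
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    foreach ($r in $s.FindAll()) { $r }
}

# 1. Ground truth: each NTDS Settings object sits under a server object whose
#    serverReference attribute points at the DC's computer account.
$liveDcs = @{}
foreach ($r in @(Search-Ad $configDn "(objectClass=nTDSDSA)" @("distinguishedName"))) {
    $serverDn   = ([string]$r.Properties["distinguishedname"][0]) -replace '^CN=NTDS Settings,', ''
    $computerDn = [string]([ADSI]"LDAP://$serverDn").serverReference
    if ($computerDn) { $liveDcs[$computerDn.ToLower()] = $serverDn }
}

# 2. Compare every FRS (nTFRSMember) or DFS-R (msDFSR-Member) member against that list.
function Test-SysvolMembers {
    param([string]$Label, [string]$BaseDn, [string]$Class, [string]$RefAttr)
    foreach ($m in @(Search-Ad $BaseDn "(objectClass=$Class)" @("distinguishedName", $RefAttr))) {
        $memberDn = [string]$m.Properties["distinguishedname"][0]
        $refs     = $m.Properties[$RefAttr.ToLower()]
        $ref      = ""
        if ($refs -ne $null -and $refs.Count -gt 0) { $ref = [string]$refs[0] }
        if (-not $ref) {
            $state = "ORPHAN: no computer reference"
        } elseif ($liveDcs.ContainsKey($ref.ToLower())) {
            $state = "ok"
        } elseif ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ref")) {
            $state = "ORPHAN: computer account exists but has no NTDS Settings object"
        } else {
            $state = "ORPHAN: computer account no longer exists ($ref)"
        }
        "{0,-5} {1}`n      {2}" -f $Label, $memberDn, $state
    }
}

Test-SysvolMembers "FRS"   "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn" "nTFRSMember"   "frsComputerReference"
Test-SysvolMembers "DFS-R" "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn"          "msDFSR-Member" "msDFSR-ComputerReference"
```

Run it on the DC you are treating as the trusted source, since that is the replica whose view you are cleaning up to. The NTDS Settings check is deliberately stricter than "does the computer account exist": a half-demoted DC can keep its computer object while its replication identity is gone, and it is the latter that FRS/DFS-R members must match.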
  • Hi Rick,

    It sounds like someone cleaned up the obvious objects but not the less obvious ones, which in this case refers to the FRS or DFS-R memberships.

    Can you use LDP (I like LDP because it's very hard to accidentally delete anything) to check for FRS/DFS-R membership for domain controllers that no longer exist, as per your dcdiag output from up top?

    Steps for generating a list of invalid SYSVOL members:

    1. From an elevated command prompt, run:
    dfsdiag /testdcs

    Results from above command. The missing domain controllers did not show up in the report, but I do see the missing DC's when I run LDP step 8.  Moving forward to step 9 CN=System, I don't see CN=DFSR-GlobalSettings. I looked and looked thinking my eyes are going buggy but I don't see the setting. Is it possible the setting doesn't exist? Below is dfsdiag report and showing some errors.

    Information: The client computer is joined to the following domain: myDomain



    Starting TestDcs...



    Validating the DFS Namespace service...

    Validating DFS Namespace service on myDomain-PDC-2.

    Success: The DFS Namespace service on the following server is started and set to start automatically: myDomain-PDC-2

    Validating DFS Namespace service on myDomain-PDC.

    Success: The DFS Namespace service on the following server is started and set to start automatically: myDomain-PDC



    Validating SiteCostedReferrals Key...

    Validating site costed referrals in myDomain-PDC-2.

    Success: Site costing is enabled on SYSVOL/NETLOGON referrals.

    Validating site costed referrals in myDomain-PDC.

    Success: Site costing is enabled on SYSVOL/NETLOGON referrals.



    Validating registry entries...

    Comparing myDomain-PDC-2 - myDomain-PDC.

        No key was found. Computer: myDomain-PDC Key: CheckIfShouldRun

    Warning: The registry values under HKLM\CCS\Services\Dfs\Parameters are not consistent on all compared servers.



    Validating site associations...



    Validating the site associations on every domain controller of the following: myDomain-PDC-2

    Success: The site associated with the following host name is consistent on all accessible domain controllers: myDomain-PDC-2



    Validating the site associations on every domain controller of the following: myDomain-PDC

    Warning: The server has IP addresses with conflicting site associations

    Host name: myDomain-pdc  

    Site: myDomain-Elementary-School

    Domain controller: myDomain-PDC-2
    -------------------------------------------------------------------------------
    Host IP address                         Subnet-SiteMapping in AD
    -------------------------------------------------------------------------------
    ::1                                     No mapping exists       
    -------------------------------------------------------------------------------
    Success: The site associated with the following host name is consistent on all accessible domain controllers: myDomain-PDC

    Finished TestDcs.

    As always thanks!


    Wednesday, June 1, 2016 1:59 AM
  • Hi Rick,

    Just a quick answer to an early question - as I'll have to read the reply fully when I get back from a meeting, however, the nodes under 8 and 11 are mutually exclusive meaning you'll only find the domain controllers listed under one or the other. In other words, you've got no issues there.

    In short, one node relates to SYSVOL operating over the older FRS technology while you'd find them under the other node if the SYSVOL had been migrated to the DFS-R technology.

    I was just getting you to check both as I didn't know for sure which you were using.

    Anyhow, I'll come back to you soon-ish on the remainder.

    Cheers,
    Lain

    Wednesday, June 1, 2016 2:14 AM
  • While I've already spoken about each of the points, for point 2, I'll go into a little more depth from a command perspective.

    First of all, you can check the KCC values for each site (you have to check each one with a separate command) with the following command:

    repadmin /siteoptions yourDcName /site:siteName

    For example,

    repadmin /siteoptions myDomain-pdc-2 /site:"myDomain-Elementary-School"

    It comes back as, IS_GROUP_CACHING_ENABLED


    Wednesday, June 1, 2016 2:20 AM
  • Hi Rick,

    Okay, based on your latest information I'd be doing these two things straight away on the Server 2003 host (unless otherwise stated):

    1. Removing the orphaned domain controllers from CN=Domain System Volume (SYSVOL share) as per Step 8 above. Based on your original dcdiag reports from the Server 2003 machine above, you'd be removing the references to CN=SERV2 and CN=TMP, but you'll know which ones are bogus when you're looking at the node.
    2. Remove the 127.0.0.127 secondary DNS address on the Server 2008 DC.
    3. Remove the 10.0.0.4 secondary DNS address on the Server 2003 DC for the time being as it's not responding (according to the dcdiag output). This should leave both hosts with the primary DNS address of 10.0.0.22, which is the Server 2003 DC IPv4 address.
    4. Unlink the IPv6 protocol from the network adapter properties on each domain controller as that's just throwing some other misinformation in the way and it looks like IPv6 isn't being used in any case.
    5. Use "Users and Computers" (requires advanced mode view to be enabled), adsiedit or LDP to add the Enterprise Domain Controller permissions as outlined with a screenshot a few posts back to the DC=DomainDnsZones and DC=ForestDnsZones application partitions.
    6. If you can use LDP "tree" view to connect to the CN=Configuration,DC=yourdomain,DC=com node and verify that you have just the one site named "myDomain-Elementary-School" listed, as I still can't reconcile how the much earlier dcdiag from the Server 2003 DC reported that intra-site topology generation is disabled. Perhaps check this on both domain controllers, not just one or the other. You can also run the same "repadmin /siteoptions" command from above on each domain controller as an alternative but it needs to be understood where this is coming from and then fixed so that the KCC is once again enabled.
    7. Run the following command on both the Windows Server 2003 and Windows Server 2008 DCs:
      repadmin /kcc
    8. I really need those DC GUIDs from the _msdcs.yourDomain.com DNS zone so I know how to interpret the connections reported from the previous posts.

    Cheers,
    Lain

    Wednesday, June 1, 2016 3:44 AM
  • PS: I meant to include this in my earlier post, but if you can load up dnsmgmt.msc and check the "_msdcs" zone, can you post a list back here of the CNAME mappings?

    There's other ways to find this information, however, if I'm right and someone's botched an attempted cleanup, this is about the easiest way to cross reference some of the information coming from the FRS errors observed in the dcdiag output.

    Name Type Data
    dc
    domains
    gc
    pdc
    1b51209e-39b7-4cd4-81a1-171fe3941ed6 Alias (CNAME) myDomain-pdc-2.myDomain.local.
    ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1 Alias (CNAME) myDomain-pdc.myDomain.local.


    Wednesday, June 1, 2016 11:37 AM
  • Hi Rick,

    Thanks for the DNS output. It does help give context to some of the previous output.

    If you tackle the list above - which isn't as much work as it looks like, then I'd re-run "dcdiag /q /c" on both domain controllers and see where things are at.

    I'm still bothered by the original dcdiag results on the Server 2003 DC stating that intra-site replication is disabled, however, there should be a lot less static in the dcdiag output as the above steps will resolve a fair number of those issues.

    Cheers,
    Lain

    Wednesday, June 1, 2016 1:06 PM
  • Hi Lain,

    I'm stuck on step 5, using LDP I found DC=DomainDnsZones in the drop down menu but reviewing step 3, I can't find what you show in the image you provided. So I tried looking for object using Users and Computers in advance mode but am unable to find the object. I'll keep looking.

    Sorry about the delay responding to your message yesterday, I was swamped here and didn't have a minute to reply.

    Thanks,

    Rick 

    Thursday, June 2, 2016 11:27 AM
  • Hi Rick,

    Perhaps use adsiedit.msc for that one. That's what I took the screenshot from as it's a little prettier to look at than LDP. It's also a little easier if you're not familiar with LDP's ACL editor.

    Cheers,
    Lain

    Thursday, June 2, 2016 12:49 PM
  • Hi Rick,

    Perhaps use adsiedit.msc for that one. That's what I took the screenshot from as it's a little prettier to look at than LDP. It's also a little easier if you're not familiar with LDP's ACL editor.

    Cheers,
    Lain

    Lain,

    I want to make sure I'm looking in the correct place using adsiedit.

    Open adsiedit > r. click ADSI.edit > Connection Setting , Select or type a Distinguished Name or Naming Context ( DC=DomainDnsZones, DC=myDomain, DC=local) > expand Domain [myDomain-pdc-2.myDomain.local] > right click child folder > Properties > Security Tab > Enterprise Domain Controllers is present.

    If I'm in the correct place I see Enterprise Domain Controllers in both DC=DomainDnsZones and DC=ForestDnsZones.

    Thanks, Rick

    Thursday, June 2, 2016 11:46 PM
  • Hi Rick,

    Okay, based on your latest information I'd be doing these two things straight away on the Server 2003 host (unless otherwise stated):

    1. Removing the orphaned domain controllers from CN=Domain System Volume (SYSVOL share) as per Step 8 above. Based on your original dcdiag reports from the Server 2003 machine above, you'd be removing the references to CN=SERV2 and CN=TMP, but you'll know which ones are bogus when you're looking at the node.
    2. Remove the 127.0.0.127 secondary DNS address on the Server 2008 DC.
    3. Remove the 10.0.0.4 secondary DNS address on the Server 2003 DC for the time being as it's not responding (according to the dcdiag output). This should leave both hosts with the primary DNS address of 10.0.0.22, which is the Server 2003 DC IPv4 address.
    4. Unlink the IPv6 protocol from the network adapter properties on each domain controller as that's just throwing some other misinformation in the way and it looks like IPv6 isn't being used in any case.
    5. Use "Users and Computers" (requires advanced mode view to be enabled), adsiedit or LDP to add the Enterprise Domain Controller permissions as outlined with a screenshot a few posts back to the DC=DomainDnsZones and DC=ForestDnsZones application partitions.
    6. If you can use LDP "tree" view to connect to the CN=Configuration,DC=yourdomain,DC=com node and verify that you have just the one site named "myDomain-Elementary-School" listed, as I still can't reconcile how the much earlier dcdiag from the Server 2003 DC reported that intra-site topology generation is disabled. Perhaps check this on both domain controllers, not just one or the other. You can also run the same "repadmin /siteoptions" command from above on each domain controller as an alternative but it needs to be understood where this is coming from and then fixed so that the KCC is once again enabled.

    Step 6, you asked is one site listed? I think so.

    >> Dn: CN=Configuration,DC=myDomain,DC=local
    2> objectClass: top; configuration; 
    1> cn: Configuration; 
    1> distinguishedName: CN=Configuration,DC=myDomain,DC=local; 
    1> instanceType: 0xD = ( DS_INSTANCETYPE_IS_NC_HEAD | IT_WRITE | IT_NC_ABOVE ); 
    1> whenCreated: 04/08/2004 08:48:53 Eastern Standard Time Eastern Daylight Time; 
    1> whenChanged: 05/24/2016 18:54:51 Eastern Standard Time Eastern Daylight Time; 
    1> subRefs: CN=Schema,CN=Configuration,DC=myDomain,DC=local; 
    1> uSNCreated: 6942; 
    1> dSASignature: { V1: Flags = 0x0; LatencySecs = 0; DsaGuid = ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1 }; 
    1> repsTo: dwVersion = 1, V1.cb: 278, V1.cConsecutiveFailures: 0 V1.timeLastSuccess: 13109356739 V1.timeLastAttempt: 13109356739 V1.ulResultLastAttempt: 0x0 V1.cbOtherDraOffset: 216 V1.cbOtherDra: 62 V1.ulReplicaFlags: 0x10 V1.rtSchedule: <ldp:skipped> V1.usnvec.usnHighObjUpdate: 0 V1.usnvec.usnHighPropUpdate: 0 V1.uuidDsaObj: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1 V1.uuidInvocId: 00000000-0000-0000-0000-000000000000 V1.uuidTransportObj: 00000000-0000-0000-0000-000000000000 V1~mtx_address: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1._msdcs.myDomain.local V1.cbPASDataOffset: 0 V1~PasData: version = -1, size = -1, flag = -1 ; 
    1> repsFrom: dwVersion = 1, V1.cb: 278, V1.cConsecutiveFailures: 0 V1.timeLastSuccess: 13109385260 V1.timeLastAttempt: 13109385260 V1.ulResultLastAttempt: 0x0 V1.cbOtherDraOffset: 216 V1.cbOtherDra: 62 V1.ulReplicaFlags: 0x70 V1.rtSchedule: <ldp:skipped> V1.usnvec.usnHighObjUpdate: 13283697 V1.usnvec.usnHighPropUpdate: 13283697 V1.uuidDsaObj: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1 V1.uuidInvocId: 57308c77-ce93-48a8-a498-b3d0cec972ad V1.uuidTransportObj: 00000000-0000-0000-0000-000000000000 V1~mtx_address: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1._msdcs.myDomain.local V1.cbPASDataOffset: 0 V1~PasData: version = -1, size = -1, flag = -1 ; 
    1> uSNChanged: 12666013; 
    1> showInAdvancedViewOnly: TRUE; 
    1> name: Configuration; 
    1> objectGUID: b302e40e-f8c8-42c7-b91b-4d3531bd8a2f; 
    1> replUpToDateVector: <ldp error: cannot process UPDATE_VECTOR v.2>; 
    3> wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,CN=Configuration,DC=myDomain,DC=local; B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFoundConfig,CN=Configuration,DC=myDomain,DC=local; B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,CN=Configuration,DC=myDomain,DC=local; 
    1> objectCategory: CN=Configuration,CN=Schema,CN=Configuration,DC=myDomain,DC=local; 
    2> masteredBy: CN=NTDS Settings,CN=myDomain-PDC,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local; CN=NTDS Settings,CN=myDomain-PDC-2,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local; 
    2> msDs-masteredBy: CN=NTDS Settings,CN=myDomain-PDC,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local; CN=NTDS Settings,CN=myDomain-PDC-2,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local; 
    -----------


    Friday, June 3, 2016 12:11 AM
  • Hi Rick,

    Okay, based on your latest information I'd be doing these two things straight away on the Server 2003 host (unless otherwise stated):

    1. Removing the orphaned domain controllers from CN=Domain System Volume (SYSVOL share) as per Step 8 above. Based on your original dcdiag reports from the Server 2003 machine above, you'd be removing the references to CN=SERV2 and CN=TMP, but you'll know which ones are bogus when you're looking at the node.
    2. Remove the 127.0.0.127 secondary DNS address on the Server 2008 DC.
    3. Remove the 10.0.0.4 secondary DNS address on the Server 2003 DC for the time being as it's not responding (according to the dcdiag output). This should leave both hosts with the primary DNS address of 10.0.0.22, which is the Server 2003 DC IPv4 address.
    4. Unlink the IPv6 protocol from the network adapter properties on each domain controller as that's just throwing some other misinformation in the way and it looks like IPv6 isn't being used in any case.
    5. Use "Users and Computers" (requires advanced mode view to be enabled), adsiedit or LDP to add the Enterprise Domain Controller permissions as outlined with a screenshot a few posts back to the DC=DomainDnsZones and DC=ForestDnsZones application partitions.
    6. If you can use LDP "tree" view to connect to the CN=Configuration,DC=yourdomain,DC=com node and verify that you have just the one site named "myDomain-Elementary-School" listed, as I still can't reconcile how the much earlier dcdiag from the Server 2003 DC reported that intra-site topology generation is disabled. Perhaps check this on both domain controllers, not just one or the other. You can also run the same "repadmin /siteoptions" command from above on each domain controller as an alternative but it needs to be understood where this is coming from and then fixed so that the KCC is once again enabled.

    Step 6 repadmin /siteoptions results

    Server 2003

    C:\Documents and Settings\Administrator.myDomain>repadmin /siteoptions
    myDomain-Elementary-School
    Current Site Options: IS_GROUP_CACHING_ENABLED

    Server 2008

    C:\Users\administrator.myDomain>repadmin /siteoptions
    myDomain-Elementary-School
    Current Site Options: IS_GROUP_CACHING_ENABLED


    Friday, June 3, 2016 12:17 AM
  • Hi Rick,

    Okay, based on your latest information I'd be doing these two things straight away on the Server 2003 host (unless otherwise stated):

    1. Removing the orphaned domain controllers from CN=Domain System Volume (SYSVOL share) as per Step 8 above. Based on your original dcdiag reports from the Server 2003 machine above, you'd be removing the references to CN=SERV2 and CN=TMP, but you'll know which ones are bogus when you're looking at the node.
    2. Remove the 127.0.0.127 secondary DNS address on the Server 2008 DC.
    3. Remove the 10.0.0.4 secondary DNS address on the Server 2003 DC for the time being as it's not responding (according to the dcdiag output). This should leave both hosts with the primary DNS address of 10.0.0.22, which is the Server 2003 DC IPv4 address.
    4. Unlink the IPv6 protocol from the network adapter properties on each domain controller as that's just throwing some other misinformation in the way and it looks like IPv6 isn't being used in any case.
    5. Use "Users and Computers" (requires advanced mode view to be enabled), adsiedit or LDP to add the Enterprise Domain Controller permissions as outlined with a screenshot a few posts back to the DC=DomainDnsZones and DC=ForestDnsZones application partitions.
    6. If you can use LDP "tree" view to connect to the CN=Configuration,DC=yourdomain,DC=com node and verify that you have just the one site named "myDomain-Elementary-School" listed, as I still can't reconcile how the much earlier dcdiag from the Server 2003 DC reported that intra-site topology generation is disabled. Perhaps check this on both domain controllers, not just one or the other. You can also run the same "repadmin /siteoptions" command from above on each domain controller as an alternative but it needs to be understood where this is coming from and then fixed so that the KCC is once again enabled.
    7. Run the following command on both the Windows Server 2003 and Windows Server 2008 DCs:
      repadmin /kcc

    Step 7 repadmin /kcc

    Server 2003

    repadmin running command /kcc against server localhost

    Consistency check on localhost successful.

    Server 2008

    Repadmin: running command /kcc against full DC localhost
    myDomain-Elementary-School
    Current Site Options: IS_GROUP_CACHING_ENABLED
    Consistency check on localhost successful.


    Friday, June 3, 2016 12:23 AM
  • Hi Rick,

    That's definitely the right place though you need to click on the Advanced button to see the explicit permissions assigned to the Enterprise Domain Controllers group.

    Once you click on the Advanced button, look for the explicit permission from the screenshot above. I'd be checking for this permission whilst connected to the Server 2003 host as the idea here so far is to treat it as the trusted source and get the Server 2008 box back into alignment with it.

    Cheers,
    Lain

    Friday, June 3, 2016 12:29 AM
  • Hi Rick,

    Thanks for the additional information.

    Just going back to some of the output above, the LDP dump is of CN=Configuration,DC=yourDomain,DC=com - which I referenced in Step 6. What I should have spelt out when asking you to check how many sites there are is to expand the CN=Sites child node as the CN=Configuration doesn't actually tell you. All you are looking for is how many sites are listed as the report of intra-site topology being disabled came from somewhere (though perhaps you've already resolved that now).

    Once you've sorted out the Enterprise Domain Controllers permission, I'd run dcdiag /c /q on the Server 2003 domain controller again and post the output here. I'm hoping it's either fine now or at least very close to it.

    Cheers,
    Lain

    • Edited by Lain Robertson Friday, June 3, 2016 12:42 AM Change the dcdiag parameters.
    Friday, June 3, 2016 12:40 AM
  • Lain,

    There's a bunch of permissions for ENTERPRISE DOMAIN CONTROLLERS and I see one permission "Replicate Directory Changes", but no "Replicate Directory Changes in Filtered Set". Should I add the missing permission?

    -Rick

    Friday, June 3, 2016 12:52 AM
  • Lain,

    There's a bunch of permissions for ENTERPRISE DOMAIN CONTROLLERS and I see one permission "Replicate Directory Changes", but no "Replicate Directory Changes in Filtered Set". Should I add the missing permission?

    -Rick

    I should have mentioned this is on Server 2003
    Friday, June 3, 2016 12:53 AM
  • Yep.

    That's what the dcdiag output from the Server 2008 domain controller is moaning about (and justifiably so, as things changed a little between Server 2003 and 2008).

    Cheers,
    Lain

    Friday, June 3, 2016 12:57 AM
  • The sites listed are;

    CN=myDomain-Elementary-School...

    CN=Inter-Site Transports...

    CN=Subnets...

    Friday, June 3, 2016 1:06 AM
  • Yep.

    That's what the dcdiag output from the Server 2008 domain controller is moaning about (and justifiably so, as things changed a little between Server 2003 and 2008).

    Cheers,
    Lain

    Is that a Yep, as in Yep add the missing permission?
    Friday, June 3, 2016 1:08 AM
  • Okay, that's good. There is just the one site, as you say, though it does leave me a little confused as to where the alleged intra-site issue is coming from.

    Anyhow, I'll wait for the dcdiag output and keep my fingers crossed.

    Cheers,
    Lain

    Friday, June 3, 2016 1:10 AM
  • Sorry, Rick. Yes: add the permission in.

    Cheers,
    Lain

    Friday, June 3, 2016 1:11 AM
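The permission Lain has Rick add by hand in adsiedit can be checked and applied from PowerShell, which also makes it easy to see who else holds replication rights on those partitions. The following is an added example, not code from the thread or from Microsoft. It reads the security descriptor of DC=DomainDnsZones and DC=ForestDnsZones, lists every trustee holding any of the three replication extended rights, and reports whether ENTERPRISE DOMAIN CONTROLLERS (well-known SID S-1-5-9) holds "Replicating Directory Changes In Filtered Set"; only with -Fix does it add that ACE. The rightsGuid values are the schema's own and are the same in every forest. The security point worth taking from the listing: outside the default DC and administrator principals, those same replication rights are exactly what a DCSync-style credential dump needs, so an unexpected name in that list is a finding in its own right. Assumes a domain-joined host, PowerShell 2.0 or later, and Domain Admin rights when -Fix is used.

```powershell
# Added example (not code from the thread): audits the replication extended rights
# granted to ENTERPRISE DOMAIN CONTROLLERS (well-known SID S-1-5-9) on the two DNS
# application partitions and, only with -Fix, adds 'In Filtered Set' where missing.
# It also prints every trustee holding any replication right there. Read-only by default.
param([switch]$Fix)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$edcSid   = "S-1-5-9"
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# controlAccessRight rightsGuid values (identical in every forest)
$replRights = @{
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" = "Replicating Directory Changes"
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" = "Replicating Directory Changes All"
    "89e95b76-444d-4c62-991a-0facbeda640c" = "Replicating Directory Changes In Filtered Set"
}
$filteredSet = [Guid]"89e95b76-444d-4c62-991a-0facbeda640c"

foreach ($nc in @("DC=DomainDnsZones,$domainDn", "DC=ForestDnsZones,$domainDn")) {
    "== $nc"
    $entry = [ADSI]"LDAP://$nc"
    $acl   = $entry.ObjectSecurity
    $aces  = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $edcHasFilteredSet = $false
    foreach ($ace in $aces) {
        # GenericAll includes the ExtendedRight bit, so blanket grants show up here too
        if (($ace.ActiveDirectoryRights -band $extRight) -ne $extRight) { continue }
        $key = $ace.ObjectType.ToString().ToLower()
        if ($ace.ObjectType -eq [Guid]::Empty) {
            $name = "ALL extended rights"
        } elseif ($replRights.ContainsKey($key)) {
            $name = $replRights[$key]
        } else { continue }
        $who = $ace.IdentityReference.Value
        try { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        "  {0,-46} {1,-5} {2}" -f $name, $ace.AccessControlType, $who
        if ($ace.IdentityReference.Value -eq $edcSid -and $ace.AccessControlType -eq "Allow" -and
            ($ace.ObjectType -eq $filteredSet -or $ace.ObjectType -eq [Guid]::Empty)) {
            $edcHasFilteredSet = $true
        }
    }

    if ($edcHasFilteredSet) {
        "  ENTERPRISE DOMAIN CONTROLLERS already holds 'In Filtered Set'"
    } elseif ($Fix) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            (New-Object System.Security.Principal.SecurityIdentifier($edcSid)),
            $extRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $filteredSet,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($rule)
        $entry.CommitChanges()
        "  added 'In Filtered Set' for ENTERPRISE DOMAIN CONTROLLERS"
    } else {
        "  MISSING 'In Filtered Set' for ENTERPRISE DOMAIN CONTROLLERS (re-run with -Fix to add it)"
    }
}
```

Run it without -Fix first, on the Server 2003 DC that is being treated as the trusted source, and keep the printed trustee list: it is a cheap baseline to diff against later, since a new principal appearing with "Replicating Directory Changes All" is one of the clearest signs of a persistence foothold in a domain.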
  • Lain,

    Here is the dcdiag output. 

             [Topology Integrity Check,myDomain-PDC-2] Intra-site topology generation is disabled in this site.
                IsmServ Service is stopped on [myDomain-PDC-2]
             ......................... myDomain-PDC-2 failed test Services
             ** Did not run Outbound Secure Channels test
             because /testdomain: was not entered
             The following problems were found while verifying various important DN
             references.  Note, that  these problems can be reported because of
             latency in replication.  So follow up to resolve the following
             problems, only if the same problem is reported on all DCs for a given
             domain or if  the problem persists after replication has had
             reasonable time to replicate changes. 
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=myDomain-PDC,OU=Domain Controllers,DC=myDomain,DC=local
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: frsComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862
             ......................... myDomain-PDC-2 failed test VerifyEnterpriseReferences
             [myDomain-PDC-2] No security related replication errors were found on this DC!  To target the connection to a specific source DC use /ReplSource:<DC>.

    DNS Tests are running and not hung. Please wait a few minutes...

    Friday, June 3, 2016 1:24 AM
  • On server 2008 I still have an error; Issue:
    The Active Directory integrated DNS zone _msdcs.myDomain.local was not found.

    I thought this might help...

    Friday, June 3, 2016 1:34 AM
  • Hi Rick,

    Was this the result of dcdiag on the Server 2003 domain controller? I really need to understand where that site topology issue is coming from.

    Can you please run the following for me on the same host as you ran the above command and post the output back here?

    dcdiag /test:topology /v

    Cheers,
    Lain

    Friday, June 3, 2016 1:42 AM
  • Hi Lain,

    Yes the dcdiag test was on Server 2003 domain controller.

                            

    dcdiag /test:topology /v results from Server 2003 DC

    Domain Controller Diagnosis

    Performing initial setup:
       * Verifying that the local machine myDomain-pdc-2, is a DC. 
       * Connecting to directory service on server myDomain-pdc-2.
       * Collecting site info.
       * Identifying all servers.
       * Identifying all NC cross-refs.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.

    Doing initial required tests

       Testing server: myDomain-Elementary-School\myDomain-PDC-2
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             * Active Directory RPC Services Check
             ......................... myDomain-PDC-2 passed test Connectivity

    Doing primary tests

       Testing server: myDomain-Elementary-School\myDomain-PDC-2
          Test omitted by user request: Replications
          Starting test: Topology
             * Configuration Topology Integrity Check
             [Topology Integrity Check,myDomain-PDC-2] Intra-site topology generation is disabled in this site.
             * Analyzing the connection topology for DC=ForestDnsZones,DC=myDomain,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for DC=DomainDnsZones,DC=myDomain,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=myDomain,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for CN=Configuration,DC=myDomain,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for DC=myDomain,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             ......................... myDomain-PDC-2 passed test Topology
          Test omitted by user request: CutoffServers
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: Advertising
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: RidManager
          Test omitted by user request: MachineAccount
          Test omitted by user request: Services
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: frssysvol
          Test omitted by user request: frsevent
          Test omitted by user request: kccevent
          Test omitted by user request: systemlog
          Test omitted by user request: VerifyReplicas
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: CheckSecurityError

       Running partition tests on : ForestDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom

       Running partition tests on : DomainDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom

       Running partition tests on : Schema
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom

       Running partition tests on : Configuration
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom

       Running partition tests on : myDomain
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom

       Running enterprise tests on : myDomain.local
          Test omitted by user request: Intersite
          Test omitted by user request: FsmoCheck
          Test omitted by user request: DNS
          Test omitted by user request: DNS

    Friday, June 3, 2016 1:49 AM
  • Thanks, Rick.

    I know you've run this before, but I can't reconcile the difference between dcdiag and repadmin results. Can you please run the following once more on the Server 2003 domain controller and post back the results?

    repadmin /siteoptions /site:myDomain-Elementary-School myDomain-pdc-2

    Cheers,
    Lain

    • Edited by Lain Robertson Friday, June 3, 2016 2:18 AM Forgot to mention posting the results.
    Friday, June 3, 2016 2:16 AM
  • Yup, here are the results,

    myDomain-Elementary-School
    Current Site Options: IS_GROUP_CACHING_ENABLED

    Friday, June 3, 2016 2:18 AM
  • Okay, I'm struggling with that at the moment. It's like the configuration is fine - which relates to the options flag in Active Directory, yet the running configuration (if I can steal a Cisco term) is indicating an error.

    Moving on...

    Can you run the following commands over on the Server 2008 R2 host and post the output?

    dcdiag /c /q
    
    repadmin /replsummary myDomain-pdc

    We should find the Enterprise Domain Controller permissions issue is gone (from dcdiag) and, if enough time has passed, that DC=ForestDnsZones and DC=DomainDnsZones have successfully replicated.

    Cheers,
    Lain

    Friday, June 3, 2016 2:28 AM
  • From Server 2008 DC

    dcdiag /c /q results

             [myDomain-PDC] No security related replication errors were found on
             this DC!  To target the connection to a specific source DC use
             /ReplSource:<DC>.
             ** Did not run Outbound Secure Channels test because /testdomain: was
             not entered
             An error event occurred.  EventID: 0xC0001B7A
                Time Generated: 06/02/2016   21:30:59
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 5 time(s).
             An error event occurred.  EventID: 0xC0001B7A
                Time Generated: 06/02/2016   21:31:40
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 6 time(s).
             An error event occurred.  EventID: 0xC0001B7A
                Time Generated: 06/02/2016   21:32:31
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 7 time(s).
             An error event occurred.  EventID: 0xC0001B7A
                Time Generated: 06/02/2016   21:38:54
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 8 time(s).
             An error event occurred.  EventID: 0xC0001B77
                Time Generated: 06/02/2016   21:55:37
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
             An error event occurred.  EventID: 0xC0001B77
                Time Generated: 06/02/2016   21:57:38
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.
             An error event occurred.  EventID: 0xC0001B7A
                Time Generated: 06/02/2016   22:02:39
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 3 time(s).
             An error event occurred.  EventID: 0xC0001B77
                Time Generated: 06/02/2016   22:23:35
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
             An error event occurred.  EventID: 0xC0001B77
                Time Generated: 06/02/2016   22:25:37
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.
             ......................... myDomain-PDC failed test SystemLog
             The following problems were found while verifying various important DN
             references.  Note, that  these problems can be reported because of
             latency in replication.  So follow up to resolve the following
             problems, only if the same problem is reported on all DCs for a given
             domain or if  the problem persists after replication has had
             reasonable time to replicate changes.
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=myDomain-PDC,OU=Domain Controllers,DC=myDomain,DC=local
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: frsComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862
             ......................... myDomain-PDC failed test VerifyEnterpriseReferences
             Some objects relating to the DC myDomain-PDC have problems:
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=NTDS Settings,CN=myDomain-PDC,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local
                 Base Object Description: "DSA Object"
                 Value Object Attribute Name: serverReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=myDomain-PDC,OU=Domain Controllers,DC=myDomain,DC=local
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: frsComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862
             ......................... myDomain-PDC failed test VerifyReferences
             DNS Service is stopped on [myDomain-PDC]
             ......................... myDomain-PDC failed test DNS
             Test results for domain controllers:
                DC: myDomain-pdc.myDomain.local
                Domain: myDomain.local
                   TEST: Basic (Basc)
                      Error: DNS service is not running
             Summary of DNS test results:
                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: myDomain.local
                   myDomain-pdc                  PASS FAIL n/a  n/a  n/a  n/a  n/a
             ......................... myDomain.local failed test DNS

    Friday, June 3, 2016 2:34 AM
  • Server 2008 DC

    repadmin results

    Replication Summary Start Time: 2016-06-02 22:35:45

    Beginning data collection for replication summary, this may take awhile:
      ....

    Source DSA          largest delta    fails/total %%   error
     myDomain-PDC-2             05m:23s    0 /   5    0

    Destination DSA     largest delta    fails/total %%   error
     myDomain-PDC               05m:23s    0 /   5    0

    Friday, June 3, 2016 2:37 AM
  • Hi Lain,

    How about we call it a session for today and take a look at it tomorrow sometime?

    Again - Thanks so much for helping out,

    Rick

    Friday, June 3, 2016 2:46 AM
  • Sure, Rick. I'm guessing there's a good timezone difference between us.

    When you get back, if you can run a "repadmin /showrepl" on the Server 2008 host, I'd appreciate it. The /replsummary looks good but I should have listed the /showrepl version as I'm keen to see if the DNS partitions are now replicating.

    From a logical workflow perspective, if we can get that sorted then we can tackle the FRS membership issues. I'd expect once both are sorted that DNS will automatically come good and we should be done and dusted.

    Cheers,
    Lain

    Friday, June 3, 2016 2:57 AM
  • Lain,

    I'm on N.Y. time, Eastern. This has been a journey, but I will definitely run the commands tomorrow. I'm feeling a bit dusted right about now...

    Till tomorrow,

    Rick

    Friday, June 3, 2016 3:05 AM
  • Hi Lain,

    Here is repadmin /showrepl from server 2008 DC

    Repadmin: running command /showrepl against full DC localhost

    myDomain-Elementary-School\myDomain-PDC
    DSA Options: IS_GC
    Site Options: IS_GROUP_CACHING_ENABLED
    DSA object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
    DSA invocationID: 57308c77-ce93-48a8-a498-b3d0cec972ad

    ==== INBOUND NEIGHBORS ======================================

    DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC-2 via RPC
            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6
            Last attempt @ 2016-06-03 11:57:39 was successful.

    CN=Configuration,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC-2 via RPC
            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6
            Last attempt @ 2016-06-03 11:51:30 was successful.

    CN=Schema,CN=Configuration,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC-2 via RPC
            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6
            Last attempt @ 2016-06-03 11:51:30 was successful.

    DC=DomainDnsZones,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC-2 via RPC
            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6
            Last attempt @ 2016-06-03 11:51:30 was successful.

    DC=ForestDnsZones,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC-2 via RPC
            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6
            Last attempt @ 2016-06-03 11:51:31 was successful.

    Friday, June 3, 2016 3:59 PM
  • Hi Lain,

    I also see in Active Directory Domain Services on the Server 2008 DC, in the Best Practices window, a warning that reads:

    Issue:

    Strict replication consistency is not enabled on the domain controller myDomain-pdc.myDomain.local.

    Should it be enabled now, or would it be better to enable it after DNS is functioning again?

    -Rick


    Friday, June 3, 2016 4:52 PM
  • Hi Rick,

    Western Australia here. I'm surprised we're getting any timezone overlap at all.

    Okay, so things are looking good again from a replication perspective as the two DNS partitions are now back on board with the rest of the naming contexts and replicating quite happily (which will have come from the Enterprise Domain Controllers permissions change).

    Before we look at the FRS membership issues, see if you can't start the DNS Server service now.

    Cheers,
    Lain

    Saturday, June 4, 2016 12:30 AM
  • PS: Don't worry about any best practice recommendations for the time being.

    Once everything is back to normal then you may well want to promote a new domain controller with the view of retiring the now unsupported Server 2003 domain controller, in which case you can look at what the newer iterations of the BPA have to say.

    Cheers,
    Lain

    Saturday, June 4, 2016 12:32 AM
  • Hi Rick,

    I'm about to step out for the morning, so I wanted to leave you with something to read (here), as this is the process for resetting FRS in a SYSVOL context.

    Don't action it unless you're comfortable with the steps, as I'd rather field any questions you might have first. That said, here are some critical bullet points:

    1. You only want to perform this process on the Server 2008 domain controller (myDomain-pdc), not the Server 2003 domain controller (myDomain-PDC-2).
    2. You must only use the D2 hexadecimal value for BurFlags, not D4.

    Cheers,
    Lain

    • Edited by Lain Robertson Saturday, June 4, 2016 1:12 AM Forgot the URL.
    Saturday, June 4, 2016 1:11 AM
  • Hi Lain,

    Coincidentally, I tried starting the DNS service in the morning my time and it started. I thought about posting the results to you, but decided to let it run and see what happens. While it was running the DNS objects were available, root hints etc. When I checked in on it about 30 minutes later it had gone back to a stopped state, and since then I haven't been able to start it again. I've tried to replicate manually from Sites and Services > NTDS Settings > myDomain-pdc-2 (Server 2003 to Server 2008) > Replicate Configuration from the selected DC, not knowing if the Knowledge Consistency Checker is replicating.

    I'll take a look at the link you provided.

    Thanks and have a good day.

    Rick 

    Saturday, June 4, 2016 1:59 AM
  • Hi Lain,

    I'm comfortable using the registry, but if you know of any other concerns I should know about I can wait.

    Thanks,

    Rick

    Saturday, June 4, 2016 2:17 AM
  • Hi Rick,

    No, there's no need to wait. It's really a simple process, so give it a go.

    Once you're done, give it a few minutes and then re-run the dcdiag /c /q command on the Server 2008 host to see if the FRS issues have been cleared.

    If they are, then you're done - at least with respect to having a trustworthy Active Directory domain. After that, you can promote new domain controllers or whatever it is you would like to tackle next, while being confident there are no underlying issues that will bubble up as critical issues later on.

    Cheers,
    Lain

    Saturday, June 4, 2016 4:53 AM
  • Hi Lain,

    In the link you provided, at step 9, there is no such key in my registry:

    Locate and then expand the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Sysvol Seeding\Domain System Volume (Sysvol share)

    There is a key up to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Sysvol Seeding, but no Domain System Volume (Sysvol share).

    I'm not sure how the key should be entered. Are they asking me to use just the SYSVOL share name, or do I use the entire string they provide in their example, Domain System Volume (Sysvol share)?

    And I thought this was going to be easy!

    Thanks for the help, Rick

    Saturday, June 4, 2016 9:31 PM
  • I found a few articles referencing the registry key so I am going to add Domain System Volume (Sysvol share).

    Saturday, June 4, 2016 9:43 PM
  • Okay, here is what I did:

    net stop ntfrs.

    Set File Replication to manual.

    Set BurFlags to d2 in reg key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup".

    Created the reg key Domain System Volume (Sysvol share) in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Sysvol Seeding and created the string value Replica Set Parent. I set Replica Set Parent to myDomain-pdc-2, thinking I want to replicate from the Server 2003 DC (myDomain-pdc-2).

    I notice the value of BurFlags changes back to zero after I restart ntfrs.

    I let the server run for about 30 minutes; here are the results.

             [myDomain-PDC] No security related replication errors were found on
             this DC!  To target the connection to a specific source DC use
             /ReplSource:<DC>.
             ** Did not run Outbound Secure Channels test because /testdomain: was
             not entered
             An error event occurred.  EventID: 0xC0001B77
                Time Generated: 06/04/2016   17:53:00
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
             An error event occurred.  EventID: 0xC0001B77
                Time Generated: 06/04/2016   17:55:01
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.
             An error event occurred.  EventID: 0xC0001B7A
                Time Generated: 06/04/2016   17:55:49
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 3 time(s).
             An error event occurred.  EventID: 0xC0001B7A
                Time Generated: 06/04/2016   18:00:02
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 4 time(s).
             An error event occurred.  EventID: 0xC0001B7A
                Time Generated: 06/04/2016   18:03:30
                Event String:
                The DNS Server service terminated unexpectedly.  It has done this 5 time(s).
             ......................... myDomain-PDC failed test SystemLog
             The following problems were found while verifying various important DN
             references.  Note, that  these problems can be reported because of
             latency in replication.  So follow up to resolve the following
             problems, only if the same problem is reported on all DCs for a given
             domain or if  the problem persists after replication has had
             reasonable time to replicate changes.
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=myDomain-PDC,OU=Domain Controllers,DC=myDomain,DC=local
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: frsComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862
             ......................... myDomain-PDC failed test VerifyEnterpriseReferences
             Some objects relating to the DC myDomain-PDC have problems:
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=NTDS Settings,CN=myDomain-PDC,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local
                 Base Object Description: "DSA Object"
                 Value Object Attribute Name: serverReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=myDomain-PDC,OU=Domain Controllers,DC=myDomain,DC=local
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: frsComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862
             ......................... myDomain-PDC failed test VerifyReferences
             DNS Service is stopped on [myDomain-PDC]
             ......................... myDomain-PDC failed test DNS
             Test results for domain controllers:
                DC: myDomain-pdc.myDomain.local
                Domain: myDomain.local
                   TEST: Basic (Basc)
                      Error: DNS service is not running
             Summary of DNS test results:
                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: myDomain.local
                   myDomain-pdc                  PASS FAIL n/a  n/a  n/a  n/a  n/a
             ......................... myDomain.local failed test DNS

    Saturday, June 4, 2016 10:53 PM
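    The BurFlags procedure Lain outlines and Rick walks through above, as an added PowerShell example that is not from the thread or from Microsoft's article: it scripts the same registry changes with the two guard rails Lain insists on (run only on the intended DC, only ever D2). The registry paths and value names are the ones quoted in the thread; the two DC names, the 10-minute wait and the use of Windows PowerShell 3.0 or later on an elevated prompt are assumptions of this example.

```powershell
# Added example, not the thread's or the KB article's code. Non-authoritative
# FRS SYSVOL reset (BurFlags = D2) with explicit guard rails. Run elevated.
#Requires -Version 3.0

$ExpectedDc = 'myDomain-PDC'    # assumption: the DC whose SYSVOL replica is being reseeded
$SeedFromDc = 'myDomain-PDC-2'  # assumption: the healthy DC used as the FRS source

# "Backup/Restore" contains a forward slash, which the PowerShell registry
# provider treats as a path separator, so that key is opened through .NET.
$ProcessAtStartupSubKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$ReplicaSetKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Sysvol Seeding\Domain System Volume (Sysvol share)'

function Assert-ResetTarget {
    # Guard 1: never run this on the wrong DC (here: never on the Server 2003 DC).
    if ($env:COMPUTERNAME -ne $ExpectedDc) {
        throw "Refusing to reset FRS on $env:COMPUTERNAME; this script is only for $ExpectedDc."
    }
}

function Set-BurFlagsNonAuthoritative {
    # Guard 2: D2 (non-authoritative) only. D4 would make this DC the
    # authoritative SYSVOL source and push its stale copy over the healthy DC.
    $D2 = 0xD2
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ProcessAtStartupSubKey, $true)
    if ($null -eq $key) { throw "Registry key not found: HKLM\$ProcessAtStartupSubKey" }
    try {
        $key.SetValue('BurFlags', $D2, [Microsoft.Win32.RegistryValueKind]::DWord)
        $readBack = [int]$key.GetValue('BurFlags')
        if ($readBack -ne $D2) { throw ('BurFlags read back as 0x{0:X}, expected 0xD2' -f $readBack) }
    } finally {
        $key.Close()
    }
}

function Get-BurFlags {
    # FRS clears BurFlags back to 0 once it has consumed the restore request,
    # which is exactly what Rick observed after restarting NtFrs.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ProcessAtStartupSubKey)
    if ($null -eq $key) { throw "Registry key not found: HKLM\$ProcessAtStartupSubKey" }
    try { return [int]$key.GetValue('BurFlags', 0) } finally { $key.Close() }
}

function Set-ReplicaSetParent {
    # "Sysvol Seeding\Domain System Volume (Sysvol share)" did not exist on
    # Rick's DC either; create it and point Replica Set Parent at the healthy DC.
    New-Item -Path $ReplicaSetKey -Force | Out-Null
    New-ItemProperty -Path $ReplicaSetKey -Name 'Replica Set Parent' -Value $SeedFromDc `
        -PropertyType String -Force | Out-Null
}

Assert-ResetTarget
Stop-Service -Name NtFrs -Force
Set-BurFlagsNonAuthoritative
Set-ReplicaSetParent
Start-Service -Name NtFrs

# Wait (assumed limit: 10 minutes) for FRS to consume the flag, then look for
# event 13516, which FRS logs once SYSVOL has been initialised and shared again.
$started  = Get-Date
$deadline = $started.AddMinutes(10)
while ((Get-BurFlags) -ne 0 -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 15 }
if ((Get-BurFlags) -ne 0) { Write-Warning 'BurFlags is still set; FRS has not processed the restore request yet.' }

$ready = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $started } `
    -ErrorAction SilentlyContinue
if ($ready) { 'FRS reports SYSVOL ready (event 13516); now re-run: dcdiag /c /q' }
else        { 'No 13516 yet; check the File Replication Service log before re-running dcdiag /c /q' }
```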
  • I am also getting an Event ID 13562 from File Replication Service and am taking a look at Recovering missing FRS objects.
    Saturday, June 4, 2016 11:03 PM
  • Hi Lain,

    After running the ntfrsutl ds command, right near the top, three lines down, it says FRS DomainControllerName: (null). From what I've read, a null attribute will halt inbound and outbound replication. I'm guessing, because FRS is before DomainControllerName, that DomainControllerName is an FRS object? If this is so, what should the attribute be instead of NULL? Or am I off course and null is OK?

    NTFRS CONFIGURATION IN THE DS
    SUBSTITUTE DCINFO FOR DC
       FRS  DomainControllerName: (null)
       Computer Name            : myDomain-PDC
       Computer DNS Name        : myDomain-pdc.myDomain.local

    BINDING TO THE DS:
       ldap_connect     : myDomain-pdc.myDomain.local
       DsBind     : myDomain-pdc.myDomain.local

    NAMING CONTEXTS:
       SitesDn    : CN=Sites,cn=configuration,dc=myDomain,dc=local
       ServicesDn : CN=Services,cn=configuration,dc=myDomain,dc=local
       DefaultNcDn: DC=myDomain,DC=local
       ComputersDn: CN=Computers,DC=myDomain,DC=local
       DomainCtlDn: OU=Domain Controllers,DC=myDomain,DC=local
       Fqdn       : CN=myDomain-PDC,OU=Domain Controllers,DC=myDomain,DC=local
       Searching  : Fqdn

    COMPUTER: myDomain-PDC
       DN   : cn=myDomain-pdc,ou=domain controllers,dc=myDomain,dc=local
       Guid : e13afc13-57fa-40aa-a4bf3202e9e0638d
       UAC  : 0x00082000
       Server BL : CN=myDomain-PDC,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local
       Settings  : cn=ntds settings,cn=myDomain-pdc,cn=servers,cn=myDomain-elementary-school,cn=sites,cn=configuration,dc=myDomain,dc=local
       DNS Name  : myDomain-pdc.myDomain.local
       WhenCreated  : 7/13/2010 8:23:38 Eastern Standard Time Eastern Daylight Time [300]
       WhenChanged  : 6/2/2016 16:37:16 Eastern Standard Time Eastern Daylight Time [300]

       SUBSCRIPTION: NTFRS SUBSCRIPTIONS
          DN   : cn=ntfrs subscriptions,cn=myDomain-pdc,ou=domain controllers,dc=myDomain,dc=local
          Guid : 2cea8059-a7c3-4202-b57cc1cbb0b78315
          Working       : c:\windows\ntfrs
          Actual Working: c:\windows\ntfrs
          WhenCreated  : 7/15/2010 23:20:30 Eastern Standard Time Eastern Daylight Time [300]
          WhenChanged  : 7/15/2010 23:20:30 Eastern Standard Time Eastern Daylight Time [300]

          SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
             DN   : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn=myDomain-pdc,ou=domain controllers,dc=myDomain,dc=local
             Guid : a51dd9a2-8658-4e44-a04042cf5cf42898
             Member Ref: (null)
             Root      : c:\windows\sysvol\domain
             Stage     : c:\windows\sysvol\staging\domain
             WhenCreated  : 7/15/2010 23:20:30 Eastern Standard Time Eastern Daylight Time [300]
             WhenChanged  : 7/15/2010 23:20:30 Eastern Standard Time Eastern Daylight Time [300]
       myDomain-PDC IS NOT A MEMBER OF ANY SET!

    Saturday, June 4, 2016 11:34 PM
  • Hi Rick,

    Can you please run the following command for me twice: once against the Server 2003 domain controller and once against the Server 2008 domain controller and post the results back? You can change the server the command runs against with the second parameter.

    repadmin /showobjmeta myDomain-pdc "CN=myDomain-pdc,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local"

    Cheers,
    Lain

    Sunday, June 5, 2016 12:41 AM
  • Server 2003 DC Results

    11 entries.
    Loc.USN                          Originating DC   Org.USN  Org.Time/Date        Ver Attribute
    =======                          =============== ========= =============        === =========
      11578     101116d5-f5f8-448e-8f8d-f07b8c44d3df   1031827 2007-08-03 14:06:41    1 objectClass
      11578  myDomain-Elementary-School\myDomain-PDC-2     11578 2007-08-13 12:41:35    1 cn
      11578     101116d5-f5f8-448e-8f8d-f07b8c44d3df   1031827 2007-08-03 14:06:41    1 instanceType
      11578     101116d5-f5f8-448e-8f8d-f07b8c44d3df   1031827 2007-08-03 14:06:41    1 whenCreated
      11578     101116d5-f5f8-448e-8f8d-f07b8c44d3df   1031827 2007-08-03 14:06:41    1 showInAdvancedViewOnly
    1899748    myDomain-Elementary-School\myDomain-PDC    212750 2010-09-02 22:20:07    2 nTSecurityDescriptor
      11578     101116d5-f5f8-448e-8f8d-f07b8c44d3df   1031827 2007-08-03 14:06:41    1 name
      11578     101116d5-f5f8-448e-8f8d-f07b8c44d3df   1031827 2007-08-03 14:06:41    1 systemFlags
      11578     101116d5-f5f8-448e-8f8d-f07b8c44d3df   1031827 2007-08-03 14:06:41    1 serverReference
      11578     6790840f-6195-4fbd-96a7-60c6d42beff5     16422 2007-08-03 14:12:49    1 dNSHostName
      11578     101116d5-f5f8-448e-8f8d-f07b8c44d3df   1031827 2007-08-03 14:06:41    1 objectCategory

    1 entries.
    Type    Attribute     Last Mod Time                             Originating DC  Loc.USN Org.USN Ver
    ======= ============  =============                           ================= ======= ======= ===
            Distinguished Name
            =============================
    LEGACY  serverReference
            CN=myDomain-PDC-2,OU=Domain Controllers,DC=myDomain,DC=local


    Sunday, June 5, 2016 2:03 AM
  • Server 2008 DC Results

    11 entries.
    Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
    =======                           =============== ========= =============        === =========
      11862      101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 objectClass
      21332     myDomain-Elementary-School\myDomain-PDC     21332 2010-07-16 08:28:11    2 cn
      11862      101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 instanceType
      11862      101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 whenCreated
      11862      101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 showInAdvancedViewOnly
     212762     myDomain-Elementary-School\myDomain-PDC    212762 2010-09-02 22:22:52    2 nTSecurityDescriptor
      21332     myDomain-Elementary-School\myDomain-PDC     21332 2010-07-16 08:28:11    2 name
      11862      101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 systemFlags
      11862      101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 serverReference
      21335     myDomain-Elementary-School\myDomain-PDC     21335 2010-07-16 08:28:11    2 dNSHostName
      11862      101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 objectCategory

    1 entries.
    Type    Attribute     Last Mod Time                            Originating DSA  Loc.USN Org.USN Ver
    ======= ============  =============                           ================= ======= ======= ===
            Distinguished Name
            =============================
    LEGACY  serverReference
            CN=myDomain-PDC,OU=Domain Controllers,DC=myDomain,DC=local


    Sunday, June 5, 2016 2:06 AM
  • Hi Rick,

    Just checking that you kept the distinguished name reference the same on both commands, as the Server 2003 output looks like it's from "CN=myDomain-pdc-2,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local" instead of "CN=myDomain-pdc,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local".

    Only the second parameter should be changed as we're trying to compare both the version and presence of the same attribute on both domain controllers.

    Cheers,
    Lain

    Sunday, June 5, 2016 2:07 AM
  • Hi Lain,

    I was wondering if I had goofed that up; let's see if I did any better this time.

    Server 2003 DC results.

    11 entries.

    Loc.USN                          Originating DC   Org.USN  Org.Time/Date        Ver Attribute

    =======                          =============== ========= =============        === =========

    1765291     101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 objectClass

    1767886  myDomain-Elementary-School\myDomain-PDC-2   1767886 2010-07-16 08:30:19    2 cn

    1765291     101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 instanceType

    1765291     101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 whenCreated

    1765291     101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 showInAdvancedViewOnly

    1899760    myDomain-Elementary-School\myDomain-PDC    212762 2010-09-02 22:22:52    2 nTSecurityDescriptor

    1767886    myDomain-Elementary-School\myDomain-PDC     21332 2010-07-16 08:28:11    2 name

    1765291     101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 systemFlags

    1765291     101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 serverReference

    1767887    myDomain-Elementary-School\myDomain-PDC     21335 2010-07-16 08:28:11    2 dNSHostName

    1765291     101116d5-f5f8-448e-8f8d-f07b8c44d3df   4244932 2010-07-15 14:38:00    1 objectCategory

    1 entries.

    Type    Attribute     Last Mod Time                             Originating DC  Loc.USN Org.USN Ver

    ======= ============  =============                           ================= ======= ======= ===

            Distinguished Name

            =============================

    LEGACY  serverReference

            CN=myDomain-PDC,OU=Domain Controllers,DC=myDomain,DC=local


    Sunday, June 5, 2016 2:21 AM
  • Hi Rick,

    Thanks for that. Those values are all good and have the same version numbers, so there's no issues there. Time to move on and check the FRS membership directly.

    I'm going to be a bit rusty on the next part as I haven't had to touch FRS in almost eight years. Hopefully by looking up what I've forgotten before posting, I'll be near enough that you'll understand what my intent is.

    On the Server 2008 domain controller, can you:

    1. Open up adsiedit.msc.
    2. Connect to the default namespace.
    3. Navigate to "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=myDomain,DC=local".
    4. Check that there is a child object starting with "CN=myDomain-pdc", and if so, right-click on it and choose Properties.
    5. Check whether the attribute named "serverReference" (or server-reference) is null or whether it has a value. If it has a value, post back here what it is. If it doesn't, set it to the following value:
      CN=NTDS Settings,CN=myDomain-PDC,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local

    If you did update the value, restart the NTFRS service. You can quickly do this from an elevated command prompt with:

    net stop ntfrs

    net start ntfrs

    Cheers,
    Lain

    Sunday, June 5, 2016 2:58 AM
  • Step 4, there is only one child object CN=myDomain-pdc-2. <-- Server 2003 DC

    • Edited by R. Morgan Sunday, June 5, 2016 3:12 AM
    Sunday, June 5, 2016 3:10 AM
  • Hi Lain,

    What are your thoughts about this object and no attributes being set?

    The nTFRSSubscriber object cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn=myDomain-pdc,ou=domain controllers,dc=myDomain,dc=local has a invalid value for the attribute frsMemberReference.


    • Edited by R. Morgan Sunday, June 5, 2016 3:22 AM
    Sunday, June 5, 2016 3:17 AM
  • Hi Rick,

    The missing attribute is relevant, but from what you described in the post prior, there'll be nothing to update that value to as it sounds like the actual FRS member object is missing.

    Before we put that back, can you confirm it's also missing (as per your Step 4 comment two posts back) on the Server 2003 host? I'm expecting it will be missing there too, but I just want to be sure before manually re-creating it.

    Once we've restored the FRS membership under "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=myDomain,DC=local" we can then come back and update the missing frsMemberReference attribute to point to it.

    Cheers,
    Lain

    Sunday, June 5, 2016 3:40 AM
  • Server 2003 DC results,

    Just as above there is only one child object CN=myDomain-pdc-2. <-- Server 2003 DC

    Sunday, June 5, 2016 4:02 AM
  • Okay, so we're going to follow the instructions from this article. Technically, you can do this from either domain controller, however, I'd be inclined to do it on the Server 2008 domain controller.

    Just over halfway down is a heading of "Recovering deleted FRS member objects". We're going to follow those nine steps, which cover both the recreation of the member object (steps 1 to 7) and the subsequent updating of the frsMemberReference attribute (steps 8 and 9).

    Let me know if you have any issues.

    PS: I know it's very late there, but the nine steps are fairly quick to navigate.

    Cheers,
    Lain

    Sunday, June 5, 2016 4:18 AM
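The checks Lain walks through by hand above (the adsiedit look at the nTFRSMember object and its serverReference, then the nTFRSSubscriber's frsMemberReference) can be done read-only for every DC at once. The script below is an added example, not code from Lain's or Rick's posts; it assumes the ActiveDirectory PowerShell module, a reader of CN=System, and the thread's placeholder DC names, and the function name is mine.

```powershell
# Added example, not from the thread. Read-only audit of the FRS SYSVOL replica set:
# for every DC, confirm its nTFRSMember object exists, that serverReference points at
# the DC's NTDS Settings object, and that the DC's nTFRSSubscriber frsMemberReference
# points back at the member object. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-FrsSysvolMembership {
    [CmdletBinding()]
    param(
        # Optional DC to query. Run once per DC (as the thread does with repadmin)
        # to see whether both directory replicas agree.
        [string]$Server
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    $domainDN     = (Get-ADDomain @ad).DistinguishedName
    $replicaSetDN = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDN"

    # nTFRSMember objects keyed by CN; the CN is expected to match the DC name.
    $members = @{}
    Get-ADObject @ad -SearchBase $replicaSetDN -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=nTFRSMember)' -Properties serverReference |
        ForEach-Object { $members[$_.Name.ToLowerInvariant()] = $_ }

    $matched = @{}
    foreach ($dc in (Get-ADDomainController @ad -Filter *)) {
        $issues   = @()
        $member   = $members[$dc.Name.ToLowerInvariant()]
        $memberDN = $null
        if (-not $member) {
            $issues += "no nTFRSMember object CN=$($dc.Name) under the replica set"
        } else {
            $memberDN = $member.DistinguishedName
            $matched[$memberDN] = $true
            # Lain's step 5: serverReference must be the DC's NTDS Settings object.
            if ($member.serverReference -ne $dc.NTDSSettingsObjectDN) {
                $issues += "serverReference is '$($member.serverReference)'; expected '$($dc.NTDSSettingsObjectDN)'"
            }
        }

        # The subscriber lives under the DC's own computer object (the object
        # dcdiag named in Rick's post with the invalid frsMemberReference).
        $subscriberDN = "CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,$($dc.ComputerObjectDN)"
        try {
            $sub = Get-ADObject @ad -Identity $subscriberDN -Properties frsMemberReference
            if (-not $sub.frsMemberReference) {
                $issues += 'frsMemberReference is null'
            } elseif ($memberDN -and $sub.frsMemberReference -ne $memberDN) {
                $issues += "frsMemberReference is '$($sub.frsMemberReference)'; expected '$memberDN'"
            }
        } catch {
            $issues += "nTFRSSubscriber object not found: $subscriberDN"
        }

        [pscustomobject]@{
            DomainController = $dc.Name
            MemberDN         = $memberDN
            Healthy          = ($issues.Count -eq 0)
            Issues           = $issues
        }
    }

    # Member objects that match no current DC are leftovers of demoted DCs.
    foreach ($m in $members.Values) {
        if (-not $matched.ContainsKey($m.DistinguishedName)) {
            [pscustomobject]@{
                DomainController = $null
                MemberDN         = $m.DistinguishedName
                Healthy          = $false
                Issues           = @('nTFRSMember object matches no domain controller')
            }
        }
    }
}

# Compare both DCs' views of the replica set (thread placeholder names).
Test-FrsSysvolMembership -Server myDomain-pdc   | Format-List
Test-FrsSysvolMembership -Server myDomain-pdc-2 | Format-List
```

In Rick's situation this reports the missing CN=myDomain-PDC member and the null frsMemberReference on the same DC, and re-running it after the recreation steps confirms both references line up before the NTFRS restart.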
  • It is getting a little late here and I want to give the steps a good read through before making the attempt. So, I'm going to call it a night and take a look at it first chance I get tomorrow. 

    I'll let you know how I make out.

    Thanks again and have a good day,

    Rick

    Sunday, June 5, 2016 4:35 AM
  • Step 8, I'm a little unsure about the attributes I used. I copied it from the myDomain-PDC-2 attribute and changed the first CN to myDomain-PDC.

    CN=myDomain-PDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=myDomain,DC=local



    • Edited by R. Morgan Sunday, June 5, 2016 1:02 PM
    Sunday, June 5, 2016 1:01 PM
  • Hi Rick,

    The value you've pasted above belongs to step 9. If this is what you meant (given steps 8 and 9 are part of the same update), then that value is fine.

    If there's anything you want to double-check, let me know, but otherwise, restart the NTFRS service and give it a bit to poll for the changes. So long as you've had no issues with the steps, you should find the missing (null) values from the dcdiag are no longer reported. Of course, if any of the values are inappropriate then you'll continue to get errors, in which case post them back here and we can double-check them.

    Cheers,
    Lain

    Sunday, June 5, 2016 1:22 PM
  • Hi Lain

    Okay, I created the objects and changed attributes. Is there a command I can use to print out the objects? This way you can take a look and see if I made any errors.  

    Thanks,

    Rick

    Sunday, June 5, 2016 1:22 PM
  • I had to re-read steps 8-9 to make some sort of sense out of it, and really wasn't sure if I was grasping it.

    Okay, I restarted the ntfrs service and will let it poll. In the meantime I have to step out for a while and won't be back until 1:00 or 2:00 pm my time. I'm guessing that will be early AM on your side, but I will post the results to you later.

    Thanks again,

    Rick



    • Edited by R. Morgan Sunday, June 5, 2016 1:40 PM
    Sunday, June 5, 2016 1:39 PM
  • I'd just re-run the same old "dcdiag /c /q", though you can also run the one you ran before yourself, "ntfrsutil ds" to check just the FRS changes you've just made.

    Or you could run both!

    Regardless, what we're hoping for is that the FRS issues are gone. If that's true then we'll want to re-run the burflags D2 process we attempted earlier to ensure SYSVOL consistency as the last piece of the puzzle.

    Cheers,
    Lain

    Sunday, June 5, 2016 1:42 PM
  • Okay, before I leave I wanted to post the results to you.

             [myDomain-PDC] No security related replication errors were found on

             this DC!  To target the connection to a specific source DC use

             /ReplSource:<DC>.

             ** Did not run Outbound Secure Channels test because /testdomain: was

             not entered

             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:04:01

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:09:01

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:14:02

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:19:03

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:24:03

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:29:04

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:34:05

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:38:22

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:39:05

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:44:06

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:49:07

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:54:07

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             An error event occurred.  EventID: 0x00000422

                Time Generated: 06/05/2016   09:59:08

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\myDomain.local\sysvol\myDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 


             ......................... myDomain-PDC failed test SystemLog

             DNS Service is stopped on [myDomain-PDC]

             ......................... myDomain-PDC failed test DNS

             Test results for domain controllers:

                
                DC: myDomain-pdc.myDomain.local

                Domain: myDomain.local

                

                      
                   TEST: Basic (Basc)
                      Error: DNS service is not running
             
             Summary of DNS test results:

             
                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: myDomain.local

                   myDomain-pdc                  PASS FAIL n/a  n/a  n/a  n/a  n/a  
             
             ......................... myDomain.local failed test DNS

    Sunday, June 5, 2016 2:01 PM
  • Hi Rick,

    That finally looks quite good. I'm not concerned with the GPO failures at this point as we've still got the non-authoritative SYSVOL reset to re-run (the burflags = D2 registry procedure).

    Try starting the DNS Server and see if it stays running now. If it does, then run another "dcdiag /c /q" to see if anything new comes up.

    Cheers,
    Lain

    Sunday, June 5, 2016 4:49 PM
  • Hi Lain,

    Nope, it didn't start. I just want to make sure I got the entries correct in the steps from this document, How to force a non-authoritative restore, in the section Recovering deleted FRS member objects. In the example given they use CN=DC1, so I assume in this case that's the missing object, and in my case CN=myDomain-PDC is the missing CN.

    In no case do I want to point to CN=myDomain-PDC-2? The reason for asking is because I know we're trying to replicate from myDomain-PDC-2, the 2003 DC. I just wanted to make sure I got it correct.

    Thanks,

    Rick

    Sunday, June 5, 2016 7:56 PM
  • Server 2008 DC dcdiag /c /q results after making the settings below.

    First, net stop ntfrs

    Set File Replication Service to manual.

    Set burflags to d2

     net start ntfrs

    Set File Replication Service to automatic.

             [myDomain-PDC] No security related replication errors were found on

             this DC!  To target the connection to a specific source DC use

             /ReplSource:<DC>.

             Unable to connect to the NETLOGON share! (\\myDomain-PDC\netlogon)

             [myDomain-PDC] An net use or LsaPolicy operation failed with error 67,

             The network name cannot be found..

             ......................... myDomain-PDC failed test NetLogons

             ** Did not run Outbound Secure Channels test because /testdomain: was

             not entered

             An error event occurred.  EventID: 0xC0001B77

                Time Generated: 06/05/2016   15:37:28

                Event String:

                The DNS Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

             An error event occurred.  EventID: 0xC0001B77

                Time Generated: 06/05/2016   15:39:30

                Event String:

                The DNS Server service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

             An error event occurred.  EventID: 0xC0001B7A

                Time Generated: 06/05/2016   15:44:31

                Event String:

                The DNS Server service terminated unexpectedly.  It has done this 3 time(s).

             ......................... myDomain-PDC failed test SystemLog

             DNS Service is stopped on [myDomain-PDC]

             ......................... myDomain-PDC failed test DNS

             Test results for domain controllers:


                DC: myDomain-pdc.myDomain.local

                Domain: myDomain.local




                   TEST: Basic (Basc)
                      Error: DNS service is not running

             Summary of DNS test results:


                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: myDomain.local

                   myDomain-pdc                  PASS FAIL n/a  n/a  n/a  n/a  n/a  

             ......................... myDomain.local failed test DNS

                                                                         

    • Edited by R. Morgan Sunday, June 5, 2016 8:05 PM
    Sunday, June 5, 2016 8:04 PM
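Rick's five-step burflags sequence above, as one scripted unit with the readiness checks Lain goes on to describe (FRS has to finish re-staging before the NETLOGON and SYSVOL shares come back, so a dcdiag run straight after the restart shows a transient NETLOGON error). This is an added example, not code from the thread; it assumes it is run elevated on the DC being re-staged, the registry key and event IDs are standard FRS ones rather than anything taken from the posts, and the function name is mine.

```powershell
# Added example, not from the thread: the BurFlags = D2 (non-authoritative SYSVOL
# restore) sequence as a function, followed by checks that FRS has finished staging.
function Invoke-FrsNonAuthoritativeRestore {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$TimeoutMinutes = 30)

    # The key name really contains a forward slash, which the HKLM: provider treats as
    # a path separator, so the .NET registry API is used instead of Set-ItemProperty.
    $key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'non-authoritative SYSVOL restore (BurFlags=D2)')) {
        return
    }
    $started = Get-Date

    Stop-Service -Name NtFrs                                    # net stop ntfrs
    Set-Service  -Name NtFrs -StartupType Manual                # FRS to manual
    [Microsoft.Win32.Registry]::SetValue($key, 'BurFlags', 0xD2,
        [Microsoft.Win32.RegistryValueKind]::DWord)             # D2 = non-authoritative
    Start-Service -Name NtFrs                                   # net start ntfrs
    Set-Service  -Name NtFrs -StartupType Automatic             # FRS back to automatic

    # FRS clears BurFlags once it has consumed it, logs 13565 when re-staging from a
    # partner starts and 13516 when SYSVOL is initialised and Netlogon told to share it.
    $deadline = $started.AddMinutes($TimeoutMinutes)
    $ready = $null
    do {
        $ready = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'File Replication Service'; Id = 13516; StartTime = $started
        }
        if ($ready) { break }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)

    [pscustomobject]@{
        BurFlags          = [Microsoft.Win32.Registry]::GetValue($key, 'BurFlags', $null)
        SysvolInitialised = [bool]$ready
        NetlogonShared    = [bool](Get-WmiObject Win32_Share -Filter "Name='NETLOGON'")
        SysvolShared      = [bool](Get-WmiObject Win32_Share -Filter "Name='SYSVOL'")
    }
}

# -WhatIf previews the change; without it the restore runs and the object below is
# returned once SYSVOL is initialised (or the timeout passes, with SysvolInitialised false).
Invoke-FrsNonAuthoritativeRestore
```

Only once this reports BurFlags 0, SysvolInitialised true and both shares present is "dcdiag /c /q" worth re-running; the pre-existing content FRS moved aside lands in the NtFrs_PreExisting___See_EventLog folder Rick describes in the next post.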
  • Lain,

    Something I have noticed in the sysvol folder: in the myDomain.local folder, folders and files disappeared but have been returning. Also, as far as I can tell, a new folder was created, NtFrs_PreExisting___See_EventLog, that looks like it contains everything from the old sysvol.

    Now here is where it gets strange. A few days ago I created a file in the scripts folder called test.txt and I have been looking in sysvol\scripts to see if it has been replicated. I don't see the file in sysvol\myDomain.local\scripts, but it is in sysvol\myDomain.local\NtFrs_PreExisting___See_EventLog\scripts.

    I don't know... I found it odd it was replicated and put into the log folder but is not in the normal script folder.

    Rick



    • Edited by R. Morgan Sunday, June 5, 2016 8:17 PM
    Sunday, June 5, 2016 8:15 PM
  • Hi Rick,

    When you set the burflags to D2, it does take a little while for the SYSVOL to repopulate. And the content of SYSVOL is wiped in the process, which in the case of myDomain-PDC is fine as it hadn't been replicating regularly in any case on account of the null attributes preventing it from understanding the configuration.

    Essentially, we were asking myDomain-PDC (Server 2008) to re-stage the SYSVOL content using myDomain-PDC-2 (myDomain-PDC) as the source.

    If you ran the "dcdiag /c /q" more or less straight after the burflags then you can safely ignore the NETLOGON error from the output as it would still have been in the staging process. You can either re-run dcdiag or simply check to see if there's any content in the Netlogon share to see if the process is working (given you posted nearly five hours ago, it should well and truly be finished).

    So the summary is the directory and FRS look to be consistent again - which is good, meaning we'll need to tackle DNS separately now.

    What errors are showing up in the DNS Server node of Event Viewer?

    Cheers,
    Lain

    • Edited by Lain Robertson Monday, June 6, 2016 1:06 AM Removed incorrect Server 2003 DNS reference.
    Monday, June 6, 2016 12:53 AM
  • Hi Lain,

    I'm getting an event 4013, the last one was at 6/5/2016 4:34:59 PM.

    The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

    Monday, June 6, 2016 2:40 AM
  • One more thing, remember the test file I mentioned, test.txt? It is in the SYSVOL\domain\scripts folder, so I guess replication has taken place.
    • Edited by R. Morgan Monday, June 6, 2016 2:42 AM
    Monday, June 6, 2016 2:42 AM
  • Also event 1000 being reported

    Faulting application name: dns.exe, version: 6.1.7601.23375, time stamp: 0x56e06454
    Faulting module name: dns.exe, version: 6.1.7601.23375, time stamp: 0x56e06454
    Exception code: 0xc0000005
    Fault offset: 0x000000000006138f
    Faulting process id: 0x15f0
    Faulting application start time: 0x01d1bf9cd70e8197
    Faulting application path: C:\Windows\system32\dns.exe
    Faulting module path: C:\Windows\system32\dns.exe
    Report Id: 155a88db-2b90-11e6-b45b-f29b8d5aa317

    Monday, June 6, 2016 2:48 AM
  • In best practice analyzer there is

    • The Active Directory integrated DNS zone _msdcs.andover.local was not found
    • The DNS server will fail to resolve DNS queries for DNS zones for which it is not authoritative.

    But since DNS is not running I think that is why these errors are occurring. 

     
    • Edited by R. Morgan Monday, June 6, 2016 2:54 AM
    Monday, June 6, 2016 2:53 AM
  • Hi Rick,

    Directory service replication is different to SYSVOL replication, unfortunately, meaning the .txt file check only demonstrates the latter is working as expected, not the former.

    The application crash indicates an access denied crash has taken place (the last four digits, in this case 0005, indicate the type of error).

    Can you please run the following two commands on the Server 2008 host and post the output?

    repadmin /showrepl /all
    
    dcdiag /c /skip:dns

    Cheers,
    Lain

    Monday, June 6, 2016 8:09 AM
  • Hi Lain,

    Results from Server 2008 DC, repadmin /showrepl /all


    Repadmin: running command /showrepl against full DC localhost

    myDomain-Elementary-School\myDomain-PDC

    DSA Options: IS_GC 

    Site Options: IS_GROUP_CACHING_ENABLED 

    DSA object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1

    DSA invocationID: 57308c77-ce93-48a8-a498-b3d0cec972ad



    ==== INBOUND NEIGHBORS ======================================



    DC=myDomain,DC=local

        myDomain-Elementary-School\myDomain-PDC-2 via RPC

            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6

            Last attempt @ 2016-06-06 08:11:09 was successful.



    CN=Configuration,DC=myDomain,DC=local

        myDomain-Elementary-School\myDomain-PDC-2 via RPC

            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6

            Last attempt @ 2016-06-06 07:49:35 was successful.



    CN=Schema,CN=Configuration,DC=myDomain,DC=local

        myDomain-Elementary-School\myDomain-PDC-2 via RPC

            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6

            Last attempt @ 2016-06-06 07:49:35 was successful.



    DC=DomainDnsZones,DC=myDomain,DC=local

        myDomain-Elementary-School\myDomain-PDC-2 via RPC

            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6

            Last attempt @ 2016-06-06 07:49:35 was successful.



    DC=ForestDnsZones,DC=myDomain,DC=local

        myDomain-Elementary-School\myDomain-PDC-2 via RPC

            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6

            Last attempt @ 2016-06-06 07:49:35 was successful.



    ==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============



    DC=myDomain,DC=local

        myDomain-Elementary-School\myDomain-PDC-2 via RPC

            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6

            Last attempt @ 2016-06-06 07:27:22 was successful.



    CN=Configuration,DC=myDomain,DC=local

        myDomain-Elementary-School\myDomain-PDC-2 via RPC

            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6

            Last attempt @ 2016-06-06 05:02:24 was successful.



    CN=Schema,CN=Configuration,DC=myDomain,DC=local

        myDomain-Elementary-School\myDomain-PDC-2 via RPC

            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6

            Last attempt @ 2016-05-24 16:51:46 was successful.



    DC=DomainDnsZones,DC=myDomain,DC=local

        myDomain-Elementary-School\myDomain-PDC-2 via RPC

            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6

            Last attempt @ 2016-06-02 21:19:34 was successful.



    DC=ForestDnsZones,DC=myDomain,DC=local

        myDomain-Elementary-School\myDomain-PDC-2 via RPC

            DSA object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6

            Last attempt @ 2016-06-02 21:18:20 was successful.



    ==== KCC CONNECTION OBJECTS ============================================

    Connection --

        Connection name : f2cdf3c5-5a0b-4027-b1d6-ef00cbf6cabb

        Server DNS name : myDomain-pdc.myDomain.local

        Server DN  name : CN=NTDS Settings,CN=myDomain-PDC,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local

            Source: myDomain-Elementary-School\myDomain-PDC-2

                    No Failures.

            TransportType: intrasite RPC

            options:  isGenerated

            ReplicatesNC: DC=ForestDnsZones,DC=myDomain,DC=local

            Reason:  RingTopology

                    Replica link has been added.

            ReplicatesNC: CN=Schema,CN=Configuration,DC=myDomain,DC=local

            Reason:  RingTopology

                    Replica link has been added.

            ReplicatesNC: DC=DomainDnsZones,DC=myDomain,DC=local

            Reason:  RingTopology

                    Replica link has been added.

            ReplicatesNC: DC=myDomain,DC=local

            Reason:  RingTopology

                    Replica link has been added.

            ReplicatesNC: CN=Configuration,DC=myDomain,DC=local

            Reason:  RingTopology

                    Replica link has been added.

    1 connections found.


    Monday, June 6, 2016 12:13 PM
  • Results server 2008 DC, dcdiag /c /skip:dns.                

    Directory Server Diagnosis

    Performing initial setup:

       Trying to find home server...

       Home Server = myDomain-pdc

       * Identified AD Forest. 
       Done gathering initial info.


    Doing initial required tests


       Testing server: myDomain-Elementary-School\myDomain-PDC

          Starting test: Connectivity

             ......................... myDomain-PDC passed test Connectivity



    Doing primary tests


       Testing server: myDomain-Elementary-School\myDomain-PDC

          Starting test: Advertising

             ......................... myDomain-PDC passed test Advertising

          Starting test: CheckSecurityError

             [myDomain-PDC] No security related replication errors were found on

             this DC!  To target the connection to a specific source DC use

             /ReplSource:<DC>.

             ......................... myDomain-PDC passed test CheckSecurityError

          Starting test: CutoffServers

             ......................... myDomain-PDC passed test CutoffServers

          Starting test: FrsEvent

             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems. 
             ......................... myDomain-PDC passed test FrsEvent

          Starting test: DFSREvent

             ......................... myDomain-PDC passed test DFSREvent

          Starting test: SysVolCheck

             ......................... myDomain-PDC passed test SysVolCheck

          Starting test: FrsSysVol

             ......................... myDomain-PDC passed test FrsSysVol

          Starting test: KccEvent

             ......................... myDomain-PDC passed test KccEvent

          Starting test: KnowsOfRoleHolders

             ......................... myDomain-PDC passed test KnowsOfRoleHolders

          Starting test: MachineAccount

             ......................... myDomain-PDC passed test MachineAccount

          Starting test: NCSecDesc

             ......................... myDomain-PDC passed test NCSecDesc

          Starting test: NetLogons

             ......................... myDomain-PDC passed test NetLogons

          Starting test: ObjectsReplicated

             ......................... myDomain-PDC passed test ObjectsReplicated

          Starting test: OutboundSecureChannels

             ** Did not run Outbound Secure Channels test because /testdomain: was

             not entered

             ......................... myDomain-PDC passed test

             OutboundSecureChannels

          Starting test: Replications

             ......................... myDomain-PDC passed test Replications

          Starting test: RidManager

             ......................... myDomain-PDC passed test RidManager

          Starting test: Services

             ......................... myDomain-PDC passed test Services

          Starting test: SystemLog

             An error event occurred.  EventID: 0x00000457

                Time Generated: 06/06/2016   08:07:13

                Event String:

                Driver Xerox WorkCentre 5335 PCL6 required for printer WorkCentre 5335 PCL6 is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 06/06/2016   08:07:14

                Event String:

                Driver PDFCreator required for printer PDFCreator is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 06/06/2016   08:07:16

                Event String:

                Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0xC0001B77

                Time Generated: 06/06/2016   08:07:37

                Event String:

                The DNS Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 06/06/2016   08:07:46

                Event String:

                Driver HP LaserJet 1020 required for printer !!Hp6005-3286!HP LaserJet 1020 is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 06/06/2016   08:07:47

                Event String:

                Driver Xerox WorkCentre 5335 PS required for printer WorkCentre 5335 PS is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 06/06/2016   08:07:51

                Event String:

                Driver HP LaserJet 1020 required for printer !!lenovo-3447!Adanti is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 06/06/2016   08:07:53

                Event String:

                Driver HP LaserJet 1020 required for printer !!Hp6005-3306!HP LaserJet 1020 is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 06/06/2016   08:07:56

                Event String:

                Driver HP LaserJet 1020 required for printer !!Hp6005-3283!HP LaserJet 1020 is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 06/06/2016   08:07:56

                Event String:

                Driver HP LaserJet 4100 Series PCL required for printer !!myDomain-pdc-2.myDomain.local!HP LaserJet 4100 Series PCL is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 06/06/2016   08:07:57

                Event String:

                Driver HP LaserJet 4050 Series PCL6 required for printer !!10.0.0.22!HP LaserJet 4050 is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0xC0001B77

                Time Generated: 06/06/2016   08:09:38

                Event String:

                The DNS Server service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

             ......................... myDomain-PDC failed test SystemLog

          Starting test: Topology

             ......................... myDomain-PDC passed test Topology

          Starting test: VerifyEnterpriseReferences

             ......................... myDomain-PDC passed test

             VerifyEnterpriseReferences

          Starting test: VerifyReferences

             ......................... myDomain-PDC passed test VerifyReferences

          Starting test: VerifyReplicas

             ......................... myDomain-PDC passed test VerifyReplicas



       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation


       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation


       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation


       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation


       Running partition tests on : myDomain

          Starting test: CheckSDRefDom

             ......................... myDomain passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... myDomain passed test CrossRefValidation


       Running enterprise tests on : myDomain.local

          Starting test: LocatorCheck

             ......................... myDomain.local passed test LocatorCheck

          Starting test: FsmoCheck

             ......................... myDomain.local passed test FsmoCheck

          Starting test: Intersite

             ......................... myDomain.local passed test Intersite

    Monday, June 6, 2016 12:26 PM
  • Hi Rick,

    Thanks for those results. They essentially show everything is fine, though a little piece of advice would be to disable RDS from mapping client printers - at least I'm guessing that's how all those printer driver error messages got there. Certainly, the domain controller is no place for hosting printers.

    Whatever the issue is, it's specific to the DNS server process and not a by-product of something still being wrong with the directory service. This also confirms you can ignore the event id 4013 error. I'm guessing this doesn't coincide with manually starting the DNS Server service, but more likely happens during a reboot, in which case this error can safely be ignored.

    My suggestion next is to remove the DNS Server role from the Server 2008 machine, restart, and then re-add it as it appears it may well be a binary issue. One piece of information I would like before you do that though is an updated "ipconfig /all" from the Server 2008 machine as I want to ensure some of the earlier changes I posited are in place.

    Anyhow, it's all about the DNS service now. Everything else is healthy (as can be, given how important DNS is).

    Cheers,
    Lain

    Monday, June 6, 2016 12:34 PM
    Hi Lain,

    Way back near the top of our post I mentioned Microsoft updates and came across an article that KB3145126 could be causing DNS to stop working. What are your thoughts about this?

    KB3145126 Causing DNS.exe Crashes

    Thanks,

    Rick

    Monday, June 6, 2016 12:37 PM
  • Hi Rick,

    Yes, based on what I read, I'd definitely remove it.

    A Microsoft employee advocates following this post late in the thread but the feedback doesn't seem positive thus far. I haven't read the linked article yet, however, it does sound like KB3145126 needs to be removed before whatever within the article is actioned, after which KB3145126 should install without causing future DNS Server crashes. However, I'm reading between the lines here based on that person's posts alone.

    Cheers,
    Lain

    • Marked as answer by R. Morgan Monday, June 6, 2016 4:52 PM
    Monday, June 6, 2016 12:46 PM
  • Okay, I just quickly read the KB article itself and it clearly states that you may need to remove the KB to make DNS stable and then run the script and dnscmd commands. I'd certainly be doing that as if it can break once for RFC reasons then it's quite possible future patches could break it again based on the same reasoning.

    Cheers,
    Lain

    • Edited by Lain Robertson Monday, June 6, 2016 12:50 PM Spelling correction.
    Monday, June 6, 2016 12:50 PM
  • Lain,

    Today is a good day! I removed the KB, started DNS and it stayed running. I did a DNS restart and it seems to be running. It's funny how things work out, I like to think of this entire event as optimistic.

    If you don't mind I would like to stay in touch with you, I owe you big time for your help and knowledge. If you could send me an email to contact you I would appreciate it.

    Also if there is anything else I can do as a follow up with replication?

    I plan on removing the 2003 domain controller this summer, that will be replaced with a  2012 DC. The new domain controllers will be hosted on Server 2012 so no need to use them as file, print servers. In the past I was limited because of available hardware, so different roles were installed on those domain controllers.  

    Anyway, I hope you have an excellent day!

    Cheers,

    Rick


    • Edited by R. Morgan Monday, June 6, 2016 1:35 PM
    Monday, June 6, 2016 1:34 PM
  • Hi Rick,

    That's a great outcome and allows you to move through those future upgrade plans from a position of confidence.

    Because the Server 2003 host is holding you back feature-wise, there isn't much else I would point out for now.

    Based on what you've said, from a planning perspective I'd be looking at something like the following:

    1. Get your new Server 2012 R2 platform up and running and use this to replace the Server 2003 domain controller.
    2. Raise your domain and then forest functional levels to be at least 2008 R2 to match what will then be your lowest functional level domain controller.
    3. Enable the Active Directory Recycle Bin. This is of greater use than the humble name implies, particularly in situations where you're trying to recover from what might seem to be a disaster.
    4. Convert the SYSVOL structure over from FRS (which you're on now) to DFS-R as discussed here and here.
    5. Transfer all the FSMO roles to the new Server 2012 R2 domain controller.
    6. Use dcpromo to demote the current Server 2008 R2 domain controller gracefully and remove it from the domain. Perform any additional clean-up such as the removal of DNS records relating to the Server 2008 R2 host.
    7. Rebuild the host (it sounds like it's physical and not virtual?) also as Server 2012 R2 and promote that to be your second domain controller.

    Remember, dcdiag is your best friend and you should use it often both during things like these updates as well as generally just as a spot check on the health of the environment.

    There's a lot of best practices around domain controllers, given how mission critical they are, but a few ones I'm going to mention here are:

    1. Don't run any other roles or software on them.
    2. Don't upgrade domain controllers in-place. Demote, remove and replace them with a new one. This isn't a Microsoft best practice, by the way, but many of us treat it as a golden rule.
    3. They should only have one interface (disable any extras if it's a hardware platform supporting multiple NICs).
    4. Make sure they're not using loopback addresses as DNS servers in the IP configuration (be that IPv4 or IPv6).
    5. Unlink IPv6 on the network interface if IPv6 isn't being used. Don't confuse this with disabling the IPv6 stack, which you don't want to do (as outlined in KB929852).

    Anyhow, I'm really glad you stuck with it and fixed your existing issues before tackling some of these bigger picture issues. They would have just been that much harder to resolve if they were obscured by all of the above kinds of activities.

    You can get a hold of me at lain _dot_ robertson _at_ Hotmail _dot_ com (deliberately obscured to minimise spam bots).

    Cheers,
    Lain

    Monday, June 6, 2016 2:05 PM
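As an added example, not code from the thread or from Microsoft: a PowerShell spot-check for the interface and DNS-client points in the list above (one interface, no loopback DNS entries, partner DC first, IPv6 still bound or not), followed by a resolution test of this DC's own DSA GUID CNAME, which the DC locator publishes under _msdcs.<forest root>. It uses only WMI, ADSI and .NET so it runs on Server 2008 R2 with PowerShell v2 as well as on later builds. The partner-DC address in the parameter default is an assumption for illustration; substitute your own.

```powershell
# Added example, not code from the thread. Run on the domain controller in an
# elevated PowerShell session. Uses only WMI, ADSI and .NET so it also works on
# Server 2008 R2 with PowerShell v2. The partner DC address is an assumption.

function Test-DcDnsClient {
    param(
        # Addresses of the other DC(s) that should come first in the DNS list (assumption).
        [string[]] $PartnerDns = @('10.0.0.22')
    )
    $findings = @()
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')

    # Point 3 in the list above: a DC should expose exactly one IP-enabled interface.
    if ($nics.Count -ne 1) {
        $findings += "Expected one IP-enabled interface, found $($nics.Count)."
    }

    foreach ($nic in $nics) {
        $name = $nic.Description
        # @(...) with a null filter so an empty WMI property gives Count 0, not 1.
        $dns  = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $own4 = @($nic.IPAddress | Where-Object { $_ -and ($_ -notmatch ':') })
        $own6 = @($nic.IPAddress | Where-Object { $_ -and ($_ -match ':') })

        if ($dns.Count -eq 0) { $findings += "${name}: no DNS servers configured."; continue }

        # Point 4: no loopback entries. 127.0.0.1 or ::1 is what makes nslookup
        # report 'Server: localhost / Address: ::1' instead of a real DC.
        foreach ($s in $dns) {
            if ($s -eq '127.0.0.1' -or $s -eq '::1') {
                $findings += "${name}: loopback address $s is listed as a DNS server."
            }
        }

        # With two DCs, the partner should be queried first and this host's own
        # address, if listed at all, last, so the DC can still find the directory
        # when its own DNS Server service is down (the situation in this thread).
        if ($PartnerDns -notcontains $dns[0]) {
            $findings += "${name}: first DNS server is $($dns[0]); expected one of $($PartnerDns -join ', ')."
        }
        foreach ($a in $own4) {
            if (($dns -contains $a) -and ($dns[-1] -ne $a)) {
                $findings += "${name}: own address $a should be the last DNS server, not earlier in the list."
            }
        }

        # Point 5: any IPv6 address on the adapter (even link-local fe80::) means
        # IPv6 is still bound to this interface.
        if ($own6.Count -gt 0) {
            $findings += "${name}: IPv6 is still bound (addresses: $($own6 -join ', '))."
        }
    }
    return $findings
}

function Test-DsaGuidCname {
    # Read this DC's NTDS Settings object and the forest root from RootDSE, then
    # resolve <objectGUID>._msdcs.<forest>, the CNAME that replication partners
    # use to locate this DC. A failure here means the _msdcs zone is wrong or missing.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $ntds    = [ADSI]('LDAP://' + [string]$rootDse.dsServiceName)
    $guid    = $ntds.psbase.Guid.ToString()
    # "DC=myDomain,DC=local" -> "myDomain.local"
    $forest  = ([string]$rootDse.rootDomainNamingContext -replace ',?DC=', '.').TrimStart('.')
    $fqdn    = "$guid._msdcs.$forest"
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString })
        New-Object PSObject -Property @{ Name = $fqdn; Resolves = $true;  Addresses = $addrs }
    } catch {
        New-Object PSObject -Property @{ Name = $fqdn; Resolves = $false; Addresses = @() }
    }
}

$issues = @(Test-DcDnsClient)
if ($issues.Count -eq 0) { 'DNS client configuration: no findings.' } else { $issues }
Test-DsaGuidCname | Format-List Name, Resolves, Addresses
```

The GUID check resolves through the CNAME to the host's A record, so Resolves = $true confirms both the alias under _msdcs and the host record it points at; run it against each DC and compare with what dcdiag reports.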
  • Lain,

    Everything looks good so far, but in dns best practices I have one error left. I was reading that this could have been left over from a 2000 domain controller. My understanding is the last 2000 DC was decommissioned here over ten years ago. Any thoughts how to handle this last error?

    The Active Directory integrated DNS zone _msdcs.myDomain.local was not found.

    Thanks,

    Rick

    Monday, June 6, 2016 2:56 PM
  • Hi Rick,

    I've never made use of the BPA so I might ask you to run a quick check for me first. Can you run the following command?

    nslookup 1b51209e-39b7-4cd4-81a1-171fe3941ed6.myDomain.com myDomain-PDC

    This should return the CNAME record for myDomain-PDC.myDomain.com. If it does then technically you don't have a real error.

    My guess is that the BPA is checking for the _msdcs.myDomain.com being its own Active Directory-integrated zone, which is something that should have been actioned by whoever took the environment from Server 2000 to 2003 (and later).

    You can find the steps for this process in this article, where the section you're most likely after is "Case 2".

    As I say though, if you get a result for the above nslookup then it's not really an error, just a configuration it doesn't like (which is fair enough given it is called the BPA!).

    Cheers,
    Lain

    • Edited by Lain Robertson Monday, June 6, 2016 10:41 PM Updated command.
    Monday, June 6, 2016 10:35 PM
  • After running nslookup I'm getting 

    Server:  UnKnown
    Address:  fe80::e530:a853:653d:a874

    I read the document, but will have to get back to it later. I'll let you know how I make out. 

    Thanks again,

    Rick

    Wednesday, June 8, 2016 1:45 PM
  • Hi Lain,

    You're not going to believe it. I checked my server and dns was stopped again. I checked if auto update installed KB314526, but it was not re-installed. A new update was installed KB3145126, so I uninstalled it and dns came back up.

    Just thought you would like to know,

    Rick

    Wednesday, June 8, 2016 2:01 PM
  • Hi Lain,

    You're not going to believe it. I checked my server and dns was stopped again. I checked if auto update installed KB314526, but it was not re-installed. A new update was installed KB3145126, so I uninstalled it and dns came back up.

    Just thought you would like to know,

    Rick

    I'm going to follow the instructions in the above link. I'll post results when I'm finished.

    Rick

    Wednesday, June 8, 2016 2:16 PM
  • Hi Rick,

    There's still something wrong with your IP configuration on whichever server you ran that nslookup. You should never get the loopback or IPv6 link-local address like that.

    If you want to post the output of an "ipconfig /all", we can check it for you.

    When you removed the KB3145126, did you still go ahead and apply the script as the KB article states? As I said earlier, if you don't do this, you may well continue to run into the issue with future updates as the script is responsible for fixing a standards (RFC) issue.

    Again, what I would be doing as per the KB article is:

    1. Remove update KB3145126.
    2. Run the script from the KB article on the Server 2008 host.
    3. Re-apply the KB3145126 update.

    Cheers,
    Lain

    • Edited by Lain Robertson Wednesday, June 8, 2016 10:46 PM Missed a word in my haste
    Wednesday, June 8, 2016 10:32 PM
  • Hi Rick,

    There's still something wrong with your IP configuration on whichever server you ran that nslookup. You should never get the loopback or IPv6 link-local address like that.

    If you want to post the output of an "ipconfig /all", we can check it for you.

    server 2008 DC ipconfig /all


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : myDomain-pdc
       Primary Dns Suffix  . . . . . . . : myDomain.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : myDomain.local

    Ethernet adapter Default:

       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Citrix PV Ethernet Adapter
       Physical Address. . . . . . . . . : F2-9B-8D-5A-A3-17
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::e530:a853:653d:a874%12(Preferred) 
       IPv4 Address. . . . . . . . . . . : 10.0.0.4(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.0.0.1
       DHCPv6 IAID . . . . . . . . . . . : 280158953
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-84-E9-F5-B2-E2-E9-84-3F-7F
       DNS Servers . . . . . . . . . . . : 10.0.0.22
                                           10.0.0.4
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{341324BB-44C7-46A6-8BBB-20DDCF6FFA12}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes


    Thursday, June 9, 2016 11:48 AM
  • Hi Rick,

    There's still something wrong with your IP configuration on whichever server you ran that nslookup. You should never get the loopback or IPv6 link-local address like that.

    If you want to post the output of an "ipconfig /all", we can check it for you.

    Server 2003 doesn't have IPv6 installed, but here is the ipconfig results.

    Server 2003 DC, ipconfig /all, 



    Windows IP Configuration



       Host Name . . . . . . . . . . . . : myDomain-pdc-2

       Primary Dns Suffix  . . . . . . . : myDomain.local

       Node Type . . . . . . . . . . . . : Hybrid

       IP Routing Enabled. . . . . . . . : No

       WINS Proxy Enabled. . . . . . . . : No

       DNS Suffix Search List. . . . . . : myDomain.local



    Ethernet adapter Local Area Connection 6:



       Connection-specific DNS Suffix  . : 

       Description . . . . . . . . . . . : LAN:HP NC373i Multifunction Gigabit Server Adapter #3

       Physical Address. . . . . . . . . : 00-1B-78-2E-20-D6

       DHCP Enabled. . . . . . . . . . . : No

       IP Address. . . . . . . . . . . . : 10.0.0.22

       Subnet Mask . . . . . . . . . . . : 255.255.255.0

       Default Gateway . . . . . . . . . : 10.0.0.1

       DNS Servers . . . . . . . . . . . : 10.0.0.22

    Thursday, June 9, 2016 11:52 AM
  • Hi Rick,

    Since you're not really using IPv6, unbind it from the network interface on the Server 2008 host as shown below.

    Cheers,
    Lain

    Thursday, June 9, 2016 12:00 PM
  • Going back to the script included in the KB article, once you run that from the Server 2008 R2 host, KB3145126 - or any of its future iterations, will install and not cause the DNS Server service to crash.

    Cheers,
    Lain

    Thursday, June 9, 2016 12:03 PM
  • Hi Lain,

    I'm getting an error when I run the script. I looked through it thinking I have to plug in my own domain or server name in one of the variables, but I don't think that's the case. Execution Policy is set as RemoteSigned, my scripts live in a folder c:\scripts and I have a small hello world script that echoes hello world that runs OK. Power Script is version v2.

    Thanks, Rick

    Unexpected token 'var' in expression or statement.
    At C:\scripts\ps.ps1:1 char:15
    + $count = 0$var <<<<  = get-wmiobject -query "select * from win32_service where name = 'dns'"
        + CategoryInfo          : ParserError: (var:String) [], ParseException
        + FullyQualifiedErrorId : UnexpectedToken





    • Edited by R. Morgan Thursday, June 9, 2016 12:13 PM
    Thursday, June 9, 2016 12:10 PM
  • OK, unbind.
    Thursday, June 9, 2016 12:15 PM
  • That's funny. They've made a mistake in the script they've posted - well, at least one anyway.

    That first line should read like this:

    $count = 0; $var = get-wmiobject -query "select * from win32_service where name = 'dns'";

    Let me know if you find more errors in their script.

    Cheers,
    Lain

    Thursday, June 9, 2016 12:17 PM
  • That did it, the script ran OK.

    Results from server 2008 DC

    Total number of zones found: 1
    The zones are:
    www.google.com

    Thursday, June 9, 2016 12:21 PM
  • That did it, the script ran OK.

    Results from server 2008 DC

    Total number of zones found: 1
    The zones are:
    www.google.com

    I have to find the article why I have the google forward lookup zone, but it had to do with filtering. It's been a while since I put it in.
    Thursday, June 9, 2016 12:26 PM
  • Okay, well, the issue is that it's not RFC compliant meaning you'll continue to have issues with it.

    I guess have a think about the scenario and see if it's still needed. If not, remove the zone. If so, let us know what the actual business requirement is and maybe we can think of another way around it that still maintains RFC compliance.

    Cheers,
    Lain

    Thursday, June 9, 2016 12:33 PM
  • Google had a document a few years back to help schools redirect ssl traffic that could not be filtered since it was encrypted. At the time adult websites would get through filters, so the redirect was a work around from google. If you google, nosslsearch.google.com you'll find articles about the issue, but I can't find the original article from google.

    Do you think the CNAME nosslsearch.google.com is the cause of the problem as explained here ?

    Thanks,

    Rick


    • Edited by R. Morgan Thursday, June 9, 2016 12:50 PM
    Thursday, June 9, 2016 12:49 PM
  • Yes, I do. The way in which www.google.com has effectively been redirected to nosslsearch.google.com is what's non-RFC compliant and therefore what's causing DNS to crash after this update.

    Cheers,
    Lain

    Thursday, June 9, 2016 1:02 PM
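As an added example, and not the script from the KB3145126 article: a PowerShell function that lists every zone on the local DNS server carrying a CNAME at its apex, the configuration Lain describes above as non-RFC-compliant (RFC 1034 does not allow a CNAME to sit alongside the SOA and NS records every zone must have at its root). It uses the root\MicrosoftDNS WMI provider, so it runs on 2008 R2 with PowerShell v2 as well as on later builds. The dnscmd command it prints is assembled for review only and is not executed.

```powershell
# Added example, not the KB3145126 script. Lists zones on this DNS server whose
# apex ("same as parent folder" in the DNS console) holds a CNAME record.
# Run on the DNS server in an elevated session; uses the root\MicrosoftDNS WMI
# provider, so it works on 2008 R2 with PowerShell v2 as well as on later builds.

function Find-ApexCnameZone {
    param([string] $Namespace = 'root\MicrosoftDNS')

    $zones  = @(Get-WmiObject -Namespace $Namespace -Class MicrosoftDNS_Zone)
    $cnames = @(Get-WmiObject -Namespace $Namespace -Class MicrosoftDNS_CNAMEType)

    foreach ($zone in $zones) {
        # A CNAME whose owner name equals the zone name sits at the apex. For the
        # case in this thread that is a zone named www.google.com whose root is
        # an alias for nosslsearch.google.com.
        $apex = @($cnames | Where-Object {
            $_.ContainerName -eq $zone.Name -and $_.OwnerName -eq $zone.Name
        })
        if ($apex.Count -eq 0) { continue }

        # AD-integrated zones also need /DsDel so the zone object leaves the directory.
        $dsDel = ''
        if ($zone.DsIntegrated) { $dsDel = ' /DsDel' }

        New-Object PSObject -Property @{
            Zone         = $zone.Name
            Target       = $apex[0].PrimaryName
            DsIntegrated = [bool]$zone.DsIntegrated
            # Printed for review, never executed by this script.
            RemoveWith   = "dnscmd /ZoneDelete $($zone.Name)$dsDel /f"
        }
    }
}

$found = @(Find-ApexCnameZone)
"Total number of zones found: $($found.Count)"
$found | Format-Table Zone, Target, DsIntegrated, RemoveWith -AutoSize
```

If a zone found this way is still needed, the RFC-compliant substitute is A records at the apex pointing at the target's current addresses rather than a CNAME. Bear in mind what such a zone is: an authoritative override of someone else's public name for every client that uses this server, so whoever administers the DNS server decides where www.google.com goes for the whole school, which is worth weighing against the filtering requirement it was created for.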
    OK, I'm going to remove the zone but will monitor web traffic and it doesn't seem that Google is supporting the nosslsearch.google.com from the lack of positive articles.
    Thursday, June 9, 2016 1:15 PM
  • Yeah, fair enough. In any case, it will stop the DNS crash issue both now and in the future, which is a good thing.

    Cheers,
    Lain

    Thursday, June 9, 2016 1:21 PM
  • I removed the google zone and ran the script.

    No zones found with the issue

    I also re-applied KB3145126, but will have to check on it later after a restart.

    Thanks,

    Rick


    • Edited by R. Morgan Thursday, June 9, 2016 2:44 PM
    Thursday, June 9, 2016 2:44 PM
  • Hi Lain,

    I restarted the server and dns is running, KB3145126 is installed.

    -Rick

    Friday, June 10, 2016 12:08 AM
  • Happy days!

    You shouldn't have this issue again now that zone has been removed, which is peace of mind.

    Cheers,
    Lain

    Friday, June 10, 2016 12:14 AM
    Yup, things are looking pretty good here. I'm still looking into the zone _msdcs.myDomain.local was not found from dns best practice. Once that's fixed dns is pretty much clean!

    Rick

    Friday, June 10, 2016 12:21 AM
  • Hi Lain,
    I still have the problem with _msdcs.ForestName. I created the zone per the instructions here case 2. I run nslookup 1b51209e-39b7-4cd4-81a1-171fe3941ed6.myDomain.com myDomain-PDC from myDomain-pdc and here are the results;
    Server:  localhost
    Address:  ::1

    *** localhost can't find 1b51209e-39b7-4cd4-81a1-171fe3941ed6.myDomain.local: Non-existent domain

    IPv6 is disabled (unchecked) and am still getting the ::1
    I forced replication, but will re-run the command in fifteen minutes or so.
    Thanks, Rick

    Friday, June 10, 2016 1:15 AM
  • Hi Lain,
    I still have the problem with _msdcs.ForestName. I created the zone per the instructions here case 2. I run nslookup 1b51209e-39b7-4cd4-81a1-171fe3941ed6.myDomain.com myDomain-PDC from myDomain-pdc and here are the results;
    Server:  localhost
    Address:  ::1

    *** localhost can't find 1b51209e-39b7-4cd4-81a1-171fe3941ed6.myDomain.local: Non-existent domain

    IPv6 is disabled (unchecked) and am still getting the ::1
    I forced replication, but will re-run the command in fifteen minutes or so.
    Thanks, Rick

    I might add that this server, server 2008 DC  is running on a citrix box with one virtual adapter assigned to the server.

    • Edited by R. Morgan Friday, June 10, 2016 1:17 AM
    Friday, June 10, 2016 1:16 AM
  • I thought this might help, text file from the new forward zone _msdcs.ForestName

    Name Type Data Timestamp
    (same as parent folder) Start of Authority (SOA) [2], myDomain-pdc.myDomain.local., hostmaster.myDomain.local. static
    (same as parent folder) Name Server (NS) myDomain-pdc.myDomain.local. static
    (same as parent folder) Name Server (NS) myDomain-pdc-2.myDomain.local. static

    Friday, June 10, 2016 1:26 AM
  • Hi Rick,

    I can't imagine how the IPv6 loopback address (::1) can even be used if IPv6 has been unlinked. That's straight-up bizarre!

    I'm assuming if you run a similar query on the Server 2003 host that it comes back fine?

    nslookup 1b51209e-39b7-4cd4-81a1-171fe3941ed6.myDomain.com myDomain-PDC-2

    Also, if you can run the following on the Server 2008 host and post the results, I'd appreciate it:

    netsh int ipv6 sh dns

    Cheers,
    Lain

    Friday, June 10, 2016 1:49 AM
  • Results from server 2003 DC

    nslookup 1b51209e-39b7-4cd4-81a1-171fe3941ed6.myDomain.local myDomain-PDC-2

    Server:  myDomain-pdc-2.myDomain.local
    Address:  10.0.0.22

    *** myDomain-pdc-2.myDomain.local can't find 1b51209e-39b7-4cd4-81a1-171fe3941ed6.myDomain.local: Non-existent domain


    • Edited by R. Morgan Friday, June 10, 2016 3:34 PM
    Friday, June 10, 2016 3:34 PM
  • Results from server 2008 DC

    netsh int ipv6 sh dns

    Configuration for interface "Loopback Pseudo-Interface 1"
        Statically Configured DNS Servers:    None
        Register with which suffix:           None

    Configuration for interface "isatap.{341324BB-44C7-46A6-8BBB-20DDCF6FFA12}"
        Statically Configured DNS Servers:    None
        Register with which suffix:           None

    Configuration for interface "Teredo Tunneling Pseudo-Interface"
        Statically Configured DNS Servers:    None
        Register with which suffix:           None

    Friday, June 10, 2016 3:37 PM
  • Hi Lain,

    Being that 1b51209e-39b7-4cd4-81a1-171fe3941ed6 is the GUID of the DC object, wouldn't you think the GUID would resolve using nslookup? It seems that this would most definitely have to be resolved.

    PS I sent you an email from my gmail account and was wondering if you received it?

    Thanks, Rick 


    • Edited by R. Morgan Friday, June 10, 2016 4:05 PM
    Friday, June 10, 2016 4:01 PM
  • Hi Lain,

    In DNS would you think there should be a CNAME record that contains the GUID of each domain controller? I looked at server 2003 & 2008 DC DNS records, but no CNAME with GUID. Unless I'm looking in the wrong place.

    Just a thought,

    Rick

    Friday, June 10, 2016 5:03 PM
  • Hi Rick,

    I've gone and made a copy-and-paste typo. Each of those nslookup commands should have had _msdcs.mydomain.local as the suffix. I made a mistake in omitting the _msdcs label, so you may want to re-run those two checks.

    The netsh output shows that there is no local adapter bound to the IPv6 stack, so how it's resolving local DNS queries with a server address of ::1 is beyond me.

    Cheers,
    Lain

    Saturday, June 11, 2016 9:06 AM
  • Hi Lain, 

    Good news, it resolved. Perhaps the IPv6 loopback is an anomaly, being that this server is being hosted on a Citrix XenServer, but I'm just guessing at this point. I checked adapter settings in the registry and really didn't notice anything out of the ordinary.

    Results from server 2008 DC

    Server:  localhost
    Address:  ::1

    Name:    myDomain-pdc-2.myDomain.local
    Address:  10.0.0.22
    Aliases:  1b51209e-39b7-4cd4-81a1-171fe3941ed6._msdcs.myDomain.local

    Thanks,

    Rick

    Saturday, June 11, 2016 1:09 PM
  • In my DNS settings, under forward lookup zones, I created the zone _msdcs.ForestName following the instructions here, step 9 under case 2.

    Do you think the zone should read as _msdcs.myDomain.local and not _msdcs.ForestName? This would match your example.

    Thanks,

    Rick

    Saturday, June 11, 2016 1:17 PM
  • OK, I added the zone _msdcs.myDomain.local, ran best practice and the _msdcs.myDomain.local error is gone. I guess I was not understanding step 9 in the article above. Unless nslookup should be able to resolve _msdcs.ForestName? Now I'm just left with a few yellow warnings, I'll let you know how I make out.

    Thanks,

    Rick


    • Edited by R. Morgan Saturday, June 11, 2016 1:36 PM
    Saturday, June 11, 2016 1:35 PM
  • Hi Rick,

    You've already figured it out yourself, but I'll just confirm for your own peace of mind that it should indeed be _msdcs.mydomain.local.

    It sounds like everything's running well at last (ignoring the IPv6 loopback reference which I just can't explain) meaning you can tackle those future scopes of work with confidence.

    Cheers,
    Lain

    Saturday, June 11, 2016 1:49 PM
  • Hi Lain,

    I took care of the yellow warnings under best practice and everything is good!


    Saturday, June 11, 2016 5:54 PM
  • Lain,

    It was quite a journey getting to this point.

    I lucked out way back at the beginning of this post when you chimed in. I don't know if at any point you might have wondered, "oh no, what did I get myself into?" But you hung in there with me step by step until the problem was solved.

    You're truly a gentleman and a scholar!

    Sincerely,

    Rick Morgan

    Saturday, June 11, 2016 5:57 PM
  • Hi Lain,

    I'm finally getting around to decommissioning the DC on Server 2003. My concern is that after running repadmin /showreps /all there are some logs that show some replication attempts taking place in 2010, and I am wondering if I should be concerned with this. Look under "OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS" and you will see several 2010 entries.

    Thanks, Rick

    myDomain-Elementary-School\myDomain-PDC-2
    DC Options: IS_GC
    Site Options: IS_GROUP_CACHING_ENABLED
    DC object GUID: 1b51209e-39b7-4cd4-81a1-171fe3941ed6
    DC invocationID: 318fb45c-6aa1-4ae3-bc64-30b6e88d6cba

    ==== INBOUND NEIGHBORS ======================================

    DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-07-31 23:05:52 was successful.

    CN=Configuration,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-07-31 22:59:52 was successful.

    CN=Schema,CN=Configuration,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-07-31 22:59:52 was successful.

    DC=DomainDnsZones,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-07-31 22:59:52 was successful.

    DC=ForestDnsZones,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-07-31 22:59:52 was successful.

    ==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

    DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-07-31 22:32:45 was successful.

    CN=Configuration,DC=myDomain,DC=local
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-07-31 11:59:06 was successful.

    CN=Schema,CN=Configuration,DC=myDomain,DC=local
        (null) via RPC
            DC object GUID: 505692b7-f408-41f5-a796-76b7688637d9
            Last attempt @ 2010-09-13 21:46:27 was successful.
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-07-18 11:00:17 was successful.

    DC=DomainDnsZones,DC=myDomain,DC=local
        (null) via RPC
            DC object GUID: 505692b7-f408-41f5-a796-76b7688637d9
            Last attempt @ 2010-09-13 21:46:30 was successful.
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-07-18 11:00:20 was successful.

    DC=ForestDnsZones,DC=myDomain,DC=local
        (null) via RPC
            DC object GUID: 505692b7-f408-41f5-a796-76b7688637d9
            Last attempt @ 2010-09-13 21:46:39 was successful.
        myDomain-Elementary-School\myDomain-PDC via RPC
            DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
            Last attempt @ 2016-07-30 16:32:34 was successful.

    ==== KCC CONNECTION OBJECTS ============================================
    Connection --
        Connection name : 9f8e8e18-1e79-432a-8be5-1bf2e9d90507
        Server DNS name : myDomain-pdc-2.myDomain.local
        Server DN  name : CN=NTDS Settings,CN=myDomain-PDC-2,CN=Servers,CN=myDomain-Elementary-School,CN=Sites,CN=Configuration,DC=myDomain,DC=local
            Source: myDomain-Elementary-School\myDomain-PDC
                    No Failures.
            TransportType: intrasite RPC
            options:  isGenerated
            ReplicatesNC: DC=ForestDnsZones,DC=myDomain,DC=local
            Reason:  RingTopology
                    Replica link has been added.
            ReplicatesNC: CN=Schema,CN=Configuration,DC=myDomain,DC=local
            Reason:  RingTopology
                    Replica link has been added.
            ReplicatesNC: DC=DomainDnsZones,DC=myDomain,DC=local
            Reason:  RingTopology
                    Replica link has been added.
            ReplicatesNC: DC=myDomain,DC=local
            Reason:  RingTopology
                    Replica link has been added.
            ReplicatesNC: CN=Configuration,DC=myDomain,DC=local
            Reason:  RingTopology
                    Replica link has been added.
    1 connections found.


    • Edited by R. Morgan Monday, August 1, 2016 3:24 AM
    Monday, August 1, 2016 3:23 AM
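    As an added example that is not from the thread, a small Python parser for `repadmin /showreps` output that flags the (null) and year-2010 entries asked about above, and records whether the same naming context still has a named partner with a recent success. The sample text is constructed from the listing in the post; the 60-day staleness threshold and the "covered" rule are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the shape of `repadmin /showreps /all` output, modelled
# on the listing in the post (same placeholder DC names and GUIDs).
SAMPLE = """\
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
CN=Schema,CN=Configuration,DC=myDomain,DC=local
    (null) via RPC
        DC object GUID: 505692b7-f408-41f5-a796-76b7688637d9
        Last attempt @ 2010-09-13 21:46:27 was successful.
    myDomain-Elementary-School\\myDomain-PDC via RPC
        DC object GUID: ee6dd11c-9c3c-4a6d-bcdd-504a86b82fe1
        Last attempt @ 2016-07-18 11:00:17 was successful.
"""
ATTEMPT = re.compile(r"Last attempt @ (\S+ \S+) was (successful|unsuccessful)")
TS = "%Y-%m-%d %H:%M:%S"

def parse_showreps(text):
    """One dict per (section, naming context, partner) neighbour entry."""
    entries, section, nc, cur = [], None, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("===="):                      # section banner
            section = s.strip("= ")
        elif s.startswith(("DC=", "CN=")) and not line[:1].isspace():
            nc = s                                    # naming context header
        elif s.endswith(" via RPC"):                  # replication partner
            cur = {"section": section, "nc": nc, "partner": s[:-len(" via RPC")]}
            entries.append(cur)
        elif s.startswith("DC object GUID:") and cur:
            cur["guid"] = s.split(":", 1)[1].strip()
        elif cur and (m := ATTEMPT.search(s)):
            cur["last_attempt"] = datetime.strptime(m.group(1), TS)
            cur["ok"] = m.group(2) == "successful"
    return entries

def stale_neighbors(entries, now, max_age=timedelta(days=60)):
    """Flag '(null)' partners, failed attempts and successes older than max_age
    (assumed threshold). 'covered' is True when the same naming context still has
    a named partner with a recent success, i.e. the entry is an orphan, not an
    outage. `now` may be a datetime or a 'YYYY-MM-DD HH:MM:SS' string."""
    now = datetime.strptime(now, TS) if isinstance(now, str) else now
    fresh = {e["nc"] for e in entries if e["partner"] != "(null)"
             and e.get("ok") and now - e["last_attempt"] <= max_age}
    flagged = []
    for e in entries:          # ordering of the checks avoids KeyError on partial entries
        if (e["partner"] == "(null)" or not e.get("ok")
                or now - e["last_attempt"] > max_age):
            flagged.append({**e, "covered": e["nc"] in fresh})
    return flagged
```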
  • Hi Rick,

    I wouldn't worry about those particular outbound failures as a prerequisite for the demotion as there's another correctly replicating partner receiving the changes.

    If you run dcdiag on the other domain controllers and get the same (null) reference, then yes, there's something that needs to be fixed; however, that's something to fix independently of the demotion itself.

    Cheers,
    Lain

    Monday, August 1, 2016 4:52 AM
  • Hi Lain,

    There are just the two domain controllers, one is Server 2003 and the other is Server 2008R2. Here is the dcdiag output from Server 2008R2. It looks pretty good to me, but you might say different?

    -Rick


    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = MyDomain-pdc
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: MyDomain-Elementary-School\MyDomain-PDC
          Starting test: Connectivity
             ......................... MyDomain-PDC passed test Connectivity

    Doing primary tests

       Testing server: MyDomain-Elementary-School\MyDomain-PDC
          Starting test: Advertising
             ......................... MyDomain-PDC passed test Advertising
          Starting test: FrsEvent
             ......................... MyDomain-PDC passed test FrsEvent
          Starting test: DFSREvent
             ......................... MyDomain-PDC passed test DFSREvent
          Starting test: SysVolCheck
             ......................... MyDomain-PDC passed test SysVolCheck
          Starting test: KccEvent
             ......................... MyDomain-PDC passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... MyDomain-PDC passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... MyDomain-PDC passed test MachineAccount
          Starting test: NCSecDesc
             ......................... MyDomain-PDC passed test NCSecDesc
          Starting test: NetLogons
             ......................... MyDomain-PDC passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... MyDomain-PDC passed test ObjectsReplicated
          Starting test: Replications
             ......................... MyDomain-PDC passed test Replications
          Starting test: RidManager
             ......................... MyDomain-PDC passed test RidManager
          Starting test: Services
             ......................... MyDomain-PDC passed test Services
          Starting test: SystemLog
             ......................... MyDomain-PDC passed test SystemLog
          Starting test: VerifyReferences
             ......................... MyDomain-PDC passed test VerifyReferences

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : MyDomain
          Starting test: CheckSDRefDom
             ......................... MyDomain passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... MyDomain passed test CrossRefValidation

       Running enterprise tests on : MyDomain.local
          Starting test: LocatorCheck
             ......................... MyDomain.local passed test LocatorCheck
          Starting test: Intersite
             ......................... MyDomain.local passed test Intersite


    Monday, August 1, 2016 12:07 PM
  • Yep, that looks fine.

    Cheers,
    Lain

    Monday, August 1, 2016 1:33 PM