Windows 2008 Domain Controller Netlogon Service Paused

  • Question

  • Windows 2008 native Active Directory domain forest
    1 Windows 2008 R2 domain controller (holds ____ FSMO roles)
    1 Windows 2008 domain controller (Netlogon paused, Event IDs 2103 and 2105)
    DFSR replication
    fully patched as on noon PST 11/05/2010

    If I unpause Netlogon on the Windows 2008 DC, it shows itself as holding the RID manager FSMO role (in conflict with the Windows 2008 R2 DC).

    Is there a method to modify the schema and/or registry so that the Windows 2008 DC shows the correct FSMO role holders when the Netlogon service is restarted?

    Friday, November 5, 2010 8:23 PM

Answers

  • Hello,

    something is wrong on one of the DCs. Remove the one that should not have the RID master and do a metadata cleanup, then reinstall the computer and promote it again to DC and make it DNS/GC.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, November 8, 2010 6:29 PM

All replies

  • Please post the Netdom Query FSMO command result from both DCs here. 


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Friday, November 5, 2010 8:29 PM
  • Have you restored the DC using an image or something similar? Please check
    http://blogs.dirteam.com/blogs/jorge...03/08/597.aspx

    Friday, November 5, 2010 9:48 PM
  • A paused Netlogon service following a restore typically indicates that you used a non-AD-compliant restore method (which seems to be the case since you mentioned "backup image"). Is this the case? Do you see event IDs 2103 and 2095 in the Directory Services event log? If so, shut down the DC and perform the restore using a supported method (e.g. NT Backup and a non-authoritative restore). Make sure you use a recent backup (no older than the tombstone interval)...


    http://www.virmansec.com/blogs/skhairuddin
    Saturday, November 6, 2010 7:36 AM
  • Hello,

    As mentioned by the others, there seems to be a problem with multiple FSMO roles, which can occur after seizing them and then restoring the previous machine from backup. Please describe in more detail the steps you took before this happened.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Saturday, November 6, 2010 10:27 AM
  • There was no restore done on this DC. There was a RAID failure (I used the Windows software RAID 1), but since it was a RAID 1 I was able to bring the machine back up. Once it was online was when the Netlogon pause and FSMO issue occurred.

    Windows 2008 R2 DC (correct)

    C:\Users\administrator.MMICMANHOMENET>netdom query fsmo
    Schema master                windows2008R2.mmicmanhomenet.local
    Domain naming master         windows2008R2.mmicmanhomenet.local
    PDC                          windows2008R2.mmicmanhomenet.local
    RID pool manager             windows2008R2.mmicmanhomenet.local
    Infrastructure master        windows2008R2.mmicmanhomenet.local
    The command completed successfully.

    Windows 2008 DC (incorrect; netdom run while Netlogon was unpaused)

    C:\Users\Administrator.000>netdom query fsmo
    Schema owner                 windows2008R2.mmicmanhomenet.local
    Domain role owner            windows2008R2.mmicmanhomenet.local
    PDC role                     windows2008R2.mmicmanhomenet.local
    RID pool manager             windows2008.mmicmanhomenet.local
    Infrastructure owner         windows2008R2.mmicmanhomenet.local
    The command completed successfully.

    C:\Users\Administrator.000>

    Saturday, November 6, 2010 2:36 PM
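Added example, not code from the thread: a PowerShell function that asks each DC for its own copy of the fSMORoleOwner attributes (the data that netdom query fsmo reads) and flags any role on which the replicas disagree, which is exactly what the two outputs above show for the RID pool manager. It assumes the ActiveDirectory RSAT module and LDAP reachability to both DCs; the two server names at the bottom are taken from the posted output, and the function names are my own.

```powershell
# Added example (not from the thread). Reads fSMORoleOwner from each DC's own
# replica and reports roles where the DCs disagree about the holder.
Import-Module ActiveDirectory

function Get-FsmoViewFromDc {
    param([Parameter(Mandatory)][string]$Server)
    $root     = Get-ADRootDSE -Server $Server
    $domainDn = $root.defaultNamingContext
    # Each role lives as a fSMORoleOwner attribute on a well-known object; the
    # value is the DN of the holder's "NTDS Settings" object.
    $roleObjects = [ordered]@{
        'Schema master'         = $root.schemaNamingContext
        'Domain naming master'  = 'CN=Partitions,' + $root.configurationNamingContext
        'PDC'                   = $domainDn
        'RID pool manager'      = 'CN=RID Manager$,CN=System,' + $domainDn
        'Infrastructure master' = 'CN=Infrastructure,' + $domainDn
    }
    $view = [ordered]@{}
    foreach ($role in $roleObjects.Keys) {
        $obj = Get-ADObject -Identity $roleObjects[$role] -Properties fSMORoleOwner -Server $Server
        # "CN=NTDS Settings,CN=<DC>,CN=Servers,...": pull the DC name out. A deleted
        # holder ("CN=NTDS Settings\0ADEL:<guid>,...") does not match and is shown raw,
        # which is itself a finding worth seeing.
        $holder = if ($obj.fSMORoleOwner -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] }
                  else { $obj.fSMORoleOwner }
        $view[$role] = $holder
    }
    return $view
}

function Compare-FsmoViews {
    param([Parameter(Mandatory)][string[]]$Servers)
    $views = @{}
    foreach ($s in $Servers) { $views[$s] = Get-FsmoViewFromDc -Server $s }
    foreach ($role in @($views[$Servers[0]].Keys)) {
        $holders = @($Servers | ForEach-Object { $views[$_][$role] } | Sort-Object -Unique)
        [pscustomobject]@{
            Role     = $role
            Holders  = ($Servers | ForEach-Object { "$_ says $($views[$_][$role])" }) -join '; '
            Conflict = ($holders.Count -gt 1)   # $true when the replicas disagree
        }
    }
}

# Server names as they appear in the netdom output posted above.
Compare-FsmoViews -Servers 'windows2008R2.mmicmanhomenet.local', 'windows2008.mmicmanhomenet.local' |
    Format-Table -AutoSize
```

Querying each DC with -Server matters: a single Get-ADDomain call only reflects whichever replica answered. The function also normalises the role labels, which netdom prints differently on the two OS versions above ("Schema master" versus "Schema owner"), so the rows line up for comparison.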
  • Note:

    Even in the Netlogon paused state, the Windows 2008 DC shows that it has the RID naming master role when checked under "Active Directory Users and Computers -> Operations Masters", even though the "netdom query fsmo" command shows otherwise.

    Saturday, November 6, 2010 2:42 PM
  • Hello,

    What you see is the reason that the Netlogon service stops. Please use the support tools to upload the following data:

    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt (if more than one DC exists)
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)

    As the output will become large, DON'T post it into the thread; please use Windows SkyDrive and add the link to it here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.

    After verifying the output, I think you should remove one of the DCs, depending on the output, and start fresh with the other one.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Saturday, November 6, 2010 2:52 PM
  • http://cid-fcf92d226039fa32.office.live.com/browse.aspx/.Documents?uc=3

    Note: This 2008 native AD domain/forest uses DFSR replication. There is a residual schema object which shows up as an error in the "VerifyEnterpriseReferences" section of the dcdiag file (yes, I named the problem DC with a less-than-desirable name. It was named that way seven years ago when it was a Windows 2003 DC and I never changed it because it was also a standalone root CA).

    Saturday, November 6, 2010 4:14 PM
  • I would prefer not to remove this DC. Removing it would leave one of my main sites without one. This DC is also a DFSR file server (there is another, but it is located in a different site) and a standalone root CA. I was planning on bringing up another DC when this one crashed. Now I am in a catch-22 where I need this DC functional before I install another.
    Saturday, November 6, 2010 7:10 PM
  • Netlogon paused errors are due to corruption in the AD database, which can happen after an abrupt shutdown or scanning by antivirus software, so you have to repair the AD database; if it can't be repaired, demote & promote will be the option.

    To resolve the Netlogon pause issue, do the following:

    To get a single domain controller out of USN rollback:
    - Open Regedit
    - Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    - Locate the key Dsa Not Writable=dword:00000004
    - Delete the entire key
    - Enable replication by running repadmin /options servername -DISABLE_OUTBOUND_REPL and repadmin /options servername -DISABLE_INBOUND_REPL
    - Reboot.

    References:

    http://exchangeserverpro.com/recovering-a-single-domain-controller-from-a-usn-rollback

    You have to transfer the CA to another server.

    http://www.lazynetworkadmin.com/knowledgebase-mainmenu-6/2-windows/144-migrate-microsoft-root-ca-to-another-server

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c70bd7cd-9f03-484b-8c4b-279bc29a3413&displaylang=en


    Awinish Vishwakarma | Technical Architect EE - http://www.experts-exchange.com/M_5074322.html
    Sunday, November 7, 2010 9:33 AM
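Added example, not from the thread or the linked article: a PowerShell script that checks a DC for the USN-rollback markers behind a paused Netlogon (the Dsa Not Writable value, Directory Service events 2103 and 2095 as mentioned earlier in the thread, and the DISABLE_*_REPL options) and reports them. Only when -Remediate is given does it apply the steps listed in the post above, each behind -WhatIf/-Confirm, so the default run is read-only and can be used to decide between those steps and the rebuild the accepted answer recommends. It assumes it is run elevated on the affected DC with repadmin.exe available; the parameter names are my own.

```powershell
<#
  Added example (not from the thread). Read-only by default: reports the
  USN-rollback markers on this DC. With -Remediate it performs the post's
  steps (remove "Dsa Not Writable", re-enable replication, reboot).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DcName = $env:COMPUTERNAME,   # DC to inspect (assumed: run locally, elevated)
    [switch]$Remediate
)

$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Dsa Not Writable'

# 1. Registry marker: the DC sets this to 4 when it quarantines itself after a USN rollback.
$item = Get-ItemProperty -Path $ntdsKey -Name $valueName -ErrorAction SilentlyContinue
$dsaNotWritable = if ($item) { $item.$valueName } else { $null }

# 2. Event markers: 2103 (database restored improperly, Netlogon paused) and 2095 (USN rollback).
$rollbackEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2103, 2095 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue

# 3. Replication options: the rollback handler sets DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL.
$options     = (& repadmin.exe /options $DcName 2>&1) -join "`n"
$inboundOff  = $options -match 'DISABLE_INBOUND_REPL'
$outboundOff = $options -match 'DISABLE_OUTBOUND_REPL'

# 4. Netlogon state: "Paused" is the symptom the thread starts from.
$netlogon = Get-Service -Name Netlogon

[pscustomobject]@{
    DC                 = $DcName
    DsaNotWritable     = $dsaNotWritable
    RollbackEventCount = @($rollbackEvents).Count
    InboundReplOff     = $inboundOff
    OutboundReplOff    = $outboundOff
    NetlogonStatus     = $netlogon.Status
} | Format-List

$inRollback = ($dsaNotWritable -eq 4) -or $inboundOff -or $outboundOff
if (-not $inRollback) { Write-Host 'No USN-rollback markers found.'; return }

if (-not $Remediate) {
    Write-Warning 'USN-rollback markers present. Re-run with -Remediate to apply the steps from the post, or rebuild the DC as the accepted answer recommends.'
    return
}

# Steps from the post, each guarded by ShouldProcess so -WhatIf shows them without acting.
if ($null -ne $dsaNotWritable -and $PSCmdlet.ShouldProcess("$ntdsKey\$valueName", 'Remove registry value')) {
    Remove-ItemProperty -Path $ntdsKey -Name $valueName
}
if ($outboundOff -and $PSCmdlet.ShouldProcess($DcName, 'repadmin /options -DISABLE_OUTBOUND_REPL')) {
    & repadmin.exe /options $DcName -DISABLE_OUTBOUND_REPL
}
if ($inboundOff -and $PSCmdlet.ShouldProcess($DcName, 'repadmin /options -DISABLE_INBOUND_REPL')) {
    & repadmin.exe /options $DcName -DISABLE_INBOUND_REPL
}
if ($PSCmdlet.ShouldProcess($DcName, 'Restart computer')) {
    Restart-Computer -ComputerName $DcName
}
```

Run it first with no switches to see which markers are set; `.\Check-UsnRollback.ps1 -Remediate -WhatIf` then lists each change without making it. Note that clearing the markers only lets replication resume; it does not by itself reconcile the conflicting RID master view shown earlier in the thread, which is why the diagnostics should be re-checked afterwards.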
  • Hello,

    As shown in the following output:

    Forwarders Information:
                         192.168.1.111 (<name unavailable>) [Valid]
                         192.168.1.97 (<name unavailable>) [Valid]
                         192.168.11.6 (<name unavailable>) [Valid]

    you use the domain-internal DNS servers as forwarders, which shouldn't be the case; only non-domain DNS servers should be used here.

    -----------------------

    Also, you have a site PalmHarbor containing:

    NTDS Settings\0ADEL:2fede063-9293-4af4-807d-72ab88bfef08,CN=NOQUARTER\0ADEL:32a8b82e-b807-47e0-b95d-dfa5560685ca

    which looks like some machines are listed twice or not completely removed. Does that site exist with no DCs in it?

    -----------------------


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Sunday, November 7, 2010 2:11 PM
  • How many DCs do you have? And how many sites?

    Also, please post the IPCONFIG /ALL result from your 2 DCs here.

    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Sunday, November 7, 2010 2:49 PM
  • <<<<Forwarders Information:
                         192.168.1.111 (<name unavailable>) [Valid] --- this is a TMG 2010
                         192.168.1.97 (<name unavailable>) [Valid]  --- this is a Linux server
                         192.168.11.6 (<name unavailable>) [Valid] ---- this is a TMG 2010

    you use the domain-internal DNS servers as forwarders, which shouldn't be the case; only non-domain DNS servers should be used here.>>>>>

    These are caching-only nameservers which resolve external IP addresses ONLY. These are not domain-internal DNS servers. My hosts point to the domain DNS servers, which are on my domain controllers (192.168.11.4, 192.168.1.107).

    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

    Also, you have a site PalmHarbor containing:

    NTDS Settings\0ADEL:2fede063-9293-4af4-807d-72ab88bfef08,CN=NOQUARTER\0ADEL:32a8b82e-b807-47e0-b95d-dfa5560685ca

    which looks like some machines are listed twice or not completely removed. Does that site exist with no DCs in it?>>>>>>>>>>>>>>>

    Palm Harbor is a site with no DC yet. The plan is to add a Windows 2008 R2 Enterprise DC once I upgrade the current Windows 2008 DC (in the TimeWarnerOrange site) to Windows 2008 R2 and upgrade the forest/domain to R2 native. The Orange site currently has a Windows 2008 R2 Enterprise DC. NOQUARTER was a Windows 2003 DC at the Palm Harbor site which has been demoted and removed from the domain.

    Sunday, November 7, 2010 8:57 PM
  • Based upon your advice above I was able to get the Netlogon service to start on the Windows 2008 Enterprise DC. Two major issues still remain:

    1. Cannot start the Windows Time service. Before I noticed that Netlogon was also paused, I tried changing the startup account to "Local System" instead of the default "Local Service". I need to get the right password for "Local Service" so that I can start the Windows Time service.

    2. "netdom query fsmo" on the Windows 2008 Enterprise DC (in the TimeWarnerOrange site) still shows that it holds the RID manager FSMO role, which is incorrect. The Windows 2008 R2 Enterprise DC (in the Orange site) holds all FSMO roles. Both DCs are in the same forest & domain.

    Sunday, November 7, 2010 9:17 PM
  • 1. 2 Domain Controllers

    2. 3 Sites

    3. ipconfig /all for the Windows 2008 R2 DC (holds all FSMO roles, global catalog)

    C:\Users\administrator.MMICMANHOMENET>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : spock
       Primary Dns Suffix  . . . . . . . : mmicmanhomenet.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : mmicmanhomenet.local

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : VMware PCI Ethernet Adapter
       Physical Address. . . . . . . . . : 00-0C-29-30-3A-9F
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.1.107(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.126
       DNS Servers . . . . . . . . . . . : 192.168.1.107
                                           192.168.11.4
       NetBIOS over Tcpip. . . . . . . . : Disabled

    4. ipconfig /all for the Windows 2008 SP2 DC (global catalog server; says it holds the RID master role, which it should not hold)

    C:\Users\Administrator.000>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : BLOWJOB
       Primary Dns Suffix  . . . . . . . : mmicmanhomenet.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : mmicmanhomenet.local

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : mmicmanhomenet.local
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
       Physical Address. . . . . . . . . : 00-04-23-A5-C8-16
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::adce:d09e:5952:3a6a%9(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.11.4(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.11.1
       DHCPv6 IAID . . . . . . . . . . . : 150996003
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-4F-C0-F1-00-04-23-A5-C8-16
       DNS Servers . . . . . . . . . . . : 192.168.1.107
                                           192.168.11.4
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Monday, November 8, 2010 4:59 PM
  • Did you restore the Windows 2008 DC before?  As you can see FSMO is different on the Windows 2008 DC.  My recommendation is to remove Windows 2008 DC and install a new one. 


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Friday, November 12, 2010 4:08 PM