Verification of replica failed. The Wizard cannot access the list of domains in the forest

    Question

  • Hello,

    I have DC2 (MBDC) and DC1. DC2 was the primary domain controller and was holding the DNS, AD DS, and DHCP roles; the operating system of DC2 was Windows Server 2008. DC2 was damaged due to an electricity shortage. I seized the FSMO roles on DC1 and then transferred the roles to DC1; DC1 was already the alternate DNS.

    Now the AD is not connecting in Exchange server 2007 (mail.macca.org.af), and I am not able to join a new computer to the domain. I have prepared a new server and want to promote it as a domain controller, but I get this message during DCpromo.

    Verification of replica failed. The Wizard cannot access the list of domains in the forest. The network path was not found.

    Please help.

    Thanks,

    Zilgai

    Wednesday, December 28, 2016 8:53 AM

All replies

  • Hello,

    Can you please verify the eventlog on your DC1? It looks like it has the security channel broken on it.

    The easy way to verify this through the GUI is to open DNS Server snap-in on DC1. Can it open AD integrated zones?

    If it is really so, here is an article describing how you can fix it using Netdom utility: https://blogs.technet.microsoft.com/asiasupp/2007/01/17/typical-symptoms-when-secure-channel-is-broken/

    /Bulat

    Wednesday, December 28, 2016 9:49 AM
  • Hello

    please make sure that the problematic server has its A record registered in corresponding DNS zones. Please see details from:
    Error message: The wizard cannot gain access to the list of domains in the forest
    https://support.microsoft.com/en-sg/kb/259374

    Thanks

    krishna

    Wednesday, December 28, 2016 10:19 AM
    From my understanding, DC1 is not a DNS server and, by losing DC2, you no longer have a DNS server. As DNS is mandatory for AD to work, you can proceed as follows:

    1. Install DNS on DC1 and create your domain DNS zones: domain.com and _msdcs.domain.com
    2. Make sure that the zones are AD-Integrated and that clients are allowed to register
    3. Make DC1 point to itself as primary DNS server and 127.0.0.1 as secondary one
    4. Run ipconfig /registerdns and restart netlogon on DC1

    That should make your DC1 register its DNS records. Also, make sure that your AD-Integrated systems point to DC1 as primary DNS server and do not forget to configure your forwarders to point to your ISP DNS servers on DC1 so that public DNS resolution will work. You will have to manually re-create your previously created DNS records.

    After that, check again that your systems are working properly.

    Advice for future implementations: it is advised to have at least two DC/DNS/GC servers per AD domain. When you create a new DC, you can make it and DC1 DHCP servers too, with the 50/50 rule for the scopes.


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK



    • Edited by Mr XMVP Wednesday, December 28, 2016 8:45 PM
    Wednesday, December 28, 2016 8:44 PM
  • Hi Zilgai,
    Alternatively, you could also check if there is firewall block between the server and the existing DC, or some ports are not opened in order to allow the initial promotion and subsequent replication to take place.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by Zilgai Thursday, December 29, 2016 12:24 PM
    • Unmarked as answer by Zilgai Thursday, December 29, 2016 12:24 PM
    Thursday, December 29, 2016 3:03 AM
    Moderator
  • I checked the records are in place, still no luck.

    Thursday, December 29, 2016 12:18 PM
  • The DNS is installed on DC1 and I can open the DNS console; nslookup is successful and netdom query fsmo is also successful, but still I cannot join a computer to the domain and also cannot promote a new server as a secondary DC. I assigned the DC1 IP as the primary DNS and 127.0.0.1 as secondary. Still the same problem.
    Thursday, December 29, 2016 12:23 PM
  • netlogon is running, still the same problem.

    • Marked as answer by Zilgai Thursday, December 29, 2016 12:28 PM
    Thursday, December 29, 2016 12:28 PM
  • Can you try to browse Configuration partition from the DC1? Is it successful?

    /Regards

    Thursday, December 29, 2016 1:18 PM
  • I have error 4007 in the event log.

    The DNS server was unable to open zone _msdcs.macca.org.af in the Active Directory from the application directory partition ForestDnsZones.macca.org.af. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    It is about the Partition.

    Thanks,

    • Marked as answer by Zilgai Monday, January 2, 2017 4:48 AM
    Monday, January 2, 2017 4:48 AM
  • That's the issue.

    Your DC cannot read the AD partition. This can mean two things. Either your AD database is corrupted, in which case you will most likely have to restore from backup. Or your DC has problems with its computer account (more common name of the problem - broken secure trust relationship with the domain).

    The second problem can most often be fixed by reestablishing the relationship between the DC and the domain. The troubleshooting steps are described in the article I have provided above: https://support.microsoft.com/en-sg/kb/259374

    Have you tried to check these?

    /Regards


    • Edited by Avendil Monday, January 2, 2017 7:46 AM
    Monday, January 2, 2017 7:46 AM
  • Hello,

    still the same, no luck.

    • Marked as answer by Zilgai Monday, January 9, 2017 5:30 AM
    Monday, January 9, 2017 5:30 AM
  • Hi DNS is installed on DC1 and I can open the forward and reverse lookup zones.

    • Marked as answer by Zilgai Monday, January 9, 2017 8:52 AM
    Monday, January 9, 2017 8:52 AM
  • Hi Zilgai,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    If the problem persists, please confirm that the DC1 is running in good health, you could run dcdiag command to take a look and run dcdiag /test:dns to check DNS: https://social.technet.microsoft.com/wiki/contents/articles/17741.dcdiag-for-dns-test-details-explained.aspx

    Regarding error 4007, please check:

    Fix - EventID 4007 DNS Server Error

    http://www.techadre.com/content/fix-eventid-4007-dns-server-error

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, January 12, 2017 1:42 AM
    Moderator
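The checks that Ahmed's steps 1-4 and Wendy's dcdiag suggestion call for, gathered into one PowerShell script; this is an added example, not code posted by anyone in the thread. It assumes it is run elevated on DC1 on Windows Server 2012 or later (the DnsServer and DnsClient modules are not available on the 2008 generation DC2 ran), and takes the domain name from the thread.

```powershell
# Added example: verify the DNS prerequisites DCpromo needs on DC1, then run dcdiag /test:dns.
# Assumes Windows Server 2012+ (DnsServer / DnsClient modules) and an elevated session on DC1.
$Domain = 'macca.org.af'          # domain name taken from the thread; replace for your forest
$Dc     = $env:COMPUTERNAME
$Issues = @()

# Steps 1-2: both zones must exist, be AD-integrated, and accept dynamic updates.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    $z = Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue
    if (-not $z)                     { $Issues += "zone $zone is missing"; continue }
    if (-not $z.IsDsIntegrated)      { $Issues += "zone $zone is not AD-integrated" }
    if ($z.DynamicUpdate -eq 'None') { $Issues += "zone $zone does not allow dynamic updates" }
}

# Step 3: DC1's own DNS client must point at DC1 (its own address or 127.0.0.1).
$ownIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses
if (-not ($dnsServers | Where-Object { $_ -eq '127.0.0.1' -or $ownIps -contains $_ })) {
    $Issues += "DC1 does not use itself as a DNS server (current: $($dnsServers -join ', '))"
}

# KB 259374: the DC's A record and its _ldap._tcp.dc._msdcs SRV record must resolve locally.
$a   = Resolve-DnsName -Name "$Dc.$Domain" -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server 127.0.0.1 `
                       -ErrorAction SilentlyContinue
if (-not $a) { $Issues += "no A record for $Dc.$Domain" }
if (-not ($srv | Where-Object { $_.NameTarget -like "$Dc.*" })) {
    $Issues += "no _ldap._tcp.dc._msdcs SRV record pointing at $Dc"
}

# Step 4 precondition: Netlogon is the service that registers the SRV records.
if ((Get-Service -Name Netlogon).Status -ne 'Running') { $Issues += 'Netlogon service is not running' }

if ($Issues.Count -eq 0) {
    Write-Host "DNS prerequisites look good; running dcdiag DNS test"
    dcdiag /test:dns /v
} else {
    $Issues | ForEach-Object { Write-Warning $_ }
    Write-Host 'Fix the items above, then run: ipconfig /registerdns ; Restart-Service Netlogon'
}
```

If every check passes but Event ID 4007 still appears, the problem is in the directory partition (ForestDnsZones) rather than in DNS configuration, as the later replies discuss.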