FSMO Change / GPMC Cannot contact specified domain controller

    Question

  • Hi,

    I recently migrated FSMO roles to a new DC, and now the GPMC is throwing errors when opening. It's saying "The specified domain controller could not be contacted. This affects the following domain in the console. The error was: The specified domain either does not exist or could not be contacted."

    When I choose a different domain controller, the error is redisplayed when selecting "The domain controller with the Operations Master token for the PDC emulator".  However, if I select the domain controller holding the PDC emulator role from the list, it connects fine.  

    netdom query /domain thedomain.local fsmo shows the correct DC as the role holder, and the hostname resolves.  

    dsquery server -hasfsmo pdc shows the correct server's full configuration partition DN.  

    I'm not really sure where the problem lies given the role has been transferred successfully and the DC holding the role is resolvable / reachable directly.


    • Edited by minerat Friday, September 18, 2015 7:14 PM clarity
    Friday, September 18, 2015 7:13 PM

Answers

  • Actually, it turns out it was a subtle DNS issue.   

    NETLOGON on the FSMO holder was logging error 5782 when the service was started.  

    _ldap._tcp._pdc._msdcs.domain.local still reflected the old PDC emulator.

    The NICs were configured correctly for DNS on the new FSMO holder (pointing to another server and to itself), yet NETLOGON was still erroring with "no dns servers configured for local system". It turns out 'Register this connection's addresses in DNS' was unchecked on the NIC team's IPv4 properties. NETLOGON doesn't register addresses directly, but leverages the DHCP/Dynamic DNS client and will not execute (and returns the spurious "no dns servers" error) if dynamic registration for the NIC is not enabled.

    • Marked as answer by minerat Monday, September 21, 2015 3:12 PM
    Monday, September 21, 2015 3:11 PM
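    A PowerShell check for the mismatch described in this answer, added here as an example and not the poster's own commands: it compares the PDC emulator that AD reports (the same answer netdom query fsmo gives) against the _ldap._tcp.pdc._msdcs SRV record that NETLOGON registers, lists active adapters with "Register this connection's addresses in DNS" turned off, and pulls the most recent NETLOGON 5782 event. It assumes the ActiveDirectory and DnsClient modules are installed and that it runs with admin rights on the new role holder.

```powershell
# Added diagnostic script, not from the thread. Assumes the ActiveDirectory and
# DnsClient modules are present and it runs on the new PDC emulator with admin rights.

Import-Module ActiveDirectory

$adDomain  = Get-ADDomain
$domain    = $adDomain.DNSRoot
$pdcFromAd = $adDomain.PDCEmulator.TrimEnd('.')        # role holder per AD

# SRV record NETLOGON registers on behalf of the PDC emulator role holder
$srvName = "_ldap._tcp.pdc._msdcs.$domain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }

if (-not $srv) {
    Write-Warning "$srvName does not resolve; NETLOGON has not registered it"
} else {
    foreach ($r in $srv) {
        $target = $r.NameTarget.TrimEnd('.')
        if ($target -ne $pdcFromAd) {
            Write-Warning "$srvName -> $target but AD says the PDC emulator is $pdcFromAd (stale record)"
        } else {
            Write-Host "$srvName -> $target matches AD"
        }
    }
}

# Adapters that are up but have 'Register this connection's addresses in DNS' off.
# NETLOGON relies on the DNS client's dynamic registration, so this blocks the SRV update.
$upIndexes = (Get-NetAdapter | Where-Object Status -eq 'Up').ifIndex
$notRegistering = Get-DnsClient | Where-Object {
    $upIndexes -contains $_.InterfaceIndex -and -not $_.RegisterThisConnectionsAddress
}
foreach ($nic in $notRegistering) {
    Write-Warning "Dynamic DNS registration disabled on '$($nic.InterfaceAlias)'"
    Write-Host  "  Fix: Set-DnsClient -InterfaceIndex $($nic.InterfaceIndex) -RegisterThisConnectionsAddress `$true"
}

# Most recent NETLOGON 5782 ("no DNS servers configured for local system") in the System log
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5782 } `
       -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) { Write-Warning "Last NETLOGON 5782 at $($evt.TimeCreated): $($evt.Message)" }

# After enabling registration: ipconfig /registerdns; Restart-Service Netlogon; re-run this script.
```

    Re-running the script after the NETLOGON restart should show the SRV record pointing at the new role holder and no remaining 5782 events newer than the restart.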

All replies

  • Additionally, Group Policy Modeling through the GPMC fails with this error:

    "Could not determine whether the specified user and computer are in the same forest as the domain controller"

    Group Policy Result fails with access denied.  However, gpresult works from the member servers via the command line and shows updated changes.  GPO/FRS replication is functioning properly - changes are present on other domain controllers.  It mostly seems to be an issue with the GPMC.

    Friday, September 18, 2015 8:31 PM
  • 1. Before doing procedures like this, AD should be healthy. DCDIAG is one of the tools to use.

    2. Not only the transfer of FSMO roles is needed. I hope you created a GC and let replication finish before removing the old server.

    3. Previous server operating systems needed ADPREP to be run (you have not been specific about the operating system used).

    4. Very often an error like yours is a consequence of a problem with DNS.

    Rgds

    Milos

    Friday, September 18, 2015 8:35 PM
  • Thanks for the response.  

    1. DCDIAG came back clean - replication was fully up-to-date.  
    2. The FSMO role was transferred to a DC that's been around for a year+.  All of the DCs are GCs.  Previous FSMO holder is still online and functioning as a GC DC.
    3. I transferred from 2008 to 2012.  Domain functional level remains unchanged.
    4. What kind of problem with DNS? All DCs are fully resolvable. Resolution from any DC running the GPMC works as expected.
    • Marked as answer by minerat Monday, September 21, 2015 3:12 PM
    • Unmarked as answer by minerat Monday, September 21, 2015 3:12 PM
    Monday, September 21, 2015 2:16 PM
  • Thank you for sharing your solutions and experience here. It will be very beneficial for other community members who have similar questions.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, September 22, 2015 1:56 AM
    Moderator