2nd DC install gone wrong

sstabb

IS-IT--Management
Jul 30, 2004
US
Sorry this is so long, I need some help, I am very new to Windows.
I have installed a 2nd domain controller in an existing domain and it is really screwed up. I think that I need to start over. What I would like is a document on "how to add a second domain controller". The 2nd domain controller is in a different subnet if this matters. The second DC needs to also be a secondary DNS server and will DHCP clients on that subnet.
I tried to start over by removing the Domain Controller role through configure your server and get a message that "active directory could not transfer the remaining data in directory CN=Schema, CN=configuration, DC=schellhogan, DC=local to domain controller server1.schellhogan.local" "Could not find the domain controller for this domain"
My steps went like this
Setup DC server1 192.168.100.1 (up and running fine)
Installed server on ServerSSI 192.168.200.1
Made primary dns on SSIserver = server1
Used the configure your server wizard to install AD
Used the configure your server wizard to install DNS on serverSSI

EventsLog (Applications)
Event ID: 1054
User: NT AUTHORITY\SYSTEM
Computer: SERVERSSI
Description:
Windows cannot obtain the domain controller name for your computer network.
(An unexpected network error occurred. ). Group Policy processing aborted.

Events (directory service)
Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1308
Date: 8/9/2004
Time: 8:32:51 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVERSSI
Description:
The Knowledge Consistency Checker (KCC) has detected that successive
attempts to replicate with the following domain controller has consistently
failed.
Attempts:
36
Domain controller:
CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=SchellHogan,DC=local
Period of time (minutes):
1369

The Connection object for this domain controller will be ignored, and a new
temporary connection will be established to ensure that replication
continues. Once replication with this domain controller resumes, the
temporary connection will be removed.
Additional Data
Error value:
1908 Could not find the domain controller for this domain.

Plus Event ID 1586 and 1104

Thank you all in advance for your help
Scott

 
You're not replicating, and I will bet you have a root zone in DNS, a zone represented by ".", because you used the wizard. Delete the root zone. For the future, not good to use the wizard, learn how to manually create a basic DNS server. Highly recommend Mark Minasi's Windows Server 200x books.

Run DcDiag.exe
Run NetDiag.exe

Post the txt file results of the two tools

 
Thank You. Here are the logs.
I will be ordering the book today.

Netdiag.log from server that I was trying to add to the domain.

Computer Name: SERVERSSI
DNS Host Name: serverssi.SchellHogan.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 6 Model 8 Stepping 3, GenuineIntel
List of installed hotfixes :
KB819696
KB823182
KB823353
KB823559
KB824105
KB824141
KB825119
KB828035
KB828741
KB835732
KB837001
KB839643
KB839645
KB840315
KB840374
KB867801
Q147222
Q828026
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : serverssi
IP Address . . . . . . . . : 192.168.200.2
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.200.100
Dns Servers. . . . . . . . : 192.168.100.1
192.168.200.2
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{B551C559-21C6-4254-BACE-E556E91A7331}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.100.1' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC cannot be verified right now on DNS server 192.168.200.2, ERROR_TIMEOUT.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{B551C559-21C6-4254-BACE-E556E91A7331}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{B551C559-21C6-4254-BACE-E556E91A7331}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain 'SCHELLHOGAN' is to '\\SERVER1.SchellHogan.local'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully

This is the DCDiag from the server that I am trying to add.

Domain Controller Diagnosis

Performing initial setup:
The directory service on serverssi has not finished initializing.
In order for the directory service to consider itself synchronized, it must
attempt an initial synchronization with at least one replica of this
server's writeable domain. It must also obtain Rid information from the Rid
FSMO holder.
The directory service has not signalled the event which lets other services
know that it is ready to accept requests. Services such as the Key
Distribution Center, Intersite Messaging Service, and NetLogon will not
consider this system as an eligible domain controller.
The directory service on SERVERSSI has not finished initializing.
In order for the directory service to consider itself synchronized, it must
attempt an initial synchronization with at least one replica of this
server's writeable domain. It must also obtain Rid information from the Rid
FSMO holder.
The directory service has not signalled the event which lets other services
know that it is ready to accept requests. Services such as the Key
Distribution Center, Intersite Messaging Service, and NetLogon will not
consider this system as an eligible domain controller.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\SERVERSSI
Starting test: Connectivity
The directory service on SERVERSSI has not finished initializing.
In order for the directory service to consider itself synchronized,
it must attempt an initial synchronization with at least one replica
of this server's writeable domain. It must also obtain Rid
information from the Rid FSMO holder.
The directory service has not signalled the event which lets other
services know that it is ready to accept requests. Services such as
the Key Distribution Center, Intersite Messaging Service, and NetLogon
will not consider this system as an eligible domain controller.
......................... SERVERSSI passed test Connectivity

Doing primary tests

Testing server: Default-First-Site\SERVERSSI
Starting test: Replications
[Replications Check,SERVERSSI] A recent replication attempt failed:
From SERVER1 to SERVERSSI
Naming Context: CN=Schema,CN=Configuration,DC=SchellHogan,DC=local
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2004-08-09 19:00:52.
The last success occurred at 2004-08-08 09:42:48.
37 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[Replications Check,SERVERSSI] A recent replication attempt failed:
From SERVER1 to SERVERSSI
Naming Context: CN=Configuration,DC=SchellHogan,DC=local
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2004-08-09 18:59:51.
The last success occurred at 2004-08-08 09:43:11.
38 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source SERVER1
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
[Replications Check,SERVERSSI] A recent replication attempt failed:
From SERVER1 to SERVERSSI
Naming Context: DC=SchellHogan,DC=local
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2004-08-09 18:58:51.
The last success occurred at (never).
50 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
REPLICATION LATENCY WARNING
SERVERSSI: A full synchronization is in progress
from SERVER1 to SERVERSSI
Replication of new changes along this path will be delayed.
The full sync is 0.00% complete.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source SERVER1
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION-RECEIVED LATENCY WARNING
SERVERSSI: Current time is 2004-08-09 19:16:13.
CN=Schema,CN=Configuration,DC=SchellHogan,DC=local
Last replication recieved from SERVER1 at 2004-08-08 09:42:43.
CN=Configuration,DC=SchellHogan,DC=local
Last replication recieved from SERVER1 at 2004-08-08 09:43:03.
......................... SERVERSSI passed test Replications
Starting test: NCSecDesc
......................... SERVERSSI passed test NCSecDesc
Starting test: NetLogons
......................... SERVERSSI passed test NetLogons
Starting test: Advertising
Warning: the directory service on SERVERSSI has not completed initial synchronization.
Other services will be delayed.
Verify that the server can replicate.
Warning: DsGetDcName returned information for \\SERVER1.SchellHogan.local, when we were trying to reach SERVERSSI.
Server is not responding or is not considered suitable.
......................... SERVERSSI failed test Advertising
Starting test: KnowsOfRoleHolders
......................... SERVERSSI passed test KnowsOfRoleHolders
Starting test: RidManager
Warning: attribute rIdSetReferences missing from CN=SERVERSSI,OU=Domain Controllers,DC=SchellHogan,DC=local
Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
......................... SERVERSSI failed test RidManager
Starting test: MachineAccount
......................... SERVERSSI passed test MachineAccount
Starting test: Services
......................... SERVERSSI passed test Services
Starting test: ObjectsReplicated
......................... SERVERSSI passed test ObjectsReplicated
Starting test: frssysvol
......................... SERVERSSI passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... SERVERSSI failed test frsevent
Starting test: kccevent
......................... SERVERSSI passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC25A001D
Time Generated: 08/09/2004 19:05:07
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0x00000457
Time Generated: 08/09/2004 19:05:22
Event String: Driver Amyuni PDF Converter 2.07 required for
......................... SERVERSSI failed test systemlog
Starting test: VerifyReferences
Some objects relating to the DC SERVERSSI have problems:
[1] Problem: Missing Expected Value
Base Object:
CN=SERVERSSI,OU=Domain Controllers,DC=SchellHogan,DC=local

Base Object Description: "DC Account Object"

Value Object Attribute Name: frsComputerReferenceBL

Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[1] Problem: Missing Expected Value
Base Object:
CN=NTDS Settings,CN=SERVERSSI,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=SchellHogan,DC=local
Base Object Description: "DSA Object"

Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... SERVERSSI failed test VerifyReferences
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : SchellHogan
Starting test: CrossRefValidation
......................... SchellHogan passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... SchellHogan passed test CheckSDRefDom
Running enterprise tests on : SchellHogan.local
Starting test: Intersite
......................... SchellHogan.local passed test Intersite
Starting test: FsmoCheck

 
On the books, I see
Mastering Windows Server 2003 (Sybex)
I assume that this is it. I will have it in 3 days.
Thanks.
Scott
 
Scott..

Is there a reason these servers are on different subnets?

My suggestion is to rebuild this new server from scratch, if possible.

No offense intended but at the moment you do not have enough AD knowledge to cleanup the machine or AD database.
No put down intended, on my first AD I was not well prepared for an authoritative restore, which was needed, 3 months after installation.

As is, the AD database in server1 may have some info about the second DC which will need to be cleaned up. If you demote the new server successfully, it still may have remnants of the original DCpromo. Minasi covers AD cleanup in his book.

Once you get this book you have some heavy duty reading to do, concentrate on the DNS, first. Carefully read about Split Brain DNS. This is rough reading, but you need to understand much more or else problems will arise later on.


Make sure your server1 AD is clean of any references to the new server.
On the new server, create it as a member server first. Get the DNS installed, set it up MANUALLY, not through the wizard. Run Netdiag and NSlookup until you have no errors, then promote it to a DC. Run DcDiag and Netdiag once it is promoted, clear up any problems. On my systems, the FSMO is the most protected (Tape backed), they are global catalog servers, as should the second DC. I would have both DCs as DNS, DHCP servers.
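
Triage of the DcDiag report that the reply above says to run after promotion, as an added example that is not part of the original thread. It assumes the report layout seen in the log posted earlier (the sample is abridged from that log), the function names are hypothetical, and it shows why the pass/fail lines alone are not enough: the Replications test is reported as passed while every inbound partition is failing.

```python
import re

# Abridged from the DcDiag output posted earlier in this thread.
SAMPLE = """\
Starting test: Replications
[Replications Check,SERVERSSI] A recent replication attempt failed:
From SERVER1 to SERVERSSI
Naming Context: CN=Configuration,DC=SchellHogan,DC=local
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2004-08-09 18:59:51.
The last success occurred at 2004-08-08 09:43:11.
38 failures have occurred since the last success.
[Replications Check,SERVERSSI] A recent replication attempt failed:
From SERVER1 to SERVERSSI
Naming Context: DC=SchellHogan,DC=local
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2004-08-09 18:58:51.
The last success occurred at (never).
50 failures have occurred since the last success.
......................... SERVERSSI passed test Replications
......................... SERVERSSI failed test Advertising
......................... SERVERSSI failed test RidManager
"""

RESULT = re.compile(r"^\.{5,}\s+(\S+) (passed|failed) test (\S+)", re.M)
REPL = re.compile(
    r"From (\S+) to (\S+)\s*\n"
    r"Naming Context: (.+?)\s*\n"
    r"The replication generated an error \((\d+)\):\s*\n"
    r"(.+?)\s*\n"
    r"The failure occurred at .+\n"
    r"The last success occurred at (.+?)\.\s*\n"
    r"(\d+) failures")

def failed_tests(text):
    """(server, test) pairs that DcDiag itself marked as failed."""
    return [(m[1], m[3]) for m in RESULT.finditer(text) if m[2] == "failed"]

def replication_failures(text):
    """Per-partition replication errors, listed even when the test 'passed'."""
    rows = []
    for src, dst, nc, code, msg, last_ok, count in REPL.findall(text):
        rows.append({"source": src, "dest": dst, "naming_context": nc,
                     "error": int(code), "message": msg,
                     "failures": int(count),
                     "never_replicated": last_ok == "(never)"})
    # A partition that has never replicated is the most urgent: sort it first.
    return sorted(rows, key=lambda r: not r["never_replicated"])

if __name__ == "__main__":
    for row in replication_failures(SAMPLE):
        print(row)
```
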
 
The new server is on a different subnet because its network is connected to the main office via DSL.

You are correct about the AD/DNS knowledge. The first time I saw AD was about 2 months ago. I have taken 1 class towards my MCSE, but it was the 2273. That stuff is easy compared to this.

I will force the ServerSSI to demote, and I have a backup of the system state on Server1 just prior to promoting ServerSSI, I did it in NT backup, I wonder if I should just restore it. I'll look at the book too, got it today.

Thanks for all the help.
 
Great, I underestimated your knowledge.. you have a system state backup, you can do an authoritative restore on server1 of just the system state, which will not have any incorrect AD info in it. Follow the pointers for the restore in the book. I would do another system state backup of server1 (present state), just to be safe, before doing the restore from the older backup.
Don't feel bad about AD, the concepts take a while to set in.

My personal feeling is AD is far more complicated than need be, and the tools and procedures could be greatly enhanced, and integrated (if Microsoft puts some effort out).. seems MS is more interested in creating the XP Desktop (Fisher-Price, Romper-Room) interface.
With a good bit of effort, AD management could be done from one tool, and AD restorations could be a few choices via a menu. To be flamed, if Novell had maintained its market share, we would be light years ahead.

 