Active Directory not working properly

kwei

IS-IT--Management
Sep 10, 2002
One of my servers doesn't seem to be applying group policies. On top of that, I am unable to access "Domain Controller Security Policy" and "Domain Security Policy". When I try to open both of them, I get a Group Policy Error, stating "failed to open the Group Policy Object. You may not have appropriate rights." And a message under details stating "The specific domain either does not exist or could not be contacted."

I've been dealing with this for weeks on end. GP has worked in the past, as have these snap-ins. Running "dcdiag.exe" does not come up with anything, except once it gave an error with syslog.

This is a standalone DC on the network. Everything else seems to be working properly. Any suggestions would be greatly appreciated on this one, as always,

Justin
 
Ok, I just rebooted, logged in, still having the same problem. Ran dcdiag /v again, here is the output:


DC Diagnosis

Performing initial setup:
* Verifing that the local machine clackserv, is a DC.
* Connecting to directory service on server clackserv.
* Collecting site info.
* Identifying all servers.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial non skippeable tests

Testing server: Default-First-Site-Name\CLACKSERV
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... CLACKSERV passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\CLACKSERV
Starting test: Replications
* Replications Check
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: CN=Schema,CN=Configuration,DC=clack,DC=ssm,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2003-09-25 17:23.38.
The last success occurred at 2003-09-25 16:50.25.
2 failures have occurred since the last success.
The guid-based DNS name c5b0b596-629b-4955-89e0-4a338a267094._msdcs.clack.ssm.local
is not registered on one or more DNS servers.
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: CN=Configuration,DC=clack,DC=ssm,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2003-09-25 17:23.38.
The last success occurred at 2003-09-25 17:07.13.
2 failures have occurred since the last success.
The guid-based DNS name c5b0b596-629b-4955-89e0-4a338a267094._msdcs.clack.ssm.local
is not registered on one or more DNS servers.
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: DC=clack,DC=ssm,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2003-09-25 17:23.38.
The last success occurred at 2003-09-25 17:12.05.
2 failures have occurred since the last success.
The guid-based DNS name c5b0b596-629b-4955-89e0-4a338a267094._msdcs.clack.ssm.local
is not registered on one or more DNS servers.
......................... CLACKSERV passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=clack,DC=ssm,DC=local
* Security Permissions Check for
CN=Configuration,DC=clack,DC=ssm,DC=local
* Security Permissions Check for
DC=clack,DC=ssm,DC=local
......................... CLACKSERV passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... CLACKSERV passed test NetLogons
Starting test: Advertising
The DC CLACKSERV is advertising itself as a DC and having a DS.
The DC CLACKSERV is advertising as an LDAP server
The DC CLACKSERV is advertising as having a writeable directory
The DC CLACKSERV is advertising as a Key Distribution Center
The DC CLACKSERV is advertising as a time server
The DS CLACKSERV is advertising as a GC.
......................... CLACKSERV passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local
......................... CLACKSERV passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2102 to 1073741823
* clackserv.clack.ssm.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1102 to 1601
* rIDNextRID: 1190
* rIDPreviousAllocationPool is 1102 to 1601
......................... CLACKSERV passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/clackserv.clack.ssm.local/clack.ssm.local
* SPN found :LDAP/clackserv.clack.ssm.local
* SPN found :LDAP/CLACKSERV
* SPN found :LDAP/clackserv.clack.ssm.local/CLACK
* SPN found :LDAP/a5dd0560-c6c0-4cb5-94d6-b0f20fde7fa8._msdcs.clack.ssm.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a5dd0560-c6c0-4cb5-94d6-b0f20fde7fa8/clack.ssm.local
* SPN found :HOST/clackserv.clack.ssm.local/clack.ssm.local
* SPN found :HOST/clackserv.clack.ssm.local
* SPN found :HOST/CLACKSERV
* SPN found :HOST/clackserv.clack.ssm.local/CLACK
* SPN found :GC/clackserv.clack.ssm.local/clack.ssm.local
......................... CLACKSERV passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
* Checking Service: NtFrs
......................... CLACKSERV passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
CLACKSERV is in domain DC=clack,DC=ssm,DC=local
Checking for CN=CLACKSERV,OU=Domain Controllers,DC=clack,DC=ssm,DC=local in domain DC=clack,DC=ssm,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local in domain CN=Configuration,DC=clack,DC=ssm,DC=local on 1 servers
Object is up-to-date on all servers.
......................... CLACKSERV passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer
prevented from starting by the File Replication Service.
......................... CLACKSERV passed test frssysvol
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... CLACKSERV passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 09/25/2003 16:57:41
Event String: Driver HP LaserJet 4100 Series PCL required for
printer __mikef_HP LaserJet 4100 Series PCL is
unknown. Contact the administrator to install the
driver before you log in again.
An Error Event occured. EventID: 0x00000452
Time Generated: 09/25/2003 16:57:41
Event String: The printer could not be installed.
......................... CLACKSERV failed test systemlog

Running enterprise tests on : clack.ssm.local
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... clack.ssm.local passed test Intersite
Starting test: FsmoCheck
GC Name: \\clackserv.clack.ssm.local
Locator Flags: 0xe00001fd
PDC Name: \\clackserv.clack.ssm.local
Locator Flags: 0xe00001fd
Time Server Name: \\clackserv.clack.ssm.local
Locator Flags: 0xe00001fd
Preferred Time Server Name: \\clackserv.clack.ssm.local
Locator Flags: 0xe00001fd
KDC Name: \\clackserv.clack.ssm.local
Locator Flags: 0xe00001fd
......................... clack.ssm.local passed test FsmoCheck

I just removed the other printer and am rebooting now. Maybe that will help. Ok, no it didn't, same problem persists. Do I have to reinstall a 2003 driver for the printers even if they are not there? There are currently no printers attached to the server and there is no one TS into it that would make it want to install a driver...

Justin
 
You have a DNS problem. Your GUID records for your DCs have not been registered correctly and are also not accessible.

Describe to us your entire DNS infrastructure, where everyone points for preferred and secondary (and tertiary, etc.) and we should have this straightened out in a jiffy.

/Siddharth
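The diagnosis above can be read straight out of the dcdiag text. The following parser is an added example, not part of the original thread: it pulls each replication failure and the GUID-based name reported as unregistered, and flags that dcdiag still printed "passed test Replications" for that server. The sample input is an excerpt of the output quoted in the thread; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Excerpt of the dcdiag /v output quoted in the thread, embedded so the example runs offline.
SAMPLE = """\
Testing server: Default-First-Site-Name\\CLACKSERV
Starting test: Replications
* Replications Check
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: CN=Configuration,DC=clack,DC=ssm,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2003-09-25 17:23.38.
The last success occurred at 2003-09-25 17:07.13.
2 failures have occurred since the last success.
The guid-based DNS name c5b0b596-629b-4955-89e0-4a338a267094._msdcs.clack.ssm.local
is not registered on one or more DNS servers.
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: DC=clack,DC=ssm,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2003-09-25 17:23.38.
The last success occurred at 2003-09-25 17:12.05.
2 failures have occurred since the last success.
The guid-based DNS name c5b0b596-629b-4955-89e0-4a338a267094._msdcs.clack.ssm.local
is not registered on one or more DNS servers.
......................... CLACKSERV passed test Replications
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
......................... CLACKSERV failed test systemlog
"""

@dataclass
class ReplFailure:
    source: str = ""
    dest: str = ""
    naming_context: str = ""
    error: int = 0
    failures: int = 0
    unregistered_name: str = ""

START = re.compile(r"^\[Replications Check,([^\]]+)\] A recent replication attempt failed")
FROM_TO = re.compile(r"^From (\S+) to (\S+)$")
CONTEXT = re.compile(r"^Naming Context: (.+)$")
ERROR = re.compile(r"^The replication generated an error \((\d+)\)")
COUNT = re.compile(r"^(\d+) failures? ha(?:s|ve) occurred since the last success")
GUID = re.compile(r"^The guid-based DNS name (\S+)$")
VERDICT = re.compile(r"^\.{5,} (\S+) (passed|failed) test (\S+)$")

def parse_dcdiag(text):
    """Return (replication failures, {(target, test): 'passed'|'failed'})."""
    failures, verdicts = [], {}
    cur, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if START.match(line):
            cur, pending = ReplFailure(), ""
            failures.append(cur)
        elif (m := VERDICT.match(line)):
            verdicts[(m.group(1), m.group(3))] = m.group(2)
            cur = None                      # a verdict line closes the test section
        elif cur is None:
            continue
        elif (m := FROM_TO.match(line)):
            cur.source, cur.dest = m.groups()
        elif (m := CONTEXT.match(line)):
            cur.naming_context = m.group(1)
        elif (m := ERROR.match(line)):
            cur.error = int(m.group(1))
        elif (m := COUNT.match(line)):
            cur.failures = int(m.group(1))
        elif (m := GUID.match(line)):
            pending = m.group(1)            # the name is on one line ...
        elif line.startswith("is not registered") and pending:
            cur.unregistered_name = pending  # ... the finding on the next

    return failures, verdicts

def triage(text):
    """Summarise what needs attention, including failures hidden behind a 'passed'."""
    failures, verdicts = parse_dcdiag(text)
    return {
        "unregistered_names": sorted({f.unregistered_name for f in failures
                                      if f.unregistered_name}),
        "passed_despite_failures": sorted({f.dest for f in failures
                                           if verdicts.get((f.dest, "Replications")) == "passed"}),
        "failed_tests": sorted(t for (_, t), v in verdicts.items() if v == "failed"),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```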
 
/Siddharth

Explain how this affects name resolution and why RPC is not available.
 
"Describe to us your entire DNS infrastructure, where everyone points for preferred and secondary (and tertiary, etc.) and we should have this straightened out in a jiffy."

Hi Siddharth, thanks for following up. Let's see, CLACKSERV is the DNS server for the domain. Every other host on the domain points to it for DNS alone. Side note, CLACKSERV2 does not have any function on the domain, as I just added it last week as a backup for the transfer I was going to do. Right now it's just sitting there. Right now CLACKSERV's forward lookup zones consist of DNS from our service provider on the first tier. Second, DNS servers from another service provider we use at another location. Third entry is pointing at clackserv.clack.ssm.local, which is CLACKSERV itself. Last, I have one more set of DNS servers.

My reverse lookup is configured to 17.172.in-addr.arpa and the results of nslookup are:
C:\Documents and Settings\Administrator.CLACKSERV>nslookup
Default Server: clackserv.clack.ssm.local
Address: 172.17.16.4

>

Hope that is what you are looking for,

Justin
 
> Right now CLACKSERVs forward lookup zones consist of DNS from our service provider on the first tier.

Your DNS should be hosting the namespace of your AD domain. So if you are company.corp, that is the zone that the DNS server should host. If you expand this zone in DNS, do you see the 4 subdomains?

Are your DC's ONLY pointing to this DNS server, or do they have any alternate DNS servers configured? Make sure everyone ONLY points to CLACKSERV and nothing else. CLACKSERV can either forward to the internet or use root hints.

No machines should point to an external ip address.

/Siddharth
 
Expanding the zone under the DNS snap-in, I don't see the 4 domains.

There are only 2 DCs, clackserv and clackserv2, and about 20 workstations on the network. The second DC (clackserv2) is pointing to this one (clackserv) for DNS and this one only. All the workstations are only pointing at clackserv for DNS.

I removed all other domains from my name server list under DNS for clackserv. It now has clackserv as the first tier for DNS, and the service provider's DCs as the second tier.

Does this sound right?

Justin
 
I hope the event log is set to use full tracking of all security events. Be sure Warnings, Errors, Failures are checked as well as successes on both DCs. Last time I saw this, the DCs had somehow been set to not log anything but Successful events.
 
This doesn't have anything to do with logging events.

Make sure your forward lookup zone is set to Allow Dynamic Updates: Yes. Right click on your forward lookup zone for your internal namespace and click on properties.

You have no need to host your service provider's namespace in any way, shape, or form.

You need to look up some articles on how to configure DNS as this is really very fundamental W2k stuff. Without a solid knowledge of DNS, implementing AD will be a waste of time.

This forum has lots of good posts on DNS, as does microsoft.com. Read them all :)

/Siddharth
 
Are you sure you don't get this message with dcdiag?


C:\Program Files\Support Tools>dcdiag /s:lazare4

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: New-York-City\LAZARE4
Starting test: Connectivity
The host a3a1029a-7ae4-40d7-8b20-532241b5d5be._msdcs.lkiny.com could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name (a3a1029a-7ae4-40d7-8b20-532241b5d5be._msdcs.lkiny.com)
couldn't be resolved, the server name (lazare4.lkiny.com) resolved to the IP address
(10.1.1.66) and was pingable. Check that the IP address is registered correctly with the
DNS server.
......................... LAZARE4 failed test Connectivity
 
Siddharth, thanks for your advice on DNS, yes it seems I have a bit to learn. I set my forward zone to allow dynamic updates: Yes (previously: only secure updates) and have removed my service provider's name space so only clackserv is listed under the name servers. Reboot, still getting those dang errors though...

jvierra: here is the output of running dcdiag /s:clackserv:



DC Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial non skippeable tests

Testing server: Default-First-Site-Name\CLACKSERV
Starting test: Connectivity
......................... CLACKSERV passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\CLACKSERV
Starting test: Replications
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: CN=Schema,CN=Configuration,DC=clack,DC=ssm,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2003-09-29 22:43.48.
The last success occurred at 2003-09-29 15:47.41.
10 failures have occurred since the last success.
The guid-based DNS name c5b0b596-629b-4955-89e0-4a338a267094._msdcs.clack.ssm.local
is not registered on one or more DNS servers.
[CLACKSERV2] DsBind() failed with error 1722,
The RPC server is unavailable..
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: CN=Configuration,DC=clack,DC=ssm,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2003-09-29 22:43.48.
The last success occurred at 2003-09-29 16:22.12.
10 failures have occurred since the last success.
The guid-based DNS name c5b0b596-629b-4955-89e0-4a338a267094._msdcs.clack.ssm.local
is not registered on one or more DNS servers.
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: DC=clack,DC=ssm,DC=local
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2003-09-29 22:43.48.
The last success occurred at 2003-09-29 16:34.29.
10 failures have occurred since the last success.
The guid-based DNS name c5b0b596-629b-4955-89e0-4a338a267094._msdcs.clack.ssm.local
is not registered on one or more DNS servers.
......................... CLACKSERV passed test Replications
Starting test: NCSecDesc
......................... CLACKSERV passed test NCSecDesc
Starting test: NetLogons
......................... CLACKSERV passed test NetLogons
Starting test: Advertising
......................... CLACKSERV passed test Advertising
Starting test: KnowsOfRoleHolders
......................... CLACKSERV passed test KnowsOfRoleHolders
Starting test: RidManager
......................... CLACKSERV passed test RidManager
Starting test: MachineAccount
......................... CLACKSERV passed test MachineAccount
Starting test: Services
......................... CLACKSERV passed test Services
Starting test: ObjectsReplicated
......................... CLACKSERV passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... CLACKSERV passed test frssysvol
Starting test: kccevent
An Information Event occured. EventID: 0x4000051C
Time Generated: 09/29/2003 22:48:48
Event String: The Directory Service consistency checker has

An Warning Event occured. EventID: 0x80000438
Time Generated: 09/29/2003 22:49:35
Event String: Replication warning: Couldn't notify directory

......................... CLACKSERV failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 09/29/2003 22:36:23
Event String: Driver HP LaserJet 4100 Series PCL required for

An Error Event occured. EventID: 0x00000452
Time Generated: 09/29/2003 22:36:23
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x80001778
Time Generated: 09/29/2003 22:43:31
Event String: The previous system shutdown at 10:40:49 PM on

An Error Event occured. EventID: 0x00000457
Time Generated: 09/29/2003 22:48:52
Event String: Driver HP LaserJet 4100 Series PCL required for

An Error Event occured. EventID: 0x00000452
Time Generated: 09/29/2003 22:48:52
Event String: The printer could not be installed.
......................... CLACKSERV failed test systemlog

Running enterprise tests on : clack.ssm.local
Starting test: Intersite
......................... clack.ssm.local passed test Intersite
Starting test: FsmoCheck

Not sure what else to try, thank you both for your continuous help!!

Justin
 
Just an FYI the replication is failing because I took clackserv2 offline.

Justin
 
Justin

A little testing later.

I posted a dcdiag that failed. It was an obvious failure caused by missing SRV records in DNS. I caused the missing records by not having the network card TCP/IP settings for DNS set to update the DNS records and then changing some of the network settings like removing IPSec and re-installing it on the NIC.

After forcing the error I reset the DNS registration values on the NIC TCP/IP parms and waited. After some time the SRV records were re-created correctly.

I looked for any KB articles that might describe a better way to do this but found none.

I was able to determine that not having intact or correct SRV records will cause GP application to fail at least intermittently. I was also able to force messages on a member server about not finding the GC (Global Catalog) thus forcing a root search on AD. Root searches fail but searches from the domain node of AD worked correctly.

This is a little different from W2K AD at least with this small amount of testing and analysis.

Siddharth - you are probably absolutely right about DNS being the source of the problem. The first step is the required first step after a promo - Check the SRV records.

If DNS updating on the NIC is turned off and you change the drivers it will change the GUID which will invalidate the SRV records and they will age out of DNS. (My best guess.) I bet there are other ways for the records to become invalid.

The SRV records are required for AD-DNS replication to occur. If these records are stale or incorrect or missing then name resolution will fail much of the time.

Anyone who has a better or more complete explanation please chime in as I am always open to better, more accurate or correct explanations.
 
Hey jvierra, so to test your theory, I need to
1. Disable update of DNS settings on the network card of clackserv (how do I do this, is this the same thing as "register this connection's address in DNS"?)

2. Remove IPSec by going into TCP/IP options under advanced settings for the card, select IP security, and Enable/Disable IPSEC (currently it's disabled).

3. Re-run dcdiag /s:clackserv and see if I get a similar error to the one you showed me yesterday.

4. Go back in and put a check back next to the "Register this connection's address in DNS" and wait for the SRV records to be re-created?

Sound right? Thanks,

Justin
 
I guess I was a little confusing. Just make sure that you have the settings set for "update dns".

First check DNS for the SRV records required for AD.
If they are all right then this may not be your problem.

If you think the records are damaged or incorrect then check the following.

Be sure that you don't have a security policy that overrides the following settings. If you set up your policy you should know if this is true.

Check these two settings -

1. "Append Primary and connection Specific suffixes in DNS"
(must be selected)
2. "Register this connection's address in DNS."
(must be checked).

Then wait for the registration to occur or, from the console, disable and re-enable the connection.

Warning - your users may get dumped and AD may change its behavior.

I am not sure that this is your problem as your last dcdiag showed a good domain. I haven't experimented heavily with other forms of failure of DNS registration for AD in 2003.

MCSE training really comes in handy when you're having fun. I highly recommend it to one and all alike.
 
Ok I checked:
1. "Append Primary and connection Specific suffixes in DNS"
(must be selected)
2. "Register this connection's address in DNS."
(must be checked).

and they both are currently "checked". I'll have to disable/re-enable the connection tomorrow as I am working remotely on it right now. I did just reboot it so if that helps we will see. If not I will just try tomorrow morning.

Also, I am unclear as to how to check DNS for the SRV records required for AD. I ran this command ldap._tcp.dc._msdcs.domainname in nslookup and everything came back without any errors, if that is what you mean...

Justin
 
That only checks one entry but if that entry is intact then maybe you are alright.

Rebooting will accomplish the same as I outlined but I believe it was alright to begin with.

You may have to disable DNS registration and re-enable it although I am pretty sure that it would be right by just re-booting.

Let me know if anything changes. It will be a good clue as to what is wrong.
 
Note - the command you ran only checks the ldap entry. Remember - nslookup is - sort of - an industry tool to check DNS records and not an AD checker - so to speak.

AD is not ldap but is query-able (is that a word) by ldap. LDAP is good for getting info out of AD but is not the best way to determine if AD is "consistent".

AD seems to co-exist with DNS and they co-operate to resolve names and access to resources but they are totally independent entities. AD relies on DNS for name resolution to a great extent but once "discovered" responds independently. This creates - in my opinion - a mask over AD that complicated troubleshooting.

I would prefer that AD take over the work of DNS so as to provide more consistency. My guess is that MS decided to separate "industry tools" from MS tools to make it easier for everyone to understand. In this effort I believe they have failed.

We are techs. It is our job to know how this works.

MS - a little more info would be helpful at this point.
 
jvierra,

Rebooting had no effect, I'll give disabling/re-enabling DNS registration a shot tonight. As for right now, unfortunately as far as the problem goes, we're still at square one, however I have learned a bit more about DNS than I did before so it's not all bad.

Regarding your last statement about LDAP and AD, well, my question then would be what is the best way to check the consistency of AD, if any. Yes, MS please assist if possible, as always, Thanks,

Justin
 
Did you check DNS for the SRV records? If they are all there then this is a waste of time.

Under your forward lookup zone domain record
domainname.local

You should have records that look like
_msdcs
_tcp
_domain
_sites
_udp

These are folders with SRV records.
Do they exist?
Do they contain SRV records?
Do the SRV records point to the right domain and DC?
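The three questions above can be checked mechanically against an export of the zone. This is an added example, not part of the original thread: it tests a constructed set of records for a subset of the DC locator SRV records and the per-DC GUID CNAMEs, and reports missing entries, wrong ports and targets that are not known DCs. It assumes a single-domain forest, that c5b0b596-... is CLACKSERV2's GUID (inferred from the replication errors), and a hypothetical stale host `oldserver`.

```python
import re

DOMAIN = "clack.ssm.local"          # domain and forest root (single-domain forest assumed)

# DC host -> GUID used in <guid>._msdcs.<forest>. The first GUID appears in
# CLACKSERV's SPNs in the thread; the second mapping is an assumption.
DCS = {
    "clackserv.clack.ssm.local": "a5dd0560-c6c0-4cb5-94d6-b0f20fde7fa8",
    "clackserv2.clack.ssm.local": "c5b0b596-629b-4955-89e0-4a338a267094",
}

# Constructed sample in zone-file record syntax (name TTL IN type data).
ZONE = """\
clackserv.clack.ssm.local. 3600 IN A 172.17.16.4
_ldap._tcp.clack.ssm.local. 600 IN SRV 0 100 389 clackserv.clack.ssm.local.
_ldap._tcp.Default-First-Site-Name._sites.clack.ssm.local. 600 IN SRV 0 100 389 clackserv.clack.ssm.local.
_ldap._tcp.dc._msdcs.clack.ssm.local. 600 IN SRV 0 100 389 clackserv.clack.ssm.local.
_ldap._tcp.pdc._msdcs.clack.ssm.local. 600 IN SRV 0 100 389 oldserver.clack.ssm.local.
_gc._tcp.clack.ssm.local. 600 IN SRV 0 100 3268 clackserv.clack.ssm.local.
_kerberos._tcp.clack.ssm.local. 600 IN SRV 0 100 88 clackserv.clack.ssm.local.
a5dd0560-c6c0-4cb5-94d6-b0f20fde7fa8._msdcs.clack.ssm.local. 600 IN CNAME clackserv.clack.ssm.local.
"""

# Subset of the locator records a DC registers: owner name relative to the
# domain -> expected port. Together they touch _msdcs, _sites, _tcp and _udp.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_ldap._tcp.Default-First-Site-Name._sites": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_ldap._tcp.pdc._msdcs": 389,
    "_ldap._tcp.gc._msdcs": 3268,
    "_gc._tcp": 3268,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
}

RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|SRV|CNAME)\s+(.+)$", re.IGNORECASE)

def norm(name):
    """DNS names compare case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def parse_zone(text):
    """Return {(owner name, record type): [record data, ...]}."""
    records = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            key = (norm(m.group(1)), m.group(2).upper())
            records.setdefault(key, []).append(m.group(3).strip())
    return records

def check_locator_records(zone_text, domain, dcs):
    """Return {record name: problem} for everything that needs fixing."""
    records = parse_zone(zone_text)
    known = {norm(host) for host in dcs}
    findings = {}
    for rel, port in REQUIRED_SRV.items():
        fqdn = norm(f"{rel}.{domain}")
        rows = records.get((fqdn, "SRV"), [])
        if not rows:                                   # does the record exist?
            findings[fqdn] = "missing"
            continue
        for row in rows:
            _prio, _weight, got_port, target = row.split()
            if int(got_port) != port:
                findings[fqdn] = "wrong-port"
            elif norm(target) not in known:            # does it point at a real DC?
                findings[fqdn] = "unknown-target"
    for host, guid in dcs.items():                     # the GUID names dcdiag complains about
        fqdn = norm(f"{guid}._msdcs.{domain}")
        targets = [norm(t) for t in records.get((fqdn, "CNAME"), [])]
        if not targets:
            findings[fqdn] = "missing"
        elif norm(host) not in targets:
            findings[fqdn] = "wrong-target"
    return findings

if __name__ == "__main__":
    for name, problem in sorted(check_locator_records(ZONE, DOMAIN, DCS).items()):
        print(f"{problem:15} {name}")
```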
 