webdavuser
Vendor
- Nov 27, 2007
- 13
Hi,
I was wondering if someone could help. We've got bad problems on our domain currently. Until a month or so ago we had 3 DCs:
- Server1 - Primary DC (which was a VMWare Server Host at the time), & DNS Server
- Server2 - Backup DC, DNS Server & Exchange Server
- Server3 - Backup DC, File Server, DNS Server & Print Server
We decided to move to VMware ESX, so we didn't need Server1 anymore. Somehow, replication also failed from Server1 to the 2 Backup DCs. So I seized the roles, and gave them all to Server2. I was unable to remove Server1 from the domain through dcpromo, as Server1 had lost sight of the other servers. In the end, I had to just shut Server1 down, and remove all traces of Server1 from the domain. This appeared to work ok.
Recently, however, we started getting authentication issues on Exchange. Most of the time, the user simply needed to sign into Outlook as well as the initial domain logon. Occasionally, though, they would be refused access to Outlook, as it would keep asking for authentication & never accepting it. This problem mostly went away with a reboot of Server3.
These were minor issues, which weren't overly disruptive. However, last week, our File Server suddenly stopped allowing access to the file shares. The only way around this was to map the network drive to Server3's IP address, not host name. This leads me to think we have a DNS issue.
Yesterday, while I was trying to fix this problem, I read on a forum that I could try changing the DNS server that Server3 itself points to from itself to Server2. I did this, and it also killed printing. When I changed it back, the problem stayed, and now only one machine on the network (rather strangely - I would expect all or none to fail, not some) can print.
Here is a list of the errors that I've been seeing on Server3, (Note: there aren't any of these errors on Server2, which makes me think it's a problem with Server3):
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 26/02/2009
Time: 16:35:19
User: NT AUTHORITY\SYSTEM
Computer: PACIFIC
Description:
Windows cannot determine the user or computer name. (The target principal name is incorrect. ). Group Policy processing aborted.
For more information, see Help and Support Center at
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 26/02/2009
Time: 16:25:15
User: NT AUTHORITY\SYSTEM
Computer: PACIFIC
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
For more information, see Help and Support Center at
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 26/02/2009
Time: 16:09:12
User: N/A
Computer: PACIFIC
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/pacific.oxted.xcomm.co.uk. The target name used was cifs/PACIFIC. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (OXTED.XCOMM.CO.UK), and the client realm. Please contact your system administrator.
For more information, see Help and Support Center at
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5513
Date: 26/02/2009
Time: 16:03:35
User: N/A
Computer: PACIFIC
Description:
The computer LEWIS tried to connect to the server \\PACIFIC using the trust relationship established by the XCOMM domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.
For more information, see Help and Support Center at
Event Type: Error
Event Source: Print
Event Category: None
Event ID: 33
Date: 26/02/2009
Time: 16:02:03
User: NT AUTHORITY\SYSTEM
Computer: PACIFIC
Description:
The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 80090322
For more information, see Help and Support Center at
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 26/02/2009
Time: 16:00:35
User: N/A
Computer: PACIFIC
Description:
The Network Load Balancing service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
For more information, see Help and Support Center at
Event Type: Error
Event Source: DhcpServer
Event Category: None
Event ID: 1046
Date: 26/02/2009
Time: 16:00:14
User: N/A
Computer: PACIFIC
Description:
The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain oxted.xcomm.co.uk, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this:
This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information).
This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.
Some unexpected network error occurred.
For more information, see Help and Support Center at Data:
0000: 00 00 00 00 ....
Event Type: Error
Event Source: DhcpServer
Event Category: None
Event ID: 1059
Date: 26/02/2009
Time: 16:00:14
User: N/A
Computer: PACIFIC
Description:
The DHCP service failed to see a directory server for authorization.
For more information, see Help and Support Center at Data:
0000: 3b 20 00 00 ; ..
I managed to fix error 1030 yesterday, following reading this Microsoft KB:
However, error 1053 still occurs. Whilst going through the instructions, I also noticed that Server3 is refused access to the Domain Controller Security Policy, whereas Server2 isn't. I then double checked the Operations Masters on both, and these are now wrong. Server2 (correctly) says that it holds all the roles. Server3, however, thinks that it is the RID, and simply says ERROR for PDC & Infrastructure. When I try to connect to Server2 from Server3 in AD, it says that it can't connect.
There are lots of problems with Server3, then. Is it simply an AD replication issue? Or is it likely to stem from something else? Any advice would be greatly appreciated!
Regards,
Keith
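Added example, not part of the original post: a small parser for the Event Viewer text layout pasted above. It orders the records by time and pulls the server principal and requested target name out of Kerberos event 4. The `record` helper and `SAMPLE` are constructed, with descriptions abridged from the post, and the parser assumes the input holds only event records with day/month/year dates.

```python
import re
from datetime import datetime

FIELD = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
NOISE = re.compile(r"^(For more information|Description:\s*$|[0-9a-f]{4}: )")
SPN = re.compile(r"error from the server (\S+)\. The target name used was (\S+)\.")

def parse_events(text):
    """Split pasted Event Viewer text (records only) into dicts, oldest first."""
    events, cur = [], None
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            cur = {"Description": ""}
            events.append(cur)
        if cur is None or NOISE.match(line):
            continue  # text before the first record, footer, or hex data dump
        m = FIELD.match(line)
        if m:
            cur[m.group(1)] = m.group(2).strip()
        else:
            cur["Description"] = (cur["Description"] + " " + line.strip()).strip()
    for e in events:
        # Assumption: day/month/year dates, as in the post (26/02/2009).
        e["When"] = datetime.strptime(e["Date"] + " " + e["Time"], "%d/%m/%Y %H:%M:%S")
    return sorted(events, key=lambda e: e["When"])

def timeline(events):
    """One 'time source/id' string per event, in chronological order."""
    return ["%s %s/%s" % (e["Time"], e["Event Source"], e["Event ID"]) for e in events]

def kerberos_targets(events):
    """(time, server principal, requested target name) for each Kerberos event 4."""
    hits = []
    for e in events:
        m = SPN.search(e["Description"]) if e["Event Source"] == "Kerberos" else None
        if m and e["Event ID"] == "4":
            hits.append((e["Time"], m.group(1), m.group(2)))
    return hits

def record(source, eid, time, desc):
    # Constructed sample record in the layout pasted in the post.
    return ("Event Type: Error\nEvent Source: %s\nEvent Category: None\nEvent ID: %s\n"
            "Date: 26/02/2009\nTime: %s\nUser: N/A\nComputer: PACIFIC\nDescription:\n%s\n"
            "For more information, see Help and Support Center at\n" % (source, eid, time, desc))

SAMPLE = (record("Userenv", 1053, "16:35:19", "Windows cannot determine the user or computer name.")
          + record("Kerberos", 4, "16:09:12", "The kerberos client received a KRB_AP_ERR_MODIFIED "
                   "error from the server host/pacific.oxted.xcomm.co.uk. The target name used was cifs/PACIFIC.")
          + record("DhcpServer", 1059, "16:00:14", "The DHCP service failed to see a directory server."))
```

Reading the records oldest first shows which services failed at startup before the later Kerberos and Group Policy errors were logged.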