
DC is and is NOT on domain


Muddhole

OK, so my title sounds a little contradictory. The thing is, I have a DC that appears to be part of my domain, but it doesn't replicate and I can't get it to see my other two DCs. I suspect it is a problem with either the machine not being registered in DNS or the other two DCs thinking that there is supposed to be another DC with another name on the network.

When I do a dcdiag, I get numerous errors along with the failing DC not passing the machine account test. It also says it can't replicate with DC1 and other such info.

First, how do I get the failing DC to reregister in DNS to get it to see the other two DCs?

Here is a dcdiag from the failing DC:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\USER>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: *******\*********
Starting test: Connectivity
......................... ********* passed test Connectivity

Doing primary tests

Testing server: *********\*********
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
*********: Current time is 2008-05-04 13:03:09.
CN=Schema,CN=Configuration,*********-**,*********,DC=com
Last replication recieved from ********* at 2007-11-03 09:26:
29.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

Last replication recieved from ********* at 2007-11-03 09:34:50.

WARNING: This latency is over the Tombstone Lifetime of 60 days!

Last replication recieved from ********* at 2007-11-03 11:47:
07.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

CN=Configuration,DC=*********,DC=*********,DC=com
Last replication recieved from ********* at 2007-11-03 09:32:
42.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

Last replication recieved from ********* at 2007-11-03 09:34:50.

WARNING: This latency is over the Tombstone Lifetime of 60 days!

Last replication recieved from ********* at 2007-11-03 11:47:
07.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

DC=*********,DC=*********,DC=com
Last replication recieved from ********* at 2007-11-03 09:26:
29.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

Last replication recieved from ********* at 2007-11-03 09:34:50.

WARNING: This latency is over the Tombstone Lifetime of 60 days!

Last replication recieved from ********* at 2007-11-03 11:47:
07.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

REPLICATION-RECEIVED LATENCY WARNING
Source site:
CN=NTDS Site Settings,CN=*********,CN=Sites,CN=Configuration,DC=*********
,DC=*********,DC=com
Current time: 2008-05-04 13:03:09
Last update time: 2007-11-03 09:15:12
Check if source site has an elected ISTG running.
Check replication from source site to this server.
REPLICATION-RECEIVED LATENCY WARNING
Source site:
CN=NTDS Site Settings,CN=*********,CN=Sites,CN=Configuration,DC=*********
,DC=*********,DC=com
Current time: 2008-05-04 13:03:09
Last update time: 2007-12-11 12:01:51
Check if source site has an elected ISTG running.
Check replication from source site to this server.
......................... ********* passed test Replications
Starting test: NCSecDesc
......................... ********* passed test NCSecDesc
Starting test: NetLogons
......................... ********* passed test NetLogons
Starting test: Advertising
......................... ********* passed test Advertising
Starting test: KnowsOfRoleHolders
[CONTROLLER] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: ********* is the Schema Owner, but is not responding to DS RP
C Bind.
[*********] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: ********* is the Schema Owner, but is not responding to LDAP
Bind.
Warning: ********* is the Domain Owner, but is not responding to DS RP
C Bind.
Warning: ********* is the Domain Owner, but is not responding to LDAP
Bind.
Warning: ********* is the Rid Owner, but is not responding to DS RPC B
ind.
Warning: ********* is the Rid Owner, but is not responding to LDAP Bin
d.
......................... ********* failed test KnowsOfRoleHolders
Starting test: RidManager
......................... ********* failed test RidManager
Starting test: MachineAccount
The account ********* is not a DC account. It cannot replicate.
Warning: Attribute userAccountControl of ********* is: 0x81000 = (
UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TR
USTED_FOR_DELEGATION )
This may be affecting replication?
......................... ********* failed test MachineAccount
Starting test: Services
......................... ********* passed test Services
Starting test: ObjectsReplicated
......................... ********* passed test ObjectsReplicated
Starting test: frssysvol
......................... ********* passed test frssysvol
Starting test: frsevent
......................... ********* passed test frsevent
Starting test: kccevent
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/04/2008 13:02:50
Event String: All domain controllers in the following site that
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/04/2008 13:02:50
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/04/2008 13:02:50
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/04/2008 13:02:50
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/04/2008 13:02:50
Event String: All domain controllers in the following site that
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/04/2008 13:02:50
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/04/2008 13:02:50
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/04/2008 13:02:50
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/04/2008 13:02:50
Event String: All domain controllers in the following site that
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/04/2008 13:02:50
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/04/2008 13:02:50
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/04/2008 13:02:50
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/04/2008 13:02:50
Event String: All domain controllers in the following site that
An Warning Event occured. EventID: 0x8000061E
Time Generated: 05/04/2008 13:02:50
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 05/04/2008 13:02:50
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 05/04/2008 13:02:50
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x80000785
Time Generated: 05/04/2008 13:02:50
Event String: The attempt to establish a replication link for
An Warning Event occured. EventID: 0x80000785
Time Generated: 05/04/2008 13:02:50
Event String: The attempt to establish a replication link for
An Warning Event occured. EventID: 0x80000785
Time Generated: 05/04/2008 13:02:50
Event String: The attempt to establish a replication link for
An Warning Event occured. EventID: 0x80000785
Time Generated: 05/04/2008 13:02:50
Event String: The attempt to establish a replication link for
An Warning Event occured. EventID: 0x80000785
Time Generated: 05/04/2008 13:02:50
Event String: The attempt to establish a replication link for
An Warning Event occured. EventID: 0x80000785
Time Generated: 05/04/2008 13:02:50
Event String: The attempt to establish a replication link for
......................... ********* failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 05/04/2008 12:03:17
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 05/04/2008 12:03:53
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 05/04/2008 12:03:53
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 05/04/2008 12:06:45
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 05/04/2008 12:15:42
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 05/04/2008 12:15:42
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 05/04/2008 12:31:25
Event String: The kerberos client received a
An Error Event occured. EventID: 0x00000457
Time Generated: 05/04/2008 12:50:19
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 05/04/2008 13:03:09
Event String: The kerberos client received a
......................... ********* failed test systemlog
Starting test: VerifyReferences
......................... ********* passed test VerifyReferences

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : *********
Starting test: CrossRefValidation
......................... ********* passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ********* passed test CheckSDRefDom

Running enterprise tests on : *********.*********.com
Starting test: Intersite
......................... *********.*********.com passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
......................... *********.*********.com failed test FsmoCheck

Also, if I run a query for the roles on the failing DC, it says that it holds two of the five, which it does not according to the other DCs.

DC1 has:
PDC

DC2 has:
Schema
Infrastructure
RID
Domain Naming

DCF has:
PDC
Infrastructure

and states that DC2 has the other three.

LEGEND:
DC1 = Site B DC and is functioning
DC2 = Site A DC and is functioning
DCF = Failing DC

FYI: If I ping each DC by name from the failing DC, I get the FQDN along with its IP address. So maybe it isn't a DNS issue, but I'll leave that up to you experts.

Thanks!

Thanks
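
An added example, not part of the original post: a short Python parser that pulls the key findings out of dcdiag text like the output above, namely the failed tests, replication partners whose last successful replication is older than the tombstone lifetime, and the decoded userAccountControl value. The sample input is constructed, and DCF and DC2 are placeholders for the masked server names.

```python
import re
from datetime import datetime

# userAccountControl bits (lmaccess.h values) relevant to the MachineAccount test.
UAC_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}

# Constructed excerpt in the shape of the post's output; DCF and DC2 are
# placeholders for the masked server names.
SAMPLE = """\
DCF: Current time is 2008-05-04 13:03:09.
Last replication recieved from DC2 at 2007-11-03 09:26:
29.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
The account DCF is not a DC account. It cannot replicate.
Warning: Attribute userAccountControl of DCF is: 0x81000 = (
......................... DCF failed test MachineAccount
......................... DCF passed test Services
"""

# Date/time with optional whitespace before the seconds: the console wraps there.
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:)\s*(\d\d)"

def stamp(head, secs):
    return datetime.strptime(head + secs, "%Y-%m-%d %H:%M:%S")

def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def triage(text):
    """Failed tests, partners stale past the tombstone lifetime, and UAC flags."""
    report = {"failed": re.findall(r"failed test (\w+)", text), "stale": {}}
    now = re.search(r"Current time is " + TS, text)
    limit = re.search(r"Tombstone Lifetime of (\d+) days", text)
    if now and limit:
        now = stamp(*now.groups())
        for src, head, secs in re.findall(r"rec(?:ie|ei)ved from (\S+) at " + TS, text):
            days = (now - stamp(head, secs)).days
            if days > int(limit.group(1)):
                report["stale"][src] = max(days, report["stale"].get(src, 0))
    uac = re.search(r"userAccountControl of \S+ is: (0x[0-9A-Fa-f]+)", text)
    if uac:
        value = int(uac.group(1), 16)
        report["uac"] = decode_uac(value)
        # A DC's machine account carries UF_SERVER_TRUST_ACCOUNT (0x2000).
        report["is_dc_account"] = bool(value & 0x2000)
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```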
 
The server won't replicate as it's been too long. There are a few ways to fix this but the easiest is probably to just demote and repromote it.

Make sure all the roles are on one or more of the other DCs and ensure the DNS on the broken one has one of the working DCs as the primary.

You probably should do a metadata cleanup on the DC prior to promoting as well using ntdsutil.

 
I can't demote it because it can't find the other DCs or can't see them. I can ping them fine and they come back with the full DNS names. Every time I tried to either dcpromo it or replicate it, it always gives an error of either not seeing the other DCs or not having access. Tried using ntdsutil as well but still got nowhere with that. Tried removing from domain and rejoining, but still get the same results. Tried adding SRV records, A records, and NS records, but I just cannot get this machine to see the other DCs. Everything seems fine, like nslookup works great and gives full DNS, but still nothing.

I also get non-existent domain sometimes but I can't remember what I was doing.

Got the noose in hand and ready to jump.

GEEEZ

Thanks anyway, or if you have any more suggestions I'm wide open.
 
Have you tried the /forceremoval switch?

If there's no data on the domain controller you could just rebuild it and do a metadata cleanup on another DC.

 
I just did a netdom password reset of the problem DC by first turning off KDC on the problem DC, then connecting to the PDC role holder and resetting the password from there. I then restarted the problem DC and the PDC, but since I am doing it remotely I can't log back into the problem DC by RDC; it starts but then the RDC window just shuts down. I'll probably have to start KDC while logged into the machine personally. I should have changed that service to automatic, then restarted. Too late now...

I'll see what happens tomorrow.
 
This happened to me a couple times.

The only way I could get everything back to 'normal', was to use ntdsutil on the DC I wanted to keep, then removed info from Active Directory about the DC I wanted to remove, then I re-installed that DC from the beginning.

Also, the DC that you are keeping in the domain, will need to seize the roles of the DC you're removing.
 