Domain membership test fail, AD reinstall?

malaize2

Have a win2003 server that I added to domain with a windows 2000 server 3 years ago. Had issues because only 3 of the FSMO roles transferred over so we get lots of "Windows cannot query for the list of group policy objects". I also ran netdiag /fix and was able to copy part of the results before the window closed. It failed on the 'Domain membership test'. The netdiag results are below. I would just like to uninstall and reinstall AD, but am not sure how to ensure that there is no leftover data corruption/junk (metadata?) from this original mess.
Could someone please point me in the right direction? We only have 20 users in AD so it wouldn't be that bad to have to re-add them.



..................................

Computer Name: WIN2003SERVERJJ
DNS Host Name: win2003serverjjinc.JandJDog
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 10, GenuineIntel
List of installed hotfixes :


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection 3

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : win2003serverjjinc
IP Address . . . . . . . . : 192.168.1.7
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.1.3
Dns Servers. . . . . . . . : 192.168.1.7
192.168.1.5


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local
machine. This machine is not working properly as a DC.


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{D6AA2F92-E274-4E42-8E0C-175BBB3361DA}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.1.7'.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{D6AA2F92-E274-4E42-8E0C-175BBB3361DA}



thanks a lot
 
When you say only 3 roles transferred over, did you seize the remaining roles then?

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Hi RoadKi11,

In the past I tried seizing the 2 roles that the win2003 server did not possess and it wouldn't seize them. I just tried to seize them again with ntdsutil.exe and it worked. I first tried to seize Domain Naming Master and it failed, so then I tried to seize PDC and it worked. I then retried seizing Domain Naming Master and it was also successful. Below is a copy of the info it displayed when I seized the Domain Naming Master. Does it all look ok? After performing the seizure and rebooting the win2003 server we rebooted some pcs on our network and they only took 15-20 seconds to boot up once we entered the login passwords. Also, when we tried to open a mapped drive (that is mapped to the win2003 server) it would open almost instantaneously vs the 1min+ wait times we were having before the FSMO roles seizure. This was all done about an hour ago, and now things are getting slower. I have tried accessing a mapped drive on my pc and it's taking about 30 seconds before anything is displayed.

fsmo maintenance: seize domain naming master
Attempting safe transfer of domain naming FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server "win2003serverjj" knows about 5 roles
Schema - CN=NTDS Settings,CN=WIN2003SERVERJJ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JandJDog
Domain - CN=NTDS Settings,CN=WIN2003SERVERJJ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JandJDog
PDC - CN=NTDS Settings,CN=WIN2003SERVERJJ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JandJDog
RID - CN=NTDS Settings,CN=WIN2003SERVERJJ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JandJDog
Infrastructure - CN=NTDS Settings,CN=WIN2003SERVERJJ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JandJDog
fsmo maintenance:

Is there another utility I can run to check the status of things on the win2003 server?

thanks
 
Is the DC a GC also? If it's not, it should be. Does the DC point to itself for DNS? Do the workstations point to the DC for DNS? No ISP DNS servers should be used. Run a new netdiag and dcdiag on the DC and post any issues. Use the following commands from a command prompt; they will output the info to txt files.

netdiag > C:\netdiag.txt

dcdiag > C:\dcdiag.txt


RoadKi11

 
Yes, this dc is also a GC. We just went into Active Directory Sites and Services\Default-First-Site-Name right clicked NTDS Site Settings, and selected Properties. The check box for 'Enable Universal Group Membership Caching' was not checked. I just checked it and then ran netdiag and dcdiag. Here are the results from those.

netdiag results:


...................................

Computer Name: WIN2003SERVERJJ
DNS Host Name: win2003serverjjinc.JandJDog
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 10, GenuineIntel
List of installed hotfixes :


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection 3

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : win2003serverjjinc
IP Address . . . . . . . . : 192.168.1.7
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.1.3
Dns Servers. . . . . . . . : 192.168.1.7
192.168.1.5


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{D6AA2F92-E274-4E42-8E0C-175BBB3361DA}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.1.7'.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.1.5'. Please wait for 30 minutes for DNS server replication.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{D6AA2F92-E274-4E42-8E0C-175BBB3361DA}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{D6AA2F92-E274-4E42-8E0C-175BBB3361DA}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Failed
[FATAL] Cannot find DC in domain 'JANDJDOG'. [ERROR_NO_SUCH_DOMAIN]


DC list test . . . . . . . . . . . : Failed
'JANDJDOG': Cannot find DC to get DC list from [test skipped].


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Skipped
'JANDJDOG': Cannot find DC to get DC list from [test skipped].


LDAP test. . . . . . . . . . . . . : Failed
Cannot find DC to run LDAP tests on. The error occurred was: The specified domain either does not exist or could not be contacted.


[WARNING] Cannot find DC in domain 'JANDJDOG'. [ERROR_NO_SUCH_DOMAIN]


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

*****************************
*****************************



dcdiag results


Domain Controller Diagnosis

Performing initial setup:
[win2003serverjjinc] Directory Binding Error 5:
Access is denied.
This may limit some of the tests that can be performed.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\WIN2003SERVERJJ
Starting test: Connectivity
......................... WIN2003SERVERJJ passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\WIN2003SERVERJJ
Starting test: Replications
[Replications Check,WIN2003SERVERJJ] A recent replication attempt failed:
From WIN2KSERVER to WIN2003SERVERJJ
Naming Context: CN=Schema,CN=Configuration,DC=JandJDog
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2010-03-09 12:57:54.
The last success occurred at 2009-07-01 15:49:05.
6032 failures have occurred since the last success.
[WIN2KSERVER] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
[Replications Check,WIN2003SERVERJJ] A recent replication attempt failed:
From WIN2KSERVER to WIN2003SERVERJJ
Naming Context: CN=Configuration,DC=JandJDog
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2010-03-09 12:57:54.
The last success occurred at 2009-07-01 15:49:05.
6032 failures have occurred since the last success.
[Replications Check,WIN2003SERVERJJ] A recent replication attempt failed:
From WIN2KSERVER to WIN2003SERVERJJ
Naming Context: DC=JandJDog
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2010-03-09 12:57:54.
The last success occurred at 2009-07-01 15:49:05.
6668 failures have occurred since the last success.
REPLICATION-RECEIVED LATENCY WARNING
WIN2003SERVERJJ: Current time is 2010-03-09 13:51:26.
CN=Schema,CN=Configuration,DC=JandJDog
Last replication recieved from WIN2KSERVER at 2009-07-01 15:49:05.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
CN=Configuration,DC=JandJDog
Last replication recieved from WIN2KSERVER at 2009-07-01 15:49:05.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
DC=JandJDog
Last replication recieved from WIN2KSERVER at 2009-07-01 15:49:05.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
......................... WIN2003SERVERJJ passed test Replications
Starting test: NCSecDesc
......................... WIN2003SERVERJJ passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\WIN2003SERVERJJ\netlogon)
[WIN2003SERVERJJ] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
......................... WIN2003SERVERJJ failed test NetLogons
Starting test: Advertising
Fatal Error:DsGetDcName (WIN2003SERVERJJ) call failed, error 1355
The Locator could not find the server.
......................... WIN2003SERVERJJ failed test Advertising
Starting test: KnowsOfRoleHolders
......................... WIN2003SERVERJJ passed test KnowsOfRoleHolders
Starting test: RidManager
......................... WIN2003SERVERJJ passed test RidManager
Starting test: MachineAccount
......................... WIN2003SERVERJJ passed test MachineAccount
Starting test: Services
......................... WIN2003SERVERJJ passed test Services
Starting test: ObjectsReplicated
......................... WIN2003SERVERJJ passed test ObjectsReplicated
Starting test: frssysvol
......................... WIN2003SERVERJJ passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... WIN2003SERVERJJ failed test frsevent
Starting test: kccevent
......................... WIN2003SERVERJJ passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 03/09/2010 12:57:54
Event String: The kerberos client received a

An Error Event occured. EventID: 0x40000004
Time Generated: 03/09/2010 13:07:38
Event String: The kerberos client received a

An Error Event occured. EventID: 0xC00010E1
Time Generated: 03/09/2010 13:14:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00010E1
Time Generated: 03/09/2010 13:36:37
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00010E1
Time Generated: 03/09/2010 13:46:39
(Event String could not be retrieved)
......................... WIN2003SERVERJJ failed test systemlog
Starting test: VerifyReferences
......................... WIN2003SERVERJJ passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : JandJDog
Starting test: CrossRefValidation
......................... JandJDog passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... JandJDog passed test CheckSDRefDom

Running enterprise tests on : JandJDog
Starting test: Intersite
......................... JandJDog passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... JandJDog failed test FsmoCheck
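
A triage pass over a report like the dcdiag output above, as an added example that is not part of the original thread: it lists the failed tests and, for each failing replication link, the days since the last success measured against the tombstone lifetime. The function names are hypothetical, the 60-day default is the value the report itself states, and the sample text is a shortened, constructed excerpt in the same format.

```python
import re
from datetime import datetime

# Constructed sample: a shortened excerpt in the format of the dcdiag output above.
SAMPLE = """\
Starting test: Replications
[Replications Check,WIN2003SERVERJJ] A recent replication attempt failed:
From WIN2KSERVER to WIN2003SERVERJJ
Naming Context: DC=JandJDog
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2010-03-09 12:57:54.
The last success occurred at 2009-07-01 15:49:05.
6668 failures have occurred since the last success.
REPLICATION-RECEIVED LATENCY WARNING
WIN2003SERVERJJ: Current time is 2010-03-09 13:51:26.
DC=JandJDog
Last replication recieved from WIN2KSERVER at 2009-07-01 15:49:05.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
......................... WIN2003SERVERJJ passed test Replications
......................... WIN2003SERVERJJ failed test NetLogons
......................... WIN2003SERVERJJ failed test Advertising
......................... JandJDog failed test FsmoCheck
"""

STAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
FAILED_TEST = re.compile(r"^\s*\.+ (\S+) failed test (\S+)", re.M)
# The summary line can read "passed test Replications" even when links are
# failing (as in the report above), so the per-link blocks are parsed separately.
REPL_ERROR = re.compile(
    r"From (\S+) to (\S+)\s*\n\s*Naming Context: (\S+)\s*\n"
    r"(?:.*\n){0,5}?\s*The last success occurred at " + STAMP + r"\.\s*\n"
    r"\s*(\d+) failures have occurred")
CURRENT_TIME = re.compile(r"Current time is " + STAMP)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def triage(text, tombstone_days=60):
    """Summarise a dcdiag report: failed tests, plus each failing replication
    link with its age compared against the tombstone lifetime."""
    failed = [test for _, test in FAILED_TEST.findall(text)]
    now_match = CURRENT_TIME.search(text)
    # Use the report's own clock when present so old reports are judged as captured.
    now = parse_time(now_match.group(1)) if now_match else datetime.now()
    links = []
    for src, dst, nc, last_ok, count in REPL_ERROR.findall(text):
        age = (now - parse_time(last_ok)).days
        links.append({"source": src, "target": dst, "naming_context": nc,
                      "failures": int(count), "days_since_success": age,
                      "past_tombstone": age > tombstone_days})
    return {"failed_tests": failed, "replication": links}


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("Failed tests:", ", ".join(report["failed_tests"]))
    for link in report["replication"]:
        flag = "PAST TOMBSTONE LIFETIME" if link["past_tombstone"] else "ok"
        print("{source} -> {target} {naming_context}: {failures} failures, "
              "{days_since_success} days since last success [{flag}]"
              .format(flag=flag, **link))
```
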


 
Is the date and time on the DC correct?


RoadKi11

 
Yes, the date and time are correct. Is there an oddity with the date/time from the diagnostics I ran?

Thanks,

malaize2
 
Nothing major, I just saw the time server call failed and know from past experience that a DC even 5 minutes out of time sync can cause major issues.

RoadKi11

 
I did some googling and ran netdom.exe to try and view the fsmo roles and received the following.

C:\Documents and Settings\win2003server>netdom query fsmo
The target principal name is incorrect.

The command failed to complete successfully.

C:\Documents and Settings\win2003server>


Not sure what I should try next. There definitely are some major problems between the win2003server and the win2kserver. I have tried seizing roles with ntdsutil.exe but it isn't grabbing the roles. What do you think is the best way to straighten this mess out?

thank you,
eli


 
Just too many unknowns, is that 2k server a DC? Is the 2k server even active? Looks like you are at least trying to replicate DNS to the 2k server and it's not working. You need to figure out if the 2k3 server is really holding all the FSMO roles and check that 2k server to make sure it doesn't think it still owns some FSMO roles. Might just want to remove that 2k server altogether. Clean up the AD metadata and DNS.

I am not sure what to say. You could work on this for a month and never get it worked out. With only 20 users I would be inclined to build a new domain and start over, I think in the end you will save a lot of time and have a solid, stable, trustworthy end product.



RoadKi11

 