I'm having a problem transferring FSMO roles from one DC to another

whoisthat (IS-IT--Management), Oct 19, 2005
Hi All,

Below is the message that I received when I tried to use Ntdsutil to transfer FSMO Roles:

**********
ldap_modify_sW error 0x34 (52 (Unavailable))
Ldap extended error message is 000020AF: SvcErr: DSID-032106CB, problem 5002 (UNAVAILABLE), data 5

Win32 error returned is 0x20af (The requested FSMO operation failed. The current FSMO holder could not be contacted.)
***********

Note: I've been having problems with the DC that holds the FSMO roles. However, the two servers can ping each other by either IP or name without any problem.

Please help!!

Thanks,
Henry
 
Try running DCDIAG and NETDIAG and report any errors.

I hope you find this post helpful.

Regards,

Mark
 
Are there any error messages in Event Viewer?

... please send the event ID numbers ...

Thanks
Nelson
 
Event ID 3034

"The redirector was unable to initialize security context or query context attributes"

Event ID 64

W32Time


Thanks,
Henry
 
Do like Mark said.

Post the results of
"netdom query fsmo"
as well

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
I'm still unable to transfer 3 FSMO roles. Here is additional information. I hope one of you can help!!

Thanks,
Henry

Below is the error message when I tried to transfer FSMO roles:

*************************************
C:\WINNT\system32\ntdsutil.exe: roles
fsmo maintenance: connections
server connections: connect to server fs01
Binding to fs01 ...
Connected to fs01 using credentials of locally logged on user
server connections: q
fsmo maintenance: transfer rid master
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032106CB, problem 5002 (UN
AVAILABLE), data 5

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Server "fs01" knows about 5 roles
Schema - CN=NTDS Settings,CN=FS01,CN=Servers,CN=Default-First-Site-Name,CN=S
ites,CN=Configuration,DC=cal.org,DC=org
Domain - CN=NTDS Settings,CN=FS01,CN=Servers,CN=Default-First-Site-Name,CN=S
ites,CN=Configuration,DC=ca,DC=org
PDC - CN=NTDS Settings,CN=BORG,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN
=Configuration,DC=caltrux,DC=org
RID - CN=NTDS Settings,CN=BORG,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN
=Configuration,DC=cal,DC=org
Infrastructure - CN=NTDS Settings,CN=BORG,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=cal,DC=org
fsmo maintenance:
*************************************

And here is the query from netdom:
*************************************
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\administrator.CAL>netdom query fsmo
Schema owner fs01.cal.org
Domain role owner fs01.cal.org
PDC role borg.cal.org
RID pool manager borg.cal.org
Infrastructure owner borg.cal.org
The command completed successfully.

C:\Documents and Settings\administrator.CAL>
*************************************
 
Well, I am assuming you can't transfer the 3 roles from server Borg, but you did not do as I asked and provide DCDIAG and NETDIAG results.

I am willing to bet that you have DNS misconfigured on one or more servers, but need those test results to verify.

I hope you find this post helpful.

Regards,

Mark
 
Mark,

Below are the results from DCDIAG & NETDIAG:

***************************
Domain Controller Diagnosis

Performing initial setup:
[borg] LDAP bind failed with error 8341,
A directory service error has occurred..
***************************


**********************************
C:\Program Files\Resource Kit>netdiag

..........................................

Computer Name: BORG
DNS Host Name: borg.cal.org
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 8 Stepping 6, GenuineIntel
List of installed hotfixes :
KB819696
KB820888
KB822343
KB822831
KB823182
KB823559
KB823980
KB824105
KB824141
KB824146
KB824151
KB825119
KB826232
KB828035
KB828741
KB828749
KB830352
KB832353
KB832359
KB834707-IE6SP1-20040929.091901
KB835732
KB837001
KB837272
KB839643-DirectX9
KB839645
KB840315
KB840987
KB841356
KB841533
KB841872
KB841873
KB842526
KB842773
KB870763
KB871250
KB873333
KB873339
KB883939-IE6SP1-20050428.125228
KB885250
KB885834
KB885835
KB885836
KB887797-OE6SP1-20041112.131144
KB888113
KB890046
KB890175
KB890859
KB890923-IE6SP1-20050225.103456
KB891781
KB893066
KB893086
KB893756
KB893803v2
KB894320
KB896358
KB896422
KB896423
KB896424
KB896688-IE6SP1-20051004.130236
KB896727-IE6SP1-20050719.165959
KB897715-OE6SP1-20050503.210336
KB899587
KB899588
KB899589
KB899591
KB900725
KB901017
KB901214
KB902400
KB904368
KB904706
KB905414
KB905495-IE6SP1-20050805.184113
KB905749
KB905915-IE6SP1-20051122.175908
KB908519
KB908523
KB911564
KB911565
KB912919
Q147222
Q816093
Q828026
Update Rollup 1


Netcard queries test . . . . . . . : Passed
[WARNING] The net card 'RAS Async Adapter' may not be working because it has
not received any packets.



Per interface results:

Adapter : cal

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : borg
IP Address . . . . . . . . : 10.10.1.10
Subnet Mask. . . . . . . . : 255.0.0.0
Default Gateway. . . . . . : 10.10.254.1
Primary WINS Server. . . . : 10.10.1.114
Secondary WINS Server. . . : 10.10.1.100
Dns Servers. . . . . . . . : 10.10.1.106
10.10.1.105


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{AA846688-0581-4DDD-A8CF-1027A2CBA3BF}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '10.10.1.106'
and other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS server '10.10.1.105'
and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{AA846688-0581-4DDD-A8CF-1027A2CBA3BF}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{AA846688-0581-4DDD-A8CF-1027A2CBA3BF}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'cta-dc02.cal.org'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
Local IPSec Policy Active: 'Client (Respond Only)'


The command completed successfully

C:\Program Files\Resource Kit>
************************************

Please help!!

Thanks,
Henry
 
Mark,

According to the article (834317), MaxReceiveBuffer should have the correct default value of 10485760. My servers have this value, 10485760, so there is nothing to be changed. The problem is somewhere else...

Thanks for trying...
Henry
 
Mark,
Here is the DCDIAG:
**********************

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\CT-FS01
Starting test: Connectivity
......................... FS01 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\FS01
Starting test: Replications
[Replications Check,FS01] A recent replication attempt failed:
From BORG to FS01
Naming Context: CN=Schema,CN=Configuration,DC=cal,DC=org
The replication generated an error (5):
Access is denied.
The failure occurred at 2006-02-23 11:47:08.
The last success occurred at 2005-12-14 02:55:03.
1741 failures have occurred since the last success.
[BORG] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
[Replications Check,FS01] A recent replication attempt failed:
From BORG to FS01
Naming Context: CN=Configuration,DC=cal,DC=org
The replication generated an error (5):
Access is denied.
The failure occurred at 2006-02-23 12:16:10.
The last success occurred at 2005-12-14 03:02:03.
3275 failures have occurred since the last success.
[Replications Check,FS01] A recent replication attempt failed:
From BORG to FS01
Naming Context: DC=cal,DC=org
The replication generated an error (5):
Access is denied.
The failure occurred at 2006-02-23 12:20:50.
The last success occurred at 2005-12-14 02:55:03.
1952 failures have occurred since the last success.
......................... FS01 passed test Replications
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Schema,CN=Configuration,DC=cal,DC=org
Error BUILTIN\Administrators doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Schema,CN=Configuration,DC=cal,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Configuration,DC=cal,DC=org
Error BUILTIN\Administrators doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Configuration,DC=cal,DC=org
......................... FS01 failed test NCSecDesc
Starting test: NetLogons
* You must make sure there are no existing net use connections,
you can use "net use /d \\FS01\ipc$" or "net use /d
\\<machine-name>\<share-name>"
......................... FS01 failed test NetLogons
Starting test: Advertising
......................... FS01 passed test Advertising
Starting test: KnowsOfRoleHolders
Warning: BORG is the PDC Owner, but is not responding to DS RPC Bind.
[BORG] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: BORG is the PDC Owner, but is not responding to LDAP Bind.
Warning: BORG is the Rid Owner, but is not responding to DS RPC Bind.
Warning: BORG is the Rid Owner, but is not responding to LDAP Bind.
Warning: BORG is the Infrastructure Update Owner, but is not responding
to DS RPC Bind.
Warning: BORG is the Infrastructure Update Owner, but is not responding
to LDAP Bind.
......................... FS01 failed test KnowsOfRoleHolders
Starting test: RidManager
......................... FS01 failed test RidManager
Starting test: MachineAccount
Could not open pipe with [FS01]:failed with 1219: Multiple connecti
ons to a server or shared resource by the same user, using more than one user na
me, are not allowed. Disconnect all previous connections to the server or shared
resource and try again..
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
* Missing SPN :(null)
* Missing SPN :(null)
......................... FS01 failed test MachineAccount
Starting test: Services
Could not open Remote ipc to [FS01]:failed with 1219: Multiple conn
ections to a server or shared resource by the same user, using more than one use
r name, are not allowed. Disconnect all previous connections to the server or sh
ared resource and try again..
......................... FS01 failed test Services
Starting test: ObjectsReplicated
......................... FS01 passed test ObjectsReplicated
Starting test: frssysvol
* You must make sure there are no existing net use connections,
you can use "net use /d \\FS01\ipc$" or "net use /d
\\<machine-name>\<share-name>"
......................... FS01 failed test frssysvol
Starting test: frsevent
......................... FS01 failed test frsevent
Starting test: kccevent
Failed to enumerate event log records, error Multiple connections to a
server or shared resource by the same user, using more than one user name, are n
ot allowed. Disconnect all previous connections to the server or shared resource
and try again..
......................... FS01 failed test kccevent
Starting test: systemlog
Failed to enumerate event log records, error Multiple connections to a
server or shared resource by the same user, using more than one user name, are n
ot allowed. Disconnect all previous connections to the server or shared resource
and try again..
......................... FS01 failed test systemlog
Starting test: VerifyReferences
......................... FS01 passed test VerifyReferences

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : cal
Starting test: CrossRefValidation
......................... cal passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... cal passed test CheckSDRefDom

Running enterprise tests on : cal.org
Starting test: Intersite
......................... cal.org passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
......................... cal.org failed test FsmoCheck

 
You need to run the DCDIAG and NETDIAG on the other server as well so we can compare results.

I hope you find this post helpful.

Regards,

Mark
 
Hi,

The second remark by "whoisthat" indicates "W32Time".

Could you confirm that both servers have the same time? (AD fails to replicate when servers have a 5-minute time difference.)
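The two checks this thread keeps coming back to are whether the role holders actually answer an LDAP bind (the KnowsOfRoleHolders warnings in the DCDIAG output above) and sibawae2000's clock-skew question. The script below is an added example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module, a domain-joined session whose account can bind to every DC, anonymous rootDSE reads left at the AD default (allowed), and the Kerberos default MaxClockSkew of 5 minutes; the role names and host names come from whatever your forest returns.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): list the FSMO holders, then probe each
# one twice.
#   1. anonymous rootDSE read  - works even when Kerberos is broken; rootDSE's
#      currentTime attribute gives the DC's clock, so we can measure skew
#   2. Kerberos-only LDAP bind - the bind that ntdsutil and replication need;
#      this is where "target principal name is incorrect" style failures show
# Assumptions: RSAT ActiveDirectory module; anonymous rootDSE reads allowed
# (AD default); Kerberos MaxClockSkew at its default of 5 minutes.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$maxSkew = [TimeSpan]::FromMinutes(5)

function Get-FsmoHolders {
    # The same five roles "netdom query fsmo" prints, via the AD module.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        Schema         = $forest.SchemaMaster
        DomainNaming   = $forest.DomainNamingMaster
        PDC            = $domain.PDCEmulator
        RID            = $domain.RIDMaster
        Infrastructure = $domain.InfrastructureMaster
    }
}

function Get-DcClockSkew {
    param([string]$Server)
    # Anonymous base search of rootDSE for currentTime (generalizedTime, UTC,
    # e.g. 20060223120000.0Z). Returns (DC clock - our clock) as a TimeSpan.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.Timeout  = [TimeSpan]::FromSeconds(10)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        '', '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, 'currentTime')
    $raw = [string]$conn.SendRequest($req).Entries[0].Attributes['currentTime'][0]
    $dcUtc = [datetime]::ParseExact($raw, "yyyyMMddHHmmss.0'Z'",
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    $dcUtc - [datetime]::UtcNow
}

function Test-KerberosBind {
    param([string]$Server)
    # Kerberos only, no NTLM fallback, so a bad SPN or clock problem surfaces
    # here instead of being masked. Signing + sealing is what DCs expect.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Kerberos
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.Timeout = [TimeSpan]::FromSeconds(10)
    $conn.Bind()   # throws LdapException on failure
}

function Test-FsmoHolders {
    foreach ($role in (Get-FsmoHolders).GetEnumerator()) {
        $r = [ordered]@{ Role = $role.Key; Holder = $role.Value
                         Skew = $null; KerberosBind = $false; Problem = '' }
        try   { $r.Skew = Get-DcClockSkew -Server $role.Value }
        catch { $r.Problem = "rootDSE unreachable: $($_.Exception.Message);" }
        if ($null -ne $r.Skew -and
            [math]::Abs($r.Skew.TotalSeconds) -gt $maxSkew.TotalSeconds) {
            $r.Problem += " clock skew $([int]$r.Skew.TotalSeconds)s exceeds Kerberos limit;"
        }
        try   { Test-KerberosBind -Server $role.Value; $r.KerberosBind = $true }
        catch { $r.Problem += " Kerberos bind failed: $($_.Exception.Message)" }
        [pscustomobject]$r
    }
}

Test-FsmoHolders | Format-Table -AutoSize
```

Run it from a DC that is itself healthy (FS01 in this thread). A holder whose Kerberos bind fails cannot receive a transfer; that is the 0x20af "current FSMO holder could not be contacted" ntdsutil prints above, and error -2146893022 in the DCDIAG output is SEC_E_WRONG_PRINCIPAL, the Kerberos side of the same problem. Once clocks and SPNs are right, `Move-ADDirectoryServerOperationMasterRole -Identity FS01 -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster` transfers the roles; the same cmdlet with `-Force` seizes them. Seize only when the old holder is gone for good: a DC whose roles were seized must be reinstalled or cleaned out of the directory metadata before it ever touches the network again, never simply reconnected.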
 
An excellent point sibawae2000. We also need to focus on the fact that both servers claim to be holding some FSMO roles.

I believe I know where this is going and if I am right it will be necessary to follow the steps outlined in my FAQ faq96-4733. But since these steps are drastic I want to be sure first before recommending following them.

Henry, I'd like to know if you right click on My Computer and choose properties. Click on the Computer Name tab. What is listed for full computer name? Does it include the server name followed by the full internal DNS name? Or just the computername with a period?

Also for the sake of readability, let me ask you to post the following. Please repost the DCDIAG and NETDIAG from each server. When posting please clearly identify at the top which server the report is from and post the results within code tags like this:

[ignore]
Code:
Server Borg DCDIAG REPORT
[i]report goes here[/i]
[/ignore]

Here is what the above will look like when posted:

Code:
Server Borg DCDIAG REPORT
[i]report goes here[/i]

I hope you find this post helpful.

Regards,

Mark
 
sibawae2000,

You are right. The servers have different times. I believe it is the W32Time problem. It is 4 minutes off for all the servers except one. What are the steps to resolve this problem?

Thanks,
Henry
 
For starters, just manually set the time. Then resolve it by setting an authoritative time source IF that resolves the issue.

I hope you find this post helpful.

Regards,

Mark
 
Hi all,

I suggest you create a "scheduled task" on every DC to synchronize with some SNTP server.

To do that, add the following line to a *.bat file :

net time /setsntp:ntp2.usno.navy.mil

.. and schedule the execution

(navy.mil is reliable, but it's just an example; feel free to use any other SNTP server)

If your servers can't access the internet, it's trickier since you'd have to configure an SNTP server on your network.

Cheers
 
SOP is to only have one DC sync to an SNTP server and have all others sync with that one internally to avoid the WAN traffic.

FYI too, you need to have port 123 open on your firewall for SNTP to work.

I hope you find this post helpful.

Regards,

Mark
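Mark's standard layout, one DC syncing to an external source, every other DC following it, and port 123 open, as an added PowerShell example; this is not code from the thread. It uses w32tm, which replaced `net time /setsntp` after Windows 2000, so it needs Windows Server 2003 or later and an admin session on each DC. The peer host names are placeholders (ntp2.usno.navy.mil is the one named above; 0.pool.ntp.org is an assumption), and it assumes you run Set-PdcTimeSource on the PDC emulator and Set-MemberDcTimeSource on the rest.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): the time hierarchy described above.
#   PDC emulator   -> external NTP peers (manual list, advertised as reliable)
#   every other DC -> domain hierarchy (domhier), i.e. the PDC emulator
# Assumptions: w32tm from Server 2003 or later, admin session on each DC,
# peer names below are placeholders. NTP is UDP/123: open UDP, not TCP.

function Set-PdcTimeSource {
    param([string[]]$Peers = @('ntp2.usno.navy.mil', '0.pool.ntp.org'))
    # ",0x8" marks each peer as client mode. Only the PDC emulator should sync
    # externally; everyone else follows it, which keeps WAN NTP traffic to one host.
    $list = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm /config /manualpeerlist:"$list" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

function Set-MemberDcTimeSource {
    # Follow the domain hierarchy and do not advertise as reliable. If the PDC
    # emulator role moves, run Set-PdcTimeSource on the new holder and this
    # function on the old one, or the old box keeps acting as the time root.
    w32tm /config /syncfromflags:domhier /reliable:no /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

function Test-NtpPath {
    param([string]$Server, [int]$Samples = 3)
    # Reachability and offset probe. /dataonly prints "hh:mm:ss, +00.0123456s"
    # per sample; a line carrying "error:" instead of an offset means UDP/123
    # is blocked or the peer is not answering.
    $out = w32tm /stripchart /computer:$Server /samples:$Samples /dataonly 2>&1
    foreach ($line in $out) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') {
            [pscustomobject]@{ Peer = $Server; OffsetSeconds = [double]$Matches[1]; Error = $null }
        } elseif ($line -match 'error') {
            [pscustomobject]@{ Peer = $Server; OffsetSeconds = $null; Error = $line.Trim() }
        }
    }
}

function Get-TimeSourceReport {
    # Show what each DC actually syncs from: exactly one DC should point
    # outside, and every other one should name the PDC emulator.
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        [pscustomobject]@{
            DC          = $dc
            IsPdc       = ($dc -eq $pdc)
            Source      = (w32tm /query /source /computer:$dc 2>&1) -join ' '
        }
    }
}

# Typical use, run on the PDC emulator:
#   Set-PdcTimeSource
#   Test-NtpPath -Server ntp2.usno.navy.mil
#   Get-TimeSourceReport | Format-Table -AutoSize
```

Check the firewall rule with Test-NtpPath from the PDC emulator before touching the other DCs: if the external peers time out there, `/syncfromflags:manual` leaves the whole domain with no valid source and the 5-minute Kerberos window starts to drift closed again.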
 