
New secondary DC 1

Status
Not open for further replies.

Trana

Technical User
Nov 2, 2002
76
AU
Hello,

I recently setup a secondary DC in my server 2003 environment following this basic guide:


Which all went fine (no error messages in the process), but after rebooting after "dcpromo" I cannot log in to the new DC server with any account.

Here are some of the event logs from the server: (extracted by remote managing the server from another machine):

-------

Directory Service:
ID 1126, Source NTDS General
Active Directory was unable to establish a connection with the global catalog.

Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200cf3 * Comment: I've got lots of these with different Internal IDs

User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

-------

File Replication Service:
ID 13508, Source NtFrs
The File Replication Service is having trouble enabling replication from PrimaryDC to SecondaryDC for c:\windows\sysvol\domain using the DNS name PrimaryDC.domain.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name PrimaryDC.domain.local from this computer.
[2] FRS is not running on PrimaryDC.domain.local.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

* Comment: FRS is running on PrimaryDC, the service is anyway
------

System:
ID 5781, Source NETLOGON
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'TrustedDomain.com.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration

USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt or by restarting Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.

------

The SecondaryDC does have the proper IP-address for the PrimaryDC as its DNS.

Hmm, what else: the SecondaryDC is a very clean installation; it just has McAfee antivirus on it and nothing else, plus all Windows Updates.

I'm leaning towards DNS errors, but I am not very good with DNS, so please, any tips or help regarding DNS, keep it basic if you don't mind.

Thank you in advance.
Trana
 
Boot the server into safe mode, change the DNS to point to the other DC, and reboot. See if that at least lets you log in.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Thanks, but like I said on the bottom of my post, the new DC does have the IP address of the first DC as its preferred DNS.

Besides, can I even log into safe mode? What account would I use?
 
When you run dcpromo on a server you are asked to enter a password for directory services restore mode administrator. You use that password and the username administrator.

I'd boot into safe mode and verify the DNS settings on that new DC. I'll eat my hat if this is not a DNS problem...

Check that the new DC computer account has been created in ADUC.
Check out the link below and ensure that all the correct DNS records are present:


Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
I hope you are right pagy; I've had a hat or two in my day and they don't taste very good. While high in fiber, they sure are chewy and have a nasty aftertaste.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
:-> Too true Roadki11.

Trana,

Run a dcdiag and netdiag as well on your other DC and post the results.

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
You might be able to remotely manage it, change the DNS using remote registry and reboot it.
 
Thanks for all the replies.

First, I won't be able to try safe mode today (but later this week); I don't have physical access to the server today. But see below, I don't think the DNS setting on the new server is the problem.

In the server's registry, HKLM->SYSTEM->ControlSet001->Services->Tcpip->Parameters->Interfaces->{A92C6505...}->key NameServer is the correct IP address for the primary DC and DNS server. So that means the new server does have the correct DNS settings, correct?

DcDiag result:
Doing initial required tests

Testing server: Location\PrimaryDC
Starting test: Connectivity
The host 4580e03d-6c19-4aa1-bbc0-2e02e93a46db._msdcs.TrustedDomain.com could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name (4580e03d-6c19-4aa1-bbc0-2e02e93a46db._msdcs.TrustedDomain.com) couldn't be resolved, the server name (PrimaryDC.domain.local) resolved to the IP address (192.168.1.100) and was pingable. Check that the IP address is registered correctly with the DNS server.
......................... PrimaryDC failed test Connectivity

Everything else passed.

NetDiag Result:

Messenger service is disabled, which generates a warning on the NetBT name test (which still passes). Is this a problem?

DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.1.100'. Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.

LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'othersite.domain.local'.
[WARNING] Failed to query SPN registration on DC 'othersite.domain.local'.
[WARNING] Failed to query SPN registration on DC 'othersite.domain.local'.
[WARNING] Failed to query SPN registration on DC 'othersite.domain.local'.
[WARNING] Failed to query SPN registration on DC 'othersite.domain.local'.
[WARNING] Failed to query SPN registration on DC 'othersite.domain.local'.
[FATAL] Cannot do NTLM authenticated ldap_bind to 'primaryDC.domain.local': Invalid Credentials.
[FATAL] Cannot do Negotiate authenticated ldap_bind to 'primaryDC.domain.local': Invalid Credentials.
[WARNING] Failed to query SPN registration on DC 'primaryDC.domain.local'.

Everything else passed.
 
Did you use the link I posted to ensure that all the necessary DC DNS records are in place?

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
Sorry, I missed that part of your previous post.

Where am I supposed to find these records?

Under Forward Lookup Zones\domain.local? If that's the case then no, I don't have any _ldap, _gc or _kerberos records at all. Only _msdcs, _sites, _tcp and _udp.

Like I said, I'm not very good with DNS.
 
netdiag /fix:

DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.TrustedDomain.com. re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Location._sites.gc._msdcs.TrustedDomain.com. re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.d1042699-8022-4175-a55e-1822ca8254b9.domains._msdcs.TrustedDomain.com. re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry 4580e03d-6c19-4aa1-bbc0-2e02e93a46db._msdcs.TrustedDomain.com. re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _gc._tcp.TrustedDomain.com. re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _gc._tcp.Location._sites.TrustedDomain.com. re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[WARNING] The DNS entries for this DC cannot be verified right now on DNS server 192.168.36.24, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC registered.
 
Any chance McAfee loaded a firewall?

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
No, it's not even running now anyway; I remotely stopped the McAfee services previously.
 
Just to clarify, you are running dcdiag and netdiag on your original domain controller yes? I'm assuming so as you said you can't log onto the new DC.

If so, try:

nltest /dsregdns on the DC

That should recreate all the necessary DNS records for your domain controller.

Can you also provide the results of ipconfig /all from the original DC?

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
Hi Pagy, thanks for your continued help!

You are correct, the netdiag and dcdiag results are from the old DC. All I can do on the new DC is remote management and the registry.

nltest /dsregdns

Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

The command was very fast and I can't see any differences in the DNS management console.

ipconfig /all

Host Name . . . . . . . . . . . . : oldDC
Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection - backup:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC7782 Gigabit Server Adapter #2
Physical Address. . . . . . . . . : **-**-**-**-**
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.10.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : domain.local
Description . . . . . . . . . . . : HP NC7782 Gigabit Server Adapter
Physical Address. . . . . . . . . : **-**-**-**-**
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.100
Primary WINS Server . . . . . . . : 192.168.1.100

In DNS management, under forward lookup zones, I have both "domain" and "domain.local"; I'm not entirely sure why, or if that could be the cause of any problems. I used domain.local where necessary when setting up the new DC.
 
Forgot to mention, the 10.10.10.10 connection is used for a different network, this connection is not configured for DNS and the 192.168.1.100 one is the primary.
 
In my experience dual NICs on a DC are a bad idea. Can you disable the 10.10.10.10 NIC for a while whilst troubleshooting?

Is your DNS zone domain.local AD integrated? If it is please ensure that dynamic updates are enabled on the zone.

Then on the DC;

ipconfig /flushdns
ipconfig /registerdns
nltest /dsregdns

dcdiag /fix
net stop netlogon
net start netlogon

Can you possibly post a screenshot of your DNS console as well?

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
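As an added example (not from any poster in this thread), a PowerShell function that queries a named DNS server for each SRV record a domain controller registers, plus the DSA GUID CNAME that dcdiag complained about above, and reports which are missing. It assumes the DnsClient module (Windows 8 / Server 2012 or later on the machine it runs from; the queried DNS server can still be Server 2003), and the site name, server address and GUID are taken from the thread. The netdiag output above shows the _gc and gc._msdcs records under TrustedDomain.com rather than domain.local, so pass that as -ForestDns if it is the forest root.

```powershell
# Added example: list the DNS records a DC must register and ask one DNS server for each.
function Test-DcDnsRecords {
    param(
        [Parameter(Mandatory)] [string]$DomainDns,  # DNS name of the DC's domain
        [string]$ForestDns = $DomainDns,            # forest root, if it differs
        [Parameter(Mandatory)] [string]$DnsServer,  # DNS server to interrogate
        [string]$SiteName,                          # AD site of the DC (optional)
        [string]$DsaGuid                            # NTDS Settings objectGUID (optional)
    )
    # SRV names every DC registers via Netlogon (site-less variants only unless a site is given).
    $srv = @(
        "_ldap._tcp.$DomainDns",
        "_ldap._tcp.dc._msdcs.$DomainDns",
        "_ldap._tcp.pdc._msdcs.$DomainDns",
        "_kerberos._tcp.$DomainDns",
        "_kerberos._tcp.dc._msdcs.$DomainDns",
        "_kpasswd._tcp.$DomainDns",
        "_gc._tcp.$ForestDns",
        "_ldap._tcp.gc._msdcs.$ForestDns"
    )
    if ($SiteName) {
        $srv += "_ldap._tcp.$SiteName._sites.$DomainDns"
        $srv += "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainDns"
        $srv += "_gc._tcp.$SiteName._sites.$ForestDns"
    }
    $checks = $srv | ForEach-Object { [pscustomobject]@{ Name = $_; Type = 'SRV' } }
    if ($DsaGuid) {
        # Replication partners locate a DC by this CNAME, which points at its host A record.
        $checks += [pscustomobject]@{ Name = "$DsaGuid._msdcs.$ForestDns"; Type = 'CNAME' }
    }
    foreach ($c in $checks) {
        try {
            $ans = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $DnsServer -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq $c.Type }   # drop the additional A records
            $targets = ($ans | ForEach-Object {
                if ($c.Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { $_.NameHost }
            }) -join ', '
            [pscustomobject]@{ Record = $c.Name; Type = $c.Type; Status = 'OK'; Detail = $targets }
        } catch {
            [pscustomobject]@{ Record = $c.Name; Type = $c.Type; Status = 'MISSING'; Detail = $_.Exception.Message }
        }
    }
}

# Values as they appear in this thread; the GUID is the one dcdiag could not resolve.
Test-DcDnsRecords -DomainDns 'domain.local' -DnsServer '192.168.1.100' -SiteName 'Location' `
    -DsaGuid '4580e03d-6c19-4aa1-bbc0-2e02e93a46db' -ForestDns 'TrustedDomain.com' | Format-Table -AutoSize
```

Every row marked MISSING is a record that ipconfig /registerdns, nltest /dsregdns or a Netlogon restart on the DC concerned should recreate, provided the zone accepts dynamic updates from that DC.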
 
domain.local is AD Integrated and replicated to all Domain Controllers. Dynamic Updates are allowing both secure and nonsecure.

I disabled the secondary NIC which is fine for now.

With nltest /dsregdns I now get:

Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

dcdiag /fix gives the same result as before.

I restarted the new DC after this but I still can't log in and I still have the same event log problems as before.

I don't have any convenient place to put a screenshot right now, but what do you want to see?

It's basically this:
DNS->
Cached Lookups
Forward Lookup Zones->

Domain->
_msdcs
_sites
_tcp
_udp
DomainDnsZones
ForestDnsZones
hercules
mac

domain.local->
_msdcs
_sites
_tcp
_udp
DomainDnsZones

Is that what you wanted to see?

I also tried dcdiag /test:dns and got a whole bunch of problems about "name resolution is not functional. _ldap._tcp.TrustedDomain.com"

So I cleared my DNS cache and re-ran the test but got the same result. But anything related to the TrustedDomain shouldn't really affect me setting up my new DC for the new domain, should it?
 
What is trusteddomain.com?

setting up my new DC for the new domain, should it?

The new domain being domain.local ??

Have you renamed your domain at some point?

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
Sorry, I meant to say my Domain not new Domain, but yes, I was referring to domain.local.

I do however believe the domain was renamed when the company was bought 2-3 years ago, but this is a long time before I started here.
 