New secondary DC 1

Status
Not open for further replies.

Trana

Technical User
Nov 2, 2002
76
AU
Hello,

I recently setup a secondary DC in my server 2003 environment following this basic guide:


Which all went fine (no error messages in the process), but after rebooting after "dcpromo" I cannot log in to the new DC server with any account.

Here are some of the event logs from the server: (extracted by remote managing the server from another machine):

-------

Directory Service:
ID 1126, Source NTDS General
Active Directory was unable to establish a connection with the global catalog.

Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200cf3 * Comment: I've got lots of these with different Internal IDs

User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

-------

File Replication Service:
ID 13508, Source NtFrs
The File Replication Service is having trouble enabling replication from PrimaryDC to SecondaryDC for c:\windows\sysvol\domain using the DNS name PrimaryDC.domain.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name PrimaryDC.domain.local from this computer.
[2] FRS is not running on PrimaryDC.domain.local.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

* Comment: FRS is running on PrimaryDC, the service is anyway
------

System:
ID 5781, Source NETLOGON
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'TrustedDomain.com.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration

USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt or by restarting Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.

------

The SecondaryDC does have the proper IP-address for the PrimaryDC as its DNS.

Hmm, what else, the SecondaryDC is a very clean installation, just has McAfee antivirus on it and nothing else and all Windows Updates.

I'm leaning towards DNS errors, but I am not very good with DNS, so please, any tips or help regarding DNS, keep it basic if you don't mind.

Thank you in advance.
Trana
 
Just a small addition, on the old DC, nltest /dsregdns now gives:

Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully
 
Is your domain controller a global catalog server?

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
Do netdiag /fix again and see what the results are

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
Yes, it's a global catalog server for domain.local.

netdiag /fix results:

.......................................

Computer Name: OLDDC
DNS Host Name: oldDC.domain.local
System info : Microsoft Windows Server 2003 (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 3, GenuineIntel

Netcard queries test . . . . . . . : Passed

Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : oldDC.domain.local
IP Address . . . . . . . . : 192.168.1.100
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.1.1
Primary WINS Server. . . . : 192.168.1.100
Dns Servers. . . . . . . . : 192.168.1.100

AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Passed

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{780965F0-71EE-45C9-B055-860FA64AC695}
1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.TrustedDomain.com.
re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Location._sites.gc._msdcs
.TrustedDomain.com. re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.d1042699-8022-4175-a55e-1822c
a8254b9.domains._msdcs.TrustedDomain.com. re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry 4580e03d-6c19-4aa1-bbc0-2e02e93a46db._ms
dcs.TrustedDomain.com. re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _gc._tcp.TrustedDomain.com. re-register
ation on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _gc._tcp.Location._sites.TrustedDomain.com.
re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.ForestDnsZones.TrustedDomain.com.
re-registeration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Location._sites.ForestDns
Zones.TrustedDomain.com. re-registeration on DNS server '192.168.1.100' failed.

DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry gc._msdcs.TrustedDomain.com. re-registe
ration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry ForestDnsZones.TrustedDomain.com. re-re
gisteration on DNS server '192.168.1.100' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for th
is DC on DNS server '192.168.1.100'.
[FATAL] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{780965F0-71EE-45C9-B055-860FA64AC695}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{780965F0-71EE-45C9-B055-860FA64AC695}
The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Passed
Secure channel for domain 'DOMAIN' is to '\\site2.domain.local'.

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'site2.domain.local'.
[WARNING] Failed to query SPN registration on DC 'site3.domain.local'.
[WARNING] Failed to query SPN registration on DC 'site4.domain.local'.
[WARNING] Failed to query SPN registration on DC 'site5.domain.local'.
[WARNING] Failed to query SPN registration on DC 'site6.domain.local'.
[WARNING] Failed to query SPN registration on DC 'site7.domain.local'.
[FATAL] Cannot do NTLM authenticated ldap_bind to 'newDC.domain.local': Invalid Credentials.
[FATAL] Cannot do Negotiate authenticated ldap_bind to 'newDC.domain.local': Invalid Credentials.
[WARNING] Failed to query SPN registration on DC 'newDC.domain.local'.

[WARNING] Failed to query SPN registration on DC 'otherDC'.

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information
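An added example, not from the thread: a small Python parser for netdiag /fix output like the above. It re-joins the [FATAL] lines the console wrapped (sometimes mid-word) and groups the failed DC record re-registrations by the name they hang under, the DNS server that refused them and the error code, which shows at a glance that every refusal is for a TrustedDomain.com name on 192.168.1.100 (DNS_ERROR_RCODE_NOT_IMPLEMENTED is RCODE 4, NOTIMP: the server answering for that name rejected the dynamic update outright) and none is for domain.local. The sample input is constructed from the lines above.

```python
import re
from collections import Counter
TEST_RE = re.compile(r"^[A-Za-z][\w /]*?[ .]+: (Passed|Failed|Skipped)\s*$")
FIX_RE = re.compile(r"^\[FATAL\] Failed to fix: DC DNS entry (?P<record>\S+) "
                    r"re-registeration on DNS server '(?P<server>[^']+)' failed\.$")
CODE_RE = re.compile(r"^DNS Error code: (?P<code>\w+)$")
# Constructed sample modelled on the thread's netdiag output: two console-wrapped
# [FATAL] lines (the second split mid-word) and a stray blank line before a code.
SAMPLE = """\
DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.TrustedDomain.com.
re-registeration on DNS server '192.168.1.100' failed.
    DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Location._sites.ForestDns
Zones.TrustedDomain.com. re-registeration on DNS server '192.168.1.100' failed.

    DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
"""

def unwrap(text):
    """Re-join [..] messages wrapped at the console width, possibly mid-word: a continuation
    follows a [..] line and is not a test header, a [..] line or a 'DNS Error code' line."""
    out = []
    for s in filter(None, map(str.strip, text.splitlines())):
        if (out and out[-1].startswith("[") and not s.startswith("[")
                and not TEST_RE.match(s) and not CODE_RE.match(s)):
            # Glue with a space only after a sentence end; otherwise the wrap split a word.
            out[-1] += (" " if out[-1][-1] in ".'" else "") + s
        else:
            out.append(s)
    return out

def parent_name(record):
    """Name after the last underscore label (_ldap, _tcp, _msdcs ...): the zone the record hangs under."""
    labels = record.rstrip(".").split(".")
    last = max([i for i, lab in enumerate(labels) if lab.startswith("_")] + [-1])
    return ".".join(labels[last + 1:])

def failed_registrations(text):
    """One dict per 'Failed to fix: DC DNS entry' line plus the error code on the line after it."""
    lines, out = unwrap(text), []
    for i, line in enumerate(lines):
        if m := FIX_RE.match(line):
            nxt = CODE_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
            out.append({"record": m["record"], "server": m["server"],
                        "parent": parent_name(m["record"]), "code": nxt["code"] if nxt else None})
    return out

def summarise(failures):
    """Failures per (parent name, DNS server, error code): local zone or a foreign one?"""
    return Counter((f["parent"], f["server"], f["code"]) for f in failures)
```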
 
I don't understand why those DNS errors are talking about trusteddomain.com. What is trusteddomain.com? Do you have a trust to another domain?

Also the invalid credentials are weird, I assume you are logged on as an administrative user?

Does newdc show up under the domain controllers container in active directory users and computers?
Does newdc show in the AD Sites and Services console?

Use this just to check that the srv records for the newdc are in place, I would have expected an error if they weren't though;


Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
Yes, my domain has a trusted domain; for security reasons I have changed the name of that domain to TrustedDomain. Obviously there's something not quite right with the trust, but that shouldn't affect me setting up a new DC on my domain, should it?

I am logged in with the domain administrator account I always use.

The NewDC is in the Domain Controllers OU in the AD, however I vaguely remember manually moving it there, but I might be wrong.

NewDC is showing in the Sites and Services, it is NOT a Global Catalog (but OldDC is) server and under NTDS settings it previously had nothing, I manually added the same AD connections as OldDC has, however it doesn't seem to make any difference.

Looking at Microsoft page you posted:

In DNS zone "domain" I have the path _msdcs/dc/_sites/default-first-site-name/_tcp, but only one server (which I don't administer) listed for the _kerberos and _ldap SRV records.

For DNS zone "domain.local" I don't have the subpath /default-first-site-name, but I have my various sites with subpaths _tcp and they all have their appropriate _ldap and _kerberos servers. For my own site/location both oldDC and newDC are listed for both _kerberos and _ldap.
 
Oh, it was that trusteddomain bit that was confusing me; now that I know what it is I will ignore it for the moment.

Sounds like you have all the proper DNS records then. Let's get back to basics;

On olddc can you ping
newdc
newdc.domain.local
olddc
olddc.domain.local

When you can log into newdc in safe mode try and ping the above names from there
Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
Pings work fine from oldDC.

I was supposed to check safe mode yesterday but got tied up with other things all day; won't have physical access to the server until next week, unfortunately.

But I am guessing ping will work just fine, I mean, I can RDP (but not login) to newDC and I can remote manage it.
 
Well, I should have read your last post more carefully, Pagy, in regards to "back to basics". I rebooted the OldDC this weekend for some updates and what do you know... NewDC is working now.

I don't know what to say...bloody Microsoft.
 