spectrum48k

lovely, ta.

Hanley

Let us know how you get on

spectrum48k

hmmmm, results of DCDIAG run on the old DC clearly shows problems I wasn't aware of...

Could I add at this point that DC2 was the name of a test server I put together and have since removed from the LAN. Sounds like there's some remanants kicking around that I may need to remove. Let me know your comments.

-------------------------------------------------------------------

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site\SERVER
Starting test: Connectivity
......................... SERVER passed test Connectivity

Doing primary tests

Testing server: Default-First-Site\SERVER
Starting test: Replications

[Replications Check,SERVER] A recent replication attempt failed:
From DC2 to SERVER
Naming Context: CN=Schema,CN=Configuration,DC=GKC,DC=LOCAL
The replication generated an error (1396):
Logon Failure: The target account name is incorrect.
The failure occurred at 2009-02-20 13:48.34.
The last success occurred at 2009-01-24 09:53.41.
622 failures have occurred since the last success.
Kerberos Error.
The Service Principal Name for DC2.
is not registered at the KDC (usually SERVER).
Verify domain partition of KDC is in sync with rest of enterprise.
The tool repadmin/syncall can be used for this purpose.

[Replications Check,SERVER] A recent replication attempt failed:
From DC2 to SERVER
Naming Context: CN=Configuration,DC=GKC,DC=LOCAL
The replication generated an error (1396):
Logon Failure: The target account name is incorrect.
The failure occurred at 2009-02-20 13:48.34.
The last success occurred at 2009-01-24 09:53.41.
622 failures have occurred since the last success.
Kerberos Error.
The Service Principal Name for DC2.
is not registered at the KDC (usually SERVER).
Verify domain partition of KDC is in sync with rest of enterprise.
The tool repadmin/syncall can be used for this purpose.

[Replications Check,SERVER] A recent replication attempt failed:
From DC2 to SERVER
Naming Context: DC=GKC,DC=LOCAL
The replication generated an error (1396):
Logon Failure: The target account name is incorrect.
The failure occurred at 2009-02-20 13:48.33.
The last success occurred at 2009-01-24 09:53.41.
622 failures have occurred since the last success.
Kerberos Error.
The Service Principal Name for DC2.
is not registered at the KDC (usually SERVER).
Verify domain partition of KDC is in sync with rest of enterprise.
The tool repadmin/syncall can be used for this purpose.

REPLICATION LATENCY WARNING
SERVER: A full synchronization is in progress
from DC2 to SERVER
Replication of new changes along this path will be delayed.
The full sync is 57.77% complete.

REPLICATION LATENCY WARNING
SERVER: A full synchronization is in progress
from DC to SERVER
Replication of new changes along this path will be delayed.
The full sync is 57.75% complete.

......................... SERVER passed test Replications
Starting test: NCSecDesc
......................... SERVER passed test NCSecDesc
Starting test: NetLogons
......................... SERVER passed test NetLogons
Starting test: Advertising
......................... SERVER passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SERVER passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SERVER passed test RidManager
Starting test: MachineAccount
......................... SERVER passed test MachineAccount
Starting test: Services
......................... SERVER passed test Services
Starting test: ObjectsReplicated
......................... SERVER passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... SERVER passed test frssysvol
Starting test: kccevent
An Error Event occured. EventID: 0xC000066D
Time Generated: 02/20/2009 14:16:31
Event String: The Directory Service received a failure while

An Error Event occured. EventID: 0xC000066D
Time Generated: 02/20/2009 14:22:22
Event String: The Directory Service received a failure while

......................... SERVER failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 02/20/2009 13:50:06
Event String: Driver SHARP MX-2300N PCL6 required for printer

An Error Event occured. EventID: 0x00000452
Time Generated: 02/20/2009 13:50:06
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 02/20/2009 13:50:14
Event String: Driver Sharpdesk Composer required for printer

An Error Event occured. EventID: 0x00000452
Time Generated: 02/20/2009 13:50:14
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 02/20/2009 14:11:55
Event String: Driver SHARP MX-2300N PCL6 required for printer

An Error Event occured. EventID: 0x00000452
Time Generated: 02/20/2009 14:11:55
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 02/20/2009 14:12:00
Event String: Driver Sharpdesk Composer required for printer

An Error Event occured. EventID: 0x00000452
Time Generated: 02/20/2009 14:12:00
Event String: The printer could not be installed.
......................... SERVER failed test systemlog

Running enterprise tests on : GKC.LOCAL
Starting test: Intersite
......................... GKC.LOCAL passed test Intersite
Starting test: FsmoCheck
......................... GKC.LOCAL passed test FsmoCheck


--------------------------------------------------------------------

Hanley

Can I just check your server names here?

DC
SERVER
DC2

Which is which?

If you have an old server in there you can use NTDSUTIL to do a metadata cleanup see How to remove data in Active Directory after an unsuccessful domain controller demotion

Hanley

Okay, just read it closer....I'm assuming the following:

SERVER - this is your current Win2K domain controller
DC2 - the old DC you've since removed (did you use dcpromo to remove AD)
DC - this is your new 2K3 domain controller

Is that right?

Kieran_Burns

iTrader: (1)

This one will benefit everyone:

https://support.quest.com/Portal/Log...ge%3Ddownloads

download the AD software and install it. It picks up and removes lingering objects amongst its MANY other talents. A truly stupendous piece of software, just a pity it's so damn expensive! (you do however get a free trial and the free windows software is very useful)

spectrum48k

Correct

And to answer your question, no I didn't use DCPROMO to to remove AD from DC2

Hanley

In that case you need to do a metadata cleanup to remove all traces of DC from AD.

Use the guide above, it's fairly straightforward.

spectrum48k

Kieran, that links requires registration to access it. Can you name the product in question ? I'll look into it.

spectrum48k

is it easier to plug in dc2 again and remove its domain controller role ?

Hanley

No, just use ntdsutil....if you plug DC2 in you may introduce lingering objects (depending on how long it's been offline)...unless you get the software above

Seriously it's much easier to use ntdsutil...if you get stuck then one of us will help

Kieran_Burns

iTrader: (1)

A tribe called QUEST

Any old reg info will do - trust me it's worth it. We trialled it and spent thousands on the product it's so good

Download the free windows one and see what it shows you. The AD one sorted out a lingering objects issue we'd had for AGES in 5 minutes flat.

spectrum48k

Ok here's the new DCDIAG.TXT, after using NTDSUTIL and going through everything...

----------------------------------------------------

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site\SERVER
Starting test: Connectivity
......................... SERVER passed test Connectivity

Doing primary tests

Testing server: Default-First-Site\SERVER
Starting test: Replications
REPLICATION LATENCY WARNING
SERVER: A full synchronization is in progress
from DC to SERVER
Replication of new changes along this path will be delayed.
The full sync is 57.40% complete.
......................... SERVER passed test Replications
Starting test: NCSecDesc
......................... SERVER passed test NCSecDesc
Starting test: NetLogons
......................... SERVER passed test NetLogons
Starting test: Advertising
......................... SERVER passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SERVER passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SERVER passed test RidManager
Starting test: MachineAccount
......................... SERVER passed test MachineAccount
Starting test: Services
......................... SERVER passed test Services
Starting test: ObjectsReplicated
......................... SERVER passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... SERVER passed test frssysvol
Starting test: kccevent
......................... SERVER passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 02/20/2009 16:22:30
Event String: Driver hp deskjet 990c required for printer

An Error Event occured. EventID: 0x00000452
Time Generated: 02/20/2009 16:22:30
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 02/20/2009 16:22:31
Event String: Driver Adobe PDF Converter required for printer

An Error Event occured. EventID: 0x00000452
Time Generated: 02/20/2009 16:22:31
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 02/20/2009 16:22:33
Event String: Driver

An Error Event occured. EventID: 0x00000452
Time Generated: 02/20/2009 16:22:33
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 02/20/2009 16:22:34
Event String: Driver Send To Microsoft OneNote Driver required

An Error Event occured. EventID: 0x00000452
Time Generated: 02/20/2009 16:22:34
Event String: The printer could not be installed.
......................... SERVER failed test systemlog

Running enterprise tests on : GKC.LOCAL
Starting test: Intersite
......................... GKC.LOCAL passed test Intersite
Starting test: FsmoCheck
......................... GKC.LOCAL passed test FsmoCheck


I think those printers listed, are just redundant and can be removed from the server.

Hanley

Also run DCDIAG on DC

spectrum48k

DCDIAG results on the new domain controller 'DC'

-----------------------------------------------------


Domain Controller Diagnosis

Performing initial setup:
The directory service on dc has not finished initializing.

In order for the directory service to consider itself synchronized, it must

attempt an initial synchronization with at least one replica of this

server's writeable domain. It must also obtain Rid information from the Rid

FSMO holder.

The directory service has not signalled the event which lets other services

know that it is ready to accept requests. Services such as the Key

Distribution Center, Intersite Messaging Service, and NetLogon will not

consider this system as an eligible domain controller.
The directory service on DC has not finished initializing.

In order for the directory service to consider itself synchronized, it must

attempt an initial synchronization with at least one replica of this

server's writeable domain. It must also obtain Rid information from the Rid

FSMO holder.

The directory service has not signalled the event which lets other services

know that it is ready to accept requests. Services such as the Key

Distribution Center, Intersite Messaging Service, and NetLogon will not

consider this system as an eligible domain controller.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site\DC
Starting test: Connectivity
The host 35d0cab2-ba30-4cdf-8f12-61d0387a511a._msdcs.GKC.LOCAL could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name

(35d0cab2-ba30-4cdf-8f12-61d0387a511a._msdcs.GKC.LOCAL) couldn't

be resolved, the server name (dc.GKC.LOCAL) resolved to the IP

address (10.0.0.10) and was pingable. Check that the IP address is

registered correctly with the DNS server.
......................... DC failed test Connectivity

Doing primary tests

Testing server: Default-First-Site\DC
Skipping all tests, because server DC is
not responding to directory service requests

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : GKC
Starting test: CrossRefValidation
......................... GKC passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... GKC passed test CheckSDRefDom

Running enterprise tests on : GKC.LOCAL
Starting test: Intersite
......................... GKC.LOCAL passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... GKC.LOCAL failed test FsmoCheck


that ip address mentioned at the start, 10.0.0.1, is NOT the IP address for the 'main' network card in the server. It's the IP address I gave to the slower network card, that isn't plugged into the LAN. Just to shed some light, this new DC has two network cards - one in use 192.168.0.2 and one not in use, 10.0.0.1

Hanley

run DCPROMO to remove AD (or what part of AD is installed)

Remove it from the domain

Perform a metadata cleanup on your other DC

Re-add DC to the domain and then run DCPROMO again

Something's not right

Hanley

As for the IP address you need to check the bindings and also check which connection is trying to register with DNS

spectrum48k

Will do , cheers Hanley

I'm guessing that during Windows 2003 installation, the AD and DNS roles have binded themself onto the inactive network card.

The inactive card is the integrated LAN card on the motherboard, but it only runs at 100Mbps

I've installed a Netgear GA3100 network card in there also, which runs at 1000Mbps. Thats the one I want the system to use, but looking at that DCDIAG report for the new domain controller 'DC' it may have binded to the inactive network card.

Hanley

That would explain the slow replication

I'd disable the other NIC during the install process

Let me know how you get on

hodgy0_2

just be careful ntdsutil is the IT equivelent of open heart surgery in an AD environment

but the technet article is very good

Hanley

good analogy

spectrum48k

I did disable the integreated NIC when I did the install.

Also, for some reason it didn't detect and install the netgear NIC during the install. I bet that messed things up, eh ? If it can't handle the netgear NIC, I might buy something like an Intel Pro 1000 card, which hopefully it will find and install during install.

Going off track for a sec, is it possible to get the netgear driver into the initial installation ? I know it looks for mass storage devices during the blue dos screen bit, but is it possible to get it to load the netgear driver too ?

Hanley

You don't need to mate, disable the on-board NIC in the BIOS, it will be unavailable to Windows then.

When you've installed Server 2003 install the driver for the NetGear NIC.

Then run DCPROMO to install AD and configure DNS

spectrum48k

Yeah, I disabled the integrated NIC in the BIOS, and ran the install. It didn't find any network cards. Then I installed the driver for the netgear GA311 and went from there.

I've just removed the new DC from AD and its now just a standalone server in a workgroup. For piece of mind I'm going to replace the netgear GA311 with an Intel Pro 1000 NIC and do a fresh install of WIn2k3. I'll give it a new name and static IP, so's not to confuse any remnants left on the main DC (there shouldn't be any after NTSDUTIL!)

the main DC is passing its DCDIAG tests so everything looks prepped and ready. I'll report back on Tues if there's any probs. Thanks for your help Hanley (and everyone else)

Hanley

It's all good practice mate

Good luck