spectrum48k

situation so far...
We have an existing domain of 20 workstations, with a windows 2000 SP4 domain controller. The DC also handles DNS for the domain. This machine is getting old and needs to be retired over the next year.

We decided to add a second domain controller, runnig win2k3. We have a spare computer, dual core, 3GHz, 3GB along with original copy of Win2k3 Standard Edition.

I prepped the old Windows 2000 DC inline with Microsoft's suggestion, using ADPREP /forest and /domain from the Win2k3 install CD.

The first attempt I had at installing Win2k3 seemed to go well, up to the point I added the domain controller role, which told me it finished successfully. Upon close inspection, DCDIAG reported an inability to syncronize with the old DC. It appeared I hadn't disabled the integrated NIC and some services had binded to it, instead of the additional gigabit NIC I fitted for that purpose. So I removed the new DC role and cleaned up the old DC using the NTSDUtil, getting rid of any meta-date.

Current Situation...
So the onboard NIC has been disabled, the Intel Pro 1000 NIC has been installed so yesterday I proceeded to install Win2k3 from scratch using a new static IP and NETBIOS name for the new DC. EVerything went well, so I added the machine to the domain, added the Domain Controller role which finished successfully. Quick look at DCDIAG revealed the new DC can't syncronize with the old DC...

DCDIAG Win2k (old DC)
--------------------------------------------------------------------------


Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site\SERVER
Starting test: Connectivity
......................... SERVER passed test Connectivity

Doing primary tests

Testing server: Default-First-Site\SERVER
Starting test: Replications
REPLICATION LATENCY WARNING
SERVER: A full synchronization is in progress
from DOMAINCONTROL to SERVER
Replication of new changes along this path will be delayed.
The full sync is 48.83% complete.
......................... SERVER passed test Replications
Starting test: NCSecDesc
......................... SERVER passed test NCSecDesc
Starting test: NetLogons
......................... SERVER passed test NetLogons
Starting test: Advertising
......................... SERVER passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SERVER passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SERVER passed test RidManager
Starting test: MachineAccount
......................... SERVER passed test MachineAccount
Starting test: Services
......................... SERVER passed test Services
Starting test: ObjectsReplicated
......................... SERVER passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... SERVER passed test frssysvol
Starting test: kccevent
......................... SERVER passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 02/25/2009 10:48:20
Event String: Driver hp deskjet 990c required for printer

An Error Event occured. EventID: 0x00000452
Time Generated: 02/25/2009 10:48:20
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 02/25/2009 10:48:22
Event String: Driver Adobe PDF Converter required for printer

An Error Event occured. EventID: 0x00000452
Time Generated: 02/25/2009 10:48:22
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 02/25/2009 10:48:23
Event String: Driver An Error Event occured. EventID:

0x00000452
Time Generated: 02/25/2009 10:48:23
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 02/25/2009 10:48:24
Event String: Driver Send To Microsoft OneNote Driver required

An Error Event occured. EventID: 0x00000452
Time Generated: 02/25/2009 10:48:24
Event String: The printer could not be installed.
......................... SERVER failed test systemlog

Running enterprise tests on : GKC.LOCAL
Starting test: Intersite
......................... GKC.LOCAL passed test Intersite
Starting test: FsmoCheck
......................... GKC.LOCAL passed test FsmoCheck



DCDIAG from Wink3 (new DC)
--------------------------------------------------------------------------


Domain Controller Diagnosis

Performing initial setup:
The directory service on domaincontrol has not finished initializing. In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with at least one replica of this server's writeable domain. It must also obtain Rid information from the Rid FSMO holder. The directory service has not signalled the event which lets other services know that it is ready to accept requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not consider this system as an eligible domain controller.
The directory service on DOMAINCONTROL has not finished initializing. In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with at least one replica of this server's writeable domain. It must also obtain Rid information from the Rid FSMO holder. The directory service has not signalled the event which lets other services know that it is ready to accept requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not consider this system as an eligible domain controller.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site\DOMAINCONTROL
Starting test: Connectivity
The directory service on DOMAINCONTROL has not finished initializing. In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with at least one replica of this server's writeable domain. It must also obtain Rid information from the Rid FSMO holder. The directory service has not signalled the event which lets other services know that it is ready to accept requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not consider this system as an eligible domain controller.
......................... DOMAINCONTROL passed test Connectivity

Doing primary tests

Testing server: Default-First-Site\DOMAINCONTROL
Starting test: Replications
[Replications Check,DOMAINCONTROL] A recent replication attempt failed:
From SERVER to DOMAINCONTROL
Naming Context: DC=GKC,DC=LOCAL
The replication generated an error (8442):
The replication system encountered an internal error.
The failure occurred at 2009-02-25 10:38:25.
The last success occurred at (never).
136 failures have occurred since the last success.
A serious error is preventing replication from continuing.
Consult the error log for further information.
If a particular object is named, it may be necessary to manually
modify or delete the object.
If the condition persists, contact Microsoft Support.
REPLICATION LATENCY WARNING
DOMAINCONTROL: A full synchronization is in progress
from SERVER to DOMAINCONTROL
Replication of new changes along this path will be delayed.
The full sync is 0.00% complete.
......................... DOMAINCONTROL passed test Replications
Starting test: NCSecDesc
......................... DOMAINCONTROL passed test NCSecDesc
Starting test: NetLogons
......................... DOMAINCONTROL passed test NetLogons
Starting test: Advertising
Warning: the directory service on DOMAINCONTROL has not completed initial synchronization.
Other services will be delayed.
Verify that the server can replicate.
Warning: DsGetDcName returned information for \\server.GKC.LOCAL, when we were trying to reach DOMAINCONTROL.
Server is not responding or is not considered suitable.
......................... DOMAINCONTROL failed test Advertising
Starting test: KnowsOfRoleHolders
......................... DOMAINCONTROL passed test KnowsOfRoleHolders
Starting test: RidManager
Warning: attribute rIdSetReferences missing from CN=DOMAINCONTROL,OU=Domain Controllers,DC=GKC,DC=LOCAL
Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
......................... DOMAINCONTROL failed test RidManager
Starting test: MachineAccount
......................... DOMAINCONTROL passed test MachineAccount
Starting test: Services
......................... DOMAINCONTROL passed test Services
Starting test: ObjectsReplicated
......................... DOMAINCONTROL passed test ObjectsReplicated
Starting test: frssysvol
......................... DOMAINCONTROL passed test frssysvol
Starting test: frsevent
......................... DOMAINCONTROL passed test frsevent
Starting test: kccevent
An Warning Event occured. EventID: 0x80000495
Time Generated: 02/25/2009 10:29:59
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000043C
Time Generated: 02/25/2009 10:29:59
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC025083C
Time Generated: 02/25/2009 10:29:59
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000495
Time Generated: 02/25/2009 10:38:25
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000043C
Time Generated: 02/25/2009 10:38:25
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC025083C
Time Generated: 02/25/2009 10:38:25
(Event String could not be retrieved)
......................... DOMAINCONTROL failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 02/25/2009 10:39:06
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 02/25/2009 10:39:06
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 02/25/2009 10:39:07
(Event String could not be retrieved)
......................... DOMAINCONTROL failed test systemlog
Starting test: VerifyReferences
......................... DOMAINCONTROL passed test VerifyReferences

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : GKC
Starting test: CrossRefValidation
......................... GKC passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... GKC passed test CheckSDRefDom

Running enterprise tests on : GKC.LOCAL
Starting test: Intersite
......................... GKC.LOCAL passed test Intersite
Starting test: FsmoCheck
......................... GKC.LOCAL passed test FsmoCheck



So intead of bugging everyone on here, I did some research on the web, downloaded the support tools for each server and ran REPLMON on each. Interestingly the old DC comes through all the REPLMON reports successfully.

When REPLMON is run on the new DC, it passes it's checks on 2 of the 3 sections. It fails on this...

DC=GKC, DC=LOCAL
Default First Site\Server
Replication failure: changes have not been successfully replicated from SERVER for 51 attempts
Replication failure: the replication system encountered an internal error


I'm just not sure what I should check next ?

I haven't got a DNS server running on the new DC - when I added the Domain Controller role nothing was mentioned about DNS so I assumed it wasn't neccessary at this stage.

I've checked the event viewer on the new DC and there's no problems in the File Replication section. If I look in Active Directory there's lots of repeated errors like this:
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1084
Date: 25/02/2009
Time: 11:29:25
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DOMAINCONTROL
Description:
Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller.

Object:
CN=,CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=G KC,DC=LOCAL
Object GUID:
ab3fc985-ef1f-4384-9dda-330a2ca2a062
Source domain controller:
ce5a8212-3eaf-4dde-a915-f21f04c50bb4._msdcs.GKC.LOCAL

Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected.

This operation will be tried again at the next scheduled replication.

User Action
Restart the local domain controller if this condition appears to be related to low system resources (for example, low physical or virtual memory).

Additional Data
Error value:
8442 The replication system encountered an internal error.

For more information, see Help and Support Center at Events and Errors Message Center: Basic Search.

Hanley

Hi mate

So what you're left with now is not too bad, you just have 1 problem I believe which is stopping replication from completing.

The 1084 error is because the DC cannot write a transactional change to the local copy of the active directory database.

Couple of things to check:

Check there is sufficient disk space on the partition holding the AD database (normally C:\Windows\NTDS)

Also check you haven't got NTFS compression turned on for the system disk

Have you got anti-virus software running? If so you need to exclude C:\Windows\NTDS

Cheers

Hanley

spectrum48k

Hi Hanley - great to hear back from you!

Checked disk space - the server has 2GB left on the C:\ drive. I assume that's enough ? The server is old remember and it's c:\ drive is 17GB total.

Checked anti-virus - All previously disabled by me.

Checked NTFS compression - always has been turned off on C:\ and D:\

Hanley

Take a look here mate

Event ID 2108 and Event ID 1084 occur during inbound replication of Active Directory in Windows 2000 Server and in Windows Server 2003

Scroll down to Method 1 and start from there

Hanley

After you complete each step you wil need to use REPLMON to retry replication and monitor the event log

spectrum48k

Ok

1. I moved folders from the c and d drives on the old DC to a temp location to free up 5GB of space on each drive. Checked REPLMON - made no difference

2. I went into LDP to force the Security Descriptor Propagator to rebuild the object container. Checked REPLMON - made no difference

This next one I'm a bit unsure about how to implement...

3. The problem may be related to the object's parent on this domain controller. On the source domain controller, move the object to have a different parent.

This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.

Object:
CN=,CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=G KC,DC=LOCAL
Object GUID:
ab3fc985-ef1f-4384-9dda-330a2ca2a062
Source domain controller:
ce5a8212-3eaf-4dde-a915-f21f04c50bb4._msdcs.GKC.LOCAL

--------------------------------------------------------------------------

Also I was checking through this guide and can't find the 4 SRV records in the DNS server. Can you shed any light on this:
How to Install a Replica DC in an Existing AD Domain on Windows Server 2003

spectrum48k

I'm currently working through this Technet article which explains how to recover from the 1084 error mentioned above. It suggests going into LDP and deleteing the GUID mention in the 1084 error, but it won't let me delete it!

Technet article here:
Deploying Active Directory for Branch Office Environments

Its the section headed:
The replication system encountered an internal error

I'm trying to the remove the object referenced in the Event Log, but it won't let me delete it saying "unwilling to perform", "Operation not allowed through GC port,data0, v893.

Here's what the technet article says





To recover from this error, perform the following actions:

Locate the last event ID 1084 in the event log. Select the GUID of the failed object (in the example: 66aab46a-2693-4825-928f-05f6cd12c4e6), and select Copy.

Run Ldp.exe and connect to the local domain controller (for example, 10.10.20.1)

Bind with administrator privileges to the local directory.

Select Browse, and then select Delete

Enter <GUID=66aab46a-2693-4825-928f-05f6cd12c4e6> as the domain controller, and then delete this entry.

If the error occurred when the domain controller tried to create the replication link, run repadmin /kcc at the command prompt.

Hanley

If I'm reading this correctly you should be trying to delete the object ab3fc985-ef1f-4384-9dda-330a2ca2a062 on the source domain controller? That would be your Windows 2000 DC - is that were you're attempting to do the deletion?

Is this your original DC? ce5a8212-3eaf-4dde-a915-f21f04c50bb4._msdcs.GKC.LOCAL

As for the 4 service records that's because the DC hasn't completed it's first replication and is not yet advertising the services it can perform.

Hanley

Just noticed this from the DCDIAG on your first DC

Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... SERVER passed test frssysvol
Starting test: kccevent
......................... SERVER passed test kccevent

Have you checked this?

Hanley

What domain and forest functional level are you running...if required did you run ADPREP on your existing DC to allow a 2003 DC?? (I assume it wasn't required as you probably would have got an error when you ran DCPROMO on your 2003 DC)

Might seem like a stupid question but this is something that could be easily checked when troubleshooting onsite but sometimes it's difficult doing all this remotely

Hanley

This info may be useful reading

How to upgrade Windows 2000 domain controllers to Windows Server 2003

Scroll half way down the page until you see the section titled:

Overview: Upgrading Windows 2000 domain controllers to Windows Server 2003

Stealth

iTrader: (4)

Is your current DC set to Native or misxed mode? I don't think replication will occure if you try and shove a 2003DC in to a 2000 Native domain.

have you checked all permissions? Silly question but has the new server actually been moved i nto the right OU in the 2000AD (just a thought)

Stealth

iTrader: (4)

Is your current DC set to Native or misxed mode? I don't think replication will occure if you try and shove a 2003DC in to a 2000 Native domain.

have you checked all permissions? Silly question but has the new server actually been moved i nto the right OU in the 2000AD (just a thought)

Oh and what version of Windows 2003 did you install?? RC2? this is the Version with two disks, and amazingly, two versions of Ad-prep... you need to run Ad-prep from the 2nd disk, not the second disk for it to work successfully!

spectrum48k

I can't seem to shed any light on it. We don't use SYSVOL for anything at present?

spectrum48k

ah, I thought it meant delete them from the Win2k3 DC. I'll go back and delete from the WIn2k server

Yes, its the original (Win2k) server

spectrum48k

ran ADPREP /forestprep
ran ADPREP /domainprep

made sure the win2k server had sp4

Didn't get an error when I promoted the Win2k3 to additional DC. It was only when I checked DCDIAG and syslogs that I realised something was up.

spectrum48k

how do I check this Hanley ?

spectrum48k

remember I'm not upgrading the server from 2000 to 2003, I'm adding a win2k3 DC to a domain that already uses a Win2k DC.

Stealth

iTrader: (4)

Again, which windows 2003 are you using?? Is it RC2 ?

Hanley

Nothing in the logs?

Hanley

Good question regarding Native or Mixed.

I think running DCPROMO automatically moves the computer account in the DC OU

Any more thoughts / ideas??

I'm thinking it's definately related to Win 2000 / Win 2003 combination, or more having a 2003 DC on a 2000 functional domain

Hanley

Open Active Directory Users and Computers, right click your domain name and select properties.

You will see the Domain and Forest functional levels

Hanley

I think you may have got your Native and Mixed the wrong way round mate.

2000 Mixed mode is predominantly to offer legacy support and replication to NT4, it effectively acts an old style PDC.

2000 Native mode is where you should be. This allows you to use universal groups, nest groups within groups and removes the limit to the number of objects AD can support, enables multimaster replication, kerberos authentication etc etc. You can still have NT4.0 or 98 clients but they'll need the AD client tool.

spectrum48k

Standard Edition, Sp2

spectrum48k

Domain Operation Mode:
Native Mode (No pre-Windows 2000 Domain COntrollers)

Hanley

I know that, read the first paragraph in the link

This article discusses how to upgrade Microsoft Windows 2000 domain controllers to Microsoft Windows Server 2003 and how to add new Windows Server 2003 domain controllers to Windows 2000 domains.

spectrum48k

Nothing in the logs about this - the machine passes this section of DCDIAG, so I can only assume it's nothing major.

Hanley

Refer to the document above and go through each step on the section that begins

Overview: Upgrading Windows 2000 domain controllers to Windows Server 2003
The Windows Server 2003 adprep command that you run from the \I386 folder of the Windows Server 2003 media prepares a Windows 2000 forest and its domains for the addition of Windows Server 2003 domain controllers. The Windows Server 2003 adprep /forestprep command adds the following features:

phoenixgold

iTrader: (2)

Would it not be easier to introduce the new machine as a windows 2000DC, transfer the FSMO roles and then upgrade to 2003 ?

Hanley

I think that's a matter of opinion...it's a very straightforward procedure to install a 2003 DC into a 2K infrastructure and to start the process of decommissioning the 2K kit and raising the forest and domain functional levels.

But as with anything....problems are sometimes encountered