Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

DCpromo issue. Health check on AD and group policy. [message #156954] Sat, 27 June 2009 17:07
ITTeamQueensbridgebha
Hi Folks

We have 3 domain controllers all running Windows 2003 (DC with FSMO roles
has SP1 and the other 2 have SP2). One of the SP2 DCs is about to suffer an
imminent hard drive failure and I wanted to decommission it before it dies.
We have also had intermittent issues with some workstations on the domain not
picking up policies and correctly logging people on. I suspect that these
workstations are trying to authenticate to this problem DC and the
communication between the two isn't happening, hence why users can't get their
settings and policies are not being applied.

The problem is I tried to DCpromo this server yesterday and couldn't remove
it as a DC. When I ran dcpromo it seemed like it was going to decommission
itself until I got the following error:

The operation failed because: Active Directory could not configure the
computer account SERVER$ on the remote domain controller
firstDCindomain.domain.com. "Access is denied."
Specify an account with Enterprise Adminstrator privileges to the forest,
home.domain.com.

I have checked this. I keep getting the same error message over and over. It's
odd because I have done various promotions and decommissions of DCs and never
had this trouble in the past. In fact a year ago I had to decommission this
exact server and repromote this exact server after some maintenance and never
had a problem.

My worry is I have got a feeling that either Active Directory may be in a
slight mess or it's related to group policy objects. I have seen a few issues
appearing on some of our workstations which relate to not picking up gpo
objects and gpo.ini.

I have read that I can do a dcpromo/force removal and this is likely to
work. My worry is this could cause issues as I have to use a util called
ntdsutil to clear out Active Directory. This sounds scary and I am not
comfortable with doing this method in case I make the problem worse.

Is there something I could run which could check Active Directory and group
policy for all the DCs to help me identify the problem? I have run dcdiag on
all 3 domain controllers and the problem server did bring up more issues than
the other 2, and it was pointing to the File Replication Service and
replication issues. It's like it cannot communicate with the other DCs. I
have manually tried to do replication through Sites and Services and this
works without any errors.

So I am confused. Has anyone suffered this issue?

Please help!
RE: DCpromo issue. Health check on AD and group policy. [message #156955 is a reply to message #156954] Sat, 27 June 2009 19:05
Garry Starck-MCITP En
Hi IT Team @ Queensbridge.bham.sch.uk

Before I go on, are you logging on with a user account that is part of the
Enterprise Admins group, or at the least a domain admin account of the domain
in question? Can you please post more data from the following commandline
utils:

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag /v > c:\netdiag.log (On each dc)
-> repadmin /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"


Try running MS Sonar to check your SYSVOL replication status. Download Sonar @
http://www.microsoft.com/downloads/details.aspx?FamilyID=158cb0fb-fe09-477c-8148-25ae02cf15d8&displaylang=en

Use Sonar to check if the SYSVOLs (File Replication Service) are replicating.
Sometimes if you update a GPO on a DC, the GPO points to a GPT.INI file in
the SYSVOL, and if the faulting DC is not replicating FRS (SYSVOL), but AD
is replicating, then the actual data that AD's GPO object loads is
outdated. --- SO: CHECK the FRS service's event logs under Computer Management.

Run REPADMIN /replsum to ascertain AD replication status.

If AD is replicated (converged), has the FRS (SYSVOL) completed replication? Check
DC1, 2 and 3's SYSVOL size on each DC. They should be the same size.

Does the FRS event log have an event along the lines of a "Journal Wrap"
etc.? If so, on the faulting DC, you could follow
http://support.microsoft.com/kb/316790 (the D2 option, not D4), and restart
the FRS service.

Has the faulting DC time-synced with the other 2 "GOOD" DCs?

Have you logged on recently and not just unlocked the DC?

If all of the above does not help, remove the DC from the network physically, and
manually remove the DC by following
http://support.microsoft.com/default.aspx/kb/216498

What gives you the idea that the hard drive is going to crash? Any Event ID
etc.?

I would ensure that the SYSVOL on the 2 good DCs is fine and most up to date.
I would copy the SYSVOL from the faulty DC to a safe location in case you
realise that one or 2 GPOs were directly modified/created on the faulty DC
(just in case).
I would try logging off then on with an account that has enterprise rights to
the faulty DC. Then try DCPROMO out of AD. If still not working, then run
NTDSUTIL as previously proposed. But please do rather post the
DCDIAG/NETDIAG/REPADMIN results before, in case this is something minor.
Regards

--
Garry Starck
MCITP Enterprise Administrator, MCTS AD, MCSE 2003 Messaging, MCDBA
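The GPT.INI point in the reply above (AD converged while SYSVOL on one DC is stale) can be checked more precisely than by comparing SYSVOL sizes. The following is an added example, not part of any post in this thread: it compares the `Version=` value of every GPO's GPT.INI across several SYSVOL copies. The share paths in the comment and all version numbers in the sample are assumptions; `bart`, `lisa` and `ned` are the DC names that appear later in the thread.

```python
import configparser
import re
import tempfile
from pathlib import Path

GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def read_gpt_version(gpo_dir):
    """Return the integer Version= from a GPO folder's GPT.INI, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        gpt = next((f for f in gpo_dir.iterdir() if f.name.lower() == "gpt.ini"), None)
        if gpt is None:
            return None
        parser.read_string(gpt.read_text(encoding="utf-8-sig", errors="replace"))
    except (OSError, configparser.Error):
        return None
    for section in parser.sections():
        if section.lower() == "general":
            try:
                # configparser lowercases option names, so "Version" becomes "version"
                return int(parser[section].get("version", ""))
            except ValueError:
                return None
    return None


def split_version(version):
    """GPT.INI packs two counters: user settings (high 16 bits), computer settings (low 16 bits)."""
    return version >> 16, version & 0xFFFF


def collect_versions(sysvol_roots):
    """Map GPO GUID -> {dc: version} for every GPO folder found under <root>/Policies."""
    table = {}
    for dc, root in sysvol_roots.items():
        policies = Path(root) / "Policies"
        if not policies.is_dir():
            continue
        for entry in policies.iterdir():
            if entry.is_dir() and GUID_DIR.match(entry.name):
                table.setdefault(entry.name.upper(), {})[dc] = read_gpt_version(entry)
    return table


def find_mismatches(sysvol_roots):
    """Return the GPOs whose GPT.INI version is not identical on every DC (None = missing)."""
    mismatches = {}
    for guid, per_dc in sorted(collect_versions(sysvol_roots).items()):
        row = {dc: per_dc.get(dc) for dc in sysvol_roots}
        if len(set(row.values())) > 1:
            mismatches[guid] = row
    return mismatches


def build_sample(base):
    """Constructed SYSVOL copies for three DCs; every version number here is made up."""
    default_domain = "{31B2F340-016D-11D2-945F-00C04FB984F9}"  # Default Domain Policy GUID
    constructed = "{11111111-2222-3333-4444-555555555555}"      # constructed GPO GUID
    layout = {
        "bart": {default_domain: 65539, constructed: 7},
        "lisa": {default_domain: 65539, constructed: 7},
        "ned": {default_domain: 65537},  # stale copy, and the second GPO never arrived
    }
    roots = {}
    for dc, gpos in layout.items():
        roots[dc] = Path(base) / dc / "domain"
        for guid, version in gpos.items():
            folder = roots[dc] / "Policies" / guid
            folder.mkdir(parents=True)
            (folder / "GPT.INI").write_text("[General]\nVersion=%d\n" % version)
    return roots


if __name__ == "__main__":
    # Against live DCs the roots would be the SYSVOL shares, for example (assumed paths):
    #   {"bart": r"\\bart\SYSVOL\queensbridge.pri", "ned": r"\\ned\SYSVOL\queensbridge.pri"}
    with tempfile.TemporaryDirectory() as tmp:
        for guid, row in find_mismatches(build_sample(tmp)).items():
            print(guid)
            for dc, version in row.items():
                detail = "missing" if version is None else "user=%d computer=%d" % split_version(version)
                print("  %s: %s" % (dc, detail))
```

A GPO that shows an older version or is missing on exactly one DC points at FRS on that DC, which is the situation the reply describes.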
Re: DCpromo issue. Health check on AD and group policy. [message #156959 is a reply to message #156954] Sat, 27 June 2009 20:40
aceman

Hello IT Team,

Garry gave you plenty of useful information to help you with this. And as he
stated, if you need to simply remove it if you can't get it to work, make
sure you follow that article he posted to remove its reference from the AD
database using ntdsutil after you unplug it. This is important if you unplug
the machine and never expect to return it before promoting anything new into
the domain.

I would like to add, that the lack of this DC replicating, or the ability to
remove it by the normal process of using dcpromo, can be due to numerous
factors. This may also cause problems with your other existing DCs.

Things that can cause AD problems:

1. Multihomed DC (DC has more than one NIC and/or IP, which is NOT
recommended or advised). This is due to the additional IPs registered into
DNS that will cause problems with AD communications.

2. Single label AD DNS domain name ('domain' vs the required minimum of
'domain.net,' 'domain.local,' etc).

3. Using your ISP, router or some other DNS as an address in the DC's IP
properties. Rule of thumb is to NEVER use a DNS server that does not host a
copy of the AD zone, or that does not have a reference to it such as using
Secondary zones, conditional forwarding or a stub. This rule also applies to
all machines in a domain. Only use the ISP's DNS as a Forwarder in DNS
properties.

4. Local Windows or third party firewall blocking necessary ports.

5. Firewall between Sites blocking necessary ports. (There are over 30 ports
that need to be opened in addition to the UDP Service ports - 1004 - 65536).

6. IPSec policy on the DC preventing communications.

7. RRAS installed on a DC. Not advised or recommended. This goes back to the
no-multihomed rule because of the additional IPs RRAS registers into DNS.


If you feel you can handle it with the information provided by Garry and me,
that would be great. Otherwise, if you need additional specific assistance
to get communication working, we'll need specific config info from your
machines. Please post the following information to get us started in
diagnosing this.

1. Unedited ipconfig /all from your three DCs. You can change your domain
name to hide it, but don't change the IPs or the format of the domain name,
please. Simply copy and paste it from a CMD prompt.

2. Any Event log errors from all three DCs in the app and System logs.

3. Are the DCs all in one site, or in different Sites?
If so, do you have AD Sites configured?
If so, any firewalls rules between locations?

4. What issues are you seeing on the workstations regarding GPOs? Please
post the event ID as well as an ipconfig /all of a sample workstation this
is occurring on.

Thanks,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among
responding engineers, as well as to help others benefit from your
resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Re: DCpromo issue. Health check on AD and group policy. [message #156963 is a reply to message #156954] Sun, 28 June 2009 05:51
meiweb(nospam)
Hello IT Team @ Queensbridge.bham.sch.uk,

As already stated by the others, the output from the diagnostic tools and
answers to the additional questions are really a good starting point to see
what's going on in your domain. So we are looking for the answers/outputs.

You wrote about the remove/restore of that server some time ago, maybe you
can also give some more detailed info about the way you did it.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Re: DCpromo issue. Health check on AD and group policy. [message #156970 is a reply to message #156963] Sun, 28 June 2009 10:11
ITTeamQueensbridgebha
Hi

I wasn't sure how to attach the files, so I have pasted all of the files that
were generated into this one post. It won't let me attach all files as they
are very long.

Is there a way to attach files?

Any help would be most appreciated. After running the various utils it seems
that the problem DC (NED) isn't replicating properly with the FRS. The same
server hosts DFS and that seems to be working fine, but clearly there is some
sort of replication issue.
Re: DCpromo issue. Health check on AD and group policy. [message #156971 is a reply to message #156970] Sun, 28 June 2009 10:22
aceman

I believe there is a 100k limit to attachments, but I do not remember.

You can copy and paste the data into your post, or attach them, but you have
to break them up into separate posts. Keep them as text files only (no docs,
excel or anything other than a text file in notepad). You can have the event
log errors and ipconfigs in one post, another post with a netdiag errors
only, and another post with the dcdiag errors only.

I hope that helps.

Ace
RE: DCpromo issue. Health check on AD and group policy. [message #156972 is a reply to message #156955] Sun, 28 June 2009 10:31
ITTeamQueensbridgebha
Hi

I have run the various utils as stated in my last post.

The Sonar util offered something interesting; clearly it's showing that
replication isn't happy on one of the DCs.

I have also checked to see if the user was a member of the enterprise admins
group and it was. It was actually run using the administrator account which
should have full access to everything.

Below is the output from using the sonar util. I kept it logging data for
about 5 minutes:


Thank you.
RE: DCpromo issue. Health check on AD and group policy. [message #156973 is a reply to message #156954] Sun, 28 June 2009 10:38
ITTeamQueensbridgebha
Please find attached information from dnslint file.

DNSLint Report
System Date: Fri Jun 26 16:18:04 2009
Command run:
\\techpc1\c$\dnslint\dnslint.exe /ad /s 10.122.84.58 /v
Root of Active Directory Forest:
QUEENSBRIDGE.PRI
Active Directory Forest Replication GUIDs Found:

DC: BART
GUID: 2a90b761-fac5-459a-8cd0-826a734afc1c

DC: NED
GUID: 6cb09c14-734e-44bf-b67c-30ef9d28b264

DC: LISA
GUID: ea498032-7e43-4b1a-b97a-4fbaeab64095


Total GUIDs found: 3
________________________________________
The following 3 DNS servers were checked for records related to AD forest
replication:
DNS server: ned.queensbridge.pri
IP Address: 10.122.84.58
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: ned.QUEENSBRIDGE.PRI
Hostmaster: hostmaster
Zone serial number: 467
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
lisa.queensbridge.pri 10.122.84.53
bart.queensbridge.pri 10.122.84.51
ned.queensbridge.pri 10.122.84.58
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 2a90b761-fac5-459a-8cd0-826a734afc1c._msdcs.QUEENSBRIDGE.PRI
Alias: bart.QUEENSBRIDGE.PRI
Glue: 10.122.84.51

CNAME: 6cb09c14-734e-44bf-b67c-30ef9d28b264._msdcs.QUEENSBRIDGE.PRI
Alias: ned.QUEENSBRIDGE.PRI
Glue: 10.122.84.58

CNAME: ea498032-7e43-4b1a-b97a-4fbaeab64095._msdcs.QUEENSBRIDGE.PRI
Alias: lisa.QUEENSBRIDGE.PRI
Glue: 10.122.84.53


Total number of CNAME records found on this server: 3

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0
________________________________________
DNS server: lisa.queensbridge.pri
IP Address: 10.122.84.53
UDP port 53 responding to queries: NO
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: Unknown

SOA record data from server:
Authoritative name server: Unknown
Hostmaster: Unknown
Zone serial number: Unknown
Zone expires in: Unknown
Refresh period: Unknown
Retry delay: Unknown
Default (minimum) TTL: Unknown

Total number of CNAME records found on this server: 0

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0
________________________________________
DNS server: bart.queensbridge.pri
IP Address: 10.122.84.51
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: bart.QUEENSBRIDGE.PRI
Hostmaster: hostmaster
Zone serial number: 467
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
lisa.queensbridge.pri 10.122.84.53
bart.queensbridge.pri 10.122.84.51
ned.queensbridge.pri 10.122.84.58
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 2a90b761-fac5-459a-8cd0-826a734afc1c._msdcs.QUEENSBRIDGE.PRI
Alias: bart.QUEENSBRIDGE.PRI
Glue: 10.122.84.51

CNAME: 6cb09c14-734e-44bf-b67c-30ef9d28b264._msdcs.QUEENSBRIDGE.PRI
Alias: ned.QUEENSBRIDGE.PRI
Glue: 10.122.84.58

CNAME: ea498032-7e43-4b1a-b97a-4fbaeab64095._msdcs.QUEENSBRIDGE.PRI
Alias: lisa.QUEENSBRIDGE.PRI
Glue: 10.122.84.53


Total number of CNAME records found on this server: 3

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0
________________________________________
Notes:
One or more DNS servers may not be authoritative for the domain
One or more DNS servers did not respond to UDP queries
One or more zone files may have expired
SOA record data was unavailable and/or missing on one or more DNS servers
RE: DCpromo issue. Health check on AD and group policy. [message #156974 is a reply to message #156954] Sun, 28 June 2009 10:36
ITTeamQueensbridgebha
Messages: 7
Registered: July 2009
Junior Member
Hi

Please find attached output from repl command:



repadmin running command /showrepl against server ned.QUEENSBRIDGE.PRI



Default-First-Site-Name\NED

DC Options: (none)

Site Options: (none)

DC object GUID: 6cb09c14-734e-44bf-b67c-30ef9d28b264

DC invocationID: 2b5e028e-a67f-4ed2-8ff0-b76cdd0ce4ac



==== INBOUND NEIGHBORS ======================================



==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============



DC=QUEENSBRIDGE,DC=PRI

Default-First-Site-Name\LISA via RPC

DC object GUID: ea498032-7e43-4b1a-b97a-4fbaeab64095

Address: ea498032-7e43-4b1a-b97a-4fbaeab64095._msdcs.QUEENSBRIDGE.PRI

WRITEABLE

Last attempt @ 2009-06-28 14:15:18 was successful.

Default-First-Site-Name\BART via RPC

DC object GUID: 2a90b761-fac5-459a-8cd0-826a734afc1c

Address: 2a90b761-fac5-459a-8cd0-826a734afc1c._msdcs.QUEENSBRIDGE.PRI

WRITEABLE

Last attempt @ 2009-06-28 14:45:18 was successful.



CN=Configuration,DC=QUEENSBRIDGE,DC=PRI

Default-First-Site-Name\LISA via RPC

DC object GUID: ea498032-7e43-4b1a-b97a-4fbaeab64095

Address: ea498032-7e43-4b1a-b97a-4fbaeab64095._msdcs.QUEENSBRIDGE.PRI

WRITEABLE

Last attempt @ 2009-06-28 13:56:57 was successful.

Default-First-Site-Name\BART via RPC

DC object GUID: 2a90b761-fac5-459a-8cd0-826a734afc1c

Address: 2a90b761-fac5-459a-8cd0-826a734afc1c._msdcs.QUEENSBRIDGE.PRI

WRITEABLE

Last attempt @ 2009-06-28 14:26:49 was successful.



CN=Schema,CN=Configuration,DC=QUEENSBRIDGE,DC=PRI

Default-First-Site-Name\LISA via RPC

DC object GUID: ea498032-7e43-4b1a-b97a-4fbaeab64095

Address: ea498032-7e43-4b1a-b97a-4fbaeab64095._msdcs.QUEENSBRIDGE.PRI

WRITEABLE

Last attempt @ 2009-06-27 19:51:14 was successful.

Default-First-Site-Name\BART via RPC

DC object GUID: 2a90b761-fac5-459a-8cd0-826a734afc1c

Address: 2a90b761-fac5-459a-8cd0-826a734afc1c._msdcs.QUEENSBRIDGE.PRI

WRITEABLE

Last attempt @ 2009-06-27 19:51:17 was successful.



DC=DomainDnsZones,DC=QUEENSBRIDGE,DC=PRI

Default-First-Site-Name\BART via RPC

DC object GUID: 2a90b761-fac5-459a-8cd0-826a734afc1c

Address: 2a90b761-fac5-459a-8cd0-826a734afc1c._msdcs.QUEENSBRIDGE.PRI

WRITEABLE

Last attempt @ 2009-06-28 13:56:48 was successful.

Default-First-Site-Name\LISA via RPC

DC object GUID: ea498032-7e43-4b1a-b97a-4fbaeab64095

Address: ea498032-7e43-4b1a-b97a-4fbaeab64095._msdcs.QUEENSBRIDGE.PRI

WRITEABLE

Last attempt @ 2009-06-28 13:56:51 was successful.



DC=ForestDnsZones,DC=QUEENSBRIDGE,DC=PRI

Default-First-Site-Name\BART via RPC

DC object GUID: 2a90b761-fac5-459a-8cd0-826a734afc1c

Address: 2a90b761-fac5-459a-8cd0-826a734afc1c._msdcs.QUEENSBRIDGE.PRI

WRITEABLE

Last attempt @ 2009-06-28 11:27:33 was successful.

Default-First-Site-Name\LISA via RPC

DC object GUID: ea498032-7e43-4b1a-b97a-4fbaeab64095

Address: ea498032-7e43-4b1a-b97a-4fbaeab64095._msdcs.QUEENSBRIDGE.PRI

WRITEABLE

Last attempt @ 2009-06-28 11:27:36 was successful.



==== KCC CONNECTION OBJECTS ============================================

Connection --

Connection name : 21cfcba8-d198-43a0-932e-c959a0f6ef23

Server DNS name : ned.QUEENSBRIDGE.PRI

Server DN name : CN=NTDS Settings,CN=NED,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=QUEENSBRIDGE,DC=PRI

Source: Default-First-Site-Name\BART

No Failures.

TransportType: intrasite RPC

options: isGenerated

ReplicatesNC: DC=QUEENSBRIDGE,DC=PRI

Reason: RingTopology

Replica link has been added.

ReplicatesNC: DC=ForestDnsZones,DC=QUEENSBRIDGE,DC=PRI

Reason: RingTopology

Replica link has been added.

ReplicatesNC: CN=Schema,CN=Configuration,DC=QUEENSBRIDGE,DC=PRI

Reason: RingTopology

Replica link has been added.

ReplicatesNC: CN=Configuration,DC=QUEENSBRIDGE,DC=PRI

Reason: RingTopology

Replica link has been added.

ReplicatesNC: DC=DomainDnsZones,DC=QUEENSBRIDGE,DC=PRI

Reason: RingTopology

Replica link has been added.

enabledConnection: whenChanged: 20090120040619.0Z

whenCreated: 20080604085132.0Z

Schedule:

day: 0123456789ab0123456789ab

Sun: 111111111111111111111111

Mon: 111111111111111111111111

Tue: 111111111111111111111111

Wed: 111111111111111111111111

Thu: 111111111111111111111111

Fri: 111111111111111111111111

Sat: 111111111111111111111111

Connection --

Connection name : LISA

Server DNS name : ned.QUEENSBRIDGE.PRI

Server DN name : CN=NTDS Settings,CN=NED,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=QUEENSBRIDGE,DC=PRI

Source: Default-First-Site-Name\LISA

No Failures.

TransportType: intrasite RPC

ReplicatesNC: DC=QUEENSBRIDGE,DC=PRI

Reason: RingTopology

Replica link has been added.

ReplicatesNC: DC=ForestDnsZones,DC=QUEENSBRIDGE,DC=PRI

Reason: RingTopology

Replica link has been added.

ReplicatesNC: CN=Schema,CN=Configuration,DC=QUEENSBRIDGE,DC=PRI

Reason: RingTopology

Replica link has been added.

ReplicatesNC: CN=Configuration,DC=QUEENSBRIDGE,DC=PRI

Reason: RingTopology

Replica link has been added.

ReplicatesNC: DC=DomainDnsZones,DC=QUEENSBRIDGE,DC=PRI

Reason: RingTopology

Replica link has been added.

enabledConnection: whenChanged: 20090120035119.0Z

whenCreated: 20080811073920.0Z

Schedule:

day: 0123456789ab0123456789ab

Sun: ffffffffffffffffffffffff

Mon: ffffffffffffffffffffffff

Tue: ffffffffffffffffffffffff

Wed: ffffffffffffffffffffffff

Thu: ffffffffffffffffffffffff

Fri: ffffffffffffffffffffffff

Sat: ffffffffffffffffffffffff

2 connections found.



Partition Replication Schedule Loading:

00 01 02 03 04 05 06 07 08 09 10 11

0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3

Sun: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Sun: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Mon: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Mon: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Tue: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Tue: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Wed: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Wed: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Thu: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Thu: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Fri: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Fri: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Sat: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505

Sat: 100505051005050510050505100505051005050510050505100505051005050510050505100505051005050510050505
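
The /showrepl report in the post above can be checked mechanically. This is an added example, not part of the original post and not a Microsoft tool: a small Python parser that flags a DC whose INBOUND NEIGHBORS section is empty even though KCC connection objects name source DCs. The function names and the condensed sample text are assumptions made for illustration.

```python
import re

# Condensed sample in the layout of the /showrepl output posted above
# (blank lines, Address and WRITEABLE lines dropped).
SAMPLE_SHOWREPL = r"""
repadmin running command /showrepl against server ned.QUEENSBRIDGE.PRI
Default-First-Site-Name\NED
DC object GUID: 6cb09c14-734e-44bf-b67c-30ef9d28b264
==== INBOUND NEIGHBORS ======================================
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
DC=QUEENSBRIDGE,DC=PRI
Default-First-Site-Name\LISA via RPC
DC object GUID: ea498032-7e43-4b1a-b97a-4fbaeab64095
Last attempt @ 2009-06-28 14:15:18 was successful.
Default-First-Site-Name\BART via RPC
DC object GUID: 2a90b761-fac5-459a-8cd0-826a734afc1c
Last attempt @ 2009-06-28 14:45:18 was successful.
==== KCC CONNECTION OBJECTS ============================================
Connection --
Connection name : 21cfcba8-d198-43a0-932e-c959a0f6ef23
Source: Default-First-Site-Name\BART
No Failures.
Connection --
Connection name : LISA
Source: Default-First-Site-Name\LISA
No Failures.
2 connections found.
"""

SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")          # ==== TITLE ====
NAMING_CONTEXT = re.compile(r"^(?:DC|CN)=[^\\]+$")   # DC=...,DC=...
PARTNER = re.compile(r"^(\S+)\\(\S+) via (\S+)$")    # Site\SERVER via RPC
ATTEMPT = re.compile(r"^Last attempt @ (\S+ \S+) (.*)$")
SOURCE = re.compile(r"^Source:\s*(\S+)\\(\S+)$")


def parse_showrepl(text):
    """Return inbound/outbound partners per naming context and KCC sources."""
    report = {"inbound": {}, "outbound": {}, "kcc_sources": []}
    section = nc = partner = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            title = m.group(1)
            section = ("inbound" if title.startswith("INBOUND") else
                       "outbound" if title.startswith("OUTBOUND") else
                       "kcc" if title.startswith("KCC") else None)
            nc = partner = None
            continue
        if section in ("inbound", "outbound"):
            if NAMING_CONTEXT.match(line):
                nc = line
                report[section].setdefault(nc, [])
            elif nc and (m := PARTNER.match(line)):
                partner = {"dc": m.group(2).upper(), "when": None, "ok": None}
                report[section][nc].append(partner)
            elif partner and (m := ATTEMPT.match(line)):
                partner["when"] = m.group(1)
                # Anything other than "was successful" is treated as a failure.
                partner["ok"] = m.group(2).startswith("was successful")
        elif section == "kcc" and (m := SOURCE.match(line)):
            report["kcc_sources"].append(m.group(2).upper())
    return report


def findings(report):
    """List the conditions worth a closer look, as tuples."""
    out = []
    if not report["inbound"]:
        out.append(("no_inbound_neighbors",))
    inbound_dcs = {p["dc"] for ps in report["inbound"].values() for p in ps}
    for src in report["kcc_sources"]:
        if src not in inbound_dcs:
            out.append(("connection_without_inbound_link", src))
    for direction in ("inbound", "outbound"):
        for nc, partners in report[direction].items():
            for p in partners:
                if p["ok"] is not True:
                    out.append(("last_attempt_not_successful", direction, nc, p["dc"]))
    return out


if __name__ == "__main__":
    for item in findings(parse_showrepl(SAMPLE_SHOWREPL)):
        print(item)
```
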
RE: DCpromo issue. Health check on AD and group policy. [message #156975 is a reply to message #156973] Sun, 28 June 2009 12:47
meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello IT Team Queensbridge.bham.sch.uk ITTeamQueensbridgebhamschukdiscussions.microsoft.com,

Please post an unedited ipconfig /all from all DNS servers. Something is
strange with LISA; does it have all DNS zones and all domain machine entries
listed? As you can see, nothing is in the dnslint output for it.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Please find attached information from dnslint file.
>
> DNSLint Report
> System Date: Fri Jun 26 16:18:04 2009
> Command run:
> \\techpc1\c$\dnslint\dnslint.exe /ad /s 10.122.84.58 /v
> Root of Active Directory Forest:
> QUEENSBRIDGE.PRI
> Active Directory Forest Replication GUIDs Found:
> DC: BART
> GUID: 2a90b761-fac5-459a-8cd0-826a734afc1c
> DC: NED
> GUID: 6cb09c14-734e-44bf-b67c-30ef9d28b264
> DC: LISA
> GUID: ea498032-7e43-4b1a-b97a-4fbaeab64095
> Total GUIDs found: 3
> ________________________________________
> The following 3 DNS servers were checked for records related to AD
> forest
> replication:
> DNS server: ned.queensbridge.pri
> IP Address: 10.122.84.58
> UDP port 53 responding to queries: YES
> TCP port 53 responding to queries: Not tested
> Answering authoritatively for domain: YES
> SOA record data from server:
> Authoritative name server: ned.QUEENSBRIDGE.PRI
> Hostmaster: hostmaster
> Zone serial number: 467
> Zone expires in: 1.00 day(s)
> Refresh period: 900 seconds
> Retry delay: 600 seconds
> Default (minimum) TTL: 3600 seconds
> Additional authoritative (NS) records from server:
> lisa.queensbridge.pri 10.122.84.53
> bart.queensbridge.pri 10.122.84.51
> ned.queensbridge.pri 10.122.84.58
> Alias (CNAME) and glue (A) records for forest GUIDs from server:
> CNAME: 2a90b761-fac5-459a-8cd0-826a734afc1c._msdcs.QUEENSBRIDGE.PRI
> Alias: bart.QUEENSBRIDGE.PRI
> Glue: 10.122.84.51
> CNAME: 6cb09c14-734e-44bf-b67c-30ef9d28b264._msdcs.QUEENSBRIDGE.PRI
> Alias: ned.QUEENSBRIDGE.PRI
> Glue: 10.122.84.58
> CNAME: ea498032-7e43-4b1a-b97a-4fbaeab64095._msdcs.QUEENSBRIDGE.PRI
> Alias: lisa.QUEENSBRIDGE.PRI
> Glue: 10.122.84.53
> Total number of CNAME records found on this server: 3
>
> Total number of CNAME records missing on this server: 0
>
> Total number of glue (A) records this server could not find: 0
> ________________________________________
> DNS server: lisa.queensbridge.pri
> IP Address: 10.122.84.53
> UDP port 53 responding to queries: NO
> TCP port 53 responding to queries: Not tested
> Answering authoritatively for domain: Unknown
> SOA record data from server:
> Authoritative name server: Unknown
> Hostmaster: Unknown
> Zone serial number: Unknown
> Zone expires in: Unknown
> Refresh period: Unknown
> Retry delay: Unknown
> Default (minimum) TTL: Unknown
> Total number of CNAME records found on this server: 0
>
> Total number of CNAME records missing on this server: 0
>
> Total number of glue (A) records this server could not find: 0
> ________________________________________
> DNS server: bart.queensbridge.pri
> IP Address: 10.122.84.51
> UDP port 53 responding to queries: YES
> TCP port 53 responding to queries: Not tested
> Answering authoritatively for domain: YES
> SOA record data from server:
> Authoritative name server: bart.QUEENSBRIDGE.PRI
> Hostmaster: hostmaster
> Zone serial number: 467
> Zone expires in: 1.00 day(s)
> Refresh period: 900 seconds
> Retry delay: 600 seconds
> Default (minimum) TTL: 3600 seconds
> Additional authoritative (NS) records from server:
> lisa.queensbridge.pri 10.122.84.53
> bart.queensbridge.pri 10.122.84.51
> ned.queensbridge.pri 10.122.84.58
> Alias (CNAME) and glue (A) records for forest GUIDs from server:
> CNAME: 2a90b761-fac5-459a-8cd0-826a734afc1c._msdcs.QUEENSBRIDGE.PRI
> Alias: bart.QUEENSBRIDGE.PRI
> Glue: 10.122.84.51
> CNAME: 6cb09c14-734e-44bf-b67c-30ef9d28b264._msdcs.QUEENSBRIDGE.PRI
> Alias: ned.QUEENSBRIDGE.PRI
> Glue: 10.122.84.58
> CNAME: ea498032-7e43-4b1a-b97a-4fbaeab64095._msdcs.QUEENSBRIDGE.PRI
> Alias: lisa.QUEENSBRIDGE.PRI
> Glue: 10.122.84.53
> Total number of CNAME records found on this server: 3
>
> Total number of CNAME records missing on this server: 0
>
> Total number of glue (A) records this server could not find: 0
> ________________________________________
> Notes:
> One or more DNS servers may not be authoritative for the domain
> One or more DNS servers did not respond to UDP queries
> One or more zone files may have expired
> SOA record data was unavailable and/or missing on one or more DNS
> servers
RE: DCpromo issue. Health check on AD and group policy. [message #156976 is a reply to message #156954] Sun, 28 June 2009 13:14
ITTeamQueensbridgebha
Messages: 7
Registered: July 2009
Junior Member
Hi

We have 2 DNS servers (bart and NED), Bart is the primary DNS server and is
the first DC in the domain. NED is the DC which isn't replicating but is also
a DNS server.

Please find ipconfig /all outputs from both servers

BART

Windows IP Configuration



Host Name . . . . . . . . . . . . : bart

Primary Dns Suffix . . . . . . . : QUEENSBRIDGE.PRI

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : QUEENSBRIDGE.PRI



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection

Physical Address. . . . . . . . . : 00-11-2F-63-BC-9B

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 10.122.84.51

Subnet Mask . . . . . . . . . . . : 255.255.252.0

Default Gateway . . . . . . . . . : 10.122.84.50

DNS Servers . . . . . . . . . . . : 10.122.84.51

10.122.84.58


NED



Windows IP Configuration



Host Name . . . . . . . . . . . . : ned

Primary Dns Suffix . . . . . . . : QUEENSBRIDGE.PRI

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : QUEENSBRIDGE.PRI



Ethernet adapter Local Area Connection 2:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Realtek RTL8169/8110 Family Gigabit Ethernet NIC

Physical Address. . . . . . . . . : 00-0F-B5-09-A5-2C

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 10.122.84.58

Subnet Mask . . . . . . . . . . . : 255.255.252.0

Default Gateway . . . . . . . . . : 10.122.84.50

DNS Servers . . . . . . . . . . . : 10.122.84.51
RE: DCpromo issue. Health check on AD and group policy. [message #156977 is a reply to message #156976] Sun, 28 June 2009 13:48
meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello IT Team Queensbridge.bham.sch.uk ITTeamQueensbridgebhamschukdiscussions.microsoft.com,

The output looks ok, but again about LISA. It is listed as a DNS server in
the dnslint output. Was it a DNS server some time ago? Check the nameserver
tab on all DNS zones you have. If it is listed there, remove it if not needed.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


RE: DCpromo issue. Health check on AD and group policy. [message #156978 is a reply to message #156976] Sun, 28 June 2009 13:54
meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello IT Team Queensbridge.bham.sch.uk ITTeamQueensbridgebhamschukdiscussions.microsoft.com,

Also do not forget the other questions and outputs, especially when the other
output is too big to post; use dcdiag /v /c on each DC separately and also
netdiag /v.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: DCpromo issue. Health check on AD and group policy. [message #156984 is a reply to message #156973] Sun, 28 June 2009 16:40
aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"IT Team @ Queensbridge.bham.sch.uk"
<ITTeamQueensbridgebhamschuk@discussions.microsoft.com> wrote in message
news:1DE3BE5E-BF55-4F5C-B0B4-04E12B56DADC@microsoft.com...
> Please find attached information from dnslint file.
>
> ________________________________________
> DNS server: lisa.queensbridge.pri
> IP Address: 10.122.84.53
> UDP port 53 responding to queries: NO
> TCP port 53 responding to queries: Not tested
> Answering authoritatively for domain: Unknown
>
> SOA record data from server:
> Authoritative name server: Unknown
> Hostmaster: Unknown
> Zone serial number: Unknown
> Zone expires in: Unknown
> Refresh period: Unknown
> Retry delay: Unknown
> Default (minimum) TTL: Unknown
>
> Total number of CNAME records found on this server: 0
>
> Total number of CNAME records missing on this server: 0
>
> Total number of glue (A) records this server could not find: 0
> ________________________________________


The above says the DNS is not responding on lisa.queensbridge.pri. This
could either be due to firewall block or the DNS service may not be running.
Is the DNS service running on lisa.queensbridge.pri?

Ace
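
The condition discussed in the replies above (LISA listed as a name server but not answering on UDP 53) can be pulled out of a dnslint report automatically. This is an added example, not part of the original posts and not a feature of dnslint itself: a Python parser that flags servers that did not answer, NS records on healthy servers that still point at them, and serial mismatches. The function names are assumptions, and the sample is a condensed copy of the report quoted in this thread.

```python
import re

# Condensed from the dnslint /ad report quoted in this thread (CNAME/glue and
# most SOA lines trimmed); the layout and values are the thread's own.
SAMPLE_REPORT = """\
DNS server: ned.queensbridge.pri
IP Address: 10.122.84.58
UDP port 53 responding to queries: YES
Answering authoritatively for domain: YES
Zone serial number: 467
Additional authoritative (NS) records from server:
lisa.queensbridge.pri 10.122.84.53
bart.queensbridge.pri 10.122.84.51
ned.queensbridge.pri 10.122.84.58
Alias (CNAME) and glue (A) records for forest GUIDs from server:
Total number of CNAME records found on this server: 3
________________________________________
DNS server: lisa.queensbridge.pri
IP Address: 10.122.84.53
UDP port 53 responding to queries: NO
Answering authoritatively for domain: Unknown
Zone serial number: Unknown
Total number of CNAME records found on this server: 0
________________________________________
DNS server: bart.queensbridge.pri
IP Address: 10.122.84.51
UDP port 53 responding to queries: YES
Answering authoritatively for domain: YES
Zone serial number: 467
Additional authoritative (NS) records from server:
lisa.queensbridge.pri 10.122.84.53
bart.queensbridge.pri 10.122.84.51
ned.queensbridge.pri 10.122.84.58
Alias (CNAME) and glue (A) records for forest GUIDs from server:
Total number of CNAME records found on this server: 3
________________________________________
Notes:
One or more DNS servers did not respond to UDP queries
"""

SEPARATOR = re.compile(r"^_{10,}\s*$", re.M)
NS_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
UDP_KEY = "UDP port 53 responding to queries"


def parse_dnslint(report):
    """Split the report on its underscore rules; return {server name: fields}."""
    servers = {}
    for block in SEPARATOR.split(report):
        info, in_ns = {"ns": []}, False
        for line in (ln.strip() for ln in block.splitlines()):
            if not line:
                continue
            if line.startswith("Additional authoritative (NS) records"):
                in_ns = True
                continue
            m = NS_LINE.match(line) if in_ns else None
            if m:
                info["ns"].append((m.group(1).lower(), m.group(2)))
                continue
            in_ns = False
            key, sep, value = line.partition(":")
            if sep:
                info[key.strip()] = value.strip()
        if "DNS server" in info:  # skips the trailing Notes block
            servers[info["DNS server"].lower()] = info
    return servers


def find_issues(servers):
    """Return tuples describing what an administrator should follow up on."""
    issues = []
    silent = {n for n, s in servers.items() if s.get(UDP_KEY, "").upper() != "YES"}
    issues += [("no_udp_response", name) for name in sorted(silent)]
    serials = {}
    for name, info in sorted(servers.items()):
        if name in silent:
            continue
        for ns_name, _ip in info["ns"]:
            if ns_name in silent:
                # A zone on a healthy server still delegates to the silent host.
                issues.append(("ns_record_for_silent_server", name, ns_name))
        serials.setdefault(info.get("Zone serial number"), []).append(name)
    if len(serials) > 1:
        issues.append(("serial_mismatch", serials))
    return issues


if __name__ == "__main__":
    for issue in find_issues(parse_dnslint(SAMPLE_REPORT)):
        print(issue)
```
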
RE: DCpromo issue. Health check on AD and group policy. [message #156985 is a reply to message #156978] Sun, 28 June 2009 21:36
Garry Starck-MCITP En
Messages: 69
Registered: July 2009
Member
Hi Meinolf and Hello IT Team Queensbridge.bham.sch.uk

Since Repadmin was not looking great to say the least, check FRS and AD event
logs on the other intrasite DCs for failures creating connection objects
with NED. Presuming that NED was recently promo'd out and in again (I'm
really hoping)

I have a recollection of this issue after I removed a DC via DCPROMO and
within 20 minutes I DCpromo'd the new hardware in as the exact same name. What
happened then was GUID/CNAMEs in DNS were 100% right for the new DC, but
every DC, whether intra- or intersite, that was a direct replication partner
with the renewed DC simply would not allow the new DC to create new
inbound connection objects (you can't even via manual methods). Every DC that
was a replication partner of the DC before removing it obviously continued
repl via KCC auto-generated connection objects to another preferred
bridgehead. I eventually found nothing on the internet to help, but what I did
do next was use the repadmin /expertuser switch and use the following cowboy
trick (in the LAB first, managed to replicate the exact problem luckily):

/delrepsto <Naming Context> <DC> <Reps-To DC> <Reps-To DC GUID>
Examples:
Naming Context <DC=TESTDOM,DC=LOCAL >
<DC> done at each DC that was a previous repl partner
<repsto dc> this will most definitely be NED in every run of the commands on
each old partner. And check intrasite DCs' FRS/AD event logs on each DC to
see if there is an issue showing the old GUID/CNAME in the events. This GUID
will be the GUID you supply for <Reps-To DC GUID>

Now I scripted this as the forest has over 200 DCs and due to lack of RAM /
perf on most DCs, KCC was not autogenerating connection objects. 90% of the
DCs used this DC as a bridgehead (manually set since we were still on 2000 AD
and its hidden agenda, we had switched KCC & ISTG off and every connection
object was manual (this is how I know that not even a manual object creation
helps to trick).

To add to my misery, when I spotted the errors after the new DC's promo, I
dcpromo'd out again and then there were now 2 wrong outdated GUIDs to remove.
I don't think the /delrepsto <Naming Context> <DC> <Reps-To DC> <Reps-To DC
GUID> way is complex, just GUIDs burnt into your retinas if manually done.
But you are small, so if this pie in the sky theory is right, each DC
intrasite should have some event logs, hopefully showing the antiquated GUIDs.
Since each other site had one or more DCs, only one is generally in need of
attention, the bridgehead which KCC selects. KCC does the KCC thing every 15
minutes and will auto-generate the new "true" connection objects at those
intervals.

Also, who's the RID master, is he UP?

Root Cause Analysis of my issue: a bit of a thumb suck. I had just arrived
at the client's site and I have never seen the momentous amount of lingering
objects in AD, maybe that contributed, I doubted that. I then thought through
a personally created issue: I took the HDDs out of the old DC and added them
to the new server so as to mirror the OS and current configs and then
promoted it in within 20 mins. By this stage, the mirrors had completed sync
and I pulled the old HDDs out. You may think this is menial, but in my VM
labs, I often promo one out then straight back in, and have noticed similar
issues eventing. Apparently the now member server keeps its AD settings and
what you should do is promo it 1st into another new dummy.junk domain and
promo it out and reboot. All the "so called" domain history is now gone from
registry etc. I do not know what exactly is documented around that issue,
maybe some of the MVPs can comment / drill me / thrill me

Regards





Garry Starck
MCITP Enterprise Administrator, MCTS AD, MCSE 2003 Messaging, MCDBA


Re: DCpromo issue. Health check on AD and group policy. [message #156986 is a reply to message #156985] Sun, 28 June 2009 22:15
aceman  United States
Messages: 5816
Registered: July 2009
Senior Member

Very interesting, and very VERY plausible. I've seen this happen before
years ago in a 2000 domain, and without running numerous tests, I realized
it before it got too far, when replication was failing. Looking at
replication intervals where the removed DC's reference replication to other
sites did not occur before promoting the new machine into the domain with
the same name, caused the issue. Since this was a 2000 domain, there was no
/forceremoval switch to work with, but not that it would have probably
worked because of the identical names and two GUIDs. I pulled out the old DC
and ran a Metadata Cleanup, and manually cleaned out DNS, Sites & Services,
etc, and blew away the machine, and reinstalled it, but did not re-promote
it until waiting a day, ran replmon, etc, to monitor all DCs to make sure
there were no replication references.

As for registry settings, the only entry I am aware of would be the product
type entry, whether it's a DC or not
(HKLM\SYSTEM\CCS\Control\ProductOptions - only values would be either
LanmanNT or ServerNT). Everything else is in the AD database as far as the
GUID, etc, but then again, there's the machine's TCP reg entries, as well as
netlogon reg entry, which registers the GUID into DNS and AD database, which
when demoted, the reg entry should get removed, as well as the DNS reg.

So if this is the case, and a /forceremoval doesn't work, I would think to
unplug it, run Metadata Cleanup, and rebuild the machine from scratch.

But then again, there were other similar cases where I've seen similar
issues where the customer updated one of their SonicWall routers with a new
firmware that changed the MTU to 1492 from 1500. It took me two days to
figure this one out. Apparently from researching it, LDAP/RPC traffic fails
at anything less than 1500 MTU. We put the old firmware back on and
replication started once again. This is one reason I advise customers to not
use an ADSL service for a corporate link.

Then again, it could be a simple firewall rule blocking necessary ports, but
I'm starting to think not because of the DNS issue I saw in the DNSLint
report.

Awaiting to see the dcdiag and netdiags to see what they have to say...

But I like your theory, and it may just probably be the case. We'll need IT
Team Queensbridge.bham.sch.uk to elaborate on what occurred for a
determination.

Cheers!

Ace
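
The stale-GUID situation discussed in this exchange (partners still holding a reps-to entry for a DC's old GUID after it was re-promoted under the same name) can be checked offline before anything is deleted. The following is an added example, not part of either post: the report text is a constructed sample whose layout is assumed to follow `repadmin /showrepl /repsto`, and the site name, the third DC "DC3" and all GUIDs are made up.

```python
import re

# Constructed sample in the layout of `repadmin /showrepl /repsto` text output
# (layout assumed; site name, DC3 and all GUIDs are made up for illustration).
BART_REPORT = """\
Default-First-Site-Name\\BART
DSA object GUID: 11111111-aaaa-4bbb-8ccc-000000000001

==== INBOUND NEIGHBORS ======================================

DC=QUEENSBRIDGE,DC=PRI
    Default-First-Site-Name\\DC3 via RPC
        DSA object GUID: 33333333-aaaa-4bbb-8ccc-000000000003

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=QUEENSBRIDGE,DC=PRI
    Default-First-Site-Name\\NED via RPC
        DSA object GUID: 22222222-aaaa-4bbb-8ccc-00000000000f
    Default-First-Site-Name\\DC3 via RPC
        DSA object GUID: 33333333-aaaa-4bbb-8ccc-000000000003
"""
# GUIDs the DCs hold now; NED's differs from the one BART still notifies.
CURRENT = {"BART": "11111111-aaaa-4bbb-8ccc-000000000001",
           "NED": "22222222-aaaa-4bbb-8ccc-000000000002",
           "DC3": "33333333-aaaa-4bbb-8ccc-000000000003"}

GUID_RE = re.compile(r"DSA object GUID:\s*([0-9a-fA-F-]{36})")
PARTNER_RE = re.compile(r"^\s+(\S+) via RPC\s*$")

def stale_reps_to(dc, report, current):
    """Return (naming context, DC, Reps-To DC, Reps-To DC GUID) for every
    outbound (reps-to) neighbour whose GUID no current DC owns."""
    known = {g.lower() for g in current.values()}
    section = nc = partner = None
    stale = []
    for line in report.splitlines():
        if line.startswith("===="):          # section banner
            section, partner = line.strip("= "), None
        elif section and re.match(r"(DC|CN)=\S+$", line):
            nc = line                        # naming context heading
        elif section and (m := PARTNER_RE.match(line)):
            partner = m.group(1).rsplit("\\", 1)[-1]
        elif partner and (m := GUID_RE.search(line)):
            if section.startswith("OUTBOUND") and m.group(1).lower() not in known:
                stale.append((nc, dc, partner, m.group(1).lower()))
            partner = None
    return stale

if __name__ == "__main__":
    for row in stale_reps_to("BART", BART_REPORT, CURRENT):
        print("stale reps-to entry:", *row)
```

Each tuple is ordered like the arguments of the `/delrepsto` syntax quoted above, so the output can be reviewed entry by entry against the event logs before any cleanup is attempted.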
RE: DCpromo issue. Health check on AD and group policy. [message #156989 is a reply to message #156985] Mon, 29 June 2009 01:48
meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello Garry,

that is really good information about your solution to this kind of problem.
And with 200 DCs, yes it's a lot of work when you can't find a way like you
did.

I also had the thoughts about a problem with removing and reinstalling, that
was my reason to ask the OP about the way he did it in detail. Maybe we will
get an answer.


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi Meinholf and Hello IT Team Queensbridge.bham.sch.uk
>
> Since Repadmin was not looking great to say the least, check FRS and
> AD evt logs on the other intrasite DC's for failures creating
> connection objects with NED. Presuming that NED was recently promo'd
> out and in again (I'm really hoping)
>
> I have a recollection of this issue after I removed a DC via DCPROMO
> and within 20 minutes I DCpromo'd the new hardware in as the exact same
> name. What happened then was GUID/CNAMES in DNS were 100% right for
> the new DC, but every DC whether intra or intersite that was a direct
> replication partner with the renewed DC simply would not allow the
> new DC to create new inbound connection objects (you can't even via
> manual methods). Every DC that was a replication partner of the DC
> before removing it obviously continued repl via KCC auto generated
> connection objects to another preferred bridge head. I eventually
> found nothing on the internet to help, but what I did do next was use
> the repadmin /expertuser switch and used the following cowboy trick (in
> the LAB first, managed to replicate the exact problem luckily):
>
> /delrepsto <Naming Context> <DC> <Reps-To DC> <Reps-To DC GUID>
> Examples:
> Naming Context <DC=TESTDOM,DC=LOCAL >
> <DC> done at each DC that was a previous repl partner
> <repsto dc> this will most definitely be NED in every run of the
> commands on each old partner. And check intrasite DC's FRS/AD
> eventlogs on each DC to see if there is an issue showing the old
> GUID/CNAME in the events. This GUID will be the GUID you supply for
> <Reps-To DC GUID>
>
> Now I scripted this as the forest has over 200 DC's and due to lack of
> RAM / perf on most DC's, KCC was not autogening connection obj's. 90 %
> of the dc's used this DC as a bridgehead (Manually set since we were
> still on 2000 AD and it's hidden agenda, we had switched KCC & ISTG off
> and every connection object was manual (This is how I know that not
> even a manual obj creation helps to trick).
>
> To add to my misery, when I spotted the errors after the new DC's
> promo, I dcpromo'd out again and then there were now 2 wrong outdated
> GUIDs to remove. I don't think the /delrepsto <Naming Context> <DC>
> <Reps-To DC> <Reps-To DC GUID> way is complex, just GUIDs burnt into
> your retinas if manually done.
>
> But you are small, so if this pie in the sky theory is right, each DC
> intrasite should have some eventlogs, hopefully showing the antiquated
> GUIDs. Since each other site had one or more DC's, only one is
> generally in need of attention, the Bridgehead which KCC selects. KCC
> does the KCC thing every 15 minutes and will auto gen the new "true"
> connection objects at those intervals,
>
> Also, who's the RID master, is he UP?
>
> Root Cause Analysis of my issue: a bit of a thumb suck. I had just
> arrived at the client's site and I have never seen the momentous amount
> of lingering objects in AD, maybe that contributed, I doubted that. I
> then thought through a personally created issue: I took the HDD's out
> of the old DC and added them to the new server so as to mirror the OS
> and current configs and then promoted it in within 20mins. By this
> stage, the mirrors had completed sync and I pulled the old HDD's out.
> You may think this is menial, but in my VM labs, I often promo one out
> then straight back in, and have noticed similar issues eventing.
> Apparently the now member server keeps its AD settings and what you
> should do is promo it 1st into another new dummy.junk domain and promo
> it out and reboot. All the "so called" domain history is now gone from
> registry etc. I do not know what exactly is documented around that
> issue, maybe some of the MVPs can comment / drill me / thrill me
>
> Regards
>
> Garry Starck
> MCITP Enterprise Administrator, MCTS AD, MCSE 2003 Messaging, MCDBA
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello IT Team Queensbridge.bham.sch.uk
>> ITTeamQueensbridgebhamschukdiscussions.microsoft.com,
>>
>> Also do not forget the other questions and outputs, especially when
>> the other output is too big to post use the dcdiag /v /c on each DC
>> separately and also netdiag /v.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hi
>>>
>>> We have 2 DNS servers (bart and NED), Bart is the primary DNS server
>>> and is the first DC in the domain. NED is the DC which isn't
>>> replicating but is also a DNS server.
>>>
>>> Please find ipconfig /all outputs from both servers
>>>
>>> BART
>>>
>>> Windows IP Configuration
>>>
>>> Host Name . . . . . . . . . . . . : bart
>>>
>>> Primary Dns Suffix . . . . . . . : QUEENSBRIDGE.PRI
>>>
>>> Node Type . . . . . . . . . . . . : Unknown
>>>
>>> IP Routing Enabled. . . . . . . . : No
>>>
>>> WINS Proxy Enabled. . . . . . . . : No
>>>
>>> DNS Suffix Search List. . . . . . : QUEENSBRIDGE.PRI
>>>
>>> Ethernet adapter Local Area Connection:
>>>
>>> Connection-specific DNS Suffix . :
>>>
>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network
>>> Connection
>>>
>>> Physical Address. . . . . . . . . : 00-11-2F-63-BC-9B
>>>
>>> DHCP Enabled. . . . . . . . . . . : No
>>>
>>> IP Address. . . . . . . . . . . . : 10.122.84.51
>>>
>>> Subnet Mask . . . . . . . . . . . : 255.255.252.0
>>>
>>> Default Gateway . . . . . . . . . : 10.122.84.50
>>>
>>> DNS Servers . . . . . . . . . . . : 10.122.84.51
>>>
>>> 10.122.84.58
>>>
>>> NED
>>>
>>> Windows IP Configuration
>>>
>>> Host Name . . . . . . . . . . . . : ned
>>>
>>> Primary Dns Suffix . . . . . . . : QUEENSBRIDGE.PRI
>>>
>>> Node Type . . . . . . . . . . . . : Unknown
>>>
>>> IP Routing Enabled. . . . . . . . : No
>>>
>>> WINS Proxy Enabled. . . . . . . . : No
>>>
>>> DNS Suffix Search List. . . . . . : QUEENSBRIDGE.PRI
>>>
>>> Ethernet adapter Local Area Connection 2:
>>>
>>> Connection-specific DNS Suffix . :
>>>
>>> Description . . . . . . . . . . . : Realtek RTL8169/8110 Family
>>> Gigabit Ethernet NIC
>>>
>>> Physical Address. . . . . . . . . : 00-0F-B5-09-A5-2C
>>>
>>> DHCP Enabled. . . . . . . . . . . : No
>>>
>>> IP Address. . . . . . . . . . . . : 10.122.84.58
>>>
>>> Subnet Mask . . . . . . . . . . . : 255.255.252.0
>>>
>>> Default Gateway . . . . . . . . . : 10.122.84.50
>>>
>>> DNS Servers . . . . . . . . . . . : 10.122.84.51
>>>