Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Unable to decommission a Windows 2008 DC via dcpromo [message #157122] Tue, 30 June 2009 21:57
Haji
I've got a Windows 2008 box that was my only DC in my test network that is on
some rather aged hardware. I've built a new box to replace the old DC with,
installed Server 2008 on it, added it to the domain, ran dcpromo, kicked it
up to a GC, and transferred the FSMO roles over to it. However, when I run
dcpromo on the old box that I'm wanting to retire, I get the following
message:

"You did not indicate that this Active Directory domain controller is the
last domain controller for the domain test.dns. However, no other Active
Directory domain controllers for that domain can be contacted."

I've also noticed that when the old box is powered down, none of my test
workstations can map a drive to the new server, due to an authentication
failure. The ID that the server is logged into is an enterprise admin ID,
and this is a single domain setup (no child domains in the forest). Both
the forest and the domain are at 2008 functional level. Each server has DNS
installed and is AD Integrated. Each server points to the other for DNS
primary, and itself for secondary.

I'm sure there is more information that is needed that I haven't provided,
just let me know what you need and I'll post it, but if anyone can help me
out, I'd really like to learn what this issue is and how to fix it.
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157132 is a reply to message #157122] Wed, 01 July 2009 01:37
meiweb(nospam)
Hello Haji,

Run diagnostics dcdiag /v and repadmin /showrepl to check for errors and
make sure both DCs have replicated. Are both listed in the DNS zones with
their A record and name server record and also under all subfolders?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I've got a Windows 2008 box that was my only DC in my test network
> that is on some rather aged hardware. I've built a new box to replace
> the old DC with, installed Server 2008 on it, added it to the domain,
> ran dcpromo, kicked it up to a GC, and transferred the FSMO roles over
> to it. However, when I run dcpromo on the old box that I'm wanting to
> retire, I get the following message:
>
> "You did not indicate that this Active Directory domain controller is
> the last domain controller for the domain test.dns. However, no other
> Active Directory domain controllers for that domain can be contacted."
>
> I've also noticed that when the old box is powered down, none of my
> test workstations can map a drive to the new server, due to an
> authentication failure. The ID that the server is logged into is an
> enterprise admin ID, and this is a single domain setup (no child
> domains in the forest). Both the forest and the domain are at 2008
> functional level. Each server has DNS installed and is AD Integrated.
> Each server points to the other for DNS primary, and itself for
> secondary.
>
> I'm sure there is more information that is needed that I haven't
> provided, just let me know what you need and I'll post it, but if
> anyone can help me out, I'd really like to learn what this issue is
> and how to fix it.
>
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157151 is a reply to message #157122] Wed, 01 July 2009 08:22
pbbergs
Sounds to me like you haven't made the new box a GC or not a DNS server.

Start by posting both boxes ip configuration details. From a command prompt
on both dc's run the following:

ipconfig /all

Next from each DC at a command prompt run the following and post:
nltest /server:<servername> /dsgetdc:<domainname>

Note: Feel free to modify the output, so as not to disclose any valuable
information. Such as changing the first couple of octets on your ip
addresses, but please be consistent (192.168. is a good replacement value).

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Haji" <Haji@discussions.microsoft.com> wrote in message
news:35A43720-2CE5-4AAE-AB54-CE7FEFB7FCC6@microsoft.com...
> I've got a Windows 2008 box that was my only DC in my test network that is
> on
> some rather aged hardware. I've built a new box to replace the old DC
> with,
> installed Server 2008 on it, added it to the domain, ran dcpromo, kicked
> it
> up to a GC, and transferred the FSMO roles over to it. However, when I run
> dcpromo on the old box that I'm wanting to retire, I get the following
> message:
>
> "You did not indicate that this Active Directory domain controller is the
> last domain controller for the domain test.dns. However, no other Active
> Directory domain controllers for that domain can be contacted."
>
> I've also noticed that when the old box is powered down, none of my test
> workstations can map a drive to the new server, due to an authentication
> failure. The ID that the server is logged into is an enterprise admin ID,
> and this is a single domain setup (no child domains in the forest). Both
> the forest and the domain are at 2008 functional level. Each server has
> DNS
> installed and is AD Integrated. Each server points to the other for DNS
> primary, and itself for secondary.
>
> I'm sure there is more information that is needed that I haven't provided,
> just let me know what you need and I'll post it, but if anyone can help me
> out, I'd really like to learn what this issue is and how to fix it.
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157293 is a reply to message #157151] Sun, 05 July 2009 19:26
Haji
In Active Directory Sites and Services, both Server1 and Server 2 are listed
as IP Bridgeheads, and both are GC's. Both servers have Active Directory
integrated DNS running on them.

Windows IP Configuration

Host Name . . . . . . . . . . . . : server2
Primary Dns Suffix . . . . . . . : domain.dns
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.dns

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : domain.dns
Description . . . . . . . . . . . : TEAM : Team #0
Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.51
192.168.1.9
Primary WINS Server . . . . . . . : 192.168.1.9
Secondary WINS Server . . . . . . : 192.168.1.51
NetBIOS over Tcpip. . . . . . . . : Enabled

nltest /server:server2 /dsgetdc:domain.dns

DC: \\server1.domain.dns
Address: \\192.168.1.9
Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
Dom Name: domain.dns
Forest Name: domain.dns
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
CLOSE_SITE FULL SECRET



Windows IP Configuration

Host Name . . . . . . . . . . . . : server1
Primary Dns Suffix . . . . . . . : domain.dns
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.dns

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : domain.dns
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.9
192.168.1.51
Primary WINS Server . . . . . . . : 192.168.1.51
Secondary WINS Server . . . . . . : 192.168.1.9
NetBIOS over Tcpip. . . . . . . . : Enabled

nltest /server:server1 /dsgetdc:domain.dns

DC: \\server1.domain.dns
Address: \\192.168.1.9
Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
Dom Name: domain.dns
Forest Name: domain.dns
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
CLOSE_SITE FULL SECRET


"Paul Bergson [MVP-DS]" wrote:

> Sounds to me like you haven't made the new box a GC or not a DNS server.
>
> Start by posting both boxes ip configuration details. From a command prompt
> on both dc's run the following:
>
> ipconfig /all
>
> Next from each DC at a command prompt run the following and post:
> nltest /server:<servername> /dsgetdc:<domainname>
>
> Note: Feel free to modify the output, so as not to disclose any valuable
> information. Such as changing the first couple of octets on your ip
> addresses, but please be consistent (192.168. is a good replacement value).
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Haji" <Haji@discussions.microsoft.com> wrote in message
> news:35A43720-2CE5-4AAE-AB54-CE7FEFB7FCC6@microsoft.com...
> > I've got a Windows 2008 box that was my only DC in my test network that is
> > on
> > some rather aged hardware. I've built a new box to replace the old DC
> > with,
> > installed Server 2008 on it, added it to the domain, ran dcpromo, kicked
> > it
> > up to a GC, and transferred the FSMO roles over to it. However, when I run
> > dcpromo on the old box that I'm wanting to retire, I get the following
> > message:
> >
> > "You did not indicate that this Active Directory domain controller is the
> > last domain controller for the domain test.dns. However, no other Active
> > Directory domain controllers for that domain can be contacted."
> >
> > I've also noticed that when the old box is powered down, none of my test
> > workstations can map a drive to the new server, due to an authentication
> > failure. The ID that the server is logged into is an enterprise admin ID,
> > and this is a single domain setup (no child domains in the forest). Both
> > the forest and the domain are at 2008 functional level. Each server has
> > DNS
> > installed and is AD Integrated. Each server points to the other for DNS
> > primary, and itself for secondary.
> >
> > I'm sure there is more information that is needed that I haven't provided,
> > just let me know what you need and I'll post it, but if anyone can help me
> > out, I'd really like to learn what this issue is and how to fix it.
>
>
>
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157294 is a reply to message #157132] Sun, 05 July 2009 19:44
Haji
dcdiag from server2, which is the new one:


Directory Server Diagnosis


Performing initial setup:

Trying to find home server...

* Verifying that the local machine server2, is a Directory Server.
Home Server = server2

* Connecting to directory service on server server2.

* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.

Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Getting ISTG and options for the site
* Identifying all servers.

Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS
Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.

* Found 2 DC(s). Testing 1 of them.

Done gathering initial info.


Doing initial required tests


Testing server: Default-First-Site-Name\server2

Starting test: Connectivity

* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... server2 passed test Connectivity



Doing primary tests


Testing server: Default-First-Site-Name\server2

Starting test: Advertising

Warning: DsGetDcName returned information for

\\server1.domain.dns, when we were trying to reach server2.

SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

......................... server2 failed test Advertising

Test omitted by user request: CheckSecurityError

Test omitted by user request: CutoffServers

Starting test: FrsEvent

* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may
cause

Group Policy problems.
An Warning Event occurred. EventID: 0x800034C4

Time Generated: 07/04/2009 19:53:44

Event String:

The File Replication Service is having trouble enabling
replication from server1.domain.dns to server2 for c:\windows\sysvol\domain
using the DNS name server1.domain.dns. FRS will keep retrying.

Following are some of the reasons you would see this warning.



[1] FRS can not correctly resolve the DNS name
server1.domain.dns from this computer.

[2] FRS is not running on server1.domain.dns.

[3] The topology information in the Active Directory Domain
Services for this replica has not yet replicated to all the Domain
Controllers.



This event log message will appear once per connection, After
the problem is fixed you will see another event log message indicating that
the connection has been established.

An Warning Event occurred. EventID: 0x800034FE

Time Generated: 07/05/2009 17:59:10

Event String:

File Replication Service is scanning the data in the system
volume. Computer server2 cannot become a domain controller until this process
is complete. The system volume will then be shared as SYSVOL.



To check for the SYSVOL share, at the command prompt, type:

net share



When File Replication Service completes the scanning process,
the SYSVOL share will appear.



The initialization of the system volume can take some time. The
time is dependent on the amount of data in the system volume.

An Warning Event occurred. EventID: 0x800034C4

Time Generated: 07/05/2009 18:02:00

Event String:

The File Replication Service is having trouble enabling
replication from server1.domain.dns to server2 for c:\windows\sysvol\domain
using the DNS name server1.domain.dns. FRS will keep retrying.

Following are some of the reasons you would see this warning.



[1] FRS can not correctly resolve the DNS name
server1.domain.dns from this computer.

[2] FRS is not running on server1.domain.dns.

[3] The topology information in the Active Directory Domain
Services for this replica has not yet replicated to all the Domain
Controllers.



This event log message will appear once per connection, After
the problem is fixed you will see another event log message indicating that
the connection has been established.

An Warning Event occurred. EventID: 0x800034FE

Time Generated: 07/05/2009 18:08:29

Event String:

File Replication Service is scanning the data in the system
volume. Computer server2 cannot become a domain controller until this process
is complete. The system volume will then be shared as SYSVOL.



To check for the SYSVOL share, at the command prompt, type:

net share



When File Replication Service completes the scanning process,
the SYSVOL share will appear.



The initialization of the system volume can take some time. The
time is dependent on the amount of data in the system volume.

An Warning Event occurred. EventID: 0x800034C4

Time Generated: 07/05/2009 18:10:22

Event String:

The File Replication Service is having trouble enabling
replication from server1.domain.dns to server2 for c:\windows\sysvol\domain
using the DNS name server1.domain.dns. FRS will keep retrying.

Following are some of the reasons you would see this warning.



[1] FRS can not correctly resolve the DNS name
server1.domain.dns from this computer.

[2] FRS is not running on server1.domain.dns.

[3] The topology information in the Active Directory Domain
Services for this replica has not yet replicated to all the Domain
Controllers.



This event log message will appear once per connection, After
the problem is fixed you will see another event log message indicating that
the connection has been established.

An Warning Event occurred. EventID: 0x800034C4

Time Generated: 07/05/2009 18:18:22

Event String:

The File Replication Service is having trouble enabling
replication from server1 to server2 for c:\windows\sysvol\domain using the
DNS name server1.domain.dns. FRS will keep retrying.

Following are some of the reasons you would see this warning.



[1] FRS can not correctly resolve the DNS name
server1.domain.dns from this computer.

[2] FRS is not running on server1.domain.dns.

[3] The topology information in the Active Directory Domain
Services for this replica has not yet replicated to all the Domain
Controllers.



This event log message will appear once per connection, After
the problem is fixed you will see another event log message indicating that
the connection has been established.

......................... server2 passed test FrsEvent

Starting test: DFSREvent

The DFS Replication Event Log.
There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may
cause

Group Policy problems.
An Error Event occurred. EventID: 0xC00004B2

Time Generated: 07/05/2009 17:59:35

Event String:

The DFS Replication service failed to contact domain controller
to access configuration information. Replication is stopped. The service will
try again during the next configuration polling cycle, which will occur in 60
minutes. This event can be caused by TCP/IP connectivity, firewall, Active
Directory Domain Services, or DNS issues.



Additional Information:

Error: 160 (One or more arguments are not correct.)

......................... server2 failed test DFSREvent

Starting test: SysVolCheck

* The File Replication Service SYSVOL ready test
The registry lookup failed to determine the state of the SYSVOL. The

error returned was 0x0 "The operation completed successfully.".

Check the FRS event log to see if the SYSVOL has successfully been

shared.
......................... server2 passed test SysVolCheck

Starting test: KccEvent

* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15
minutes.
......................... server2 passed test KccEvent

Starting test: KnowsOfRoleHolders

Role Schema Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role Domain Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role PDC Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role Rid Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
......................... server2 passed test KnowsOfRoleHolders

Starting test: MachineAccount

Checking machine account for DC server2 on DC server2.
* SPN found :LDAP/server2.domain.dns/domain.dns
* SPN found :LDAP/server2.domain.dns
* SPN found :LDAP/server2
* SPN found :LDAP/server2.domain.dns/domain
* SPN found
:LDAP/d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/d963b078-1f27-4154-8436-870d19935efe/domain.dns
* SPN found :HOST/server2.domain.dns/domain.dns
* SPN found :HOST/server2.domain.dns
* SPN found :HOST/server2
* SPN found :HOST/server2.domain.dns/domain
* SPN found :GC/server2.domain.dns/domain.dns
......................... server2 passed test MachineAccount

Starting test: NCSecDesc

* Security Permissions check for all NC's on DC server2.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for

DC=ForestDnsZones,DC=domain,DC=dns
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

Replicating Directory Changes In Filtered Set
access rights for the naming context:

DC=ForestDnsZones,DC=domain,DC=dns
* Security Permissions Check for

DC=DomainDnsZones,DC=domain,DC=dns
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

Replicating Directory Changes In Filtered Set
access rights for the naming context:

DC=DomainDnsZones,DC=domain,DC=dns
* Security Permissions Check for

CN=Schema,CN=Configuration,DC=domain,DC=dns
(Schema,Version 3)
* Security Permissions Check for

CN=Configuration,DC=domain,DC=dns
(Configuration,Version 3)
* Security Permissions Check for

DC=domain,DC=dns
(Domain,Version 3)
......................... server2 failed test NCSecDesc

Starting test: NetLogons

* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\server2\netlogon)

[server2] An net use or LsaPolicy operation failed with error 67,

The network name cannot be found..

......................... server2 failed test NetLogons

Starting test: ObjectsReplicated

server2 is in domain DC=domain,DC=dns
Checking for CN=server2,OU=Domain Controllers,DC=domain,DC=dns in
domain DC=domain,DC=dns on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
in domain CN=Configuration,DC=domain,DC=dns on 1 servers
Object is up-to-date on all servers.
......................... server2 passed test ObjectsReplicated

Test omitted by user request: OutboundSecureChannels

Starting test: Replications

* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=domain,DC=dns
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=domain,DC=dns
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=domain,DC=dns
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=domain,DC=dns
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=domain,DC=dns
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
......................... server2 passed test Replications

Starting test: RidManager

* Available RID Pool for the Domain is 16606 to 1073741823
* server2.domain.dns is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 16106 to 16605
* rIDPreviousAllocationPool is 16106 to 16605
* rIDNextRID: 16106
......................... server2 passed test RidManager

Starting test: Services

* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... server2 passed test Services

Starting test: SystemLog

* The System Event log test
An Warning Event occurred. EventID: 0x8000001D

Time Generated: 07/05/2009 17:58:50

Event String:

The Key Distribution Center (KDC) cannot find a suitable
certificate to use for smart card logons, or the KDC certificate could not be
verified. Smart card logon may not function correctly if this problem is not
resolved. To correct this problem, either verify the existing KDC certificate
using certutil.exe or enroll for a new KDC certificate.

An Error Event occurred. EventID: 0xC0001B72

Time Generated: 07/05/2009 18:08:40

Event String:

The following boot-start or system-start driver(s) failed to
load:

storflt

superbmc

An Warning Event occurred. EventID: 0x00002724

Time Generated: 07/05/2009 18:19:30

Event String:

This computer has at least one dynamically assigned IPv6
address.For reliable DHCPv6 server operation, you should use only static IPv6
addresses.

......................... server2 failed test SystemLog

Test omitted by user request: Topology

Test omitted by user request: VerifyEnterpriseReferences

Starting test: VerifyReferences

The system object reference (serverReference)

CN=server2,OU=Domain Controllers,DC=domain,DC=dns and backlink on


CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns

are correct.
The system object reference (serverReferenceBL)

CN=server2,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=domain,DC=dns

and backlink on

CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns

are correct.
......................... server2 passed test VerifyReferences

Test omitted by user request: VerifyReplicas


Test omitted by user request: DNS

Test omitted by user request: DNS


Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation


Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test

CrossRefValidation


Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test CrossRefValidation


Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test
CrossRefValidation


Running partition tests on : domain

Starting test: CheckSDRefDom

......................... domain passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... domain passed test CrossRefValidation


Running enterprise tests on : domain.dns

Test omitted by user request: DNS

Test omitted by user request: DNS

Starting test: LocatorCheck

GC Name: \\server1.domain.dns

Locator Flags: 0xe00011fc
PDC Name: \\server2.domain.dns
Locator Flags: 0xe00013fd
Time Server Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
Preferred Time Server Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
KDC Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
......................... domain.dns passed test LocatorCheck

Starting test: Intersite

Skipping site Default-First-Site-Name, this site is outside the scope

provided by the command line arguments provided.
......................... domain.dns passed test Intersite



repadmin /showrepl from server2:



Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\server2

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

DSA invocationID: 08e803de-61a0-4db8-bd91-8fdbfa816035



==== INBOUND NEIGHBORS ======================================



DC=domain,DC=dns

Default-First-Site-Name\server1 via RPC

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

Last attempt @ 2009-07-05 18:11:12 was successful.



CN=Configuration,DC=domain,DC=dns

Default-First-Site-Name\server1 via RPC

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

Last attempt @ 2009-07-05 18:08:23 was successful.



CN=Schema,CN=Configuration,DC=domain,DC=dns

Default-First-Site-Name\server1 via RPC

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

Last attempt @ 2009-07-05 18:08:23 was successful.



DC=DomainDnsZones,DC=domain,DC=dns

Default-First-Site-Name\server1 via RPC

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

Last attempt @ 2009-07-05 18:08:24 was successful.



DC=ForestDnsZones,DC=domain,DC=dns

Default-First-Site-Name\server1 via RPC

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

Last attempt @ 2009-07-05 18:28:46 was successful.


"Meinolf Weber [MVP-DS]" wrote:

> Hello Haji,
>
> Run diagnostics dcdiag /v and repadmin /showrepl to check for errors and
> make sure both DCs have replicated. Are both listed in the DNS zones with
> their A record and name server record and also under all subfolders?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > I've got a Windows 2008 box that was my only DC in my test network
> > that is on some rather aged hardware. I've built a new box to replace
> > the old DC with, installed Server 2008 on it, added it to the domain,
> > ran dcpromo, kicked it up to a GC, and transferred the FSMO roles over
> > to it. However, when I run dcpromo on the old box that I'm wanting to
> > retire, I get the following message:
> >
> > "You did not indicate that this Active Directory domain controller is
> > the last domain controller for the domain test.dns. However, no other
> > Active Directory domain controllers for that domain can be contacted."
> >
> > I've also noticed that when the old box is powered down, none of my
> > test workstations can map a drive to the new server, due to an
> > authentication failure. The ID that the server is logged into is an
> > enterprise admin ID, and this is a single domain setup (no child
> > domains in the forest). Both the forest and the domain are at 2008
> > functional level. Each server has DNS installed and is AD Integrated.
> > Each server points to the other for DNS primary, and itself for
> > secondary.
> >
> > I'm sure there is more information that is needed that I haven't
> > provided, just let me know what you need and I'll post it, but if
> > anyone can help me out, I'd really like to learn what this issue is
> > and how to fix it.
> >
>
>
>
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157295 is a reply to message #157132] Sun, 05 July 2009 19:44
Haji
dcdiag from Server1, which is the old one:


Directory Server Diagnosis


Performing initial setup:

Trying to find home server...

* Verifying that the local machine server1, is a Directory Server.
Home Server = server1

* Connecting to directory service on server server1.

* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.

Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Getting ISTG and options for the site
* Identifying all servers.

Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.

* Found 2 DC(s). Testing 1 of them.

Done gathering initial info.


Doing initial required tests


Testing server: Default-First-Site-Name\server1

Starting test: Connectivity

* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... server1 passed test Connectivity



Doing primary tests


Testing server: Default-First-Site-Name\server1

Starting test: Advertising

The DC server1 is advertising itself as a DC and having a DS.
The DC server1 is advertising as an LDAP server
The DC server1 is advertising as having a writeable directory
The DC server1 is advertising as a Key Distribution Center
The DC server1 is advertising as a time server
The DS server1 is advertising as a GC.
......................... server1 passed test Advertising

Test omitted by user request: CheckSecurityError

Test omitted by user request: CutoffServers

Starting test: FrsEvent

* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
An Error Event occurred. EventID: 0xC00034F0

Time Generated: 07/04/2009 23:13:40

Event String:

The File Replication Service is unable to add this computer to
the following replica set:

"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"



This could be caused by a number of problems such as:

-- an invalid root path,

-- a missing directory,

-- a missing disk volume,

-- a file system on the volume that does not support NTFS 5.0



The information below may help to resolve the problem:

Computer DNS name is "server1.domain.dns"

Replica set member name is "server1"

Replica set root path is "d:\ad\sysvol\domain"

Replica staging directory path is "d:\ad\sysvol\staging\domain"

Replica working directory path is "c:\windows\ntfrs\jet"

Windows error status code is

FRS error status code is FrsErrorMismatchedJournalId



Other event log messages may also help determine the problem.
Correct the problem and the service will attempt to restart replication
automatically at a later time.

An Error Event occurred. EventID: 0xC00034F3

Time Generated: 07/04/2009 23:13:40

Event String:

The File Replication Service is in an error state. Files will
not replicate to or from one or all of the replica sets on this computer
until the following recovery steps are performed:



Recovery Steps:



[1] The error state may clear itself if you stop and restart
the FRS service. This can be done by performing the following in a command
window:



net stop ntfrs

net start ntfrs



If this fails to clear up the problem then proceed as follows.



[2] For Active Directory Domain Services Domain Controllers
that DO NOT host any DFS alternates or other replica sets with replication
enabled:



If there is at least one other Domain Controller in this domain
then restore the "system state" of this DC from backup (using ntbackup or
other backup-restore utility) and make it non-authoritative.



If there are NO other Domain Controllers in this domain then
restore the "system state" of this DC from backup (using ntbackup or other
backup-restore utility) and choose the Advanced option which marks the
sysvols as primary.



If there are other Domain Controllers in this domain but ALL of
them have this event log message then restore one of them as primary (data
files from primary will replicate everywhere) and the others as
non-authoritative.





[3] For Active Directory Domain Services Domain Controllers
that host DFS alternates or other replica sets with replication enabled:



(3-a) If the Dfs alternates on this DC do not have any other
replication partners then copy the data under that Dfs share to a safe
location.

(3-b) If this server is the only Active Directory Domain
Services Domain Controller for this domain then, before going to (3-c), make
sure this server does not have any inbound or outbound connections to other
servers that were formerly Domain Controllers for this domain but are now off
the net (and will never be coming back online) or have been fresh installed
without being demoted. To delete connections use the Sites and Services
snapin and look for

Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS
Settings->CONNECTIONS.

(3-c) Restore the "system state" of this DC from backup (using
ntbackup or other backup-restore utility) and make it non-authoritative.

(3-d) Copy the data from step (3-a) above to the original
location after the sysvol share is published.





[4] For other Windows servers:



(4-a) If any of the DFS alternates or other replica sets
hosted by this server do not have any other replication partners then copy
the data under its share or replica tree root to a safe location.

(4-b) net stop ntfrs

(4-c) rd /s /q c:\windows\ntfrs\jet

(4-d) net start ntfrs

(4-e) Copy the data from step (4-a) above to the original
location after the service has initialized (5 minutes is a safe waiting
time).



Note: If this error message is in the eventlog of all the
members of a particular replica set then perform steps (4-a) and (4-e) above
on only one of the members.

......................... server1 failed test FrsEvent

Starting test: DFSREvent

The DFS Replication Event Log.
......................... server1 passed test DFSREvent

Starting test: SysVolCheck

* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... server1 passed test SysVolCheck

Starting test: KccEvent

* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15
minutes.
......................... server1 passed test KccEvent

Starting test: KnowsOfRoleHolders

Role Schema Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role Domain Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role PDC Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role Rid Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role Infrastructure Update Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
......................... server1 passed test KnowsOfRoleHolders

Starting test: MachineAccount

Checking machine account for DC server1 on DC server1.
* SPN found :LDAP/server1.domain.dns/domain.dns
* SPN found :LDAP/server1.domain.dns
* SPN found :LDAP/server1
* SPN found :LDAP/server1.domain.dns/domain
* SPN found :LDAP/10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/10054e4e-3786-4858-a745-5a3b299c2326/domain.dns
* SPN found :HOST/server1.domain.dns/domain.dns
* SPN found :HOST/server1.domain.dns
* SPN found :HOST/server1
* SPN found :HOST/server1.domain.dns/domain
* SPN found :GC/server1.domain.dns/domain.dns
......................... server1 passed test MachineAccount

Starting test: NCSecDesc

* Security Permissions check for all NC's on DC server1.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for

DC=ForestDnsZones,DC=domain,DC=dns
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

Replicating Directory Changes In Filtered Set
access rights for the naming context:

DC=ForestDnsZones,DC=domain,DC=dns
* Security Permissions Check for

DC=DomainDnsZones,DC=domain,DC=dns
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

Replicating Directory Changes In Filtered Set
access rights for the naming context:

DC=DomainDnsZones,DC=domain,DC=dns
* Security Permissions Check for

CN=Schema,CN=Configuration,DC=domain,DC=dns
(Schema,Version 3)
* Security Permissions Check for

CN=Configuration,DC=domain,DC=dns
(Configuration,Version 3)
* Security Permissions Check for

DC=domain,DC=dns
(Domain,Version 3)
......................... server1 failed test NCSecDesc

Starting test: NetLogons

* Network Logons Privileges Check
Verified share \\server1\netlogon
Verified share \\server1\sysvol
......................... server1 passed test NetLogons

Starting test: ObjectsReplicated

server1 is in domain DC=domain,DC=dns
Checking for CN=server1,OU=Domain Controllers,DC=domain,DC=dns in
domain DC=domain,DC=dns on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns in domain CN=Configuration,DC=domain,DC=dns on 1 servers
Object is up-to-date on all servers.
......................... server1 passed test ObjectsReplicated

Test omitted by user request: OutboundSecureChannels

Starting test: Replications

* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=domain,DC=dns
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=domain,DC=dns
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=domain,DC=dns
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=domain,DC=dns
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=domain,DC=dns
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
......................... server1 passed test Replications

Starting test: RidManager

* Available RID Pool for the Domain is 16606 to 1073741823
* server2.domain.dns is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4606 to 5105
* rIDPreviousAllocationPool is 4606 to 5105
* rIDNextRID: 4616
......................... server1 passed test RidManager

Starting test: Services

* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... server1 passed test Services

Starting test: SystemLog

* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... server1 passed test SystemLog

Test omitted by user request: Topology

Test omitted by user request: VerifyEnterpriseReferences

Starting test: VerifyReferences

The system object reference (serverReference)

CN=server1,OU=Domain Controllers,DC=domain,DC=dns and

backlink on


CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns

are correct.
The system object reference (serverReferenceBL)

CN=server1,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=domain,DC=dns

and backlink on

CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns

are correct.
......................... server1 passed test VerifyReferences

Test omitted by user request: VerifyReplicas


Test omitted by user request: DNS

Test omitted by user request: DNS


Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test CrossRefValidation


Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test CrossRefValidation


Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test CrossRefValidation


Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test CrossRefValidation


Running partition tests on : domain

Starting test: CheckSDRefDom

......................... domain passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... domain passed test CrossRefValidation


Running enterprise tests on : domain.dns

Test omitted by user request: DNS

Test omitted by user request: DNS

Starting test: LocatorCheck

GC Name: \\server1.domain.dns

Locator Flags: 0xe00011fc
PDC Name: \\server2.domain.dns
Locator Flags: 0xe00013fd
Time Server Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
Preferred Time Server Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
KDC Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
......................... domain.dns passed test LocatorCheck

Starting test: Intersite

Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
......................... domain.dns passed test Intersite

repadmin /showrepl from server1:



Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\server1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

DSA invocationID: d796d1fd-f4ef-400a-b2ba-a094c73c1659



==== INBOUND NEIGHBORS ======================================



DC=domain,DC=dns

Default-First-Site-Name\server2 via RPC

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

Last attempt @ 2009-07-05 18:23:20 was successful.



CN=Configuration,DC=domain,DC=dns

Default-First-Site-Name\server2 via RPC

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

Last attempt @ 2009-07-05 17:53:08 was successful.



CN=Schema,CN=Configuration,DC=domain,DC=dns

Default-First-Site-Name\server2 via RPC

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

Last attempt @ 2009-07-05 17:53:08 was successful.



DC=DomainDnsZones,DC=domain,DC=dns

Default-First-Site-Name\server2 via RPC

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

Last attempt @ 2009-07-05 17:53:08 was successful.



DC=ForestDnsZones,DC=domain,DC=dns

Default-First-Site-Name\server2 via RPC

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

Last attempt @ 2009-07-05 18:29:12 was successful.


"Meinolf Weber [MVP-DS]" wrote:

> Hello Haji,
>
> Run diagnostics dcdiag /v and repadmin /showrepl to check for errors and
> make sure both DCs have replicated. Are both listed in the DNS zones with
> their A record and name server record and also under all subfolders?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > I've got a Windows 2008 box that was my only DC in my test network
> > that is on some rather aged hardware. I've built a new box to replace
> > the old DC with, installed Server 2008 on it, added it to the domain,
> > ran dcpromo, kicked it up to a GC, and transferred the FSMO roles over
> > to it. However, when I run dcpromo on the old box that I'm wanting to
> > retire, I get the following message:
> >
> > "You did not indicate that this Active Directory domain controller is
> > the last domain controller for the domain test.dns. However, no other
> > Active Directory domain controllers for that domain can be contacted."
> >
> > I've also noticed that when the old box is powered down, none of my
> > test workstations can map a drive to the new server, due to an
> > authentication failure. The ID that the server is logged into is an
> > enterprise admin ID, and this is a single domain setup (no child
> > domains in the forest). Both the forest and the domain are at 2008
> > functional level. Each server has DNS installed and is AD Integrated.
> > Each server points to the other for DNS primary, and itself for
> > secondary.
> >
> > I'm sure there is more information that is needed that I haven't
> > provided, just let me know what you need and I'll post it, but if
> > anyone can help me out, I'd really like to learn what this issue is
> > and how to fix it.
> >
>
>
>
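Added example (not part of the original posts and not Microsoft's code): a small Python parser that reduces `dcdiag /v` output like the above to its failed tests and the details printed with them, including result lines whose test name wrapped onto a later line. The sample text is a constructed excerpt modeled on the output in this thread; `CheckResult`, `parse_dcdiag` and `failed` are names chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened excerpt in the shape of the dcdiag /v output
# posted above, including a result line whose test name wrapped to a later line.
SAMPLE = r"""
Starting test: Advertising
The DC server1 is advertising as a Key Distribution Center
......................... server1 passed test Advertising

Test omitted by user request: CheckSecurityError

Starting test: FrsEvent
An Error Event occurred. EventID: 0xC00034F0
Replica set root path is "d:\ad\sysvol\domain"
FRS error status code is FrsErrorMismatchedJournalId
An Error Event occurred. EventID: 0xC00034F3
......................... server1 failed test FrsEvent

Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

Replicating Directory Changes In Filtered Set
access rights for the naming context:

DC=ForestDnsZones,DC=domain,DC=dns
......................... server1 failed test NCSecDesc

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation
"""

START = re.compile(r"^Starting test:\s*(\S+)")
RESULT = re.compile(r"^\.{5,}\s*(\S+) (passed|failed) test\s*(\S*)$")
OMITTED = re.compile(r"^Test omitted by user request:\s*(\S+)")
EVENT_ID = re.compile(r"EventID:\s*(0x[0-9A-Fa-f]+)")
FRS_STATUS = re.compile(r"^FRS error status code is\s+(\S+)")


@dataclass
class CheckResult:
    name: str
    target: str = ""
    status: str = "incomplete"  # passed / failed / omitted / incomplete
    event_ids: list = field(default_factory=list)
    frs_status: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def parse_dcdiag(text):
    """Return one CheckResult per test found in dcdiag /v output."""
    results, current, err = [], None, None

    def flush_error():
        # Store a multi-line "Error ..." statement on the test it belongs to.
        nonlocal err
        if err and current is not None:
            current.errors.append(" ".join(err))
        err = None

    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := OMITTED.match(line):
            results.append(CheckResult(m.group(1), status="omitted"))
        elif m := START.match(line):
            flush_error()
            current = CheckResult(m.group(1))  # stays "incomplete" if cut off
            results.append(current)
        elif m := RESULT.match(line):
            flush_error()
            # A missing name means it wrapped to a later line: use the open test.
            name = m.group(3) or (current.name if current else "")
            hit = current if current and current.name == name else CheckResult(name)
            if hit is not current:
                results.append(hit)
            hit.target, hit.status = m.group(1), m.group(2)
            current = None
        elif current is not None:
            current.event_ids += EVENT_ID.findall(line)
            if m := FRS_STATUS.match(line):
                current.frs_status.append(m.group(1))
            if err is not None:
                done = err[-1].endswith(":")  # line after "...context:" is the DN
                err.append(line)
                if done:
                    flush_error()
            elif line.startswith("Error "):
                err = [line]
    return results


def failed(results):
    """Failed tests only, as (name, target, details) tuples for triage."""
    return [(r.name, r.target, r.event_ids + r.frs_status + r.errors)
            for r in results if r.status == "failed"]


if __name__ == "__main__":
    for name, target, details in failed(parse_dcdiag(SAMPLE)):
        print(f"{target}: {name} FAILED", *details, sep="\n    ")
```

A test that reports `incomplete` started but never printed a result line, which is what a truncated paste of the output looks like.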
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157299 is a reply to message #157293] Sun, 05 July 2009 22:35
aceman, United States
"Haji" <Haji@discussions.microsoft.com> wrote in message news:50197C4B-1DCC-4AB1-B8B7-DB06D2B5F6A7@microsoft.com...
> In Active Directory Sites and Services, both Server1 and Server 2 are listed
> as IP Bridgeheads, and both are GC's. Both servers have Active Directory
> integrated DNS running on them.
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : server2
> Primary Dns Suffix . . . . . . . : domain.dns
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.dns
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : domain.dns
> Description . . . . . . . . . . . : TEAM : Team #0
> Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.51
> 192.168.1.9
> Primary WINS Server . . . . . . . : 192.168.1.9
> Secondary WINS Server . . . . . . : 192.168.1.51
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
> nltest /server:server2 /dsgetdc:domain.dns
>
> DC: \\server1.domain.dns
> Address: \\192.168.1.9
> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> Dom Name: domain.dns
> Forest Name: domain.dns
> Dc Site Name: Default-First-Site-Name
> Our Site Name: Default-First-Site-Name
> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
> CLOSE_SITE FULL SECRET
>
>
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : server1
> Primary Dns Suffix . . . . . . . : domain.dns
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.dns
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : domain.dns
> Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
> Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.9
> 192.168.1.51
> Primary WINS Server . . . . . . . : 192.168.1.51
> Secondary WINS Server . . . . . . : 192.168.1.9
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
> nltest /server:server1 /dsgetdc:domain.dns
>
> DC: \\server1.domain.dns
> Address: \\192.168.1.9
> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> Dom Name: domain.dns
> Forest Name: domain.dns
> Dc Site Name: Default-First-Site-Name
> Our Site Name: Default-First-Site-Name
> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
> CLOSE_SITE FULL SECRET
>

Hello Haji,

For WINS, any WINS server must ONLY point to itself. So for each DC, if it is a WINS server, it must only point to itself, not its partner. This is one of the rules for WINS servers due to its own self-registration and ownership of records; otherwise it will cause problems with WINS. Not saying this is causing any problems with Sysvol or the dcdiag errors, but it will affect WINS services. Clients can point to both.

What Event log errors exist on any of the DCs?

Are there any firewalls installed on the 2008 DCs? Windows 2008 has the local firewall running by default. I would suggest disabling it. There are three parts of the firewall on 2008. To get to the settings:
Open Server Manager (right-click My Computer, choose Manage)
Expand Configuration
Right-click "Windows Firewall with Advanced Settings"
Choose Properties
Click on the Domain tab, Firewall State, choose "Off" in the drop-down box.
Click on the Private tab, Firewall State, choose "Off" in the drop-down box.
Click on the Public tab, Firewall State, choose "Off" in the drop-down box.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.




Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157301 is a reply to message #157295] Mon, 06 July 2009 02:20
meiweb(nospam), Germany
Hello Haji,

Did you change the default locations to "d:\ad\sysvol\domain" and "d:\ad\sysvol\staging\domain"
on server1?

Was server1 ever restored from backup/image/snapshot(VM) without cleaning
the AD database before?

I am also a bit surprised about the difference of the RID pool between both
DCs, there is a really big difference which shouldn't be the case. Normally
they stick together.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> dcdiag from Server1, which is the old one:
>
> Directory Server Diagnosis
>
> Performing initial setup:
>
> Trying to find home server...
>
> * Verifying that the local machine server1, is a Directory Server.
> Home Server = server1
> * Connecting to directory service on server server1.
>
> * Identified AD Forest.
> Collecting AD specific global data
> * Collecting site info.
> Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
> The previous call succeeded
> Iterating through the sites
> Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> Getting ISTG and options for the site
> * Identifying all servers.
> Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
> The previous call succeeded....
> The previous call succeeded
> Iterating through the list of servers
> Getting information for the server CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> objectGuid obtained
> InvocationID obtained
> dnsHostname obtained
> site info obtained
> All the info for the server collected
> Getting information for the server CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> objectGuid obtained
> InvocationID obtained
> dnsHostname obtained
> site info obtained
> All the info for the server collected
> * Identifying all NC cross-refs.
> * Found 2 DC(s). Testing 1 of them.
>
> Done gathering initial info.
>
> Doing initial required tests
>
> Testing server: Default-First-Site-Name\server1
>
> Starting test: Connectivity
>
> * Active Directory LDAP Services Check
> Determining IP4 connectivity
> Determining IP6 connectivity
> * Active Directory RPC Services Check
> ......................... server1 passed test Connectivity
> Doing primary tests
>
> Testing server: Default-First-Site-Name\server1
>
> Starting test: Advertising
>
> The DC server1 is advertising itself as a DC and having a DS.
> The DC server1 is advertising as an LDAP server
> The DC server1 is advertising as having a writeable directory
> The DC server1 is advertising as a Key Distribution Center
> The DC server1 is advertising as a time server
> The DS server1 is advertising as a GC.
> ......................... server1 passed test Advertising
> Test omitted by user request: CheckSecurityError
>
> Test omitted by user request: CutoffServers
>
> Starting test: FrsEvent
>
> * The File Replication Service Event log test
> There are warning or error events within the last 24 hours
> after the
> SYSVOL has been shared. Failing SYSVOL replication problems
> may cause
>
> Group Policy problems.
> An Error Event occurred. EventID: 0xC00034F0
> Time Generated: 07/04/2009 23:13:40
>
> Event String:
>
> The File Replication Service is unable to add this
> computer to the following replica set:
>
> "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
>
> This could be caused by a number of problems such as:
>
> -- an invalid root path,
>
> -- a missing directory,
>
> -- a missing disk volume,
>
> -- a file system on the volume that does not support
> NTFS 5.0
>
> The information below may help to resolve the problem:
>
> Computer DNS name is "server1.domain.dns"
>
> Replica set member name is "server1"
>
> Replica set root path is "d:\ad\sysvol\domain"
>
> Replica staging directory path is
> "d:\ad\sysvol\staging\domain"
>
> Replica working directory path is "c:\windows\ntfrs\jet"
>
> Windows error status code is
>
> FRS error status code is FrsErrorMismatchedJournalId
>
> Other event log messages may also help determine the
> problem. Correct the problem and the service will attempt to restart
> replication automatically at a later time.
>
> An Error Event occurred. EventID: 0xC00034F3
>
> Time Generated: 07/04/2009 23:13:40
>
> Event String:
>
> The File Replication Service is in an error state. Files
> will not replicate to or from one or all of the replica sets on this
> computer until the following recovery steps are performed:
>
> Recovery Steps:
>
> [1] The error state may clear itself if you stop and
> restart the FRS service. This can be done by performing the following
> in a command window:
>
> net stop ntfrs
>
> net start ntfrs
>
> If this fails to clear up the problem then proceed as
> follows.
>
> [2] For Active Directory Domain Services Domain
> Controllers that DO NOT host any DFS alternates or other replica sets
> with replication enabled:
>
> If there is at least one other Domain Controller in this
> domain then restore the "system state" of this DC from backup (using
> ntbackup or other backup-restore utility) and make it
> non-authoritative.
>
> If there are NO other Domain Controllers in this domain
> then restore the "system state" of this DC from backup (using ntbackup
> or other backup-restore utility) and choose the Advanced option which
> marks the sysvols as primary.
>
> If there are other Domain Controllers in this domain but
> ALL of them have this event log message then restore one of them as
> primary (data files from primary will replicate everywhere) and the
> others as non-authoritative.
>
> [3] For Active Directory Domain Services Domain
> Controllers that host DFS alternates or other replica sets with
> replication enabled:
>
> (3-a) If the Dfs alternates on this DC do not have any
> other replication partners then copy the data under that Dfs share to
> a safe location.
>
> (3-b) If this server is the only Active Directory Domain
> Services Domain Controller for this domain then, before going to
> (3-c), make sure this server does not have any inbound or outbound
> connections to other servers that were formerly Domain Controllers for
> this domain but are now off the net (and will never be coming back
> online) or have been fresh installed without being demoted. To delete
> connections use the Sites and Services snapin and look for
>
> Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS
> Settings->CONNECTIONS.
>
> (3-c) Restore the "system state" of this DC from backup
> (using ntbackup or other backup-restore utility) and make it
> non-authoritative.
>
> (3-d) Copy the data from step (3-a) above to the original
> location after the sysvol share is published.
>
> [4] For other Windows servers:
>
> (4-a) If any of the DFS alternates or other replica sets
> hosted by this server do not have any other replication partners then
> copy the data under its share or replica tree root to a safe location.
>
> (4-b) net stop ntfrs
>
> (4-c) rd /s /q c:\windows\ntfrs\jet
>
> (4-d) net start ntfrs
>
> (4-e) Copy the data from step (4-a) above to the
> original location after the service has initialized (5 minutes is a
> safe waiting time).
>
> Note: If this error message is in the eventlog of all the
> members of a particular replica set then perform steps (4-a) and (4-e)
> above on only one of the members.
>
> ......................... server1 failed test FrsEvent
>
> Starting test: DFSREvent
>
> The DFS Replication Event Log.
> ......................... server1 passed test DFSREvent
> Starting test: SysVolCheck
>
> * The File Replication Service SYSVOL ready test
> File Replication Service's SYSVOL is ready
> ......................... server1 passed test SysVolCheck
> Starting test: KccEvent
>
> * The KCC Event log test
> Found no KCC errors in "Directory Service" Event log in the
> last 15
> minutes.
> ......................... server1 passed test KccEvent
> Starting test: KnowsOfRoleHolders
>
> Role Schema Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role Domain Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role PDC Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role Rid Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role Infrastructure Update Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> ......................... server1 passed test
> KnowsOfRoleHolders
> Starting test: MachineAccount
>
> Checking machine account for DC server1 on DC server1.
> * SPN found :LDAP/server1.domain.dns/domain.dns
> * SPN found :LDAP/server1.domain.dns
> * SPN found :LDAP/server1
> * SPN found :LDAP/server1.domain.dns/domain
> * SPN found
> :LDAP/10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> * SPN found
> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/10054e4e-3786-4858-a745-5a3b299c
> 2326/domain.dns
> * SPN found :HOST/server1.domain.dns/domain.dns
> * SPN found :HOST/server1.domain.dns
> * SPN found :HOST/server1
> * SPN found :HOST/server1.domain.dns/domain
> * SPN found :GC/server1.domain.dns/domain.dns
> ......................... server1 passed test MachineAccount
> Starting test: NCSecDesc
>
> * Security Permissions check for all NC's on DC server1.
> The forest is not ready for RODC. Will skip checking ERODC
> ACEs.
> * Security Permissions Check for
> DC=ForestDnsZones,DC=domain,DC=dns
> (NDNC,Version 3)
> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
> Replicating Directory Changes In Filtered Set
> access rights for the naming context:
> DC=ForestDnsZones,DC=domain,DC=dns
> * Security Permissions Check for
> DC=DomainDnsZones,DC=domain,DC=dns
> (NDNC,Version 3)
> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
> Replicating Directory Changes In Filtered Set
> access rights for the naming context:
> DC=DomainDnsZones,DC=domain,DC=dns
> * Security Permissions Check for
> CN=Schema,CN=Configuration,DC=domain,DC=dns
> (Schema,Version 3)
> * Security Permissions Check for
> CN=Configuration,DC=domain,DC=dns
> (Configuration,Version 3)
> * Security Permissions Check for
> DC=domain,DC=dns
> (Domain,Version 3)
> ......................... server1 failed test NCSecDesc
> Starting test: NetLogons
>
> * Network Logons Privileges Check
> Verified share \\server1\netlogon
> Verified share \\server1\sysvol
> ......................... server1 passed test NetLogons
> Starting test: ObjectsReplicated
>
> server1 is in domain DC=domain,DC=dns
> Checking for CN=server1,OU=Domain
> Controllers,DC=domain,DC=dns in
> domain DC=domain,DC=dns on 1 servers
> Object is up-to-date on all servers.
> Checking for CN=NTDS
> Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> in domain CN=Configuration,DC=domain,DC=dns on 1 servers
> Object is up-to-date on all servers.
> ......................... server1 passed test
> ObjectsReplicated
> Test omitted by user request: OutboundSecureChannels
>
> Starting test: Replications
>
> * Replications Check
> * Replication Latency Check
> DC=ForestDnsZones,DC=domain,DC=dns
> Latency information for 8 entries in the vector were
> ignored.
> 8 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> DC=DomainDnsZones,DC=domain,DC=dns
> Latency information for 8 entries in the vector were
> ignored.
> 8 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> CN=Schema,CN=Configuration,DC=domain,DC=dns
> Latency information for 9 entries in the vector were
> ignored.
> 9 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> CN=Configuration,DC=domain,DC=dns
> Latency information for 9 entries in the vector were
> ignored.
> 9 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> DC=domain,DC=dns
> Latency information for 9 entries in the vector were
> ignored.
> 9 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> ......................... server1 passed test Replications
> Starting test: RidManager
>
> * Available RID Pool for the Domain is 16606 to 1073741823
> * server2.domain.dns is the RID Master
> * DsBind with RID Master was successful
> * rIDAllocationPool is 4606 to 5105
> * rIDPreviousAllocationPool is 4606 to 5105
> * rIDNextRID: 4616
> ......................... server1 passed test RidManager
> Starting test: Services
>
> * Checking Service: EventSystem
> * Checking Service: RpcSs
> * Checking Service: NTDS
> * Checking Service: DnsCache
> * Checking Service: DFSR
> * Checking Service: IsmServ
> * Checking Service: kdc
> * Checking Service: SamSs
> * Checking Service: LanmanServer
> * Checking Service: LanmanWorkstation
> * Checking Service: w32time
> * Checking Service: NETLOGON
> ......................... server1 passed test Services
> Starting test: SystemLog
>
> * The System Event log test
> Found no errors in "System" Event log in the last 60 minutes.
> ......................... server1 passed test SystemLog
> Test omitted by user request: Topology
>
> Test omitted by user request: VerifyEnterpriseReferences
>
> Starting test: VerifyReferences
>
> The system object reference (serverReference)
>
> CN=server1,OU=Domain Controllers,DC=domain,DC=dns and
>
> backlink on
>
> CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura
> tion,DC=domain,DC=dns
>
> are correct.
> The system object reference (serverReferenceBL)
> CN=server1,CN=Domain System Volume (SYSVOL share),CN=File
> Replication Service,CN=System,DC=domain,DC=dns
>
> and backlink on
>
> CN=NTDS
> Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
>
> are correct.
> ......................... server1 passed test
> VerifyReferences
> Test omitted by user request: VerifyReplicas
>
> Test omitted by user request: DNS
>
> Test omitted by user request: DNS
>
> Running partition tests on : ForestDnsZones
>
> Starting test: CheckSDRefDom
>
> ......................... ForestDnsZones passed test
> CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... ForestDnsZones passed test
>
> CrossRefValidation
>
> Running partition tests on : DomainDnsZones
>
> Starting test: CheckSDRefDom
>
> ......................... DomainDnsZones passed test
> CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... DomainDnsZones passed test
>
> CrossRefValidation
>
> Running partition tests on : Schema
>
> Starting test: CheckSDRefDom
>
> ......................... Schema passed test CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... Schema passed test
> CrossRefValidation
>
> Running partition tests on : Configuration
>
> Starting test: CheckSDRefDom
>
> ......................... Configuration passed test
> CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... Configuration passed test
> CrossRefValidation
>
> Running partition tests on : domain
>
> Starting test: CheckSDRefDom
>
> ......................... domain passed test CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... domain passed test
> CrossRefValidation
>
> Running enterprise tests on : domain.dns
>
> Test omitted by user request: DNS
>
> Test omitted by user request: DNS
>
> Starting test: LocatorCheck
>
> GC Name: \\server1.domain.dns
>
> Locator Flags: 0xe00011fc
> PDC Name: \\server2.domain.dns
> Locator Flags: 0xe00013fd
> Time Server Name: \\server1.domain.dns
> Locator Flags: 0xe00011fc
> Preferred Time Server Name: \\server1.domain.dns
> Locator Flags: 0xe00011fc
> KDC Name: \\server1.domain.dns
> Locator Flags: 0xe00011fc
> ......................... domain.dns passed test LocatorCheck
> Starting test: Intersite
>
> Skipping site Default-First-Site-Name, this site is outside
> the scope
>
> provided by the command line arguments provided.
> ......................... domain.dns passed test Intersite
> repadmin /showrepl from server1:
>
> Repadmin: running command /showrepl against full DC localhost
>
> Default-First-Site-Name\server1
>
> DSA Options: IS_GC
>
> Site Options: (none)
>
> DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
>
> DSA invocationID: d796d1fd-f4ef-400a-b2ba-a094c73c1659
>
> ==== INBOUND NEIGHBORS ======================================
>
> DC=domain,DC=dns
>
> Default-First-Site-Name\server2 via RPC
>
> DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
>
> Last attempt @ 2009-07-05 18:23:20 was successful.
>
> CN=Configuration,DC=domain,DC=dns
>
> Default-First-Site-Name\server2 via RPC
>
> DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
>
> Last attempt @ 2009-07-05 17:53:08 was successful.
>
> CN=Schema,CN=Configuration,DC=domain,DC=dns
>
> Default-First-Site-Name\server2 via RPC
>
> DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
>
> Last attempt @ 2009-07-05 17:53:08 was successful.
>
> DC=DomainDnsZones,DC=domain,DC=dns
>
> Default-First-Site-Name\server2 via RPC
>
> DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
>
> Last attempt @ 2009-07-05 17:53:08 was successful.
>
> DC=ForestDnsZones,DC=domain,DC=dns
>
> Default-First-Site-Name\server2 via RPC
>
> DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
>
> Last attempt @ 2009-07-05 18:29:12 was successful.
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Haji,
>>
>> Run diagnostics dcdiag /v and repadmin /showrepl to check for errors
>> and make sure both DCs have replicated. Are both listed in the DNS
>> zones with their A record and name server record and also under all
>> subfolders?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I've got a Windows 2008 box that was my only DC in my test network
>>> that is on some rather aged hardware. I've built a new box to
>>> replace the old DC with, installed Server 2008 on it, added it to
>>> the domain, ran dcpromo, kicked it up to a GC, and transferred the
>>> FSMO roles over to it. However, when I run dcpromo on the old box
>>> that I'm wanting to retire, I get the following message:
>>>
>>> "You did not indicate that this Active Directory domain controller
>>> is the last domain controller for the domain test.dns. However, no
>>> other Active Directory domain controllers for that domain can be
>>> contacted."
>>>
>>> I've also noticed that when the old box is powered down, none of my
>>> test workstations can map a drive to the new server, due to an
>>> authentication failure. The ID that the server is logged into is an
>>> enterprise admin ID, and this is a single domain setup (no child
>>> domains in the forest). Both the forest and the domain are at
>>> 2008 functional level. Each server has DNS installed and is AD
>>> Integrated. Each server points to the other for DNS primary, and
>>> itself for secondary.
>>>
>>> I'm sure there is more information that is needed that I haven't
>>> provided, just let me know what you need and I'll post it, but if
>>> anyone can help me out, I'd really like to learn what this issue is
>>> and how to fix it.
>>>
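To pull the verdicts out of a dcdiag /v dump as long as the ones in this thread, the following added example (not part of any post here, and not Microsoft's code) parses the quoted output, including verdict lines whose test name wrapped onto the next line, and lists tests that passed although their detail text reports trouble. The sample is constructed from lines of the server2 run quoted in the thread; the alarm-word list is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines from the server2 dcdiag run quoted in this thread,
# shortened, with the newsreader "> " quoting and line wraps kept.
SAMPLE = r"""
> Starting test: Advertising
>
> Warning: DsGetDcName returned information for
> \\server1.domain.dns, when we were trying to reach server2.
> ......................... server2 failed test Advertising
> Starting test: SysVolCheck
> * The File Replication Service SYSVOL ready test
> The registry lookup failed to determine the state of the
> SYSVOL. The
> error returned was 0x0 "The operation completed
> successfully.".
> ......................... server2 passed test SysVolCheck
> Starting test: KccEvent
> Found no KCC errors in "Directory Service" Event log in the
> last 15 minutes.
> ......................... server2 passed test KccEvent
> Starting test: KnowsOfRoleHolders
> ......................... server2 passed test
> KnowsOfRoleHolders
> Starting test: NetLogons
> Unable to connect to the NETLOGON share! (\\server2\netlogon)
> ......................... server2 failed test NetLogons
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test
>
> CrossRefValidation
"""

QUOTE_RE = re.compile(r"^\s*(?:>\s?)+")   # one or more "> " quote prefixes
START_RE = re.compile(r"^Starting test:\s+(\S+)")
VERDICT_RE = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?$")
# Assumption: words that mark trouble inside a test's detail text.
ALARM_RE = re.compile(r"\b(?:warning|error|failed|unable)\b", re.IGNORECASE)


@dataclass
class DcdiagResult:
    target: str                 # server or partition the verdict is about
    test: str
    passed: bool
    details: list = field(default_factory=list)


def parse_dcdiag(text):
    """Return one DcdiagResult per verdict line, in order of appearance."""
    results, details = [], []
    current = None   # name from the last "Starting test:" line
    pending = None   # verdict whose name is only on the following line
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw).strip()
        if not line:
            continue
        if pending is not None:
            pending.test = line.split()[0]
            results.append(pending)
            pending = None
            continue
        m = START_RE.match(line)
        if m:
            current, details = m.group(1), []
            continue
        m = VERDICT_RE.match(line)
        if m:
            target, verdict, name = m.groups()
            rec = DcdiagResult(target, name or current, verdict == "passed", details)
            current, details = None, []
            if rec.test is None:
                pending = rec    # excerpt began mid-test and the name wrapped
            else:
                results.append(rec)
        elif current is not None:
            details.append(line)
    return results


def failed_tests(results):
    # Map each target (server or partition) to the tests it failed.
    failed = {}
    for r in results:
        if not r.passed:
            failed.setdefault(r.target, []).append(r.test)
    return failed


def suspicious_passes(results):
    # Tests reported as passed whose detail text still mentions trouble.
    return [(r.target, r.test) for r in results
            if r.passed and any(ALARM_RE.search(d) for d in r.details)]


if __name__ == "__main__":
    parsed = parse_dcdiag(SAMPLE)
    print("failed:", failed_tests(parsed))
    print("passed with trouble in details:", suspicious_passes(parsed))
```
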
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157302 is a reply to message #157293] Mon, 06 July 2009 02:23
meiweb(nospam), Germany
Hello Haji,

Please run:
dnslint /ad /s "ip address of your dc"

Therefore download and install:
http://support.microsoft.com/kb/321045

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> In Active Directory Sites and Services, both Server1 and Server 2 are
> listed as IP Bridgeheads, and both are GC's. Both servers have Active
> Directory integrated DNS running on them.
>
> Windows IP Configuration
>
> Host Hame . . . . . . . . . . . . : server2
> Primary Dns Suffix . . . . . . . : domain.dns
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.dns
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : domain.dns
> Description . . . . . . . . . . . : TEAM : Team #0
> Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.51
> 192.168.1.9
> Primary WINS Server . . . . . . . : 192.168.1.9
> Secondary WINS Server . . . . . . : 192.168.1.51
> NetBIOS over Tcpip. . . . . . . . : Enabled
> nltest /server:server2 /dsgetdc:domain.dns
>
> DC: \\server1.domain.dns
> Address: \\192.168.1.9
> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> Dom Name: domain.dns
> Forest Name: domain.dns
> Dc Site Name: Default-First-Site-Name
> Our Site Name: Default-First-Site-Name
> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
> CLOSE_SITE FULL SECRET
> Windows IP Configuration
>
> Host Hame . . . . . . . . . . . . : server1
> Primary Dns Suffix . . . . . . . : domain.dns
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.dns
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : domain.dns
> Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
> Connection
> Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.9
> 192.168.1.51
> Primary WINS Server . . . . . . . : 192.168.1.51
> Secondary WINS Server . . . . . . : 192.168.1.9
> NetBIOS over Tcpip. . . . . . . . : Enabled
> nltest /server:server1 /dsgetdc:domain.dns
>
> DC: \\server1.domain.dns
> Address: \\192.168.1.9
> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> Dom Name: domain.dns
> Forest Name: domain.dns
> Dc Site Name: Default-First-Site-Name
> Our Site Name: Default-First-Site-Name
> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
> CLOSE_SITE FULL SECRET
> "Paul Bergson [MVP-DS]" wrote:
>
>> Sounds to me like you haven't made the new box a GC or not a DNS
>> server.
>>
>> Start by posting both boxes ip configuration details. From a command
>> prompt on both dc's run the following:
>>
>> ipconfig /all
>>
>> Next from each DC at a command prompt run the following and post:
>> nltest /server:<servername> /dsgetdc:<domainname>
>>
>> Note: Feel free to modify the output, so as not to disclose any
>> valuable information. Such as changing the first couple of
>> octets on your ip addresses, but please be consistent (192.168. is a
>> good replacement value).
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Haji" <Haji@discussions.microsoft.com> wrote in message
>> news:35A43720-2CE5-4AAE-AB54-CE7FEFB7FCC6@microsoft.com...
>>
>>> I've got a Windows 2008 box that was my only DC in my test network
>>> that is on some rather aged hardware. I've built a new box to
>>> replace the old DC with, installed Server 2008 on it, added it to
>>> the domain, ran dcpromo, kicked it up to a GC, and transferred the
>>> FSMO roles over to it. However, when I run dcpromo on the old box
>>> that I'm wanting to retire, I get the following message:
>>>
>>> "You did not indicate that this Active Directory domain controller
>>> is the last domain controller for the domain test.dns. However, no
>>> other Active Directory domain controllers for that domain can be
>>> contacted."
>>>
>>> I've also noticed that when the old box is powered down, none of my
>>> test workstations can map a drive to the new server, due to an
>>> authentication failure. The ID that the server is logged into is an
>>> enterprise admin ID, and this is a single domain setup (no child
>>> domains in the forest). Both the forest and the domain are at
>>> 2008 functional level. Each server has DNS installed and is AD
>>> Integrated. Each server points to the other for DNS primary, and
>>> itself for secondary.
>>>
>>> I'm sure there is more information that is needed that I haven't
>>> provided, just let me know what you need and I'll post it, but if
>>> anyone can help me out, I'd really like to learn what this issue is
>>> and how to fix it.
>>>
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157303 is a reply to message #157294] Mon, 06 July 2009 02:21
meiweb(nospam), Germany
Hello Haji,

Can you open and compare sysvol and netlogon share on both DCs?

Please ping between both DCs with ipaddress, computername and FQDN.

Any firewall running between them?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> dcdiag from server2, which is the new one:
>
> Directory Server Diagnosis
>
> Performing initial setup:
>
> Trying to find home server...
>
> * Verifying that the local machine server2, is a Directory Server.
> Home Server = server2
> * Connecting to directory service on server server2.
>
> * Identified AD Forest.
> Collecting AD specific global data
> * Collecting site info.
> Calling
> ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,L
> DAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
> The previous call succeeded
> Iterating through the sites
> Looking at base site object: CN=NTDS Site
> Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domai
> n,DC=dns
> Getting ISTG and options for the site
> * Identifying all servers.
> Calling
> ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,L
> DAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
> The previous call succeeded....
> The previous call succeeded
> Iterating through the list of servers
> Getting information for the server CN=NTDS
> Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> objectGuid obtained
> InvocationID obtained
> dnsHostname obtained
> site info obtained
> All the info for the server collected
> Getting information for the server CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> objectGuid obtained
> InvocationID obtained
> dnsHostname obtained
> site info obtained
> All the info for the server collected
> * Identifying all NC cross-refs.
> * Found 2 DC(s). Testing 1 of them.
>
> Done gathering initial info.
>
> Doing initial required tests
>
> Testing server: Default-First-Site-Name\server2
>
> Starting test: Connectivity
>
> * Active Directory LDAP Services Check
> Determining IP4 connectivity
> Determining IP6 connectivity
> * Active Directory RPC Services Check
> ......................... server2 passed test Connectivity
> Doing primary tests
>
> Testing server: Default-First-Site-Name\server2
>
> Starting test: Advertising
>
> Warning: DsGetDcName returned information for
>
> \\server1.domain.dns, when we were trying to reach server2.
>
> SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
>
> ......................... server2 failed test Advertising
>
> Test omitted by user request: CheckSecurityError
>
> Test omitted by user request: CutoffServers
>
> Starting test: FrsEvent
>
> * The File Replication Service Event log test
> There are warning or error events within the last 24 hours
> after the
> SYSVOL has been shared. Failing SYSVOL replication problems
> may cause
>
> Group Policy problems.
> An Warning Event occurred. EventID: 0x800034C4
> Time Generated: 07/04/2009 19:53:44
>
> Event String:
>
> The File Replication Service is having trouble enabling
> replication from server1.domain.dns to server2 for
> c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
> will keep retrying.
>
> Following are some of the reasons you would see this
> warning.
>
> [1] FRS can not correctly resolve the DNS name
> server1.domain.dns from this computer.
>
> [2] FRS is not running on server1.domain.dns.
>
> [3] The topology information in the Active Directory
> Domain Services for this replica has not yet replicated to all the
> Domain Controllers.
>
> This event log message will appear once per connection,
> After the problem is fixed you will see another event log message
> indicating that the connection has been established.
>
> An Warning Event occurred. EventID: 0x800034FE
>
> Time Generated: 07/05/2009 17:59:10
>
> Event String:
>
> File Replication Service is scanning the data in the
> system volume. Computer server2 cannot become a domain controller
> until this process is complete. The system volume will then be shared
> as SYSVOL.
>
> To check for the SYSVOL share, at the command prompt,
> type:
>
> net share
>
> When File Replication Service completes the scanning
> process, the SYSVOL share will appear.
>
> The initialization of the system volume can take some
> time. The time is dependent on the amount of data in the system
> volume.
>
> An Warning Event occurred. EventID: 0x800034C4
>
> Time Generated: 07/05/2009 18:02:00
>
> Event String:
>
> The File Replication Service is having trouble enabling
> replication from server1.domain.dns to server2 for
> c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
> will keep retrying.
>
> Following are some of the reasons you would see this
> warning.
>
> [1] FRS can not correctly resolve the DNS name
> server1.domain.dns from this computer.
>
> [2] FRS is not running on server1.domain.dns.
>
> [3] The topology information in the Active Directory
> Domain Services for this replica has not yet replicated to all the
> Domain Controllers.
>
> This event log message will appear once per connection,
> After the problem is fixed you will see another event log message
> indicating that the connection has been established.
>
> An Warning Event occurred. EventID: 0x800034FE
>
> Time Generated: 07/05/2009 18:08:29
>
> Event String:
>
> File Replication Service is scanning the data in the
> system volume. Computer server2 cannot become a domain controller
> until this process is complete. The system volume will then be shared
> as SYSVOL.
>
> To check for the SYSVOL share, at the command prompt,
> type:
>
> net share
>
> When File Replication Service completes the scanning
> process, the SYSVOL share will appear.
>
> The initialization of the system volume can take some
> time. The time is dependent on the amount of data in the system
> volume.
>
> An Warning Event occurred. EventID: 0x800034C4
>
> Time Generated: 07/05/2009 18:10:22
>
> Event String:
>
> The File Replication Service is having trouble enabling
> replication from server1.domain.dns to server2 for
> c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
> will keep retrying.
>
> Following are some of the reasons you would see this
> warning.
>
> [1] FRS can not correctly resolve the DNS name
> server1.domain.dns from this computer.
>
> [2] FRS is not running on server1.domain.dns.
>
> [3] The topology information in the Active Directory
> Domain Services for this replica has not yet replicated to all the
> Domain Controllers.
>
> This event log message will appear once per connection,
> After the problem is fixed you will see another event log message
> indicating that the connection has been established.
>
> An Warning Event occurred. EventID: 0x800034C4
>
> Time Generated: 07/05/2009 18:18:22
>
> Event String:
>
> The File Replication Service is having trouble enabling
> replication from server1 to server2 for c:\windows\sysvol\domain using
> the DNS name server1.domain.dns. FRS will keep retrying.
>
> Following are some of the reasons you would see this
> warning.
>
> [1] FRS can not correctly resolve the DNS name
> server1.domain.dns from this computer.
>
> [2] FRS is not running on server1.domain.dns.
>
> [3] The topology information in the Active Directory
> Domain Services for this replica has not yet replicated to all the
> Domain Controllers.
>
> This event log message will appear once per connection,
> After the problem is fixed you will see another event log message
> indicating that the connection has been established.
>
> ......................... server2 passed test FrsEvent
>
> Starting test: DFSREvent
>
> The DFS Replication Event Log.
> There are warning or error events within the last 24 hours
> after the
> SYSVOL has been shared. Failing SYSVOL replication problems
> may cause
>
> Group Policy problems.
> An Error Event occurred. EventID: 0xC00004B2
> Time Generated: 07/05/2009 17:59:35
>
> Event String:
>
> The DFS Replication service failed to contact domain
> controller to access configuration information. Replication is
> stopped. The service will try again during the next configuration
> polling cycle, which will occur in 60 minutes. This event can be
> caused by TCP/IP connectivity, firewall, Active Directory Domain
> Services, or DNS issues.
>
> Additional Information:
>
> Error: 160 (One or more arguments are not correct.)
>
> ......................... server2 failed test DFSREvent
>
> Starting test: SysVolCheck
>
> * The File Replication Service SYSVOL ready test
> The registry lookup failed to determine the state of the
> SYSVOL. The
> error returned was 0x0 "The operation completed
> successfully.".
>
> Check the FRS event log to see if the SYSVOL has successfully
> been
>
> shared.
> ......................... server2 passed test SysVolCheck
> Starting test: KccEvent
>
> * The KCC Event log test
> Found no KCC errors in "Directory Service" Event log in the
> last 15
> minutes.
> ......................... server2 passed test KccEvent
> Starting test: KnowsOfRoleHolders
>
> Role Schema Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role Domain Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role PDC Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role Rid Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role Infrastructure Update Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> ......................... server2 passed test
> KnowsOfRoleHolders
> Starting test: MachineAccount
>
> Checking machine account for DC server2 on DC server2.
> * SPN found :LDAP/server2.domain.dns/domain.dns
> * SPN found :LDAP/server2.domain.dns
> * SPN found :LDAP/server2
> * SPN found :LDAP/server2.domain.dns/domain
> * SPN found
> :LDAP/d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> * SPN found
> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/d963b078-1f27-4154-8436-870d1993
> 5efe/domain.dns
> * SPN found :HOST/server2.domain.dns/domain.dns
> * SPN found :HOST/server2.domain.dns
> * SPN found :HOST/server2
> * SPN found :HOST/server2.domain.dns/domain
> * SPN found :GC/server2.domain.dns/domain.dns
> ......................... server2 passed test MachineAccount
> Starting test: NCSecDesc
>
> * Security Permissions check for all NC's on DC server2.
> The forest is not ready for RODC. Will skip checking ERODC
> ACEs.
> * Security Permissions Check for
> DC=ForestDnsZones,DC=domain,DC=dns
> (NDNC,Version 3)
> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
> Replicating Directory Changes In Filtered Set
> access rights for the naming context:
> DC=ForestDnsZones,DC=domain,DC=dns
> * Security Permissions Check for
> DC=DomainDnsZones,DC=domain,DC=dns
> (NDNC,Version 3)
> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
> Replicating Directory Changes In Filtered Set
> access rights for the naming context:
> DC=DomainDnsZones,DC=domain,DC=dns
> * Security Permissions Check for
> CN=Schema,CN=Configuration,DC=domain,DC=dns
> (Schema,Version 3)
> * Security Permissions Check for
> CN=Configuration,DC=domain,DC=dns
> (Configuration,Version 3)
> * Security Permissions Check for
> DC=domain,DC=dns
> (Domain,Version 3)
> ......................... server2 failed test NCSecDesc
> Starting test: NetLogons
>
> * Network Logons Privileges Check
> Unable to connect to the NETLOGON share! (\\server2\netlogon)
> [server2] An net use or LsaPolicy operation failed with error
> 67,
>
> The network name cannot be found..
>
> ......................... server2 failed test NetLogons
>
> Starting test: ObjectsReplicated
>
> server2 is in domain DC=domain,DC=dns
> Checking for CN=server2,OU=Domain
> Controllers,DC=domain,DC=dns in
> domain DC=domain,DC=dns on 1 servers
> Object is up-to-date on all servers.
> Checking for CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> in domain CN=Configuration,DC=domain,DC=dns on 1 servers
> Object is up-to-date on all servers.
> ......................... server2 passed test
> ObjectsReplicated
> Test omitted by user request: OutboundSecureChannels
>
> Starting test: Replications
>
> * Replications Check
> * Replication Latency Check
> DC=ForestDnsZones,DC=domain,DC=dns
> Latency information for 8 entries in the vector were
> ignored.
> 8 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> DC=DomainDnsZones,DC=domain,DC=dns
> Latency information for 8 entries in the vector were
> ignored.
> 8 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> CN=Schema,CN=Configuration,DC=domain,DC=dns
> Latency information for 9 entries in the vector were
> ignored.
> 9 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> CN=Configuration,DC=domain,DC=dns
> Latency information for 9 entries in the vector were
> ignored.
> 9 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> DC=domain,DC=dns
> Latency information for 9 entries in the vector were
> ignored.
> 9 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> ......................... server2 passed test Replications
> Starting test: RidManager
>
> * Available RID Pool for the Domain is 16606 to 1073741823
> * server2.domain.dns is the RID Master
> * DsBind with RID Master was successful
> * rIDAllocationPool is 16106 to 16605
> * rIDPreviousAllocationPool is 16106 to 16605
> * rIDNextRID: 16106
> ......................... server2 passed test RidManager
> Starting test: Services
>
> * Checking Service: EventSystem
> * Checking Service: RpcSs
> * Checking Service: NTDS
> * Checking Service: DnsCache
> * Checking Service: DFSR
> * Checking Service: IsmServ
> * Checking Service: kdc
> * Checking Service: SamSs
> * Checking Service: LanmanServer
> * Checking Service: LanmanWorkstation
> * Checking Service: w32time
> * Checking Service: NETLOGON
> ......................... server2 passed test Services
> Starting test: SystemLog
>
> * The System Event log test
> An Warning Event occurred. EventID: 0x8000001D
> Time Generated: 07/05/2009 17:58:50
>
> Event String:
>
> The Key Distribution Center (KDC) cannot find a suitable
> certificate to use for smart card logons, or the KDC certificate could
> not be verified. Smart card logon may not function correctly if this
> problem is not resolved. To correct this problem, either verify the
> existing KDC certificate using certutil.exe or enroll for a new KDC
> certificate.
>
> An Error Event occurred. EventID: 0xC0001B72
>
> Time Generated: 07/05/2009 18:08:40
>
> Event String:
>
> The following boot-start or system-start driver(s) failed
> to load:
>
> storflt
>
> superbmc
>
> An Warning Event occurred. EventID: 0x00002724
>
> Time Generated: 07/05/2009 18:19:30
>
> Event String:
>
> This computer has at least one dynamically assigned IPv6
> address.For reliable DHCPv6 server operation, you should use only
> static IPv6 addresses.
>
> ......................... server2 failed test SystemLog
>
> Test omitted by user request: Topology
>
> Test omitted by user request: VerifyEnterpriseReferences
>
> Starting test: VerifyReferences
>
> The system object reference (serverReference)
>
> CN=server2,OU=Domain Controllers,DC=domain,DC=dns and
> backlink on
>
> CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
>
> are correct.
> The system object reference (serverReferenceBL)
> CN=server2,CN=Domain System Volume (SYSVOL share),CN=File
> Replication Service,CN=System,DC=domain,DC=dns
>
> and backlink on
>
> CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
>
> are correct.
> ......................... server2 passed test
> VerifyReferences
> Test omitted by user request: VerifyReplicas
>
> Test omitted by user request: DNS
>
> Test omitted by user request: DNS
>
> Running partition tests on : ForestDnsZones
>
> Starting test: CheckSDRefDom
>
> ......................... ForestDnsZones passed test
> CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... ForestDnsZones passed test
>
> CrossRefValidation
>
> Running partition tests on : DomainDnsZones
>
> Starting test: CheckSDRefDom
>
> ......................... DomainDnsZones passed test
> CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... DomainDnsZones passed test
>
> CrossRefValidation
>
> Running partition tests on : Schema
>
> Starting test: CheckSDRefDom
>
> ......................... Schema passed test CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... Schema passed test
> CrossRefValidation
>
> Running partition tests on : Configuration
>
> Starting test: CheckSDRefDom
>
> ......................... Configuration passed test
> CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... Configuration passed test
> CrossRefValidation
>
> Running partition tests on : domain
>
> Starting test: CheckSDRefDom
>
> ......................... domain passed test CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... domain passed test
> CrossRefValidation
>
> Running enterprise tests on : domain.dns
>
> Test omitted by user request: DNS
>
> Test omitted by user request: DNS
>
> Starting test: LocatorCheck
>
> GC Name: \\server1.domain.dns
>
> Locator Flags: 0xe00011fc
> PDC Name: \\server2.domain.dns
> Locator Flags: 0xe00013fd
> Time Server Name: \\server1.domain.dns
> Locator Flags: 0xe00011fc
> Preferred Time Server Name: \\server1.domain.dns
> Locator Flags: 0xe00011fc
> KDC Name: \\server1.domain.dns
> Locator Flags: 0xe00011fc
> ......................... domain.dns passed test LocatorCheck
> Starting test: Intersite
>
> Skipping site Default-First-Site-Name, this site is outside
> the scope
>
> provided by the command line arguments provided.
> ......................... domain.dns passed test Intersite
> repadmin /showrepl from server2:
>
> Repadmin: running command /showrepl against full DC localhost
>
> Default-First-Site-Name\server2
>
> DSA Options: IS_GC
>
> Site Options: (none)
>
> DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
>
> DSA invocationID: 08e803de-61a0-4db8-bd91-8fdbfa816035
>
> ==== INBOUND NEIGHBORS ======================================
>
> DC=domain,DC=dns
>
> Default-First-Site-Name\server1 via RPC
>
> DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
>
> Last attempt @ 2009-07-05 18:11:12 was successful.
>
> CN=Configuration,DC=domain,DC=dns
>
> Default-First-Site-Name\server1 via RPC
>
> DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
>
> Last attempt @ 2009-07-05 18:08:23 was successful.
>
> CN=Schema,CN=Configuration,DC=domain,DC=dns
>
> Default-First-Site-Name\server1 via RPC
>
> DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
>
> Last attempt @ 2009-07-05 18:08:23 was successful.
>
> DC=DomainDnsZones,DC=domain,DC=dns
>
> Default-First-Site-Name\server1 via RPC
>
> DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
>
> Last attempt @ 2009-07-05 18:08:24 was successful.
>
> DC=ForestDnsZones,DC=domain,DC=dns
>
> Default-First-Site-Name\server1 via RPC
>
> DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
>
> Last attempt @ 2009-07-05 18:28:46 was successful.
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Haji,
>>
>> Run diagnostics dcdiag /v and repadmin /showrepl to check for errors
>> and make sure both DCs have replicated. Are both listed in the DNS
>> zones with their A record and name server record and also under all
>> subfolders?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I've got a Windows 2008 box that was my only DC in my test network
>>> that is on some rather aged hardware. I've built a new box to
>>> replace the old DC with, installed Server 2008 on it, added it to
>>> the domain, ran dcpromo, kicked it up to a GC, and transferred the
>>> FSMO roles over to it. However, when I run dcpromo on the old box
>>> that I'm wanting to retire, I get the following message:
>>>
>>> "You did not indicate that this Active Directory domain controller
>>> is the last domain controller for the domain test.dns. However, no
>>> other Active Directory domain controllers for that domain can be
>>> contacted."
>>>
>>> I've also noticed that when the old box is powered down, none of my
>>> test workstations can map a drive to the new server, due to an
>>> authentication failure. The ID that the server is logged into is an
>>> enterprise admin ID, and this is a single domain setup (no child
>>> domains in the forest). Both the forest and the domain are at
>>> 2008 functional level. Each server has DNS installed and is AD
>>> Integrated. Each server points to the other for DNS primary, and
>>> itself for secondary.
>>>
>>> I'm sure there is more information that is needed that I haven't
>>> provided, just let me know what you need and I'll post it, but if
>>> anyone can help me out, I'd really like to learn what this issue is
>>> and how to fix it.
>>>
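Added example, not part of the thread: a Python triage helper for pasted `dcdiag /v` output like the runs quoted above. It strips the reply quote markers, rejoins result lines whose test name wrapped onto a following line, and lists the failed tests; the sample text is constructed from lines quoted in this thread, and the function and variable names are assumptions of this example.

```python
import re
from collections import namedtuple

Result = namedtuple("Result", "target test status")

# Constructed sample: lines copied from the server2 dcdiag run quoted in this
# thread, keeping the '>' quote markers and the wrapped test names.
SAMPLE = r"""> ......................... server2 passed test MachineAccount
> Starting test: NCSecDesc
>
> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
> Replicating Directory Changes In Filtered Set
> ......................... server2 failed test NCSecDesc
> Starting test: NetLogons
>
> Unable to connect to the NETLOGON share! (\\server2\netlogon)
> ......................... server2 failed test NetLogons
>
> ......................... server2 passed test
> ObjectsReplicated
> Test omitted by user request: OutboundSecureChannels
> ......................... ForestDnsZones passed test
>
> CrossRefValidation
> ......................... server2 failed test SystemLog
"""

QUOTE_PREFIX = re.compile(r"^(?:>\s*)+")      # "> ", "> > ", ">>> " ...
RESULT = re.compile(
    r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?\s*$"
)
OMITTED = re.compile(r"^Test omitted by user request:\s+(\S+)")
TEST_NAME = re.compile(r"[A-Za-z]\w*")        # a bare test name on its own line


def parse_dcdiag(text):
    """Return a list of Result(target, test, status) from dcdiag output.

    status is 'passed', 'failed' or 'omitted'. A result line whose test
    name wrapped onto a later line is rejoined; if no name follows, the
    test is recorded as None rather than guessed.
    """
    results = []
    pending = None  # (target, status) still waiting for its test name
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if pending is not None:
            if not line:
                continue  # blank quoted line between the two halves
            target, status = pending
            pending = None
            if TEST_NAME.fullmatch(line):
                results.append(Result(target, line, status))
                continue
            # Something else followed: keep the result, name unknown,
            # then process this line normally below.
            results.append(Result(target, None, status))
        m = RESULT.match(line)
        if m:
            target, status, test = m.groups()
            if test:
                results.append(Result(target, test, status))
            else:
                pending = (target, status)
            continue
        m = OMITTED.match(line)
        if m:
            results.append(Result(None, m.group(1), "omitted"))
    if pending is not None:
        results.append(Result(pending[0], None, pending[1]))
    return results


def failed_tests(results):
    """(target, test) pairs for every failed test, in output order."""
    return [(r.target, r.test) for r in results if r.status == "failed"]


if __name__ == "__main__":
    for target, test in failed_tests(parse_dcdiag(SAMPLE)):
        print(f"FAILED {test} on {target}")
```
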
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157311 is a reply to message #157301] Mon, 06 July 2009 08:57
Haji
When I built server1, I specified those locations. They were never moved.

Server1 has never been restored from backup.

As for the RID pool, how do I correct that?

"Meinolf Weber [MVP-DS]" wrote:

> Hello Haji,
>
> Did you change the default locations to "d:\ad\sysvol\domain" and "d:\ad\sysvol\staging\domain"
> on server1?
>
> Was server1 ever restored from backup/image/snapshot(VM) without cleaning
> the AD database before?
>
> I am also a bit surprised about the difference of the RID pool between both
> DCs, there is a really big difference which shouldn't be the case. Normally
> they stick together.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > dcdiag from Server1, which is the old one:
> >
> > Directory Server Diagnosis
> >
> > Performing initial setup:
> >
> > Trying to find home server...
> >
> > * Verifying that the local machine server1, is a Directory Server.
> > Home Server = server1
> > * Connecting to directory service on server server1.
> >
> > * Identified AD Forest.
> > Collecting AD specific global data
> > * Collecting site info.
> > Calling
> > ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
> > The previous call succeeded
> > Iterating through the sites
> > Looking at base site object: CN=NTDS Site
> > Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> > Getting ISTG and options for the site
> > * Identifying all servers.
> > Calling
> > ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
> > The previous call succeeded....
> > The previous call succeeded
> > Iterating through the list of servers
> > Getting information for the server CN=NTDS
> > Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> > objectGuid obtained
> > InvocationID obtained
> > dnsHostname obtained
> > site info obtained
> > All the info for the server collected
> > Getting information for the server CN=NTDS
> > Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> > objectGuid obtained
> > InvocationID obtained
> > dnsHostname obtained
> > site info obtained
> > All the info for the server collected
> > * Identifying all NC cross-refs.
> > * Found 2 DC(s). Testing 1 of them.
> >
> > Done gathering initial info.
> >
> > Doing initial required tests
> >
> > Testing server: Default-First-Site-Name\server1
> >
> > Starting test: Connectivity
> >
> > * Active Directory LDAP Services Check
> > Determining IP4 connectivity
> > Determining IP6 connectivity
> > * Active Directory RPC Services Check
> > ......................... server1 passed test Connectivity
> > Doing primary tests
> >
> > Testing server: Default-First-Site-Name\server1
> >
> > Starting test: Advertising
> >
> > The DC server1 is advertising itself as a DC and having a DS.
> > The DC server1 is advertising as an LDAP server
> > The DC server1 is advertising as having a writeable directory
> > The DC server1 is advertising as a Key Distribution Center
> > The DC server1 is advertising as a time server
> > The DS server1 is advertising as a GC.
> > ......................... server1 passed test Advertising
> > Test omitted by user request: CheckSecurityError
> >
> > Test omitted by user request: CutoffServers
> >
> > Starting test: FrsEvent
> >
> > * The File Replication Service Event log test
> > There are warning or error events within the last 24 hours
> > after the
> > SYSVOL has been shared. Failing SYSVOL replication problems
> > may cause
> >
> > Group Policy problems.
> > An Error Event occurred. EventID: 0xC00034F0
> > Time Generated: 07/04/2009 23:13:40
> >
> > Event String:
> >
> > The File Replication Service is unable to add this
> > computer to the following replica set:
> >
> > "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
> >
> > This could be caused by a number of problems such as:
> >
> > -- an invalid root path,
> >
> > -- a missing directory,
> >
> > -- a missing disk volume,
> >
> > -- a file system on the volume that does not support
> > NTFS 5.0
> >
> > The information below may help to resolve the problem:
> >
> > Computer DNS name is "server1.domain.dns"
> >
> > Replica set member name is "server1"
> >
> > Replica set root path is "d:\ad\sysvol\domain"
> >
> > Replica staging directory path is
> > "d:\ad\sysvol\staging\domain"
> >
> > Replica working directory path is "c:\windows\ntfrs\jet"
> >
> > Windows error status code is
> >
> > FRS error status code is FrsErrorMismatchedJournalId
> >
> > Other event log messages may also help determine the
> > problem. Correct the problem and the service will attempt to restart
> > replication automatically at a later time.
> >
> > An Error Event occurred. EventID: 0xC00034F3
> >
> > Time Generated: 07/04/2009 23:13:40
> >
> > Event String:
> >
> > The File Replication Service is in an error state. Files
> > will not replicate to or from one or all of the replica sets on this
> > computer until the following recovery steps are performed:
> >
> > Recovery Steps:
> >
> > [1] The error state may clear itself if you stop and
> > restart the FRS service. This can be done by performing the following
> > in a command window:
> >
> > net stop ntfrs
> >
> > net start ntfrs
> >
> > If this fails to clear up the problem then proceed as
> > follows.
> >
> > [2] For Active Directory Domain Services Domain
> > Controllers that DO NOT host any DFS alternates or other replica sets
> > with replication enabled:
> >
> > If there is at least one other Domain Controller in this
> > domain then restore the "system state" of this DC from backup (using
> > ntbackup or other backup-restore utility) and make it
> > non-authoritative.
> >
> > If there are NO other Domain Controllers in this domain
> > then restore the "system state" of this DC from backup (using ntbackup
> > or other backup-restore utility) and choose the Advanced option which
> > marks the sysvols as primary.
> >
> > If there are other Domain Controllers in this domain but
> > ALL of them have this event log message then restore one of them as
> > primary (data files from primary will replicate everywhere) and the
> > others as non-authoritative.
> >
> > [3] For Active Directory Domain Services Domain
> > Controllers that host DFS alternates or other replica sets with
> > replication enabled:
> >
> > (3-a) If the Dfs alternates on this DC do not have any
> > other replication partners then copy the data under that Dfs share to
> > a safe location.
> >
> > (3-b) If this server is the only Active Directory Domain
> > Services Domain Controller for this domain then, before going to
> > (3-c), make sure this server does not have any inbound or outbound
> > connections to other servers that were formerly Domain Controllers for
> > this domain but are now off the net (and will never be coming back
> > online) or have been fresh installed without being demoted. To delete
> > connections use the Sites and Services snapin and look for
> >
> > Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS
> > Settings->CONNECTIONS.
> >
> > (3-c) Restore the "system state" of this DC from backup
> > (using ntbackup or other backup-restore utility) and make it
> > non-authoritative.
> >
> > (3-d) Copy the data from step (3-a) above to the original
> > location after the sysvol share is published.
> >
> > [4] For other Windows servers:
> >
> > (4-a) If any of the DFS alternates or other replica sets
> > hosted by this server do not have any other replication partners then
> > copy the data under its share or replica tree root to a safe location.
> >
> > (4-b) net stop ntfrs
> >
> > (4-c) rd /s /q c:\windows\ntfrs\jet
> >
> > (4-d) net start ntfrs
> >
> > (4-e) Copy the data from step (4-a) above to the
> > original location after the service has initialized (5 minutes is a
> > safe waiting time).
> >
> > Note: If this error message is in the eventlog of all the
> > members of a particular replica set then perform steps (4-a) and (4-e)
> > above on only one of the members.
> >
> > ......................... server1 failed test FrsEvent
> >
> > Starting test: DFSREvent
> >
> > The DFS Replication Event Log.
> > ......................... server1 passed test DFSREvent
> > Starting test: SysVolCheck
> >
> > * The File Replication Service SYSVOL ready test
> > File Replication Service's SYSVOL is ready
> > ......................... server1 passed test SysVolCheck
> > Starting test: KccEvent
> >
> > * The KCC Event log test
> > Found no KCC errors in "Directory Service" Event log in the
> > last 15
> > minutes.
> > ......................... server1 passed test KccEvent
> > Starting test: KnowsOfRoleHolders
> >
> > Role Schema Owner = CN=NTDS
> > Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> > Role Domain Owner = CN=NTDS
> > Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> > Role PDC Owner = CN=NTDS
> > Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> > Role Rid Owner = CN=NTDS
> > Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> > Role Infrastructure Update Owner = CN=NTDS
> > Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> > ......................... server1 passed test
> > KnowsOfRoleHolders
> > Starting test: MachineAccount
> >
> > Checking machine account for DC server1 on DC server1.
> > * SPN found :LDAP/server1.domain.dns/domain.dns
> > * SPN found :LDAP/server1.domain.dns
> > * SPN found :LDAP/server1
> > * SPN found :LDAP/server1.domain.dns/domain
> > * SPN found
> > :LDAP/10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> > * SPN found
> > :E3514235-4B06-11D1-AB04-00C04FC2DCD2/10054e4e-3786-4858-a745-5a3b299c2326/domain.dns
> > * SPN found :HOST/server1.domain.dns/domain.dns
> > * SPN found :HOST/server1.domain.dns
> > * SPN found :HOST/server1
> > * SPN found :HOST/server1.domain.dns/domain
> > * SPN found :GC/server1.domain.dns/domain.dns
> > ......................... server1 passed test MachineAccount
> > Starting test: NCSecDesc
> >
> > * Security Permissions check for all NC's on DC server1.
> > The forest is not ready for RODC. Will skip checking ERODC
> > ACEs.
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157312 is a reply to message #157303] Mon, 06 July 2009 08:53
Haji
Server2 oddly enough doesn't have a sysvol or netlogon share, which could be
an issue... I noticed that when I initially set up the server, so I manually
created them, but apparently they didn't "stick."

Neither server has a firewall active on them. Both are disabled.

All pings are successful between both servers.

"Meinolf Weber [MVP-DS]" wrote:

> Hello Haji,
>
> Can you open and compare sysvol and netlogon share on both DCs?
>
> Please ping between both DCs with ipaddress, computername and FQDN.
>
> Any firewall running between them?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > dcdiag from server2, which is the new one:
> >
> > Directory Server Diagnosis
> >
> > Performing initial setup:
> >
> > Trying to find home server...
> >
> > * Verifying that the local machine server2, is a Directory Server.
> > Home Server = server2
> > * Connecting to directory service on server server2.
> >
> > * Identified AD Forest.
> > Collecting AD specific global data
> > * Collecting site info.
> > Calling
> > ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
> > The previous call succeeded
> > Iterating through the sites
> > Looking at base site object: CN=NTDS Site
> > Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> > Getting ISTG and options for the site
> > * Identifying all servers.
> > Calling
> > ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
> > The previous call succeeded....
> > The previous call succeeded
> > Iterating through the list of servers
> > Getting information for the server CN=NTDS
> > Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> > objectGuid obtained
> > InvocationID obtained
> > dnsHostname obtained
> > site info obtained
> > All the info for the server collected
> > Getting information for the server CN=NTDS
> > Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> > objectGuid obtained
> > InvocationID obtained
> > dnsHostname obtained
> > site info obtained
> > All the info for the server collected
> > * Identifying all NC cross-refs.
> > * Found 2 DC(s). Testing 1 of them.
> >
> > Done gathering initial info.
> >
> > Doing initial required tests
> >
> > Testing server: Default-First-Site-Name\server2
> >
> > Starting test: Connectivity
> >
> > * Active Directory LDAP Services Check
> > Determining IP4 connectivity
> > Determining IP6 connectivity
> > * Active Directory RPC Services Check
> > ......................... server2 passed test Connectivity
> > Doing primary tests
> >
> > Testing server: Default-First-Site-Name\server2
> >
> > Starting test: Advertising
> >
> > Warning: DsGetDcName returned information for
> >
> > \\server1.domain.dns, when we were trying to reach server2.
> >
> > SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
> >
> > ......................... server2 failed test Advertising
> >
> > Test omitted by user request: CheckSecurityError
> >
> > Test omitted by user request: CutoffServers
> >
> > Starting test: FrsEvent
> >
> > * The File Replication Service Event log test
> > There are warning or error events within the last 24 hours
> > after the
> > SYSVOL has been shared. Failing SYSVOL replication problems
> > may cause
> >
> > Group Policy problems.
> > An Warning Event occurred. EventID: 0x800034C4
> > Time Generated: 07/04/2009 19:53:44
> >
> > Event String:
> >
> > The File Replication Service is having trouble enabling
> > replication from server1.domain.dns to server2 for
> > c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
> > will keep retrying.
> >
> > Following are some of the reasons you would see this
> > warning.
> >
> > [1] FRS can not correctly resolve the DNS name
> > server1.domain.dns from this computer.
> >
> > [2] FRS is not running on server1.domain.dns.
> >
> > [3] The topology information in the Active Directory
> > Domain Services for this replica has not yet replicated to all the
> > Domain Controllers.
> >
> > This event log message will appear once per connection,
> > After the problem is fixed you will see another event log message
> > indicating that the connection has been established.
> >
> > An Warning Event occurred. EventID: 0x800034FE
> >
> > Time Generated: 07/05/2009 17:59:10
> >
> > Event String:
> >
> > File Replication Service is scanning the data in the
> > system volume. Computer server2 cannot become a domain controller
> > until this process is complete. The system volume will then be shared
> > as SYSVOL.
> >
> > To check for the SYSVOL share, at the command prompt,
> > type:
> >
> > net share
> >
> > When File Replication Service completes the scanning
> > process, the SYSVOL share will appear.
> >
> > The initialization of the system volume can take some
> > time. The time is dependent on the amount of data in the system
> > volume.
> >
> > An Warning Event occurred. EventID: 0x800034C4
> >
> > Time Generated: 07/05/2009 18:02:00
> >
> > Event String:
> >
> > The File Replication Service is having trouble enabling
> > replication from server1.domain.dns to server2 for
> > c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
> > will keep retrying.
> >
> > Following are some of the reasons you would see this
> > warning.
> >
> > [1] FRS can not correctly resolve the DNS name
> > server1.domain.dns from this computer.
> >
> > [2] FRS is not running on server1.domain.dns.
> >
> > [3] The topology information in the Active Directory
> > Domain Services for this replica has not yet replicated to all the
> > Domain Controllers.
> >
> > This event log message will appear once per connection,
> > After the problem is fixed you will see another event log message
> > indicating that the connection has been established.
> >
> > An Warning Event occurred. EventID: 0x800034FE
> >
> > Time Generated: 07/05/2009 18:08:29
> >
> > Event String:
> >
> > File Replication Service is scanning the data in the
> > system volume. Computer server2 cannot become a domain controller
> > until this process is complete. The system volume will then be shared
> > as SYSVOL.
> >
> > To check for the SYSVOL share, at the command prompt,
> > type:
> >
> > net share
> >
> > When File Replication Service completes the scanning
> > process, the SYSVOL share will appear.
> >
> > The initialization of the system volume can take some
> > time. The time is dependent on the amount of data in the system
> > volume.
> >
> > An Warning Event occurred. EventID: 0x800034C4
> >
> > Time Generated: 07/05/2009 18:10:22
> >
> > Event String:
> >
> > The File Replication Service is having trouble enabling
> > replication from server1.domain.dns to server2 for
> > c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
> > will keep retrying.
> >
> > Following are some of the reasons you would see this
> > warning.
> >
> > [1] FRS can not correctly resolve the DNS name
> > server1.domain.dns from this computer.
> >
> > [2] FRS is not running on server1.domain.dns.
> >
> > [3] The topology information in the Active Directory
> > Domain Services for this replica has not yet replicated to all the
> > Domain Controllers.
> >
> > This event log message will appear once per connection,
> > After the problem is fixed you will see another event log message
> > indicating that the connection has been established.
> >
> > An Warning Event occurred. EventID: 0x800034C4
> >
> > Time Generated: 07/05/2009 18:18:22
> >
> > Event String:
> >
> > The File Replication Service is having trouble enabling
> > replication from server1 to server2 for c:\windows\sysvol\domain using
> > the DNS name server1.domain.dns. FRS will keep retrying.
> >
> > Following are some of the reasons you would see this
> > warning.
> >
> > [1] FRS can not correctly resolve the DNS name
> > server1.domain.dns from this computer.
> >
> > [2] FRS is not running on server1.domain.dns.
> >
> > [3] The topology information in the Active Directory
> > Domain Services for this replica has not yet replicated to all the
> > Domain Controllers.
> >
> > This event log message will appear once per connection,
> > After the problem is fixed you will see another event log message
> > indicating that the connection has been established.
> >
> > ......................... server2 passed test FrsEvent
> >
> > Starting test: DFSREvent
> >
> > The DFS Replication Event Log.
> > There are warning or error events within the last 24 hours
> > after the
> > SYSVOL has been shared. Failing SYSVOL replication problems
> > may cause
> >
> > Group Policy problems.
> > An Error Event occurred. EventID: 0xC00004B2
> > Time Generated: 07/05/2009 17:59:35
> >
> > Event String:
> >
> > The DFS Replication service failed to contact domain
> > controller to access configuration information. Replication is
> > stopped. The service will try again during the next configuration
> > polling cycle, which will occur in 60 minutes. This event can be
> > caused by TCP/IP connectivity, firewall, Active Directory Domain
> > Services, or DNS issues.
> >
> > Additional Information:
> >
> > Error: 160 (One or more arguments are not correct.)
> >
> > ......................... server2 failed test DFSREvent
> >
> > Starting test: SysVolCheck
> >
> > * The File Replication Service SYSVOL ready test
> > The registry lookup failed to determine the state of the
> > SYSVOL. The
> > error returned was 0x0 "The operation completed
> > successfully.".
> >
> > Check the FRS event log to see if the SYSVOL has successfully
> > been
> >
> > shared.
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157313 is a reply to message #157312] Mon, 06 July 2009 08:58
meiweb(nospam)
Hello Haji,

You cannot create the sysvol and netlogon shares manually; they are created during
dcpromo. Unfortunately server1 has problems, so getting them replicated will also
be a problem.

Do you have a backup from server1 available where it was running correctly?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Server2 oddly enough doesn't have a sysvol or netlogon share, which
> could be an issue... I noticed that when I initially setup the
> server, so I manually created them, but apparently they didn't
> "stick."
>
> Neither server has a firewall active on them. Both are disabled.
>
> All pings are successful between both servers.
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Haji,
>>
>> Can you open and compare sysvol and netlogon share on both DCs?
>>
>> Please ping between both DCs with ipaddress, computername and FQDN.
>>
>> Any firewall running between them?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> dcdiag from server2, which is the new one:
>>>
>>> Directory Server Diagnosis
>>>
>>> Performing initial setup:
>>>
>>> Trying to find home server...
>>>
>>> * Verifying that the local machine server2, is a Directory Server.
>>> Home Server = server2
>>> * Connecting to directory service on server server2.
>>> * Identified AD Forest.
>>> Collecting AD specific global data
>>> * Collecting site info.
>>> Calling
>>> ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domai n,DC=dns
>>> ,L
>>> DAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
>>> The previous call succeeded
>>> Iterating through the sites
>>> Looking at base site object: CN=NTDS Site
>>> Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio n,DC=dom
>>> ai
>>> n,DC=dns
>>> Getting ISTG and options for the site
>>> * Identifying all servers.
>>> Calling
>>> ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domai n,DC=dns
>>> ,L
>>> DAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
>>> The previous call succeeded....
>>> The previous call succeeded
>>> Iterating through the list of servers
>>> Getting information for the server CN=NTDS
>>> Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN =Sites,C
>>> N=
>>> Configuration,DC=domain,DC=dns
>>> objectGuid obtained
>>> InvocationID obtained
>>> dnsHostname obtained
>>> site info obtained
>>> All the info for the server collected
>>> Getting information for the server CN=NTDS
>>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN =Sites,C
>>> N=
>>> Configuration,DC=domain,DC=dns
>>> objectGuid obtained
>>> InvocationID obtained
>>> dnsHostname obtained
>>> site info obtained
>>> All the info for the server collected
>>> * Identifying all NC cross-refs.
>>> * Found 2 DC(s). Testing 1 of them.
>>> Done gathering initial info.
>>>
>>> Doing initial required tests
>>>
>>> Testing server: Default-First-Site-Name\server2
>>>
>>> Starting test: Connectivity
>>>
>>> * Active Directory LDAP Services Check
>>> Determining IP4 connectivity
>>> Determining IP6 connectivity
>>> * Active Directory RPC Services Check
>>> ......................... server2 passed test Connectivity
>>> Doing primary tests
>>> Testing server: Default-First-Site-Name\server2
>>>
>>> Starting test: Advertising
>>>
>>> Warning: DsGetDcName returned information for
>>>
>>> \\server1.domain.dns, when we were trying to reach server2.
>>>
>>> SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
>>>
>>> ......................... server2 failed test Advertising
>>>
>>> Test omitted by user request: CheckSecurityError
>>>
>>> Test omitted by user request: CutoffServers
>>>
>>> Starting test: FrsEvent
>>>
>>> * The File Replication Service Event log test
>>> There are warning or error events within the last 24 hours
>>> after the
>>> SYSVOL has been shared. Failing SYSVOL replication problems
>>> may cause
>>> Group Policy problems.
>>> An Warning Event occurred. EventID: 0x800034C4
>>> Time Generated: 07/04/2009 19:53:44
>>> Event String:
>>>
>>> The File Replication Service is having trouble enabling
>>> replication from server1.domain.dns to server2 for
>>> c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
>>> will keep retrying.
>>> Following are some of the reasons you would see this warning.
>>>
>>> [1] FRS can not correctly resolve the DNS name
>>> server1.domain.dns from this computer.
>>> [2] FRS is not running on server1.domain.dns.
>>>
>>> [3] The topology information in the Active Directory
>>> Domain Services for this replica has not yet replicated to all the
>>> Domain Controllers.
>>> This event log message will appear once per connection,
>>> After the problem is fixed you will see another event log message
>>> indicating that the connection has been established.
>>> An Warning Event occurred. EventID: 0x800034FE
>>>
>>> Time Generated: 07/05/2009 17:59:10
>>>
>>> Event String:
>>>
>>> File Replication Service is scanning the data in the
>>> system volume. Computer server2 cannot become a domain controller
>>> until this process is complete. The system volume will then be
>>> shared
>>> as SYSVOL.
>>> To check for the SYSVOL share, at the command prompt, type:
>>>
>>> net share
>>>
>>> When File Replication Service completes the scanning process, the
>>> SYSVOL share will appear.
>>>
>>> The initialization of the system volume can take some
>>> time. The time is dependent on the amount of data in the system
>>> volume.
>>> An Warning Event occurred. EventID: 0x800034C4
>>>
>>> Time Generated: 07/05/2009 18:02:00
>>>
>>> Event String:
>>>
>>> The File Replication Service is having trouble enabling
>>> replication from server1.domain.dns to server2 for
>>> c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
>>> will keep retrying.
>>> Following are some of the reasons you would see this warning.
>>>
>>> [1] FRS can not correctly resolve the DNS name
>>> server1.domain.dns from this computer.
>>> [2] FRS is not running on server1.domain.dns.
>>>
>>> [3] The topology information in the Active Directory
>>> Domain Services for this replica has not yet replicated to all the
>>> Domain Controllers.
>>> This event log message will appear once per connection,
>>> After the problem is fixed you will see another event log message
>>> indicating that the connection has been established.
>>> An Warning Event occurred. EventID: 0x800034FE
>>>
>>> Time Generated: 07/05/2009 18:08:29
>>>
>>> Event String:
>>>
>>> File Replication Service is scanning the data in the
>>> system volume. Computer server2 cannot become a domain controller
>>> until this process is complete. The system volume will then be
>>> shared
>>> as SYSVOL.
>>> To check for the SYSVOL share, at the command prompt, type:
>>>
>>> net share
>>>
>>> When File Replication Service completes the scanning process, the
>>> SYSVOL share will appear.
>>>
>>> The initialization of the system volume can take some
>>> time. The time is dependent on the amount of data in the system
>>> volume.
>>> An Warning Event occurred. EventID: 0x800034C4
>>>
>>> Time Generated: 07/05/2009 18:10:22
>>>
>>> Event String:
>>>
>>> The File Replication Service is having trouble enabling
>>> replication from server1.domain.dns to server2 for
>>> c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
>>> will keep retrying.
>>> Following are some of the reasons you would see this warning.
>>>
>>> [1] FRS can not correctly resolve the DNS name
>>> server1.domain.dns from this computer.
>>> [2] FRS is not running on server1.domain.dns.
>>>
>>> [3] The topology information in the Active Directory
>>> Domain Services for this replica has not yet replicated to all the
>>> Domain Controllers.
>>> This event log message will appear once per connection,
>>> After the problem is fixed you will see another event log message
>>> indicating that the connection has been established.
>>> An Warning Event occurred. EventID: 0x800034C4
>>>
>>> Time Generated: 07/05/2009 18:18:22
>>>
>>> Event String:
>>>
>>> The File Replication Service is having trouble enabling
>>> replication from server1 to server2 for c:\windows\sysvol\domain
>>> using
>>> the DNS name server1.domain.dns. FRS will keep retrying.
>>> Following are some of the reasons you would see this warning.
>>>
>>> [1] FRS can not correctly resolve the DNS name
>>> server1.domain.dns from this computer.
>>> [2] FRS is not running on server1.domain.dns.
>>>
>>> [3] The topology information in the Active Directory
>>> Domain Services for this replica has not yet replicated to all the
>>> Domain Controllers.
>>> This event log message will appear once per connection,
>>> After the problem is fixed you will see another event log message
>>> indicating that the connection has been established.
>>> ......................... server2 passed test FrsEvent
>>>
>>> Starting test: DFSREvent
>>>
>>> The DFS Replication Event Log.
>>> There are warning or error events within the last 24 hours
>>> after the
>>> SYSVOL has been shared. Failing SYSVOL replication problems
>>> may cause
>>> Group Policy problems.
>>> An Error Event occurred. EventID: 0xC00004B2
>>> Time Generated: 07/05/2009 17:59:35
>>> Event String:
>>>
>>> The DFS Replication service failed to contact domain
>>> controller to access configuration information. Replication is
>>> stopped. The service will try again during the next configuration
>>> polling cycle, which will occur in 60 minutes. This event can be
>>> caused by TCP/IP connectivity, firewall, Active Directory Domain
>>> Services, or DNS issues.
>>> Additional Information:
>>>
>>> Error: 160 (One or more arguments are not correct.)
>>>
>>> ......................... server2 failed test DFSREvent
>>>
>>> Starting test: SysVolCheck
>>>
>>> * The File Replication Service SYSVOL ready test
>>> The registry lookup failed to determine the state of the
>>> SYSVOL. The
>>> error returned was 0x0 "The operation completed
>>> successfully.".
>>> Check the FRS event log to see if the SYSVOL has successfully been
>>>
>>> shared.
>>>
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157314 is a reply to message #157302] Mon, 06 July 2009 09:10
Haji
From Server1:

System Date: Mon Jul 06 08:05:37 2009

Command run:

dnslint /ad /s 192.168.1.9

Root of Active Directory Forest:

domain.dns

Active Directory Forest Replication GUIDs Found:

DC: server1
GUID: 10054e4e-3786-4858-a745-5a3b299c2326

DC: server2
GUID: d963b078-1f27-4154-8436-870d19935efe


Total GUIDs found: 2

--------------------------------------------------------------------------------

The following 2 DNS servers were checked for records related to AD forest
replication:

DNS server: server1.domain.dns
IP Address: 192.168.1.9
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: server1.domain.dns
Hostmaster: hostmaster.domain.dns
Zone serial number: 3
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
server1.domain.dns Unknown
server2.domain.dns Unknown




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
Alias: server1.domain.dns
Glue: 192.168.1.9

CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
Alias: server2.domain.dns
Glue: 192.168.1.51


Total number of CNAME records found on this server: 2

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

DNS server: server2.domain.dns
IP Address: 192.168.1.51
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: server2.domain.dns
Hostmaster: hostmaster.domain.dns
Zone serial number: 3
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
server2.domain.dns Unknown
server1.domain.dns Unknown




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
Alias: server1.domain.dns
Glue: 192.168.1.9

CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
Alias: server2.domain.dns
Glue: 192.168.1.51


Total number of CNAME records found on this server: 2

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0


From Server2:

System Date: Mon Jul 06 07:58:43 2009

Command run:

dnslint /ad /s 192.168.1.51

Root of Active Directory Forest:

domain.dns

Active Directory Forest Replication GUIDs Found:

DC: SERVER1
GUID: 10054e4e-3786-4858-a745-5a3b299c2326

DC: SERVER2
GUID: d963b078-1f27-4154-8436-870d19935efe


Total GUIDs found: 2

--------------------------------------------------------------------------------

The following 2 DNS servers were checked for records related to AD forest
replication:

DNS server: server2.domain.dns
IP Address: 192.168.1.51
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: server2.domain.dns
Hostmaster: hostmaster.domain.dns
Zone serial number: 3
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
server1.domain.dns Unknown
server2.domain.dns Unknown




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
Alias: server1.domain.dns
Glue: 192.168.1.9

CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
Alias: server2.domain.dns
Glue: 192.168.1.51


Total number of CNAME records found on this server: 2

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

DNS server: server1.domain.dns
IP Address: 192.168.1.9
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: server1.domain.dns
Hostmaster: hostmaster.domain.dns
Zone serial number: 3
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
server2.domain.dns Unknown
server1.domain.dns Unknown




Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
Alias: server1.domain.dns
Glue: 192.168.1.9

CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
Alias: server2.domain.dns
Glue: 192.168.1.51


Total number of CNAME records found on this server: 2

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0


"Meinolf Weber [MVP-DS]" wrote:

> Hello Haji,
>
> Please run:
> dnslint /ad /s "ip address of your dc"
>
> Therefore download and install:
> http://support.microsoft.com/kb/321045
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > In Active Directory Sites and Services, both Server1 and Server 2 are
> > listed as IP Bridgeheads, and both are GC's. Both servers have Active
> > Directory integrated DNS running on them.
> >
> > Windows IP Configuration
> >
> > Host Hame . . . . . . . . . . . . : server2
> > Primary Dns Suffix . . . . . . . : domain.dns
> > Node Type . . . . . . . . . . . . : Hybrid
> > IP Routing Enabled. . . . . . . . : No
> > WINS Proxy Enabled. . . . . . . . : No
> > DNS Suffix Search List. . . . . . : domain.dns
> > Ethernet adapter Local Area Connection:
> >
> > Connection-specific DNS Suffix . : domain.dns
> > Description . . . . . . . . . . . : TEAM : Team #0
> > Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
> > DHCP Enabled. . . . . . . . . . . : No
> > Autoconfiguration Enabled . . . . : Yes
> > IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > Default Gateway . . . . . . . . . : 192.168.1.1
> > DNS Servers . . . . . . . . . . . : 192.168.1.51
> > 192.168.1.9
> > Primary WINS Server . . . . . . . : 192.168.1.9
> > Secondary WINS Server . . . . . . : 192.168.1.51
> > NetBIOS over Tcpip. . . . . . . . : Enabled
> > nltest /server:server2 /dsgetdc:domain.dns
> >
> > DC: \\server1.domain.dns
> > Address: \\192.168.1.9
> > Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> > Dom Name: domain.dns
> > Forest Name: domain.dns
> > Dc Site Name: Default-First-Site-Name
> > Our Site Name: Default-First-Site-Name
> > Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
> > CLOSE_SITE FULL SECRET
> > Windows IP Configuration
> >
> > Host Hame . . . . . . . . . . . . : server1
> > Primary Dns Suffix . . . . . . . : domain.dns
> > Node Type . . . . . . . . . . . . : Hybrid
> > IP Routing Enabled. . . . . . . . : No
> > WINS Proxy Enabled. . . . . . . . : No
> > DNS Suffix Search List. . . . . . : domain.dns
> > Ethernet adapter Local Area Connection:
> >
> > Connection-specific DNS Suffix . : domain.dns
> > Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
> > Connection
> > Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
> > DHCP Enabled. . . . . . . . . . . : No
> > Autoconfiguration Enabled . . . . : Yes
> > IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > Default Gateway . . . . . . . . . : 192.168.1.1
> > DNS Servers . . . . . . . . . . . : 192.168.1.9
> > 192.168.1.51
> > Primary WINS Server . . . . . . . : 192.168.1.51
> > Secondary WINS Server . . . . . . : 192.168.1.9
> > NetBIOS over Tcpip. . . . . . . . : Enabled
> > nltest /server:server1 /dsgetdc:domain.dns
> >
> > DC: \\server1.domain.dns
> > Address: \\192.168.1.9
> > Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> > Dom Name: domain.dns
> > Forest Name: domain.dns
> > Dc Site Name: Default-First-Site-Name
> > Our Site Name: Default-First-Site-Name
> > Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
> > CLOSE_SITE FULL SECRET
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> Sounds to me like you haven't made the new box a GC or not a DNS
> >> server.
> >>
> >> Start by posting both boxes ip configuration details. From a command
> >> prompt on both dc's run the following:
> >>
> >> ipconfig /all
> >>
> >> Next from each DC at a command prompt run the following and post:
> >> nltest /server:<servername> /dsgetdc:<domainname>
> >>
> >> Note: Feel free to modify the output, so as not to disclose any
> >> valuable information. Such as changing the first couple of
> >> octets on your ip addresses, but please be consistent (192.168. is a
> >> good replacement value).
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
> >> "Haji" <Haji@discussions.microsoft.com> wrote in message
> >> news:35A43720-2CE5-4AAE-AB54-CE7FEFB7FCC6@microsoft.com...
> >>
> >>> I've got a Windows 2008 box that was my only DC in my test network
> >>> that is
> >>> on
> >>> some rather aged hardware. I've built a new box to replace the old
> >>> DC
> >>> with,
> >>> installed Server 2008 on it, added it to the domain, ran dcpromo,
> >>> kicked
> >>> it
> >>> up to a GC, and transferred the FSMO roles over to it. However, when
> >>> I run
> >>> dcpromo on the old box that I'm wanting to retire, I get the
> >>> following
> >>> message:
> >>> "You did not indicate that this Active Directory domain controller
> >>> is the last domain controller for the domain test.dns. However, no
> >>> other Active Directory domain controllers for that domain can be
> >>> contacted."
> >>>
> >>> I've also noticed that when the old box is powered down, none of my
> >>> test
> >>> workstations can map a drive to the new server, due to an
> >>> authentication
> >>> failure. The ID that the server is logged into is an enterprise
> >>> admin ID,
> >>> and this is a single domain setup (no child domains in the forest).
> >>> Both
> >>> the forest and the domain are at 2008 functional level. Each
> >>> server has
> >>> DNS
> >>> installed and is AD Integrated. Each server points to the other for
> >>> DNS
> >>> primary, and itself for secondary.
> >>> I'm sure there is more information that is needed that I haven't
> >>> provided, just let me know what you need and I'll post it, but if
> >>> anyone can help me out, I'd really like to learn what this issue is
> >>> and how to fix it.
> >>>
>
>
>
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157359 is a reply to message #157311] Tue, 07 July 2009 03:28
meiweb(nospam), Germany
Hello Haji,

The RID pool is just noticeable. You can not correct that.

I assume you have event id 13555 and 13552 on server1 in the event log.
http://support.microsoft.com/kb/925633

Also have a look at this one:
http://support.microsoft.com/kb/290762/

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> When I built server1, I specified those locations. They were never
> moved.
>
> Server1 has never been restored from backup.
>
> As for the RID pool, how do I correct that?
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Haji,
>>
>> Did you change the default locations to "d:\ad\sysvol\domain" and
>> "d:\ad\sysvol\staging\domain" on server1?
>>
>> Was server1 ever restored from backup/image/snapshot(VM) without
>> cleaning the AD database before?
>>
>> I am also a bit surprised about the difference of the RID pool
>> between both DCs, there is a really big difference which shouldn't be
>> the case. Normally they stick together.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> dcdiag from Server1, which is the old one:
>>>
>>> Directory Server Diagnosis
>>>
>>> Performing initial setup:
>>>
>>> Trying to find home server...
>>>
>>> * Verifying that the local machine server1, is a Directory Server.
>>> Home Server = server1
>>> * Connecting to directory service on server server1.
>>> * Identified AD Forest.
>>> Collecting AD specific global data
>>> * Collecting site info.
>>> Calling
>>> ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domai n,DC=dns
>>> ,L
>>> DAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
>>> The previous call succeeded
>>> Iterating through the sites
>>> Looking at base site object: CN=NTDS Site
>>> Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio n,DC=dom
>>> ai
>>> n,DC=dns
>>> Getting ISTG and options for the site
>>> * Identifying all servers.
>>> Calling
>>> ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domai n,DC=dns
>>> ,L
>>> DAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
>>> The previous call succeeded....
>>> The previous call succeeded
>>> Iterating through the list of servers
>>> Getting information for the server CN=NTDS
>>> Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN =Sites,C
>>> N=
>>> Configuration,DC=domain,DC=dns
>>> objectGuid obtained
>>> InvocationID obtained
>>> dnsHostname obtained
>>> site info obtained
>>> All the info for the server collected
>>> Getting information for the server CN=NTDS
>>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN =Sites,C
>>> N=
>>> Configuration,DC=domain,DC=dns
>>> objectGuid obtained
>>> InvocationID obtained
>>> dnsHostname obtained
>>> site info obtained
>>> All the info for the server collected
>>> * Identifying all NC cross-refs.
>>> * Found 2 DC(s). Testing 1 of them.
>>> Done gathering initial info.
>>>
>>> Doing initial required tests
>>>
>>> Testing server: Default-First-Site-Name\server1
>>>
>>> Starting test: Connectivity
>>>
>>> * Active Directory LDAP Services Check
>>> Determining IP4 connectivity
>>> Determining IP6 connectivity
>>> * Active Directory RPC Services Check
>>> ......................... server1 passed test Connectivity
>>> Doing primary tests
>>> Testing server: Default-First-Site-Name\server1
>>>
>>> Starting test: Advertising
>>>
>>> The DC server1 is advertising itself as a DC and having a DS.
>>> The DC server1 is advertising as an LDAP server
>>> The DC server1 is advertising as having a writeable directory
>>> The DC server1 is advertising as a Key Distribution Center
>>> The DC server1 is advertising as a time server
>>> The DS server1 is advertising as a GC.
>>> ......................... server1 passed test Advertising
>>> Test omitted by user request: CheckSecurityError
>>> Test omitted by user request: CutoffServers
>>>
>>> Starting test: FrsEvent
>>>
>>> * The File Replication Service Event log test
>>> There are warning or error events within the last 24 hours
>>> after the
>>> SYSVOL has been shared. Failing SYSVOL replication problems
>>> may cause
>>> Group Policy problems.
>>> An Error Event occurred. EventID: 0xC00034F0
>>> Time Generated: 07/04/2009 23:13:40
>>> Event String:
>>>
>>> The File Replication Service is unable to add this computer to the
>>> following replica set:
>>>
>>> "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
>>>
>>> This could be caused by a number of problems such as:
>>>
>>> -- an invalid root path,
>>>
>>> -- a missing directory,
>>>
>>> -- a missing disk volume,
>>>
>>> -- a file system on the volume that does not support NTFS 5.0
>>>
>>> The information below may help to resolve the problem:
>>>
>>> Computer DNS name is "server1.domain.dns"
>>>
>>> Replica set member name is "server1"
>>>
>>> Replica set root path is "d:\ad\sysvol\domain"
>>>
>>> Replica staging directory path is
>>> "d:\ad\sysvol\staging\domain"
>>> Replica working directory path is "c:\windows\ntfrs\jet"
>>>
>>> Windows error status code is
>>>
>>> FRS error status code is FrsErrorMismatchedJournalId
>>>
>>> Other event log messages may also help determine the
>>> problem. Correct the problem and the service will attempt to
>>> restart
>>> replication automatically at a later time.
>>> An Error Event occurred. EventID: 0xC00034F3
>>>
>>> Time Generated: 07/04/2009 23:13:40
>>>
>>> Event String:
>>>
>>> The File Replication Service is in an error state. Files
>>> will not replicate to or from one or all of the replica sets on this
>>> computer until the following recovery steps are performed:
>>> Recovery Steps:
>>>
>>> [1] The error state may clear itself if you stop and
>>> restart the FRS service. This can be done by performing the
>>> following
>>> in a command window:
>>> net stop ntfrs
>>>
>>> net start ntfrs
>>>
>>> If this fails to clear up the problem then proceed as follows.
>>>
>>> [2] For Active Directory Domain Services Domain
>>> Controllers that DO NOT host any DFS alternates or other replica
>>> sets
>>> with replication enabled:
>>> If there is at least one other Domain Controller in this
>>> domain then restore the "system state" of this DC from backup (using
>>> ntbackup or other backup-restore utility) and make it
>>> non-authoritative.
>>> If there are NO other Domain Controllers in this domain
>>> then restore the "system state" of this DC from backup (using
>>> ntbackup
>>> or other backup-restore utility) and choose the Advanced option
>>> which
>>> marks the sysvols as primary.
>>> If there are other Domain Controllers in this domain but
>>> ALL of them have this event log message then restore one of them as
>>> primary (data files from primary will replicate everywhere) and the
>>> others as non-authoritative.
>>> [3] For Active Directory Domain Services Domain
>>> Controllers that host DFS alternates or other replica sets with
>>> replication enabled:
>>> (3-a) If the Dfs alternates on this DC do not have any
>>> other replication partners then copy the data under that Dfs share
>>> to
>>> a safe location.
>>> (3-b) If this server is the only Active Directory Domain
>>> Services Domain Controller for this domain then, before going to
>>> (3-c), make sure this server does not have any inbound or outbound
>>> connections to other servers that were formerly Domain Controllers
>>> for
>>> this domain but are now off the net (and will never be coming back
>>> online) or have been fresh installed without being demoted. To
>>> delete
>>> connections use the Sites and Services snapin and look for
>>> Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS
>>> Settings->CONNECTIONS.
>>>
>>> (3-c) Restore the "system state" of this DC from backup (using
>>> ntbackup or other backup-restore utility) and make it
>>> non-authoritative.
>>>
>>> (3-d) Copy the data from step (3-a) above to the original location
>>> after the sysvol share is published.
>>>
>>> [4] For other Windows servers:
>>>
>>> (4-a) If any of the DFS alternates or other replica sets
>>> hosted by this server do not have any other replication partners
>>> then
>>> copy the data under its share or replica tree root to a safe
>>> location.
>>> (4-b) net stop ntfrs
>>>
>>> (4-c) rd /s /q c:\windows\ntfrs\jet
>>>
>>> (4-d) net start ntfrs
>>>
>>> (4-e) Copy the data from step (4-a) above to the
>>> original location after the service has initialized (5 minutes is a
>>> safe waiting time).
>>> Note: If this error message is in the eventlog of all the
>>> members of a particular replica set then perform steps (4-a) and
>>> (4-e)
>>> above on only one of the members.
>>> ......................... server1 failed test FrsEvent
>>>
>>> Starting test: DFSREvent
>>>
>>> The DFS Replication Event Log. ......................... server1
>>> passed test DFSREvent Starting test: SysVolCheck
>>>
>>> * The File Replication Service SYSVOL ready test
>>> File Replication Service's SYSVOL is ready
>>> ......................... server1 passed test SysVolCheck
>>> Starting test: KccEvent
>>> * The KCC Event log test
>>> Found no KCC errors in "Directory Service" Event log in the
>>> last 15
>>> minutes.
>>> ......................... server1 passed test KccEvent
>>> Starting test: KnowsOfRoleHolders
>>> Role Schema Owner = CN=NTDS
>>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN =Sites,C
>>> N=
>>> Configuration,DC=domain,DC=dns
>>> Role Domain Owner = CN=NTDS
>>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN =Sites,C
>>> N=
>>> Configuration,DC=domain,DC=dns
>>> Role PDC Owner = CN=NTDS
>>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN =Sites,C
>>> N=
>>> Configuration,DC=domain,DC=dns
>>> Role Rid Owner = CN=NTDS
>>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN =Sites,C
>>> N=
>>> Configuration,DC=domain,DC=dns
>>> Role Infrastructure Update Owner = CN=NTDS
>>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN =Sites,C
>>> N=
>>> Configuration,DC=domain,DC=dns
>>> ......................... server1 passed test
>>> KnowsOfRoleHolders
>>> Starting test: MachineAccount
>>> Checking machine account for DC server1 on DC server1.
>>> * SPN found :LDAP/server1.domain.dns/domain.dns
>>> * SPN found :LDAP/server1.domain.dns
>>> * SPN found :LDAP/server1
>>> * SPN found :LDAP/server1.domain.dns/domain
>>> * SPN found :LDAP/10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
>>> * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/10054e4e-3786-4858-a745-5a3b299c2326/domain.dns
>>> * SPN found :HOST/server1.domain.dns/domain.dns
>>> * SPN found :HOST/server1.domain.dns
>>> * SPN found :HOST/server1
>>> * SPN found :HOST/server1.domain.dns/domain
>>> * SPN found :GC/server1.domain.dns/domain.dns
>>> ......................... server1 passed test MachineAccount
>>> Starting test: NCSecDesc
>>> * Security Permissions check for all NC's on DC server1. The forest
>>> is not ready for RODC. Will skip checking ERODC ACEs.
>>>
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157360 is a reply to message #157314] Tue, 07 July 2009 03:35
meiweb(nospam) (Germany)
Hello Haji,

Did you change the IP address to UNKNOWN in these lines:

Additional authoritative (NS) records from server:
server1.domain.dns Unknown
server2.domain.dns Unknown

Your domain name is ending with .dns, or is this just a placeholder?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> From Server1:
>
> System Date: Mon Jul 06 08:05:37 2009
>
> Command run:
>
> dnslint /ad /s 192.168.1.9
>
> Root of Active Directory Forest:
>
> domain.dns
>
> Active Directory Forest Replication GUIDs Found:
>
> DC: server1
> GUID: 10054e4e-3786-4858-a745-5a3b299c2326
> DC: server2
> GUID: d963b078-1f27-4154-8436-870d19935efe
> Total GUIDs found: 2
>
> --------------------------------------------------------------------------------
>
> The following 2 DNS servers were checked for records related to AD
> forest replication:
>
> DNS server: server1.domain.dns
> IP Address: 192.168.1.9
> UDP port 53 responding to queries: YES
> TCP port 53 responding to queries: Not tested
> Answering authoritatively for domain: YES
> SOA record data from server:
> Authoritative name server: server1.domain.dns
> Hostmaster: hostmaster.domain.dns
> Zone serial number: 3
> Zone expires in: 1.00 day(s)
> Refresh period: 900 seconds
> Retry delay: 600 seconds
> Default (minimum) TTL: 3600 seconds
> Additional authoritative (NS) records from server:
> server1.domain.dns Unknown
> server2.domain.dns Unknown
> Alias (CNAME) and glue (A) records for forest GUIDs from server:
> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> Alias: server1.domain.dns
> Glue: 192.168.1.9
> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> Alias: server2.domain.dns
> Glue: 192.168.1.51
> Total number of CNAME records found on this server: 2
>
> Total number of CNAME records missing on this server: 0
>
> Total number of glue (A) records this server could not find: 0
>
> --------------------------------------------------------------------------------
>
> DNS server: server2.domain.dns
> IP Address: 192.168.1.51
> UDP port 53 responding to queries: YES
> TCP port 53 responding to queries: Not tested
> Answering authoritatively for domain: YES
> SOA record data from server:
> Authoritative name server: server2.domain.dns
> Hostmaster: hostmaster.domain.dns
> Zone serial number: 3
> Zone expires in: 1.00 day(s)
> Refresh period: 900 seconds
> Retry delay: 600 seconds
> Default (minimum) TTL: 3600 seconds
> Additional authoritative (NS) records from server:
> server2.domain.dns Unknown
> server1.domain.dns Unknown
> Alias (CNAME) and glue (A) records for forest GUIDs from server:
> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> Alias: server1.domain.dns
> Glue: 192.168.1.9
> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> Alias: server2.domain.dns
> Glue: 192.168.1.51
> Total number of CNAME records found on this server: 2
>
> Total number of CNAME records missing on this server: 0
>
> Total number of glue (A) records this server could not find: 0
>
> From Server2:
>
> System Date: Mon Jul 06 07:58:43 2009
>
> Command run:
>
> dnslint /ad /s 192.168.1.51
>
> Root of Active Directory Forest:
>
> domain.dns
>
> Active Directory Forest Replication GUIDs Found:
>
> DC: SERVER1
> GUID: 10054e4e-3786-4858-a745-5a3b299c2326
> DC: SERVER2
> GUID: d963b078-1f27-4154-8436-870d19935efe
> Total GUIDs found: 2
>
> --------------------------------------------------------------------------------
>
> The following 2 DNS servers were checked for records related to AD
> forest replication:
>
> DNS server: server2.domain.dns
> IP Address: 192.168.1.51
> UDP port 53 responding to queries: YES
> TCP port 53 responding to queries: Not tested
> Answering authoritatively for domain: YES
> SOA record data from server:
> Authoritative name server: server2.domain.dns
> Hostmaster: hostmaster.domain.dns
> Zone serial number: 3
> Zone expires in: 1.00 day(s)
> Refresh period: 900 seconds
> Retry delay: 600 seconds
> Default (minimum) TTL: 3600 seconds
> Additional authoritative (NS) records from server:
> server1.domain.dns Unknown
> server2.domain.dns Unknown
> Alias (CNAME) and glue (A) records for forest GUIDs from server:
> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> Alias: server1.domain.dns
> Glue: 192.168.1.9
> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> Alias: server2.domain.dns
> Glue: 192.168.1.51
> Total number of CNAME records found on this server: 2
>
> Total number of CNAME records missing on this server: 0
>
> Total number of glue (A) records this server could not find: 0
>
> --------------------------------------------------------------------------------
>
> DNS server: server1.domain.dns
> IP Address: 192.168.1.9
> UDP port 53 responding to queries: YES
> TCP port 53 responding to queries: Not tested
> Answering authoritatively for domain: YES
> SOA record data from server:
> Authoritative name server: server1.domain.dns
> Hostmaster: hostmaster.domain.dns
> Zone serial number: 3
> Zone expires in: 1.00 day(s)
> Refresh period: 900 seconds
> Retry delay: 600 seconds
> Default (minimum) TTL: 3600 seconds
> Additional authoritative (NS) records from server:
> server2.domain.dns Unknown
> server1.domain.dns Unknown
> Alias (CNAME) and glue (A) records for forest GUIDs from server:
> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> Alias: server1.domain.dns
> Glue: 192.168.1.9
> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> Alias: server2.domain.dns
> Glue: 192.168.1.51
> Total number of CNAME records found on this server: 2
>
> Total number of CNAME records missing on this server: 0
>
> Total number of glue (A) records this server could not find: 0
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Haji,
>>
>> Please run:
>> dnslint /ad /s "ip address of your dc"
>> Therefore download and install:
>> http://support.microsoft.com/kb/321045
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> In Active Directory Sites and Services, both Server1 and Server 2
>>> are listed as IP Bridgeheads, and both are GC's. Both servers have
>>> Active Directory integrated DNS running on them.
>>>
>>> Windows IP Configuration
>>>
>>> Host Hame . . . . . . . . . . . . : server2
>>> Primary Dns Suffix . . . . . . . : domain.dns
>>> Node Type . . . . . . . . . . . . : Hybrid
>>> IP Routing Enabled. . . . . . . . : No
>>> WINS Proxy Enabled. . . . . . . . : No
>>> DNS Suffix Search List. . . . . . : domain.dns
>>> Ethernet adapter Local Area Connection:
>>> Connection-specific DNS Suffix . : domain.dns
>>> Description . . . . . . . . . . . : TEAM : Team #0
>>> Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
>>> DHCP Enabled. . . . . . . . . . . : No
>>> Autoconfiguration Enabled . . . . : Yes
>>> IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>> Default Gateway . . . . . . . . . : 192.168.1.1
>>> DNS Servers . . . . . . . . . . . : 192.168.1.51
>>> 192.168.1.9
>>> Primary WINS Server . . . . . . . : 192.168.1.9
>>> Secondary WINS Server . . . . . . : 192.168.1.51
>>> NetBIOS over Tcpip. . . . . . . . : Enabled
>>> nltest /server:server2 /dsgetdc:domain.dns
>>> DC: \\server1.domain.dns
>>> Address: \\192.168.1.9
>>> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
>>> Dom Name: domain.dns
>>> Forest Name: domain.dns
>>> Dc Site Name: Default-First-Site-Name
>>> Our Site Name: Default-First-Site-Name
>>> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL SECRET
>>> Windows IP Configuration
>>> Host Hame . . . . . . . . . . . . : server1
>>> Primary Dns Suffix . . . . . . . : domain.dns
>>> Node Type . . . . . . . . . . . . : Hybrid
>>> IP Routing Enabled. . . . . . . . : No
>>> WINS Proxy Enabled. . . . . . . . : No
>>> DNS Suffix Search List. . . . . . : domain.dns
>>> Ethernet adapter Local Area Connection:
>>> Connection-specific DNS Suffix . : domain.dns
>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
>>> Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
>>> DHCP Enabled. . . . . . . . . . . : No
>>> Autoconfiguration Enabled . . . . : Yes
>>> IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>> Default Gateway . . . . . . . . . : 192.168.1.1
>>> DNS Servers . . . . . . . . . . . : 192.168.1.9
>>> 192.168.1.51
>>> Primary WINS Server . . . . . . . : 192.168.1.51
>>> Secondary WINS Server . . . . . . : 192.168.1.9
>>> NetBIOS over Tcpip. . . . . . . . : Enabled
>>> nltest /server:server1 /dsgetdc:domain.dns
>>> DC: \\server1.domain.dns
>>> Address: \\192.168.1.9
>>> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
>>> Dom Name: domain.dns
>>> Forest Name: domain.dns
>>> Dc Site Name: Default-First-Site-Name
>>> Our Site Name: Default-First-Site-Name
>>> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL SECRET
>>> "Paul Bergson [MVP-DS]" wrote:
>>>> Sounds to me like you haven't made the new box a GC or not a DNS
>>>> server.
>>>>
>>>> Start by posting both boxes ip configuration details. From a
>>>> command prompt on both dc's run the following:
>>>>
>>>> ipconfig /all
>>>>
>>>> Next from each DC at a command prompt run the following and post:
>>>> nltest /server:<servername> /dsgetdc:<domainname>
>>>>
>>>> Note: Feel free to modify the output, so as not to disclose any
>>>> valuable information. Such as changing the first couple of
>>>> octets on your ip addresses, but please be consistent (192.168. is
>>>> a good replacement value).
>>>>
>>>> --
>>>> Paul Bergson
>>>> MVP - Directory Services
>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>> http://www.pbbergs.com
>>>> Please no e-mails, any questions should be posted in the NewsGroup
>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>> rights.
>>>>
>>>> "Haji" <Haji@discussions.microsoft.com> wrote in message
>>>> news:35A43720-2CE5-4AAE-AB54-CE7FEFB7FCC6@microsoft.com...
>>>>
>>>>> I've got a Windows 2008 box that was my only DC in my test network
>>>>> that is on some rather aged hardware. I've built a new box to replace
>>>>> the old DC with, installed Server 2008 on it, added it to the domain,
>>>>> ran dcpromo, kicked it up to a GC, and transferred the FSMO roles over
>>>>> to it. However, when I run dcpromo on the old box that I'm wanting to
>>>>> retire, I get the following message:
>>>>>
>>>>> "You did not indicate that this Active Directory domain controller
>>>>> is the last domain controller for the domain test.dns. However, no
>>>>> other Active Directory domain controllers for that domain can be
>>>>> contacted."
>>>>>
>>>>> I've also noticed that when the old box is powered down, none of my
>>>>> test workstations can map a drive to the new server, due to an
>>>>> authentication failure. The ID that the server is logged into is an
>>>>> enterprise admin ID, and this is a single domain setup (no child
>>>>> domains in the forest). Both the forest and the domain are at 2008
>>>>> functional level. Each server has DNS installed and is AD Integrated.
>>>>> Each server points to the other for DNS primary, and itself for
>>>>> secondary.
>>>>>
>>>>> I'm sure there is more information that is needed that I haven't
>>>>> provided, just let me know what you need and I'll post it, but if
>>>>> anyone can help me out, I'd really like to learn what this issue
>>>>> is and how to fix it.
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157386 is a reply to message #157293] Tue, 07 July 2009 08:12
pbbergs (United States)
Been on vacation... sorry

Guys thanks for picking this up

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Haji" <Haji@discussions.microsoft.com> wrote in message
news:50197C4B-1DCC-4AB1-B8B7-DB06D2B5F6A7@microsoft.com...
> In Active Directory Sites and Services, both Server1 and Server 2 are
> listed as IP Bridgeheads, and both are GC's. Both servers have Active
> Directory integrated DNS running on them.
>
> Windows IP Configuration
>
> Host Hame . . . . . . . . . . . . : server2
> Primary Dns Suffix . . . . . . . : domain.dns
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.dns
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : domain.dns
> Description . . . . . . . . . . . : TEAM : Team #0
> Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.51
> 192.168.1.9
> Primary WINS Server . . . . . . . : 192.168.1.9
> Secondary WINS Server . . . . . . : 192.168.1.51
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
> nltest /server:server2 /dsgetdc:domain.dns
>
> DC: \\server1.domain.dns
> Address: \\192.168.1.9
> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> Dom Name: domain.dns
> Forest Name: domain.dns
> Dc Site Name: Default-First-Site-Name
> Our Site Name: Default-First-Site-Name
> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL SECRET
>
>
>
> Windows IP Configuration
>
> Host Hame . . . . . . . . . . . . : server1
> Primary Dns Suffix . . . . . . . : domain.dns
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.dns
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : domain.dns
> Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
> Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.9
> 192.168.1.51
> Primary WINS Server . . . . . . . : 192.168.1.51
> Secondary WINS Server . . . . . . : 192.168.1.9
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
> nltest /server:server1 /dsgetdc:domain.dns
>
> DC: \\server1.domain.dns
> Address: \\192.168.1.9
> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> Dom Name: domain.dns
> Forest Name: domain.dns
> Dc Site Name: Default-First-Site-Name
> Our Site Name: Default-First-Site-Name
> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL SECRET
>
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> Sounds to me like you haven't made the new box a GC or not a DNS server.
>>
>> Start by posting both boxes ip configuration details. From a command
>> prompt on both dc's run the following:
>>
>> ipconfig /all
>>
>> Next from each DC at a command prompt run the following and post:
>> nltest /server:<servername> /dsgetdc:<domainname>
>>
>> Note: Feel free to modify the output, so as not to disclose any valuable
>> information. Such as changing the first couple of octets on your ip
>> addresses, but please be consistent (192.168. is a good replacement
>> value).
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Haji" <Haji@discussions.microsoft.com> wrote in message
>> news:35A43720-2CE5-4AAE-AB54-CE7FEFB7FCC6@microsoft.com...
>> > I've got a Windows 2008 box that was my only DC in my test network that
>> > is on some rather aged hardware. I've built a new box to replace the old
>> > DC with, installed Server 2008 on it, added it to the domain, ran dcpromo,
>> > kicked it up to a GC, and transferred the FSMO roles over to it. However,
>> > when I run dcpromo on the old box that I'm wanting to retire, I get the
>> > following message:
>> >
>> > "You did not indicate that this Active Directory domain controller is
>> > the last domain controller for the domain test.dns. However, no other
>> > Active Directory domain controllers for that domain can be contacted."
>> >
>> > I've also noticed that when the old box is powered down, none of my
>> > test workstations can map a drive to the new server, due to an
>> > authentication failure. The ID that the server is logged into is an
>> > enterprise admin ID, and this is a single domain setup (no child domains
>> > in the forest). Both the forest and the domain are at 2008 functional
>> > level. Each server has DNS installed and is AD Integrated. Each server
>> > points to the other for DNS primary, and itself for secondary.
>> >
>> > I'm sure there is more information that is needed that I haven't
>> > provided, just let me know what you need and I'll post it, but if anyone
>> > can help me out, I'd really like to learn what this issue is and how to
>> > fix it.
>>
>>
>>
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157428 is a reply to message #157386] Tue, 07 July 2009 11:25
aceman (United States)
"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message news:%23ea3oHx$JHA.5092@TK2MSFTNGP03.phx.gbl...
> Been on vacation... sorry
>
> Guys thanks for picking this up


Hey, no problem, Paul! We are all here to help each other!

And I hope you enjoyed your vacation.


Ace
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157542 is a reply to message #157359] Wed, 08 July 2009 20:58
Haji
Yes, I do have those event ID's. I'll run through both KB's you linked to
and report back.

"Meinolf Weber [MVP-DS]" wrote:

> Hello Haji,
>
> The RID pool is just noticeable. You can not correct that.
>
> I assume you have event id 13555 and 13552 on server1 in the event log.
> http://support.microsoft.com/kb/925633
>
> Also have a look on this one:
> http://support.microsoft.com/kb/290762/
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > When I built server1, I specified those locations. They were never
> > moved.
> >
> > Server1 has never been restored from backup.
> >
> > As for the RID pool, how do I correct that?
> >
> > "Meinolf Weber [MVP-DS]" wrote:
> >
> >> Hello Haji,
> >>
> >> Did you change the default locations to "d:\ad\sysvol\domain" and
> >> "d:\ad\sysvol\staging\domain" on server1?
> >>
> >> Was server1 ever restored from backup/image/snapshot(VM) without
> >> cleaning the AD database before?
> >>
> >> I am also a bit surprised about the difference of the RID pool
> >> between both DCs, there is a really big difference which shouldn't be
> >> the case. Normally they stick together.
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> dcdiag from Server1, which is the old one:
> >>>
> >>> Directory Server Diagnosis
> >>>
> >>> Performing initial setup:
> >>>
> >>> Trying to find home server...
> >>>
> >>> * Verifying that the local machine server1, is a Directory Server.
> >>> Home Server = server1
> >>> * Connecting to directory service on server server1.
> >>> * Identified AD Forest.
> >>> Collecting AD specific global data
> >>> * Collecting site info.
> >>> Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
> >>> The previous call succeeded
> >>> Iterating through the sites
> >>> Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> Getting ISTG and options for the site
> >>> * Identifying all servers.
> >>> Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
> >>> The previous call succeeded....
> >>> The previous call succeeded
> >>> Iterating through the list of servers
> >>> Getting information for the server CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> objectGuid obtained
> >>> InvocationID obtained
> >>> dnsHostname obtained
> >>> site info obtained
> >>> All the info for the server collected
> >>> Getting information for the server CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> objectGuid obtained
> >>> InvocationID obtained
> >>> dnsHostname obtained
> >>> site info obtained
> >>> All the info for the server collected
> >>> * Identifying all NC cross-refs.
> >>> * Found 2 DC(s). Testing 1 of them.
> >>> Done gathering initial info.
> >>>
> >>> Doing initial required tests
> >>>
> >>> Testing server: Default-First-Site-Name\server1
> >>>
> >>> Starting test: Connectivity
> >>>
> >>> * Active Directory LDAP Services Check
> >>> Determining IP4 connectivity
> >>> Determining IP6 connectivity
> >>> * Active Directory RPC Services Check
> >>> ......................... server1 passed test Connectivity
> >>> Doing primary tests
> >>> Testing server: Default-First-Site-Name\server1
> >>>
> >>> Starting test: Advertising
> >>>
> >>> The DC server1 is advertising itself as a DC and having a DS.
> >>> The DC server1 is advertising as an LDAP server
> >>> The DC server1 is advertising as having a writeable directory
> >>> The DC server1 is advertising as a Key Distribution Center
> >>> The DC server1 is advertising as a time server
> >>> The DS server1 is advertising as a GC.
> >>> ......................... server1 passed test Advertising
> >>> Test omitted by user request: CheckSecurityError
> >>> Test omitted by user request: CutoffServers
> >>>
> >>> Starting test: FrsEvent
> >>>
> >>> * The File Replication Service Event log test
> >>> There are warning or error events within the last 24 hours after the
> >>> SYSVOL has been shared. Failing SYSVOL replication problems may cause
> >>> Group Policy problems.
> >>> An Error Event occurred. EventID: 0xC00034F0
> >>> Time Generated: 07/04/2009 23:13:40
> >>> Event String:
> >>>
> >>> The File Replication Service is unable to add this computer to the
> >>> following replica set:
> >>>
> >>> "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
> >>>
> >>> This could be caused by a number of problems such as:
> >>>
> >>> -- an invalid root path,
> >>>
> >>> -- a missing directory,
> >>>
> >>> -- a missing disk volume,
> >>>
> >>> -- a file system on the volume that does not support NTFS 5.0
> >>>
> >>> The information below may help to resolve the problem:
> >>>
> >>> Computer DNS name is "server1.domain.dns"
> >>>
> >>> Replica set member name is "server1"
> >>>
> >>> Replica set root path is "d:\ad\sysvol\domain"
> >>>
> >>> Replica staging directory path is "d:\ad\sysvol\staging\domain"
> >>> Replica working directory path is "c:\windows\ntfrs\jet"
> >>>
> >>> Windows error status code is
> >>>
> >>> FRS error status code is FrsErrorMismatchedJournalId
> >>>
> >>> Other event log messages may also help determine the
> >>> problem. Correct the problem and the service will attempt to
> >>> restart replication automatically at a later time.
> >>> An Error Event occurred. EventID: 0xC00034F3
> >>>
> >>> Time Generated: 07/04/2009 23:13:40
> >>>
> >>> Event String:
> >>>
> >>> The File Replication Service is in an error state. Files
> >>> will not replicate to or from one or all of the replica sets on this
> >>> computer until the following recovery steps are performed:
> >>> Recovery Steps:
> >>>
> >>> [1] The error state may clear itself if you stop and
> >>> restart the FRS service. This can be done by performing the
> >>> following
> >>> in a command window:
> >>> net stop ntfrs
> >>>
> >>> net start ntfrs
> >>>
> >>> If this fails to clear up the problem then proceed as follows.
> >>>
> >>> [2] For Active Directory Domain Services Domain
> >>> Controllers that DO NOT host any DFS alternates or other replica
> >>> sets
> >>> with replication enabled:
> >>> If there is at least one other Domain Controller in this
> >>> domain then restore the "system state" of this DC from backup (using
> >>> ntbackup or other backup-restore utility) and make it
> >>> non-authoritative.
> >>> If there are NO other Domain Controllers in this domain
> >>> then restore the "system state" of this DC from backup (using
> >>> ntbackup
> >>> or other backup-restore utility) and choose the Advanced option
> >>> which
> >>> marks the sysvols as primary.
> >>> If there are other Domain Controllers in this domain but
> >>> ALL of them have this event log message then restore one of them as
> >>> primary (data files from primary will replicate everywhere) and the
> >>> others as non-authoritative.
> >>> [3] For Active Directory Domain Services Domain
> >>> Controllers that host DFS alternates or other replica sets with
> >>> replication enabled:
> >>> (3-a) If the Dfs alternates on this DC do not have any
> >>> other replication partners then copy the data under that Dfs share
> >>> to
> >>> a safe location.
> >>> (3-b) If this server is the only Active Directory Domain
> >>> Services Domain Controller for this domain then, before going to
> >>> (3-c), make sure this server does not have any inbound or outbound
> >>> connections to other servers that were formerly Domain Controllers
> >>> for
> >>> this domain but are now off the net (and will never be coming back
> >>> online) or have been fresh installed without being demoted. To
> >>> delete
> >>> connections use the Sites and Services snapin and look for
> >>> Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS
> >>> Settings->CONNECTIONS.
> >>>
> >>> (3-c) Restore the "system state" of this DC from backup (using
> >>> ntbackup or other backup-restore utility) and make it
> >>> non-authoritative.
> >>>
> >>> (3-d) Copy the data from step (3-a) above to the original location
> >>> after the sysvol share is published.
> >>>
> >>> [4] For other Windows servers:
> >>>
> >>> (4-a) If any of the DFS alternates or other replica sets
> >>> hosted by this server do not have any other replication partners
> >>> then
> >>> copy the data under its share or replica tree root to a safe
> >>> location.
> >>> (4-b) net stop ntfrs
> >>>
> >>> (4-c) rd /s /q c:\windows\ntfrs\jet
> >>>
> >>> (4-d) net start ntfrs
> >>>
> >>> (4-e) Copy the data from step (4-a) above to the
> >>> original location after the service has initialized (5 minutes is a
> >>> safe waiting time).
> >>> Note: If this error message is in the eventlog of all the
> >>> members of a particular replica set then perform steps (4-a) and
> >>> (4-e) above on only one of the members.
> >>> ......................... server1 failed test FrsEvent
> >>>
> >>> Starting test: DFSREvent
> >>>
> >>> The DFS Replication Event Log.
> >>> ......................... server1 passed test DFSREvent
> >>> Starting test: SysVolCheck
> >>>
> >>> * The File Replication Service SYSVOL ready test
> >>> File Replication Service's SYSVOL is ready
> >>> ......................... server1 passed test SysVolCheck
> >>> Starting test: KccEvent
> >>> * The KCC Event log test
> >>> Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
> >>> ......................... server1 passed test KccEvent
> >>> Starting test: KnowsOfRoleHolders
> >>> Role Schema Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> Role Domain Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> Role PDC Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> Role Rid Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> Role Infrastructure Update Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> ......................... server1 passed test KnowsOfRoleHolders
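
The dcdiag report quoted in the post above prints the FRS errors as 32-bit identifiers (0xC00034F0, 0xC00034F3), while the reply refers to event IDs 13552 and 13555. The following is an added example, not part of the thread: it decodes one form into the other and summarises pass/fail results from dcdiag text that a forum has quote-prefixed and line-wrapped. The function names are hypothetical and the sample input is constructed in the shape of the quoted output.

```python
import re

# Constructed sample in the shape of the dcdiag output quoted in the thread,
# including reply-quote prefixes and result lines wrapped across two lines.
SAMPLE = """\
> >>> Starting test: FrsEvent
> >>> An Error Event occurred. EventID: 0xC00034F0
> >>> Time Generated: 07/04/2009 23:13:40
> >>> An Error Event occurred. EventID: 0xC00034F3
> >>> ......................... server1 failed test FrsEvent
> >>> The DFS Replication Event Log. ......................... server1
> >>> passed test DFSREvent Starting test: SysVolCheck
> >>> ......................... server1 passed test SysVolCheck
> >>> ......................... server1 passed test
> >>> KnowsOfRoleHolders
"""

QUOTE_PREFIX = re.compile(r"^[>\s]+")
# dcdiag result lines: a run of dots, the server name, the verdict, the test name.
RESULT = re.compile(r"\.{5,}\s*(\S+)\s+(passed|failed)\s+test\s+(\w+)")
EVENT = re.compile(r"EventID:\s*0x([0-9A-Fa-f]{8})\b")
# The top two bits of a Windows event identifier carry the severity.
SEVERITY = ("success", "informational", "warning", "error")


def normalize(report):
    """Drop reply-quote markers and join wrapped lines into one string."""
    lines = (QUOTE_PREFIX.sub("", line).strip() for line in report.splitlines())
    return " ".join(line for line in lines if line)


def decode_event_id(identifier):
    """Split a 32-bit event identifier into severity and Event Viewer ID."""
    return {
        "severity": SEVERITY[identifier >> 30],
        "event_id": identifier & 0xFFFF,  # low 16 bits are the event code
    }


def summarize(report):
    """Return test verdicts, failed test names and decoded events."""
    flat = normalize(report)
    results = {
        (server, test): verdict
        for server, verdict, test in RESULT.findall(flat)
    }
    events = []
    for raw in dict.fromkeys(EVENT.findall(flat)):  # de-duplicate, keep order
        events.append({"raw": "0x" + raw.upper(), **decode_event_id(int(raw, 16))})
    failed = sorted(test for (_, test), verdict in results.items() if verdict == "failed")
    return {"results": results, "failed": failed, "events": events}


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print("failed tests:", ", ".join(summary["failed"]) or "none")
    for event in summary["events"]:
        print(f'{event["raw"]} -> event ID {event["event_id"]} ({event["severity"]})')
```
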
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157543 is a reply to message #157313] Wed, 08 July 2009 20:53
Haji
No, I don't unfortunately, as this is just my home network that I test stuff
on. I didn't even notice any issues until I tried moving the AD over to the
new server.

"Meinolf Weber [MVP-DS]" wrote:

> Hello Haji,
>
> You cannot create the sysvol and netlogon shares manually, they are created during
> dcpromo. Unfortunately server1 has problems, so getting them replicated will also
> be a problem.
>
> Do you have a backup from server1 available where it was running correctly?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Server2 oddly enough doesn't have a sysvol or netlogon share, which
> > could be an issue... I noticed that when I initially setup the
> > server, so I manually created them, but apparently they didn't
> > "stick."
> >
> > Neither server has a firewall active on them. Both are disabled.
> >
> > All pings are successful between both servers.
> >
> > "Meinolf Weber [MVP-DS]" wrote:
> >
> >> Hello Haji,
> >>
> >> Can you open and compare sysvol and netlogon share on both DCs?
> >>
> >> Please ping between both DCs with ipaddress, computername and FQDN.
> >>
> >> Any firewall running between them?
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> dcdiag from server2, which is the new one:
> >>>
> >>> Directory Server Diagnosis
> >>>
> >>> Performing initial setup:
> >>>
> >>> Trying to find home server...
> >>>
> >>> * Verifying that the local machine server2, is a Directory Server.
> >>> Home Server = server2
> >>> * Connecting to directory service on server server2.
> >>> * Identified AD Forest.
> >>> Collecting AD specific global data
> >>> * Collecting site info.
> >>> Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
> >>> The previous call succeeded
> >>> Iterating through the sites
> >>> Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> Getting ISTG and options for the site
> >>> * Identifying all servers.
> >>> Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
> >>> The previous call succeeded....
> >>> The previous call succeeded
> >>> Iterating through the list of servers
> >>> Getting information for the server CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> objectGuid obtained
> >>> InvocationID obtained
> >>> dnsHostname obtained
> >>> site info obtained
> >>> All the info for the server collected
> >>> Getting information for the server CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> objectGuid obtained
> >>> InvocationID obtained
> >>> dnsHostname obtained
> >>> site info obtained
> >>> All the info for the server collected
> >>> * Identifying all NC cross-refs.
> >>> * Found 2 DC(s). Testing 1 of them.
> >>> Done gathering initial info.
> >>>
> >>> Doing initial required tests
> >>>
> >>> Testing server: Default-First-Site-Name\server2
> >>>
> >>> Starting test: Connectivity
> >>>
> >>> * Active Directory LDAP Services Check
> >>> Determining IP4 connectivity
> >>> Determining IP6 connectivity
> >>> * Active Directory RPC Services Check
> >>> ......................... server2 passed test Connectivity
> >>> Doing primary tests
> >>> Testing server: Default-First-Site-Name\server2
> >>>
> >>> Starting test: Advertising
> >>>
> >>> Warning: DsGetDcName returned information for
> >>>
> >>> \\server1.domain.dns, when we were trying to reach server2.
> >>>
> >>> SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
> >>>
> >>> ......................... server2 failed test Advertising
> >>>
> >>> Test omitted by user request: CheckSecurityError
> >>>
> >>> Test omitted by user request: CutoffServers
> >>>
> >>> Starting test: FrsEvent
> >>>
> >>> * The File Replication Service Event log test
> >>> There are warning or error events within the last 24 hours
> >>> after the
> >>> SYSVOL has been shared. Failing SYSVOL replication problems
> >>> may cause
> >>> Group Policy problems.
> >>> An Warning Event occurred. EventID: 0x800034C4
> >>> Time Generated: 07/04/2009 19:53:44
> >>> Event String:
> >>>
> >>> The File Replication Service is having trouble enabling
> >>> replication from server1.domain.dns to server2 for
> >>> c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
> >>> will keep retrying.
> >>> Following are some of the reasons you would see this warning.
> >>>
> >>> [1] FRS can not correctly resolve the DNS name
> >>> server1.domain.dns from this computer.
> >>> [2] FRS is not running on server1.domain.dns.
> >>>
> >>> [3] The topology information in the Active Directory
> >>> Domain Services for this replica has not yet replicated to all the
> >>> Domain Controllers.
> >>> This event log message will appear once per connection,
> >>> After the problem is fixed you will see another event log message
> >>> indicating that the connection has been established.
> >>> An Warning Event occurred. EventID: 0x800034FE
> >>>
> >>> Time Generated: 07/05/2009 17:59:10
> >>>
> >>> Event String:
> >>>
> >>> File Replication Service is scanning the data in the
> >>> system volume. Computer server2 cannot become a domain controller
> >>> until this process is complete. The system volume will then be
> >>> shared
> >>> as SYSVOL.
> >>> To check for the SYSVOL share, at the command prompt, type:
> >>>
> >>> net share
> >>>
> >>> When File Replication Service completes the scanning process, the
> >>> SYSVOL share will appear.
> >>>
> >>> The initialization of the system volume can take some
> >>> time. The time is dependent on the amount of data in the system
> >>> volume.
> >>> An Warning Event occurred. EventID: 0x800034C4
> >>>
> >>> Time Generated: 07/05/2009 18:02:00
> >>>
> >>> Event String:
> >>>
> >>> The File Replication Service is having trouble enabling
> >>> replication from server1.domain.dns to server2 for
> >>> c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
> >>> will keep retrying.
> >>> Following are some of the reasons you would see this warning.
> >>>
> >>> [1] FRS can not correctly resolve the DNS name
> >>> server1.domain.dns from this computer.
> >>> [2] FRS is not running on server1.domain.dns.
> >>>
> >>> [3] The topology information in the Active Directory
> >>> Domain Services for this replica has not yet replicated to all the
> >>> Domain Controllers.
> >>> This event log message will appear once per connection,
> >>> After the problem is fixed you will see another event log message
> >>> indicating that the connection has been established.
> >>> An Warning Event occurred. EventID: 0x800034FE
> >>>
> >>> Time Generated: 07/05/2009 18:08:29
> >>>
> >>> Event String:
> >>>
> >>> File Replication Service is scanning the data in the
> >>> system volume. Computer server2 cannot become a domain controller
> >>> until this process is complete. The system volume will then be
> >>> shared
> >>> as SYSVOL.
> >>> To check for the SYSVOL share, at the command prompt, type:
> >>>
> >>> net share
> >>>
> >>> When File Replication Service completes the scanning process, the
> >>> SYSVOL share will appear.
> >>>
> >>> The initialization of the system volume can take some
> >>> time. The time is dependent on the amount of data in the system
> >>> volume.
> >>> An Warning Event occurred. EventID: 0x800034C4
> >>>
> >>> Time Generated: 07/05/2009 18:10:22
> >>>
> >>> Event String:
> >>>
> >>> The File Replication Service is having trouble enabling
> >>> replication from server1.domain.dns to server2 for
> >>> c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
> >>> will keep retrying.
> >>> Following are some of the reasons you would see this warning.
> >>>
> >>> [1] FRS can not correctly resolve the DNS name
> >>> server1.domain.dns from this computer.
> >>> [2] FRS is not running on server1.domain.dns.
> >>>
> >>> [3] The topology information in the Active Directory
> >>> Domain Services for this replica has not yet replicated to all the
> >>> Domain Controllers.
> >>> This event log message will appear once per connection,
> >>> After the problem is fixed you will see another event log message
> >>> indicating that the connection has been established.
> >>> An Warning Event occurred. EventID: 0x800034C4
> >>>
> >>> Time Generated: 07/05/2009 18:18:22
> >>>
> >>> Event String:
> >>>
> >>> The File Replication Service is having trouble enabling
> >>> replication from server1 to server2 for c:\windows\sysvol\domain
> >>> using
> >>> the DNS name server1.domain.dns. FRS will keep retrying.
> >>> Following are some of the reasons you would see this warning.
> >>>
> >>> [1] FRS can not correctly resolve the DNS name
> >>> server1.domain.dns from this computer.
> >>> [2] FRS is not running on server1.domain.dns.
> >>>
> >>> [3] The topology information in the Active Directory
> >>> Domain Services for this replica has not yet replicated to all the
> >>> Domain Controllers.
> >>> This event log message will appear once per connection,
> >>> After the problem is fixed you will see another event log message
> >>> indicating that the connection has been established.
> >>> ......................... server2 passed test FrsEvent
> >>>
> >>> Starting test: DFSREvent
> >>>
> >>> The DFS Replication Event Log.
> >>> There are warning or error events within the last 24 hours
> >>> after the
> >>> SYSVOL has been shared. Failing SYSVOL replication problems
> >>> may cause
> >>> Group Policy problems.
> >>> An Error Event occurred. EventID: 0xC00004B2
> >>> Time Generated: 07/05/2009 17:59:35
> >>> Event String:
> >>>
> >>> The DFS Replication service failed to contact domain
> >>> controller to access configuration information. Replication is
> >>> stopped. The service will try again during the next configuration
> >>> polling cycle, which will occur in 60 minutes. This event can be
> >>> caused by TCP/IP connectivity, firewall, Active Directory Domain
> >>> Services, or DNS issues.
> >>> Additional Information:
> >>>
> >>> Error: 160 (One or more arguments are not correct.)
> >>>
> >>> ......................... server2 failed test DFSREvent
> >>>
> >>> Starting test: SysVolCheck
> >>>
> >>> * The File Replication Service SYSVOL ready test
> >>> The registry lookup failed to determine the state of the
> >>> SYSVOL. The
> >>> error returned was 0x0 "The operation completed
> >>> successfully.".
> >>> Check the FRS event log to see if the SYSVOL has successfully been
> >>>
> >>> shared.
> >>>
>
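Added example (not part of the original thread): a Python summarizer for dcdiag output pasted into a post like the one above. It tolerates the `> >>>` quote prefixes and the wrapped result lines seen in this thread, and also lists tests that "passed" while still logging warning events, as FrsEvent does here. The sample text is constructed from lines quoted in the thread; all function names are this example's own.

```python
import re

# Leading mail/forum quote markers such as "> >>> ".
QUOTE = re.compile(r"^(?:\s*>+)+\s?")
START = re.compile(r"Starting test:\s*(\S+)")
# Result line; the test name may have wrapped onto the next line.
RESULT = re.compile(r"\.{5,}\s*(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?")
# dcdiag really prints "An Warning Event occurred."
EVENT = re.compile(
    r"An? (Warning|Error) Event occurred\.\s*EventID:\s*(0x[0-9A-Fa-f]+)")


def clean_lines(text):
    """Strip quote markers and drop lines that are empty afterwards."""
    out = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if line:
            out.append(line)
    return out


def summarize(text):
    """Return one dict per test: server, test, status, events."""
    lines = clean_lines(text)
    results, current, events = [], None, []
    for i, line in enumerate(lines):
        m = START.search(line)
        if m:
            current, events = m.group(1), []
            continue
        m = EVENT.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
            continue
        m = RESULT.search(line)
        if not m:
            continue
        server, status, name = m.groups()
        if name is None:
            # Wrapped result line: prefer the open test, otherwise accept a
            # following line that is a single bare word.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if current:
                name = current
            elif re.fullmatch(r"\w+", nxt):
                name = nxt
            else:
                name = "unknown"
        results.append({"server": server, "test": name,
                        "status": status, "events": events})
        current, events = None, []
    return results


def needs_attention(results):
    """Failed tests, plus tests that passed but logged events."""
    return [r for r in results if r["status"] == "failed" or r["events"]]


# Constructed sample: lines taken from the dcdiag output quoted in the thread.
SAMPLE = r"""
> >>> Starting test: Advertising
> >>>
> >>> Warning: DsGetDcName returned information for
> >>>
> >>> \\server1.domain.dns, when we were trying to reach server2.
> >>>
> >>> SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
> >>>
> >>> ......................... server2 failed test Advertising
> >>> Starting test: FrsEvent
> >>> An Warning Event occurred. EventID: 0x800034C4
> >>> Time Generated: 07/04/2009 19:53:44
> >>> An Warning Event occurred. EventID: 0x800034FE
> >>> ......................... server2 passed test FrsEvent
> >>> Starting test: DFSREvent
> >>> An Error Event occurred. EventID: 0xC00004B2
> >>> ......................... server2 failed test DFSREvent
> >>> Starting test: KnowsOfRoleHolders
> >>> ......................... server1 passed test
> >>> KnowsOfRoleHolders
"""

if __name__ == "__main__":
    for r in needs_attention(summarize(SAMPLE)):
        ids = ", ".join(e[1] for e in r["events"]) or "-"
        print(f'{r["server"]:8} {r["test"]:20} {r["status"]:7} events: {ids}')
```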
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157544 is a reply to message #157360] Wed, 08 July 2009 21:00
Haji
No, I didn't change the IP addresses to Unknown.

Yes, my domain ends in .dns


"Meinolf Weber [MVP-DS]" wrote:

> Hello Haji,
>
> Did you change the ip address to UNKNOWN in these lines:
>
> Additional authoritative (NS) records from server:
> server1.domain.dns Unknown
> server2.domain.dns Unknown
>
> Your domain name is ending with .dns, or is this just a placeholder?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > From Server1:
> >
> > System Date: Mon Jul 06 08:05:37 2009
> >
> > Command run:
> >
> > dnslint /ad /s 192.168.1.9
> >
> > Root of Active Directory Forest:
> >
> > domain.dns
> >
> > Active Directory Forest Replication GUIDs Found:
> >
> > DC: server1
> > GUID: 10054e4e-3786-4858-a745-5a3b299c2326
> > DC: server2
> > GUID: d963b078-1f27-4154-8436-870d19935efe
> > Total GUIDs found: 2
> >
> > --------------------------------------------------------------------------------
> >
> > The following 2 DNS servers were checked for records related to AD
> > forest replication:
> >
> > DNS server: server1.domain.dns
> > IP Address: 192.168.1.9
> > UDP port 53 responding to queries: YES
> > TCP port 53 responding to queries: Not tested
> > Answering authoritatively for domain: YES
> > SOA record data from server:
> > Authoritative name server: server1.domain.dns
> > Hostmaster: hostmaster.domain.dns
> > Zone serial number: 3
> > Zone expires in: 1.00 day(s)
> > Refresh period: 900 seconds
> > Retry delay: 600 seconds
> > Default (minimum) TTL: 3600 seconds
> > Additional authoritative (NS) records from server:
> > server1.domain.dns Unknown
> > server2.domain.dns Unknown
> > Alias (CNAME) and glue (A) records for forest GUIDs from server:
> > CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> > Alias: server1.domain.dns
> > Glue: 192.168.1.9
> > CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> > Alias: server2.domain.dns
> > Glue: 192.168.1.51
> > Total number of CNAME records found on this server: 2
> >
> > Total number of CNAME records missing on this server: 0
> >
> > Total number of glue (A) records this server could not find: 0
> >
> > --------------------------------------------------------------------------------
> >
> > DNS server: server2.domain.dns
> > IP Address: 192.168.1.51
> > UDP port 53 responding to queries: YES
> > TCP port 53 responding to queries: Not tested
> > Answering authoritatively for domain: YES
> > SOA record data from server:
> > Authoritative name server: server2.domain.dns
> > Hostmaster: hostmaster.domain.dns
> > Zone serial number: 3
> > Zone expires in: 1.00 day(s)
> > Refresh period: 900 seconds
> > Retry delay: 600 seconds
> > Default (minimum) TTL: 3600 seconds
> > Additional authoritative (NS) records from server:
> > server2.domain.dns Unknown
> > server1.domain.dns Unknown
> > Alias (CNAME) and glue (A) records for forest GUIDs from server:
> > CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> > Alias: server1.domain.dns
> > Glue: 192.168.1.9
> > CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> > Alias: server2.domain.dns
> > Glue: 192.168.1.51
> > Total number of CNAME records found on this server: 2
> >
> > Total number of CNAME records missing on this server: 0
> >
> > Total number of glue (A) records this server could not find: 0
> >
> > From Server2:
> >
> > System Date: Mon Jul 06 07:58:43 2009
> >
> > Command run:
> >
> > dnslint /ad /s 192.168.1.51
> >
> > Root of Active Directory Forest:
> >
> > domain.dns
> >
> > Active Directory Forest Replication GUIDs Found:
> >
> > DC: SERVER1
> > GUID: 10054e4e-3786-4858-a745-5a3b299c2326
> > DC: SERVER2
> > GUID: d963b078-1f27-4154-8436-870d19935efe
> > Total GUIDs found: 2
> >
> > --------------------------------------------------------------------------------
> >
> > The following 2 DNS servers were checked for records related to AD
> > forest replication:
> >
> > DNS server: server2.domain.dns
> > IP Address: 192.168.1.51
> > UDP port 53 responding to queries: YES
> > TCP port 53 responding to queries: Not tested
> > Answering authoritatively for domain: YES
> > SOA record data from server:
> > Authoritative name server: server2.domain.dns
> > Hostmaster: hostmaster.domain.dns
> > Zone serial number: 3
> > Zone expires in: 1.00 day(s)
> > Refresh period: 900 seconds
> > Retry delay: 600 seconds
> > Default (minimum) TTL: 3600 seconds
> > Additional authoritative (NS) records from server:
> > server1.domain.dns Unknown
> > server2.domain.dns Unknown
> > Alias (CNAME) and glue (A) records for forest GUIDs from server:
> > CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> > Alias: server1.domain.dns
> > Glue: 192.168.1.9
> > CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> > Alias: server2.domain.dns
> > Glue: 192.168.1.51
> > Total number of CNAME records found on this server: 2
> >
> > Total number of CNAME records missing on this server: 0
> >
> > Total number of glue (A) records this server could not find: 0
> >
> > --------------------------------------------------------------------------------
> >
> > DNS server: server1.domain.dns
> > IP Address: 192.168.1.9
> > UDP port 53 responding to queries: YES
> > TCP port 53 responding to queries: Not tested
> > Answering authoritatively for domain: YES
> > SOA record data from server:
> > Authoritative name server: server1.domain.dns
> > Hostmaster: hostmaster.domain.dns
> > Zone serial number: 3
> > Zone expires in: 1.00 day(s)
> > Refresh period: 900 seconds
> > Retry delay: 600 seconds
> > Default (minimum) TTL: 3600 seconds
> > Additional authoritative (NS) records from server:
> > server2.domain.dns Unknown
> > server1.domain.dns Unknown
> > Alias (CNAME) and glue (A) records for forest GUIDs from server:
> > CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> > Alias: server1.domain.dns
> > Glue: 192.168.1.9
> > CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> > Alias: server2.domain.dns
> > Glue: 192.168.1.51
> > Total number of CNAME records found on this server: 2
> >
> > Total number of CNAME records missing on this server: 0
> >
> > Total number of glue (A) records this server could not find: 0
> >
> > "Meinolf Weber [MVP-DS]" wrote:
> >
> >> Hello Haji,
> >>
> >> Please run:
> >> dnslint /ad /s "ip address of your dc"
> >> Therefore download and install:
> >> http://support.microsoft.com/kb/321045
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> In Active Directory Sites and Services, both Server1 and Server 2
> >>> are listed as IP Bridgeheads, and both are GC's. Both servers have
> >>> Active Directory integrated DNS running on them.
> >>>
> >>> Windows IP Configuration
> >>>
> >>> Host Hame . . . . . . . . . . . . : server2
> >>> Primary Dns Suffix . . . . . . . : domain.dns
> >>> Node Type . . . . . . . . . . . . : Hybrid
> >>> IP Routing Enabled. . . . . . . . : No
> >>> WINS Proxy Enabled. . . . . . . . : No
> >>> DNS Suffix Search List. . . . . . : domain.dns
> >>> Ethernet adapter Local Area Connection:
> >>> Connection-specific DNS Suffix . : domain.dns
> >>> Description . . . . . . . . . . . : TEAM : Team #0
> >>> Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
> >>> DHCP Enabled. . . . . . . . . . . : No
> >>> Autoconfiguration Enabled . . . . : Yes
> >>> IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
> >>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> >>> Default Gateway . . . . . . . . . : 192.168.1.1
> >>> DNS Servers . . . . . . . . . . . : 192.168.1.51
> >>> 192.168.1.9
> >>> Primary WINS Server . . . . . . . : 192.168.1.9
> >>> Secondary WINS Server . . . . . . : 192.168.1.51
> >>> NetBIOS over Tcpip. . . . . . . . : Enabled
> >>> nltest /server:server2 /dsgetdc:domain.dns
> >>> DC: \\server1.domain.dns
> >>> Address: \\192.168.1.9
> >>> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> >>> Dom Name: domain.dns
> >>> Forest Name: domain.dns
> >>> Dc Site Name: Default-First-Site-Name
> >>> Our Site Name: Default-First-Site-Name
> >>> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
> >>> CLOSE_SITE FULL SECRET
> >>> Windows IP Configuration
> >>> Host Hame . . . . . . . . . . . . : server1
> >>> Primary Dns Suffix . . . . . . . : domain.dns
> >>> Node Type . . . . . . . . . . . . : Hybrid
> >>> IP Routing Enabled. . . . . . . . : No
> >>> WINS Proxy Enabled. . . . . . . . : No
> >>> DNS Suffix Search List. . . . . . : domain.dns
> >>> Ethernet adapter Local Area Connection:
> >>> Connection-specific DNS Suffix . : domain.dns
> >>> Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
> >>> Connection
> >>> Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
> >>> DHCP Enabled. . . . . . . . . . . : No
> >>> Autoconfiguration Enabled . . . . : Yes
> >>> IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
> >>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> >>> Default Gateway . . . . . . . . . : 192.168.1.1
> >>> DNS Servers . . . . . . . . . . . : 192.168.1.9
> >>> 192.168.1.51
> >>> Primary WINS Server . . . . . . . : 192.168.1.51
> >>> Secondary WINS Server . . . . . . : 192.168.1.9
> >>> NetBIOS over Tcpip. . . . . . . . : Enabled
> >>> nltest /server:server1 /dsgetdc:domain.dns
> >>> DC: \\server1.domain.dns
> >>> Address: \\192.168.1.9
> >>> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> >>> Dom Name: domain.dns
> >>> Forest Name: domain.dns
> >>> Dc Site Name: Default-First-Site-Name
> >>> Our Site Name: Default-First-Site-Name
> >>> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
> >>> CLOSE_SITE FULL SECRET
> >>> "Paul Bergson [MVP-DS]" wrote:
> >>>> Sounds to me like you haven't made the new box a GC or not a DNS
> >>>> server.
> >>>>
> >>>> Start by posting both boxes ip configuration details. From a
> >>>> command prompt on both dc's run the following:
> >>>>
> >>>> ipconfig /all
> >>>>
> >>>> Next from each DC at a command prompt run the following and post:
> >>>> nltest /server:<servername> /dsgetdc:<domainname>
> >>>>
> >>>> Note: Feel free to modify the output, so as not to disclose any
> >>>> valuable information. Such as changing the the first couple of
> >>>> octets on your ip addresses, but please be consistent (192.168. is
> >>>> a good replacement value).
> >>>>
> >>>> --
> >>>> Paul Bergson
> >>>> MVP - Directory Services
> >>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >>>> 2008, 2003, 2000 (Early Achiever), NT4
> >>>> http://www.pbbergs.com
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157553 is a reply to message #157544] Thu, 09 July 2009 02:50
meiweb(nospam), Germany
Hello Haji,

Did you follow the advice/questions from Ace and make the changes regarding
WINS? Also strange is that "Unknown" is listed instead of the ip address.

Please check in the DNS zones, do you have _msdcs.domain.dns and domain.dns
listed?

Does domain.dns include _msdcs, _sites, _tcp, _udp, DomainDNSzones and
ForestDNSzones, with additional folders in the structure?

Are all DCs listed with _ldap and _kerberos, and Global Catalog servers
with _gc, depending on the different folders?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> No, I didn't change the IP addresses to Unknown.
>
> Yes, my domain ends in .dns
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Haji,
>>
>> Did you change the ip address to UNKNOWN in these lines:
>>
>> Additional authoritative (NS) records from server:
>> server1.domain.dns Unknown
>> server2.domain.dns Unknown
>> Your domain name is ending with .dns, or is this just a placeholder?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> From Server1:
>>>
>>> System Date: Mon Jul 06 08:05:37 2009
>>>
>>> Command run:
>>>
>>> dnslint /ad /s 192.168.1.9
>>>
>>> Root of Active Directory Forest:
>>>
>>> domain.dns
>>>
>>> Active Directory Forest Replication GUIDs Found:
>>>
>>> DC: server1
>>> GUID: 10054e4e-3786-4858-a745-5a3b299c2326
>>> DC: server2
>>> GUID: d963b078-1f27-4154-8436-870d19935efe
>>> Total GUIDs found: 2
>>> ------------------------------------------------------------ --------
>>> -- ----------
>>>
>>> The following 2 DNS servers were checked for records related to AD
>>> forest replication:
>>>
>>> DNS server: server1.domain.dns
>>> IP Address: 192.168.1.9
>>> UDP port 53 responding to queries: YES
>>> TCP port 53 responding to queries: Not tested
>>> Answering authoritatively for domain: YES
>>> SOA record data from server:
>>> Authoritative name server: server1.domain.dns
>>> Hostmaster: hostmaster.domain.dns
>>> Zone serial number: 3
>>> Zone expires in: 1.00 day(s)
>>> Refresh period: 900 seconds
>>> Retry delay: 600 seconds
>>> Default (minimum) TTL: 3600 seconds
>>> Additional authoritative (NS) records from server:
>>> server1.domain.dns Unknown
>>> server2.domain.dns Unknown
>>> Alias (CNAME) and glue (A) records for forest GUIDs from server:
>>> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
>>> Alias: server1.domain.dns
>>> Glue: 192.168.1.9
>>> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
>>> Alias: server2.domain.dns
>>> Glue: 192.168.1.51
>>> Total number of CNAME records found on this server: 2
>>> Total number of CNAME records missing on this server: 0
>>>
>>> Total number of glue (A) records this server could not find: 0
>>>
>>> ------------------------------------------------------------ --------
>>> -- ----------
>>>
>>> DNS server: server2.domain.dns
>>> IP Address: 192.168.1.51
>>> UDP port 53 responding to queries: YES
>>> TCP port 53 responding to queries: Not tested
>>> Answering authoritatively for domain: YES
>>> SOA record data from server:
>>> Authoritative name server: server2.domain.dns
>>> Hostmaster: hostmaster.domain.dns
>>> Zone serial number: 3
>>> Zone expires in: 1.00 day(s)
>>> Refresh period: 900 seconds
>>> Retry delay: 600 seconds
>>> Default (minimum) TTL: 3600 seconds
>>> Additional authoritative (NS) records from server:
>>> server2.domain.dns Unknown
>>> server1.domain.dns Unknown
>>> Alias (CNAME) and glue (A) records for forest GUIDs from server:
>>> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
>>> Alias: server1.domain.dns
>>> Glue: 192.168.1.9
>>> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
>>> Alias: server2.domain.dns
>>> Glue: 192.168.1.51
>>> Total number of CNAME records found on this server: 2
>>> Total number of CNAME records missing on this server: 0
>>>
>>> Total number of glue (A) records this server could not find: 0
>>>
>>> From Server2:
>>>
>>> System Date: Mon Jul 06 07:58:43 2009
>>>
>>> Command run:
>>>
>>> dnslint /ad /s 192.168.1.51
>>>
>>> Root of Active Directory Forest:
>>>
>>> domain.dns
>>>
>>> Active Directory Forest Replication GUIDs Found:
>>>
>>> DC: SERVER1
>>> GUID: 10054e4e-3786-4858-a745-5a3b299c2326
>>> DC: SERVER2
>>> GUID: d963b078-1f27-4154-8436-870d19935efe
>>> Total GUIDs found: 2
>>> ------------------------------------------------------------ --------
>>> -- ----------
>>>
>>> The following 2 DNS servers were checked for records related to AD
>>> forest replication:
>>>
>>> DNS server: server2.domain.dns
>>> IP Address: 192.168.1.51
>>> UDP port 53 responding to queries: YES
>>> TCP port 53 responding to queries: Not tested
>>> Answering authoritatively for domain: YES
>>> SOA record data from server:
>>> Authoritative name server: server2.domain.dns
>>> Hostmaster: hostmaster.domain.dns
>>> Zone serial number: 3
>>> Zone expires in: 1.00 day(s)
>>> Refresh period: 900 seconds
>>> Retry delay: 600 seconds
>>> Default (minimum) TTL: 3600 seconds
>>> Additional authoritative (NS) records from server:
>>> server1.domain.dns Unknown
>>> server2.domain.dns Unknown
>>> Alias (CNAME) and glue (A) records for forest GUIDs from server:
>>> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
>>> Alias: server1.domain.dns
>>> Glue: 192.168.1.9
>>> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
>>> Alias: server2.domain.dns
>>> Glue: 192.168.1.51
>>> Total number of CNAME records found on this server: 2
>>> Total number of CNAME records missing on this server: 0
>>>
>>> Total number of glue (A) records this server could not find: 0
>>>
>>> ------------------------------------------------------------ --------
>>> -- ----------
>>>
>>> DNS server: server1.domain.dns
>>> IP Address: 192.168.1.9
>>> UDP port 53 responding to queries: YES
>>> TCP port 53 responding to queries: Not tested
>>> Answering authoritatively for domain: YES
>>> SOA record data from server:
>>> Authoritative name server: server1.domain.dns
>>> Hostmaster: hostmaster.domain.dns
>>> Zone serial number: 3
>>> Zone expires in: 1.00 day(s)
>>> Refresh period: 900 seconds
>>> Retry delay: 600 seconds
>>> Default (minimum) TTL: 3600 seconds
>>> Additional authoritative (NS) records from server:
>>> server2.domain.dns Unknown
>>> server1.domain.dns Unknown
>>> Alias (CNAME) and glue (A) records for forest GUIDs from server:
>>> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
>>> Alias: server1.domain.dns
>>> Glue: 192.168.1.9
>>> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
>>> Alias: server2.domain.dns
>>> Glue: 192.168.1.51
>>> Total number of CNAME records found on this server: 2
>>> Total number of CNAME records missing on this server: 0
>>>
>>> Total number of glue (A) records this server could not find: 0
>>>
>>> "Meinolf Weber [MVP-DS]" wrote:
>>>
>>>> Hello Haji,
>>>>
>>>> Please run:
>>>> dnslint /ad /s "ip address of your dc"
>>>> Therefore download and install:
>>>> http://support.microsoft.com/kb/321045
>>>> Best regards
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers
>>>> no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> In Active Directory Sites and Services, both Server1 and Server 2
>>>>> are listed as IP Bridgeheads, and both are GC's. Both servers
>>>>> have Active Directory integrated DNS running on them.
>>>>>
>>>>> Windows IP Configuration
>>>>>
>>>>> Host Hame . . . . . . . . . . . . : server2
>>>>> Primary Dns Suffix . . . . . . . : domain.dns
>>>>> Node Type . . . . . . . . . . . . : Hybrid
>>>>> IP Routing Enabled. . . . . . . . : No
>>>>> WINS Proxy Enabled. . . . . . . . : No
>>>>> DNS Suffix Search List. . . . . . : domain.dns
>>>>> Ethernet adapter Local Area Connection:
>>>>> Connection-specific DNS Suffix . : domain.dns
>>>>> Description . . . . . . . . . . . : TEAM : Team #0
>>>>> Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
>>>>> DHCP Enabled. . . . . . . . . . . : No
>>>>> Autoconfiguration Enabled . . . . : Yes
>>>>> IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>> Default Gateway . . . . . . . . . : 192.168.1.1
>>>>> DNS Servers . . . . . . . . . . . : 192.168.1.51
>>>>> 192.168.1.9
>>>>> Primary WINS Server . . . . . . . : 192.168.1.9
>>>>> Secondary WINS Server . . . . . . : 192.168.1.51
>>>>> NetBIOS over Tcpip. . . . . . . . : Enabled
>>>>> nltest /server:server2 /dsgetdc:domain.dns
>>>>> DC: \\server1.domain.dns
>>>>> Address: \\192.168.1.9
>>>>> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
>>>>> Dom Name: domain.dns
>>>>> Forest Name: domain.dns
>>>>> Dc Site Name: Default-First-Site-Name
>>>>> Our Site Name: Default-First-Site-Name
>>>>> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN
>>>>> DNS_FOREST
>>>>> CLOSE_SITE FULL SECRET
>>>>> Windows IP Configuration
>>>>> Host Hame . . . . . . . . . . . . : server1
>>>>> Primary Dns Suffix . . . . . . . : domain.dns
>>>>> Node Type . . . . . . . . . . . . : Hybrid
>>>>> IP Routing Enabled. . . . . . . . : No
>>>>> WINS Proxy Enabled. . . . . . . . : No
>>>>> DNS Suffix Search List. . . . . . : domain.dns
>>>>> Ethernet adapter Local Area Connection:
>>>>> Connection-specific DNS Suffix . : domain.dns
>>>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
>>>>> Connection
>>>>> Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
>>>>> DHCP Enabled. . . . . . . . . . . : No
>>>>> Autoconfiguration Enabled . . . . : Yes
>>>>> IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>> Default Gateway . . . . . . . . . : 192.168.1.1
>>>>> DNS Servers . . . . . . . . . . . : 192.168.1.9
>>>>> 192.168.1.51
>>>>> Primary WINS Server . . . . . . . : 192.168.1.51
>>>>> Secondary WINS Server . . . . . . : 192.168.1.9
>>>>> NetBIOS over Tcpip. . . . . . . . : Enabled
>>>>> nltest /server:server1 /dsgetdc:domain.dns
>>>>> DC: \\server1.domain.dns
>>>>> Address: \\192.168.1.9
>>>>> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
>>>>> Dom Name: domain.dns
>>>>> Forest Name: domain.dns
>>>>> Dc Site Name: Default-First-Site-Name
>>>>> Our Site Name: Default-First-Site-Name
>>>>> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN
>>>>> DNS_FOREST
>>>>> CLOSE_SITE FULL SECRET
>>>>> "Paul Bergson [MVP-DS]" wrote:
>>>>>> Sounds to me like you haven't made the new box a GC or not a DNS
>>>>>> server.
>>>>>>
>>>>>> Start by posting both boxes ip configuration details. From a
>>>>>> command prompt on both dc's run the following:
>>>>>>
>>>>>> ipconfig /all
>>>>>>
>>>>>> Next from each DC at a command prompt run the following and post:
>>>>>> nltest /server:<servername> /dsgetdc:<domainname>
>>>>>>
>>>>>> Note: Feel free to modify the output, so as not to disclose any
>>>>>> valuable information. Such as changing the first couple of
>>>>>> octets on your ip addresses, but please be consistent (192.168.
>>>>>> is a good replacement value).
>>>>>>
>>>>>> --
>>>>>> Paul Bergson
>>>>>> MVP - Directory Services
>>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>>> http://www.pbbergs.com
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157618 is a reply to message #157553] Thu, 09 July 2009 23:48
Haji
Messages: 12
Registered: July 2009
Junior Member
Everything that you are asking about in the DNS structure checks out. I've
also updated each server to point to itself for WINS, so yes, that change has
been made. Sorry for the pain in this, but I am learning a lot.

"Meinolf Weber [MVP-DS]" wrote:

> Hello Haji,
>
> Did you follow the advice/questions from Ace and make the changes regarding
> WINS? Also strange is that "Unknown" is listed instead of the ip address.
>
> Please check in the DNS zones, do you have _msdcs.domain.dns and domain.dns
> listed?
>
> Are included in domain.dns _msdcs, _sites, _tcp, _udp, DomainDNSzones and
> ForestDNSzones with additional folders in the structure?
>
> Are all DCs listed with _ldap and _kerberos listed and Global Catalog servers
> with _gc depending on the different folders?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > No, I didn't change the IP addresses to Unknown.
> >
> > Yes, my domain ends in .dns
> >
> > "Meinolf Weber [MVP-DS]" wrote:
> >
> >> Hello Haji,
> >>
> >> Did you change the ip address to UNKNOWN in these lines:
> >>
> >> Additional authoritative (NS) records from server:
> >> server1.domain.dns Unknown
> >> server2.domain.dns Unknown
> >> Your domain name is ending with .dns, or is this just a placeholder?
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> From Server1:
> >>>
> >>> System Date: Mon Jul 06 08:05:37 2009
> >>>
> >>> Command run:
> >>>
> >>> dnslint /ad /s 192.168.1.9
> >>>
> >>> Root of Active Directory Forest:
> >>>
> >>> domain.dns
> >>>
> >>> Active Directory Forest Replication GUIDs Found:
> >>>
> >>> DC: server1
> >>> GUID: 10054e4e-3786-4858-a745-5a3b299c2326
> >>> DC: server2
> >>> GUID: d963b078-1f27-4154-8436-870d19935efe
> >>> Total GUIDs found: 2
> >>> --------------------------------------------------------------------------------
> >>>
> >>> The following 2 DNS servers were checked for records related to AD
> >>> forest replication:
> >>>
> >>> DNS server: server1.domain.dns
> >>> IP Address: 192.168.1.9
> >>> UDP port 53 responding to queries: YES
> >>> TCP port 53 responding to queries: Not tested
> >>> Answering authoritatively for domain: YES
> >>> SOA record data from server:
> >>> Authoritative name server: server1.domain.dns
> >>> Hostmaster: hostmaster.domain.dns
> >>> Zone serial number: 3
> >>> Zone expires in: 1.00 day(s)
> >>> Refresh period: 900 seconds
> >>> Retry delay: 600 seconds
> >>> Default (minimum) TTL: 3600 seconds
> >>> Additional authoritative (NS) records from server:
> >>> server1.domain.dns Unknown
> >>> server2.domain.dns Unknown
> >>> Alias (CNAME) and glue (A) records for forest GUIDs from server:
> >>> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> >>> Alias: server1.domain.dns
> >>> Glue: 192.168.1.9
> >>> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> >>> Alias: server2.domain.dns
> >>> Glue: 192.168.1.51
> >>> Total number of CNAME records found on this server: 2
> >>> Total number of CNAME records missing on this server: 0
> >>>
> >>> Total number of glue (A) records this server could not find: 0
> >>>
> >>> --------------------------------------------------------------------------------
> >>>
> >>> DNS server: server2.domain.dns
> >>> IP Address: 192.168.1.51
> >>> UDP port 53 responding to queries: YES
> >>> TCP port 53 responding to queries: Not tested
> >>> Answering authoritatively for domain: YES
> >>> SOA record data from server:
> >>> Authoritative name server: server2.domain.dns
> >>> Hostmaster: hostmaster.domain.dns
> >>> Zone serial number: 3
> >>> Zone expires in: 1.00 day(s)
> >>> Refresh period: 900 seconds
> >>> Retry delay: 600 seconds
> >>> Default (minimum) TTL: 3600 seconds
> >>> Additional authoritative (NS) records from server:
> >>> server2.domain.dns Unknown
> >>> server1.domain.dns Unknown
> >>> Alias (CNAME) and glue (A) records for forest GUIDs from server:
> >>> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> >>> Alias: server1.domain.dns
> >>> Glue: 192.168.1.9
> >>> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> >>> Alias: server2.domain.dns
> >>> Glue: 192.168.1.51
> >>> Total number of CNAME records found on this server: 2
> >>> Total number of CNAME records missing on this server: 0
> >>>
> >>> Total number of glue (A) records this server could not find: 0
> >>>
> >>> From Server2:
> >>>
> >>> System Date: Mon Jul 06 07:58:43 2009
> >>>
> >>> Command run:
> >>>
> >>> dnslint /ad /s 192.168.1.51
> >>>
> >>> Root of Active Directory Forest:
> >>>
> >>> domain.dns
> >>>
> >>> Active Directory Forest Replication GUIDs Found:
> >>>
> >>> DC: SERVER1
> >>> GUID: 10054e4e-3786-4858-a745-5a3b299c2326
> >>> DC: SERVER2
> >>> GUID: d963b078-1f27-4154-8436-870d19935efe
> >>> Total GUIDs found: 2
> >>> --------------------------------------------------------------------------------
> >>>
> >>> The following 2 DNS servers were checked for records related to AD
> >>> forest replication:
> >>>
> >>> DNS server: server2.domain.dns
> >>> IP Address: 192.168.1.51
> >>> UDP port 53 responding to queries: YES
> >>> TCP port 53 responding to queries: Not tested
> >>> Answering authoritatively for domain: YES
> >>> SOA record data from server:
> >>> Authoritative name server: server2.domain.dns
> >>> Hostmaster: hostmaster.domain.dns
> >>> Zone serial number: 3
> >>> Zone expires in: 1.00 day(s)
> >>> Refresh period: 900 seconds
> >>> Retry delay: 600 seconds
> >>> Default (minimum) TTL: 3600 seconds
> >>> Additional authoritative (NS) records from server:
> >>> server1.domain.dns Unknown
> >>> server2.domain.dns Unknown
> >>> Alias (CNAME) and glue (A) records for forest GUIDs from server:
> >>> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> >>> Alias: server1.domain.dns
> >>> Glue: 192.168.1.9
> >>> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> >>> Alias: server2.domain.dns
> >>> Glue: 192.168.1.51
> >>> Total number of CNAME records found on this server: 2
> >>> Total number of CNAME records missing on this server: 0
> >>>
> >>> Total number of glue (A) records this server could not find: 0
> >>>
> >>> --------------------------------------------------------------------------------
> >>>
> >>> DNS server: server1.domain.dns
> >>> IP Address: 192.168.1.9
> >>> UDP port 53 responding to queries: YES
> >>> TCP port 53 responding to queries: Not tested
> >>> Answering authoritatively for domain: YES
> >>> SOA record data from server:
> >>> Authoritative name server: server1.domain.dns
> >>> Hostmaster: hostmaster.domain.dns
> >>> Zone serial number: 3
> >>> Zone expires in: 1.00 day(s)
> >>> Refresh period: 900 seconds
> >>> Retry delay: 600 seconds
> >>> Default (minimum) TTL: 3600 seconds
> >>> Additional authoritative (NS) records from server:
> >>> server2.domain.dns Unknown
> >>> server1.domain.dns Unknown
> >>> Alias (CNAME) and glue (A) records for forest GUIDs from server:
> >>> CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> >>> Alias: server1.domain.dns
> >>> Glue: 192.168.1.9
> >>> CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
> >>> Alias: server2.domain.dns
> >>> Glue: 192.168.1.51
> >>> Total number of CNAME records found on this server: 2
> >>> Total number of CNAME records missing on this server: 0
> >>>
> >>> Total number of glue (A) records this server could not find: 0
> >>>
> >>> "Meinolf Weber [MVP-DS]" wrote:
> >>>
> >>>> Hello Haji,
> >>>>
> >>>> Please run:
> >>>> dnslint /ad /s "ip address of your dc"
> >>>> Therefore download and install:
> >>>> http://support.microsoft.com/kb/321045
> >>>> Best regards
> >>>> Meinolf Weber
> >>>> Disclaimer: This posting is provided "AS IS" with no warranties,
> >>>> and
> >>>> confers
> >>>> no rights.
> >>>> ** Please do NOT email, only reply to Newsgroups
> >>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>>>> In Active Directory Sites and Services, both Server1 and Server 2
> >>>>> are listed as IP Bridgeheads, and both are GC's. Both servers
> >>>>> have Active Directory integrated DNS running on them.
> >>>>>
> >>>>> Windows IP Configuration
> >>>>>
> >>>>> Host Hame . . . . . . . . . . . . : server2
> >>>>> Primary Dns Suffix . . . . . . . : domain.dns
> >>>>> Node Type . . . . . . . . . . . . : Hybrid
> >>>>> IP Routing Enabled. . . . . . . . : No
> >>>>> WINS Proxy Enabled. . . . . . . . : No
> >>>>> DNS Suffix Search List. . . . . . : domain.dns
> >>>>> Ethernet adapter Local Area Connection:
> >>>>> Connection-specific DNS Suffix . : domain.dns
> >>>>> Description . . . . . . . . . . . : TEAM : Team #0
> >>>>> Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
> >>>>> DHCP Enabled. . . . . . . . . . . : No
> >>>>> Autoconfiguration Enabled . . . . : Yes
> >>>>> IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
> >>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> >>>>> Default Gateway . . . . . . . . . : 192.168.1.1
> >>>>> DNS Servers . . . . . . . . . . . : 192.168.1.51
> >>>>> 192.168.1.9
> >>>>> Primary WINS Server . . . . . . . : 192.168.1.9
> >>>>> Secondary WINS Server . . . . . . : 192.168.1.51
> >>>>> NetBIOS over Tcpip. . . . . . . . : Enabled
> >>>>> nltest /server:server2 /dsgetdc:domain.dns
> >>>>> DC: \\server1.domain.dns
> >>>>> Address: \\192.168.1.9
> >>>>> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> >>>>> Dom Name: domain.dns
> >>>>> Forest Name: domain.dns
> >>>>> Dc Site Name: Default-First-Site-Name
> >>>>> Our Site Name: Default-First-Site-Name
> >>>>> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN
> >>>>> DNS_FOREST
> >>>>> CLOSE_SITE FULL SECRET
> >>>>> Windows IP Configuration
> >>>>> Host Hame . . . . . . . . . . . . : server1
> >>>>> Primary Dns Suffix . . . . . . . : domain.dns
> >>>>> Node Type . . . . . . . . . . . . : Hybrid
> >>>>> IP Routing Enabled. . . . . . . . : No
> >>>>> WINS Proxy Enabled. . . . . . . . : No
> >>>>> DNS Suffix Search List. . . . . . : domain.dns
> >>>>> Ethernet adapter Local Area Connection:
> >>>>> Connection-specific DNS Suffix . : domain.dns
> >>>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
> >>>>> Connection
> >>>>> Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
> >>>>> DHCP Enabled. . . . . . . . . . . : No
> >>>>> Autoconfiguration Enabled . . . . : Yes
> >>>>> IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
> >>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> >>>>> Default Gateway . . . . . . . . . : 192.168.1.1
> >>>>> DNS Servers . . . . . . . . . . . : 192.168.1.9
> >>>>> 192.168.1.51
> >>>>> Primary WINS Server . . . . . . . : 192.168.1.51
> >>>>> Secondary WINS Server . . . . . . : 192.168.1.9
> >>>>> NetBIOS over Tcpip. . . . . . . . : Enabled
> >>>>> nltest /server:server1 /dsgetdc:domain.dns
> >>>>> DC: \\server1.domain.dns
> >>>>> Address: \\192.168.1.9
> >>>>> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> >>>>> Dom Name: domain.dns
> >>>>> Forest Name: domain.dns
> >>>>> Dc Site Name: Default-First-Site-Name
> >>>>> Our Site Name: Default-First-Site-Name
> >>>>> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN
> >>>>> DNS_FOREST
> >>>>> CLOSE_SITE FULL SECRET
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157629 is a reply to message #157618] Fri, 10 July 2009 02:25
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Haji" <Haji@discussions.microsoft.com> wrote in message news:9F0E1257-667F-41C5-9AEB-A5EEC36EAEC2@microsoft.com...
> Everything that you are asking about in the DNS structure checks out. I've
> also updated each server to point to itself for WINS, so yes, that change has
> been made. Sorry for the pain in this, but I am learning a lot.

Ok, let's try to get caught up and recap what's been done so far. This thread has grown, and is difficult to go back through everything to catch up with everything that has been changed, etc.

Glad to hear you changed the WINS address so far.
Going back to the subject line, are you still unable to demote the 2008 DC? If so, have you tried the /forceremoval switch?

Whatever happened with Server1's event id 13555 and 13552? Which server was that on? Were they addressed? Is the Sysvol share still missing?

Sounds like if all we need to do is remove Server1, which is having problems, and leave Server2, which is not having problems, then maybe if I can suggest to run dcpromo /forceremoval on Server1, and clean up AD using the Metadata Cleanup procedure in the following article:
http://support.microsoft.com/kb/216498.

You can also run the Metadata Cleanup Script, which was written by a Microsoft employee, and posted by Mark MacLachlan as an FAQ at:
http://www.tek-tips.com/faqs.cfm?fid=4733

Once it is cleaned up, delete any reference to Server1 in Sites and Services.

Delete any residual references in DNS. Check all folders.

Seize the FSMO roles to Server2.

Remove the DNS address for Server1 from Server2's IP properties.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain ....Describes how you can use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.
http://support.microsoft.com/kb/255504

Remove the WINS partnership.

Then once this is all done, post back with the following:

Updated ipconfig /all of Server2
Any event log errors on Server2
dcdiag /v /fix
netdiag /v /fix

Thanks,

Ace





Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157637 is a reply to message #157359] Fri, 10 July 2009 07:36
Haji
Messages: 12
Registered: July 2009
Junior Member
I performed the BurFlags fix to fix the file replication service, and I'm now
able to decommission server1 correctly.

"Meinolf Weber [MVP-DS]" wrote:

> Hello Haji,
>
> The RID pool is just noticeable. You can not correct that.
>
> I assume you have event id 13555 and 13552 on server1 in the event log.
> http://support.microsoft.com/kb/925633
>
> Also have a look on this one:
> http://support.microsoft.com/kb/290762/
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > When I built server1, I specified those locations. They were never
> > moved.
> >
> > Server1 has never been restored from backup.
> >
> > As for the RID pool, how do I correct that?
> >
> > "Meinolf Weber [MVP-DS]" wrote:
> >
> >> Hello Haji,
> >>
> >> Did you change the default locations to "d:\ad\sysvol\domain" and
> >> "d:\ad\sysvol\staging\domain" on server1?
> >>
> >> Was server1 ever restored from backup/image/snapshot(VM) without
> >> cleaning the AD database before?
> >>
> >> I am also a bit surprised about the difference of the RID pool
> >> between both DCs, there is a really big difference which shouldn't be
> >> the case. Normally they stick together.
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> dcdiag from Server1, which is the old one:
> >>>
> >>> Directory Server Diagnosis
> >>>
> >>> Performing initial setup:
> >>>
> >>> Trying to find home server...
> >>>
> >>> * Verifying that the local machine server1, is a Directory Server.
> >>> Home Server = server1
> >>> * Connecting to directory service on server server1.
> >>> * Identified AD Forest.
> >>> Collecting AD specific global data
> >>> * Collecting site info.
> >>> Calling
> >>> ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
> >>> The previous call succeeded
> >>> Iterating through the sites
> >>> Looking at base site object: CN=NTDS Site
> >>> Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> Getting ISTG and options for the site
> >>> * Identifying all servers.
> >>> Calling
> >>> ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
> >>> The previous call succeeded....
> >>> The previous call succeeded
> >>> Iterating through the list of servers
> >>> Getting information for the server CN=NTDS
> >>> Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> objectGuid obtained
> >>> InvocationID obtained
> >>> dnsHostname obtained
> >>> site info obtained
> >>> All the info for the server collected
> >>> Getting information for the server CN=NTDS
> >>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> objectGuid obtained
> >>> InvocationID obtained
> >>> dnsHostname obtained
> >>> site info obtained
> >>> All the info for the server collected
> >>> * Identifying all NC cross-refs.
> >>> * Found 2 DC(s). Testing 1 of them.
> >>> Done gathering initial info.
> >>>
> >>> Doing initial required tests
> >>>
> >>> Testing server: Default-First-Site-Name\server1
> >>>
> >>> Starting test: Connectivity
> >>>
> >>> * Active Directory LDAP Services Check
> >>> Determining IP4 connectivity
> >>> Determining IP6 connectivity
> >>> * Active Directory RPC Services Check
> >>> ......................... server1 passed test Connectivity
> >>> Doing primary tests
> >>> Testing server: Default-First-Site-Name\server1
> >>>
> >>> Starting test: Advertising
> >>>
> >>> The DC server1 is advertising itself as a DC and having a DS.
> >>> The DC server1 is advertising as an LDAP server
> >>> The DC server1 is advertising as having a writeable directory
> >>> The DC server1 is advertising as a Key Distribution Center
> >>> The DC server1 is advertising as a time server
> >>> The DS server1 is advertising as a GC.
> >>> ......................... server1 passed test Advertising
> >>> Test omitted by user request: CheckSecurityError
> >>> Test omitted by user request: CutoffServers
> >>>
> >>> Starting test: FrsEvent
> >>>
> >>> * The File Replication Service Event log test
> >>> There are warning or error events within the last 24 hours
> >>> after the
> >>> SYSVOL has been shared. Failing SYSVOL replication problems
> >>> may cause
> >>> Group Policy problems.
> >>> An Error Event occurred. EventID: 0xC00034F0
> >>> Time Generated: 07/04/2009 23:13:40
> >>> Event String:
> >>>
> >>> The File Replication Service is unable to add this computer to the
> >>> following replica set:
> >>>
> >>> "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
> >>>
> >>> This could be caused by a number of problems such as:
> >>>
> >>> -- an invalid root path,
> >>>
> >>> -- a missing directory,
> >>>
> >>> -- a missing disk volume,
> >>>
> >>> -- a file system on the volume that does not support NTFS 5.0
> >>>
> >>> The information below may help to resolve the problem:
> >>>
> >>> Computer DNS name is "server1.domain.dns"
> >>>
> >>> Replica set member name is "server1"
> >>>
> >>> Replica set root path is "d:\ad\sysvol\domain"
> >>>
> >>> Replica staging directory path is
> >>> "d:\ad\sysvol\staging\domain"
> >>> Replica working directory path is "c:\windows\ntfrs\jet"
> >>>
> >>> Windows error status code is
> >>>
> >>> FRS error status code is FrsErrorMismatchedJournalId
> >>>
> >>> Other event log messages may also help determine the
> >>> problem. Correct the problem and the service will attempt to
> >>> restart
> >>> replication automatically at a later time.
> >>> An Error Event occurred. EventID: 0xC00034F3
> >>>
> >>> Time Generated: 07/04/2009 23:13:40
> >>>
> >>> Event String:
> >>>
> >>> The File Replication Service is in an error state. Files
> >>> will not replicate to or from one or all of the replica sets on this
> >>> computer until the following recovery steps are performed:
> >>> Recovery Steps:
> >>>
> >>> [1] The error state may clear itself if you stop and
> >>> restart the FRS service. This can be done by performing the
> >>> following
> >>> in a command window:
> >>> net stop ntfrs
> >>>
> >>> net start ntfrs
> >>>
> >>> If this fails to clear up the problem then proceed as follows.
> >>>
> >>> [2] For Active Directory Domain Services Domain
> >>> Controllers that DO NOT host any DFS alternates or other replica
> >>> sets
> >>> with replication enabled:
> >>> If there is at least one other Domain Controller in this
> >>> domain then restore the "system state" of this DC from backup (using
> >>> ntbackup or other backup-restore utility) and make it
> >>> non-authoritative.
> >>> If there are NO other Domain Controllers in this domain
> >>> then restore the "system state" of this DC from backup (using
> >>> ntbackup
> >>> or other backup-restore utility) and choose the Advanced option
> >>> which
> >>> marks the sysvols as primary.
> >>> If there are other Domain Controllers in this domain but
> >>> ALL of them have this event log message then restore one of them as
> >>> primary (data files from primary will replicate everywhere) and the
> >>> others as non-authoritative.
> >>> [3] For Active Directory Domain Services Domain
> >>> Controllers that host DFS alternates or other replica sets with
> >>> replication enabled:
> >>> (3-a) If the Dfs alternates on this DC do not have any
> >>> other replication partners then copy the data under that Dfs share
> >>> to
> >>> a safe location.
> >>> (3-b) If this server is the only Active Directory Domain
> >>> Services Domain Controller for this domain then, before going to
> >>> (3-c), make sure this server does not have any inbound or outbound
> >>> connections to other servers that were formerly Domain Controllers
> >>> for
> >>> this domain but are now off the net (and will never be coming back
> >>> online) or have been fresh installed without being demoted. To
> >>> delete
> >>> connections use the Sites and Services snapin and look for
> >>> Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS
> >>> Settings->CONNECTIONS.
> >>>
> >>> (3-c) Restore the "system state" of this DC from backup (using
> >>> ntbackup or other backup-restore utility) and make it
> >>> non-authoritative.
> >>>
> >>> (3-d) Copy the data from step (3-a) above to the original location
> >>> after the sysvol share is published.
> >>>
> >>> [4] For other Windows servers:
> >>>
> >>> (4-a) If any of the DFS alternates or other replica sets
> >>> hosted by this server do not have any other replication partners
> >>> then
> >>> copy the data under its share or replica tree root to a safe
> >>> location.
> >>> (4-b) net stop ntfrs
> >>>
> >>> (4-c) rd /s /q c:\windows\ntfrs\jet
> >>>
> >>> (4-d) net start ntfrs
> >>>
> >>> (4-e) Copy the data from step (4-a) above to the
> >>> original location after the service has initialized (5 minutes is a
> >>> safe waiting time).
> >>> Note: If this error message is in the eventlog of all the
> >>> members of a particular replica set then perform steps (4-a) and
> >>> (4-e)
> >>> above on only one of the members.
> >>> ......................... server1 failed test FrsEvent
> >>>
> >>> Starting test: DFSREvent
> >>>
> >>> The DFS Replication Event Log.
> >>> ......................... server1 passed test DFSREvent
> >>> Starting test: SysVolCheck
> >>>
> >>> * The File Replication Service SYSVOL ready test
> >>> File Replication Service's SYSVOL is ready
> >>> ......................... server1 passed test SysVolCheck
> >>> Starting test: KccEvent
> >>> * The KCC Event log test
> >>> Found no KCC errors in "Directory Service" Event log in the
> >>> last 15
> >>> minutes.
> >>> ......................... server1 passed test KccEvent
> >>> Starting test: KnowsOfRoleHolders
> >>> Role Schema Owner = CN=NTDS
> >>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> Role Domain Owner = CN=NTDS
> >>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> Role PDC Owner = CN=NTDS
> >>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> Role Rid Owner = CN=NTDS
> >>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> Role Infrastructure Update Owner = CN=NTDS
> >>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
> >>> ......................... server1 passed test KnowsOfRoleHolders
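
Added example, not part of the thread and not Microsoft's code: the dcdiag output quoted above reports EventID 0xC00034F0 and 0xC00034F3, while the reply refers to event IDs 13552 and 13555. They are the same events, because the decimal ID shown in Event Viewer is the low 16 bits of the hex value. The Python below parses mail-quoted, line-wrapped dcdiag text like this post's, lists the failed tests and decodes their event IDs; the function names and the sample text are constructed for illustration.

```python
import re

# Meanings taken from the event strings quoted in this thread.
FRS_EVENTS = {
    13552: "FRS is unable to add this computer to the replica set",
    13555: "FRS is in an error state; files will not replicate",
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
QUOTE_PREFIX = re.compile(r"^(?:\s*>)+\s?")

# Constructed sample, shaped like the quoted dcdiag output in the post,
# including the mail-quote prefixes and the wrapped result lines.
SAMPLE = r"""
> >>> Testing server: Default-First-Site-Name\server1
> >>> Starting test: Connectivity
> >>> ......................... server1 passed test Connectivity
> >>> Starting test: FrsEvent
> >>> An Error Event occurred. EventID: 0xC00034F0
> >>> FRS error status code is FrsErrorMismatchedJournalId
> >>> An Error Event occurred. EventID: 0xC00034F3
> >>> ......................... server1 failed test FrsEvent
> >>> Starting test: DFSREvent
> >>> The DFS Replication Event Log. ......................... server1
> >>> passed test DFSREvent Starting test: SysVolCheck
> >>> ......................... server1 passed test SysVolCheck
> >>> Starting test: KnowsOfRoleHolders
> >>> ......................... server1 passed test
> >>> KnowsOfRoleHolders
"""


def decode_event_id(raw):
    """Split a 32-bit Windows event identifier into severity and event code."""
    code = raw & 0xFFFF                      # low 16 bits: ID shown in Event Viewer
    return {
        "raw": f"0x{raw:08X}",
        "severity": SEVERITY[(raw >> 30) & 0x3],   # top two bits
        "code": code,
        "meaning": FRS_EVENTS.get(code, "not described in this thread"),
    }


def dequote(text):
    """Remove '>' reply markers so wrapped lines can be rejoined."""
    return "\n".join(QUOTE_PREFIX.sub("", line) for line in text.splitlines())


def parse_dcdiag(text):
    """Return {test name: {"verdict": str or None, "events": [decoded ids]}}."""
    # Flatten whitespace first: result lines in mailed output are often wrapped
    # or run together with the next "Starting test:" line.
    flat = " ".join(dequote(text).split())
    token = re.compile(
        r"Starting test: (?P<start>\w+)"
        r"|EventID: (?P<event>0x[0-9A-Fa-f]+)"
        r"|\.{5,} (?P<host>\S+) (?P<verdict>passed|failed) test (?P<test>\w+)"
    )
    report, current = {}, None
    for m in token.finditer(flat):
        if m.group("start"):
            current = m.group("start")
            report.setdefault(current, {"verdict": None, "events": []})
        elif m.group("event"):
            if current is not None:          # events belong to the running test
                raw = int(m.group("event"), 16)
                report[current]["events"].append(decode_event_id(raw))
        else:
            entry = report.setdefault(m.group("test"),
                                      {"verdict": None, "events": []})
            entry["verdict"] = m.group("verdict")
    return report


def failed_tests(report):
    """List (test name, [event codes]) for every test dcdiag marked failed."""
    return [(name, [e["code"] for e in info["events"]])
            for name, info in report.items() if info["verdict"] == "failed"]


if __name__ == "__main__":
    parsed = parse_dcdiag(SAMPLE)
    for name, codes in failed_tests(parsed):
        print(f"FAILED {name}: events {codes}")
        for event in parsed[name]["events"]:
            print(f"  {event['raw']} -> {event['code']} "
                  f"({event['severity']}): {event['meaning']}")
```

A test whose verdict stays `None` had no result line in the pasted text, which usually means the output was cut off.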
Re: Unable to decommission a Windows 2008 DC via dcpromo [message #157670 is a reply to message #157637] Sat, 11 July 2009 06:05
meiweb(nospam) (Germany)
Messages: 1307
Registered: July 2009
Senior Member
Hello Haji,

Congratulations, so you did it. :-)

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I performed the BurFlags fix to fix the file replication service, and
> I'm now able to decommission server1 correctly.
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Haji,
>>
>> The RID pool is just noticeable. You can not correct that.
>>
>> I assume you have event id 13555 and 13552 on server1 in the event
>> log. http://support.microsoft.com/kb/925633
>>
>> Also have a look on this one:
>> http://support.microsoft.com/kb/290762/
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> When I built server1, I specified those locations. They were never
>>> moved.
>>>
>>> Server1 has never been restored from backup.
>>>
>>> As for the RID pool, how do I correct that?
>>>
>>> "Meinolf Weber [MVP-DS]" wrote:
>>>
>>>> Hello Haji,
>>>>
>>>> Did you change the default locations to "d:\ad\sysvol\domain" and
>>>> "d:\ad\sysvol\staging\domain" on server1?
>>>>
>>>> Was server1 ever restored from backup/image/snapshot(VM) without
>>>> cleaning the AD database before?
>>>>
>>>> I am also a bit surprised about the difference of the RID pool
>>>> between both DCs, there is a really big difference which shouldn't
>>>> be the case. Normally they stick together.
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers
>>>> no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> dcdiag from Server1, which is the old one:
>>>>>
>>>>> Directory Server Diagnosis
>>>>>
>>>>> Performing initial setup:
>>>>>
>>>>> Trying to find home server...
>>>>>
>>>>> * Verifying that the local machine server1, is a Directory Server.
>>>>> Home Server = server1
>>>>> * Connecting to directory service on server server1.
>>>>> * Identified AD Forest.
>>>>> Collecting AD specific global data
>>>>> * Collecting site info.
>>>>> Calling
>>>>> ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domai n,DC=d
>>>>> ns
>>>>> ,L
>>>>> DAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
>>>>> The previous call succeeded
>>>>> Iterating through the sites
>>>>> Looking at base site object: CN=NTDS Site
>>>>> Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio n,DC=d
>>>>> om
>>>>> ai
>>>>> n,DC=dns
>>>>> Getting ISTG and options for the site
>>>>> * Identifying all servers.
>>>>> Calling
>>>>> ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domai n,DC=d
>>>>> ns
>>>>> ,L
>>>>> DAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
>>>>> The previous call succeeded....
>>>>> The previous call succeeded
>>>>> Iterating through the list of servers
>>>>> Getting information for the server CN=NTDS
>>>>> Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN =Sites
>>>>> ,C
>>>>> N=
>>>>> Configuration,DC=domain,DC=dns
>>>>> objectGuid obtained
>>>>> InvocationID obtained
>>>>> dnsHostname obtained
>>>>> site info obtained
>>>>> All the info for the server collected
>>>>> Getting information for the server CN=NTDS
>>>>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN =Sites
>>>>> ,C
>>>>> N=
>>>>> Configuration,DC=domain,DC=dns
>>>>> objectGuid obtained
>>>>> InvocationID obtained
>>>>> dnsHostname obtained
>>>>> site info obtained
>>>>> All the info for the server collected
>>>>> * Identifying all NC cross-refs.
>>>>> * Found 2 DC(s). Testing 1 of them.
>>>>> Done gathering initial info.
>>>>> Doing initial required tests
>>>>>
>>>>> Testing server: Default-First-Site-Name\server1
>>>>>
>>>>> Starting test: Connectivity
>>>>>
>>>>> * Active Directory LDAP Services Check
>>>>> Determining IP4 connectivity
>>>>> Determining IP6 connectivity
>>>>> * Active Directory RPC Services Check
>>>>> ......................... server1 passed test Connectivity
>>>>> Doing primary tests
>>>>> Testing server: Default-First-Site-Name\server1
>>>>> Starting test: Advertising
>>>>>
>>>>> The DC server1 is advertising itself as a DC and having a DS.
>>>>> The DC server1 is advertising as an LDAP server
>>>>> The DC server1 is advertising as having a writeable directory
>>>>> The DC server1 is advertising as a Key Distribution Center
>>>>> The DC server1 is advertising as a time server
>>>>> The DS server1 is advertising as a GC.
>>>>> ......................... server1 passed test Advertising
>>>>> Test omitted by user request: CheckSecurityError
>>>>> Test omitted by user request: CutoffServers
>>>>> Starting test: FrsEvent
>>>>>
>>>>> * The File Replication Service Event log test
>>>>> There are warning or error events within the last 24 hours after the
>>>>> SYSVOL has been shared. Failing SYSVOL replication problems may cause
>>>>> Group Policy problems.
>>>>> An Error Event occurred. EventID: 0xC00034F0
>>>>> Time Generated: 07/04/2009 23:13:40
>>>>> Event String:
>>>>> The File Replication Service is unable to add this computer to the
>>>>> following replica set:
>>>>>
>>>>> "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
>>>>>
>>>>> This could be caused by a number of problems such as:
>>>>>
>>>>> -- an invalid root path,
>>>>>
>>>>> -- a missing directory,
>>>>>
>>>>> -- a missing disk volume,
>>>>>
>>>>> -- a file system on the volume that does not support NTFS 5.0
>>>>>
>>>>> The information below may help to resolve the problem:
>>>>>
>>>>> Computer DNS name is "server1.domain.dns"
>>>>>
>>>>> Replica set member name is "server1"
>>>>>
>>>>> Replica set root path is "d:\ad\sysvol\domain"
>>>>>
>>>>> Replica staging directory path is "d:\ad\sysvol\staging\domain"
>>>>> Replica working directory path is "c:\windows\ntfrs\jet"
>>>>> Windows error status code is
>>>>>
>>>>> FRS error status code is FrsErrorMismatchedJournalId
>>>>>
>>>>> Other event log messages may also help determine the problem. Correct
>>>>> the problem and the service will attempt to restart replication
>>>>> automatically at a later time.
>>>>> An Error Event occurred. EventID: 0xC00034F3
>>>>> Time Generated: 07/04/2009 23:13:40
>>>>>
>>>>> Event String:
>>>>>
>>>>> The File Replication Service is in an error state. Files will not
>>>>> replicate to or from one or all of the replica sets on this computer
>>>>> until the following recovery steps are performed:
>>>>> Recovery Steps:
>>>>> [1] The error state may clear itself if you stop and restart the FRS
>>>>> service. This can be done by performing the following in a command
>>>>> window:
>>>>> net stop ntfrs
>>>>> net start ntfrs
>>>>>
>>>>> If this fails to clear up the problem then proceed as follows.
>>>>>
>>>>> [2] For Active Directory Domain Services Domain Controllers that DO NOT
>>>>> host any DFS alternates or other replica sets with replication enabled:
>>>>> If there is at least one other Domain Controller in this domain then
>>>>> restore the "system state" of this DC from backup (using ntbackup or
>>>>> other backup-restore utility) and make it non-authoritative.
>>>>> If there are NO other Domain Controllers in this domain then restore
>>>>> the "system state" of this DC from backup (using ntbackup or other
>>>>> backup-restore utility) and choose the Advanced option which marks the
>>>>> sysvols as primary.
>>>>> If there are other Domain Controllers in this domain but ALL of them
>>>>> have this event log message then restore one of them as primary (data
>>>>> files from primary will replicate everywhere) and the others as
>>>>> non-authoritative.
>>>>> [3] For Active Directory Domain Services Domain Controllers that host
>>>>> DFS alternates or other replica sets with replication enabled:
>>>>> (3-a) If the Dfs alternates on this DC do not have any other
>>>>> replication partners then copy the data under that Dfs share to a safe
>>>>> location.
>>>>> (3-b) If this server is the only Active Directory Domain Services
>>>>> Domain Controller for this domain then, before going to (3-c), make
>>>>> sure this server does not have any inbound or outbound connections to
>>>>> other servers that were formerly Domain Controllers for this domain but
>>>>> are now off the net (and will never be coming back online) or have been
>>>>> fresh installed without being demoted. To delete connections use the
>>>>> Sites and Services snapin and look for
>>>>> Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS Settings->CONNECTIONS.
>>>>> (3-c) Restore the "system state" of this DC from backup (using
>>>>> ntbackup or other backup-restore utility) and make it
>>>>> non-authoritative.
>>>>>
>>>>> (3-d) Copy the data from step (3-a) above to the original location
>>>>> after the sysvol share is published.
>>>>>
>>>>> [4] For other Windows servers:
>>>>>
>>>>> (4-a) If any of the DFS alternates or other replica sets hosted by this
>>>>> server do not have any other replication partners then copy the data
>>>>> under its share or replica tree root to a safe location.
>>>>> (4-b) net stop ntfrs
>>>>> (4-c) rd /s /q c:\windows\ntfrs\jet
>>>>>
>>>>> (4-d) net start ntfrs
>>>>>
>>>>> (4-e) Copy the data from step (4-a) above to the original location
>>>>> after the service has initialized (5 minutes is a safe waiting time).
>>>>> Note: If this error message is in the eventlog of all the members of a
>>>>> particular replica set then perform steps (4-a) and (4-e) above on only
>>>>> one of the members.
>>>>> ......................... server1 failed test FrsEvent
>>>>> Starting test: DFSREvent
>>>>>
>>>>> The DFS Replication Event Log.
>>>>> ......................... server1 passed test DFSREvent
>>>>> Starting test: SysVolCheck
>>>>>
>>>>> * The File Replication Service SYSVOL ready test
>>>>> File Replication Service's SYSVOL is ready
>>>>> ......................... server1 passed test SysVolCheck
>>>>> Starting test: KccEvent
>>>>> * The KCC Event log test
>>>>> Found no KCC errors in "Directory Service" Event log in the last 15
>>>>> minutes.
>>>>> ......................... server1 passed test KccEvent
>>>>> Starting test: KnowsOfRoleHolders
>>>>> Role Schema Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
>>>>> Role Domain Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
>>>>> Role PDC Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
>>>>> Role Rid Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
>>>>> Role Infrastructure Update Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
>>>>> ......................... server1 passed test KnowsOfRoleHolders