StevenSinclair
Wed Jun 18 15:10:01 PDT 2008
Yes, sorry, I did mention both a PDC and a BDC in that original thread.
Since I'm unaware of how to "attach" the DCDIAG output, I'll simply insert
it here...
---------------
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine mcp01, is a DC.
* Connecting to directory service on server mcp01.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\MCP01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... MCP01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\MCP01
Starting test: Replications
* Replications Check
* Replication Latency Check
......................... MCP01 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
DC=ForestDnsZones,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=DomainDnsZones,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... MCP01 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=ForestDnsZones,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=DomainDnsZones,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... MCP01 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC MCP01.
* Security Permissions Check for
DC=ForestDnsZones,DC=mydomain,DC=com
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=mydomain,DC=com
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=mydomain,DC=com
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=mydomain,DC=com
(Configuration,Version 2)
* Security Permissions Check for
DC=mydomain,DC=com
(Domain,Version 2)
......................... MCP01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\MCP01\netlogon)
[MCP01] An net use or LsaPolicy operation failed with error 1203,
No network provider accepted the given network path..
......................... MCP01 failed test NetLogons
Starting test: Advertising
The DC MCP01 is advertising itself as a DC and having a DS.
The DC MCP01 is advertising as an LDAP server
The DC MCP01 is advertising as having a writeable directory
The DC MCP01 is advertising as a Key Distribution Center
The DC MCP01 is advertising as a time server
The DS MCP01 is advertising as a GC.
......................... MCP01 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Role Domain Owner = CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Role PDC Owner = CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Role Rid Owner = CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
......................... MCP01 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2104 to 1073741823
* mcp01.mydomain.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1604 to 2103
* rIDPreviousAllocationPool is 1604 to 2103
* rIDNextRID: 1635
......................... MCP01 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC MCP01 on DC MCP01.
* SPN found :LDAP/mcp01.mydomain.com/mydomain.com
* SPN found :LDAP/mcp01.mydomain.com
* SPN found :LDAP/MCP01
* SPN found :LDAP/mcp01.mydomain.com/PMHPRINEVILLE
* SPN found
:LDAP/17612149-47c5-4544-a68e-777e3207dc1a._msdcs.mydomain.com
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/17612149-47c5-4544-a68e-777e3207dc1a/mydomain.com
* SPN found :HOST/mcp01.mydomain.com/mydomain.com
* SPN found :HOST/mcp01.mydomain.com
* SPN found :HOST/MCP01
* SPN found :HOST/mcp01.mydomain.com/PMHPRINEVILLE
* SPN found :GC/mcp01.mydomain.com/mydomain.com
......................... MCP01 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... MCP01 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... MCP01 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
MCP01 is in domain DC=mydomain,DC=com
Checking for CN=MCP01,OU=Domain Controllers,DC=mydomain,DC=com in
domain DC=mydomain,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
in domain CN=Configuration,DC=mydomain,DC=com on 1 servers
Object is up-to-date on all servers.
......................... MCP01 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... MCP01 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... MCP01 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minutes.
......................... MCP01 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40011006
Time Generated: 06/18/2008 13:28:21
Event String: The connection was aborted by the remote WINS.
Remote WINS may not be configured to replicate
with the server.
......................... MCP01 failed test systemlog
Starting test: VerifyReplicas
......................... MCP01 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=MCP01,OU=Domain Controllers,DC=mydomain,DC=com and backlink
on
CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
are correct.
The system object reference (frsComputerReferenceBL)
CN=MCP01,CN=Domain System Volume (SYSVOL share),CN=File Replication
Service,CN=System,DC=mydomain,DC=com
and backlink on
CN=MCP01,OU=Domain Controllers,DC=mydomain,DC=com are correct.
The system object reference (serverReferenceBL)
CN=MCP01,CN=Domain System Volume (SYSVOL share),CN=File Replication
Service,CN=System,DC=mydomain,DC=com
and backlink on
CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
are correct.
......................... MCP01 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... MCP01 passed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC MCP01 for domain mydomain.com in site
Default-First-Site-Name
Checking machine account for DC MCP01 on DC MCP01.
* SPN found :LDAP/mcp01.mydomain.com/mydomain.com
* SPN found :LDAP/mcp01.mydomain.com
* SPN found :LDAP/MCP01
* SPN found :LDAP/mcp01.mydomain.com/PMHPRINEVILLE
* SPN found
:LDAP/17612149-47c5-4544-a68e-777e3207dc1a._msdcs.mydomain.com
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/17612149-47c5-4544-a68e-777e3207dc1a/mydomain.com
* SPN found :HOST/mcp01.mydomain.com/mydomain.com
* SPN found :HOST/mcp01.mydomain.com
* SPN found :HOST/MCP01
* SPN found :HOST/mcp01.mydomain.com/PMHPRINEVILLE
* SPN found :GC/mcp01.mydomain.com/mydomain.com
[MCP01] No security related replication errors were found on this
DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... MCP01 passed test CheckSecurityError
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : mydomain
Starting test: CrossRefValidation
......................... mydomain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... mydomain passed test CheckSDRefDom
Running enterprise tests on : mydomain.com
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... mydomain.com passed test Intersite
Starting test: FsmoCheck
GC Name: \\mcp01.mydomain.com
Locator Flags: 0xe00003fd
PDC Name: \\mcp01.mydomain.com
Locator Flags: 0xe00003fd
Time Server Name: \\mcp01.mydomain.com
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\mcp01.mydomain.com
Locator Flags: 0xe00003fd
KDC Name: \\mcp01.mydomain.com
Locator Flags: 0xe00003fd
......................... mydomain.com passed test FsmoCheck
Starting test: DNS
Test results for domain controllers:
DC: mcp01.mydomain.com
Domain: mydomain.com
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Enterprise Edition
(Service Pack level: 1.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000001] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:11:43:EE:CB:43
IP address is static
IP address: 192.168.144.150
DNS servers:
192.168.144.150 (<name unavailable>) [Valid]
192.168.144.151 (<name unavailable>) [Valid]
Adapter [00000002] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:11:43:EE:CB:44
IP address is static
IP address: 192.168.144.151
DNS servers:
192.168.144.150 (<name unavailable>) [Valid]
192.168.144.151 (<name unavailable>) [Valid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found
(primary)
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
TEST: Delegations (Del)
No delegations were found in this zone on this DNS server
TEST: Dynamic update (Dyn)
Warning: Dynamic update is enabled on the zone but not
secure mydomain.com.
Test record _dcdiag_test_record added successfully in zone
mydomain.com.
Test record _dcdiag_test_record deleted successfully in
zone mydomain.com.
TEST: Records registration (RReg)
Network Adapter [00000001] Intel(R) PRO/1000 MT Network
Connection:
Matching A record found at DNS server 192.168.144.150:
mcp01.mydomain.com
Matching CNAME record found at DNS server
192.168.144.150:
17612149-47c5-4544-a68e-777e3207dc1a._msdcs.mydomain.com
Matching DC SRV record found at DNS server
192.168.144.150:
_ldap._tcp.dc._msdcs.mydomain.com
Matching GC SRV record found at DNS server
192.168.144.150:
_ldap._tcp.gc._msdcs.mydomain.com
Matching PDC SRV record found at DNS server
192.168.144.150:
_ldap._tcp.pdc._msdcs.mydomain.com
Matching A record found at DNS server 192.168.144.151:
mcp01.mydomain.com
Matching CNAME record found at DNS server
192.168.144.151:
17612149-47c5-4544-a68e-777e3207dc1a._msdcs.mydomain.com
Matching DC SRV record found at DNS server
192.168.144.151:
_ldap._tcp.dc._msdcs.mydomain.com
Matching GC SRV record found at DNS server
192.168.144.151:
_ldap._tcp.gc._msdcs.mydomain.com
Matching PDC SRV record found at DNS server
192.168.144.151:
_ldap._tcp.pdc._msdcs.mydomain.com
Network Adapter [00000002] Intel(R) PRO/1000 MT Network
Connection:
Matching A record found at DNS server 192.168.144.150:
mcp01.mydomain.com
Matching CNAME record found at DNS server
192.168.144.150:
17612149-47c5-4544-a68e-777e3207dc1a._msdcs.mydomain.com
Matching DC SRV record found at DNS server
192.168.144.150:
_ldap._tcp.dc._msdcs.mydomain.com
Matching GC SRV record found at DNS server
192.168.144.150:
_ldap._tcp.gc._msdcs.mydomain.com
Matching PDC SRV record found at DNS server
192.168.144.150:
_ldap._tcp.pdc._msdcs.mydomain.com
Matching A record found at DNS server 192.168.144.151:
mcp01.mydomain.com
Matching CNAME record found at DNS server
192.168.144.151:
17612149-47c5-4544-a68e-777e3207dc1a._msdcs.mydomain.com
Matching DC SRV record found at DNS server
192.168.144.151:
_ldap._tcp.dc._msdcs.mydomain.com
Matching GC SRV record found at DNS server
192.168.144.151:
_ldap._tcp.gc._msdcs.mydomain.com
Matching PDC SRV record found at DNS server
192.168.144.151:
_ldap._tcp.pdc._msdcs.mydomain.com
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 192.168.144.150 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server.
Name resolution is funtional. _ldap._tcp SRV record for the
forest root domain is registered
DNS server: 192.168.144.151 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server.
Name resolution is funtional. _ldap._tcp SRV record for the
forest root domain is registered
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg
Ext
________________________________________________________________
Domain: mydomain.com
mcp01 PASS PASS PASS PASS WARN PASS n/a
......................... mydomain.com passed test DNS
---------------
As for the "old pdc," it died and was simply removed from the network.
Thanx again for the help...it is GREATLY appreciated!!!
;-)
"Jorge de Almeida Pinto [MVP - DS]" wrote:
> by the way, you are the one talking about PDCs and BDCs. I'm just
> referencing them so that things do not get mixed
>
> I would like to see the FULL DCDIAG output (attach it to your reply)
>
> I forgot to mention:
>
> Has the OLD "PDC" been removed from the domain by cleaning its metadata with
> NTDSUTIL?
>
> see:
>
http://blogs.dirteam.com/blogs/jorge/archive/2005/12/03/213.aspx
>
> if the OLD "PDC" still exists then the "BDC" (the new "PDC") still thinks
> there is another DC. Because of that it wants to replicate with it, but it
> fails of course. Until replication succeeds or you tell the DC there is no
> other DC, it will start handing out RID pools
>
> --
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>
> # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
>
> BLOG (WEB-BASED)-->
http://blogs.dirteam.com/blogs/jorge/default.aspx
> BLOG (RSS-FEEDS)-->
http://blogs.dirteam.com/blogs/jorge/rss.aspx
> ------------------------------------------------------------------------------------------
> * How to ask a question -->
http://support.microsoft.com/?id=555375
> ------------------------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no rights!
> * Always test ANY suggestion in a test environment before implementing!
> ------------------------------------------------------------------------------------------
> #################################################
> #################################################
> ------------------------------------------------------------------------------------------
> "Steven Sinclair" <StevenSinclair@discussions.microsoft.com> wrote in
> message news:2E5CA26A-7444-4303-96BB-DE2544555406@microsoft.com...
> > Okay...first of all, there is no PDC and BDC, there is only one server in
> > question, a PDC named mcp01.
> >
> > As for the first command (NETDOM QUERY FSMO), here are the results:
> >
> > Schema owner mcp01.mydomain.com
> > Domain role owner mcp01.mydomain.com
> > PDC role mcp01.mydomain.com
> > RID pool manager mcp01.mydomain.com
> > Infrastructure owner mcp01.mydomain.com
> >
> > As for the second command (REPADMIN /OPTIONS <mcp01.mydomain.com>), here
> > are
> > the results:
> >
> > Current DC Options: IS_GC
> >
> > And, yes, you are correct in that I can create a contact, but not a user.
> >
> > As for the final command (DCDIAG /C /D /V), here are only the results of
> > the
> > failures:
> >
> > Starting test: NetLogons
> > * Network Logons Privileges Check
> > Unable to connect to the NETLOGON share! (\\MCP01\netlogon)
> > [MCP01] An net use or LsaPolicy operation failed with error 1203, No
> > network provider accepted the given network path..
> > .........................MCP01 failed test NetLogons
> >
> > Starting test: systemlog
> > * The System Event log test
> > An Error Event occured. EventID: 0x40011006
> > Time Generated: 06/18/2008 13:28:21
> > Event String: The connection was aborted by the remote WINS. Remote
> > WINS may not be configured to replicate with the server.
> > .........................MCP01 failed test systemlog
> >
> > All other tests passed.
> >
> > Any more suggestions will be greatly appreciated.
> >
> > Thanx.
> >
> >
> >
> > "Jorge de Almeida Pinto [MVP - DS]" wrote:
> >
> >> ORIGINAL QUESTION: (ANSWER BELOW)
> >> ---------------------------------------------
> >> "Steven Sinclair" wrote:
> >>
> >> > Good morning, all.
> >> >
> >> > We've recently run into a situation where an individual (who is no
> >> > longer
> >> > with the company) decided to take our PDC offline and only left our BDC
> >> > up
> >> > and running, but did not transfer control of the domain to the BDC, nor
> >> > did
> >> > he promote the BDC.
> >> >
> >> > Now, we're unable to create new users (even though there are no users
> >> > listed
> >> > in ADUC...we simply get an error, "An error occurred. Contact your
> >> > system
> >> > administrator." However, nothing ever shows up in the event viewer.
> >> > Within
> >> > ADUC, even the "Raise Domain Function Level" command states the domain
> >> > is
> >> > operating at the highest possible functional level and the "Operations
> >> > Masters" only lists the remaining server as the Operations master and
> >> > the
> >> > PDC.
> >> >
> >> > Any ideas on how we can get this remaining controller to "control" the
> >> > domain?
> >> >
> >> > Thanx.
> >> ---------------------------------------------
> >>
> >>
> >> ANSWER GIVEN BY ME:
> >> first thing I would say is:
> >>
> >> on that "BDC" check who owns the FSMO roles using: NETDOM QUERY FSMO
> >>
> >> For ALL FSMO that are NOT owned by the "BDC" seize those roles. for more
> >> info see:
> >>
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx
> >>
> >> on the BDC execute: REPADMIN /OPTIONS <NAME OF BDC SERVER>
> >> OR
> >> REPADMIN /OPTIONS <NAME OF BDC SERVER> +IS_GC
> >>
> >> My guess is that the main reason that you cannot create users, groups, or
> >> computers is because the RID master is owned by the "PDC" that was taken
> >> offline
> >> Can I say you are able to create a contact but not a user account?
> >> If yes, the RID master is probably the issue
> >>
> >> DCDIAG /C /D /V should give you more info about the health of the "BDC"
> >>
> >> also have a look at:
> >>
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx
> >>
> >>
> >> "Steven Sinclair" <StevenSinclair@discussions.microsoft.com> wrote in
> >> message news:DEA0DDEE-E96C-46DB-88D3-DAF0FD9F0F25@microsoft.com...
> >> > Is anyone available to take a look at this thread...
> >> >
> >> >
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.active_directory&mid=be90de26-d4c1-4805-bd3a-8a70ab0e70d4&sloc=en-us
> >> >
> >> > ...and donate some invaluable assistance?
> >> >
> >> > Thanx.
> >>
> >>
>
>
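The checks Jorge walks through above (who holds the FSMO roles, whether the remaining DC has a usable RID pool, which DCDIAG tests failed) can be done offline against captured command output. The following is an added example written for this thread, not a tool from the thread or from Microsoft: it parses `NETDOM QUERY FSMO` and `DCDIAG` output of the shape pasted above, lists any role whose holder is not among the DCs you know to be alive (those are the ones to seize once the old holder is confirmed gone), lists the failed tests, and estimates how many RIDs the local pool still has. The sample text is an excerpt of the output in this thread; the second FSMO listing with a holder named `oldpdc.mydomain.com` is a constructed placeholder to show the seize check firing. It assumes `rIDNextRID` is the next unassigned value in the `rIDAllocationPool` range.

```python
"""Offline triage of NETDOM QUERY FSMO and DCDIAG output after a DC is lost.
Added example for this thread; not the thread's or Microsoft's own tooling."""
import re

FSMO_ROLES = ("Schema owner", "Domain role owner", "PDC role",
              "RID pool manager", "Infrastructure owner")

# Excerpt of the output pasted in the thread (all roles on the surviving DC).
NETDOM_OUTPUT = """\
Schema owner mcp01.mydomain.com
Domain role owner mcp01.mydomain.com
PDC role mcp01.mydomain.com
RID pool manager mcp01.mydomain.com
Infrastructure owner mcp01.mydomain.com
"""

# Constructed variant: the RID master still points at a DC that no longer exists
# (placeholder name, not from the thread).
NETDOM_DEAD_HOLDER = NETDOM_OUTPUT.replace(
    "RID pool manager mcp01.mydomain.com", "RID pool manager oldpdc.mydomain.com")

# Excerpt of the DCDIAG output from the thread, including a result line that the
# mail client wrapped onto two lines.
DCDIAG_EXCERPT = """\
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\\\MCP01\\netlogon)
......................... MCP01 failed test NetLogons
Starting test: RidManager
* rIDAllocationPool is 1604 to 2103
* rIDNextRID: 1635
......................... MCP01 passed test RidManager
Starting test: systemlog
......................... MCP01 failed test systemlog
Starting test: VerifyEnterpriseReferences
......................... MCP01 passed test
VerifyEnterpriseReferences
Starting test: DNS
......................... mydomain.com passed test DNS
"""


def parse_netdom_fsmo(text):
    """Map each FSMO role name to the DC that netdom reports as its owner."""
    owners = {}
    for raw in text.splitlines():
        line = raw.strip()
        for role in FSMO_ROLES:
            if line.lower().startswith(role.lower()):
                owners[role] = line[len(role):].strip().lower()
    return owners


def roles_to_seize(owners, live_dcs):
    """Roles held by a DC that is not in the list of reachable DCs."""
    live = {dc.lower() for dc in live_dcs}
    return sorted(role for role, owner in owners.items() if owner not in live)


_RESULT = re.compile(r"^\.{5,}\s*(\S+)\s+(passed|failed)\s+test\s*(\S*)")
_POOL = re.compile(r"rIDAllocationPool is (\d+) to (\d+)")
_NEXT = re.compile(r"rIDNextRID:\s*(\d+)")


def parse_dcdiag(text):
    """Return ({(target, test): verdict}, {rid pool fields}) from DCDIAG text."""
    results, rid = {}, {}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = _RESULT.match(line)
        if m:
            target, verdict, test = m.groups()
            if not test:  # test name wrapped onto the following line
                test = next((ln for ln in lines[i + 1:] if ln), "")
            results[(target, test)] = verdict
            continue
        m = _POOL.search(line)
        if m:
            rid["pool_start"], rid["pool_end"] = int(m.group(1)), int(m.group(2))
        m = _NEXT.search(line)
        if m:
            rid["next_rid"] = int(m.group(1))
    return results, rid


def failed_tests(results):
    return sorted(f"{tgt}:{test}" for (tgt, test), v in results.items() if v == "failed")


def rids_remaining(rid):
    """RIDs left in the local pool, assuming rIDNextRID is the next unassigned value.
    Once this hits zero the DC needs a new pool from the RID master, so a RID
    master that no longer exists turns into 'cannot create users'."""
    if "pool_end" not in rid or "next_rid" not in rid:
        return None
    return rid["pool_end"] - rid["next_rid"] + 1


if __name__ == "__main__":
    live = ["mcp01.mydomain.com"]
    print("roles to seize:", roles_to_seize(parse_netdom_fsmo(NETDOM_DEAD_HOLDER), live))
    results, rid = parse_dcdiag(DCDIAG_EXCERPT)
    print("failed tests:", failed_tests(results))
    print("RIDs remaining locally:", rids_remaining(rid))
```

A role listed by `roles_to_seize` is only a candidate: seizing is appropriate when the old holder is permanently gone and its metadata has been cleaned up, which is exactly the NTDSUTIL step Jorge asks about.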