Re: Steps to take to demote a former PDC ...
- From: E-Double <EDouble@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 19 May 2009 15:11:02 -0700
Cool, thanks. Ran all of the steps you mentioned, then during the DCPromo
downgrade we received the following error: "The Operation Failed. Managing
The Network Session to somedomain.cc Failed. Logon Failure: The Target
Account Name Is Incorrect." The following are the results from DCDiag on the
machine that is being downgraded (DCDiag from PDC looked okay):
_____________________________________________________
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine Server1, is a DC.
* Connecting to directory service on server Server1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\Server1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... Server1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\Server1
Starting test: Replications
* Replications Check
[Replications Check,Server1B] Inbound replication is disabled.
To correct, run "repadmin /options Server1B -DISABLE_INBOUND_REPL"
[Replications Check,Server1B] Outbound replication is disabled.
To correct, run "repadmin /options Server1B -DISABLE_OUTBOUND_REPL"
......................... Server1B failed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC Server1B.
* Security Permissions Check for
DC=ForestDnsZones,DC=somedomain,DC=cc
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=somedomain,DC=cc
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=somedomain,DC=cc
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=somedomain,DC=cc
(Configuration,Version 2)
* Security Permissions Check for
DC=somedomain,DC=cc
(Domain,Version 2)
......................... Server1B passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\Server1B\netlogon
Verified share \\Server1B\sysvol
......................... Server1B passed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for
\\server2.somedomain.cc, when we were trying to reach Server1B.
Server is not responding or is not considered suitable.
The DC Server1B is advertising itself as a DC and having a DS.
The DC Server1B is advertising as an LDAP server
The DC Server1B is advertising as having a writeable directory
The DC Server1B is advertising as a Key Distribution Center
The DC Server1B is advertising as a time server
......................... Server1B failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
[server2] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: server2 is the Schema Owner, but is not responding to DS
RPC Bind.
[server2] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: server2 is the Schema Owner, but is not responding to LDAP
Bind.
Role Domain Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Domain Owner, but is not responding to DS
RPC Bind.
Warning: server2 is the Domain Owner, but is not responding to LDAP
Bind.
Role PDC Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the PDC Owner, but is not responding to DS RPC
Bind.
Warning: server2 is the PDC Owner, but is not responding to LDAP
Bind.
Role Rid Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Rid Owner, but is not responding to DS RPC
Bind.
Warning: server2 is the Rid Owner, but is not responding to LDAP
Bind.
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: server2 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... Server1B failed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4108 to 1073741823
* server2.somedomain.cc is the RID Master
......................... Server1B failed test RidManager
Starting test: MachineAccount
Checking machine account for DC Server1B on DC Server1B.
* SPN found :LDAP/Server1b.somedomain.cc/somedomain.cc
* SPN found :LDAP/Server1b.somedomain.cc
* SPN found :LDAP/Server1B
* SPN found :LDAP/Server1b.somedomain.cc/Server1
* SPN found
:LDAP/2635e1bc-00c2-4d22-8f71-3ea2b8e2f656._msdcs.somedomain.cc
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/2635e1bc-00c2-4d22-8f71-3ea2b8e2f656/somedomain.cc
* SPN found :HOST/Server1b.somedomain.cc/somedomain.cc
* SPN found :HOST/Server1b.somedomain.cc
* SPN found :HOST/Server1B
* SPN found :HOST/Server1b.somedomain.cc/Server1
* SPN found :GC/Server1b.somedomain.cc/somedomain.cc
......................... Server1B passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
w32time Service is stopped on [Server1B]
* Checking Service: NETLOGON
NETLOGON Service is paused on [Server1B]
......................... Server1B failed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
Server1B is in domain DC=somedomain,DC=cc
Checking for CN=Server1B,OU=Domain Controllers,DC=somedomain,DC=cc
in domain DC=somedomain,DC=cc on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=Server1B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
in domain CN=Configuration,DC=somedomain,DC=cc on 1 servers
Object is up-to-date on all servers.
......................... Server1B passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... Server1B passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... Server1B passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minutes.
......................... Server1B passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:49:30
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was . This indicates that the password used to
encrypt the kerberos service ticket is different
than that on the target server. Commonly, this is
due to identically named machine accounts in the
target realm (somedomain.CC), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:51:47
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was cifs/server2.somedomain.cc. This indicates that
the password used to encrypt the kerberos service
ticket is different than that on the target
server. Commonly, this is due to identically
named machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:51:47
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was LDAP/server2.somedomain.cc/somedomain.cc. This
indicates that the password used to encrypt the
kerberos service ticket is different than that on
the target server. Commonly, this is due to
identically named machine accounts in the target
realm (somedomain.CC), and the client realm.
Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:52:11
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was Server1\server2$. This indicates that the password
used to encrypt the kerberos service ticket is
different than that on the target server.
Commonly, this is due to identically named
machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:53:04
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was
LDAP/server2.somedomain.cc/somedomain.cc@xxxxxxxxxxxxxx
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the
target realm (somedomain.CC), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:54:55
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/Server1a.somedomain.cc. The target name used
was cifs/Server1a. This indicates that the password
used to encrypt the kerberos service ticket is
different than that on the target server.
Commonly, this is due to identically named
machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:55:41
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was DNS/server2.somedomain.cc. This indicates that
the password used to encrypt the kerberos service
ticket is different than that on the target
server. Commonly, this is due to identically
named machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x0000168E
Time Generated: 05/19/2009 16:55:41
Event String: The dynamic registration of the DNS record
'somedomain.cc. 600 IN A 123.45.67.240' failed
on the following DNS server:
DNS server IP address: 123.45.67.252
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:57:32
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was ldap/server2.somedomain.cc. This indicates that
the password used to encrypt the kerberos service
ticket is different than that on the target
server. Commonly, this is due to identically
named machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:23:48
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was DNS/server2.somedomain.cc. This indicates that
the password used to encrypt the kerberos service
ticket is different than that on the target
server. Commonly, this is due to identically
named machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x0000168E
Time Generated: 05/19/2009 17:23:48
Event String: The dynamic registration of the DNS record
'somedomain.cc. 600 IN A 123.45.67.240' failed
on the following DNS server:
DNS server IP address: 123.45.67.252
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:04
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was cifs/server2.somedomain.cc. This indicates that
the password used to encrypt the kerberos service
ticket is different than that on the target
server. Commonly, this is due to identically
named machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:05
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was
LDAP/server2.somedomain.cc/somedomain.cc@xxxxxxxxxxxxxx
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the
target realm (somedomain.CC), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:18
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was . This indicates that the password used to
encrypt the kerberos service ticket is different
than that on the target server. Commonly, this is
due to identically named machine accounts in the
target realm (somedomain.CC), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:22
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/Server1a.somedomain.cc. The target name used
was cifs/Server1a. This indicates that the password
used to encrypt the kerberos service ticket is
different than that on the target server.
Commonly, this is due to identically named
machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:25:07
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was
ldap/server2.somedomain.cc/somedomain.cc@xxxxxxxxxxxxxx
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the
target realm (somedomain.CC), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x0000168E
Time Generated: 05/19/2009 17:28:50
Event String: The dynamic registration of the DNS record
'somedomain.cc. 600 IN A 123.45.67.240' failed
on the following DNS server:
DNS server IP address: 123.45.67.230
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain
controller, this record must be registered in
DNS.
USER ACTION
Determine what might have caused this failure,
resolve the problem, and initiate registration of
the DNS records by the domain controller. To
determine what might have caused this failure,
run DCDiag.exe. You can find this program on the
Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about
DCDiag.exe, see Help and Support Center. To
initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns'
from the command prompt on the domain controller
or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server
Resource Kit CD.
Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:33:05
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was ldap/server2.somedomain.cc. This indicates that
the password used to encrypt the kerberos service
ticket is different than that on the target
server. Commonly, this is due to identically
named machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:35:28
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was
LDAP/67d3c601-fc54-4360-9a4d-823a33197223._msdcs.somedomain.cc.
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the
target realm (somedomain.CC), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:35:28
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was
ldap/67d3c601-fc54-4360-9a4d-823a33197223._msdcs.somedomain.cc.
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the
target realm (somedomain.CC), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0xC25A002E
Time Generated: 05/19/2009 17:47:25
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0001B6F
Time Generated: 05/19/2009 17:47:25
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:48:37
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was LDAP/server2.somedomain.cc. This indicates that
the password used to encrypt the kerberos service
ticket is different than that on the target
server. Commonly, this is due to identically
named machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
......................... Server1B failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=Server1B,OU=Domain Controllers,DC=somedomain,DC=cc and backlink on
CN=Server1B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
are correct.
The system object reference (frsComputerReferenceBL)
CN=Server1B,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=somedomain,DC=cc
and backlink on CN=Server1B,OU=Domain Controllers,DC=somedomain,DC=cc
are correct.
The system object reference (serverReferenceBL)
CN=Server1B,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=somedomain,DC=cc
and backlink on
CN=NTDS
Settings,CN=Server1B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
are correct.
......................... Server1B passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : somedomain
Starting test: CrossRefValidation
......................... somedomain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... somedomain passed test CheckSDRefDom
Running enterprise tests on : somedomain.cc
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... somedomain.cc passed test Intersite
Starting test: FsmoCheck
Warning: Couldn't verify this server as a GC in this servers AD.
GC Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
PDC Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
Time Server Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
KDC Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
......................... somedomain.cc passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
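
Added example, not part of the original post: a small Python triage of DCDiag text like the output above, listing the failed tests and counting KRB_AP_ERR_MODIFIED events per server principal and requested service class. The function name, the regexes and the shortened SAMPLE excerpt are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, shortened excerpt shaped like the DCDiag output above (same
# host names); it keeps the hard line wraps DCDiag puts inside event strings.
SAMPLE = """\
Starting test: Advertising
......................... Server1B failed test Advertising
Starting test: MachineAccount
......................... Server1B passed test MachineAccount
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was . This indicates that the password used to
encrypt the kerberos service ticket is different
An Error Event occured. EventID: 0x40000004
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was cifs/server2.somedomain.cc. This indicates that
the password used to encrypt the kerberos service
An Error Event occured. EventID: 0x40000004
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/Server1a.somedomain.cc. The target name used
was cifs/Server1a. This indicates that the password
......................... Server1B failed test systemlog
"""

# "......... <subject> passed|failed test <name>" summary lines.
RESULT_RE = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\w+)")
# Server principal that rejected the ticket, and the target name requested.
# The target name can be empty ("was . This indicates"), as in the output above.
KRB_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server\s+(\S+?)\.\s+"
    r"The target name used was\s*(\S*?)\.?\s+This indicates"
)


def triage_dcdiag(text):
    """Summarise failed tests and Kerberos key-mismatch events in DCDiag text."""
    # DCDiag wraps long lines, so collapse all whitespace before matching.
    flat = " ".join(text.split())

    failed = defaultdict(list)
    for m in RESULT_RE.finditer(flat):
        subject, verdict, test = m.groups()
        if verdict == "failed":
            failed[subject].append(test)

    kerberos = defaultdict(lambda: defaultdict(int))
    for m in KRB_RE.finditer(flat):
        server, target = m.groups()
        # Service class is the part of the target name before the first "/".
        service = target.split("/", 1)[0].lower() if "/" in target else (target or "(empty)")
        kerberos[server.lower()][service] += 1

    return {
        "failed": dict(failed),
        "kerberos": {srv: dict(counts) for srv, counts in kerberos.items()},
    }


if __name__ == "__main__":
    report = triage_dcdiag(SAMPLE)
    for subject, tests in report["failed"].items():
        print(f"{subject}: failed {', '.join(tests)}")
    for server, counts in report["kerberos"].items():
        print(f"KRB_AP_ERR_MODIFIED from {server}: {counts}")
```

Grouping by the server principal shows at a glance whether every rejected ticket points at one machine account or at several.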