Re: Unable to decommission a Windows 2008 DC via dcpromo




Hello Haji,

Did you change the default locations to "d:\ad\sysvol\domain" and "d:\ad\sysvol\staging\domain" on server1?

Was server1 ever restored from backup/image/snapshot(VM) without cleaning the AD database before?

I am also a bit surprised about the difference of the RID pool between both DCs; there is a really big difference, which shouldn't be the case. Normally they stick together.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
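The RID pool comparison in the reply above can be made directly from AD rather than read off dcdiag. The following PowerShell is an added example, not code from the thread or from Microsoft: it decodes the packed 64-bit rIDAvailablePool / rIDAllocationPool attributes (low 32 bits = first RID, high 32 bits = last RID) and flags any DC whose issued block reaches past the domain pool's next available RID, which is the inconsistency a RID master restored from an old image or snapshot would show. It assumes PowerShell 2.0 or later on a domain-joined machine with read access to the domain partition; all function names are the example's own.

```powershell
# Added example (not code from the thread): decode the packed 64-bit RID pool
# attributes that dcdiag's RidManager test summarises, and check each DC's
# allocated block against the domain-wide pool held on the RID master.
# Assumptions: PowerShell 2.0 or later on a domain-joined machine whose account
# can read the domain partition; the domain DN is discovered from RootDSE.

function ConvertFrom-RidPool {
    param([Parameter(Mandatory=$true)][Int64]$Packed)
    # AD stores a RID range in one 64-bit integer: the low 32 bits hold the
    # first RID of the range, the high 32 bits hold the last RID.
    $bytes = [BitConverter]::GetBytes($Packed)   # little-endian on Windows
    New-Object PSObject -Property @{
        Start = [BitConverter]::ToUInt32($bytes, 0)
        End   = [BitConverter]::ToUInt32($bytes, 4)
    }
}

function ConvertTo-RidPool {
    # Inverse of ConvertFrom-RidPool; used for the offline self-check below.
    param([Parameter(Mandatory=$true)][UInt32]$Start,
          [Parameter(Mandatory=$true)][UInt32]$End)
    [Int64]$End * 4294967296 + [Int64]$Start
}

function Test-RidPoolRoundTrip {
    # Offline self-check using the two ranges the thread's dcdiag output shows:
    # the domain pool 16606..1073741823 and server1's block 4606..5105.
    $ok = $true
    foreach ($range in @(@(16606, 1073741823), @(4606, 5105))) {
        $decoded = ConvertFrom-RidPool (ConvertTo-RidPool -Start $range[0] -End $range[1])
        if ($decoded.Start -ne $range[0] -or $decoded.End -ne $range[1]) { $ok = $false }
    }
    $ok
}

function Get-RidPoolReport {
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    # The rIDManager object carries the domain pool; each DC's rIDSet object
    # carries the block most recently handed to that DC.
    $searcher.Filter = '(|(objectClass=rIDManager)(objectClass=rIDSet))'
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'rIDAvailablePool',
        'rIDAllocationPool', 'rIDPreviousAllocationPool', 'rIDNextRID'))

    $domainPool = $null
    $blocks = @()
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties                  # property keys are lower-case
        if ($p.Contains('ridavailablepool')) {
            $domainPool = ConvertFrom-RidPool ([Int64]$p['ridavailablepool'][0])
        } elseif ($p.Contains('ridallocationpool')) {
            $previous = $null
            if ($p.Contains('ridpreviousallocationpool')) {
                $previous = ConvertFrom-RidPool ([Int64]$p['ridpreviousallocationpool'][0])
            }
            $blocks += New-Object PSObject -Property @{
                DN       = [string]$p['distinguishedname'][0]
                Current  = ConvertFrom-RidPool ([Int64]$p['ridallocationpool'][0])
                Previous = $previous
                NextRid  = [int]$p['ridnextrid'][0]
            }
        }
    }
    foreach ($b in $blocks) {
        # Every block the RID master has issued must end below the domain pool's
        # next available RID. A block reaching past it means the RID master's
        # copy of the pool went backwards, which is what a DC restored from an
        # old backup, image or VM snapshot looks like.
        $b | Add-Member -MemberType NoteProperty -Name BeyondDomainPool `
            -Value ($domainPool -ne $null -and $b.Current.End -ge $domainPool.Start)
    }
    New-Object PSObject -Property @{ DomainPool = $domainPool; DcBlocks = $blocks }
}

# Usage on a DC or domain member:
#   Test-RidPoolRoundTrip
#   $r = Get-RidPoolReport
#   $r.DomainPool; $r.DcBlocks | Format-Table DN, NextRid, BeyondDomainPool -AutoSize
```

The domain pool's Start is the next RID the master will hand out, so it moves up by one block each time a DC requests more RIDs; a gap between it and a DC's current block is normal, while a DC block that ends at or beyond it is not.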


dcdiag from Server1, which is the old one:

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

* Verifying that the local machine server1, is a Directory Server.
Home Server = server1
* Connecting to directory service on server server1.

* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.

Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\server1

Starting test: Connectivity

* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... server1 passed test Connectivity
Doing primary tests

Testing server: Default-First-Site-Name\server1

Starting test: Advertising

The DC server1 is advertising itself as a DC and having a DS.
The DC server1 is advertising as an LDAP server
The DC server1 is advertising as having a writeable directory
The DC server1 is advertising as a Key Distribution Center
The DC server1 is advertising as a time server
The DS server1 is advertising as a GC.
......................... server1 passed test Advertising
Test omitted by user request: CheckSecurityError

Test omitted by user request: CutoffServers

Starting test: FrsEvent

* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
An Error Event occurred. EventID: 0xC00034F0
Time Generated: 07/04/2009 23:13:40

Event String:

The File Replication Service is unable to add this
computer to the following replica set:

"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

This could be caused by a number of problems such as:

-- an invalid root path,

-- a missing directory,

-- a missing disk volume,

-- a file system on the volume that does not support NTFS 5.0

The information below may help to resolve the problem:

Computer DNS name is "server1.domain.dns"

Replica set member name is "server1"

Replica set root path is "d:\ad\sysvol\domain"

Replica staging directory path is "d:\ad\sysvol\staging\domain"

Replica working directory path is "c:\windows\ntfrs\jet"

Windows error status code is

FRS error status code is FrsErrorMismatchedJournalId

Other event log messages may also help determine the
problem. Correct the problem and the service will attempt to restart
replication automatically at a later time.

An Error Event occurred. EventID: 0xC00034F3

Time Generated: 07/04/2009 23:13:40

Event String:

The File Replication Service is in an error state. Files
will not replicate to or from one or all of the replica sets on this
computer until the following recovery steps are performed:

Recovery Steps:

[1] The error state may clear itself if you stop and
restart the FRS service. This can be done by performing the following
in a command window:

net stop ntfrs

net start ntfrs

If this fails to clear up the problem then proceed as
follows.

[2] For Active Directory Domain Services Domain
Controllers that DO NOT host any DFS alternates or other replica sets
with replication enabled:

If there is at least one other Domain Controller in this
domain then restore the "system state" of this DC from backup (using
ntbackup or other backup-restore utility) and make it
non-authoritative.

If there are NO other Domain Controllers in this domain
then restore the "system state" of this DC from backup (using ntbackup
or other backup-restore utility) and choose the Advanced option which
marks the sysvols as primary.

If there are other Domain Controllers in this domain but
ALL of them have this event log message then restore one of them as
primary (data files from primary will replicate everywhere) and the
others as non-authoritative.

[3] For Active Directory Domain Services Domain
Controllers that host DFS alternates or other replica sets with
replication enabled:

(3-a) If the Dfs alternates on this DC do not have any
other replication partners then copy the data under that Dfs share to
a safe location.

(3-b) If this server is the only Active Directory Domain
Services Domain Controller for this domain then, before going to
(3-c), make sure this server does not have any inbound or outbound
connections to other servers that were formerly Domain Controllers for
this domain but are now off the net (and will never be coming back
online) or have been fresh installed without being demoted. To delete
connections use the Sites and Services snapin and look for

Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS
Settings->CONNECTIONS.

(3-c) Restore the "system state" of this DC from backup
(using ntbackup or other backup-restore utility) and make it
non-authoritative.

(3-d) Copy the data from step (3-a) above to the original
location after the sysvol share is published.

[4] For other Windows servers:

(4-a) If any of the DFS alternates or other replica sets
hosted by this server do not have any other replication partners then
copy the data under its share or replica tree root to a safe location.

(4-b) net stop ntfrs

(4-c) rd /s /q c:\windows\ntfrs\jet

(4-d) net start ntfrs

(4-e) Copy the data from step (4-a) above to the
original location after the service has initialized (5 minutes is a
safe waiting time).

Note: If this error message is in the eventlog of all the
members of a particular replica set then perform steps (4-a) and (4-e)
above on only one of the members.

......................... server1 failed test FrsEvent

Starting test: DFSREvent

The DFS Replication Event Log.
......................... server1 passed test DFSREvent
Starting test: SysVolCheck

* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... server1 passed test SysVolCheck
Starting test: KccEvent

* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... server1 passed test KccEvent
Starting test: KnowsOfRoleHolders

Role Schema Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role Domain Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role PDC Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role Rid Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
Role Infrastructure Update Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
......................... server1 passed test KnowsOfRoleHolders
Starting test: MachineAccount

Checking machine account for DC server1 on DC server1.
* SPN found :LDAP/server1.domain.dns/domain.dns
* SPN found :LDAP/server1.domain.dns
* SPN found :LDAP/server1
* SPN found :LDAP/server1.domain.dns/domain
* SPN found :LDAP/10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/10054e4e-3786-4858-a745-5a3b299c2326/domain.dns
* SPN found :HOST/server1.domain.dns/domain.dns
* SPN found :HOST/server1.domain.dns
* SPN found :HOST/server1
* SPN found :HOST/server1.domain.dns/domain
* SPN found :GC/server1.domain.dns/domain.dns
......................... server1 passed test MachineAccount
Starting test: NCSecDesc

* Security Permissions check for all NC's on DC server1.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=domain,DC=dns
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=dns
* Security Permissions Check for
DC=DomainDnsZones,DC=domain,DC=dns
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=dns
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=domain,DC=dns
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=domain,DC=dns
(Configuration,Version 3)
* Security Permissions Check for
DC=domain,DC=dns
(Domain,Version 3)
......................... server1 failed test NCSecDesc
Starting test: NetLogons

* Network Logons Privileges Check
Verified share \\server1\netlogon
Verified share \\server1\sysvol
......................... server1 passed test NetLogons
Starting test: ObjectsReplicated

server1 is in domain DC=domain,DC=dns
Checking for CN=server1,OU=Domain Controllers,DC=domain,DC=dns in domain DC=domain,DC=dns on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns in domain CN=Configuration,DC=domain,DC=dns on 1 servers
Object is up-to-date on all servers.
......................... server1 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels

Starting test: Replications

* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=domain,DC=dns
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=domain,DC=dns
Latency information for 8 entries in the vector were ignored.
8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=domain,DC=dns
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=domain,DC=dns
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=domain,DC=dns
Latency information for 9 entries in the vector were ignored.
9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... server1 passed test Replications
Starting test: RidManager

* Available RID Pool for the Domain is 16606 to 1073741823
* server2.domain.dns is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4606 to 5105
* rIDPreviousAllocationPool is 4606 to 5105
* rIDNextRID: 4616
......................... server1 passed test RidManager
Starting test: Services

* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... server1 passed test Services
Starting test: SystemLog

* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... server1 passed test SystemLog
Test omitted by user request: Topology

Test omitted by user request: VerifyEnterpriseReferences

Starting test: VerifyReferences

The system object reference (serverReference) CN=server1,OU=Domain Controllers,DC=domain,DC=dns and backlink on CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns are correct.
The system object reference (serverReferenceBL) CN=server1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=dns and backlink on CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns are correct.
......................... server1 passed test VerifyReferences
Test omitted by user request: VerifyReplicas

Test omitted by user request: DNS

Test omitted by user request: DNS

Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test CrossRefValidation

Running partition tests on : domain

Starting test: CheckSDRefDom

......................... domain passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... domain passed test CrossRefValidation

Running enterprise tests on : domain.dns

Test omitted by user request: DNS

Test omitted by user request: DNS

Starting test: LocatorCheck

GC Name: \\server1.domain.dns

Locator Flags: 0xe00011fc
PDC Name: \\server2.domain.dns
Locator Flags: 0xe00013fd
Time Server Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
Preferred Time Server Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
KDC Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
......................... domain.dns passed test LocatorCheck
Starting test: Intersite

Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
......................... domain.dns passed test Intersite

repadmin /showrepl from server1:

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\server1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

DSA invocationID: d796d1fd-f4ef-400a-b2ba-a094c73c1659

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=dns

Default-First-Site-Name\server2 via RPC

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

Last attempt @ 2009-07-05 18:23:20 was successful.

CN=Configuration,DC=domain,DC=dns

Default-First-Site-Name\server2 via RPC

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

Last attempt @ 2009-07-05 17:53:08 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=dns

Default-First-Site-Name\server2 via RPC

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

Last attempt @ 2009-07-05 17:53:08 was successful.

DC=DomainDnsZones,DC=domain,DC=dns

Default-First-Site-Name\server2 via RPC

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

Last attempt @ 2009-07-05 17:53:08 was successful.

DC=ForestDnsZones,DC=domain,DC=dns

Default-First-Site-Name\server2 via RPC

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

Last attempt @ 2009-07-05 18:29:12 was successful.
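The FrsEvent failure in the dcdiag output above (FrsErrorMismatchedJournalId, with the replica root on d:\ad\sysvol\domain) lists several recovery branches, and which one applies depends on facts about the DC that the event itself does not establish. The PowerShell below is an added example, not code from the thread or from Microsoft, that gathers those facts on one DC: the root and staging paths FRS recorded in AD, whether they exist on disk, where the SYSVOL share actually points, and the FRS error events of the last 24 hours. It also converts dcdiag's 32-bit codes to Event Viewer IDs (0xC00034F0 and 0xC00034F3 are 13552 and 13555). It assumes PowerShell 2.0 or later run locally on the DC as an administrator, and the function names are the example's own.

```powershell
# Added example (not code from the thread): collect, on one DC, the facts the
# FRS event above turns on before any of its recovery steps are attempted.
# Assumptions: PowerShell 2.0 or later, run locally on the DC as an admin.

function Get-FrsEventId {
    param([Parameter(Mandatory=$true)][Int64]$DcdiagCode)
    # dcdiag prints the whole 32-bit status word; the Event Viewer ID is its
    # low 16 bits. PowerShell reads the literal 0xC00034F0 as a negative Int32,
    # and masking the low bits still yields the right ID (13552).
    [int]($DcdiagCode -band 0xFFFF)
}

function Get-SysvolReplicaStatus {
    param([string]$DcName = $env:COMPUTERNAME, [int]$Hours = 24)
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    # FRS keeps each DC's SYSVOL paths on the nTFRSSubscriber object under the
    # DC's computer account; these are the paths the event text reports.
    $subscriber = [ADSI]("LDAP://CN=Domain System Volume (SYSVOL share)," +
        "CN=NTFRS Subscriptions,CN=$DcName,OU=Domain Controllers,$domainDn")
    $rootPath    = [string]$subscriber.fRSRootPath.Value
    $stagingPath = [string]$subscriber.fRSStagingPath.Value

    # The SYSVOL share normally exports <parent>\sysvol while the replica root
    # is <parent>\domain, so both should sit under the same parent directory.
    $share = Get-WmiObject Win32_Share -Filter "Name='SYSVOL'"
    $sharePath = $null
    $sameParent = $false
    if ($share) { $sharePath = $share.Path }
    if ($sharePath -and $rootPath) {
        $sameParent = (Split-Path $sharePath -Parent) -eq (Split-Path $rootPath -Parent)
    }

    # FRS error events of the last $Hours hours, one summary line each.
    $events = @(Get-EventLog -LogName 'File Replication Service' -EntryType Error `
                   -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue |
               ForEach-Object {
                   New-Object PSObject -Property @{
                       EventId = $_.EventID
                       Time    = $_.TimeGenerated
                       Summary = ($_.Message -split "`r?`n")[0]
                   }
               })
    $joinFailures = @($events | Where-Object { $_.EventId -eq (Get-FrsEventId 0xC00034F0) })
    $errorStates  = @($events | Where-Object { $_.EventId -eq (Get-FrsEventId 0xC00034F3) })

    New-Object PSObject -Property @{
        Dc                = $DcName
        FrsRootPath       = $rootPath
        RootPathExists    = [bool]($rootPath -and (Test-Path -LiteralPath $rootPath))
        FrsStagingPath    = $stagingPath
        StagingPathExists = [bool]($stagingPath -and (Test-Path -LiteralPath $stagingPath))
        SysvolSharePath   = $sharePath
        RootBesideShare   = $sameParent
        JoinFailure13552  = ($joinFailures.Count -gt 0)
        ErrorState13555   = ($errorStates.Count -gt 0)
        FrsErrors         = $events
    }
}

# Usage, run on the DC itself:
#   $s = Get-SysvolReplicaStatus
#   $s | Format-List Dc, FrsRootPath, RootPathExists, FrsStagingPath, StagingPathExists,
#                    SysvolSharePath, RootBesideShare, JoinFailure13552, ErrorState13555
#   $s.FrsErrors | Format-Table Time, EventId, Summary -AutoSize
```

The script changes nothing; it only reports. A root path that does not exist, or a share whose parent differs from the replica root's parent, points at the path questions in the reply at the top of the thread, while a recurring 13555 after an ntfrs restart means the event's own step [1] has already been tried and step [2] is the branch that applies.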

"Meinolf Weber [MVP-DS]" wrote:

Hello Haji,

Run diagnostics dcdiag /v and repadmin /showrepl to check for errors
and make sure both DCs have replicated. Are both listed in the DNS
zones with their A record and name server record and also under all
subfolders?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
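The DNS checks in the reply above (A record, name server record, and the records under the zone's subfolders) can be scripted for both DCs at once. The PowerShell below is an added example, not code from the thread or from Microsoft: it resolves each DC's A record through the machine's configured resolver and uses nslookup.exe for the NS record and the _msdcs SRV records that domain members rely on to find a DC, KDC, global catalog and PDC emulator. It assumes PowerShell 2.0 or later on a domain member and that nslookup prints its usual "svr hostname = x" and "nameserver = x" lines; the function names are the example's own.

```powershell
# Added example (not code from the thread): check the DNS registrations of
# each DC: its A record, an NS record for the zone, and the _msdcs SRV records.
# Assumptions: PowerShell 2.0 or later on a domain member; SRV and NS lookups
# go through nslookup.exe against the machine's configured DNS server, and the
# regex below assumes nslookup's "svr hostname = x" / "nameserver = x" lines.

function Get-NsLookupTargets {
    param([Parameter(Mandatory=$true)][string]$Name,
          [Parameter(Mandatory=$true)][string]$Type)
    # Returns the host names nslookup reports for an SRV or NS query.
    $text = & nslookup.exe "-type=$Type" $Name 2>$null | Out-String
    $targets = @()
    foreach ($m in [regex]::Matches($text, '(?im)^\s*(?:svr hostname|nameserver)\s*=\s*(\S+)')) {
        $targets += $m.Groups[1].Value.TrimEnd('.').ToLower()
    }
    $targets
}

function Test-DcDnsRegistration {
    param([Parameter(Mandatory=$true)][string]$DomainName,
          [Parameter(Mandatory=$true)][string[]]$DcFqdn)
    # The _msdcs records the DC locator relies on. Only the PDC emulator is
    # registered under pdc, so exactly one DC should be $true in that column.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_kerberos._tcp.dc._msdcs.$DomainName",
        "_ldap._tcp.gc._msdcs.$DomainName",
        "_ldap._tcp.pdc._msdcs.$DomainName"
    )
    $nsTargets = Get-NsLookupTargets -Name $DomainName -Type NS
    $srvTargets = @{}
    foreach ($n in $srvNames) { $srvTargets[$n] = Get-NsLookupTargets -Name $n -Type SRV }

    foreach ($dc in $DcFqdn) {
        $dcKey = $dc.ToLower().TrimEnd('.')
        $addresses = @()
        try {
            # A record via the configured resolver (no nslookup parsing needed).
            $addresses = [System.Net.Dns]::GetHostAddresses($dcKey) | ForEach-Object { $_.ToString() }
        } catch { }
        $row = New-Object PSObject -Property @{
            Dc       = $dcKey
            ARecord  = (@($addresses) -join ',')
            NsRecord = [bool]($nsTargets -contains $dcKey)
        }
        foreach ($n in $srvNames) {
            $label = (($n -split '\.')[0..2] -join '.')   # e.g. _ldap._tcp.dc
            $row | Add-Member -MemberType NoteProperty -Name $label `
                -Value ([bool]($srvTargets[$n] -contains $dcKey))
        }
        $row
    }
}

# Usage with the names used in this thread:
#   Test-DcDnsRegistration -DomainName 'domain.dns' -DcFqdn 'server1.domain.dns','server2.domain.dns' |
#       Format-Table -AutoSize
```

A DC that shows an A record but $false in the _ldap._tcp.dc and _kerberos._tcp.dc columns is not findable by the locator even though it is up, which matches the symptom of members failing to authenticate as soon as the other DC is powered off; the Netlogon service on that DC is what registers those records.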
I've got a Windows 2008 box that was my only DC in my test network
that is on some rather aged hardware. I've built a new box to
replace the old DC with, installed Server 2008 on it, added it to
the domain, ran dcpromo, kicked it up to a GC, and transferred the
FSMO roles over to it. However, when I run dcpromo on the old box
that I'm wanting to retire, I get the following message:

"You did not indicate that this Active Directory domain controller
is the last domain controller for the domain test.dns. However, no
other Active Directory domain controllers for that domain can be
contacted."

I've also noticed that when the old box is powered down, none of my
test workstations can map a drive to the new server, due to an
authentication failure. The ID that the server is logged into is an
enterprise admin ID, and this is a single domain setup (no child
domains in the forest). Both the forest and the domain are at
2008 functional level. Each server has DNS installed and is AD
Integrated. Each server points to the other for DNS primary, and
itself for secondary.

I'm sure there is more information that is needed that I haven't
provided, just let me know what you need and I'll post it, but if
anyone can help me out, I'd really like to learn what this issue is
and how to fix it.


