Re: Unable to Raise Domain Functional Level



Herb,

Thanks for the response. Regarding your points:

Two common reasons for this:

1) Incomplete replication
I'm able to verify the version number for the SOA record is consistent across all DCs in the child domain. Additionally, an eval version of "Spotlight on Active Directory" by Quest Software indicates that directory replication is healthy on multiple test passes. Are there any other utilities (native and/or 3rd party) I may use to further verify replication is occurring properly?


2) Missing (removed/deleted) DC
I've previously run NTDSUtil, connected to a functional DC located in two different child domains, enumerated each site, and enumerated the servers within the site. I did not see any dead DCs present. Should I check the remaining child domain and root domain to see if there are any ghosts there?

3) Screwed up DNS for the Domain or the DCs as DNS Clients.
I presume when you say "...or the DCs as DNS Clients", you are indicating the servers are receiving their DNS settings via DHCP. This is not the case. All DCs have their configs statically defined. If this is not what is meant, please clarify.



"It seems from your DCDiag you have #2; next most likely #3 and then #1."

(error output from DCDiag)

[1] Problem: Missing Expected Value
Base Object: CN=LostAndFoundConfig,CN=Configuration,DC=bethco,DC=local
Base Object Description: "Server Object"
Value Object Attribute: serverReference
Value Object Description: "DC Account Object"

Recommended Action: This could hamper authentication (and thus replication, etc). Check if this server is deleted, and if so clean up this DCs Account Object. If the problem persists and this is not a deleted DC, authoratively restore the DSA object from a good copy, for example the DSA on the DSA's home server.
**CNR-PR-DOMA00 failed test VerifyEnterpriseReferences

**The server name (CNR-PR-DOMA00) listed in the output of the DCDiag is a
production server functioning in our environment. The server name indicated
on the last line of output changes depending on which server in the child
domain I run the utility on.

The same error always appears regardless of which DC in the child domain I
run it on. What I do not see is which server it is referencing as being
"dead" in the error output, just the LDAP structure of
Base Object: CN=LostAndFoundConfig,CN=Configuration,DC=bethco,DC=local.



Our topology is hub and spoke. Regarding the "primary server" field defined on the SOA record for AD-integrated zones located at other sites within the child domain: should the SOA record reference the local DC at the site as the "primary server", or should it reference a DC located at the hub?


Some further background on the environment. Our environment consists of an
empty root domain, along with three child domains (a.root.local,
b.root.local, c.root.local). All DCs are Windows 2003.

The Root domain is an AD integrated DNS zone. Secondary zones are located
on remaining (but not all) DCs in child domains a.root.local and
c.root.local.

Child Domain A - Already Windows 2003 functional level. AD integrated zone.
Secondary zones of child domain a.root.local located on DCs (but not all
DCs) in child domain c.root.local.

Child Domain B (domain we are trying to raise the functional level on) - AD
integrated zone on all DCs located within child domain b.root.local.
Secondary zones of child domain b.root.local located on DCs (but not all
DCs) in child domains a.root.local & c.root.local.

Child Domain C - AD integrated zone on all DCs located in child domain C.
Secondary zones for child domain c.root.local located on DCs in child domain
a.root.local.

Ideally, I would like to have AD integrated zones throughout the enterprise
(with zone delegation and forwarding configured accordingly). This has been
the subject of numerous discussions with the other engineers. Is there a
document which compares the old way of MS DNS vs the new MS AD DNS
(highlighting the benefits and pitfalls) that you may direct me to?

What course of action do you recommend to further diagnose the issue we are
experiencing while trying to raise the functional level? Once again, thanks
in advance for your assistance.

I guess the bottom-line question is, how should DNS ideally look?

Eric
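As an added example (my code, not from any poster in this thread), the check that dcdiag's VerifyEnterpriseReferences applies to server objects in the Configuration partition, written against an LDIF export such as `ldifde -f servers.ldf -d "CN=Configuration,DC=bethco,DC=local" -r "(objectClass=server)" -l serverReference` (file name assumed; the sample LDIF and the list of known DC accounts below are constructed): it reports server objects that lack a serverReference, sit under LostAndFoundConfig, or reference a DC account that no longer exists.

```python
# Added example (not the thread's own code): flag server objects in the AD
# Configuration partition that VerifyEnterpriseReferences would report.

SAMPLE_LDIF = """\
dn: CN=CNR-PR-DOMA00,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=bethco,DC=local
changetype: add
serverReference: CN=CNR-PR-DOMA00,OU=Domain Controllers,DC=b,DC=bethco,DC=local

dn: CN=OLDDC01,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=bethco,DC=local
changetype: add

dn: CN=GHOSTDC,CN=LostAndFoundConfig,CN=Configuration,DC=bethco,DC=local
changetype: add
serverReference: CN=GHOSTDC,OU=Domain Controllers,DC=b,DC=bethco,DC=local
"""
# Constructed: DC computer accounts that really exist (in practice, export OU=Domain Controllers).
KNOWN_DC_ACCOUNTS = ["CN=CNR-PR-DOMA00,OU=Domain Controllers,DC=b,DC=bethco,DC=local"]


def parse_ldif(text):
    """One {attribute: value} dict per LDIF record; folded lines (leading space)
    are joined, base64 ('::') values are kept undecoded."""
    records, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last is not None:   # folded continuation line
            current[last] += raw[1:]
        elif not raw:                                  # blank line ends a record
            if current:
                records.append(current)
            current, last = {}, None
        else:
            attr, _, value = raw.partition(":")
            last = attr.strip()
            current[last] = value.lstrip(": ").strip()
    return records


def find_suspect_servers(records, known_dc_accounts):
    """Map each suspect server DN to the reasons dcdiag would report it."""
    known = {dn.lower() for dn in known_dc_accounts}
    problems = {}
    for rec in records:
        dn, ref, reasons = rec["dn"], rec.get("serverReference"), []
        if ",cn=lostandfoundconfig," in dn.lower():
            reasons.append("server object orphaned into LostAndFoundConfig")
        if not ref:
            reasons.append("missing serverReference: no DC account is linked")
        elif ref.lower() not in known:
            reasons.append("serverReference names a DC account that no longer exists")
        if reasons:
            problems[dn] = reasons
    return problems
```

Any DN reported is the object to examine before touching ntdsutil; a DC still in production, like CNR-PR-DOMA00 in the sample, should show no reason at all.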



"Herb Martin" wrote:

"EOrtiz" <EOrtiz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A2714DF8-0153-4C80-A3B0-A9338AE2DCE4@xxxxxxxxxxxxxxxx
Hello All,

Any help provided would be greatly appreciated. All servers in my
environment are Windows 2003 server throughout the forest. One child domain
has previously had its functional level raised without any problems. When
trying to raise another child domain from Windows 2000 Native to Windows
Server 2003 domain functional level, I get the following error:

The functional level could not be raised. The error is: The server is
unwilling to process the request.

Two common reasons for this:

1) Incomplete replication

2) Missing (removed/deleted) DC

3) Screwed up DNS for the Domain or the DCs as DNS Clients

It seems from your DCDiag you have #2; next most likely
#3 and then #1.

If you have abandoned a DC account by removing a DC
without doing so properly then you will need to use NTDSutil
to clean up the AD:

NTDSutil metadata cleanup

Search Google for:

[ NTDSutil "metadata cleanup" remove DC Domain ]

No need to add either site:microsoft.com OR microsoft:
since the NTDSutil and other terms make it Microsoft specific
by itself.

Unless you WISH to restrict answers to the site:microsoft.com
for some reason.

[ NTDSutil "metadata cleanup" remove DC Domain site:microsoft.com ]

Key points to NOTE when doing the metadata cleanup:

You CONNECT to a WORKING DC.
You SELECT the missing/dead DC or DOMAIN

'Connect' and 'Select' are technical terms in this context.

216498 - HOW TO Remove Data in Active Directory After an
Unsuccessful Domain Controller Demotion (2000 & 2003):
http://support.microsoft.com/?id=216498



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]



Now when I run dcdiag, I receive the following (I've limited the text
below to the errors):

Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN references. Note, that these problems can be reported because of latency in replication. So follow up to resolve the following problems, only if the same problem is reported on all DCs for a given domain or if the problem persists after replication has had reasonable time to replicate changes.

[1] Problem: Missing Expected Value
Base Object: CN=LostAndFoundConfig,CN=Configuration,DC=bethco,DC=local
Base Object Description: "Server Object"
Value Object Attribute: serverReference
Value Object Description: "DC Account Object"

Recommended Action: This could hamper authentication (and thus replication, etc). Check if this server is deleted, and if so clean up this DCs Account Object. If the problem persists and this is not a deleted DC, authoratively restore the DSA object from a good copy, for example the DSA on the DSA's home server.

CNR-PR-DOMA00 failed test VerifyEnterpriseReferences


Additionally, when I run DNSLint, I receive the following:

Notes:
One or more DNS servers is not authoritative for the domain
Zone serial numbers were not identical on every DNS server
One or more zone files may have expired
SOA record data was unavailable and/or missing on one or more DNS servers

At least one CNAME record for an AD forest GUID was missing from a DNS
server



This is listed for some of the DCs in the child domain that I want to
have the functional level raised. Not sure if this is an issue. As I
understand, DNSLint is only capable of verifying records for a root domain,
not the records for DCs located in a child. If I am incorrect, by all means
please correct me.

SOA record data from server:
Authoritative name server: Unknown
Hostmaster: Unknown
Zone serial number: Unknown
Zone expires in: Unknown
Refresh period: Unknown
Retry delay: Unknown
Default (minimum) TTL: Unknown


No Domain Controllers have failed or have been removed from our domain.
NTDSUtil doesn't reveal any old DCs lurking about in the metadata. I've
been googling the above error phrases without much luck.

Any help provided would be greatly appreciated.





