Re: Unable to Raise Domain Functional Level
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Tue, 18 Apr 2006 16:03:42 -0500
"EOrtiz" <EOrtiz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D8F12E17-0495-4C21-9FCE-475786372F86@xxxxxxxxxxxxxxxx
Herb,
Thanks for the response. Regarding your points:
Two common reasons for this:
1) Incomplete replication
I'm able to verify the version number for the SOA record is consistent across all DCs in the child domain. Additionally, an eval version of "Spotlight on Active Directory" by Quest software indicates that directory replication is healthy on multiple test passes. Are there any other utilities (native and/or 3rd party) I may use to further verify replication is occurring properly?
If this is AD DNS then replication is through the AD and not directly dependent on the SOA serial number BUT I doubted this would be the issue and it sounds like it is not.
2) Missing (removed/deleted) DC
I've previously run NTDSUtil, connected to a functional DC located in two different child domains, enumerated each site, and enumerated the servers within the site. I did not see any dead DCs present. Should I check the remaining child domain and root domain to see if there are any ghosts there?
This is the most likely but it would only be an issue FOR THE DOMAIN which wouldn't upgrade.

The server that DCDiag complains about is CNR-PR-DOMA00. Can you find that server and confirm it's functioning?

Have you got a SINGLE LABEL DOMAIN name (e.g., Domain, and not Domain.Local or Domain.Something)? This is bad.

You might (eventually) check all domains, since you really have them replicated sooner or later.

Also, I forgot to mention: Did you remove any NT BDCs without removing their DC accounts from the database? That would make the AD think you still had BDCs. (Just turning them off or re-installing another OS would NOT be sufficient.)
3) Screwed up DNS for the Domain or the DCs as DNS Clients.

I presume when you say "...or the DCs as DNS Clients", you are indicating the servers are receiving their DNS settings via DHCP.

Nope. I was suggesting (not very carefully) that you might have the DCs' OWN Client DNS settings (NIC->IP Properties->DNS Servers) set to some incorrect DNS server (or mixture of correct and incorrect) such as to an EXTERNAL DNS server.

More specifically, any DNS Server (or mixture) that cannot find the DYNAMIC DNS server(s) that hold the DYNAMIC Zone.

Or something as simple as not having the domain's DNS zone set to DYNAMIC.

This is not the case. All DCs have their configs statically defined. If this is not what is meant, please clarify.
If you had this problem it would show in DCDiag so you were doing the correct thing by running that tool. You might continue running it on each DC in the affected domain.
Below are my general checks concerning DNS for AD:

1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must be able to resolve ALL domains (either directly or indirectly)

    netdiag /fix

....or maybe:

    dcdiag /fix

(Win2003 can do this from Support tools):

    nltest /dsregdns /server:DC-ServerNameGoesHere

http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
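The "run DCDiag on each DC, send the output to a file, search for FAIL/ERROR/WARN" procedure above, plus the nltest /dsregdns check, as a single PowerShell script. This is an added example written for this page, not code from the thread or from Microsoft; it assumes dcdiag.exe and nltest.exe are on the PATH (the Windows 2003 Support Tools) and that the script runs as a domain admin. The DC names and the output directory are constructed placeholders. It goes one step beyond the post by grouping identical lines across DCs, because the DCDiag text itself says a problem is only worth chasing when every DC in the domain reports it (a one-off can be replication latency).

```powershell
# Added example (not from the thread). Runs DCDiag and nltest /dsregdns
# against every DC of the affected domain, keeps one log per DC, and
# reports which FAIL/ERROR/WARN lines are seen on ALL DCs.
# Assumptions: dcdiag.exe / nltest.exe on PATH; names below are placeholders.
param(
    [string[]]$DomainControllers = @('DC01.b.root.local', 'DC02.b.root.local', 'DC03.b.root.local'),
    [string]$OutDir = (Join-Path $env:TEMP 'dcdiag-runs')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Replace any DC name (FQDN or short) in a line with <DC> so the same
# finding reported against different servers groups together.
function Normalize-Line([string]$Line) {
    $text = $Line.Trim()
    foreach ($name in $DomainControllers) {
        $short = ($name -split '\.')[0]
        $text = $text -replace [regex]::Escape($name), '<DC>'
        $text = $text -replace [regex]::Escape($short), '<DC>'
    }
    return $text
}

$hits = foreach ($dc in $DomainControllers) {
    $logFile = Join-Path $OutDir (($dc -replace '[^\w.-]', '_') + '.txt')

    # Verbose output names the objects behind a failed VerifyEnterpriseReferences test.
    & dcdiag.exe /s:$dc /v 2>&1 | Out-File -FilePath $logFile -Encoding ASCII

    # Re-register the DC's own DNS records. A failure here usually means the
    # DC's client DNS settings (NIC -> IP -> DNS servers) cannot reach the
    # dynamic zone, which is check #2/#3 in the post.
    $reg = & nltest.exe /dsregdns /server:$dc 2>&1
    if ($LASTEXITCODE -ne 0) {
        [pscustomobject]@{ DC = $dc; Source = 'nltest'; Text = Normalize-Line ($reg -join ' ') }
    }

    # Herb's search terms; case-insensitive so "failed test ..." counts.
    Select-String -Path $logFile -Pattern 'fail|error|warn' | ForEach-Object {
        [pscustomobject]@{ DC = $dc; Source = 'dcdiag'; Text = Normalize-Line $_.Line }
    }
}

$dcCount = $DomainControllers.Count

# Count how many distinct DCs reported each normalized line.
$report = $hits | Group-Object Text | ForEach-Object {
    $reporting = @($_.Group | Select-Object -ExpandProperty DC -Unique)
    [pscustomobject]@{
        ReportedBy = $reporting.Count
        OnAllDCs   = ($reporting.Count -eq $dcCount)
        Text       = $_.Name
    }
} | Sort-Object -Property ReportedBy -Descending

$report | Format-Table -AutoSize
Write-Host "Per-DC DCDiag logs are in $OutDir"
```

Run it from one machine with the Support Tools installed; `OnAllDCs = True` rows are the findings to act on (for instance a consistent VerifyEnterpriseReferences failure pointing at a DC account that needs metadata cleanup), and the per-DC log files keep the full verbose context for each line.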
"It seems from your DCDiag you have #2; next most likely #3 and then #1."
(error output from DCDiag)
[1] Problem: Missing Expected Value
Base Object: CN=LostAndFoundConfig,CN=Configuration,DC=bethco,DC=local
Base Object Description: "Server Object"
Value Object Attribute: serverReference
Value Object Description: "DC Account Object"
Recommended Action: This could hamper authentication (and thus replication, etc). Check if this server is deleted, and if so clean up this DCs Account Object. If the problem persists and this is not a deleted DC, authoratively restore the DSA object from a good copy, for example the DSA on the DSA's home server.
**CNR-PR-DOMA00 failed test VerifyEnterpriseReferences
**The server name (CNR-PR-DOMA00) listed in the output of the DCDiag is a production server functioning in our environment. The server name indicated on the last line of output changes depending on which server in the child domain I run the utility on.

The same error always appears regardless of which DC in the child domain I run it on. What I do not see is which server it is referencing as being "dead" in the error output, just the LDAP structure of Base Object: CN=LostAndFoundConfig,CN=Configuration,DC=bethco,DC=local.
Our topology is hub and spoke. In terms of the "primary server" field defined on the SOA record for AD integrated zones located at other sites within the child domain: should the SOA record reference the local DC at the site as the "primary server", or should it reference a DC located at the hub?
Some further background on the environment. Our environment consists of an empty root domain, along with three child domains (a.root.local, b.root.local, c.root.local). All DCs are Windows 2003.

The Root domain is an AD integrated DNS zone. Secondary zones are located on remaining (but not all) DCs in child domains a.root.local and c.root.local.
Child Domain A - Already Windows 2003 functional level. AD integrated zone. Secondary zones of child domain a.root.local located on DCs (but not all DCs) in child domain c.root.local.

Child Domain B (domain we are trying to raise the functional level on) - AD integrated zone on all DCs located within child domain b.root.local. Secondary zones of child domain b.root.local located on DCs (but not all DCs) in child domains a.root.local & c.root.local.

Child Domain C - AD integrated zone on all DCs located in child domain C. Secondary zones for child domain c.root.local located on DCs in child domain a.root.local.
Ideally, I would like to have AD integrated zones throughout the enterprise (with zone delegation and forwarding configured accordingly). This has been the subject of numerous discussions with the other engineers. Is there a document which compares the old way of MS DNS vs the new MS AD DNS (highlighting the benefits and pitfalls) that you may direct me to?
What course of action do you recommend to further diagnose the issue we are experiencing while trying to raise the functional level? Once again, thanks in advance for your assistance.

I guess the bottom line question is, what should DNS ideally look like?

Eric
"Herb Martin" wrote:
"EOrtiz" <EOrtiz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A2714DF8-0153-4C80-A3B0-A9338AE2DCE4@xxxxxxxxxxxxxxxx
Hello All,

Any help provided would be greatly appreciated. All servers in my environment are Windows 2003 server throughout the forest. One child domain has previously had its functional level raised without any problems. When trying to raise another child domain from Windows 2000 Native to Windows Server 2003 domain functional level, I get the following error:

The functional level could not be raised. The error is: The server is unwilling to process the request.
Two common reasons for this:
1) Incomplete replication
2) Missing (removed/deleted) DC
3) Screwed up DNS for the Domain or the DCs as DNS Clients
It seems from your DCDiag you have #2; next most likely #3 and then #1.
If you have abandoned a DC account by removing a DC without doing so properly then you will need to use NTDSutil to cleanup the AD:

    NTDSutil metadata cleanup

Search Google for:
[ NTDSutil "metadata cleanup" remove DC Domain ]

No need to add either site:microsoft.com OR microsoft: since the NTDSutil and other terms make it Microsoft specific by itself. Unless you WISH to restrict answers to the site:microsoft.com for some reason.
[ NTDSutil "metadata cleanup" remove DC Domain site:microsoft.com ]
Key points to NOTE when doing the metadata cleanup:
You CONNECT to a WORKING DC.
You SELECT the missing/dead DC or DOMAIN
'Connect' and 'Select' are technical terms in this context.
216498 - HOW TO Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion (2000 & 2003):
http://support.microsoft.com/?id=216498
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Now when I run dcdiag, I receive the following (I've limited the text below to the errors):
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN references. Note, that these problems can be reported because of latency in replication. So follow up to resolve the following problems, only if the same problem is reported on all DCs for a given domain or if the problem persists after replication has had reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object: CN=LostAndFoundConfig,CN=Configuration,DC=bethco,DC=local
Base Object Description: "Server Object"
Value Object Attribute: serverReference
Value Object Description: "DC Account Object"
Recommended Action: This could hamper authentication (and thus replication, etc). Check if this server is deleted, and if so clean up this DCs Account Object. If the problem persists and this is not a deleted DC, authoratively restore the DSA object from a good copy, for example the DSA on the DSA's home server.
CNR-PR-DOMA00 failed test VerifyEnterpriseReferences
Additionally, when I run DNSLint, I receive the following:

Notes:
One or more DNS servers is not authoritative for the domain
Zone serial numbers were not identical on every DNS server
One or more zone files may have expired
SOA record data was unavailable and/or missing on one or more DNS servers
At least one CNAME record for an AD forest GUID was missing from a DNS server
This is listed for some of the DCs in the child domain that I want to have the functional level raised. Not sure if this is an issue. As I understand, DNSLint is only capable of verifying records for a root domain, not the records for DCs located in a child. If I am incorrect, by all means please correct me.
SOA record data from server:
Authoritative name server: Unknown
Hostmaster: Unknown
Zone serial number: Unknown
Zone expires in: Unknown
Refresh period: Unknown
Retry delay: Unknown
Default (minimum) TTL: Unknown
No Domain Controllers have failed or have been removed from our domain. NTDSUtil doesn't reveal any old DCs lurking about in the metadata. I've been googling the above error phrases without much luck.

Any help provided would be greatly appreciated.
- Follow-Ups:
- Re: Unable to Raise Domain Functional Level
- From: EOrtiz
- Re: Unable to Raise Domain Functional Level
- References:
- Unable to Raise Domain Functional Level
- From: EOrtiz
- Re: Unable to Raise Domain Functional Level
- From: Herb Martin
- Re: Unable to Raise Domain Functional Level
- From: EOrtiz
- Unable to Raise Domain Functional Level