
Problem with 1st 2003 SP1 server in 2000 domain.


Karen G

Feb 13, 2006, 10:25:26 PM
I'm getting the following error (Event ID 53258) on a new 2003 SP1 server I
just dcpromo'd into a 2000 Server domain. Forestprep and domainprep ran
with no problems, and this is the first 2003 domain controller in the
forest/domain (3 other 2000 servers in the forest, all within the same building,
in native mode). This one has no FSMO roles.

"MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC
will continue to function and will use the existing security settings. Error
Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9280, Pid: 1744
No Callstack,
CmdLine: C:\WINDOWS\system32\msdtc.exe"

The DCPromo appeared to have worked fine, but I did find the ldap and _gc
records did not create on the DNS server. After manually creating them,
replication is working smoothly. It is authenticating users and machines.

After the above error appears, I also get event ID 1097
"Windows cannot find the machine account, The Local Security Authority
cannot be contacted "

followed by event ID 1030
"Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this."

However, Netlogon is running, is automatic, and does start (referring to the
MS solution for these last two errors).

Any ideas? Should I try demoting and promoting again, or is there an easier
fix? Can't find any info on that first event regarding the DC
Promotion/Demotion event, and the info on the other events doesn't seem to
apply.

thanks

kg

Karen G

Feb 13, 2006, 11:02:27 PM
I tried Don Wilwol's solution to an earlier post (quoted below), and it
solved the MSDTC problem. I'll reboot and see if all is well.

"If that doesn't fix it, try:
Run the Component Services MMC snap-in: Start -> Administrative Tools -> Component Services
Browse to: Console Root -> Component Services -> Computers -> My Computer
Right click My Computer, and click "Stop MSDTC"
Then, right click My Computer again, and click "Start MSDTC"
In Component Services, right click on My Computer, and click "Properties".
Select the "MSDTC" tab. On the bottom of the tab page, click the "Security
Configuration" button. A new dialog will open. Just click "OK" to close the
dialog (I believe this may set the MSDTC defaults). Then click "OK" to close
the first dialog and try restarting the MSDTC service and see if the warnings
still occur.
Then as a test, restart MSDTC (net stop msdtc && net start msdtc) and check
the application event log."

Karen G

Feb 13, 2006, 11:17:27 PM
Don Wilwol's solution fixed the DTC problem (thanks), but I'm still getting
event ID 1097
"Windows cannot find the machine account, The Local Security Authority
cannot be contacted " - This is on a domain controller!! And replication is
working.

followed by event ID 1030
"Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this."

So, I'm still hoping for a solution. My hope was to make this the root DC,
but I can't till it is stable.

The AD is in native mode, all machines nearby, DNS stable and not on this
computer, GC not on this computer, original root domain controller still has
all FSMO roles assigned. DCDiag /test for promoting all worked fine. I did
have to create the DNS SRV records for _gc and LDAP for this server, though
the Kerberos ones were created automatically, and it didn't replicate until I
did.

Paul Williams [MVP]

Feb 15, 2006, 8:35:53 AM
Take a look at %systemroot%\debug\dcpromo.log on the dodgy box.

Also search the domain for the computer account.

You should not update those DNS records manually. Delete the manually
created records. Ensure that your server is pointing to another DC for DNS
and restart NETLOGON. Are those records registered?

Also, run DCDIAG /V /C /E and post any errors.

Re. the GPO problems: again, this sounds DNS related. Check
%systemroot%\debug\usermode\userenv.log and the userenv and scecli errors
and warnings in the app log against www.eventid.net

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
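The checklist in Paul's reply as a script, added here as an example and not code from the thread or from Paul: it looks the computer account up in the domain, checks whether the _ldap, _kerberos and _gc SRV records (plus the _msdcs one replication partners use) resolve to this DC on the DNS server you name, lets NETLOGON re-register them instead of creating them by hand, and pulls the "failed test" lines out of a full `dcdiag /v /c /e` run. It assumes Windows PowerShell on a DC with the ActiveDirectory and DnsClient modules (Server 2012 or later); on the 2003-era boxes in the thread the same lookups are `dsquery computer`, `nslookup -type=SRV` and `nltest`. `$Dc` and `$DnsServer` are placeholder parameters.

```powershell
# Added example, not from the thread: Paul Williams' checklist as a script.
# Assumes Windows PowerShell on a DC with the ActiveDirectory and DnsClient
# modules (Server 2012 or later). $Dc and $DnsServer are placeholders.
param(
    [string]$Dc        = $env:COMPUTERNAME,   # the "dodgy box"
    [string]$DnsServer = ''                   # another DC hosting DNS; '' = whatever the box points at
)
Import-Module ActiveDirectory -ErrorAction Stop

$domain = (Get-ADDomain).DNSRoot
$forest = (Get-ADForest).Name

# 1. "Search the domain for the computer account"
$acct = Get-ADComputer -Filter "Name -eq '$Dc'" -Properties servicePrincipalName -ErrorAction SilentlyContinue
if ($acct) {
    "Account : $($acct.DistinguishedName)"
    "SPNs    : $(@($acct.servicePrincipalName).Count) registered"
} else {
    Write-Warning "No computer account named $Dc in $domain"
}

# 2. SRV records NETLOGON should have registered for this DC. Each lookup is
#    filtered to targets that are this host, so a record that exists for the
#    other DCs but not this one still shows as MISSING.
$records = @(
    "_ldap._tcp.$domain",
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.$domain",
    "_gc._tcp.$forest"
)
$missing = @()
foreach ($name in $records) {
    $q = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $q.Server = $DnsServer }
    $mine = Resolve-DnsName @q | Where-Object { $_.NameTarget -like "$Dc.*" }
    if ($mine) { $state = 'ok' } else { $state = 'MISSING'; $missing += $name }
    "{0,-34} {1}" -f $name, $state
}

# 3. Re-register rather than hand-creating records: restart NETLOGON and ask
#    it to register again (nltest ships with the OS).
if ($missing) {
    Restart-Service Netlogon
    nltest /dsregdns | Out-Null
    "Re-registration requested for $($missing.Count) record(s); re-run this in a minute."
}

# 4. Full DCDIAG to a file, then just the failures.
dcdiag /v /c /e /f:"$env:TEMP\dcdiag.txt" | Out-Null
Select-String -Path "$env:TEMP\dcdiag.txt" -Pattern 'failed test' |
    ForEach-Object { $_.Line.Trim() }
```

Run it as `.\dc-check.ps1 -Dc NEWDC -DnsServer OLDDC` from an elevated prompt on the new DC. If step 2 still reports MISSING after the NETLOGON restart, the box is not able to register its own records, which is the point Paul is making: fix that (DNS client pointing at a working DC, dynamic updates allowed on the zone) rather than adding the records by hand.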


Karen G

Feb 16, 2006, 2:58:28 PM
Demoting and repromoting solved all but the 1097 and 1030 errors (which you
are helping me with in a later post).

The dcpromo log had no errors.

I did run the DCDIAG, and all the DCs except this one (the new 2003 SP1 just
promoted into the 2000 forest/domain prep'd AD) had no errors.

This one had the following

basic (basc) test
Error: The A record for this DC was not found
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.) - (my forest name)]

rreg test = Matching A record found at DNS server (my primary DNS Server name):


Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0xC0002719
Time Generated: 02/16/2006 11:13:00
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 02/16/2006 11:13:20
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 02/16/2006 11:13:22
(Event String could not be retrieved)

Paul Williams [MVP]

Feb 18, 2006, 8:55:31 AM
Yeah, that is fine. It only failed because there are errors in the system
log. We're looking at those in the other post. In this case, the
re-promotion worked.

Jason Walker

Apr 17, 2006, 4:32:01 PM
Here's my fix for 1097:

I had the same problem, and spent a week browsing around and trying to find
solutions. DNS is good, time sync is good, GPO's apply for the user, they
just didn't apply for the machine. The Windows Firewall is configured to
"Off".

HOWEVER, I was also receiving audit failures in the security log from the
Windows Firewall showing that LSASS.EXE was trying to open a port and was
getting rejected by the firewall.

I was able to correct this by going into Services, and setting "Windows
Firewall / Internet Connection Sharing" to DISABLED. Apparently, the
Firewall still has to start up and run long enough to read its config before
setting itself to quit blocking connections. On my slower domain
controllers, this delay (starting the Firewall, blocking connections, then
reading the config to stop blocking) was long enough to cause the events and
to prevent the domain controller from running machine-based group policies.
This was important to me because I use the GPO software distribution heavily.

I ended up finding three fixes. The one I preferred is to disable the
Windows Firewall service completely (I have dedicated firewalls).
Alternatively, in the Control Panel / Windows Firewall, Advanced, you can
un-check your internal NIC to not run the firewall on that interface. Or,
you could try creating a firewall exception for the "LSASS.EXE" process.
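An added example, not part of Jason Walker's post: before picking one of his three fixes, confirm the firewall really is what blocks LSASS at boot. The script pulls the Security-log audit failures that name lsass.exe from the current boot, lines them up with the 1097 and 1030 events in the Application log, and only then applies the chosen remedy using the Server 2003 SP1-era `sc` and `netsh firewall` commands his three options map onto. Assumed: Windows PowerShell run elevated on the DC, a 180-second window after boot in which a block counts as "startup", and "Local Area Connection" as the internal NIC name; all three are parameters.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell run elevated on
# the DC; $BootWindowSeconds and $InternalNic are assumed values. sc and
# netsh firewall are the Server 2003 SP1-era tools the three fixes map onto.
param(
    [int]$BootWindowSeconds = 180,
    [ValidateSet('none','service','interface','exception')] [string]$Fix = 'none',
    [string]$InternalNic = 'Local Area Connection'
)

$os       = Get-WmiObject Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)

# Firewall audit failures that name lsass.exe, logged inside the boot window
$fwBlocks = @(Get-EventLog -LogName Security -EntryType FailureAudit -After $lastBoot |
    Where-Object { $_.Message -match 'lsass\.exe' -and
                   ($_.TimeGenerated - $lastBoot).TotalSeconds -le $BootWindowSeconds })

# The two Group Policy events from the thread, same boot
$gpEvents = @(Get-EventLog -LogName Application -After $lastBoot |
    Where-Object { 1097, 1030 -contains $_.EventID })

# One timeline, so you can see whether the block precedes the 1097/1030 pair
$fwBlocks + $gpEvents | Sort-Object TimeGenerated |
    Format-Table TimeGenerated, Source, EventID,
                 @{ n = 'Text'; e = { ($_.Message -split "`n")[0] } } -AutoSize

if ($fwBlocks.Count -eq 0) {
    "No firewall block of lsass.exe since boot; this is not the cause here. Check DNS, time sync and the machine account."
    return
}

switch ($Fix) {
    # Fix 1: the whole Windows Firewall/ICS service off (service name SharedAccess); takes effect at next boot
    'service'   { sc.exe config SharedAccess start= disabled
                  "Windows Firewall/ICS service set to Disabled." }
    # Fix 2: firewall off on the internal interface only
    'interface' { netsh firewall set opmode mode=DISABLE interface="$InternalNic" }
    # Fix 3: a program exception for lsass.exe, limited to the local subnet
    'exception' { netsh firewall add allowedprogram program="$env:SystemRoot\system32\lsass.exe" `
                      name="LSASS" mode=ENABLE scope=SUBNET }
    default     { "Found $($fwBlocks.Count) lsass.exe block(s) at startup. Re-run with -Fix service, interface or exception." }
}
```

Run it once with no `-Fix` to see the timeline; if the first lsass.exe block lands a few seconds before the 1097, you are looking at the startup race the post describes. Fix 1 removes the firewall entirely and is only sensible when, as the post says, a dedicated firewall sits in front of the DC; fix 3 is the narrowest change and is the one to try first on a DC that must keep the host firewall on.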
