Add Windows 2003 server to Windows 2000 mixed mode server

noob admin
Sep 10, 2006, 1:10:02 PM
I have a win 2000 server in mixed mode (NT4.0 compatible) that is giving me fits with "Access Denied" errors in trying to do the initial replication to my new 2003 server.

On the 2000 DC I did run:
adprep /forestprep
adprep /domainprep
adprep /domainprep /gpprep

and had no errors.

I'm using the "Configure Your Server" panel and already had to pull the 2003 server out manually once. This involved both demoting it on itself and also using the support tools on the 2000 DC.
(You know when you have it out, because only then can you put it back.)

I put it back, and now have a 1/2 installed AD, that can login users, assign
folder perms, but still no SYSVOL, lots of Access Denied Kerberos errors
even though dcdiag says that's not the problem.

I've tried everything in the forums, to no avail.

Two questions I guess.

1) Do I have to raise the 2000 server to native mode before I get a good
automatic replication? (Currently it's in mixed mode).

2) Can I manually force the copy from the old to the new, just to get the full AD, and then turn off the old box? (And do a clean up on the new box as we did on the old one?)

Any clues appreciated.

RobV.


Jorge de Almeida Pinto [MVP - DS]
Sep 10, 2006, 1:28:48 PM
post the output of:
DCDIAG /D /C /V

also post event IDs with warning/errors

answers:
(1) no
(2) replication is not working and that has a reason which must be solved
first

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!

noob admin
Sep 11, 2006, 1:21:02 AM
Jorge, Thank You So Much.

I'll have access to the server by 8:00am PST tomorrow (9/11/06), and I'll post the dcdiag output.

Sincerely,
RobV.

Jorge Silva
Sep 11, 2006, 10:05:06 AM
Hi
Inline

> 1) Do I have to raise the 2000 server to native mode before I get a good
> automatic replication? (Currently it's in mixed mode).
No. Windows 2003 also works in mixed mode, and if you have NT4 DCs in your
domain, increasing the DFL will cause problems to NT4 DCs (they'll stop
working).

> 2) Can I manually force the copy from the old to the new, just to get the
> full AD, and then turn off the old box.?
> (and do a clean up on the new box as we did on the old one).?

If you're referring to manually removing the old DC from the network, I would reconsider that, because the problems probably won't go away by removing the old server. Your problem sounds more like a configuration problem (DNS, for example), so I would fix those problems first and then, if you want, remove the server using Dcpromo.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator


noob admin
Sep 11, 2006, 12:19:03 PM
They only allow 30k characters, I've got 57k characters

send me your email address at rvan...@hotmail.com and
I'll send back the output.

Sincerely,
RobV.



noob admin
Sep 11, 2006, 2:16:01 PM
Here goes... (real long)
Server1 is the Windows 2000 DC
Server2 is the Windows 2003 DC-to-be
I ran the command on both boxes.
fyi: dnslint passes on both machines.

Server1

DC Diagnosis

Performing initial setup:
* Verifing that the local machine Server1, is a DC.
* Connecting to directory service on server Server1.
* Collecting site info.
* Identifying all servers.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial non skippeable tests

Testing server: Default-First-Site-Name\Server1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... Server1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\Server1
Starting test: Replications
* Replications Check
......................... Server1 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... Server1 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... Server1 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=my_domain,DC=local
* Security Permissions Check for
CN=Configuration,DC=my_domain,DC=local
* Security Permissions Check for
DC=my_domain,DC=local
......................... Server1 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... Server1 passed test NetLogons
Starting test: Advertising
The DC Server1 is advertising itself as a DC and having a DS.
The DC Server1 is advertising as an LDAP server
The DC Server1 is advertising as having a writeable directory
The DC Server1 is advertising as a Key Distribution Center
The DC Server1 is advertising as a time server
The DS Server1 is advertising as a GC.
......................... Server1 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
Role Domain Owner = CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
Role PDC Owner = CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
Role Rid Owner = CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
......................... Server1 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2338 to 1073741823
* Server1.my_domain.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1838 to 2337
* rIDNextRID: 1957
* rIDPreviousAllocationPool is 1838 to 2337
......................... Server1 passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/Server1.my_domain.local/my_domain.local
* SPN found :LDAP/Server1.my_domain.local
* SPN found :LDAP/Server1
* SPN found :LDAP/Server1.my_domain.local/my_domain
* SPN found :LDAP/e5985fa8-d13c-45c8-b28a-afa42e6757a5._msdcs.my_domain.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/e5985fa8-d13c-45c8-b28a-afa42e6757a5/my_domain.local
* SPN found :HOST/Server1.my_domain.local/my_domain.local
* SPN found :HOST/Server1.my_domain.local
* SPN found :HOST/Server1
* SPN found :HOST/Server1.my_domain.local/my_domain
* SPN found :GC/Server1.my_domain.local/my_domain.local
......................... Server1 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
Could not open IISADMIN Service on [Server1]:failed with 1060:
The specified service does not exist as an installed service.
* Checking Service: NtFrs
Could not open SMTPSVC Service on [Server1]:failed with 1060:
The specified service does not exist as an installed service.
......................... Server1 failed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... Server1 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
Server1 is in domain DC=my_domain,DC=local
Checking for CN=Server1,OU=Domain Controllers,DC=my_domain,DC=local
in domain DC=my_domain,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
in domain CN=Configuration,DC=my_domain,DC=local on 1 servers
Object is up-to-date on all servers.
......................... Server1 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer
prevented from starting by the File Replication Service.
......................... Server1 passed test frssysvol
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x800004F1
Time Generated: 09/11/2006 08:39:42
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800004F1
Time Generated: 09/11/2006 08:39:42
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800004F1
Time Generated: 09/11/2006 08:39:42
(Event String could not be retrieved)
......................... Server1 failed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... Server1 passed test systemlog

Running enterprise tests on : my_domain.local
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
......................... my_domain.local passed test Intersite
Starting test: FsmoCheck
GC Name: \\Server1.my_domain.local
Locator Flags: 0xe00001fd
PDC Name: \\Server1.my_domain.local
Locator Flags: 0xe00001fd
Time Server Name: \\Server1.my_domain.local
Locator Flags: 0xe00001fd
Preferred Time Server Name: \\Server1.my_domain.local
Locator Flags: 0xe00001fd
KDC Name: \\Server1.my_domain.local
Locator Flags: 0xe00001fd
......................... my_domain.local passed test FsmoCheck



noob admin
Sep 11, 2006, 2:21:04 PM
===============================================
Here is the Server2 output...(Part 1)
(many failures)
Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine Server2, is a DC.
* Connecting to directory service on server Server2.

* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.

* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\Server2

Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... Server2 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\Server2

Starting test: Replications
* Replications Check
[Replications Check,Server2] A recent replication attempt failed:
From Server1 to Server2
Naming Context: CN=Schema,CN=Configuration,DC=my_domain,DC=local
The replication generated an error (5):
Access is denied.
The failure occurred at 2006-09-11 07:49:20.
The last success occurred at 2006-09-07 16:16:39.
92 failures have occurred since the last success.
[Replications Check,Server2] A recent replication attempt failed:
From Server1 to Server2
Naming Context: CN=Configuration,DC=my_domain,DC=local
The replication generated an error (5):
Access is denied.
The failure occurred at 2006-09-11 07:49:20.
The last success occurred at 2006-09-07 16:16:45.
92 failures have occurred since the last success.
[Replications Check,Server2] A recent replication attempt failed:
From Server1 to Server2
Naming Context: DC=my_domain,DC=local
The replication generated an error (5):
Access is denied.
The failure occurred at 2006-09-11 07:49:20.
The last success occurred at 2006-09-07 16:17:07.
116 failures have occurred since the last success.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
Server2: Current time is 2006-09-11 08:45:03.
CN=Schema,CN=Configuration,DC=my_domain,DC=local
Last replication recieved from Server1 at 2006-09-07 16:16:39.
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=my_domain,DC=local
Last replication recieved from Server1 at 2006-09-07 16:16:45.
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=my_domain,DC=local
Last replication recieved from Server1 at 2006-09-07 16:17:07.
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... Server2 passed test Replications

Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Schema,CN=Configuration,DC=my_domain,DC=local.
These servers can't get changes from home server Server2:
Default-First-Site-Name/Server1

* Analyzing the connection topology for
CN=Configuration,DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=my_domain,DC=local.
These servers can't get changes from home server Server2:
Default-First-Site-Name/Server1

* Analyzing the connection topology for DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for DC=my_domain,DC=local.
These servers can't get changes from home server Server2:
Default-First-Site-Name/Server1
......................... Server2 failed test Topology

Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified
for this replication operation is invalid..

* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified
for this replication operation is invalid..

* Analyzing the alive system replication topology for
CN=Configuration,DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified
for this replication operation is invalid..

* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified
for this replication operation is invalid..

* Analyzing the alive system replication topology for
DC=my_domain,DC=local.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified
for this replication operation is invalid..

* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified
for this replication operation is invalid..
......................... Server2 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC Server2.

* Security Permissions Check for
CN=Schema,CN=Configuration,DC=my_domain,DC=local
(Schema,Version 2)

* Security Permissions Check for
CN=Configuration,DC=my_domain,DC=local
(Configuration,Version 2)

* Security Permissions Check for
DC=my_domain,DC=local
(Domain,Version 2)
......................... Server2 passed test NCSecDesc

Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\Server2\netlogon)
[Server2] An net use or LsaPolicy operation failed with error 1203,
No network provider accepted the given network path..
......................... Server2 failed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for
\\Server1.my_domain.local, when we were trying to reach Server2.
Server is not responding or is not considered suitable.
The DC Server2 is advertising itself as a DC and having a DS.
The DC Server2 is advertising as an LDAP server
The DC Server2 is advertising as having a writeable directory
The DC Server2 is advertising as a Key Distribution Center
The DC Server2 is advertising as a time server
......................... Server2 failed test Advertising

Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
Role Domain Owner = CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
Role PDC Owner = CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
Role Rid Owner = CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
......................... Server2 passed test KnowsOfRoleHolders


Starting test: RidManager
* Available RID Pool for the Domain is 2338 to 1073741823
* Server1.my_domain.local is the RID Master
* DsBind with RID Master was successful

Warning: attribute rIdSetReferences missing from
CN=Server2,OU=Domain Controllers,DC=my_domain,DC=local
Could not get Rid set Reference :failed with 8481: The search
failed to retrieve attributes from the database.
......................... Server2 failed test RidManager
Starting test: MachineAccount
Checking machine account for DC Server2 on DC Server2.
Warning: Attribute userAccountControl of Server2 is: 0x82020 = (
UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT |
UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
* SPN found :LDAP/Server2.my_domain.local/my_domain.local
* SPN found :LDAP/Server2.my_domain.local
* SPN found :LDAP/Server2
* SPN found :LDAP/Server2.my_domain.local/my_domain
* SPN found :LDAP/48fa3212-a8b8-4180-b29d-8aa18d7ae26a._msdcs.my_domain.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/48fa3212-a8b8-4180-b29d-8aa18d7ae26a/my_domain.local
* SPN found :HOST/Server2.my_domain.local/my_domain.local
* SPN found :HOST/Server2.my_domain.local
* SPN found :HOST/Server2
* SPN found :HOST/Server2.my_domain.local/my_domain
* SPN found :GC/Server2.my_domain.local/my_domain.local
......................... Server2 passed test MachineAccount


Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs

* Checking Service: w32time
* Checking Service: NETLOGON
......................... Server2 passed test Services


Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered

......................... Server2 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
Server2 is in domain DC=my_domain,DC=local
Checking for CN=Server2,OU=Domain Controllers,DC=my_domain,DC=local

in domain DC=my_domain,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=Server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
in domain CN=Configuration,DC=my_domain,DC=local on 1 servers
Object is up-to-date on all servers.

......................... Server2 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
The registry lookup failed to determine the state of the SYSVOL. The error returned was 0 (The operation completed successfully.). Check the FRS event log to see if the SYSVOL has successfully been shared.
......................... Server2 passed test frssysvol
Starting test: frsevent


* The File Replication Service Event log test

......................... Server2 passed test frsevent


Starting test: kccevent
* The KCC Event log test

An Warning Event occured. EventID: 0x80250828
Time Generated: 09/11/2006 08:35:51


(Event String could not be retrieved)

......................... Server2 failed test kccevent


Starting test: systemlog
* The System Event log test

An Error Event occured. EventID: 0x00000423
Time Generated: 09/11/2006 08:04:41
Event String: The DHCP service failed to see a directory server

for authorization.


****************** about 30 repeated 0x0000168E errors deleted to allow port

An Error Event occured. EventID: 0x0000168E
Time Generated: 09/11/2006 08:39:44
Event String: The dynamic registration of the DNS record '_kpasswd._udp.my_domain.local. 600 IN SRV 0 100 464 Server2.my_domain.local.' failed on the following DNS server:

DNS server IP address: 192.168.1.10
Returned Response Code (RCODE): 5
Returned Status Code: 9017

For computers and users to locate this domain controller, this record must be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: %%9017

******************* End Deleted Group

noob admin
Sep 11, 2006, 2:22:01 PM
===============================================
Here is the Server2 output...(Part 2)

An Error Event occured. EventID: 0x40000004
Time Generated: 09/11/2006 08:41:22
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/Server2.my_domain.local. The target name used was LDAP/48fa3212-a8b8-4180-b29d-8aa18d7ae26a._msdcs.my_domain.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (my_domain.LOCAL), and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0xC0002719
Time Generated: 09/11/2006 08:41:27


(Event String could not be retrieved)

......................... Server2 failed test systemlog
Starting test: VerifyReplicas
......................... Server2 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference) CN=Server2,OU=Domain Controllers,DC=my_domain,DC=local and backlink on CN=Server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local are correct.
Some objects relating to the DC Server2 have problems:
[1] Problem: Missing Expected Value
Base Object: CN=Server2,OU=Domain Controllers,DC=my_domain,DC=local
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862


[1] Problem: Missing Expected Value
Base Object: CN=NTDS Settings,CN=Server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my_domain,DC=local
Base Object Description: "DSA Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862


......................... Server2 failed test VerifyReferences
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN references. Note, that these problems can be reported because of latency in replication. So follow up to resolve the following problems, only if the same problem is reported on all DCs for a given domain or if the problem persists after replication has had reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object: CN=Server2,OU=Domain Controllers,DC=my_domain,DC=local
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862


......................... Server2 failed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC Server1 for domain my_domain.local in site
Default-First-Site-Name
Checking machine account for DC Server2 on DC Server1.
* Missing SPN :LDAP/Server2.my_domain.local/my_domain.local
* Missing SPN :LDAP/Server2.my_domain.local
* Missing SPN :LDAP/Server2
* Missing SPN :LDAP/Server2.my_domain.local/my_domain
* Missing SPN :LDAP/48fa3212-a8b8-4180-b29d-8aa18d7ae26a._msdcs.my_domain.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/48fa3212-a8b8-4180-b29d-8aa18d7ae26a/my_domain.local

* Missing SPN :HOST/Server2.my_domain.local/my_domain.local
* Missing SPN :HOST/Server2.my_domain.local
* Missing SPN :HOST/Server2
* Missing SPN :HOST/Server2.my_domain.local/my_domain
* Missing SPN :GC/Server2.my_domain.local/my_domain.local
Unable to verify the machine account (CN=Server2,OU=Domain
Controllers,DC=my_domain,DC=local) for Server2 on Server1.
Source DC Server1 has possible security error (5). Diagnosing...
Found KDC Server1 for domain my_domain.local in site
Default-First-Site-Name
Checking time skew between servers:
Server1
Server2
Time is in sync: 0 seconds different.
Checking machine account for DC Server1 on DC Server1.


* SPN found :LDAP/Server1.my_domain.local/my_domain.local
* SPN found :LDAP/Server1.my_domain.local
* SPN found :LDAP/Server1
* SPN found :LDAP/Server1.my_domain.local/my_domain
* SPN found :LDAP/e5985fa8-d13c-45c8-b28a-afa42e6757a5._msdcs.my_domain.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/e5985fa8-d13c-45c8-b28a-afa42e6757a5/my_domain.local
* SPN found :HOST/Server1.my_domain.local/my_domain.local
* SPN found :HOST/Server1.my_domain.local
* SPN found :HOST/Server1
* SPN found :HOST/Server1.my_domain.local/my_domain
* SPN found :GC/Server1.my_domain.local/my_domain.local

* Security Permissions check for all NC's on DC Server1.


* Security Permissions Check for
CN=Schema,CN=Configuration,DC=my_domain,DC=local
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=my_domain,DC=local
(Configuration,Version 2)
* Security Permissions Check for
DC=my_domain,DC=local
(Domain,Version 2)

* Network Logons Privileges Check

Verified share \\Server1\netlogon
Verified share \\Server1\sysvol
Checking for CN=Server1,OU=Domain Controllers,DC=my_domain,DC=local in domain DC=my_domain,DC=local on 2 servers
Object is up-to-date on all servers.

[Server1] Unable to diagnose problem for this source. See
any errors reported in attempting tests.
......................... Server2 passed test CheckSecurityError

DNS Tests are running and not hung. Please wait a few minutes...

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : my_domain
Starting test: CrossRefValidation
......................... my_domain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... my_domain passed test CheckSDRefDom



Running enterprise tests on : my_domain.local
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
......................... my_domain.local passed test Intersite
Starting test: FsmoCheck
GC Name: \\Server1.my_domain.local
Locator Flags: 0xe00001fd
PDC Name: \\Server1.my_domain.local
Locator Flags: 0xe00001fd
Time Server Name: \\Server1.my_domain.local
Locator Flags: 0xe00001fd
Preferred Time Server Name: \\Server1.my_domain.local
Locator Flags: 0xe00001fd
KDC Name: \\Server1.my_domain.local
Locator Flags: 0xe00001fd
......................... my_domain.local passed test FsmoCheck

Starting test: DNS
Test results for domain controllers:

DC: Server2.my_domain.local
Domain: my_domain.local


TEST: Authentication (Auth)
Authentication test: Successfully completed

TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Standard Edition
(Service Pack level: 1.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000007] Intel(R) PRO/1000 MT Network
Connection:
MAC address is 00:13:72:F9:4C:33
IP address is static
IP address: 192.168.1.11
DNS servers:
192.168.1.10 (<name unavailable) [Valid]
Warning: 206.13.28.12 (<name unavailable) [Invalid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found
(secondary)
Root zone on this DC/DNS server was not found

TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders are not configured on this DNS server
Root hint Information:
Name: a.root-servers.net. IP: 198.41.0.4 [Invalid]
Name: b.root-servers.net. IP: 192.228.79.201 [Invalid]
Name: c.root-servers.net. IP: 192.33.4.12 [Invalid]
Name: d.root-servers.net. IP: 128.8.10.90 [Invalid]
Name: e.root-servers.net. IP: 192.203.230.10 [Invalid]
Name: f.root-servers.net. IP: 192.5.5.241 [Invalid]
Name: g.root-servers.net. IP: 192.112.36.4 [Invalid]
Name: h.root-servers.net. IP: 128.63.2.53 [Invalid]
Name: i.root-servers.net. IP: 192.36.148.17 [Invalid]
Name: j.root-servers.net. IP: 192.58.128.30 [Invalid]
Name: k.root-servers.net. IP: 193.0.14.129 [Invalid]
Name: l.root-servers.net. IP: 198.32.64.12 [Invalid]
Name: m.root-servers.net. IP: 202.12.27.33 [Invalid]

TEST: Delegations (Del)
No delegations were found in this zone on this DNS server

TEST: Dynamic update (Dyn)
Dynamic Update tests are skipped since my_domain.local
is a secondary zone. DNS Record updates can't happen on
the secondary zones

TEST: Records registration (RReg)
Network Adapter [00000007] Intel(R) PRO/1000 MT Network
Connection:
Matching A record found at DNS server 192.168.1.10:
Server2.my_domain.local

Matching CNAME record found at DNS server 192.168.1.10:
48fa3212-a8b8-4180-b29d-8aa18d7ae26a._msdcs.my_domain.local

Warning: Missing DC SRV record at DNS server
192.168.1.10 :
_ldap._tcp.dc._msdcs.my_domain.local
(Ignore the error if DNSAvoidRegisterRecord registry
key or its Group Policy
has been configured to prevent registration of this
Record.)

Error: Record registrations cannot be found for all the
network adapters

Summary of test results for DNS servers used by the above domain
controllers:

DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 192.112.36.4 (g.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
[Error details: 9002 (Type: Win32 - Description: DNS server
failure.)]

DNS server: 192.203.230.10 (e.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 192.228.79.201 (b.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 192.33.4.12 (c.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 192.36.148.17 (i.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 192.5.5.241 (f.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 192.58.128.30 (j.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
[Error details: 9002 (Type: Win32 - Description: DNS server
failure.)]

DNS server: 193.0.14.129 (k.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 198.32.64.12 (l.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 198.41.0.4 (a.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 202.12.27.33 (m.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 206.13.28.12 (<name unavailable)
1 test failure on this DNS server
This is a valid DNS server.
Name resolution is not functional.
_ldap._tcp.my_domain.local. failed on the DNS server 206.13.28.12
[Error details: 9003 (Type: Win32 - Description: DNS name
does not exist.)]

DNS server: 192.168.1.10 (<name unavailable)
All tests passed on this DNS server
This is a valid DNS server.
Name resolution is funtional. _ldap._tcp SRV record for the
forest root domain is registered

Summary of DNS test results:

Auth Basc Forw Del Dyn RReg Ext
________________________________________________________________
Domain: my_domain.local
Server2 PASS WARN FAIL PASS n/a FAIL n/a

......................... my_domain.local failed test DNS

Jorge Silva

unread,
Sep 11, 2006, 4:39:23 PM9/11/06
to
Are you sure that "\\Server1.my_domain.local" is your server name, or did you
just change that and it is something like \\Server1.mydomain.local?

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"noob admin" <noob...@discussions.microsoft.com> wrote in message

news:63167432-0950-4E45...@microsoft.com...

Jorge Silva

unread,
Sep 11, 2006, 4:42:38 PM9/11/06
to
please place the results for both servers of ipconfig /all

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"noob admin" <noob...@discussions.microsoft.com> wrote in message

news:1C1F609E-D354-417D...@microsoft.com...

noob admin

unread,
Sep 11, 2006, 5:30:02 PM9/11/06
to
Yes, I changed them.

The customer is paranoid about their identity.

The real names are like xxx_nt_server and yyy_2k3_server.

They can share drives and such, just no AD. Also, I confirmed that
the SMTP service was not installed on either. The first listing blows
out in NtFRS at that point.

Thanks,
RobV.

Jorge Silva

unread,
Sep 11, 2006, 5:52:21 PM9/11/06
to
ipconfig /all for both servers?


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"noob admin" <noob...@discussions.microsoft.com> wrote in message

news:18C61AE3-6646-4DF4...@microsoft.com...

noob admin

unread,
Sep 11, 2006, 6:55:02 PM9/11/06
to
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : xxx_nt_server
Primary DNS Suffix . . . . . . . : xxx_dom.local
Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

Windows IP Configuration

Host Name . . . . . . . . . . . . : yyy_w2k3_server

Primary Dns Suffix . . . . . . . : xxx_dom.local

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : Yes

WINS Proxy Enabled. . . . . . . . : Yes

DNS Suffix Search List. . . . . . : xxx_dom.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection

Physical Address. . . . . . . . . : 00-13-72-F9-4C-33

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.1.11

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.254

DNS Servers . . . . . . . . . . . : 192.168.1.10

206.13.28.12


WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : xxx_dom.local

Ethernet adapter Local Area Connection 3:

Media State . . . . . . . . . . . : Cable Disconnected

Description . . . . . . . . . . . : HP NetServer 10/100TX PCI LAN Adapter
Physical Address. . . . . . . . . : 00-D0-B7-20-19-67


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0B-CD-4E-E9-17

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.1.10

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.254

DNS Servers . . . . . . . . . . . : 192.168.1.10
207.215.92.4
207.105.189.2


Where do I change the Kerberos passwords to what I want them to be
on both machines?

Installing the SMTP service on server1 cleared up the NtFRS test, but outbound
channels still failed.


Jorge Silva

unread,
Sep 11, 2006, 8:13:32 PM9/11/06
to
This is messy...

If you want to replace the values so as not to show the real names, make sure that
you do it correctly: DON'T CHANGE THE STRUCTURE.
If your server is
dc01.addomain.local, replace it with Server01.mydomain.local.
Maintain the exact structure please, DON'T CHANGE THE STRUCTURE; this is
important to see if DNS is OK.

You send:
xxx_nt_server.xxx_dom.local
then you have
yyy_w2k3_server.xxx_dom.local

Then you have 3 different NIC configurations; which one is which?
Ok.

-Now, it sounds like 192.168.1.10 is your DNS server, is this correct?
-I also see that you have a multihomed DC; this isn't recommended. Check if
the DNS is listening on the correct IP address (192.168.1.10). It would be
better to disable the RRAS server on that DC and the public NIC.
-Check if the DNS server zone allows dynamic updates in the DNS zone.
-On the DNS server run netdiag /fix (install the support tools first).
-Go to the server 192.168.1.11 and run ipconfig /registerdns, and verify
that the record was created in the DNS server.
-REMOVE the ISP DNS servers from the DNS properties on both servers.

FOR DNS CONFIGURATION:
Assuming DNS AD Integrated Zone

-Make sure that each DNS server points to itself under NIC preferred DNS. If
the Server IP-Address is 192.168.0.1 then the preferred DNS should also be
192.168.0.1.

-When adding additional DCs to an existing domain, if you want to make
it a DNS server, install the DNS service, make sure that the server (the
additional DC) points to the existing DNS DC under NIC preferred DNS, then
run Dcpromo, wait or force replication (this can take a while), then check
in the DNS console, and if the DNS zone is already transferred, point the
additional DC to itself again.

- Clients: Make sure that the clients only use their local available DNS
server(s) on their NIC DNS configuration. Do not place the ISP DNS server or
any other DNS on the client or DNS Server NIC properties, this is a common
mistake. The clients should use their local DNS server to resolve all
queries. It's up to the local DNS server to handle the Internet resolution
as any other Zone that the DNS is not authoritative for. Check the link for
configuring DNS for Internet resolution.

Note: The DNS client does not utilize each of the DNS servers listed in
TCP/IP configuration for each query. By default, on startup the DNS client
will attempt to utilize the server in the Preferred DNS server entry. If
this server FAILS to respond for any reason, the DNS client will switch to
the server listed in the alternate DNS server entry. The DNS client will
continue to use this alternate DNS server.

Best practices for DNS client settings in Windows 2000 Server and in Windows
Server 2003

http://support.microsoft.com/kb/825036/en-us

How to configure DNS for Internet access in Windows Server 2003

http://support.microsoft.com/kb/323380/


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"noob admin" <noob...@discussions.microsoft.com> wrote in message

news:02529ED6-30C7-4742...@microsoft.com...
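The DNS-client rules in the post above (only internal resolvers on a DC, a DNS server pointing to itself as preferred DNS) as an added check that is not from the thread: it parses ipconfig /all output and reports the deviations. The sample text, the set of internal DNS servers and the function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample, modelled on the ipconfig /all output posted in the thread
# (a DC that runs DNS but lists the other DC first and an ISP resolver second).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       206.13.28.12
"""


def parse_ipconfig(text):
    """Return (ip_address, [dns servers]) for the first adapter with an IP address."""
    ip, dns, in_dns = None, [], False
    for line in text.splitlines():
        m = re.match(r"\s*IP Address[ .]*: (\S+)", line)
        if m:
            ip, in_dns = m.group(1), False
            continue
        m = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
        if m:
            dns, in_dns = [m.group(1)], True
            continue
        # ipconfig prints extra DNS servers on indented continuation lines
        if in_dns and re.fullmatch(r"[0-9.]+", line.strip()):
            dns.append(line.strip())
        else:
            in_dns = False
    return ip, dns


def audit_dns_clients(ip, dns_servers, internal_dns, runs_dns):
    """Apply the post's rules; internal_dns is the (hypothetical) set of DC/DNS addresses."""
    findings = []
    for s in dns_servers:
        if s not in internal_dns:
            kind = "public" if not ipaddress.ip_address(s).is_private else "non-DC"
            findings.append(f"{kind} resolver {s} listed on {ip}; remove it")
    if runs_dns and dns_servers and dns_servers[0] != ip:
        findings.append(f"{ip} runs DNS but prefers {dns_servers[0]}, not itself")
    return findings


if __name__ == "__main__":
    ip, dns = parse_ipconfig(SAMPLE_IPCONFIG)
    for f in audit_dns_clients(ip, dns, {"192.168.1.10", "192.168.1.11"}, True):
        print("FINDING:", f)
```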

noob admin

unread,
Sep 11, 2006, 8:25:01 PM9/11/06
to
I think this isn't going to go anywhere soon enough for the customer.

This environment is too hosed. It has been decided to end this hairball
and just add the users to the server, cut over from the old server
and turn it off.

5 days, no results.. enough.

Thanks for all your help.

Sincerely,
RobV.

noob admin

unread,
Sep 11, 2006, 10:30:01 PM9/11/06
to
Hi Jorge,

Thanks for replying..

No, there are two separate machines, neither of which is actively multihomed
(the extra NICs are disabled).

The x's and y's are because the company's initials are part of the hostnames
(not my call).

I'm very sorry if that caused you any grief. Please accept my apologies.

The first machine xxx is (was) the only DC until the client bought a new
Dell, and Windows 2003 Server from my company.

I followed the docs for adding a W2k3 server to a w2k DC domain to the
letter. The fact is the old machine had never been properly installed, and
folks had messed with the Registry in places I'm still finding out about.

F.y.i.: 206.13.28.12 is Pac-Bell DNS. I just searched and the 207's point to the
former maintenance company's servers, NOT to the client's ISP. Nice guys.

I might be able to slip in one more try at it, and thanks for the play by play
for future reference. Otherwise, we're just going to build it from the ground
up and unplug the heap of slag the "other guys" left us.

Sincerely,
RobV.
