
DNS Nightmare - Can't create forward zone


BertramWilbe...@gmail.com

May 2, 2006, 7:22:22 AM
Hi,

I am having trouble with Active Directory and DNS on a new Windows 2003
box. The default entries (_ldap etc.) which are usually created by
netlogon are not there, nor can I manage to create them. I have tried
creating the forward zone from scratch, however I am not able to.

When I try to create a new forward zone, I get the message:

"The zone cannot be replicated to all DNS servers in the (null) Active
Directory domain because the required application directory partition
does not exist. Only Enterprise Administrators have the appropriate
permissions to create an application directory partition."

As I'm logged on as Administrator, which is in the Enterprise Admins
group, this is somewhat worrying!

The message goes on to advise me to try using "Replicate to All Domain
Controllers in the Active Directory Domain" option. When I do this I
get:

"The zone can not be created - The data is invalid"


netdiag /fix gives the following output:

<snip>

DNS test . . . . . . . . . . . . . : Failed
[WARNING] Cannot find a primary authoritative DNS server for
the name
'dbsvr.domain.net.'. [ERROR_TIMEOUT]
The name 'dbsvr.domain.net.' may not be registered in DNS.
[WARNING] Cannot find a primary authoritative DNS server for
the name
'dbsvr.domain.net.'. [ERROR_TIMEOUT]
The name 'dbsvr.domain.net.' may not be registered in DNS.
[FATAL] Failed to fix: DC DNS entry domain.net. re-registeration on
DNS server '100.200.52.145' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.domain.net.
re-registeration on DNS server '100.200.52.145' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.domain.net. re-registeration
on DNS server '100.200.52.145' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.ec198d88-e0cb-4344-8703-b17839ed5ebd.domains._msdcs.domain.net.
re-registeration on DNS server '100.200.52.145' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.domain.net.
re-registeration on DNS server '100.200.52.145' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.dc._msdcs.domain.net. re-registeration on DNS server
'100.200.52.145' failed.

<snip>

Does anyone know what steps I can take to get me back on my feet with
regards to DNS? Just let me know if you want the output from any more
commands.

As I'm sure you can imagine, this lack of DNS is causing me all sorts
of problems with AD, so any advice you can give will be immensely
appreciated!

Thanks,

Berty

(I'm afraid I've also posted this in .sbs, as I wasn't sure which was
the best location)

strongline

May 2, 2006, 10:35:41 AM
try to create non-ad-integrated zones to see if that makes your DNS
work first. then you can work on other issues.

Jorge Silva

May 2, 2006, 1:47:07 PM
Hi

Follow these steps:

- Point the DNS properties of Dc to the root Dc.

- Type on cmd prompt
dnscmd /clearcache press enter
ipconfig /flushdns press enter

- Go to c:\windows\system32\config and delete the netlogon.dns and the
netlogon.dnb files.

- Create the Dns Zone (At this point no error is shown)

- Point the DNS properties of Dc to itself (Make sure that the server is
capable of resolving the root domain through Forward zones or stub Zones or
Secondary zones)

- Type on cmd prompt
ipconfig /registerdns

- Type - net stop netlogon & net start netlogon (confirm the creation of the
netlogon.dns and the netlogon.dnb files on c:\windows\system32\config )

- Type - Netdiag /fix

- Test replication.

It should be fine now.

--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator


Jorge de Almeida Pinto [MVP]

May 2, 2006, 2:34:31 PM
Do the default DNS application partitions exist on the DC/DNS server or at
all?
under the ZONE domain.net you should see a subdomain called "DomainDNSZones"
and "ForestDNSZones".
Yes or no?
If no, then -->
http://www.windowsitpro.com/Article/ArticleID/47199/47199.html

if the DNS app. partition does not exist on that particular DC/DNS server
but it does on others, check if replication is working.

if it does not exist (for some reason) on all DC/DNS servers then recreate
it.
http://technet2.microsoft.com/WindowsServer/en/Library/c2d2fcbd-c859-493e-a4fc-aef57a880db11033.mspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------


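The checks the two Jorges ask for above (does the DC point at itself for DNS, do the DomainDnsZones/ForestDnsZones application partitions exist, is the zone AD-integrated, did netlogon register its SRV and GUID records, does netlogon.dns exist) can be scripted as a read-only health check. The script below is an added example and not code from anyone in this thread; it assumes the ActiveDirectory, DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later, not the 2003 box the poster has, where dnscmd and netdiag remain the tools) and that it is run on the DC itself by a member of Enterprise Admins.

```powershell
# Added example: read-only DC DNS health check (not from the thread).
# Assumes the ActiveDirectory, DnsServer and DnsClient modules (Server 2012+),
# run locally on the DC as an Enterprise Admin.
Import-Module ActiveDirectory, DnsServer, DnsClient -ErrorAction Stop

$domain  = (Get-ADDomain).DNSRoot
$forest  = (Get-ADForest).RootDomain
$dc      = Get-ADDomainController -Identity $env:COMPUTERNAME
$ownIPs  = @((Get-NetIPAddress -AddressFamily IPv4 |
              Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress)
$results = [ordered]@{}

# 1. The DC's own NIC must use a DNS server that hosts the AD zone (normally
#    itself). In the thread it ended up pointing at root servers, so every
#    locator lookup (_ldap, _kerberos) failed.
$clientDns = @((Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses }).ServerAddresses)
$results['DC uses itself as DNS server'] = [bool]($clientDns | Where-Object { $ownIPs -contains $_ })

# 2. The application directory partitions an AD-integrated zone replicates into.
#    "dnscmd /enumdirectorypartitions" reporting 0 was the poster's symptom.
$partitions = @((Get-DnsServerDirectoryPartition).DirectoryPartitionName)
foreach ($p in "DomainDnsZones.$domain", "ForestDnsZones.$forest") {
    $results["Partition $p is enlisted"] = $partitions -contains $p
}

# 3. The domain zone should be stored in AD, which is what the
#    "Replicate to all DNS servers" option needs.
$zone = Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue
$results['Zone is AD-integrated'] = [bool]($zone -and $zone.IsDsIntegrated)

# 4. Records netlogon registers: the domain-wide LDAP SRV record and the
#    DSA-GUID CNAME under _msdcs that replication partners resolve first
#    (dcdiag's "Guid DNS name could not be resolved" refers to this one).
$dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
foreach ($q in @(@{ Name = "_ldap._tcp.$domain";      Type = 'SRV' },
                 @{ Name = "$dsaGuid._msdcs.$forest"; Type = 'CNAME' })) {
    $ok = $false
    try   { $ok = [bool](Resolve-DnsName -Name $q.Name -Type $q.Type -Server $ownIPs[0] -DnsOnly -ErrorAction Stop) }
    catch { }
    $results["$($q.Type) $($q.Name) resolves"] = $ok
}

# 5. netlogon.dns is the file netlogon writes and re-registers from; it must
#    exist and list the SRV record for this domain.
$netlogonDns = Join-Path $env:SystemRoot 'system32\config\netlogon.dns'
$srvPattern  = "^_ldap\._tcp\.$([regex]::Escape($domain))\."
$results['netlogon.dns lists _ldap._tcp record'] = (Test-Path $netlogonDns) -and (Select-String -Path $netlogonDns -Pattern $srvPattern -Quiet)

$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f @($(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key)
}
```

Every line is a read, so the script can be run repeatedly while working through the repair steps; a FAIL on check 1 should be fixed before anything else, because the remaining checks are only meaningful once the DC queries a server that hosts the zone.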

Bertram

May 3, 2006, 12:02:44 PM
Hi,

Thank you all for your responses.

strongline - I was able to create the DNS zone, but I got the same
error message when I tried to convert the zone to AD-integrated.

Jorge Silva - I followed the recommended steps, however I got the same
error message when I tried to recreate the zone (step four).

Jorge de Almeida Pinto - This is the only DC in the domain, and the
zone does not exist at all. I am currently following the steps in the
windowsitpro.com article - if this meets with no success I shall try
the technet article.

Any more suggestions?

Thank you all for taking the time to respond.

Bertram

May 3, 2006, 12:07:13 PM
Further info:

C:\Documents and Settings\Administrator>dnscmd servername
/createbuiltindirectorypartitions /domain

Create built-in directory partitions failed
status = 13 (0x0000000d)

Command failed: ERROR_INVALID_DATA 13 (0000000d)

When I try dnscmd /enumdirectorypartitions

Bertram

May 3, 2006, 12:07:40 PM
Further info:

When I try dnscmd /enumdirectorypartitions, I am told there are 0!!!


Jorge de Almeida Pinto [MVP]

May 3, 2006, 3:56:27 PM
ok... back to basics...

is that DC the domain naming master FSMO?

NETDOM QUERY FSMO to find out who is the domain naming master FSMO?

is it that live DC or is it some other DC that does not exist anymore? if
true, you need to seize the FSMO role and possibly other roles


strongline

May 3, 2006, 4:01:39 PM
he did mention that he has only one DC.

strongline

May 3, 2006, 4:09:23 PM
sorry my bad, didn't realize that he could have multiple domains.

Jorge de Almeida Pinto [MVP]

May 3, 2006, 4:11:44 PM
yes, true...

I'm just checking, as the possibility is there he could have had another DC
which was the owner of the FSMOs and that DC has been pulled out the AD


Jorge de Almeida Pinto [MVP]

May 3, 2006, 4:13:05 PM
What I'm doing is checking any assumption before believing it...


Jorge Silva

May 3, 2006, 7:03:26 PM
Hi

hum... this is strange....

Only one Dc?

Please Try the following steps:

- Make sure that the Dns Settings of the Dc has the IPAddress of the Dc ->
Right Click My Network places choose properties -> Right click local area
connection choose properties -Select TCPIP and choose properties -> Make
sure that in Preferred DNS server you have the Same IP that you have in IP
Address.

- Uninstall Dns - Go to Start -> Settings -> Control Panel -> Add remove
Programs -> Add/Remove Windows Components -> Select Networking Services ->
Choose details -> Unselect Dns -> click Ok -> then Next -> next...

- Go to c:\windows\system32\config and delete the netlogon.dns and the
netlogon.dnb files.

- Go to c:\windows\system32\config and delete the Dns Folder.

- Install Dns - Go to Start -> Settings -> Control Panel -> Add remove
Programs -> Add/Remove Windows Components -> Select Networking Services ->
Choose details -> Select Dns -> click Ok -> then Next -> next...

- Create Dns Zone - Go to Start -> Settings -> Control Panel -> open DNS
console -> create the zone.

- go to the command prompt

- type in the following order:

ipconfig /registerdns (press enter)
net stop netlogon & net start netlogon (press enter confirm the creation

of the netlogon.dns and the netlogon.dnb files on
c:\windows\system32\config )

Netdiag /fix

It should be fine now.

- After this, if you are still having problems please post the results here for:
netdiag /q



Bertram

May 4, 2006, 5:00:10 AM
Hi guys,

This is indeed the only DC in the domain. There was another DC, which
has since been removed. FSMO roles were transferred successfully
before the old server was removed. netdom query fsmo confirms that this
server is holding all five roles - let me know if you want me to post
the output for your verification.

I have tried uninstalling and reinstalling DNS, however I did not
delete netlogon.dns and dns/, so I'll try that now.

Not sure if it's relevant, but now the server keeps shutting down every
hour as it seems to think it is not licensed!

Also, I think this is somewhere near the root of the problem:

When I try to recreate the active directory partition (using ntdsutil)
I am told that I do not have permission to do so, even when I'm logged
on as administrator. I added my personal account to enterprise admins
and had the same problem. Any advice?

Thanks again, I really appreciate the help you guys are giving me!

Berty

Bertram

May 4, 2006, 8:03:35 AM
Update: I've just tried reinstalling DNS, and I'm still having the same
problem. When I try to create the zone, I am told the active directory
partition doesn't exist. I have tried recreating this partition, but am
told I do not have the requisite permissions.

Argh!

Jorge Silva

May 4, 2006, 9:05:39 AM
Hi

Which account are you using to create the DNS partition? Are you using the
Administrator account (member of Enterprise Admins and member of Domain
Admins, etc.)?

Check:
1. Reboot the server and press F8. Choose Directory Services Restore Mode
from the Menu.
2. Check the physical location of the Winnt\NTDS\ folder.
3. Check the permissions on the \Winnt\NTDS folder.

The default permissions are (confirm this):
Administrators - Full Control
System - Full Control
4. Open a command prompt and run NTDSUTIL to verify the paths for the
NTDS.dit file. These should match the physical structure from Step 2


To check the file paths type the following commands:

NTDSUTIL <enter>
Files <enter>
Info <enter>

The output should look similar to:

Drive Information:

C:\ NTFS (Fixed Drive) free (2.9 Gb) total (3.9 Gb)
D:\ NTFS (Fixed Drive) free (3.6 Gb) total (3.9 Gb)

DS Path Information:

Database : C:\WINNT\NTDS\ntds.dit - 10.1 Mb
Backup dir: C:\WINNT\NTDS\dsadata.bak
Working dir: C:\WINNT\NTDS
Log dir : C:\WINNT\NTDS - 30.0 Mb total
res2.log - 10.0 Mb
res1.log - 10.0 Mb
edb.log - 10.0 Mb
5. Reboot the server to Normal Mode.


Bertram

May 4, 2006, 11:42:22 AM
Hi Jorge,

I have followed your instructions, and can confirm the following:

c:\windows\ntds exists, and Administrator has Full Control over it and
its contents, as does System.

Output from ntdsutil seems to match yours:

Drive Information:

C:\ NTFS (Fixed Drive ) free(242.3 Gb) total(271.3 Gb)

DS Path Information:

Database : C:\WINDOWS\NTDS\ntds.dit - 14.1 Mb
Backup dir : C:\WINDOWS\NTDS\dsadata.bak
Working dir: C:\WINDOWS\NTDS
Log dir : C:\WINDOWS\NTDS - 50.0 Mb total


res2.log - 10.0 Mb
res1.log - 10.0 Mb

edb00003.log - 10.0 Mb
edb00002.log - 10.0 Mb
edb.log - 10.0 Mb

Server is now back to normal mode, but giving the same problem. Are
there any further steps you can recommend, in addition to the
impressive amount of help you've given me so far?

Thanks,

Berty

Jorge de Almeida Pinto [MVP]

May 4, 2006, 12:16:11 PM
what are event IDs with errors?

do a DCDIAG /V /C /D


Bertram

May 5, 2006, 4:34:44 AM
OK, I'm not sure what's pertinent and what's not, so I thought I'd post
the entire output for your perusal:

===========================


Command Line: "dcdiag.exe /v /c /d"

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine ag-dbsvr, is a DC.
* Connecting to directory service on server ag-dbsvr.
ag-dbsvr.currentTime = 20060505081315.0Z
ag-dbsvr.highestCommittedUSN = 301466
ag-dbsvr.isSynchronized = 1
ag-dbsvr.isGlobalCatalogReady = 1
* Collecting site info.
* Identifying all servers.
AG-DBSVR.currentTime = 20060505081315.0Z
AG-DBSVR.highestCommittedUSN = 301466
AG-DBSVR.isSynchronized = 1
AG-DBSVR.isGlobalCatalogReady = 1
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.


===============================================Printing out pDsInfo

GLOBAL:
ulNumServers=2
pszRootDomain=mydomain.net
pszNC=
pszRootDomainFQDN=DC=mydomain,DC=net
pszConfigNc=CN=Configuration,DC=mydomain,DC=net
pszPartitionsDn=CN=Partitions,CN=Configuration,DC=mydomain,DC=net
iSiteOptions=0
dwTombstoneLifeTimeDays=60

dwForestBehaviorVersion=0

HomeServer=1, AG-DBSVR

SERVER: pServer[0].pszName=TEMPSVR
pServer[0].pszGuidDNSName=7ae70e6f-3be2-45c3-a013-04661ca67912._msdcs.mydomain.net
pServer[0].pszDNSName=tempsvr.mydomain.net
pServer[0].pszDn=CN=NTDS
Settings,CN=TEMPSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
pServer[0].pszComputerAccountDn=(null)
pServer[0].uuidObjectGuid=7ae70e6f-3be2-45c3-a013-04661ca67912
pServer[0].uuidInvocationId=7ae70e6f-3be2-45c3-a013-04661ca67912
pServer[0].iSite=0 (Default-First-Site-Name)
pServer[0].iOptions=1
pServer[0].ftLocalAcquireTime=00000000 00000000

pServer[0].ftRemoteConnectTime=00000000 00000000

pServer[0].ppszMasterNCs:
ppszMasterNCs[0]=CN=Schema,CN=Configuration,DC=mydomain,DC=net
ppszMasterNCs[1]=CN=Configuration,DC=mydomain,DC=net
ppszMasterNCs[2]=DC=mydomain,DC=net

SERVER: pServer[1].pszName=AG-DBSVR
pServer[1].pszGuidDNSName=1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net
pServer[1].pszDNSName=ag-dbsvr.mydomain.net
pServer[1].pszDn=CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
pServer[1].pszComputerAccountDn=CN=AG-DBSVR,OU=Domain
Controllers,DC=mydomain,DC=net
pServer[1].uuidObjectGuid=1750286d-b0a6-4633-a9d0-63967c9a5fcb
pServer[1].uuidInvocationId=45155c5d-16a3-4ddf-952c-325ec78e6707
pServer[1].iSite=0 (Default-First-Site-Name)
pServer[1].iOptions=1
pServer[1].ftLocalAcquireTime=c29a5540 01c6701b

pServer[1].ftRemoteConnectTime=c220df80 01c6701b

pServer[1].ppszMasterNCs:
ppszMasterNCs[0]=CN=Schema,CN=Configuration,DC=mydomain,DC=net
ppszMasterNCs[1]=CN=Configuration,DC=mydomain,DC=net
ppszMasterNCs[2]=DC=mydomain,DC=net

SITES: pSites[0].pszName=Default-First-Site-Name
pSites[0].pszSiteSettings=CN=NTDS Site
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
pSites[0].pszISTG=CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
pSites[0].iSiteOption=0

pSites[0].cServers=2

NC: pNCs[0].pszName=Schema
pNCs[0].pszDn=CN=Schema,CN=Configuration,DC=mydomain,DC=net

pNCs[0].aCrInfo[0].dwFlags=0x00000201
pNCs[0].aCrInfo[0].pszDn=CN=Enterprise
Schema,CN=Partitions,CN=Configuration,DC=mydomain,DC=net
pNCs[0].aCrInfo[0].pszDnsRoot=mydomain.net
pNCs[0].aCrInfo[0].iSourceServer=1
pNCs[0].aCrInfo[0].pszSourceServer=(null)
pNCs[0].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[0].aCrInfo[0].bEnabled=TRUE
pNCs[0].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[0].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[0].aCrInfo[0].pszNetBiosName=(null)
pNCs[0].aCrInfo[0].cReplicas=-1
pNCs[0].aCrInfo[0].aszReplicas=


NC: pNCs[1].pszName=Configuration
pNCs[1].pszDn=CN=Configuration,DC=mydomain,DC=net

pNCs[1].aCrInfo[0].dwFlags=0x00000201
pNCs[1].aCrInfo[0].pszDn=CN=Enterprise
Configuration,CN=Partitions,CN=Configuration,DC=mydomain,DC=net
pNCs[1].aCrInfo[0].pszDnsRoot=mydomain.net
pNCs[1].aCrInfo[0].iSourceServer=1
pNCs[1].aCrInfo[0].pszSourceServer=(null)
pNCs[1].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[1].aCrInfo[0].bEnabled=TRUE
pNCs[1].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[1].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[1].aCrInfo[0].pszNetBiosName=(null)
pNCs[1].aCrInfo[0].cReplicas=-1
pNCs[1].aCrInfo[0].aszReplicas=


NC: pNCs[2].pszName=mydomain
pNCs[2].pszDn=DC=mydomain,DC=net

pNCs[2].aCrInfo[0].dwFlags=0x00000201
pNCs[2].aCrInfo[0].pszDn=CN=IBUSINESS,CN=Partitions,CN=Configuration,DC=mydomain,DC=net
pNCs[2].aCrInfo[0].pszDnsRoot=mydomain.net
pNCs[2].aCrInfo[0].iSourceServer=1
pNCs[2].aCrInfo[0].pszSourceServer=(null)
pNCs[2].aCrInfo[0].ulSystemFlags=0x00000003
pNCs[2].aCrInfo[0].bEnabled=TRUE
pNCs[2].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[2].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[2].aCrInfo[0].pszNetBiosName=(null)
pNCs[2].aCrInfo[0].cReplicas=-1
pNCs[2].aCrInfo[0].aszReplicas=


3 NC TARGETS: Schema, Configuration, mydomain,
1 TARGETS: AG-DBSVR,

=============================================Done Printing pDsInfo

Doing initial required tests

Testing server: Default-First-Site-Name\AG-DBSVR
Starting test: Connectivity
* Active Directory LDAP Services Check
The host
1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net could not be
resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name

(1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net)

couldn't be resolved, the server name (ag-dbsvr.mydomain.net)

resolved to the IP address (100.200.52.145) and was pingable.
Check

that the IP address is registered correctly with the DNS
server.
......................... AG-DBSVR failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\AG-DBSVR
Skipping all tests, because server AG-DBSVR is
not responding to directory service requests

DNS Tests are running and not hung. Please wait a few minutes...

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test
CheckSDRefDom

Running partition tests on : mydomain
Starting test: CrossRefValidation
......................... mydomain passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... mydomain passed test CheckSDRefDom

Running enterprise tests on : mydomain.net
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside
the scope

provided by the command line arguments provided.
......................... mydomain.net passed test Intersite
Starting test: FsmoCheck
GC Name: \\ag-dbsvr.mydomain.net
Locator Flags: 0xe00003fc
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Time Server Name: \\ag-dbsvr.mydomain.net
Locator Flags: 0xe00003fc
Preferred Time Server Name: \\ag-dbsvr.mydomain.net
Locator Flags: 0xe00003fc
KDC Name: \\ag-dbsvr.mydomain.net
Locator Flags: 0xe00003fc
......................... mydomain.net failed test FsmoCheck
Starting test: DNS
Test results for domain controllers:

DC: ag-dbsvr.mydomain.net
Domain: mydomain.net


TEST: Authentication (Auth)
Authentication test: Successfully completed

TEST: Basic (Basc)
Error: No LDAP connectivity
Microsoft(R) Windows(R) Server 2003 for Small
Business Server (Service Pack level: 1.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000002] Compaq NC3123 Fast Ethernet NIC:
MAC address is 00:02:A5:43:ED:53
IP address is static
IP address: 100.200.52.145
DNS servers:
Warning: 100.200.52.145 (<name unavailable>)
[Invalid]
Error: all DNS servers are invalid
The A record for this DC was found
The SOA record for the Active Directory zone was
found
Warning: The Active Directory zone on this DC/DNS
server was not found (probably a misconfiguration)
Root zone on this DC/DNS server was not found

TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders are not configured on this DNS server
Root hint Information:
Name: a.root-servers.net. IP: 198.41.0.4 [Invalid]
Name: b.root-servers.net. IP: 192.228.79.201
[Invalid]
Name: c.root-servers.net. IP: 192.33.4.12
[Invalid]
Name: d.root-servers.net. IP: 128.8.10.90
[Invalid]
Name: e.root-servers.net. IP: 192.203.230.10
[Invalid]
Name: f.root-servers.net. IP: 192.5.5.241
[Invalid]
Name: g.root-servers.net. IP: 192.112.36.4 [Valid]
Name: h.root-servers.net. IP: 128.63.2.53
[Invalid]
Name: i.root-servers.net. IP: 192.36.148.17
[Invalid]
Name: j.root-servers.net. IP: 192.58.128.30
[Invalid]
Name: k.root-servers.net. IP: 193.0.14.129
[Invalid]
Name: l.root-servers.net. IP: 198.32.64.12
[Invalid]
Name: m.root-servers.net. IP: 202.12.27.33
[Invalid]

TEST: Records registration (RReg)
Error: Record registrations cannot be found for all the
network adapters
Total query time:0 min. 2 sec.. Total RPC connection
time:0 min. 0 sec.
Total WMI connection time:0 min. 0 sec. Total Netuse
connection time:0 min. 0 sec.

Summary of test results for DNS servers used by the above
domain controllers:

DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
[Error details: 9003 (Type: Win32 - Description: DNS
name does not exist.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
[Error details: 9003 (Type: Win32 - Description: DNS
name does not exist.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 192.203.230.10 (e.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
[Error details: 9003 (Type: Win32 - Description: DNS
name does not exist.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 192.228.79.201 (b.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
[Error details: 9002 (Type: Win32 - Description: DNS
server failure.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 192.33.4.12 (c.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
[Error details: 9003 (Type: Win32 - Description: DNS
name does not exist.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 192.36.148.17 (i.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
[Error details: 9003 (Type: Win32 - Description: DNS
name does not exist.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 192.5.5.241 (f.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
[Error details: 9003 (Type: Win32 - Description: DNS
name does not exist.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 192.58.128.30 (j.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
[Error details: 9002 (Type: Win32 - Description: DNS
server failure.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 193.0.14.129 (k.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
[Error details: 9003 (Type: Win32 - Description: DNS
name does not exist.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 100.200.52.145 (<name unavailable>)
1 test failure on this DNS server
This is a valid DNS server.
Name resolution is not functional.
_ldap._tcp.mydomain.net. failed on the DNS server 100.200.52.145
[Error details: 9003 (Type: Win32 - Description: DNS
name does not exist.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 198.32.64.12 (l.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
[Error details: 9003 (Type: Win32 - Description: DNS
name does not exist.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 198.41.0.4 (a.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
[Error details: 9003 (Type: Win32 - Description: DNS
name does not exist.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 202.12.27.33 (m.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
[Error details: 9003 (Type: Win32 - Description: DNS
name does not exist.)]
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

DNS server: 192.112.36.4 (g.root-servers.net.)
All tests passed on this DNS server
This is a valid DNS server.
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 0 sec.

Summary of DNS test results:

Auth Basc Forw Del Dyn
RReg Ext

________________________________________________________________
Domain: mydomain.net
ag-dbsvr PASS FAIL PASS n/a PASS
FAIL n/a

Total Time taken to test all the DCs:0 min. 2 sec.
......................... mydomain.net failed test DNS


====================

Thanks,

Berty

Bertram

May 5, 2006, 8:27:07 AM
Yahoo! I've managed to get somewhere... I've now got a DNS service with
an AD-integrated forward zone set up.

There are still some worrying items in the output from dcdiag though -
I've included the output below in the hope that someone can shed some
light on my (new?) problem.

================

Command Line: "dcdiag.exe /v /d /c"

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine ag-dbsvr, is a DC.
* Connecting to directory service on server ag-dbsvr.

ag-dbsvr.currentTime = 20060505121831.0Z
ag-dbsvr.highestCommittedUSN = 307279


ag-dbsvr.isSynchronized = 1
ag-dbsvr.isGlobalCatalogReady = 1
* Collecting site info.
* Identifying all servers.

AG-DBSVR.currentTime = 20060505121831.0Z
AG-DBSVR.highestCommittedUSN = 307279


===============================================Printing out pDsInfo

dwForestBehaviorVersion=0

HomeServer=1, AG-DBSVR

pServer[0].ftRemoteConnectTime=00000000 00000000

pServer[1].ftLocalAcquireTime=059f5850 01c6703e

pServer[1].ftRemoteConnectTime=058c4580 01c6703e

pSites[0].cServers=2

=============================================Done Printing pDsInfo

Doing initial required tests

Failure Analysis: AG-DBSVR ... OK.
* Active Directory RPC Services Check
......................... AG-DBSVR passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\AG-DBSVR
Starting test: Replications
* Replications Check
CN=Schema,CN=Configuration,DC=mydomain,DC=net has 2 cursors.
[Replications Check,AG-DBSVR] A recent replication attempt
failed:
From TEMPSVR to AG-DBSVR
Naming Context:
CN=Schema,CN=Configuration,DC=mydomain,DC=net
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2006-05-05 12:50:32.
The last success occurred at 2006-04-25 14:58:36.
231 failures have occurred since the last success.
[TEMPSVR] DsBindWithSpnEx() failed with error 1722,
Win32 Error 1722.
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 1128 (DcDiag)
System Time is: 5/5/2006 12:18:52:250
Generating component is 8 (winsock)
Status is 1722: The RPC server is unavailable.

Detection location is 323
Error Record 2, ProcessID is 1128 (DcDiag)
System Time is: 5/5/2006 12:18:52:250
Generating component is 8 (winsock)
Status is 1237: The operation could not be completed. A
retry should be performed.

Detection location is 313
Error Record 3, ProcessID is 1128 (DcDiag)
System Time is: 5/5/2006 12:18:52:250
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the
connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to
respond.

Detection location is 311
NumberOfParameters is 3
Long val: 135
Pointer val: 0
Pointer val: 0
Error Record 4, ProcessID is 1128 (DcDiag)
System Time is: 5/5/2006 12:18:52:250
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the
connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to
respond.

Detection location is 318
The source remains down. Please check the machine.
CN=Configuration,DC=mydomain,DC=net has 2 cursors.
[Replications Check,AG-DBSVR] A recent replication attempt
failed:
From TEMPSVR to AG-DBSVR
Naming Context: CN=Configuration,DC=mydomain,DC=net
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2006-05-05 12:50:11.
The last success occurred at 2006-04-25 15:29:41.
231 failures have occurred since the last success.
The source remains down. Please check the machine.
DC=mydomain,DC=net has 2 cursors.
[Replications Check,AG-DBSVR] A recent replication attempt
failed:
From TEMPSVR to AG-DBSVR
Naming Context: DC=mydomain,DC=net
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2006-05-05 12:49:50.
The last success occurred at 2006-04-25 15:28:35.
239 failures have occurred since the last success.
The source remains down. Please check the machine.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
AG-DBSVR: Current time is 2006-05-05 13:18:31.
CN=Schema,CN=Configuration,DC=mydomain,DC=net
Last replication recieved from TEMPSVR at 2006-04-25
14:58:36.
CN=Configuration,DC=mydomain,DC=net
Last replication recieved from TEMPSVR at 2006-04-25
15:29:41.
DC=mydomain,DC=net
Last replication recieved from TEMPSVR at 2006-04-25
15:28:35.
* Replication Site Latency Check
Site Settings = CN=NTDS Site
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
[0x904de,v=306,t=2006-05-05
12:39:29,g=45155c5d-16a3-4ddf-952c-325ec78e6707,orig=307254,local=307254]
Elapsed time (sec) = 2363
......................... AG-DBSVR passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... AG-DBSVR passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Analyzing the alive system replication topology for
CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Analyzing the alive system replication topology for
DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
......................... AG-DBSVR passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC AG-DBSVR.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=mydomain,DC=net
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=mydomain,DC=net
(Configuration,Version 2)
* Security Permissions Check for
DC=mydomain,DC=net
(Domain,Version 2)
......................... AG-DBSVR passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\AG-DBSVR\netlogon
Verified share \\AG-DBSVR\sysvol
......................... AG-DBSVR passed test NetLogons
Starting test: Advertising
The DC AG-DBSVR is advertising itself as a DC and having a DS.
The DC AG-DBSVR is advertising as an LDAP server
The DC AG-DBSVR is advertising as having a writeable directory
The DC AG-DBSVR is advertising as a Key Distribution Center
The DC AG-DBSVR is advertising as a time server
The DS AG-DBSVR is advertising as a GC.
......................... AG-DBSVR passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role Domain Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role PDC Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role Rid Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
......................... AG-DBSVR passed test
KnowsOfRoleHolders
Starting test: RidManager
ridManagerReference = CN=RID
Manager$,CN=System,DC=mydomain,DC=net
* Available RID Pool for the Domain is 3863 to 1073741823
fSMORoleOwner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
* ag-dbsvr.mydomain.net is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=AG-DBSVR,OU=Domain
Controllers,DC=mydomain,DC=net
* rIDAllocationPool is 2863 to 3362
* rIDPreviousAllocationPool is 2863 to 3362
* rIDNextRID: 2879
......................... AG-DBSVR passed test RidManager
Starting test: MachineAccount
Checking machine account for DC AG-DBSVR on DC AG-DBSVR.
* SPN found :LDAP/ag-dbsvr.mydomain.net/mydomain.net
* SPN found :LDAP/ag-dbsvr.mydomain.net
* SPN found :LDAP/AG-DBSVR
* SPN found :LDAP/ag-dbsvr.mydomain.net/IBUSINESS
* SPN found
:LDAP/1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/1750286d-b0a6-4633-a9d0-63967c9a5fcb/mydomain.net
* SPN found :HOST/ag-dbsvr.mydomain.net/mydomain.net
* SPN found :HOST/ag-dbsvr.mydomain.net
* SPN found :HOST/AG-DBSVR
* SPN found :HOST/ag-dbsvr.mydomain.net/IBUSINESS
* SPN found :GC/ag-dbsvr.mydomain.net/mydomain.net
......................... AG-DBSVR passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... AG-DBSVR passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... AG-DBSVR passed test
OutboundSecureChannels
Starting test: ObjectsReplicated
AG-DBSVR is in domain DC=mydomain,DC=net
Checking for CN=AG-DBSVR,OU=Domain
Controllers,DC=mydomain,DC=net in domain DC=mydomain,DC=net on 1
servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
in domain CN=Configuration,DC=mydomain,DC=net on 1 servers
Object is up-to-date on all servers.
......................... AG-DBSVR passed test
ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... AG-DBSVR passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
An Warning Event occured. EventID: 0x800034FA
Time Generated: 05/05/2006 12:23:54
(Event String could not be retrieved)
......................... AG-DBSVR failed test frsevent
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000748
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000748
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000748
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
......................... AG-DBSVR failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 12:52:19
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was LDAP/ag-dbsvr.mydomain.net/mydoma...@mydomain.net. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 12:53:09
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was cifs/ag-dbsvr.mydomain.net. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 12:55:37
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was LDAP/AG-DBSVR. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:05:23
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was LDAP/ag-dbsvr.mydomain.net/mydomain.net. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:05:23
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was LDAP/ag-dbsvr.mydomain.net/IBUSINESS. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:18:52
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was LDAP/1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:22:01
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was cifs/AG-DBSVR. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
......................... AG-DBSVR failed test systemlog
Starting test: VerifyReplicas
......................... AG-DBSVR passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference) CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net and backlink on CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net are correct.
The system object reference (frsComputerReferenceBL) CN=AG-DBSVR,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=net and backlink on CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net are correct.
The system object reference (serverReferenceBL) CN=AG-DBSVR,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=net and backlink on CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net are correct.
......................... AG-DBSVR passed test
VerifyReferences
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN references. Note, that these problems can be reported because of latency in replication. So follow up to resolve the following problems, only if the same problem is reported on all DCs for a given domain or if the problem persists after replication has had reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object: CN=TEMPSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Base Object Description: "Server Object"
Value Object Attribute: serverReference
Value Object Description: "DC Account Object"
Recommended Action: This could hamper authentication (and thus replication, etc). Check if this server is deleted, and if so clean up this DCs Account Object. If the problem persists and this is not a deleted DC, authoratively restore the DSA object from a good copy, for example the DSA on the DSA's home server.

[2] Problem: Missing Expected Value
Base Object: CN=NTSERVER,OU=Domain Controllers,DC=mydomain,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "Server Object"
Recommended Action: Check if this server is deleted, and if so clean up this DCs Account Object.

[3] Problem: Missing Expected Value
Base Object: CN=NTSERVER,OU=Domain Controllers,DC=mydomain,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

[4] Problem: Missing Expected Value
Base Object: CN=TEMPSVR,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=net
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: frsComputerReference
Value Object Description: "DC Account Object"
Recommended Action: Check if this server is deleted, and if so clean up this DCs SYSVOL FRS Member Object. Also see Knowledge Base Article: Q312862

......................... AG-DBSVR failed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
DcDiag: uncaught exception raised, continuing search


===============

Specifically, why on earth is the PDC role not working? I had hoped
that all of these issues would magically disappear once the DNS issue
was rectified!

Thanks again for all your help, and thanks in advance for the help I
hope you're going to give with this one! ;-)

Berty
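
The dump above is long, and the items that matter (a partner that has failed replication 231 times while dcdiag still prints "passed test Replications", the repeated KRB_AP_ERR_MODIFIED events, the tests that actually failed) are easy to miss by eye. The following Python script is an added example, not code from this thread or from Microsoft's tooling: it parses `dcdiag /v` output into a summary of failed tests, replication failures per source DC with their Win32 error and consecutive-failure count, and event IDs by frequency, and it flags stale partners even when the Replications test is reported as passed. The `SAMPLE` text is a constructed excerpt modelled on the output posted above; the regular expressions only rely on the line shapes visible in that output.

```python
"""Summarise verbose dcdiag output: failed tests, failing replication
partners and recurring event IDs. Added example; SAMPLE is a constructed
excerpt shaped like the dcdiag /v output posted in this thread."""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE = """\
Testing server: Default-First-Site-Name\\AG-DBSVR
Starting test: Replications
[Replications Check,AG-DBSVR] A recent replication attempt
failed:
From TEMPSVR to AG-DBSVR
Naming Context: CN=Configuration,DC=mydomain,DC=net
The replication generated an error (1722):
Win32 Error 1722
231 failures have occurred since the last success.
The source remains down. Please check the machine.
......................... AG-DBSVR passed test Replications
Starting test: kccevent
An Warning Event occured. EventID: 0x8025082C
An Error Event occured. EventID: 0xC0000748
An Warning Event occured. EventID: 0x8025082C
......................... AG-DBSVR failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
......................... AG-DBSVR failed test systemlog
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
......................... mydomain.net failed test FsmoCheck
"""

# Line shapes taken from dcdiag's own output format.
RESULT_RE = re.compile(r"^\.{3,}\s+(\S+) (passed|failed) test\s*(\S*)$")
FROM_RE = re.compile(r"^From (\S+) to (\S+)$")
NC_RE = re.compile(r"^Naming Context:\s*(.*)$")
ERR_RE = re.compile(r"generated an error \((\d+)\)")
FAILS_RE = re.compile(r"^(\d+) failures have occurred since the last success")
EVENT_RE = re.compile(r"^An (Warning|Error) Event occured\. EventID: (0x[0-9A-Fa-f]+)")


@dataclass
class ReplFailure:
    source: str
    target: str
    naming_context: str = ""
    win32_error: int = 0
    consecutive_failures: int = 0


@dataclass
class DcdiagSummary:
    passed_tests: list = field(default_factory=list)    # (server, test)
    failed_tests: list = field(default_factory=list)    # (server, test)
    replication_failures: list = field(default_factory=list)
    events: Counter = field(default_factory=Counter)    # (severity, id) -> count
    kerberos_modified: int = 0                          # KRB_AP_ERR_MODIFIED lines


def _next_nonblank(lines, i):
    """dcdiag wraps long values onto the next line; fetch that line."""
    for j in range(i + 1, len(lines)):
        if lines[j]:
            return lines[j]
    return ""


def parse_dcdiag(text):
    s = DcdiagSummary()
    lines = [ln.strip() for ln in text.splitlines()]
    current = None  # replication failure record being filled in
    for i, line in enumerate(lines):
        m = RESULT_RE.match(line)
        if m:
            server, verdict, test = m.groups()
            test = test or _next_nonblank(lines, i)  # wrapped test name
            (s.passed_tests if verdict == "passed" else s.failed_tests).append((server, test))
            continue
        m = FROM_RE.match(line)
        if m:
            current = ReplFailure(source=m.group(1), target=m.group(2))
            s.replication_failures.append(current)
            continue
        if current is not None:
            m = NC_RE.match(line)
            if m:
                current.naming_context = m.group(1).strip() or _next_nonblank(lines, i)
                continue
            m = ERR_RE.search(line)
            if m:
                current.win32_error = int(m.group(1))
                continue
            m = FAILS_RE.match(line)
            if m:
                current.consecutive_failures = int(m.group(1))
                current = None  # record complete
                continue
        m = EVENT_RE.match(line)
        if m:
            s.events[(m.group(1), m.group(2))] += 1
            continue
        if "KRB_AP_ERR_MODIFIED" in line:
            s.kerberos_modified += 1
    return s


def stale_partners(summary, min_failures=1):
    """Sources with at least min_failures consecutive replication failures,
    regardless of whether dcdiag reported the Replications test as passed."""
    return sorted({f.source for f in summary.replication_failures
                   if f.consecutive_failures >= min_failures})


def report(summary):
    out = [f"failed tests: {', '.join(t for _, t in summary.failed_tests) or 'none'}"]
    for f in summary.replication_failures:
        out.append(f"replication {f.source} -> {f.target} [{f.naming_context}]: "
                   f"Win32 {f.win32_error}, {f.consecutive_failures} consecutive failures")
    for (sev, eid), n in summary.events.most_common():
        out.append(f"{sev} event {eid}: {n}x")
    if summary.kerberos_modified:
        out.append(f"KRB_AP_ERR_MODIFIED seen {summary.kerberos_modified}x (check the DC's "
                   "machine account password / duplicate SPNs)")
    return out


if __name__ == "__main__":
    print("\n".join(report(parse_dcdiag(SAMPLE))))
```

Feed it a real run with `dcdiag /v /c > dcdiag.txt` and `parse_dcdiag(open("dcdiag.txt").read())`; the point of `stale_partners` is that a partner which has been unreachable for days (TEMPSVR here, with error 1722) surfaces even though the per-test verdict is "passed".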

strongline

May 5, 2006, 8:59:33 AM5/5/06
to
The server "TMPSVR" wasn't demoted gracefully. You need to perform a
metadata cleanup. Also, your current DC doesn't look like the PDC owner
(I know you've checked once, but please double check). It doesn't hurt
to seize it again.

Q216498
Q255504

Bertram

May 5, 2006, 12:43:18 PM5/5/06
to
Hi strongline,

I have performed the steps outlined in the KBs you mentioned. Things
are looking a bit more positive; however, I get the following error when
running dcdiag:


==========
Starting test: FsmoCheck


Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.

......................... mydomain.net failed test FsmoCheck

====================

This server is in fact the holder of the PDC role, which I have
verified using ntdsutil.

Any suggestions?

Oh, and for some as-yet unknown reason my DNS zone disappeared again
when I rebooted. Resetting the Kerberos password and restarting
netlogon/DNS brought it back again.

If anyone has any suggestions for me to try over the weekend (God bless
Remote Desktop and VPNs!) please let me know!

Jorge Silva

May 5, 2006, 2:24:45 PM5/5/06
to
Hi again...

Please answer this question:

1 - In your first post after the first dcdiag test, you said that you
finally got the DNS working AD-integrated, right? Please tell us what
you changed to achieve that.


Now:

1 - Remove any references to "tempsvr.mydomain.net"; I believe this was the
old server.
Use this link:
How to remove data in Active Directory after an unsuccessful domain
controller demotion

http://support.microsoft.com/?scid=kb%3Ben-us%3B216498&x=6&y=11#XSLTH3140121122120121120120


After this, use the Active Directory Sites and Services MMC snap-in to remove
the server "tempsvr.mydomain.net" object.
VERY IMPORTANT - Next, go to the DNS and remove any references to this
server. Or you can delete the DNS zone and recreate it again, using the
steps that I already gave you in previous posts, deleting the netlogon
files, etc...

Reboot the server twice.

Run the tests again..


--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Bertram" <BertramWilbe...@gmail.com> wrote in message
news:1146832027.8...@e56g2000cwe.googlegroups.com...

Bertram

May 8, 2006, 6:39:01 AM5/8/06
to
Hi again!

What finally resolved the DNS issue appears to be resetting the
Kerberos password by running netdom resetpasswd. Upon rebooting the
machine, then starting and stopping netlogon and DNS, the correct
forward zone entries were automatically created.

The problem is not entirely resolved, as I have actually had to do this
again over the weekend, as the problem reared its ugly head again.

I have followed your instructions and removed any references to
tmpserver - I will reboot it twice shortly.

Apropos the Kerberos problem... do you think this is related to the
references to tmpserver? Should it be permanently resolved now that
these references have been removed?

Your help and persistence with this problem are enormously appreciated;
you've saved me pulling out a lot of my hair. You are a credit and
example to this newsgroup and the internet in general.

Thanks again,

Berty

Jorge Silva

May 8, 2006, 9:08:35 AM5/8/06
to
Hi

What problems are you having now?

Is the DNS problem solved?

--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Bertram" <BertramWilbe...@gmail.com> wrote in message

news:1147084741....@j73g2000cwa.googlegroups.com...

Bertram

May 19, 2006, 7:02:33 AM5/19/06
to
Hi Jorge,

Sorry for the delay in replying, I've been away from the office. The
DNS problem I initially reported has been resolved, thanks for your
help with that. I'm having another problem which is probably best left
for another thread... hope to see you there! :-)

Thanks,

Berty

Jorge Silva

May 19, 2006, 9:34:48 AM5/19/06
to
Any time.

Can you share with us how you solved it?

--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Bertram" <BertramWilbe...@gmail.com> wrote in message

news:1148036553.2...@y43g2000cwc.googlegroups.com...

weskandr

Jun 27, 2006, 9:34:21 PM6/27/06
to

Hey guys, I'm new to this forum but I have a question and I hope to find
an answer for it.

A couple of days ago I was installing a new Exchange 2003 on a new server
because I wanted to move the current Exchange 2003 from the PDC server
it was on. Somehow things didn't work as I hoped and I messed up the
PDC.
The PDC computer account has gone from the domain controller list under
ACTIVE DIRECTORY USERS AND COMPUTERS.

Does anyone know how to recreate the machine account???
Can I use ntdsutil to do this??

your help is really appreciated.

Wadea


--
weskandr