
Issue with DC


Jack T. <T.@discussions.microsoft.com>

Jan 31, 2007, 6:49:00 PM1/31/07
Hi all,

I have 2 DCs. DC1 was infected with virus and malware, so I took it offline
for a while. When I brought DC1 back online, I ran dcdiag on DC2 and got this
error message:

Testing server: Default-First-Site-Name\td02
Starting test: Connectivity
The host d6894b62-f43c-45b2-9647-6981c09cbc2c._msdcs.TD.COM could
not be resolved to an IP address. Check the DNS server, DHCP, server name,
etc
Although the Guid DNS name
(d6894b62-f43c-45b2-9647-6981c09cbc2c._msdcs.TD.COM) couldn't be resolved,
the server name (td02.TD.COM) resolved to the IP address (192.168.1.5) and
was pingable. Check that the IP address is registered correctly with the DNS
server.......................... td02 failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\TD02
Skipping all tests, because server TD02 is not responding to directory
service requests

Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
......................... TD.COM failed test FsmoCheck

I ran dcdiag on DC1 and got the following:

Testing server: Default-First-Site-Name\TD01
Starting test: Replications
[TD02] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..

How do I fix this issue? Please help.

Thanks in advance,
Jack T.

Jorge Silva

Jan 31, 2007, 7:26:46 PM1/31/07
Hi
Do you have any FW between these DCs?
If yes, check:
Active Directory in Networks Segmented by Firewalls
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
How to configure Windows Server 2003 SP1 firewall for a Domain Controller
http://support.microsoft.com/kb/555381

Restart Netlogon service, and make sure that you can force replication
between the 2 DCs
--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Jack T." <Jack T.@discussions.microsoft.com> wrote in message
news:52095FBA-ABF9-4A7B...@microsoft.com...

Jack T.

Feb 1, 2007, 3:24:00 AM2/1/07
Thank you for your quick response.

1. No. I have no FW between these 2 DCs.
2. I did that and got the following error:

"The following error occurred during the attempt to synchronize naming
context TD.com from domain controller TD1 to domain controller TD2: the
target principal is incorrect. This operation will not continue."

When I forced the replication from TD2 to TD1, I got the following:
"Active Directory has replicated the connections".


Jack T.

Jorge Silva

Feb 1, 2007, 7:09:06 AM2/1/07
Can you explain how DCs/DNS are configured?

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Jack T." <Ja...@discussions.microsoft.com> wrote in message
news:01E43B85-A5CA-43D5...@microsoft.com...

Jack T.

Feb 1, 2007, 11:53:00 AM2/1/07
I have 2 DCs (TD1 and TD2). TD1 has the FSMO roles (operations masters - RID,
PDC, Infrastructure).

If I log on to TD1, I can access both DNS servers (TD1 and TD2). If I log on
to TD2, I can only access DNS on TD2. When I try to access DNS on TD1, I get
this error message: "You do not have permission to access this DNS server. To
retry the connection, either press F5, or on the Action menu, click Refresh."

I checked the event logs and got this error:
"A zone transfer request for the secondary zone TD.COM was refused by the
master DNS server at 192.168.1.6. Check the zone at the master server
192.168.1.6 to verify that zone transfer is enabled to this server. To do
so, use the DNS console, and select master server 192.168.1.6 as the
applicable server, then in secondary zone TD.COM Properties, view the
settings on the Zone Transfers tab. Based on the settings you choose, make
any configuration adjustments there (or possibly in the Name Servers tab) so
that a zone transfer can be made to this server."

Jack T.

Feb 1, 2007, 12:01:01 PM2/1/07
Also, it's Active Directory integrated. TD1 is the primary server.

Jorge Silva

Feb 1, 2007, 2:57:00 PM2/1/07
This is a little confusing....
Assuming that TD1 has the proper DNS infrastructure, try the following:
- Make sure that TD1 points to itself under NIC Preferred DNS.
- Go to
- Make sure that all other servers point to TD1 under NIC Preferred DNS.
- Make sure that the DNS zone on TD1 is Active Directory integrated and allows
dynamic updates.
- Go to TD2 and under NIC Preferred DNS point it to the TD1 IP address.
- Run ipconfig /registerdns on both servers.
- Restart the Netlogon service on both servers.
- Force replication.

Also check
http://support.microsoft.com/?id=241515

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Jack T." <Ja...@discussions.microsoft.com> wrote in message
news:6107541C-306C-432C...@microsoft.com...

Jack T.

Feb 1, 2007, 9:21:01 PM2/1/07
I did that but still got the following error:

The following error occurred during the attempt to synchronize naming
context TD.com from domain controller TD1 to domain controller TD2:

"the active directory cannot replicate with this server because the time
since the last replication with this server has exceeded the tombstone
lifetime"

This operation will not continue.

I checked the event viewer and event ID 2042 (NTDS replication) showed up.
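The diagnostic below is an added example, not code from the thread: it checks, for every DC, the three things the exchange above turns on (the NIC preferred DNS setting from Jorge's checklist, the DSA-GUID `_msdcs` CNAME that dcdiag could not resolve, and how long each replication partner has gone without a successful replication compared with the tombstone lifetime that event 2042 reports). It assumes the ActiveDirectory and DnsClient RSAT PowerShell modules (not available on the 2007-era servers in the thread), WinRM access to each DC, and the constructed value `$PreferredDns` for the DC that holds the AD-integrated zone.

```powershell
# Added diagnostic script, not from the thread. Assumes the ActiveDirectory and
# DnsClient RSAT modules, WinRM to each DC, and a domain admin account.
# $PreferredDns is a constructed value: the IP of the DC that is meant to hold the
# primary AD-integrated zone (192.168.1.6 / TD1 in the thread).
param([string]$PreferredDns = '192.168.1.6')

$forest = (Get-ADForest).RootDomain
$cfgNc  = (Get-ADRootDSE).configurationNamingContext
# Tombstone lifetime: an unset attribute means the pre-2003 SP1 default of 60 days.
$tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
        -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }

foreach ($dc in Get-ADDomainController -Filter *) {
    Write-Host "=== $($dc.HostName) ==="

    # 1. NIC preferred DNS must be the DC that hosts the zone (Jorge's first items).
    $first = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1).ServerAddresses[0]
    }
    $state = if ($first -eq $PreferredDns) { 'OK' } else { 'MISMATCH' }
    Write-Host "  preferred DNS = $first ($state)"

    # 2. The alias dcdiag could not resolve: <NTDS Settings objectGUID>._msdcs.<forest>
    $guid = (Get-ADObject $dc.NTDSSettingsObjectDN -Properties objectGUID).ObjectGUID
    $name = "$guid._msdcs.$forest"
    try {
        $r = Resolve-DnsName $name -Type CNAME -Server $PreferredDns -ErrorAction Stop |
             Where-Object QueryType -eq 'CNAME' | Select-Object -First 1
        Write-Host "  $name -> $($r.NameHost)"
    } catch { Write-Host "  $name does NOT resolve on $PreferredDns (RPC binds will fail)" }

    # 3. Days since the last successful inbound replication per partner, against the
    #    tombstone lifetime; exceeding it is the condition behind event 2042.
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
      ForEach-Object {
        $days = ((Get-Date) - $_.LastReplicationSuccess).TotalDays
        $flag = if ($days -gt $tsl) { 'EXCEEDS TOMBSTONE LIFETIME' } else { 'ok' }
        Write-Host ("  {0} from {1}: {2:N1} days since success, last result {3} [{4}]" -f
            $_.Partition, $_.PartnerAddress, $days, $_.LastReplicationResult, $flag)
      }

    # 4. Has event 2042 (NTDS Replication) already been logged on this DC?
    $ev = Get-WinEvent -ComputerName $dc.HostName -MaxEvents 1 -ErrorAction SilentlyContinue `
          -FilterHashtable @{ LogName = 'Directory Service'; Id = 2042 }
    if ($ev) { Write-Host "  event 2042 logged at $($ev.TimeCreated)" }
}
```

Note that `PartnerAddress` in step 3 is itself the partner's GUID-based `_msdcs` name, so a partner whose alias fails step 2 will also show stale or failing replication here.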

Jorge Silva

Feb 2, 2007, 5:04:20 AM2/2/07
OK.
In that case the domain controller has not replicated with its partner for
longer than a tombstone lifetime, so it is possible that a lingering object
problem exists on one or both domain controllers.

Solution:
- Manually remove that DC from AD.
- Use dcpromo /forceremoval to remove AD from that DC.
- Re-add the server to AD again using dcpromo.

Follow:
- Disconnect the DC from the network.
- On that DC use dcpromo /forceremoval to remove AD from the server.
On the existing AD server:
- Then remove all references to that DC from the AD database (metadata cleanup).
- Remove any DNS references to the DC.
- If necessary, seize any remaining Operations Master roles that were hosted by that DC.
- If the domain controller that you are demoting is a DNS server or global
catalog server, you must create a new GC or DNS server to satisfy load
balancing, fault tolerance, and configuration settings in the forest.
- Manually remove it from the Sites and Services snap-in.
- Use the Active Directory Sites and Services MMC snap-in to remove the
server object if the domain controller will not be promoted into the forest
with the same computer name.
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504/
Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/kb/332199
How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/?kbid=216498

- Now you're ready to add the server again as an additional DC.
--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Jack T." <Ja...@discussions.microsoft.com> wrote in message
news:CD653CAF-CC15-4698...@microsoft.com...
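The check below is an added example, not code from the thread or from the linked KB articles: after the forced demotion and metadata cleanup Jorge describes, it looks for anything that still references the removed DC (its server object under Sites, its computer account in the Domain Controllers OU, any FSMO role it still appears to hold, and NS/CNAME/SRV/A records for it in the domain and `_msdcs` zones). It assumes the ActiveDirectory and DnsServer RSAT modules and the placeholder parameters `$RemovedDc` (short name of the demoted DC, TD2 in the thread) and `$DnsServer` (the surviving DC hosting the AD-integrated zone).

```powershell
# Added post-cleanup check, not from the thread. Assumes the ActiveDirectory and
# DnsServer RSAT modules and rights on the surviving DC. $RemovedDc is a placeholder
# for the force-demoted DC's short name (TD2 in the thread); $DnsServer is the DC
# that hosts the AD-integrated zone.
param(
    [Parameter(Mandatory)][string]$RemovedDc,
    [string]$DnsServer = $env:COMPUTERNAME
)
$domain = Get-ADDomain
$forest = Get-ADForest
$cfgNc  = (Get-ADRootDSE).configurationNamingContext
$left   = @()

# 1. Metadata cleanup: the server object (with its NTDS Settings) under Sites must be
#    gone, as must the computer account in the Domain Controllers OU.
Get-ADObject -SearchBase "CN=Sites,$cfgNc" -LDAPFilter "(&(objectClass=server)(cn=$RemovedDc))" |
    ForEach-Object { $left += "server object: $($_.DistinguishedName)" }
Get-ADComputer -Filter "Name -eq '$RemovedDc'" -SearchBase $domain.DomainControllersContainer |
    ForEach-Object { $left += "DC computer account: $($_.DistinguishedName)" }

# 2. No FSMO role may still point at the removed DC (otherwise seize it with ntdsutil).
$roles = @{ PDC = $domain.PDCEmulator; RID = $domain.RIDMaster; Infra = $domain.InfrastructureMaster
            Schema = $forest.SchemaMaster; Naming = $forest.DomainNamingMaster }
$roles.GetEnumerator() | Where-Object { $_.Value -like "$RemovedDc.*" } |
    ForEach-Object { $left += "FSMO role $($_.Key) still held by $($_.Value)" }

# 3. DNS references: NS, CNAME (the _msdcs DSA-GUID alias), SRV and A records that still
#    name the removed DC. _msdcs may be its own zone or live inside the domain zone.
$zones = @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)") |
    Where-Object { Get-DnsServerZone -Name $_ -ComputerName $DnsServer -ErrorAction SilentlyContinue }
foreach ($z in $zones) {
    foreach ($rr in Get-DnsServerResourceRecord -ZoneName $z -ComputerName $DnsServer) {
        $target = switch ($rr.RecordType) {
            'NS'    { $rr.RecordData.NameServer }
            'CNAME' { $rr.RecordData.HostNameAlias }
            'SRV'   { $rr.RecordData.DomainName }
            'A'     { if ($rr.HostName -eq $RemovedDc) { "$RemovedDc." } }
        }
        if ($target -like "$RemovedDc.*") { $left += "DNS [$z] $($rr.RecordType) $($rr.HostName) -> $target" }
    }
}

if ($left) { $left | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No references to $RemovedDc remain; safe to run dcpromo again." }
```

Run it on the surviving DC before re-promoting the server under the same name, since a leftover server object or stale CNAME is exactly what makes the new DC inherit the old replication failures.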

Jack T.

Feb 3, 2007, 12:05:01 AM2/3/07
I'll try that and will let you know. I appreciate your help on this issue
Jorge.

Have a great weekend.
