Repost: Missing ForestDNSZones and DomainDNSZones partitions under child AD 2003 domain

Spin

Apr 27, 2006, 9:44:43 PM
Experts,

How come I do not see a ForestDNSZones and DomainDNSZones partition under my
child AD 2003 domain inside the DNS management console? This child domain
is one of two domains in an AD 2003 forest (one parent, one child).
I do indeed see both of these partitions in the forest root domain but not
under the child domain. See URL below, you will have to set Internet
Explorer to FULL screen mode to view the bitmap properly. Notice in the
corp.alpha.local (highlighted domain in picture), both ForestDNSZones and
DomainDNSZones are missing. But if you look under alpha.local (forest root)
both of these partitions are present.


http://www.hicksfx.com/missing_domaindnszones_in_corp.gif

--
Spin


Ace Fekay [MVP]

Apr 27, 2006, 11:57:01 PM
In news:4bdagaF...@individual.net,
Spin <Sp...@spin.com> stated, which I commented on below:

Try rt-clicking the zone, new domain, type in DomainDnsZones. Then run
netdiag /v /fix. Refresh the console. I've done it this way a few times.
Keep in mind, from a child, (can't remember this for sure), you may not be
able to see the ForestDnsZones since I believe you need to be an EA.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]


Paul Williams [MVP]

Apr 28, 2006, 3:23:53 AM
In addition to Ace's reply, are you sure these partitions exist? Can you
see the crossRef objects for them under CN=Partitions, CN=Configuration,
DC=domain-name, DC=com? If not, they need to be recreated. You can do this
from the DNSMGMT.MSC tool if your Domain Naming master FSMO role holder is
running Server 2003.
-- http://www.msresource.net/content/view/51/47/

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net


Spin

Apr 28, 2006, 8:37:30 AM
So Ace, I guess what you're saying is, if one does not log on as an EA to a
child domain (say they logon as a DA), and then proceeds to open the DNS
console, they will NOT see the ForestDNSZones and DomainDNSZones partitions
b/c these are only viewable by an EA? Or am I confused?

--
Spin

"Ace Fekay [MVP]" <Pleas...@SomeDomain.com> wrote in message
news:OvFnUfna...@TK2MSFTNGP02.phx.gbl...

Ace Fekay [MVP]

Apr 28, 2006, 8:45:05 AM
In news:4bego8F...@individual.net,

Spin <Sp...@spin.com> stated, which I commented on below:
> So Ace, I guess what you're saying is, if one does not log on as an
> EA to a child domain (say they logon as a DA), and then proceeds to
> open the DNS console, they will NOT see the ForestDNSZones and
> DomainDNSZones partitions b/c these are only viewable by an EA? Or
> am I confused?

No, that's not what I said. I said that you may be able to see the
DomainDnsZones, but _*MAY*_ not be able to see the ForestDnsZones.

Have you tried my procedure yet? There's nothing to lose... and nothing
gained by not trying it.

Ace


Paul Williams [MVP]

Apr 28, 2006, 9:33:53 AM
You can check for their existence by viewing the namingContexts attribute of
the RootDSE. Simply fire up LDP and connect (enter nothing for serverless
bind or add a k3 DC).

Spin

Apr 28, 2006, 7:44:55 PM
Here are my results. I believe they exist. Can you confirm?

http://www.hicksfx.com/DNS_problem.htm

--
Spin

"Paul Williams [MVP]" <ptw...@hotmail.com> wrote in message
news:11462312...@ernani.logica.co.uk...

Spin

Apr 28, 2006, 7:49:37 PM
If the previous link did not work try each GIF below individually.

http://www.hicksfx.com/missing_domaindnszones_in_corp.gif
http://www.hicksfx.com/ldap_naming.GIF

--
Spin

"Spin" <Sp...@spin.com> wrote in message
news:4bfnrkF...@individual.net...

Paul Williams [MVP]

Apr 29, 2006, 1:25:59 PM
From that LDP output, you have a ForestDNSZone but not a DomainDNSZone App
NC.

The scope of your child domain is probably still "All domain controllers in
this domain" as opposed to "All DNS servers in this domain".

As for why the ForestDNSZones isn't showing, three things spring to mind (in
no particular order):

1. Non-Windows 2003 DNSMGMT.MSC console or DNS server.
2. Permissions problem.
3. Name resolution problem.


Log on to the child domain with an admin account in the root domain and see
if you can see the ForestDNSZones then. If you can, you need to check the
permissions on that zone. If you cannot, you need to check that that
snap-in is OK and that the DNS server in question is actually reading zone
info. from AD. In the child, can you resolve
ForestDNSZones.domain-name.com? That sub-domain should have been
registered. You should be able to resolve it. If you can't, that is
probably your issue.

Spin

Apr 29, 2006, 11:45:12 PM
There are only two servers in the test environment. One AD/DNS server in
the parent domain and one in the child. Both run Windows Server 2003. The
replication scope of the child domain is set to all domain controllers in
the AD domain. Two questions.

1) Is that why I do not have a DomainDNSZones partition?
2) How should I attempt to resolve "ForestDNSZones.domain-name.com"? Should
I be using this syntax:

nslookup ForestDNSZones.alpha.local

--
Spin

"Paul Williams [MVP]" <ptw...@hotmail.com> wrote in message

news:uHjf9H7a...@TK2MSFTNGP05.phx.gbl...

Paul Williams [MVP]

May 1, 2006, 8:10:59 AM
> 1) Is that why I do not have a DomainDNSZones partition?

Yes. Change to all DNS servers in the domain to store it in DomainDNSZones
app partition.


> 2) How should I attempt to resolve "ForestDNSZones.domain-name.com"?

> nslookup ForestDNSZones.alpha.local

Yes, that is correct. If that doesn't work, test from the root domain.
Does it work there? Can you resolve host.alpha.local (where host is any
given host in that domain)?

When you run nslookup forestdnszones.alpha.local you should have the IP
address of your DC returned.
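The checks Paul describes in this thread (the namingContexts attribute on RootDSE, the crossRef objects under CN=Partitions in the Configuration NC, and whether ForestDNSZones.<forest root> resolves) scripted together as one read-only check. This is an added example, not code from the thread; it is PowerShell over the plain System.DirectoryServices/ADSI interfaces, so it needs no AD module and runs on a Windows Server 2003 or later domain member. Every DN and name is read from RootDSE rather than hard-coded, so alpha.local and corp.alpha.local are only what it would print in Spin's environment.

```powershell
# Added example, not from the thread. Answers three questions from the
# discussion above, against whichever DC you run it on:
#   1. does a DomainDnsZones / ForestDnsZones partition exist in the forest
#      (i.e. is there a crossRef for it under CN=Partitions)?
#   2. which DCs hold a replica, and is THIS DC one of them? (RootDSE
#      namingContexts is per-DC, which is why a child DC can list fewer
#      partitions than the forest root DC does.)
#   3. do ForestDnsZones.<root> and DomainDnsZones.<domain> resolve in DNS?

$rootDse  = [ADSI]"LDAP://RootDSE"
$thisDc   = [string]$rootDse.dnsHostName
$domainNC = [string]$rootDse.defaultNamingContext
$rootNC   = [string]$rootDse.rootDomainNamingContext
$configNC = [string]$rootDse.configurationNamingContext

# "DC=corp,DC=alpha,DC=local" -> "corp.alpha.local"
function ConvertTo-Fqdn([string]$dn) {
    return (($dn -replace '^DC=', '') -replace ',DC=', '.')
}

$domainFqdn = ConvertTo-Fqdn $domainNC
$rootFqdn   = ConvertTo-Fqdn $rootNC

# Naming contexts actually hosted by the DC we are bound to.
$held = @($rootDse.namingContexts | ForEach-Object { [string]$_ })

$expected = @{
    "DomainDnsZones" = "DC=DomainDnsZones,$domainNC"
    "ForestDnsZones" = "DC=ForestDnsZones,$rootNC"
}

"Bound to DC: $thisDc  (domain $domainFqdn, forest root $rootFqdn)"
""

foreach ($name in $expected.Keys) {
    $ncDn = $expected[$name]

    # Every NC in the forest has a crossRef. On an application partition's
    # crossRef, msDS-NC-Replica-Locations lists the NTDS Settings objects of
    # the DCs that replicate it.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNC"
    $searcher.Filter     = "(&(objectClass=crossRef)(nCName=$ncDn))"
    $null = $searcher.PropertiesToLoad.Add("msDS-NC-Replica-Locations")
    $crossRef = $searcher.FindOne()

    if ($crossRef -eq $null) {
        "$name : NO crossRef for $ncDn -- the partition does not exist in the forest."
        "         Create it from the DNS console (Create Default Application Directory Partitions)"
        "         or with:  dnscmd /CreateBuiltinDirectoryPartitions /Domain   (or /Forest)"
        continue
    }

    # "CN=NTDS Settings,CN=PAWDC,CN=Servers,..." -> "PAWDC"
    $replicas = @($crossRef.Properties["msds-nc-replica-locations"] |
        ForEach-Object { ([string]$_).Split(',')[1] -replace '^CN=', '' })

    $onThisDc = $held -contains $ncDn
    "$name : exists ($ncDn)"
    "         replicas on : $($replicas -join ', ')"
    "         hosted by $thisDc : $onThisDc"
}

""
# The partition name is registered in DNS as a sub-domain of the domain/forest
# name. If the child cannot resolve it, its DNS server cannot find the
# partition either (Paul's nslookup check).
foreach ($fqdn in @("ForestDnsZones.$rootFqdn", "DomainDnsZones.$domainFqdn")) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        "$fqdn resolves to: $($ips -join ', ')"
    } catch {
        "$fqdn does NOT resolve: $($_.Exception.Message)"
    }
}
```

Read the three answers together: a crossRef with replicas that do not include the child DC means the partition exists but this DC is simply not enlisted (dnscmd /EnlistDirectoryPartition adds it, and the DNS console shows nothing until then); no crossRef at all means it was never created, which is the "specified directory partition does not exist" case Spin hits later in the thread; and a failed lookup of ForestDnsZones.<root> from the child points at the delegation/forwarding gap rather than at AD.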

Ace Fekay [MVP]

May 1, 2006, 7:29:19 PM
In news:4biqa4F...@individual.net,

Spin <Sp...@spin.com> stated, which I commented on below:
> There are only two servers in the test environment. One AD/DNS
> server in the parent domain and one in the child. Both run Windows
> Server 2003. The replication scope of the child domain is set to all
> domain controllers in the AD domain. Two questions.
>
> 1) Is that why I do not have a DomainDNSZones partition?
> 2) How should I attempt to resolve "ForestDNSZones.domain-name.com"?
> Should I be using this syntax:
>
> nslookup ForestDNSZones.alpha.local

In addition to Paul's response, you can also use ADSI Edit to look at the
partitions. Matter of fact, if you find any zones or records under the
partitions that start with CNF_, then you've got an issue due to conflicting
zones due to an administrator selecting the wrong replication scope of a
zone using the 2003 DNS console, say putting the zone in the "To all DNS
servers in the Active Directory domain contoso.com", which is the
DomainDNSZones, however, in the 2000 DNS console, it's still set to "To all
domain controllers in the Active Directory domain contoso.com", which is the
DomainNC partition, therefore creating a conflict. For obvious reasons, I've
see this quite often in a mixed 2000/2003 environment.

This will explain how to view them in ADSI Edit. Let us know if you find any
CNF entries in any of the partitions (Domain NC, DomainDnsZones, and
ForestDnsZones).

kbAlertz (867464) - Explains how to use ADSI Edit to resolve a problem where
the DNS service logs event ID 4515 in the DNS Server log.:
http://www.kbalertz.com/kb_867464.aspx

Ace


Spin

May 1, 2006, 8:08:08 PM
Yes, the command nslookup ForestDNSZones.alpha.local does in fact return the
IP addresses of my root domain AD/DNS server and my child domain AD/DNS
server. However, I get an error when I change the replication scope of
corp.alpha.local to all DNS servers in the AD domain. I am logged on as a
DA in corp.alpha.local whenever I try this. The error is:

"The replication scope could not be set... The specified directory partition
does not exist".

What is weird is, the error is saying the "specified directory partition
does not exist" -- my response to that is of course is doesn't exist, I am
trying to create it! I'm befuddled!

--
Spin

"Paul Williams [MVP]" <ptw...@hotmail.com> wrote in message

news:%23KWgQhR...@TK2MSFTNGP03.phx.gbl...

Spin

May 1, 2006, 8:27:59 PM
I was able to successfully use ADSIEDIT to see both the ForestDNSZones and
DomainDNSZones in the forest root domain alpha.local (logged on as an EA to
that domain to that AD/DNS server). However, I get "Directory Object Not
Found" while searching for both ForestDNSZones and DomainDNSZones in the
child domain, logged on as a DA in the child domain to the child domain
AD/DNS server and even when logged on as an EA to the child domain AD/DNS
server.

--
Spin

"Ace Fekay [MVP]" <Pleas...@SomeDomain.com> wrote in message

news:ewV%23VcXbG...@TK2MSFTNGP02.phx.gbl...

Ace Fekay [MVP]

May 2, 2006, 8:21:13 AM
In news:4bnng6F...@individual.net,

Spin <Sp...@spin.com> stated, which I commented on below:
> I was able to successfully use ADSIEDIT to see both the
> ForestDNSZones and DomainDNSZones in the forest root domain
> alpha.local (logged on as an EA to that domain to that AD/DNS
> server). However, I get "Directory Object Not Found" while
> searching for both ForestDNSZones and DmainDNSZones in the child
> domain, logged on as a DA in the child domain to the child domain
> AD/DNS server and even when logged on as an EA the child domain
> AD/DNS server.

Then this sounds (obviously) more like a DNS misconfiguration. How is the
child domain's DNS configured? Is it delegated from the parent or using
stubs? If you are trying to set the scope for the child and it's not
working, then how is the child supposed to find the parent? Set it up with a
parent to child delegation, then forward from the child to the parent for
now to get it working first.

Ace


Spin

May 2, 2006, 7:35:35 PM
The child domain DNS server points to itself for preferred DNS server under
TCP/IP properties. In the DNS console, I have setup a forwarder pointing at
the root domain DNS server for unresolved queries. I have not setup any
delegation or stubs. Do I need to?

--
Spin

"Ace Fekay [MVP]" <Pleas...@SomeDomain.com> wrote in message

news:e0ORrLeb...@TK2MSFTNGP03.phx.gbl...

Spin

May 2, 2006, 8:12:50 PM
Ace, YOU ARE A GENIUS! After I re-read your post, I understood what you
meant. All I needed to do, like you said, was create a delegation on the
forest root domain for the child domain on the root domain DNS server. Once
I did that, and selected "Create Default Application Directory Partitions"
on my child domain DNS server, the DomainDNSZones partition (folder) showed
up!

--
Spin

"Spin" <Sp...@spin.com> wrote in message

news:4bq8psF...@individual.net...

Ace Fekay [MVP]

May 2, 2006, 11:55:47 PM
In news:4bqavnF...@individual.net,

Spin <Sp...@spin.com> stated, which I commented on below:
> Ace, YOU ARE A GENIUS! After I re-read your post, I understood what
> you meant. All I needed to do, like you said, was create a
> delegation on the forest root domain for the child domain on the root
> domain DNS server. Once I did that, and selected "Create Default
> Application Directory Partitions" on my child domain DNS server, the
> DomainDNSZones partition (folder) showed up!

Voila!!

Time for a double shot of Crown Royal straight up...

:-)


Spin

May 3, 2006, 6:40:41 AM
You've heard of the "ACE Hardware" store right, well, you should be known as
ACE "Software"! :-)

Thanks to Paul Williams for sticking through this as well!

--
Spin

"Ace Fekay [MVP]" <Pleas...@SomeDomain.com> wrote in message

news:%23LdO7Vm...@TK2MSFTNGP03.phx.gbl...

Ace Fekay [MVP]

May 3, 2006, 5:58:47 PM
In news:4brfotF...@individual.net,

Spin <Sp...@spin.com> stated, which I commented on below:
> You've heard of the "ACE Hardware" store right, well, you should be
> known as ACE "Software"! :-)
>
> Thanks to Paul Williams for sticking through this as well!

Ace Software? Hmm, there may be some merit in that...

:-)


Paul Williams [MVP]

May 4, 2006, 5:53:54 AM
Or AD (or DS) Ace!

(and maybe pool ace, but we'll see next April ;-)

Glad its sorted. The cool thing here is that YOU understand what was wrong
and have now resolved it. Well done!

Ace Fekay [MVP]

May 5, 2006, 12:22:15 AM
In news:11467364...@ernani.logica.co.uk,
Paul Williams [MVP] <ptw...@hotmail.com> stated, which I commented on
below:

> Or AD (or DS) Ace!
>
> (and maybe pool ace, but we'll see next April ;-)
>
> Glad its sorted. The cool thing here is that YOU understand what was
> wrong and have now resolved it. Well done!

Thanks! But you helped out too! Between your responses and mine, it helped
to narrow it down.

Ahh, pool, you remembered!

Be glad to play a few racks... :-)


rchipman

Jul 21, 2009, 5:12:52 PM

I'm not sure if this post is still being watched but I am having a
similar issue however it is not between a child and parent in a domain,
it is between domain controllers in the same domain. In DNS on one of
my DCs exists all of the records however in DNS on the other DCs,
nothing exists. The one missing item in DNS on the server that has the
zones is the DomainDNSZones folder. I have attempted the steps
suggested above but to no avail: "a delegation on the forest root domain
for the child domain on the root domain DNS server. Once I did that, and
selected 'Create Default Application Directory Partitions' on my child
domain DNS server". The DomainDNSZones partition is still not showing
up. Any suggestions?


--
rchipman
------------------------------------------------------------------------
rchipman's Profile: http://forums.techarena.in/members/116985.htm
View this thread: http://forums.techarena.in/server-dns/503672.htm

http://forums.techarena.in

Chris Dent

Jul 21, 2009, 6:01:21 PM

This suggests replication failure. Creating the application partitions
should not be necessary if they exist on a current DC within the domain.

Check replication with RepAdmin, DCDiag and the contents of the
Directory Service event log?

A possible alternative is that you have two copies of the same zone.
However, that should be logging an event stating that in the DNS event
log. I would expect the two zones to be in different directory partions
(normally one in the domain NC and one in Domain / Forest DNS Zones). I
feel that's quite unlikely here, but would need more information.

Chris

rchipman

Jul 21, 2009, 10:10:48 PM

I definitely have errors in the Directory Service event log - two of
them that continually repeat.
Event 1645 - Active Directory did not perform an authenticated remote
procedure call (RPC) to another domain controller because the desired
service principal name (SPN) for the destination domain controller is
not registered on the Key Distribution Center (KDC) domain controller
that resolves the SPN.

Event 1925 - The attempt to establish a replication link for the
following writable directory partition failed.
Additional Data
Error value: 1396 Logon Failure: The target account name is incorrect.


I have done a ton of research on these errors and I have yet to find
anything to resolve this issue. I'm hoping you can help.

Running repadmin /showrepl produces various errors also:
1) Logon Failure: The target account name is incorrect.
2) Warning: KCC could not add this REPLICA LINK due to error.
3) The DSA operation is unable to proceed because of a DNS lookup
failure.

I have run dcdiag and receive the following error:
Starting test: FSMOCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog server could not be located - All GC's are down
................................hbrapp.hbr-inc.com failed test
FsmoCheck.

Thanks.

Ace Fekay [MCT]

Jul 21, 2009, 10:50:39 PM
"rchipman" <rchipma...@DoNotSpam.com> wrote in message news:rchipma...@DoNotSpam.com...

This sounds like it could be a DNS misconfig issue. Can you post an unedited ipconfig /all of the two DCs, please? Let us eliminate the possibility it's a simple DNS misconfig to start off, as well as other issues that an ipconfig /all result will alert us to (single label name, disjointed namespace, multihomed DCs, ISP DNS, external DNS, router as a DNS, and much more).

Also, Chris mentioned a possible duplicate zone, which I am leaning towards as well. I have a full outlined procedure to check and fix such an issue, but let's rule out the basics with the ipconfigs, please.

Thanks,


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
ace...@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.


rchipman

Jul 22, 2009, 6:32:05 AM

Here you go:
DC1: Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINNT\Profiles\Administrator>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : paw2
Primary Dns Suffix . . . . . . . : hbrpaw.hbr-inc.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hbrpaw.hbr-inc.com
hbr-inc.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network
Connection
Physical Address. . . . . . . . . : 00-08-02-20-A8-BE
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.250.16.12
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Default Gateway . . . . . . . . . : 10.250.16.1
DNS Servers . . . . . . . . . . . : 10.250.16.12
10.250.16.15
Primary WINS Server . . . . . . . : 10.250.16.15
Secondary WINS Server . . . . . . : 10.250.16.2

C:\WINNT\Profiles\Administrator>

DC2: Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.HBRPAW>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : PAWDC
Primary Dns Suffix . . . . . . . : hbrpaw.hbr-inc.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hbrpaw.hbr-inc.com
hbr-inc.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet
Adapter
Physical Address. . . . . . . . . : 00-50-56-B1-22-E5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.250.16.15
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Default Gateway . . . . . . . . . : 10.250.16.1
DNS Servers . . . . . . . . . . . : 10.250.16.12
10.250.16.15
Primary WINS Server . . . . . . . : 10.250.16.15
Secondary WINS Server . . . . . . : 10.250.16.2
10.250.16.10

C:\Documents and Settings\Administrator.HBRPAW>

Thank you so much for the help !

Ace Fekay [MCT]

Jul 22, 2009, 11:15:09 AM
"rchipman" <rchipma...@DoNotSpam.com> wrote in message news:rchipma...@DoNotSpam.com...


You are welcome. It appears the ipconfigs look pretty good. I would just suggest for DC2 to point to itself in the first entry, and the partner DC as its second entry. I notice there is another WINS server at 16.2. Keep in mind, with any WINS server, that a WINS server can only point to itself, no others. So make sure that's true on your WINS servers.

So my feeling, as well as Chris' feeling, is there may be a duplicate zone in the AD database. Please read the following to understand what that means and how to find, and/or fix it, if found.

==================================================================
Conflicting or duplicate AD Integrated DNS zones
By Ace Fekay, MCSE 2003, MCT
First published 3/2006, updated accordingly

You may have a duplicate zone if a zone either exists in both the Domain NC and one of the Application Partitions, if you get an unusual error message stating, "The name limit for the local computer network adapter card was exceeded," or you installed DNS on another DC and manually created the AD zone and didn't wait for it to automatically populate.

Dupe zone errata:
A quick explanation: When you have an AD integrated zone, the DNS data is stored in the actual AD database and is replicated to all DCs and will be available to any DC that has DNS installed, depending on the zone replication scope setting. If rep scope is set to the bottom button, it will be stored in the DomainNC partition of the AD database and compatible with Windows 2000. If the middle button, it will be stored in the DomainDnsZones and only works with Windows 2003 and newer DCs. These two scope types will be replicated to all DCs only in the domain it exists in. The third type, the top button, is stored in the ForestDnsZones application partition and is available to ALL DCs in the whole forest. The data in any of the AD integrated zone types are truly secured since you can't get at them without the proper tools.

If you have an AD integrated zone existing on a DC and you install DNS on another DC in the domain or forest, depending what zone type, it will automatically appear on the new DNS installation without any interaction on your part. If you attempted to manually create the zone, then you pretty much just introduced a duplicate in the AD database, which will cause problems and other issues as well.

A Primary or Secondary zone that is not stored in AD is stored in a text file in the system32\dns folder. This type of zone storage has nothing to do with the above types ONLY unless it is truly a secondary with the Master being a DC transferring a copy of the zone. This type of zone storage is obviously not secure.

Now **IF** you did manually create a zone on one DC while it already existed on another DC, then you may have a duplicate. If this is the case, you can use ADSI Edit and look for zone data that starts with a "CNF..." in front of it. Delete them and you're good to go.

Under Windows 2000, the physical AD database is broken up into 3 logical partitions, the DomainNC (Domain Name Context, or some call the Domain Name Container), the Configuration Partition, and the Schema Partition. The Schema and Config partitions replicate to all DCs in a forest. However, the DomainNC is specific only to the domain the DC belongs to. That's where a user, domain local or global group is stored. The DomainNC only replicates to the DCs of that specific domain. When you create an AD Integrated zone in Win 2000, it gets stored in the DomainNC. This causes a limitation if you want this zone to be available on a DC/DNS server that belongs to a different domain. The only way to get around that is for a little creative designing using either delegation, or secondary zones. This was a challenge for the _msdcs zone, which must be available forest wide to resolve the forest root domain, which contains the Schema and Domain Name Masters FSMO roles.

In Windows 2003, there were two additional partitions added, they are called the DomainDnsZones and ForestDnsZones Application Partitions, specifically to store DNS data. They were conceived to overcome the limitation of Windows 2000's AD Integrated zones. Now you can store an AD Integrated zone in either of these new partitions instead of the DomainNC. If stored in the DomainDnsZones app partition, it is available only in that domain's DomainDnsZones partition. If you store it in the ForestDnsZones app partition, it will be available to any DC/DNS server in the whole forest. This opens many more design options. It also ensures the availability of the _msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs zone is stored in the ForestDnsZones application partition.

When selecting a zone replication scope in Win2003, in the zone's properties, click on the "Change" button. Under that you will see 3 options:
To choose the ForestDnsZones:
"To all DNS servers in the AD forest example.com"

To choose DomainDnsZones:
"To all DNS servers in the AD domain example.com"

To choose the DomainNC (only for compatibility with Win2000):
"To all domain controllers in the AD domain example.com"


If you have a duplicate, that's indicating there is a zone that exists in the DomainNC and in the DomainDnsZones Application partition. This means at one time, or currently, you have a mixed Win2000/2003 environment and you have DNS installed on both operating systems. On Win2000, if the zone is AD Integrated, it is in the DomainNC, and should be set the same in Win2003's DC/DNS server to keep compatible. Someone must have attempted to change it in Win2003 DNS to put it in the DomainDnsZones partition not realizing the implications, hence the duplicate. In a scenario such as this where you want to use the Win2003 app partitions, you then must ensure the zone on the Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine, then once that's done, you can then go to the Win2003 DNS and change the partition's replication scope to one of the app partitions.

In ADSI Edit, you can view all five partitions. You were viewing the app partitions, but not the main partitions. You need to add the DomainNC partition in order to delete that zone. But you must uninstall DNS off the Win2000 server first, unless you want to keep the zone in the DomainNC. But that wouldn't make much sense if you want to take advantage of the _msdcs zone being available forest wide in the ForestDnsZones partition, which you should absolutely NOT delete. I would just use the Win2003 DNS servers only.

In ADSI Edit, rt-click ADSI Edit, connect to, in the Connection Point click on "Well known Naming Context", then in the drop-down box, select "Domain". Drill down to CN=System. Under that you will see CN=MicrosoftDNS. You will see the zone in there.

But make sure to decide FIRST which way to go before you delete anything.

To view the DomainDnsZones or the ForestDnsZones partitions, follow these steps:

[ForestDNSZones]
Click Start, click Run, type adsiedit.msc, and then click OK.
In the console tree, right-click ADSI Edit, and then click Connect to.
Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK:
DC=ForestDNSZones, DC=contoso, DC=com
In the console tree, double-click DC=ForestDNSZones, DC=contoso, DC=com.
Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You should now be able to view the DNS records which exist in this DNS partition. If you desire to remove this partition, right-click on contoso.com and then click Delete.

Note Deleting a zone is a destructive operation. Please confirm that a duplicate zone exists before you perform a deletion.
If you have deleted a zone, restart the DNS service. To do this, follow these steps:
Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
In the console tree, right-click contoso.com, point to All Tasks, and then click Restart.

[DomainDNSZones]
Click Start, click Run, type adsiedit.msc, and then click OK.
In the console tree, right-click ADSI Edit, and then click Connect to.
Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK: DC=DomainDNSZones,DC=contoso,DC=com.
In the console tree, double-click DC=DomainDNSZones,DC=contoso,DC=com
Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You should now be able to view the DNS records which exist in this DNS partition. If you desire to remove this partition, right-click on contoso.com and then click Delete.

Note Deleting a zone is a destructive operation. Please confirm that a duplicate zone exists before you perform a deletion.
If you have deleted a zone, restart the DNS service. To do this, follow these steps:
Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
In the console tree, right-click contoso.com, point to All Tasks, and then click Restart.

Some reading for you...

Directory Partitions:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp

kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app partitions issues:
http://www.kbalertz.com/kb_867464.aspx


How to fix it?
-------------

What I've done in a few cases with my clients that have issues with
'duplicate' zone entries in AD (because the zone name was in the Domain NC
(Name Container) Partition, and also in the DomainDnsZones App partition),
was first to change the zone on one of the DCs to a Primary zone, and
allowed zone transfers. Then I went to the other DCs and changed the zone to
a Secondary, and using the first DC as the Master. Then I went into ADSI
Edit, (from memory) under the Domain NC, Services, DNS, and deleted any
reference to the domain name. Then I added the DomainDnsZones partition to
the ADSI Edit console, and deleted any reference to the zone name in there
as well. If you see anything saying something to the extent of a phrase that says
"In Progress...." or "CNF" with a long GUID number after it, delete them too. Every time
you may have tried to change the replication scope, it creates one of them.
Delete them all.

Then I forced replication. If there were Sites configured, I juggled around
the servers and subnet objects so all of the servers are now in one site,
then I forced replication (so I didn't have to wait for the next site
replication schedule). Once I've confirmed that replication occurred, and the
zones no longer existed in either the Domain NC or DomainDnsZones, then I
changed the zone on the first server back to AD Integrated, choosing the
middle button for its replication scope (which puts it in the
DomainDnsZones app partition). Then I went to the other servers and changed
the zone to AD Integrated choosing the same replication scope. Then I reset
the sites and subnet objects, and everything was good to go.

Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any
problems and is located in the ForestDnsZones (default) in all of my client
cases I've come across with so far.

It seems like a lot of steps, but not really. Just read it over a few times
to get familiar with the procedure. You may even want to change it into a
numbered step by step list if you like. If you only have one DC, and one
Site, then it's much easier since you don't have to mess with secondaries or
play with the site objects.

I hope that helps!
==================================================================

Ace
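Before deleting anything in ADSI Edit it helps to have an inventory of where each zone object actually lives. The following PowerShell script is an added example, not part of Ace's procedure or any Microsoft tool: it lists the dnsZone objects in the three storage locations (Domain NC under CN=System, the DomainDnsZones partition and the ForestDnsZones partition), then reports zone names stored in more than one location and any leftover "..InProgress..." or "CNF:" objects. It is read-only. It assumes PowerShell 3 or later on a domain-joined machine, and an account that can read the partitions (on a child domain, reading ForestDnsZones needs the Enterprise Admins membership discussed in this thread); the optional `-Server` parameter is the script's own, not a DNS setting.

```powershell
# Added example: inventory dnsZone objects per storage location and flag
# duplicates and leftover in-progress/conflict objects. Read-only.
param(
    [string]$Server = ''   # optional DC to bind to, e.g. 'PAW2'; empty = use the DC locator
)

function Get-DnsZoneObjects {
    param([string]$SearchBase, [string]$Partition)
    $path = if ($Server) { "LDAP://$Server/$SearchBase" } else { "LDAP://$SearchBase" }
    $root = [ADSI]$path
    try {
        # Touching a property forces the bind; a partition that does not exist throws here
        $null = $root.distinguishedName
    } catch {
        Write-Warning ("Cannot bind to {0} ({1}): {2}" -f $SearchBase, $Partition, $_.Exception.Message)
        return
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = '(objectClass=dnsZone)'
    $searcher.SearchScope = 'OneLevel'
    $searcher.PageSize    = 500
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Partition = $Partition
            Name      = [string]$result.Properties['name'][0]
            DN        = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$rootDse.defaultNamingContext
$forestNc = [string]$rootDse.rootDomainNamingContext

# Domain NC = "all DCs in the domain" scope (Windows 2000 style),
# DomainDnsZones = "all DNS servers in the domain", ForestDnsZones = "all DNS servers in the forest"
$locations = @(
    @{ Partition = 'DomainNC';       Base = "CN=MicrosoftDNS,CN=System,$domainNc" }
    @{ Partition = 'DomainDnsZones'; Base = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNc" }
    @{ Partition = 'ForestDnsZones'; Base = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestNc" }
)
$zones = foreach ($loc in $locations) {
    Get-DnsZoneObjects -SearchBase $loc.Base -Partition $loc.Partition
}

# Objects left behind by an interrupted replication-scope change or a replication conflict
$leftovers = $zones | Where-Object { $_.Name -like '*InProgress*' -or $_.Name -like '*CNF:*' }
# Real zone names that exist in more than one storage location
$duplicates = $zones |
    Where-Object { $_.Name -notlike '*InProgress*' -and $_.Name -notlike '*CNF:*' } |
    Group-Object -Property Name | Where-Object { $_.Count -gt 1 }

Write-Host 'Zones found:'
$zones | Sort-Object Name, Partition | Format-Table Partition, Name -AutoSize
if ($duplicates) {
    Write-Warning 'Zone names present in more than one location (candidates for the cleanup above):'
    $duplicates | ForEach-Object {
        '  {0}: {1}' -f $_.Name, (($_.Group | ForEach-Object { $_.Partition }) -join ', ')
    }
}
if ($leftovers) {
    Write-Warning 'Leftover in-progress / conflict objects:'
    $leftovers | ForEach-Object { '  ' + $_.DN }
}
```

Run it once against each DC (`-Server PAW2`, then the partner) rather than only against the locator-chosen DC: if the two DCs disagree about what a partition contains, that difference is itself the replication symptom the rest of this thread is chasing.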


Chris Dent, Jul 22, 2009, 11:27:00 AM

> I would just suggest for DC2 to point to itself in the first entry, and the partner DC as its second entry.

I would leave them both pointing at DC1 until any potential replication
failures are resolved, otherwise DC2 won't be able to locate DC1 within
its own version of the zone.


Chris

Ace Fekay [MCT], Jul 22, 2009, 5:13:45 PM


"Chris Dent" <ch...@noreply.null> wrote in message news:Oj5YcDuC...@TK2MSFTNGP04.phx.gbl...

Good point, since DC1 is the 'working' one at this time.

Ace

rchipman, Jul 23, 2009, 7:27:11 AM


Thank you for the good information. Interestingly enough I have read
this information and was able to get rid of the "extra" zone in my
forestdnszones. Once that was done, I was able to set the replication
scope to the forest however things are still not working.

So, if I am reading this properly, to fix the issue, I need to set my
DC1 up as the Primary zone and DC2 as a secondary zone. Do I need to do
a Zone transfer from DC1 to DC2?

After that, I need to go into ADSIEDIT to find and delete the domain
name under Domain NC, Services, DNS.??

>> Add the DomainDnsZones partition to the ADSI Edit console, and deleted any reference to the zone name in there as well.

Where do I add this?

>> If you see anything saying something to the extent of a phrase that says "In Progress...." or "CNF" with a long GUID number after it, delete them too.

I see multiple instances of "In Progress..." in ADSIEDIT.....so I need
to delete ALL of these? Just a note, I do see these "In Progress..."
items under ADSIEDIT on my OTHER domains in which DNS IS working
correctly.

>> Then I forced replication.

How is this done? Under AD Sites and Services?

Ace Fekay [MCT], Jul 23, 2009, 10:06:55 AM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message news:rchipma...@DoNotSpam.com...
>
> Thank you for the good information. Interestingly enough I have read
> this information and was able to get rid of the "extra" zone in my
> forestdnszones. Once that was done, I was able to set the replication
> scope to the forest however things are still not working.
>
> So, if I am reading this properly, to fix the issue, I need to set my
> DC1 up as the Primary zone and DC2 as a secondary zone. Do I need to do
> a Zone transfer from DC1 to DC2?

NO, DO NOT USE SECONDARIES. AD Integrated zones are already part of the AD database. You must set the scope on ONLY ONE DC and let replication happen. Go to lunch or do something for a while, and the zone will automatically appear on the other DC by itself. If you try to manually create it, or create a secondary, you will cause more problems and create additional duplicates. Now I see why you have duplicates. You must have done something similar in the past. Be patient, please.


>
> After that, I need to go into ADSIEDIT to find and delete the domain
> name under Domain NC, Services, DNS.??

Look under DomainNC, DomainDnsZones and ForestDnsZones.

>
>>>Add the DomainDnsZones partition to the ADSI Edit console, and
> deleted any reference to the zone name in there as well.
> Where do I add this?

I thought my instructions were clear?


In the console tree, right-click ADSI Edit, and then click Connect to.
Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK: DC=DomainDNSZones,DC=contoso,DC=com.

>

>>>If you see anything saying something to the extent of a phrase that
> says
> "In Progress...." or "CNF" with a long GUID number after it, delete
> them too.
> I see multiple instances of "In Progress..." in ADSIEDIT.....so I need
> to delete ALL of these? Just a note, I do see these "In Progress..."
> items under ADSIEDIT on my OTHER domains in which DNS IS working
> correctly.

YES, delete anything with those prefixes. They are your duplicates.


>
>>>Then I forced replication.
> How is this done? Under AD Sites and Services?
>


Yes, Sites and Services, or just let it happen.

Ace

rchipman, Jul 23, 2009, 11:29:36 AM


I'm sorry....I thought your instructions indicated to set up a secondary
zone:

>> How to fix it?
>> -------------
>> What I've done in a few cases with my clients that have issues with
>> 'duplicate' zone entries in AD (because the zone name was in the Domain NC
>> (Name Container) Partition, and also in the DomainDnsZones App partition),
>> was first to change the zone on one of the DCs to a Primary zone, and
>> allowed zone transfers. Then I went to the other DCs and changed the
>> zone to a Secondary, and using the first DC as the Master.

I have never set up a secondary domain, normally the zones just appear
on the other DNS servers....unlike this situation.
So, right now on DC1 my replication scope is set to "All DNS servers in
the Active Directory forest hbrapp.hbr-inc.com". Do I need to set this
"To all DNS servers in the Active Directory domain hbrpaw.hbr-inc.com"?

If yes, I am not able to: I receive the error "The replication scope
could not be set. The error was: The specified directory partition does
not exist."

>> Then I went into ADSI Edit, (from memory) under the Domain NC,
>> Services, DNS, and deleted any reference to the domain name.

When you refer to Domain NC, I do not know what you are referring to.

>> Add the DomainDnsZones partition to the ADSI Edit console.

After adding this to the console, the only item listed is
CN+LostAndFound which contains nothing.

Chris Dent, Jul 23, 2009, 4:34:43 PM


Your replication scope indicates that your data is stored in
ForestDNSZones rather than DomainDNSZones. Could you verify you can
connect to ForestDNSZones as well?

Does it allow you to change the replication scope to All Domain
Controllers in the AD Domain? That moves it back into the Domain NC
which isn't ideal but it would be good to know if it works.

Chris

rchipman, Jul 23, 2009, 4:46:31 PM


>> Add the DomainDnsZones partition to the ADSI Edit console.

After adding this to the console, the only item listed is
CN=LostAndFound which contains nothing. DISREGARD this from post above.


When I try to add DomainDnsZones partition to the ADSI Edit console, I
receive the message: "Directory object not found."

Ace Fekay [MCT], Jul 23, 2009, 6:03:35 PM


"rchipman" <rchipma...@DoNotSpam.com> wrote in message news:rchipma...@DoNotSpam.com...
>
>>> Add the DomainDnsZones partition to the ADSI Edit console.
> After adding this to the console, the only item listed is
> CN=LostAndFound which contains nothing. DISREGARD this from post above.
>
>
> When I try to add DomainDnsZones partition to the ADSI Edit console, I
> receive the message: "Directory object not found."


If you added it correctly, and the zone is in the ForestDnsZones replication scope, then there shouldn't be anything in it.

btw - How are you posting? Are you creating new threads each time? Or are you hitting Reply when posting. Normally when replying, a newsreader, and even Techarena, will put in an arrow in front of the previous post. However, I've been finding it difficult to read your responses because I'm not seeing the arrow (">") in front of the post that you are quoting, which makes it appear as if I'm seeing my previous post intermixed with your responses. So it's difficult to read.

Ace

rchipman, Jul 23, 2009, 5:32:57 PM


>> Could you verify you can connect to ForestDNSZones as well?

Yes I can connect to ForestDNSZones.

>> Does it allow you to change the replication scope to All Domain
>> Controllers in the AD Domain?

YES it does. But I don't want to keep it set at this, do I?

rchipman, Jul 23, 2009, 7:40:19 PM


When I open ADSIEDIT, right-click ADSIEDIT, select Connect To and then "Select
or type a distinguished name or naming context" and type in
DC=DomainDNSZones,DC=hbrpaw,DC=hbr-inc,DC=com, I receive the error
"Directory object not found." I'm guessing I shouldn't be getting this
error. Any idea why I'm getting this?

Prior to this post, I have been using the Quick Reply to post my
responses. This time I selected the Post Reply button. Which one should
I be using or is there a completely different method?

Ace Fekay [MCT], Jul 23, 2009, 10:41:28 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message news:rchipma...@DoNotSpam.com...
>
> When I open ADSIEDIT, right ADSIEDIT, select Connect To and then "Select
> or type a distinguished name or naming context" and type in
> DC=DomainDNSZones,DC=hbrpaw,DC=hbr-inc,DC=com, I receive the error
> "Directory object not found." I'm guessing I shouldn't be getting this
> error. Any idea why I'm getting this?

Is your domain name hbrpaw.hbr-inc.com?

>
> Prior to this post, I have been using the Quick Reply to post my
> responses. This time I selected the Post Reply button. Which one should
> I be using or is there a completely different method?
>

No idea. Not familiar with Techarena, but this one seems better, but then again, I don't see my post in it, but I assume this is the better method. Techarena poses a challenge if you read the posts in the Microsoft Newsgroups. The posts from Techarena actually post to the newsgroups, and posts from here go to there. That's their source. But the way the web interface works, is probably what was causing the problem. Many find that using an actual newsreader is much better. It's free, and you don't have to log in.

Ace

Ace Fekay [MCT], Jul 23, 2009, 10:49:29 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message news:rchipma...@DoNotSpam.com...
>
> Prior to this post, I have been using the Quick Reply to post my
> responses. This time I selected the Post Reply button. Which one should
> I be using or is there a completely different method?


Actually, just to update, I did notice that your post showed up normally this time as a "normal" reply. So we both learned something about Techarena!

:-)

rchipman, Jul 24, 2009, 12:03:55 AM


Yes, my domain is hbrpaw.hbr-inc.com.

Chris Dent, Jul 24, 2009, 5:49:21 AM


Not really, it was to see if there was an issue moving it from the
current ForestDNSZones NC rather than there being a problem moving it to
the DomainDNSZones NC.

I guess it still refuses to let you move it into the DomainDNSZones
partition?

We could potentially delete the DomainDNSZones partition and recreate
it, however it's worth noting that doing so is not supported. Happy to
go ahead with that anyway?

Unless Ace has any alternatives?

Chris

Ace Fekay [MCT], Jul 24, 2009, 9:41:59 AM


"rchipman" <rchipma...@DoNotSpam.com> wrote in message news:rchipma...@DoNotSpam.com...
>
> Yes, my domain is hbrpaw.hbr-inc.com.
>


If that domain name wasn't misspelled while adding it, then I am assuming that the partition doesn't exist. I assume you ran this while logged on as the enterprise admin?

Create the default DNS application directory partitions: Domain ...Jan 21, 2005
http://technet.microsoft.com/en-us/library/cc739505(WS.10).aspx

Ace

Ace Fekay [MCT], Jul 24, 2009, 9:43:11 AM


"Chris Dent" <ch...@noreply.null> wrote in message news:OVyNGQED...@TK2MSFTNGP04.phx.gbl...


It appears from his latest post, the DomainDnsZones partition doesn't exist, when trying to add it in ADSI Edit. I forgot to ask him if that's true with the ForestDnsZones partition. So if that's the case, create one. :-)

Ace

rchipman, Jul 24, 2009, 9:33:40 AM


Yes, it is still refusing to let me move it to DomainDNSZones. I'm
still getting the error "The specified directory partition does not
exist".

I also notice in DNS under the zone that there is no DomainDNSZones
partition like there is with my other domains. I have created that
partition but nothing gets populated in it. If you need a picture to
understand better what I mean, let me know.

This might be a stupid question but how can we "delete the
DomainDNSZones partition" if we can't find it?

Do the errors in my Directory Service Event log mean anything? Or are
they occurring because of the DNS issues?

Event 1645 - Active Directory did not perform an authenticated remote
procedure call (RPC) to another domain controller because the desired
service principal name (SPN) for the destination domain controller is
not registered on the Key Distribution Center (KDC) domain controller
that resolves the SPN.

Event 1925 - The attempt to establish a replication link for the
following writable directory partition failed.
Additional Data
Error value: 1396 Logon Failure: The target account name is incorrect.


I certainly need to get this resolved sooner than later but of course
don't want to cause any MORE problems.....so if deleting it and
recreating it is the only option then I guess that's what I have to
do...... :-(

Thanks!

rchipman, Jul 24, 2009, 11:00:40 AM


>> If that domain name wasn't misspelled while adding it, then I am
>> assuming that the partition doesn't exist. I assume you ran this while
>> logged on as the enterprise admin?

The domain wasn't misspelled when adding it. I tried adding it to
ADSIEDIT while logged on as the domain administrator of the domain. How
would I log in as the enterprise admin?

ForestDNSZones partition exists fine.

I have read this article on how to create the default DNS application
directory partitions but when I attempt to do this on my domain, I first
get the message "Would you like to create a single partition that stores
DNS zone data to all DNS server in the Active Directory domain
hbrpaw.hbr-inc.com?" I click YES and then receive the error "the
partition to replicate zone data to all DNS servers in the active
directory domain was not created. the application directory partition
operation failed. The domain controller holding the domain naming
master role is down or unable to service the request or is not running
Windows Server 2003." What am I doing wrong?

Remember this domain was added to an existing forest and is not the top
of the forest......

Chris Dent, Jul 24, 2009, 11:35:58 AM


Ignore recreating DomainDNSZones, that only applies if we can find an
existing but broken instance. For some reason I was under the impression
that was working on DC1. Sorry about that.

The DomainDNSZones sub-folder / sub-domain you see (or wanted to see)
under your Forward Lookup Zone is used to store a list of servers which
have enlisted the partition (in this case every DC in your domain which
is running the DNS service). Creating the sub-domain and associated
records wouldn't make the partition appear.

The event log errors aren't really very encouraging. Which DC are they
refusing to talk to?

You also mentioned a problem with the Domain Naming Master. Where is that?

I still think the full output from DCDiag would be beneficial.

Chris
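Chris's point is that the DomainDnsZones sub-domain in the DNS console is only a list of enlisted servers; whether the partition itself exists is decided by a crossRef object under CN=Partitions in the Configuration NC, and creating one needs the Domain Naming Master. The PowerShell script below is an added example (not from the thread, not Microsoft's tooling) that reads exactly those objects: it reports every application directory partition registered in the forest with the DCs enlisted in it, checks whether the expected DomainDnsZones and ForestDnsZones crossRefs for this domain and forest exist, and tries an LDAP bind to the Domain Naming Master, which is the condition behind the "domain naming master role is down or unable to service the request" error quoted above. It assumes PowerShell 3 or later on a domain-joined machine with read access to the Configuration NC; it changes nothing.

```powershell
# Added example: inventory DNS application partitions (crossRef objects), their
# replica sets, and reachability of the Domain Naming Master. Read-only.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$rootDse.defaultNamingContext
$forestNc = [string]$rootDse.rootDomainNamingContext
$configNc = [string]$rootDse.configurationNamingContext

# 1. Domain Naming Master: fSMORoleOwner on CN=Partitions is the DN of its NTDS Settings object,
#    whose parent is the server object carrying dNSHostName.
$partitionsContainer = [ADSI]"LDAP://CN=Partitions,$configNc"
$dnmNtdsDn = [string]$partitionsContainer.fSMORoleOwner
$dnmServer = ([ADSI]"LDAP://$dnmNtdsDn").Parent
$dnmHost   = [string]$dnmServer.dNSHostName
Write-Host "Domain Naming Master: $dnmHost"

# A bind to the role holder's RootDSE is the cheapest reachability check; creating a
# partition fails if this fails, regardless of whether the host answers ping.
try {
    $null = ([ADSI]"LDAP://$dnmHost/RootDSE").currentTime
    Write-Host '  LDAP bind to the Domain Naming Master succeeded'
} catch {
    Write-Warning "  LDAP bind to $dnmHost failed: $($_.Exception.Message)"
}

# 2. Every naming context in the forest has a crossRef under CN=Partitions.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($partitionsContainer)
$searcher.Filter      = '(objectClass=crossRef)'
$searcher.SearchScope = 'OneLevel'
foreach ($attr in 'nCName', 'systemFlags', 'msDS-NC-Replica-Locations') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$crossRefs = foreach ($r in $searcher.FindAll()) {
    $flags = if ($r.Properties['systemflags'].Count -gt 0) { [int]$r.Properties['systemflags'][0] } else { 0 }
    # systemFlags bits: 0x1 = naming context, 0x2 = domain NC, 0x4 = not replicated to GCs.
    # Application partitions have 0x1 and 0x4 set and 0x2 clear.
    $isAppPartition = (($flags -band 0x1) -ne 0) -and (($flags -band 0x2) -eq 0) -and (($flags -band 0x4) -ne 0)
    # msDS-NC-Replica-Locations holds NTDS Settings DNs of the enlisted DCs; keep the server CN
    $replicas = @($r.Properties['msds-nc-replica-locations']) | ForEach-Object {
        if ([string]$_ -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] } else { [string]$_ }
    }
    [pscustomobject]@{
        NCName         = [string]$r.Properties['ncname'][0]
        IsAppPartition = $isAppPartition
        Replicas       = ($replicas -join ', ')
    }
}

Write-Host 'Application directory partitions and enlisted DCs:'
$crossRefs | Where-Object { $_.IsAppPartition } | Format-Table NCName, Replicas -AutoSize

# 3. The two partitions the DNS server expects for this domain and this forest
$registered = $crossRefs | ForEach-Object { $_.NCName }
foreach ($expected in "DC=DomainDnsZones,$domainNc", "DC=ForestDnsZones,$forestNc") {
    if ($registered -contains $expected) {
        Write-Host "present: $expected"
    } else {
        Write-Warning "no crossRef for $expected (the partition does not exist in this forest)"
    }
}
```

If the DomainDnsZones crossRef is missing, the "Directory object not found" message from ADSI Edit and the "specified directory partition does not exist" message from the DNS console are the same fact seen from two tools, and no amount of zone-level work on the DCs will create it; if the crossRef exists but a DC is absent from its replica list, that DC has simply not enlisted, which is the case the DNS console's DomainDnsZones sub-domain is tracking.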

rchipman, Jul 24, 2009, 1:30:06 PM


>> The event log errors aren't really very encouraging. Which DC are
>> they refusing to talk to?

They are referring to the domain which holds the
domain naming master role (hbrapp.hbr-inc.com) which is the one at the
top of the forest.

Event 1645: Active Directory did not perform an authenticated remote
procedure call (RPC) to another domain controller because the desired
service principal name (SPN) for the destination domain controller is
not registered on the Key Distribution Center (KDC) domain controller
that resolves the SPN.

Destination domain controller:
5371ec3a-d365-4bdd-81ad-0f53a3f8b492._msdcs.hbrapp.hbr-inc.com
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/5371ec3a-d365-4bdd-81ad-0f53a3f8b492/hbrmse.hb...@hbrmse.hbr-inc.com


User Action
Verify that the names of the destination domain controller and domain
are correct. Also, verify that the SPN is registered on the KDC domain
controller. If the destination domain controller has been recently
promoted, it will be necessary for the local domain controller's
computer account data to replicate to the KDC before this computer can
be authenticated.

Event 1925:
The attempt to establish a replication link for the following writable
directory partition failed.

Directory partition:
CN=Schema,CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Source domain controller:
CN=NTDS
Settings,CN=MSE3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com

Source domain controller address:
5371ec3a-d365-4bdd-81ad-0f53a3f8b492._msdcs.hbrapp.hbr-inc.com
Intersite transport (if any):


This domain controller will be unable to replicate with the source
domain controller until this problem is corrected.

User Action
Verify if the source domain controller is accessible or network
connectivity is available.

Additional Data
Error value:
1396 Logon Failure: The target account name is incorrect.

The Domain Naming Master is located in another physical location from
the DC that I am working on (in the hbrpaw.hbr-inc.com domain). I can
ping that server and also browse to it through the network.

DCDiag results:
C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\PAW2
Starting test: Connectivity
........................ PAW2 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\PAW2
Starting test: Replications
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source SAGDC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source SAG
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source VCSERVER
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source SAGDC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION-RECEIVED LATENCY WARNING
PAW2: Current time is 2009-07-24 13:27:57.
DC=ForestDnsZones,DC=hbrapp,DC=hbr-inc,DC=com
Last replication recieved from PVB1 at 2009-05-01
13:54:14.
WARNING: This latency is over the Tombstone Lifetime of
60 days!

CN=Schema,CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Last replication recieved from PVB1 at 2009-05-01
13:54:14.
WARNING: This latency is over the Tombstone Lifetime of
60 days!

CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Last replication recieved from PVB1 at 2009-05-01
13:54:14.
WARNING: This latency is over the Tombstone Lifetime of
60 days!

........................ PAW2 passed test Replications
Starting test: NCSecDesc
........................ PAW2 passed test NCSecDesc
Starting test: NetLogons
........................ PAW2 passed test NetLogons
Starting test: Advertising
........................ PAW2 passed test Advertising
Starting test: KnowsOfRoleHolders
........................ PAW2 passed test KnowsOfRoleHolders
Starting test: RidManager
........................ PAW2 passed test RidManager
Starting test: MachineAccount
........................ PAW2 passed test MachineAccount
Starting test: Services
........................ PAW2 passed test Services
Starting test: ObjectsReplicated
........................ PAW2 passed test ObjectsReplicated
Starting test: frssysvol
........................ PAW2 passed test frssysvol
Starting test: frsevent
........................ PAW2 passed test frsevent
Starting test: kccevent
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/24/2009 13:24:34
Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/24/2009 13:24:34
Event String: Active Directory did not perform an
authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/24/2009 13:24:34
Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/24/2009 13:24:35
Event String: Active Directory did not perform an
authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/24/2009 13:24:35
Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/24/2009 13:24:35
Event String: Active Directory did not perform an
authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/24/2009 13:24:35
Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/24/2009 13:24:35
Event String: Active Directory did not perform an
authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/24/2009 13:24:35
Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/24/2009 13:24:35
Event String: Active Directory did not perform an
authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/24/2009 13:24:35
Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/24/2009 13:24:35
Event String: Active Directory did not perform an
authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/24/2009 13:24:35
Event String: The attempt to establish a replication link
for
........................ PAW2 failed test kccevent
Starting test: systemlog
........................ PAW2 passed test systemlog
Starting test: VerifyReferences
........................ PAW2 passed test VerifyReferences

Running partition tests on : hbrpaw
Starting test: CrossRefValidation
........................ hbrpaw passed test
CrossRefValidation
Starting test: CheckSDRefDom
........................ hbrpaw passed test CheckSDRefDom

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
........................ ForestDnsZones passed test
CrossRefValidation

Starting test: CheckSDRefDom
........................ ForestDnsZones passed test
CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
........................ Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
........................ Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
........................ Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
........................ Configuration passed test
CheckSDRefDom

Running enterprise tests on : hbrapp.hbr-inc.com
Starting test: Intersite
........................ hbrapp.hbr-inc.com passed test
Intersite
Starting test: FsmoCheck
........................ hbrapp.hbr-inc.com passed test
FsmoCheck

C:\Program Files\Support Tools>

Chris Dent, Jul 24, 2009, 3:23:35 PM


Do the tombstone warnings appear for both DCs in your domain? Or is this
only DCDiag from the second DC?

If they both show this we will have to look at reducing the
restrictions on replication with tombstoned DCs on the DCs in the root
domain. I doubt you want to rebuild your domain after all.

If only one shows that issue I'd ditch that DC and build a new one,
cleaning any references to it out using NTDSUtil.

Chris

rchipman, Jul 24, 2009, 5:11:11 PM


Here is the DCDiag from the second DC in my domain:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Windows Resource Kits\Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\PAWDC
Starting test: Connectivity
........................ PAWDC passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\PAWDC
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
PAWDC: Current time is 2009-07-24 17:07:41.


CN=Schema,CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Last replication recieved from PVB1 at 2009-05-01
13:54:14.
WARNING: This latency is over the Tombstone Lifetime of
60 days!

CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Last replication recieved from PVB1 at 2009-05-01
13:54:14.
WARNING: This latency is over the Tombstone Lifetime of
60 days!

DC=hbrpvb,DC=hbr-inc,DC=com


Last replication recieved from PVB1 at 2009-05-01

14:08:42.


WARNING: This latency is over the Tombstone Lifetime of
60 days!

........................ PAWDC passed test Replications
Starting test: NCSecDesc
........................ PAWDC passed test NCSecDesc
Starting test: NetLogons
........................ PAWDC passed test NetLogons
Starting test: Advertising
........................ PAWDC passed test Advertising
Starting test: KnowsOfRoleHolders
........................ PAWDC passed test
KnowsOfRoleHolders
Starting test: RidManager
........................ PAWDC passed test RidManager
Starting test: MachineAccount
........................ PAWDC passed test MachineAccount
Starting test: Services
........................ PAWDC passed test Services
Starting test: ObjectsReplicated
........................ PAWDC passed test ObjectsReplicated
Starting test: frssysvol
........................ PAWDC passed test frssysvol
Starting test: frsevent
........................ PAWDC passed test frsevent


Starting test: kccevent
An Warning Event occured. EventID: 0x80000785

Time Generated: 07/24/2009 16:54:07


Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:07
(Event String could not be retrieved)


An Warning Event occured. EventID: 0x80000785

Time Generated: 07/24/2009 16:54:07


Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:07
(Event String could not be retrieved)


An Warning Event occured. EventID: 0x80000785

Time Generated: 07/24/2009 16:54:07


Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:07
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000786
Time Generated: 07/24/2009 16:54:07


Event String: The attempt to establish a replication link

to a


An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:08
(Event String could not be retrieved)


An Warning Event occured. EventID: 0x80000785

Time Generated: 07/24/2009 16:54:08


Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:08
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000786
Time Generated: 07/24/2009 16:54:08


Event String: The attempt to establish a replication link

to a


An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:08
(Event String could not be retrieved)


An Warning Event occured. EventID: 0x80000785

Time Generated: 07/24/2009 16:54:08


Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:08
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000786
Time Generated: 07/24/2009 16:54:08


Event String: The attempt to establish a replication link

to a


An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:08
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000786
Time Generated: 07/24/2009 16:54:08


Event String: The attempt to establish a replication link

to a


An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:08
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000786
Time Generated: 07/24/2009 16:54:08


Event String: The attempt to establish a replication link

to a


An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:09
(Event String could not be retrieved)


An Warning Event occured. EventID: 0x80000785

Time Generated: 07/24/2009 16:54:09


Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:09
(Event String could not be retrieved)


An Warning Event occured. EventID: 0x80000785

Time Generated: 07/24/2009 16:54:09


Event String: The attempt to establish a replication link
for
An Error Event occured. EventID: 0xC000066D

Time Generated: 07/24/2009 16:54:09
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000786
Time Generated: 07/24/2009 16:54:09


Event String: The attempt to establish a replication link

to a
........................ PAWDC failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00001659
Time Generated: 07/24/2009 16:47:27
Event String: The session setup to the Windows NT or
Windows
........................ PAWDC failed test systemlog
Starting test: VerifyReferences
........................ PAWDC passed test VerifyReferences

Running partition tests on : hbrpaw
Starting test: CrossRefValidation
........................ hbrpaw passed test
CrossRefValidation
Starting test: CheckSDRefDom
........................ hbrpaw passed test CheckSDRefDom

Running partition tests on : Schema


Starting test: CrossRefValidation
........................ Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
........................ Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
........................ Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
........................ Configuration passed test
CheckSDRefDom

Running enterprise tests on : hbrapp.hbr-inc.com
Starting test: Intersite
........................ hbrapp.hbr-inc.com passed test
Intersite
Starting test: FsmoCheck
........................ hbrapp.hbr-inc.com passed test
FsmoCheck

C:\Program Files\Windows Resource Kits\Tools>

In the DCDiag from DC1 (listed in my last post), the tombstone messages
regarding PVB1 can be disregarded.....that server and domain no longer
exist. I need to figure out how to clean that up but only AFTER I get
THIS problem figured out.

No, I don't want to rebuild my domain.....that does not sound like fun
at all.

Ace Fekay [MCT], Jul 24, 2009, 7:27:21 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
> Here is the DCDiag from the second DC in my domain:

>


> In the DCDiag from DC1 (listed in my last post), the tombstone messages
> regarding PVB1 can be disregarded.....that server and domain no longer
> exist. I need to figure out how to clean that up but only AFTER I get
> THIS problem figured out.
>
> No, I don't want to rebuild my domain.....that does not sound like fun
> at all.
>


Follow the Metadata Cleanup procedure in the following link to remove PVB1
from the AD database.
http://support.microsoft.com/kb/216498

Then delete the PVB1 server object from Sites and Services.

It looks to me, that PAWDC1 is the good one. How many other DCs do you have?

Let's clean out PVB1 first before creating any partitions.

Ace

Ace Fekay [MCT], Jul 24, 2009, 7:32:30 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
>>>If that domain name wasn't misspelled while adding it, then I am
> assuming that the partition doesn't exist. I assume you ran this while
> logged on as the enterprise admin?
>
> The domain wasn't misspelled when adding it. I tried adding it to
> ADSIEDIT while logged on as the domain administrator of the domain. How
> would I login as the enterprise admin?
>
> ForestDNSZones partition exists fine.
>
> I have read this article on how to create the default DNS application
> directory partitions but when I attempt to do this on my domain, I first
> get the message "Would you like to create a single partition that stores
> DNS zone data to all DNS server in the Active Directory domain
> hbrpaw.hbr-inc.com?" I click YES and then receive the error "the
> partition to replicate zone data to all DNS servers in the active
> directory domain was not created. the application directory partition
> operation failed. The domain controller holding the domain naming
> master role is down or unable to service the request or is not running
> Windows Server 2003." What am I doing wrong?
>
> Remember this domain was added to an existing forest and is not the top


To create a ForestDnsZones partition, you would need to be Enterprise Admin
(EA). How to log on as the EA while on a child domain controller? Simply log
on to the DC as EA by typing in administrator, the password, and in the
dropdown box for the domain, choose hbr-inc (if that is the NetBIOS domain
name).

Ace

Chris Dent
Jul 24, 2009, 8:02:42 PM

The domain that no longer exists wasn't the forest root domain was it?

Chris

Ace Fekay [MCT]
Jul 24, 2009, 9:53:07 PM

"Chris Dent" <ch...@noreply.null> wrote in message
news:%23idp9sL...@TK2MSFTNGP02.phx.gbl...

>
> The domain that no longer exists wasn't the forest root domain was it?
>
> Chris


Certainly hope not!

Ace

rchipman
Jul 27, 2009, 10:09:19 AM

>>It looks to me that PAWDC1 is the good one. How many other DCs do you have?

I have two other DCs in the domain.

>>The domain that no longer exists wasn't the forest root domain was it?

No, the domain that no longer exists was not the forest root domain.

>>To create a ForestDnsZones partition, you would need to be Enterprise Admin (EA).

My ForestDNSZones exists so I don't need to create one.

Chris Dent
Jul 27, 2009, 10:33:52 AM

In my opinion your next steps should be:

1. Clear out any dead DCs from the domain (refer to
http://technet.microsoft.com/en-us/library/cc781245(WS.10).aspx)
2. Clear out any dead / orphaned domains from the forest (refer to
http://technet.microsoft.com/en-us/library/cc781245(WS.10).aspx)
3. Account for all FSMO Roles (so you know where they are. "netdom query
fsmo" will do in each domain)
4. Check which servers are Global Catalogs (just to make sure)
5. Check DNS configuration (make sure all DCs can access a working DNS
server. It doesn't matter if that's the local DNS service on the DC or
not, as long as it works).
6. Check replication on all DCs (RepAdmin / DCDiag / Event Logs)

Only after those steps are complete would I think about attempting to
create DomainDNSZones. From the errors you've been bumping into by the
time you finish the above you should be able to create it.

Chris
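Chris's checklist and Ace's point about running as Enterprise Admin, as one added example (not from the thread): the six checks as commands, followed by the DomainDnsZones creation the thread is working towards. The domain names and PAW2's GUID are the thread's; the tool options, the runas line and the variable names are assumptions, and the `dcdiag /test:DNS`, `repadmin /replsummary` and `/errorsonly` options are the Windows Server 2003 SP1 Support Tools versions.

```powershell
# Added example, not from the thread: Chris's six checks as commands, followed by the
# DomainDnsZones creation the thread is working towards. Assumes Windows Server 2003 SP1
# Support Tools (netdom, repadmin, dcdiag, dsquery, dnscmd), that the shell runs on a DC
# of the child domain, and that it was started as Enterprise Admin, e.g.
#   runas /user:HBRAPP\Administrator powershell.exe
# Domain names are the thread's; everything else is assumed.
$childDomain = 'hbrpaw.hbr-inc.com'
$forestRoot  = 'hbrapp.hbr-inc.com'

# 3. FSMO role holders. The Domain Naming Master is forest-wide and must be reachable:
#    creating an application partition adds a cross-ref, which only that DC may do, and
#    the "domain naming master role is down" error in the thread is that check failing.
netdom query fsmo
netdom query "/domain:$forestRoot" fsmo

# 4. Global Catalogs, forest-wide
dsquery server -forest -isgc

# 5. DNS. Every child DC must resolve its own domain's DC locator SRV records and the
#    forest root's GUID._msdcs CNAMEs (the names repadmin reports as source addresses).
$childDcs = dsquery server -domain $childDomain -o rdn | ForEach-Object { $_.Trim('"') }
foreach ($dc in $childDcs) {
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$childDomain" $dc
    nslookup -type=CNAME "c95ae251-3f01-4d4b-b996-d1c6252c0ac8._msdcs.$forestRoot" $dc
}
dcdiag /test:DNS /e /v      # DNS test exists in the SP1 Support Tools dcdiag

# 6. Replication on all DCs, failures only
repadmin /replsummary
repadmin /showrepl * /errorsonly

# Only once the above is clean: create the domain-wide partition on this DC, then check
# which DCs the partition is replicated to. Other DNS servers in the domain are enlisted
# with: dnscmd <dcname> /EnlistDirectoryPartition DomainDnsZones.<domain>
dnscmd /CreateBuiltinDirectoryPartitions /Domain
dnscmd /EnumDirectoryPartitions
dnscmd /DirectoryPartitionInfo "DomainDnsZones.$childDomain"
```

The last three commands are the ones to hold back until the checks print nothing alarming; the creation is a one-shot write through the Domain Naming Master, and a half-created cross-ref is harder to clean up than the replication errors that blocked it.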

rchipman
Jul 27, 2009, 10:44:43 AM

I went through the article on the metadata cleanup and tried running the
ntdsutil on PAWDC1. At the last step, "remove selected server", I
receive the error "access denied". Am I supposed to run this on the DC
at the forest root domain? I am logged on to the PAWDC1 server as the
domain administrator.

Chris Dent
Jul 27, 2009, 11:47:29 AM

PAWDC1 is the server you're trying to remove?

You will need to run remove selected server while connected to (using
connections, connect to server <someserver>) an active Domain Controller
(one that works perfectly) either as a Domain Admin within the same
domain as PAWDC1 or as an Enterprise Admin.

I was under the impression that PAWDC1 no longer existed? Are you going
to rebuild it after this? It won't be able to talk to the domain without
some work, a rebuild is the neatest way.

Chris

rchipman
Jul 27, 2009, 12:28:34 PM

>>PAWDC1 is the server you're trying to remove?

No, I am trying to remove PVB1 per suggestion from Ace and after his
review of the DCDiag results. PVB1 and its domain no longer exist but
are not related in any way to the PAWDC1 and its domain so should not
have any bearing on whether DNS on PAWDC1 works. Since this is the case,
is there a real need to get rid of PVB1 right now? Eventually, yes...I
understand that but my main focus is getting DNS working correctly on
ALL DCs in the hbrpaw.hbr-inc.com domain.

PAW2 is the GOOD DC1 on which DNS is "working". PAWDC and PAWBACKUP are
the other 2 DCs on which DNS is installed but not working in the
hbrpaw.hbr-inc.com domain.

Chris Dent
Jul 27, 2009, 3:29:32 PM

> No, I am trying to remove PVB1 per suggestion from Ace and after his
> review of the DCDiag results.

Okay, that's good then :) You were running the command with an
Enterprise Admin account?

> should not have any barring on whether DNS on PAWDC1 works

There's nothing wrong with DNS, but DNS is very simple. Your problems
lie in AD where you're trying to get DNS to store and replicate its data.

Your diagnostic reports earlier had a significant number of errors.
Putting the forest into a state where it isn't continually upset carries
high priority for me, with those there as well it becomes extremely
difficult to pick out the real issue from the deluge of older errors.

Chris

rchipman
Jul 27, 2009, 4:46:31 PM

I was finally able to get the metadata cleanup process to complete
successfully. So, the PVB1 DC and hbrpvb.hbr-inc.com domain are no
longer showing up in DCDiag and RepAdmin when running on the PAW2 server
(the "good" DC in the hbrpaw.hbr-inc.com domain).

New results of DCDiag:
C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\PAW2
Starting test: Connectivity
........................ PAW2 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\PAW2


Starting test: Replications
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.

Source SAG
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source VCSERVER
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source SAGDC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.

........................ PAW2 passed test Replications
Starting test: NCSecDesc
........................ PAW2 passed test NCSecDesc
Starting test: NetLogons
........................ PAW2 passed test NetLogons
Starting test: Advertising
........................ PAW2 passed test Advertising
Starting test: KnowsOfRoleHolders
........................ PAW2 passed test KnowsOfRoleHolders
Starting test: RidManager
........................ PAW2 passed test RidManager
Starting test: MachineAccount
........................ PAW2 passed test MachineAccount
Starting test: Services
........................ PAW2 passed test Services
Starting test: ObjectsReplicated
........................ PAW2 passed test ObjectsReplicated
Starting test: frssysvol
........................ PAW2 passed test frssysvol
Starting test: frsevent
........................ PAW2 passed test frsevent
Starting test: kccevent
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/27/2009 16:42:24
Event String: Active Directory did not perform an authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/27/2009 16:42:24
Event String: The attempt to establish a replication link for
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/27/2009 16:42:25
Event String: Active Directory did not perform an authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/27/2009 16:42:25
Event String: The attempt to establish a replication link for
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/27/2009 16:42:26
Event String: Active Directory did not perform an authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/27/2009 16:42:26
Event String: The attempt to establish a replication link for
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/27/2009 16:42:28
Event String: Active Directory did not perform an authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/27/2009 16:42:28
Event String: The attempt to establish a replication link for
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/27/2009 16:42:29
Event String: Active Directory did not perform an authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/27/2009 16:42:29
Event String: The attempt to establish a replication link for
An Error Event occured. EventID: 0xC000066D
Time Generated: 07/27/2009 16:42:31
Event String: Active Directory did not perform an authenticated
An Warning Event occured. EventID: 0x80000785
Time Generated: 07/27/2009 16:42:31
Event String: The attempt to establish a replication link for

........................ PAW2 failed test kccevent
Starting test: systemlog
........................ PAW2 passed test systemlog
Starting test: VerifyReferences
........................ PAW2 passed test VerifyReferences

Running partition tests on : hbrpaw
Starting test: CrossRefValidation
........................ hbrpaw passed test CrossRefValidation
Starting test: CheckSDRefDom
........................ hbrpaw passed test CheckSDRefDom

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
........................ ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
........................ ForestDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
........................ Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
........................ Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
........................ Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
........................ Configuration passed test CheckSDRefDom

Running enterprise tests on : hbrapp.hbr-inc.com
Starting test: Intersite
........................ hbrapp.hbr-inc.com passed test Intersite
Starting test: FsmoCheck
........................ hbrapp.hbr-inc.com passed test FsmoCheck

C:\Program Files\Support Tools>

What is the KCCEVENT? I see that is the main test that is failing.

Results from Repadmin /showrepl:
C:\Program Files\Support Tools>repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\PAW2
DC Options: (none)
Site Options: (none)
DC object GUID: c95ae251-3f01-4d4b-b996-d1c6252c0ac8
DC invocationID: 66ecca79-4e0e-4959-bc4c-8b8585e8d1fa

==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Default-First-Site-Name\SAG via RPC
DC object GUID: d77c9268-93ed-4ebc-b5e8-2c54dccdaa33
Last attempt @ 2009-07-27 15:56:00 was successful.
Default-First-Site-Name\VCSERVER via RPC
DC object GUID: 36dfa123-0a8e-40f2-a8a2-11f3696cd208
Last attempt @ 2009-07-27 15:56:00 was successful.
Default-First-Site-Name\SAGDC2 via RPC
DC object GUID: 62df7ef1-c11a-4dfb-bb74-1cddad991de0
Last attempt @ 2009-07-27 15:56:01 was successful.
Default-First-Site-Name\PAWBACKUP via RPC
DC object GUID: 2191998b-9274-4b91-b9d9-2d9632ad04fc
Last attempt @ 2009-07-27 16:42:59 was successful.
Default-First-Site-Name\PAWDC via RPC
DC object GUID: f217accd-a60e-407a-8ba0-6157fb1dae68
Last attempt @ 2009-07-27 16:43:00 was successful.

CN=Schema,CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Default-First-Site-Name\SAG via RPC
DC object GUID: d77c9268-93ed-4ebc-b5e8-2c54dccdaa33
Last attempt @ 2009-07-27 15:56:02 was successful.
Default-First-Site-Name\VCSERVER via RPC
DC object GUID: 36dfa123-0a8e-40f2-a8a2-11f3696cd208
Last attempt @ 2009-07-27 15:56:03 was successful.
Default-First-Site-Name\SAGDC2 via RPC
DC object GUID: 62df7ef1-c11a-4dfb-bb74-1cddad991de0
Last attempt @ 2009-07-27 15:56:04 was successful.
Default-First-Site-Name\PAWBACKUP via RPC
DC object GUID: 2191998b-9274-4b91-b9d9-2d9632ad04fc
Last attempt @ 2009-07-27 15:56:04 was successful.
Default-First-Site-Name\PAWDC via RPC
DC object GUID: f217accd-a60e-407a-8ba0-6157fb1dae68
Last attempt @ 2009-07-27 15:56:04 was successful.

DC=ForestDnsZones,DC=hbrapp,DC=hbr-inc,DC=com
Default-First-Site-Name\VCSERVER via RPC
DC object GUID: 36dfa123-0a8e-40f2-a8a2-11f3696cd208
Last attempt @ 2009-07-27 15:56:04 was successful.
Default-First-Site-Name\SAG via RPC
DC object GUID: d77c9268-93ed-4ebc-b5e8-2c54dccdaa33
Last attempt @ 2009-07-27 15:56:05 was successful.
Default-First-Site-Name\SAGDC2 via RPC
DC object GUID: 62df7ef1-c11a-4dfb-bb74-1cddad991de0
Last attempt @ 2009-07-27 15:56:06 was successful.

DC=hbrpaw,DC=hbr-inc,DC=com
Default-First-Site-Name\PAWBACKUP via RPC
DC object GUID: 2191998b-9274-4b91-b9d9-2d9632ad04fc
Last attempt @ 2009-07-27 16:43:37 was successful.
Default-First-Site-Name\PAWDC via RPC
DC object GUID: f217accd-a60e-407a-8ba0-6157fb1dae68
Last attempt @ 2009-07-27 16:47:07 was successful.

Source: Default-First-Site-Name\MSEDC
******* 764 CONSECUTIVE FAILURES since 2009-07-19 11:38:17
Last error: 1396 (0x574):


Logon Failure: The target account name is incorrect.

Naming Context: DC=ForestDnsZones,DC=hbrapp,DC=hbr-inc,DC=com
Source: Default-First-Site-Name\MSEDC
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Source: Default-First-Site-Name\MSEDC
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Source: Default-First-Site-Name\MSEDC
******* WARNING: KCC could not add this REPLICA LINK due to error.

Source: Default-First-Site-Name\MSE3
******* 772 CONSECUTIVE FAILURES since 2009-07-19 09:34:19
Last error: 1396 (0x574):


Logon Failure: The target account name is incorrect.

Naming Context: DC=ForestDnsZones,DC=hbrapp,DC=hbr-inc,DC=com
Source: Default-First-Site-Name\MSE3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Source: Default-First-Site-Name\MSE3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Source: Default-First-Site-Name\MSE3
******* WARNING: KCC could not add this REPLICA LINK due to error.


C:\Program Files\Support Tools>

So, my AD is messed up not DNS? YIKES ! That's a little more "scary"
than DNS..... ;-)
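The `repadmin /showrepl` output above mixes healthy inbound links with the partner-level failure blocks at the end, which is where the real signal is (MSEDC and MSE3, error 1396, KCC unable to build a link for three naming contexts). As an added example (not from the thread), here is a small triage script that separates the two. `$sample` is a constructed excerpt shaped like the output above; the function and variable names are chosen here.

```powershell
# Added example, not from the thread: triage of `repadmin /showrepl` text, separating the
# healthy inbound links per naming context from the partner-level failure blocks
# ("CONSECUTIVE FAILURES", "KCC could not add this REPLICA LINK") printed at the end.
# $sample is a constructed excerpt shaped like the thread's output.
$sample = @'
==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
    Default-First-Site-Name\SAG via RPC
        DC object GUID: d77c9268-93ed-4ebc-b5e8-2c54dccdaa33
        Last attempt @ 2009-07-27 15:56:00 was successful.
    Default-First-Site-Name\PAWDC via RPC
        DC object GUID: f217accd-a60e-407a-8ba0-6157fb1dae68
        Last attempt @ 2009-07-27 16:43:00 was successful.

DC=hbrpaw,DC=hbr-inc,DC=com
    Default-First-Site-Name\PAWBACKUP via RPC
        DC object GUID: 2191998b-9274-4b91-b9d9-2d9632ad04fc
        Last attempt @ 2009-07-27 16:43:37 was successful.

Source: Default-First-Site-Name\MSEDC
******* 764 CONSECUTIVE FAILURES since 2009-07-19 11:38:17
Last error: 1396 (0x574):
            Logon Failure: The target account name is incorrect.

Naming Context: DC=ForestDnsZones,DC=hbrapp,DC=hbr-inc,DC=com
Source: Default-First-Site-Name\MSEDC
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Source: Default-First-Site-Name\MSEDC
******* WARNING: KCC could not add this REPLICA LINK due to error.
'@

function Get-ReplTriage {
    param([string]$Text)
    $links    = @()      # one object per inbound link, healthy or not
    $failures = @{}      # source DC -> details of its failure block
    $nc = $null; $src = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^Naming Context:\s+(.+)$') { $nc = $Matches[1]; continue }
        if ($line -match '^(CN|DC)=')                { $nc = $line; continue }
        if ($line -match '^Source:\s+(\S+)$') {
            $src = $Matches[1]
            if (-not $failures.ContainsKey($src)) {
                $failures[$src] = @{ Attempts = 0; Since = ''; Error = ''; BrokenNCs = @() }
            }
            continue
        }
        if ($line -match '^(\S+\\\S+) via \S+$')     { $src = $Matches[1]; continue }
        if ($line -match '^Last attempt @ (\S+ \S+) (was successful|failed, result (\d+))') {
            $links += New-Object PSObject -Property @{
                NamingContext = $nc; Source = $src; LastAttempt = $Matches[1]
                Healthy = ($Matches[2] -eq 'was successful'); Result = $Matches[3] }
            continue
        }
        if ($line -match '^\*+\s+(\d+) CONSECUTIVE FAILURES since (.+)$') {
            $failures[$src].Attempts = [int]$Matches[1]; $failures[$src].Since = $Matches[2]; continue
        }
        if ($line -match '^Last error:\s+(\d+)')     { $failures[$src].Error = $Matches[1]; continue }
        if ($line -match 'KCC could not add this REPLICA LINK') { $failures[$src].BrokenNCs += $nc; continue }
    }
    New-Object PSObject -Property @{ Links = $links; Failures = $failures }
}

$triage = Get-ReplTriage -Text $sample
$triage.Links | Format-Table NamingContext, Source, Healthy, LastAttempt -AutoSize
foreach ($s in $triage.Failures.Keys) {
    $f = $triage.Failures[$s]
    "{0}: {1} consecutive failures since {2}, last error {3}, KCC cannot link NCs: {4}" -f `
        $s, $f.Attempts, $f.Since, $f.Error, ($f.BrokenNCs -join '; ')
}
# Error 1396 between two DCs is a Kerberos/secure-channel problem, not a DNS one: the
# partner's machine account password or SPNs are out of step (setspn -L <partner> lists
# the registered SPNs). In the thread it cleared when the trust to hbrmse was removed.
```

Feed it real output with `Get-ReplTriage -Text (repadmin /showrepl | Out-String)`; the `Healthy` column tells you which links are fine, and the failure lines tell you which partner and which naming contexts to chase first.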

rchipman
Jul 27, 2009, 5:32:19 PM

I just re-ran DCDIAG on PAW2.....looks much better !

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\PAW2
Starting test: Connectivity
........................ PAW2 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\PAW2
Starting test: Replications
........................ PAW2 passed test Replications
Starting test: NCSecDesc
........................ PAW2 passed test NCSecDesc
Starting test: NetLogons
........................ PAW2 passed test NetLogons
Starting test: Advertising
........................ PAW2 passed test Advertising
Starting test: KnowsOfRoleHolders
........................ PAW2 passed test KnowsOfRoleHolders
Starting test: RidManager
........................ PAW2 passed test RidManager
Starting test: MachineAccount
........................ PAW2 passed test MachineAccount
Starting test: Services
........................ PAW2 passed test Services
Starting test: ObjectsReplicated
........................ PAW2 passed test ObjectsReplicated
Starting test: frssysvol
........................ PAW2 passed test frssysvol
Starting test: frsevent
........................ PAW2 passed test frsevent
Starting test: kccevent
........................ PAW2 passed test kccevent

In my previous post, there were still errors in the Replications and
kccevent tests. Now there are no errors!

Additionally, repadmin /showrepl is now showing no errors !


C:\Program Files\Support Tools>repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\PAW2
DC Options: (none)
Site Options: (none)
DC object GUID: c95ae251-3f01-4d4b-b996-d1c6252c0ac8
DC invocationID: 66ecca79-4e0e-4959-bc4c-8b8585e8d1fa

==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Default-First-Site-Name\SAG via RPC
DC object GUID: d77c9268-93ed-4ebc-b5e8-2c54dccdaa33
Last attempt @ 2009-07-27 16:56:01 was successful.
Default-First-Site-Name\VCSERVER via RPC
DC object GUID: 36dfa123-0a8e-40f2-a8a2-11f3696cd208
Last attempt @ 2009-07-27 16:56:01 was successful.
Default-First-Site-Name\MSE3 via RPC
DC object GUID: 5371ec3a-d365-4bdd-81ad-0f53a3f8b492
Last attempt @ 2009-07-27 17:27:43 was successful.
Default-First-Site-Name\PAWDC via RPC
DC object GUID: f217accd-a60e-407a-8ba0-6157fb1dae68
Last attempt @ 2009-07-27 17:28:11 was successful.
Default-First-Site-Name\PAWBACKUP via RPC
DC object GUID: 2191998b-9274-4b91-b9d9-2d9632ad04fc
Last attempt @ 2009-07-27 17:28:14 was successful.

CN=Schema,CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Default-First-Site-Name\SAG via RPC
DC object GUID: d77c9268-93ed-4ebc-b5e8-2c54dccdaa33
Last attempt @ 2009-07-27 16:56:01 was successful.
Default-First-Site-Name\VCSERVER via RPC
DC object GUID: 36dfa123-0a8e-40f2-a8a2-11f3696cd208
Last attempt @ 2009-07-27 16:56:01 was successful.
Default-First-Site-Name\PAWBACKUP via RPC
DC object GUID: 2191998b-9274-4b91-b9d9-2d9632ad04fc
Last attempt @ 2009-07-27 16:56:02 was successful.
Default-First-Site-Name\PAWDC via RPC
DC object GUID: f217accd-a60e-407a-8ba0-6157fb1dae68
Last attempt @ 2009-07-27 16:56:02 was successful.
Default-First-Site-Name\MSE3 via RPC
DC object GUID: 5371ec3a-d365-4bdd-81ad-0f53a3f8b492
Last attempt @ 2009-07-27 17:27:44 was successful.

DC=ForestDnsZones,DC=hbrapp,DC=hbr-inc,DC=com
Default-First-Site-Name\VCSERVER via RPC
DC object GUID: 36dfa123-0a8e-40f2-a8a2-11f3696cd208
Last attempt @ 2009-07-27 16:56:02 was successful.
Default-First-Site-Name\SAG via RPC
DC object GUID: d77c9268-93ed-4ebc-b5e8-2c54dccdaa33
Last attempt @ 2009-07-27 16:56:02 was successful.
Default-First-Site-Name\MSE3 via RPC
DC object GUID: 5371ec3a-d365-4bdd-81ad-0f53a3f8b492
Last attempt @ 2009-07-27 17:27:44 was successful.

DC=hbrpaw,DC=hbr-inc,DC=com
Default-First-Site-Name\PAWBACKUP via RPC
DC object GUID: 2191998b-9274-4b91-b9d9-2d9632ad04fc
Last attempt @ 2009-07-27 17:26:50 was successful.
Default-First-Site-Name\PAWDC via RPC
DC object GUID: f217accd-a60e-407a-8ba0-6157fb1dae68
Last attempt @ 2009-07-27 17:32:23 was successful.

C:\Program Files\Support Tools>

It appears by removing the trust between the hbrpaw.hbr-inc.com domain
and another domain (hbrmse.hbr-inc.com), that resolved the errors.

Now should I be able to create the DomainDNSZones without issue??

Ace Fekay [MCT]
Jul 27, 2009, 8:03:05 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
> I just re-ran DCDIAG on PAW2.....looks much better !
>
{snipped}

>
> It appears by removing the trust between the hbrpaw.hbr-inc.com domain
> and another domain (hbrmse.hbr-inc.com), that resolved the errors.
>
> Now should I be able to create the DomainDNSZones without issue??
>
>

This looks a lot better. You had me worried for a sec, when I looked at the
previous dcdiag.

Run dcdiag on the other DCs, too. If clean, then sure, give it a shot now.

Ace


rchipman
Jul 27, 2009, 10:49:40 PM

DCDiag results on PAWDC:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Windows Resource Kits\Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\PAWDC
Starting test: Connectivity
........................ PAWDC passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\PAWDC
Starting test: Replications
........................ PAWDC passed test Replications
Starting test: NCSecDesc
........................ PAWDC passed test NCSecDesc
Starting test: NetLogons
........................ PAWDC passed test NetLogons
Starting test: Advertising
........................ PAWDC passed test Advertising
Starting test: KnowsOfRoleHolders
........................ PAWDC passed test KnowsOfRoleHolders
Starting test: RidManager
........................ PAWDC passed test RidManager
Starting test: MachineAccount
........................ PAWDC passed test MachineAccount
Starting test: Services
........................ PAWDC passed test Services
Starting test: ObjectsReplicated
........................ PAWDC passed test ObjectsReplicated
Starting test: frssysvol
........................ PAWDC passed test frssysvol
Starting test: frsevent
........................ PAWDC passed test frsevent
Starting test: kccevent
........................ PAWDC passed test kccevent
Starting test: systemlog
........................ PAWDC passed test systemlog
Starting test: VerifyReferences
........................ PAWDC passed test VerifyReferences

Running partition tests on : hbrpaw
Starting test: CrossRefValidation
........................ hbrpaw passed test CrossRefValidation
Starting test: CheckSDRefDom
........................ hbrpaw passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
........................ Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
........................ Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
........................ Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
........................ Configuration passed test CheckSDRefDom

Running enterprise tests on : hbrapp.hbr-inc.com
Starting test: Intersite
........................ hbrapp.hbr-inc.com passed test Intersite
Starting test: FsmoCheck
........................ hbrapp.hbr-inc.com passed test FsmoCheck

C:\Program Files\Windows Resource Kits\Tools>

This DCDiag looks ok.

Here are the DCDiag results from the third W2K3 DC in the domain:


Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.HBRPAW>z:

Z:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\PAWBACKUP
Starting test: Connectivity
........................ PAWBACKUP passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\PAWBACKUP
Starting test: Replications
........................ PAWBACKUP passed test Replications
Starting test: NCSecDesc
........................ PAWBACKUP passed test NCSecDesc
Starting test: NetLogons
........................ PAWBACKUP passed test NetLogons
Starting test: Advertising
........................ PAWBACKUP passed test Advertising
Starting test: KnowsOfRoleHolders
........................ PAWBACKUP passed test KnowsOfRoleHolders
Starting test: RidManager
........................ PAWBACKUP passed test RidManager
Starting test: MachineAccount
........................ PAWBACKUP passed test MachineAccount
Starting test: Services
........................ PAWBACKUP passed test Services
Starting test: ObjectsReplicated
........................ PAWBACKUP passed test ObjectsReplicated
Starting test: frssysvol
........................ PAWBACKUP passed test frssysvol
Starting test: frsevent
........................ PAWBACKUP passed test frsevent
Starting test: kccevent
........................ PAWBACKUP passed test kccevent
Starting test: systemlog
........................ PAWBACKUP passed test systemlog
Starting test: VerifyReferences
........................ PAWBACKUP passed test VerifyReferences

Running partition tests on : hbrpaw
Starting test: CrossRefValidation
........................ hbrpaw passed test CrossRefValidation
Starting test: CheckSDRefDom
........................ hbrpaw passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
........................ Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
........................ Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
........................ Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
........................ Configuration passed test CheckSDRefDom

Running enterprise tests on : hbrapp.hbr-inc.com
Starting test: Intersite
........................ hbrapp.hbr-inc.com passed test Intersite
Starting test: FsmoCheck
........................ hbrapp.hbr-inc.com passed test FsmoCheck

Z:\>

This looks ok too.

Chris Dent
Jul 28, 2009, 4:24:37 AM

That looks wonderful :)

So where are we up to. ForestDNSZones is replicating properly? Does it
still refuse to create DomainDNSZones?

Chris

rchipman
Jul 28, 2009, 6:16:11 AM

>>ForestDNSZones is replicating properly?
I'm not exactly sure how to tell. The replication scope is still set
to "All DNS servers in the forest" but hbrpaw.hbr-inc.com is still not
showing up on the DNS servers in my other domains. I noticed this
morning the following error on DNS servers in my other domains:
The attempt to establish a replication link for the following writable
directory partition failed.

Directory partition:
CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Source domain controller:
CN=NTDS Settings,CN=PAW2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Source domain controller address:
c95ae251-3f01-4d4b-b996-d1c6252c0ac8._msdcs.hbrapp.hbr-inc.com
Intersite transport (if any):


This domain controller will be unable to replicate with the source
domain controller until this problem is corrected.

User Action
Verify if the source domain controller is accessible or network
connectivity is available.

Additional Data
Error value:
8524 The DSA operation is unable to proceed because of a DNS lookup
failure.

Additionially, on the PAW2 server (the "good" DC in the
hbrpaw.hbr-inc.com) domain, I am receiving the error below:
The Knowledge Consistency Checker (KCC) has detected that successive
attempts to replicate with the following domain controller has
consistently failed.

Attempts:
3
Domain controller:
CN=NTDS Settings,CN=PAWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com

Period of time (minutes):
164

The Connection object for this domain controller will be ignored, and a
new temporary connection will be established to ensure that replication
continues. Once replication with this domain controller resumes, the
temporary connection will be removed.

Additional Data
Error value:
1723 The RPC server is too busy to complete this operation.

Apparently, it is not able to replicate to the other DCs in the
hbrpaw.hbr-inc.com domain yet.

>>Does it still refuse to create DomainDNSZones?

Yes it is still refusing to create DomainDNSZones.

Chris Dent
Jul 28, 2009, 6:27:19 AM

At the moment everything is pointing to the same DNS server (the current
working version)?

Can you manually verify whether or not
c95ae251-3f01-4d4b-b996-d1c6252c0ac8._msdcs.hbrapp.hbr-inc.com exists
(_msdcs folder)? If it does, which DC does it point to?

And is it still troubled about the Domain Naming Master? Where is that
hosted at the moment if you run "netdom query fsmo"?

Chris

rchipman
Jul 28, 2009, 9:40:28 AM

>>At the moment everything is pointing to the same DNS server (the current working version)?

Yes, at the moment everything is pointing to the working DNS server.

>>Can you manually verify whether or not c95ae251-3f01-4d4b-b996-d1c6252c0ac8._msdcs.hbrapp.hbr-inc.com exists (_msdcs folder)?

I am assuming I'm looking in DNS at the _msdcs.hbrapp.hbr-inc.com
"folder" for this "record".....?? If yes, then YES it does exist.

>>If it does, which DC does it point to?

It is pointing to PAW2.hbrpaw.hbr-inc.com (the working DC and DNS
server).

>>And is it still troubled about the Domain Naming Master?

No, I don't think it's troubled.

>>Where is that hosted at the moment if you run "netdom query fsmo"?

The Domain role owner on PAW2 is showing VCServer.hbrapp.hbr-inc.com
which is the forest root domain controller.

I am now getting a different error in the Directory Service logs on
PAW2:
The attempt to establish a replication link to a read-only directory
partition with the following parameters failed.

Directory partition:
DC=hbrmse,DC=hbr-inc,DC=com
Source domain controller:
CN=NTDS Settings,CN=PAWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hbrapp,DC=hbr-inc,DC=com
Source domain controller address:
f217accd-a60e-407a-8ba0-6157fb1dae68._msdcs.hbrapp.hbr-inc.com
Intersite transport (if any):


Additional Data
Error value:
8420 The naming context could not be found.

Should I change the PDC role from PAWDC (the non-working DNS server) to
PAW2 for now?

rchipman
Jul 28, 2009, 11:16:11 AM

I ran Netdiag on PAW2 and here are the results:
C:\Program Files\Support Tools>netdiag

.........................................

Computer Name: PAW2
DNS Host Name: paw2.hbrpaw.hbr-inc.com
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 1 Stepping 2, GenuineIntel
List of installed hotfixes :
Q147222


Netcard queries test . . . . . . . : Passed

Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : paw2
IP Address . . . . . . . . : 10.250.16.12
Subnet Mask. . . . . . . . : 255.255.248.0
Default Gateway. . . . . . : 10.250.16.1
Primary WINS Server. . . . : 10.250.16.15
Secondary WINS Server. . . : 10.250.16.2
Dns Servers. . . . . . . . : 10.250.16.12
10.250.16.15


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Passed

Adapter : IPX Internal Interface

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : 00000000
Node . . . . . . . . . : 000000000001
Frame type . . . . . . : Ethernet II

Adapter : IpxLoopbackAdapter

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : 1234cdef
Node . . . . . . . . . : 000000000002
Frame type . . . . . . : 802.2

Adapter : NDISWANIPX

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : 00000000
Node . . . . . . . . . : ee7f20524153
Frame type . . . . . . : Ethernet II


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{274DECC4-C21B-4AE5-BA1E-30A8FBCE65E4}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS entries for this DC cannot be verified right
now on DNS
server 10.250.16.12, ERROR_TIMEOUT.
[WARNING] The DNS entries for this DC cannot be verified right
now on DNS
server 10.250.16.15, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC
registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{274DECC4-C21B-4AE5-BA1E-30A8FBCE65E4}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{274DECC4-C21B-4AE5-BA1E-30A8FBCE65E4}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
Secure channel for domain 'HBRPAW' is to
'\\PAWDC.hbrpaw.hbr-inc.com'.


Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/paw2.hbrpaw.hbr-inc.com
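Reading netdiag and dcdiag dumps by eye gets tedious when several DCs are involved, so here is an added Python helper (not code from the thread or from Microsoft) that extracts the per-test verdicts and the [WARNING]/[FATAL] detail lines, joining lines that the tools wrap. The sample text inside it is constructed from the excerpts posted in this thread, and the patterns assume the Windows 2003-era output format shown here.

```python
"""Triage netdiag/dcdiag output: list failed tests and the [WARNING]/[FATAL]
detail lines under them. Added example, not code from the thread or from
Microsoft; the sample text is constructed from excerpts posted above and the
patterns assume the Windows 2003-era output format shown there."""
import re

# netdiag verdict line, e.g. "DNS test . . . . . . . . . . . . . : Failed"
NETDIAG_RE = re.compile(r"^\s*(?P<name>.+?)[\s.]*:\s*(?P<status>Passed|Failed|Skipped)\s*$")
# dcdiag verdict line, e.g. "......................... PAWDC failed test frsevent"
DCDIAG_RE = re.compile(r"^\s*\.*\s*(?P<server>\S+)\s+(?P<status>passed|failed)\s+test\s+(?P<name>\S+)\s*$")
# detail line under a failed test; wrapped continuation lines are joined to it
DETAIL_RE = re.compile(r"^\s*\[(?P<sev>WARNING|FATAL)\]\s*(?P<msg>.*)$")


def parse_diag_output(text):
    """Return {'tests': {name: 'passed'|'failed'|'skipped'}, 'details': [(sev, msg), ...]}."""
    tests = {}
    details = []
    current = None          # index of the detail message still being continued
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            current = None  # a blank line ends any wrapped detail message
            continue
        m = NETDIAG_RE.match(line) or DCDIAG_RE.match(line)
        if m:
            tests[m["name"].strip()] = m["status"].lower()
            current = None
            continue
        m = DETAIL_RE.match(line)
        if m:
            details.append([m["sev"], m["msg"].strip()])
            current = len(details) - 1
            continue
        if current is not None:          # continuation of a wrapped detail line
            details[current][1] += " " + line.strip()
    return {"tests": tests, "details": [tuple(d) for d in details]}


def failed_tests(parsed):
    """Names of tests that reported Failed, sorted for stable output."""
    return sorted(name for name, status in parsed["tests"].items() if status == "failed")


def fatal_messages(parsed):
    """Only the [FATAL] detail messages, already unwrapped."""
    return [msg for sev, msg in parsed["details"] if sev == "FATAL"]


# Constructed from the netdiag output posted above (not a full capture).
SAMPLE_NETDIAG = """\
    Netcard queries test . . . . . . . : Passed

    Domain membership test . . . . . . : Passed

    DNS test . . . . . . . . . . . . . : Failed
        [WARNING] The DNS entries for this DC cannot be verified right
now on DNS
            server 10.250.16.12, ERROR_TIMEOUT.
        [WARNING] The DNS entries for this DC cannot be verified right
now on DNS
            server 10.250.16.15, ERROR_TIMEOUT.
        [FATAL] No DNS servers have the DNS records for this DC
registered.

    Kerberos test. . . . . . . . . . . : Failed
        [FATAL] Kerberos does not have a ticket for
host/paw2.hbrpaw.hbr-inc.com
"""

# Constructed from the dcdiag output quoted later in the thread.
SAMPLE_DCDIAG = """\
   Testing server: Default-First-Site-Name\\PAWDC
      Starting test: Connectivity
         ......................... PAWDC passed test Connectivity
      Starting test: frsevent
         ......................... PAWDC failed test frsevent
      Starting test: kccevent
         ......................... PAWDC failed test kccevent
"""

if __name__ == "__main__":
    for label, sample in (("netdiag", SAMPLE_NETDIAG), ("dcdiag", SAMPLE_DCDIAG)):
        parsed = parse_diag_output(sample)
        print(label, "failed:", failed_tests(parsed))
        for sev, msg in parsed["details"]:
            print("  [%s] %s" % (sev, msg))
```

Save each DC's `netdiag /v` or `dcdiag` output to a file and feed it to `parse_diag_output`; comparing `failed_tests` across DCs shows quickly which failures are local to one box (like the Kerberos ticket above) and which are shared (the DNS timeouts against 10.250.16.15).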

rchipman
Jul 28, 2009, 1:10:32 PM

Well, I was able to get the Kerberos test to pass by forcing Kerberos to
use TCP instead of UDP (http://support.microsoft.com/?id=244474).
Rerunning netdiag /q on PAW2 produces the following results now:

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'10.250.16.12
' and other DCs also have some of the names registered.


[WARNING] The DNS entries for this DC cannot be verified right
now on DNS
server 10.250.16.15, ERROR_TIMEOUT.

IP Security test . . . . . . . . . : Skipped

No more Kerberos failures.....I hope that's good. But what about the
DNS test? The 10.250.16.15 is the other DNS server that is not
currently working in my domain.

Ace Fekay [MCT]
Jul 28, 2009, 6:46:24 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
> Well, I was able to get the Kerberos test to pass by forcing Kerberos to
> use TCP instead of UDP (http://support.microsoft.com/?id=244474).
> Rerunning netdiag /q on PAW2 produces the following results now:
>
> DNS test . . . . . . . . . . . . . : Passed
> PASS - All the DNS entries for DC are registered on DNS server
> '10.250.16.12
> ' and other DCs also have some of the names registered.
> [WARNING] The DNS entries for this DC cannot be verified right
> now on DNS
> server 10.250.16.15, ERROR_TIMEOUT.
>
> IP Security test . . . . . . . . . : Skipped
>
> No more Kerberos failures.....I hope that's good. But what about the
> DNS test? The 10.250.16.15 is the other DNS server that is not
> currently working in my domain.
>

Are there any firewall rules blocking traffic between the DCs?

Ace

rchipman
Jul 28, 2009, 7:27:36 PM

No firewall rules blocking....Windows firewall is disabled and no other
firewalls exist between the DCs.

Chris Dent
Jul 29, 2009, 4:18:58 AM

Take 10.250.16.15 out of the IP configuration for now?

Getting rid of the Kerberos failures is certainly a good thing.

How are the Event Logs doing these days? Any errors being generated in
Directory Service / DNS?

Chris

rchipman
Jul 29, 2009, 6:26:49 AM

This is going to be a stupid question.....what do you mean "Take
10.250.16.15 out of the IP configuration for now"? Do you mean remove it
from being a DNS server??

> How are the Event Logs doing these days? Any errors being generated
> in Directory Service / DNS?

The Directory Service and DNS Event logs on PAW2 (the "good" DNS
server) are showing no errors.

The Directory Service event log on PAWDC (10.250.16.15) is showing
Event 482 (NTDS ISAM):

NTDS (384) NTDSA: An attempt to write to the file
"C:\WINDOWS\NTDS\ntds.dit" at offset 14712832 (0x0000000000e08000) for
8192 (0x00002000) bytes failed after 1 seconds with system error 1784
(0x000006f8): "The supplied user buffer is not valid for the requested
operation. ". The write operation will fail with error -1011
(0xfffffc0d). If this error persists then the file may be damaged and
may need to be restored from a previous backup.

The DNS event log on PAWDC is showing Event 4015:

The DNS server has encountered a critical error from the Active
Directory. Check that the Active Directory is functioning properly. The
extended error debug information (which may be empty) is "000020B5:
AtrErr: DSID-03152392, #1:
0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data
0, Att 9067d (msDS-NC-Replica-Locations)". The event data contains the
error.


4015 is followed by 4013:
The DNS server detected that it is not enlisted in the replication
scope of the directory partition ForestDnsZones.hbrapp.hbr-inc.com. This
prevents the zones that should be replicated to all DNS servers in the
hbrpaw.hbr-inc.com forest from replicating to this DNS server.

To create or repair the forest-wide DNS directory partition, open the
the DNS console. Right-click the applicable DNS server, and then click
'Create Default Application Directory Partitions'. Follow the
instructions to create the default DNS application directory partitions.
For more information, see 'To create the default DNS application
directory partitions' in Help and Support.

The error was 9002.

4013 is followed by Event 3000:
The DNS server has encountered numerous run-time events. To determine
the initial cause of these run-time events, examine the DNS server event
log entries that precede this event. To prevent the DNS server from
filling the event log too quickly, subsequent events with Event IDs
higher than 3000 will be suppressed until events are no longer being
generated at a high rate.

Chris Dent
Jul 29, 2009, 7:45:55 AM

> This is going to be a stupid question.....what do you mean "Take
> 10.250.16.15 out of the IP configuration for now"? Do you mean remove it
> from being a DNS server??

I mean remove references to it from TCP/IP configuration (network
adapter properties).

> The Directory Service and DNS Event logs on PAW2 (the "good" DNS
> server) are showing no errors.

Since the other DCs are fine, are we able to demote PAWDC?

I would like to know if it still suffers from Event ID 482 after
demotion (then ideally a rebuild) and promotion.

Given that it needs to be able to modify that attribute to enlist the
ForestDNSZones partition it does go a fair way to explaining why it's
not had much luck.

Chris

Chris Dent
Jul 29, 2009, 11:26:36 AM

The issues with DNS replication stem from your problems in AD.

> The DNS server was unable to connect to the domain naming FSMO
> VCServer.hbrapp.hbr-inc.com

Is VCServer online and happy?

Chris

rchipman
Jul 29, 2009, 12:27:00 PM

Yes, the VCServer is online and happy.

Do I still want to attempt to demote one of my DCs (either PAWDC or
PAWBackup) to see if that resolves anything or do we still think there
are underlying issues with AD?

rchipman
Jul 29, 2009, 1:44:53 PM

One additional question...it seems to me that since I am not currently
replicating DNS to the DNS servers in the forest from the PAW2 "working"
DNS server, there is still a problem with that. Correct?

Would the non-working DCs in the hbrpaw.hbr-inc.com domain affect the
replication to the forest?

Ace Fekay [MCT]
Jul 29, 2009, 8:46:34 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
> One additional question...it seems to me that since I am not currently
> replicating DNS to the DNS servers in the forest from the PAW2 "working"
> DNS server, there is still a problem with that. Correct?
>
> Would the non-working DCs in the hbrpaw.hbr-inc.com domain affect the
> replication to the forest?


Actually it would, because the Schema and Config container replicate forest
wide.

I thought you were going to demote PAWDC2?

Ace

rchipman
Jul 29, 2009, 10:47:11 PM

Demoting PAWDC2 won't cause any problem with accessing the data on the
server, will it?
Can I leave DNS, DHCP and WINS installed?

Ace Fekay [MCT]
Jul 30, 2009, 8:40:55 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
> Demoting PAWDC2 won't cause any problem with accessing the data on the
> server, will it?
> Can I leave DNS, DHCP and WINS installed?
>


You can leave those services on the server. It will just become a member
server, and you will still be able to access files, etc. Just make sure you
change the DNS address on it to another DC first, and not pointing to
itself. DNS on it will be useless because the zone is AD integrated,
therefore because it is no longer a DC, it will not load the AD integrated
zone. No problem there, other than making sure no other machine is using it
as a DNS server.

Will you be re-promoting it?

Ace

Ace Fekay [MCT]
Jul 31, 2009, 6:15:33 AM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...

How long did you wait before you re-promoted it?

If you waited enough time to allow the information that the removed DC is
gone to replicate, then you should be fine.

Are there any time issues or anything else in the event viewer?

Are there any services disabled?

Ace


> On dcpromo on the 2 other DCs in the domain (PAWDC and PAWBackup).
> They became member servers and I then re-promoted PAWDC.
>
> Unfortunately, DNS still isn't pulling in the AD Integrated zones. Was
> I supposed to do something special BEFORE re-promoting the server?
>
> I ran DCDiag on PAWDC after the promotion. Results are below:


> Microsoft Windows [Version 5.2.3790]
> (C) Copyright 1985-2003 Microsoft Corp.
>
> C:\Program Files\Windows Resource Kits\Tools>dcdiag
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> Done gathering initial info.
>
> Doing initial required tests
>
> Testing server: Default-First-Site-Name\PAWDC
> Starting test: Connectivity
> ........................ PAWDC passed test Connectivity
>
> Doing primary tests
>
> Testing server: Default-First-Site-Name\PAWDC
> Starting test: Replications

> REPLICATION LATENCY WARNING
> ERROR: Expected notification link is missing.

> Source PAW2


> Replication of new changes along this path will be delayed.
> This problem should self-correct on the next periodic sync.
> REPLICATION LATENCY WARNING
> ERROR: Expected notification link is missing.

> Source PAW2


> Replication of new changes along this path will be delayed.
> This problem should self-correct on the next periodic sync.

> ........................ PAWDC passed test Replications
> Starting test: NCSecDesc
> ........................ PAWDC passed test NCSecDesc
> Starting test: NetLogons
> ........................ PAWDC passed test NetLogons
> Starting test: Advertising
> ........................ PAWDC passed test Advertising
> Starting test: KnowsOfRoleHolders
> ........................ PAWDC passed test
> KnowsOfRoleHolders
> Starting test: RidManager
> ........................ PAWDC passed test RidManager
> Starting test: MachineAccount
> ........................ PAWDC passed test MachineAccount
> Starting test: Services
> ........................ PAWDC passed test Services
> Starting test: ObjectsReplicated
> ........................ PAWDC passed test ObjectsReplicated
> Starting test: frssysvol
> ........................ PAWDC passed test frssysvol
> Starting test: frsevent

> There are warning or error events within the last 24 hours
> after the
> SYSVOL has been shared. Failing SYSVOL replication problems
> may cause
> Group Policy problems.
> ........................ PAWDC failed test frsevent
> Starting test: kccevent
> An Warning Event occured. EventID: 0x80000632
> Time Generated: 07/30/2009 22:32:35
> (Event String could not be retrieved)
> ........................ PAWDC failed test kccevent

Ace Fekay [MCT]
Jul 31, 2009, 5:01:20 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
> I just took another look at the system event log and did notice some
> errors regarding time.
>
> Event id 22:
> The time provider NtpServer encountered an error while digitally
> signing the NTP response for peer 10.250.16.10:123. NtpServer cannot
> provide secure (signed) time to the client and will ignore the request.
> The error was: The interface is unknown. (0x800706B5)
>
> Event id 25:
> The time provider NtpClient cannot determine whether the response
> received from VCServer.hbrapp.hbr-inc.com has a valid signature. The
> response will be ignored. The error was: The interface is unknown.
> (0x800706B5)
>
> So, what does THAT mean?


Hmm, so there are time errors. When you look at the clock on this machine,
and the clock on the PDC Emulator, how far off is the time compared to each
other? Keep in mind, it can be no more than 5 minutes.

Which machine is 10.250.16.10?

If I'm reading this correctly, the time errors could be the root cause of
all the problems. Just to double check (because this thread is so large that
it's difficult to go back and read through it to double check), there are no
firewalls blocks between the new DC and the other DCs, right?

Follow the following procedure. Make sure there are no firewall ports
blocked, and you have inbound UDP 123 allowed to go from the outside world
to the DC holding the PDC Emulator role. Follow the procedure below first on
the PDC Emulator (which will reset the time service), and then follow the
section to set the time service on the newly promoted machine (where it says
On Other DCs).

Before you do that, read the following link to see if any of the poster's
scenarios are similar to what you have going on.
http://eventid.net/display.asp?eventid=22&eventno=3672&source=W32Time&phase=1

======================================================================================================
Configuring the time service on your PDC FSMO role holder
by Ace Fekay, MCT, MCTS Exchange 2007, MCSE & MSCA 2003, MCSA Messaging
Updated 7/12/2009
---

To set the time service in an existing domain:

On the DC with the PDCEmulator FSMO:

w32tm /config /manualpeerlist:192.5.41.41 /syncfromflags:manual
/reliable:yes /update
net stop w32time
net start w32time

On other DCs (that are not the PDC Emulator):
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

---

If you move the PDC Emulator to another DC:

On the new PDCEmulator (where 'peers' is an Internet time source such as
192.5.41.41):
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes
/update

On the old PDCEmulator:
w32tm /config /syncfromflags:domhier /update

After that run the following on both DCs:
net stop w32time
net start w32time

---

The "peers" can be a text file, or direct input, allowing you to set the
time source, either a DNS name (such as time.windows.com) or an IP address
for a reliable time source. I normally use 192.5.41.41.
On your edge firewall, make sure UDP port 123 traffic is allowed inbound
from the time source.

Here you can find some time sources at this link:
The pool.ntp.org project is a big virtual cluster of timeservers striving to
provide reliable and easy to use NTP service for millions of clients without
putting strain on the big popular timeservers.
http://www.pool.ntp.org/

If some domain machines have problems

w32tm /config /syncfromflags:domhier /update

After that run:
net stop w32time
net start w32time

Some links to read up on:

Time Service:
http://support.microsoft.com/kb/216734

How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042/en-us

Change the Windows Time service configuration on the previous PDC emulator
http://technet.microsoft.com/en-us/library/cc738042.aspx
===================================

Ace
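The procedure above leaves one question open: how far a given DC's clock actually is from its time source once UDP 123 is allowed through. As an added example (not code from the thread or from Microsoft), the Python below sends an SNTP (RFC 4330) request to a time source, checks that the reply is a real, synchronized server reply that echoes our originate timestamp, computes the offset the usual NTP way, and flags anything beyond the 5-minute Kerberos tolerance Ace mentions. When run with no argument it uses a reply constructed in the script rather than a live server.

```python
"""SNTP (RFC 4330) probe: ask a time source for its time over UDP 123 and
report the clock offset, flagging skew beyond what Kerberos tolerates.

Added example, not code from the thread or from Microsoft. The 5-minute limit
and UDP 123 come from the discussion above; the reply used when run without
arguments is constructed here, not captured from a real server."""
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800    # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300.0       # default Kerberos clock-skew tolerance: 5 minutes


def _to_ntp(unix_ts):
    """Unix float seconds -> (NTP seconds, 32-bit fraction)."""
    whole = int(unix_ts)
    return whole + NTP_EPOCH_DELTA, int((unix_ts - whole) * 2**32)


def _from_ntp(secs, frac):
    """(NTP seconds, fraction) -> Unix float seconds."""
    return secs - NTP_EPOCH_DELTA + frac / 2**32


def build_sntp_request(t1):
    """48-byte client request; our send time goes in the transmit field."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (3 << 3) | 3                  # LI=0, version 3, mode 3 (client)
    struct.pack_into("!II", pkt, 40, *_to_ntp(t1))   # transmit timestamp, echoed by server
    return bytes(pkt)


def parse_sntp_response(data, request, t1, t4):
    """Validate a server reply and return offset/delay in seconds plus stratum."""
    if len(data) < 48:
        raise ValueError("short SNTP packet")
    li, mode = data[0] >> 6, data[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3:
        raise ValueError("server reports its clock is not synchronized")
    stratum = data[1]
    if stratum == 0:
        raise ValueError("kiss-o'-death reply; back off from this source")
    if data[24:32] != request[40:48]:                # originate must echo our transmit
        raise ValueError("originate timestamp mismatch (stale or forged reply)")
    t2 = _from_ntp(*struct.unpack_from("!II", data, 32))   # server receive time
    t3 = _from_ntp(*struct.unpack_from("!II", data, 40))   # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return {"offset": offset, "delay": delay, "stratum": stratum}


def within_kerberos_skew(offset, limit=KERBEROS_MAX_SKEW):
    """True if the measured offset is inside the Kerberos tolerance."""
    return abs(offset) <= limit


def query_time_source(host, port=123, timeout=3.0):
    """Live query over UDP; raises socket.timeout if 123/udp is blocked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        request = build_sntp_request(t1)
        sock.sendto(request, (host, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_sntp_response(data, request, t1, t4)


def make_sample_reply(request, t2, t3, stratum=2):
    """Constructed server reply for offline use: mode 4, originate echoed."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (3 << 3) | 4
    pkt[1] = stratum
    pkt[24:32] = request[40:48]
    struct.pack_into("!II", pkt, 32, *_to_ntp(t2))
    struct.pack_into("!II", pkt, 40, *_to_ntp(t3))
    return bytes(pkt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = query_time_source(sys.argv[1])
    else:  # offline demo: server clock 10 s ahead, 2 s round trip (constructed values)
        req = build_sntp_request(1000.0)
        result = parse_sntp_response(make_sample_reply(req, 1011.0, 1011.0), req, 1000.0, 1002.0)
    verdict = "OK" if within_kerberos_skew(result["offset"]) else "EXCEEDS KERBEROS LIMIT"
    print("offset %+.3fs delay %.3fs stratum %d: %s"
          % (result["offset"], result["delay"], result["stratum"], verdict))
```

Run it on a DC against the PDC Emulator's name, and on the PDC Emulator against its external source; a timeout rather than an offset is the symptom of UDP 123 being blocked, and a rejected reply (unsynchronized source, mismatched originate) is worth knowing about before trusting the source with `/reliable:yes`.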

rchipman
Aug 1, 2009, 3:25:07 PM

Do these errors mean anything? They are occurring on the PAW2 DC which
is the one with all the zones listed in DNS?

Event 1058:
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=hbrpaw,DC=hbr-inc,DC=com.
The file must be present at the location
<\\hbrpaw.hbr-inc.com\sysvol\hbrpaw.hbr-inc.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.

Event 1030:
Windows cannot query for the list of Group Policy objects. Check the
event log for possible messages previously logged by the policy engine
that describes the reason for this.

Ace Fekay [MCT]
Aug 1, 2009, 5:05:29 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
>>>When you look at the clock on this machine, and the clock on the PDC
> Emulator, how far off is the time compared to each other?
> The clock on this machine (PAWDC) and the clock on the PDC Emulator are
> the exact same time.
>
> 10.250.16.10 is currently a W2K3 member server in the
> hbrpaw.hbr-inc.com domain. Before the NT to W2K3 upgrade, it was an NT
> BDC. The 10.250.16.10 NT4.0 server was totally rebuilt - hard drives
> formatted and W2K3 installed fresh as a member server. That server is not
> being used as a DC at all in the W2K3 domain.

>
>>>there are no firewalls blocks between the new DC and the other DCs,
> right?
> That is correct, no firewalls blocking the new DC from the other DCs.

>
>>>Make sure there are no firewall ports blocked, and you have
> inbound UDP 123 allowed to go from the outside world to the DC holding
> the PDC Emulator role.
> Since I didn't have a problem with the NT domain communicating with the
> other Domains and the PDC Emulator and the other W2K3 domains don't have
> a problem with this, wouldn't it indicate that inbound UDP 123 is

> allowed to go from the outside world to the DC holding the PDC Emulator
> role? Is there an easy way to check?
>
> Is 192.5.41.41 a GOOD time source address? Is that the one I should
> use on my PDCEmulator or should I use time.windows.com? Currently the
> NTPServer registry key
> (HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters) on the PDC
> Emulator is set to time.windows.com. Should I be using an external time
> source or an internal hardware clock??
>
> I am reading through the links and following the procedure below. I
> will post back my results.
>

That's fine, you can use time.windows.com. I've been using, as well as many
others, 192.5.41.41, and it's reliable. It's a gov time server in
Washington, DC. There are others, as well. Here's a list of US Gov and other
NIST time servers:

A list of the Simple Network Time Protocol (SNTP) time servers ...This
article describes the Simple Network Time Protocol (SNTP) time servers that
are available on the Internet.
http://support.microsoft.com/kb/262680

How to tell if UDP is blocked? Setup the time service on the PDC emulator as
I've posted how, and look for any w32time errors in the event logs on the
PDC emulator. If none, it's working. Either way, I think it would be
beneficial to configure your time hierarchy for the forest.

Ace


Ace Fekay [MCT]
Aug 1, 2009, 5:07:13 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
> I went ahead and ran the following commands on the PDCEmulator:
>
> w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual

> /reliable:yes /update
> net stop w32time
> net start w32time
>
> On the two DCs in the hbrpaw.hbr-inc.com domain I ran:

>
> w32tm /config /syncfromflags:domhier /update
> net stop w32time
> net start w32time
>
> Now on both servers I get the events in the system log:
> Event 37:
> The time provider NtpClient is currently receiving valid time data from
> VCServer.hbrapp.hbr-inc.com
> (ntp.d|10.250.16.15:123->10.250.48.150:123).
>
> and Event 35:
> The time service is now synchronizing the system time with the time
> source VCServer.hbrapp.hbr-inc.com
> (ntp.d|10.250.16.15:123->10.250.48.150:123).
>
> Now what?


Sorry, I should have read this first before replying to the other one. This
looks good. These are informational, and are not errors. This will ensure
all DCs are synched. Client machines will automatically look for the
hierarchy to synch time.

Ace


Ace Fekay [MCT]
Aug 1, 2009, 5:09:39 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
> Do these errors mean anything? They are occurring on the PAW2 DC which
> is the one with all the zones listed in DNS?
>
> Event 1058:
> Windows cannot access the file gpt.ini for GPO
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=hbrpaw,DC=hbr-inc,DC=com.
> The file must be present at the location
> <\\hbrpaw.hbr-inc.com\sysvol\hbrpaw.hbr-inc.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> (Access is denied. ). Group Policy processing aborted.
>
> Event 1030:
> Windows cannot query for the list of Group Policy objects. Check the
> event log for possible messages previously logged by the policy engine
> that describes the reason for this.
>

PAW2 was the one you just repromoted?

These are indicative of DNS or replication issues. They can also be
indicative of issues with DFS services (whether using it or not). Read
more...


Event ID 1058 Source Userenv1. dfsutil /purgemupcache (dfsutil.exe is in the
Windows 2003 Support Tools). ... As stated previously, dfsutil
/PurgeMupCache also solved my 1058 problems. ...
http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

Ace


rchipman
Aug 1, 2009, 5:29:19 PM

> PAW2 was the one you just repromoted?

No, PAW2 is the original DC, PAWDC is the one I repromoted.

Ace Fekay [MCT]
Aug 1, 2009, 7:55:58 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
>>PAW2 was the one you just repromoted?
>
> No, PAW2 is the original DC, PAWDC is the one I repromoted.


Ok, I'm just trying to keep track!

Try that dfsutil command and see if it works. No harm in trying.

Ace

rchipman
Aug 2, 2009, 3:36:49 PM

Ok, I ran the dfsutil command and it said it completed successfully. I
am waiting to see if the 1058 continue to occur. If these errors are
gone, what should I expect?

I had to reboot the PAW2 server (the "good" DC) and upon boot-up I see
the following errors in the system log:

Event 40960:
The Security System detected an authentication error for the server
ldap/paw2.hbrpaw.hbr-inc.com. The failure code from authentication
protocol Kerberos was "There are currently no logon servers available to
service the logon request.
(0xc000005e)".

Event 40961:
The Security System could not establish a secured connection with the
server ldap/paw2.hbrpaw.hbr-inc.com. No authentication protocol was
available.

Is this something I need to be concerned about?

rchipman
Aug 2, 2009, 5:42:56 PM

Well, it looks like the 1058 errors have stopped.

I'm not sure I've posted this error before but on the PAWDC server (the
DC without all of the DNS zones), I am receiving the error and message
below:

Event 4015:
The DNS server has encountered a critical error from the Active
Directory. Check that the Active Directory is functioning properly. The
extended error debug information (which may be empty) is "000020B5:
AtrErr: DSID-03152392, #1:
0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data
0, Att 9067d (msDS-NC-Replica-Locations)". The event data contains the
error.

And Event 4513:


The DNS server detected that it is not enlisted in the replication
scope of the directory partition ForestDnsZones.hbrapp.hbr-inc.com. This
prevents the zones that should be replicated to all DNS servers in the
hbrpaw.hbr-inc.com forest from replicating to this DNS server.

To create or repair the forest-wide DNS directory partition, open the
the DNS console. Right-click the applicable DNS server, and then click
'Create Default Application Directory Partitions'. Follow the
instructions to create the default DNS application directory partitions.
For more information, see 'To create the default DNS application
directory partitions' in Help and Support.

The error was 9002.

This doesn't sound good to me.....

Ace Fekay [MCT]
Aug 2, 2009, 6:50:52 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>


Did you try to follow the repair suggestions in the message?


Ace Fekay [MCT]
Aug 2, 2009, 6:51:58 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
> Ok, I ran the dfsutil command and it said it completed successfully. I
> am waiting to see if the 1058 continue to occur. If these errors are
> gone, what should I expect?
>
> I had to reboot the PAW2 server (the "good" DC) and upon boot-up I see
> the following errors in the system log:
>
> Event 40960:
> The Security System detected an authentication error for the server
> ldap/paw2.hbrpaw.hbr-inc.com. The failure code from authentication
> protocol Kerberos was "There are currently no logon servers available to
> service the logon request.
> (0xc000005e)".
>
> Event 40961:
> The Security System could not establish a secured connection with the
> server ldap/paw2.hbrpaw.hbr-inc.com. No authentication protocol was
> available.
>
> Is this something I need to be concerned about?
>


Do you have a reverse zone created for all of your subnets?

It's possible the replication scope error in the other post may be causing
it.

Good to hear the 1058's are gone.

Ace

rchipman
Aug 2, 2009, 10:35:46 PM

> Do you have a reverse zone created for all of your subnets?

There was a reverse zone missing from DNS on hbrpaw.hbr-inc.com for one
of my other domains so I added it. I'm not sure this is what you meant.
The reverse zone for the hbrpaw.hbr-inc.com subnet was already there.

> Did you try to follow the repair suggestions in the message?

When I try to 'Create Default Application Directory Partitions' on the
PAW2 or PAWDC DNS servers, I receive the message "would you like to
create a single partition that stores DNS zone data and replicates that
data to all DNS servers in the Active Directory domain
hbrpaw.hbr-inc.com?" I answer YES and then receive the error:

"The partition to replicate zone data to all DNS servers in the Active
Directory domain was not created. The application directory partition
operation failed. The domain controller holding the domain naming
master role is down or unable to service the request or is not running
Windows Server 2003."

The domain naming master role is held by the forest root
vcserver.hbrapp.hbr-inc.com. So, what am I doing wrong?

Do I need to uninstall DNS on PAWDC (the DC without all of the
Ad-integrated zones) and/or run dcpromo again on PAWDC?

Ace Fekay [MCT]
Aug 2, 2009, 11:41:15 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
>>>Do you have a reverse zone created for all of your subnets?
>
> There was a reverse zone missing from DNS on hbrpaw.hbr-inc.com for one
> of my other domains so I added it. I'm not sure this is what you meant.
> The reverse zone for the hbrpaw.hbr-inc.com subnet was already there.
>
>>>Did you try to follow the repair suggestions in the message?
>
> When I try to 'Create Default Application Directory Partitions' on the
> PAW2 or PAWDC DNS servers, I receive the message "would you like to
> create a single partition that stores DNS zone data and replicates that
> data to all DNS servers in the Active Directory domain
> hbrpaw.hbr-inc.com?" I answer YES and then receive the error:
>
> "The partition to replicate zone data to all DNS servers in the Active
> Directory domain was not created. The application directory partition
> operation failed. The domain controller holding the domain naming
> master role is down or unable to service the request or is not running
> Windows Server 2003."
>
> The domain naming master role is held by the forest root
> vcserver.hbrapp.hbr-inc.com. So, what am I doing wrong?
>
> Do I need to uninstall DNS on PAWDC (the DC without all of the
> Ad-integrated zones) and/or run dcpromo again on PAWDC?
>

So if it can't contact the DNM, then no use rerunning dcpromo. Obviously
there's a communication issue. It really smells like a firewall issue,
unless the routers have the default MTU lowered from 1500, which will cause
LDAP communication problems. Such MTUs lower than 1500 are usually on ADSL
lines, but I don't remember you having such a line. I've seen some VPN
routers with altered MTUs that caused problems. I had one customer years ago
with a SonicWall that after an IOS upgrade, AD replication took a dive. It
took me two days to figure out what happened when I finally asked what
occurred prior to the replication issue, which was when the customer told me
they had upgraded one firewall. Ouch! We wound up putting on the old image,
and replication kicked off with no problems.

Check all of your routers and VPNs, please.

Also, run portquery on each DC between each DC to make sure all ports are
responding.

New features and functionality in PortQry version 2.0Dec 15, 2003 ... This
article discusses the new features and functionality that are available in
PortQry Command Line Port Scanner version 2.0.
http://support.microsoft.com/kb/832919

Download details: PortQry Command Line Port Scanner Version 2.0Dec 11, 2003
... Download PortQryV2.exe, a command-line utility that you can use to help
troubleshoot TCP/IP connectivity issues. Portqry.exe runs on Windows ...
http://www.microsoft.com/downloads/details.aspx?FamilyID=89811747-C74B-4638-A2D5-AC828BDC6983

Ace
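As an added example of the port check Ace describes (not the thread's own or Microsoft's code), the Python below attempts a TCP connection to each port a domain controller has to answer and reports the ones that do not respond; the port list is the standard AD/DC set rather than anything taken from this thread, and the script is meant to be run from each DC toward each other DC, and toward the domain naming master. UDP 53, 88, 123, 137 and 389 also matter between DCs, but a plain connect cannot verify UDP, so those need protocol-aware probes.

```python
"""Check the TCP ports a domain controller must answer, from one DC toward
another. Added example, not the thread's own or Microsoft's code; the port
list is the standard AD/DC set. The listener helpers at the bottom exist
only so the script can prove itself offline against a local socket."""
import socket

# TCP ports between DCs for replication, authentication, DNS and SYSVOL.
DC_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB / SYSVOL",
    464: "Kerberos kpasswd",
    636: "LDAPS",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAPS",
}


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out (filtered)
        return False


def check_dc_ports(host, ports=None, timeout=2.0):
    """Map each port to whether it answered; ports defaults to DC_TCP_PORTS."""
    ports = DC_TCP_PORTS if ports is None else ports
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def blocked_ports(results, ports=None):
    """Human-readable list of the ports that did not answer."""
    ports = DC_TCP_PORTS if ports is None else ports
    return ["%d/tcp (%s)" % (p, ports.get(p, "unknown"))
            for p, ok in sorted(results.items()) if not ok]


def report(host, timeout=2.0):
    """Print one line per port and return the list of non-responding ones."""
    results = check_dc_ports(host, timeout=timeout)
    for port, ok in sorted(results.items()):
        print("%s:%-5d %-22s %s" % (host, port, DC_TCP_PORTS[port],
                                    "open" if ok else "NO RESPONSE"))
    return blocked_ports(results)


def open_local_listener():
    """Offline self-check helper: a loopback listener standing in for a DC port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def find_closed_local_port():
    """Offline self-check helper: a loopback port with nothing listening on it."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if not targets:                                   # offline demo against loopback
        srv, port = open_local_listener()
        print("loopback self-check:", check_dc_ports("127.0.0.1", {port: "listener"}))
        srv.close()
    for dc in targets:                                # e.g. python dcports.py pawdc paw2
        missing = report(dc)
        print("%s: %s" % (dc, "all DC ports answered" if not missing
                          else "not answering: " + ", ".join(missing)))
```

A port that times out rather than being refused is the firewall-or-MTU signature Ace is looking for: a refused connection means the packet reached a host with nothing listening, while silence means something in between dropped it.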


Ace Fekay [MCT]
Aug 2, 2009, 11:51:56 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>

If we can clear this up using the newsgroups, and udpquery shows there are
no ports blocked or not responding, and firewalls and VPNs check clean,
knowing this is important for your production network, I must say that it
may be time to call Microsoft PSS to remote in and take care of it for you.
With all due respect, this thread is pretty large, and without remoting in
on my part or anyone else offering to remote in to take a first hand look,
it may really be beneficial to call them to get it fixed. They only charge
USD $250 for the support call during the week, and will take as long as they
need for the one charge to fix it.

I think it's an option you'll need to consider at this point.

Ace

rchipman
Aug 3, 2009, 7:20:31 AM

Thank you Ace (and Chris) for ALL of your help. I *REALLY* appreciate
it.

I will run portquery and see what I can do about checking the routers
and VPNs.

Just a thought, would it help if I set the secondary DNS server (for
temporary purposes) on PAWDC and/or PAW2 to the
VCServer.hbrapp.hbr-inc.com address (remember this is the server that
holds the domain naming master role)? I was wondering if this would help
with the error I get when trying to create the replication partition.

One more item....upon reboot of the PAW2 server, I noticed ANOTHER
couple of messages that might be worth noting (not sure if this has been
mentioned or not):

Event 1053:
Windows cannot determine the user or computer name. (The system
detected a possible attempt to compromise security. Please ensure that
you can contact the server that authenticated you. ). Group Policy
processing aborted.

Event 1054:
Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be
contacted. ). Group Policy processing aborted.

Ace Fekay [MCT]
Aug 3, 2009, 7:16:52 PM

"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...
>
> Thank you Ace (and Chris) for ALL of your help. I *_REALLY_* appreciate
> it.
>
> I will run portquery and see what I can do about checking the routers
> and VPNs.
>
> Just a thought, would it help if I set the secondary DNS server (for
> temporary purposes) on PAWDC and/or PAW2 to the
> VCServer.hbrapp.hbr-inc.com address (remember this is the server that
> holds the domain naming master role)? I was wondering if this would help with
> the error I get when trying to create the replication partition.
>
> One more item....upon reboot of the PAW2 server, I noticed ANOTHER
> couple of messages that might be worth noting (not sure if this has been
> mentioned or not):
>
> Event 1053:
> Windows cannot determine the user or computer name. (The system
> detected a possible attempt to compromise security. Please ensure that
> you can contact the server that authenticated you. ). Group Policy
> processing aborted.
>
> Event 1054:
> Windows cannot obtain the domain controller name for your computer
> network. (The specified domain either does not exist or could not be
> contacted. ). Group Policy processing aborted.
>

You are welcome, so far. It's been weeks, and I'm sure you want to resolve
this.

I assume the Source name is Userenv. The 1054's can be cleaned up with
dfsutil /purgemupcache. This utility is part of the support tools.

1053:
http://eventid.net/display.asp?eventid=1053&eventno=1584&source=Userenv&phase=1

1054:
http://eventid.net/display.asp?eventid=1054&eventno=1393&source=Userenv&phase=1

Ace

rchipman

Aug 17, 2009, 5:15:16 PM8/17/09
to

Hello -

It's been awhile and my problem still exists.

I am finally getting a chance to utilize the portqry tool and thought I
would post some results in an effort to get some understanding of what
I'm actually seeing.

I ran the command "portqry -n myserver -p udp -e 137" on 4 servers: the
PAW2 server (the one with all DNS zones listed), PAWDC (the DC and DNS
server w/o all zones listed) and two other DCs in two of my other
domains. On the PAWDC DC and the other DCs, I received the below
results:

C:\PortQryV2>portqry -n pawdc -p udp -e 137

Querying target system called:

pawdc

Attempting to resolve name to IP address...


Name resolved to 10.250.16.15

querying...

UDP port 137 (netbios-ns service): LISTENING or FILTERED

Using ephemeral source port
Attempting NETBIOS adapter status query to UDP port 137...

Server's response: MAC address 005056b122e5
UDP port: LISTENING

However, on the PAW2 server, I received the following:

D:\PortQryV2>portqry -n paw2 -p udp -e 137

Querying target system called:

paw2

Attempting to resolve name to IP address...


Name resolved to 10.250.16.12

querying...

UDP port 137 (netbios-ns service): LISTENING or FILTERED

I'm guessing this is a problem since it didn't return this
information..?:

Using ephemeral source port
Attempting NETBIOS adapter status query to UDP port 137...

Server's response: MAC address 005056b122e5
UDP port: LISTENING

Also, on the same servers I tested port 135 and all of them but PAW2
indicated port 135 was not listening. On PAW2, I received the
following:

querying...

UDP port 135 (epmap service): LISTENING or FILTERED

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 DHCP Client LRPC Endpoint
ncalrpc:[dhcpcsvc]

UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp:14.0.0.0[3690]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncalrpc:[LRPC00000d00.00000001]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncalrpc:[LRPC00000d00.00000001]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncalrpc:[LRPC00000d00.00000001]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncalrpc:[LRPC00000d00.00000001]

UUID: 6bffd098-a112-3610-9833-46c3f874532d
ncalrpc:[OLEBC01E54B075D47EB9333D7DD355A]

UUID: 6bffd098-a112-3610-9833-46c3f874532d
ncacn_ip_tcp:14.0.0.0[1058]

UUID: 6bffd098-a112-3610-9833-46c3f874532d
ncalrpc:[DHCPSERVERLPC]

UUID: 5b821720-f63b-11d0-aad2-00c04fc324db
ncalrpc:[OLEBC01E54B075D47EB9333D7DD355A]

UUID: 5b821720-f63b-11d0-aad2-00c04fc324db
ncacn_ip_tcp:14.0.0.0[1058]

UUID: 5b821720-f63b-11d0-aad2-00c04fc324db
ncalrpc:[DHCPSERVERLPC]

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncalrpc:[OLEFE2DFC3F337F4EEDAF282AFC0948]

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncacn_ip_tcp:14.0.0.0[1043]

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncalrpc:[LRPC000006a4.00000001]

UUID: d049b186-814f-11d1-9a3c-00c04fc9b232 NtFrs API
ncalrpc:[OLEFE2DFC3F337F4EEDAF282AFC0948]

UUID: d049b186-814f-11d1-9a3c-00c04fc9b232 NtFrs API
ncacn_ip_tcp:14.0.0.0[1043]

UUID: d049b186-814f-11d1-9a3c-00c04fc9b232 NtFrs API
ncalrpc:[LRPC000006a4.00000001]

UUID: a00c021c-2be2-11d2-b678-0000f87a8f8e PERFMON SERVICE
ncalrpc:[OLEFE2DFC3F337F4EEDAF282AFC0948]

UUID: a00c021c-2be2-11d2-b678-0000f87a8f8e PERFMON SERVICE
ncacn_ip_tcp:14.0.0.0[1043]

UUID: a00c021c-2be2-11d2-b678-0000f87a8f8e PERFMON SERVICE
ncalrpc:[LRPC000006a4.00000001]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncacn_np:\\\\PAW2[\\PIPE\\lsass]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncalrpc:[audit]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncalrpc:[securityevent]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncalrpc:[protected_storage]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncacn_np:\\\\PAW2[\\PIPE\\protected_storage]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncalrpc:[dsrole]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncacn_ip_tcp:14.0.0.0[1025]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncalrpc:[NTDS_LPC]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncacn_http:14.0.0.0[1028]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_np:\\\\PAW2[\\PIPE\\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncalrpc:[audit]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncalrpc:[securityevent]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncalrpc:[protected_storage]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_np:\\\\PAW2[\\PIPE\\protected_storage]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncalrpc:[dsrole]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_ip_tcp:14.0.0.0[1025]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncalrpc:[NTDS_LPC]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_http:14.0.0.0[1028]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:\\\\PAW2[\\PIPE\\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncalrpc:[audit]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncalrpc:[securityevent]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncalrpc:[protected_storage]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:\\\\PAW2[\\PIPE\\protected_storage]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncalrpc:[dsrole]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:14.0.0.0[1025]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncalrpc:[NTDS_LPC]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_http:14.0.0.0[1028]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:\\\\PAW2[\\PIPE\\lsass]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncalrpc:[audit]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncalrpc:[securityevent]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncalrpc:[protected_storage]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:\\\\PAW2[\\PIPE\\protected_storage]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncalrpc:[dsrole]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_ip_tcp:14.0.0.0[1025]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncalrpc:[NTDS_LPC]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_http:14.0.0.0[1028]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncacn_np:\\\\PAW2[\\PIPE\\lsass]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncalrpc:[audit]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncalrpc:[securityevent]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncalrpc:[protected_storage]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncacn_np:\\\\PAW2[\\PIPE\\protected_storage]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncalrpc:[dsrole]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncacn_ip_tcp:14.0.0.0[1025]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncalrpc:[NTDS_LPC]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncacn_http:14.0.0.0[1028]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_np:\\\\PAW2[\\PIPE\\lsass]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncalrpc:[audit]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncalrpc:[securityevent]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncalrpc:[protected_storage]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_np:\\\\PAW2[\\PIPE\\protected_storage]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncalrpc:[dsrole]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_ip_tcp:14.0.0.0[1025]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncalrpc:[NTDS_LPC]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_http:14.0.0.0[1028]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_np:\\\\PAW2[\\PIPE\\lsass]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncalrpc:[audit]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncalrpc:[securityevent]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncalrpc:[protected_storage]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_np:\\\\PAW2[\\PIPE\\protected_storage]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncalrpc:[dsrole]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_ip_tcp:14.0.0.0[1025]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncalrpc:[NTDS_LPC]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_http:14.0.0.0[1028]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncalrpc:[wzcsvc]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncalrpc:[OLE157288FA559C4D5AAB2F884A388C]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_np:\\\\PAW2[\\PIPE\\atsvc]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncalrpc:[wzcsvc]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncalrpc:[OLE157288FA559C4D5AAB2F884A388C]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncacn_np:\\\\PAW2[\\PIPE\\atsvc]

UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
ncalrpc:[wzcsvc]

UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
ncalrpc:[OLE157288FA559C4D5AAB2F884A388C]

UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
ncacn_np:\\\\PAW2[\\PIPE\\atsvc]

UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 DHCP Client LRPC Endpoint
ncalrpc:[DNSResolver]

Total endpoints found: 94

==== End of RPC Endpoint Mapper query response ====

UDP port 135 is LISTENING


D:\PortQryV2>

I'm wondering why port 135 is open on PAW2 but not on the other servers.
Since the other DCs in the other domains are working, I'm guessing it
doesn't need to be....?
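The endpoint mapper listing above is long, and the question it raises (which RPC interfaces on PAW2 are actually reachable from another machine, and on which TCP ports) is easier to answer from a summary than from the raw dump. The following Python script is an added example written for this thread, not code from the posters or from the PortQry tool. It parses the "Querying Endpoint Mapper Database" section of `portqry -e 135` output, groups bindings by interface UUID, and separates interfaces that only register the local `ncalrpc` transport from those that also register `ncacn_ip_tcp`, `ncacn_np` or `ncacn_http` bindings. The sample input is constructed for the example (a short excerpt in the same shape as the posting, using a few of its UUIDs); the regular expressions and the `LOCAL_ONLY` classification are my assumptions about the output format.

```python
import re
from dataclasses import dataclass

# Protocol sequences that portqry prints in front of each binding. ncalrpc is
# the local-only transport; everything else is a network transport.
PROTSEQ_RE = re.compile(r"^(ncacn_ip_tcp|ncacn_np|ncacn_http|ncadg_ip_udp|ncalrpc):(.*)$")
TCP_PORT_RE = re.compile(r"\[(\d+)\]$")
LOCAL_ONLY = {"ncalrpc"}

# Constructed sample modelled on the thread's listing (trimmed to 10 endpoints).
SAMPLE = r"""
Querying Endpoint Mapper Database...
Server's response:

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncalrpc:[OLEFE2DFC3F337F4EEDAF282AFC0948]

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncacn_ip_tcp:14.0.0.0[1043]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncacn_np:\\PAW2[\PIPE\lsass]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncalrpc:[NTDS_LPC]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncacn_ip_tcp:14.0.0.0[1025]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS
Interface
ncacn_http:14.0.0.0[1028]

UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 DHCP Client LRPC Endpoint
ncalrpc:[dhcpcsvc]

UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 DHCP Client LRPC Endpoint
ncalrpc:[DNSResolver]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncalrpc:[wzcsvc]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_np:\\PAW2[\PIPE\atsvc]

Total endpoints found: 10

==== End of RPC Endpoint Mapper query response ====
"""


@dataclass
class Endpoint:
    uuid: str
    annotation: str
    protseq: str
    binding: str


def parse_epm_output(text):
    """Parse endpoint mapper entries from portqry output.

    Each entry is a 'UUID: <uuid> [annotation]' line, possibly followed by
    continuation lines of a wrapped annotation, then exactly one binding line.
    Lines outside an entry (headers, totals) are ignored."""
    endpoints = []
    uuid = annotation = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("UUID:"):
            parts = line.split(None, 2)
            uuid = parts[1].lower()
            annotation = parts[2] if len(parts) > 2 else ""
            continue
        match = PROTSEQ_RE.match(line)
        if match and uuid is not None:
            endpoints.append(Endpoint(uuid, annotation.strip(), match.group(1), match.group(2)))
            uuid = annotation = None
        elif uuid is not None:
            # Wrapped annotation ("MS NT Directory DRS" / "Interface").
            annotation = f"{annotation} {line}"
    return endpoints


def summarize(endpoints):
    """Group endpoints by interface UUID: annotation, transports and TCP ports."""
    summary = {}
    for ep in endpoints:
        entry = summary.setdefault(ep.uuid, {"annotation": "", "protseqs": set(), "tcp_ports": set()})
        if ep.annotation and not entry["annotation"]:
            entry["annotation"] = ep.annotation
        entry["protseqs"].add(ep.protseq)
        if ep.protseq == "ncacn_ip_tcp":
            port = TCP_PORT_RE.search(ep.binding)
            if port:
                entry["tcp_ports"].add(int(port.group(1)))
    return summary


def remotely_reachable(summary):
    """Interfaces registering at least one network transport."""
    return sorted(u for u, e in summary.items() if e["protseqs"] - LOCAL_ONLY)


def local_only(summary):
    """Interfaces registering nothing but ncalrpc (not reachable over the wire)."""
    return sorted(u for u, e in summary.items() if not (e["protseqs"] - LOCAL_ONLY))


if __name__ == "__main__":
    summary = summarize(parse_epm_output(SAMPLE))
    for uuid in remotely_reachable(summary):
        e = summary[uuid]
        print(f"{uuid} {e['annotation'] or '(no annotation)'}: "
              f"{sorted(e['protseqs'])} tcp={sorted(e['tcp_ports'])}")
    print("local only:", local_only(summary))
```

Feed it the full output from the post and the DRS interface (e3514235-...) shows up with an `ncacn_ip_tcp` binding on port 1025, which is the dynamic port a replication partner is redirected to after asking the endpoint mapper on 135. That is why 135 and the dynamic RPC range both have to pass any firewall or VPN filter between DCs, the check Ace asks about in the next post; the `ncalrpc`-only interfaces, by contrast, are listed by the mapper but cannot be reached from another host at all.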

Ace Fekay [MCT]

Aug 17, 2009, 6:45:10 PM8/17/09
to
"rchipman" <rchipma...@DoNotSpam.com> wrote in message
news:rchipma...@DoNotSpam.com...

I haven't heard from you in awhile. Apparently from the results you've
posted, there's a block going on with the firewalls and/or VPN, or the local
machines. Did you say you checked the firewalls and VPN filters to insure
they allow 'any - any' between all locations? And also, there is no local
firewall installed or some other security or antivirus app installed that
could be blocking the traffic? Possibly an IPSec rule somewhere either
locally or in a GPO?

Ace
