DC IP changed causing logon, RPC, and AD problem

  • DC IP changed causing logon, RPC, and AD problem

    Hi, first time post here, thanks for all who can help.
    I have a problem with a DC ("CONFIS003", Windows 2003 R2 sp2, DNS, WINS, IIS) that causes it to pause a minute or two while logging in, and in the event log is this:
    >Event ID 1053
    >Windows cannot determine the user or computer name (The RPC server is unavailable. ). Group Policy processing aborted.
    I am also experiencing freezes of PCs in the site every 15 minutes, for a few seconds or so. I'm not sure if that is related, but it is annoying.
    The history of this server is that it had been a DC in the site CONDURA (domain structure described below) for a year or two with no problems. Six months or so ago we moved it to site RIMIR and changed the IP, apparently with no problems. A month or so ago it developed a Kerberos error, KRB_AP_ERR_MODIFIED, basically it couldn't talk to any of the other DCs. I uninstalled AD and DNS, but had to use ntdsutil to do a metadata cleanup since I had to force the DC demotion. I went to each server in each site and cleaned up the data, then rejoined, and everything was happy.
    Two weeks ago we had to move the DC to another building and so we had to change its IP again. The tech who did it just modified the IP in the control panel, shut it down, and moved it, which had worked before. When it started up things looked good but then we noticed the login problem. To resolve that, I uninstalled AD and DNS without any problems (no need for a forced demotion or ntdsutil), reinstalled both, but the problem is still there. I may be forced to remove AD and just leave the server as a standalone for a period of time, which I think will eliminate the logon problem and hopefully the pause on the other PCs, but eventually it needs to be a DC, so any help in clearing it up would be appreciated.
    I also found some records of the old IP in the DNS as the name server, which I manually edited. Also, WINS had 2 records of the old server which I deleted (Messenger and Other, neither has been recreated yet). Everything else appears good, I have reinstalled DNS several times, flushed caches, rebooted, etc... and have not fixed the problem.
    I'm thinking if I uninstall AD, DNS, WINS, run ntdsutil and do a metadata cleanup on all the other servers, then wait a week or so to rejoin, maybe that would let everything work itself out. But I'm hoping there might be a simple fix because there is just the 1 or two error messages, everything else seems to be OK.
    Now for some info...
    Our site structure is like this
    - Forest with one domain: FISMEX.NORTHAMERICA.DELPHIAUTO.NET
    - 4 sites, below are the DC's in each site (site name - server1, server2...)
    - Each DC is running DNS, WINS, IIS. Each DNS is set to forward to the corporate DNS servers. Each server uses itself for DNS and WINS with the second server in the site as the secondary.
    Our corporate dns suffixes include,,,, but the FISMEX domain is standalone and is not related to their forest or DNS.
    The errors in dcdiag are
    1 - not advertising time service, which is correct, we have installed PTBSync on all DC's to keep the time correct to a corporate master time server. All are accurate to within a couple of seconds.
    2 - previous error messages in log files, which is OK since I know there are errors.
    The errors in netdiag are
    1- DC list test . . . . . . . . . . . : Failed
    List of DCs in Domain 'FISMEX':
    2 - [WARNING] Failed to query SPN registration on DC 'CONFIS003.FISMEX.NORTHAMERICA.DELPHIAUTO.NET'.
    3 - [WARNING] Failed to query SPN registration on DC 'ddmfis01.FISMEX.NORTHAMERICA.DELPHIAUTO.NET'.

    Attached is some useful info, ipconfig, dcdiag, and netdiag (2 parts)

  • #2
    Re: DC IP changed causing logon, RPC, and AD problem

    Personally I usually recommend having the primary DNS as another DC not the same one (assuming DNS is on the DCs). It may be best to set all other DCs with primary DNS to the main FSMO holder (if all roles are held on one server) and then set that box to one of the others. Reboot the main one and then, once it has come back up, wait 20 mins and reboot the others one by one. Let it sit for a bit and then run dcdiag /fix and netdiag /fix posting the results.
    You can use DNSLint to check records too.
    dnslint /ad /s localhost /v /y /no_open /t /r "c:\DNSlintReport"
    Can you explain this a bit more?
    >Our corporate dns suffixes include,,,, but the FISMEX domain is standalone and is not related to their forest or DNS.
    Is fismex part of this domain or not? If not, why do you also write

    Also, uninstalling AD/DNS when you have problems isn't usually the best method, it would be better to try and find out the root cause.

    Quis custodiet ipsos custodes?
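
The first post describes finding leftover records for the DC's old IP in DNS by hand. As an added example (not from either poster), this Python script scans a zone listing in master-file form for A records still on the old address and for NS/SRV records whose target host still has one, or has no A record at all. The zone lines, `OLD_IP`, `oldhost` and every address are constructed placeholders; only the two DC names come from the thread.

```python
# Constructed sample: host names are the thread's two DCs; "oldhost" and all IPs are placeholders.
ORIGIN = "fismex.northamerica.delphiauto.net."
OLD_IP = "192.0.2.10"  # stands in for the DC's previous address
ZONE = """\
@               3600 IN NS  confis003.fismex.northamerica.delphiauto.net.
@               3600 IN NS  ddmfis01.fismex.northamerica.delphiauto.net.
confis003       3600 IN A   198.51.100.10
confis003       3600 IN A   192.0.2.10
ddmfis01        3600 IN A   198.51.100.20
_ldap._tcp      600  IN SRV 0 100 389 confis003.fismex.northamerica.delphiauto.net.
_kerberos._tcp  600  IN SRV 0 100 88 oldhost.fismex.northamerica.delphiauto.net.
"""

def parse_zone(text, origin=ORIGIN):
    """Return (owner_fqdn, type, rdata) for each 'owner ttl IN type rdata' line."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records

def find_stale(records, old_ip):
    """Flag A records on the old IP and NS/SRV records whose target is stale."""
    addrs = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            addrs.setdefault(owner, set()).add(rdata)
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "A" and rdata == old_ip:
            findings.append((owner, rtype, "old IP"))
        elif rtype in ("NS", "SRV"):
            target = rdata.split()[-1].lower()  # host name is the last rdata field
            ips = addrs.get(target)
            if ips is None:  # also true for targets outside this zone
                findings.append((owner, rtype, f"{target}: no A record"))
            elif old_ip in ips:
                findings.append((owner, rtype, f"{target}: old IP"))
    return findings

if __name__ == "__main__":
    print(*find_stale(parse_zone(ZONE), OLD_IP), sep="\n")
```

A host that carries both the old and the new A record is the case worth catching: clients and other DCs may pick either address, so every NS and SRV record that points at that host is reported as well.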