global catalog problem


  • global catalog problem

    hello everyone

    In my company we have two domain controllers: one server is 2008R2 and the other is 2012R2. We are trying to upgrade the old 2008R2 server. I started the process by making a full backup of the old PC and checked all the prerequisites, such as FSMO roles and Global Catalog; they are installed on both servers. I demoted the server, and after that all the users started having login problems. I noticed that the global catalog isn't installed on the 2012R2 server even though it's checked in Active Directory Sites and Services, and there is no GC record in the DNS. I tried to uncheck and then check the GC and restart the server, but still when I connect through LDAP it gives me isGlobalCatalogReady false. Any help will be appreciated.

    thanks in advance

  • #2
    Re: global catalog problem

    Hello.
    You just want to do an upgrade from Windows Server 2008R2 to 2012?
    Did you try the upgrade on the 2008R2 server or on another, separate 2012 server?
    Please try to explain your problem.


    • #3
      Re: global catalog problem

      We need to change the old server. We bought a new one and we are trying to remove the old one that holds Server 2008R2. We have a secondary DC, Server 2012R2, that is supposed to be a GC because in Active Directory Sites and Services the check mark for GC is checked, but when I connect through LDAP it gives me isGlobalCatalogReady = false.


      • #4
        Re: global catalog problem

        Follow the link:

        http://forums.petri.com/showthread.php?t=3856
        and check if port 3268 (GC) is open.

        What do you mean when you say
        "when I connect through ldap"?
        Last edited by Meirp; 12th August 2014, 11:49.
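
The checks raised in the thread up to this point (the GC check mark, isGlobalCatalogReady over LDAP, the GC record in DNS, port 3268) can be gathered in one function. This is an added example, not code from any poster; the server and forest names passed to it are placeholders, and the function name is hypothetical.

```powershell
# Added example: compare the "Global Catalog" check mark with actual GC readiness.
# Test-GcReadiness is a hypothetical helper; $Server and $ForestDns are supplied
# by the caller and are not values taken from the thread.
function Test-GcReadiness {
    param(
        [Parameter(Mandatory)][string]$Server,     # DC to test (FQDN or short name)
        [Parameter(Mandatory)][string]$ForestDns   # forest root DNS name
    )

    # rootDSE of the target DC: dsServiceName is the DN of its NTDS Settings
    # object, isGlobalCatalogReady says whether it is advertising as a GC.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $ntdsDn  = [string]$rootDse.Properties['dsServiceName'].Value
    $ready   = [string]$rootDse.Properties['isGlobalCatalogReady'].Value

    # Bit 0x1 of 'options' on NTDS Settings is what the check mark in
    # Active Directory Sites and Services sets. It only requests promotion.
    $ntds    = [ADSI]"LDAP://$Server/$ntdsDn"
    $options = [int]$ntds.Properties['options'].Value
    $flagged = ($options -band 1) -eq 1

    # GC locator SRV records, registered in DNS once the DC advertises as a GC.
    $srv = Resolve-DnsName -Name "_gc._tcp.$ForestDns" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -like "$Server*" }

    # The GC LDAP listener.
    $port = Test-NetConnection -ComputerName $Server -Port 3268 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Server               = $Server
        GcCheckboxSet        = $flagged
        IsGlobalCatalogReady = ($ready -eq 'TRUE')
        GcSrvRecordInDns     = [bool]$srv
        Port3268Open         = $port.TcpTestSucceeded
    }
}

# Usage (placeholder names):
# Test-GcReadiness -Server 'dc2.example.local' -ForestDns 'example.local'
```

A result with GcCheckboxSet true but IsGlobalCatalogReady and GcSrvRecordInDns false matches the symptom described in the first post: promotion was requested but the DC has not started advertising as a GC.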


        • #5
          Re: global catalog problem

          A little bit of reading for you. The third link may be of help.

          http://technet.microsoft.com/en-us/l.../cc733162.aspx

          http://technet.microsoft.com/en-us/l.../cc733162.aspx

          http://technet.microsoft.com/en-us/l.../cc753187.aspx

          • #6
            Re: global catalog problem

            dsmod server (ServerDN) -isgc yes

            dsmod server (ServerDN) -isgc no

            (from here: http://www.winvistatips.com/threads/...her-dc.783219/)

            • #7
              Re: global catalog problem

              I checked port 3268 and it's open. I tried the command and nothing happened; the global catalog is still not replicating to other domain controllers. I ran the following command:

              dcdiag /test:checksecurityerror

              Directory Server Diagnosis

              Performing initial setup:
              Trying to find home server...
              Home Server = 2k8DC
              * Identified AD Forest.
              Done gathering initial info.

              Doing initial required tests

              Testing server: mysite\2K8DC
              Starting test: Connectivity
              ......................... 2K8DC passed test Connectivity

              Doing primary tests

              Testing server: mysite\2K8DC
              Starting test: CheckSecurityError
              The account 2K8DC is not a DC account. It cannot replicate.
              Unable to verify the machine account
              (CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
              2K8DC.
              Source DC WIN-SM5GUTCII7H has possible security error (8453).
              Diagnosing...
              Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
              DC and continuing...
              * Missing SPN
              :LDAP/[email protected][email protected]/mydomain.local
              * Missing SPN :LDAP/[email protected][email protected]
              * Missing SPN :LDAP/WIN-SM5GUTCII7H
              * Missing SPN
              :LDAP/[email protected][email protected]/mydomain
              * Missing SPN
              :LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
              * Missing SPN
              :HOST/[email protected][email protected]/mydomain.local
              * Missing SPN :HOST/[email protected][email protected]
              * Missing SPN
              :HOST/[email protected][email protected]/mydomain
              * Missing SPN
              :GC/[email protected][email protected]/mydomain.local
              Unable to verify the machine account
              (CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
              for WIN-SM5GUTCII7H on 2K8DC.
              Unable to connect to the NETLOGON share!
              (\\WIN-SM5GUTCII7H\netlogon)
              [WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
              error 67, The network name cannot be found..
              [WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
              shares. Please check the above output and take appropriate
              steps.
              Failed to read object metadata on WIN-SM5GUTCII7H, error
              Directory object not found.
              [WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
              See any errors reported in attempting tests.
              ......................... 2K8DC failed test CheckSecurityError


              Running partition tests on : ForestDnsZones

              Running partition tests on : DomainDnsZones

              Running partition tests on : Schema

              Running partition tests on : Configuration

              Running partition tests on : mydomain

              Running enterprise tests on : mydomain.local

              C:\Users\Administrator>dcdiag /test:checksecurityerror

              Directory Server Diagnosis

              Performing initial setup:
              Trying to find home server...
              Home Server = 2k8DC
              * Identified AD Forest.
              Done gathering initial info.

              Doing initial required tests

              Testing server: mysite\2K8DC
              Starting test: Connectivity
              ......................... 2K8DC passed test Connectivity

              Doing primary tests

              Testing server: mysite\2K8DC
              Starting test: CheckSecurityError
              The account 2K8DC is not a DC account. It cannot replicate.
              Unable to verify the machine account
              (CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
              2K8DC.
              Source DC WIN-SM5GUTCII7H has possible security error (8453).
              Diagnosing...
              Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
              DC and continuing...
              * Missing SPN
              :LDAP/[email protected][email protected]/mydomain.local
              * Missing SPN :LDAP/[email protected][email protected]
              * Missing SPN :LDAP/WIN-SM5GUTCII7H
              * Missing SPN
              :LDAP/[email protected][email protected]/mydomain
              * Missing SPN
              :LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
              * Missing SPN
              :HOST/[email protected][email protected]/mydomain.local
              * Missing SPN :HOST/[email protected][email protected]
              * Missing SPN
              :HOST/[email protected][email protected]/mydomain
              * Missing SPN
              :GC/[email protected][email protected]/mydomain.local
              Unable to verify the machine account
              (CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
              for WIN-SM5GUTCII7H on 2K8DC.
              Unable to connect to the NETLOGON share!
              (\\WIN-SM5GUTCII7H\netlogon)
              [WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
              error 67, The network name cannot be found..
              [WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
              shares. Please check the above output and take appropriate
              steps.
              Failed to read object metadata on WIN-SM5GUTCII7H, error
              Directory object not found.
              [WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
              See any errors reported in attempting tests.
              Authoritative attribute pwdLastSet on 2K8DC (writeable)
              usnLocalChange = 5866156
              LastOriginatingDsa = 2K8DC
              usnOriginatingChange = 5866156
              timeLastOriginatingChange = 2014-08-17 08:55:52
              VersionLastOriginatingChange = 42
              Out-of-date attribute pwdLastSet on WIN-SM5GUTCII7H (writeable)
              usnLocalChange = 12868
              LastOriginatingDsa = 22a5b57a-fac4-4cfe-9fcb-c545025d3716
              usnOriginatingChange = 5830453
              timeLastOriginatingChange = 2014-08-13 15:07:23
              VersionLastOriginatingChange = 41
              Unable to verify the convergence of this machine account
              (CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) on these DC's
              (DC=mydomain,DC=local,2K8DC). Does the machine account password need
              resetting?
              ......................... 2K8DC failed test CheckSecurityError


              Running partition tests on : ForestDnsZones

              Running partition tests on : DomainDnsZones

              Running partition tests on : Schema

              Running partition tests on : Configuration

              Running partition tests on : mydomain

              Running enterprise tests on : mydomain.local

              Note that WIN-SM5GUTCII7H is a new DC. I renamed it to server 2008R2, but it can't be a global catalog due to the error.
              I tried to google this error but I didn't find any solution for how to make it replicate the GC.

              Best
              Last edited by fadygh; 17th August 2014, 07:35.


              • #8
                Re: global catalog problem

                Format the new DC.
                Do a metadata cleanup and remove traces of the WIN-SMBLA computer DC.
                Test with DCDIAG and make sure it's happy.
                If you have to seize roles and clean up metadata so it's all the way back down to one DC, then do that.

                Then, rebuild your new DC. Give it the name you want it to have, THEN join it to the domain.


                By renaming it, you've introduced some problems. DCs don't like being renamed.