Netlogons and Advertising Fail on Second Windows Server 2003 DC

  • Netlogons and Advertising Fail on Second Windows Server 2003 DC

    I'm running a single Windows Server 2003 Standard Ed. with AD, DNS, File & Print Serving. Added a second DC into the same domain (also Server 2003 Std) which I'd like to have ready to take over as main DC with a change of DNS at some point.
    However, at this point, I'd just like to have the new DC to be a replica of the old DC - and run backups to it.
    AD seems to have replicated fine and updates replicate quickly. I can login using AD on the new DC from a workstation.
    The 2 DC's respond correctly w/ pings to each other by IP, Server Name, and FQDN.
    DC1 has no significant errors, but the new one (DC2) does. Having a lot of trouble with FRS and backups quit after partial.
    DCDIAG (on DC2) - everything passes except:
    -- Netlogons: "Unable to connect to the NETLOGONS share! (DC2\netlogon) An net use or LsaPolicy operation failed with error 1203. No network provider accepted the given network path"
    -- Advertising test fails with "Warning: DsGetDcName returned information for DC1 when trying to reach DC2. Server is not responding or is not considered suitable.
    NETDIAG (on DC2) - "Domain membership test.. failed. Warning: this system volume has not been completely replicated to the local machine. This machine is not working properly as a DC."
    NETDIAG /FIX (on DC2): everything passed, with exception: DNS test passed followed with "Warning: Cannot find a primary authoritative DNS server for the name DS2... DS2 may not be registered in DNS"
    EVENT LOG ERRORS (Warnings) ON DC2 include:
    13508 - NtFrs - FRS having trouble enabling replication from DC1 to DC2 for c:\windows\sysvol\domain
    13509 - NtFrs - FRS has enabled replication from DC1 to DC2 for c\windows\sysvol\domain after repeated retries.
    1054 - Userenv - Windows cannot obtain the domain controller name for your computer network.
    53258 - MSDTC - MS DTC could not correctly process a DC Promotion/Demotion event.
    1003 - SceSrv - Notification of policy change from LSA/SAM has been retried and failed. Error 4312 to save policy change for account xxxxx in the default GPOs.
    40960 - LSASRV - SPNEGO negotiator - authentication error for server LDAP/DC2
    Sure would appreciate some help if anyone can spot any common thread in this grouping of errors. Thank you.

  • #2
    Re: Netlogons and Advertising Fail on Second Windows Server 2003 DC

    1. What type of DNS is configured in your DC -- Primary/Secondary or Active Directory Integrated?

    2. Try to stop and start the netlogon service.

    3. What share permissions exist on the netlogon share on DC2? Are you able to access the share from DC1?



    • #3
      Re: Netlogons and Advertising Fail on Second Windows Server 2003 DC

      1. AD integrated.
      2. I have stopped/started the netlogon service multiple times.
      3. Hmmm.. FROM DC1: I can see shared folders and files I created on DC2,
      however, cannot reach /sysvol
      Also, sysvol policy folders have not replicated from DC1 to DC2
      but the policy created on DC2 has replicated to DC1 sysvol policy folder
      (The DC2 policy was created during a ?failed? burflag process that was suggested a couple of weeks back when I was attempting to tackle this issue).
      Thanks for your reply.

      >> 1. What type of DNS is configured in your DC -- Primary/Secondary or Active Directory Integrated?
      >> 2. Try to stop and start the netlogon service.
      >> 3. What share permissions exist on the netlogon share on DC2? Are you able to access the share from DC1?



      • #4
        Re: Netlogons and Advertising Fail on Second Windows Server 2003 DC

        You should start here and verify all this is working properly.

        Connectivity

        To test for domain controller connectivity, use the Dcdiag tool to do the following:
        • Verify that the DNS names for the server are registered.
        VERIFIED OK "The 2 DC's respond correctly w/ pings to each other by IP, Server Name, and FQDN."
        • Verify that the server can be reached by means of IP at its IP address.
        VERIFIED OK
        • Verify that the server can be reached by means of LDAP.
        Test LDAP: http://confluence.atlassian.com/disp...ty+with+Paddle
        • Verify that the server can be reached by means of an RPC call.
        RPC test: "net view \\DC1" from command prompt from DC2

        Can you verify that you're trying to add a second DC that is part of and joined to the first DC's? If so, did you start off by running DCPROMO?

        Have you tried undoing DCPROMO then DCPROMO again?
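        The four connectivity checks listed in this reply, scripted as an added example (this is not code from the thread or from Microsoft's tools): it resolves the DC name, then tests TCP reachability on the well-known ports for LDAP, the RPC endpoint mapper and SMB (the service behind the \\DC\netlogon share). Ping needs raw ICMP sockets, so a completed TCP handshake stands in for the "reachable by IP" check. The host name dc2.example.test, the loopback listener and the substitute resolver are constructed for the self-test.

```python
import socket

# Well-known service ports behind the checks in the post (LDAP, RPC endpoint
# mapper, SMB for the \\DC\netlogon share). Standard assignments, not from the post.
DC_PORTS = {"ldap": 389, "rpc_endpoint_mapper": 135, "smb": 445}


def resolve_name(name, resolver=socket.gethostbyname):
    """Check 1: does the DC name resolve at all? Returns the IP or None."""
    try:
        return resolver(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def tcp_reachable(host, port, timeout=2.0):
    """Checks 2-4: a completed TCP handshake proves the host answers at its IP
    and that something listens on the service port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(name, ports=DC_PORTS, timeout=2.0, resolver=socket.gethostbyname):
    """Run the checks against one DC and return a flat report dict."""
    ip = resolve_name(name, resolver)
    report = {"name": name, "ip": ip}
    for label, port in ports.items():
        # An unresolvable name makes every port check a failure.
        report[label] = ip is not None and tcp_reachable(ip, port, timeout)
    return report


def failed_checks(report):
    """Names of the checks that failed, 'dns' first if the name did not resolve."""
    failed = [] if report["ip"] else ["dns"]
    failed += [k for k in report if k not in ("name", "ip") and not report[k]]
    return failed


def open_local_listener():
    """Self-test helper: a loopback TCP listener standing in for a DC service.
    Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_local_listener()
    try:
        # Constructed: pretend dc2.example.test is the loopback listener.
        rep = check_dc("dc2.example.test", ports={"ldap": port},
                       resolver=lambda n: "127.0.0.1")
        print(rep, "failed:", failed_checks(rep))
    finally:
        srv.close()
```

        Run it with the real DC name and the default ports from any machine in the domain; a check that fails here while `ping` succeeds points at the service (or a firewall in front of it) rather than at IP routing, which is the distinction the dcdiag Connectivity test also draws.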



        • #5
          Re: Netlogons and Advertising Fail on Second Windows Server 2003 DC

          Are you sure you're creating the policy on DC2? Open dsa.msc and check the domain controller it is connecting to (you can see it in the root of Active Directory Users & Computers itself).

          Check this link out...this may help you ----
          http://support.microsoft.com/kb/315457



          • #6
            Re: Netlogons and Advertising Fail on Second Windows Server 2003 DC

            Thanks. Yes, the DCs can see each other. Main DC (DC1) has a bunch of errors today. I tried to run "netdom resetpwd" but it failed.
            Some of the errors are:
            -------------------------------------------------------------------------------------------------
            (reset password attempt):

            "Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again."
            -------------------------------------------------------------------------------------------------
            netdiags:

            DNS test . . . . . . . . . . . . . : Passed
            [WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.150.201'. Please wait for 30 minutes for DNS server replication.
            PASS - All the DNS entries for DC are registered on DNS server '192.168.150.202' and other DCs also have some of the names registered.

            LDAP test. . . . . . . . . . . . . : Passed
            [FATAL] Cannot do Negotiate authenticated ldap_bind to 'DomainServer.MYDOMAIN.COM': Local Error.
            [WARNING] Failed to query SPN registration on DC 'DOMAINSERVER2.MYDOMAIN.COM'.
            -------------------------------------------------------------------------------------------------
            dcdiag /fix on DC1 generated a bunch of replication errors of course, plus:

            Testing server: Default-First-Site-Name\DOMAINSERVER
            Starting test: Connectivity
            *** Warning: could not confirm the identity of this server in
            the directory versus the names returned by DNS servers.
            If there are problems accessing this directory server then
            you may need to check that this server is correctly registered
            with DNS
            ......................... DOMAINSERVER passed test Connectivity

            Starting test: NCSecDesc
            Error MYDOMAIN-ME\Domain Controllers doesn't have
            Replicating Directory Changes All
            access rights for the naming context:
            DC=MYDOMAIN-ME,DC=COM
            ......................... DOMAINSERVER failed test NCSecDesc

            -------------------------------------------------------------------------------------------------
            dcdiag /test:CheckSecurityError/ReplSource:domainserver

            Testing server: Default-First-Site-Name\DOMAINSERVER
            Starting test: Connectivity
            ......................... DOMAINSERVER passed test Connectivity

            Doing primary tests
            Testing server: Default-First-Site-Name\DOMAINSERVER
            Starting test: CheckSecurityError
            Source DC DOMAINSERVER2 has possible security error (1722).
            Diagnosing... Error 53 querying time on DC DOMAINSERVER2.
            Ignoring this DC and continuing... Time skew error between client and 1 DCs!
            ERROR_ACCESS_DENIED or down machine recieved by: DOMAINSERVER2
            Source DC DOMAINSERVER was requested for a manual security error check.
            Diagnosing... Error MYDOMAIN-ME\Domain Controllers doesn't have
            Replicating Directory Changes All access rights for the naming context:
            DC=MYDOMAIN-ME,DC=COM
            ......................... DOMAINSERVER failed test CheckSecurityError
            --------------------------------------------------------------------------------
            Both DC's clocks read identically. Not sure why "Time Skew" error.
            --------------------------------------------------------------------------------
            nslookup

            *** Can't find server name for address 192.168.150.201: Non-existent domain
            Default Server: UnKnown
            Address: 192.168.150.201
            --------------------------------------------------------------------------------
            Thanks.
            Dave
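            A small parser for dcdiag transcripts like the ones quoted in this post, added here as an example (it is not part of the thread and not a Microsoft tool): it splits the output into per-test records, lists tests that failed and tests that passed but still printed a warning, and pulls out the Win32 error numbers so each can be looked up with `net helpmsg`. The sample text is constructed from the lines in this post; the three-entry error-name table covers only codes seen in this thread and is not a complete mapping.

```python
import re

# Constructed sample, assembled from the dcdiag lines quoted in this post.
SAMPLE_DCDIAG = """\
Testing server: Default-First-Site-Name\\DOMAINSERVER
Starting test: Connectivity
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
......................... DOMAINSERVER passed test Connectivity

Starting test: NCSecDesc
Error MYDOMAIN-ME\\Domain Controllers doesn't have
Replicating Directory Changes All
access rights for the naming context:
DC=MYDOMAIN-ME,DC=COM
......................... DOMAINSERVER failed test NCSecDesc

Starting test: CheckSecurityError
Source DC DOMAINSERVER2 has possible security error (1722).
Diagnosing... Error 53 querying time on DC DOMAINSERVER2.
......................... DOMAINSERVER failed test CheckSecurityError
"""

SERVER_RE = re.compile(r"^Testing server:\s+(\S+)")
START_RE = re.compile(r"^Starting test:\s+(\S+)")
RESULT_RE = re.compile(r"^\.+\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)$")
# Error numbers appear either as "(1722)" or as "Error 53 ..."
CODE_RE = re.compile(r"\((\d+)\)|\bError\s+(\d+)\b")

# Subset of Win32 error names for the codes seen in this thread (known values).
WIN32_NAMES = {
    53: "ERROR_BAD_NETPATH (network path not found)",
    1203: "ERROR_NO_NET_OR_BAD_PATH (no network provider accepted the path)",
    1722: "RPC_S_SERVER_UNAVAILABLE (RPC server is unavailable)",
}


def parse_dcdiag(text):
    """Split a dcdiag transcript into records {server, test, status, notes};
    notes are the lines printed between 'Starting test:' and the dotted
    result line, which is where dcdiag puts its diagnosis."""
    records, server, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
            continue
        m = START_RE.match(line)
        if m:
            current = {"server": server, "test": m.group(1), "status": None, "notes": []}
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:
            current["status"] = m.group(2)
            records.append(current)
            current = None
            continue
        if current is not None:
            current["notes"].append(line)
    return records


def failed_tests(records):
    return [r["test"] for r in records if r["status"] == "failed"]


def passed_with_warnings(records):
    """Tests dcdiag marked passed but that still printed a Warning line."""
    return [r["test"] for r in records
            if r["status"] == "passed" and any("Warning" in n for n in r["notes"])]


def error_codes(records):
    """Win32 error numbers found in the notes, in order of appearance."""
    codes = []
    for r in records:
        for note in r["notes"]:
            for m in CODE_RE.finditer(note):
                codes.append(int(m.group(1) or m.group(2)))
    return codes


def describe(code):
    return WIN32_NAMES.get(code, "unknown here; run: net helpmsg %d" % code)


if __name__ == "__main__":
    recs = parse_dcdiag(SAMPLE_DCDIAG)
    print("failed:", failed_tests(recs))
    print("passed with warnings:", passed_with_warnings(recs))
    for c in error_codes(recs):
        print(c, describe(c))
```

            Feed it `dcdiag /v` output saved with `> dcdiag.txt` from each DC and compare the two lists of failed tests; on the transcript above it reports NCSecDesc and CheckSecurityError as failed, Connectivity as passed with a warning, and the codes 1722 and 53, which are both "cannot reach the other DC" errors rather than directory errors.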
