
Serious 2008 R2 DC issues

  • Serious 2008 R2 DC issues

    I am trying to add another DC to an existing domain. They are in 2 separate networks, with a firewall allowing the DCs to talk. As far as I know, all of the required ports and protocols are open and working. After doing a DCPromo, here are the DCDiag results. Please help!



    C:\>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
    Trying to find home server...
    Home Server = DC03
    * Identified AD Forest.
    Ldap search capabality attribute search failed on server DC01, return value
    = 81
    Got error while checking if the DC is using FRS or DFSR. Error:
    Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
    because of this error.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\DC03
    Starting test: Connectivity
    ......................... DC03 passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\DC03
    Starting test: Advertising
    Warning: DsGetDcName returned information for
    \\DC02.domain.com, when we were trying to reach DC03.
    SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
    ......................... DC03 failed test Advertising
    Starting test: FrsEvent
    ......................... DC03 passed test FrsEvent
    Starting test: DFSREvent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... DC03 failed test DFSREvent
    Starting test: SysVolCheck
    ......................... DC03 passed test SysVolCheck
    Starting test: KccEvent
    A warning event occurred. EventID: 0x00000266
    Time Generated: 08/02/2010 08:56:29
    Event String:
    NTDS (456) NTDSA: Database 'C:\Windows\NTDS\ntds.dit': The secondary index 'PDNT_index' of table 'datatable' may be corrupt. If there is no later event showing the index being rebuilt, then please defragment the database to rebuild the index.
    A warning event occurred. EventID: 0x800005B7
    Time Generated: 08/02/2010 08:56:29
    Event String:
    Active Directory Domain Services has detected and deleted some possibly corrupted indices as part of initialization.
    A warning event occurred. EventID: 0x80000B46
    Time Generated: 08/02/2010 08:58:14
    Event String:
    The security of this directory server can be significantly enhancedby configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
    A warning event occurred. EventID: 0x80000785
    Time Generated: 08/02/2010 09:03:35
    Event String:
    The attempt to establish a replication link for the following writable directory partition failed.
    ......................... DC03 passed test KccEvent
    Starting test: KnowsOfRoleHolders
    ......................... DC03 passed test KnowsOfRoleHolders
    Starting test: MachineAccount
    * Missing SPN :LDAP/DC03.domain.com/domain.com
    * Missing SPN :LDAP/DC03.domain.com
    * Missing SPN :LDAP/DC03
    * Missing SPN :LDAP/DC03.domain.com/DOMAIN
    * Missing SPN
    :LDAP/27992827-8215-42cf-b3cf-25ccec278824._msdcs.domain.com
    * Missing SPN :HOST/DC03.domain.com/domain.com
    * Missing SPN :HOST/DC03.domain.com/DOMAIN
    * Missing SPN :GC/DC03.domain.com/domain.com
    ......................... DC03 failed test MachineAccount
    Starting test: NCSecDesc
    ......................... DC03 passed test NCSecDesc
    Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\DC03\netlogon)
    [DC03] An net use or LsaPolicy operation failed with error 67,
    The network name cannot be found..
    ......................... DC03 failed test NetLogons
    Starting test: ObjectsReplicated
    ......................... DC03 passed test ObjectsReplicated
    Starting test: Replications
    REPLICATION LATENCY WARNING
    ERROR: Expected notification link is missing.
    Source DC02
    Replication of new changes along this path will be delayed.
    This problem should self-correct on the next periodic sync.
    REPLICATION LATENCY WARNING
    ERROR: Expected notification link is missing.
    Source DC02
    Replication of new changes along this path will be delayed.
    This problem should self-correct on the next periodic sync.
    ......................... DC03 passed test Replications
    Starting test: RidManager
    ......................... DC03 passed test RidManager
    Starting test: Services
    ......................... DC03 passed test Services
    Starting test: SystemLog
    A warning event occurred. EventID: 0x000003F6
    Time Generated: 08/02/2010 08:53:54
    Event String:
    Name resolution for the name domain.com timed out after none of the configured DNS servers responded.
    A warning event occurred. EventID: 0x00000082
    Time Generated: 08/02/2010 08:56:26
    Event String:
    NtpClient was unable to set a domain peer to use as a time source because of failure in establishing a trust relationship between this computer and the '' domain in order to securely synchronize time. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The interface is unknown. (0x800706B5)
    A warning event occurred. EventID: 0x8000001D
    Time Generated: 08/02/2010 08:58:07
    Event String:
    The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
    A warning event occurred. EventID: 0x0000008E
    Time Generated: 08/02/2010 08:58:38
    Event String:
    The time service has stopped advertising as a time source because the local clock is not synchronized.
    A warning event occurred. EventID: 0x000003F6
    Time Generated: 08/02/2010 08:58:57
    Event String:
    Name resolution for the name domain.com timed out after none of the configured DNS servers responded.
    An error event occurred. EventID: 0xC0002719
    Time Generated: 08/02/2010 08:59:11
    Event String:
    DCOM was unable to communicate with the computer DC01.domain.com using any of the configured protocols.
    An error event occurred. EventID: 0xC0002719
    Time Generated: 08/02/2010 08:59:43
    Event String:
    DCOM was unable to communicate with the computer DC01.domain.com using any of the configured protocols.
    ......................... DC03 failed test SystemLog
    Starting test: VerifyReferences
    ......................... DC03 passed test VerifyReferences


    Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation

    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation

    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation

    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation

    Running partition tests on : test
    Starting test: CheckSDRefDom
    ......................... test passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... test passed test CrossRefValidation

    Running enterprise tests on : domain.com
    Starting test: LocatorCheck
    ......................... domain.com passed test LocatorCheck
    Starting test: Intersite
    ......................... domain.com passed test Intersite
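
A triage helper for transcripts like the one above, as an added example that is not part of the original post: it lists which dcdiag tests failed, collects missing SPNs, and decodes each `EventID` to the number Event Viewer shows (0x80000B46 becomes 2886, the LDAP signing warning quoted in the output). The function names `triage` and `failed_tests` are hypothetical, and the sample is abridged from the post's own output.

```python
import re

# Abridged from the dcdiag transcript in the first post (sample input for this example).
SAMPLE = r"""
Starting test: KccEvent
A warning event occurred. EventID: 0x80000B46
A warning event occurred. EventID: 0x80000785
......................... DC03 passed test KccEvent
Starting test: MachineAccount
* Missing SPN :LDAP/DC03.domain.com
* Missing SPN
:LDAP/27992827-8215-42cf-b3cf-25ccec278824._msdcs.domain.com
......................... DC03 failed test MachineAccount
Starting test: NetLogons
......................... DC03 failed test NetLogons
Starting test: SystemLog
A warning event occurred. EventID: 0x000003F6
An error event occurred. EventID: 0xC0002719
......................... DC03 failed test SystemLog
"""

START = re.compile(r"Starting test: (\S+)")
RESULT = re.compile(r"\.{5,} (\S+) (passed|failed) test (\S+)")
EVENT = re.compile(r"An? (warning|error) event occurred\.\s+EventID: (0x[0-9A-Fa-f]{8})")
SPN = re.compile(r"\* Missing SPN\s*:(\S+)")

def triage(text):
    """Return one record per dcdiag test: target, result, events, missing SPNs."""
    # dcdiag wraps long SPNs onto the next line; rejoin them before parsing.
    text = re.sub(r"(\* Missing SPN)[ \t]*\r?\n[ \t]*:", r"\1 :", text)
    records, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := START.match(line):
            cur = {"test": m.group(1), "target": None, "result": None, "events": [], "spns": []}
            records.append(cur)
        elif cur is None:
            continue
        elif m := RESULT.match(line):
            cur["target"], cur["result"] = m.group(1), m.group(2)
            cur = None
        elif m := EVENT.match(line):
            # Low 16 bits are the ID shown in Event Viewer; the top bits carry severity.
            cur["events"].append((m.group(1), int(m.group(2), 16) & 0xFFFF))
        elif m := SPN.match(line):
            cur["spns"].append(m.group(1))
    return records

def failed_tests(records):
    return [r["test"] for r in records if r["result"] == "failed"]
```

A test that passes can still carry warnings worth reading: in the sample, KccEvent passes while reporting events 2886 and 1925.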

  • #2
    Re: Serious 2008 R2 DC issues

    Have you got a VPN set up from site to site?
    Steven Roberts
    IT Mercenary

    MCITP:EA|MCTS|MCSE 2003 (Messaging and Security)|MCSA 2003 (Messaging and Security)|MCP|Prince2 Practitioner

    Don't forget to click on the Yin-Yang icon to leave reputation points if you think my advice has been worthwhile!



    • #3
      Re: Serious 2008 R2 DC issues

      Originally posted by Ste
      Have you got a VPN set up from site to site?
      Yes, there is an 'always on' connection between the 2 networks.



      • #4
        Re: Serious 2008 R2 DC issues

        Are all DCs in existence? DC01, and DC02? One of them hasn't been uncleanly removed has it?

        Are you trying to join a 2008R2 server to a 2003 domain?



        The below is for linking to an existing 2003 domain;

        http://support.microsoft.com/?kbid=232122

        This is after reading the section in your post
        "Event String:
        NTDS (456) NTDSA: Database 'C:\Windows\NTDS\ntds.dit': The secondary index 'PDNT_index' of table 'datatable' may be corrupt. If there is no later event showing the index being rebuilt, then please defragment the database to rebuild the index."

        Worth a go?

        Ste
        Last edited by Ste; 2nd August 2010, 15:53.


        • #5
          Re: Serious 2008 R2 DC issues

          Have you checked your firewall and handshake?



          • #6
            Re: Serious 2008 R2 DC issues

            Originally posted by rexsniper
            Have you checked your firewall and handshake?
            What do you mean by a 'handshake'? The new DC appears to be successfully added to the domain, until I run DCDiag, which gives the results below.

            Originally posted by STE
            Are all DCs in existence? DC01, and DC02? One of them hasn't been uncleanly removed has it?

            Are you trying to join a 2008R2 server to a 2003 domain?
            All DCs are 2008R2. DC01 and DC03 cannot talk. DC02 is the primary FSMO roles holder. DC02 and DC03 can talk just fine.



            • #7
              Re: Serious 2008 R2 DC issues

              Ok, so I am now working on the following issue. The Netlogon and SYSVOL shares aren't being created. I have found some Win2000-03 guides on fixing this, but nothing for 2008. Any help?

              C:\>dcdiag /test:Netlogons

              Directory Server Diagnosis

              Performing initial setup:
              Trying to find home server...
              Home Server = DC03
              * Identified AD Forest.
              Done gathering initial info.

              Doing initial required tests

              Testing server: Default-First-Site-Name\DC03
              Starting test: Connectivity
              ......................... DC03 passed test Connectivity

              Doing primary tests

              Testing server: Default-First-Site-Name\DC03
              Starting test: NetLogons
              Unable to connect to the NETLOGON share! (\\DC03\netlogon)
              [DC03] An net use or LsaPolicy operation failed with error 67,
              The network name cannot be found..
              ......................... DC03 failed test NetLogons


              Running partition tests on : ForestDnsZones

              Running partition tests on : DomainDnsZones

              Running partition tests on : Schema

              Running partition tests on : Configuration

              Running partition tests on : domain

              Running enterprise tests on : domain.come



              • #8
                Re: Serious 2008 R2 DC issues

                Consider demoting all DCs except the FSMO holder, cleaning up AD and then creating new DCs
                Tom Jones
                MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                PhD, MSc, FIAP, MIITT
                IT Trainer / Consultant
                Ossian Ltd
                Scotland

                ** Remember to give credit where credit is due and leave reputation points where appropriate **



                • #9
                  Re: Serious 2008 R2 DC issues

                  Originally posted by Ossian
                  Consider demoting all DCs except the FSMO holder, cleaning up AD and then creating new DCs
                  That's what I just got done doing. Is there a way to re-create the shares in 2008 R2?
