No announcement yet.

WS2k8 R2 PDC failed

  • Filter
  • Time
  • Show
Clear All
new posts

  • WS2k8 R2 PDC failed

    Hi all,

    In Jun, 2010 I upgraded all my DCs from WS2k3 & WS2k to WS2k8 R2.

    I demoted old DCs, installed new servers and changed name, IP of new servers as the same with old DCs. My old PDC is Windows server 2000

    After that, PDC sometimes failed, I couldn't open DNS and AD.

    It show message:

    Naming information cannot be located for the following reason: The server is not operational

    If you are trying to connect to a Domain Controller running Windows 2000, verify that Windows 2000 server Service Pack 3 or later is installed on the Dc, or use the Windows 2000 administration tools.

    I found some EventID as:

    ************************************************** ******

    EventID 2088

    Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.

    Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources.

    You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.

    Alternate server name:
    Failing DNS host name:

    NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

    Registry Path:
    HKLM\System\CurrentControlSet\Services\NTDS\Diagno stics\22 DS RPC Client

    User Action:

    1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

    2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view sourceDC name>" or "ping <source DC name>".

    3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on ...

    dcdiag /test:dns

    4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

    dcdiag /test:dns

    5) For further analysis of DNS error failures see KB 824449:

    Additional Data
    Error value:
    11004 The requested name is valid, but no data of the requested type was found.

    ************************************************** *****
    Event ID 2886

    The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

    Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

    For more details and information on how to make this configuration change to the server, please <link to Microsoft website>

    You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

    EventID 2092

    This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

    Operations which require contacting a FSMO operation master will fail until this condition is corrected.

    FSMO Role: DC=abc,DC=abc,DC=abc,DC=abc

    User Action:

    1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
    2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
    3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on <Link to microsoft website>

    The following operations may be impacted:
    Schema: You will no longer be able to modify the schema for this forest.
    Domain Naming: You will no longer be able to add or remove domains from this forest.
    PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
    RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
    Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.


    EventID 1126

    Active Directory Domain Services was unable to establish a connection with the global catalog.

    Additional Data
    Error value:
    10054 An existing connection was forcibly closed by the remote host.
    Internal ID:

    User Action:
    Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.


    If you have any advice, please let me know to solve this problem

  • #2
    Re: WS2k8 R2 PDC failed

    When you removed the old servers from the domain, did you transfer FSMO roles at that time to a Windows 2008 server?

    Did you ensure that the AD metadata, DNS entries and server object in AD Sites and Services had all been removed prior to promoting other DCs as the same IP and name? For example, when the DC was demoted, the computer account should have moved from the Domain Controllers OU into the Computers container.

    Do you only have Windows 2008 R2 DCs now?
    Last edited by Virtual; 7th March 2011, 16:41. Reason: Spelling


    • #3
      Re: WS2k8 R2 PDC failed

      Post a DCdiag result as well
      Caesar's cipher - 3




      • #4
        Re: WS2k8 R2 PDC failed

        To Virtual,

        Here is my steps to do:

        1. Install new servers
        2. Promote new server to become DC
        3. Demote old DC, unplug out of network
        4. Remove metadata, DNS entries, object associated in Site & Services, DC container...
        5. Change name & IP of new DC with name & IP of old DC

        (I did these steps with PDC also)

        And now all our DCs are WS2k8 servers

        To L4ndy.

        I attached dcdiag result as attached file.

        Thanks all,
        Attached Files


        • #5
          Re: WS2k8 R2 PDC failed

          We may be having some terminology misunderstanding. What do you mean by PDC? There is NO PDC in an AD environment but there is a PDC Emulator.

          Any particular reason why you renamed the new DC to the name of the old DC? If you missed cleaning and old DC entry from metadata then this may cause issues.

          Is DNS on the new DC pointing to itself or is it pointing to your ISP's DNS IP?

          Have you physically checked that the new DC has the Global Catelog option ticked?
          Joined: 23rd December 2003
          Departed: 23rd December 2015


          • #6
            Re: WS2k8 R2 PDC failed

            Sorry because of reply late.

            1. I mean PDC = primary domain controller. It kept FSMO roles

            2. The reason I didn't want to change IP and named is configuration of many equipments included iP of DCs (Proxy, firewall, routers).

            3. DNS of new DC I point to itself (its IP 192.168.. but not and IP of another DC in same site. Is it correct?

            4. When I was promoting, I saw the default setting of any new promoted server is Global Catalog option ticked

            And I think it has something of old DC information remaining.

            After I transfered FSMO roles to other DC, the error of Primary domain controllers gone immediately.

            Until now I couldn't figure out the exactly problem. So I have plan to demote and use new name & new IP for all DCs


            • #7
              Re: WS2k8 R2 PDC failed

              Well luckily there is no PDC anymore so you should be ok

              Anyhow, can you resolve this computername?

              Testing server: Site1\PrimaryDC
              Starting test: Connectivity
              The host e61ede83-83be-4658-98ab-c7db9335554d._msdcs.DomainName
              could not be resolved to an IP address. Check the DNS server, DHCP,
              server name, etc.
              Got error while checking LDAP and RPC connectivity. Please check your
              firewall settings.
              ......................... PrimaryDC failed test Connectivity
              Is he still switched on?
              Did you or did you not checked if the FSMO roles are moved over?
              Technical Consultant

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"