Missing DC in ADSS Default-first-site NTDS Settings

[Phantom]

Hi,

I just put up a fourth domain controller (a GC server and
w/ADC-integrated DNS)in my single domain, single forest, single site
environment. In Active Directory Sites and Services, default-first-site,
only the two domain controllers configured as DNS servers can see it in
the NTDS Settings branch. It can display those two, but not the domain
controller with the FMSO role of PDC emulator (also RID and
Infrastructure master). The PDC emulator can't display it in its NTDS
branch either.

Running repadmin.exe /showrepl servername /verbose /all /intersite on
the new domain controller shows

"Last attempt @ 2009-08-16 01:50:56 was successful"

all around, with the exception that the new domain controller just
doesn't register the PDC emulator (act on it with repladmin) when
running this command.

I see event id 1586 warnings in the new domain controller's directory
service event log. Here is the text:

"The Windows NT 4.0 or earlier replication checkpoint with the PDC
emulator master was unsuccessful.

A full synchronization of the security accounts manager (SAM)
database to domain controllers running Windows NT 4.0 and earlier
might take place if the PDC emulator master role is transferred to
the local domain controller before the next successful checkpoint.

The checkpoint process will be tried again in four hours."

I'm baffled by all of this. Do I have a problem? I've never seen this
before with any of my domain controllers not seeing each other in NTDS
Settings.

Thanks,

- Brian

 

[Meinolf Weber [MVP-DS]]

Hello Phantom,

If you have 4 DCs they all should be listed in AD sites and services, not
only the ones with DNS installed. Which OS version are the DCs, are they
using latest SP and patches?

Please run:
- dcdiag /v /c /d /e /s:dcname > c:\dcdiag.txt
- netdiag /v > c:\netdiag.txt
- repadmin.exe /showrepl

and post the output here, netdiag and repadmin run on each DC. Also describe
your DNS setup and how are the DCs located, all in one site?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 

[Ace Fekay [MCT]]

Hi,

I just put up a fourth domain controller (a GC server and w/ADC-integrated
DNS)in my single domain, single forest, single site environment. In Active
Directory Sites and Services, default-first-site, only the two domain
controllers configured as DNS servers can see it in the NTDS Settings
branch. It can display those two, but not the domain controller with the
FMSO role of PDC emulator (also RID and Infrastructure master). The PDC
emulator can't display it in its NTDS branch either.

Running repadmin.exe /showrepl servername /verbose /all /intersite on the
new domain controller shows

"Last attempt @ 2009-08-16 01:50:56 was successful"

all around, with the exception that the new domain controller just doesn't
register the PDC emulator (act on it with repladmin) when running this
command.

I see event id 1586 warnings in the new domain controller's directory
service event log. Here is the text:

"The Windows NT 4.0 or earlier replication checkpoint with the PDC
emulator master was unsuccessful.

A full synchronization of the security accounts manager (SAM) database to
domain controllers running Windows NT 4.0 and earlier might take place if
the PDC emulator master role is transferred to the local domain controller
before the next successful checkpoint.

The checkpoint process will be tried again in four hours."

I'm baffled by all of this. Do I have a problem? I've never seen this
before with any of my domain controllers not seeing each other in NTDS
Settings.

Thanks,

- Brian

Yep, it appears that way.

What OS? Are all four DCs Windows 2000?

What service pack level are the DCs?

What is the Source Name for the EventID 1568 you are seeing?

A number of things can cause this, such as:

Single label DNS domain name.
Multihomed DCs and/or RRAS on the DC
DCs are configured to use the ISP's DNS, the router as a DNS or some other
external DNS server
Disjointed namespace
SRV records missing in DNS

We'll need additional information to better understand your AD's base setup
and configuration, in order to better help out.

Post any additional event log errors you are seeing (eventID# and Source).

Please post an unedited ipconfig /all of your four DCs.

If you are not able to provide this info, it will be difficult to diagnose
the issue(s).

Thank you,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

 

[Phantom]

Hi

I've run the commands for each server, redirected to text files, and
also included some screen shots of how things look in ADSS on my ftp
server. It seems like posting all of that in a reply would take up too
much space.

If it's not too inconvenient, please log on to ftp://211.36.81.203 with
UID public and PWD pvblic.

I had two active directory-integrated servers before adding this third
one. Yes, all are in one site.

Thanks.

 

[Meinolf Weber [MVP-DS]]

Hello Phantom,

For 1586 check this one:
http://support.microsoft.com/kb/269417

Make sure all machines have the same time settings. The DC with the PDCEmulator
role should be configured to use an external time source if not already done.

What is '4858N-LOANER$', a removed trust with external domain or an existing
one? Or a deleted child domain? Or deleted server? Is it an existing domain
member?

Are your DCs installed from an image that is not sysprepped or all fresh
from scratch?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 

[Phantom]

Yep, it appears that way.

What OS? Are all four DCs Windows 2000?

What service pack level are the DCs?

What is the Source Name for the EventID 1568 you are seeing?

A number of things can cause this, such as:

Single label DNS domain name.
Multihomed DCs and/or RRAS on the DC
DCs are configured to use the ISP's DNS, the router as a DNS or some
other external DNS server
Disjointed namespace
SRV records missing in DNS

We'll need additional information to better understand your AD's base
setup and configuration, in order to better help out.

Post any additional event log errors you are seeing (eventID# and Source).

Please post an unedited ipconfig /all of your four DCs.

If you are not able to provide this info, it will be difficult to
diagnose the issue(s).

Thank you,

Hi,

All four DCs are running Server 2003, and all but one is running SP2.

The source name for event 1586 is "NTDS replication."

Thanks.

 

[Phantom]

Hi Mr. Weber,

Indeed the PDC Emulator is configured to use an external time source.
The time is synchronized on all four Windows 2003 DCs.

4858N-LOANER$ is actually the name of a plain notebook XP workstation.

All the DCs were built from scratch using the cd, and not rapidly
deployed from images. One is running in VMWare as a VM.

 

[Ace Fekay [MCT]]

Hi Mr. Weber,

Indeed the PDC Emulator is configured to use an external time source. The
time is synchronized on all four Windows 2003 DCs.

4858N-LOANER$ is actually the name of a plain notebook XP workstation.

All the DCs were built from scratch using the cd, and not rapidly deployed
from images. One is running in VMWare as a VM.

I would suggest to install SP2 on that one DC.

Not that it has anything to do with AD, but just a recommendation that for
all of your WINS server, a WINS server can only point to itself. It has to
do with the way a WINS registers itself as owner on names it registers. If
you add another one in its config, it can cause WINS issues.

For that one eventID for that laptop, 4858N-LOANER$, it seems the join trust
between the DC and the laptop is corrupted. Simply disjoin the laptop,
delete the machine account in AD, and rejoin it.

As far as the NTDS settings and the parnterships, they seem inline. I
actually drew this out on paper looking at each picture.
http://www.fekay.com/supportblogs/phantom.jpg

This is the KCC doing its work, which optimized the connection objects
between your DCs. It optimizes it based on the maximum time allowed for
replication between DCs in a site, which is 15 minutes. Notice in the
picture, that there is no connection between Alpha and Beta, however if
something was created, changed or deleted on Alpha, it will replicate to
both Bkup and CDNS, which then replicates to Beta.

On a side note, that's why if you have multiple Sites, the least amount of
time you can reduce replication times is 15 minutes. So it looks fine to me.

Ace

 

[Phantom]

I would suggest to install SP2 on that one DC.

Not that it has anything to do with AD, but just a recommendation that
for all of your WINS server, a WINS server can only point to itself. It
has to do with the way a WINS registers itself as owner on names it
registers. If you add another one in its config, it can cause WINS issues.

For that one eventID for that laptop, 4858N-LOANER$, it seems the join
trust between the DC and the laptop is corrupted. Simply disjoin the
laptop, delete the machine account in AD, and rejoin it.

As far as the NTDS settings and the parnterships, they seem inline. I
actually drew this out on paper looking at each picture.
http://www.fekay.com/supportblogs/phantom.jpg

This is the KCC doing its work, which optimized the connection objects
between your DCs. It optimizes it based on the maximum time allowed for
replication between DCs in a site, which is 15 minutes. Notice in the
picture, that there is no connection between Alpha and Beta, however if
something was created, changed or deleted on Alpha, it will replicate to
both Bkup and CDNS, which then replicates to Beta.

On a side note, that's why if you have multiple Sites, the least amount
of time you can reduce replication times is 15 minutes. So it looks fine
to me.

Ace

Hi Ace,

What a relief. I thought for sure this was an anomaly. I appreciate you
working up that diagram and explaining the relationships between the
servers.

As to the other issues, I'll make sure the WINS servers are configured
as you recommend and re add that problematic notebook as soon as possible.

Thanks again.

 

[Ace Fekay [MCT]]

Hi Ace,

What a relief. I thought for sure this was an anomaly. I appreciate you
working up that diagram and explaining the relationships between the
servers.

As to the other issues, I'll make sure the WINS servers are configured as
you recommend and re add that problematic notebook as soon as possible.

Thanks again.

My pleasure.

You can also create a diagram like I did, but automatically. I basically did
it manuall by looking at your site connections and drew them out on paper.
There's a tool called replmon.exe, the GUI version, that if you right click
(can't remember the spot) in one of the settings, you can choose to 'view
connection objects,' and it will draw all your DCs for you with colored
connection objects. That was the basis how I drew it up. You can see that
not all DCs are partnered. Even in sites with 20 DCs, not all are partners.
The KCC does that automatically when optimizing partnerships.

Cheers!!

Ace