Problems rebuilding forest root DC

Cameron Dorrough

Hi, I have had to rebuild our W2k + AD forest root server ("MAIN") - we have
two DCs in the forest.

Now that the server is back up again, I am getting SAM 16650 errors on a
regular basis and can no longer access group policy - but replication seems
to be working (as far as I can tell). Running "dcdiag" gives the following
not nice report. Can anyone help me out here??

Thanks in advance,
Cameron:-)
----------------

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: NC-Melbourne\MAIN
Starting test: Connectivity
......................... MAIN passed test Connectivity

Doing primary tests

Testing server: NC-Melbourne\MAIN
Starting test: Replications
......................... MAIN passed test Replications
Starting test: NCSecDesc
......................... MAIN passed test NCSecDesc
Starting test: NetLogons
......................... MAIN passed test NetLogons
Starting test: Advertising
......................... MAIN passed test Advertising
Starting test: KnowsOfRoleHolders
Warning: CN="NTDS Settings
DEL:05e60f35-cf52-45c2-81ac-c5e6fbb1fac5",CN=MAIN,CN=Servers,CN=NC-Melbourne
,CN=Sites,CN=Configuration,DC=nc-mel,DC=rmna,DC=com,DC=au is the PDC Owner,
but is deleted.
Warning: CN="NTDS Settings
DEL:05e60f35-cf52-45c2-81ac-c5e6fbb1fac5",CN=MAIN,CN=Servers,CN=NC-Melbourne
,CN=Sites,CN=Configuration,DC=nc-mel,DC=rmna,DC=com,DC=au is the Rid Owner,
but is deleted.
Warning: CN="NTDS Settings
DEL:05e60f35-cf52-45c2-81ac-c5e6fbb1fac5",CN=MAIN,CN=Servers,CN=NC-Melbourne
,CN=Sites,CN=Configuration,DC=nc-mel,DC=rmna,DC=com,DC=au is the
Infrastructure Update Owner, but is deleted.
......................... MAIN failed test KnowsOfRoleHolders
Starting test: RidManager
Warning: FSMO Role Owner is deleted.
Warning: rid set reference is deleted.
ldap_search_sW of CN=RID Set\
DEL:e2d3500c-e7ca-49d7-814a-7ae4e06f4881,CN=Deleted
Objects,DC=nc-mel,DC=rmna,DC=com,DC=au for rid info failed with 2: The
system cannot find the file specified.
......................... MAIN failed test RidManager
Starting test: MachineAccount
......................... MAIN passed test MachineAccount
Starting test: Services
......................... MAIN passed test Services
Starting test: ObjectsReplicated
......................... MAIN passed test ObjectsReplicated
Starting test: frssysvol
......................... MAIN passed test frssysvol
Starting test: kccevent
......................... MAIN passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:18:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:20:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:22:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:24:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:26:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:28:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:30:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:32:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:34:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:36:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:38:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:40:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:42:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:44:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:46:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:48:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:50:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:52:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:54:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:56:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 10:58:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 11:00:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 11:02:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 11:04:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 11:06:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 11:08:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 11:10:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 11:12:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 11:14:32
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/27/2004 11:16:32
(Event String could not be retrieved)
......................... MAIN failed test systemlog

Running enterprise tests on : nc-mel.rmna.com.au
Starting test: Intersite
......................... nc-mel.rmna.com.au passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
......................... nc-mel.rmna.com.au failed test FsmoCheck
 
Cameron Dorrough said:
Hi, I have had to rebuild our W2k + AD forest root server ("MAIN") - we have
two DCs in the forest.

Now that the server is back up again, I am getting SAM 16650 errors on a
regular basis and can no longer access group policy - but replication seems
to be working (as far as I can tell). Running "dcdiag" gives the following
not nice report. Can anyone help me out here??

You suffer from the "I lost the FSMO roles" symptoms.

Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;255504
Flexible Single Master Operation Transfer and Seizure Process
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223787
 
SaltPeter said:
You suffer from the "I lost the FSMO roles" symptoms.

Yes - I just can't find where I left them! ;-)

SaltPeter said:
Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;255504
Flexible Single Master Operation Transfer and Seizure Process
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223787

Thanks heaps! I really appreciate that..

If I seize the roles, how do I go about returning them? Is it just a matter
of re-installing W2k and AD and transferring them back? Can I use the same
DC computer name??

Cameron:-)
 
Cameron Dorrough said:
Yes - I just can't find where I left them! ;-)


Thanks heaps! I really appreciate that..

If I seize the roles, how do I go about returning them? Is it just a matter
of re-installing W2k and AD and transferring them back? Can I use the same
DC computer name??

Cameron:-)

You can't give away the roles but you can transfer them. Yes, reinstalling
W2K, join + promote and transfer or seize the roles. Then use DCDiag and
other tools to assert your domain is up and alive.

http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp

The only way you can use the same computer name is if you delete all
references to the "old" name first. Also, remember that a name means nothing
in the sense that it's the SID that matters. This means seize roles from
other DCs, remove any DNS entry pointing to old server, zap the computer
account in AD UandComp and ensure the domain is healthy before proceeding.
 
SaltPeter said:
You can't give away the roles but you can transfer them. Yes, reinstalling
W2K, join + promote and transfer or seize the roles. Then use DCDiag and
other tools to assert your domain is up and alive.

http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp

The only way you can use the same computer name is if you delete all
references to the "old" name first. Also, remember that a name means nothing
in the sense that it's the SID that matters. This means seize roles from
other DCs, remove any DNS entry pointing to old server, zap the computer
account in AD UandComp and ensure the domain is healthy before proceeding.

It took some time to get a 2 hour window to do this. The server is back up
and going now (dcdiag below) - many thanks for your help!

Cameron:-)
----------------------
Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: NC-Melbourne\MAIN
Starting test: Connectivity
......................... MAIN passed test Connectivity

Doing primary tests

Testing server: NC-Melbourne\MAIN
Starting test: Replications
......................... MAIN passed test Replications
Starting test: NCSecDesc
......................... MAIN passed test NCSecDesc
Starting test: NetLogons
......................... MAIN passed test NetLogons
Starting test: Advertising
......................... MAIN passed test Advertising
Starting test: KnowsOfRoleHolders
......................... MAIN passed test KnowsOfRoleHolders
Starting test: RidManager
......................... MAIN passed test RidManager
Starting test: MachineAccount
......................... MAIN passed test MachineAccount
Starting test: Services
......................... MAIN passed test Services
Starting test: ObjectsReplicated
......................... MAIN passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... MAIN passed test frssysvol
Starting test: kccevent
......................... MAIN passed test kccevent
Starting test: systemlog
......................... MAIN passed test systemlog

Running enterprise tests on : nc-mel.rmna.com.au
Starting test: Intersite
......................... nc-mel.rmna.com.au passed test Intersite
Starting test: FsmoCheck
......................... nc-mel.rmna.com.au passed test FsmoCheck
-----------------------
 
Thanks for feedback. You might want to check the SYSVOL hierarchy to correct
that problem too. Use the following KB as a guide to check and perhaps
recreate the SYSVOL folder structure:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253268
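
A triage sketch for the two dcdiag reports in this thread, added here as an example and not posted by anyone in the thread: it parses dcdiag text, lists FSMO roles whose owner is reported as deleted, and flags tests that "passed" while still printing messages, as frssysvol does in the second report. The function names and the abridged sample input are constructed for illustration.

```python
import re

# Constructed sample, abridged from the two dcdiag reports quoted in this thread.
SAMPLE = """\
Testing server: NC-Melbourne\\MAIN
Starting test: Replications
......................... MAIN passed test Replications
Starting test: KnowsOfRoleHolders
Warning: CN="NTDS Settings
DEL:05e60f35-cf52-45c2-81ac-c5e6fbb1fac5",CN=MAIN,CN=Servers,CN=NC-Melbourne
,CN=Sites,CN=Configuration,DC=nc-mel,DC=rmna,DC=com,DC=au is the PDC Owner,
but is deleted.
......................... MAIN failed test KnowsOfRoleHolders
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... MAIN passed test frssysvol
"""

RESULT = re.compile(r"^\.{5,}\s+(\S+) (passed|failed) test (\S+)\s*$")
ROLE = re.compile(r"is the\s+(.+? Owner),\s+but is deleted")

def parse_dcdiag(text):
    """Return one dict per test: target, name, status and any detail lines."""
    tests, name, details = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Starting test:"):
            name, details = line.split(":", 1)[1].strip(), []
        elif (m := RESULT.match(line)) and name:
            status = m.group(2)
            if status == "passed" and details:
                status = "passed-with-notes"   # e.g. frssysvol in the second report
            joined = " ".join(details)          # re-join DNs wrapped across lines
            tests.append({"target": m.group(1), "test": m.group(3), "status": status,
                          "details": details,
                          "deleted_role_owners": ROLE.findall(joined)})
            name = None
        elif name and line:
            details.append(line)
    return tests

def needs_attention(tests):
    """Names of tests that failed or passed while still printing messages."""
    return [t["test"] for t in tests if t["status"] != "passed"]

if __name__ == "__main__":
    for t in parse_dcdiag(SAMPLE):
        print(t["status"], t["test"], t["deleted_role_owners"])
```
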
 
SaltPeter said:
Thanks for feedback. You might want to check the SYSVOL hierarchy to correct
that problem too. Use the following KB as a guide to check and perhaps
recreate the SYSVOL folder structure:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253268

Hi! I was wondering about that...

I checked and all the folders seem to be there.. There are three GUIDs
listed in ADUC with matching "Machine" and "User" folders (and a few others
too - like "Adm").

Any other ideas what may be causing this?? AD seems to be working fine,
although I haven't got around to setting policies yet (it's on my list).

Thanks again for your help.
Cameron:-)
 