Unable to local DC ......... URGENT

  • Thread starter: Jolyn

Jolyn

Hi,

Urgently need solutions for the following error.

Originally I have 2 DCs. Due to the fact that one of them had a problem, it
was reformatted and promoted as a 2nd DC again. I log in to Windows as the
Administrator user.

Now I have many errors:
(1.) On the new 2nd DC, I have an error in the system log every 2 min, Event ID
16650 from source SAM stating "The account-identifier allocator failed to
initialize properly. The record data contains the NT error code that caused
the failure. Windows 2000 will retry the initialization until it succeeds;
until that time, account creation will be denied on this Domain Controller.
Please look for other SAM event logs that may indicate the exact reason for
the failure."

(2.) On both DCs, I have Event ID 3096 The Primary Domain Controller for
this domain could not be located.

(3.) On both DCs, I'm also unable to open/access Domain Controller Security
Policy or Domain Security Policy, error message Failed to open the Group
Policy Object. You may not have appropriate rights. The specified domain
either does not exist or could not be contacted.

(4.) I execute DCdiag /v on the old DC, get the following

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine NODE2, is a DC.
* Connecting to directory service on server NODE2.
* Collecting site info.
* Identifying all servers.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\NODE2
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... NODE2 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\NODE2
Starting test: Replications
* Replications Check
......................... NODE2 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=TEST,DC=com
* Security Permissions Check for
CN=Configuration,DC=TEST,DC=com
* Security Permissions Check for
DC=TEST,DC=com
......................... NODE2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... NODE2 passed test NetLogons
Starting test: Advertising
The DC NODE2 is advertising itself as a DC and having a DS.
The DC NODE2 is advertising as an LDAP server
The DC NODE2 is advertising as having a writeable directory
The DC NODE2 is advertising as a Key Distribution Center
Warning: NODE2 is not advertising as a time server.
The DS NODE2 is advertising as a GC.
......................... NODE2 failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com
Warning: CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com is the Schema Owner, but is deleted.
Role Domain Owner = CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com
Warning: CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com is the Domain Owner, but is deleted.
Role PDC Owner = CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com
Warning: CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com is the PDC Owner, but is deleted.
Role Rid Owner = CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com
Warning: CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com is the Rid Owner, but is deleted.
Role Infrastructure Update Owner = CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com
Warning: CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com is the Infrastructure Update Owner, but is deleted.
......................... NODE2 failed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2111 to 1073741823
Warning: FSMO Role Owner is deleted.
* NODE1.TEST.COM is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1611 to 2110
* rIDNextRID: 1618
* rIDPreviousAllocationPool is 1611 to 2110
......................... NODE2 passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/NODE2.TEST.COM/TEST.com
* SPN found :LDAP/NODE2.TEST.COM
* SPN found :LDAP/NODE2
* SPN found :LDAP/NODE2.TEST.COM/TEST
* SPN found :LDAP/32158106-7989-4cff-8da4-8ff93c0e1831._msdcs.TEST.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/32158106-7989-4cff-8da4-8ff93c0e1831/TEST.com
* SPN found :HOST/NODE2.TEST.COM/TEST.com
* SPN found :HOST/NODE2.TEST.COM
* SPN found :HOST/NODE2
* SPN found :HOST/NODE2.TEST.COM/TEST
* SPN found :GC/NODE2.TEST.COM/TEST.com
......................... NODE2 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
w32time Service is stopped on [NODE2]
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
* Checking Service: NtFrs
SMTPSVC Service is stopped on [NODE2]
......................... NODE2 failed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
NODE2 is in domain DC=TEST,DC=com
Checking for CN=NODE2,OU=Domain Controllers,DC=TEST,DC=com in domain DC=TEST,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=NODE2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com in domain CN=Configuration,DC=TEST,DC=com on 1 servers
Object is up-to-date on all servers.
......................... NODE2 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer
prevented from starting by the File Replication Service.
......................... NODE2 passed test frssysvol
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... NODE2 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... NODE2 passed test systemlog

Running enterprise tests on : TEST.com
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... TEST.com passed test Intersite
Starting test: FsmoCheck
GC Name: \\NODE2.TEST.COM
Locator Flags: 0xe00001bc
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
KDC Name: \\NODE2.TEST.COM
Locator Flags: 0xe00001bc
......................... TEST.com failed test FsmoCheck



Thanks & Regards
Jolyn
 
Hello Jolyn,

Was the crashed machine the FSMO role holder? Did you move them before to
the other DC? From the output you posted, it is node1. So please give some
info about the server names: which is the old, which is the running and which
is the new one.
Also it seems that you have not removed the old entries from Active Directory
after starting the rebuild. Just deleting is not enough, and using
the same name also gives conflicts. So please describe in more detail what
you have done.

Here are some links about moving/seizing the 5 FSMO roles and removing orphaned
DCs from Active Directory:

How to remove completely orphaned Domain Controller
http://support.microsoft.com/?kbid=555846&SD=tech

How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm
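
Added example (not part of the original thread and not code from either poster): a Python parser for dcdiag /v text like the output posted above, reporting which FSMO role owners point at a deleted NTDS Settings object (the "DEL:" marker in the DN) and which DcGetDcName locator calls failed. The function names and the sample text are constructed for illustration, and the healthy "Rid Owner" line in the sample is invented as a contrast case.

```python
import re

# Constructed sample: shortened from the dcdiag /v output in the post above,
# keeping its console line wraps. The "Rid Owner" line is invented here as a
# healthy contrast case; in the posted output all five owners were deleted.
SAMPLE = '''Starting test: KnowsOfRoleHolders
Role PDC Owner = CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com
Warning: CN="NTDS Settings
DEL:4fc70a1f-be5d-436a-aaef-95e986d9b6f7",CN=NODE1,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com is the PDC Owner, but is
deleted.
Role Rid Owner = CN=NTDS Settings,CN=NODE2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=com
......................... NODE2 failed test KnowsOfRoleHolders
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
1355
......................... TEST.com failed test FsmoCheck
'''

# A role line runs until the next Warning/Role/result/test line, so a DN that
# the console wrapped over several lines is captured whole.
ROLE_RE = re.compile(
    r'^[ \t]*Role ([\w ]+?) Owner = (.+?)'
    r'(?=\n[ \t]*(?:Warning:|Role |\.{5,}|Starting test:)|\Z)',
    re.S | re.M)
SERVER_RE = re.compile(r'CN=([^,]+),CN=Servers')
LOCATOR_RE = re.compile(r'DcGetDcName\((\w+)\) call failed, error\s+(\d+)')

def fsmo_findings(dcdiag_text):
    """Return (roles, locator_failures) parsed from dcdiag /v text."""
    text = dcdiag_text.replace('\r\n', '\n')
    roles = {}
    for m in ROLE_RE.finditer(text):
        dn = m.group(2).replace('\n', '')      # undo the console line wraps
        server = SERVER_RE.search(dn)
        roles[m.group(1)] = {
            'server': server.group(1) if server else None,
            'deleted': 'DEL:' in dn,           # owner is a deleted object
        }
    failures = {m.group(1): int(m.group(2)) for m in LOCATOR_RE.finditer(text)}
    return roles, failures

def orphaned_roles(dcdiag_text):
    """Names of FSMO roles whose recorded owner is a deleted object."""
    roles, _ = fsmo_findings(dcdiag_text)
    return sorted(name for name, info in roles.items() if info['deleted'])

if __name__ == '__main__':
    roles, failures = fsmo_findings(SAMPLE)
    print('orphaned roles:', orphaned_roles(SAMPLE))
    print('locator failures:', failures)
```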